From owner-freebsd-security@freebsd.org Tue Apr 6 14:39:45 2021
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Shawn Webb, Stefan Blachmann
Cc: secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org, cperciva@freebsd.org
References: <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd>
From: Miroslav Lachman <000.fbsd@quip.cz>
Message-ID: <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz>
Date: Tue, 6 Apr 2021 16:39:40 +0200
In-Reply-To: <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd>
List-Id: "Security issues [members-only posting]"

On 06/04/2021 16:27, Shawn Webb wrote:
> 1. BSDStats isn't run/maintained by the FreeBSD project. File the
> report with the BSDStats project, not FreeBSD.
> 2. You install a package that is made to submit statistical data.
> 3. You're upset that it submits statistical data?

The problem here is that it collects and sends data right at the install time. It is really unexpected to run an installed package without user consent. If you install Apache, MySQL or any other package, the command / daemon is not run by the "pkg install" command. This must be avoided.

Kind regards
Miroslav Lachman
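The behaviour objected to above (a package running its own code during "pkg install") is declared in the package's install-time script hooks, so a defender can review them before installing. The following is an added example, not code from this thread or from the pkg or BSDStats projects; it assumes pkg's JSON +MANIFEST format with a "scripts" object keyed by hook name (pre-install, post-install, pre-deinstall, post-deinstall and the -lua variants on newer pkg), and the sample manifest is constructed.

```shell
#!/bin/sh
# Added example: list the install-time script hooks a FreeBSD pkg archive declares,
# so the package can be reviewed before "pkg install" runs those hooks as root.
# Assumption: +MANIFEST is JSON with a "scripts" object keyed by hook name.

# Print the install/deinstall hook names declared in a manifest file, one per line.
# Returns 1 when the manifest declares no such hooks.
manifest_hooks() {
    manifest="$1"
    hooks=$(grep -Eo '"(pre|post)-(de)?install(-lua)?"' "$manifest" | tr -d '"' | sort -u)
    [ -n "$hooks" ] || return 1
    printf '%s\n' "$hooks"
}

# Extract +MANIFEST from a fetched archive (tar -O writes the member to stdout)
# and report its hooks without installing anything.
# Usage: pkg fetch -o /tmp/pkgs <name>; pkg_hooks /tmp/pkgs/All/<name>.pkg
pkg_hooks() {
    tmp=$(mktemp) || return 1
    tar -xOf "$1" +MANIFEST > "$tmp" 2>/dev/null
    manifest_hooks "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample manifest (not a real package): a post-install hook that
# immediately starts a data submitter, i.e. exactly the pattern discussed above.
sample_manifest() {
    cat <<'EOF'
{"name":"example-stats","version":"1.0","scripts":{"post-install":"/usr/local/bin/send-stats --now"}}
EOF
}
```

A package that declares no hooks prints nothing and manifest_hooks returns 1; any hook listed is worth reading in full ("tar -xOf pkg +MANIFEST") before the install proceeds.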