Date: Tue, 6 Apr 2021 10:42:22 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: Stefan Blachmann <sblachmann@gmail.com>, secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID: <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd>
In-Reply-To: <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz>
References: <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com> <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz>
On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
> On 06/04/2021 16:27, Shawn Webb wrote:
>
> > 1. BSDStats isn't run/maintained by the FreeBSD project. File the
> >    report with the BSDStats project, not FreeBSD.
> > 2. You install a package that is made to submit statistical data.
> > 3. You're upset that it submits statistical data?
>
> The problem here is that it collects and sends data right at the install
> time. It is really unexpected to run installed package without user consent.
> If you install Apache, MySQL or any other package the command / daemon is not
> run by "pkg install" command.
> This must be avoided.

It's probably easier to submit a patch than it is to write a
lolwut-type email. All you gotta do is rm the post-install script.
Also `pkg install` has the -I option. But whatever, let the lolwut
mentality prevail!
-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
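The disagreement in this message turns on install-time scripts: a package's post-install script runs during `pkg install` unless `-I` is given. The following is an added example, not part of the original message or of pkg itself, that lists install-time scripts in a package manifest so they can be reviewed before installing. The JSON layout (a `scripts` object keyed by phase), the watch lists and both sample packages are assumptions constructed for illustration.

```python
import json
import re

# Phases that execute during "pkg install" (assumed manifest key names).
INSTALL_PHASES = ("pre-install", "post-install")
# Hypothetical watch list: tools suggesting the script talks to the network.
NETWORK_TOOLS = re.compile(r"\b(fetch|curl|wget|nc|ftp)\b")
# Hypothetical watch list: the script starts or enables a service right away.
AUTOSTART = re.compile(r"\b(service\s+\S+\s+(?:one)?start|sysrc\s+\S+_enable)")

# Constructed sample: a package whose post-install script phones home.
SAMPLE = json.dumps({
    "name": "example-stats",
    "version": "1.0",
    "scripts": {
        "post-install": '#!/bin/sh\nfetch -qo /dev/null '
                        '"https://stats.example.invalid/submit"\n',
        "post-deinstall": "rm -f /var/db/example-stats.id\n",
    },
})
# Constructed sample: a package with no install-time script at all.
QUIET = json.dumps({
    "name": "example-daemon",
    "scripts": {"post-deinstall": "rm -f /var/run/example.pid\n"},
})


def audit_manifest(manifest_text):
    """Return one finding per non-empty install-time script in a manifest."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for phase in INSTALL_PHASES:
        body = scripts.get(phase, "")
        if not body.strip():
            continue  # nothing runs in this phase
        findings.append({
            "package": manifest.get("name", "<unknown>"),
            "phase": phase,
            "network": sorted(set(NETWORK_TOOLS.findall(body))),
            "autostart": bool(AUTOSTART.search(body)),
        })
    return findings


if __name__ == "__main__":
    for text in (SAMPLE, QUIET):
        for finding in audit_manifest(text):
            print(finding)
```

A non-empty result is the cue to read the script and decide whether to install with `-I`.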