Date: Tue, 6 Apr 2021 07:56:19 -0700
From: Gordon Tetlow <gordon@tetlows.org>
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: Miroslav Lachman <000.fbsd@quip.cz>, Stefan Blachmann <sblachmann@gmail.com>, FreeBSD Security Team <secteam@freebsd.org>, Ed Maste <emaste@freebsd.org>, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID: <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org>
In-Reply-To: <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd>
References: <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com> <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd>
On Apr 6, 2021, at 7:42 AM, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
>
> On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
>> On 06/04/2021 16:27, Shawn Webb wrote:
>>
>>> 1. BSDStats isn't run/maintained by the FreeBSD project. File the
>>> report with the BSDStats project, not FreeBSD.
>>> 2. You install a package that is made to submit statistical data.
>>> 3. You're upset that it submits statistical data?
>>
>> The problem here is that it collects and sends data right at install
>> time. It is really unexpected to run an installed package without user consent.
>> If you install Apache, MySQL or any other package, the command / daemon is not
>> run by the "pkg install" command.
>> This must be avoided.
>
> It's probably easier to submit a patch than it is to write a
> lolwut-type email. All you gotta do is rm the post-install script.
> Also `pkg install` has the -I option. But whatever, let the lolwut
> mentality prevail!

I had a conversation on the side with the requestor. In short, there is already a patch to address this issue in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152. Not sure why it hasn't been committed yet, but hopefully it gets picked up shortly.

Gordon
