Date:      Tue, 6 Apr 2021 03:11:31 +0200
From:      Stefan Blachmann <sblachmann@gmail.com>
To:        secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org,  cperciva@freebsd.org
Subject:   Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID:  <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com>

Hello,

I had a very distressing experience today.
I installed a package to view its scripts (and *not* to run them!).

I was shocked when pkg told me that my system configuration, including
which packages and their versions are installed on my system, has been
sent to an external entity, without asking for my consent.

This is a security leak as well as a breach of EU data protection
rules, but above all, it is a breach of trust of the unsuspecting
FreeBSD users.

Read this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
And read my experience in this and the following forum posts:
https://forums.freebsd.org/threads/toplist-freebsd-usage-per-1m-inhabitants.79669/post-504430

If this does not get fixed in short time, I will contact ArsTechnica,
TheRegister and some other reputed IT news outlets, to create public
pressure to get the issue resolved.

So please get this fixed and report back.

Sincerely,
Stefan Blachmann
