On 16/11/21 11:56, Kurt Jaeger wrote:
> Hi!
> On 15/11/2021 10:21, Guido Falsi wrote:
>> You look too worried by the "functionality added" part.
> Yes, I am worried. Of course I am.
> When I first asked my question the day before yesterday, the first
> responses were along the lines of "port maintainers can do whatever they
> want", accompanied by emoticons with sunglasses.
At least I did not understand your question as a topic on security,
but rather on: What are the rules for a port...
Security is important, but if security is at stake we need more detailed
info, we need "actionable" information.
As I said, startup and periodic scripts are and should be installed
disabled; if he found a port/package installing a startup
script/periodic script auto-enabling itself, he should report that and
it should be fixed.
If there is a broken script it should be fixed.
If there is some malicious script, that should not happen; committers
should and do review submissions to avoid such things. Mistakes can
happen, so please report it and make it noticed, and it will be discussed/fixed.
If there is some more obscure patch to some source code causing
significant behaviour changes in some package, please report it; as
usual, make yourself noticed and it will be at least discussed, and if it has
security implications I'm sure it will also be acted upon effectively. If no
security implication is involved there is also less urgency.
If we're talking security there is no grey area: the concept is clearly
defined and things will be acted upon; there is no need for new rules or
philosophy.
--
Guido Falsi <madpi...@freebsd.org>
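The reply above leans on one concrete convention: a port's rc.d script declares its `_enable` knob with a default of "NO", so nothing starts until the administrator turns it on in rc.conf. The following POSIX sh script is an added example, not code from the thread or from the FreeBSD ports tree; it scans a directory of rc.d-style scripts for the `: ${name_enable:="..."}` line and reports any whose default is an "on" value, which is exactly the "auto-enabling itself" case the reply says should be reported. The two sample scripts it writes into a temporary directory are constructed for the example; on a real host you would point `rcd_autoenabled` at /usr/local/etc/rc.d instead.

```sh
#!/bin/sh
# Added example: audit rc.d scripts for a default of "on".
# FreeBSD rc.d scripts normally carry
#   : ${foo_enable:="NO"}
# so the service stays off until foo_enable="YES" is set in rc.conf.
# A default that rc.subr's checkyesno treats as true (yes/true/on/1)
# means the package enables itself on installation.

# Print "<rcvar> <default>" for every script in the given directory.
rcd_defaults() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Match  : ${foo_enable:="NO"}  and  : ${foo_enable:=NO}
        sed -n 's/^[[:space:]]*:[[:space:]]*\${\([A-Za-z0-9_]*_enable\):="\{0,1\}\([A-Za-z0-9]*\)"\{0,1\}}.*/\1 \2/p' "$f"
    done
}

# Print the rcvar of every script whose default counts as enabled.
rcd_autoenabled() {
    rcd_defaults "$1" | while read -r name val; do
        case $(printf '%s' "$val" | tr '[:upper:]' '[:lower:]') in
            yes|true|on|1) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed samples: one well-behaved script, one that enables itself.
# Prints the temporary directory holding them.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/goodd" <<'EOF'
#!/bin/sh
# PROVIDE: goodd
. /etc/rc.subr
name=goodd
rcvar=goodd_enable
load_rc_config $name
: ${goodd_enable:="NO"}
run_rc_command "$1"
EOF
    cat > "$d/sneakyd" <<'EOF'
#!/bin/sh
# PROVIDE: sneakyd
. /etc/rc.subr
name=sneakyd
rcvar=sneakyd_enable
load_rc_config $name
: ${sneakyd_enable:=YES}
run_rc_command "$1"
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: report the self-enabling sample, then clean up.
samples=$(make_samples)
echo "scripts whose default is on:"
rcd_autoenabled "$samples"
rm -rf "$samples"
```

The scan only reads the script's declared default; the effective state on a running system also depends on rc.conf and rc.conf.d, which `service -e` and `sysrc` report, so treat a hit here as "this package would be on out of the box", which is the condition the thread says to report.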