On Fri, Sep 16, 2016 at 2:56 PM, John Newman <jnn@synfin.org> wrote:
> Generally I trust that svn updates are not pulling down back doored code. I don't have the time (or the capacity) to read through all of /usr/src....
Only about that in part, but also just taking random corrupted bits. If you're not wrapping everything in your toolchain in crypto, originating at and in the repo, the path the backdoored code takes to you is bound to take gain hits sooner or later. On the plus side, maybe those hits will neuter the backdoor sometime before the seas boil. But you get the point.
> Trying to use ports built from source alongside prebuilt binaries from pkg is a complete fucking nightmare on FreeBSD. I routinely have to hack the pkg SQLite db file to make pkg audits reflect the actual state of my system. Need to invest some time in poudriere....
If a given port doesn't have a package, maybe invest in committing the build bits to your OS of choice so that it does.
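The point above about wrapping the path from repo to build in crypto, as an added example that is not part of this thread or of any project mentioned in it: a deterministic manifest of a source tree (sorted paths, SHA-256 per file) is reduced to one digest that a maintainer would sign and a consumer would pin; the checkout is then compared against the pinned manifest before anything is built. The signature step itself is assumed to happen out of band (for instance with gpg or ssh-keygen -Y verify on the manifest file); the sample tree, file names and the single-bit corruption are constructed for the demonstration.

```python
# Added example (not from the thread): verify that a checked-out source tree
# matches a manifest pinned out of band, e.g. one signed by the repository's
# maintainers. It catches both an injected file and a flipped bit in transit.
import hashlib
import os
import pathlib
import tempfile


def file_sha256(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_manifest(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link pointing outside the tree cannot affect the result."""
    root_path = pathlib.Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames.sort()  # deterministic traversal regardless of filesystem order
        for name in sorted(filenames):
            p = pathlib.Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root_path).as_posix()] = file_sha256(p)
    return manifest


def manifest_digest(manifest: dict) -> str:
    """Canonical digest: one 'sha256  path' line per file, sorted by path.
    This is the value a maintainer signs and a consumer pins."""
    lines = [f"{manifest[k]}  {k}\n" for k in sorted(manifest)]
    return hashlib.sha256("".join(lines).encode("utf-8")).hexdigest()


def verify_tree(root, trusted_manifest: dict) -> tuple:
    """Compare a local tree against the trusted manifest.
    Returns (ok, problems); problems lists modified, missing and unexpected files."""
    actual = tree_manifest(root)
    problems = []
    for path, digest in trusted_manifest.items():
        if path not in actual:
            problems.append(f"missing: {path}")
        elif actual[path] != digest:
            problems.append(f"modified: {path}")
    for path in actual:
        if path not in trusted_manifest:
            problems.append(f"unexpected: {path}")
    return (not problems, sorted(problems))


def demo() -> tuple:
    """Constructed sample tree (hypothetical file names): pin its manifest, then
    flip one bit in a file and drop in a stray file, as a corrupted or tampered
    transfer would, and check that verification reports exactly those two."""
    with tempfile.TemporaryDirectory() as d:
        src = pathlib.Path(d) / "src"
        (src / "sys").mkdir(parents=True)
        (src / "sys" / "kern_exec.c").write_bytes(b"int main(void) { return 0; }\n")
        (src / "Makefile").write_bytes(b"all:\n\tcc sys/kern_exec.c\n")

        trusted = tree_manifest(src)
        pinned = manifest_digest(trusted)
        clean_ok, _ = verify_tree(src, trusted)

        p = src / "sys" / "kern_exec.c"
        data = bytearray(p.read_bytes())
        data[0] ^= 0x01  # single-bit corruption
        p.write_bytes(bytes(data))
        (src / "sys" / "backdoor.c").write_bytes(b"/* not in the manifest */\n")

        tampered_ok, problems = verify_tree(src, trusted)
        digest_changed = manifest_digest(tree_manifest(src)) != pinned
        return clean_ok, tampered_ok, problems, digest_changed


if __name__ == "__main__":
    print(demo())
```

The manifest file itself, not the tree, is what gets signed, so the consumer verifies one signature and then lets the hashes carry trust down to every file; a build script would refuse to run when verify_tree returns anything other than an empty problem list.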