Firefox [Tor] Browser 0day: Anti-Privacy Implantation at Mass Scale
John Newman
jnn at synfin.org
Fri Sep 16 11:56:11 PDT 2016
At least you can easily build your entire user land and kernel (and ports) on FreeBSD. It's very straight forward compared to Linux distros (Gentoo/arch some what excluded I guess). I suppose this isn't much consolation if you're worried about the upstream svn repo itself..... Generally I trust that svn updates are not pulling down back doored code. I don't have the time (or the capacity) to read though all of /usr/src....
Trying to use ports built from source along side prebuilt binaries from pkg is a complete fucking nightmare on FreeBSD. I routinely have to hack the pkg SQLite db file to make pkg audits reflect the actual state of my system. Need to invest some time in poudriere....
John
> On Sep 16, 2016, at 2:29 PM, grarpamp <grarpamp at gmail.com> wrote:
>
>> On Fri, Sep 16, 2016 at 1:18 PM, Georgi Guninski <guninski at guninski.com> wrote:
>> Is Debian _still_ vulnerable to automatic updates, it used to be?:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820698;msg=5
>> Debian's Firefox/iceweasel in a VM still give warnings about autoupdates of addons
>> when started from terminal (otherwise they are not visible ;) )
>
> Here's FreeBSD's take on the issue...
> https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html
>
> Nevermind that they still [1] don't have their release iso's and everything
> else fully reproduceable and cryptographically traceable back to
> their source repository, in part because their silly choice of repo (svn)
> isn't capable of establishing cryptographic provenance over, and distribution
> of, the source, so unlike signable trees git or monotone there's a big gaping
> disconnect there. Though they are making good progress on reproduceability.
>
> Oh, and OpenBSD still uses cvs for code authenticity, lol.
>
> Don't mistake this to mean that Linux distroland and model is anything
> close to secure either. It's probably much worse.
>
> [1] They claim signed / hashed isos and packages, and
> server / filesystem / commiter / sysadmin security / integrity
> are backtraceable and sufficient. And that monotonically increasing
> numeric commit revID's and 'workflow' prevent using something like git.
> I claim baloney.
More information about the cypherpunks
mailing list