Firefox [Tor] Browser 0day: Anti-Privacy Implantation at Mass Scale

John Newman jnn at synfin.org
Fri Sep 16 11:56:11 PDT 2016


At least you can easily build your entire user land and kernel (and ports) on FreeBSD. It's very straight forward compared to Linux distros (Gentoo/arch some what excluded I guess).  I suppose this isn't much consolation if you're worried about the upstream svn repo itself..... Generally I trust that svn updates are not pulling down back doored code. I don't have the time (or the capacity) to read though all of /usr/src....

Trying to use ports built from source along side prebuilt binaries from pkg is a complete fucking nightmare on FreeBSD.  I routinely have to hack the pkg SQLite db file to make pkg audits reflect the actual state of my system. Need to invest some time in poudriere....


John

> On Sep 16, 2016, at 2:29 PM, grarpamp <grarpamp at gmail.com> wrote:
> 
>> On Fri, Sep 16, 2016 at 1:18 PM, Georgi Guninski <guninski at guninski.com> wrote:
>> Is Debian _still_ vulnerable to automatic updates, it used to be?:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820698;msg=5
>> Debian's Firefox/iceweasel in a VM still give warnings about autoupdates of addons
>> when started from terminal (otherwise they are not visible ;) )
> 
> Here's FreeBSD's take on the issue...
> https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html
> 
> Nevermind that they still [1] don't have their release iso's and everything
> else fully reproduceable and cryptographically traceable back to
> their source repository, in part because their silly choice of repo (svn)
> isn't capable of establishing cryptographic provenance over, and distribution
> of, the source, so unlike signable trees git or monotone there's a big gaping
> disconnect there. Though they are making good progress on reproduceability.
> 
> Oh, and OpenBSD still uses cvs for code authenticity, lol.
> 
> Don't mistake this to mean that Linux distroland and model is anything
> close to secure either. It's probably much worse.
> 
> [1] They claim signed / hashed isos and packages, and
> server / filesystem / commiter / sysadmin security / integrity
> are backtraceable and sufficient. And that monotonically increasing
> numeric commit revID's and 'workflow' prevent using something like git.
> I claim baloney.




More information about the cypherpunks mailing list