Re: Adding functionality to a port

From: Rob LA LAU <freebsd_at_ohreally.nl>
Date: Tue, 16 Nov 2021 10:34:45 UTC
Hi,

On 15/11/2021 10:21, Guido Falsi wrote:
> You look too worried by the "functionality added" part.

Yes, I am worried. Of course I am.
When I first asked my question the day before yesterday, the first 
responses were in the line of "port maintainers can do whatever they 
want", accompanied by emoticons with sunglasses.
So that kind of makes me wonder how seriously FreeBSD takes itself, as 
an OS.

I understand very well that a startup script or similar stuff can be 
added without any problem.
But what worries me is that apparently there are no limits or rules 
whatsoever. Even OpenBSD, if you want to keep it close to home, dictates 
that all patches, work-arounds and dependencies must be documented, and 
that all changes must be sent upstream to try and have them included in 
the original work. [1] (And when I say 'Even OpenBSD' I don't mean to 
say that OpenBSD is any less than FreeBSD, but just that it could be 
considered a small player, compared to FreeBSD or most other OSes.)

I run real servers, so as a sysadmin I want to be able to rely on the 
fact that the software I install does exactly what is advertised in the 
upstream documentation, no more and no less.
And that's not just from a point of view of security for just me. I run 
2 Tor relays, so it's potentially the security of many more people 
(where 'security' could mean a way bigger risk than just losing some files).
And yes, I am sure that Tor runs as advertised, because I verified that 
(as far as I could). But what if the port maintainer of some obscure 
library, that is installed through some bizarre chain of dependencies, 
managed to sneak in a backdoor that gives them root access to my server? 
Then the security of my Tor installation is no longer relevant, because 
an attacker can just gain root and compromise that installation.

And please don't tell me that that would be illegal, because the amount 
of attempts I receive on my servers every day tells me that not 
everybody is as law abiding as you apparently are.

Apart from that, triggered by this email conversation, I studied some 
open source licenses in the past days. And apart from the BSD licenses, 
MIT license and Mozilla Public License, most open source licenses 
require modifications to at least be well documented (GPLv2, article 
2.a; GPLv3, article 5.a; Apache License, article 4.2; LGPLv2, article 
2.b; CDDL-1.0, article 3.3), which means that even the added startup 
scripts should carry a notice saying something like "This file is not 
part of the original distribution, but was added for FreeBSD - <date> 
<name port maintainer>".
So if you want to talk about legal stuff: current practice may violate 
some licenses.

I really understand that not everything can be cast in stone. And I 
understand that there must be some freedom for port maintainers. And I 
don't want to be a Karen about it either. I am even rather pro-anarchy. 
But not on the servers that keep my data and that of others secure. I'm 
just looking for some guarantees for me and my users. I understand that 
100% guarantee is hard, if not impossible, but I would like it to be a 
bit more than "You just shouldn't do bad things."

But I understand that I'm alone in this: only 3 or 4 people have 
responded, and they all seemed to be very much against any rules for 
port maintainers. So I won't insist any more.

Best,
   Rob


[1] https://www.openbsd.org/faq/ports/guide.html

-- 

  https://www.librobert.net/
  https://www.ohreally.nl/category/nerd-stuff/
  https://github.com/ohreally/