by meaty
4963 days ago
I have a couple of FreeBSD machines which pulled binary packages between those dates. I'm not overly worried. The packages have been removed and installed again from ports after a fresh portsnap dump, and the systems have been verified with "freebsd-update IDS" against known good signatures. Any modified files were manually checked. I use MAC on each machine and pf up front on firewalls, so I know what is going in and out as well. The fact that these mechanisms are available is the reason I use such a system. Also, if you consider any problems like this happening to a closed-source vendor, you may never know it's happened. And don't tell me they don't do it, as I've worked for a couple of companies that felt that burying security fuck-ups was acceptable practice. It's why I don't work for them any more.
- They have to find it out first.
- Then they have to be willing to disclose the incident.
- Even then, you are still trusting the source of the packages, the developers, etc. There are a zillion bugs that look like "just an error" which can also be "just a backdoor".

For these reasons, running MAC, checking modified files, etc. is ALWAYS good practice (which you seem to follow, don't get me wrong, but that's pretty rare).
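The verification step both posters rely on, checking installed files against known good digests the way "freebsd-update IDS" does, is easy to reproduce for any set of files whose reference hashes you hold. The script below is an added example, not code from either post or from FreeBSD itself: it builds a constructed fixture (a few fake "installed" files and a manifest of their SHA-256 digests), tampers with one file and deletes another, then runs a manifest check that reports every mismatch. The `ids_check` function and the manifest format are assumptions for this example; the only real-world requirement it models is that the reference digests come from a trusted source obtained out-of-band, never from the possibly compromised host.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal integrity check in the spirit of
# "freebsd-update IDS". Installed files are compared against a manifest of
# known-good SHA-256 digests and anything modified or missing is reported.
# The manifest and files below are constructed for illustration only.

# Portable digest helper: GNU coreutils has sha256sum, FreeBSD has sha256 -q.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# ids_check MANIFEST ROOT
#   MANIFEST lines: "<sha256> <path relative to ROOT>"
#   Prints one line per finding ("MODIFIED <path>" or "MISSING <path>")
#   and returns the number of findings (0 means everything matched).
ids_check() {
    manifest=$1; root=$2; problems=0
    while read -r expected rel; do
        [ -z "$expected" ] && continue          # skip blank lines
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING  $rel"; problems=$((problems + 1))
        elif [ "$(digest "$f")" != "$expected" ]; then
            echo "MODIFIED $rel"; problems=$((problems + 1))
        fi
    done < "$manifest"
    return $problems
}

# Constructed fixture: three "installed" files plus a manifest taken while
# they are still in their known-good state.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/local/bin"
printf 'good binary\n' > "$demo_root/usr/local/bin/pkgtool"
printf 'config v1\n'   > "$demo_root/etc.conf"
printf 'helper\n'      > "$demo_root/usr/local/bin/helper"
{
    echo "$(digest "$demo_root/usr/local/bin/pkgtool") usr/local/bin/pkgtool"
    echo "$(digest "$demo_root/etc.conf") etc.conf"
    echo "$(digest "$demo_root/usr/local/bin/helper") usr/local/bin/helper"
} > "$demo_root/manifest.txt"

# Simulate what a bad package could leave behind: one altered file, one removed.
printf 'extra bytes\n' >> "$demo_root/usr/local/bin/pkgtool"
rm "$demo_root/usr/local/bin/helper"

# Run the check; the exit status doubles as the finding count.
ids_check "$demo_root/manifest.txt" "$demo_root"
echo "findings: $?"
```

Against the fixture this prints `MODIFIED usr/local/bin/pkgtool`, `MISSING usr/local/bin/helper` and `findings: 2`; `etc.conf` is silent because its digest still matches. Because the return value is the finding count, it can gate a cron job or an alert directly, and the list of modified paths is exactly the set that then needs the manual review the first poster describes.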