Firefox package version different from original firefox release notes and generic question about package security

Hi everyone, I apologize for two questions in one post but I wanted to take advantage and try to clarify both things.
The reference to Firefox is just an example, I imagine it could be the same for other software.
I noticed, while doing a search on the freshports web page, that the installable version of Firefox is one number ahead of the latest one released, that is, it is 124.0, while on Windows it gives me 123.0.1 as the latest one.
Why does this happen if a version has not yet been released by the manufacturer?
Then I see another thing that isn't clear to me: for example, that 123.0.1 is identified in the commit history as (rc1) but it wasn't definitive?
Also, what does the number after the comma mean?
I guess I'm getting confused so I ask you to please explain to me how releasing package versions works.
Finally I wanted to ask you: how safe is the freebsd package installation system? Couldn't a package be modified by inserting malicious code capable of intercepting what is being typed and perhaps even exfiltrating sensitive data such as that of a home banking system?
A browser in this case would be perfect.
Is integrity verification performed constantly by the security team? Can we be trusted?
These are probably silly questions but I would like an expert opinion on the matter if possible.

Thank you all
 

Just look at the commit history, which is also available on freshports. The team maintaining the firefox port always updates as soon as rc1 is available, so before the final release. In terms of security, this is probably more often an advantage than it isn't. If you like it more conservative, there's the firefox-esr port.
 
Thank you all for the information but I don't quite understand why the proposed version may be numerically ahead of the latest official one.
Finally, regarding my question about security, what can you tell me? "Finally I wanted to ask you: how safe is the freebsd package installation system? Couldn't a package be modified by inserting malicious code capable of intercepting what is being typed and perhaps even exfiltrating sensitive data such as that of a home banking system?
A browser in this case would be perfect.
Is integrity verification performed constantly by the security team? Can we be trusted?"

Thanks again everyone.
 
Packages are checksummed and the catalogue is signed, so pkg won't ever install anything that has been tampered with. Ports the packages are built from are public to everyone and from what I see on internal mailing lists, a lot of committers regularly review other commits and point out errors, so "sneaking in" something there isn't a realistic option either.

The only persons that could, theoretically, sneak in malware would be those operating the build and packaging infrastructure (and therefore also controlling the signing keys for the repo catalogues). Well, if you don't trust those (as a whole btw, they would need to work together on such a thing), you probably shouldn't execute any software you ever obtained from others. I'd say it's way more likely that something bad is hidden somewhere upstream (and the FreeBSD port maintainer doesn't notice).
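As an added illustration of the trust chain this answer describes (example code, not from the FreeBSD project or the poster): a client that pins only the fingerprint of the repository key, verifies the signed catalogue, and refuses any package whose checksum differs from the catalogue entry. It substitutes an Ed25519 signature for the RSA signature pkg actually uses, and the package name and payload are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Catalogue is what the repository serves: catalogue body (constructed "name sha256" lines), repo public key, signature over the body.
type Catalogue struct{ Data, Pub, Sig []byte }

// fingerprintOf is hex(sha256(public key)), the only value the client trusts a priori (the trusted fingerprint file's role).
func fingerprintOf(pub []byte) string {
	s := sha256.Sum256(pub)
	return hex.EncodeToString(s[:])
}

// BuildRepo plays the repository: records one package checksum in the catalogue, signs it, returns the fingerprint to pin.
func BuildRepo(pkgName string, pkgBytes []byte) (Catalogue, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Catalogue{}, "", err
	}
	sum := sha256.Sum256(pkgBytes)
	data := []byte(pkgName + " " + hex.EncodeToString(sum[:]) + "\n")
	return Catalogue{data, pub, ed25519.Sign(priv, data)}, fingerprintOf(pub), nil
}

// VerifyCatalogue is client step 1: accept the shipped key only if it matches the pinned fingerprint, then check the signature.
func VerifyCatalogue(c Catalogue, trustedFP string) error {
	if fingerprintOf(c.Pub) != trustedFP {
		return errors.New("repository key does not match trusted fingerprint")
	}
	if len(c.Pub) != ed25519.PublicKeySize || !ed25519.Verify(c.Pub, c.Data, c.Sig) {
		return errors.New("catalogue signature invalid")
	}
	return nil
}

// VerifyPackage is client step 2: downloaded bytes must hash to the checksum the verified catalogue records for that name.
func VerifyPackage(c Catalogue, pkgName string, pkgBytes []byte) error {
	sum := sha256.Sum256(pkgBytes)
	if strings.Contains("\n"+string(c.Data), "\n"+pkgName+" "+hex.EncodeToString(sum[:])+"\n") {
		return nil
	}
	return errors.New("package checksum mismatch: refusing to install")
}
```

Note that a tampered catalogue is caught at step 1 and a tampered package at step 2; a build host that holds the signing key sits outside both checks, which is exactly the residual trust the answer points at.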
 
… how safe is the freebsd package installation system? …

Ampere in the Wild: How FreeBSD Employs Ampere Arm64 Servers in the Data Center – some observations from emaste@ (Ed Maste) and gtewallace (Greg Wallace). <https://www.freebsd.org/administration/#t-secteam>, <https://freebsdfoundation.org/about-us/our-team/>.

FreeBSD Security Information | The FreeBSD Project – could be much better, with regard to ports and packages. There's just one sentence about ports, and the linked page probably raises more questions than it asks, for someone who's not already familiar with VuXML.
 
About ports and VuXML... interestingly, (S)BOM was a topic that came up in the Enterprise Working Group, but didn't gain enough traction to follow up on.

While the original discussion was targeted on building a "bill of materials" for base, I'd expect it could be expanded to ports too.
 