Why is pkg(8) so frequently updated?

Today it might make sense with all the work on pkg-base even before pkg-base, I would see pkg upgrade itself almost every time I ran pkg upgrade.

What's going on here? Why is pkg(8) so maintenance intensive?
 
It's absolutely a supply-chain attack target. Everyday someone is trying to spread malicious code through this default portal.

I wonder if it also interchanges the executable fingerprint with rhe official binary suppliers to catch systems with a suspicious client.
 
Basically, ports need upsream to fetch distfiles.
And commit to the ports tree can be done by authorized committers who has commit bits and mentored by experienced committer in early days after becomming a committer (excluding long-standing committers who obtained commit bits from before this mentor-mentee system started years ago).
Non-committer maintainers like me need review by committers to allow updates to be landed.

This means, there are 2 (at least 1, in case the maintainer is a committer) gate to pass before incorporated into ports tree.

And basically all ports need distinfo keeping filenames, size and sha256 hash of the upstream distfiles. So builds should fail (on official pkg builder or local builds) as of mis-matches in size and/or hash if the upstream tarball is rerolled in the same filename.
In this case, maintainer is required to confirm the rerolled distfile is still sane or not and update distinfo to match rerolled one once it is considered to be safe and sane.

In well known archivers/xz case, the build method used on FreeBSD ports that was DIFFERENT WITH LINUX doesn't affected by the malicious codes incorporated, thus, the maintainer even didn't noticed on upgrade (as it was NOT AT ALL affected).
 
Back
Top