At least you can easily build your entire user land and kernel (and ports) on 
FreeBSD. It's very straightforward compared to Linux distros (Gentoo/Arch somewhat 
excluded I guess).  I suppose this isn't much consolation if you're 
worried about the upstream svn repo itself..... Generally I trust that svn 
updates are not pulling down backdoored code. I don't have the time (or the 
capacity) to read through all of /usr/src....

Trying to use ports built from source alongside prebuilt binaries from pkg is 
a complete fucking nightmare on FreeBSD.  I routinely have to hack the pkg 
SQLite db file to make pkg audits reflect the actual state of my system. Need 
to invest some time in poudriere....

> On Sep 16, 2016, at 2:29 PM, grarpamp <> wrote:
>> On Fri, Sep 16, 2016 at 1:18 PM, Georgi Guninski <> 
>> wrote:
>> Is Debian _still_ vulnerable to automatic updates, as it used to be?:
>> Debian's Firefox/iceweasel in a VM still gives warnings about autoupdates of 
>> addons
>> when started from terminal (otherwise they are not visible ;) )
> Here's FreeBSD's take on the issue...
> Never mind that they still [1] don't have their release ISOs and everything
> else fully reproducible and cryptographically traceable back to
> their source repository, in part because their silly choice of repo (svn)
> isn't capable of establishing cryptographic provenance over, and distribution
> of, the source, so unlike signable trees in git or monotone there's a big gaping
> disconnect there. Though they are making good progress on reproducibility.
> Oh, and OpenBSD still uses cvs for code authenticity, lol.
> Don't mistake this to mean that Linux distroland and model is anything
> close to secure either. It's probably much worse.
> [1] They claim signed / hashed ISOs and packages, and
> server / filesystem / committer / sysadmin security / integrity
> are backtraceable and sufficient. And that monotonically increasing
> numeric commit revIDs and 'workflow' prevent using something like git.
> I claim baloney.
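
The quoted point about "signable trees" versus a monotonically increasing revision number comes down to what a signature can bind. The following is an added example, written for this page and not code from anyone in the thread or from FreeBSD, git or monotone. It builds a git-style content-addressed tree id over a small constructed source tree (SHA-256 rather than git's SHA-1, an assumption that does not affect the argument), signs a release statement over it (HMAC with a constructed key stands in for a real public-key signature), and shows that a tampered checkout fails verification while the revision number alone cannot tell the two trees apart. All names, the sample files and the revision number are constructed.

```python
import copy
import hashlib
import hmac

# Constructed sample source tree (not real FreeBSD sources): a name maps to
# bytes for a file, or to a dict for a subdirectory.
SAMPLE_TREE = {
    "Makefile": b"all:\n\t@echo build\n",
    "sys": {
        "kern": {
            "init_main.c": b"int main(void) { return 0; }\n",
        },
    },
}

# Hypothetical release-engineer key. HMAC stands in for a real public-key
# signature (for example a signed git tag); the binding argument is the same.
RELEASE_KEY = b"constructed-demo-key"


def blob_id(data: bytes) -> str:
    """Content id of one file, in the shape of a git blob object."""
    header = b"blob %d\x00" % len(data)
    return hashlib.sha256(header + data).hexdigest()


def tree_id(entries: dict) -> str:
    """Content id of a directory: a hash over the sorted (mode, id, name) rows,
    so every byte of every file and every path feeds the root id, and the
    result does not depend on the order entries were inserted."""
    rows = []
    for name in sorted(entries):
        value = entries[name]
        if isinstance(value, dict):
            rows.append(f"40000 tree {tree_id(value)} {name}")
        else:
            rows.append(f"100644 blob {blob_id(value)} {name}")
    body = "\n".join(rows).encode()
    header = b"tree %d\x00" % len(body)
    return hashlib.sha256(header + body).hexdigest()


def sign_release(entries: dict, revision: int, key: bytes = RELEASE_KEY) -> dict:
    """Produce a release statement binding a revision number to a tree id."""
    root = tree_id(entries)
    msg = f"release r{revision} tree {root}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"revision": revision, "tree": root, "tag": tag}


def verify_release(entries: dict, statement: dict, key: bytes = RELEASE_KEY) -> bool:
    """Recompute the tree id from the checked-out sources and check the tag.
    Returns False if any file was altered, added, removed or renamed, or if
    the statement itself was altered."""
    root = tree_id(entries)
    msg = f"release r{statement['revision']} tree {root}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return root == statement["tree"] and hmac.compare_digest(expected, statement["tag"])


def tampered_copy(entries: dict) -> dict:
    """Constructed tamper case: a few bytes appended to one file deep in the tree."""
    t = copy.deepcopy(entries)
    t["sys"]["kern"]["init_main.c"] += b"/* x */\n"
    return t


if __name__ == "__main__":
    stmt = sign_release(SAMPLE_TREE, revision=12345)  # constructed revision number
    bad = tampered_copy(SAMPLE_TREE)
    print("clean checkout verifies:   ", verify_release(SAMPLE_TREE, stmt))
    print("tampered checkout verifies:", verify_release(bad, stmt))
    # The revision counter is identical for both trees; only the tree id differs.
    print("revision:", stmt["revision"], "tree ids differ:", tree_id(bad) != stmt["tree"])
```

The tree id is what a signature has to cover for "traceable back to the source repository" to mean anything: a counter such as an svn revision number can be signed too, but it names a state of a server rather than the bytes in your checkout, so it cannot detect a changed file by itself.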
