At least you can easily build your entire user land and kernel (and ports) on FreeBSD. It's very straightforward compared to Linux distros (Gentoo/Arch somewhat excluded I guess). I suppose this isn't much consolation if you're worried about the upstream svn repo itself..... Generally I trust that svn updates are not pulling down back doored code. I don't have the time (or the capacity) to read through all of /usr/src....
Trying to use ports built from source alongside prebuilt binaries from pkg is a complete fucking nightmare on FreeBSD. I routinely have to hack the pkg SQLite db file to make pkg audits reflect the actual state of my system. Need to invest some time in poudriere....

John

> On Sep 16, 2016, at 2:29 PM, grarpamp <grarp...@gmail.com> wrote:
>
>> On Fri, Sep 16, 2016 at 1:18 PM, Georgi Guninski <gunin...@guninski.com>
>> wrote:
>> Is Debian _still_ vulnerable to automatic updates, it used to be?:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820698;msg=5
>> Debian's Firefox/iceweasel in a VM still gives warnings about autoupdates of
>> addons
>> when started from terminal (otherwise they are not visible ;) )
>
> Here's FreeBSD's take on the issue...
> https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html
>
> Never mind that they still [1] don't have their release ISOs and everything
> else fully reproducible and cryptographically traceable back to
> their source repository, in part because their silly choice of repo (svn)
> isn't capable of establishing cryptographic provenance over, and distribution
> of, the source, so unlike signable trees in git or monotone there's a big gaping
> disconnect there. Though they are making good progress on reproducibility.
>
> Oh, and OpenBSD still uses cvs for code authenticity, lol.
>
> Don't mistake this to mean that Linux distroland and model is anything
> close to secure either. It's probably much worse.
>
> [1] They claim signed / hashed ISOs and packages, and
> server / filesystem / committer / sysadmin security / integrity
> are backtraceable and sufficient. And that monotonically increasing
> numeric commit revIDs and 'workflow' prevent using something like git.
> I claim baloney.
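The provenance point made in the quoted reply, shown concretely as an added example (not code from this thread, from FreeBSD or from git itself): a minimal re-implementation of git's content-addressed blob/tree/commit hashing. A head commit id binds every file in every earlier snapshot, so altering history changes the id a signature would cover, while an svn-style sequential revision number is unchanged by the same alteration. Author/committer fields and the sample file contents are constructed placeholders.

```python
import hashlib
from typing import Optional

def git_hash(kind: str, payload: bytes) -> str:
    """Hash an object the way git does: '<type> <len>\\0' + content, SHA-1."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()

def tree_id(files: dict) -> str:
    """Tree object: '<mode> <name>\\0' + 20-byte blob id per entry, sorted by name."""
    entries = b""
    for name in sorted(files):
        blob = git_hash("blob", files[name])
        entries += f"100644 {name}\0".encode() + bytes.fromhex(blob)
    return git_hash("tree", entries)

def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    """Commit object: tree id, optional parent id, placeholder author/committer, message."""
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += ["author A <a@example.invalid> 0 +0000",
              "committer A <a@example.invalid> 0 +0000", "", message]
    return git_hash("commit", "\n".join(lines).encode() + b"\n")

def head_after_history(history) -> tuple:
    """history: list of {path: bytes} snapshots, oldest first.
    Returns (git head commit id, svn-style revision label) for comparison."""
    parent = None
    for n, snapshot in enumerate(history, start=1):
        parent = commit_id(tree_id(snapshot), parent, f"commit {n}")
    return parent, f"r{len(history)}"

def tamper_demo() -> tuple:
    """Constructed two-snapshot history, then the same history with the OLDER
    snapshot silently altered; returns both (head id, revision) pairs."""
    clean = [{"Makefile": b"all:\n", "main.c": b"int main(void){return 0;}\n"},
             {"Makefile": b"all:\n", "main.c": b"int main(void){return 1;}\n"}]
    tampered = [dict(clean[0], **{"main.c": b"int main(void){return 2;}\n"}),
                clean[1]]
    return head_after_history(clean), head_after_history(tampered)

if __name__ == "__main__":
    (h_clean, r_clean), (h_bad, r_bad) = tamper_demo()
    print("git head (clean):   ", h_clean)
    print("git head (tampered):", h_bad)
    print("svn rev (clean/tampered):", r_clean, r_bad)  # identical: r2 r2
```

A signature over the clean head id fails to cover the tampered history, whereas nothing in the revision number r2 distinguishes the two.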