  2. 4

    I’m interested in the Cargo ports feature. I’m not that familiar with FreeBSD Ports but based on this description:

    Each port’s Makefile automatically fetches the application source code, either from a local disk, CD-ROM or via ftp, unpacks it on your system, applies the patches, and compiles. If all went well, a simple make install will install the application and register it with the package system.

    It sounds like FreeBSD lends a higher level of trust to 3rd party sites, in this case Rust’s crates.io. Is there any implied level of security when it comes to ports?

    On the other hand, Debian has a pretty high bar for entry into its repositories. The Debian Rust packaging policy seems to require each Cargo library to be its own Debian package. More importantly there is no network allowed when building Debian packages; they must be self contained within the package’s own source code + Debian’s package repository. So as far as I know, Rust libraries/applications are almost nonexistent in Debian, since so many of them depend on the Cargo ecosystem.

    I certainly hope this improves somehow, on the Debian side. Is it just a matter of getting people to do the grunt work of packaging crates for Debian? I can’t imagine Debian changing their policy to become lax toward third party code repositories.

    1. 3

      It sounds like FreeBSD lends a higher level of trust to 3rd party sites, in this case Rust’s crates.io. Is there any implied level of security when it comes to ports?

      Yes, sort of. There is a checksum for the distfiles fetched and the ports committer is somewhat vetted and trusted to not be committing malware into the tree. The official package building infra (using the poudriere tool) is sandboxed/jailed with no network access, so the fetching of the distfile(s) happens before going into the sandbox and from that point forward it’s not possible for any of the build toolchain for the software to reach out to the internet and fetch files or send data. It’s pretty secure.

      I haven’t looked at USES=cargo yet, but I don’t expect anything nefarious to be going on.
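As an added example (not code from this thread or from the ports framework itself), here is a small Python check of the step the comment above relies on: a fetched distfile is compared against the SHA256 and SIZE lines of a port's distinfo file before any build runs, so a tampered or truncated download fails before the sandbox sees it. The distfile name and contents are constructed, and the distinfo line shape (`SHA256 (name) = hex`, `SIZE (name) = n`, `TIMESTAMP = n`) is assumed to follow the ports tree.

```python
# Added example: verify a fetched distfile against the SHA256/SIZE lines of a
# FreeBSD ports distinfo file. Sample data below is constructed, not real.
import hashlib
import re

# Assumed distinfo line shape: "SHA256 (name) = hex" and "SIZE (name) = n";
# the "TIMESTAMP = n" line carries no integrity data and is skipped.
_LINE = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text):
    """Return {distfile: {"SHA256": hex, "SIZE": int}} parsed from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # TIMESTAMP, blank and unknown lines are ignored
        kind, name, value = m.group(1), m.group("name"), m.group("value")
        entry = entries.setdefault(name, {})
        entry[kind] = int(value) if kind == "SIZE" else value.lower()
    return entries


def verify_distfile(distinfo, name, data):
    """Return (ok, reason). Size is checked first, then the SHA256 digest."""
    entry = distinfo.get(name)
    if entry is None or "SHA256" not in entry or "SIZE" not in entry:
        return False, "no complete distinfo entry"
    if len(data) != entry["SIZE"]:
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != entry["SHA256"]:
        return False, "checksum mismatch"
    return True, "ok"


# Constructed sample: a fake distfile and the distinfo describing it.
SAMPLE_DISTFILE = b"example-1.0 tarball bytes (constructed)\n"
SAMPLE_DISTINFO = (
    "TIMESTAMP = 1600000000\n"
    f"SHA256 (example-1.0.tar.gz) = {hashlib.sha256(SAMPLE_DISTFILE).hexdigest()}\n"
    f"SIZE (example-1.0.tar.gz) = {len(SAMPLE_DISTFILE)}\n"
)

if __name__ == "__main__":
    info = parse_distinfo(SAMPLE_DISTINFO)
    print(verify_distfile(info, "example-1.0.tar.gz", SAMPLE_DISTFILE))
    print(verify_distfile(info, "example-1.0.tar.gz", SAMPLE_DISTFILE + b"x"))
```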

      1. 3

        It sounds like FreeBSD lends a higher level of trust to 3rd party sites, in this case Rust’s crates.io. Is there any implied level of security when it comes to ports?

        I don’t think so. Because Rust tends to have lots of dependencies via cargo, it’s very inconvenient to package up each dependency independently or fetch them all. I think it is for convenience, similar to the USE_GITHUB or MASTER_SITES option.

      2. 1

        The next step was to remove the $FreeBSD$ strings from the source files and remove the FreeBSD=%H property that forces Subversion, against its better judgement, to substitute text in the actual contents of the file.

        I don’t disagree with this change itself. I just wish they’d done this before I spent quite some time on introducing custom keyword support to SVN just for FreeBSD…

        Edit: OK, reading over this again it seems this only affects source files for documentation. Fair enough :)

        1. 1

          “FreeBSD continues to defy the rumors of its demise.” That’s a strange opening statement, or did I miss something?

          1. 2

            It’s a reference to the long standing BSD is dying joke.

            1. 3

              “OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let’s see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.”

              Oh wow. This kind of mathematical analysis on determining the number of users/systems could get whoever wrote that a job at the RIAA.

              1. 2

                Fewer than I would have guessed. Thin ice.

              2. 1

                Ha! Shows how much I know… Funny though.