> Around three months ago, a post was published (mirror) on GitHub's Gist service. In the report, multiple vulnerabilities against portsnap, freebsd-update, bspatch, and libarchive were detailed. To this date, FreeBSD has been silent on official mailing lists.

Why didn't the poster file the bugs in the FreeBSD bug tracker and/or contact the FreeBSD security team? Even posting to the mailing list would have been better than posting on some random GitHub page. I don't think you can fault the FreeBSD people for not seeing some random post online.
If you're interested in securing software update systems, check out The Update Framework. TUF is the only system I'm aware of that has a comprehensive threat model for the problem of securely distributing software updates.

https://theupdateframework.github.io
> The libarchive vulnerabilities could allow a malicious third-party to distribute update archives that could place arbitrary files on the filesystem.

Why do people keep doing this crap every time they re-invent the packaging wheel? And it's particularly awful from something purporting to be more secure than vanilla FreeBSD (which generally purports to be "better engineered" than Linux, where sane behaviour for distributing binaries is a long-solved problem).
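The "arbitrary files on the filesystem" failure mode quoted above is the classic archive path-escape: member names with leading `/` or `..` components, or links whose target points outside the extraction root. As an added example (not code from the thread, from libarchive, or from the FreeBSD update tools), here is the check an updater should run on every member before writing it. The function names `member_is_safe` and `safe_extract`, and the sample archive contents, are assumptions constructed for illustration.

```python
import io
import os
import tarfile
import tempfile


def _inside(root: str, path: str) -> bool:
    """True if `path` (already resolved) lies within `root` (already resolved)."""
    return os.path.commonpath([root, path]) == root


def member_is_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """Return True only if extracting `member` cannot touch anything outside `dest`.

    Paths are resolved with realpath at check time, so a symlink written by an
    earlier member that points outside `dest` is caught when a later member
    tries to write through it.
    """
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, member.name))
    if not _inside(root, target):
        return False  # absolute name or '..' traversal
    if member.issym():
        # a symlink's target is relative to the directory containing the link
        link = os.path.realpath(os.path.join(os.path.dirname(target), member.linkname))
        return _inside(root, link)
    if member.islnk():
        # a hard link's target is relative to the archive root
        return _inside(root, os.path.realpath(os.path.join(root, member.linkname)))
    if member.isdev() or member.isfifo():
        return False  # device nodes and fifos have no place in a package
    return True


def safe_extract(tar_bytes: bytes, dest: str):
    """Extract only members that pass member_is_safe; return (extracted, rejected) names."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar:
            if not member_is_safe(member, dest):
                rejected.append(member.name)
                continue
            target = os.path.join(dest, member.name)
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            elif member.isreg():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(member) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            elif member.issym():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                os.symlink(member.linkname, target)
            elif member.islnk():
                os.link(os.path.join(dest, member.linkname), target)
            extracted.append(member.name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample update archive (not from any real update); mixes benign and hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("usr/local/bin/tool", b"#!/bin/sh\necho ok\n")  # benign
        add_file("../../etc/evil.conf", b"x\n")                   # '..' traversal
        add_file("/etc/passwd", b"x\n")                            # absolute path
        sym = tarfile.TarInfo("usr/local/etc/link")                # symlink escaping dest
        sym.type = tarfile.SYMTYPE
        sym.linkname = "/etc/hosts"
        tar.addfile(sym)
        alias = tarfile.TarInfo("usr/local/bin/alias")             # symlink staying inside dest
        alias.type = tarfile.SYMTYPE
        alias.linkname = "tool"
        tar.addfile(alias)
    return buf.getvalue()


def demo():
    """Extract the constructed sample into a throwaway directory and return the verdicts."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_archive(), dest)


if __name__ == "__main__":
    extracted, rejected = demo()
    print("extracted:", extracted)
    print("rejected: ", rejected)
```

The check is deliberately done per member immediately before it is written, not once over the member list up front: an archive can first plant a symlink inside the destination and then write "through" it, and only a check against the filesystem state at write time catches that second step.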