Security Issues using Homebrew or Macports, malicious binary insertion

Rainer Müller raimue at macports.org
Sun Nov 11 18:31:01 UTC 2018


On 06.11.18 23:29, Nicholas Papadonis wrote:
> Do you know anything about the process to integrate new source code,
> review changes that are Mac specific, mark branches stable, build and
> release?  Do particular users have privileged access to be part of this
> process?

There are no special privileges with regard to any part of the ports
tree or base development. All project members have the same access
level. Things that are only handled by the infrastructure team would be
server administration and ownership of the GitHub project.

Code review happens over pull requests on GitHub and also the mailing
list macports-changes [1], where all commits to base and ports are
announced. Note there are only a handful of regular base developers.

Creation of new base branches is usually announced on the macports-dev
mailing list [2]. For new 2.x.0 releases, we usually have several release
candidates first, for which everyone should feel invited to test the
changes.

> I suspect this is an issue with any open source project, however am
> curious how MacPorts itself ensures the code from the project makes it
> to release as original as possible.  I hope these are the right
> questions to ask from a security standpoint.

Hm, I do not think there is anything special in place. Whoever signs a
MacPorts base release has also built the binaries. We have to trust the
release builder in the same way any user that receives such a package
installer has to trust them.

Rainer

[1] https://lists.macports.org/mailman/listinfo/macports-changes
[2] https://lists.macports.org/mailman/listinfo/macports-dev


More information about the macports-users mailing list