From: Ruben van Staveren
Subject: Re: Deprecating base system ftpd?
Date: Mon, 5 Apr 2021 14:10:09 +0200
To: freebsd-stable stable
Message-Id: <38DE0531-1572-43DD-BA53-ECB3EF52FA3F@verweg.com>

> On 3 Apr 2021, at 22:39, Ed Maste wrote:
>
> I propose deprecating the ftpd currently included in the base system
> before FreeBSD 14, and opened review D26447
> (https://reviews.freebsd.org/D26447) to add a notice to the man page.
> I had originally planned to try to do this before 13.0, but it dropped
> off my list. FTP is not nearly as relevant now as it once was, and it
> had a security vulnerability that secteam had to address.
>
> I'm happy to make a port for it if anyone needs it. Comments?

Make it a port

It is time to deprecate ftp altogether, and any other protocols that embed protocol information in layer 7, thus hurting any #IPv6 migration and deployment technology (SIIT-DC e.g).

Hopefully the IETF can put up a deprecation notice, just as was done for e.g. TLS 1.0.

Then we move onward to the self regulating capacity of the community, warning each other on “you have ftp” running.

ftp, a protocol not using TLS protection but by adding it a netadmin needs to manage the port range in their firewalls too because clients behind nat can’t use passive mode with TLS as NAT can’t map things around ¯\_(ツ)_/¯

It is not worth the time and the hassle. Keep FTP(s) for legacy and internal, serve anyone else with https

Best Regards,
Ruben
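The layer-7 embedding discussed in the message above, as an added example that is not part of the original e-mail: it parses the FTP control-channel lines that carry a data-channel endpoint (RFC 959 `PORT` and `227`, RFC 2428 `EPRT` and `229`, which goes beyond the forms the message names) and marks each as unreadable to an on-path NAT or firewall once the server has accepted `AUTH TLS` with a `234` reply. The function names and the transcript are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 host-port is h1,h2,h3,h4,p1,p2; RFC 2428 uses delimiter-separated fields.
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT = re.compile(r"^(?:PORT\s+|227\s.*?)" + _HP, re.I)
_EPRT = re.compile(r"^EPRT\s+([!-~])([12])\1(.+?)\1(\d{1,5})\1\s*$", re.I)
_R229 = re.compile(r"^229\s.*\(([!-~])\1\1(\d{1,5})\1\)")


def embedded_endpoint(line):
    """Return (kind, address, port) carried in one control line, or None."""
    m = _PORT.match(line)
    if m:
        n = [int(g) for g in m.groups()]
        if max(n) > 255:
            return None
        return line[:4].upper().strip(), ".".join(map(str, n[:4])), n[4] * 256 + n[5]
    m = _EPRT.match(line)
    if m:
        try:
            addr = ipaddress.ip_address(m.group(3))
        except ValueError:
            return None
        ok = addr.version == (4 if m.group(2) == "1" else 6)
        return ("EPRT", str(addr), int(m.group(4))) if ok else None
    m = _R229.match(line)
    return ("229", None, int(m.group(2))) if m else None  # EPSV reply: port only


def scan_session(lines):
    """List endpoints and whether an on-path NAT/firewall could still read them."""
    encrypted, found = False, []
    for raw in lines:
        side, _, text = raw.partition(": ")
        ep = embedded_endpoint(text)
        if ep:
            found.append(ep + (not encrypted,))
        if side == "S" and text.startswith("234"):
            encrypted = True  # 234 accepts AUTH TLS; later lines are ciphertext
    return found


# Constructed transcript using documentation addresses (not captured traffic).
SESSION = [
    "C: PORT 192,0,2,10,195,80", "C: EPRT |2|2001:db8::10|50001|",
    "C: AUTH TLS", "S: 234 AUTH TLS successful",
    "S: 227 Entering Passive Mode (198,51,100,7,234,96)",
    "S: 229 Entering Extended Passive Mode (|||60001|)",
]
```

Each tuple from `scan_session(SESSION)` ends with a flag that is `True` while a middlebox could still read, and therefore rewrite or open a pinhole for, the embedded endpoint.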