Date: Thu, 15 Mar 2001 09:14:50 -0800
From: Brooks Davis <brooks@one-eyed-alien.net>
To: freebsd-arch@FreeBSD.ORG
Subject: Re: [PATCH] add a SITE MD5 command to ftpd
Message-ID: <20010315091450.B30551@Odin.AC.HMC.Edu>
In-Reply-To: <20010314185026.C7683@dragon.nuxi.com>; from TrimYourCc@NUXI.com on Wed, Mar 14, 2001 at 06:50:26PM -0800
References: <20010314084651.A23104@ringworld.oblivion.bg> <200103142342.QAA09233@usr08.primenet.com> <20010314161555.A4984@Odin.AC.HMC.Edu> <20010314185026.C7683@dragon.nuxi.com>

On Wed, Mar 14, 2001 at 06:50:26PM -0800, David O'Brien wrote:
> On Wed, Mar 14, 2001 at 04:15:55PM -0800, Brooks Davis wrote:
> > I'm, frankly, completely mystified by the various comments about this not
> > being a security feature. Of course it's not. That's blindly obvious.
>
> I disagree it is blindly obvious. It wasn't to some I've talked to.
> We've ended up associating a "security nature" to MD5. Thus when people
> see that name, they make assumptions.

I'll give you that a number of smart people didn't get it very quickly,
but I'll also say, and I'm still mystified that they thought this. If
you tried to use it as one you wouldn't get very far since there's
nothing to do.

> How?? are clients going to take advantage of it? For the majority of FTP
> clients want to fetch the file, so why ask for an MD5 of it? Are you
> thinking about checking the xfer was OK? That's the only use I can think
> of. The other uses people have mentioned are very, very specific to a
> single task done by the FreeBSD Project.

Checking distfiles for unnumbered re-rolls, mirroring files whose names
don't change but whose contents do. Checking the xfer could also be
useful, especially for people with truly crappy links. Your average
client isn't going to have much if any use for it at all.

> Since making a loadable Apache module is so much less intrusive, I call
> on those wanting to experiment with this feature to do this thru this
> path. If you can get the Apache people to either bundle the module as a
> standard thing, or convince large sites to load it; THEN hack ftpd.

I don't see why you are objecting. If it's added AND it actually turns
out to be useful then it would have to be added to lukem ftpd before we
used it, but we haven't proven it one way or another and it's not like
it's a hugely complicated feature requiring a major restructuring of
code. In many respects FreeBSD's ftpd is the perfect place to test a new
feature because if the feature turns out to be less than useful the
impending ftpd replacement is a perfect excuse to kill the feature. As
far as I can tell, as long as you can turn it off to avoid trashing your
underpowered, high usage system it's entirely harmless.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4