Date:      Mon, 5 Apr 2021 08:57:02 -0600
From:      Alan Somers <asomers@freebsd.org>
To:        Cy Schubert <Cy.Schubert@cschubert.com>
Cc:        Ed Maste <emaste@freebsd.org>, freebsd-stable stable <freebsd-stable@freebsd.org>
Subject:   Re: Deprecating base system ftpd?
Message-ID:  <CAOtMX2jjL0Kgmv2WsGQhEBm46pNPn-Ni=UfSi=1MDW=-asgbpQ@mail.gmail.com>
In-Reply-To: <202104051444.135EixF6025306@slippy.cwsent.com>
References:  <CAPyFy2AbP2X339zbemZ9Y8edjNKdyygnR9mH48Q78nxwDtOBAg@mail.gmail.com> <202104051444.135EixF6025306@slippy.cwsent.com>

On Mon, Apr 5, 2021 at 8:45 AM Cy Schubert <Cy.Schubert@cschubert.com>
wrote:

> In message
> <CAPyFy2AbP2X339zbemZ9Y8edjNKdyygnR9mH48Q78nxwDtOBAg@mail.gmail.com>,
> Ed Maste writes:
> > I propose deprecating the ftpd currently included in the base system
> > before FreeBSD 14, and opened review D26447
> > (https://reviews.freebsd.org/D26447) to add a notice to the man page.
> > I had originally planned to try to do this before 13.0, but it dropped
> > off my list. FTP is not nearly as relevant now as it once was, and it
> > had a security vulnerability that secteam had to address.
>
> I think this is an excellent start. My shopping list includes:
>
> - remove ftp(1)
> - remove ftpd(8)
> - remove telnet(1)
> - remove telnetd(8)
> - remove ftp:// and http:// from libfetch. This is 2021 and we should all
> use https://.
>

Whoa there!  You can't remove ftp and http from libfetch, because FreeBSD
doesn't control all of the servers that our users need to fetch from.  Not
even close.


> - replace DNS lookups with DoH and/or DoT. Why let your ISP see your DNS
> traffic?
>
> >
> > I'm happy to make a port for it if anyone needs it. Comments?
>
> I've started working on splitting ftp and ftpd into an external git repo.
> The problem I've encountered is that though only ftp and ftpd are left the
> resultant repo is still 1.2 GB. If my last attempt fails and there is a
> choice between a 1.2 GB repo and burning ftp forever, then the choice is
> clear: burn it forever.
>
> Adding the following as an option:
>
> Also note that the tnftp ports are the NetBSD ftp and ftpd. The FreeBSD
> ftp and ftpd are simply copies of tnftp and tnftpd. Would it make more
> sense to share our customizations with NetBSD and we simply rely on NetBSD
> for the client and server in our ports? This last option might be simpler
> than creating a port.
>

Maybe, but that would be an impediment to adding Capsicum support.


>
> Personally, I'd suggest we remove the ftpd server *AND* ftp client and
> rely on ports. Having worked on UNIX, Internet security, and firewalls
> over the last 3/5 of my almost 50 year career, I have lamented the
> existence of the FTP protocol back in 1995 and I hate the FTP protocol
> with a greater passion today. Let's simply remove all vestiges of FTP from
> the base system, including libfetch, sooner than later. We don't need it
> now that we have HTTPS and POST; and sftp.
>
> I think we should make it our goal to remove any and all unencrypted
> protocols from FreeBSD by 2025.
>

tftpd is still vitally important for PXE booting.  And unencrypted NFS will
certainly live on past 2025.

-Alan
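Before deciding which of the cleartext daemons discussed in this thread (ftpd, telnetd, tftpd) can go, an administrator usually wants to know which ones a host actually has switched on. The following is an added example, not code from the thread or from FreeBSD itself: a small POSIX sh/awk check that reads an inetd.conf(5)-style file and reports the enabled cleartext services, ignoring commented-out entries and collapsing the tcp/tcp6 duplicates that inetd.conf commonly carries. The sample file contents are constructed for the example; the service names and the six-or-more-field inetd.conf layout are the only assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeBSD source tree).
# Report which cleartext services are enabled in an inetd.conf-style file.
# Assumption: inetd.conf(5) layout, one service per line:
#   service socktype proto wait/nowait user program [args]
# Lines starting with '#' are disabled entries and are ignored.

cleartext_services_enabled() {
    # $1: path to an inetd.conf-style file
    # Prints one service name per line (ftp, telnet, tftp), each at most once,
    # even if the file lists both tcp and tcp6 (or udp and udp6) entries.
    awk '
        /^[[:space:]]*#/ { next }   # commented out: disabled
        NF < 6            { next }   # too few fields: not a service line
        $1 == "ftp" || $1 == "telnet" || $1 == "tftp" {
            if (!seen[$1]++) print $1
        }
    ' "$1"
}

# Constructed sample inetd.conf for demonstration: ftp is disabled,
# telnet is enabled on both tcp and tcp6, tftp is enabled (PXE boot),
# and ssh is enabled but is not a cleartext service.
sample_inetd_conf() {
    cat <<'EOF'
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
tftp    dgram   udp     wait    root    /usr/libexec/tftpd      tftpd -l -s /tftpboot
ssh     stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i
EOF
}

# Stand-alone run: write the sample to a temp file and report on it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) || exit 1
    sample_inetd_conf > "$tmp"
    echo "Enabled cleartext services in $tmp:"
    cleartext_services_enabled "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh check.sh --demo` for the built-in sample, or call `cleartext_services_enabled /etc/inetd.conf` on a real host. The check is deliberately only about inetd-spawned services; a daemon started via rc.conf (for example ftpd_enable="YES") would need a separate check against that file.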



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOtMX2jjL0Kgmv2WsGQhEBm46pNPn-Ni=UfSi=1MDW=-asgbpQ>