From: Roger Leigh <rleigh@codelibre.net>
To: freebsd-stable@freebsd.org
Subject: Re: Deprecating base system ftpd?
Date: Mon, 5 Apr 2021 19:27:23 +0100
Message-Id: <425D60FC-3A9A-4DFA-B793-13B821AFDA7D@codelibre.net>

On 3 Apr 2021, at 22:21, Eugene Grosbein wrote:
>
> 04.04.2021 3:39, Ed Maste wrote:
>
>> I propose deprecating the ftpd currently included in the base system
>> before FreeBSD 14, and opened review D26447
>> (https://reviews.freebsd.org/D26447) to add a notice to the man page.
>> I had originally planned to try to do this before 13.0, but it dropped
>> off my list. FTP is not nearly as relevant now as it once was, and it
>> had a security vulnerability that secteam had to address.
>>
>> I'm happy to make a port for it if anyone needs it. Comments?
>
> I'm strongly against removal of the stock ftpd. FTP is the fastest protocol for both testing
> and daily file transfer for trusted isolated segments, and even for WAN wrapped in IPSec.
>
> Our stock ftpd has a very short backlog of security issues compared with other FTP server implementations,
> mostly linked with libc or other libraries and not with the ftpd code itself.
>
> Please don't fix what ain't broken. Please.

How would you draw the line between something that must be part of the base system vs. something that would be better off as part of the ports tree? What bar should ftpd have to meet to warrant remaining in base vs. moving to ports?

Personally, I’ve never enabled it nor had any desire to. FTP is, at this point in time, thoroughly obsolescent, and I cannot imagine that it is something that most people enable, if they are even aware of its existence. Why can’t it simply be installed from the ports for the occasional user who still requires it? Why should the base system contain obsolete stuff that few people will use? Surely the ports tree serves this need better?

Can I ask, for those who do enable it, why isn’t “sftp” acceptable (or “scp”)? Both provide a similar function, securely, and both work with a basic installation without any ports. SSHFXP, the protocol underlying sftp, is better specified, less ambiguous and more fault tolerant and safe than the FTP protocol ever was. The client is better than most ftp clients, and the server (/usr/libexec/sftp-server) is started on demand on a per-connection basis. What makes FTP more desirable than a service over SSH which is (from a technical and usability point of view) a better FTP than FTP ever was?

Kind regards,
Roger
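As an added example, not part of this thread and not FreeBSD project code, the following POSIX shell script gives an operator a quick way to answer the question raised above for a given host: is the base-system ftpd actually enabled (standalone via rc.conf, or via inetd), and does sshd already provide the sftp subsystem that would replace it? It assumes the FreeBSD default knobs and paths (ftpd_enable in /etc/rc.conf, the ftp line in /etc/inetd.conf, and the Subsystem sftp /usr/libexec/sftp-server line in /etc/ssh/sshd_config); the files it reads here are constructed samples so it runs offline, and the function names are this example's own.

```shell
#!/bin/sh
# Audit whether the base-system ftpd is enabled and whether sshd already
# serves sftp. Added example; the sample config files below are constructed.
set -u

# Returns 0 when rc.conf (arg 1) enables the standalone ftpd daemon.
ftpd_rc_enabled() {
    grep -E '^[[:space:]]*ftpd_enable[[:space:]]*=[[:space:]]*"?[Yy][Ee][Ss]"?' "$1" >/dev/null 2>&1
}

# Returns 0 when inetd.conf (arg 1) has an uncommented ftp service line.
ftpd_inetd_enabled() {
    grep -E '^[[:space:]]*ftp[[:space:]]+stream[[:space:]]+tcp' "$1" >/dev/null 2>&1
}

# Returns 0 when sshd_config (arg 1) has an uncommented sftp Subsystem line.
sftp_subsystem_enabled() {
    grep -E '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$1" >/dev/null 2>&1
}

# Prints one line per finding. Returns 1 only in the case an operator would
# want flagged before removing ftpd: FTP is on and no sftp subsystem exists.
audit_ftp_services() {
    rc="$1"; inetd="$2"; sshd="$3"
    ftp_on=0; sftp_on=0
    if ftpd_rc_enabled "$rc"; then
        echo "ftpd enabled as a daemon via rc.conf (ftpd_enable)"; ftp_on=1
    fi
    if ftpd_inetd_enabled "$inetd"; then
        echo "ftpd enabled via inetd.conf"; ftp_on=1
    fi
    if sftp_subsystem_enabled "$sshd"; then
        echo "sftp subsystem active in sshd_config"; sftp_on=1
    else
        echo "no sftp subsystem in sshd_config"
    fi
    if [ "$ftp_on" -eq 1 ] && [ "$sftp_on" -eq 0 ]; then
        echo "FTP is served but sftp is not: configure sshd before disabling ftpd"
        return 1
    fi
    return 0
}

# Constructed sample files standing in for /etc/rc.conf, /etc/inetd.conf
# and /etc/ssh/sshd_config on a hypothetical host.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/rc.conf" <<'EOF'
# constructed sample: ftpd runs as a standalone daemon
sshd_enable="YES"
ftpd_enable="YES"
EOF

cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
# constructed sample: the ftp entry is commented out
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
EOF

cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# constructed sample: sftp subsystem enabled (FreeBSD default line)
Subsystem       sftp    /usr/libexec/sftp-server
EOF

cat > "$SAMPLE_DIR/sshd_config.nosftp" <<'EOF'
# constructed sample: sftp subsystem commented out
#Subsystem      sftp    /usr/libexec/sftp-server
EOF

if audit_ftp_services "$SAMPLE_DIR/rc.conf" "$SAMPLE_DIR/inetd.conf" "$SAMPLE_DIR/sshd_config"; then
    echo "result: ftpd can be disabled without losing file transfer"
else
    echo "result: review sshd_config first"
fi
```

On a real host, point the three arguments at /etc/rc.conf, /etc/inetd.conf and /etc/ssh/sshd_config; the checks are deliberately read-only so they can be run from an audit account.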