Date: Tue, 27 Apr 2004 18:21:41 +0300
From: Ruslan Ermilov <ru@freebsd.org>
To: Colin Percival <colin.percival@wadham.ox.ac.uk>
Cc: freebsd-current@freebsd.org
Subject: Re: Removing NOCRYPT
Message-ID: <20040427152141.GE65943@ip.net.ua>
In-Reply-To: <6.1.0.6.1.20040427094029.03d3d218@popserver.sfu.ca>
References: <6.1.0.6.1.20040427094029.03d3d218@popserver.sfu.ca>

On Tue, Apr 27, 2004 at 10:08:30AM +0100, Colin Percival wrote:
> I would like to remove the NOCRYPT option from FreeBSD before
> 5.3-RELEASE. There are a number of good reasons for doing this:
>
This should probably be discussed on -arch.

> 1. NOCRYPT is almost completely untested, and in the past it has
> often broken (for example, there was a recent release where it
> was impossible to pkg_add without the cryptographic libraries.)
>
You obviously mean "untested by running", since "testing by compiling"
is done every time you build a snapshot.

> 2. NOCRYPT has outlived its original purpose. The separation of
> cryptographic code from non-cryptographic code is a result of
> "munitions" export restrictions in the US which were changed a
> long time ago.
>
> 3. NOCRYPT causes major headaches. With the Kerberos options
> removed (or rather, Kerberos 4 removed and Kerberos 5 made
> mandatory) this is the only remaining option which can result
> in certain files from the FreeBSD world existing in multiple
> entirely different forms. Most obviously, this complicates
> release-building; it also adds significant complications to
> FreeBSD Update.
>
I think it's in a pretty normal form now, though I agree this
complicates things, but that's the price for flexibility.

> If anyone has a really good reason for keeping the NOCRYPT
> option, please let me know. In particular, I'd like to hear
> from anyone who is actually running a NOCRYPT world.
>
My first and only argument is that it is extremely useful for
embedded environments, where space is an issue, and crypto code
occupies a lot of space. Perhaps also there are still some legal
issues in some countries, but I'm not sure, and will let the
"security-aware persons" comment on this. Mark?

Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer