From: Ruslan Ermilov
To: Colin Percival
Cc: freebsd-current@freebsd.org
Date: Tue, 27 Apr 2004 18:21:41 +0300
Subject: Re: Removing NOCRYPT
Message-ID: <20040427152141.GE65943@ip.net.ua>
In-Reply-To: <6.1.0.6.1.20040427094029.03d3d218@popserver.sfu.ca>

On Tue, Apr 27, 2004 at 10:08:30AM +0100, Colin Percival wrote:
> I would like to remove the
> NOCRYPT option from FreeBSD before
> 5.3-RELEASE. There are a number of good reasons for doing this:
>

This should probably be discussed on -arch.

> 1. NOCRYPT is almost completely untested, and in the past it has
> often broken (for example, there was a recent release where it
> was impossible to pkg_add without the cryptographic libraries.)
>

You obviously mean "untested by running", since "testing by compiling"
is done every time you build a snapshot.

> 2. NOCRYPT has outlived its original purpose. The separation of
> cryptographic code from non-cryptographic code is a result of
> "munitions" export restrictions in the US which were changed a
> long time ago.
>
> 3. NOCRYPT causes major headaches. With the Kerberos options
> removed (or rather, Kerberos 4 removed and Kerberos 5 made
> mandatory) this is the only remaining option which can result
> in certain files from the FreeBSD world existing in multiple
> entirely different forms. Most obviously, this complicates
> release-building; it also adds significant complications to
> FreeBSD Update.
>

I think it's in a pretty normal form now, though I agree this
complicates things, but that's the price for flexibility.

> If anyone has a really good reason for keeping the NOCRYPT
> option, please let me know. In particular, I'd like to hear
> from anyone who is actually running a NOCRYPT world.
>

My first and only argument is that it is extremely useful for
embedded environments, where space is an issue, and crypto code
occupies a lot of space. Perhaps also there are still some legal
issues in some countries, but I'm not sure, and will let the
"security-aware persons" comment on this. Mark?

Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer