Date: Tue, 27 Apr 2004 19:54:36 +0200
From: Marius Strobl <marius@alchemy.franken.de>
To: Colin Percival <colin.percival@wadham.ox.ac.uk>
Cc: freebsd-current@freebsd.org
Subject: Re: Removing NOCRYPT
Message-ID: <20040427195436.D11722@newtrinity.zeist.de>
In-Reply-To: <6.1.0.6.1.20040427094029.03d3d218@popserver.sfu.ca>; from colin.percival@wadham.ox.ac.uk on Tue, Apr 27, 2004 at 10:08:30AM +0100
References: <6.1.0.6.1.20040427094029.03d3d218@popserver.sfu.ca>

On Tue, Apr 27, 2004 at 10:08:30AM +0100, Colin Percival wrote:
>    I would like to remove the NOCRYPT option from FreeBSD before
> 5.3-RELEASE.  There are a number of good reasons for doing this:
>
> 1. NOCRYPT is almost completely untested, and in the past it has
> often broken (for example, there was a recent release where it
> was impossible to pkg_add without the cryptographic libraries.)
>
> 2. NOCRYPT has outlived its original purpose.  The separation of
> cryptographic code from non-cryptographic code is a result of
> "munitions" export restrictions in the US which were changed a
> long time ago.
>
> 3. NOCRYPT causes major headaches.  With the Kerberos options
> removed (or rather, Kerberos 4 removed and Kerberos 5 made
> mandatory) this is the only remaining option which can result
> in certain files from the FreeBSD world existing in multiple
> entirely different forms.  Most obviously, this complicates

For telnet(1) and telnetd(8) you currently can have three different
versions:

kerberized telnet - default build
"secure" telnet - built when only NO_KERBEROS is defined
"unsecure" telnet - built when NOCRYPT or NO_OPENSSL is defined

NO_OPENSSL is a subset of NOCRYPT, the difference over NO_OPENSSL is
that libcrypt doesn't include DES and Blowfish and some crypto LKMs
don't get built when NOCRYPT is defined.
So one can argue if either NO_OPENSSL or NOCRYPT can be removed (I'd
vote for NOCRYPT to be removed) but that most likely won't solve your
problem that certain files can exist in different forms.

> release-building; it also adds significant complications to
> FreeBSD Update.
>
>    If anyone has a really good reason for keeping the NOCRYPT
> option, please let me know.  In particular, I'd like to hear
> from anyone who is actually running a NOCRYPT world.
>

FYI, I use a world built with NO_OPENSSL on most machines so I catch
most of the world problems that would also affect NOCRYPT.