Date: Thu, 12 Aug 2021 09:54:02 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 257767] Mk/bsd.sites.mk: Disable ftp protocol for fetch MASTER_SITES
Message-ID: <bug-257767-7788-or8ZSmyohz@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-257767-7788@https.bugs.freebsd.org/bugzilla/>
References: <bug-257767-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257767

--- Comment #7 from Loic <hackurx@gmail.com> ---
(In reply to Alexey Dokuchaev from comment #5)

> One does not verify distfiles' links with the browser

This is not written in the documentation and only makes sense if you check many URLs.

> It does not have to be secure for the purpose of distributing distfiles,
> their authenticity is ensured by SHA256 hashes which are checked on the receiving end.

Except that the user will have opened an insecure ftp connection as root that the attacker can exploit to gain access to the system.
The problem does not come from the download file itself.

> This is simply not true, there are plenty of FTP servers which are actively
> maintained as of today.

Some ports may be, but this is not the case for the base:
In the commit 674400eb20b65369a88b1cb778d729bc297832c9 very recent (Tue Jul 27 12:14:00 2021 -0600) the comment is "Delete code killed by SVN r13139 in 1996. Little chance that it would still compile today".
This shows how little interest there is at the moment.

For /usr.bin/ftp the last commit a598c4b809a73772d7452991213407cdac302156 is from 2017.

> How exactly removing a feature, even not very popular one, is *nice* to the users of the Ports Collection?

This simplified the firewall rules and increased security for the system administrator using Poudière.
For the user, the goal is to eventually achieve HTTPS to complicate MITM attacks while using the ports.

-- 
You are receiving this mail because:
You are on the CC list for the bug.