In message <[email protected]>, Alan Somers writes:
> On Mon, Apr 5, 2021 at 8:45 AM Cy Schubert <[email protected]>
> wrote:
>
> > In message <[email protected]>, Ed Maste writes:
> > > I propose deprecating the ftpd currently included in the base system
> > > before FreeBSD 14, and opened review D26447
> > > (https://reviews.freebsd.org/D26447) to add a notice to the man page.
> > > I had originally planned to try to do this before 13.0, but it dropped
> > > off my list. FTP is not nearly as relevant now as it once was, and it
> > > had a security vulnerability that secteam had to address.
> >
> > I think this is an excellent start. My shopping list includes:
> >
> > - remove ftp(1)
> > - remove ftpd(8)
> > - remove telnet(1)
> > - remove telnetd(8)
> > - remove ftp:// and http:// from libfetch. This is 2021 and we should
> >   all use https://.
> >
>
> Whoa there! You can't remove ftp and http from libfetch, because FreeBSD
> doesn't control all of the servers that our users need to fetch from. Not
> even close.
>
> > - replace DNS lookups with DoH and/or DoT. Why let your ISP see your DNS
> >   traffic?
> >
> > >
> > > I'm happy to make a port for it if anyone needs it. Comments?
> >
> > I've started working on splitting ftp and ftpd into an external git repo.
> > The problem I've encountered is that though only ftp and ftpd are left the
> > resultant repo is still 1.2 GB. If my last attempt fails, there is a
> > choice between a 1.2 GB repo and burning ftp forever then the choice is
> > clear: burn it forever.
> >
> > Adding the following as an option:
> >
> > Also note that the tnftp ports are the NetBSD ftp and ftpd. The FreeBSD
> > ftp and ftpd are simply copies of tnftp and tnftpd. Would it make more
> > sense to share our customizations with NetBSD and we simply rely on
> > NetBSD for the client and server in our ports? This last option might be
> > simpler than creating a port.
> >
>
> Maybe, but that would be an impediment to adding Capsicum support.

If they accept #ifdef'd Capsicum patches, great! Otherwise we'd need to
support a port for a period of time.

> >
> > Personally, I'd suggest we remove the ftpd server *AND* ftp client and
> > rely on ports. Having worked on UNIX, Internet security, and firewalls
> > over the last 3/5 of my almost 50 year career, I have lamented the
> > existence of the FTP protocol back in 1995 and I hate the FTP protocol
> > with a greater passion today. Let's simply remove all vestiges of FTP
> > from the base system, including libfetch, sooner than later. We don't
> > need it now that we have HTTPS and POST; and sftp.
> >
> > I think we should make it our goal to remove any and all unencrypted
> > protocols from FreeBSD by 2025.
> >
>
> tftpd is still vitally important for PXE booting. And unencrypted NFS will
> certainly live on past 2025.

Sadly yes, but I'm of the opinion we should do as much as we can with the
low hanging fruit. I doubt there will be a replacement or enhancement for
tftp. Until the IETF NFSv4 TLS draft has been widely accepted and
implemented across all platforms we will need to live with unencrypted NFS
for a while. I'm hopeful.

--
Cheers,
Cy Schubert <[email protected]>
FreeBSD UNIX: <[email protected]> Web: https://FreeBSD.org
NTP: <[email protected]> Web: https://nwtime.org

The need of the many outweighs the greed of the few.
