Greg 'groggy' Lehey <[email protected]> writes:
> I'm really quite concerned about the plans to remove lpd. I
> understand that there are security issues with lpd, even if I haven't
> heard any reports of exploits in over a third of a century, but the
> approach seems wrong to me.
Feel free to review https://reviews.freebsd.org/D55399 yourself, keeping in mind that it addresses only _some_ of the issues I found in just _one_ of the 28 source files that make up lpr / lpd. I estimate the effort needed to overhaul the entire code base and add tests to about 200 hours or two months full-time. I haven't tracked my time so far but I spent about three days full time on just this patch and a few others (D55400 adds a socket timeout to mitigate another possible attack, a bunch of other patches fix build system issues such as parts of lpr / lpd going into the wrong pkgbase package or not being deleted when the LPR option is turned off).

I would also like to point out that:

- I have not removed lpr / lpd. I have merely marked them deprecated and proposed a plan to remove them in or around September 2027, which is more than a year and a half from now, unless they have significantly improved in the interim.

- I have done more to improve lpd and keep it alive in the last 5 days than everyone else combined in the last 25 years. But I can't continue to neglect my paying customers to fix something that almost nobody uses. Someone will have to step up to either do the work or hire me to do it.

- Simply moving the code to ports will do nothing to address the underlying issue, and I will strenuously object to adding software with known vulnerabilities to the ports tree.

- Some of the issues with lpd cannot be fixed because they are inherent to its design, which cannot be changed without breaking compatibility, which is _the only reason_ to keep lpd. The rest of the world has moved on to IPP.

- There is no spec. RFC 1179 is not a specification for LPDP, but a description of how lpd works, written after the fact by a third party who... didn't understand how lpd actually works.

DES
--
Dag-Erling Smørgrav - [email protected]
