Re: Deprecating base system ftpd?

2021-04-05 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Don't forget that Telnet is an actual protocol, which telnet(1)
implements.  nc is (for the most part) just a byte-copying middleman.

There's still gear out there that speaks Telnet, and expects the
client to support it (primarily for things like line mode editing).

--lyndon
___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
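Lyndon's distinction between a Telnet client and a byte copier, as an added example that is not part of the thread or of FreeBSD's telnet(1)/nc(1) code: a minimal RFC 854/855 option-negotiation handler that answers the server's DO/WILL requests, beside a byte copier that forwards them untouched. The server greeting is constructed for the example; the option numbers are the standard assignments (ECHO=1, SUPPRESS-GO-AHEAD=3, TERMINAL-TYPE=24, NAWS=31).

```python
"""Telnet (RFC 854/855) option negotiation versus a raw byte copier.

Added example; not code from the list thread, FreeBSD's telnet(1) or nc(1).
A Telnet client has to answer the server's option negotiation, whereas a
byte-copying middleman forwards the IAC sequences as data and never replies.
"""

# Telnet command bytes from RFC 854.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Option codes, used only for readable log lines.
OPTION_NAMES = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}


def negotiate(stream, supported=frozenset()):
    """Process one chunk of server-to-client Telnet bytes.

    Returns (app_data, reply, log, consumed):
      app_data  bytes meant for the terminal, with IAC IAC unescaped to 0xFF
      reply     bytes the client must send back (RFC 855 negotiation answers)
      log       human-readable description of each command handled
      consumed  input bytes fully processed; a truncated trailing IAC sequence
                is left for the caller to prepend to the next read
    ``supported`` is the set of option codes this client will enable; every
    other option is refused (DO -> WONT, WILL -> DONT). DONT/WONT for an
    option we never enabled need no answer.
    """
    app, reply, log = bytearray(), bytearray(), []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            app.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:
            break                                   # lone IAC at end of chunk
        cmd = stream[i + 1]
        if cmd == IAC:                              # escaped data byte 0xFF
            app.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= n:
                break                               # option byte not yet received
            opt = stream[i + 2]
            name = OPTION_NAMES.get(opt, f"option {opt}")
            if cmd == DO:                           # server asks us to enable opt
                answer = WILL if opt in supported else WONT
                reply += bytes([IAC, answer, opt])
                log.append(f"DO {name} -> {'WILL' if answer == WILL else 'WONT'}")
            elif cmd == WILL:                       # server offers to enable opt
                answer = DO if opt in supported else DONT
                reply += bytes([IAC, answer, opt])
                log.append(f"WILL {name} -> {'DO' if answer == DO else 'DONT'}")
            else:                                   # DONT/WONT: already disabled
                log.append(f"{'DONT' if cmd == DONT else 'WONT'} {name} -> no reply")
            i += 3
        elif cmd == SB:                             # subnegotiation: skip to IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                               # SE not yet received
            log.append(f"subnegotiation skipped ({end - i - 2} bytes)")
            i = end + 2
        else:                                       # NOP, GA, AYT, ...: ignore
            log.append(f"command {cmd} ignored")
            i += 2
    return bytes(app), bytes(reply), log, i


def byte_copier(stream):
    """What a plain byte-copying relay does with the same chunk: the IAC
    sequences reach the user's screen as garbage and the server never gets
    an answer to its negotiation."""
    return bytes(stream), b""


# Constructed server greeting: DO TERMINAL-TYPE, WILL ECHO, WILL SGA, then a prompt.
GREETING = bytes([IAC, DO, 24, IAC, WILL, 1, IAC, WILL, 3]) + b"login: "

if __name__ == "__main__":
    app, reply, log, used = negotiate(GREETING, supported={1, 3})
    print("to terminal:", app)
    print("reply bytes:", reply.hex(" "))
    for line in log:
        print("  ", line)
    print("byte copier would show:", byte_copier(GREETING)[0])
```

With the default empty `supported` set every option is refused, which is the minimum a conforming client must do; passing `supported={1, 3}` accepts server-side echo and suppress-go-ahead. A real client reads in chunks, so it must keep the unconsumed tail (the `consumed` value) and prepend it to the next read.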


Re: current make world breaks if HESIOD enabled

2021-04-05 Thread Mark Johnston
On Sat, Apr 03, 2021 at 09:18:29AM +0300, Daniel Braniss wrote:
> I must be the last person on earth to use Hesiod :-)
> these are the diffs:

Thanks, this was committed earlier today.

> diff --git a/lib/libc/gen/getgrent.c b/lib/libc/gen/getgrent.c
> index afb89cab3..5832cb8c6 100644
> --- a/lib/libc/gen/getgrent.c
> +++ b/lib/libc/gen/getgrent.c
> @@ -971,7 +971,7 @@ dns_group(void *retval, void *mdata, va_list ap)
>   hes = NULL;
>   name = NULL;
>   gid = (gid_t)-1;
> - how = (enum nss_lookup_type)mdata;
> + how = (enum nss_lookup_type)(uintptr_t)mdata;
>   switch (how) {
>   case nss_lt_name:
>   name = va_arg(ap, const char *);
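Review bot: the `+ how = (enum nss_lookup_type)(uintptr_t)mdata;` line deserves a one-line comment at the cast site explaining why the intermediate cast is there. Compilers warn about a direct cast from `void *` to a narrower enum (a 64-bit pointer into a 32-bit enum), which fails the build under -Werror, and going through `uintptr_t` makes the narrowing explicit; without a comment a later cleanup can "simplify" it back to `(enum nss_lookup_type)mdata` and reintroduce the HESIOD build break from the subject.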
> diff --git a/lib/libc/gen/getpwent.c b/lib/libc/gen/getpwent.c
> index a07ee109e..bc1d341fd 100644
> --- a/lib/libc/gen/getpwent.c
> +++ b/lib/libc/gen/getpwent.c
> @@ -1108,7 +1108,7 @@ dns_passwd(void *retval, void *mdata, va_list ap)
>   hes = NULL;
>   name = NULL;
>   uid = (uid_t)-1;
> - how = (enum nss_lookup_type)mdata;
> + how = (enum nss_lookup_type)(uintptr_t)mdata;
>   switch (how) {
>   case nss_lt_name:
>   name = va_arg(ap, const char *);
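Review bot: same fix as the getgrent.c hunk; before landing, grep both files for any remaining `(enum nss_lookup_type)mdata` casts in other backends so a HESIOD build does not fail again on the next function. If there are several, a small inline helper or macro for the `mdata` to `enum nss_lookup_type` conversion would keep the idiom in one place.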
> 
> 


Re: Deprecating base system ftpd?

2021-04-05 Thread Roderick


On Sun, 4 Apr 2021, Daniel Morante via freebsd-stable wrote:

> My vote is for no.
> 
> Reasoning is simple... at what point does it stop?  By continuously moving 
> stuff from base to ports, FreeBSD slowly becomes just a Kernel. 😉

I follow this argumentation.

I do not understand what is the problem leaving it there. It is no bloat.
It was there from the beginning of BSD.

It may be insecure, but it can be used in local nets. And whoever does
not like it does not need to use it.

We had in base a complete DNS, now only a caching one. We have a very
robust MTA in base, sendmail, but some people complain against it.

This will never end.

R.


Re: Deprecating base system ftpd?

2021-04-05 Thread Ed Maste
On Sat, 3 Apr 2021 at 16:39, Ed Maste  wrote:
>
> I propose deprecating the ftpd currently included in the base system
> before FreeBSD 14, and opened review D26447
> (https://reviews.freebsd.org/D26447) to add a notice to the man page.

I posted this as a proposal for community feedback, and there's
clearly a strong objection to removing the base system ftpd. So, I'm
not going to pursue this any further.


Re: Deprecating base system ftpd?

2021-04-05 Thread Charles Sprickman via freebsd-stable


> On Apr 5, 2021, at 3:01 PM, Patrick M. Hausen  wrote:
> 
> Hi all,
> 
> I absolutely freaked out when Apple removed the telnet and ftp clients
> from Mac OS and I needed to reinstall them via MacPorts.

Yep, and what I think many miss IRT to the stock ftpd is that it’s dumb simple 
and “just works”.

For web hosting stuff I generally use something like Proftpd or vsftpd, and, 
IMHO, that’s when you should have to expend brain power to choose something 
from ports - when your use-case (supporting hosting customers, virtual users, 
etc.) requires a non-trivial ftp implementation.

Also I can count on my left hand the number of web hosting customers I’ve run 
into that actually use scp for sftp or even know what that is. They’re using 
the same ftp client they’ve always used (ws-ftp quite often) and the last thing 
they want to do is learn something new.

> People who manage any larger collection of networking gear *depend*
> on these outdated but simple services. Client and server side alike.

I frequently work with people who have limited budgets, and I don’t think I’m 
alone in that. Ebay is chock full of high-volume sellers turning over old 
networking gear that is amazingly good stuff that’s just outdated. I can grab a 
48 port GigE switch with 10gb/s uplink ports for under $200. The market is 
gigantic, and putting old stuff to use on an internal network with proper 
safeguards is not totally crazy. Customers can have multiple fully-loaded 
spares on-site for less than what a year of SmartNet coverage would cost.

My server platform of choice when I want a “support server” for this old stuff 
has always been FreeBSD. Stock tftpd and ftpd are wonderful, and anyone 
professing that those two tiny daemons are “bloat” just hasn’t used Linux.

> TFTP is not going away, neither is FTP. I'm dead serious. Remote media
> via Supermicro IPMI in 2021? SMB1. Firmware updates for my UPS? FTP.
> Scanner/printer/fax all-in-one thingy? Uploads received fax transmissions
> via FTP. PBX? Uploads usage reports via FTP. This stuff is here to stay.
> In local networks, of course.

Preach! And plenty of VoIP gear too!

There are absolutely real world uses for these simple daemons, and I trust some 
stock FreeBSD daemon like this more than something I might fetch from ports - 
both in terms of knowing it’s had some kind of auditing/maintenance by 
qualified people and that it’s going to have an accurate manpage, sane 
defaults, and remain relatively simple/minimal.

I think as everyone has moved to the cloud and devops and all that they forget 
about sysadmins standing up servers as simple utility boxes that support a 
bunch of other gear.

> But still even on "the Internet", FTP is the most used method for customers
> of static website hosting. You cannot teach these people what an SSH key is.
> Just my experience, but backed by a load of customer interactions over more
> than 20 years …

I think some people mean well, and they imagine that if we just tell people to 
move to some monstrosity like Filezilla the problem is solved, but 
realistically it’s just a good way to lose paying customers.

Charles

> 
> Kind regards,
> Patrick
> --
> punkt.de GmbH
> Patrick M. Hausen
> .infrastructure
> 
> Kaiserallee 13a
> 76133 Karlsruhe
> 
> Tel. +49 721 9109500
> 
> https://infrastructure.punkt.de
> i...@punkt.de
> 
> AG Mannheim 108285
> Managing Directors: Jürgen Egeling, Daniel Lienert, Fabian Stein
> 



signature.asc
Description: Message signed with OpenPGP


Re: Deprecating base system ftpd?

2021-04-05 Thread Bob Bishop
Hi,

> On 5 Apr 2021, at 20:01, Patrick M. Hausen  wrote:
> 
> Hi all,
> 
>> On 03.04.2021 at 22:39, Ed Maste wrote:
>> I'm happy to make a port for it if anyone needs it. Comments?
> 
> A bit late to the party, but my take is: please just don't.

+1 (later still)

> I absolutely freaked out when Apple removed the telnet and ftp clients
> from Mac OS and I needed to reinstall them via MacPorts.
> 
> People who manage any larger collection of networking gear *depend*
> on these outdated but simple services. Client and server side alike.
> 
> TFTP is not going away, neither is FTP. I'm dead serious. Remote media
> via Supermicro IPMI in 2021? SMB1. Firmware updates for my UPS? FTP.
> Scanner/printer/fax all-in-one thingy? Uploads received fax transmissions
> via FTP. PBX? Uploads usage reports via FTP. This stuff is here to stay.
> In local networks, of course.
> 
> But still even on "the Internet", FTP is the most used method for customers
> of static website hosting. You cannot teach these people what an SSH key is.
> Just my experience, but backed by a load of customer interactions over more
> than 20 years ...
> 
> Kind regards,
> Patrick
> --
> punkt.de GmbH
> Patrick M. Hausen
> .infrastructure
> 
> Kaiserallee 13a
> 76133 Karlsruhe
> 
> Tel. +49 721 9109500
> 
> https://infrastructure.punkt.de
> i...@punkt.de
> 
> AG Mannheim 108285
> Managing Directors: Jürgen Egeling, Daniel Lienert, Fabian Stein
> 

--
Bob Bishop
r...@gid.co.uk






Re: Deprecating base system ftpd?

2021-04-05 Thread Ted Hatfield

On Mon, 5 Apr 2021, Patrick M. Hausen wrote:

> Hi all,
> 
>> On 03.04.2021 at 22:39, Ed Maste wrote:
>> I'm happy to make a port for it if anyone needs it. Comments?
> 
> A bit late to the party, but my take is: please just don't.
> 
> I absolutely freaked out when Apple removed the telnet and ftp clients
> from Mac OS and I needed to reinstall them via MacPorts.
> 
> People who manage any larger collection of networking gear *depend*
> on these outdated but simple services. Client and server side alike.
> 
> TFTP is not going away, neither is FTP. I'm dead serious. Remote media
> via Supermicro IPMI in 2021? SMB1. Firmware updates for my UPS? FTP.
> Scanner/printer/fax all-in-one thingy? Uploads received fax transmissions
> via FTP. PBX? Uploads usage reports via FTP. This stuff is here to stay.
> In local networks, of course.
> 
> But still even on "the Internet", FTP is the most used method for customers
> of static website hosting. You cannot teach these people what an SSH key is.
> Just my experience, but backed by a load of customer interactions over more
> than 20 years ...
> 
> Kind regards,
> Patrick
> --




Hear! Hear!

Although I don't have any statistics to back this up this
has been my experience as well.

Sincerely,

Ted Hatfield



Re: Deprecating base system ftpd?

2021-04-05 Thread Patrick M. Hausen
Hi all,

> On 03.04.2021 at 22:39, Ed Maste wrote:
> I'm happy to make a port for it if anyone needs it. Comments?

A bit late to the party, but my take is: please just don't.

I absolutely freaked out when Apple removed the telnet and ftp clients
from Mac OS and I needed to reinstall them via MacPorts.

People who manage any larger collection of networking gear *depend*
on these outdated but simple services. Client and server side alike.

TFTP is not going away, neither is FTP. I'm dead serious. Remote media
via Supermicro IPMI in 2021? SMB1. Firmware updates for my UPS? FTP.
Scanner/printer/fax all-in-one thingy? Uploads received fax transmissions
via FTP. PBX? Uploads usage reports via FTP. This stuff is here to stay.
In local networks, of course.

But still even on "the Internet", FTP is the most used method for customers
of static website hosting. You cannot teach these people what an SSH key is.
Just my experience, but backed by a load of customer interactions over more
than 20 years ...

Kind regards,
Patrick
--
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Kaiserallee 13a
76133 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
i...@punkt.de

AG Mannheim 108285
Managing Directors: Jürgen Egeling, Daniel Lienert, Fabian Stein



signature.asc
Description: Message signed with OpenPGP


RE: Deprecating base system ftpd?

2021-04-05 Thread Feldman, JamesX Michael
I'd shed no tears losing ftp+(d).  That noted, tftp (the daemon) is still used 
to load firmware on too many devices (changing) and telnet (the client) can be 
useful in debugging network listeners and chatting with stupid IOTs that can't 
be bothered with using SSH.  I haven't enabled either telnetd or ftpd daemon in 
at least a decade.  My baseline would be, "is this something I'd want working 
from a live ISO?".  Maybe the better (and tougher) decision is, "what belongs 
in a modern integrated OS environment?".  I leave that to better minds than 
mine.

jim

-Original Message-
From: owner-freebsd-sta...@freebsd.org  On 
Behalf Of Roger Leigh
Sent: Monday, April 5, 2021 11:27 AM
To: freebsd-stable stable 
Subject: Re: Deprecating base system ftpd?

On 3 Apr 2021, at 22:21, Eugene Grosbein  wrote:
> 
> 04.04.2021 3:39, Ed Maste wrote:
> 
>> I propose deprecating the ftpd currently included in the base system 
>> before FreeBSD 14, and opened review D26447
>> (https://reviews.freebsd.org/D26447) to add a notice to the man page.
>> I had originally planned to try to do this before 13.0, but it 
>> dropped off my list. FTP is not nearly as relevant now as it once 
>> was, and it had a security vulnerability that secteam had to address.
>> 
>> I'm happy to make a port for it if anyone needs it. Comments?
> 
> I'm strongly against removal of stock ftpd. FTP is the fastest protocol for 
> both testing and daily file transfer for trusted isolated segments, and even 
> for WAN wrapped in IPSec.
> 
> Our stock ftpd has a very short backlog of security issues compared 
> with other FTP server implementations, mostly linked with libc or other 
> libraries and not with ftpd code itself.
> 
> Please don't fix what ain't broken. Please.

How would you draw the line between something that must be part of the base 
system vs. something that would be better off as part of the ports tree?  What 
bar should ftpd have to meet to warrant remaining in base vs moving to ports?

Personally, I’ve never enabled it nor had any desire to.  FTP is, at this point 
in time, thoroughly obsolescent, and I cannot imagine that it is something that 
most people enable, if they are even aware of its existence.  Why can’t it 
simply be installed from the ports for the occasional user who still requires 
it?  Why should the base system contain obsolete stuff that few people will 
use?  Surely the ports tree serves this need better?

Can I ask, for those who do enable it, why isn’t “sftp” acceptable (or “scp”)?  
Both provide a similar function, securely, which also works with a basic 
installation without any ports.  SSHFXP, the protocol underlying sftp is better 
specified, less ambiguous and more fault tolerant and safe than the FTP 
protocol ever was.  The client is better than most ftp clients, and the server 
(/usr/libexec/sftp-server) is started on demand on a per-connection basis.  
What makes FTP more desirable than a service over SSH which is (from a 
technical and usability point of view) a better FTP than FTP ever was?

Kind regards,
Roger   



Re: Deprecating base system ftpd?

2021-04-05 Thread Roger Leigh
On 3 Apr 2021, at 22:21, Eugene Grosbein  wrote:
> 
> 04.04.2021 3:39, Ed Maste wrote:
> 
>> I propose deprecating the ftpd currently included in the base system
>> before FreeBSD 14, and opened review D26447
>> (https://reviews.freebsd.org/D26447) to add a notice to the man page.
>> I had originally planned to try to do this before 13.0, but it dropped
>> off my list. FTP is not nearly as relevant now as it once was, and it
>> had a security vulnerability that secteam had to address.
>> 
>> I'm happy to make a port for it if anyone needs it. Comments?
> 
> I'm strongly against removal of stock ftpd. FTP is the fastest protocol for both 
> testing and daily file transfer for trusted isolated segments, and even for WAN 
> wrapped in IPSec.
> 
> Our stock ftpd has a very short backlog of security issues compared with other 
> FTP server implementations, mostly linked with libc or other libraries and not 
> with ftpd code itself.
> 
> Please don't fix what ain't broken. Please.

How would you draw the line between something that must be part of the base 
system vs. something that would be better off as part of the ports tree?  What 
bar should ftpd have to meet to warrant remaining in base vs moving to ports?

Personally, I’ve never enabled it nor had any desire to.  FTP is, at this point 
in time, thoroughly obsolescent, and I cannot imagine that it is something that 
most people enable, if they are even aware of its existence.  Why can’t it 
simply be installed from the ports for the occasional user who still requires 
it?  Why should the base system contain obsolete stuff that few people will 
use?  Surely the ports tree serves this need better?

Can I ask, for those who do enable it, why isn’t “sftp” acceptable (or “scp”)?  
Both provide a similar function, securely, which also works with a basic 
installation without any ports.  SSHFXP, the protocol underlying sftp is better 
specified, less ambiguous and more fault tolerant and safe than the FTP 
protocol ever was.  The client is better than most ftp clients, and the server 
(/usr/libexec/sftp-server) is started on demand on a per-connection basis.  
What makes FTP more desirable than a service over SSH which is (from a 
technical and usability point of view) a better FTP than FTP ever was?

Kind regards,
Roger   



Re: Deprecating base system ftpd?

2021-04-05 Thread Andrea Venturoli

On 4/5/21 5:28 PM, sth...@nethelp.no wrote:

>> - replace DNS lookups with DoH and/or DoT. Why let your ISP see your DNS
>> traffic?
> 
> Because I trust my (European) ISP significantly more than I trust big
> US companies? Yes, I have a pretty good idea what Cloudflare, Google
> etc have said about the queries they receive. I still don't see a
> reason to trust them, given their actions in other areas.

I agree.

Another reason is I often have my internal DNS server.

 bye
av.


Re: FreeBSD 13.0-RC5 Now Available

2021-04-05 Thread Robert Blayzor via freebsd-stable

I don't know, ask yourself that, you did the same thing


On 4/4/21 6:21 PM, Glen Barber wrote:

> Is it necessary to quote the *entire* email (including checksums)?
> 
> Glen
> Sent from my phone.
> Please excuse my brevity and/or typos.





Re: Deprecating base system ftpd?

2021-04-05 Thread Doug McIntyre
On Mon, Apr 05, 2021 at 06:57:31PM +0300, Lev Serebryakov wrote:
> On 05.04.2021 17:44, Cy Schubert wrote:
> 
> > - remove ftp:// and http:// from libfetch. This is 2021 and we should all
> > use https://.
>   Please, explain how to set up a simple server which allows upload and on-server 
> file management with https ;-)
> 
>   I know the letters "WebDAV", but I don't know any ftp-like client for it. And 
> the server is apache24, which is a much larger security target than simple ftpd.


WebDAV is not simple, is not straight forward to use, and is not a FTP like 
setup for HTTP.

I'd agree that libfetch requires ftp: and http: methods in it.

The server set somebody runs may allow only modern stuff in it, but my network 
has items in it that only support the old stuff that can't be upgraded short of 
a forklift upgrade.






Re: Deprecating base system ftpd?

2021-04-05 Thread Cy Schubert
In message 
, Alan Somers writes:
>
> On Mon, Apr 5, 2021 at 8:45 AM Cy Schubert 
> wrote:
>
> > In message
> > , Ed Maste writes:
> > > I propose deprecating the ftpd currently included in the base system
> > > before FreeBSD 14, and opened review D26447
> > > (https://reviews.freebsd.org/D26447) to add a notice to the man page.
> > > I had originally planned to try to do this before 13.0, but it dropped
> > > off my list. FTP is not nearly as relevant now as it once was, and it
> > > had a security vulnerability that secteam had to address.
> >
> > I think this is an excellent start. My shopping list includes:
> >
> > - remove ftp(1)
> > - remove ftpd(8)
> > - remove telnet(1)
> > - remove telnetd(8)
> > - remove ftp:// and http:// from libfetch. This is 2021 and we should all
> > use https://.
> >
>
> Whoa there!  You can't remove ftp and http from libfetch, because FreeBSD
> doesn't control all of the servers that our users need to fetch from.  Not
> even close.
>
>
> > - replace DNS lookups with DoH and/or DoT. Why let your ISP see your DNS
> > traffic?
> >
> > >
> > > I'm happy to make a port for it if anyone needs it. Comments?
> >
> > I've started working on splitting ftp and ftpd into an external git repo.
> > The problem I've encountered is that though only ftp and ftpd are left the
> > resultant repo is still 1.2 GB. If my last attempt fails, there is a
> > choice
> > between a 1.2 GB repo and burning ftp forever then the choice is clear:
> > burn it forever.
> >
> > Adding the following as an option:
> >
> > Also note that the tnftp ports are the NetBSD ftp and ftpd. The FreeBSD
> > ftp
> > and ftpd are simply copies of tnftp and tnftpd. Would it make more sense to
> > share our customizations with NetBSD and we simply rely on NetBSD for the
> > client and server in our ports? This last option might be simpler than
> > creating a port.
> >
>
> Maybe, but that would be an impediment to adding Capsicum support.

If they accept #ifdef'd Capsicum patches, great! Otherwise we'd need to 
support a port for a period of time.

>
>
> >
> > Personally, I'd suggest we remove the ftpd server *AND* ftp client and
> > rely
> > on ports. Having worked on UNIX, Internet security, and firewalls over the
> > last 3/5 of my almost 50 year career, I have lamented the existence of the
> > FTP protocol back in 1995 and I hate the FTP protocol with a greater
> > passion today. Let's simply remove all vestiges of FTP from the base
> > system, including libfetch, sooner than later. We don't need it now that
> > we
> > have HTTPS and POST; and sftp.
> >
> > I think we should make it our goal to remove any and all unencrypted
> > protocols from FreeBSD by 2025.
> >
>
> tftpd is still vitally important for PXE booting.  And unencrypted NFS will
> certainly live on past 2025.

Sadly yes but I'm of the opinion we should do as much as we can with the 
low hanging fruit.

I doubt there will be a replacement or enhancement for tftp. Until the IETF 
NFSv4 TLS draft has been widely accepted and implemented across all 
platforms we will need to live with unencrypted NFS for a while. I'm hopeful.


-- 
Cheers,
Cy Schubert 
FreeBSD UNIX: Web:  https://FreeBSD.org
NTP:   Web:  https://nwtime.org

The need of the many outweighs the greed of the few.




Re: Deprecating base system ftpd?

2021-04-05 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Ruben van Staveren via freebsd-stable writes:

> It is time to deprecate ftp altogether, and any other protocols that
> embed protocol information in layer 7, thus hurting any #IPv6 migration
> and deployment technology (SIIT-DC e.g).

> ftp, a protocol not using TLS protection [...]

You seem to be a couple of decades behind the times.

RFC 4217 (Securing FTP with TLS) was published in 2005.  IPv6 support
dates back to 1998 in RFC 2428 (FTP Extensions for IPv6 and NATs).

It would be nice if the base system ftpd grew TLS support.  OpenBSD has
had this for years.

--lyndon


Re: Deprecating base system ftpd?

2021-04-05 Thread Lev Serebryakov

On 05.04.2021 17:44, Cy Schubert wrote:

> - remove ftp:// and http:// from libfetch. This is 2021 and we should all
> use https://.

 Please, explain how to set up a simple server which allows upload and on-server 
file management with https ;-)

 I know the letters "WebDAV", but I don't know any ftp-like client for it. And 
the server is apache24, which is a much larger security target than simple ftpd.

 Even `sftp` is ugly.

> - replace DNS lookups with DoH and/or DoT. Why let your ISP see your DNS
> traffic?

 As soon as FreeBSD includes a DoH/DoT recursive server in the *base* system (as it 
includes unbound for simple DNS now). I don't understand why I should trust 
"centralized" DoH services.

 Do we want to import libnghttp2 to base for this?


--
// Lev Serebryakov


Re: Deprecating base system ftpd?

2021-04-05 Thread sthaug
>> I propose deprecating the ftpd currently included in the base system
>> before FreeBSD 14, and opened review D26447
>> (https://reviews.freebsd.org/D26447) to add a notice to the man page.
>> I had originally planned to try to do this before 13.0, but it dropped
>> off my list. FTP is not nearly as relevant now as it once was, and it
>> had a security vulnerability that secteam had to address.
> 
> I think this is an excellent start. My shopping list includes:
> 
> - remove ftp(1)
> - remove ftpd(8)
> - remove telnet(1)
> - remove telnetd(8)

My preference would be to leave those four in the system. However, I
can live with removal, as long as they are available as ports.

> - remove ftp:// and http:// from libfetch. This is 2021 and we should all 
> use https://.

Please don't. There is still a lot of content not available over https
(and quite a few web sites with only "readonly" type content). Removal
of ftp:// and http:// from libfetch simply means I'll have to install
wget instead - and we're getting ever closer to FreeBSD being only a
kernel.

> - replace DNS lookups with DoH and/or DoT. Why let your ISP see your DNS 
> traffic?

Because I trust my (European) ISP significantly more than I trust big
US companies? Yes, I have a pretty good idea what Cloudflare, Google
etc have said about the queries they receive. I still don't see a
reason to trust them, given their actions in other areas.

Bert Hubert has written much better than I can about moving everything
to DoH/DoT:

https://blog.powerdns.com/2019/09/25/centralised-doh-is-bad-for-privacy-in-2019-and-beyond/

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: Deprecating base system ftpd?

2021-04-05 Thread Alan Somers
On Mon, Apr 5, 2021 at 8:45 AM Cy Schubert 
wrote:

> In message
> , Ed Maste writes:
> > I propose deprecating the ftpd currently included in the base system
> > before FreeBSD 14, and opened review D26447
> > (https://reviews.freebsd.org/D26447) to add a notice to the man page.
> > I had originally planned to try to do this before 13.0, but it dropped
> > off my list. FTP is not nearly as relevant now as it once was, and it
> > had a security vulnerability that secteam had to address.
>
> I think this is an excellent start. My shopping list includes:
>
> - remove ftp(1)
> - remove ftpd(8)
> - remove telnet(1)
> - remove telnetd(8)
> - remove ftp:// and http:// from libfetch. This is 2021 and we should all
> use https://.
>

Whoa there!  You can't remove ftp and http from libfetch, because FreeBSD
doesn't control all of the servers that our users need to fetch from.  Not
even close.


> - replace DNS lookups with DoH and/or DoT. Why let your ISP see your DNS
> traffic?
>
> >
> > I'm happy to make a port for it if anyone needs it. Comments?
>
> I've started working on splitting ftp and ftpd into an external git repo.
> The problem I've encountered is that though only ftp and ftpd are left the
> resultant repo is still 1.2 GB. If my last attempt fails, there is a
> choice
> between a 1.2 GB repo and burning ftp forever then the choice is clear:
> burn it forever.
>
> Adding the following as an option:
>
> Also note that the tnftp ports are the NetBSD ftp and ftpd. The FreeBSD
> ftp
> and ftpd are simply copies of tnftp and tnftpd. Would it make more sense to
> share our customizations with NetBSD and we simply rely on NetBSD for the
> client and server in our ports? This last option might be simpler than
> creating a port.
>

Maybe, but that would be an impediment to adding Capsicum support.


>
> Personally, I'd suggest we remove the ftpd server *AND* ftp client and
> rely
> on ports. Having worked on UNIX, Internet security, and firewalls over the
> last 3/5 of my almost 50 year career, I have lamented the existence of the
> FTP protocol back in 1995 and I hate the FTP protocol with a greater
> passion today. Let's simply remove all vestiges of FTP from the base
> system, including libfetch, sooner than later. We don't need it now that
> we
> have HTTPS and POST; and sftp.
>
> I think we should make it our goal to remove any and all unencrypted
> protocols from FreeBSD by 2025.
>

tftpd is still vitally important for PXE booting.  And unencrypted NFS will
certainly live on past 2025.

-Alan


Re: Deprecating base system ftpd?

2021-04-05 Thread Cy Schubert
In message 
, Ed Maste writes:
> I propose deprecating the ftpd currently included in the base system
> before FreeBSD 14, and opened review D26447
> (https://reviews.freebsd.org/D26447) to add a notice to the man page.
> I had originally planned to try to do this before 13.0, but it dropped
> off my list. FTP is not nearly as relevant now as it once was, and it
> had a security vulnerability that secteam had to address.

I think this is an excellent start. My shopping list includes:

- remove ftp(1)
- remove ftpd(8)
- remove telnet(1)
- remove telnetd(8)
- remove ftp:// and http:// from libfetch. This is 2021 and we should all 
use https://.
- replace DNS lookups with DoH and/or DoT. Why let your ISP see your DNS 
traffic?

>
> I'm happy to make a port for it if anyone needs it. Comments?

I've started working on splitting ftp and ftpd into an external git repo. 
The problem I've encountered is that though only ftp and ftpd are left the 
resultant repo is still 1.2 GB. If my last attempt fails, there is a choice 
between a 1.2 GB repo and burning ftp forever then the choice is clear: 
burn it forever.

Adding the following as an option:

Also note that the tnftp ports are the NetBSD ftp and ftpd. The FreeBSD ftp 
and ftpd are simply copies of tnftp and tnftpd. Would it make more sense to 
share our customizations with NetBSD and we simply rely on NetBSD for the 
client and server in our ports? This last option might be simpler than 
creating a port.

Personally, I'd suggest we remove the ftpd server *AND* ftp client and rely 
on ports. Having worked on UNIX, Internet security, and firewalls over the 
last 3/5 of my almost 50 year career, I lamented the existence of the 
FTP protocol back in 1995 and I hate the FTP protocol with a greater 
passion today. Let's simply remove all vestiges of FTP from the base 
system, including libfetch, sooner rather than later. We don't need it now that we 
have HTTPS and POST, and sftp.

I think we should make it our goal to remove any and all unencrypted 
protocols from FreeBSD by 2025.


-- 
Cheers,
Cy Schubert 
FreeBSD UNIX: Web:  https://FreeBSD.org
NTP:   Web:  https://nwtime.org

The need of the many outweighs the greed of the few.




Re: Deprecating base system ftpd?

2021-04-05 Thread Marek Zarychta
On 05.04.2021 at 14:10, Ruben van Staveren via freebsd-stable wrote:
> 
> 
>> On 3 Apr 2021, at 22:39, Ed Maste  wrote:
>>
>> I propose deprecating the ftpd currently included in the base system
>> before FreeBSD 14, and opened review D26447
>> (https://reviews.freebsd.org/D26447) to add a notice to the man page.
>> I had originally planned to try to do this before 13.0, but it dropped
>> off my list. FTP is not nearly as relevant now as it once was, and it
>> had a security vulnerability that secteam had to address.
>>
>> I'm happy to make a port for it if anyone needs it. Comments?
> 
> Make it a port
> 
> 
> It is time to deprecate ftp altogether, and any other protocols that embed 
> protocol information in layer 7, thus hurting any #IPv6 migration and 
> deployment technology (SIIT-DC e.g).

How would the FTP protocol hurt IPv6 deployment? Some IPv4 --> IPv6
transition techniques will not be able to support it, in the same way that
NAT hardly copes with the FTP protocol. The whole problem looks completely
different. FTP is an ancient protocol where the active mode works fine
only when both ends are directly reachable, so the IPv6 protocol used on
both ends can make the FTP protocol work in active mode again.

> Hopefully the IETF can put up a deprecation notice, just as was done for e.g. 
> TLS 1.0.
> Then we move onward to the self regulating capacity of the community, warning 
> each other on “you have ftp” running.
> 
TLS was meant to provide security, but TLS 1.0 came to be considered not secure
enough at some point; the same happened to SSH1, which is no longer
trusted. Ancient protocols _do_ exist, and probably neither GOPHER nor
FTP will become deprecated as network protocols.

> ftp, a protocol not using TLS protection but by adding it a netadmin needs to 
> manage the port range in their firewalls too because clients behind nat can’t 
> use passive mode with TLS as NAT can’t map things around ¯\_(ツ)_/¯
> 
> It is not worth the time and the hassle. Keep FTP(s) for legacy and internal, 
> serve anyone else with https

There are _many_ devices which can download files only with the FTP or TFTP
protocols. Uploading files with HTTP or HTTPS is impossible; only SCP
sometimes works, but older network equipment usually doesn't support new
ciphers, and using SSH/SCP sometimes seems to be painful.

Some protocols are insecure and simplistic from their early design.
Forcing a ban on FTP, TFTP or TELNET would only lead to more frustration
for sysadmins.
16 years ago, DNS, insecure by design, gained security support via
DNSSEC. Please consider why DNSSEC is not, and likely will not soon be,
widely deployed. This was an off-topic note, but probably in place.

With kind regards,

-- 
Marek Zarychta





Re: Deprecating base system ftpd?

2021-04-05 Thread Alan Somers
On Sun, Apr 4, 2021 at 10:29 PM Eugene Grosbein  wrote:

> On 05.04.2021 06:25, Dave Cottlehuber wrote:
>
> > Eugene mentioned the convenience of ftpd in the same sentence as ipsec.
> > I'm willing to bet those systems have ports installed too.
>
> Ports/packages are great but they are not a replacement for a solid operating
> system with bundled software tested and proven with time.
>
> > If speed is an issue, HTTP supports pipelining, compression, chunked
> > encoding, & parallel connections. I'm not sure ftpd is even in the same
> > game anymore.
>
> Compression and various encodings of raw data are not good for speed.
> sendfile(2) system call used by ftpd to send raw data is good for speed.
> Unlimited CPU power should not be assumed.
>
> > The more code we hang onto in base, the larger the millstone around our
> > necks when moving forwards. Each individual opportunity to slim down
> > base *in itself* is not significant, but cumulatively they represent
> > gridlock.
> >
> > For each removal or deprecation, please consider, is this worth holding
> > the project back for?
>
> Our ftpd code does not hold the project back in any way. It's here, it
> works, it's very good.
>
> High quality bundled software is what we love FreeBSD for.
> Unfortunately, ports tend to rot more quickly due to some known reasons.
>

I wouldn't say that anything is "very good" when it has no test suite
whatsoever.  If you want to help, you could write one.  You might take a
look at  libexec/tftpd/tests/ to get started.

-Alan


Re: Deprecating base system ftpd?

2021-04-05 Thread Ruben van Staveren via freebsd-stable


> On 3 Apr 2021, at 22:39, Ed Maste  wrote:
> 
> I propose deprecating the ftpd currently included in the base system
> before FreeBSD 14, and opened review D26447
> (https://reviews.freebsd.org/D26447) to add a notice to the man page.
> I had originally planned to try to do this before 13.0, but it dropped
> off my list. FTP is not nearly as relevant now as it once was, and it
> had a security vulnerability that secteam had to address.
> 
> I'm happy to make a port for it if anyone needs it. Comments?

Make it a port


It is time to deprecate ftp altogether, along with any other protocols that embed 
protocol information in layer 7, thus hurting any #IPv6 migration and 
deployment technology (e.g. SIIT-DC).
Hopefully the IETF can put up a deprecation notice, just as was done for e.g. 
TLS 1.0.
Then we move onward to the self-regulating capacity of the community, warning 
each other that "you have ftp running".

FTP is a protocol that does not use TLS protection, but by adding it a netadmin needs to 
manage the port range in their firewalls too, because clients behind NAT can't 
use passive mode with TLS, as NAT can't map things around ¯\_(ツ)_/¯

It is not worth the time and the hassle. Keep FTP(s) for legacy and internal, 
serve anyone else with https

Best Regards,
Ruben
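The address-in-the-payload problem that Ruben and Marek describe above (NAT, SIIT and FTP ALGs must read and rewrite the PORT/PASV text inside the control channel, which becomes impossible once that channel is wrapped in TLS), shown as an added example. This is not code from the thread, from FreeBSD's ftpd or from tnftp; it is a small parser for the RFC 959 PORT/PASV and RFC 2428 EPRT/EPSV forms, a consistency check a client or firewall can apply to the advertised data endpoint, and the rewrite an ALG performs. All sample reply lines are constructed.

```python
"""
Where FTP hides its data-connection endpoint: inside layer-7 text.

Added example (not from the FreeBSD thread or from ftpd/tnftp).  It parses
the PORT/PASV and EPRT/EPSV forms, checks whether the advertised address is
consistent with the control-connection peer, and shows the payload rewrite
that a NAT/FTP ALG has to perform.  Every sample line here is constructed.
"""
import ipaddress
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)      RFC 959 PASV reply
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|)      RFC 2428 EPSV reply
_EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")
# PORT h1,h2,h3,h4,p1,p2                             RFC 959 client command
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
# EPRT |proto|addr|port|   (proto 1 = IPv4, 2 = IPv6) RFC 2428 client command
_EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d{1,5})\|\s*$", re.I)


def _six_numbers(groups):
    """Turn h1..h4,p1,p2 into (dotted IPv4, port); None if any byte overflows."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_pasv(line):
    """(ip, port) advertised in a 227 PASV reply, or None if not one."""
    m = _PASV_RE.search(line)
    return _six_numbers(m.groups()) if m else None


def parse_epsv(line):
    """Port from a 229 EPSV reply; the address is implicitly the control peer."""
    m = _EPSV_RE.search(line)
    if not m or not 0 < int(m.group(1)) < 65536:
        return None
    return int(m.group(1))


def parse_port(line):
    """(ip, port) the client advertises in an active-mode PORT command."""
    m = _PORT_RE.match(line.strip())
    return _six_numbers(m.groups()) if m else None


def parse_eprt(line):
    """(ip, port) from EPRT; None if the address family contradicts proto."""
    m = _EPRT_RE.match(line.strip())
    if not m:
        return None
    proto, addr, port = m.group(1), m.group(2), int(m.group(3))
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if (proto == "1") != (ip.version == 4) or not 0 < port < 65536:
        return None
    return str(ip), port


def advertised_matches_peer(peer_ip, advertised_ip):
    """Hardening check for clients and ALGs: the data endpoint a 227 reply
    names should be the host we are already talking to.  A mismatch is the
    classic symptom of an untranslated private address leaking through NAT."""
    return ipaddress.ip_address(peer_ip) == ipaddress.ip_address(advertised_ip)


def rewrite_pasv(line, new_ip, new_port):
    """What an FTP ALG on a NAT box does to a 227 reply: rewrite the embedded
    endpoint to the translated one.  With the control channel inside TLS the
    ALG cannot see this text, so passive mode across NAT stops working."""
    octets = [int(x) for x in new_ip.split(".")]
    body = "({},{},{},{},{},{})".format(*octets, new_port // 256, new_port % 256)
    return _PASV_RE.sub(body, line, count=1)


if __name__ == "__main__":
    # Constructed control-channel lines: an internal server behind NAT.
    reply = "227 Entering Passive Mode (10,0,0,5,195,80)"
    ip, port = parse_pasv(reply)
    print("server advertised", ip, port)
    print("consistent with peer 203.0.113.7?", advertised_matches_peer("203.0.113.7", ip))
    print("after ALG rewrite:", rewrite_pasv(reply, "203.0.113.7", port))
    print("EPRT over IPv6:", parse_eprt("EPRT |2|2001:db8::10|50001|"))
```

The consistency check is the same idea that several real clients implement as an option to ignore the address in a 227 reply and reuse the control-connection host instead; the rewrite function is the part of the picture that an ALG loses once the control channel is encrypted, which is exactly why passive mode with TLS behind NAT needs a pre-opened port range on the firewall, as Ruben notes.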






Re: FreeBSD 13.0-RC5 Now Available

2021-04-05 Thread Colin Percival
On 4/4/21 1:50 PM, Alan Somers wrote:
> On Sat, Apr 3, 2021 at 9:34 AM Glen Barber wrote:
>
> The fifth RC build of the 13.0-RELEASE release cycle is now available.
>
> In the past, making these releases required pushing updates to
> https://svnweb.freebsd.org/base/user/cperciva/freebsd-update-build/ .

Historically, we often made changes directly on the update builders and
then brought the svn tree back into sync later.

> However, that repo is read-only now.  I assume that it's been gitified, but
> I can't find the new location.  Where is it?

I think the freebsd-update build code might be homeless right now.  I know I
have seen emails mentioning that it needs to land somewhere but I don't recall
any decision being reached.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid