Re: Deprecating ftpd in the FreeBSD base system?

2020-09-20 Thread Tomoaki AOKI
On Thu, 17 Sep 2020 08:55:26 -0700
Cy Schubert  wrote:

> In message <451538de-9427-4584-987b-8e4aa26c2...@freebsd.org>, Daniel Eischen writes:
> > 
> >
> > > On Sep 17, 2020, at 11:20 AM, Maxim Sobolev  wrote:
> > > 
> > > Re: removing HTTP client please no!!! The current drive to "outlaw" 
> > > HTTP
> > > coming from companies who see all world via web browser. Totally ignoring
> > > the fact that HTTP != HTTPS in particular in cases where reliability and
> > > lower complexity of the system takes precedence over on-the-wire protocol
> > > security. For example, many internal APIs of AWS EC2 are HTTP.
> >
> > Agree.  And remember the mantra: tools, not policy.
> 
> Since there are so many I'll pick this email to reply to.
> 
> libfetch should be designed to call plugins. An https plugin, http plugin, 
> ftp plugin, sftp plugin, and so on. New protocols are added as needed, 
> preferably to ports before they are mainstream. Old protocols are removed 
> and moved to ports. People who still need to use old protocols can install 
> the port which plugs into libfetch. When a protocol becomes stale it's 
> forgotten, no longer maintained and simply disappears into the ether.

Looks reasonable to me, if all plugins to fetch the base distribution
and pkgbase are guaranteed to be incorporated in base and install images.

No objection about removing ftpd and ftp client from base, if drop-in
(at least having enough compatibility with configuration files/envs)
alternatives are in ports.


Regards.


> Given that pkgbase will become a reality at some point the line between 
> base and ports will blur. I expect at some point some of what we see in 
> base to simply become ports. As a developer of both base and ports, ports 
> are much easier to maintain than importing into base.
> 
> That's my vision.
> 
> 
> -- 
> Cheers,
> Cy Schubert 
> FreeBSD UNIX: Web:  https://FreeBSD.org
> NTP:   Web:  https://nwtime.org
> 
>   The need of the many outweighs the greed of the few.
> 
> 
> ___
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
> 


-- 
Tomoaki AOKI


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-18 Thread Nick Wolff
On Thu, Sep 17, 2020 at 3:54 PM Ian Lepore  wrote:

> On Thu, 2020-09-17 at 12:49 -0700, John-Mark Gurney wrote:
> > Ian Lepore wrote this message on Thu, Sep 17, 2020 at 09:01 -0600:
> > > On Thu, 2020-09-17 at 18:43 +0400, Gleb Popov wrote:
> > > > On Thu, Sep 17, 2020 at 6:05 PM Cy Schubert <
> > > > cy.schub...@cschubert.com>
> > > > wrote:
> > > >
> > > > > I've been advocating removing FTP (and HTTP) from libfetch as
> > > > > well.
> > > > > People
> > > > > should be using HTTPS only.
> > > > >
> > > >
> > > > Isn't this a bit too much? I often find myself in need to
> > > > download
> > > > something starting with "http://" or "ftp://" and use fetch for
> > > > this.
> > >
> > > Indeed, we have products which rely on this ability in libfetch and
> > > we
> > > have to keep supporting them for many many years to come.
> > >
> > > I hate it when someone imperiously declares [For security reasons]
> > > "People should/shouldn't be using __".  You have no idea what
> > > the
> > > context is, and thus no ability to declare what should or shouldn't
> > > be
> > > used in that context.  For example, two embedded systems talking to
> > > each other over a point to point link within a sealed device are
> > > not
> > > concerned about man in the middle attacks or other modern internet
> > > threats.
> >
> > And I really dislike when people want to make sure that their unique
> > case that less than a percent of people would ever hit blocks the
> > security improvements for the majority of people...
> >
> > I've given up on a number of security improvements in FreeBSD because
> > of this attitude...
> >
>
> Good.  Because what you call "improvements" I would probably call
> "Imposing policy rather than providing tools."
>
> I don't complain about making defaults the safest choices available.
> I complain about removing options completely because they're unsafe in
> some circumstances according to some people.
>
> -- Ian
>
>
>

  Even making defaults the "safest choice" I have an issue with. Security
is a balance between risk, environment and usability.  The "Safest choice"
is turning your box off or cutting your internet connection. Now hardening
as an option in a global config file for whatever program I have no issue
with just need to be very careful on what is hardened by default and what
is exposed as an option for hardening to those who need it. Also as a
reminder just because something has a hardening option that is disabled by
default that doesn't mean the project ever needs to enable it by default.
Sometimes we add those options and have a migration path/timeline to them
being enabled by default sometimes we just add those options for those who
need them whether by policy, environment, or paranoia.

So a global option in a config file or ENV variable to disable unencrypted
protocols by default is fine. It just should

Also in defense of http is that it allows caching. If you are downloading a
signed resource to 10, 100 or 1,000,000 boxes and don't care who knows,
caching may be a very helpful option.

--Nick "darkfiberiru" Wolff
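
An added example (not FreeBSD or pkg(8) code) of the pattern the last paragraph of this post relies on: the large artifact travels over plain, proxy-cacheable HTTP, and its integrity is checked against a small digest manifest that was obtained over a channel you already trust (HTTPS, or a signature verified before use). The manifest line format mirrors the BSD sha256(1) output that FreeBSD CHECKSUM.SHA256 files carry; the package bytes, file names and manifest below are constructed for the example, and getting the manifest itself authentically is assumed to happen before it is passed in.

```python
"""Verify an artifact fetched over plain (cacheable) HTTP against a
trusted digest manifest.

Added example, not FreeBSD or pkg(8) code. The big artifact rides over
HTTP so proxies can cache it; authenticity comes from a small manifest
obtained over a channel you trust (HTTPS, or a signature you verify
first). Manifest lines use the BSD sha256(1) output format found in
FreeBSD CHECKSUM.SHA256 files:
    SHA256 (name) = <64 hex digits>
The artifact bytes and manifest below are constructed for the example.
"""
import hashlib
import hmac
import re
from typing import Dict, Tuple

_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hexdigest>[0-9a-fA-F]{64})$")


def parse_manifest(text: str) -> Dict[str, str]:
    """Map artifact name -> expected hex digest. Blank lines are skipped;
    any other malformed line raises, so a truncated or tampered manifest
    is never partially trusted."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError("manifest line %d malformed: %r" % (lineno, raw))
        expected[m.group("name")] = m.group("hexdigest").lower()
    return expected


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, expected: Dict[str, str]) -> bool:
    """True iff `data` matches the manifest entry for `name`. A name the
    manifest does not list fails closed; the comparison is constant-time."""
    want = expected.get(name)
    if want is None:
        return False
    return hmac.compare_digest(sha256_hex(data), want)


# Constructed sample: a tiny "package" plus a manifest that covers it.
SAMPLE_PKG = b"pkg-demo-1.0 payload (constructed for this example)\n"
SAMPLE_MANIFEST = "SHA256 (pkg-demo-1.0.txz) = %s\n" % sha256_hex(SAMPLE_PKG)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (genuine accepted, tampered rejected, unlisted rejected)."""
    expected = parse_manifest(SAMPLE_MANIFEST)
    genuine = verify_artifact("pkg-demo-1.0.txz", SAMPLE_PKG, expected)
    # A proxy or on-path attacker flipping one byte of the cached copy:
    tampered = verify_artifact("pkg-demo-1.0.txz", SAMPLE_PKG[:-1] + b"!", expected)
    unlisted = verify_artifact("other.txz", SAMPLE_PKG, expected)
    return genuine, not tampered, not unlisted


if __name__ == "__main__":
    print(demo())
```

The digest check only buys integrity relative to the manifest, so the manifest is the part that must come over HTTPS or carry a verified signature; once it does, the payload itself can be served and cached by any HTTP proxy without weakening the result. The comparison uses hmac.compare_digest so a hostile server cannot learn digest bytes from timing.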


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Marcelo Araujo
On Thu, Sep 17, 2020, 11:55 PM Cy Schubert 
wrote:

> In message <451538de-9427-4584-987b-8e4aa26c2...@freebsd.org>, Daniel Eischen writes:
> >
> >
> > > On Sep 17, 2020, at 11:20 AM, Maxim Sobolev 
> wrote:
> > >
> > > Re: removing HTTP client please no!!! The current drive to "outlaw"
> HTTP
> > > coming from companies who see all world via web browser. Totally
> ignoring
> > > the fact that HTTP != HTTPS in particular in cases where reliability
> and
> > > lower complexity of the system takes precedence over on-the-wire
> protocol
> > > security. For example, many internal APIs of AWS EC2 are HTTP.
> >
> > Agree.  And remember the mantra: tools, not policy.
>
> Since there are so many I'll pick this email to reply to.
>
> libfetch should be designed to call plugins. An https plugin, http plugin,
> ftp plugin, sftp plugin, and so on. New protocols are added as needed,
> preferably to ports before they are mainstream. Old protocols are removed
> and moved to ports. People who still need to use old protocols can install
> the port which plugs into libfetch. When a protocol becomes stale it's
> forgotten, no longer maintained and simply disappears into the ether.
>

Thinking in this way, very soon we need to remove TCP, UDP, IP and the list
is growing, they are all stale.



> Given that pkgbase will become a reality at some point the line between
> base and ports will blur. I expect at some point some of what we see in
> base to simply become ports. As a developer of both base and ports, ports
> are much easier to maintain than importing into base.
>
> That's my vision.
>
>
> --
> Cheers,
> Cy Schubert 
> FreeBSD UNIX: Web:  https://FreeBSD.org
> NTP:   Web:  https://nwtime.org
>
> The need of the many outweighs the greed of the few.
>
>
>


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Cy Schubert
In message <0ab6a75e6b821058a2b939447a8e499196ec2388.ca...@freebsd.org>, Ian Lepore writes:
> On Thu, 2020-09-17 at 12:49 -0700, John-Mark Gurney wrote:
> > Ian Lepore wrote this message on Thu, Sep 17, 2020 at 09:01 -0600:
> > > On Thu, 2020-09-17 at 18:43 +0400, Gleb Popov wrote:
> > > > On Thu, Sep 17, 2020 at 6:05 PM Cy Schubert <
> > > > cy.schub...@cschubert.com>
> > > > wrote:
> > > > 
> > > > > I've been advocating removing FTP (and HTTP) from libfetch as
> > > > > well.
> > > > > People
> > > > > should be using HTTPS only.
> > > > > 
> > > > 
> > > > Isn't this a bit too much? I often find myself in need to
> > > > download
> > > > something starting with "http://" or "ftp://" and use fetch for
> > > > this.
> > > 
> > > Indeed, we have products which rely on this ability in libfetch and
> > > we
> > > have to keep supporting them for many many years to come.
> > > 
> > > I hate it when someone imperiously declares [For security reasons]
> > > "People should/shouldn't be using __".  You have no idea what
> > > the
> > > context is, and thus no ability to declare what should or shouldn't
> > > be
> > > used in that context.  For example, two embedded systems talking to
> > > each other over a point to point link within a sealed device are
> > > not
> > > concerned about man in the middle attacks or other modern internet
> > > threats.
> > 
> > And I really dislike when people want to make sure that their unique
> > case that less than a percent of people would ever hit blocks the
> > security improvements for the majority of people...
> > 
> > I've given up on a number of security improvements in FreeBSD because
> > of this attitude...
> > 
>
> Good.  Because what you call "improvements" I would probably call
> "Imposing policy rather than providing tools."

We as developers, here, on the job, or elsewhere, apply policy all the time 
when we make decisions regarding the software we write/maintain. When you 
think of it, "I don't have the time for _" is also a policy decision.

My former manager's 80/20 rule, as much as I didn't like it at the time 
(but now see the wisdom), was also a policy decision. A business decision.

>
> I don't complain about making defaults the safest choices available.
> I complain about removing options completely because they're unsafe in
> some circumstances according to some people.


-- 
Cheers,
Cy Schubert 
FreeBSD UNIX: Web:  https://FreeBSD.org
NTP:   Web:  https://nwtime.org

The need of the many outweighs the greed of the few.




Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Pete Wright



On 9/17/20 12:49 PM, John-Mark Gurney wrote:
> Ian Lepore wrote this message on Thu, Sep 17, 2020 at 09:01 -0600:
> > On Thu, 2020-09-17 at 18:43 +0400, Gleb Popov wrote:
> > > On Thu, Sep 17, 2020 at 6:05 PM Cy Schubert <
> > > cy.schub...@cschubert.com>
> > > wrote:
> > >
> > > > I've been advocating removing FTP (and HTTP) from libfetch as well.
> > > > People
> > > > should be using HTTPS only.
> > > >
> > >
> > > Isn't this a bit too much? I often find myself in need to download
> > > something starting with "http://" or "ftp://" and use fetch for this.
> >
> > Indeed, we have products which rely on this ability in libfetch and we
> > have to keep supporting them for many many years to come.
> >
> > I hate it when someone imperiously declares [For security reasons]
> > "People should/shouldn't be using __".  You have no idea what the
> > context is, and thus no ability to declare what should or shouldn't be
> > used in that context.  For example, two embedded systems talking to
> > each other over a point to point link within a sealed device are not
> > concerned about man in the middle attacks or other modern internet
> > threats.
>
> And I really dislike when people want to make sure that their unique
> case that less than a percent of people would ever hit blocks the
> security improvements for the majority of people...
>
> I've given up on a number of security improvements in FreeBSD because
> of this attitude...



While I tend to agree with you here - I would say that in this case 
there is a very large use case where preservation of http is very 
important to a wide base of users:


https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
https://cloud.google.com/compute/docs/storing-retrieving-metadata
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service

regarding the main topic tho - dropping ftpd from base seems like a good 
iteration in clearing out cruft from the code base so we can focus on 
things with much larger user bases.  fortunately we have an excellent 
ports/pkg infrastructure to service this need if it arises.


-pete

--
Pete Wright
p...@nomadlogic.org
@nomadlogicLA



Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Ian Lepore
On Thu, 2020-09-17 at 12:49 -0700, John-Mark Gurney wrote:
> Ian Lepore wrote this message on Thu, Sep 17, 2020 at 09:01 -0600:
> > On Thu, 2020-09-17 at 18:43 +0400, Gleb Popov wrote:
> > > On Thu, Sep 17, 2020 at 6:05 PM Cy Schubert <
> > > cy.schub...@cschubert.com>
> > > wrote:
> > > 
> > > > I've been advocating removing FTP (and HTTP) from libfetch as
> > > > well.
> > > > People
> > > > should be using HTTPS only.
> > > > 
> > > 
> > > Isn't this a bit too much? I often find myself in need to
> > > download
> > > something starting with "http://" or "ftp://" and use fetch for
> > > this.
> > 
> > Indeed, we have products which rely on this ability in libfetch and
> > we
> > have to keep supporting them for many many years to come.
> > 
> > I hate it when someone imperiously declares [For security reasons]
> > "People should/shouldn't be using __".  You have no idea what
> > the
> > context is, and thus no ability to declare what should or shouldn't
> > be
> > used in that context.  For example, two embedded systems talking to
> > each other over a point to point link within a sealed device are
> > not
> > concerned about man in the middle attacks or other modern internet
> > threats.
> 
> And I really dislike when people want to make sure that their unique
> case that less than a percent of people would ever hit blocks the
> security improvements for the majority of people...
> 
> I've given up on a number of security improvements in FreeBSD because
> of this attitude...
> 

Good.  Because what you call "improvements" I would probably call
"Imposing policy rather than providing tools."

I don't complain about making defaults the safest choices available.
I complain about removing options completely because they're unsafe in
some circumstances according to some people.

-- Ian




Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread John-Mark Gurney
Rodney W. Grimes wrote this message on Thu, Sep 17, 2020 at 10:53 -0700:
> > FTP is firewall unfriendly.
> 
> Passive mode solved that decades ago.

Requires that the server not be behind a firewall or port forwarding
as well..

-- 
  John-Mark Gurney  Voice: +1 415 225 5579

 "All that I will do, has been done, All that I have, has not."


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread John-Mark Gurney
Ian Lepore wrote this message on Thu, Sep 17, 2020 at 09:01 -0600:
> On Thu, 2020-09-17 at 18:43 +0400, Gleb Popov wrote:
> > On Thu, Sep 17, 2020 at 6:05 PM Cy Schubert <
> > cy.schub...@cschubert.com>
> > wrote:
> > 
> > > I've been advocating removing FTP (and HTTP) from libfetch as well.
> > > People
> > > should be using HTTPS only.
> > > 
> > 
> > Isn't this a bit too much? I often find myself in need to download
> > something starting with "http://" or "ftp://" and use fetch for this.
> 
> Indeed, we have products which rely on this ability in libfetch and we
> have to keep supporting them for many many years to come.
> 
> I hate it when someone imperiously declares [For security reasons]
> "People should/shouldn't be using __".  You have no idea what the
> context is, and thus no ability to declare what should or shouldn't be
> used in that context.  For example, two embedded systems talking to
> each other over a point to point link within a sealed device are not
> concerned about man in the middle attacks or other modern internet
> threats.

And I really dislike when people want to make sure that their unique
case that less than a percent of people would ever hit blocks the
security improvements for the majority of people...

I've given up on a number of security improvements in FreeBSD because
of this attitude...

-- 
  John-Mark Gurney  Voice: +1 415 225 5579

 "All that I will do, has been done, All that I have, has not."


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread John-Mark Gurney
Warner Losh wrote this message on Thu, Sep 17, 2020 at 10:08 -0600:
> On Thu, Sep 17, 2020 at 8:05 AM Cy Schubert 
> wrote:
> 
> > I've been advocating removing FTP (and HTTP) from libfetch as well. People
> > should be using HTTPS only. (libfetch could support a plugin that might be
> > supplied by a port should someone be inclined to write one.)
> 
> The project isn't going to do that. "tools not policy" dictates that
> anything like that should be done in fetch(1) and likely only as a command
> line option for people that require a secure connection (or that can
> tolerate an insecure one).

Do we have a way for the admin/root to set fetch's policy to block FTP
and HTTP?

-- 
  John-Mark Gurney  Voice: +1 415 225 5579

 "All that I will do, has been done, All that I have, has not."
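
An added example (not FreeBSD, fetch(1) or libfetch code) of the knob John-Mark Gurney asks about here, and that Nick Wolff's reply earlier in the thread describes as a global config or ENV variable to disable unencrypted protocols: a pure scheme-policy check in Python that a wrapper around any downloader could apply before opening a connection. The variable name FETCH_ALLOWED_SCHEMES, the scheme list and the sample URLs are assumptions for illustration; with no setting at all the check allows everything, which is the "tools, not policy" default several posters ask for.

```python
"""Admin-settable URL scheme policy for a fetch(1)-style downloader.

Added example, not FreeBSD or libfetch code: it models a global
env/config setting that blocks unencrypted schemes as a pure policy
check you could wrap around any downloader. FETCH_ALLOWED_SCHEMES is an
assumed variable name, not a real fetch(1) or libfetch setting.
"""
import os
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlsplit

# Schemes a libfetch-style client speaks; "file" covers bare local paths.
KNOWN_SCHEMES = frozenset({"http", "https", "ftp", "file"})
# Tools, not policy: with no setting at all, nothing is blocked.
DEFAULT_POLICY = KNOWN_SCHEMES


def parse_policy(value: Optional[str]) -> FrozenSet[str]:
    """Turn 'https, ftp' (case-insensitive, whitespace tolerant) into a
    set of permitted schemes. None or blank means "no restriction".
    Unknown names are rejected so a typo cannot silently widen policy."""
    if value is None or not value.strip():
        return DEFAULT_POLICY
    schemes = {s.strip().lower() for s in value.split(",") if s.strip()}
    unknown = schemes - KNOWN_SCHEMES
    if unknown:
        raise ValueError("unknown scheme(s) in policy: %s" % sorted(unknown))
    return frozenset(schemes)


def url_scheme(url: str) -> str:
    """Scheme of a URL, lower-cased; a bare path (no scheme) is 'file'."""
    return urlsplit(url).scheme.lower() or "file"


def check_url(url: str, env: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Decide whether a download may proceed under the environment's policy.
    Returns (allowed, reason); schemes the client does not speak fail closed."""
    source = os.environ if env is None else env
    policy = parse_policy(source.get("FETCH_ALLOWED_SCHEMES"))
    scheme = url_scheme(url)
    if scheme not in KNOWN_SCHEMES:
        return False, "unsupported scheme %r" % scheme
    if scheme not in policy:
        return False, "scheme %r blocked by policy %s" % (scheme, sorted(policy))
    return True, "ok"


if __name__ == "__main__":
    # Assumed locked-down host: only HTTPS permitted.
    locked_down = {"FETCH_ALLOWED_SCHEMES": "https"}
    for u in ("https://download.freebsd.org/ftp/releases/",
              "http://169.254.169.254/latest/meta-data/",
              "/usr/ports/distfiles/foo.tar.gz"):
        print(u, "->", check_url(u, locked_down))
```

A host that needs the cloud metadata endpoint over HTTP would set the variable to "https,http" (or leave it unset), while a hardened build image can pin it to "https"; either way the decision lives in the environment, not in the tool.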


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Goran Mekić
On Thu, Sep 17, 2020 at 04:46:19PM +0200, Kurt Jaeger wrote:
> Hi!
>
> > > I've been advocating removing FTP (and HTTP) from libfetch as well. People
> > > should be using HTTPS only.
>
> > Isn't this a bit too much? I often find myself in need to download
> > something starting with "http://" or "ftp://" and use fetch for this.
>
> It's a bit too much. Deprecating it, 'add --really if you really
> want to use http/ftp' would be more useful for the common
> sys-admin 8-)

Doesn't pkg/freebsd-update use libfetch? If I'm right and they do, http
is widely used, then.




Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Cy Schubert
In message <202009171753.08hhrjbj014...@gndrsh.dnsmgr.net>, "Rodney W. Grimes" writes:
> > In message , Ed Maste writes:
> > > FTP is (becoming?) a legacy protocol, and I think it may be time to
> > > remove the ftp server from the FreeBSD base system - with the recent
> > > security advisory for ftpd serving as a reminder.
> > >
> > > I've proposed adding a deprecation notice to the man page in
> > > https://reviews.freebsd.org/D26447 to start this off. There are a
> > > number of ftp servers in ports, and if we're going to remove the base
> > > system one we can create a port for it first, as well.
> > >
> > > Any comments or concerns, please follow up in the code review or in email here.
> > 
> > We should also deprecate the FTP client.
> > 
> > I've been advocating removing FTP (and HTTP) from libfetch as well. People 
> > should be using HTTPS only. (libfetch could support a plugin that might be 
> > supplied by a port should someone be inclined to write one.)
>
> All the world is NOT the internet, there are far too many
> uses and places that do not need or warrant https, or sftp
> to make this type of move.
>
> It has already become very annoying that certain infrastructure
> now only supports https for what is data that has no security
> concern.
>
> Please do NOT remove the ftp client, or the ability of fetch
> to use ftp or http protocols.
>
> > 
> > FTP is firewall unfriendly.
>
> Passive mode solved that decades ago.

Not always, when you have dueling firewalls. When the local firewall allows 
passive and the remote firewall expects port ftp, i.e. denies ingress data 
port, you're stuck. I see this all the time. Switching from passive to port 
ftp will resolve the instance.

I see this all the time. Usually due to NAT of ftp to a bastion in the DMZ.

Even worse, Checkpoint is doing some funky things with various protocols. 
FTP-like protocols, like rexec, ftp, and Oracle's TNS listener are a royal 
PITA.


-- 
Cheers,
Cy Schubert 
FreeBSD UNIX: Web:  https://FreeBSD.org
NTP:   Web:  https://nwtime.org

The need of the many outweighs the greed of the few.




Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Slawa Olhovchenkov
On Thu, Sep 17, 2020 at 08:55:26AM -0700, Cy Schubert wrote:

> In message <451538de-9427-4584-987b-8e4aa26c2...@freebsd.org>, Daniel Eischen writes:
> > 
> >
> > > On Sep 17, 2020, at 11:20 AM, Maxim Sobolev  wrote:
> > > 
> > > Re: removing HTTP client please no!!! The current drive to "outlaw" 
> > > HTTP
> > > coming from companies who see all world via web browser. Totally ignoring
> > > the fact that HTTP != HTTPS in particular in cases where reliability and
> > > lower complexity of the system takes precedence over on-the-wire protocol
> > > security. For example, many internal APIs of AWS EC2 are HTTP.
> >
> > Agree.  And remember the mantra: tools, not policy.
> 
> Since there are so many I'll pick this email to reply to.
> 
> libfetch should be designed to call plugins. An https plugin, http plugin, 
> ftp plugin, sftp plugin, and so on. New protocols are added as needed, 
> preferably to ports before they are mainstream. Old protocols are removed 
> and moved to ports. People who still need to use old protocols can install 
> the port which plugs into libfetch. When a protocol becomes stale it's 
> forgotten, no longer maintained and simply disappears into the ether.
> 
> Given that pkgbase will become a reality at some point the line between 
> base and ports will blur. I expect at some point some of what we see in 
> base to simply become ports. As a developer of both base and ports, ports 
> are much easier to maintain than importing into base.

And to install the plugin from ports, use the HTTP AWS API installed from
ports?


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Rodney W. Grimes
> In message , Ed Maste writes:
> > FTP is (becoming?) a legacy protocol, and I think it may be time to
> > remove the ftp server from the FreeBSD base system - with the recent
> > security advisory for ftpd serving as a reminder.
> >
> > I've proposed adding a deprecation notice to the man page in
> > https://reviews.freebsd.org/D26447 to start this off. There are a
> > number of ftp servers in ports, and if we're going to remove the base
> > system one we can create a port for it first, as well.
> >
> > Any comments or concerns, please follow up in the code review or in email here.
> 
> We should also deprecate the FTP client.
> 
> I've been advocating removing FTP (and HTTP) from libfetch as well. People 
> should be using HTTPS only. (libfetch could support a plugin that might be 
> supplied by a port should someone be inclined to write one.)

All the world is NOT the internet, there are far too many
uses and places that do not need or warrant https, or sftp
to make this type of move.

It has already become very annoying that certain infrastructure
now only supports https for what is data that has no security
concern.

Please do NOT remove the ftp client, or the ability of fetch
to use ftp or http protocols.

> 
> FTP is firewall unfriendly.

Passive mode solved that decades ago.

> 
> The F5 gateway at $JOB does not support FTP. When we still worked at the 
> office I had to take my $JOB laptop to the coffee shop to use their 
> wireless to download patches from Broadcom's FTP site. Now that I WFH (we 
> won't ever go back to the office) I download while disconnected from the 
> VPN.

I believe this is mis-information on F5 gateways, I know that at least
some of them can be configured to support ftp.  Any gateway/firewall
that can not be configured to support passive mode ftp is.. um... broken.

> Then move the removed bits to ports, which I think we already have in tnftp 
> and tnftpd.
> 
> 
> -- 
> Cheers,
> Cy Schubert 
> FreeBSD UNIX: Web:  https://FreeBSD.org
> NTP:   Web:  https://nwtime.org
> 
>   The need of the many outweighs the greed of the few.
> 
> 
> 

-- 
Rod Grimes rgri...@freebsd.org


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Steve Kargl
On Thu, Sep 17, 2020 at 09:01:57AM -0600, Ian Lepore wrote:
> On Thu, 2020-09-17 at 18:43 +0400, Gleb Popov wrote:
> > On Thu, Sep 17, 2020 at 6:05 PM Cy Schubert <
> > cy.schub...@cschubert.com>
> > wrote:
> > 
> > > I've been advocating removing FTP (and HTTP) from libfetch as well.
> > > People
> > > should be using HTTPS only.
> > > 
> > 
> > Isn't this a bit too much? I often find myself in need to download
> > something starting with "http://" or "ftp://" and use fetch for this.
> > 
> 
> Indeed, we have products which rely on this ability in libfetch and we
> have to keep supporting them for many many years to come.
> 
> I hate it when someone imperiously declares [For security reasons]
> "People should/shouldn't be using __".  You have no idea what the
> context is, and thus no ability to declare what should or shouldn't be
> used in that context.  For example, two embedded systems talking to
> each other over a point to point link within a sealed device are not
> concerned about man in the middle attacks or other modern internet
> threats.
> 

+1

My small FreeBSD-based HPC cluster is detached from the internet.

-- 
Steve


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Rebecca Cran

On 9/17/20 8:04 AM, Cy Schubert wrote:
> We should also deprecate the FTP client.
>
> I've been advocating removing FTP (and HTTP) from libfetch as well. People
> should be using HTTPS only. (libfetch could support a plugin that might be
> supplied by a port should someone be inclined to write one.)

As an aside, are there any plans to remove the word "ftp" from the 
FreeBSD download sites. e.g. 
https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.1/ ?



--
Rebecca Cran




Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Warner Losh
On Thu, Sep 17, 2020 at 8:05 AM Cy Schubert 
wrote:

> I've been advocating removing FTP (and HTTP) from libfetch as well. People
> should be using HTTPS only. (libfetch could support a plugin that might be
> supplied by a port should someone be inclined to write one.)
>

The project isn't going to do that. "tools not policy" dictates that
anything like that should be done in fetch(1) and likely only as a command
line option for people that require a secure connection (or that can
tolerate an insecure one).

Warner


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Cy Schubert
In message <451538de-9427-4584-987b-8e4aa26c2...@freebsd.org>, Daniel Eischen writes:
> 
>
> > On Sep 17, 2020, at 11:20 AM, Maxim Sobolev  wrote:
> > 
> > Re: removing HTTP client please no!!! The current drive to "outlaw" HTTP
> > coming from companies who see all world via web browser. Totally ignoring
> > the fact that HTTP != HTTPS in particular in cases where reliability and
> > lower complexity of the system takes precedence over on-the-wire protocol
> > security. For example, many internal APIs of AWS EC2 are HTTP.
>
> Agree.  And remember the mantra: tools, not policy.

Since there are so many I'll pick this email to reply to.

libfetch should be designed to call plugins. An https plugin, http plugin, 
ftp plugin, sftp plugin, and so on. New protocols are added as needed, 
preferably to ports before they are mainstream. Old protocols are removed 
and moved to ports. People who still need to use old protocols can install 
the port which plugs into libfetch. When a protocol becomes stale it's 
forgotten, no longer maintained and simply disappears into the ether.

Given that pkgbase will become a reality at some point the line between 
base and ports will blur. I expect at some point some of what we see in 
base to simply become ports. As a developer of both base and ports, ports 
are much easier to maintain than importing into base.

That's my vision.


-- 
Cheers,
Cy Schubert 
FreeBSD UNIX: Web:  https://FreeBSD.org
NTP:   Web:  https://nwtime.org

The need of the many outweighs the greed of the few.




Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Renato Botelho

On 17/09/20 11:04, Cy Schubert wrote:
> In message , Ed Maste writes:
> > FTP is (becoming?) a legacy protocol, and I think it may be time to
> > remove the ftp server from the FreeBSD base system - with the recent
> > security advisory for ftpd serving as a reminder.
> >
> > I've proposed adding a deprecation notice to the man page in
> > https://reviews.freebsd.org/D26447 to start this off. There are a
> > number of ftp servers in ports, and if we're going to remove the base
> > system one we can create a port for it first, as well.
> >
> > Any comments or concerns, please follow up in the code review or in email here.
>
> We should also deprecate the FTP client.
>
> I've been advocating removing FTP (and HTTP) from libfetch as well. People
> should be using HTTPS only. (libfetch could support a plugin that might be
> supplied by a port should someone be inclined to write one.)
>
> FTP is firewall unfriendly.
>
> The F5 gateway at $JOB does not support FTP. When we still worked at the
> office I had to take my $JOB laptop to the coffee shop to use their
> wireless to download patches from Broadcom's FTP site. Now that I WFH (we
> won't ever go back to the office) I download while disconnected from the
> VPN.
>
> Then move the removed bits to ports, which I think we already have in tnftp
> and tnftpd.



pkg still uses HTTP

❯ sudo pkg -d update -f
Password:
DBG(1)[78228]> pkg initialized
Updating FreeBSD repository catalogue...
DBG(1)[78228]> PkgRepo: verifying update for FreeBSD
DBG(1)[78228]> Pkgrepo, begin update of '/var/db/pkg/repo-FreeBSD.sqlite'
DBG(1)[78228]> Fetch: fetching from: 
http://pkgmir.geo.freebsd.org/FreeBSD:13:amd64/latest/meta.conf with 
opts "i"

Fetching meta.conf: 100%163 B   0.2kB/s00:01
DBG(1)[78228]> Fetch: fetching from: 
http://pkgmir.geo.freebsd.org/FreeBSD:13:amd64/latest/packagesite.txz 
with opts "i"

Fetching packagesite.txz: 100%6 MiB   6.5MB/s00:01


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Daniel Eischen

> On Sep 17, 2020, at 11:20 AM, Maxim Sobolev  wrote:
> 
> Re: removing HTTP client please no!!! The current drive to "outlaw" HTTP
> coming from companies who see all world via web browser. Totally ignoring
> the fact that HTTP != HTTPS in particular in cases where reliability and
> lower complexity of the system takes precedence over on-the-wire protocol
> security. For example, many internal APIs of AWS EC2 are HTTP.

Agree.  And remember the mantra: tools, not policy.

--
DE




Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Maxim Sobolev
Re: removing HTTP client please no!!! The current drive to "outlaw" HTTP
coming from companies who see all world via web browser. Totally ignoring
the fact that HTTP != HTTPS in particular in cases where reliability and
lower complexity of the system takes precedence over on-the-wire protocol
security. For example, many internal APIs of AWS EC2 are HTTP.

-Max

On Thu., Sep. 17, 2020, 7:04 a.m. Cy Schubert wrote:

> In message , Ed Maste writes:
> > FTP is (becoming?) a legacy protocol, and I think it may be time to
> > remove the ftp server from the FreeBSD base system - with the recent
> > security advisory for ftpd serving as a reminder.
> >
> > I've proposed adding a deprecation notice to the man page in
> > https://reviews.freebsd.org/D26447 to start this off. There are a
> > number of ftp servers in ports, and if we're going to remove the base
> > system one we can create a port for it first, as well.
> >
> > Any comments or concerns, please follow up in the code review or in email here.
>
> We should also deprecate the FTP client.
>
> I've been advocating removing FTP (and HTTP) from libfetch as well. People
> should be using HTTPS only. (libfetch could support a plugin that might be
> supplied by a port should someone be inclined to write one.)
>
> FTP is firewall unfriendly.
>
> The F5 gateway at $JOB does not support FTP. When we still worked at the
> office I had to take my $JOB laptop to the coffee shop to use their
> wireless to download patches from Broadcom's FTP site. Now that I WFH (we
> won't ever go back to the office) I download while disconnected from the
> VPN.
>
> Then move the removed bits to ports, which I think we already have in
> tnftp
> and tnftpd.
>
>
> --
> Cheers,
> Cy Schubert 
> FreeBSD UNIX: Web:  https://FreeBSD.org
> NTP:   Web:  https://nwtime.org
>
> The need of the many outweighs the greed of the few.
>
>


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Lucas Nali de Magalhães
Hi.

> On Sep 17, 2020, at 11:05 AM, Cy Schubert  wrote:
> In message , Ed Maste writes:
>> FTP is (becoming?) a legacy protocol, and I think it may be time to
>> remove the ftp server from the FreeBSD base system - with the recent
>> security advisory for ftpd serving as a reminder.
> 
> We should also deprecate the FTP client.
> 
> I've been advocating removing FTP (and HTTP) from libfetch as well. People 
> should be using HTTPS only. (libfetch could support a plugin that might be 
> supplied by a port should someone be inclined to write one.)

I usually evaluate the possibility of interacting with legacy stuff as a feature, 
and this would make FreeBSD shine less. The associated security 
improvement could be done in many different ways, and this one is one of the 
worst. Maybe a warning during use, or a flag to disable/enable it when desired 
or needed? And among all the security measures the project can take to improve 
FreeBSD security, this one is at the bottom of my list for sure. FTPD doesn't even 
come enabled by default.

-- 
rollingbits —  rollingb...@gmail.com  rollingb...@terra.com.br  
rollingb...@yahoo.com  rollingb...@globo.com  rollingb...@icloud.com



Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Brooks Davis
On Thu, Sep 17, 2020 at 06:43:16PM +0400, Gleb Popov wrote:
> On Thu, Sep 17, 2020 at 6:05 PM Cy Schubert 
> wrote:
> 
> > I've been advocating removing FTP (and HTTP) from libfetch as well. People
> > should be using HTTPS only.
> >
> 
> Isn't this a bit too much? I often find myself in need to download
> something starting with "http://" or "ftp://" and use fetch for this.


Yes, let's remove access to instance metadata on several (hundred-?)million
AWS instances.


-- Brooks




Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Baptiste Daroussin
On Thu, Sep 17, 2020 at 07:04:41AM -0700, Cy Schubert wrote:
> In message , Ed Maste writes:
> > FTP is (becoming?) a legacy protocol, and I think it may be time to
> > remove the ftp server from the FreeBSD base system - with the recent
> > security advisory for ftpd serving as a reminder.
> >
> > I've proposed adding a deprecation notice to the man page in
> > https://reviews.freebsd.org/D26447 to start this off. There are a
> > number of ftp servers in ports, and if we're going to remove the base
> > system one we can create a port for it first, as well.
> >
> > Any comments or concerns, please follow up in the code review or in email here.
> 
> We should also deprecate the FTP client.
> 
> I've been advocating removing FTP (and HTTP) from libfetch as well. People 
> should be using HTTPS only. (libfetch could support a plugin that might be 
> supplied by a port should someone be inclined to write one.)
> 
That that and we can throw away half of the ports tree ;)

Best regards,
Bapt




Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Ian Lepore
On Thu, 2020-09-17 at 18:43 +0400, Gleb Popov wrote:
> On Thu, Sep 17, 2020 at 6:05 PM Cy Schubert <
> cy.schub...@cschubert.com>
> wrote:
> 
> > I've been advocating removing FTP (and HTTP) from libfetch as well.
> > People
> > should be using HTTPS only.
> > 
> 
> Isn't this a bit too much? I often find myself in need to download
> something starting with "http://" or "ftp://" and use fetch for this.
> 

Indeed, we have products which rely on this ability in libfetch and we
have to keep supporting them for many many years to come.

I hate it when someone imperiously declares [For security reasons]
"People should/shouldn't be using __".  You have no idea what the
context is, and thus no ability to declare what should or shouldn't be
used in that context.  For example, two embedded systems talking to
each other over a point to point link within a sealed device are not
concerned about man in the middle attacks or other modern internet
threats.

-- Ian




Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Cy Schubert
In message 
, Gleb Popov writes:
>
> On Thu, Sep 17, 2020 at 6:05 PM Cy Schubert 
> wrote:
>
> > I've been advocating removing FTP (and HTTP) from libfetch as well. People
> > should be using HTTPS only.
> >
>
> Isn't this a bit too much? I often find myself in need to download
> something starting with "http://" or "ftp://" and use fetch for this.

Nope.


-- 
Cheers,
Cy Schubert 
FreeBSD UNIX: Web:  https://FreeBSD.org
NTP:   Web:  https://nwtime.org

The need of the many outweighs the greed of the few.




Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Kurt Jaeger
Hi!

> > I've been advocating removing FTP (and HTTP) from libfetch as well. People
> > should be using HTTPS only.

> Isn't this a bit too much? I often find myself in need to download
> something starting with "http://" or "ftp://" and use fetch for this.

It's a bit too much. Deprecating it, 'add --really if you really
want to use http/ftp' would be more useful for the common
sys-admin 8-)

-- 
p...@opsec.eu  +49 171 3101372  Now what ?


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Gleb Popov
On Thu, Sep 17, 2020 at 6:05 PM Cy Schubert 
wrote:

> I've been advocating removing FTP (and HTTP) from libfetch as well. People
> should be using HTTPS only.
>

Isn't this a bit too much? I often find myself in need to download
something starting with "http://" or "ftp://" and use fetch for this.


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-17 Thread Cy Schubert
In message 
, Ed Maste writes:
> FTP is (becoming?) a legacy protocol, and I think it may be time to
> remove the ftp server from the FreeBSD base system - with the recent
> security advisory for ftpd serving as a reminder.
>
> I've proposed adding a deprecation notice to the man page in
> https://reviews.freebsd.org/D26447 to start this off. There are a
> number of ftp servers in ports, and if we're going to remove the base
> system one we can create a port for it first, as well.
>
> Any comments or concerns, please follow up in the code review or in email here.

We should also deprecate the FTP client.

I've been advocating removing FTP (and HTTP) from libfetch as well. People 
should be using HTTPS only. (libfetch could support a plugin that might be 
supplied by a port should someone be inclined to write one.)

FTP is firewall unfriendly.

The F5 gateway at $JOB does not support FTP. When we still worked at the 
office I had to take my $JOB laptop to the coffee shop to use their 
wireless to download patches from Broadcom's FTP site. Now that I WFH (we 
won't ever go back to the office) I download while disconnected from the 
VPN.

Then move the removed bits to ports, which I think we already have in tnftp 
and tnftpd.


-- 
Cheers,
Cy Schubert 
FreeBSD UNIX: Web:  https://FreeBSD.org
NTP:   Web:  https://nwtime.org

The need of the many outweighs the greed of the few.




Re: Deprecating ftpd in the FreeBSD base system?

2020-09-16 Thread Ed Maste
On Wed, 16 Sep 2020 at 16:51, Allan Jude  wrote:
>
> Is the [ftpd] version we have in base unique? That is to say, does it need
> to be preserved somehow.

I'm not sure if we have functionality that doesn't exist elsewhere,
although we definitely have some changes that do not exist in other
BSDs.


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-16 Thread Michael Gmelin


> On 16. Sep 2020, at 22:53, Michael Gmelin  wrote:
> 
> 
> 
>>> On 16. Sep 2020, at 22:45, mike tancsa  wrote:
>>> 
>>> On 9/16/2020 2:07 PM, sth...@nethelp.no wrote:
>>> # override default of no subsystems
>>> -Subsystemsftp/usr/libexec/sftp-server
>>> +Subsystemsftpinternal-sftp -l INFO
>> 
>> Hi,
>> 
>> What is the difference between these two ?  Is it not all OpenSSH ?
> 
> Yes, but one is an external binary, while internal doesn’t rely on that. 
> Which means that your chroot setup won’t require bin and lib dirs. For most 
> scenarios, internal is the way to go.
> 
> The man page has more details.
> 
> -m

p.s. this is a good write-up:

https://serverfault.com/questions/660160/openssh-difference-between-internal-sftp-and-sftp-server


> 
> 
>>---Mike


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-16 Thread Michael Gmelin


> On 16. Sep 2020, at 22:45, mike tancsa  wrote:
> 
> On 9/16/2020 2:07 PM, sth...@nethelp.no wrote:
>> # override default of no subsystems
>> -Subsystemsftp/usr/libexec/sftp-server
>> +Subsystemsftpinternal-sftp -l INFO
> 
> Hi,
> 
> What is the difference between these two ?  Is it not all OpenSSH ?

Yes, but one is an external binary, while internal doesn’t rely on that. Which 
means that your chroot setup won’t require bin and lib dirs. For most 
scenarios, internal is the way to go.

The man page has more details.

-m


> ---Mike
> 
> 


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-16 Thread Allan Jude
On 2020-09-16 13:34, Ed Maste wrote:
> FTP is (becoming?) a legacy protocol, and I think it may be time to
> remove the ftp server from the FreeBSD base system - with the recent
> security advisory for ftpd serving as a reminder.
> 
> I've proposed adding a deprecation notice to the man page in
> https://reviews.freebsd.org/D26447 to start this off. There are a
> number of ftp servers in ports, and if we're going to remove the base
> system one we can create a port for it first, as well.
> 
> Any comments or concerns, please follow up in the code review or in email 
> here.
> 

Is the version we have in base unique? That is to say, does it need to
be preserved somehow.

I know it is based on the original 4.2BSD ftpd, but did we pull in
code from anywhere else at some point?

Or maybe a better question is: Which ftpd is the most similar, and would
allow people to migrate most easily (tnftpd from netbsd?)

-- 
Allan Jude





Re: Deprecating ftpd in the FreeBSD base system?

2020-09-16 Thread mike tancsa
On 9/16/2020 2:07 PM, sth...@nethelp.no wrote:
>  # override default of no subsystems
> -Subsystemsftp/usr/libexec/sftp-server
> +Subsystemsftpinternal-sftp -l INFO

Hi,

What is the difference between these two ?  Is it not all OpenSSH ?

    ---Mike




Re: Deprecating ftpd in the FreeBSD base system?

2020-09-16 Thread Michael Gmelin


> On 16. Sep 2020, at 20:08, sth...@nethelp.no wrote:
> 
> 
>> 
>> FTP is (becoming?) a legacy protocol, and I think it may be time to
>> remove the ftp server from the FreeBSD base system - with the recent
>> security advisory for ftpd serving as a reminder.
>> 
>> I've proposed adding a deprecation notice to the man page in
>> https://reviews.freebsd.org/D26447 to start this off. There are a
>> number of ftp servers in ports, and if we're going to remove the base
>> system one we can create a port for it first, as well.
>> 
>> Any comments or concerns, please follow up in the code review or in email 
>> here.
> 
> Could we, at the same time, improve the documentation for sftp? I had
> to move an FTP server (with one chrooted user) from FTP to sftp today.
> I did:
> 
> 1. Add sftp user to /etc/passwd, with /usr/sbin/nologin as the shell.
> 2. Patch sshd config as follows:
> 
> --- etc/ssh/sshd_config.orig2018-06-16 22:04:20.868762000 +0200
> +++ etc/ssh/sshd_config2020-09-16 10:10:53.133211000 +0200
> @@ -112,7 +112,7 @@
> #Banner none
> 
> # override default of no subsystems
> -Subsystemsftp/usr/libexec/sftp-server
> +Subsystemsftpinternal-sftp -l INFO
> 
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
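Review bot: the `-l INFO` argument on the global `Subsystem sftp internal-sftp -l INFO` line makes internal-sftp log through syslog from inside the chroot once the Match block applies, so it depends on the `/usr/local/ftp/sftp/dev/log` socket created in step 4; without that socket the sessions still work but the INFO records silently go nowhere, which is worth stating in the documentation being requested. Also, because the Match block's `ForceCommand internal-sftp -l INFO` already overrides the subsystem for the sftp user, this global change only affects the other, non-chrooted users of this sshd.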
> @@ -120,3 +120,8 @@
> #AllowTcpForwarding no
> #PermitTTY no
> #ForceCommand cvs server
> +Match User sftp
> +ChrootDirectory/usr/local/ftp/sftp
> +ForceCommand internal-sftp -l INFO
> +X11Forwarding no
> +AllowTcpForwarding no
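Review bot: the `+ChrootDirectory/usr/local/ftp/sftp` target must be root-owned and not writable by group or others, and sshd checks every path component up to `/`, not just the leaf; step 3 only mentions ownership, so the permission condition should be documented alongside it, together with the consequence that the sftp user needs a writable subdirectory (owned by that user) below the root-owned chroot to upload anything. The Match block is correctly appended at the end of the file; anything added to sshd_config below it would become part of the Match rather than a global setting.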
> 
> 3. Ensure all levels of /usr/local/ftp/sftp are owned by root.
> 4. Create /usr/local/ftp/sftp/dev and add the following line to
> /etc/rc.conf:
> 
> syslogd_flags="-s -l /usr/local/ftp/sftp/dev/log"
> 
> Btw, I could not get /usr/libexec/sftp-server to work. Cryptic error
> message: "Received message too long 1416128883". Googling that one
> eventually led me to the internal-sftp subsystem and the rest of the
> sshd_config changes. The sshd_config man page is good, but I couldn't
> find anything about arguments (e.g. -l) for internal-sftp.

In case it helps, I documented an example sftp setup as part of the paperless 
port's man page last year:

https://svnweb.freebsd.org/ports/head/deskutils/py-paperless/files/paperless.7.in?revision=521891=co

-m

> 
> Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-16 Thread sthaug
> FTP is (becoming?) a legacy protocol, and I think it may be time to
> remove the ftp server from the FreeBSD base system - with the recent
> security advisory for ftpd serving as a reminder.
> 
> I've proposed adding a deprecation notice to the man page in
> https://reviews.freebsd.org/D26447 to start this off. There are a
> number of ftp servers in ports, and if we're going to remove the base
> system one we can create a port for it first, as well.
> 
> Any comments or concerns, please follow up in the code review or in email 
> here.

Could we, at the same time, improve the documentation for sftp? I had
to move an FTP server (with one chrooted user) from FTP to sftp today.
I did:

1. Add sftp user to /etc/passwd, with /usr/sbin/nologin as the shell.
2. Patch sshd config as follows:

--- etc/ssh/sshd_config.orig2018-06-16 22:04:20.868762000 +0200
+++ etc/ssh/sshd_config 2020-09-16 10:10:53.133211000 +0200
@@ -112,7 +112,7 @@
 #Banner none
 
 # override default of no subsystems
-Subsystem  sftp/usr/libexec/sftp-server
+Subsystem  sftpinternal-sftp -l INFO
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
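Review bot: the `-Subsystem sftp /usr/libexec/sftp-server` to `+Subsystem sftp internal-sftp -l INFO` change is global, so it moves every sftp user on the host to the in-process server with INFO logging, not only the chrooted account; if that is not intended, leave the Subsystem line as it was and rely on the `ForceCommand internal-sftp -l INFO` in the Match block, which overrides it for the sftp user anyway. For the documentation request, the "Received message too long 1416128883" failure with sftp-server is explained by step 1: sshd runs an external subsystem through the user's login shell, and /usr/sbin/nologin prints "This account is currently not available." instead of exec'ing the server. 1416128883 is 0x54686973, the ASCII bytes "This", which the client parsed as the length of the first SFTP packet. internal-sftp runs inside sshd without spawning the shell, which is why it works with a nologin shell.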
@@ -120,3 +120,8 @@
 #  AllowTcpForwarding no
 #  PermitTTY no
 #  ForceCommand cvs server
+Match User sftp
+ChrootDirectory/usr/local/ftp/sftp
+ForceCommand internal-sftp -l INFO
+X11Forwarding no
+AllowTcpForwarding no
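Review bot: the `+Match User sftp` block depends on sshd accepting `ChrootDirectory /usr/local/ftp/sftp`, and sshd refuses it unless every component of that path is a directory owned by root and not group- or world-writable; step 3 covers ownership but the permission half is missing, and because the chroot root is therefore unwritable, the procedure should also say to create a writable subdirectory owned by the sftp user for uploads. Consider adding `AllowAgentForwarding no` and `PermitTunnel no` beside the two forwarding lines, and keep this Match block last in sshd_config: every directive after a Match line belongs to that block until the next Match.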

3. Ensure all levels of /usr/local/ftp/sftp are owned by root.
4. Create /usr/local/ftp/sftp/dev and add the following line to
/etc/rc.conf:

syslogd_flags="-s -l /usr/local/ftp/sftp/dev/log"

Btw, I could not get /usr/libexec/sftp-server to work. Cryptic error
message: "Received message too long 1416128883". Googling that one
eventually led me to the internal-sftp subsystem and the rest of the
sshd_config changes. The sshd_config man page is good, but I couldn't
find anything about arguments (e.g. -l) for internal-sftp.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
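An added pre-flight check for the chroot procedure above; it is example code written for this thread, not part of Steinar's post or of OpenSSH. It verifies a ChrootDirectory the way sshd does (every path component a root-owned directory, not group- or world-writable) and that the syslog socket from step 4 exists; the path /usr/local/ftp/sftp is the one from the thread, the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSH: pre-flight checks for a
# chrooted internal-sftp account like the one configured above.
# Usage: sh check_sftp_chroot.sh /usr/local/ftp/sftp   (path from the thread)

# Decide whether sshd would accept one path component as part of a
# ChrootDirectory. MODE is an ls -l mode string (e.g. drwxr-xr-x), OWNER the
# owner name. sshd requires: a directory, owned by root, not writable by
# group or others. Returns 0 (accepted) or 1 (rejected).
chroot_component_ok() {
    mode=$(printf '%s' "$1" | cut -c1-10)   # strip ACL/SELinux suffix (+ or .)
    owner=$2
    [ "$owner" = root ] || return 1         # must be root-owned
    case "$mode" in
        d*) ;;
        *) return 1 ;;                      # not a directory
    esac
    case "$mode" in
        ?????w*) return 1 ;;                # group write bit (position 6)
        ????????w*) return 1 ;;             # other write bit (position 9)
    esac
    return 0
}

# Walk from DIR up to / and check every component, as sshd's chroot
# validation does; reports the first offending component on stderr.
check_chroot_path() {
    p=$1
    while :; do
        out=$(ls -ld "$p" 2>/dev/null) || { echo "cannot stat $p" >&2; return 1; }
        set -- $out                         # $1 = mode string, $3 = owner
        chroot_component_ok "$1" "$3" || { echo "bad component: $p ($1 $3)" >&2; return 1; }
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return 0
}

# internal-sftp -l INFO logs via syslog from inside the chroot, which only
# works if syslogd listens on DIR/dev/log (the syslogd_flags step above).
check_chroot_log_socket() {
    [ -S "$1/dev/log" ]
}

# Run all checks when a chroot directory is given on the command line.
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && check_chroot_log_socket "$1" \
        && echo "$1: chroot layout ok" \
        || { echo "$1: NOT ready for ChrootDirectory" >&2; exit 1; }
fi
```

Run it as root after steps 3 and 4; a non-zero exit names the component sshd would reject, which is the same condition that otherwise only shows up as a failed login in the sshd log.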


Re: Deprecating ftpd in the FreeBSD base system?

2020-09-16 Thread Warner Losh
On Wed, Sep 16, 2020 at 11:34 AM Ed Maste  wrote:

> FTP is (becoming?) a legacy protocol, and I think it may be time to
> remove the ftp server from the FreeBSD base system - with the recent
> security advisory for ftpd serving as a reminder.
>
> I've proposed adding a deprecation notice to the man page in
> https://reviews.freebsd.org/D26447 to start this off. There are a
> number of ftp servers in ports, and if we're going to remove the base
> system one we can create a port for it first, as well.
>
> Any comments or concerns, please follow up in the code review or in email
> here.
>

While I may quibble over the 'legacy' tag to FTP, I do agree that ftpd
isn't important enough to risk the security exposure for it (even if we
don't enable it by default). There are several ftpd ports one could use. I
know I'll be installing it on my systems here, but I have some special
needs due to a video camera that uploads snapshots via ftp (and yes, I know
that's not super secure, which is why it's on its own VLAN, jail insulated,
etc).

Warner


Deprecating ftpd in the FreeBSD base system?

2020-09-16 Thread Ed Maste
FTP is (becoming?) a legacy protocol, and I think it may be time to
remove the ftp server from the FreeBSD base system - with the recent
security advisory for ftpd serving as a reminder.

I've proposed adding a deprecation notice to the man page in
https://reviews.freebsd.org/D26447 to start this off. There are a
number of ftp servers in ports, and if we're going to remove the base
system one we can create a port for it first, as well.

Any comments or concerns, please follow up in the code review or in email here.