On Wed, Apr 7, 2021 at 6:18 AM tech-lists <tech-li...@zyxst.net> wrote:
>
> Hi, I'm a bit late to the discussion
>
> On Mon, Apr 05, 2021 at 07:44:59AM -0700, Cy Schubert wrote:
>
> >I think this is an excellent start. My shopping list includes:
> >
> >- remove ftp(1)
> >- remove ftpd(8)
> >- remove telnet(1)
> >- remove telnetd(8)
> >- remove ftp:// and http:// from libfetch. This is 2021 and we should all
> >use https://.
> >- replace DNS lookups with DoH and/or DoT. Why let your ISP see your DNS
> >traffic?
>
> Very firmly against this, and this sort of thing, for the following reasons:
>
> 1. I want an OS, not a kernel. If I just want a kernel, then why not go
> with Linux? FreeBSD is meant to be, I think, (generally), a server OS.
> So, would you agree that it needs the ability to have server protocols
> easily configured, with a minimum of fuss, without packages?
>
> 2. A lot of infrastructure depends on ftpd. It's easy to configure
> ftpd securely in base.
>
> 3. There are some networks, like internal ones, where encryption is not
> a requirement, or appropriate.
>
> 4. There are some places where encryption is in fact illegal.
>
> >Personally, I'd suggest we remove the ftpd server *AND* ftp client and rely
> >on ports. Having worked on UNIX, Internet security, and firewalls over the
> >last 3/5 of my almost 50 year career, I have lamented the existence of the
> >FTP protocol back in 1995 and I hate the FTP protocol with a greater
> >passion today. Let's simply remove all vestiges of FTP from the base
> >system, including libfetch, sooner than later. We don't need it now that we
> >have HTTPS and POST; and sftp.
>
> 5. Some services commonly don't use https. Lots of internet radio
> stations don't. If https is enforced then the user will have to jump
> through more hoops than they already do in order to, in this case,
> listen to internet radio. Or face a loss of functionality.
>
> 6. Not everywhere will have constant internet access. Not everyone will
> want to use pkgs or have space for the ports tree.
>
> >I think we should make it our goal to remove any and all unencrypted
> >protocols from FreeBSD by 2025.
>
> I think you should carefully think of the consequences of removing
> functionality in the default install. It will make it less useful, not
> more.
> --
> J.

To amplify this a bit: Those who are all about secure protocols (and I'm one
of them) should realize that public cryptography (not just public key, but
public use of cryptographic protocols in general) is not a solved problem. In
particular, multi-party key management in an open Internet is problematic.
Open or plain text protocols do have a place.

Kurt

_______________________________________________
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"