Re: [Christos Zoulas] CVS commit: src/usr.bin/ftp

2022-09-02 Thread Greg Troxel
I just sent a big note about the default trust anchor issue to tech-security. Please follow up there about that, vs this specific ftp change.

Re: [Christos Zoulas] CVS commit: src/usr.bin/ftp

2022-09-02 Thread Greg Troxel
Martin Husemann writes:
> On Fri, Sep 02, 2022 at 06:23:48PM +0300, Christos Zoulas wrote:
>> I think we should be installing the anchors by default. I also think
>> that people think that https gets validated by default.
>
> I agree. The problem is that we need to supply anchors now with new
> i

Re: [Christos Zoulas] CVS commit: src/usr.bin/ftp

2022-09-02 Thread Greg Troxel
Christos Zoulas writes:
>> On Sep 2, 2022, at 3:57 PM, Greg Troxel wrote:
>>
>> Did I miss discussion on this? I am getting the impression that we now
>> have defaults:
>> no trust anchors installed
>> require verification
>>
>> which really doesn't make sense. If I am following correctly

Re: [Christos Zoulas] CVS commit: src/usr.bin/ftp

2022-09-02 Thread Emmanuel Dreyfus
On Fri, Sep 02, 2022 at 06:23:48PM +0300, Christos Zoulas wrote:
> I think we should be installing the anchors by default. I also think
> that people think that https gets validated by default.
Yes, this is long overdue. The current situation is vulnerable by default to MiM attacks, like malware i

Re: [Christos Zoulas] CVS commit: src/usr.bin/ftp

2022-09-02 Thread Pierre-Philipp Braun
On 02/09/2022 18:32, Martin Husemann wrote: Could be something easy like using the mozilla root certs from last quarter's pkgsrc branch, downloadable from some well known NetBSD.org URL. Either the original bin pkg and a (special) base system script to unpack and update (w/o pkg_add and architect

Re: [Christos Zoulas] CVS commit: src/usr.bin/ftp

2022-09-02 Thread Martin Husemann
On Fri, Sep 02, 2022 at 06:23:48PM +0300, Christos Zoulas wrote:
> I think we should be installing the anchors by default. I also think
> that people think that https gets validated by default.
I agree. The problem is that we need to supply anchors now with new installations and have a way to keep

Re: [Christos Zoulas] CVS commit: src/usr.bin/ftp

2022-09-02 Thread Christos Zoulas
> On Sep 2, 2022, at 3:57 PM, Greg Troxel wrote:
>
> Did I miss discussion on this? I am getting the impression that we now
> have defaults:
> no trust anchors installed
> require verification
>
> which really doesn't make sense. If I am following correctly this is a
> major behavior chang

[Christos Zoulas] CVS commit: src/usr.bin/ftp

2022-09-02 Thread Greg Troxel
Did I miss discussion on this? I am getting the impression that we now have defaults:
  no trust anchors installed
  require verification
which really doesn't make sense. If I am following correctly this is a major behavior change in a controversial area, which isn't ok without discussion/consen