Deprecating ftpd in the FreeBSD base system?

Lucas Nali de Magalhães rollingbits at gmail.com
Thu Sep 17 15:14:56 UTC 2020


Hi.

> On Sep 17, 2020, at 11:05 AM, Cy Schubert <Cy.Schubert at cschubert.com> wrote:
> In message <CAPyFy2BHki84KuzP94AqTLk7v9FTAnLP-sa4HaFLq0kdxt0dEQ at mail.gmail.com>, Ed Maste writes:
>> FTP is (becoming?) a legacy protocol, and I think it may be time to
>> remove the ftp server from the FreeBSD base system - with the recent
>> security advisory for ftpd serving as a reminder.
> 
> We should also deprecate the FTP client.
> 
> I've been advocating removing FTP (and HTTP) from libfetch as well. People 
> should be using HTTPS only. (libfetch could support a plugin that might be 
> supplied by a port should someone be inclined to write one.)

I usually evaluate the possibility to interact with legacy stuff as a feature, and then this would make FreeBSD shine less. The associated security improvement could be done in many different ways and this one is one of the worst. Maybe a warning during use or a flag to disable/enable it when desired or needed? And among all the security measures the project can take to improve FreeBSD security, this one is at the bottom of my list for sure. FTPD does not even come enabled by default.

-- 
rollingbits — 📧 rollingbits at gmail.com 📧 rollingbits at terra.com.br 📧 rollingbits at yahoo.com 📧 rollingbits at globo.com 📧 rollingbits at icloud.com



More information about the freebsd-current mailing list