[Bug 257767] Mk/bsd.sites.mk: Disable ftp protocol for fetch MASTER_SITES

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 12 Aug 2021 09:54:02 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257767

--- Comment #7 from Loic <hackurx@gmail.com> ---
(In reply to Alexey Dokuchaev from comment #5)

> One does not verify distfiles' links with the browser

This is not written in the documentation and only makes sense if you check many
URLs.

> It does not have to be secure for the purpose of distributing distfiles, 
> their authenticity is ensured by SHA256 hashes which are checked on the receiving end.

Except that the user will have opened an insecure ftp connection as root that
the attacker can exploit to gain access to the system.
The problem does not come from the downloaded file itself.

> This is simply not true, there are plenty of FTP servers which are actively 
> maintained as of today.

Some ports may be, but this is not the case for the base:
In the very recent commit 674400eb20b65369a88b1cb778d729bc297832c9 (Tue Jul 27
12:14:00 2021 -0600) the comment is "Delete code killed by SVN r13139 in 1996.
Little chance that it would still compile today". This shows how little
interest there is at the moment.

For /usr.bin/ftp the last commit a598c4b809a73772d7452991213407cdac302156 is
from 2017.

> How exactly removing a feature, even not very popular one, is *nice* to the users of the Ports Collection?

This simplified the firewall rules and increased security for the system
administrator using Poudriere.
For the user, the goal is to eventually achieve HTTPS to complicate MITM
attacks while using the ports.
