rtools were deemed almost unused 15 years ago...

Jeremie Le Hen jlh at freebsd.org
Tue Jun 20 10:25:48 UTC 2017


Hey folks,

I remember when I was still barely out of my teenagehood, people were
mostly using ssh/scp while rtools (rsh, rlogin, ... for the
youngsters) were left in place as a courtesy for legacy production
systems still relying on them.

Fast forward to 2017 (so yes, 15 years later), stack-clash [1] sorely
reminds us that suid binaries are an attack surface. I don't even need
to mention that it's a healthy engineering practice to remove unused
code, both from a maintenance and security perspective.

Therefore, I hereby propose to remove rtools from the base system.  I
acknowledge this will likely cause trouble for a handful of people
who are still relying on it for good or bad reasons. But the flipside
is that the attack surface of millions of FreeBSD installs out there
will be reduced.

The proposed roadmap is:
- disable from the build on head and let it soak for one month
- remove rtools from the base.

What do you guys think?  Any preferred color for the bikeshed? :)



[1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
-- 
Jeremie Le Hen
jlh at FreeBSD.org
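An added audit check for the attack-surface point made above (example code, not from the mail or the FreeBSD project): it inventories setuid files under a directory tree and reports which of the rtools named in the proposal are installed setuid. The scan directory and the rtool name list are assumptions.

```shell
# Added example, not part of the original mail. Lists setuid files under a
# tree and flags the rtools (rsh, rlogin, rcp: an assumed list) so an admin
# can see what would disappear from the setuid surface before removal.

list_setuid() {
    # $1: directory to scan; prints one path per line for each setuid file
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

flag_rtools() {
    # reads paths on stdin, prints only those whose basename is an rtool
    while IFS= read -r path; do
        case "${path##*/}" in
            rsh|rlogin|rcp) printf '%s\n' "$path" ;;
        esac
    done
}

count_rtools_setuid() {
    # $1: directory; prints the number of setuid rtools found under it
    list_setuid "$1" | flag_rtools | wc -l | tr -d ' '
}

# Usage: sh audit_rtools.sh /usr/bin   (directory is an assumption)
if [ $# -gt 0 ]; then
    dir=$1
    echo "setuid files under $dir:"
    list_setuid "$dir"
    echo "setuid rtools under $dir: $(count_rtools_setuid "$dir")"
fi
```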