Removing NOCRYPT

Ruslan Ermilov ru at
Tue Apr 27 08:21:46 PDT 2004

On Tue, Apr 27, 2004 at 10:08:30AM +0100, Colin Percival wrote:
>   I would like to remove the NOCRYPT option from FreeBSD before
> 5.3-RELEASE.  There are a number of good reasons for doing this:
This should probably be discussed on -arch.

> 1. NOCRYPT is almost completely untested, and in the past it has
> often broken (for example, there was a recent release where it
> was impossible to pkg_add without the cryptographic libraries.)
You obviously mean "untested by running", since "testing by
compiling" is done every time you build a snapshot.

> 2. NOCRYPT has outlived its original purpose.  The separation of
> cryptographic code from non-cryptographic code is a result of
> "munitions" export restrictions in the US which were changed a
> long time ago.
> 3. NOCRYPT causes major headaches.  With the Kerberos options
> removed (or rather, Kerberos 4 removed and Kerberos 5 made
> mandatory) this is the only remaining option which can result
> in certain files from the FreeBSD world existing in multiple
> entirely different forms.  Most obviously, this complicates
> release-building; it also adds significant complications to
> FreeBSD Update.
I think it's in a pretty normal form now, though I agree this
complicates things, but that's the price for flexibility.

>   If anyone has a really good reason for keeping the NOCRYPT
> option, please let me know.  In particular, I'd like to hear
> from anyone who is actually running a NOCRYPT world.
My first and only argument is that it is extremely useful for
embedded environments, where space is an issue, and crypto code
occupies a lot of space.  Perhaps also there are still some legal
issues in some countries, but I'm not sure, and will let the
"security-aware persons" comment on this.  Mark?

