Deprecating ftpd in the FreeBSD base system?
Cy Schubert
Cy.Schubert at cschubert.com
Thu Sep 17 23:29:29 UTC 2020
In message <0ab6a75e6b821058a2b939447a8e499196ec2388.camel at freebsd.org>,
Ian Lepore writes:
> On Thu, 2020-09-17 at 12:49 -0700, John-Mark Gurney wrote:
> > Ian Lepore wrote this message on Thu, Sep 17, 2020 at 09:01 -0600:
> > > On Thu, 2020-09-17 at 18:43 +0400, Gleb Popov wrote:
> > > > On Thu, Sep 17, 2020 at 6:05 PM Cy Schubert <Cy.Schubert at cschubert.com> wrote:
> > > >
> > > > > I've been advocating removing FTP (and HTTP) from libfetch as well.
> > > > > People should be using HTTPS only.
> > > > >
> > > >
> > > > Isn't this a bit too much? I often find myself in need to download
> > > > something starting with "http://" or "ftp://" and use fetch for this.
> > >
> > > Indeed, we have products which rely on this ability in libfetch and we
> > > have to keep supporting them for many many years to come.
> > >
> > > I hate it when someone imperiously declares [For security reasons]
> > > "People should/shouldn't be using ______". You have no idea what the
> > > context is, and thus no ability to declare what should or shouldn't be
> > > used in that context. For example, two embedded systems talking to
> > > each other over a point to point link within a sealed device are not
> > > concerned about man in the middle attacks or other modern internet
> > > threats.
> >
> > And I really dislike when people want to make sure that their unique
> > case that less than a percent of people would ever hit blocks the
> > security improvements for the majority of people...
> >
> > I've given up on a number of security improvements in FreeBSD because
> > of this attitude...
> >
>
> Good. Because what you call "improvements" I would probably call
> "Imposing policy rather than providing tools."
We as developers, here, on the job, or elsewhere, apply policy all the time
when we make decisions regarding the software we write/maintain. When you
think of it, I don't have the time for _____ is also a policy decision.
My former manager's 80/20 rule, as much as I didn't like it at the time
(but now see the wisdom), was also a policy decision. A business decision.
>
> I don't complain about making defaults the safest choices available.
> I complain about removing options completely because they're unsafe in
> some circumstances according to some people.
--
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy at nwtime.org> Web: https://nwtime.org
The need of the many outweighs the greed of the few.
More information about the freebsd-current mailing list