rtools were deemed almost unused 15 years ago...
Bob Bishop
rb at gid.co.uk
Tue Jun 20 18:17:46 UTC 2017
> On 20 Jun 2017, at 18:17, Joel Dahl <joel at vnode.se> wrote:
>
> On Tue, Jun 20, 2017 at 03:59:54PM +0200, Michael Gmelin wrote:
>>
>>
>> On Tue, 20 Jun 2017 13:11:37 +0200
>> Baptiste Daroussin <bapt at FreeBSD.org> wrote:
>>
>>> On Tue, Jun 20, 2017 at 12:25:46PM +0200, Jeremie Le Hen wrote:
>>>> Hey folks,
>>>>
>>>> I remember when I was still barely out of my teenagehood, people
>>>> were mostly using ssh/scp while rtools (rsh, rlogin, ... for the
>>>> youngsters) were left in place as a courtesy for legacy production
>>>> systems still relying it on them.
>>>>
>>>> Fast forward to 2017 (so yes, 15 years later), stack-clash [1]
>>>> sorely reminds us that suid binaries are an attack surface. I don't
>>>> even need to mention that it's a healthy engineering practice to
>>>> remove unused code, both from a maintenance and security
>>>> perspective.
>>>>
>>>> Therefore, I hereby propose to remove rtools from the base system.
>>>> I acknowledge this will likely cause troubles for a handful of
>>>> people who are still relying on it for good or bad reasons. But the
>>>> flipside is that the attack surface of millions of FreeBSD
>>>> installed out there will be reduced.
>>>>
>>>> The proposed roadmap is:
>>>> - disable from the build on head and let it soak for one month
>>>> - remove rtools from the base.
>>>>
>>>> What do you guys think? Any preferred color for the bikeshed? :)
>>>>
>>>>
>>>>
>>>> [1] https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
>>>
>>> Yeah!
>>>
>>> Is telnetd part of your list?
>>
>> As long as the telnet(1) client stays in I'm all for it.
>
> +1. Please keep the telnet client. It's something I expect be part of the base
> system utilities. I use it all the time.
+1 What he said.
> --
> Joel
--
Bob Bishop
rb at gid.co.uk
More information about the freebsd-arch
mailing list