Deprecating base system ftpd?

Cy Schubert Cy.Schubert at cschubert.com
Mon Apr 5 14:45:06 UTC 2021 

In message <CAPyFy2AbP2X339zbemZ9Y8edjNKdyygnR9mH48Q78nxwDtOBAg at mail.gmail.c
om>
, Ed Maste writes:
> I propose deprecating the ftpd currently included in the base system
> before FreeBSD 14, and opened review D26447
> (https://reviews.freebsd.org/D26447) to add a notice to the man page.
> I had originally planned to try to do this before 13.0, but it dropped
> off my list. FTP is not nearly as relevant now as it once was, and it
> had a security vulnerability that secteam had to address.

I think this is an excellent start. My shopping list includes:

- remove ftp(1)
- remove ftpd(8)
- remove telnet(1)
- remove telnetd(8)
- remove ftp:// and http:// from libfetch. This is 2021 and we should all 
use https://.
- replace DNS lookups with DoH and/or DoT. Why let your ISP see your DNS 
traffic?

>
> I'm happy to make a port for it if anyone needs it. Comments?

I've started working on splitting ftp and ftpd into an external git repo. 
The problem I've encountered is that though only ftp and ftpd are left the 
resultant repo is still 1.2 GB. If my last attempt fails, there is a choice 
between a 1.2 GB repo and burning ftp forever then the choice is clear: 
burn it forever.

Adding the following as an option:

Also note that the tnftp ports are the NetBSD ftp and ftpd. The FreeBSD ftp 
and ftpd are simply copies of tnftp and tnfpd. Would it make more sense to 
share our customizations with NetBSD and we simply reply on NetBSD for the 
client and server in our ports? This last option might be simpler than 
creating a port.

Personally, I'd suggest we remove the ftpd server *AND* ftp client and rely 
on ports. Having worked on UNIX, Internet security, and firewalls over the 
last 3/5 of my almost 50 year career, I have lamented the existence of the 
FTP protocol back in 1995 and I hate the FTP protocol with greater a 
passion today. Let's simply remove all vestiges of FTP from the base 
system, including libfetch, sooner than later. We don't need it now that we 
have HTTPS and POST; and sftp.

I think we should make it our goal to remove any and all unencrypted 
protocols from FreeBSD by 2025.


-- 
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX:  <cy at FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy at nwtime.org>    Web:  https://nwtime.org

	The need of the many outweighs the greed of the few.

More information about the freebsd-stable mailing list