Hi, I'm a bit late to the discussion.

On Mon, Apr 05, 2021 at 07:44:59AM -0700, Cy Schubert wrote:

> I think this is an excellent start. My shopping list includes:
>
> - remove ftp(1)
> - remove ftpd(8)
> - remove telnet(1)
> - remove telnetd(8)
> - remove ftp:// and http:// from libfetch. This is 2021 and we should all use https://.
> - replace DNS lookups with DoH and/or DoT. Why let your ISP see your DNS traffic?

Very firmly against this, and this sort of thing, for the following reasons:

1. I want an OS, not a kernel. If I just want a kernel, then why not go with Linux? FreeBSD is meant to be, I think, (generally) a server OS. So, would you agree that it needs the ability to have server protocols easily configured, with a minimum of fuss, without packages?

2. A lot of infrastructure depends on ftpd. It's easy to configure ftpd securely in base.

3. There are some networks, like internal ones, where encryption is not a requirement, or appropriate.

4. There are some places where encryption is in fact illegal.

> Personally, I'd suggest we remove the ftpd server *AND* ftp client and rely on ports. Having worked on UNIX, Internet security, and firewalls over the last 3/5 of my almost 50 year career, I have lamented the existence of the FTP protocol back in 1995 and I hate the FTP protocol with a greater passion today. Let's simply remove all vestiges of FTP from the base system, including libfetch, sooner than later. We don't need it now that we have HTTPS and POST; and sftp.

5. Some services commonly don't use https. Lots of internet radio stations don't. If https is enforced then the user will have to jump through more hoops than they already do in order to, in this case, listen to internet radio. Or face a loss of functionality.

6. Not everywhere will have constant internet access. Not everyone will want to use pkgs or have space for the ports tree.

> I think we should make it our goal to remove any and all unencrypted protocols from FreeBSD by 2025.

I think you should carefully think of the consequences of removing functionality in the default install. It will make it less useful, not more.

--
J.
On Wed, Apr 7, 2021 at 6:18 AM tech-lists <tech-lists at zyxst.net> wrote:
>
> Hi, I'm a bit late to the discussion.
>
> On Mon, Apr 05, 2021 at 07:44:59AM -0700, Cy Schubert wrote:
>
> > I think this is an excellent start. My shopping list includes:
> >
> > - remove ftp(1)
> > - remove ftpd(8)
> > - remove telnet(1)
> > - remove telnetd(8)
> > - remove ftp:// and http:// from libfetch. This is 2021 and we should all use https://.
> > - replace DNS lookups with DoH and/or DoT. Why let your ISP see your DNS traffic?
>
> Very firmly against this, and this sort of thing, for the following reasons:
>
> 1. I want an OS, not a kernel. If I just want a kernel, then why not go with Linux? FreeBSD is meant to be, I think, (generally) a server OS. So, would you agree that it needs the ability to have server protocols easily configured, with a minimum of fuss, without packages?
>
> 2. A lot of infrastructure depends on ftpd. It's easy to configure ftpd securely in base.
>
> 3. There are some networks, like internal ones, where encryption is not a requirement, or appropriate.
>
> 4. There are some places where encryption is in fact illegal.
>
> > Personally, I'd suggest we remove the ftpd server *AND* ftp client and rely on ports. Having worked on UNIX, Internet security, and firewalls over the last 3/5 of my almost 50 year career, I have lamented the existence of the FTP protocol back in 1995 and I hate the FTP protocol with a greater passion today. Let's simply remove all vestiges of FTP from the base system, including libfetch, sooner than later. We don't need it now that we have HTTPS and POST; and sftp.
>
> 5. Some services commonly don't use https. Lots of internet radio stations don't. If https is enforced then the user will have to jump through more hoops than they already do in order to, in this case, listen to internet radio. Or face a loss of functionality.
>
> 6. Not everywhere will have constant internet access. Not everyone will want to use pkgs or have space for the ports tree.
>
> > I think we should make it our goal to remove any and all unencrypted protocols from FreeBSD by 2025.
>
> I think you should carefully think of the consequences of removing functionality in the default install. It will make it less useful, not more.
> --
> J.

To amplify this a bit: Those who are all about secure protocols (and I'm one of them) should realize that public cryptography (not just public key, but public use of cryptographic protocols in general) is not a solved problem. In particular, multi-party key management in an open Internet is problematic. Open or plain text protocols do have a place.

Kurt
I think folks have different definitions of what an operating system should be.

An Operating System (OS) is an interface between a computer user and computer hardware. An operating system is software which performs all the basic tasks like file management, memory management, process management, handling input and output, and controlling peripheral devices such as disk drives and printers.

If you add or take away from the above definition, then there is your misunderstanding.

Best Regards,
Vic Thacker

On Wed, Apr 7, 2021, at 21:17, tech-lists wrote:
> Hi, I'm a bit late to the discussion.
>
> On Mon, Apr 05, 2021 at 07:44:59AM -0700, Cy Schubert wrote:
>
> > I think this is an excellent start. My shopping list includes:
> >
> > - remove ftp(1)
> > - remove ftpd(8)
> > - remove telnet(1)
> > - remove telnetd(8)
> > - remove ftp:// and http:// from libfetch. This is 2021 and we should all use https://.
> > - replace DNS lookups with DoH and/or DoT. Why let your ISP see your DNS traffic?
>
> Very firmly against this, and this sort of thing, for the following reasons:
>
> 1. I want an OS, not a kernel. If I just want a kernel, then why not go with Linux? FreeBSD is meant to be, I think, (generally) a server OS. So, would you agree that it needs the ability to have server protocols easily configured, with a minimum of fuss, without packages?
>
> 2. A lot of infrastructure depends on ftpd. It's easy to configure ftpd securely in base.
>
> 3. There are some networks, like internal ones, where encryption is not a requirement, or appropriate.
>
> 4. There are some places where encryption is in fact illegal.
>
> > Personally, I'd suggest we remove the ftpd server *AND* ftp client and rely on ports. Having worked on UNIX, Internet security, and firewalls over the last 3/5 of my almost 50 year career, I have lamented the existence of the FTP protocol back in 1995 and I hate the FTP protocol with a greater passion today. Let's simply remove all vestiges of FTP from the base system, including libfetch, sooner than later. We don't need it now that we have HTTPS and POST; and sftp.
>
> 5. Some services commonly don't use https. Lots of internet radio stations don't. If https is enforced then the user will have to jump through more hoops than they already do in order to, in this case, listen to internet radio. Or face a loss of functionality.
>
> 6. Not everywhere will have constant internet access. Not everyone will want to use pkgs or have space for the ports tree.
>
> > I think we should make it our goal to remove any and all unencrypted protocols from FreeBSD by 2025.
>
> I think you should carefully think of the consequences of removing functionality in the default install. It will make it less useful, not more.
> --
> J.