From owner-freebsd-arch Tue Jul 17 10:36:10 2001 Delivered-To: freebsd-arch@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-62.dsl.lsan03.pacbell.net [63.207.60.62]) by hub.freebsd.org (Postfix) with ESMTP id BB6A937B403; Tue, 17 Jul 2001 10:36:06 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id BA72C6769D; Tue, 17 Jul 2001 10:36:05 -0700 (PDT) Date: Tue, 17 Jul 2001 10:36:05 -0700 From: Kris Kennaway To: Mike Heffner Cc: arch@FreeBSD.ORG, obrien@FreeBSD.ORG Subject: Re: Importing lukemftpd Message-ID: <20010717103604.B79329@xor.obsecurity.org> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ADZbWkCsHQ7r3kzd" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from mheffner@novacoxmail.com on Mon, Jul 16, 2001 at 09:24:54PM -0400 Sender: owner-freebsd-arch@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --ADZbWkCsHQ7r3kzd Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jul 16, 2001 at 09:24:54PM -0400, Mike Heffner wrote: > Hi, >=20 > I would like to import Luke Mewburn's ftpd from NetBSD as the ftpd for Fr= eeBSD. > David had originally brought up the idea of importing it back in December= , but > it appears that he hasn't had the time, or other issues have come up. How= ever, > I would like to bring up the discussion again as I think it's a needed > improvement--NetBSD's ftpd is better maintained and has better standards > compliance. This has been discussed extensively over on -audit in the past. Basically, I have concerns as security officer about replacing an ftpd which has a good security track record with one which contains large amounts of unaudited code, and has had several security problems. The FreeBSD ftpd is used on far too many installed systems out there to risk introducing new root vulnerabilities, no matter how good the lukemftpd code is or how small that risk. There are also problems with missing features as you note. The last time this came up I offered the compromise solution of importing it into FreeBSD to work on feature parity and to give auditors a known base to work from, but it is not to become the default ftpd until I've signed off on it. We now have funding to perform in-depth auditing work on FreeBSD, so I think this would be achieved in a reasonable timeframe (probably by 5.0-RELEASE). Kris --ADZbWkCsHQ7r3kzd Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7VHeEWry0BWjoQKURAjLiAKDIIgQXiX/dfrv3GSd5nBBDWUFdDQCfY93T CDXNfnrb+FIeOixNK02XC54= =guQV -----END PGP SIGNATURE----- --ADZbWkCsHQ7r3kzd-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message