Date: Tue, 17 Jul 2001 10:36:05 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Mike Heffner <mheffner@vt.edu>
Cc: arch@FreeBSD.ORG, obrien@FreeBSD.ORG
Subject: Re: Importing lukemftpd
Message-ID: <20010717103604.B79329@xor.obsecurity.org>
In-Reply-To: <XFMail.20010716212454.mheffner@novacoxmail.com>; from mheffner@novacoxmail.com on Mon, Jul 16, 2001 at 09:24:54PM -0400
References: <XFMail.20010716212454.mheffner@novacoxmail.com>

On Mon, Jul 16, 2001 at 09:24:54PM -0400, Mike Heffner wrote:
> Hi,
>
> I would like to import Luke Mewburn's ftpd from NetBSD as the ftpd for FreeBSD.
> David had originally brought up the idea of importing it back in December, but
> it appears that he hasn't had the time, or other issues have come up. However,
> I would like to bring up the discussion again as I think it's a needed
> improvement--NetBSD's ftpd is better maintained and has better standards
> compliance.

This has been discussed extensively over on -audit in the past. Basically, I have concerns as security officer about replacing an ftpd which has a good security track record with one which contains large amounts of unaudited code, and has had several security problems. The FreeBSD ftpd is used on far too many installed systems out there to risk introducing new root vulnerabilities, no matter how good the lukemftpd code is or how small that risk. There are also problems with missing features as you note.

The last time this came up I offered the compromise solution of importing it into FreeBSD to work on feature parity and to give auditors a known base to work from, but it is not to become the default ftpd until I've signed off on it. We now have funding to perform in-depth auditing work on FreeBSD, so I think this would be achieved in a reasonable timeframe (probably by 5.0-RELEASE).

Kris