Date: Tue, 27 Apr 2004 19:54:36 +0200
From: Marius Strobl
To: Colin Percival
cc: freebsd-current@freebsd.org
Subject: Re: Removing NOCRYPT
Message-ID: <20040427195436.D11722@newtrinity.zeist.de>
References: <6.1.0.6.1.20040427094029.03d3d218@popserver.sfu.ca>
In-Reply-To: <6.1.0.6.1.20040427094029.03d3d218@popserver.sfu.ca>; from colin.percival@wadham.ox.ac.uk on Tue, Apr 27, 2004 at 10:08:30AM +0100
List-Id: Discussions about the use of FreeBSD-current

On Tue, Apr 27, 2004 at 10:08:30AM +0100, Colin Percival wrote:
> I would like to remove the NOCRYPT option from FreeBSD before
> 5.3-RELEASE. There are a number of good reasons for doing this:
>
> 1. NOCRYPT is almost completely untested, and in the past it has
> often broken (for example, there was a recent release where it
> was impossible to pkg_add without the cryptographic libraries.)
>
> 2. NOCRYPT has outlived its original purpose. The separation of
> cryptographic code from non-cryptographic code is a result of
> "munitions" export restrictions in the US which were changed a
> long time ago.
>
> 3. NOCRYPT causes major headaches. With the Kerberos options
> removed (or rather, Kerberos 4 removed and Kerberos 5 made
> mandatory) this is the only remaining option which can result
> in certain files from the FreeBSD world existing in multiple
> entirely different forms. Most obviously, this complicates

For telnet(1) and telnetd(8) you currently can have three different
versions:

kerberized telnet - default build
"secure" telnet - built when only NO_KERBEROS is defined
"unsecure" telnet - built when NOCRYPT or NO_OPENSSL is defined

NO_OPENSSL is a subset of NOCRYPT, the difference over NO_OPENSSL is
that libcrypt doesn't include DES and Blowfish and some crypto LKMs
don't get built when NOCRYPT is defined.
So one can argue if either NO_OPENSSL or NOCRYPT can be removed (I'd
vote for NOCRYPT to be removed) but that most likely won't solve your
problem that certain files can exist in different forms.

> release-building; it also adds significant complications to
> FreeBSD Update.
>
> If anyone has a really good reason for keeping the NOCRYPT
> option, please let me know. In particular, I'd like to hear
> from anyone who is actually running a NOCRYPT world.
>

FYI, I use world built with NO_OPENSSL on most machines so I catch
most of the world problems that would also affect NOCRYPT.