Bug 257767 - Mk/bsd.sites.mk: Disable ftp protocol for fetch MASTER_SITES
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Ports Framework
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Port Management Team
Keywords: needs-patch
Reported: 2021-08-11 12:07 UTC by Loic
Modified: 2021-09-05 16:51 UTC

Attachments
Step one - FTP to HTTP (33.69 KB, patch)
2021-08-12 07:02 UTC, Loic
bsd.port.mk (423 bytes, patch)
2021-08-12 07:15 UTC, Loic

Description Loic 2021-08-11 12:07:18 UTC
Hello everyone,

The ftp protocol is no longer supported in Firefox, Chrome & Co., which makes it not user-friendly to verify links in the ports.
Finally the ftp protocol is not secure (not encrypted, which exposes it to interceptions or attacks), and does not have any good maintenance in the source code.

To this end, I think it would be nice to be able to no longer support the ftp protocol in the ports or at least to add an option to dynamically convert an ftp MASTER_SITES url to http/https for fetch because most of the repositories used in the "MASTER_SITES" also support http and https.
In fact, it is rare to have an ftp only repository.

Thanks.

Loic
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2021-08-12 02:14:56 UTC
Thank you for the report and proposal, Loic. If you can manage it, a patch against at least Mk/bsd.sites.mk would be great to review.
Comment 2 Loic 2021-08-12 07:02:26 UTC
Created attachment 227126
Step one - FTP to HTTP
Comment 3 Loic 2021-08-12 07:05:31 UTC
Thank you for your answer. Here is a patch, I propose to replace the FTP protocol by HTTP and then see which URLs we can switch to HTTPS.

Thanks.

Loic
Comment 4 Loic 2021-08-12 07:15:38 UTC
Created attachment 227127
bsd.port.mk
Comment 5 Alexey Dokuchaev freebsd_committer 2021-08-12 08:15:54 UTC
(In reply to Loic from comment #0)
> The FTP protocol is no longer supported in Firefox, Chrome & Co. which makes
> it not user-friendly to verify links in the ports.
One does not verify distfiles' links with the browser, there are more suitable tools for that purpose, from fetch(1) or wget(1) to `ports-mgmt/distilator'.

> Finally, the FTP protocol is not secure (not encrypted, which exposes it to
> interceptions or attacks)
It does not have to be secure for the purpose of distributing distfiles, their authenticity is ensured by SHA256 hashes which are checked on the receiving end.

> and does not have any good maintenance in the source code.
This is simply not true, there are plenty of FTP servers which are actively maintained as of today.  FTP is old and cumbersome, but still has its users, see
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256840#c4 for example.

> To this end, I think it would be nice to be able to no longer support the FTP
> protocol in the ports
How exactly is removing a feature, even a not very popular one, *nice* to the users of the Ports Collection?
Comment 6 Daniel Engberg freebsd_committer 2021-08-12 09:30:39 UTC
While I understand the intent, I don't think it's a good idea because it isn't deprecated and there are some edge cases where there are few mirrors to begin with and some are ftp only.

As for security, it's been discussed before and SHA256 provides satisfactory security. It's not like HTTP is any better than FTP in that regard anyway.

What I think would be a good idea, however, is to clean up Mk/bsd.sites.mk in some similar fashion to https://reviews.freebsd.org/D25005

The only change that may need some discussion is to move main sites from primary source to last resort, as I think that would be good conduct and many projects actually ask you to use mirrors for offloading. Worth noting is that mirrors are in many cases faster than primary site(s).
Comment 7 Loic 2021-08-12 09:54:02 UTC
(In reply to Alexey Dokuchaev from comment #5)

> One does not verify distfiles' links with the browser

This is not written in the documentation and only makes sense if you check many URLs.

> It does not have to be secure for the purpose of distributing distfiles, 
> their authenticity is ensured by SHA256 hashes which are checked on the receiving end.

Except that the user will have opened an insecure ftp connection as root that the attacker can exploit to gain access to the system.
The problem does not come from the download file itself.

> This is simply not true, there are plenty of FTP servers which are actively 
> maintained as of today.

Some ports may be, but this is not the case for the base:
In the commit 674400eb20b65369a88b1cb778d729bc297832c9 very recent (Tue Jul 27 12:14:00 2021 -0600) the comment is "Delete code killed by SVN r13139 in 1996.  Little chance that it would still compile today". This shows how little interest there is at the moment.

For /usr.bin/ftp the last commit a598c4b809a73772d7452991213407cdac302156 is from 2017.

> How exactly is removing a feature, even a not very popular one, *nice* to the users of the Ports Collection?

This simplified the firewall rules and increased security for the system administrator using Poudière.
For the user, the goal is to eventually achieve HTTPS to complicate MITM attacks while using the ports.
Comment 8 Loic 2021-08-12 10:00:27 UTC
> This simplified the firewall rules and increased security for the system administrator using Poudière

sed "s/Poudière/Poudriere/"
Comment 9 Daniel Engberg freebsd_committer 2021-08-12 10:28:48 UTC
(In reply to Loic from comment #7)

fetch/libfetch is used for downloads and my proposal here https://reviews.freebsd.org/D25005#551019 would more or less fix your concerns unless there's a lot of breakage going on.

Passive ftp mode, which is the default, works without any "ftp specific" firewall configuration (except for having relevant ports not blocked).
Comment 10 Loic 2021-08-12 12:23:12 UTC
(In reply to Daniel Engberg from comment #9)

> fetch/libfetch is used for downloads and my proposal here

Ditto, the last commit 76f106831361817c4f333e82e901bf60bf551351 is from 2018.

> https://reviews.freebsd.org/D25005#551019 would more or less fix your concerns unless there's a lot of breakage going on.

Except that here you have enough mirrors to keep only the HTTPS protocol and not have any problem with "RANDOMIZE_MASTER_SITES". On the other hand it's clean :)

At the very least, I think it would be nice to have a comment in "Mk/bsd.sites.mk" like:

# Please, prefer HTTPS protocol, otherwise HTTP and finally FTP only if you have no other mirror.