On Thu Sep 25, 2003 at 07:57:30PM -0400, Lyvim Xaphir wrote:

> > > > > Can't we dump wu-ftpd? I mean there are lots of more secure
> > > > > alternatives and this daemon still has regular exploits.
> > > >
> > > > wu-ftpd is only in contribs
> > > 
> > > Ok, that's in the right direction. Let's take it a step further. :)
> > > 
> > > I mean someone gets a 9.1 cd, installs wu-ftpd and forgets to run updates. You
> > > can predict that by the time 9.2 is released a working exploit has been found.
> > > 
> > > You can nearly be sure that any contrib cd will contain a package that will
> > > result in remote root exploits if you install them a half year after the release
> > > date.
> > > 
> > > You can't be sure about that for any other rpm.
> > > 
> > > I say let's dump wu-ftpd completely from the distro. I don't want to make it too
> > > easy for users to shoot themselves in the foot.
> > 
> > Heck, I'm all for it and agree with all your reasons.  But the example is a
> > touch out... wu-ftpd hasn't been in main since 8.2 (last version it shipped
> > in main).
> > 
> > Hey, while we're at it, can we throw sendmail in contribs?  =)
> > 
> > (Serious about killing wu-ftpd altogether, semi-serious about sendmail)
> 
> I think that both are super excellent ideas; pure-ftp should definitely
> be the default, for many reasons, but if only because of its infinitely
> better security.  For the opposite reason of insecurity I also agree
> with you on sendmail; it should be a go getter.

I don't mind pure-ftpd being default, although if we want secure, I still
maintain that vsftpd is what we want.  Can't beat it for security.  Of
course, it's a little spartan on the feature side as well.

Of course, I still don't get why we're jumping all over proftpd.  It isn't
really *that* insecure.  As I pointed out to Han regarding wu-ftpd, proftpd
is in a similar boat.  There is this hole, which should be available in
updates RSN, but the last one was in Jan 2002... over a year and a half ago.
Again, comparing to sendmail, this sucker is pretty secure.  Heck, compare
it to openssh!  How many updates for openssh have there been in the same
timespan?

We can't just throw stuff out the window because it has a hole today and has
had one over a year or two years ago.  That's just silly.  Why aren't we
jumping up and down about ditching php?  Or apache?  Or cups?  Or XFree86?
Or bind?  Or openldap?  The list goes on.  All of those have been updated
within the last 1-2 years as well, some many many times.

Personally, if pure-ftpd can't authenticate against LDAP (like proftpd can),
I'm not overly interested.  =)  proftpd may have some issues periodically,
but you can't beat it for configurability.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
