Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail From: Marco Moock Newsgroups: news.admin.hierarchies,news.software.nntp Subject: Re: ISC will likely be shutting down FTP access to ftp.isc.org soon (https will remain) Date: Fri, 27 Sep 2024 17:25:47 +0200 Organization: A noiseless patient Spider Lines: 59 Message-ID: References: <1f19a554-8a81-ce8c-8ac6-7ab1e053a632@isc.org> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Injection-Date: Fri, 27 Sep 2024 17:25:48 +0200 (CEST) Injection-Info: dont-email.me; posting-host="24e1c1b174f260931f1c6d5c13122b6b"; logging-data="817368"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/BYmjcuywg61ZLtVrtL46V" Cancel-Lock: sha1:1YUB/lEiP9JizsxTmqYJyIm2TZs= Bytes: 3378 On 26.09.2024 um 22:17 Uhr Dan Mahoney wrote: > However, as ISC also offers support contracts for BIND and Kea, and > those customers have their own due diligence policies, we are often > subject to scrutiny and audits about how our network runs, and even > for a venerable URL > like ftp.isc.org, we get questions from auditors like "did you know > you have a public FTP server on your network! Why!?" Why is that a problem for your customers? FTP is unencrypted, but the stuff on the ftp server is public. I know that some people hate this protocol and want everybody to use HTTPS, but HTTPS has some vast disadvantages compared to FTP. > We also no longer live in the world where a copy of curl/wget that > supports modern ciphers is not available everywhere. ftp supports a standardized directory listing. HTTP doesn't. One big reason for not using HTTP. > Ergo, it seems to be a simple enough matter to tell people who fetch > those usenet control files via anonymous FTP to simply switch to > HTTPS. As a benefit, this also allows us to use the CDN provider we > already use for downloads.isc.org. Is there that much traffic that a CDN is needed? I like the distributed concept of the internet and I see a big disadvantage in sourcing that out to only a small amount of CDN operators. > We do not have a specific date yet (this depends on specific feedback > from the community), but on the order of a month or two sounds > reasonable. This will most likely break many usenet servers because I don't think every newsmaster will have a look at such stuff that often. > If any software, such as INN, ships with the "ftp" > protocol baked-in, this gives enough time for people to put out new > releases and docs that point at the change, or at least add the > change to their README's, and the like. Might be true, but be aware that most systems run on operating systems that don't always have the latest upstream packages. Systems like Debian have package versions that are sometimes older than 1 or 2 years with security backports. > If there are objections or considerations, please feel free to reply > here or contact me directly. I don't see a real reason to shut down the ftp server. If some of your customers don't like the FTP protocol, they don't need to use it. -- kind regards Marco Send spam to 1727381856muell@cartoonies.org