upgrades no longer allow ftp for sets

upgrades no longer allow ftp for sets

LeviaComm Networks NOC
Since the 23 March snapshot I've no longer been able to get the sets via
ftp during upgrade, is this intentional or is this an error on my end?
This worked on the snapshot from 19 March and earlier using the
amd64-snapshot bsd.rd indirectly from ftp3.usa.openbsd.org (Local ftp
mirror with rsync daily pull from ftp3).

Re: upgrades no longer allow ftp for sets

Shawn K. Quinn-2
On Tue, Mar 25, 2014, at 06:58 PM, [hidden email] wrote:
> Since the 23 March snapshot I've no longer been able to get the sets via
> ftp during upgrade, is this intentional or is this an error on my end?
> This worked on the snapshot from 19 March and earlier using the
> amd64-snapshot bsd.rd indirectly from ftp3.usa.openbsd.org (Local ftp
> mirror with rsync daily pull from ftp3).
 
I would guess it's intentional as there's no real reason to pick FTP
over HTTP anymore.

--
  Shawn K. Quinn
  [hidden email]

Re: upgrades no longer allow ftp for sets

Theo de Raadt
In reply to this post by LeviaComm Networks NOC
>Since the 23 March snapshot I've no longer been able to get the sets via
>ftp during upgrade, is this intentional or is this an error on my end?
>This worked on the snapshot from 19 March and earlier using the
>amd64-snapshot bsd.rd indirectly from ftp3.usa.openbsd.org (Local ftp
>mirror with rsync daily pull from ftp3).

The 5.5 release will support FTP releases, but after that we are
disabling FTP and thus pushing people to use HTTP installs.

In this day and age, it is somewhat irresponsible for us to put
people into a situation where they might install new FTP servers on
the internet.  We've known it is a dangerous protocol for over 20
years.  Use a HTTP server to serve the sets, please.

Re: upgrades no longer allow ftp for sets

LeviaComm Networks NOC
In reply to this post by LeviaComm Networks NOC
Thanks and I understand the reasoning.  The current ftp server won't be
able to do http and use of siteXX files prevents using an external
source.  Will nfs be supported or am I going to need more hardware?

  -------- Original Message --------
  Subject: Re: upgrades no longer allow ftp for sets
  From: Theo de Raadt <[hidden email]>
  Date: Tue, March 25, 2014 5:34 pm
  To: [hidden email], [hidden email]

  >Since the 23 March snapshot I've no longer been able to get the sets via
  >ftp during upgrade, is this intentional or is this an error on my end?
  >This worked on the snapshot from 19 March and earlier using the
  >amd64-snapshot bsd.rd indirectly from ftp3.usa.openbsd.org (Local ftp
  >mirror with rsync daily pull from ftp3).

  The 5.5 release will support FTP releases, but after that we are
  disabling FTP and thus pushing people to use HTTP installs.

  In this day and age, it is somewhat irresponsible for us to put
  people into a situation where they might install new FTP servers on
  the internet. We've known it is a dangerous protocol for over 20
  years. Use a HTTP server to serve the sets, please.

Re: upgrades no longer allow ftp for sets

Shawn K. Quinn-2
On Tue, Mar 25, 2014, at 08:10 PM, [hidden email] wrote:
> Thanks and I understand the reasoning.  The current ftp server won't be
> able to do http and use of siteXX files prevents using an external
> source.  Will nfs be supported or am I going to need more hardware?

What is preventing you from using, say, a USB thumb drive as the install
media? Also note you can install from multiple sources (http for
everything else, then a local disk for the siteXX files).

--
  Shawn K. Quinn
  [hidden email]

Re: upgrades no longer allow ftp for sets

Theo de Raadt
In reply to this post by LeviaComm Networks NOC
> On Tue, Mar 25, 2014, at 08:10 PM, [hidden email] wrote:
> > Thanks and I understand the reasoning.  The current ftp server won't be
> > able to do http and use of siteXX files prevents using an external
> > source.  Will nfs be supported or am I going to need more hardware?
>
> What is preventing you from using, say, a USB thumb drive as the install
> media? Also note you can install from multiple sources (http for
> everything else, then a local disk for the siteXX files).

I also have some large concerns about how the siteXX files interact
with the new signing mechanism.

Obviously, they are not signed.  But furthermore, it is inconvenient
how they affect the install code, by following the same path.  I would
like to see this improve, but don't think anyone has a clear idea yet.
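
Added example, not part of Theo de Raadt's post or of the OpenBSD installer: an audit that checks the sets in a directory against a BSD-style SHA256 digest list and reports files, such as a siteXX set, that the list does not cover. It assumes the digest list has already been verified separately; the file names and contents in `demo()` are constructed sample data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# BSD-style digest line, e.g.  SHA256 (base55.tgz) = <64 hex chars>
DIGEST_LINE = re.compile(r"^SHA256 \(([^)/]+)\) = ([0-9a-f]{64})$")

def parse_manifest(text):
    """Return {filename: hex digest} for every well-formed line."""
    digests = {}
    for line in text.splitlines():
        match = DIGEST_LINE.match(line.strip())
        if match:
            digests[match.group(1)] = match.group(2)
    return digests

def audit_sets(directory, manifest_text):
    """Sort each *.tgz into ok / mismatch / unlisted; note listed files that are absent."""
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "unlisted": [], "missing": []}
    present = set()
    for path in sorted(Path(directory).glob("*.tgz")):
        present.add(path.name)
        if path.name not in expected:
            report["unlisted"].append(path.name)  # no digest: integrity unknown
            continue
        actual = hashlib.sha256(path.read_bytes()).hexdigest()
        key = "ok" if actual == expected[path.name] else "mismatch"
        report[key].append(path.name)
    report["missing"] = sorted(set(expected) - present)
    return report

def demo():
    """Constructed sample: three files on disk, a manifest listing three names."""
    on_disk = {"base55.tgz": b"base", "comp55.tgz": b"altered", "site55.tgz": b"local"}
    listed = {"base55.tgz": b"base", "comp55.tgz": b"comp", "man55.tgz": b"man"}
    manifest = "\n".join(
        f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}"
        for name, data in listed.items()
    )
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in on_disk.items():
            Path(tmp, name).write_bytes(data)
        return audit_sets(tmp, manifest)

if __name__ == "__main__":
    print(demo())
```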

Re: upgrades no longer allow ftp for sets

LeviaComm Networks NOC
In reply to this post by LeviaComm Networks NOC
I am upgrading hundreds of boxes a day with only serial access to
them.  Installing from an external source would bring any server I use
to its knees (I end up using 4-5 Gbps of bandwidth during upgrades).

I assume packages will still be able to be grabbed over ftp, although I
suspect I should be planning for that to go away too at some point.


-------- Original Message --------
Subject: Re: upgrades no longer allow ftp for sets
From: "Shawn K. Quinn" <[hidden email]>
Date: Tue, March 25, 2014 6:38 pm
To: [hidden email]

On Tue, Mar 25, 2014, at 08:10 PM, [hidden email] wrote:
> Thanks and I understand the reasoning. The current ftp server won't be
> able to do http and use of siteXX files prevents using an external
> source. Will nfs be supported or am I going to need more hardware?

What is preventing you from using, say, a USB thumb drive as the install
media? Also note you can install from multiple sources (http for
everything else, then a local disk for the siteXX files).

--
 Shawn K. Quinn
 [hidden email]

Re: upgrades no longer allow ftp for sets

Adriaan Misc
In reply to this post by LeviaComm Networks NOC
On Wed, Mar 26, 2014 at 2:10 AM, <[hidden email]> wrote:

> Thanks and I understand the reasoning.  The current ftp server won't be
> able to do http and use of siteXX files prevents using an external
> source.  Will nfs be supported or am I going to need more hardware?
>

For more than 7 years, I have been using installation file sets as well as
siteXX files on USB thumbdrives for installing and testing snapshots. So
you don't need a lot of extra hardware at all.

Adriaan

Re: upgrades no longer allow ftp for sets

Theo de Raadt
In reply to this post by LeviaComm Networks NOC
> > Thanks and I understand the reasoning.  The current ftp server won't be
> > able to do http and use of siteXX files prevents using an external
> > source.  Will nfs be supported or am I going to need more hardware?
> >
>
> For more than 7 years, I have been using installation file sets as well as
> siteXX files on  USB thumbdrives for installing and testing snapshots. So
> you don't need a lot of extra hardware at all.

Another reason for doing this is so that in the future we can "gut" the
fetching program to not have the totally enormous FTP code path.

Re: upgrades no longer allow ftp for sets

Theo de Raadt
In reply to this post by LeviaComm Networks NOC
Whatever you're doing, it is wrong.

You think you cannot properly filter HTTP.

But you can properly filter FTP.

Riiiiiiiiight.  Suuuuuuuure.  Keep believing that.

> I am upgrading hundreds of boxes a day with only serial access to
> them.  Installing from an external source would bring any server I use
> to its knees (I end up using 4-5 Gbps of bandwidth during upgrades).
>
> I assume packages will still be able to be grabbed over ftp, although I
> suspect I should be planning for that to go away too at some point.
>
>
> -------- Original Message --------
> Subject: Re: upgrades no longer allow ftp for sets
> From: "Shawn K. Quinn" <[hidden email]>
> Date: Tue, March 25, 2014 6:38 pm
> To: [hidden email]
>
> On Tue, Mar 25, 2014, at 08:10 PM, [hidden email] wrote:
> > Thanks and I understand the reasoning. The current ftp server won't be
> > able to do http and use of siteXX files prevents using an external
> > source. Will nfs be supported or am I going to need more hardware?
>
> What is preventing you from using, say, a USB thumb drive as the install
> media? Also note you can install from multiple sources (http for
> everything else, then a local disk for the siteXX files).
>
> --
>  Shawn K. Quinn
>  [hidden email]

Re: upgrades no longer allow ftp for sets

Ted Unangst-6
In reply to this post by LeviaComm Networks NOC
On Tue, Mar 25, 2014 at 18:10, [hidden email] wrote:
> Thanks and I understand the reasoning.  The current ftp server won't be
> able to do http and use of siteXX files prevents using an external
> source.  Will nfs be supported or am I going to need more hardware?

nfs is supported, though finding a way to install an http server on
your ftp server is still the better option.

Re: upgrades no longer allow ftp for sets

Peter Hessler
In reply to this post by Shawn K. Quinn-2
On 2014 Mar 25 (Tue) at 20:38:08 -0500 (-0500), Shawn K. Quinn wrote:
:On Tue, Mar 25, 2014, at 08:10 PM, [hidden email] wrote:
:> Thanks and I understand the reasoning.  The current ftp server won't be
:> able to do http and use of siteXX files prevents using an external
:> source.  Will nfs be supported or am I going to need more hardware?
:
:What is preventing you from using, say, a USB thumb drive as the install
:media? Also note you can install from multiple sources (http for
:everything else, then a local disk for the siteXX files).
:

"I am upgrading hundreds of boxes a day"

That is an *excellent* reason to not use usb thumb drives.  Want another
reason?  "Remote machines with serial console"


--
Rudin's Law:
        If there is a wrong way to do something, most people will do it
every time.

Re: upgrades no longer allow ftp for sets

Marc Espie-2
In reply to this post by Shawn K. Quinn-2
One other reason is that our ftp *client* is a pile of crud.

Almost anyone who approaches it runs away screaming (or becomes berserk,
grabs an axe, and starts cutting madly at the rest of the tree)

Re: upgrades no longer allow ftp for sets

Stuart Henderson
In reply to this post by LeviaComm Networks NOC
On 2014-03-26, <[hidden email]> <[hidden email]> wrote:
> I am upgrading hundreds of boxes a day with only serial access to
> them.  Installing from an external source would bring any server I use
> to its knees (I end up using 4-5 Gbps of bandwidth during upgrades).

Sounds like an excellent reason to set up a new infrastructure with
HTTP server and using the new autoinstall/autoupgrade functionality in
the installer.

> I assume packages will still be able to be grabbed over ftp, although I
> suspect I should be planning for that to go away too at some point.

I don't know, but I wouldn't want to use ftp to update packages anyway,
it goes so much faster over HTTP.

Re: upgrades no longer allow ftp for sets

Giancarlo Razzolini-3
In reply to this post by LeviaComm Networks NOC
On 25-03-2014 23:27, [hidden email] wrote:

> I am upgrading hundreds of boxes a day with only serial access to
> them.  Installing from an external source would bring any server I use
> to its knees (I end up using 4-5 Gbps of bandwidth during upgrades).
>
> I assume packages will still be able to be grabbed over ftp, although I
> suspect I should be planning for that to go away too at some point.
>
>
> -------- Original Message --------
> Subject: Re: upgrades no longer allow ftp for sets
> From: "Shawn K. Quinn" <[hidden email]>
> Date: Tue, March 25, 2014 6:38 pm
> To: [hidden email]
>
> On Tue, Mar 25, 2014, at 08:10 PM, [hidden email] wrote:
>> Thanks and I understand the reasoning. The current ftp server won't be
>> able to do http and use of siteXX files prevents using an external
>> source. Will nfs be supported or am I going to need more hardware?
> What is preventing you from using, say, a USB thumb drive as the install
> media? Also note you can install from multiple sources (http for
> everything else, then a local disk for the siteXX files).
>
Why don't you create your own internal mirror? Or your own external
mirror if you have the bandwidth/server available? I did have a complete
mirror for internal installs with siteXX and I didn't use ftp. Please,
help us purge this protocol from the internet. If your siteXX has
sensible information you can use ssl with authentication.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC

Re: upgrades no longer allow ftp for sets

Nick Holland
In reply to this post by LeviaComm Networks NOC
On 03/25/14 21:09, [hidden email] wrote:
> Thanks and I understand the reasoning.  The current ftp server won't be
> able to do http and use of siteXX files prevents using an external
> source.  Will nfs be supported or am I going to need more hardware?

I'm not understanding something here, and I think most of the rest of us
are missing it, as well.

You can pick up hardware capable of serving http to all your machines
for upgrade off my curb today.  Really, it takes almost nothing to build
a very capable web server for static content.  Since you are probably
talking about only one or two platforms, a small SSD can hold all the
files and packages, put into a seven year old computer with SATA
interface, and ta-da, you got a $100 (or way less) http server that will
absolutely kick ***.

I find it unlikely your existing FTP server can't have a web server
added and pointed at the same directory your FTP is being served from
now, unless it is some bizarre little appliance thing, in which case,
you would really benefit from an upgrade, performance-wise.

So...is there a real problem in your environment that makes FTP more
desirable?  If so, I'm sure a lot of us would like to be educated on
this...or is it just a reluctance to change?

Nick.

Re: upgrades no longer allow ftp for sets

Craig Skinner-3
In reply to this post by Theo de Raadt
On 2014-03-25 Tue 18:34 PM |, Theo de Raadt wrote:
>
> The 5.5 release will support FTP releases, but after that we are
> disabling FTP and thus pushing people to use HTTP installs.
>
> In this day and age, it is somewhat irresponsible for us to put
> people into a situation where they might install new FTP servers on
> the internet.  We've known it is a dangerous protocol for over 20
> years.  Use a HTTP server to serve the sets, please.
>

Would these pages summarise it?

http://cr.yp.to/ftp/security.html
http://tools.ietf.org/html/rfc2577
http://en.wikipedia.org/wiki/File_Transfer_Protocol#Security
http://daniel.haxx.se/docs/ftp-vs-http.html

Re: upgrades no longer allow ftp for sets

Ted Unangst-6
In reply to this post by LeviaComm Networks NOC
On Wed, Mar 26, 2014 at 10:41, Marc Espie wrote:
> One other reason is that our ftp *client* is a pile of crud.
>
> Almost anyone who approaches it  runs away screaming (or becomes berserk,
> grabs an axe, and starts cutting madly at the rest of the tree)

I have seen no evidence of this ever happening.

Re: upgrades no longer allow ftp for sets

kwesterback
On 26 March 2014 13:46, Ted Unangst <[hidden email]> wrote:
> On Wed, Mar 26, 2014 at 10:41, Marc Espie wrote:
>> One other reason is that our ftp *client* is a pile of crud.
>>
>> Almost anyone who approaches it  runs away screaming (or becomes berserk,
>> grabs an axe, and starts cutting madly at the rest of the tree)
>
> I have seen no evidence of this ever happening.
>

The first thing and last thing axed is always the log. :-)

.... Ken

Re: upgrades no longer allow ftp for sets

Stuart Henderson
In reply to this post by Giancarlo Razzolini-3
On 2014-03-26, Giancarlo Razzolini <[hidden email]> wrote:
> If your siteXX has
> sensible information you can use ssl with authentication.

The installer doesn't include openssl.
