On Tue, Apr 27, 2004 at 10:08:30AM +0100, Colin Percival wrote:
> I would like to remove the NOCRYPT option from FreeBSD before
> 5.3-RELEASE. There are a number of good reasons for doing this:
>
> 1. NOCRYPT is almost completely untested, and in the past it has
> often broken (for example, there was a recent release where it
> was impossible to pkg_add without the cryptographic libraries.)
>
> 2. NOCRYPT has outlived its original purpose. The separation of
> cryptographic code from non-cryptographic code is a result of
> "munitions" export restrictions in the US which were changed a
> long time ago.
>
> 3. NOCRYPT causes major headaches. With the Kerberos options
> removed (or rather, Kerberos 4 removed and Kerberos 5 made
> mandatory) this is the only remaining option which can result
> in certain files from the FreeBSD world existing in multiple
> entirely different forms. Most obviously, this complicates

For telnet(1) and telnetd(8) you currently can have three different
versions:

kerberized telnet - default build
"secure" telnet - built when only NO_KERBEROS is defined
"unsecure" telnet - built when NOCRYPT or NO_OPENSSL is defined

NO_OPENSSL is a subset of NOCRYPT, the difference over NO_OPENSSL is
that libcrypt doesn't include DES and Blowfish and some crypto LKMs
don't get built when NOCRYPT is defined.

So one can argue if either NO_OPENSSL or NOCRYPT can be removed (I'd
vote for NOCRYPT to be removed) but that most likely won't solve your
problem that certain files can exist in different forms.

> release-building; it also adds significant complications to
> FreeBSD Update.
>
> If anyone has a really good reason for keeping the NOCRYPT
> option, please let me know. In particular, I'd like to hear
> from anyone who is actually running a NOCRYPT world.
>

FYI, I use world built with NO_OPENSSL on most machines so I catch
most of the world problems that would also affect NOCRYPT.

Received on Tue Apr 27 2004 - 08:54:44 UTC