PROFTPD

Mike A. Harris mharris at redhat.com
Fri Oct 24 06:05:16 UTC 2003


On Thu, 23 Oct 2003, Res wrote:

>> I think the general thing we're trying to get across is that we
>> do not have the engineering resources to package and maintain 15
>> ftp daemons, SMTP daemons, web servers, imap daemons, etc. and
>> also audit them, track their security flaws and major bugs and
>> provide proper and timely updates when such flaws are found, and
>> provide the level of support for them that would be needed for
>> them to be in Fedora Core.  We just don't have 5000 engineers
>> here twiddling their thumbs looking for new applications with
>> major security flaws to fix and release updates for.
>
>ProFTPd has always had a good security track record, RH used to
>include it years ago (ok i think it was only on the contrib tho)

Red Hat did not create the packages in contrib, and did not 
include any of them in the distribution.  proftpd was on 
powertools 6.0, but I believe that was the only thing it was ever 
released on.

proftpd has definitely not always had a good security record.  It 
had a decent security record for a while, followed by a very poor 
one while it fell out of maintenance, then it picked up a bit 
again.  At the time we included vsftpd into the distro, proftpd 
had its fair share of security issues.  I remember because I 
used it on almost every ftp server I maintained at the time.  I 
must admit though, while I loved proftpd's feature set and 
configuration, vsftpd was a godsend security wise.

>when it also included the biggest security nightmare every ftp
>admin has 'wu-ftpd', they dropped proftpd but kept wu-ftpd, that
>just made absolutely no sense at all, I feel there is more to it

Simple, proftpd was never part of the distribution *EVER*, so
your premise that we dropped proftpd and kept wuftpd is based on
an invalid claim.  wu-ftpd was kept for a long time for 
historical reasons.  There are many systems running wu-ftpd out 
there which have their entire infrastructure configured around 
it.  To upgrade those systems, throw out wu-ftpd immediately and 
switch over to a new ftpd just wasn't something every customer 
out there would be willing or able to do without a migration 
period.  We never shipped anything other than wu-ftpd before, so 
we added vsftpd in 7.3 IIRC, then removed wu-ftpd recently in RHL 
9.

As I said above, proftpd was included on an ancient version of 
powertools more or less unsupported for one release, possibly on 
older powertools I no longer have also.  What used to be 
powertools in days gone by could be somewhat viewed as "Fedora 
Extras" or "Fedora Alternatives" in our current framework, and 
that would be the perfect place for proftpd to reside now.

>and RH won't say (at least publicly) why :)

Well, now you know.  ;o)  Feel free to create new conspiracy 
theories, they're fun to resolve with factual information.  ;o)


-- 
Mike A. Harris     ftp://people.redhat.com/mharris
OS Systems Engineer - XFree86 maintainer - Red Hat




