turn off FTP uploads

Asked by Nico Schlömer on 2017-09-19

The FTP protocol has been declared insecure on numerous occasions. Kernel.org shut down FTP [1], Debian did the same [2], and recently Google declared that FTP connections will be marked insecure [3]. Still, FTP is the the number one protocol suggested for PPA uploads ("The easy way") [1]. I would hereby like to suggest updating the policy.

Cheers,
Nico

[1] https://www.kernel.org/shutting-down-ftp-services.html
[2] https://lists.debian.org/debian-announce/2017/msg00001.html
[3] https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/HknIAQwMoWo/xYyezYV5AAAJ
[4] https://help.launchpad.net/Packaging/PPA/Uploading

Question information

Language:
English Edit question
Status:
Solved
For:
Launchpad itself Edit question
Assignee:
No assignee Edit question
Solved by:
Colin Watson
Solved:
2017-09-19
Last query:
2017-09-19
Last reply:
2017-09-19
Best Colin Watson (cjwatson) said : #1

It's a bit overly-simplistic to frame this as a fundamental insecurity with the FTP protocol. Those service shutdown notices are all for FTP download services. FTP uploads are a somewhat different case, for two reasons:

 1) While it may not be reasonable to expect users to check signatures and thus there is a good argument for applying security at the transport layer, it is absolutely reasonable to expect developers to sign code, and all uploads are required to be signed. It doesn't matter that the transport layer is unauthenticated.
 2) Launchpad does support SFTP uploads, but that requires an extra piece of configuration (your Launchpad username), which as far as I know nobody has ever arranged for dput to be able to acquire by any means other than editing configuration files. As such, dput still defaults to FTP. Changing this is somewhat outside the scope of Launchpad itself, and in any case we'd want to wait for some time after a change of dput's default behaviour before withdrawing FTP uploads.

If you want to work on this, the best thing to do would be to work on improving dput's out-of-the-box behaviour.

Nico Schlömer (nschloe) said : #2

Thanks Colin Watson, that solved my question.