I do not object to turning off the FTP service.
In the analysis, I think there are two costs to consider and one
benefit. The benefit of leaving it online, of course, is that some small
group of users still find utility in FTP. Keith has outlined some of the
reasons that users might prefer FTP, and I think it would be worthwhile
replicating these properties in HTTP where possible (e.g., ensuring
access to RFCs at a stable URL in a raw format, and possibly even
configuring WebDAV on those paths in a read-only mode to support remote
filesystem mounting).
The costs, as I mention, are twofold. There's a small operational cost
to keeping the FTP service up, running, and configured. For example, if
there were some reason to restructure the way files are stored on the
server, it's one additional service that needs to be updated. This is
probably pretty small from a monetary perspective.
The far greater cost is that every additional public-facing service on a
server adds attack surface for malicious parties. And for less popular
protocols like FTP, the chance of maintainers proactively finding and
patching security vulnerabilities in their servers is vanishingly small.
(If there's some vibrant community actively and continuously
contributing to an FTP server implementation, that changes the calculus
a fair bit, but that seems fantastically unlikely.)
So, on balance, it looks like retiring a lightly-used service is the
right choice.
/a
On 11/16/2020 4:51 AM, Lars Eggert wrote:
On 2020-11-16, at 12:43, Russ Housley <housley@xxxxxxxxxxxx> wrote:
I support turning off the FTP service at ietf.org.
+1
Lars
