[Toybox] ftpget: Remove

Rob Landley rob at landley.net
Fri Oct 29 15:43:09 PDT 2021 

On 10/29/21 1:16 PM, enh wrote:
> On Fri, Oct 29, 2021 at 10:47 AM Rob Landley <rob at landley.net
> <mailto:rob at landley.net>> wrote:
> 
>     On 10/29/21 10:51 AM, enh via Toybox wrote:
>     > i don't have much of an opinion here, but i was wondering about the usefulness
>     > of this in a world where all the major browsers have now removed ftp
>     support...
>     > is anyone likely to still be using ftp by the time toybox hits 1.0?
> 
>     Other than me? (It's the only server/client protocol toybox had implemented, I
>     was using it to send files out of mkroot.)
> 
>     I acknowledge there's a general tendency to accumulate old protocols. Busybox
>     has "rdate" and "sum" and "mt" and so on, all of which toybox decided against
>     adding. When do you remove once you've already got is an interesting question.
> 
>     But right now, I have a question for you: what's the wget equivalent of
>     "ftpput"? How do you _upload_ a file when you remove this? This isn't even a "we
>     haven't got an httpd yet". Even then, how do you push a file to a server?
> 
> scp for locked-down corporate systems, and...

Which requires ssh, which even with an integrated https we wouldn't be
implementing. (Dropbear does a fine job, and when I asked why he didn't do an
stunnel he said they were very different behind the scenes. I'm assuming this
meant different encryption plumbing.)

>     (Yes rsync is on the todo list, but it's post-1.0 and would depend on an
>     external ssh implementation. There's lots of "behind the firewall, between two
>     containers on the same machine, between VM and hypervisor" use cases that don't
>     require the connection to be encrypted, especially during development. Nice if
>     it CAN be, but can we provide that? If so, how? Can/should tftp do it?)
> 
> ...yeah, that's what i was assuming for smaller stuff. (or scp there too, or adb
> in some cases. tbh, i haven't seen tftp personally since the 1990s, but i'm
> happy to believe it's still alive and well _somewhere_ :-) )

It's still used in network booting: pxe is more or less tftp/dhcp instead of
tftp/bootp.

There were some rough edges to file off the early tftp implementations (don't
round up file size to transfer block size, don't barf when the packet sequence
number wraps on a large file), but as far as I know they got sorted out years ago.

That said: ftp didn't just let you upload. It let you list directory contents,
authenticate as a user to track file ownership, delete/rename files,
mkdir/rmdir, set timestamps... bit easier to control than just giving someone
shell access.

I have no idea how you'd list directory contents with tftp.

> toybox tftp already does puts too, no? i haven't used it, but it looks
> implemented?

I've used it. Toybox ftpget worked with toybox ftpput at least.

The problem with checking it against "an ftp server" is that apt-get had
something like 5 of them and doesn't recommend a "standard" one. :P

> (and there's a tftpd in pending too.)

There is indeed a tftpd in pending. I've meant to set up qemu pxeboot to test it
out with, and make sure it handles the packet wrapping for large files...

>     Passive ftp support is still reasonable. Non-passive ftp was always nuts: you
>     open a port and the server connects BACK to you. (What? Why?) There was even an
>     sftp that tunneled ftp via https, but as "http" being in the name of https
>     implied, people kinda assumed that everyone everywhere would be doing everything
>     over http from now own. (As insane hacks like "microsoft soap" attested
>     https://en.wikipedia.org/wiki/SOAP#History
>     <https://en.wikipedia.org/wiki/SOAP#History> although that was mostly microsoft
>     engineers wanting to bypass firewalls and take control away from site
>     administrators.)
> 
>     Removal of ftp support has been largely because "we have http, why open a second
>     port"...
> 
> plus i don't think ftpes:// or ftps:// ever really caught on, did they?

Not as url prefixes: ftp in a browser has no obvious advantages over https.

It's when you're NOT using a browser that ftp has advantages. Although scp+ssh
took over a lot of the remaining space, "I give you a shell login" is still a
higher level of trust than "you can play with files in this directory but not
run arbitrary binaries on the system". So there's still a niche for ftp, but
between ftps not being regularly supported enough to avoid the purging of
unencrypted protocols, and ssh/scp/rsync working fine if you have a shell login
on the target machine, it's not necessarily a big enough niche to sustain it.

That said, some web hosts still used ftp-over-https as their update mechanism
last I checked. (Dreamhost gives me a shell so I rsync: containers are _also_
eroding ftp's niche...)

Rob

P.S. Android used to let me mount a vfat block device to send files to/from the
phone, and then switched to some windows protocol I needed a gnome tool to deal
with on Linux, and I just started enabled developer options on my phone and
started using adb instead. FTP over the usb tether would have made sense there,
but despite wifi hotspot having an icon in the main screen pulldown, to enable
USB tethering I have to navigate something like 5 menus deep. *shrug*

More information about the Toybox mailing list