back to article FTP becoming Forgotten Transfer Protocol as Debian turns it off

Debian is shutting down its public File Transfer Protocol (FTP) services, because hardly anybody uses them any more and they're hard to operate and maintain. The project has told world+dog that come November 1st, 2017, ftp://ftp.debian.org and ftp://security.debian.org will cease operations. The reasons are pretty simple: …

  1. Malcolm Weir Silver badge

    FTP sends passwords in the clear. 'Nuff said.

    1. jake Silver badge

      passwords

      For values of password that include "anonymous" does it really matter?

  2. Ole Juul

    awkward to use?

    He also notes that “Most software implementations have stagnated and are awkward to use and configure,”

    I disagree. Security aside, just downloading with ftp is about as simple as it gets. Type "lftp filename", "ftp filename", or "sftp filename", whichever program you prefer, and that's it. And no, there's no configuration required on the client. Hard to imagine anything simpler to use.

    1. kiwikrag

      Re: awkward to use?

      errr, wget $filename

      1. phuzz Silver badge

        Re: awkward to use?

        Invoke-WebRequest $url -outfile $filename

        (Although this will work equally well with http, https and ftp links)

    2. Richard 12 Silver badge

      Re: awkward to use?

      While HTTP is "click on link in the browser", and HTTPS is "click on link in browser".

      The link can even have text and images to explain what it is for, how to use it and why you might choose one link instead of another.

      That human-readable metadata is extremely useful to everyone.

      FTP clients have stagnated, they haven't become any easier to use for a decade. In fact they've barely changed at all.

      FTP servers are worse, as they are hard to balance and hard to configure.

      Worst, common implementations of client and server are subtly incompatible with each other.

    3. davidp231

      Re: awkward to use?

      (s)ftp <web address>

      <enter credentials>

      cd <path to file>

      ls

      get <filename> (or put, if uploading)

      bye

      or:

      (s)ftp

      open

      <web address>

      or: open <web address>

      etc etc.

  3. Denarius
    Meh

    meanwhile, back in the coporate world

    FTP chugs along feeding data from unices, Windows, whatever relics like VMS lying around to the organisations mainframe. Not something one uses outside of a couple of firewalls, but I can think of multiple government sites where FTP gets data from A to B quietly and reliably if one scripts decent post transfer log analysis. FTP use is fading as ssh takes over. Somehow I do not see Kermit coming back either.

    As for hard to use argument, BH. Download WS-FTP or equivalent, read instructions, configure, compile and install or download existing compiled package if lazy and trusting. It is simple to set up an anonymous FTP server. Simpler than NFS even. Throughput I find better than http. Don't know about caching. Given the size of the files I transferred or their contents, non-caching is desirable. Perhaps this is another sign of the dumbing down of IT as the lowest common denominator consumer experience sets standards.

    Agreed ftp is not secure. Once can add a little security by using Franceso Rosales shell compiler or using the equivalent in ksh93 that hides the account details from causal snooping.

    Given the lack of use, decommissioning FTP is logical for Debian. Whether it will fade away or become another "Death of COBOL predicted" meme is debatable. Meanwhile, back to Devuan install

  4. Frumious Bandersnatch Silver badge

    "no caching"? Hmm.

    I was going to complain that most people use something akin to apt-cacher-ng or squid on the client side, anyway. But then, realised that FTP doesn't have a standard way of getting file metadata, particularly the HTTP-like "last-modified" data that's crucial for avoiding downloading (mirroring) stuff you already have. Sure, running "dir" works, but there doesn't seem to be a standard way of presenting all the fields ...

    Overall, probably a sensible move. Still, with FTP disappearing it does make me feel just that little bit more antiquated.

  5. jake Silver badge

    "hard to operate and maintain"???

    What are they teaching kids in school these days if ftp is considered "hard"? Does this exemplify the abilities of the average Debian maintainer?

    Come to think of it, it could partially explain the move to systemd ...

  6. bobajob12
    Unhappy

    Sad but not terrible

    I'll confess: I don't use FTP, and haven't for years in any proper scenario. Around my home network, setting up a web, SSH or NFS server is so quick now that I don't even bother there. So all power to Debian for pulling the plug.

    I do feel a little wistful though, because with each passing the year, the number of things you can do on a network by just connecting to the socket and typing gets smaller. One day soon we won't be able to connect to any resource unless it's over a channel that has been preapproved by our Corporate Overlords, and that makes me a little sad.

    Yes, I know no sensible person sends mail by "telnet <mx> 25" or reads El Reg with a "nc www.theregister.co.uk 80", but the thought of being able to in a pinch is comforting, and it's a great way to learn how things really worked.

    1. Herby

      Re: Sad but not terrible

      Yes, I know no sensible person sends mail by "telnet <mx> 25"

      While this may be true, spammers do exactly that programatically. Spew to port 25 and just discard the result.

      Me? One of my web cams nicely transfers pictures once a minute to my FPT server and has for over 10 years. Of course, FTP is a really weird protocol (PORT/PASV and all that), but if it is implemented, it DOES work. There is a lot of history around it and the problems/flaws are pretty well known, and for the most part pretty well fixed. It is like the energizer bunny, it keeps going, beating its drum.

  7. herman Silver badge

    Windows

    Anonymous FTP is one of the few protocols that Windows supports natively. For any small business, it is much easier to set up a FTP server than a SMB/CIFS server, since it requires zero maintenance and anyone can access their files from the Windows file explorer.

    1. Richard 12 Silver badge

      Re: Windows

      For small values of "support", anyway.

      SMB is much easier to set up in Windows (and multi-OS environments).

      You just tick the box labelled "Share folder" and follow the prompts to set passwords and user access rights.

      Yet even SMB is basically deprecated for local file sharing, there are far better things now and the tools to set them up - in a reasonably secure way - are becoming easier to use.

  8. CentralCoasty

    FTP ...... ah the memories......

    Lets face it, what would we have done without it back in the "good ol days!'. When we managed to sync the connections ftp made our life so easy! We could finally start actually moving data without having to use tape!

    Well its been dying for some time now - am actually amazed its lasted this long given its insecurities - but its still sad to see it go...... (in some perverse, nostalgic and idiotic way).

    1. Dan 55 Silver badge
      Windows

      Re: FTP ...... ah the memories......

      Ftpmail, eh? Jumpers for goalposts...

      1. jake Silver badge

        Re: FTP ...... ah the memories......

        ftpmail ... the reason AOL finally brought AOL's version of FTP online. The Stratus computer based email system couldn't handle the large quantity of uuencoded files users were requesting.

        Which reminds me ... I still use UUCP in a few places, mostly to transport email within corporations, but also within the load balancing guts of a largish Usenet system I maintain. I'll leave the "why" as an exercise for the reader ;-)

        1. Down not across Silver badge

          Re: FTP ...... ah the memories......

          Which reminds me ... I still use UUCP in a few places, mostly to transport email within corporations,

          I still remember my bangpath email address. That was before there was any commercial internet.

      2. fuzzie

        Re: FTP ...... ah the memories......

        If you remember ftpmail, you might also remember the brief period of FSP ;)

        1. jake Silver badge

          Re: FTP ...... ah the memories......

          I remember it because I didn't allow it. I only saw FSP used by pr0n and warez collectors ... For a short while (a week or ten days) it was the largest bandwidth user at one of the Unis I was taking care of.

  9. sabroni Silver badge

    usage of the FTP servers is pretty low...

    ...as our own installer has not offered FTP as a way to access mirrors for over ten years.

    So you stopped offering it and usage of it dropped off? No shit. That's clear evidence that no one likes ftp.

  10. Anonymous Coward
    Anonymous Coward

    Filezilla

    I use Filezilla often to get large files onto client's servers or with colleagues as it is great at resuming if the connection is interrupted (work for a software reseller so often passing installation software or zipped virtuals around)

    1. steelpillow Silver badge

      Re: Filezilla

      Same here. And it supports SFTP, so I can use it outside the cage, too. :)

    2. Jay 2

      Re: Filezilla

      Another Filezilla user here. Very handy for moving stuff to/from desktop to build/jumphost servers. we still use FTP a fair bit internally, though we also have a fair amount of HTTP/wget too. Also lurking is some SFTP, but I don't find it the easiest thing to set up (and quickly get working) on some of out Linux kit.

      1. Peter2 Silver badge
        Coat

        Re: Filezilla

        yet another filezilla user who migrated from WS FTP Pro, since filezilla does the job, and is free so you don't have to try and get money authorised for licensing if you want to use an FTP client at work.

        What has FTP been replaced with for uploading/managing a website? Yes, niche thing, but it's not going to go away. And no, CMS's aren't replacements for FTP.

        Yeah, i'll get my coat.

        1. Bronek Kozicki Silver badge

          Re: Filezilla

          "What has FTP been replaced with for uploading/managing a website?"

          Depends on server software used, but if something relatively modern then webdav + authentication modules should be available. Or maybe setup a git repository for website files. Or use ssh and scp. I recon any of those would be safer and better performing that FTP, but I do appreciate the sentimental value of a very old protocol.

          1. Peter2 Silver badge

            Re: Filezilla

            When those options are available on 1&1's platform and other shared webhosts running cPanel then I'm sure that people might start using them. Until then...

  11. Giles C

    Still out there

    Plain ftp maybe that is declining but I still do a lot of transfers using it along with sftp or similar protocols. Most hosting companies still use it to upload websites and it is a lot faster than smb.

    Mind you saying it is unnecessary is a bit like having to install the telnet client on a windows box. Try troubleshooting firewall connections without a telnet xxxx port yyy command line to hand.

  12. Anonymous Coward
    Anonymous Coward

    I occasionally still use FTP to get older unborked version of fire fox.

    1. Anonymous Coward
      Anonymous Coward

      You can still get it via the website. Just need to dig. Just make sure auto-update is the first thing you kill off.

      Yes, some of us still need Java plugins.

      1. jake Silver badge

        Try via FTP ...

        ftp.mozilla.org/pub/firefox/releases/52.1.0esr/

        "Old" version of Firefox (released 18-Apr-2017). Note that this is the extended support release. Keep an eye on the latest ESR here:

        ftp.mozilla.org/pub/firefox/releases/latest-esr/README.txt

        Might be handy info for some.

  13. steelpillow Silver badge

    SFTP?

    Presumably by HTTP they mean HTTPS, otherwise you have gained nothing but a wider attack ecology. What do they think is wrong with standing up SSH/SFTP?

  14. Chris Johnson 1

    I never remember FTP being used by bulletin boards; they transferred files by using the X/Y/Zmodem protocols. In my own field (EDI) I have seen increasing use of FTP in the last 20 years, both for point to point communication and as a way of accessing VANs (Value Added Networks)

    1. jake Silver badge
      Coat

      That's OFTP ...

      Mines the one with the kermit code in the inside pocket ...

    2. Infernoz Bronze badge
      Holmes

      True, FTP requires TCP/IP packets and two TCP/IP socket channels, and pre-internet, direct to BBS, modem calls just send and received bytes over a single raw channel, so it was up to both ends which protocols they used after text based negotiation.

  15. Anonymous Coward
    Anonymous Coward

    All this nostalgia ...

    whatever happened to KERMIT ? My first exposure to FOSS in 1985 ... I still have some patches to Sperry KERMIT immortalised at Columbia. Very useful in interviews ..

    "So what experience have you got ?"

    "Well I've got a patch from 1986 (i.e. before you were born) lodged on the internet. What's yours ??"

    1. Andy The Hat Silver badge

      Re: All this nostalgia ...

      FTP, Kermit, Zmodem? It'll be memories of SCSI cables or VGA next ... I need really to retire on the grounds of having too much old crap in my brain ...

  16. Alister Silver badge

    We still use ftp extensively to move backup files around within our WAN. It's still the fastest method of transferring a file over a network, with the least overhead, that I know.

  17. hammarbtyp Silver badge

    Our company disables all outgoing ftp requests for security reasons (something IT forgot to mention for about 6 months). so my heart sinks when I go to a company website and see only a ftp link for uploading patches/software etc.

  18. This post has been deleted by its author

  19. /dev/null

    RFC114

    RFC114 might have been published in 1971, but that described ye olde ARPAnet FTP. The Internet (TCP/IP) FTP protocol we all know and love didn't arrive until 1980 with RFC765, updated in 1985 by RFC959 and later RFCs.

  20. Infernoz Bronze badge
    Facepalm

    User level login security (with FTPS or SFTP) in FTP.

    I use FTP when Samba has file permissions glitches in FreeNAS, and it of course can supports user level login and user home restrictions, and can support TLS encryption, which are both useful to block unwanted access.

    I don't see even user level security for WebDAV in FreeNAS 9.10.2-U3, just a useless shared basic/digest password over HTTPS; it seems you need to bolt stuff in front of WebDAV to get user level security, when it should be standard!

    The result is I could safely expose an FTP service, with TLS, to the internet for people, but WebDAV is useless except for read-only access for people by I can trust with a common password/digest i.e. none so far.

  21. Zippy's Sausage Factory

    So someone encourages their users to use a different method of doing stuff, then turns off the old way of doing things because users aren't using it any more.

    Hmmm... couldn't this have easily gone the other way if they'd put the ftp link at the top and the word "recommended" against it, then hidden the http links smaller and lower down. Of course it could. It's simply Debian trying to only have one way of doing things rather than two.

    I must put something in my calendar to download the lot in October and stuff it on the Internet Archive in their "ftp mirrors" collection (an absolute treasure trove of weird and wonderful stuff, well worth a browse)

  22. doke

    routers and embedded devices

    These days I mostly use ftp to get firmware images and data on and off of routers, switches, and embedded devices. The simple protocol, and low cpu / memory requirements make it a good fit in bootloaders and rescue images. Virtually all of those transfers are to or from an anonymous ftp server on the same protected management lan.

    ftp is sometimes problematic on the internet, because the firewall has to inspect the protocol and open the ports for the data channel. Passive mode will get around your firewall, but not the other end's firewall. Active mode is the other way around. In linux, as a client, you have to load a kernel module, nf_conntrack_ftp, to get iptables to do the inspection to make active mode work.

  23. patrickstar

    I use it all the time for downloading ISO images and source tarballs, especially when doing it straight to a server. Sure, there's always Lynx/links, but just firing up the basic always-available ftp client is quicker.

    Plus I use it a lot for transfers within networks. Typically I will have an account with a not-very-secret password for uploading stuff, with FTP access only.

    Many FTP daemons actually have an important security advantage to SSH - it's a lot easier to setup an account that can upload/download/list files in a specific directory and do nothing else. Try doing it with SSH - certainly possible, but a lot more work and things that can go wrong. Even to properly chroot the user you may very well end up having to run a separate sshd for the task.

    Compared to, for example, vsftpd where it's a single configuration option and voila - all users end up chroot'ed to their home directories.

  24. Dwarf Silver badge

    The one good thing about FTP

    You can go rummaging around the shared file system without getting any silly Apache error messages about folder listing being denied, or suddenly get to a web page that you are not interested in.

    Simplicity does have its place.

    I remember rummaging around in various vendors public ftp sites to find the specific tool I needed that doesn't appear on their web site.

    Does anyone else remember when Microsoft used to think that it was a good idea to make their downloads available via an Internet visible SMB share, so you could just mount it from your office to get service packs and patches..

  25. John Smith 19 Gold badge
    Unhappy

    So they may not like it but it's quite a lingu franca of hassle free file tranfer

    Whereas most of its "replacements" depend on what host OS you're running.

    So back to walled gardens then..

  26. Chrisd1004

    I would say that FTP is definitely becoming outdated as companies are looking to modernize their infrastructure with more secure and user-friendly file sharing tools. There are many new file sharing platforms that enable companies to share files from multiple protocols like HTTPS, FTPS, SFTP without using separate tools.

    1. patrickstar

      When you say "file sharing platform", do you mean some clown service?

      In that case I'd universally recommend an internal FTP server over any of them...

    2. jake Silver badge

      "many new file sharing platforms ... without using separate tools."

      Do you honestly not see the disconnect in that? Marketing sure has your number ... Me, I'll stick to good, old fashioned FTP for the bulk of the time when I want to ... uh ... er ... transfer files, to coin a phrase. One tool, works on all platforms. Unless those platforms intentionally block FTP, of course. Now why do you suppose they would want to do that? And please don't try to tell me it's "because they are hard to operate and maintain". That's just laughable.

  27. llaryllama

    Actually..

    At a printing outfit we run a secure FTP service using FTPS (FTP over TLS) which is supported by all decent modern FTP clients such as Filezilla. It's used for clients who need to send very large files to us.

    We do have a pretty advanced browser based uploader but it doesn't work well when e.g. clients are behind a slow or unreliable network connection. Also sometimes a combination of browser, add-ons and/or the phase of the moon just randomly stops things working.

    A secured FTP service is useful over something like SCP because a) non tech savvy people have generally at least heard of FTP and any other acronym scares them off and b) it allows for very secure jailing of the FTP user from the system at large.

    Sometimes it's easy to forget that not everybody has super fast and reliable internet, and FTP over TLS is nice for those users because you can choose to secure just the communications between client and server but perform the transfer unencrypted. The data we are receiving is not exactly top secret blueprints so that can be a lot faster and more reliable for these users.

    1. patrickstar

      Re: Actually..

      The problem with running the FTP control channel over SSL/TLS (or encrypting it in general) is that it breaks NAT protocol handling. Which is fine as long as the relevant data transfer ports on the FTP server are accessible and the client configured properly regarding active vs. passive mode, but still.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019