Originally, MKCRYPTO was introduced because the United States
classified cryptography as a munition and restricted its export. The
export controls were substantially relaxed fifteen years ago, and are
essentially irrelevant for software with published source code.
In the intervening time, nobody bothered to remove the option after
its motivation -- the US export restriction -- was eliminated. I'm
not aware of any other operating system that has a similar option; I
expect it is mainly out of apathy for churn that we still have it.
Today, cryptography is an essential part of modern computing -- you
can't use the internet responsibly without cryptography.
The position of the TNF board of directors is that TNF makes no
representation that MKCRYPTO=no satisfies any country's cryptography
regulations.
My personal position is that the availability of cryptography is a
basic human right; that any local laws restricting it to a privileged
few are fundamentally immoral; and that it is wrong for developers to
spend effort crippling cryptography to work around such laws.
As proposed on tech-crypto, tech-security, and tech-userlevel to no
objections:
https://mail-index.netbsd.org/tech-crypto/2017/05/06/msg000719.htmlhttps://mail-index.netbsd.org/tech-security/2017/05/06/msg000928.htmlhttps://mail-index.netbsd.org/tech-userlevel/2017/05/06/msg010547.html
P.S. Reviewing all the uses of MKCRYPTO in src revealed a lot of
*bad* crypto that was conditional on it, e.g. DES in telnet... That
should probably be removed too, but on the grounds that it is bad,
not on the grounds that it is (nominally) crypto.
amd64/ramdisks/common/list.ramdisk.
Previously, the amd64 list.ramdisk used the small version of gzip from
distrib/utils/x_gzip, while the i386 list.ramdisk used the full version
of gzip built from usr.bin/gzip, and also used extra libraries needed to
make that work. Now, they both use the small version.
The only other difference was in the order of some PROG lines.
pre-define the LISTS variable if they do not want it to include
${.CURDIR}/lists. This opens the possibility of making some of the
many distrib/*/ramdisks/*/lists files shared in the future.
XXX: Some of the differences between these files seem to be unnecessary.
where configuration for crunchgen(1) is moved from ramdisk/ to common/.
For i386, only mbrlabel(8) and various LFS related binaries are added. Yes,
LFS. It was added to amd64 ramdisk 3 years ago, I believe it's for a good
reason... ?
the full termcap distfile. In an attempt to reduce the madness
switch everyone (except the i386 cd install which does its own
thing) to the same (under 8K) termcap subset:
ansi ansi/pc-term compatible with color
dumb|unknown 80-column dumb tty
hp300h HP Catseye console
iris-ansi-ap IRIS ANSI in application-keypad mode
iris-ansi|iris-ansi-net IRIS emulating 40 line ANSI terminal (almost VT100)
sun|sun1|sun2|sun-il Sun Microsystems Inc. console with working insert-line
vt100|vt100-am DEC VT100 (w/advanced video)
vt220-8 DEC VT220 8 bit terminal
vt220|vt200|vt300 DEC VT220 in vt100 emulation mode
wsvt25 NetBSD wscons in 25 line DEC VT220 mode
wsvt25m NetBSD wscons in 25 line DEC VT220 mode with Meta
x68k|x68k-ite NetBSD/x68k ITE
xterm|vs100 xterm terminal emulator (X Window System)
Trying to provide similar functionality across all ports? It'll never
catch on...
CD-ROM as the root file system. It contains a limited subset of $DESTDIR
along with sysinst. This will help to massively reduce the amount of memory
needed to install from CD or netboot, and allow us to continue using the
generic kernel on the CDs.
improved modularity and extensibility.
In the new architecture, a directed graph of argument-matching
objects (match objects) expresses the set of feasible ifconfig
statements. Match objects are labelled by subroutines that provide
the statement semantics.
Many IPv4, IPv6, 802.11, tunnel, and media configurations have been
tested.
AppleTalk, ISO, carp(4), agr(4), and vlan(4) configuration need
testing.
FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry. RedHat has
evidently built all "core system packages" with this option for some time.
This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.
This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros. Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp iteself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.
Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default. Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.
updating. Probably to an ACPI kernel that need not fit into an 'emulated floppy'
and a 'legacy' kernel that will fit.
In any case the small/tiny kernels which are really for i386 systems with
< 16MB of memory (some are sized for a 5.25" floppy) don't need to be built.
Remove bootfloppy-small, bootfloppy-tiny, rescue-tiny and bootfloppy-ps2
and associated ramdisks.
martin