tech-userlevel archive


Re: Moving telnet/telnetd from base to pkgsrc



> Date: Fri, 14 Dec 2018 09:46:08 +0100
> From: Edgar Fuß <ef%math.uni-bonn.de@localhost>
> 
> > Y'all seem to think it's totally reasonable to telnet in the open internet
> What's the problem with "telnet www.uni-bonn.de http"?

If the telnet client is remotely exploitable then that exposes you to
exploitation by www.uni-bonn.de and by anyone on the internet between
you and www.uni-bonn.de.  The attack surface is unmaintained network
code from the '80s.

> Date: Fri, 14 Dec 2018 02:13:40 -0800
> From: John Nemeth <jnemeth%cue.bc.ca@localhost>
> 
>      This statement is total nonsense.  It works just fine.  And,
> it's not like there is a crap-ton of CVEs against it.  In fact,
> there have been almost none, which is pretty impressive considering
> how old the code is.

This reflects how little attention telnet has gotten, not how much
scrutiny it has withstood.

If it is used only on a carefully isolated network for something like
a serial management console, that's not really worse than the security
of a lot of management console tooling, but it's not clear to me that
it needs to be in base any more than ipmitool or amtterm.  We should
at least have warnings on it until someone takes up maintenance not to
use it on the open internet.

