deprecate FTP in favor of SFTP?

[zooko]

There are major limitations to the LAFS-FTPd implementation—starting with the fact that mutable files just don't work—and there is no intent to fix these limitations, because the Tahoe-LAFS developers think that the SFTP protocol is better, the LAFS-SFTP implementation already works better, and we think everyone should switch from FTP to SFTP. There are more details about this here, in addition to the obvious issue that FTP lacks confidentiality and integrity: trunk/docs/frontends/FTP-and-SFTP.rst​ .

However, I've observed that people continue to use FTP because:

• They think that the only difference between the two is that SFTP is encrypted, and
• They are accessing it over localhost only, anyway, or they otherwise aren't worried about attackers snooping on or altering their files in flight, and
• Setting up LAFS-SFTPd requires an extra step more than setting up LAFS-FTPd — you have to create an ssh keypair.

In other words, I've observed that people are unaware of the limitations and problems in the FTP protocol and the LAFS-FTPd implementation, mentioned above and documented in trunk/docs/frontends/FTP-and-SFTP.rst​, even though we've documented them from the beginning. This is a lesson we've learned many times: it doesn't matter what the documentation says, people will continue to use a feature as long as it *appears* to work.

The most recent example of this pattern is the choice of Stig Atle Steffensen to use LAFS-FTPd even though I already told him that there were relevant limitations documented in FTP-and-SFTP.rst. Apparently he didn't read it, didn't notice the limitations part, or thinks those limitations are irrelevant to his use case. (Which I guess could be true for him, if he uses only ASCII filenames, only immutable files, doesn't have servers-of-happiness failures on his grid, etc.) In this tweet he wrote, it sounded like he wasn't aware of those other issues and thought that the only difference between FTP and SFTP was encryption:

“ftp is unencrypted, sftp is encrypted, but if you run everything on 'localhost' then it does not matter if you use one over the other”

— ​https://twitter.com/stigatle/status/397059080499789824

This ticket proposes to deprecate and then remove the LAFS-FTPd implementation in favor of LAFS-SFTPd. The justification is that LAFS-FTPd lacks important functionality, like mutable files, error reporting, and non-ASCII filenames, not to mention confidentiality and integrity, and we have no plans to add it, because the FTP protocol can't support some of those features, and because we've already implemented all of that in LAFS-SFTPd and we think anyone who uses LAFS-FTPd could (with only a *little* added effort) switch to LAFS-SFTPd.

I'm marking this with the tag forward-compatibility and putting it into Milestone 1.11 because if we want to leave the deprecated LAFS-FTPd functionality in place for a full major release, then not doing the deprecation notice in 1.11 will obligate us to keep LAFS-FTPd functionality running in 1.12.