1. 40

The original filezilla project has been adding some kind of unwanted extra nonfree software to the releases. For this reason we have created a fork which is committed to plain and simple releases with no extra rubbish.

    1. 17

      You’d save yourself a lot of trouble upfront not borrowing the filezilla name - it’s trademarked. Already there’s an argument for whether “-ng” postfix constitutes a new mark, why bother even having it. Just completely rename it

      Hilariously their trademark policy seems to prohibit their use of their own name

      1. 3

        Oh, great point. We will need to think of a new name.

        How about godzilla-ftp.

        1. 14

          How about filemander? It’s still in the same vein as “zilla,” but far more modest. The fact that you’re refusing cruft, provides a sense of modesty.

          Also, “mander” and “minder” — minder maybe isn’t exactly right for an FTP client, but it’s not completely wrong…

          1. 4


            Great name! A quick ddg search does not show any existing projects using it.

          2. 1

            And it sounds a bit like “fire mander”, which ties in well with the mythological connections between salamanders and fire.

            1. 1

              Yeah, the intention was to have a cute salamander logo–way more modest a lizard than a “SOMETHINGzilla!”

        2. 8
        3. 5

          Just remember to make sure it’s easy for random people to remember and spell. They’ll be Googling it at some point.

    2. 11

      Nice. If you distribute pre-compiled binaries, please gpg-sign them and perhaps provide sha512 checksums of them as well.

      1. 5

        Thank you. I was planning on GPG signing and using SHA256. Is that OK?

        I also hope to make the build reproducible on linux, using debian’s reproducible build tools.

        1. 3

          Reproducible builds would be awesome.

          As for SHA256 vs. SHA512, from a performance point of view, SHA512 seems to perform ~1.5x faster than SHA256 on 64-bit platforms. Not that that matters much in a case like this, where we’re calculating it for a very small file, and very infrequently. Just thought I’d put it out there. So, yeah, SHA256 works too if you want to go with that :)

          1. 2

            Also remember defaulting on SHA-1 or SHA-256 means hardware acceleration might be possible for some users.

            1. 2

              SHA-1 has been on the way out for a while, and browsers refuse SHA-1 certificates these days. It might be a good idea to just skip SHA-1 entirely and rely on the SHA-2 family.

              1. 1

                True. I was just noting there’s accelerators for it in many chips.

            2. 2

              Isn’t SHA-512 faster on most modern hardware? ZFS uses SHA-512 cut down to SHA-256 for this reason, AFAIK.

              A benchmark: https://crypto.stackexchange.com/questions/26336/sha512-faster-than-sha256

              1. 1

                Oh idk. I havent looked at the numbers in a while. I recall some systems, esp cost- or performance-sensitive, stuck with SHA-1 over SHA-256 years ago when I was doing comparisons. It was fine if basic collisions weren’t an issue in thd use case.

                1. 4

                  Anecdotal, but I just timed running sha 512 and 256 10 times each, on a largeish (512MB) file. Made sure to run them a couple of times before starting the timer to make sure it was in cache. Results for sha-512 were:

                  27.66s user 2.86s system 99% cpu 30.562 total

                  And 256:

                  42.18s user 2.72s system 99% cpu 44.943 total

                  So it looks like sha-512 pretty clearly wins. (CPU is an i3-5005u).

                  1. 2

                    Cool stuff. Modern chips handle good algorithms pretty well. What I might look up later is where the dirt-cheap chips are on offload performance and if they’ve upgraded algorithms yet. That will be important for IoT applications as hackers focus on them more.

                2. 0

                  You should probably be sure to have your facts straight before giving security advice.

                  1. 1

                    I said there’s hardware accelerators for SHA-1 and SHA-2. Both are in use in new deployments with one used sometimes for weak-CPU devices or legacy support. Others added more points to the discussion with current, performance stats something I couldnt comment on.

                    Now, which of my two claims do you think is wrong?

                    1. 3
                      1. As noted, SHA-1 has been on its way out for awhile and shouldn’t be suggested.
                      2. I don’t know if your claim on weak-CPU devices or legacy support is true, plus you mentioned IoT in response elsewhere, it clearly doesn’t apply in the context of filezilla, an FTP app people will be running on desktops/laptops. Even if one is using the a new ARM laptop that is somewhat under powered…
                      3. As the comment you responded to points out, one installs new software quite infrequently, so the suggestion based on performance seems odd, especially since the comment you responded to already points out that SHA-512 is generally faster to compute than SHA-256. In any case, suggesting SHA-1 for performance reasons seems unsecure.
      2. 2

        Ideally, OP would also get a code signing certificate from Microsoft to decrease the amount of warnings Windows spouts about the executable.

    3. 4

      Great idea!

      I think being more explicit about what “fresh and clean” means in the README would be helpful. I was unaware of the nonfree software part until I clicked into this thread, and assumed it was about code quality.

      It would also be reassuring to see some comments around strategy for keeping this up-to-date with new features, bugfixes etc. from the main filezilla repo (if that is the plan).

    4. 3

      It was always my favorite FTP client. Good job on the fork.

      1. 1

        So that’s what it is. @rain1: can you add a sentence to the top of the Readme saying that it’s an FTP client? The description should also say, “A fresh and clean fork of the FTP client filezilla”.

        1. 2

          excellent suggestion. Done.

    5. 4

      The original filezilla project has been adding some kind of unwanted extra nonfree software to the releases.

      Can you be more specific about what exactly? It would probably also be good to state the motivation for the fork at the beginning of the README.

      1. 3

        +1. I get frustrated with forks that don’t provide a straight forward reason for their existence. I mean, it’s open source so that’s your right, but there’s a certain amount of harm that happens to the original project when a fork happens and takes off, and I feel like it’s important to at least be super clear about what you’re doing and why.

    6. 2

      Bring back LeechFTP!

      1. 4


        1. 1

          LLNL XFTP!