I'd go even further and say this should be shipped as part of regular
Debian releases, ie. just push it to unstable.
I think the argument against that was that it requires a hard-coded third-party server as a middleman, and it's explicitly stated that it'll disappear if load increases.
We still ship FTP daemons that serve files without passwords and use
cleartext by default.
They're not labeled "secure" though ;) Just to clarify, I never objected to the package itself, just that I wasn't sure about it being called "secure". I don't know enough about the algorithms and attack surfaces involved to make any kind of qualified statement though, so maybe it does qualify as secure.