Re: tcp_wrappers deprecation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2017-08-15 at 13:58 +0200, Jakub Jelen wrote:
> Hello Fedora devels and users,
> 
> more than three years ago, the same topic started discussion if we
> want
> this package in Fedora or not and how [1]. The discussion resulted
> mostly in flames and in the removal of the dependency on tcp_wrappers
> from systemd. But it was quite agreed that it is considered as a
> security layer for some users, if they use it correctly, or something
> that is or should be replaced by firewalls.
> 
> So can we discuss it now once more without the affiliation to
> systemd?
> The fact is that we still do not have any other replacement except
> firewalls. But do we need one?
> 
> The complete removal of the package is probably not a wise step, even
> though we can not find tcp_wrappers in recent SuSE anymore [2]. It is
> still available in Arch [3] without other tools depending on it. To
> be
> fair, Debian [4] is still building tools (for example openssh) with a
> build-time support for it.
> 
> My primary concern is OpenSSH, which upstream dropped support for
> tcp_wrappers three years ago (late 2014) [5] and since then we are
> maintaining one more downstream patch. But this effort should be
> coordinated among other components to simplify the transition for
> users
> who insist on using it (using tcpd).
> 
> Removing the dependency will also allow us to trim the default
> install for few more Kb.
> 
> If there will be no significant drawbacks, I will progress with
> filling
> a system wide change for Fedora 28 and I will pull the maintainers of
> other tolls using libwrap into the round and discussion.

Hello,
In Fedora 26, there is over 50 packages using tcp_wrappers as a build-
time dependency:

$ dnf repoquery --whatrequires 'libwrap.so.0()(64bit)'|grep x86_64
389-ds-base-snmp-0:1.3.6.6-2.fc26.x86_64             rmeggins
aeskulap-0:0.2.2-0.27.beta1.fc26.x86_64              jenslody
apcupsd-0:3.14.14-5.fc26.x86_64                      tibbs
apcupsd-cgi-0:3.14.14-5.fc26.x86_64
apcupsd-gui-0:3.14.14-5.fc26.x86_64
apt-cacher-ng-0:0.9.0-3.fc26.x86_64                  kenjiro
audit-0:2.7.7-1.fc26.x86_64                          sgrubb
bacula-client-0:7.4.7-1.fc26.x86_64                  slaanesh
bacula-director-0:7.4.7-1.fc26.x86_64
bacula-libs-0:7.4.7-1.fc26.x86_64
bacula-storage-0:7.4.7-1.fc26.x86_64
bacula2-client-0:2.4.4-24.fc26.x86_64                limb
conserver-0:8.2.1-3.fc24.x86_64                      jkastner
ctk-devel-0:0.1-0.2.20151015gitbdc8cac.fc26.x86_64   bizdelnick
ctk-dicom-0:0.1-0.2.20151015gitbdc8cac.fc26.x86_64
cyrus-imapd-0:3.0.1-7.fc26.x86_64                    landgraf
dcmtk-0:3.6.1-4.fc24.x86_64                          ignatenkobrain
dovecot-1:2.2.31-3.fc26.x86_64                       mhlavink
exim-0:4.89-1.fc26.x86_64                            dwmw2
flow-tools-0:0.68.5.1-18.fc26.x86_64                 stingray
foghorn-0:0.1.6-12.fc26.x86_64                       rohara  
gsi-openssh-server-0:7.5p1-1.fc26.x86_64             ellert
libvirt-snmp-0:0.0.3-7.fc24.x86_64                   mprivozn
libyaz-0:5.14.11-6.fc26.x86_64                       guidograzioli
lldpd-0:0.9.7-5.fc26.x86_64                          jhogarth
net-snmp-1:5.7.3-15.fc26.x86_64                      jsafrane
net-snmp-agent-libs-1:5.7.3-15.fc26.x86_64
nfs-utils-1:2.1.1-5.rc4.fc26.x86_64                  steved
ngircd-0:24-2.fc26.x86_64                            ixs
nrpe-0:3.0.1-4.fc26.x86_64                           smooge
nut-0:2.7.4-7.fc26.x86_64                            mhlavink
ocserv-0:0.11.8-1.fc26.x86_64                        nmav
openhpi-subagent-0:2.3.4-28.fc26.x86_64              sharkcz
openldap-servers-0:2.4.44-10.fc26.x86_64             mhonek
opensips-snmpstats-0:2.2.3-1.fc26.x86_64             ivaxer
openssh-server-0:7.5p1-2.fc26.x86_64                 jjelen
pptpd-0:1.4.0-11.fc26.x86_64                         jskarvad
prelude-manager-0:3.1.0-2.fc26.x86_64                totol
proftpd-0:1.3.6-1.fc26.x86_64                        itamarjp
ptpd-0:2.3.1-4.fc24.x86_64                           pbrobinson
pulseaudio-libs-0:10.0-4.fc26.x86_64                 lennart
quagga-0:1.1.1-2.fc26.x86_64                         mruprich
quota-rpc-1:4.03-8.fc26.x86_64                       ppisar
redir-0:2.2.1-16.fc26.x86_64                         itamarjp
rpcbind-0:0.2.4-7.rc2.fc26.x86_64                    steved
rwhoisd-0:1.5.9.6-6.fc26.x86_64                      ppisar
sendmail-0:8.15.2-14.fc26.x86_64                     jskarvad
slapi-nis-0:0.56.1-2.fc26.x86_64                     abbra
sslh-0:1.18-2.fc26.x86_64                            jhogarth
stunnel-0:5.41-1.fc26.x86_64                         tmraz
syslog-ng-0:3.9.1-1.fc26.x86_64                      marcusk
tcp_wrappers-devel-0:7.6-85.fc26.x86_64              jjelen
tftp-server-0:5.2-20.fc26.x86_64                     jsynacek
up-imapproxy-0:1.2.8-0.7.20130726svn14389.fc24.x86_64 cmadams
uwsgi-router-access-0:2.0.15-1.fc26.x86_64           kad
vsftpd-0:3.0.3-5.fc26.x86_64                         msehnout
xinetd-2:2.3.15-18.fc26.x86_64                       jsynacek

I added the main contacts on these packages to the bcc to let them
express their opinions on this proposal and usefulness of tcp_wrappers
in case of their package and their upstream community.

This is not a call for immediate action, but more a discussion, if
there is a way and will to get rid of this dependency.

As already mentioned, I would like to see that go in one go (eg. Fedora
28) so anyone using them currently, can step back to tcpd or swat to
firewall at once for all the services, if possible.

Thanks,
Jakub

> 
> 
> [1] https://lists.fedoraproject.org/pipermail/devel/2014-March/196913
> .h
> tml
> [2] https://www.rpmfind.net/linux/rpm2html/search.php?query=tcpd&subm
> it
> =Search+...&system=&arch=
> [3] https://www.archlinux.org/packages/community/x86_64/tcp-wrappers/
> [4] https://packages.debian.org/sid/openssh-server
> [5] http://www.openssh.com/txt/release-6.7
> 
> 
> Thank you for comments and constructive ideas.
> Regards,
> -- 
> Jakub Jelen
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx



[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux