On Tue, 2017-08-15 at 13:58 +0200, Jakub Jelen wrote:
> Hello Fedora devels and users,
>
> more than three years ago, the same topic started discussion if we want
> this package in Fedora or not and how [1]. The discussion resulted
> mostly in flames and in the removal of the dependency on tcp_wrappers
> from systemd. But it was quite agreed that it is considered as a
> security layer for some users, if they use it correctly, or something
> that is or should be replaced by firewalls.
>
> So can we discuss it now once more without the affiliation to systemd?
> The fact is that we still do not have any other replacement except
> firewalls. But do we need one?
>
> The complete removal of the package is probably not a wise step, even
> though we can not find tcp_wrappers in recent SuSE anymore [2]. It is
> still available in Arch [3] without other tools depending on it. To be
> fair, Debian [4] is still building tools (for example openssh) with a
> build-time support for it.
>
> My primary concern is OpenSSH, which upstream dropped support for
> tcp_wrappers three years ago (late 2014) [5] and since then we are
> maintaining one more downstream patch. But this effort should be
> coordinated among other components to simplify the transition for users
> who insist on using it (using tcpd).
>
> Removing the dependency will also allow us to trim the default
> install for a few more Kb.
>
> If there will be no significant drawbacks, I will progress with filing
> a system-wide change for Fedora 28 and I will pull the maintainers of
> other tools using libwrap into the round and discussion.

Hello,

In Fedora 26, there are over 50 packages using tcp_wrappers as a build-time dependency:

$ dnf repoquery --whatrequires 'libwrap.so.0()(64bit)'|grep x86_64
389-ds-base-snmp-0:1.3.6.6-2.fc26.x86_64 rmeggins
aeskulap-0:0.2.2-0.27.beta1.fc26.x86_64 jenslody
apcupsd-0:3.14.14-5.fc26.x86_64 tibbs
apcupsd-cgi-0:3.14.14-5.fc26.x86_64
apcupsd-gui-0:3.14.14-5.fc26.x86_64
apt-cacher-ng-0:0.9.0-3.fc26.x86_64 kenjiro
audit-0:2.7.7-1.fc26.x86_64 sgrubb
bacula-client-0:7.4.7-1.fc26.x86_64 slaanesh
bacula-director-0:7.4.7-1.fc26.x86_64
bacula-libs-0:7.4.7-1.fc26.x86_64
bacula-storage-0:7.4.7-1.fc26.x86_64
bacula2-client-0:2.4.4-24.fc26.x86_64 limb
conserver-0:8.2.1-3.fc24.x86_64 jkastner
ctk-devel-0:0.1-0.2.20151015gitbdc8cac.fc26.x86_64 bizdelnick
ctk-dicom-0:0.1-0.2.20151015gitbdc8cac.fc26.x86_64
cyrus-imapd-0:3.0.1-7.fc26.x86_64 landgraf
dcmtk-0:3.6.1-4.fc24.x86_64 ignatenkobrain
dovecot-1:2.2.31-3.fc26.x86_64 mhlavink
exim-0:4.89-1.fc26.x86_64 dwmw2
flow-tools-0:0.68.5.1-18.fc26.x86_64 stingray
foghorn-0:0.1.6-12.fc26.x86_64 rohara
gsi-openssh-server-0:7.5p1-1.fc26.x86_64 ellert
libvirt-snmp-0:0.0.3-7.fc24.x86_64 mprivozn
libyaz-0:5.14.11-6.fc26.x86_64 guidograzioli
lldpd-0:0.9.7-5.fc26.x86_64 jhogarth
net-snmp-1:5.7.3-15.fc26.x86_64 jsafrane
net-snmp-agent-libs-1:5.7.3-15.fc26.x86_64
nfs-utils-1:2.1.1-5.rc4.fc26.x86_64 steved
ngircd-0:24-2.fc26.x86_64 ixs
nrpe-0:3.0.1-4.fc26.x86_64 smooge
nut-0:2.7.4-7.fc26.x86_64 mhlavink
ocserv-0:0.11.8-1.fc26.x86_64 nmav
openhpi-subagent-0:2.3.4-28.fc26.x86_64 sharkcz
openldap-servers-0:2.4.44-10.fc26.x86_64 mhonek
opensips-snmpstats-0:2.2.3-1.fc26.x86_64 ivaxer
openssh-server-0:7.5p1-2.fc26.x86_64 jjelen
pptpd-0:1.4.0-11.fc26.x86_64 jskarvad
prelude-manager-0:3.1.0-2.fc26.x86_64 totol
proftpd-0:1.3.6-1.fc26.x86_64 itamarjp
ptpd-0:2.3.1-4.fc24.x86_64 pbrobinson
pulseaudio-libs-0:10.0-4.fc26.x86_64 lennart
quagga-0:1.1.1-2.fc26.x86_64 mruprich
quota-rpc-1:4.03-8.fc26.x86_64 ppisar
redir-0:2.2.1-16.fc26.x86_64 itamarjp
rpcbind-0:0.2.4-7.rc2.fc26.x86_64 steved
rwhoisd-0:1.5.9.6-6.fc26.x86_64 ppisar
sendmail-0:8.15.2-14.fc26.x86_64 jskarvad
slapi-nis-0:0.56.1-2.fc26.x86_64 abbra
sslh-0:1.18-2.fc26.x86_64 jhogarth
stunnel-0:5.41-1.fc26.x86_64 tmraz
syslog-ng-0:3.9.1-1.fc26.x86_64 marcusk
tcp_wrappers-devel-0:7.6-85.fc26.x86_64 jjelen
tftp-server-0:5.2-20.fc26.x86_64 jsynacek
up-imapproxy-0:1.2.8-0.7.20130726svn14389.fc24.x86_64 cmadams
uwsgi-router-access-0:2.0.15-1.fc26.x86_64 kad
vsftpd-0:3.0.3-5.fc26.x86_64 msehnout
xinetd-2:2.3.15-18.fc26.x86_64 jsynacek

I added the main contacts on these packages to the bcc to let them express their opinions on this proposal and usefulness of tcp_wrappers in case of their package and their upstream community.

This is not a call for immediate action, but more a discussion, if there is a way and will to get rid of this dependency. As already mentioned, I would like to see that go in one go (e.g. Fedora 28) so anyone using them currently can step back to tcpd or switch to firewall at once for all the services, if possible.

Thanks,
Jakub

>
> [1] https://lists.fedoraproject.org/pipermail/devel/2014-March/196913.html
> [2] https://www.rpmfind.net/linux/rpm2html/search.php?query=tcpd&submit=Search+...&system=&arch=
> [3] https://www.archlinux.org/packages/community/x86_64/tcp-wrappers/
> [4] https://packages.debian.org/sid/openssh-server
> [5] http://www.openssh.com/txt/release-6.7
>
> Thank you for comments and constructive ideas.
> Regards,
> --
> Jakub Jelen