On Fri, 18 Aug 2017 17:42:21 +0200
Jakub Jelen <jjelen@xxxxxxxxxx> wrote:

> On Tue, 2017-08-15 at 13:58 +0200, Jakub Jelen wrote:
> > Hello Fedora devels and users,
> >
> > more than three years ago, the same topic started discussion if we
> > want this package in Fedora or not and how [1]. The discussion
> > resulted mostly in flames and in the removal of the dependency on
> > tcp_wrappers from systemd. But it was quite agreed that it is
> > considered as a security layer for some users, if they use it
> > correctly, or something that is or should be replaced by firewalls.
> >
> > So can we discuss it now once more without the affiliation to
> > systemd?
> > The fact is that we still do not have any other replacement except
> > firewalls. But do we need one?
> >
> > The complete removal of the package is probably not a wise step,
> > even though we can not find tcp_wrappers in recent SuSE anymore
> > [2]. It is still available in Arch [3] without other tools
> > depending on it. To be fair, Debian [4] is still building tools
> > (for example openssh) with a build-time support for it.
> >
> > My primary concern is OpenSSH, which upstream dropped support for
> > tcp_wrappers three years ago (late 2014) [5] and since then we are
> > maintaining one more downstream patch. But this effort should be
> > coordinated among other components to simplify the transition for
> > users who insist on using it (using tcpd).
> >
> > Removing the dependency will also allow us to trim the default
> > install for a few more Kb.
> >
> > If there will be no significant drawbacks, I will progress with
> > filing a system wide change for Fedora 28 and I will pull the
> > maintainers of other tools using libwrap into the round and
> > discussion.
>
> Hello,
> In Fedora 26, there are over 50 packages using tcp_wrappers as a
> build-time dependency:

the query shows packages with run-time (not build-time) dependencies,
in some cases it's an indirect dependency, so the actual list is shorter

> $ dnf repoquery --whatrequires 'libwrap.so.0()(64bit)'|grep x86_64
> 389-ds-base-snmp-0:1.3.6.6-2.fc26.x86_64 rmeggins
> aeskulap-0:0.2.2-0.27.beta1.fc26.x86_64 jenslody
> apcupsd-0:3.14.14-5.fc26.x86_64 tibbs
> apcupsd-cgi-0:3.14.14-5.fc26.x86_64
> apcupsd-gui-0:3.14.14-5.fc26.x86_64
> apt-cacher-ng-0:0.9.0-3.fc26.x86_64 kenjiro
> audit-0:2.7.7-1.fc26.x86_64 sgrubb
> bacula-client-0:7.4.7-1.fc26.x86_64 slaanesh
> bacula-director-0:7.4.7-1.fc26.x86_64
> bacula-libs-0:7.4.7-1.fc26.x86_64
> bacula-storage-0:7.4.7-1.fc26.x86_64
> bacula2-client-0:2.4.4-24.fc26.x86_64 limb
> conserver-0:8.2.1-3.fc24.x86_64 jkastner
> ctk-devel-0:0.1-0.2.20151015gitbdc8cac.fc26.x86_64 bizdelnick
> ctk-dicom-0:0.1-0.2.20151015gitbdc8cac.fc26.x86_64
> cyrus-imapd-0:3.0.1-7.fc26.x86_64 landgraf
> dcmtk-0:3.6.1-4.fc24.x86_64 ignatenkobrain
> dovecot-1:2.2.31-3.fc26.x86_64 mhlavink
> exim-0:4.89-1.fc26.x86_64 dwmw2
> flow-tools-0:0.68.5.1-18.fc26.x86_64 stingray
> foghorn-0:0.1.6-12.fc26.x86_64 rohara
> gsi-openssh-server-0:7.5p1-1.fc26.x86_64 ellert
> libvirt-snmp-0:0.0.3-7.fc24.x86_64 mprivozn
> libyaz-0:5.14.11-6.fc26.x86_64 guidograzioli
> lldpd-0:0.9.7-5.fc26.x86_64 jhogarth
> net-snmp-1:5.7.3-15.fc26.x86_64 jsafrane
> net-snmp-agent-libs-1:5.7.3-15.fc26.x86_64
> nfs-utils-1:2.1.1-5.rc4.fc26.x86_64 steved
> ngircd-0:24-2.fc26.x86_64 ixs
> nrpe-0:3.0.1-4.fc26.x86_64 smooge
> nut-0:2.7.4-7.fc26.x86_64 mhlavink
> ocserv-0:0.11.8-1.fc26.x86_64 nmav
> openhpi-subagent-0:2.3.4-28.fc26.x86_64 sharkcz
> openldap-servers-0:2.4.44-10.fc26.x86_64 mhonek
> opensips-snmpstats-0:2.2.3-1.fc26.x86_64 ivaxer
> openssh-server-0:7.5p1-2.fc26.x86_64 jjelen
> pptpd-0:1.4.0-11.fc26.x86_64 jskarvad
> prelude-manager-0:3.1.0-2.fc26.x86_64 totol
> proftpd-0:1.3.6-1.fc26.x86_64 itamarjp
> ptpd-0:2.3.1-4.fc24.x86_64 pbrobinson
> pulseaudio-libs-0:10.0-4.fc26.x86_64 lennart
> quagga-0:1.1.1-2.fc26.x86_64 mruprich
> quota-rpc-1:4.03-8.fc26.x86_64 ppisar
> redir-0:2.2.1-16.fc26.x86_64 itamarjp
> rpcbind-0:0.2.4-7.rc2.fc26.x86_64 steved
> rwhoisd-0:1.5.9.6-6.fc26.x86_64 ppisar
> sendmail-0:8.15.2-14.fc26.x86_64 jskarvad
> slapi-nis-0:0.56.1-2.fc26.x86_64 abbra
> sslh-0:1.18-2.fc26.x86_64 jhogarth
> stunnel-0:5.41-1.fc26.x86_64 tmraz
> syslog-ng-0:3.9.1-1.fc26.x86_64 marcusk
> tcp_wrappers-devel-0:7.6-85.fc26.x86_64 jjelen
> tftp-server-0:5.2-20.fc26.x86_64 jsynacek
> up-imapproxy-0:1.2.8-0.7.20130726svn14389.fc24.x86_64 cmadams
> uwsgi-router-access-0:2.0.15-1.fc26.x86_64 kad
> vsftpd-0:3.0.3-5.fc26.x86_64 msehnout
> xinetd-2:2.3.15-18.fc26.x86_64 jsynacek
>
> I added the main contacts on these packages to the bcc to let them
> express their opinions on this proposal and usefulness of tcp_wrappers
> in case of their package and their upstream community.
>
> This is not a call for immediate action, but more a discussion, if
> there is a way and will to get rid of this dependency.
>
> As already mentioned, I would like to see that go in one go (e.g.
> Fedora 28) so anyone using them currently, can step back to tcpd or
> swat to firewall at once for all the services, if possible.

Dan
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx