> On Tue, 2017-08-15 at 13:58 +0200, Jakub Jelen wrote: >> Hello Fedora devels and users, >> >> more than three years ago, the same topic started discussion if we >> want >> this package in Fedora or not and how [1]. The discussion resulted >> mostly in flames and in the removal of the dependency on tcp_wrappers >> from systemd. But it was quite agreed that it is considered as a >> security layer for some users, if they use it correctly, or something >> that is or should be replaced by firewalls. >> >> So can we discuss it now once more without the affiliation to >> systemd? >> The fact is that we still do not have any other replacement except >> firewalls. But do we need one? >> >> The complete removal of the package is probably not a wise step, even >> though we can not find tcp_wrappers in recent SuSE anymore [2]. It is >> still available in Arch [3] without other tools depending on it. To >> be >> fair, Debian [4] is still building tools (for example openssh) with a >> build-time support for it. >> >> My primary concern is OpenSSH, which upstream dropped support for >> tcp_wrappers three years ago (late 2014) [5] and since then we are >> maintaining one more downstream patch. But this effort should be >> coordinated among other components to simplify the transition for >> users >> who insist on using it (using tcpd). >> >> Removing the dependency will also allow us to trim the default >> install for few more Kb. >> >> If there will be no significant drawbacks, I will progress with >> filling >> a system wide change for Fedora 28 and I will pull the maintainers of >> other tolls using libwrap into the round and discussion. > > Hello, > In Fedora 26, there is over 50 packages using tcp_wrappers as a build- > time dependency: > > > Since I'm listed twice in there... > > With my packages and the situation with build time options I take the > position of enable as much as possible since our users don't get to pick > their compilation options. > > However tcp_wrappers is a legacy thing that no longer belongs in today's > world. > > I have no objection to a flag day in F28 development and dropping the build > option at some point, preferably before the thing that is no longer an alpha > ;) ... ie way before beta. With F-27 now branched off this can happen in F-28/rawhide now _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
