On Wed, Sep 13, 2017 at 6:10 AM, Jan Kurik <jkurik@xxxxxxxxxx> wrote:
> = Proposed System Wide Change: Deprecate TCP wrappers =
> https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
>
> Change owner(s):
> * Jakub Jelen <jjelen AT redhat DOT com >
>
> TCP wrappers is a simple tool to block incoming connection on
> application level. This was very useful 20 years ago, when there were
> no firewalls in Linux. This is not the case for today and connection
> filtering should be done in network level or completely in application
> scope if it makes sense. After recent discussions I believe it is time
> to go for this package, if not completely, then at least as a
> dependency of modern daemons in system by default.
>
> == Detailed Description ==
> Last version of tcp_wrappers was released 20 years ago (with later
> addition of IPv6 support). At that time, it was a very powerful tool to
> "block all traffic", but these days we can do the same thing using
> firewalls/iptables/nftables for all traffic on network level or
> similar filtering exists in most of the applications.
>
> One of the motivating factors for this change was removal of TCP
> wrappers support from systemd and openssh in 2014, based on the thread
> on fedora devel list [1]. I started another thread during 2017 [2]
> which is trying to explain the reasons why we should do that with
> other constructive ideas.
>
> Another factor which has driven the deprecation of this package is the
> lack of any upstream community around it. Although the threats on
> networking communications increase, the threat coverage of this
> package has remained the same the last two decades, suggesting that
> new threats are now being handled on different components.
>
> [1] https://lists.fedoraproject.org/pipermail/devel/2014-March/196913.html
> [2] https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/2IBVP66BM6HUZVRTFIVURNZUR2XSUMOD/
>
>
> == Scope ==
> * Proposal owners:
> Deprecate tcp_wrappers in Fedora, remove dependency on other packages
> maintained and notify other maintainers to follow the same procedure.
>
> * Other developers:
> Remove dependency of your software on tcp_wrappers
>
> * Release engineering:
> https://pagure.io/releng/issues/7029
>
> List of deliverables:
> Not affected
>
> Policies and guidelines: If package will not be retired, update
> packaging guidelines to NOT RECOMMEND building against tcp_wrappers
>
> Trademark approval: N/A (not needed for this Change)

So, I'm a comaintainer of a package that uses libwrap and such
(stunnel), and I don't particularly want to lose the tcp_wrappers
support in it, because I use stunnel in containers to set up secure
tunnels across a number of systems. Unlike firewall rules (which apply
globally to the host), the hosts.deny rules apply only within the
container, which is the behavior I want.

Also, your recommended alternative of using tcpd doesn't work if the
package containing it is gone (tcp_wrappers).

--
真実はいつも一つ!/ Always, there's only one truth!