On Wed, 2017-09-13 at 06:15 -0400, Neal Gompa wrote:
> On Wed, Sep 13, 2017 at 6:10 AM, Jan Kurik <jkurik@xxxxxxxxxx> wrote:
> > = Proposed System Wide Change: Deprecate TCP wrappers =
> > https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
> >
> > Change owner(s):
> > * Jakub Jelen <jjelen AT redhat DOT com>
> >
> > TCP wrappers is a simple tool to block incoming connections at the
> > application level. This was very useful 20 years ago, when there were
> > no firewalls in Linux. This is not the case today, and connection
> > filtering should be done at the network level or completely in
> > application scope if it makes sense. After recent discussions I believe
> > it is time to go for this package, if not completely, then at least as
> > a dependency of modern daemons in the system by default.
> >
> > == Detailed Description ==
> > The last version of tcp_wrappers was released 20 years ago (with a later
> > addition of IPv6 support). At that time, it was a very powerful tool to
> > "block all traffic", but these days we can do the same thing using
> > firewalls/iptables/nftables for all traffic at the network level, or
> > similar filtering exists in most of the applications.
> >
> > One of the motivating factors for this change was the removal of TCP
> > wrappers support from systemd and openssh in 2014, based on the thread
> > on the fedora devel list [1]. I started another thread during 2017 [2]
> > which is trying to explain the reasons why we should do that, with
> > other constructive ideas.
> >
> > Another factor which has driven the deprecation of this package is the
> > lack of any upstream community around it. Although the threats on
> > networking communications increase, the threat coverage of this
> > package has remained the same for the last two decades, suggesting that
> > new threats are now being handled in different components.
> >
> > [1] https://lists.fedoraproject.org/pipermail/devel/2014-March/196913.html
> > [2] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2IBVP66BM6HUZVRTFIVURNZUR2XSUMOD/
> >
> > == Scope ==
> > * Proposal owners:
> > Deprecate tcp_wrappers in Fedora, remove the dependency from other
> > packages we maintain and notify other maintainers to follow the same
> > procedure.
> >
> > * Other developers:
> > Remove the dependency of your software on tcp_wrappers
> >
> > * Release engineering:
> > https://pagure.io/releng/issues/7029
> >
> > List of deliverables:
> > Not affected
> >
> > Policies and guidelines: If the package will not be retired, update the
> > packaging guidelines to NOT RECOMMEND building against tcp_wrappers
> >
> > Trademark approval: N/A (not needed for this Change)
>
> So, I'm a comaintainer of a package that uses libwrap and such
> (stunnel), and I don't particularly want to lose the tcp_wrappers
> support in it, because I use stunnel in containers to set up secure
> tunnels across a number of systems. Unlike firewall rules (which apply
> globally to the host), the hosts.deny rules apply only within the
> container, which is the behavior I want.
>
> Also, your recommended alternative of using tcpd doesn't work if the
> package containing it is gone (tcp_wrappers).

It is not yet decided if the package will go away altogether or just as
a dependency of other packages. I would rather go with the first
possibility, but the second is still here as a backup.

At this point we are also in the process of investigating a replacement
in systemd, which should take care of such simple use cases as
containers with a single stunnel service.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
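The thread argues about whether the per-process hosts.allow/hosts.deny filtering that libwrap gives a daemon such as stunnel is still worth carrying. The part of that mechanism a maintainer actually needs to reason about is the evaluation order documented in hosts_access(5): hosts.allow is consulted first and a match grants access, then hosts.deny and a match refuses it, and a (daemon, client) pair matched by neither file is granted access. The following is an added illustration, not code from the thread, from tcp_wrappers or from Fedora: a small Python model of that decision procedure run against two constructed ACL files for a container that runs stunnel and sshd. It covers the common client patterns (ALL, LOCAL, KNOWN/UNKNOWN, trailing-dot address prefixes, leading-dot hostname suffixes, net/mask and bracketed IPv6 prefixes, exact matches) and the EXCEPT operator; NIS netgroups, file inclusion, shell commands and the extended option syntax are deliberately left out. The sample networks and daemon names are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample ACLs (assumed for this example, not from the thread).
# Only two management ranges may reach stunnel; sshd is open; nothing is said about vsftpd.
HOSTS_ALLOW = """
# hosts.allow is consulted first: a match here grants access
stunnel : 10.0.0.0/255.255.0.0, 192.168.1. EXCEPT 192.168.1.99
stunnel : [2001:db8:1::]/48
sshd    : ALL
"""

HOSTS_DENY = """
# hosts.deny is consulted second: a match here refuses access
stunnel : ALL
"""


def _split_fields(line):
    """Split a rule on ':' outside [...] so IPv6 patterns such as [2001:db8::]/32 survive."""
    fields, depth, cur = [], 0, ""
    for ch in line:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    fields.append(cur)
    return fields


def _split_list(text):
    """Lists are separated by blanks and/or commas."""
    return [tok for tok in re.split(r"[\s,]+", text.strip()) if tok]


def parse_rules(text):
    """Return (daemon_list, client_list) pairs, honouring '#' comments and '\\' continuations."""
    rules, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        fields = _split_fields(logical + line)
        logical = ""
        if len(fields) >= 2:  # a third field (shell command / options) is ignored here
            rules.append((_split_list(fields[0]), _split_list(fields[1])))
    return rules


def _list_matches(tokens, pred):
    """'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c), per hosts_access(5)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_matches(tokens[:i], pred) and not _list_matches(tokens[i + 1:], pred)
    return any(pred(tok) for tok in tokens)


def _client_matches(pattern, ip, hostname):
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return hostname is not None
    if pattern == "UNKNOWN":
        return hostname is None
    if pattern == "LOCAL":  # a host name without a dot
        return hostname is not None and "." not in hostname
    if pattern.startswith("."):  # host name suffix
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):  # address prefix
        return ip.startswith(pattern)
    if "/" in pattern:  # n.n.n.n/m.m.m.m or [ipv6]/prefixlen
        net, _, mask = pattern.partition("/")
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(
                f"{net.strip('[]')}/{mask}", strict=False)
        except ValueError:
            return False
    return pattern == ip or (hostname is not None and pattern.lower() == hostname.lower())


def hosts_access(daemon, ip, hostname=None, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Model of the libwrap decision: allow file, then deny file, then default ALLOW."""
    def pair_matches(rule):
        daemons, clients = rule
        return (_list_matches(daemons, lambda p: p == "ALL" or p == daemon)
                and _list_matches(clients, lambda p: _client_matches(p, ip, hostname)))

    if any(pair_matches(r) for r in parse_rules(allow_text)):
        return True
    if any(pair_matches(r) for r in parse_rules(deny_text)):
        return False
    return True  # neither file matched: access is granted


if __name__ == "__main__":
    for daemon, client in [("stunnel", "10.0.5.7"), ("stunnel", "192.168.1.99"),
                           ("stunnel", "203.0.113.4"), ("vsftpd", "203.0.113.4")]:
        print(daemon, client, "ALLOW" if hosts_access(daemon, client) else "DENY")
```

The last case in the demo is the one worth remembering when comparing this with a host firewall: a daemon that no rule mentions (vsftpd above) is reachable from anywhere, because the final fallthrough grants access. A deny-by-default libwrap policy therefore needs an explicit `ALL : ALL` in hosts.deny, and it only ever protects the daemons that were actually linked against libwrap, which is the dependency the proposal is removing.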