On Sun, 2005-04-10 at 12:49 +0200, Arjan van de Ven wrote: > > Well it's listed under Packages Deprecated > > * ncpfs — No longer part of Fedora Core profile > > > > I guest my question is, why is it being deprecated? > > the thing you need to realize is that novell added tcp/ip support to > netware somewhere in the 1990's ;) > most of these tools are both hardly maintained and often for the pre-tcp > era of netware... Well the kernel module for NCPFS supports IPX, UDP and TCP (in 2.4 and later kernels) to connect to Netware servers. Later versions of the NCPFS package don't need IPX support in the kernel and Novell/SuSE has been helping out by submitting patches. The latest version (2.2.6) looks to fix the security issues in the 2.2.4 version that is shipped with fedora. > I don't know the exact reason for this one, but in general one should > realize that network facing tools by their nature are a security risk. > For things like the apache webserver you accept that because 1) the risk > is relatively low because of the "many eyes on the omnipresent tool" > concept and 2) the value it provides is very high. For ncpfs I would > argue the opposite is sort of true; it's relatively obscure which by > their nature means both undertested and underreviewed and at the same > time the value added by the thing is also somewhat less than that of the > apache web server. Imo this balance should always be a consideration for > package inclusion in any distribution. Looking at the change log for the 2.2.6 version it looks like it's getting attention by Novell/SuSE. So I guess it's probably getting better maintained now than it was a couple years ago. Frankly it would be nice to see support for pam_nds that Dr. Pollet created after filling some bug reports seems to work well in a few peoples environments. The pam_nds portion of NCPFS is probably the least mature portion of the package so can understand it being left out. I guess I would like to see ncpfs updated to the current 2.2.6 version and considered "Part of the Fedora Core Profile" and not Deprecated. If it has been dropped from RHEL 4 then I guess that would be bad as a future upgrade path for our systems running RH 7.3 that I have been using Legacy to update (not a situation I'm totally happy with). Regards, Paul Berger
