On Fri, 22 Oct 2021, Ian McInerney via devel wrote:
> On Thu, Oct 21, 2021 at 9:38 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
>
>> https://fedoraproject.org/wiki/Changes/retire_NIS_user_space_utils
>> == Summary ==
>> This change is about retiring the ypbind, yp-tools, and ypserv
>> packages, and removal of the {nis,yp}domainname user-space utility
>> programs from the hostname package.
>> == Owner ==
>> * Name: [[User:besser82 | Björn Esser]]
>> * Email: besser82@xxxxxxxxxxxxxxxxx
>> == Detailed Description ==
>> Those utility programs used to be present on virtually any UNIX system
>> for decades, but are starting to become more and more deprecated.
>> Also NIS(+) is known for not being secure at all. As we are going to
>> [https://fedoraproject.org/wiki/Changes/drop_NIS_support_from_PAM
>> remove the support for NIS(+) in PAM] during this development cycle,
>> we also should get rid of those.
>> == Feedback ==
>> There was some discussion on
>> [https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/T662DD2FD3YNPTVTOPCYFQRSOQCJWCSZ/
>> the fedora-devel mailing-list]. Some people are reluctant about the
>> removal of NIS(+) user-space support, while most are okay with it as
>> there are more secure alternatives (LDAP, FreeIPA, etc.) available.
>> The FPL is +1 on doing so.
>> == Benefit to Fedora ==
>> With this change we start directing our users and developers to move
>> away from NIS(+) to secure alternatives like LDAP and/or FreeIPA.
>> == Scope ==
>> * Proposal owners:
>> ** Retire the ypbind, yp-tools, and ypserv packages from Fedora.
>
> Have you talked with the maintainers of these packages at all? I can't
> recall if any of them replied in the RFC thread before, but it would be (in
> my opinion) very bad form to retire a package without asking for the
> maintainer's input and opinions.
> (It might even be good to get one of/some of the maintainers as change
> owners on this proposal as well to show they are involved in this).
> -Ian
>
>> ** Remove the {nis,yp}domainname user-space utility programs from the
>> hostname package.
>> * Other developers:
>> ** Test this change.
>> * Release engineering: [https://pagure.io/releng/issue/10352 #10352]
>> * Policies and guidelines: N/A (not needed for this Change)
>> * Trademark approval: N/A (not needed for this Change)
>> * Alignment with Objectives: N/A
>> == Upgrade/compatibility impact ==
>> Users that were relying on support for NIS(+) will need to move to
>> secure alternatives like LDAP and/or FreeIPA.
>> == How To Test ==
>> Check whether the named utility programs are still installed on your
>> system after upgrading. If they are gone, everything is fine.
>> == User Experience ==
>> For some users this change may be a bit disruptive and it may require
>> some learning curve for switching to alternative solutions.
>> == Dependencies ==
>> There are actually no external dependencies.

This is not correct at all. FreeIPA does depend on the nisdomainname utility
(part of the hostname package).

SUDO depends on the correct value returned from getdomainname() in order
to support netgroups in LDAP-stored SUDO rules. The same rules are
implemented by FreeIPA and SSSD.

However, I think this is *not* a deprecated technology question. Domain
name information is part of the UTS information in the kernel.
According to the glibc implementation, getdomainname() pulls the domain name
from the uname() syscall:
https://sourceware.org/git/?p=glibc.git;a=blob;f=misc/getdomain.c;h=09bb3b0e2cc214b406387294ad90b3c01e2d9a71;hb=HEAD

where 'domainname' is a GNU extension. It represents the name of the domain
this host belongs to. Note that the domain name itself is not a DNS
domain name as it represents a higher abstraction level entity which can
be roughly mapped to a whole IPA or AD domain. This is how we actually
are using it in FreeIPA.

Someone has to set the domain name upon startup. So far, only the
nisdomainname tool was doing that. If that is removed, then SUDO will
definitely break.

This does not require the presence of NIS infrastructure but does require
a properly configured NIS domain name on each client. Which means we must be
able to continue configuring the NIS domain name.

>> == Contingency Plan ==
>> * Contingency mechanism: Unretire the packages and build them for Fedora 36.
>> * Contingency deadline: At beta freeze.
>> * Blocks release? Yes.
>> == Documentation ==
>> The documentation about those utility programs should be dropped, if
>> there even is any.
>> == Release Notes ==
>> The NIS(+) user-space utility programs have been removed from the
>> distribution.
>> --
>> Ben Cotton
>> He / Him / His
>> Fedora Program Manager
>> Red Hat
>> TZ=America/Indiana/Indianapolis
>> _______________________________________________
>> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
>> Do not reply to spam on the list, report it:
>> https://pagure.io/fedora-infrastructure

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
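
Added example (not part of the original mail, and not FreeIPA, SUDO or glibc code): a small C check that reads the kernel's UTS domain name through getdomainname(), the call the reply above says SUDO relies on, and reports whether anything has set it since boot. The names dom_state, classify_domain and read_domain are made up for this illustration; the 65-byte buffer assumes Linux's 64-character limit on the domain name.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes getdomainname() in <unistd.h> on glibc */
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum dom_state { DOM_ERROR = -1, DOM_UNSET = 0, DOM_SET = 1 };

/* Pure classifier. The Linux kernel reports "(none)" until something
 * calls setdomainname(2); an empty string is treated the same way. */
enum dom_state classify_domain(const char *name)
{
    if (name == NULL)
        return DOM_ERROR;
    if (name[0] == '\0' || strcmp(name, "(none)") == 0)
        return DOM_UNSET;
    return DOM_SET;
}

/* Read the live value into buf and classify it.
 * buf should hold at least 65 bytes (64 characters plus NUL on Linux). */
enum dom_state read_domain(char *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return DOM_ERROR;
    if (getdomainname(buf, len) != 0)
        return DOM_ERROR;
    buf[len - 1] = '\0';   /* a truncated result may lack the terminator */
    return classify_domain(buf);
}

int main(void)
{
    char dom[65];
    enum dom_state st = read_domain(dom, sizeof dom);

    if (st == DOM_ERROR) {
        perror("getdomainname");
        return 2;
    }
    if (st == DOM_UNSET) {
        fprintf(stderr, "domain name not set (\"%s\")\n", dom);
        return 1;
    }
    printf("domain name: %s\n", dom);
    return 0;
}
```

Exit status 1 means nothing has configured the domain name on this host, which is the condition the reply warns about if the tool that sets it at startup is removed.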