On Fri, 18 Aug 2017 17:42:21 +0200
Jakub Jelen <[email protected]> wrote:
> On Tue, 2017-08-15 at 13:58 +0200, Jakub Jelen wrote:
> > Hello Fedora devels and users,
> >
> > more than three years ago, the same topic started discussion if we want
> > this package in Fedora or not and how [1]. The discussion resulted
> > mostly in flames and in the removal of the dependency on
> > tcp_wrappers from systemd. But it was quite agreed that it is
> > considered as a security layer for some users, if they use it
> > correctly, or something that is or should be replaced by firewalls.
> >
> > So can we discuss it now once more without the affiliation to systemd?
> > The fact is that we still do not have any other replacement except
> > firewalls. But do we need one?
> >
> > The complete removal of the package is probably not a wise step,
> > even though we can not find tcp_wrappers in recent SuSE anymore
> > [2]. It is still available in Arch [3] without other tools
> > depending on it. To be fair, Debian [4] is still building tools
> > (for example openssh) with a build-time support for it.
> >
> > My primary concern is OpenSSH, which upstream dropped support for
> > tcp_wrappers three years ago (late 2014) [5] and since then we are
> > maintaining one more downstream patch. But this effort should be
> > coordinated among other components to simplify the transition for
> > users who insist on using it (using tcpd).
> >
> > Removing the dependency will also allow us to trim the default
> > install by a few more Kb.
> >
> > If there will be no significant drawbacks, I will progress with filing
> > a system-wide change for Fedora 28 and I will pull the maintainers
> > of other tools using libwrap into the round and discussion.
>
> Hello,
> In Fedora 26, there are over 50 packages using tcp_wrappers as a
> build-time dependency:

The query shows packages with run-time (not build-time) dependencies;
in some cases it's an indirect dependency, so the actual list is shorter.

> $ dnf repoquery --whatrequires 'libwrap.so.0()(64bit)'|grep x86_64
> 389-ds-base-snmp-0:1.3.6.6-2.fc26.x86_64 rmeggins
> aeskulap-0:0.2.2-0.27.beta1.fc26.x86_64 jenslody
> apcupsd-0:3.14.14-5.fc26.x86_64 tibbs
> apcupsd-cgi-0:3.14.14-5.fc26.x86_64
> apcupsd-gui-0:3.14.14-5.fc26.x86_64
> apt-cacher-ng-0:0.9.0-3.fc26.x86_64 kenjiro
> audit-0:2.7.7-1.fc26.x86_64 sgrubb
> bacula-client-0:7.4.7-1.fc26.x86_64 slaanesh
> bacula-director-0:7.4.7-1.fc26.x86_64
> bacula-libs-0:7.4.7-1.fc26.x86_64
> bacula-storage-0:7.4.7-1.fc26.x86_64
> bacula2-client-0:2.4.4-24.fc26.x86_64 limb
> conserver-0:8.2.1-3.fc24.x86_64 jkastner
> ctk-devel-0:0.1-0.2.20151015gitbdc8cac.fc26.x86_64 bizdelnick
> ctk-dicom-0:0.1-0.2.20151015gitbdc8cac.fc26.x86_64
> cyrus-imapd-0:3.0.1-7.fc26.x86_64 landgraf
> dcmtk-0:3.6.1-4.fc24.x86_64 ignatenkobrain
> dovecot-1:2.2.31-3.fc26.x86_64 mhlavink
> exim-0:4.89-1.fc26.x86_64 dwmw2
> flow-tools-0:0.68.5.1-18.fc26.x86_64 stingray
> foghorn-0:0.1.6-12.fc26.x86_64 rohara
> gsi-openssh-server-0:7.5p1-1.fc26.x86_64 ellert
> libvirt-snmp-0:0.0.3-7.fc24.x86_64 mprivozn
> libyaz-0:5.14.11-6.fc26.x86_64 guidograzioli
> lldpd-0:0.9.7-5.fc26.x86_64 jhogarth
> net-snmp-1:5.7.3-15.fc26.x86_64 jsafrane
> net-snmp-agent-libs-1:5.7.3-15.fc26.x86_64
> nfs-utils-1:2.1.1-5.rc4.fc26.x86_64 steved
> ngircd-0:24-2.fc26.x86_64 ixs
> nrpe-0:3.0.1-4.fc26.x86_64 smooge
> nut-0:2.7.4-7.fc26.x86_64 mhlavink
> ocserv-0:0.11.8-1.fc26.x86_64 nmav
> openhpi-subagent-0:2.3.4-28.fc26.x86_64 sharkcz
> openldap-servers-0:2.4.44-10.fc26.x86_64 mhonek
> opensips-snmpstats-0:2.2.3-1.fc26.x86_64 ivaxer
> openssh-server-0:7.5p1-2.fc26.x86_64 jjelen
> pptpd-0:1.4.0-11.fc26.x86_64 jskarvad
> prelude-manager-0:3.1.0-2.fc26.x86_64 totol
> proftpd-0:1.3.6-1.fc26.x86_64 itamarjp
> ptpd-0:2.3.1-4.fc24.x86_64 pbrobinson
> pulseaudio-libs-0:10.0-4.fc26.x86_64 lennart
> quagga-0:1.1.1-2.fc26.x86_64 mruprich
> quota-rpc-1:4.03-8.fc26.x86_64 ppisar
> redir-0:2.2.1-16.fc26.x86_64 itamarjp
> rpcbind-0:0.2.4-7.rc2.fc26.x86_64 steved
> rwhoisd-0:1.5.9.6-6.fc26.x86_64 ppisar
> sendmail-0:8.15.2-14.fc26.x86_64 jskarvad
> slapi-nis-0:0.56.1-2.fc26.x86_64 abbra
> sslh-0:1.18-2.fc26.x86_64 jhogarth
> stunnel-0:5.41-1.fc26.x86_64 tmraz
> syslog-ng-0:3.9.1-1.fc26.x86_64 marcusk
> tcp_wrappers-devel-0:7.6-85.fc26.x86_64 jjelen
> tftp-server-0:5.2-20.fc26.x86_64 jsynacek
> up-imapproxy-0:1.2.8-0.7.20130726svn14389.fc24.x86_64 cmadams
> uwsgi-router-access-0:2.0.15-1.fc26.x86_64 kad
> vsftpd-0:3.0.3-5.fc26.x86_64 msehnout
> xinetd-2:2.3.15-18.fc26.x86_64 jsynacek
>
> I added the main contacts on these packages to the bcc to let them
> express their opinions on this proposal and usefulness of tcp_wrappers
> in case of their package and their upstream community.
>
> This is not a call for immediate action, but more a discussion, if
> there is a way and will to get rid of this dependency.
>
> As already mentioned, I would like to see that go in one go (e.g.
> Fedora 28) so anyone using them currently can step back to tcpd or
> switch to firewall at once for all the services, if possible.
Dan
_______________________________________________
devel mailing list -- [email protected]