<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On 24 March 2014 16:17, Stephen Gallagher <span dir="ltr"><<a href="mailto:sgallagh@redhat.com" target="_blank">sgallagh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</div><div class="">On 03/24/2014 04:48 PM, R P Herrold wrote:<br>
> On Mon, 24 Mar 2014, Stephen Gallagher wrote:<br>
><br>
>> Agenda Topics: * tcpwrappers (Does Fedora Server want to support<br>
>> them?)<br>
>><br>
>> I was hoping we could also hear from QA and rel-eng tomorrow, but<br>
>> I haven't heard confirmation one way or another whether they will<br>
>> have anything to say.<br>
><br>
> I see Matt's post earlier today checking the pipermail archive.<br>
> For some reason it appears in broken threading there, and I do not<br>
> recall seeing the earlier piece pass through my eyes ;) [1]<br>
><br>
> Goodness ... how does one do layered defense in depth by REMOVING<br>
> existing function? I must have missed this part of an earlier<br>
> thread<br>
><br>
<br>
</div>This is a follow-on to a lengthy discussion occurring on the<br>
fedora-devel mailing list. It has been suggested that, due to its age,<br>
lack of maintenance and general insecurity that perhaps Fedora should<br>
take a stance and remove it from the distribution, instead<br>
recommending more modern alternatives.<br>
<br></blockquote><div><br></div><div>1) General insecurity is Lennart's opinion on parts of the code which aren't used very much in the field. I will say that if libwrap2 was written it would remove a good portion of the code which relies on the old auth daemon no one uses these days. The code would basically boil everything down to the service: ipaddress: allow/deny rule.</div>
<div><br></div><div>2) Lack of maintenance has been mostly that the code hasn't had a CVE in years and has been audited multiple times to make sure it doesn't. That said I am sure the parts that aren't exercised a lot (looking up via DNS or authd) could use an axe.</div>
<div><br></div><div>3) The modern alternative suggested is a removal of the code and just relying on the firewall. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Do not construe this statement as either support for or opposition to<br>
this suggestion.<br>
<div class=""><br>
<br>
> 'want' ???<br>
><br>
> Anything purporting to be able to perform in server space does not<br>
> have a choice but to support wrappers<br>
><br>
<br>
</div>Not necessarily true. One of Fedora's stated purposes is to be<br>
"First". While most people construe this to mean "has the latest<br>
version of all packages", this can also mean that Fedora should lead<br>
the charge in migrating away from old technology if it deems that it<br>
is holding back innovation.<br>
<div class=""><a href="https://admin.fedoraproject.org/mailman/listinfo/server" target="_blank"></a></div></blockquote><div><br></div><div>Well in this case, it would not be first as Arch has done this for several years and I am guessing SuSE is looking to do so itself. I would go more with the Freedom to change things :). [I would avoid Friends and Features :)]</div>
<div><br></div></div>-- <br><div dir="ltr">Stephen J Smoogen.<br><br></div>
</div></div>
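As an added illustration (not code from this thread or from tcp_wrappers itself), a minimal evaluator of the reduced "service : address : allow/deny" rule shape described in the reply above, following tcp_wrappers' lookup order: hosts.allow is consulted first, then hosts.deny, the first matching rule wins, and a client matched by neither file is admitted. The rule text is constructed sample data, and the simplification assumes IPv4 patterns only (ALL, a single address, or address/prefix), leaving out hostname lookups, EXCEPT lists and dotted-netmask forms.

```python
import ipaddress

# Constructed sample files in the reduced "daemon : client : action" shape.
HOSTS_ALLOW = """
sshd   : 192.168.1.0/24 : allow   # local LAN may reach sshd
sshd   : 10.0.0.5       : deny    # one explicitly blocked host
vsftpd : ALL            : allow
"""
HOSTS_DENY = """
ALL : ALL : deny                  # everything not admitted above
"""


def parse_rules(text):
    """Parse 'daemon : client : action' lines into (daemon, client, action).

    Comments and blank lines are skipped.  IPv4 patterns only: a ':' inside
    an IPv6 literal would collide with the field separator used here.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemon, client, action = [f.strip() for f in line.split(":", 2)]
        rules.append((daemon.lower(), client, action.lower()))
    return rules


def client_matches(pattern, addr):
    """ALL, a single address, or an address/prefix block (e.g. 10.0.0.0/8)."""
    if pattern.upper() == "ALL":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def hosts_access(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return True if a connection from addr to daemon would be admitted."""
    # hosts.allow first, then hosts.deny; first matching rule decides.
    for rules in (parse_rules(allow_text), parse_rules(deny_text)):
        for rule_daemon, pattern, action in rules:
            if rule_daemon in ("all", daemon.lower()) and client_matches(pattern, addr):
                return action == "allow"
    return True  # matched by neither file: tcp_wrappers' default is to admit
```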