On 24 March 2014 16:17, Stephen Gallagher <sgallagh(a)redhat.com> wrote:
On 03/24/2014 04:48 PM, R P Herrold wrote:
> On Mon, 24 Mar 2014, Stephen Gallagher wrote:
>> Agenda Topics: * tcpwrappers (Does Fedora Server want to support
>> I was hoping we could also hear from QA and rel-eng tomorrow, but
>> I haven't heard confirmation one way or another whether they will
>> have anything to say.
> I see Matt's post earlier today checking the pipermail archive.
> For some reason it appears in broken threading there, and I do not
> recall seeing the earlier piece pass through my eyes ;) 
> Goodness ... how does one do layered defense in depth by REMOVING
> existing function? I must have missed this part of an earlier
This is a follow-on to a lengthy discussion occurring on the
fedora-devel mailing list. It has been suggested that, due to its age,
lack of maintenance and general insecurity that perhaps Fedora should
take a stance and remove it from the distribution, instead
recommending more modern alternatives.
1) General insecurity is Lennart's opinion on parts of the code which
aren't used very much in the field. I will say that if libwrap2 was
written it would remove a good portion of the code which relies on the old
auth daemon no one uses these days. The code would basically boil
everything down to the service: ipaddress: allow/deny rule.
2) Lack of maintenance has been mostly that the code hasn't had a CVE in
years and has been audited multiple times to make sure it doesn't. That
said I am sure the parts that aren't exercised a lot (looking up via DNS or
authd) could use an axe.
3) The modern alternative suggested is a removal of the code and just
relying on the firewall.
Do not construe this statement as either support for or opposition
> 'want' ???
> Anything purporting to be able to perform in server space does not
> have a choice but to support wrappers
Not necessarily true. One of Fedora's stated purposes is to be
"First". While most people construe this to mean "has the latest
version of all packages", this can also mean that Fedora should lead
the charge in migrating away from old technology if it deems that it
is holding back innovation.
Well in this case, it would not be first as Arch has done this for several
years and I am guessing SuSE is looking to do so itself. I would go more
with the Freedom to change things :). [I would avoid Friends and Features
Stephen J Smoogen.
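
The reduced rule form mentioned in point 1 of the message above (service: ipaddress: allow/deny), as an added example; it is not code from tcp_wrappers or from anyone in the thread. The exact syntax, the `ALL` keyword handling, first-match ordering, the sample rules and the function names are assumptions; the default of granting access when nothing matches follows hosts_access(5).

```python
import ipaddress

# Constructed sample rules in the reduced "service: ipaddress: allow/deny" form.
SAMPLE_RULES = """
# comments and blank lines are ignored
sshd: 192.0.2.0/24: allow
sshd: 2001:db8::/32: allow
sshd: ALL: deny
vsftpd: 198.51.100.7: deny
"""

def parse_rules(text):
    """Return a list of (service, network_or_None, allow) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # First colon ends the service, last colon starts the action,
        # so IPv6 literals in the middle field keep their colons.
        service, _, rest = line.partition(":")
        addr, _, action = rest.rpartition(":")
        service, addr, action = service.strip(), addr.strip(), action.strip().lower()
        if not service or not addr or action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 'service: ipaddress: allow|deny'")
        # Literal addresses or CIDR only: hostnames raise ValueError here,
        # so evaluation never depends on DNS or an ident/auth daemon.
        net = None if addr == "ALL" else ipaddress.ip_network(addr, strict=False)
        rules.append((service, net, action == "allow"))
    return rules

def is_allowed(rules, service, client_ip, default=True):
    """First matching rule decides; `default` applies when nothing matches."""
    ip = ipaddress.ip_address(client_ip)
    for rule_service, net, allow in rules:
        if rule_service not in (service, "ALL"):
            continue
        if net is None or (ip.version == net.version and ip in net):
            return allow
    return default

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for svc, ip in [("sshd", "192.0.2.10"), ("sshd", "203.0.113.5"),
                    ("vsftpd", "198.51.100.7"), ("vsftpd", "198.51.100.8")]:
        print(svc, ip, "allow" if is_allowed(rules, svc, ip) else "deny")
```
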