On 24 March 2014 16:17, Stephen Gallagher <sgallagh@redhat.com> wrote:

On 03/24/2014 04:48 PM, R P Herrold wrote:
> On Mon, 24 Mar 2014, Stephen Gallagher wrote:
>> Agenda Topics: * tcpwrappers (Does Fedora Server want to support
>> them?)
>> I was hoping we could also hear from QA and rel-eng tomorrow, but
>> I haven't heard confirmation one way or another whether they will
>> have anything to say.
> I see Matt's post earlier today checking the pipermail archive.
> For some reason it appears in broken threading there, and I do not
> recall seeing the earlier piece pass through my eyes ;) [1]
> Goodness ... how does one do layered defense in depth by REMOVING
> existing function? I must have missed this part of an earlier
> thread

This is a follow-on to a lengthy discussion occurring on the
fedora-devel mailing list. It has been suggested that, due to its age,
lack of maintenance and general insecurity that perhaps Fedora should
take a stance and remove it from the distribution, instead
recommending more modern alternatives.

1) General insecurity is Lennart's opinion on parts of the code which aren't used very much in the field. I will say that if libwrap2 was written it would remove a good portion of the code which relies on the old auth daemon no one uses these days. The code would basically boil everything down to the service: ipaddress: allow/deny rule.

2) Lack of maintenance has been mostly that the code hasn't had a CVE in years and has been audited multiple times to make sure it doesn't. That said, I am sure the parts that aren't exercised a lot (looking up via DNS or authd) could use an axe.

3) The modern alternative suggested is a removal of the code and just relying on the firewall.

Do not construe this statement as either support for or opposition to
this suggestion.

> 'want' ???
> Anything purporting to be able to perform in server space does not
> have a choice but to support wrappers

Not necessarily true. One of Fedora's stated purposes is to be
"First". While most people construe this to mean "has the latest
version of all packages", this can also mean that Fedora should lead
the charge in migrating away from old technology if it deems that it
is holding back innovation.

Well, in this case it would not be first, as Arch has done this for several years and I am guessing SuSE is looking to do so itself. I would go more with the Freedom to change things :). [I would avoid Friends and Features :)]

Stephen J Smoogen.