3:40 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Agenda Topics:
* tcpwrappers (Does Fedora Server want to support them?)
I was hoping we could also hear from QA and rel-eng tomorrow, but I
haven't heard confirmation one way or another whether they will have
anything to say.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlMwmD8ACgkQeiVVYja6o6N5cwCdEF1Ac2tGkOJhZSF2Jq82r+9z
xGQAn0h/+TbpVrKLSyZNRpY4K7P6lnfI
=q0I3
-----END PGP SIGNATURE-----
3:48 p.m.
On Mon, 24 Mar 2014, Stephen Gallagher wrote:
Agenda Topics:
* tcpwrappers (Does Fedora Server want to support them?)
I was hoping we could also hear from QA and rel-eng tomorrow, but I
haven't heard confirmation one way or another whether they will have
anything to say.
I see Matt's post earlier today checking the pipermail
archive. For some reason it appears in broken threading
there, and I do not recall seeing the earlier piece pass
through my eyes ;) [1]
Goodness ... how does one do layered defense in depth by
REMOVING existing function? I must have missed this part of
an earlier thread
'want' ???
Anything purporting to be able to perform in server space does
not have a choice but to support wrappers
-- Russ herrold
[1] https://lists.fedoraproject.org/pipermail/server/2014-March/thread.html
5:17 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/24/2014 04:48 PM, R P Herrold wrote:
On Mon, 24 Mar 2014, Stephen Gallagher wrote:
> Agenda Topics: * tcpwrappers (Does Fedora Server want to support
> them?)
>
> I was hoping we could also hear from QA and rel-eng tomorrow, but
> I haven't heard confirmation one way or another whether they will
> have anything to say.
I see Matt's post earlier today checking the pipermail archive.
For some reason it appears in broken threading there, and I do not
recall seeing the earlier piece pass through my eyes ;) [1]
Goodness ... how does one do layered defense in depth by REMOVING
existing function? I must have missed this part of an earlier
thread
This is a follow-on to a lengthy discussion occurring on the
fedora-devel mailing list. It has been suggested that, due to its age,
lack of maintenance and general insecurity that perhaps Fedora should
take a stance and remove it from the distribution, instead
recommending more modern alternatives.
Do not construe this statement as either support for or opposition to
this suggestion.
'want' ???
Anything purporting to be able to perform in server space does not
have a choice but to support wrappers
Not necessarily true. One of Fedora's stated purposes is to be
"First". While most people construe this to mean "has the latest
version of all packages", this can also mean that Fedora should lead
the charge in migrating away from old technology if it deems that it
is holding back innovation.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlMwrt0ACgkQeiVVYja6o6OLJgCdHgPp5JRi0lxsHT04MJlwDlzg
ukUAnj+Sch7+XXRw/85PZyMA9A6l3tzx
=4+4O
-----END PGP SIGNATURE-----
5:56 p.m.
On 24 March 2014 16:17, Stephen Gallagher <sgallagh(a)redhat.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/24/2014 04:48 PM, R P Herrold wrote:
> On Mon, 24 Mar 2014, Stephen Gallagher wrote:
>
>> Agenda Topics: * tcpwrappers (Does Fedora Server want to support
>> them?)
>>
>> I was hoping we could also hear from QA and rel-eng tomorrow, but
>> I haven't heard confirmation one way or another whether they will
>> have anything to say.
>
> I see Matt's post earlier today checking the pipermail archive.
> For some reason it appears in broken threading there, and I do not
> recall seeing the earlier piece pass through my eyes ;) [1]
>
> Goodness ... how does one do layered defense in depth by REMOVING
> existing function? I must have missed this part of an earlier
> thread
>
This is a follow-on to a lengthy discussion occurring on the
fedora-devel mailing list. It has been suggested that, due to its age,
lack of maintenance and general insecurity that perhaps Fedora should
take a stance and remove it from the distribution, instead
recommending more modern alternatives.
1) General insecurity is Lennart's opinion on parts of the code which
aren't used very much in the field. I will say that if if libwrap2 was
written it would remove a good portion of the code which relies on the old
auth daemon no one uses these days. The code would basically boil
everything down to the service: ipaddress: allow/deny rule.
2) Lack of maintenance has been mostly that the code hasn't had a CVE in
years and has been audited multiple times to make sure it doesn't. That
said I am sure the parts that aren't exercised a lot (looking up via DNS or
authd) could use an axe.
3) The modern alternative suggested is a removal of the code and just
relying on the firewall.
Do not construe this statement as either support for or opposition
to
this suggestion.
> 'want' ???
>
> Anything purporting to be able to perform in server space does not
> have a choice but to support wrappers
>
Not necessarily true. One of Fedora's stated purposes is to be
"First". While most people construe this to mean "has the latest
version of all packages", this can also mean that Fedora should lead
the charge in migrating away from old technology if it deems that it
is holding back innovation.
<https://admin.fedoraproject.org/mailman/listinfo/server>
Well in this case, it would not be first as Arch has done this for several
years and I am guessing SuSE is looking to do so itself. I would go more
with the Freedom to change things :). [I would avoid Friends and Features
:)]
--
Stephen J Smoogen.
9:42 p.m.
Am 24.03.2014 23:56, schrieb Stephen John Smoogen:
1) General insecurity is Lennart's opinion on parts of the code
which aren't used very much in the field. I will
say that if if libwrap2 was written it would remove a good portion of the code which
relies on the old auth daemon
no one uses these days. The code would basically boil everything down to the service:
ipaddress: allow/deny rule.
2) Lack of maintenance has been mostly that the code hasn't had a CVE in years and
has been audited multiple times
to make sure it doesn't. That said I am sure the parts that aren't exercised a
lot (looking up via DNS or authd)
could use an axe.
3) The modern alternative suggested is a removal of the code and just relying on the
firewall
which is *not* layered security
http://www.spinics.net/lists/fedora-devel/msg196606.html
6:04 a.m.
On Tue, Mar 25, 2014 at 03:42:59AM +0100, Reindl Harald wrote:
> 3) The modern alternative suggested is a removal of the code and
just
> relying on the firewall
which is *not* layered security
http://www.spinics.net/lists/fedora-devel/msg196606.html
Not alone, certainly. The suggestion, I think, would be that in most cases
you can get an equivalent layer through application-specific configuration,
and that plus host firewall plus network firewall (possibly both per subnet
and at the border) provides reasonable defense in depth.
I'm not personally saying that tcp_wrappers _can't_ provide another useful
layer in some situations; just trying to be fair to the argument.
--
Matthew Miller -- Fedora Project -- <mattdm(a)fedoraproject.org>
6:15 a.m.
----- Original Message -----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Agenda Topics:
* tcpwrappers (Does Fedora Server want to support them?)
One topic, does not have to be for this meeting. There was Documentation
FAD happening this week - one thing I promised to Docs guys was to
collect requirements on them. Do you have any particular ideas how it
should look like (to work for Server product), what would you like to
see documented etc.
One reminder (not sure it has to be meeting topic) - Change proposals
are due Apr 8th, so in two weeks. I don't see much showing up from
any WGs, maybe we do not plan any changes at all :).
Thanks
Jaroslav
I was hoping we could also hear from QA and rel-eng tomorrow, but I
haven't heard confirmation one way or another whether they will have
anything to say.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlMwmD8ACgkQeiVVYja6o6N5cwCdEF1Ac2tGkOJhZSF2Jq82r+9z
xGQAn0h/+TbpVrKLSyZNRpY4K7P6lnfI
=q0I3
-----END PGP SIGNATURE-----
_______________________________________________
server mailing list
server(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/server
6:49 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/25/2014 07:15 AM, Jaroslav Reznik wrote:
----- Original Message ----- Agenda Topics: * tcpwrappers (Does
Fedora Server want to support them?)
> One topic, does not have to be for this meeting. There was
> Documentation FAD happening this week - one thing I promised to
> Docs guys was to collect requirements on them. Do you have any
> particular ideas how it should look like (to work for Server
> product), what would you like to see documented etc.
Good idea. I'll add it to today's agenda.
> One reminder (not sure it has to be meeting topic) - Change
> proposals are due Apr 8th, so in two weeks. I don't see much
> showing up from any WGs, maybe we do not plan any changes at all
> :).
I'll also add this to the agenda.
> Thanks Jaroslav
I was hoping we could also hear from QA and rel-eng tomorrow, but
I haven't heard confirmation one way or another whether they will
have anything to say.
> _______________________________________________ server mailing
> list server(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/server
_______________________________________________ server mailing
list server(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/server
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlMxbTwACgkQeiVVYja6o6MuFgCbB3NEpe9Ysihr2q1QidWAcKbn
bk0An1KvM3s3IYRGLhFV/My5C29ZfOVe
=zTpM
-----END PGP SIGNATURE-----
7:04 a.m.
On Tue, 2014-03-25 at 07:15 -0400, Jaroslav Reznik wrote:
----- Original Message -----
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Agenda Topics:
> * tcpwrappers (Does Fedora Server want to support them?)
One topic, does not have to be for this meeting. There was Documentation
FAD happening this week - one thing I promised to Docs guys was to
collect requirements on them. Do you have any particular ideas how it
should look like (to work for Server product), what would you like to
see documented etc.
This seems like a good place to introduce myself. At the Docs FAD over
the weekend it was decided that someone from Docs should become involved
with each WG, so I am going to attempt to help the Server WG in any way
I can. The biggest question the Docs group needs answered right now is
what do you need from us?
One reminder (not sure it has to be meeting topic) - Change
proposals
are due Apr 8th, so in two weeks. I don't see much showing up from
any WGs, maybe we do not plan any changes at all :).
Thanks
Jaroslav
> I was hoping we could also hear from QA and rel-eng tomorrow, but I
> haven't heard confirmation one way or another whether they will have
> anything to say.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlMwmD8ACgkQeiVVYja6o6N5cwCdEF1Ac2tGkOJhZSF2Jq82r+9z
> xGQAn0h/+TbpVrKLSyZNRpY4K7P6lnfI
> =q0I3
> -----END PGP SIGNATURE-----
>
_______________________________________________
> server mailing list
> server(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/server
_______________________________________________
server mailing list
server(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/server
7:11 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/25/2014 08:04 AM, Zach Oglesby wrote:
On Tue, 2014-03-25 at 07:15 -0400, Jaroslav Reznik wrote:
> ----- Original Message -----
Agenda Topics: * tcpwrappers (Does Fedora Server want to support
them?)
>>
>> One topic, does not have to be for this meeting. There was
>> Documentation FAD happening this week - one thing I promised to
>> Docs guys was to collect requirements on them. Do you have any
>> particular ideas how it should look like (to work for Server
>> product), what would you like to see documented etc.
>>
Thanks, Zach and welcome!
We're going to be having a public IRC meeting in #fedora-meeting-1 at
1500 UTC (about three hours from now). It would be great if you could
join us. I'll make sure that doc needs are on the agenda.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlMxcmIACgkQeiVVYja6o6OjAQCfYIf4M4tv6mZEBXeUZIDmh2WD
4dEAn1k+LIi5O6rIYeau5F37cCfXAvdW
=BOP0
-----END PGP SIGNATURE-----
3677
days inactive
3678
days old
server@lists.fedoraproject.org
9 comments
7 participants
participants (7)
-
Jaroslav Reznik -
Matthew Miller -
R P Herrold -
Reindl Harald -
Stephen Gallagher -
Stephen John Smoogen -
Zach Oglesby