Maybe it's time to get rid of tcpwrappers/tcpd?

Lennart Poettering mzerqung at
Thu Mar 20 17:34:22 UTC 2014


I wonder whether it wouldn't be time to say goodbye to tcpwrappers in
Fedora. There has been a request in systemd upstream to disable support
for it by default, but I am not sure I want to do that unless we can
maybe say goodbye to it for the big picture too.

Why would we get rid of them? 

Well, to make things simpler, primarily. They have not seen any
development since 2003 (that's 11 years I mind you, an eternity in IT).

I doubt there are many people even using them anymore, firewalls are
more comprehensive and a lot more powerful, and while every admin knows
firewalls, I figure only very few know tcpd/tcpwrap, and even fewer ever
actively make use of them...

The API is awful, too, with lot's of open-coded structures, feature
checks in the headers, fixed length strings, globally exported variables,
non-namespaced symbols, really weird exported compatibility wrappers for
OS calls...

I'd propose we make a clear cut, and just start disabling it in all
services that link to it, instead of letting rot on in Fedora for all

It's bad code, little used, crufty. We have much better stuff now, and
that enables us to say goodbye to the old mess...

I figure there will be a bit of opposition to this change, thus I
thought I start the discussion on the fedora ML first. Unless there are
major concerns I will propose a feature about this in the next few
days. If somebody wants to join me on this and put his name on the
feature proposal I'd be delighted!


Lennart Poettering, Red Hat

More information about the devel mailing list