[arch-dev-public] dropping tcp_wrapper support

Eric Bélanger snowmaniscool at gmail.com
Wed Jul 13 16:30:21 EDT 2011


On Wed, Jul 13, 2011 at 10:59 AM, Dan McGee <dpmcgee at gmail.com> wrote:
> On Wednesday, July 13, 2011, Stéphane Gaudreault <stephane at archlinux.org> wrote:
>> On 13 July 2011 08:10:26, Dave Reisner wrote:
>>> On Wed, Jul 13, 2011 at 12:55:51PM +1000, Allan McRae wrote:
>>> > On 13/07/11 12:27, Dave Reisner wrote:
>>> > >I'd like to pick up something Dan proposed about a year ago, which is
>>> > >dropping support for tcp_wrappers. Its last official upstream release
>>> > >was 1997, and we currently add 10 patches to it from 3 different distros
>>> > >in order to make it compile, fix bugs, and add features (ipv6). We also
>>> > >add in an odd default of ALL: ALL in the config file, meaning that the
>>> > >first thing most people do on a new arch system is add a line to
>>> > >/etc/hosts.allow along the lines of 'sshd: ALL' (or just delete the
>>> > >blanket deny). To my knowledge, there isn't anything tcp_wrappers does
>>> > >that iptables can't do more eloquently, and without the need to be
>>> > >linked against an external library.
>>> > >
>>> > >Therefore, I'd like to propose that we just dump this. The rebuild list
>>> > >would be small, at 20 packages:
>>> > >
>>> > >archboot
>>> > >dante
>>> > >esound
>>> > >exim
>>> > >gdm
>>> > >inetutils
>>> > >libmysqlclient
>>> > >mailutils
>>> > >net-snmp
>>> > >nfs-utils
>>> > >openldap
>>> > >openssh
>>> > >quota-tools
>>> > >rrdtool
>>> > >socat
>>> > >stunnel
>>> > >syslog-ng
>>> > >tftp-hpa
>>> > >vsftpd
>>> > >xinetd
>>> > >
>>> > >Is there any pressing reason to hang onto this aging library?
>>> >
>>> > For reference:
>>> >
>>> > Dan's original email about this:
>>> > http://mailman.archlinux.org/pipermail/arch-dev-public/2010-September/017872.html
>>> >
>>> > and the follow-up a few months later:
>>> > http://mailman.archlinux.org/pipermail/arch-dev-public/2010-December/018754.html
>>> >
>>> > Given the lack of strong opinion either way last time, I'd lean on
>>> > dropping the package just because it seems to have no upstream
>>> > development and all the patching that is required.  So just create a
>>> > rebuild list and get as many of those packages rebuilt without
>>> > tcp_wrappers and go from there.
>>> >
>>> > Allan
>>>
>>> and just to follow up, the todo list for this is:
>>>
>>> http://www.archlinux.org/todo/86/
>>>
>>> dave
>>
>> No objection, but a comment.
>>
>> You started that discussion and created the todo list after only 10 hours. As
>> we are not all in the same timezone, it is likely that some people could not
>> express their opinion within such a short period. I would suggest waiting at
>> least 24 hours before taking action.
>>
>> Stéphane
>
> I would say the same, but a todo list isn't a to-done list, so keep
> that in mind. He also pointed out that I got little to no feedback
> when I asked about this both a year and six months ago, so
> expectations are pretty low this time around. I'm sure if there were
> serious objections people would raise them and we could address them.
>
> This is worthy of a news article once we move packages to core only
> because it could expose some services people didn't previously expect
> to need to protect.
>
> -Dan
>

What about packages from extra/community? Do we put the
tcp_wrapper-less packages in testing so we move everything to the main
repos at the same time with a front page news?  Or is the front page
news only intended for the core packages?
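
An added example, not part of the thread or of any Arch tooling: a pre-upgrade audit that reads the hosts.allow and hosts.deny rules and reports which daemons libwrap currently restricts, since those are the services that need an equivalent firewall rule once the rebuilt packages stop consulting these files. The sample file contents, the daemon names other than sshd, and the placement of the ALL: ALL line in hosts.deny are assumptions; EXCEPT clauses, line continuations and bracketed IPv6 patterns are not handled.

```python
import re

# Constructed sample files. The deny-all line mirrors the default the thread
# describes; every other entry is made up for illustration.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# constructed example entries
sshd: ALL
vsftpd: 192.168.1. LOCAL
"""

def parse_rules(text):
    """Return [(daemons, clients)] from 'daemon_list : client_list [: option]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)
        if len(fields) < 2:
            continue  # malformed line, nothing to evaluate
        daemons = re.split(r"[\s,]+", fields[0].strip())
        clients = re.split(r"[\s,]+", fields[1].strip())
        rules.append((daemons, clients))
    return rules

def clients_for(rules, daemon):
    """Client patterns of every rule naming this daemon or the ALL wildcard."""
    found = []
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            found.extend(clients)
    return found

def audit(allow_text, deny_text, daemons):
    """Classify each daemon by what libwrap enforces for it today."""
    allow, deny = parse_rules(allow_text), parse_rules(deny_text)
    report = {}
    for d in daemons:
        allowed, denied = clients_for(allow, d), clients_for(deny, d)
        if not denied or "ALL" in allowed:
            report[d] = ("open", allowed)        # already reachable by anyone
        elif allowed:
            report[d] = ("restricted", allowed)  # needs a matching firewall rule
        else:
            report[d] = ("blocked", [])          # reachable once libwrap is gone
    return report

if __name__ == "__main__":
    # Daemon names are assumptions: the name each service passes to libwrap.
    for name, (state, clients) in audit(HOSTS_ALLOW, HOSTS_DENY, ["sshd", "vsftpd", "snmpd"]).items():
        print(f"{name:8} {state:10} {' '.join(clients)}")
```

Daemons reported as restricted or blocked are the ones whose exposure changes after the rebuild; the listed client patterns are the starting point for the replacement firewall rules.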