dropping tcp_wrapper support


dave reisner
I'd like to pick up something Dan proposed about a year ago, which is
dropping support for tcp_wrappers. Its last official upstream release
was 1997, and we currently add 10 patches to it from 3 different distros
in order to make it compile, fix bugs, and add features (ipv6). We also
add in an odd default of ALL: ALL in the config file, meaning that the
first thing most people do on a new arch system is add a line to
/etc/hosts.allow along the lines of 'sshd: ALL' (or just delete the
blanket deny). To my knowledge, there isn't anything tcp_wrappers does
that iptables can't do more eloquently, and without the need to be
linked against an external library.

Therefore, I'd like to propose that we just dump this. The rebuild list
would be small, at 20 packages:

archboot
dante
esound
exim
gdm
inetutils
libmysqlclient
mailutils
net-snmp
nfs-utils
openldap
openssh
quota-tools
rrdtool
socat
stunnel
syslog-ng
tftp-hpa
vsftpd
xinetd

Is there any pressing reason to hang onto this aging library?

Regards,
Dave


Re: dropping tcp_wrapper support

Jan Alexander Steffens (heftig)
On Tue, Jul 12, 2011 at 11:27 PM, Dave Reisner <[hidden email]> wrote:

> I'd like to pick up something Dan proposed about a year ago, which is
> dropping support for tcp_wrappers. Its last official upstream release
> was 1997, and we currently add 10 patches to it from 3 different distros
> in order to make it compile, fix bugs, and add features (ipv6). We also
> add in an odd default of ALL: ALL in the config file, meaning that the
> first thing most people do on a new arch system is add a line to
> /etc/hosts.allow along the lines of 'sshd: ALL' (or just delete the
> blanket deny. To my knowledge, there isn't anything tcp_wrappers does
> that iptables can't do more eloquently, and without the need to be
> linked against an external library.
>
> Therefore, I'd like to propose that we just dump this. The rebuild list
> would be small, at 20 packages:
>
> archboot
> dante
> esound
> exim
> gdm
> inetutils
> libmysqlclient
> mailutils
> net-snmp
> nfs-utils
> openldap
> openssh
> quota-tools
> rrdtool
> socat
> stunnel
> syslog-ng
> tftp-hpa
> vsftpd
> xinetd
>
> Is there any pressing reason to hang onto this aging library?
>
> Regards,
> Dave
>
>

I support this.

Re: dropping tcp_wrapper support

Allan McRae
In reply to this post by dave reisner
On 13/07/11 12:27, Dave Reisner wrote:

> I'd like to pick up something Dan proposed about a year ago, which is
> dropping support for tcp_wrappers. Its last official upstream release
> was 1997, and we currently add 10 patches to it from 3 different distros
> in order to make it compile, fix bugs, and add features (ipv6). We also
> add in an odd default of ALL: ALL in the config file, meaning that the
> first thing most people do on a new arch system is add a line to
> /etc/hosts.allow along the lines of 'sshd: ALL' (or just delete the
> blanket deny. To my knowledge, there isn't anything tcp_wrappers does
> that iptables can't do more eloquently, and without the need to be
> linked against an external library.
>
> Therefore, I'd like to propose that we just dump this. The rebuild list
> would be small, at 20 packages:
>
> archboot
> dante
> esound
> exim
> gdm
> inetutils
> libmysqlclient
> mailutils
> net-snmp
> nfs-utils
> openldap
> openssh
> quota-tools
> rrdtool
> socat
> stunnel
> syslog-ng
> tftp-hpa
> vsftpd
> xinetd
>
> Is there any pressing reason to hang onto this aging library?
>

For reference:

Dan's original email about this:
http://mailman.archlinux.org/pipermail/arch-dev-public/2010-September/017872.html

and the follow-up a few months later:
http://mailman.archlinux.org/pipermail/arch-dev-public/2010-December/018754.html

Given the lack of strong opinion either way last time, I'd lean on
dropping the package just because it seems to have no upstream
development and all the patching that is required.  So just create a
rebuild list and get as many of those packages rebuilt without
tcp_wrappers and go from there.

Allan

Re: dropping tcp_wrapper support

Tom Gundersen
In reply to this post by dave reisner
On Wed, Jul 13, 2011 at 4:27 AM, Dave Reisner <[hidden email]> wrote:

> I'd like to pick up something Dan proposed about a year ago, which is
> dropping support for tcp_wrappers. Its last official upstream release
> was 1997, and we currently add 10 patches to it from 3 different distros
> in order to make it compile, fix bugs, and add features (ipv6). We also
> add in an odd default of ALL: ALL in the config file, meaning that the
> first thing most people do on a new arch system is add a line to
> /etc/hosts.allow along the lines of 'sshd: ALL' (or just delete the
> blanket deny. To my knowledge, there isn't anything tcp_wrappers does
> that iptables can't do more eloquently, and without the need to be
> linked against an external library.
>
> Therefore, I'd like to propose that we just dump this.

+1

-t

Re: dropping tcp_wrapper support

Dale Blount
In reply to this post by dave reisner
On Tue, 2011-07-12 at 22:27 -0400, Dave Reisner wrote:

> I'd like to pick up something Dan proposed about a year ago, which is
> dropping support for tcp_wrappers. Its last official upstream release
> was 1997, and we currently add 10 patches to it from 3 different distros
> in order to make it compile, fix bugs, and add features (ipv6). We also
> add in an odd default of ALL: ALL in the config file, meaning that the
> first thing most people do on a new arch system is add a line to
> /etc/hosts.allow along the lines of 'sshd: ALL' (or just delete the
> blanket deny. To my knowledge, there isn't anything tcp_wrappers does
> that iptables can't do more eloquently, and without the need to be
> linked against an external library.
>
> Therefore, I'd like to propose that we just dump this.

+1


Re: dropping tcp_wrapper support

dave reisner
In reply to this post by Allan McRae
On Wed, Jul 13, 2011 at 12:55:51PM +1000, Allan McRae wrote:

> On 13/07/11 12:27, Dave Reisner wrote:
> >I'd like to pick up something Dan proposed about a year ago, which is
> >dropping support for tcp_wrappers. Its last official upstream release
> >was 1997, and we currently add 10 patches to it from 3 different distros
> >in order to make it compile, fix bugs, and add features (ipv6). We also
> >add in an odd default of ALL: ALL in the config file, meaning that the
> >first thing most people do on a new arch system is add a line to
> >/etc/hosts.allow along the lines of 'sshd: ALL' (or just delete the
> >blanket deny. To my knowledge, there isn't anything tcp_wrappers does
> >that iptables can't do more eloquently, and without the need to be
> >linked against an external library.
> >
> >Therefore, I'd like to propose that we just dump this. The rebuild list
> >would be small, at 20 packages:
> >
> >archboot
> >dante
> >esound
> >exim
> >gdm
> >inetutils
> >libmysqlclient
> >mailutils
> >net-snmp
> >nfs-utils
> >openldap
> >openssh
> >quota-tools
> >rrdtool
> >socat
> >stunnel
> >syslog-ng
> >tftp-hpa
> >vsftpd
> >xinetd
> >
> >Is there any pressing reason to hang onto this aging library?
> >
>
> For reference:
>
> Dan's original email about this:
> http://mailman.archlinux.org/pipermail/arch-dev-public/2010-September/017872.html
>
> and the follow-up a few months later:
> http://mailman.archlinux.org/pipermail/arch-dev-public/2010-December/018754.html
>
> Given the lack of strong opinion either way last time, I'd lean on
> dropping the package just because it seems to have no upstream
> development and all the patching that is required.  So just create a
> rebuild list and get as many of those packages rebuilt without
> tcp_wrappers and go from there.
>
> Allan

and just to follow up, the todo list for this is:

http://www.archlinux.org/todo/86/

dave


Re: dropping tcp_wrapper support

Paul Mattal
+1

Re: dropping tcp_wrapper support

Stéphane Gaudreault-2
In reply to this post by dave reisner
On 13 July 2011 08:10:26, Dave Reisner wrote:

> On Wed, Jul 13, 2011 at 12:55:51PM +1000, Allan McRae wrote:
> > On 13/07/11 12:27, Dave Reisner wrote:
> > >I'd like to pick up something Dan proposed about a year ago, which is
> > >dropping support for tcp_wrappers. Its last official upstream release
> > >was 1997, and we currently add 10 patches to it from 3 different
> > >distros
> > >in order to make it compile, fix bugs, and add features (ipv6). We
> > >also
> > >add in an odd default of ALL: ALL in the config file, meaning that the
> > >first thing most people do on a new arch system is add a line to
> > >/etc/hosts.allow along the lines of 'sshd: ALL' (or just delete the
> > >blanket deny. To my knowledge, there isn't anything tcp_wrappers does
> > >that iptables can't do more eloquently, and without the need to be
> > >linked against an external library.
> > >
> > >Therefore, I'd like to propose that we just dump this. The rebuild
> > >list
> > >would be small, at 20 packages:
> > >
> > >archboot
> > >dante
> > >esound
> > >exim
> > >gdm
> > >inetutils
> > >libmysqlclient
> > >mailutils
> > >net-snmp
> > >nfs-utils
> > >openldap
> > >openssh
> > >quota-tools
> > >rrdtool
> > >socat
> > >stunnel
> > >syslog-ng
> > >tftp-hpa
> > >vsftpd
> > >xinetd
> > >
> > >Is there any pressing reason to hang onto this aging library?
> >
> > For reference:
> >
> > Dan's original email about this:
> > http://mailman.archlinux.org/pipermail/arch-dev-public/2010-September/017872.html
> >
> > and the follow-up a few months later:
> > http://mailman.archlinux.org/pipermail/arch-dev-public/2010-December/018754.html
> >
> > Given the lack of strong opinion either way last time, I'd lean on
> > dropping the package just because it seems to have no upstream
> > development and all the patching that is required.  So just create a
> > rebuild list and get as many of those packages rebuilt without
> > tcp_wrappers and go from there.
> >
> > Allan
>
> and just to follow up, the todo list for this is:
>
> http://www.archlinux.org/todo/86/
>
> dave

No objection, but a comment.

You started that discussion and created the todo list after only 10 hours. As
we are not all in the same timezone, it is likely that some people could not
express their opinion within such a short period. I would suggest waiting at
least 24 hours before taking action.

Stéphane

Re: dropping tcp_wrapper support

Dan McGee
On Wednesday, July 13, 2011, Stéphane Gaudreault <[hidden email]> wrote:

> On 13 July 2011 08:10:26, Dave Reisner wrote:
>> On Wed, Jul 13, 2011 at 12:55:51PM +1000, Allan McRae wrote:
>> > On 13/07/11 12:27, Dave Reisner wrote:
>> > >I'd like to pick up something Dan proposed about a year ago, which is
>> > >dropping support for tcp_wrappers. Its last official upstream release
>> > >was 1997, and we currently add 10 patches to it from 3 different
>> > >distros
>> > >in order to make it compile, fix bugs, and add features (ipv6). We
>> > >also
>> > >add in an odd default of ALL: ALL in the config file, meaning that the
>> > >first thing most people do on a new arch system is add a line to
>> > >/etc/hosts.allow along the lines of 'sshd: ALL' (or just delete the
>> > >blanket deny. To my knowledge, there isn't anything tcp_wrappers does
>> > >that iptables can't do more eloquently, and without the need to be
>> > >linked against an external library.
>> > >
>> > >Therefore, I'd like to propose that we just dump this. The rebuild
>> > >list
>> > >would be small, at 20 packages:
>> > >
>> > >archboot
>> > >dante
>> > >esound
>> > >exim
>> > >gdm
>> > >inetutils
>> > >libmysqlclient
>> > >mailutils
>> > >net-snmp
>> > >nfs-utils
>> > >openldap
>> > >openssh
>> > >quota-tools
>> > >rrdtool
>> > >socat
>> > >stunnel
>> > >syslog-ng
>> > >tftp-hpa
>> > >vsftpd
>> > >xinetd
>> > >
>> > >Is there any pressing reason to hang onto this aging library?
>> >
>> > For reference:
>> >
>> > Dan's original email about this:
>> > http://mailman.archlinux.org/pipermail/arch-dev-public/2010-September/017872.html
>> >
>> > and the follow-up a few months later:
>> > http://mailman.archlinux.org/pipermail/arch-dev-public/2010-December/018754.html
>> >
>> > Given the lack of strong opinion either way last time, I'd lean on
>> > dropping the package just because it seems to have no upstream
>> > development and all the patching that is required.  So just create a
>> > rebuild list and get as many of those packages rebuilt without
>> > tcp_wrappers and go from there.
>> >
>> > Allan
>>
>> and just to follow up, the todo list for this is:
>>
>> http://www.archlinux.org/todo/86/
>>
>> dave
>
> No objection, but a comment.
>
> You started that discussion and created the todo list after only 10 hours. As
> we are not all in the same timezone, it is likely that some people could not
> express their opinion within such a short period. I would suggest to wait at
> least 24 hours before taking action.
>
> Stéphane

I would say the same, but a todo list isn't a to-done list, so keep
that in mind. He also pointed out that I got little to no feedback
when I asked about this both a year and six months ago, so
expectations are pretty low this time around. I'm sure if there were
serious objections people would raise them and we could address them.

This is worthy of a news article once we move packages to core only
because it could expose some services people didn't previously expect
to need to protect.

-Dan
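
Added example, not part of the thread or of any Arch tooling: a pre-migration audit for the exposure Dan describes, classifying each daemon by what hosts.allow and hosts.deny were enforcing so the same restriction can be recreated in the firewall before libwrap goes away. The sample file contents and the daemon names passed to it are constructed; option fields after the client list are ignored and EXCEPT is only flagged for manual review.

```python
import re

# Constructed sample files modelled on the thread: a blanket deny plus the
# kind of hosts.allow entries an admin adds afterwards (values are made up).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# /etc/hosts.allow
sshd: ALL
vsftpd, in.tftpd: 192.168.1. \\
    [fd00:1::]/64
"""

def parse_rules(text):
    """Return [(daemon_tokens, client_tokens)] from hosts_access(5) text."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on ':' except the colons inside a bracketed IPv6 address.
        fields = re.split(r":(?![^\[]*\])", line)
        if len(fields) < 2:
            continue  # not a daemon_list : client_list line
        daemons = [d.split("@")[0] for d in fields[0].replace(",", " ").split()]
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def clients_for(rules, daemon):
    """Client tokens of every rule whose daemon list names `daemon` or ALL."""
    found = []
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            found += (["EXCEPT"] if "EXCEPT" in daemons else []) + clients
    return found

def audit(allow_text, deny_text, daemons):
    """Classify each daemon by what libwrap was enforcing for it."""
    allow, deny = parse_rules(allow_text), parse_rules(deny_text)
    report = {}
    for d in daemons:
        allowed, denied = clients_for(allow, d), clients_for(deny, d)
        if "EXCEPT" in allowed + denied:
            status = "review"      # EXCEPT is not evaluated here; check by hand
        elif not denied or "ALL" in allowed:
            status = "open"        # wrappers never refused anyone
        else:
            status = "restricted"  # only `allowed` got in; firewall must match
        report[d] = (status, allowed)
    return report

if __name__ == "__main__":
    for name, (status, allowed) in audit(
            HOSTS_ALLOW, HOSTS_DENY, ["sshd", "vsftpd", "in.tftpd", "mysqld"]).items():
        print(f"{name:10} {status:10} {' '.join(allowed)}")
```

A daemon reported as "restricted" with an empty client list was reachable by nobody under the blanket deny, so it is the case most likely to become exposed unnoticed after the rebuild.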

Re: dropping tcp_wrapper support

Eric Bélanger
On Wed, Jul 13, 2011 at 10:59 AM, Dan McGee <[hidden email]> wrote:

> On Wednesday, July 13, 2011, Stéphane Gaudreault <[hidden email]> wrote:
>> On 13 July 2011 08:10:26, Dave Reisner wrote:
>>> On Wed, Jul 13, 2011 at 12:55:51PM +1000, Allan McRae wrote:
>>> > On 13/07/11 12:27, Dave Reisner wrote:
>>> > >I'd like to pick up something Dan proposed about a year ago, which is
>>> > >dropping support for tcp_wrappers. Its last official upstream release
>>> > >was 1997, and we currently add 10 patches to it from 3 different
>>> > >distros
>>> > >in order to make it compile, fix bugs, and add features (ipv6). We
>>> > >also
>>> > >add in an odd default of ALL: ALL in the config file, meaning that the
>>> > >first thing most people do on a new arch system is add a line to
>>> > >/etc/hosts.allow along the lines of 'sshd: ALL' (or just delete the
>>> > >blanket deny. To my knowledge, there isn't anything tcp_wrappers does
>>> > >that iptables can't do more eloquently, and without the need to be
>>> > >linked against an external library.
>>> > >
>>> > >Therefore, I'd like to propose that we just dump this. The rebuild
>>> > >list
>>> > >would be small, at 20 packages:
>>> > >
>>> > >archboot
>>> > >dante
>>> > >esound
>>> > >exim
>>> > >gdm
>>> > >inetutils
>>> > >libmysqlclient
>>> > >mailutils
>>> > >net-snmp
>>> > >nfs-utils
>>> > >openldap
>>> > >openssh
>>> > >quota-tools
>>> > >rrdtool
>>> > >socat
>>> > >stunnel
>>> > >syslog-ng
>>> > >tftp-hpa
>>> > >vsftpd
>>> > >xinetd
>>> > >
>>> > >Is there any pressing reason to hang onto this aging library?
>>> >
>>> > For reference:
>>> >
>>> > Dan's original email about this:
>>> > http://mailman.archlinux.org/pipermail/arch-dev-public/2010-September/017872.html
>>> >
>>> > and the follow-up a few months later:
>>> > http://mailman.archlinux.org/pipermail/arch-dev-public/2010-December/018754.html
>>> >
>>> > Given the lack of strong opinion either way last time, I'd lean on
>>> > dropping the package just because it seems to have no upstream
>>> > development and all the patching that is required.  So just create a
>>> > rebuild list and get as many of those packages rebuilt without
>>> > tcp_wrappers and go from there.
>>> >
>>> > Allan
>>>
>>> and just to follow up, the todo list for this is:
>>>
>>> http://www.archlinux.org/todo/86/
>>>
>>> dave
>>
>> No objection, but a comment.
>>
>> You started that discussion and created the todo list after only 10 hours. As
>> we are not all in the same timezone, it is likely that some people could not
>> express their opinion within such a short period. I would suggest to wait at
>> least 24 hours before taking action.
>>
>> Stéphane
>
> I would say the same, but a todo list isn't a to-done list, so keep
> that in mind. He also pointed out that I got little to no feedback
> when I asked about this both a year and six months ago, so
> expectations are pretty low this time around. I'm sure if there were
> serious objections people would raise them and we could address them.
>
> This is worthy of a news article once we move packages to core only
> because it could expose some services people didn't previously expect
> to need to protect.
>
> -Dan
>

What about packages from extra/community? Do we put the
tcp_wrapper-less packages in testing so we move everything to the main
repos at the same time with a front page news?  Or is the front page
news only intended for the core packages?