Bug 1518761

Summary: [F28 change] dovecot should not require tcp_wrappers
Product: [Fedora] Fedora Reporter: Jakub Jelen <jjelen>
Component: dovecotAssignee: Michal Hlavinka <mhlavink>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: bennie.joubert, dan, janfrode, mhlavink, nmavrogi, pokorra.mailinglists
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: dovecot-2.2.33.2-2.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-08 13:11:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1495181, 1596070    

Description Jakub Jelen 2017-11-29 14:49:56 UTC 
As announced earlier this year, we plan to deprecate TCP wrappers out of Fedora services in a single release (Fedora 28) to avoid user confusion that some of the tools will be using it and some not.

For more information about the change or possible migration paths outside of the package itself, see the linked accepted Fedora 28 change.

This report is for a source package, that has "BuildRequires tcp_wrappers" in spec file and resulting packages depend on "libwrap.so.0". The changes to remove the dependency should be minimal, usually a configure switch, but let me know if you will need some assistance with the changes.

Additional info:

https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
Comment 2 Michal Hlavinka 2018-01-04 12:58:42 UTC 
I just wonder if there really is reason for this. Given that we've already removed tcp_wrappers from dovecot twice. And twice we've got requests from fedora users and rhel customers that they want it back, that they agree it does not provide the security required, but they want it as yet another layer. My guess is that if we remove it (again) we will be adding it back (again) later.
Comment 4 Jakub Jelen 2018-01-04 16:05:56 UTC 
Thank you for the comment. Can you point out to such requests, asking for this support? Removing it ad-hoc and in single component is indeed confusing, but if it will go away from whole system (since many upstreams are leaving it), it should be better accepted.

The fedora change lists several migration paths including socket-activation and tcpd, which should have quite the same functionality.

The point here is not to build against it and not to use it out of the box and everywhere.