Bug 1518789

Summary: [F28 change] stunnel should not require tcp_wrappers
Product: [Fedora] Fedora Reporter: Jakub Jelen <jjelen>
Component: stunnelAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: avagarwa, ngompa13, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: stunnel-5.44-1.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-11 17:30:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1495181, 1596070    

Description Jakub Jelen 2017-11-29 14:59:51 UTC
As announced earlier this year, we plan to deprecate TCP wrappers out of Fedora services in a single release (Fedora 28) to avoid user confusion that some of the tools will be using it and some not.

For more information about the change or possible migration paths outside of the package itself, see the linked accepted Fedora 28 change.

This report is for a source package, that has "BuildRequires tcp_wrappers" in spec file and resulting packages depend on "libwrap.so.0". The changes to remove the dependency should be minimal, usually a configure switch, but let me know if you will need some assistance with the changes.

Additional info:

https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers

Comment 1 Neal Gompa 2017-11-29 16:48:42 UTC
I don't think it's a good idea to remove this, as your proposed solution doesn't address what to do when stunnel is used in containers (as I do).

Comment 2 Tomas Mraz 2017-11-30 08:33:43 UTC
But the Fedora change was accepted by FESCo already.

BTW, the tcp_wrappers support is constant source of problems at least on the stunnel versions present in RHEL 6 and 7.

It might be fixed in the current Fedora versions however it also might be possible that the stunnel is not used so heavily for these problems to appear on Fedora.

Comment 3 Jakub Jelen 2017-11-30 09:26:48 UTC
Neal,
tcpd should work also in containers, isn't it? As already said, FESCo already approved this change. But if the package will be removed completely or not is not set in the stone. If you would consider it as an option, I am fine with leaving the package in Fedora without devel subpackage.

Comment 4 Neal Gompa 2017-12-01 09:26:16 UTC
If it's really a constant source of problems, I guess it's okay to remove... Does anyone have any documented migration strategies?

Comment 5 Jakub Jelen 2017-12-04 10:13:48 UTC
Several options are outlined in the change page linked in the bug description, either with tcpd (you can take the burden of the constant problems on yourself) or with systemd.

There are other options specific to every application, though I can not find any specific for stunnel. Probably idea for feature request? The libwrap is not enabled by default since 5.0, according to documentation so having alternative to limit access in there would make sense to me.