As announced earlier this year, we plan to deprecate TCP wrappers out of Fedora services in a single release (Fedora 28) to avoid user confusion that some of the tools will be using it and some not. For more information about the change or possible migration paths outside of the package itself, see the linked accepted Fedora 28 change. This report is for a source package, that has "BuildRequires tcp_wrappers" in spec file and resulting packages depend on "libwrap.so.0". The changes to remove the dependency should be minimal, usually a configure switch, but let me know if you will need some assistance with the changes. Additional info: https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
Hmm...reading that document seems that its misses some points. One is that it assumes that blocking traffic is the prime purpose. The reality is that it was created to verify that forward and reverse lookup paths of the connection match. Firewalls cannot do that. The reason there hasn't been any updates in 20 years is because its a mature piece of code that needs little maintenance. Also, there have been a number of iptables failures over the years where tcp_wrappers was the only thing preventing disaster. I personally do not think it is wise to dump tcp_wrappers.
Hello Steve, this was the reason why it was discussed earlier before filling the Fedora change and filling the bugs more than 3 months ago [1]. If I see right, you were directly in CC of that message as every other maintainer of affected packages. Certainly, in the past it was useful, but these days, most of the tools already do the reverse lookups [2] and traffic blocking on their own. But this should not be anything we should depend on. There are other secure ways to verify your peer is really who claims to be. [1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/LGTBBFKUZ62TWEPNX6JZZV56PIUVO3NT/ [2] https://github.com/openssh/openssh-portable/blob/9145a73/auth.c#L762
I totally disagree with the premise that IPTables is good enough. However, tcp_wrappers-devel is now gone and building audit requires the removal. Audit is now built without tcp_wrappers support.
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'.
audit-2.8.3-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2c1484e4cd
audit-2.8.3-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ea91f55218
audit-2.8.3-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2c1484e4cd
audit-2.8.3-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ea91f55218
This was intended as a Fedora 28 change so it should not have been pushed to Fedora 27 to avoid exposing users who configured tcp_wrappers and depend on this functionality, if you still consider it as an important part of audit system.
This is a limitation of Bodhi's interface for doing one note for multiple packages. F27 update was not done by git merge master. It was hand edited to preserve the old settings. There was another big change of renaming audit-lib-python to audit-libs-python2 and I didn't want that to bleed into F27 either. If you want to verify, you can checkout the audit package and switch to the F27 branch and look at it.
I was hoping so that you took a care of that, but I wanted to make sure. Thank you for clarification.
audit-2.8.3-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
FYI, the update gets split into separate updates per release anyway, so you could have filed 2 separate updates with separate notes, or edited the notes for the F27 updates (after the automatic split) to match reality.
audit-2.8.3-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2c1484e4cd
audit-2.8.3-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2c1484e4cd
audit-2.8.3-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.