Bug 1518761 - [F28 change] dovecot should not require tcp_wrappers
Summary: [F28 change] dovecot should not require tcp_wrappers
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: dovecot
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Michal Hlavinka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1495181 1596070
TreeView+ depends on / blocked
 
Reported: 2017-11-29 14:49 UTC by Jakub Jelen
Modified: 2018-06-28 08:10 UTC (History)
6 users (show)

Fixed In Version: dovecot-2.2.33.2-2.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-08 13:11:41 UTC
Type: Bug


Attachments (Terms of Use)

Description Jakub Jelen 2017-11-29 14:49:56 UTC
As announced earlier this year, we plan to deprecate TCP wrappers out of Fedora services in a single release (Fedora 28) to avoid user confusion that some of the tools will be using it and some not.

For more information about the change or possible migration paths outside of the package itself, see the linked accepted Fedora 28 change.

This report is for a source package, that has "BuildRequires tcp_wrappers" in spec file and resulting packages depend on "libwrap.so.0". The changes to remove the dependency should be minimal, usually a configure switch, but let me know if you will need some assistance with the changes.

Additional info:

https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers

Comment 2 Michal Hlavinka 2018-01-04 12:58:42 UTC
I just wonder if there really is reason for this. Given that we've already removed tcp_wrappers from dovecot twice. And twice we've got requests from fedora users and rhel customers that they want it back, that they agree it does not provide the security required, but they want it as yet another layer. My guess is that if we remove it (again) we will be adding it back (again) later.

Comment 4 Jakub Jelen 2018-01-04 16:05:56 UTC
Thank you for the comment. Can you point out to such requests, asking for this support? Removing it ad-hoc and in single component is indeed confusing, but if it will go away from whole system (since many upstreams are leaving it), it should be better accepted.

The fedora change lists several migration paths including socket-activation and tcpd, which should have quite the same functionality.

The point here is not to build against it and not to use it out of the box and everywhere.


Note You need to log in before you can comment on or make changes to this bug.