1518789 – [F28 change] stunnel should not require tcp_wrappers

Bug 1518789 - [F28 change] stunnel should not require tcp_wrappers

Summary: [F28 change] stunnel should not require tcp_wrappers

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	stunnel
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Tomas Mraz
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1495181 1596070
TreeView+	depends on / blocked

Reported:	2017-11-29 14:59 UTC by Jakub Jelen
Modified:	2018-06-28 08:10 UTC (History)
CC List:	3 users (show)
Fixed In Version:	stunnel-5.44-1.fc28
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-01-11 17:30:30 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jakub Jelen 2017-11-29 14:59:51 UTC

As announced earlier this year, we plan to deprecate TCP wrappers out of Fedora services in a single release (Fedora 28) to avoid user confusion that some of the tools will be using it and some not.

For more information about the change or possible migration paths outside of the package itself, see the linked accepted Fedora 28 change.

This report is for a source package, that has "BuildRequires tcp_wrappers" in spec file and resulting packages depend on "libwrap.so.0". The changes to remove the dependency should be minimal, usually a configure switch, but let me know if you will need some assistance with the changes.

Additional info:

https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers

Comment 1 Neal Gompa 2017-11-29 16:48:42 UTC

I don't think it's a good idea to remove this, as your proposed solution doesn't address what to do when stunnel is used in containers (as I do).

Comment 2 Tomas Mraz 2017-11-30 08:33:43 UTC

But the Fedora change was accepted by FESCo already.

BTW, the tcp_wrappers support is constant source of problems at least on the stunnel versions present in RHEL 6 and 7.

It might be fixed in the current Fedora versions however it also might be possible that the stunnel is not used so heavily for these problems to appear on Fedora.

Comment 3 Jakub Jelen 2017-11-30 09:26:48 UTC

Neal,
tcpd should work also in containers, isn't it? As already said, FESCo already approved this change. But if the package will be removed completely or not is not set in the stone. If you would consider it as an option, I am fine with leaving the package in Fedora without devel subpackage.

Comment 4 Neal Gompa 2017-12-01 09:26:16 UTC

If it's really a constant source of problems, I guess it's okay to remove... Does anyone have any documented migration strategies?

Comment 5 Jakub Jelen 2017-12-04 10:13:48 UTC

Several options are outlined in the change page linked in the bug description, either with tcpd (you can take the burden of the constant problems on yourself) or with systemd.

There are other options specific to every application, though I can not find any specific for stunnel. Probably idea for feature request? The libwrap is not enabled by default since 5.0, according to documentation so having alternative to limit access in there would make sense to me.

Note You need to log in before you can comment on or make changes to this bug.