Bug 2319051 - Please branch and build tcp_wrappers for EPEL 10
Summary: Please branch and build tcp_wrappers for EPEL 10
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: tcp_wrappers
Version: epel10
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 2319060
Blocks: 2313927
TreeView+ depends on / blocked
 
Reported: 2024-10-16 03:27 UTC by Orion Poplawski
Modified: 2024-10-30 06:39 UTC (History)
4 users (show)

Fixed In Version: tcp_wrappers-7.6-107.el10_0
Clone Of:
Environment:
Last Closed: 2024-10-17 01:31:37 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Orion Poplawski 2024-10-16 03:27:07 UTC
Please branch and build tcp_wrappers in epel10.

If you do not wish to maintain tcp_wrappers in epel10,
or do not think you will be able to do this in a timely manner,
the EPEL Packagers SIG would be happy to be a co-maintainer of the package;
please add the epel-packagers-sig group through
https://src.fedoraproject.org/rpms/tcp_wrappers/addgroup
and grant it commit access, or collaborator access on epel* branches.

I would also be happy to be a co-maintainer (FAS: orion).

Comment 1 Orion Poplawski 2024-10-16 03:30:04 UTC
Missing a dep:

DEBUG util.py:461:  No matching package to install: 'libnsl2-devel'

Comment 2 Peter Bieringer 2024-10-16 03:59:14 UTC
Branches created, "orion" added with permissions "commit" to the project.

Hopefully you can solve the issue easily.

Comment 3 Orion Poplawski 2024-10-16 04:09:06 UTC
Thanks.  I'm going to leave this open until I manage to get it built.

Comment 4 Xavier Bachelot 2024-10-16 21:42:20 UTC
I thought tcp_wrappers was not a thing anymore.
And actually I found trace of it being deprecated since Fedora 28 :
https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers

Are you sure you really want to carry this piece of code for the next 10 years ?

Comment 5 Carl George 🎩 2024-10-16 23:16:30 UTC
Strangely, despite that change proposal being accepted, tcp_wrappers does not provide deprecated() like it should.

https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/

It seems that all the work focused on removing dependencies on libwrap.so from packages in Fedora, but the package leading to this request (fail2ban-hostsdeny) is using an explicit requires instead.

https://src.fedoraproject.org/rpms/fail2ban/blob/rawhide/f/fail2ban.spec#_189

Could this be as simple as removing that explicit requires to avoid shipping tcp_wrappers in EPEL 10?

Comment 6 Carl George 🎩 2024-10-16 23:24:17 UTC
On a second look, fail2ban-hostsdeny only has the file /etc/fail2ban/action.d/hostsdeny.conf, which seems pretty closely tied to tcp_wrappers.  Maybe a better approach would be to remove (or conditionally disable) that subpackage.

Comment 7 Peter Bieringer 2024-10-17 05:28:20 UTC
(In reply to Xavier Bachelot from comment #4)
> I thought tcp_wrappers was not a thing anymore.
> And actually I found trace of it being deprecated since Fedora 28 :
> https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers

Do you know about any flexible alternative, protecting a designated services by combination of
 - white/blacklisting IPv4/IPv6
 - white/blacklisting by reverse lookup of IPv4/IPv6
 - using script for country code lookup and block/allow by e.g. 
https://www.axllent.org/docs/ssh-geoip/ (I have an improved version active since years)

> Are you sure you really want to carry this piece of code for the next 10
> years ?

Why not if at least somehow maintained?

Comment 8 Carl George 🎩 2024-10-17 20:27:40 UTC
According to the CHANGES file, the last release was in 1997.  It is very clearly no longer maintained.  I can't even find an issue tracker.  Let's say a critical security vulnerability was discovered in the software tomorrow.  How would you handle this?

Comment 9 Peter Bieringer 2024-10-18 05:08:46 UTC
pkgs.org shows a bunch of current distribution still packaging tcp_wrappers

It has a homepage: http://ftp.porcupine.org/pub/security/index.html

And the author is very well known: Wietse Venema (postfix and others)

At least FreeBSD has an issue tracker

And it looks like it has still a user community

Also there are some interesting filter scripts available:

https://github.com/topics/tcp-wrappers

Looks like the only thing missing is a repository somehow...will try to contact author.

Comment 10 Peter Bieringer 2024-10-30 06:39:36 UTC
Wietse successfully contacted, he pushed now code to GitHub: https://github.com/tcp-wrappers/code

And also he uploaded the tarballs into a dedicated project: https://github.com/tcp-wrappers/tarballs

So someone can also start submitting the bunch of patches on-top as PRs from

https://src.fedoraproject.org/rpms/tcp_wrappers/tree/rawhide


Note You need to log in before you can comment on or make changes to this bug.