Bug 244275 - Unnecessary Requires - shorewall and tcpwrappers
Unnecessary Requires - shorewall and tcpwrappers
Status: CLOSED ERRATA
Product: Fedora EPEL
Classification: Fedora
Component: fail2ban (Show other bugs)
el6
All Linux
medium Severity high
: ---
: ---
Assigned To: Adam Miller
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-14 15:49 EDT by Jonathan Underwood
Modified: 2014-03-17 20:07 EDT (History)
11 users (show)

See Also:
Fixed In Version: fail2ban-0.8.8-3.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 781341 (view as bug list)
Environment:
Last Closed: 2014-03-17 20:07:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Simple patch to remove the unnecessary requirement of shorewall (1.03 KB, patch)
2009-07-11 12:27 EDT, BJ Dierkes
no flags Details | Diff
Patch to add a subpackage for shorewall config and dependency (2.00 KB, patch)
2009-07-11 12:28 EDT, BJ Dierkes
no flags Details | Diff

  None (edit)
Description Jonathan Underwood 2007-06-14 15:49:04 EDT
Description of problem:
fail2ban doesn't require shorewall to function, and in fact, as we ship it, it
makes use of the Fedora firewall - installing an extra firewall which is the not
used in the default configuration is a bit gratuitous and confusing to the user.

Also, the Requires: tcpwrappers isn't needed unless the user decides to enable
the tcpwrapper action (disabled by default)
Comment 1 Tim Niemueller 2007-12-19 05:26:09 EST
Maybe the shorewall dependency can be factored out to another package
fail2ban-shorewall which would contain /etc/fail2ban/action.d/shorewall.conf and
depends on shorewall?

What would be really helpful is /etc/fail2ban/jail.d where you can put small
subconfigs, instead of having to merge it all together in jail.conf. This way
also the jail.conf parts regarding shorewall could be put into the sub-package.
Comment 2 Axel Thimm 2007-12-22 07:33:14 EST
> What would be really helpful is /etc/fail2ban/jail.d where you can put small
> subconfigs, instead of having to merge it all together in jail.conf. This way
> also the jail.conf parts regarding shorewall could be put into the sub-package.

I don't think this works with upstream fail2ban yet, but it is a good idea. Do
you want to ask upstream to include *.d functionality in the next release?
Comment 3 Bug Zapper 2008-05-14 09:05:23 EDT
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists.

Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs:
http://docs.fedoraproject.org/release-notes/

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Bug Zapper 2008-11-25 20:54:57 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Robert Vogelgesang 2009-02-16 08:43:56 EST
Is there any reason why this bug is _still_ not fixed? shorewall is definitely not used by the default configuration.  This silly extra "Require" is the only reason why I have to build replacement RPMs for internal distribution of fail2ban.

Havin g multiple firewall tools on one machine is crazy, at least as long as these don't share identical configuration files.
Comment 6 Matthew Miller 2009-03-24 16:03:46 EDT
I'm putting this back to "rawhide".
Comment 7 Bug Zapper 2009-06-09 05:15:18 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 8 BJ Dierkes 2009-07-10 18:50:53 EDT
Would be nice if we could get some attention on this bug primarily due to its age.  There are similar requests downstream for the EPEL packages, though the EPEL maintainer is waiting for Fedora to make this change first.

Thank you.
Comment 9 BJ Dierkes 2009-07-11 12:27:15 EDT
Created attachment 351351 [details]
Simple patch to remove the unnecessary requirement of shorewall
Comment 10 BJ Dierkes 2009-07-11 12:28:42 EDT
Created attachment 351352 [details]
Patch to add a subpackage for shorewall config and dependency

This is an alternative to patch 351351... depending on how the maintainer wishes to proceed.
Comment 11 Axel Thimm 2009-07-14 03:12:26 EDT
I think this is just an EPEL bug, why not fix it in the EPEL cvs? I'd go with something like BJ's patch in comment #10.

For anecdotal reference just comparing the use of fail2ban with iptables and shorewall by google hits it comes up with something like 1:4 (15,500:69,800), which means that a large portion of fail2ban users will expect shorewall support out of the bix and will be surprised to have to look for further subpackages, or to have to manually install some dependencies of fail2ban.
Comment 12 Matthew Miller 2009-07-14 11:02:59 EDT
Re: EPEL — the Fedora package also has a hard-requirement of shorewall.

Re: anecdotal reference — In that case, patch #351351 (don't split the package, but don't have a hard requirement) seems like the way to go.
Comment 13 BJ Dierkes 2009-07-14 11:56:16 EDT
Honestly, my only concern is with EPEL... but the changes make sense for both.  If you consider that EPEL was created for *Enterprise Linux... it would be safe to assume that a SysAdmin installing fail2ban would know very well what they want and how they want to implement.  Forcing the install of shorewall on a SysAdmin in the enterprise just seems rude.  ;)

For Fedora I can see your point as the audience would more than likely have less SysAdmins and more Users/Power Users.  Either way... if you are installing fail2ban you probably also know how to do something like 'yum search shorewall'.

If you go with something like my initial patch in comment #9, you can just throw in a few lines of comment into %{_sysconfdir}/fail2ban/action.d/shorewall.conf that let you know "hey, you probably need to install x, y, z packages via yum to enable shorewall support".  Or the patch in comment #10, is obvious or understood that you need to install fail2ban-shorewall to enable shorewall support.

Either way, thank you for giving this tracker some attention.
Comment 14 Robert Vogelgesang 2009-09-23 12:21:47 EDT
Can we please have this issue fixed for the upcoming Fedora 12 release? There are only a few days left until the beta development freeze.

I don't really care which one of the proposed patches "wins" in the end.

Re: comment #11: If just the "Requires:" for shorewall would be removed, the support for shorewall would still be there, and people using both fail2ban and shorewall will still be happy.  But all the other who prefer different firewalling solutions, are not forced to install shorewall.  Is there any _real_ reason why such a solution would not be acceptable to anyone?
Comment 15 Axel Thimm 2009-09-23 13:40:27 EDT
> Can we please have this issue fixed for the upcoming Fedora 12 release?

I thought the bug tended to be "fixed" only for EPEL, or not? And checking the pkgdb it mentions maxamillion as the maintainer. Is this user even in the Cc of this bug to be aware of the issue?
Comment 16 BJ Dierkes 2009-09-23 13:48:40 EDT
maxamillion, the maintainer of the EPEL package, said he was intent on following upstream (you/Fedora) and did not want to deviate from the Fedora packages.
Comment 17 R P Herrold 2010-02-01 14:13:33 EST
Can we get a one word delete of at least 'shorewall  please?
Comment 18 Matthew Miller 2010-02-01 14:21:09 EST
Moving back to rawhide again.
Comment 19 Bug Zapper 2010-03-15 07:52:14 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 13 development cycle.
Changing version to '13'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 20 Ruben Kerkhof 2010-11-03 20:51:01 EDT
Moving back to rawhide again.
Comment 21 Matthew Miller 2010-11-03 21:18:07 EDT
Can we have someone other than the maintainer fix this?
Comment 22 Tim Niemueller 2011-04-21 18:14:06 EDT
Anything going to happen here or should we just close it if nobody cares enough to fix it?
Comment 23 Adam Miller 2012-01-12 22:46:49 EST
Since this is just the EPEL package and I don't maintain fail2ban for Fedora, I will be keeping it in line with Fedora proper. Please feel free to discuss this with the Fedora package maintainer.
Comment 24 Matthew Miller 2013-02-14 20:58:02 EST
(In reply to comment #23)
> Since this is just the EPEL package and I don't maintain fail2ban for
> Fedora, I will be keeping it in line with Fedora proper. Please feel free to
> discuss this with the Fedora package maintainer.

Fedora package has now dropped the requirements.

Note You need to log in before you can comment on or make changes to this bug.