Agenda Topics: * tcpwrappers (Does Fedora Server want to support them?)
I was hoping we could also hear from QA and rel-eng tomorrow, but I haven't heard confirmation one way or another whether they will have anything to say.
On Mon, 24 Mar 2014, Stephen Gallagher wrote:
Agenda Topics:
- tcpwrappers (Does Fedora Server want to support them?)
I was hoping we could also hear from QA and rel-eng tomorrow, but I haven't heard confirmation one way or another whether they will have anything to say.
I see Matt's post earlier today checking the pipermail archive. For some reason it appears in broken threading there, and I do not recall seeing the earlier piece pass through my eyes ;) [1]
Goodness ... how does one do layered defense in depth by REMOVING existing function? I must have missed this part of an earlier thread
'want' ???
Anything purporting to be able to perform in server space does not have a choice but to support wrappers
-- Russ herrold
[1] https://lists.fedoraproject.org/pipermail/server/2014-March/thread.html
On 03/24/2014 04:48 PM, R P Herrold wrote:
On Mon, 24 Mar 2014, Stephen Gallagher wrote:
Agenda Topics: * tcpwrappers (Does Fedora Server want to support them?)
I was hoping we could also hear from QA and rel-eng tomorrow, but I haven't heard confirmation one way or another whether they will have anything to say.
I see Matt's post earlier today checking the pipermail archive. For some reason it appears in broken threading there, and I do not recall seeing the earlier piece pass through my eyes ;) [1]
Goodness ... how does one do layered defense in depth by REMOVING existing function? I must have missed this part of an earlier thread
This is a follow-on to a lengthy discussion occurring on the fedora-devel mailing list. It has been suggested that, due to its age, lack of maintenance and general insecurity, perhaps Fedora should take a stance and remove it from the distribution, instead recommending more modern alternatives.
Do not construe this statement as either support for or opposition to this suggestion.
'want' ???
Anything purporting to be able to perform in server space does not have a choice but to support wrappers
Not necessarily true. One of Fedora's stated purposes is to be "First". While most people construe this to mean "has the latest version of all packages", this can also mean that Fedora should lead the charge in migrating away from old technology if it deems that it is holding back innovation.
On 24 March 2014 16:17, Stephen Gallagher sgallagh@redhat.com wrote:
On 03/24/2014 04:48 PM, R P Herrold wrote:
On Mon, 24 Mar 2014, Stephen Gallagher wrote:
Agenda Topics: * tcpwrappers (Does Fedora Server want to support them?)
I was hoping we could also hear from QA and rel-eng tomorrow, but I haven't heard confirmation one way or another whether they will have anything to say.
I see Matt's post earlier today checking the pipermail archive. For some reason it appears in broken threading there, and I do not recall seeing the earlier piece pass through my eyes ;) [1]
Goodness ... how does one do layered defense in depth by REMOVING existing function? I must have missed this part of an earlier thread
This is a follow-on to a lengthy discussion occurring on the fedora-devel mailing list. It has been suggested that, due to its age, lack of maintenance and general insecurity, perhaps Fedora should take a stance and remove it from the distribution, instead recommending more modern alternatives.
1) General insecurity is Lennart's opinion on parts of the code which aren't used very much in the field. I will say that if libwrap2 was written it would remove a good portion of the code which relies on the old auth daemon no one uses these days. The code would basically boil everything down to the service: ipaddress: allow/deny rule.
2) Lack of maintenance has been mostly that the code hasn't had a CVE in years and has been audited multiple times to make sure it doesn't. That said I am sure the parts that aren't exercised a lot (looking up via DNS or authd) could use an axe.
3) The modern alternative suggested is a removal of the code and just relying on the firewall.
Do not construe this statement as either support for or opposition to this suggestion.
'want' ???
Anything purporting to be able to perform in server space does not have a choice but to support wrappers
Not necessarily true. One of Fedora's stated purposes is to be "First". While most people construe this to mean "has the latest version of all packages", this can also mean that Fedora should lead the charge in migrating away from old technology if it deems that it is holding back innovation.
Well in this case, it would not be first as Arch has done this for several years and I am guessing SuSE is looking to do so itself. I would go more with the Freedom to change things :). [I would avoid Friends and Features :)]
On 24.03.2014 23:56, Stephen John Smoogen wrote:
- General insecurity is Lennart's opinion on parts of the code which aren't used very much in the field. I will say that if libwrap2 was written it would remove a good portion of the code which relies on the old auth daemon no one uses these days. The code would basically boil everything down to the service: ipaddress: allow/deny rule.
- Lack of maintenance has been mostly that the code hasn't had a CVE in years and has been audited multiple times to make sure it doesn't. That said I am sure the parts that aren't exercised a lot (looking up via DNS or authd) could use an axe.
- The modern alternative suggested is a removal of the code and just relying on the firewall
which is *not* layered security http://www.spinics.net/lists/fedora-devel/msg196606.html
On Tue, Mar 25, 2014 at 03:42:59AM +0100, Reindl Harald wrote:
- The modern alternative suggested is a removal of the code and just relying on the firewall
which is *not* layered security http://www.spinics.net/lists/fedora-devel/msg196606.html
Not alone, certainly. The suggestion, I think, would be that in most cases you can get an equivalent layer through application-specific configuration, and that plus host firewall plus network firewall (possibly both per subnet and at the border) provides reasonable defense in depth.
I'm not personally saying that tcp_wrappers _can't_ provide another useful layer in some situations; just trying to be fair to the argument.
----- Original Message -----
Agenda Topics:
- tcpwrappers (Does Fedora Server want to support them?)
One topic, does not have to be for this meeting. There was Documentation FAD happening this week - one thing I promised to Docs guys was to collect requirements on them. Do you have any particular ideas how it should look like (to work for Server product), what would you like to see documented etc.
One reminder (not sure it has to be meeting topic) - Change proposals are due Apr 8th, so in two weeks. I don't see much showing up from any WGs, maybe we do not plan any changes at all :).
Thanks Jaroslav
I was hoping we could also hear from QA and rel-eng tomorrow, but I haven't heard confirmation one way or another whether they will have anything to say.
On 03/25/2014 07:15 AM, Jaroslav Reznik wrote:
----- Original Message ----- Agenda Topics: * tcpwrappers (Does Fedora Server want to support them?)
One topic, does not have to be for this meeting. There was Documentation FAD happening this week - one thing I promised to Docs guys was to collect requirements on them. Do you have any particular ideas how it should look like (to work for Server product), what would you like to see documented etc.
Good idea. I'll add it to today's agenda.
One reminder (not sure it has to be meeting topic) - Change proposals are due Apr 8th, so in two weeks. I don't see much showing up from any WGs, maybe we do not plan any changes at all :).
I'll also add this to the agenda.
Thanks Jaroslav
I was hoping we could also hear from QA and rel-eng tomorrow, but I haven't heard confirmation one way or another whether they will have anything to say.
On Tue, 2014-03-25 at 07:15 -0400, Jaroslav Reznik wrote:
----- Original Message -----
Agenda Topics:
- tcpwrappers (Does Fedora Server want to support them?)
One topic, does not have to be for this meeting. There was Documentation FAD happening this week - one thing I promised to Docs guys was to collect requirements on them. Do you have any particular ideas how it should look like (to work for Server product), what would you like to see documented etc.
This seems like a good place to introduce myself. At the Docs FAD over the weekend it was decided that someone from Docs should become involved with each WG, so I am going to attempt to help the Server WG in any way I can. The biggest question the Docs group needs answered right now is what do you need from us?
One reminder (not sure it has to be meeting topic) - Change proposals are due Apr 8th, so in two weeks. I don't see much showing up from any WGs, maybe we do not plan any changes at all :).
Thanks Jaroslav
I was hoping we could also hear from QA and rel-eng tomorrow, but I haven't heard confirmation one way or another whether they will have anything to say.
On 03/25/2014 08:04 AM, Zach Oglesby wrote:
On Tue, 2014-03-25 at 07:15 -0400, Jaroslav Reznik wrote:
----- Original Message -----
Agenda Topics: * tcpwrappers (Does Fedora Server want to support them?)
One topic, does not have to be for this meeting. There was Documentation FAD happening this week - one thing I promised to Docs guys was to collect requirements on them. Do you have any particular ideas how it should look like (to work for Server product), what would you like to see documented etc.
Thanks, Zach and welcome!
We're going to be having a public IRC meeting in #fedora-meeting-1 at 1500 UTC (about three hours from now). It would be great if you could join us. I'll make sure that doc needs are on the agenda.