Source: tcp-wrappers
Version: 7.6.q-32
Severity: wishlist

The main reason why libwrap is an issue in https://lists.debian.org/debian-ssh/2024/04/msg00004.html is that it links to libnsl, which links to libtirpc, which links to libgssapi_krb5. That ends up being quite a heavyweight dependency chain. As far as I can see, libwrap uses libnsl in exactly one place: host_match calls yp_get_default_domain.

I wondered if anything could be done to avoid this or refactor it somehow? If that dependency chain weren't there, I would find it much easier to justify retaining libwrap support in Debian's openssh packaging once its direct dependency on libgssapi_krb5 is gone as planned in the above email.

The obvious approach seems to be to dlopen libnsl only when it's needed. As far as I can see, libwrap only needs it when you use the user@host syntax in hosts.{allow,deny}, and people only do that on systems that actually use NIS; such people would very likely have libnsl2 installed for other reasons anyway (e.g. libnss-nis). Everyone else could lose the dependency. It would be a slight increase in the complexity of libwrap, I realize, but since NIS is only used on a minority of systems these days, it would do a lot to reduce the number of libraries in the process spaces of quite a few daemons on typical systems.

If such an approach sounds reasonable to you, I don't mind working on a patch.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.15-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Thanks,

-- 
Colin Watson (he/him) [cjwat...@debian.org]
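The lazy-loading approach proposed in the report, sketched as an added example; it is not code from tcp-wrappers or from the report's author. The soname `libnsl.so.2` and the names `resolve_yp`, `lazy_default_domain` and `enum nis_status` are assumptions made for illustration.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: soname shipped by the libnsl2 package; not stated in the report. */
#define NSL_SONAME "libnsl.so.2"

enum nis_status { NIS_OK = 0, NIS_LIB_MISSING = 1, NIS_LOOKUP_FAILED = 2 };
typedef int (*yp_get_default_domain_fn)(char **);

/* Resolve yp_get_default_domain at run time, so the caller carries no
 * link-time dependency on libnsl. Returns NULL if library or symbol is absent. */
static yp_get_default_domain_fn resolve_yp(const char *soname)
{
    yp_get_default_domain_fn fn = NULL;
    void *handle = dlopen(soname, RTLD_NOW | RTLD_LOCAL); /* bare soname: loader search path only */
    if (handle == NULL)
        return NULL;
    void *sym = dlsym(handle, "yp_get_default_domain");
    if (sym == NULL) {
        dlclose(handle);
        return NULL;
    }
    *(void **)(&fn) = sym;  /* POSIX idiom for object-to-function pointer conversion */
    return fn;              /* handle stays open so fn remains valid; a real library would cache it */
}

/* Hypothetical wrapper for the one call site the report names (host_match).
 * On any failure *domain is NULL, so the caller never uses a stale pointer. */
static enum nis_status lazy_default_domain(const char *soname, char **domain)
{
    *domain = NULL;
    yp_get_default_domain_fn fn = resolve_yp(soname);
    if (fn == NULL)
        return NIS_LIB_MISSING;          /* non-NIS system: library not installed */
    if (fn(domain) != 0 || *domain == NULL) {
        *domain = NULL;
        return NIS_LOOKUP_FAILED;        /* library present, no NIS domain configured */
    }
    return NIS_OK;
}

int main(void)
{
    char *domain;
    enum nis_status s = lazy_default_domain(NSL_SONAME, &domain);
    printf("status=%d domain=%s\n", (int)s, domain ? domain : "(none)");
    return 0;
}
```

On glibc older than 2.34 this needs `-ldl` at link time. The three status values let the caller log a missing library separately from an unconfigured NIS domain before deciding how the access rule is evaluated.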