Source: tcp-wrappers
Version: 7.6.q-32
Severity: wishlist

The main reason why libwrap is an issue in
https://lists.debian.org/debian-ssh/2024/04/msg00004.html is that it
links to libnsl, which links to libtirpc, which links to libgssapi_krb5.
That ends up being quite a heavyweight dependency chain.  As far as I
can see, libwrap uses libnsl in exactly one place: host_match calls
yp_get_default_domain.

I wondered if anything could be done to avoid this or refactor it
somehow?  If that dependency chain weren't there, I would find it much
easier to justify retaining libwrap support in Debian's openssh
packaging once its direct dependency on libgssapi_krb5 is gone as
planned in the above email.

The obvious approach seems to be to dlopen libnsl only when it's needed.
As far as I can see, libwrap only needs it when you use the user@host
syntax in hosts.{allow,deny}, and people only do that on systems that
actually use NIS; such people would very likely have libnsl2 installed
for other reasons anyway (e.g. libnss-nis).  Everyone else could lose
the dependency.  It would be a slight increase in the complexity of
libwrap, I realize, but since NIS is only used on a minority of systems
these days, it would do a lot to reduce the number of libraries in the
process spaces of quite a few daemons on typical systems.

If such an approach sounds reasonable to you, I don't mind working on a
patch.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.15-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Thanks,

-- 
Colin Watson (he/him)                              [cjwat...@debian.org]
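
Added example, not part of the bug report and not tcp-wrappers code: one way the lazy dlopen of libnsl proposed above could look, so that the library enters a daemon's address space only when the NIS lookup is actually reached. The names `optional_symbol` and `lazy_yp_get_default_domain` are hypothetical, and the soname `libnsl.so.2` is an assumption about what the libnsl2 package ships.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: soname provided by the libnsl2 package. */
#define NSL_SONAME "libnsl.so.2"

typedef int (*yp_domain_fn)(char **);

/* Resolve one symbol from an optional library; NULL if the library or the
 * symbol is missing. A bare soname (no path) is resolved through the normal
 * loader search path; RTLD_LOCAL keeps its symbols out of the global scope. */
static void *optional_symbol(const char *soname, const char *symbol)
{
    void *handle = dlopen(soname, RTLD_NOW | RTLD_LOCAL);
    void *sym;

    if (handle == NULL)
        return NULL;
    sym = dlsym(handle, symbol);
    if (sym == NULL)
        dlclose(handle);
    return sym; /* handle stays open for as long as sym may be called */
}

/* Hypothetical stand-in for a direct yp_get_default_domain() call.
 * Returns 0 on success; on any failure returns nonzero with *domain NULL,
 * so a caller treats "libnsl not installed" like "no NIS domain set".
 * Not thread-safe: the one-time lookup uses plain statics. */
int lazy_yp_get_default_domain(char **domain)
{
    static yp_domain_fn fn;
    static int tried;
    int rc;

    *domain = NULL;
    if (!tried) { /* library is loaded on first use only */
        tried = 1;
        *(void **)(&fn) = optional_symbol(NSL_SONAME, "yp_get_default_domain");
    }
    if (fn == NULL)
        return -1;
    rc = fn(domain);
    if (rc != 0)
        *domain = NULL;
    return rc;
}
```

On older glibc releases the block needs `-ldl` at link time.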
