F36 Change: Retire the NIS(+) user-space utility programs (System-Wide Change proposal)
https://fedoraproject.org/wiki/Changes/retire_NIS_user_space_utils
== Summary ==
This change is about retiring the ypbind, yp-tools, and ypserv
packages, and removal of the {nis,yp}domainname user-space utility
programs from the hostname package.
== Owner ==
* Name: [[User:besser82 | Björn Esser]]
* Email: besse...@fedoraproject.org
== Detailed Description ==
Those utility programs used to be present on virtually any UNIX system
for decades, but are starting to become more and more deprecated.
Also NIS(+) is known for not being secure at all. As we are going to
[https://fedoraproject.org/wiki/Changes/drop_NIS_support_from_PAM
remove the support for NIS(+) in PAM] during this development cycle,
we also should get rid of those.
== Feedback ==
There was some discussion on
[https://lists.fedoraproject.org/archives/list/de...@lists.fedoraproject.org/thread/T662DD2FD3YNPTVTOPCYFQRSOQCJWCSZ/
the fedora-devel mailing-list]. Some people are reluctant about the
removal of NIS(+) user-space support, while most are okay with it as
there are more secure alternatives (LDAP, FreeIPA, etc.) available.
The FPL is +1 on doing so.
== Benefit to Fedora ==
With this change we start directing our users and developers to move
away from NIS(+) to secure alternatives like LDAP and/or FreeIPA.
== Scope ==
* Proposal owners:
** Retire the ypbind, yp-tools, and ypserv packages from Fedora.
** Remove the {nis,yp}domainname user-space utility programs from the
hostname package.
* Other developers:
** Test this change.
* Release engineering: [https://pagure.io/releng/issue/10352 #10352]
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives: N/A
== Upgrade/compatibility impact ==
Users that were relying on support for NIS(+) will need to move to
secure alternatives like LDAP and/or FreeIPA.
== How To Test ==
Check whether the named utility programs are still installed on your
system after upgrading. If they are gone, everything is fine.
== User Experience ==
For some users this change may be a bit disruptive and it may require
some learning curve for switching to alternative solutions.
== Dependencies ==
There are actually no external dependencies.
== Contingency Plan ==
* Contingency mechanism: Unretire the packages and build them for Fedora 36.
* Contingency deadline: At beta freeze.
* Blocks release? Yes.
== Documentation ==
The documentation about those utility programs should be dropped, if
there even is any.
== Release Notes ==
The NIS(+) user-space utility programs have been removed from the distribution.
--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
___
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
F36 Change: Drop NIS(+) support from PAM (System-Wide Change proposal)
https://fedoraproject.org/wiki/Changes/drop_NIS_support_from_PAM == Summary == This change is about dropping user-authentication using NIS(+) from PAM. == Owner == * Name: [[User:besser82 | Björn Esser]] * Email: besse...@fedoraproject.org * Name: [[User:ipedrosa | Iker Pedrosa]] * Email: ipedr...@redhat.com == Detailed Description == NIS(+) was introduced by Sun/Oracle to easily share files and system users between UNIX-alike systems within the same network, and has been around for some decades. Its simplicity though opens a variety of possible security issues, like not being able the verify whether the shared information is actually correct and/or trustworthy. That said, and with several more secure options (LDAP, Kerberos, Samba, etc.) to achieve the same goal, we should at least remove support for NIS for user authentication. == Feedback == There was some discussion on [https://lists.fedoraproject.org/archives/list/de...@lists.fedoraproject.org/thread/T662DD2FD3YNPTVTOPCYFQRSOQCJWCSZ/ the fedora-devel mailing-list]. Some people are reluctant about the removal of NIS(+) support from PAM, while most are okay with it as there are more secure alternatives (LDAP, FreeIPA, etc.) available. == Benefit to Fedora == With this change we start directing our users and developers to move away from NIS(+) to secure alternatives like LDAP and/or FreeIPA. == Scope == * Proposal owners: ** Adapt the pam spec file to build without support for NIS(+). ** Communicate the removal of the PAM configuration for user-authentication using NIS with the authselect maintainers; also offer assistance to implement the needed changes. * Other developers: ** Apply the pull-request to the authselect package. ** Test this change. * Release engineering: [https://pagure.io/releng/issue/10351 #10351] * Policies and guidelines: N/A (not needed for this Change) * Trademark approval: N/A (not needed for this Change) * Alignment with Objectives: N/A == Upgrade/compatibility impact == Users that were relying on support for NIS(+) will need to move to secure alternatives like LDAP and/or FreeIPA. == How To Test == There is no need to test, as when configure switch is removed, support is dropped. == User Experience == For some users this change may be a bit disruptive and it may require some learning curve for switching to alternative solutions. == Dependencies == * The authselect package needs to be updated to drop its PAM configuration for user-authentication using NIS. * Apart from that there are actually no rpms, that directly depend on the change of the functionality of the affected PAM module. == Contingency Plan == * Contingency mechanism: Revert the changes made to the affected packages and rebuild them. * Contingency deadline: At beta freeze. * Blocks release? Yes. == Documentation == The documentation about sharing system users and files over NIS should be dropped, if there even is any. == Release Notes == Support for NIS(+) has been dropped from PAM. Users, who are currently using NIS(+) to share UNIX users / groups within a network, should migrate their setups to use LDAP or some other secure service providing comparable functionalities before updating to Fedora 36. -- Ben Cotton He / Him / His Fedora Program Manager Red Hat TZ=America/Indiana/Indianapolis ___ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Fedora Linux 35 Final is NO-GO
Due to outstanding blocker bugs[1], F35 Final RC1 was declared NO-GO in today's Go/No-Go meeting[2]. The next Fedora Linux 35 Final Go/No-Go meeting[3] will be held at 1700 UTC on Thursday 28 October in #fedora-meeting. We will aim for the "target date #2" milestone of 2 November. The release schedule[4] has been updated accordingly. [1] https://qa.fedoraproject.org/blockerbugs/milestone/35/final/buglist [2] https://meetbot.fedoraproject.org/fedora-meeting/2021-10-21/f35-final-go_no_go-meeting.2021-10-21-17.00.html [3] https://calendar.fedoraproject.org/meeting/10102/ [4] https://fedorapeople.org/groups/schedule/f-35/f-35-key-tasks.html -- Ben Cotton He / Him / His Fedora Program Manager Red Hat TZ=America/Indiana/Indianapolis ___ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
