[yast-devel] netcat dependency of yast2-core and -printer
Hi,

We had yet another complaint that a customer does not want to install "netcat" for security reasons (no need to discuss), but we cannot even tell him to rpm -e it to quieten his paranoia because it is required by yast2-core and yast2-printer.

yast2-core has a netcat dependency because it uses it to do some connect tests in the ag_hostnames agent.

Is this specific agent still in use?

yast2-printer has it in some tools, where it is unclear to me if they are run during regular usage.

I wonder if we can get rid of the hard netcat dependency here.

Ciao, Marcus
--
Working, but not speaking, for the following german company:
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org
For additional commands, e-mail: yast-devel+help@opensuse.org
On Thursday 12 April 2007 07:22 Marcus Meissner wrote:
> Hi,
> We had yet another complaint that a customer does not want to install "netcat" for security reasons (no need to discuss), but we cannot even tell him to rpm -e it to quieten his paranoia because it is required by yast2-core and yast2-printer.
> yast2-core has a netcat dependency because it uses it to do some connect tests in the ag_hostnames agent.
> Is this specific agent still in use?
> yast2-printer has it in some tools, where it is unclear to me if they are run during regular usage.
> I wonder if we can get rid of the hard netcat dependency here.
yast2-printer uses netcat in order to test accessibility of remote printers. Not having the netcat package installed would mean losing this functionality.

A workaround which should be possible is to remove it from the dependencies but ask for the installation before a test which requires it is executed.

Jiri
--
Regards,
Jiri Srain
YaST Team Leader
SUSE LINUX, s.r.o.
e-mail: jsrain@suse.cz
Lihovarska 1060/12, 190 00 Praha 9, Czech Republic
tel: +420 284 028 959
fax: +420 284 028 951
http://www.suse.cz
On Thu, Apr 12, 2007 at 07:22:15AM +0200, Marcus Meissner wrote:
> Hi,
> We had yet another complaint that a customer does not want to install "netcat" for security reasons (no need to discuss), but we cannot even tell him to rpm -e it to quieten his paranoia because it is required by yast2-core and yast2-printer.
> yast2-core has a netcat dependency because it uses it to do some connect tests in the ag_hostnames agent.
> Is this specific agent still in use?
Yes, various modules use it to scan the local network for machines that have a particular TCP or RPC port open when the user clicks Browse.

We could
- implement the port scan without netcat (using /dev/tcp/host/port)
- change the agent so that it gracefully degrades and returns nothing if netcat is not installed
- deprecate the agent and use DNS-SD or SLP instead

--
Martin Vidner, YaST developer
http://en.opensuse.org/User:Mvidner
A smoking section in a restaurant is like a fecal section in a swimming pool
Hello, On Apr 12 07:22 Marcus Meissner wrote (shortened):
> We had yet another complaint that a customer does not want to install "netcat" for security reasons (no need to discuss), but we cannot even tell him to rpm -e it to quieten his paranoia because it is required by yast2-core and yast2-printer.
> ...
> yast2-printer has it in some tools, where it is unclear to me if they are run during regular usage.
Those tools are

/usr/lib/YaST2/bin/listen_remote_ipp
- runs during system installation to check if there is a broadcasting CUPS server
- needs netcat in listen mode and I don't know how to listen via bash ('</dev/udp/localhost/631' does not listen but tries to connect to UDP port 631 on localhost).

/usr/lib/YaST2/bin/test_remote_ipp
/usr/lib/YaST2/bin/test_remote_lpd
/usr/lib/YaST2/bin/test_remote_socket
- are used to test a remote IPP/LPD/socket connection when a local queue for a remote IPP/LPD/socket destination is set up (e.g. when a queue for a network printer is set up).
- uses netcat in test mode with a timeout (netcat -w $TIMEOUT -z ...) and at the moment I think it is complicated to emulate it via bash.
> I wonder if we can get rid of the hard netcat dependency here.
No problem: Let the tools test if netcat is executable and let them fail with an angry error message if not ;-)

Or for those who love overcomplicated "solutions": Let YaST install netcat if such a tool is to be run, which forces our users to supply the media if they just want to set up a queue for a network printer ;-)

Seriously: I think there is no need for a hard RPM requirement because YaST can run even without those tools. Therefore a soft RPM requirement (e.g. a "Recommends") together with a test if netcat is executable in the tools might be best?

Nevertheless I think it is overcomplicated and misleading to only make inexperienced customers feel happy but not actually solve their issue, because letting them remove netcat doesn't add any security. I think we should better tell even those inexperienced customers the truth, because otherwise such customers may learn later that we cheated instead of telling them the truth. At least I would never ever buy something from someone who cheated me once.

Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH, Maxfeldstrasse 5, 90409 Nuernberg, Germany
AG Nuernberg, HRB 16746, GF: Markus Rex
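The connect test discussed in the two replies above (Martin Vidner's /dev/tcp/host/port idea and the `netcat -w $TIMEOUT -z` behaviour Johannes Meixner wants to keep), written without netcat. This is an added example, not code from the thread or from YaST; `tcp_probe` and its return codes are hypothetical, and it assumes bash and the coreutils `timeout` command are installed.

```shell
#!/bin/bash
# Added example: emulate "netcat -w $TIMEOUT -z HOST PORT" without netcat.
# tcp_probe is a hypothetical helper name, not one of the YaST tools.
# Return codes: 0 = connection accepted, 1 = refused or timed out,
#               2 = bad arguments, 3 = prerequisite (bash/timeout) missing.
tcp_probe() {
    host=$1 port=$2 secs=${3:-3}

    # Accept only plain host names/addresses and numeric values, so nothing
    # unexpected ends up in the /dev/tcp path or the timeout argument.
    case $host in
        ''|*[!A-Za-z0-9.:_-]*) return 2 ;;
    esac
    case $port in
        ''|*[!0-9]*) return 2 ;;
    esac
    case $secs in
        ''|*[!0-9]*) return 2 ;;
    esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } 2>/dev/null || return 2

    # Degrade gracefully: report a missing helper instead of failing hard.
    command -v bash >/dev/null 2>&1 || return 3
    command -v timeout >/dev/null 2>&1 || return 3

    # /dev/tcp/HOST/PORT is interpreted by bash itself, not a device file.
    # Host and port are passed as positional parameters, never spliced into
    # the command string. timeout bounds name lookup and connect together.
    if timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null
    then
        return 0
    else
        return 1
    fi
}
```

This covers only the connect tests; bash has no listen mode, so it does not replace what listen_remote_ipp needs from netcat.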
Hi,

I guess then we should just leave the requirements as is and try to educate the ultra paranoid customer.

Ciao, marcus
participants (4)
- Jiri Srain
- Johannes Meixner
- Marcus Meissner
- Martin Vidner