On Thu, Mar 20, 2014 at 4:05 PM, Matthew Miller mattdm@mattdm.org wrote:
On Thu, Mar 20, 2014 at 12:55:56PM -0700, Keith Keller wrote:
What do you think? Do you rely on hosts.allow/hosts.deny as a primary security mechanism? As defense-in-depth? Do you have policies which mandate it?
I currently use it in conjunction with denyhosts, but have been considering moving to something like sshguard with iptables instead. If hosts.deny support disappeared then I would simply go that route when necessary. May I ask what the reason is for considering dropping tcp wrappers support?
I think the main reasons are: the upstream library hasn't actually been maintained since June 2001. The API is somewhat ugly and crufty. Possibly also one more place to check, making systems administration harder.
-- Matthew Miller mattdm@mattdm.org http://mattdm.org/
The reasoning here seems to ignore one of the main tenets of open source -- people contribute with the purpose of scratching their own itch. If there is such a time when tcp wrappers stops working due to a bug or other changes, it's going to break a LOT of stuff. At that point, many people will have a huge itch to scratch, and there will be a spontaneous coalescence of support and code from the people who need it.
Why does there need to be a dedicated maintainer for something to be included/useful? That seems like a bureaucratic requirement that doesn't take into account the nature of open source. The project (tcp wrappers) exists as its own entity and will have a maintainer at the time when it needs one.
The only improvement that could be made is figuring out where a canonical code repository should exist for it.
Where is this discussion taking place in the Fedora community?
❧ Brian Mathis
P.S. Is this somehow related to your Next proposal and trying to make Fedora "exciting"?