On 2014-03-21, Fernando Cassia <fcassia at gmail.com> wrote:
>
> Interesting double negative. Implies that once the "technical barriers" are
> removed, then it's OK to remove old features for change's sake. ;)

If, as Matthew says, the codebase hasn't been maintained since 2001, then we should have concerns about unfound security issues, as well as concerns that, if others find security problems, nobody is responsible for fixing them. If tcpwrappers had a current maintainer this wouldn't be an issue.

There's certainly at least one technical reason to prefer other options like iptables over tcpwrappers. I've had instances where an attacker made dozens of ssh probes per second; tcpwrappers was able to reject these, but sshd was so overwhelmed that it was unable to exchange host keys with legitimate clients. iptables would have blocked these attacks more effectively, letting sshd handle the legitimate client sessions properly. Certainly others have posted legitimate reasons to prefer tcpwrappers over iptables in this thread, too.

Your sole position seems to be "it's old so it should be kept", which is just as illegitimate a position as "it's old so it should be discarded". If you have valid technical arguments justifying keeping tcpwrappers you should make them, as others have.

> Aren't political reasons the reason they are thinking of removing 'em?.

Matthew cited an old and unwieldy API, its status as being unmaintained, and its existence as an extra place to check for sysadmins (I'm dubious about this last). None of these strike me as being political.

> Certainly I see no technical problem with tcp wrappers.

The technical problem is that there's no maintainer. Are you volunteering (and capable)?

--
kkeller at wombat.san-francisco.ca.us
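
The point made in the message above, that a packet filter can stop a flood of ssh probes before sshd has to handle them, shown as an added example that is not part of the original message: per-source rate limiting with the iptables `recent` match. The port, the threshold of 4 new connections per 60 seconds and the list name `sshprobe` are assumed values, and `ipt` is a hypothetical wrapper that prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the original message. Assumed values: port 22,
# at most 4 new connections per source per 60 seconds, list name "sshprobe".
SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-60}"
HITS="${HITS:-4}"

# Hypothetical helper: dry run by default (prints each command);
# APPLY=1, run as root, installs the rule instead.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

ssh_ratelimit() {
    # Packets of sessions that already exist are never rate limited.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || return 1

    # A source with $HITS or more recorded hits inside $WINDOW seconds is
    # dropped in the kernel, so sshd never sees the connection. On a match
    # --update records the new attempt too, so a source that keeps probing
    # stays blocked until it goes quiet.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name sshprobe --update --seconds "$WINDOW" \
        --hitcount "$HITS" -j DROP || return 1

    # Otherwise record the source and hand the connection to sshd.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name sshprobe --set -j ACCEPT
}

ssh_ratelimit
```

The rules are appended to `INPUT`, so they only take effect if no earlier rule already accepts port 22; the hit count must also stay within the `recent` module's per-address history (20 entries by default).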