On Thu, Mar 20, 2014 at 4:05 PM, Matthew Miller <mattdm at mattdm.org> wrote:

> On Thu, Mar 20, 2014 at 12:55:56PM -0700, Keith Keller wrote:
> > > What do you think? Do you rely on hosts.allow/hosts.deny as a primary security
> > > mechanism? As defense-in-depth? Do you have policies which mandate it?
> > I currently use it in conjunction with denyhosts, but have been
> > considering moving to something like sshguard with iptables instead. If
> > hosts.deny support disappeared then I would simply go that route when
> > necessary.
> > May I ask what the reason is for considering dropping tcp wrappers
> > support?
>
> I think the main reasons are: upstream library isn't actually maintained
> since June 2001. The API is somewhat ugly and crufty. Possibly also one more
> place to check, making systems administration harder.
>
> --
> Matthew Miller mattdm at mattdm.org <http://mattdm.org/>

The reasoning here seems to ignore one of the main tenets of open source -- people contribute with the purpose of scratching their own itch. If there is such a time when tcp wrappers stops working due to bug or other changes, it's going to break a LOT of stuff. At that point, many people will have a huge itch to scratch, and there will be a spontaneous coalescence of support and code from the people who need it.

Why does there need to be a dedicated maintainer for something to be included/useful? That seems like a bureaucratic requirement that doesn't take into account the nature of open source. The project (tcp wrappers) exists as its own entity and will have a maintainer at the time when it needs one. The only improvement that could be made is figuring out where a canonical code repository should exist for it.

Where is this discussion taking place in the Fedora community?

❧ Brian Mathis

P.S. Is this somehow related to your Next proposal and trying to make Fedora "exciting"?