[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

Mon Mar 24 15:15:04 UTC 2014
Brian Mathis <brian.mathis+centos at betteradmin.com>

On Thu, Mar 20, 2014 at 4:05 PM, Matthew Miller <mattdm at mattdm.org> wrote:

> On Thu, Mar 20, 2014 at 12:55:56PM -0700, Keith Keller wrote:
> > > What do you think? Do you rely on hosts.allow/hosts.deny as a primary
> > > security mechanism? As defense-in-depth? Do you have policies which
> > > mandate it?
> >
> > I currently use it in conjunction with denyhosts, but have been
> > considering moving to something like sshguard with iptables instead.  If
> > hosts.deny support disappeared then I would simply go that route when
> > necessary.
> > May I ask what the reason is for considering dropping tcp wrappers
> > support?
>
> I think the main reasons are: upstream library isn't actually maintained
> since June 2001. The API is somewhat ugly and crufty. Possibly also one more
> place to check, making systems administration harder.
>
>
> --
> Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>
>
>

The reasoning here seems to ignore one of the main tenets of open source --
people contribute with the purpose of scratching their own itch.  If there
is such a time when tcp wrappers stops working due to a bug or other changes,
it's going to break a LOT of stuff.  At that point, many people will have a
huge itch to scratch, and there will be a spontaneous coalescence of
support and code from the people who need it.

Why does there need to be a dedicated maintainer for something to be
included/useful?  That seems like a bureaucratic requirement that doesn't
take into account the nature of open source.  The project (tcp wrappers)
exists as its own entity and will have a maintainer at the time when it
needs one.

The only improvement that could be made is figuring out where a canonical
code repository should exist for it.

Where is this discussion taking place in the Fedora community?


❧ Brian Mathis


P.S. Is this somehow related to your Next proposal and trying to make
Fedora "exciting"?