Re-install libwrap in OpenSSH

Stephan von Krawczynski skraw at ithnet.com
Thu May 21 16:21:34 AEST 2015


On Thu, 21 May 2015 08:51:59 +1000 (AEST)
Damien Miller <djm at mindrot.org> wrote:

> I saw the abusive email you sent to me the other day. It's basically
> the perfect way to get developers to ignore you, which is exactly what
> I'm going to do now.

I have not really expected a positive answer from someone removing a perfectly
well ten-liner from code just to make thousands of people have to completely
change their configs and possibly add more than the ten lines to other
configs. That is not software development, that is sabotage.
Thanks for top-posting, shows your true commitment.

 
> On Wed, 20 May 2015, Stephan von Krawczynski wrote:
> 
> > Hello all,
> > 
> > after a useless discussion on the opensuse ML I had to find out that they
> > buried the removal news of libwrap last year in some half-sentence. So this is
> > unfortunately pretty late for the topic. Nevertheless it is pretty obvious
> > that you did not get any feedback from people using ssh over decades in
> > server-administration. Let me make a clear point: libwrap removal was a pretty
> > bad idea. It is a well-used security feature that is _not_ replaceable by your
> > match-statement. As a first libwrap has features that match does not have.
> > Second libwrap is easy-to-use and offers a possibility to make security
> > adjustments in _one_ file for nearly all services, whereas you propose to edit
> > proprietary config files of all services with proprietary config statements
> > for each service. If you have 20 of those you end up editing 20 config files
> > in 20 different places in the fs with at least 20 different statements. This
> > is _shit_. I am not against your match statement, leave it as is. But do not
> > drop libwrap. If you deny libwrap somebody will fork the project for sure.
> > libwrap has not changed for years because it simply works. And firewall rules
> > are no replacement for it, because libwrap is not only an ip filter. It seems
> > you did not know that when you made the wrong decision. Please cc me in case
> > as I am not reading the list.
> > 
> > -- 
> > Regards,
> > Stephan


-- 
Regards,
Stephan

