On Thu, 20.03.14 20:55, Hans de Goede (hdegoede@xxxxxxxxxx) wrote:

> > I mean, I really don't mind that tcpd/tcpwrap stays in the archives, if
> > people want to make use of that. I am simply proposing to not link
> > against them anymore for everything that is in the default system.
>
> So as an innocent bystander who happens to be reading along this thread,
> I see 2 sides to the story here:
>
> Lennart says:
> 1) It is horrible code
> 2) It really really is horrible horrible code
> 3) And there are other ways to achieve the same goal, so let's kill it

I am not just saying "other ways", but *better* ways. I am also saying
that keeping this around makes the OS unnecessarily more complex.

> Others say:
> 1) There may be other ways but none so easily centrally managed with
> a unified syntax for all services
>
> The argument which the others are making actually sounds a lot like
> a lot of the arguments in favor of systemd (wrt standardizing, etc.).

Well the difference here is pretty much that there was no pre-existing
standardization effort for the areas that systemd covered really.
However, there's a technically much better, established, better
understood alternative to tcpwrappers, and that's a firewall.

> And I'm getting the feeling that Lennart is not as much opposed to the
> functionality of tcp-wrappers, as that he *really* hates the code.

I am actually against this as separate functionality too. Go high-level
with service-specific filtering. Or go low-level with a firewall. Don't
waste your time with tcpwrap...

> So maybe a solution would be to write a libwrap2 instead ?

Oh, please no. We already have firewalls for this.

If you want to write new code: I think it would be a lot nicer to simply
write a converter for hosts.allow and hosts.deny into iptables rules,
plus some warnings if DNS and IDENT matches are used.

> So offer something with equivalent functionality (and config file
> syntax compatibility), with a nice modern clean API and then systemd
> and others can be moved over to that 1 by 1, and once we've no more
> users left we can kill off the old beast ?

Nope. In systemd we already support one subsystem for filtering just
fine, it's called a firewall. I am looking for a way to simplify things,
and remove unnecessary redundancies. And just rewriting something that
is redundant and a bad idea in the first place, certainly doesn't help
there...

Lennart

--
Lennart Poettering, Red Hat
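
The converter idea raised in the message above, sketched as an added example (not code from this thread or from any Fedora or systemd project). The `PORTS` daemon-to-port table, the function names and the sample files are assumptions; only IPv4 `daemon: client` lines are handled, and lines with option fields or `EXCEPT` are reported rather than translated.

```python
import ipaddress
import re

# Assumed (hypothetical) daemon -> TCP port map; libwrap matches process names.
PORTS = {"sshd": 22, "vsftpd": 21, "in.telnetd": 23}

def source_arg(pattern):
    """Return ' -s NET' for a client pattern, '' for ALL, or raise ValueError."""
    if pattern == "ALL":
        return ""
    if "@" in pattern:
        raise ValueError("IDENT (user@host) match, no firewall equivalent")
    if re.fullmatch(r"(\d{1,3}\.){1,3}", pattern):   # prefix form "192.168.1."
        octets = pattern.rstrip(".").split(".")
        net = ".".join(octets + ["0"] * (4 - len(octets)))
        return f" -s {ipaddress.ip_network(f'{net}/{8 * len(octets)}')}"
    try:                                             # address or net/mask
        return f" -s {ipaddress.ip_network(pattern, strict=False)}"
    except ValueError:
        raise ValueError("DNS-dependent match, resolve by hand") from None

def convert(text, target):
    """hosts.allow -> ACCEPT, hosts.deny -> DROP; --syn = new connections only."""
    rules, warnings = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 2 or "EXCEPT" in line:     # options, EXCEPT, IPv6
            warnings.append(f"unsupported syntax, skipped: {line}")
            continue
        for daemon in re.split(r"[,\s]+", fields[0]):
            if daemon != "ALL" and daemon not in PORTS:
                warnings.append(f"{daemon}: no port mapping, skipped")
                continue
            port = "" if daemon == "ALL" else f" --dport {PORTS[daemon]}"
            for client in re.split(r"[,\s]+", fields[1]):
                try:
                    src = source_arg(client)
                except ValueError as err:
                    warnings.append(f"{daemon}: {client}: {err}")
                    continue
                rules.append(f"iptables -A INPUT -p tcp --syn{port}{src} -j {target}")
    return rules, warnings

# Constructed sample input; emit allow rules first, as hosts.allow is checked first.
ALLOW = "sshd: 192.168.1. 10.0.0.5\nvsftpd: 172.16.0.0/255.255.0.0, .example.com\nsshd: admin@10.0.0.9\n"
DENY = "ALL: ALL\n"
```

A daemon of `ALL` becomes a rule with no `--dport`, which covers every TCP port rather than only libwrap-linked services, so the generated rules need review before loading.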