On 4/23/2014 1:54 AM, Corinna Vinschen wrote:
> Assuming you're updating your Linux distro. You've been using tcp_wrappers in conjunction with OpenSSH for years. The distro update comes with OpenSSH 6.7, now without tcp_wrappers support. But the OpenSSH update is just one updated package of several hundreds or thousands. How many users will not even get the information that their tcp_wrappers installation doesn't work anymore? tcp_wrappers might be an old concept, but simply pulling the plug and removing the few lines required to support it seems a bit heavy-handed considering what effect this may have.
Absolutely. While I agree with some of the impetus behind the abandonment of tcpwrappers, I do think it's time for FOSS projects to stop operating as if their projects comprise the Alpha and Omega of people's systems.
At the very least, a full cycle of announcing the retirement/obsoletion of the feature in question, followed by issuing a "heads up!" to all distros to warn them that potentially significant consequences will result from people upgrading past a certain version.
While systems that "fail badly", i.e., result in unreachable SSHDs, are no doubt quickly noticed and redressed by sysadmins, of more worry are those that simply "work as before" but without the limitations defined at some point in the nebulous past by sysadmins before them.
I realise that these maintenance tasks are mostly unpaid and thankless, and such recommendations are no doubt unwelcome as additional burdens, but this *IS* ssh we're talking about.
I don't know about others in the Linux/BSD-server-sphere, but aside from only DNS, I cannot think of a single thing I expect to work "perfectly" let alone "securely", hundreds of times per day. To me, it's more important than httpd.
=M=
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
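The "works as before, but without the limitations" case raised in the message above can be checked for after an upgrade. The following is an added example, not part of the original post or of OpenSSH: it parses rules in the hosts_access(5) format (one level of `EXCEPT` only) and assumes that `libwrap` appearing in `ldd` output for the sshd binary means tcp_wrappers rules are still consulted. All function names and sample inputs are constructed for illustration.

```python
import re

def logical_lines(text):
    """Yield rules per hosts_access(5): join backslash-newline, skip '#' and blanks."""
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def applies_to(daemon_list, daemon="sshd"):
    """True if a daemon list (with at most one EXCEPT) covers `daemon`."""
    tokens = [t.split("@")[0] for t in re.split(r"[\s,]+", daemon_list.strip()) if t]
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        included, excluded = tokens[:cut], tokens[cut + 1:]
    else:
        included, excluded = tokens, []
    hit = lambda names: daemon in names or "ALL" in names
    return hit(included) and not hit(excluded)

def sshd_rules(text):
    """Return the rules in one hosts.allow or hosts.deny body that cover sshd."""
    rules = []
    for line in logical_lines(text):
        daemons, sep, _ = line.partition(":")
        if sep and applies_to(daemons):
            rules.append(line)
    return rules

def audit(ldd_output, hosts_allow, hosts_deny):
    """Flag the case where rules exist but sshd no longer consults them."""
    rules = sshd_rules(hosts_allow) + sshd_rules(hosts_deny)
    # Assumption: a dynamically linked sshd built with wrappers support lists libwrap.
    enforced = "libwrap" in ldd_output
    return {"rules": rules, "enforced": enforced,
            "silently_ignored": bool(rules) and not enforced}

# Constructed sample inputs (not taken from any real host).
ALLOW = "# admin network only\nsshd : 192.0.2.0/255.255.255.0 \\\n  198.51.100.7\nvsftpd: ALL\n"
DENY = "ALL EXCEPT vsftpd : ALL\n"
LDD_OLD = "\tlibwrap.so.0 => /lib/libwrap.so.0 (0x00007f0000000000)\n"
LDD_NEW = "\tlibcrypto.so.1.0.0 => /lib/libcrypto.so.1.0.0 (0x00007f0000000000)\n"

if __name__ == "__main__":
    for label, ldd in (("before upgrade", LDD_OLD), ("after upgrade", LDD_NEW)):
        result = audit(ldd, ALLOW, DENY)
        state = "IGNORED" if result["silently_ignored"] else "ok"
        print(f"{label}: {state}; rules covering sshd: {result['rules']}")
```

On a real host the inputs would be the output of `ldd` run against the installed sshd binary and the contents of `/etc/hosts.allow` and `/etc/hosts.deny`; a statically linked or distro-patched sshd needs a different enforcement check.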