[arch-general] [arch-dev-public] dropping tcp_wrapper support

Peggy Wilkins enlil65 at gmail.com
Sat Jul 16 15:51:31 EDT 2011


On Sat, Jul 16, 2011 at 1:42 PM, Thomas S Hatch <thatch45 at gmail.com> wrote:

> In the end, I tell people that using tcp_wrappers is unnecessary and unwise,
> iptables is VERY powerful, and once you understand how rules are constructed
> and parsed it is an easy and manageable solution.

I have nothing to say against iptables and other full firewall
solutions.  However, for my part running a number of desktops for
other people at work with only sshd as a service, tcp wrappers plus
denyhosts (plus disabling password authentication for good measure)
already does exactly what I want.  Performance doesn't enter into this
issue for us; we have so many spare CPU cycles it's comical.

Everyone doesn't have the same circumstances and needs.  I just would
like this option to continue because I'm using it now and I find it
useful and it meets my immediate needs.  I also don't need my time at
work diverted into a sudden project to write firewall rules that work
for every desktop.

> Thanks to the Arch devs for taking this out, this was the right move and I
> will argue that it has made Arch more secure by not supporting outdated
> security constructs.

I view it as taking away my freedom to choose to run what I want in
the simplest possible way.  This is a major change.  A large part of
the reason I chose Arch is because it is straightforward to configure,
hence doesn't require a lot of my time (which is properly spent
running servers, not desktops) -- an easy way to get Linux on the
desktop for our site which is otherwise all Windows desktops.  I
already know the limitations of my choice (and I use full firewalls in
other situations).

Surely there is a good compromise possible...

