From owner-freebsd-security Tue Jan 23 01:59:52 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id BAA21905 for security-outgoing; Tue, 23 Jan 1996 01:59:52 -0800 (PST)
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id BAA21894 for ; Tue, 23 Jan 1996 01:59:49 -0800 (PST)
Received: from localhost.shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.3/8.7.3) with SMTP id BAA03233; Tue, 23 Jan 1996 01:58:03 -0800 (PST)
Message-Id: <199601230958.BAA03233@precipice.shockwave.com>
To: Mark Murray
cc: Nathan Lawson , security@FreeBSD.ORG
Subject: Re: Ownership of files/tcp_wrappers port
In-reply-to: Your message of "Tue, 23 Jan 1996 11:05:19 +0200." <199601230905.LAA00703@grumble.grondar.za>
Date: Tue, 23 Jan 1996 01:58:03 -0800
From: Paul Traina
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

> From: Mark Murray
> Subject: Re: Ownership of files/tcp_wrappers port
>
> Before my current job I worked in a University's computer centre, and
> _every_ Un*x box I ever got to work on had wrappers installed. And the
> organization that I work in uses a firewall because the systems are
> maintained by over 200 separate people who have varying degrees of
> capability as system administrators. I thus formed the opinion that most
> (wise) folks install them immediately, and such folks would appreciate
> having them as part of the base system. (I say this also as an
> anti-bloatist - my record speaks for itself.)
>
> > Read: I will wish seriously bad karma on anyone who unilaterally bloats
> > out the system with the wrapper code. There is NO good reason to
> > make it anything other than a port -- which makes it OPTIONAL to
> > install and easy to track 3rd party changes.
>
> Who said anything about unilateral? What is the difference between
> wrappers, bootp and the various eBones bits that got brought in with
> hardly a squeak?

If it was my call, they'd be ports too!

I spent over 3 hours today futzing around checking all of the different changes from NetBSD and from the distribution code to ensure that we got the right lineage of code and all of the bug fixes, and to ensure they ended up on the right branches. All of this just as a precursor to adding DHCP support.

Likewise, with eBones, we've hacked the sources to the point that it's now a HUGE job to upgrade to patch level 10. I know this, because I started it and gave up in disgust 2 months ago.

Both of your examples dove-tail perfectly with my point: You say why not? I say why?

We have to find a better way to maintain software than bringing it into the source distribution. It just becomes a bitch to maintain. eBones is one of the few hunks of code that is easy to dyke out of the rest of the distribution, and look at the effort we have to go to to do it: a totally separate hierarchy and kludges in all of the system makefiles.

Let me state, completely, my objections to adding the tcp wrapper code:

(a) there are several similar competing bits of code out there that do similar things -- wrappers is not the only way to go
(b) it's already trivial for a user to add this support into the base system should they desire it
(c) incorporating it into the base system means more work to support, test, debug, and maintain the code
(d) the wrapper changes duplicate much of the access logging and control we have already included directly in the system
(e) they don't cover the case of UDP programs

If you can address these issues, then I will withdraw my objections.

Paul