2014-03-20 18:59 GMT+01:00 Paul Wouters <paul@nohats.ca>:

On Thu, 20 Mar 2014, Lennart Poettering wrote:

I wonder whether it wouldn't be time to say goodbye to tcpwrappers in
Fedora.

I'd be happy to see those go.

Those who depend on it though, should see some "failed closed"
behaviour, so their service does not suddenly become more exposed.

Wouldn't failing closed essentially involve keeping libwrap, keeping all the callers, keeping the existing parser, only ignoring most of the rule and treating any rule matching the daemon name as DENY? At that point we might just as well keep the non-controversially-safe functionality like IP checks working.

Mirek