Re: Debian openssh option review: considering splitting out GSS-API key exchange
On Wed, Apr 03, 2024 at 04:38:19PM +0200, Marc Haber wrote:
> On Wed, 03 Apr 2024 14:10:37 +0100, "Jonathan Dowland"
> <jmtd@debian.org> wrote:
> >For you and fellow greybeards, perhaps: I'd be surprised if many people
> >younger than us have even heard of tcp wrappers. I don't think the
> >muscle memory of a diminishing set of users is a strong argument,
> >especially given it's a preference rather than a requirement, and
> >alternatives do exist.
>
> It is possible to have that alternative not present without being
> noticed (for example, a firewall build script failing, but sshd start
> not failing), while a security measure built into the very daemon is
> way harder to be accidentally disabled while keeping the daemon
> running.
While I'm still not totally convinced, one possible alternative here is
https://bugs.debian.org/1068311. That would still mean one more library
than strictly needed (once the GSS-API stuff is split out), but at least
it would be one small library rather than a big linkage chain over 30
times the size. I could probably justify keeping it in that case.
--
Colin Watson (he/him) [cjwatson@debian.org]