Hi Jan-Pascal and Helmut,

On Mon, Oct 26, 2015 at 09:23:19PM +0100, Jan-Pascal van Best wrote:
> Hi Helmut,
> 
> Thanks for showing some care for this package. The main reason for me to
> want to support denyhosts was the possibility of the synchronisation
> server. I have since written an (AGPL licensed) replacement for the
> original, closed source, server, starting from Anne Bezemer's suggestion
> in Debian bug#622697.
> 
> I may consider offering to do the security support for denyhosts for at
> least the stretch support period, but I'm not sure what that would mean
> exactly. Is the main work in following CNEs for the package and fixing
> them for Debian (and preferably upstream as well)?
> 
> Another possibility might be to work with fail2ban upstream to also
> support my, or another, synchronisation server, but I'm not sure if they
> would be willing to accept patches to that effect.
> 
> >  * Your upload reintroduces security bug #692229.
> You're right. I checked whether all Debian patches had been implemented
> upstream, must have missed this one.
> 
> >  * Due to the removal of denyhosts from Debian, the following bugs were
> >    closed by the ftp masters:
> >
> >    #395565 #436417 #497485 #514024 #529089 #546772 #597956 #567209 #611756
> >    #622697 #643031 #720130 #729322 #731963
> >
> >    Please evaluate which of them need to be reopened or failing that
> >    reopen all of them.
> Of course, I was planning to do that.

From the security team's point of view: If all the previously open security
bugs get fixed, and both maintainer (hey! ;-)) and upstream remain
active and on track when issues appear, I guess we will be fine to have
denyhosts in stretch as well.

OTOH, there is fail2ban, which is actively developed as well, and so I
guess much more widely used, so it would possibly be better to concentrate
the work effort on fail2ban. Helmut is right here that it's hard to
get all the bits right already, so if we can avoid in the end having
to maintain both denyhosts and fail2ban, that might be preferable.

Have you spoken to/contacted fail2ban upstream to bring up your ideas about
the synchronisation server?

Please only close this bug in case we would be sure that denyhosts
should go in stretch and all the items raised by Helmut are addressed.

Regards,
Salvatore
