<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/20/2014 12:24 AM, Orion Poplawski
wrote:<br>
</div>
<blockquote cite="mid:532A6D73.5010503@cora.nwra.com" type="cite">
<pre wrap="">On 03/19/2014 02:56 PM, Matthew Miller wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Wed, Mar 19, 2014 at 02:32:40PM -0600, Orion Poplawski wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hmm, I like this alternative a lot. I'm probably taking this too
far, but I'm thinking of:
fail2ban-server - core components with minimal deps
fail2ban-firewalld - firewalld support/configuration - requires firewalld
fail2ban-hostsdeny - tcp_wrappers hosts.deny support - requires tcp_wrappers
fail2ban-mail - mail actions - requires /usr/bin/mail
fail2ban-sendmail - sendmail actions - requires /usr/sbin/sendmail
fail2ban-shorewall - shorewall support - requires shorewall
fail2ban-systemd - systemd journal configuration
fail2ban - default component - installs -firewalld,-sendmail,-systemd
fail2ban-all - installs everything - also requires /usr/bin/whois
Comments?
</pre>
</blockquote>
<pre wrap="">
That _might_ be going overboard. But it certainly does allow a lot of
flexibility. Somewhere there is a balance between that flexibility and the
extra packaging work and potential user confusion, and I'm not exactly sure
where that line is in this case. :)
</pre>
</blockquote>
<pre wrap="">
This seemed reasonable to me so I've gone with it in rawhide now.
Testing welcome.
</pre>
</blockquote>
<br>
I am concerned that this looks like configuring the fail2ban package
by installing more packages. If we started doing it everywhere
multiple packages interact, it would combinatorially explode the
number of packages and make the system harder to maintain, not
easier. Among other things, it would make managing the subsystem on
Fedora different than everywhere else including upstream.<br>
<br>
It's certainly a neat trick (down with obscure config files!), but
the approach does not scale. Taking this to extreme, we'd be doing
yum install emacs-vim-mode.<br>
<br>
</body>
</html>