Comment 3 for bug 1068420

Yes, looks like allowed_sync_hosts should not be considered a security feature (the shared key is what provides security, IP source is pretty spoofable anyway), at best it should be considered a way to catch misconfigurations (among the trusted that know the shared secret).

I agree that it should be documented, though.