Josselin Mouette writes ("Bug#727708: systemd (security) bugs (was: init system question)"):
> Personally, I find the flow of bugs (including security bugs) for
> moderately recent software the sign of a healthy project. A simple look
> at a few packages in the BTS will show that packages with lots of
> reported bugs are packages with lots of users and features, regardless
> of the quality of their code: Linux, X, Iceweasel, GNOME, KDE all come
> to mind as being full of bugs, including security bugs.

All of those components are to a greater or lesser extent optional.
What we are being asked is to make use of systemd mandatory.

> Indeed, systemd has not been written with security in mind.

What an alarming comment on a program which has ultimate privilege, is
intended to be universally deployed even in the most demanding
security environment, crosses security boundaries (without, IMO, a
sufficient justification), and is being touted as the single
systemwide manager for security features like cgroups!

> Neither have sysvinit nor upstart, AFAICT.

I will leave the upstart maintainers to comment on this in more
detail, but sysvinit has had remarkably few security bugs for a
program of its vintage. This is because it has very few, and very
restricted, interfaces to untrusted parts of the system.

> Just like we don’t hold the Mozilla developers responsible
> for security issues in brand-new Javascript engines that maybe 10
> developers in the world could understand.

The security record of web browsers is indeed atrocious. It is the
result of a persistent swamp of bad design decisions, hideous
overcomplexity, plain bad code, and lack of attention to mitigation
measures. Google's efforts in this area are to be applauded, even
though I have serious privacy problems with Google.

It is very alarming that web browsers are being presented as the
security benchmark for our new init system.

Ian.