On Mon, Apr 1, 2024 at 5:55 PM Charles Curley
<charlescur...@charlescurley.com> wrote:
>
> On Mon, 1 Apr 2024 19:00:29 +0000
> Andy Smith <a...@strugglers.net> wrote:
>
> > In my view a great example of the "people other than me just need to
> > get good" fallacy merged with the group of people predisposed to
> > hate systemd.
> >
> > It could have been any direct or indirect dependency of sshd here.
> > I'm quite sure almost none of them have the required resources and
> > processes to detect something like this.
>
> Easy, now. No-one is attacking systemd, and I don't think anyone wanted
> to start a systemd war. This could also have happened under System V
> initialization.
>
> I have no doubt that this sort of thing has happened in the past, and I
> fully expect it will happen again in the future. However, the defect
> has been caught and repaired. The system for dealing with
> vulnerabilities is working, if not perfectly. The question now is: what
> lessons can we learn from it?

++.

Right now, Linux does not have a classification system to identify
critical projects, or help with resources for those projects. I don't
like using the word "Linux", but I don't know how to describe the
ecosystem.

For critical projects, I'm talking about the cURL's, OpenSSL's, OpenSSH's,
Wget's and Xz's of the world. These are critical to a base Linux
system. When they have a memory bug or a CVE, action needs to be
taken. The free software world does not even know what the list is.
(And I'm not talking about the other useless fodder that shows up in
repos).

Other vulnerable projects include ncurses and libnettle. Ncurses is
run by Thomas Dickey (https://invisible-island.net/). libnettle is run
by Niels Möller (https://www.lysator.liu.se/~nisse/nettle/). Both are
one-man shows with no continuity plans. Dickey does not even run a
public version control system. You have to download his release
tarballs. There's nothing to make pull requests against. If Dickey or
Möller got hit by a bus crossing the street, there would be problems
for years.

Selling support for critical projects does not seem to work. I seem to
recall Werner Koch of GnuPG roughing it when relying on support
contracts to fund a project.

So one of the first steps would be to identify critical projects,
shore up their governance, and then help the project with additional
resources, like a grant and trusted eyeballs.

Jeff