+1

> On Apr 4, 2024, at 5:43 AM, Ruediger Pluem <rpl...@apache.org> wrote:
> 
> 
> 
> On 4/3/24 4:32 PM, Joe Orton wrote:
>> On Tue, Apr 02, 2024 at 12:25:40PM +0200, Rainer Jung wrote:
>>> Hi there,
>>> 
>>> in the light of the recent xz attack I was wondering, whether we should also
>>> reduce our library dependencies by no longer using sd_notify() in
>>> mod_systemd (thus loading libsystemd and all of its dependencies), but
>>> instead taking the approach to hard code sd_notify functionality.
>>> 
>>> I guess the Linux distributors who patched sshd to use libsystemd for
>>> notification are on their way to do the same for their sshd patches, so we
>>> might soon get an idea how to do that properly.
>>> 
>>> This is not meant to become part of our next release (this week), but
>>> hopefully we can manage to code it for the next one.
>>> 
>>> WDYT: does this make sense?
>> 
>> The trunk mod_systemd has got slightly wider library use than just 
>> sd_notify - so it is not quite that simple. If there was an alternative 
>> minimal library implementing the sd_* API parts required, that would 
>> definitely make sense. I'm not sure that reimplementing them all from 
>> scratch makes sense (especially multiplied by N projects doing this).
>> 
> 
> +1
> 
>> It looks like systemd folks have also changed the library implementation 
>> to dlopen() the various dependent libraries on demand now rather than 
>> directly linking to them, which removes the specific attack vector used 
>> here IIUC.
> +1. Unless the systemd folks show that they are unwilling to address issues
> I would stay with libsystemd.
> 
> Regards
> 
> Rüdiger
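
For reference, the "hard code sd_notify functionality" option Rainer raises amounts to speaking the notification protocol documented in sd_notify(3) directly: write the "KEY=VALUE\n" state string as a single datagram to the AF_UNIX socket whose path systemd passes in $NOTIFY_SOCKET (a leading '@' denoting a Linux abstract-namespace socket). The following is an added example written for this thread, not code from httpd's mod_systemd or from libsystemd; the function names notify_minimal, selftest_unset and selftest_roundtrip and the /tmp socket path used by the self-test are the editor's own. It covers only the sd_notify() part; as Joe notes, trunk mod_systemd uses more of the sd_* API than this.

```c
/* Minimal sd_notify() replacement: speaks the documented notification
 * protocol directly, so the program links no libsystemd.
 * Added example for this thread; not httpd's or systemd's own code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#ifndef SOCK_CLOEXEC
#define SOCK_CLOEXEC 0
#endif
#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0
#endif

/* Send one "KEY=VALUE\n..." state string to the AF_UNIX datagram socket
 * named by $NOTIFY_SOCKET. Return values follow sd_notify(3): 0 when the
 * variable is unset (not supervised by systemd: a silent no-op), 1 on
 * success, -errno on failure. */
int notify_minimal(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || *path == '\0')
        return 0;

    size_t len = strlen(path);
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    if (len >= sizeof addr.sun_path)
        return -ENAMETOOLONG;
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, len);
    /* A leading '@' means a Linux abstract-namespace socket; on the wire
     * that is a leading NUL byte and the address length excludes any
     * trailing terminator. */
    if (addr.sun_path[0] == '@')
        addr.sun_path[0] = '\0';
    socklen_t addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len);

    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -errno;
    ssize_t n = sendto(fd, state, strlen(state), MSG_NOSIGNAL,
                       (const struct sockaddr *)&addr, addrlen);
    int saved = errno;
    close(fd);
    return n < 0 ? -saved : 1;
}

/* Self-test: with NOTIFY_SOCKET unset the call must be a harmless no-op. */
int selftest_unset(void)
{
    unsetenv("NOTIFY_SOCKET");
    return notify_minimal("READY=1\n") == 0;
}

/* Self-test: bind a receiving datagram socket on a constructed temporary
 * path (standing in for systemd's notify socket), point NOTIFY_SOCKET at
 * it, send READY=1 and verify the exact bytes arrive. Returns 1 on success. */
int selftest_roundtrip(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/notify-example-%ld", (long)getpid());
    unlink(path);

    int srv = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (srv < 0)
        return 0;
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    if (bind(srv, (const struct sockaddr *)&addr, sizeof addr) < 0) {
        close(srv);
        return 0;
    }

    int ok = 0;
    if (setenv("NOTIFY_SOCKET", path, 1) == 0 && notify_minimal("READY=1\n") == 1) {
        char buf[64];
        ssize_t n = recv(srv, buf, sizeof buf - 1, 0);
        if (n > 0) {
            buf[n] = '\0';
            ok = strcmp(buf, "READY=1\n") == 0;
        }
    }
    unsetenv("NOTIFY_SOCKET");
    close(srv);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("unset no-op: %s\n", selftest_unset() ? "ok" : "FAIL");
    printf("round trip:  %s\n", selftest_roundtrip() ? "ok" : "FAIL");
    return 0;
}
```

Two practical caveats for a daemon that adopts this: call it from the process systemd is actually watching (the MAINPID it expects), and unset NOTIFY_SOCKET before forking unrelated children, as libsystemd's unset_environment flag does, so CGI or piped-logger processes cannot send their own READY= or STATUS= messages.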
