Bug#727708: systemd (security) bugs (was: init system question)

2013-12-03 Thread Moritz Muehlenhoff
On Sun, Dec 01, 2013 at 12:11:11PM -0600, Steve Langasek wrote: > > More review and more usage will lead to more bugs being found, we should > > rather applaud Red Hat for investing resources and be diligent. After all > > Red Hat is the only distro staffing a proactive product security team > > (f

Bug#727708: systemd (security) bugs (was: init system question)

2013-12-03 Thread Sergey B Kirpichev
On Sun, Dec 01, 2013 at 09:50:49PM +, Ian Jackson wrote: > If we were to adopt systemd as pid 1, which sections of the systemd > source code would we probably want to adopt as well ? Or to put it > another way, which other existing programs would be obsoleted ? Again, very good question. And

Bug#727708: systemd (security) bugs (was: init system question)

2013-12-02 Thread Steve Langasek
On Sun, Dec 01, 2013 at 11:11:43PM +0100, Sune Vuorela wrote: > On Sunday 01 December 2013 21:50:49 Ian Jackson wrote: > > This leads me to a question which I find myself asking, after reading > > the systemd debate page: > > If we were to adopt systemd as pid 1, which sections of the systemd > >

Bug#727708: systemd (security) bugs (was: init system question)

2013-12-01 Thread Sune Vuorela
On Sunday 01 December 2013 21:50:49 Ian Jackson wrote: > This leads me to a question which I find myself asking, after reading > the systemd debate page: > > If we were to adopt systemd as pid 1, which sections of the systemd > source code would we probably want to adopt as well ? Or to put it >

Bug#727708: systemd (security) bugs (was: init system question)

2013-12-01 Thread Ian Jackson
Sune Vuorela writes ("Bug#727708: systemd (security) bugs (was: init system question)"): > Note that the non-pid1-parts of systemd, like logind for example, are pieces > we need no matter what init system we choose. The question is more if we can > use them as provided by ups

Bug#727708: systemd (security) bugs (was: init system question)

2013-12-01 Thread Raphael Hertzog
Hi, On Sun, 01 Dec 2013, Steve Langasek wrote: > > More review and more usage will lead to more bugs being found, we should > > rather applaud Red Hat for investing resources and be diligent. After all > > Red Hat is the only distro staffing a proactive product security team > > (from which everyo

Bug#727708: systemd (security) bugs (was: init system question)

2013-12-01 Thread Sune Vuorela
On Thursday 28 November 2013 13:43:27 Ian Jackson wrote: > > CVE summary Debian BTS Redhat > > 2012-0871 systemd-logind insecure file creation ? 795853 > Furthermore, I think it is fair to look at bugs in non-pid-1 parts of > the syste

Bug#727708: systemd (security) bugs (was: init system question)

2013-12-01 Thread Steve Langasek
On Sat, Nov 30, 2013 at 04:07:17PM +0100, Moritz Mühlenhoff wrote: > On Thu, Nov 28, 2013 at 08:07:16PM -0600, Steve Langasek wrote: > > All distributions "care" about not having security issues in their code, but > > that's not the same thing as actually doing the work to audit the code. In > > p

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-30 Thread Lars Wirzenius
On Sat, Nov 30, 2013 at 04:07:17PM +0100, Moritz Mühlenhoff wrote: > [EOD from me due to a lack of time, but that needed to be said] And thank you for saying it. -- http://www.cafepress.com/trunktees -- geeky funny T-shirts http://gtdfh.branchable.com/ -- GTD for hackers

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-30 Thread Moritz Mühlenhoff
On Thu, Nov 28, 2013 at 08:07:16PM -0600, Steve Langasek wrote: > All distributions "care" about not having security issues in their code, but > that's not the same thing as actually doing the work to audit the code. In > practice this only happens when dedicated resources are turned on the code >

Bug#727708: systemd (security) bugs (was: init system question) [and 1 more messages]

2013-11-30 Thread Michael Stapelberg
Hi Ian, Ian Jackson writes: > My point was that someone who is writing an init system for concurrent > startup and dynamic service management needs to have a good > understanding of concurrent system design, and in particular of race > hazards. I wouldn't expect a person or people who had such a

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-30 Thread Josselin Mouette
Le vendredi 29 novembre 2013 à 17:55 +0100, Josselin Mouette a écrit : > Indeed, systemd has not been written with security in mind. Obviously, such a subjective judgment of valor does not mean the same to me as to other developers. It is easy to quote it out of context and say “oh, look! some sy

Re: Bug#727708: systemd (security) bugs (was: init system question)

2013-11-29 Thread Steven Chamberlain
As a system administrator, the idea of a 'kitchen sink' init system terrifies me. I would need exceptionally high confidence in its authors and design principles before allowing it to run as root on my systems and depend on it to boot even to single user. I wouldn't even invest much time enquirin

Bug#727708: systemd (security) bugs (was: init system question) [and 1 more messages]

2013-11-29 Thread Uoti Urpala
On Fri, 2013-11-29 at 12:37 +, Ian Jackson wrote: > Uoti Urpala writes ("Bug#727708: systemd (security) bugs (was: init system > question)"): > > My guess is that most people do not consider that "exciting" or really > > care - thinking of system st

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-29 Thread Paul Tagliamonte
On Fri, Nov 29, 2013 at 05:11:52PM +, Ian Jackson wrote: > It is very alarming that web browsers are being presented as the > security benchmark for our new init system. So, I tend to agree with Joss here - Web browsers is the biggest attack surface that we have today, bar none. I don't think

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-29 Thread Andreas Barth
* Josselin Mouette (j...@debian.org) [131129 19:21]: > It is quite alarming that a member of the Technical Committee > demonstrates lacks in security knowledge I would prefer if you could stop doing ad-hominem attacks (independent of whom - this is not an acceptable behaviour). Andi

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-29 Thread Josselin Mouette
Le vendredi 29 novembre 2013 à 17:11 +, Ian Jackson a écrit : > Josselin Mouette writes ("Bug#727708: systemd (security) bugs (was: init > system question)"): > > Personally, I find the flow of bugs (including security bugs) for > > moderately recent software the

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-29 Thread Steve Langasek
On Fri, Nov 29, 2013 at 05:55:39PM +0100, Josselin Mouette wrote: > Indeed, systemd has not been written with security in mind. Neither have > sysvinit nor upstart, AFAICT. I wouldn't presume to say whether the systemd authors had security in mind while writing it. But I will stand by the overall

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-29 Thread Ian Jackson
Josselin Mouette writes ("Bug#727708: systemd (security) bugs (was: init system question)"): > Personally, I find the flow of bugs (including security bugs) for > moderately recent software the sign of a healthy project. A simple look > at a few packages in the BTS will show

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-29 Thread Josselin Mouette
Le jeudi 28 novembre 2013 à 13:43 +, Ian Jackson a écrit : > In summary, I agree with Andrew Kanaber's view that the security and > bug history of systemd is worrying. Personally, I find the flow of bugs (including security bugs) for moderately recent software the sign of a healthy project. A

Bug#727708: systemd (security) bugs (was: init system question) [and 1 more messages]

2013-11-29 Thread Ian Jackson
Uoti Urpala writes ("Bug#727708: systemd (security) bugs (was: init system question)"): > [Ian Jackson:] > > Here are a couple of exciting snippets: > > https://bugzilla.redhat.com/show_bug.cgi?id=708537 > > > > Problems with runlevel emulation doing ma

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-28 Thread Steve Langasek
On Thu, Nov 28, 2013 at 11:15:09PM +0100, Michael Stapelberg wrote: > > I should say that it is hard to write code with no security bugs at > > all. But I think our benchmark for security bugs in our init system > > ought to be "very few", particularly if we are making a specific > > implementatio

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-28 Thread Michael Stapelberg
Hi Ian, Ian Jackson writes: >> CVE summary Debian BTS Redhat >> 2012-0871 systemd-logind insecure file creation ? 795853 >> 2012-1101 DoS from systemctl status 662029 799902 >> 2012-1174 TOCTOU deletion

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-28 Thread Uoti Urpala
Ian Jackson wrote: > It isn't always 100% clear to me from reading these which of them > apply to systemd's init replacement. But reading the systemd debate > page makes it clear that the other components in the systemd upstream > package are seen by systemd proponents as part of their offering, a

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-28 Thread Ian Jackson
Andrew Kanaber: > The debian-devel post I was thinking of is > <441543.92540...@smtp118.mail.ir2.yahoo.com> > but it actually only mentions three vulnerabilities, there's a more complete > list of the ones that have affected Debian at > https://security-tracker.debian.org/tracker/source-package/

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-28 Thread Ian Jackson
A friend of mine mentioned to me in the pub that he had seen alarming reports of systemd security bugs. Naturally I asked for more information and he promised me an email with some references. So, here's what Andrew sent me. Thanks to Andrew for doing this legwork. I'll reply substantively in a