On Sun, Dec 01, 2013 at 09:50:49PM +, Ian Jackson wrote:
If we were to adopt systemd as pid 1, which sections of the systemd
source code would we probably want to adopt as well ? Or to put it
another way, which other existing programs would be obsoleted ?
Again, very good question. And
On Sun, Dec 01, 2013 at 12:11:11PM -0600, Steve Langasek wrote:
More review and more usage will lead to more bugs being found, we should
rather applaud Red Hat for investing resources and be diligent. After all
Red Hat is the only distro staffing a proactive product security team
(from
On Sun, Dec 01, 2013 at 11:11:43PM +0100, Sune Vuorela wrote:
On Sunday 01 December 2013 21:50:49 Ian Jackson wrote:
This leads me to a question which I find myself asking, after reading
the systemd debate page:
If we were to adopt systemd as pid 1, which sections of the systemd
source
On Sat, Nov 30, 2013 at 04:07:17PM +0100, Moritz Mühlenhoff wrote:
On Thu, Nov 28, 2013 at 08:07:16PM -0600, Steve Langasek wrote:
All distributions care about not having security issues in their code, but
that's not the same thing as actually doing the work to audit the code. In
practice
On Thursday 28 November 2013 13:43:27 Ian Jackson wrote:
CVE        summary                                Debian BTS  Redhat
2012-0871  systemd-logind insecure file creation  ?           795853
Furthermore, I think it is fair to look at bugs in non-pid-1 parts of
the systemd
Hi,
On Sun, 01 Dec 2013, Steve Langasek wrote:
More review and more usage will lead to more bugs being found, we should
rather applaud Red Hat for investing resources and be diligent. After all
Red Hat is the only distro staffing a proactive product security team
(from which everyone is
Sune Vuorela writes (Bug#727708: systemd (security) bugs (was: init system
question)):
Note that the non-pid1-parts of systemd, like logind for example, are pieces
we need no matter what init system we choose. The question is more if we can
use them as provided by upstream or we need
On Sunday 01 December 2013 21:50:49 Ian Jackson wrote:
This leads me to a question which I find myself asking, after reading
the systemd debate page:
If we were to adopt systemd as pid 1, which sections of the systemd
source code would we probably want to adopt as well ? Or to put it
On Friday 29 November 2013 at 17:55 +0100, Josselin Mouette wrote:
Indeed, systemd has not been written with security in mind.
Obviously, such a subjective judgment of valor does not mean the same to
me as to other developers. It is easy to quote it out of context and say
“oh, look! some
Hi Ian,
Ian Jackson ijack...@chiark.greenend.org.uk writes:
My point was that someone who is writing an init system for concurrent
startup and dynamic service management needs to have a good
understanding of concurrent system design, and in particular of race
hazards. I wouldn't expect a
On Thu, Nov 28, 2013 at 08:07:16PM -0600, Steve Langasek wrote:
All distributions care about not having security issues in their code, but
that's not the same thing as actually doing the work to audit the code. In
practice this only happens when dedicated resources are turned on the code
in
On Sat, Nov 30, 2013 at 04:07:17PM +0100, Moritz Mühlenhoff wrote:
[EOD from me due to a lack of time, but that needed to be said]
And thank you for saying it.
--
http://www.cafepress.com/trunktees -- geeky funny T-shirts
http://gtdfh.branchable.com/ -- GTD for hackers
On Thursday 28 November 2013 at 13:43 +, Ian Jackson wrote:
In summary, I agree with Andrew Kanaber's view that the security and
bug history of systemd is worrying.
Personally, I find the flow of bugs (including security bugs) for
moderately recent software the sign of a healthy project. A
Josselin Mouette writes (Bug#727708: systemd (security) bugs (was: init system
question)):
Personally, I find the flow of bugs (including security bugs) for
moderately recent software the sign of a healthy project. A simple look
at a few packages in the BTS will show that packages with lots
On Fri, Nov 29, 2013 at 05:55:39PM +0100, Josselin Mouette wrote:
Indeed, systemd has not been written with security in mind. Neither have
sysvinit nor upstart, AFAICT.
I wouldn't presume to say whether the systemd authors had security in mind
while writing it. But I will stand by the overall
On Friday 29 November 2013 at 17:11 +, Ian Jackson wrote:
Josselin Mouette writes (Bug#727708: systemd (security) bugs (was: init
system question)):
Personally, I find the flow of bugs (including security bugs) for
moderately recent software the sign of a healthy project. A simple
On Fri, Nov 29, 2013 at 05:11:52PM +, Ian Jackson wrote:
It is very alarming that web browsers are being presented as the
security benchmark for our new init system.
So, I tend to agree with Joss here - Web browsers are the biggest attack
surface that we have today, bar none. I don't think
On Fri, 2013-11-29 at 12:37 +, Ian Jackson wrote:
Uoti Urpala writes (Bug#727708: systemd (security) bugs (was: init system
question)):
My guess is that most people do not consider that exciting or really
care - thinking of system states in terms of runlevels is mostly
obsolete
As a system administrator, the idea of a 'kitchen sink' init system
terrifies me. I would need exceptionally high confidence in its authors
and design principles before allowing it to run as root on my systems
and depend on it to boot even to single user. I wouldn't even invest
much time
A friend of mine mentioned to me in the pub that he had seen alarming
reports of systemd security bugs. Naturally I asked for more
information and he promised me an email with some references.
So, here's what Andrew sent me. Thanks to Andrew for doing this
legwork.
I'll reply substantively in
Andrew Kanaber akana...@chiark.greenend.org.uk:
The debian-devel post I was thinking of is
441543.92540...@smtp118.mail.ir2.yahoo.com
but it actually only mentions three vulnerabilities, there's a more complete
list of the ones that have affected Debian at
Ian Jackson wrote:
It isn't always 100% clear to me from reading these which of them
apply to systemd's init replacement. But reading the systemd debate
page makes it clear that the other components in the systemd upstream
package are seen by systemd proponents as part of their offering, and
Hi Ian,
Ian Jackson ijack...@chiark.greenend.org.uk writes:
CVE        summary                                Debian BTS  Redhat
2012-0871  systemd-logind insecure file creation  ?           795853
2012-1101  DoS from systemctl status              662029      799902
On Thu, Nov 28, 2013 at 11:15:09PM +0100, Michael Stapelberg wrote:
I should say that it is hard to write code with no security bugs at
all. But I think our benchmark for security bugs in our init system
ought to be very few, particularly if we are making a specific
implementation