BLU Discuss list archive
[Discuss] Debian 12 in the Cloud
- Subject: [Discuss] Debian 12 in the Cloud
- From: slitt at troubleshooters.com (Steve Litt)
- Date: Sat, 1 Jun 2024 23:03:37 -0400
- In-reply-to: <f840e62cb5c88c336909575f0acc5365.squirrel@mail.mohawksoft.com>
- References: <a09a4ca0-bfc8-4c5c-ad30-e307be9e2cc1@borg.org> <f840e62cb5c88c336909575f0acc5365.squirrel@mail.mohawksoft.com>
markw at mohawksoft.com said on Fri, 31 May 2024 09:37:38 -0400

>The xz thing is totally different. That was a masterful bit of
>espionage. It was two years in the making, and if we don't think this
>is elsewhere as well, unrelated to systemd, then I'm sure we are
>kidding ourselves.

Hi Markw,

I read, understood, believe and respect what you said about not being a systemd fan and am not trying to imply otherwise. All I'm doing is to provide a viewpoint on your paragraph quoted above...

Instead of the paragraph above, imagine saying it about bicycle locks. "If we don't think bicycle theft happens even without bicycle locks, then I'm sure we're kidding ourselves." Although this is factually true, it leaves out the point that an unlocked bicycle is stealable by a much less skilled thief, and in a bike rack full of locked bikes, it will be the first to go. And if a lot of people don't lock their bikes, it brings many more bike thieves into the "industry". Systemd makes exploits easier, and easier exploits encourage more script kiddies to get into the game.

Then there's another twist on what you said that goes something like the following: "If we don't think systemd exploiters are elsewhere as well, unrelated to the people who exploited xz, then I'm sure we're kidding ourselves." In other words, systemd is such a juicy target with such a huge attack surface that we can be pretty sure there are other exploits out there related to systemd.

Meanwhile, the runit init system is less than 16K lines of code:

[slitt at mydesk runit-2.1.2]$ (find . | xargs wc -l | grep total) 2>/dev/null
15684 total

Systemd has about 80 times more lines of code than runit. I know this doesn't 1 to 1 correspond to attack surface, but it's a reasonable approximation.

SteveT

Steve Litt
Autumn 2023 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21