BLU Discuss list archive
[Discuss] Debian 12 in the Cloud
- Subject: [Discuss] Debian 12 in the Cloud
- From: richard.pieri at gmail.com (Rich Pieri)
- Date: Sun, 2 Jun 2024 10:42:10 -0400
- In-reply-to: <20240601230337.2a901446@mydesk.domain.cxm>
- References: <a09a4ca0-bfc8-4c5c-ad30-e307be9e2cc1@borg.org> <f840e62cb5c88c336909575f0acc5365.squirrel@mail.mohawksoft.com> <20240601230337.2a901446@mydesk.domain.cxm>
On Sat, 1 Jun 2024 23:03:37 -0400
Steve Litt <slitt at troubleshooters.com> wrote:

> Systemd has about 80 times more lines of code than runit. I know this
> doesn't 1 to 1 correspond to attack surface, but it's a reasonable
> approximation.

The number of lines of code does not correlate with attack surface. Neither does code complexity. At the most absurd lower end, a program that sanitizes strings has more lines of code and is longer and more complex than a similar program which does not sanitize strings. I hope we all agree that the "longer and more complex" version is probably the more secure version.

Smaller and simpler is easier for fewer people to understand and maintain. No argument there. But code quantity is not and has never been a measure of code quality. I hold that systemd is bad not because it is big and complex, but because much of the code is buggy rubbish, and I would hold this opinion if it were half the size of runit.

And this is all entirely irrelevant to the XZ supply chain attack, because the backdoor isn't in the source code. It's in the test harness. If you used 'git clone' then you would never see it because the payload was excluded by the .gitignore file. You had to use the tarball, and you had to build under specific conditions, for the payload to be injected into the source at build time.

-- 
\m/ (--) \m/
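A defender-side check for the tarball-versus-git gap the post describes, added here as an example and not code from the list post or the XZ project: it lists files shipped in a release tarball that are neither tracked in the git tag (the list `git ls-files` would print at that tag) nor on an allowlist of generated autotools output. The sample tarball and tracked-file list are constructed, and the `EXPECTED_GENERATED` patterns are an assumption to adjust per project.

```python
import fnmatch
import io
import tarfile
from typing import Iterable

# Generated files that autotools tarballs legitimately carry without being
# tracked in git. Illustrative patterns (an assumption), tune them per project.
EXPECTED_GENERATED = ("configure", "Makefile.in", "aclocal.m4", "*/Makefile.in")


def tarball_files(tar_bytes: bytes) -> set[str]:
    """Regular-file paths inside a tarball, with the top-level directory stripped."""
    paths = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.isfile():
                # "proj-1.0/src/main.c" -> "src/main.c"
                paths.add(member.name.split("/", 1)[-1])
    return paths


def unexpected_in_tarball(tar_bytes: bytes, tracked: Iterable[str],
                          allow: tuple[str, ...] = EXPECTED_GENERATED) -> list[str]:
    """Files in the tarball that are neither tracked in git nor expected generated output."""
    extra = tarball_files(tar_bytes) - set(tracked)
    return sorted(p for p in extra if not any(fnmatch.fnmatch(p, pat) for pat in allow))


def build_sample_tarball(files: dict[str, bytes]) -> bytes:
    """Constructed stand-in for a release tarball (not any real project's release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name=f"proj-1.0/{name}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-in for `git ls-files` output at the release tag ...
SAMPLE_TRACKED = ["configure.ac", "src/main.c", "m4/ax_pthread.m4", "tests/files/good.bin"]
# ... and for the tarball; "m4/build-helper.m4" is a hypothetical tarball-only file.
SAMPLE_TARBALL = build_sample_tarball({
    "configure.ac": b"AC_INIT([proj], [1.0])\n",
    "configure": b"#!/bin/sh\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "m4/ax_pthread.m4": b"# pthread check\n",
    "m4/build-helper.m4": b"# hypothetical macro that never appeared in git\n",
    "tests/files/good.bin": b"\x00\x01",
})

if __name__ == "__main__":
    for path in unexpected_in_tarball(SAMPLE_TARBALL, SAMPLE_TRACKED):
        print("tarball-only file, inspect before building:", path)
```

Generated `configure` is allowlisted and ignored; the hypothetical `m4/build-helper.m4` is reported because it exists only in the tarball, which is exactly the class of file a tarball-only build would pick up.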
- Follow-Ups:
  - [Discuss] Debian 12 in the Cloud
    - From: slitt at troubleshooters.com (Steve Litt)
  - [Discuss] Debian 12 in the Cloud
    - From: markw at mohawksoft.com (markw at mohawksoft.com)
  - [Discuss] Debian 12 in the Cloud
    - From: kentborg at borg.org (Kent Borg)
  - [Discuss] Debian 12 in the Cloud
- References:
  - [Discuss] Debian 12 in the Cloud
    - From: slitt at troubleshooters.com (Steve Litt)
  - [Discuss] Debian 12 in the Cloud