BLU Discuss list archive
[Discuss] Debian 12 in the Cloud
- Subject: [Discuss] Debian 12 in the Cloud
- From: richard.pieri at gmail.com (Rich Pieri)
- Date: Tue, 4 Jun 2024 08:25:28 -0400
- In-reply-to: <20240604020416.0f730e28@mydesk.domain.cxm>
- References: <a09a4ca0-bfc8-4c5c-ad30-e307be9e2cc1@borg.org> <f840e62cb5c88c336909575f0acc5365.squirrel@mail.mohawksoft.com> <20240601230337.2a901446@mydesk.domain.cxm> <20240602104210.4165888d.Richard.Pieri@gmail.com> <20240603155857.3eae5d9d@mydesk.domain.cxm> <20240603174623.1bb67a97.Richard.Pieri@gmail.com> <20240604020416.0f730e28@mydesk.domain.cxm>
On Tue, 4 Jun 2024 02:04:16 -0400
Steve Litt <slitt at troubleshooters.com> wrote:

> >You said there is a correlation even if it's not 1:1.
> >
> >I said that no such correlation exists. It's a myth.
>
> I'll need to see the URL to the statistical survey showing that in
> order to accept it.

I accept, and completely agree, that smaller, simpler code *can be*
everything you say: easier to understand, easier to test, etc. It's a
good programming philosophy to have.

The myth is that size of attack surface *is* directly correlated with
line count. This myth assumes that every line of every program is of
consistent quality, and that every line of every program has the same
exposure to attack.

On the one hand, I don't know of any statistical surveys which
demonstrate that neither assumption is true in the real world. On the
other, do we really need such a thing in order to prove that Daniel J.
Bernstein writes better, safer code than Lennart Poettering?

> The preceding timeline sounds reasonable and I believe it. However, it
> doesn't contradict my point that systemd has too many dependencies for
> them to handle, and distros deploying systemd can't do all the due
> diligence to make sure it isn't a pathway to a supply chain attack.

I have never denied the base assertion: systemd started life as a buggy
mess, and has grown far too complicated with far too many dependencies
to be reasonably managed.

My disagreement is over the assertion that this badness is why the XZ
supply chain attack happened. This simply is not true. The *form* of
the attack was tailored to that specific dependency chain, but the
reason why systemd and XZ were attacked and exploited is because they
exist. If that dependency chain did not exist, if systemd were better
designed, then the attack would have taken a different form, one
tailored to that reality instead of ours.

--
\m/ (--) \m/