Bug#727708: systemd (security) bugs (was: init system question)

[Moritz Mühlenhoff <jmm@inutil.org>]

On Thu, Nov 28, 2013 at 08:07:16PM -0600, Steve Langasek wrote:
> All distributions "care" about not having security issues in their code, but
> that's not the same thing as actually doing the work to audit the code.  In
> practice this only happens when dedicated resources are turned on the code
> in question, and having more companies using the code does not magically
> make that happen.

[I took care of the systemd DSA people are referring to]

The issue people are talking about were discovered during a review of
the Red Hat Product Security Team (most likely triggered by the inclusion
of systemd into RHEL7).
So in fact having more companies use the code exactly made that magically
happen.

For every complex code base a thorough review will unveil security-related
implementation bugs and the ones found for systemd are not exactly earth-
shattering.

More review and more usage will lead to more bugs being found, we should
rather applaud Red Hat for investing resources and be diligent. After all
Red Hat is the only distro staffing a proactive product security team
(from which everyone is profiting outside of RH as well). I don't consider
the lack of reported security issues for the contenders as a credible 
indication of them being more secure.

FWIW, the main reason I'm personally in favour of adopting systemd is precisely 
security (in terms of sandboxing and restricting services). See
http://0pointer.de/blog/projects/security.html for some pointers.

[EOD from me due to a lack of time, but that needed to be said]

Cheers,
        Moritz