
Bug#727708: systemd (security) bugs



Steve Langasek <vorlon@debian.org> writes:
> On Sat, Nov 30, 2013 at 04:07:17PM +0100, Moritz Mühlenhoff wrote:

>> The issues people are talking about were discovered during a review of
>> the Red Hat Product Security Team (most likely triggered by the
>> inclusion of systemd into RHEL7).  So in fact having more companies use
>> the code exactly made that magically happen.

> No, this is a function of one specific company having a proactive security
> review policy (for which they should be commended).  It has nothing to do
> with how many companies are using the software.

I don't think that's strictly true.  The more organizations use a piece of
software, the more likely one or more of them will have proactive security
review policies and will do such reviews.  In other words, the size of the
community is relevant to how much security verification software gets.

> I think such built-in sandboxing features are interesting, but not
> decisive.  They represent an incremental improvement over the status quo
> for sandboxing, and aren't anything that couldn't be delivered as a
> feature in upstart, for example, if there were demand for it.

I don't think capability is really the discussion that we're having, at
least in the comparison between systemd and upstart's init components.
The question is more whether there are sufficient resources in the upstart
community that such development is likely.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

