
Bug#727708: systemd (security) bugs (was: init system question)



On Thursday 28 November 2013 at 13:43 +0000, Ian Jackson wrote:
> In summary, I agree with Andrew Kanaber's view that the security and
> bug history of systemd is worrying.

Personally, I find the flow of bugs (including security bugs) for
moderately recent software the sign of a healthy project. A simple look
at a few packages in the BTS will show that packages with lots of
reported bugs are packages with lots of users and features, regardless
of the quality of their code: Linux, X, Iceweasel, GNOME, KDE all come
to mind as being full of bugs, including security bugs.

Indeed, systemd has not been written with security in mind. Neither have
sysvinit nor upstart, AFAICT. Yes, it would be better if *all*
developers had a better grasp of secure programming, but on the other
hand, asking the first people to use some advanced kernel interfaces to
understand all their security implications is unfair. Just like we don’t
hold the Mozilla developers responsible for security issues in brand-new
JavaScript engines that maybe 10 developers in the world could
understand.

As Michael mentioned, systemd has a broader scope than alternatives.
You’d have to use a system providing similar features as a basis for a
fair comparison, and such a system doesn’t really exist in the Unix
world. If you only take into account the features that are also provided
by upstart or sysvinit/insserv, you won’t find that many of these bugs
apply. Compare that to the number of unfixable bugs in sysvinit due to
broken design. 

Cheers,
-- 
 .''`.        Josselin Mouette
: :' :
`. `'
  `-

