Re: systemd requiring Linux >= 3.7

Thanks for the link to Lucas Nussbaum's blog entry, that was very useful.

Given that debsecan typically seems to show fewer, less serious CVEs in
sid/jessie than stable/wheezy for the workloads I have, I will do what I
can to run Jessie for now.

There are certainly a bunch of important privilege escalation and bypass
issues fixed leading up to 3.7 kernels (and since!), only some of which
can be mitigated - but with a tight enough .config, I'd say it's the
userland application vulnerabilities which are going to be the less
complex attack vectors for a given system.

On 25/10/14 02:31, W. Martin Borgert wrote:
> Quoting email@example.com:
>> Could you give me your thoughts on what a negative vote on the
>> current proposal would mean in practice?
> The impact of different results has been analysed by Lucas Nussbaum:
> "Tentative summary of the amendments of the init system coupling GR"
> For Debian 8 (Jessie), there is no need to fear anything. For later
> versions it is hard to tell, because it does not depend much on the
> vote, but mainly on what both upstream and Debian developers will do.
> Just take a look in the crystal ball:
> If systemd works well for most people, less effort will be put in
> alternatives. If many people have problems with systemd, e.g. in
> the embedded community, alternatives will continue to be relevant.
> Maybe there will be sufficient pressure on hardware companies to
> support newer kernels on their hardware?
> Maybe in two, three years from now, there are good reasons, such as
> security aspects, not to run a <= 3.7 kernel anyway?
> If security is not a concern, maybe just keep Debian 6/7/8 forever?