Re: systemd requiring Linux >= 3.7

Thanks for the link to Lucas Nussbaum's blog entry, that was very useful.

Given that debsecan typically seems to show fewer, less serious CVEs in
sid/jessie than stable/wheezy for the workloads I have, I will do what I
can to run Jessie for now.

There are certainly a bunch of important privilege escalation and bypass
issues fixed leading up to 3.7 kernels (and since!), only some of which
can be mitigated - but with a tight enough .config, I'd say it's the
userland application vulnerabilities which are going to be the less
complex attack vectors for a given system.

On 25/10/14 02:31, W. Martin Borgert wrote:
> Quoting csirac2@yahoo.com.au:
>> Could you give me your thoughts on what a negative vote on the  
>> current proposal would mean in practice?
> The impact of different results has been analysed by Lucas Nussbaum:
> "Tentative summary of the amendments of the init system coupling GR"
> (http://www.lucas-nussbaum.net/blog/?p=845)
> For Debian 8 (Jessie), there is no need to fear anything. For later
> versions it is hard to tell, because it does not depend much on the
> vote, but mainly on what both upstream and Debian developers will do.
> Just take a look in the crystal ball:
> If systemd works well for most people, less effort will be put in
> alternatives. If many people have problems with systemd, e.g. in
> the embedded community, alternatives will continue to be relevant.
> Maybe there will be sufficient pressure on hardware companies to
> support newer kernels on their hardware?
> Maybe in two, three years from now, there are good reasons, such as
> security aspects, not to run a <= 3.7 kernel anyway?
> If security is not a concern, maybe just keep Debian 6/7/8 forever?
> Cheers
