Re: making Debian secure by default
Hi,
On Mon, Apr 01, 2024 at 03:33:37AM -0500, Nate Bargmann wrote:
> From what I have read, lzma is not a direct dependency of openssh. It
> turns out that lzma is a dependency of libsystemd and that
> relationship affected openssh.
>
> Jacob Bachmeyer in analysis
> (https://lists.gnu.org/archive/html/automake/2024-04/msg00000.html)
> says:
>
> Lastly on this topic, some of the blame for this needs to fall on the
> systemd maintainers and their "katamari" architecture. There is no good
> reason for notifications of daemon startup to pull in liblzma, but using
> libsystemd for that purpose does exactly that, and ended up getting
> xz-utils targeted as a means of getting to sshd without the OpenSSH
> maintainers noticing.
>
> End quote.
In my view a great example of the "people other than me just need to
get good" fallacy merged with the group of people predisposed to
hate systemd.
It could have been any direct or indirect dependency of sshd here.
I'm quite sure almost none of them have the required resources and
processes to detect something like this.
I think anyone buying into systemd-blaming here needs to have a good
hard look at their biases. Which is another part of this massive
social problem. It's such a distraction. And here we are in a thread
that started with a bug in a 30+ year old setgid binary.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
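Editor's added example (not part of the list thread or of any project it mentions): the quoted point is that liblzma reached sshd only indirectly, via libsystemd's DT_NEEDED entries, which is exactly the kind of edge a maintainer does not see when looking at a package's direct Build-Depends. The script below walks an ELF object's transitive NEEDED graph and reports every path by which a given library arrives, so a defender can audit which shared objects a daemon actually maps at load time. The dependency table is a constructed, hypothetical sample shaped like the layout the thread describes, not a capture from a real Debian system; `readelf -d` is the real binutils command it can also parse when run on a local binary.

```python
"""Audit how a shared library reaches a daemon through indirect DT_NEEDED edges."""
import re
import subprocess
from collections import deque

# Constructed sample (hypothetical, not captured from a real system): each key is
# an ELF object, each value the libraries it declares as NEEDED. It mirrors the
# shape the thread describes: sshd links libsystemd for startup notification,
# and libsystemd in turn links liblzma.
SAMPLE_NEEDED = {
    "sshd": ["libcrypto.so.3", "libsystemd.so.0", "libc.so.6"],
    "libsystemd.so.0": ["liblzma.so.5", "libzstd.so.1", "libcap.so.2", "libc.so.6"],
    "libcrypto.so.3": ["libc.so.6"],
    "liblzma.so.5": ["libc.so.6"],
    "libzstd.so.1": ["libc.so.6"],
    "libcap.so.2": ["libc.so.6"],
    "libc.so.6": [],
}

# Matches the dynamic-section lines readelf prints, e.g.
#  0x0000000000000001 (NEEDED)  Shared library: [liblzma.so.5]
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")


def parse_readelf_needed(text):
    """Extract the NEEDED entries from `readelf -d` output."""
    return NEEDED_RE.findall(text)


def readelf_needed(path):
    """Run readelf -d on a real object; returns [] if readelf is unavailable."""
    try:
        proc = subprocess.run(["readelf", "-d", path], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return parse_readelf_needed(proc.stdout)


def transitive_closure(needed, root):
    """Every object mapped when root is loaded (root itself excluded)."""
    seen, queue = set(), deque(needed.get(root, []))
    while queue:
        lib = queue.popleft()
        if lib in seen:
            continue
        seen.add(lib)
        queue.extend(needed.get(lib, []))
    return seen


def dependency_paths(needed, root, target):
    """All acyclic paths root -> ... -> target along DT_NEEDED edges."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for lib in needed.get(node, []):
            if lib not in path:  # guard against cyclic NEEDED entries
                walk(lib, path + [lib])

    walk(root, [root])
    return paths


def only_reachable_via(needed, root, target, intermediary):
    """True when every path from root to target passes through intermediary."""
    paths = dependency_paths(needed, root, target)
    return bool(paths) and all(intermediary in p[1:-1] for p in paths)


if __name__ == "__main__":
    # On a real host, replace SAMPLE_NEEDED with a table built from readelf,
    # e.g. {"sshd": readelf_needed("/usr/sbin/sshd"), ...}; here the constructed
    # sample is used so the script runs offline.
    for p in dependency_paths(SAMPLE_NEEDED, "sshd", "liblzma.so.5"):
        print(" -> ".join(p))
    print(sorted(transitive_closure(SAMPLE_NEEDED, "sshd")))
```

Run against a real binary, the closure tells you the true load-time surface of the daemon rather than its declared dependencies; the path listing shows which intermediate library introduced each indirect one, which is the information the quoted analysis says the OpenSSH maintainers never had in front of them.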