On Sat, Nov 30, 2013 at 04:07:17PM +0100, Moritz Mühlenhoff wrote: > On Thu, Nov 28, 2013 at 08:07:16PM -0600, Steve Langasek wrote: > > All distributions "care" about not having security issues in their code, but > > that's not the same thing as actually doing the work to audit the code. In > > practice this only happens when dedicated resources are turned on the code > > in question, and having more companies using the code does not magically > > make that happen.
> [I took care of the systemd DSA people are referring to] > The issue people are talking about were discovered during a review of the > Red Hat Product Security Team (most likely triggered by the inclusion of > systemd into RHEL7). > So in fact having more companies use the code exactly made that magically > happen. No, this is a function of one specific company having a proactive security review policy (for which they should be commended). It has nothing to do with how many companies are using the software. > More review and more usage will lead to more bugs being found, we should > rather applaud Red Hat for investing resources and be diligent. After all > Red Hat is the only distro staffing a proactive product security team > (from which everyone is profiting outside of RH as well). I don't consider > the lack of reported security issues for the contenders as a credible > indication of them being more secure. Red Hat shipped upstart as their init system in RHEL 6. This did not result in any CVEs being issued for upstart. What conclusions should we draw from this? > FWIW, the main reason I'm personally in favour of adopting systemd is > precisely security (in terms of sandboxing and restricting services). See > http://0pointer.de/blog/projects/security.html for some pointers. I think such built-in sandboxing features are interesting, but not decisive. They represent an incremental improvement over the status quo for sandboxing, and aren't anything that couldn't be delivered as a feature in upstart, for example, if there were demand for it. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slanga...@ubuntu.com vor...@debian.org
signature.asc
Description: Digital signature