On Sat, Mar 30, 2024 at 12:46:51PM +0100, Marc SCHAEFER wrote:
> sshd has a dependency on systemd, and thus includes a lot of libraries,
> which augments its attack surface.

libsystemd, not systemd.

> The recent xz-utils issue [1] has led to this post by someone suggesting
> (with a patch, apparently) to confine the sshd -> systemd dependency
> in a subprocess [2].
>
> Maybe you want to look into it?

We could do something like that, but I'd prefer to go with the patch upstream is working on in https://bugzilla.mindrot.org/show_bug.cgi?id=2641. I'm going to be doing some testing of that soon. There's also work on the libsystemd side to load decompression libraries only when actually needed, which they wouldn't be in this case.

-- 
Colin Watson (he/him) [cjwat...@debian.org]