Quoting Simon Hobson (li...@thehobsons.co.uk):

> Rick Moen <r...@linuxmafia.com> wrote:
>
> > Remember that bit I posted about how /usr/bin/ssh makes dynamic library
> > calls to sonames of two Kerberos libraries, even on the overwhelming
> > majority of systems that do not implement Kerberos?
> ...
> > 'Trust' in the sense you use the word just isn't in that.
>
> But it is.
> Have you actually checked any (or all) of the libraries to be sure ?

This is a bit silly, so-broad-as-to-be-meaningless application of the
word 'trust'. I don't, in the general case, personally inspect any of
the binaries or libraries on my systems, nor in the general case do I
compile those myself, nor do I perform local diverse double-compiling to
prevent application of Ken Thompson's 1984 'Reflections on Trusting
Trust' moby hack, either.

https://www.schneier.com/blog/archives/2006/01/countering_trus.html
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

Now, are we done with the ritual paranoia dance?

> The point is, which you seem to keep missing, is that I do not have
> this level of trust in anyone pushing systemd.

No, I 'get' your oft-repeated personal opinion. I'm just not impressed
with the allegedly sinister, alleged threat of distro-maintained
interface glue package libsystemd0. Nor am I impressed with the alleged
problem of any 'amount of noise surrounding' that topic or any other.
Because I have a few clues about software and open source, and have
reasonable confidence I follow what's going on, on an ongoing basis.

> Plus, as someone else pointed out, to permit libsystemd0 (or equivs
> *IFF* it doesn't break packages - which it does with ClamAV) is
> tacitly accepting that these packages are OK to blindly depend on it.

You seem to be using some strange, emotionally tinged sense of the words
'accept' and 'OK'. Am I tacitly 'accepting' that Kerberos libraries are
'OK' on my Kerberos-less systems because I am 'accepting' the dynamic
library links in /usr/bin/ssh? I don't even really know what that means.

I tolerate the fact that the dynamic library calls to two
locally-pointless Kerberos libraries exist, in the sense that I've not
rushed out and recompiled/rebuilt package openssh-client to eliminate
the vestigial and basically meaningless library dependency. Which in
turn is because I'm a bit busy and have other, better things to worry
about.
If I _really_ needed a new hobby, I suppose I could run Gentoo/Funtoo
and spend my idle hours on USE flags and running compiles to eliminate
every vestigial library call -- but I don't.

> If the packagers can package that dependency and not get pushback from
> the users, then there's no incentive to consider if it might not be
> "right".

And why the Gehenna would they do that? Do they have some blood feud
with your clan? To my knowledge, they don't with mine. I lead a rather
more blessedly boring life, and have time for things like gardening, and
occasionally administering Linux systems.

I don't even have it in for the Kerberos people, and to my knowledge
they have only benign (if complex and poorly documented) plans for my
greater metropolitan region -- though I keep a wary eye to the south
where dread Stanford University lies, a hotbed of Kerberos radicalism.
They even do AFS there! (Perhaps they can be forced to pay for a border
fence.)

> It comes back to - how much is it "programmers are lazy" vs how much
> is "well actually it is real work".

Please figure that out and report back to us. I'll mail you a shiny
pre-Ted Heath-era pre-decimalisation penny for your efforts. ;->

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng