On Wed, Oct 22, 2014 at 12:43:53PM -0400, C. Jon Larsen wrote:

> Incorrect assumption. systemd is a massive security hole waiting to happen
> and it does not follow the unix philosophy of done 1 thing and do it
> well/correct. 

It does seem to me that this angle, at least, is on-topic for NANOG,
and I hope someone has suggestions for how to mitigate it.  It seems
that we've had two or, arguably, three recent examples (heartbleed,
shellshock, arguably poodle) of complicated code that too few people
understood and that led to widespread, late-night-inducing emergency
action once a serious vulnerability was discovered.  Surely that
direction of development in a process that runs as PID 1 is something
that has significant follow-on effects for network security.

But I have no clue what one can do about it.  For many years, I liked
to keep some Linux and some BSD systems around, because it seemed to
me that the different styles tended to encourage diversity and that
was a good thing.  But management of BSD systems -- particularly the
nonsense of rebuilding things from source all the time -- started to
look mighty onerous compared to apt-get update; apt-get upgrade.
Others apparently agreed, and now there are enough things that work
well on Linux but not as well (or not at all) on BSD that the
diversity argument isn't as strong.  (Also, of course, certain kinds
of things, like some kinds of database replication, don't work well
across platforms, so there's another reason to converge on a single
system.)  Debian was always the Linux platform that seemed most
insistent on having more than one way to do it, but in recent years
that philosophy has made it more work to use than the alternatives;
and the alternatives have often gotten good enough that one doesn't
care (Ubuntu is the obvious example here).

So, now we have an encroaching monoculture, and no real option to do
anything about it.  Maybe this is just the way the Internet is, now.


Andrew Sullivan
Dyn, Inc.
v: +1 603 663 0448
