Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?
On Wed, 05 May 2021 19:04:10 +0900 Olaf Meeuwissen via Dng wrote:

> Hi Martin, list,
>
> Martin Steigerwald writes:
>
> > Hi!
> >
> > goli...@devuan.org - 02.05.21, 22:15:48 CEST:
> >> On 2021-05-02 06:08, terryc wrote:
> >> > Unfortunately there are systemd libraries installed by
> >> > Devuan-beowulf
> >> > desktop installation DVD.
> >>
> >> [snip]
> >>
> >> And they are harmless.
> >>
> >> Why are systemd files present in Devuan?
> >> https://dev1galaxy.org/viewtopic.php?id=1925
> >
> > No systemd library on my Devuan systems:
> >
> > % dpkg -l | grep systemd
> > [no output]
>
> I forgot about dpkg's -l option, having gotten used to dpkg-query
> -W :-)
>
> > Also none via locate.
> >
> > Using Plasma as desktop together with elogind.
>
> No libsystemd0 on my beowulf machine but I did find it on a chimaera
> system I installed just a few days ago (using the alpha installer).
>
> Curiosity piqued, I hunted it down and it turns out that my console
> only chimaera system installed it to satisfy Depends: for rsyslog,
> lvm2 and liblvm2cmd2.03. The latter two depend on libsystemd0 (>=
> 222).
>
> But wait a sec! I've got lvm2 installed on my beowulf system too and
> there's no libsystemd0 to be found there! What gives?
>
> Turns out that libelogind0 is installed there and that happens to
> sport a Provides: libsystemd0 (= 241.4). On chimaera the versioned
> dependency equals 246.10 (as of writing).
>
> So people trying to get rid of the libsystemd0 package might try
>
>   apt install libelogind0 libsystemd0-
>
> but IIRC (and I'm relying on *very* vague memory here!) not all
> desktop environments will work with that. FWIW, my beowulf machine
> is running fine with Xfce.

Hi,

as far as I can tell, having tested briefly all DEs supported by the Debian buster installer while working on my buster to beowulf migration script, nowadays all of them work with elogind/libelogind.

The only problematic Display Manager was Gnome's gdm3, which could be easily substituted with slim or lightdm.

Ciao,
Tito

> Hope this helps,
> --
> Olaf Meeuwissen, LPIC-2
> FSF Associate Member since 2004-01-27
> GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
> Support Free Software https://my.fsf.org/donate
> Join the Free Software Foundation https://my.fsf.org/join
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?
Olaf Meeuwissen - 05.05.21, 12:04:10 CEST:

> No libsystemd0 on my beowulf machine but I did find it on a chimaera
> system I installed just a few days ago (using the alpha installer).
>
> Curiosity piqued, I hunted it down and it turns out that my console
> only chimaera system installed it to satisfy Depends: for rsyslog,
> lvm2 and liblvm2cmd2.03. The latter two depend on libsystemd0 (>=
> 222).
>
> But wait a sec! I've got lvm2 installed on my beowulf system too and
> there's no libsystemd0 to be found there! What gives?
>
> Turns out that libelogind0 is installed there and that happens to
> sport a Provides: libsystemd0 (= 241.4). On chimaera the versioned
> dependency equals 246.10 (as of writing).
>
> So people trying to get rid of the libsystemd0 package might try
>
>   apt install libelogind0 libsystemd0-
>
> but IIRC (and I'm relying on *very* vague memory here!) not all
> desktop environments will work with that. FWIW, my beowulf machine
> is running fine with Xfce.

Exactly that. I am using elogind with KDE's Plasma. On Devuan Ceres with LVM 2. No libsystemd.

Best,
--
Martin

Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?
Hi Ludovic, list,

Ludovic Bellière writes:

> Hi terryc,
>
> Those are *not* systemd libraries. They're services files or helpers
> shipped with the various packages you install.

Correct.

> It is not possible to get
> rid of them without forking nearly all debian packages,

This is not quite correct. You can tell dpkg to --path-exclude files that match a glob pattern. See `man dpkg` for details. Putting this in your /etc/dpkg.cfg will make sure all dpkg invocations use it, apt included.

So, adding for example

  path-exclude = /lib/systemd/*

would prevent installation of any matching files that a *.deb would otherwise install. You still have to clean up existing matching files yourself of course.

So for those of you hell-bent on keeping files reeking of systemd off of your systems, you can and you can do this yourselves. If it happens to break stuff, you get to keep the pieces but I guess mentioning breakage here on the list will certainly pique some people's attention.

> which is beyond the scope of the devuan project.

Forking all packages that provide files you can easily prevent from getting installed yourself is indeed beyond the scope of the Devuan project if you ask me. There's plenty of other stuff to be done.

> The service files are text files and benign.

I've found them to waste disk space on the one hand and provide useful info to fix issues on the other. Your experience may vary.

> Your system **is without** systemd.
> On Sun, 02 May 2021, terryc wrote:
>
>> Unfortunately there are systemd libraries installed by Devuan-beowulf
>> desktop installation DVD.
>>
>> There are in
>> /ver/lib/

Huh? /ver/lib, really? I think you mean /usr/lib.

>> /lib
>> /etc and
>> /run
>>
>> It appears to be something in the base system as both the headless
>> systems I recently set up have/had* them.

As I mentioned in a previous post, I found that rsyslog and the use of LVM have a dependency on libsystemd0. That dependency can be satisfied by installing libelogind0 instead of it.

>> Options selected were
>> console stuff
>> print server,
>> ssh server
>> and whatever is last.
>>
>> One system did have xfce-xfce4 selected, but the libraries are not
>> dependent on these.
>>
>> *rm -rf systemd on the relevant directories doesn't seem to affect
>> anything. I did this as 'aptitude search systemd' didn't list any
>> packages installed.
>>
>> Memo to self; use minimal installation next time.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2
FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join

Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?
Hi Martin, list,

Martin Steigerwald writes:

> Hi!
>
> goli...@devuan.org - 02.05.21, 22:15:48 CEST:
>> On 2021-05-02 06:08, terryc wrote:
>> > Unfortunately there are systemd libraries installed by
>> > Devuan-beowulf
>> > desktop installation DVD.
>>
>> [snip]
>>
>> And they are harmless.
>>
>> Why are systemd files present in Devuan?
>> https://dev1galaxy.org/viewtopic.php?id=1925
>
> No systemd library on my Devuan systems:
>
> % dpkg -l | grep systemd
> [no output]

I forgot about dpkg's -l option, having gotten used to dpkg-query -W :-)

> Also none via locate.
>
> Using Plasma as desktop together with elogind.

No libsystemd0 on my beowulf machine but I did find it on a chimaera system I installed just a few days ago (using the alpha installer).

Curiosity piqued, I hunted it down and it turns out that my console only chimaera system installed it to satisfy Depends: for rsyslog, lvm2 and liblvm2cmd2.03. The latter two depend on libsystemd0 (>= 222).

But wait a sec! I've got lvm2 installed on my beowulf system too and there's no libsystemd0 to be found there! What gives?

Turns out that libelogind0 is installed there and that happens to sport a Provides: libsystemd0 (= 241.4). On chimaera the versioned dependency equals 246.10 (as of writing).

So people trying to get rid of the libsystemd0 package might try

  apt install libelogind0 libsystemd0-

but IIRC (and I'm relying on *very* vague memory here!) not all desktop environments will work with that. FWIW, my beowulf machine is running fine with Xfce.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2
FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join

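The Depends/Provides relationship described in the message above, as an added example that is not part of the original thread: it reads a package table in `dpkg-query` output format and reports which packages name libsystemd0 in Depends and which satisfy it through Provides, something a plain grep on package names does not show. The sample rows are constructed (only the libsystemd0 relations come from the thread); `decoy-tool` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Input format (one package per line, tab-separated):
#   dpkg-query -W -f='${Package}\t${Depends}\t${Provides}\n'

# Constructed sample. The libsystemd0 relations follow the thread; the other
# dependencies and the package "decoy-tool" are made up for illustration.
sample_db() {
    printf '%s\t%s\t%s\n' \
        lvm2 'libc6 (>= 2.28), libsystemd0 (>= 222), libudev1 (>= 183)' '' \
        liblvm2cmd2.03 'libc6 (>= 2.28), libsystemd0 (>= 222)' '' \
        rsyslog 'libc6 (>= 2.27), libsystemd0' '' \
        libelogind0 'libc6 (>= 2.28)' 'libsystemd0 (= 241.4)' \
        decoy-tool 'libsystemd-dev | libsystemd0-extra' ''
}

# relation COLUMN NAME: read the table on stdin and print every package whose
# COLUMN (2 = Depends, 3 = Provides) names NAME exactly, followed by the
# version constraint if there is one. Substring matches are not reported.
relation() {
    awk -F'\t' -v col="$1" -v want="$2" '
    {
        n = split($col, items, "[,|]")      # "," = and, "|" = alternative
        for (i = 1; i <= n; i++) {
            name = items[i]; ver = ""
            if (match(name, /\(.*\)/)) {    # "(>= 222)" style constraint
                ver = " " substr(name, RSTART + 1, RLENGTH - 2)
                name = substr(name, 1, RSTART - 1)
            }
            sub(/:.*$/, "", name)           # drop ":any" style arch qualifier
            gsub(/[ ]/, "", name)
            if (name == want) print $1 ver
        }
    }'
}

dependents_of() { relation 2 "$1"; }
providers_of()  { relation 3 "$1"; }

echo "Depends on libsystemd0:";  sample_db | dependents_of libsystemd0
echo "Provides libsystemd0:";    sample_db | providers_of libsystemd0
```

On an installed system, pipe the `dpkg-query` command from the first comment into `dependents_of` or `providers_of` instead of `sample_db`. Pre-Depends and Recommends are not examined.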
Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?
On 5/5/21 11:49 AM, Dr. Nikolaus Klepp wrote:

> And there's always the possibility of 3rd party software, e.g. Teams, Appimages, ...

true... i misread original question, thought it was asking about devuan installation process and not already installed systems..

d.

Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?
In the year of our Lord 2021, Wed, 5 May 11:42:09 +0300, Dimitris via Dng wrote:

> only thing i can think of, is by installing unverified firmware files
> from a removable drive during installation, mainly because i'm not sure
> how verifiable firmware blobs are...
> every other package (including a DE) is always installed from
> authenticated sources/mirrors (and mostly reproducible these days), so
> it should be assumed malware-free.
>
> 2c.
> d.

And there's always the possibility of 3rd party software, e.g. Teams, Appimages, ...

Nik

--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...

Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?
On 4/5/21 11:05 PM, Arnt Karlsen wrote:

So, there ya go: Avoid installing and running it. It's called system administration

simple and powerful advice :)

..very true. Are there ways to trick common Devuan installs into automatically installing these bad things? (Other than tricking newbie etc users, sysadmins etc into doing it?)

only thing i can think of, is by installing unverified firmware files from a removable drive during installation, mainly because i'm not sure how verifiable firmware blobs are...
every other package (including a DE) is always installed from authenticated sources/mirrors (and mostly reproducible these days), so it should be assumed malware-free.

2c.
d.