undefined | Better HN

0 pointsjnxx1y ago0 comments

It is not just systemd which uses xz. For example, Debian's dpkg links xz-utils.

0 comments

However, this particular attack only works through libsystemd to compromise sshd and it is related to systemd's kitchen sink "design".

JdeBP1y ago

It's related to excessive coupling between modules and low coherence.

There is a way for programs to implement the systemd readiness notification protocol without using libsystemd, and thus without pulling in liblzma, which is coupled to libsystemd even though the readiness notification protocol does not require any form of compression. libsystemd provides a wide range of things which have only weak relationships to each other.

There are in fact two ways, as two people independently wrote their own client code for the systemd readiness notification protocol, which really does not require the whole of libsystemd and its dependencies to achieve. (It might be more than 2 people nowadays.)

* https://jdebp.uk/FGA/unix-daemon-readiness-protocol-problems...

EvmRoot1y ago

This is only evidence that libsystemd is popular. If you want to 0wn a bunch of systems, or even one particular system but make it non-obvious, you choose a popular package to mess with.

BeOS isn't getting a lot of CVEs attached to it, these days. That doesn't mean its good or secure, though.

varjag1y ago

All that could change if BeOS adopts systemd.

Matl1y ago

It's easy to have your existing biases validated if you already dislike systemd. The reality is that systemd is much more coherently designed than its predecessors from a 'end user interface' point of view, hence why its units are largely portable etc. which was not the case for sysvinit.

The reality is that it is not systemd specifically but our modern approach to software design where we tend to rely on too much third party code and delight in designing extremely flexible, yet ultimately extremely complex pieces of software.

I mean this is even true as far as the various CPU attack vectors have shown in recent years, that yes speculative execution is a neat and 'clever' optimization and that we rely on it for speed, but that maybe that was just too clever a path to go down and we should've stuck with simpler designs that would maybe led to slower speedups but a more solid foundation to build future CPU generations on.

account421y ago

Let's be real, sshd loading random libraries it doesn't actually need because distros patched in a kitchen sink library is inexcusable. That kitchen sink library is libsystemd and it follows the same kitchen sink design principle that systemd-opponents have been criticising all along. But its easier to accuse them of being biased rather consider that maybe they have a point.

ds-tech_media1y ago

People hate systemd from an ethical, philosophical, and ideological standpoint. People love systemd for the efficiency, economics, etc. It's like ideal vs production.

j / k navigate · click thread line to collapse