
Posted by foltik 1 day ago

GNU IFUNC is the real culprit behind CVE-2024-3094 (github.com)
126 points | 63 comments | page 2
theteapot 1 day ago|
False dichotomy. There was a series of blatant process failures from GitHub maintainer through Debian package maintainers. IFUNC also bad.
rurban 1 day ago||
Well, also Unicode identifiers, a C11 spec bug, nobody cares to fix. Still in C26, because "users expect Unicode stability", esp. its bugs.
octoberfranklin 1 day ago||
Yes, that nefarious nation-state threat actor known as GNU IFUNC!

Curses, thwarted again!

robertdfrench 22 hours ago|
[dead]
TacticalCoder 1 day ago||
[flagged]
tadfisher 1 day ago||
Debian did not link OpenSSH with a 1.5 million-line library, because one doesn't exist. The library is libsystemd, which is comparatively tiny, and it is tiny so that sane things like Type=notify services get supported in more places with less pushback.

Yes, it could be smaller, broken up to remove compression support [0], what have you. But you should criticize the things that are actually problems, not some made-up bullshit about the whole of systemd being linked into everything that talks to it.

0: https://github.com/systemd/systemd/issues/32028

pwdisswordfishq 1 day ago|||
> Great. TFA's author thinks he cherry picked a sentence to make the project look bad.

Err... What? It's just a factual, non-judgemental description. Unlike your comment, which goes out of its way to call systemd names for whatever reason. Which just makes me less interested in what you have to say. Most people who rely on appeal to emotion to that extent are not in the right.

k_roy 1 day ago||
> systemd is a monstrous codebase and there lies shitload of exploits in it. Either intentional or accidental.

And yet...

1. practically all hyperscalers use it

2. desktops

3. container images that power everything from docker to kubernetes use it

It helps that it's actively maintained, battle-tested as hell, and widely audited.

Point being, it's fun to hate on systemd, and maybe even hipster-like, and systemd is hardly perfect... but you are probably more likely to be exploited by a pypi or npm supply-chain attack.

toast0 1 day ago|||
> It helps that it's actively maintained, battle-tested as hell, and widely audited.

Is it actually audited? Or is it like OpenSSL... everybody uses it, but nobody looks under the hood cause it's gross in there? (Or well, nobody looked before Heartbleed anyway)

k_roy 1 day ago||
> Is it actually audited?

This is 2026, not 2014 when Heartbleed came out.

And it runs as PID1 on many distros and these are folks like RHEL, who have a huge interest in keeping it secure.

Pypi has an almost daily exploit announced in common and popular libraries, simply because the dependency graph is so huge. And this is in things that are almost certainly deliberately and by design exposed to insecure user input.

Again, it’s fun to hate on systemd, but in reality you are much more likely to be exploited by something else.

lmm 1 day ago|||
> Point being, it's fun to hate on systemd, and maybe even hipster-like, and systemd is hardly perfect... but you are probably more likely to be exploited by a pypi or npm supply-chain attack.

Can you even imagine pypi or npm compromising ssh this way?

k_roy 1 day ago||
> Can you even imagine pypi or npm compromising ssh this way?

Is ssh somehow sacrosanct in a way that any other RCE or credential stealing attack is different?

I don’t even know the last time I exposed ssh to the open internet.

But the fact with npm or pypi you can be exploited just by running the software you’ve already installed because the dependencies are everywhere on your system?

lmm 1 day ago||
> Is ssh somehow sacrosanct in a way that any other RCE or credential stealing attack is different?

I see ssh as a very fundamental part of the system - in BSD terms it's in base not ports. Random packages from npm or pypi, sure, if you installed some slop off the internet and got exploited that's not so surprising. (Even those package managers themselves are not part of the base system, much less anything you install with them). But ssh should be safe!

liamgm 1 day ago||
xz-tools should scrap the code and reimplement it as a safer one; the current one has safety and performance issues.
washingupliquid 1 day ago|
> Why do Linux Distros modify OpenSSH?

> The short answer is that they have to. OpenSSH is developed by the OpenBSD community, for the OpenBSD community, and they do not give a flying Fedora about Linux.

What complete horseshit. I stopped reading there.

The OpenSSH Portable branch is maintained by OpenBSD developers and SystemD is a completely optional add-on so why on earth would they make it a dependency? If they didn't care about the Linux community they wouldn't develop this software *for free* for them. They can go write their own GNU SSH then.

It certainly doesn't help that there are 165+ definitions of what constitutes a "complete GNU+Linux system" some of which use SystemD and some which vow never to.

It's not the OpenBSD developers' fault some Linux distros use overly complex plumbing and can't agree on one standard for their OS unlike every other OS out there, including Windows.

The xz backdoor was a Debian and Red Hat issue because they maintained patches to fix problems of their own creation. No one else was affected. Why should the OpenBSD people care? It's not their problem.

striking 1 day ago||
The OP agrees with you... if you continue reading, they wrote

> These patches never went into Portable OpenSSH, because the Portable OpenSSH folks were ["not interested in taking a dependency on libsystemd"](link). And they never went into upstream OpenSSH, because OpenBSD doesn't have any need to support SystemD.

The language may have been harsher than it needed to be and therefore could be more easily misunderstood, but I believe you are actually in agreement with them.

washingupliquid 1 day ago||
It makes it sound even worse, cherry picking language like "not interested" as if the OpenBSD folks should shoulder blame for not being altruistic enough.

It reeks of trashing your benefactor, who gave you well-written free software, which you then made insecure with your own patches.

If you remove the roof of your car with a chainsaw and are inevitably injured later, is it the car manufacturer's fault they didn't offer that model as a convertible from the factory?

The better question is why are people still trying to assign blame all these years later? The IT world dodged a bullet but has moved on (and likely didn't learn from their mistakes as supply chain attacks are steadily increasing).

striking 1 day ago|||
Okay. You could see it that way. Or you could read what the author wrote about who is to blame:

> No one person or team really made a mistake here, but with the benefit of hindsight it's clear the attackers perceived that the left hand of Debian/Fedora SSH did not know what the right hand of xz-utils was doing.

with OpenBSD not even being mentioned here

debazel 1 day ago|||
I guess it's up to interpretation, but I read it the complete opposite way, as in Linux distributions should not think so highly of themselves as to expect OpenBSD to conform and adapt to their mess, and OpenBSD rightfully should not be expected to "give a flying Fedora about Linux".
robertdfrench 22 hours ago||
[dead]
jmclnx 1 day ago||
> Did the OpenSSH folks know (or care) that ifunc was a thing? It's certainly not a thing on OpenBSD.

I do not know why you were down-voted, maybe you deserved no up-votes, but down-votes to me were a bit extreme :) But that quote tends to indicate to me the author put a little blame on OpenSSH Developers. Maybe the author did not intend it to be read in the way I read it.

OpenSSH developers should not need to know what or why systemd distros apply patches to OpenSSH. The distro I use, Slackware, did not have this vulnerability because the Slackware team, AFAIK, only adds patches if the package does not compile. If other distros did that, this issue would not have occurred.

To me the issue was patching OpenSSH for some systemd thing. Maybe IFUNC was part of the issue, but the real issue was patching OpenSSH.

But I know one thing, I never heard of IFUNC and after reading about it, I will avoid that as much as I can. So at least I was educated :)

robertdfrench 22 hours ago||
[dead]