Update webpage "Blog - #1" from version "9.0.0-beta.1" to "9.0.1-beta.1"

2024-03-18 02:40:37 +00:00 · 2024-03-18 02:40:37 +00:00 · 6aa565643a
commit 6aa565643a
parent 8b840152d9
1 changed files with 85 additions and 89 deletions
--- a/blog/systemd_insecurity.xhtml
+++ b/blog/systemd_insecurity.xhtml
@ -1,10 +1,10 @@
 <!DOCTYPE html>
 <!-- Inferencium - Website - Blog - #1 -->
-<!-- Version: 9.0.0-beta.1 -->
+<!-- Version: 9.0.1-beta.1 -->
 <!-- Copyright 2022 Jake Winters -->
-<!-- SPDX-License-Identifier: BSD-3-Clause -->
+<!-- SPDX-License-Identifier: BSD-3-Clause WITH AdditionRef-Inferencium-Personal-exception -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
@ -47,8 +47,7 @@
 				developer doesn't care about your security at all.</p>
 				<section id="issue-0">
 					<h2><a href="#issue-0">Issue #0 - Against CVE Assignment</a></h2>
-										<blockquote>"You don't assign CVEs to every single random bugfix we do, do
+						<blockquote>"You don't assign CVEs to every single random bugfix we do, do you?"</blockquote>
 										you?"</blockquote>
 						<p>- Lennart Poettering, systemd lead developer</p>
 						<p><b>My thoughts:</b> Yes, if they're security-related.</p>
 						<p>Source:
@ -56,41 +55,38 @@
 				</section>
 				<section id="issue-1">
 					<h2><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></h2>
-										<blockquote>"Humpf, I am not convinced this is the right way to announce this.
+						<blockquote>"Humpf, I am not convinced this is the right way to announce this. We never did
-										We never did that, and half the CVEs aren't useful anyway, hence I am not sure
+						that, and half the CVEs aren't useful anyway, hence I am not sure we should start with that now,
-										we should start with that now, because it is either inherently incomplete or
+						because it is either inherently incomplete or blesses the nonsensical part of the CVE circus
-										blesses the nonsensical part of the CVE circus which we really shouldn't
+						which we really shouldn't bless..."</blockquote>
 										bless..."</blockquote>
 						<p>- Lennart Poettering, systemd lead developer</p>
-										<p><b>My thoughts:</b> CVEs are supposed to be for security, and a log of when they
+						<p><b>My thoughts:</b> CVEs are supposed to be for security, and a log of when they were found
-										were found and their severity, so yes, it <em>is</em> the correct way to
+						and their severity, so yes, it <em>is</em> the correct way to announce it. It seems as if over
-										announce it. It seems as if over 95 security-concious people think the same.</p>
+						95 security-concious people think the same.</p>
 						<p>Source:
 						<a href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869">systemd GitHub Issue 6225</a></p>
 				</section>
 				<section id="issue-2">
 					<h2><a href="#issue-2">Issue #2 - Security is a Circus</a></h2>
-										<blockquote>"I am not sure I buy enough into the security circus to do that
+						<blockquote>"I am not sure I buy enough into the security circus to do that though for any minor
-										though for any minor issue..."</blockquote>
+						issue..."</blockquote>
 						<p>- Lennart Poettering, systemd lead developer</p>
 						<p>Source:
 						<a href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654">systemd GitHub Issue 5144</a></p>
 				</section>
 				<section id="issue-3">
 					<h2><a href="#issue-3">Issue #3 - Blaming the User</a></h2>
-										<blockquote><p>"Yes, as you found out "0day" is not a valid username. I wonder
+						<blockquote><p>"Yes, as you found out "0day" is not a valid username. I wonder which tool
-										which tool permitted you to create it in the first place. Note that not
+						permitted you to create it in the first place. Note that not permitting numeric first characters
-										permitting numeric first characters is done on purpose: to avoid ambiguities
+						is done on purpose: to avoid ambiguities between numeric UID and textual user names.</p>
-										between numeric UID and textual user names.</p>
+						<p>systemd will validate all configuration data you drop at it, making it hard to generate
-										<p>systemd will validate all configuration data you drop at it, making it hard to
+						invalid configuration. Hence, yes, it's a feature that we don't permit invalid user names, and
-										generate invalid configuration. Hence, yes, it's a feature that we don't permit
+						I'd consider it a limitation of xinetd that it doesn't refuse an invalid username.</p>
-										invalid user names, and I'd consider it a limitation of xinetd that it doesn't
+						<p>So, yeah, I don't think there's anything to fix in systemd here. I understand this is
-										refuse an invalid username.</p>
+						annoying, but still: the username is clearly not valid."</p></blockquote>
 										<p>So, yeah, I don't think there's anything to fix in systemd here. I understand
 										this is annoying, but still: the username is clearly not valid."</p></blockquote>
 						<p>- Lennart Poettering, systemd lead developer</p>
-										<p><b>My thoughts:</b> systemd was the thing that allowed root access just because a
+						<p><b>My thoughts:</b> systemd was the thing that allowed root access just because a username
-										username started with a number, then Poettering blamed the user.</p>
+						started with a number, then Poettering blamed the user.</p>
 						<p>Source:
 						<a href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864">systemd GitHub Issue 6237</a></p>
 				</section>