Inferencium/website
1
0
Fork 0
Code Issues Activity

Update back-end code to new 100-120 column coding style.

Browse Source
This commit is contained in:
inference 2022-12-11 17:29:51 +00:00
parent 6b85ffa35c
commit a3c41df6fa
1 changed files with 21 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
blog/systemd-insecurity.html
View File

@ -5,7 +5,7 @@
<!-- Copyright 2022 Inference -->
<!-- License: BSD 3-Clause Clear (with personal content exception) -->
<!-- 0.2.1.3 -->
<!-- 0.2.2.4 -->
<html>
@ -38,8 +38,8 @@
<br>
<br>
<p>Anyone who cares about security may want to switch from systemd as soon as
possible; its lead developer doesn't care about your security at all.</p>
<p>Anyone who cares about security may want to switch from systemd as soon as possible; its lead
developer doesn't care about your security at all.</p>
<br>
<br>
<h3>Issue #0 - Against CVE Assignment</h3>
@ -59,16 +59,15 @@ Yes, if they're security-related.</p>
<h3>Issue #1 - CVEs Are Not Useful</h3>
<br>
<p>Poettering:<br>
"Humpf, I am not convinced this is the right way to announce this.
We never did that, and half the CVEs aren't useful anyway, hence I am not
sure we should start with that now, because it is either inherently
incomplete or blesses the nonsensical part of the CVE circus which we
really shouldn't bless..."</p>
"Humpf, I am not convinced this is the right way to announce this. We never did that, and half the
CVEs aren't useful anyway, hence I am not sure we should start with that now, because it is either
inherently incomplete or blesses the nonsensical part of the CVE circus which we really shouldn't
bless..."</p>
<br>
<p>My thoughts:<br>
CVEs are supposed to be for security, and a log of when they were
found and their severity, so yes, it *is* the correct way to announce it.
It seems as if over 95 security-concious people think the same.</p>
CVEs are supposed to be for security, and a log of when they were found and their severity, so yes,
it *is* the correct way to announce it. It seems as if over 95 security-concious people think the
same.</p>
<br>
<p>Source:<br>
<a class="body-link" href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869"
@ -79,8 +78,7 @@ It seems as if over 95 security-concious people think the same.</p>
<h3>Issue #2 - Security is a Circus</h3>
<br>
<p>Poettering:<br>
"I am not sure I buy enough into the security circus to do that though for
any minor issue..."</p>
"I am not sure I buy enough into the security circus to do that though for any minor issue..."</p>
<br>
<p>Source:<br>
<a class="body-link" href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654"
@ -91,22 +89,20 @@ any minor issue..."</p>
<h3>Issue #3 - Blaming the User</h3>
<br>
<p>Poettering:<br>
"Yes, as you found out "0day" is not a valid username. I wonder which tool
permitted you to create it in the first place. Note that not permitting
numeric first characters is done on purpose: to avoid ambiguities between
numeric UID and textual user names.<br>
"Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create
it in the first place. Note that not permitting numeric first characters is done on purpose: to
avoid ambiguities between numeric UID and textual user names.<br>
<br>
systemd will validate all configuration data you drop at it, making it hard
to generate invalid configuration. Hence, yes, it's a feature that we don't
permit invalid user names, and I'd consider it a limitation of xinetd that
it doesn't refuse an invalid username.<br>
systemd will validate all configuration data you drop at it, making it hard to generate invalid
configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider
it a limitation of xinetd that it doesn't refuse an invalid username.<br>
<br>
So, yeah, I don't think there's anything to fix in systemd here. I
understand this is annoying, but still: the username is clearly not valid."</p>
So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but
still: the username is clearly not valid."</p>
<br>
<p>My thoughts:<br>
systemd was the thing that allowed root access just because a username
started with a number, then Poettering blamed the user.</p>
systemd was the thing that allowed root access just because a username started with a number, then
Poettering blamed the user.</p>
<br>
<p>Source:<br>
<a class="body-link" href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864"