Posted: 2022-01-29 (UTC+00:00)
-Updated: 2022-11-14 (UTC+00:00)
-Posted: 2022-01-29 (UTC+00:00)
+Updated: 2022-11-14 (UTC+00:00)
+Anyone who cares about security may want to switch from systemd as soon as possible; its lead -developer doesn't care about your security at all.
-Poettering:
-"You don't assign CVEs to every single random bugfix we do, do you?"
My thoughts:
-Yes, if they're security-related.
Source:
-systemd GitHub Issue 5998
Poettering:
-"Humpf, I am not convinced this is the right way to announce this. We never did that, and half the
-CVEs aren't useful anyway, hence I am not sure we should start with that now, because it is either
-inherently incomplete or blesses the nonsensical part of the CVE circus which we really shouldn't
-bless..."
My thoughts:
-CVEs are supposed to be for security, and a log of when they were found and their severity, so yes,
-it *is* the correct way to announce it. It seems as if over 95 security-concious people think the
-same.
Source:
-systemd GitHub Issue 6225
Poettering:
-"I am not sure I buy enough into the security circus to do that though for any minor issue..."
Source:
-systemd GitHub Issue 5144
Poettering:
-"Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create
-it in the first place. Note that not permitting numeric first characters is done on purpose: to
-avoid ambiguities between numeric UID and textual user names.
-
-systemd will validate all configuration data you drop at it, making it hard to generate invalid
-configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider
-it a limitation of xinetd that it doesn't refuse an invalid username.
-
-So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but
-still: the username is clearly not valid."
My thoughts:
-systemd was the thing that allowed root access just because a username started with a number, then
-Poettering blamed the user.
Source:
-systemd GitHub Issue 6237
Anyone who cares about security may want to switch from systemd as soon as possible; its lead + developer doesn't care about your security at all.
+Poettering:
+ "You don't assign CVEs to every single random bugfix we do, do you?"
My thoughts:
+ Yes, if they're security-related.
Source:
+ systemd GitHub Issue 5998
Poettering:
+ "Humpf, I am not convinced this is the right way to announce this. We never did that, and half the
+ CVEs aren't useful anyway, hence I am not sure we should start with that now, because it is either
+ inherently incomplete or blesses the nonsensical part of the CVE circus which we really shouldn't
+ bless..."
My thoughts:
+ CVEs are supposed to be for security, and a log of when they were found and their severity, so yes,
+ it *is* the correct way to announce it. It seems as if over 95 security-concious people think the
+ same.
Source:
+ systemd GitHub Issue 6225
Poettering:
+ "I am not sure I buy enough into the security circus to do that though for any minor issue..."
Source:
+ systemd GitHub Issue 5144
Poettering:
+ "Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create
+ it in the first place. Note that not permitting numeric first characters is done on purpose: to
+ avoid ambiguities between numeric UID and textual user names.
+
+ systemd will validate all configuration data you drop at it, making it hard to generate invalid
+ configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider
+ it a limitation of xinetd that it doesn't refuse an invalid username.
+
+ So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but
+ still: the username is clearly not valid."
My thoughts:
+ systemd was the thing that allowed root access just because a username started with a number, then
+ Poettering blamed the user.
Source:
+ systemd GitHub Issue 6237