On Wed, Oct 22, 2014 at 12:43:53PM -0400, C. Jon Larsen wrote:
> Incorrect assumption. systemd is a massive security hole waiting to happen and it does not follow the unix philosophy of do 1 thing and do it well/correct.

It does seem to me that this angle, at least, is on-topic for NANOG, and I hope someone has suggestions for how to mitigate it. It seems that we've had two or, arguably, three recent examples (heartbleed, shellshock, arguably poodle) of complicated code that too few people understood and that led to widespread, late-night-inducing emergency action once a serious vulnerability was discovered. Surely that direction of development in a process that runs as PID 1 is something that has significant follow-on effects for network security.

But I have no clue what one can do about it. For many years, I liked to keep some Linux and some BSD systems around, because it seemed to me that the different styles tended to encourage diversity and that was a good thing. But management of BSD systems -- particularly the nonsense of rebuilding things from source all the time -- started to look mighty onerous compared to apt-get update; apt-get upgrade. Others apparently agreed, and now there are enough things that work well on Linux but not as well (or not at all) on BSD that the diversity argument isn't as strong. (Also, of course, certain kinds of things, like some kinds of database replication, don't work well across platforms, so there's another reason to converge on a single system.)

Debian was always the Linux platform that seemed most insistent on having more than one way to do it, but in recent years that philosophy has made it more work to use than the alternatives; and the alternatives have often gotten good enough that one doesn't care (Ubuntu is the obvious example here).

So, now we have an encroaching monoculture, and no real option to do anything about it. Maybe this is just the way the Internet is, now.

A

--
Andrew Sullivan
Dyn, Inc.
asullivan@dyn.com
v: +1 603 663 0448