On 07/03/2015 07:35 AM, Eugene Bolshakoff wrote:
> Hello All,
>
> This is something like "philosophical" post about our future in
> poettering universe.
>
> Working as system administrator, I am thinking about it, because of more
> and more Linux distributives switching to should-not-be-named daemon.
>
> And, of course, servers will be updated in few years, and it becames
> impossible to avoid using poettering things in everyday work. I can
> avoid it on my own workstations and servers, but I will be forced to use
> binary logging in journald, logind and so on if my company updates its
> servers to new Linux distros.
> Developers should support new startup schemes and new logging features.
>
> My colleagues and friends working with Linux don't think about this as
> about something bad and strange, a lot of people are able (or are
> forced) to switch, they talk about it as about something everyday.

I don't know enough to say for certain what the risks are of the
systemd approach. But I do know there is a general problem
facing the free software community-- how do you protect the
individual user when more and more computing is happening
across interconnected machines?

Just take the recent post to this list about Chromium downloading
a binary blob for speech commands. The OP addressed the message
to "Chromium users", probably under the following hidden premises:
* Chromium users should assess their risks individually. They can then
choose to take any action that the free software license of Chromium
provides for them: a) run/uninstall the code, b) read the code, c) modify
the code, or d) redistribute modifications of the code.
* If the user chooses to do nothing and leak data through binary blobs,
the irresponsibility and potential harm is theirs and theirs alone.

But back in the real world, that ethical stance is laughably irrelevant.
The truth is it does not matter what the miniscule userbase of Chromium
does or doesn't do with their binaries. The other 90% of the coffee
house hipsters have hot mics feeding data to _Chrome_. Turning off one
in twenty light bulbs on the porch isn't going to keep the bugs away.

The good news in your case is that systemd is 100% free software, so
you have all the tools you need to track its development and gain a
comprehensive understanding of its security risks. I doubt any
community other than Devaun is _actually_ going to do that work, so
someone here with the time and inclination might want to get intimate
intimate with that codebase. Without that, you're just pushing the problem
to all the other servers of the world. And, ironically, you're hoping that
you've overstated the risks-- that all those systemds aren't vulnerable to
being turned into weapons that can effortlessly DDOS your lonely little
secure box off the internet.

-Jonathan