Quoting Simon Hobson (linux@???):
> Rick Moen <rick@???> wrote:
>
> > Remember that bit I posted about how /usr/bin/ssh makes dynamic library
> > calls to sonames of two Kerberos libraries, even on the overwhelming
> > majority of systems that do not implement Kerberos?
> ...
> > 'Trust' in the sense you use the word just isn't in that.
>
> But it is.
> Have you actually checked any (or all) of the libraries to be sure ?

This is a bit silly, so-broad-as-to-be-meaningless application of the word
'trust'. I don't, in the general case, personally inspect any of the
binaries or libraries on my systems, nor in the general case do I
compile those myself, nor do I perform local diverse double-compiling to
prevent application of Ken Thompson's 1984 'Reflections on Trusting
Trust' moby hack, either.

https://www.schneier.com/blog/archives/2006/01/countering_trus.html
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

Now, are we done with the ritual paranoia dance?

> The point is, which you seem to keep missing, is that I do not have
> this level of trust in anyone pushing systemd.

No, I 'get' your oft-repeated personal opinion. I'm just not impressed
with the allegedly sinister, alleged threat of distro-maintained
interface glue package libsystemd0. Nor am I impressed with the alleged
problem of any 'amount of noise surrounding' that topic or any other.

Because I have a few clues about software and open source, and have
reasonable confidence I follow what's going on, on an ongoing basis.

> Plus, as someone else pointed out, to permit libsystemd0 (or equivs
> *IFF* it doesn't break packages - which it does with ClamAV) is
> tacitly accepting that these packages are OK to blindly depend on it.

You seem to be using some strange, emotionally tinged sense of the words
'accept' and 'OK'.

Am I tacitly 'accepting' that Kerberos libraries are 'OK' on my
Kerberos-less systems because I am 'accepting' the dynamic library links
in /usr/bin/ssh? I don't even really know what that means.

I tolerate the fact that the dynamic library call to two
locally-pointless Kerberos libraries exist, in the sense that I've not
rushed out and recompiled/rebuilt package openssh-client to eliminate
the vestigial and basically meaningless library dependency. Which in
turn because I'm a bit busy and have other, better things to worry about.

If I _really_ needed a new hobby, I suppose I could run Gentoo/Funtoo
and spend my idle hours on USE flags and running compiles to eliminate
every vestigial library call -- but I don't.

> If the packagers can package that dependency and not get pushback from
> the users, then there's no incentive to consider if it might not be
> "right".

And why the Gehenna would they do that? Do they have some blood feud
with your clan? To my knowledge, they don't with mine. I lead a rather
more blessedly boring life, and have time for things like gardening, and
occasionally administering Linux systems.

I don't even have it in for the Kerberos people, and to my knowledge
they have only benign (if complex and poorly documented) plans for my
greater metropolitan region -- though I keep a wary eye to the south
where dread Stanford University lies, a hotbed of Kerberos radicalism.
They even do AFS there! (Perhaps they can be forced to pay for a border
fence.)

> It comes back to - how much is it "programmers are lazy" vs how much
> is "well actually it is real work".

Please figure that out and report back to us. I'll mail you a shiny
pre-Ted Heath-era pre-decimalisation penny for your efforts. ;->