:: Re: [DNG] ..are we|Devuan safe from…
Top Page
Delete this message
Reply to this message
Author: Olaf Meeuwissen
To: Ludovic Bellière
CC: dng
Subject: Re: [DNG] ..are we|Devuan safe from this systemd backdoor malware, taking our kernels from Debian?
Hi Ludovic, list,

Ludovic Bellière writes:

> Hi terryc,
> Those are *not* systemd libraries. They're services files or helpers
> shipped with the various packages you install.


> It is not possible to get
> rid of them without forking nearly all debian packages,

This is not quite correct. You can tell dpkg to --path-exclude files
that match a glob pattern. See `man dpkg` for details. Putting this
in your /etc/dpkg.cfg will make sure all dpkg invocations use it, apt

So, adding for example

path-exclude = /lib/systemd/*

would keep prevent installation of any matching files that a *.deb would
otherwise install. You still have to clean up existing matching files
yourself of course.

So for those of you hell-bent on keeping files reeking of systemd off of
your systems, you can and you can do this yourselves. If it happens to
break stuff, you get to keep the pieces but I guess mentioning breakage
here on the list will certainly peek some people's attention.

> which is beyond the scope of the devuan project.

Forking all packages that provide files you can easily prevent from
getting installed yourself is indeed beyond the scope of de Devuan
project if you ask me. There's plenty of other stuff to be done.

> The service files are text files and benign.

I've found them to waste disk space on the one hand and provide useful
info to fix issues on the other. Your experience may vary.

> Your system **is without** systemd.

> On dim, 02 mai 2021, terryc wrote:
>> Unfortunately there are systemd libraries installed by Devuan-beowulf
>> desktop installation DVD.
>> There are in
>> /ver/lib/

Huh> /ver/lib, really? I think you mean /usr/lib.

>> /lib
>> /etc and
>> /run
>> It appears to be something in the base system as both the headless
>> systems I recently set up have/had* them.

As I mentioned in a previous post, I found that rsyslog and the use of
LVM have a dependency on libsystemd0. That dependency can be satisfied
by installing libelogind0 instead of it.

>> Optins selected were
>> console stuff
>> print server,
>> ssh server
>> and what ever is last.
>> One system did have xfce-xfce4 selected, but the libraries and not
>> dependant on these.
>> *rm -rf systemd on the relevant directories doesn't seem to affect
>> anything. I did this as 'aptitude search systemd' didn't list any
>> packages installed.
>> Memo to self; use minimal installation next time.

Hope this helps,
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join