> GNU IFUNC is the real culprit behind CVE-2024-3094
I disagree.
TFA's author lists four steps to make CVE-2024-3094 work, the first being:
- Some Linux distros modify OpenSSH to depend on SystemD
SystemD contains something like 1.5+ million lines of code. I'll state it more clearly:
- non-Linux distros using OpenSSH weren't affected
- Linux distros not modifying OpenSSH to accommodate systemd weren't affected
> These patches never went into Portable OpenSSH, because the Portable OpenSSH folks were "not interested in taking a dependency on libsystemd".
Great. TFA's author thinks he cherry-picked a sentence to make the project look bad. I think they should have been more vocal and said: "we're not interested in taking a dependency on that monstrous pile of steaming shit that Microsoft's systemd is".
systemd is a monstrous codebase and there lies a shitload of exploits in it. Either intentional or accidental.
systemd is going to be the reason I abandon Linux on my main system and on my server (I may still run systemd-less Linux VMs and containers).
I can't stand it and I cannot stand the people defending that horrible piece of turd, and from reading many comments here on HN I know I'm far from the only one hating on that kitchen sink.
> Great. TFA's author thinks he cherry-picked a sentence to make the project look bad.
Err... What? It's just a factual, non-judgemental description. Unlike your comment, which goes out of its way to call systemd names for whatever reason. Which just makes me less interested in what you have to say. Most people who rely on appeal to emotion to that extent are not in the right.
> systemd is a monstrous codebase and there lies a shitload of exploits in it. Either intentional or accidental.
And yet...
1. practically all hyperscalers use it
2. desktops
3. container images, that power everything from docker to kubernetes use it
It helps that it's actively maintained, battle-tested as hell, and widely audited.
Point being, it's fun to hate on systemd, and maybe even hipster-like, and systemd is hardly perfect... but you are probably more likely to be exploited by a pypi or npm supply-chain attack.
Debian did not link OpenSSH with a 1.5 million-line library, because one doesn't exist. The library is libsystemd, which is comparatively tiny, and it is tiny so that sane things like Type=notify services get supported in more places with less pushback.
Yes, it could be smaller, broken up to remove compression support [0], what have you. But you should criticize the things that are actually problems, not some made-up bullshit about the whole of systemd being linked into everything that talks to it.
0: https://github.com/systemd/systemd/issues/32028