[kwlug-disc] What is all this about systemd?
Paul Nijjar
paul_nijjar at yahoo.ca
Wed Sep 3 13:50:38 EDT 2014
On Tue, Sep 02, 2014 at 02:55:38PM -0400, Khalid Baheyeldin wrote:
> Lennart Poettering, systemd developer, outlines what he (and others in the
> systemd cabal) see as wrong with Linux distros, and what they propose to
> fix it.
>
> They totally miss that packaging has been a solved problem for ages (since
> .deb was invented), and that centralized repositories have existed for over
> a decade (Debian, Ubuntu).
>
> http://0pointer.net/blog/revisiting-how-we-put-together-linux-systems.html
>
Didn't these guys learn from the Java security debacle? In particular,
the following paragraph worries me:

> Note that in this design apps are actually developed against a
> single, very specific runtime, that contains all libraries it can
> link against (including a specific glibc version!). Any library that
> is not included in the runtime the developer picked must be included
> in the app itself. This is similar how apps on Android declare one
> very specific Android version they are developed against. This
> greatly simplifies application installation, as there's no
> dependency hell: each app pulls in one runtime, and the app is
> actually free to pick which one, as you can have multiple installed,
> though only one is used by each app.

"Hi! I am a piece of malware, and I would like to request the buggy,
unpatched runtime that has a security hole I can exploit! I know you
updated this runtime to get rid of the security hole, but I am
incompatible with the patched version because I am malware."

Also: "I am an application developer and cannot trust that the end
user will have every library I need. So I will provide libraries with
my app and never update them, because updating is hard."

I guess the answer to these questions has to be signature revocation.

I have heard this kind of "Write once, run everywhere" scheme before.
It sounds as if it will dramatically increase the amount of work
application developers have to do in preparing their software for
distribution, since dealing with problematic updates for arbitrary
distributions will be their problem, not the problem of distribution
packagers.

I do not know what I think of this proposal. I agree with Chris that
it sounds neat, and it is good that these guys are thinking about ways
to improve the UNIX infrastructure. But I also hope that there are
some powerful distributions that explore other possibilities.

- Paul
--
http://pnijjar.freeshell.org
Join us for Software Freedom Day on Sept 20: http://kwlug.org/sfd