Originally posted by mSparks
View Post
Announcement
Collapse
No announcement yet.
Systemd 251-rc1 Released With Experimental systemd-sysupdate Tool
Collapse
X
-
Last edited by RahulSundaram; 03 April 2022, 04:55 PM.
- Likes 2
-
Originally posted by mSparks View PostYou and the op completely fail to justify WHY systemd or its users need this "feature", and last time I checked Remote Code Execution was "considered harmful". Absolute JOKE you think its up to me to prove an RCE feature is not harmful.
- Likes 3
Comment
-
Originally posted by RahulSundaram View Post
You argued earlier it wasn't optional and now you are readily conceding that it is optional, that is good progress.
Originally posted by RahulSundaram View PostYou have yet to demonstrate what makes only updating integrity checked and signed updates if it is specifically configured to do so a bad idea
Secondly, again, RCE is not a good idea, it will eventually be involved in a data breach, even the android links you provided - which have nothing to do with systemd - have been involved malicious compromises of devices.
e.g.
Comment
-
Originally posted by mSparks View Post
Firstly, good grief no, integrity checking and signing doesn't prove remote code isn't malicious.
Secondly, again, RCE is not a good idea, it will eventually be involved in a data breach, even the android links you provided - which have nothing to do with systemd - have been involved malicious compromises of devices.
e.g.
https://www.securityweek.com/over-ai...ndroid-devices
It is usually used in enterprise setting for updating their own cluster, so if you are just using systemd on your own computer, you should not be concerned.
If somebody gained root access on your computer, it will be a far severe problem and they will be able to do manipulate your computer whatever they like, regardless or whether systemd-sysupdate present or not.
Comment
-
Originally posted by mSparks View PostI never made any such argument.
"There is no "optional" half way measure"
and
"open init to a backdoor autoinstaller"
Now you understand it is entirely optional and not part of init. Otherwise your earlier comment that you are going to stick with an unmaintained older version in order to avoid this optional feature makes even less sense.
Originally posted by mSparks View Post
Firstly, good grief no, integrity checking and signing doesn't prove remote code isn't malicious.
Originally posted by mSparks View Post
Secondly, again, RCE is not a good idea
Originally posted by mSparks View Post
even the android links you provided - which have nothing to do with systemd - have been involved malicious compromises of devices.
- Likes 2
Comment
-
Originally posted by RahulSundaram View Post
You certainly did. You explicitly claimed,
"There is no "optional" half way measure"
and
"open init to a backdoor autoinstaller"
Now you understand it is entirely optional and not part of init.
That doesnt change installing it and enabling it being a bad idea, does it? "no optional half way measure"Last edited by mSparks; 04 April 2022, 06:22 AM.
Comment
-
Originally posted by mSparks View PostYou can also choose not to install it at all.
Originally posted by mSparks View Post
That doesnt change installing it and enabling it being a bad idea, does it? "no optional half way measure"
There is no "optional" half way measure". You have now learned that it doesn't bypass anything, installs only integrity checked and signed updates from the same source as all the other updates and what is a bad idea is to misuse terms like RCE. You have now learned that without demonstrable ability to run arbitrary code, there is no RCE. You are welcome.
- Likes 3
Comment
-
Originally posted by RahulSundaram View Post
Wonderful. You have now learned that it is not part of init, certainly not a backdoor as you earlier said and simply not be installed instead of your original plan of sticking with an unmaintained older version merely to avoid an optional feature. Progress
Except your original claim was "Either it discovers and installs remote code automatically - bypassing the normal update procedure or it doesn't.
There is no "optional" half way measure". You have now learned that it doesn't bypass anything, installs only integrity checked and signed updates from the same source as all the other updates and what is a bad idea is to misuse terms like RCE. You have now learned that without demonstrable ability to run arbitrary code, there is no RCE. You are welcome.
Yes
Wonderful, we agree that not upgrading to a version with it at all is the best way of avoiding it.
In fact, after reading the background I think Im gonna to switch to an install with no systemd at all.Last edited by mSparks; 04 April 2022, 08:15 AM.
Comment
-
Originally posted by mSparks View Post
Wonderful, we agree that not upgrading to a version with it at all is the best way of avoiding it.
- Likes 1
Comment
-
Originally posted by RahulSundaram View Post
Nope. We explicitly don't agree on that. It makes zero sense to not upgrade because of optional features in any project. As long as you don't make technically inaccurate assertions, I don't care though.
luckily this is Linux, everything is optional. All we need to do is differentiate good ideas from bad ones.
autodiscover and install A/B is not a good idea, as made clear by several pages now where you failed to address that point once.
Comment
Comment