I wonder how much the anti-systemd shills in this thread are getting paid by Microsoft to try and sabotage the evolution of an effective open platform.

Because let's face it, no intelligent person would think the cluster of bloated, poorly suited scripts most of these shills advocate are actually a good solution, it's just Microsoft scared of a modern open platform. They want you to be stuck in the dark ages.

Enemies of systemd are enemies of free and open source software. Truth.

If you pull the embedded card, you're going to have to explain what is wrong with the standard busybox. You know, the thing used in 99% of embedded linux.

There were a couple trolls which is to be expected in a phoronix thread about anything. It's quite silly to attribute it to a conspiracy involving Microsoft.

systemd-networkd was written with containers and servers as the main initial use cases, not embedded systems or desktops. In a container, the performance improvement over the existing Linux dhcp clients is incredible and greatly speeds up spinning up a container. On a system talking to a dhcp server over the network, that's much less important since there's a whole lot of extra latency and most consumer routers are incredibly slow to start with. It could work well on an embedded system, but there are existing lightweight alternatives to dhclient / dhcpcd

It also has a nice plain text configuration format and good support for dealing with edge cases like bridges and bonding.

busybox is fine, it provide many tools that you could need but is not exactly standard and for certain task/usages requires a lot of hand tuning but could be better than systemd depending your use case.

until now busybox is basically the only way to have a semi decent small linux system from ultralow - high end embeded but the side effect is every embed device is totally unique and is really hard to support 3rd party aggregates or even extend functionality. I mean once you decide to leave your confort zone of GPIO led displays and a small autostarted C app that collect data and send result to an tty to a world of smart interactive touch enable devices busybox become really hard to deal with and is very error prone and this is what systemd and wayland are focused on solve on embedded(with a bit of Qt5) thanks to the smartphones revolution, now even a crappy ARM cortex SoCs has gotten loooot better and many have enough GPU to handle accelerated interactivity(the drivers are horrible tho, FUCK YOU QUALCOMM).

so and this is my point, you need the right tool for the job, aka if you only need to capture data and send to an tty(industrial sensors for example) for later analyze don't be a moron, go grab busybox and minimal kernel image set to autostart you C app and flash it to a rom because anything else is overkill but if you wanna provide smart visualization and analisis devices with touch screens, network support, security(for personel access/access hierarchy/etc) then you need systemd because you need to handle multiple services, initialization order, network autostart, ondemand services tosave power, basic OS integrity, etc. and systemd can do so standarly which make your job lot easier in the future specially if you wanna add functionality later.

sure busybox(+other tools ofc) can do both but for the second scenario is a lot harder and require you to reinvent the wheel everytime(and normally your wheel end up been unique so only you can understand it)

Please do not respond to this guy, "Truth" is a well known troll, like endman and beetreetime.

Not so cool

This is only useful if the service runs with a privileged user. A unprivileged user (nobody, http, dhcp, etc) can only access to the files that are owned by him.

Exploitable security bugs are profitable... Those "reports" will come in the form of 0days, discovered by chance by security researchers; they will make fun of them, and corporations opposing Linux will profit from the bad publicity.
BTW, I'm still wondering if there is any security researcher auditing systemd...

Err, android's only Mac, tmk, is selinux.

What kind of policies would you accept? As I said, I really want to see Arch usable for everyone I know and not just myself, but they need good MAC that I can trust with a comprehensive included policy set. I just don't see the likelihood of out of tree patches being added to the Arch stock kernel, so I don't even see the road that leads to getting it into the stock kernel. And if it isn't in the stock one, there are all the aur or extended kernel mods like ck or pf that won't build it, and you end up compiling your own kernels if you want the latter stuff. Albeit, having used the ck and pf patchsets, I always end up going back to stock just because the maintenance and circumstantial breakage gets excessive. And my last point of contention is that grsecurity is not used in any major mainstream distribution,

I'll try it the grsecurity Arch kernel this weekend, though. Is there an IRC / mailing list for its development? I do want to get involved at some point with policy creation, albeit I'm coming from a guy who has only contributed to Suse apparmor profiles and has never used the gr tools. I'll need to get some reading done...

Some initial impressions though, after reading the wiki pages, READMEs from the grsec site, and a new superuser posts about it:

1. They don't try to mainline it because they don't want parts in the mainline kernel, they want the whole package - and they perceive the kernel developers as security hostile. Honestly, my biggest issue with this project is that it looks like it can never become mainline, and thus it can never become popular. This is why I've always supported apparmor - it is flawed, it is insufficient, it breaks a lot, but it is better than nothing and usable. I have no gripes with it if the majority of the Arch ecosystem considers adopting it, though.

2. Is there a way to only use per subject policies, rather than user policies? For single user systems polkit and systemd already do the appropriate resource allocations to unprivileged users, the user profiles seem redundant in that context - usually the DAC policies of the packages themselves are more than sufficient, and what I really want is binary hardening and restricted policies so exploited network facing software can't start jacking the entire system. I get where they have value on, say, a huge LDAP server, where just having custom groups for each user class is insufficient.

3. I thought the stock kernel already does ASLR and has noexec page flags.

The profiles look very apparmor-esque, though, which is good. Trying to do any access control in SELinux makes me want to devour brains since mine melted. Network access controls are nice and fine grained...

Damn it, the more I'm reading about gr, I'm strongly regretting my writing it off years ago under the pretense "it is not mainline, it can never be serious". Kind of hypocritical to think the LSM model is a broken wreck and ridiculous while not considering out of tree security models that avoid using it.

Also, this is making me really want to think about switching my server to Arch from Debian just for the gr kernel.