On 02/11/2017 08:21 AM, Luke Kenneth Casson Leighton wrote:
> https://www.theregister.co.uk/2017/01/24/systemd_flaw/
> "Newer" versions of systemd deployed by Fedora or Ubuntu have been secured, but Debian systems are still running an older version and therefore need updating.
> systemd is a suite for building blocks for Linux systems that provides system and service management technology. Security specialists view it with suspicion and ***>>>complaints about function creep are not uncommon<<<***.
> https://betanews.com/2016/10/07/systemd-vulnerability-linux-crash/
> The reason he has decided to disclose the bug publicly was to bring further attention to problems with a widely used component in Linux called systemd that Ayer believes is "defective by design".
> However, others believe disclosing such a bug without first contacting systemd's developers is irresponsible. Ayer was critical of systemd for being overly complex and made the argument that Linux developers have "fallen behind other operating systems in writing secure and robust software".
This is all FUD. Of course systemd ends up with vulnerabilities because of bugs. So does Linux, Bash, OpenSSL, SSH, Apache, etc. Debian responds to those vulnerabilities by fixing them. There is no fundamental difference with systemd.
If you want to talk about vulnerabilities, a years-old snapshot of Debian Testing is almost certainly *filled* with vulnerabilities all over the place, and only technically minded people will know how to fix them, because this is an old Testing snapshot. So in the name of "ethics" where it's somehow unethical to distribute a 100% libre program you don't like, you'll be giving any non-technical users an insecure system that they don't know how to update, and if they do find out how, they'll just be left wondering why it wasn't updated in the first place. Most likely, they'll assume that you are incompetent or just don't care.
And this is especially bad considering that of all the distros you offered, Debian is the most user-friendly, if you distribute *stable, stock* Debian. That was the only reason why I ordered some Debian cards. Knowing that you are not delivering what I want to be on the card that I'm going to give to my mother, I see now that this was completely pointless. I'm going to have to do all of the work to make sure she has a system she can use properly because you refuse to cooperate just by delivering the current, stable, stock Debian.
This is not something that personally affects me very much; I should be able to figure out how to install Debian on my own, and I was planning to do so anyway. But you are making it needlessly difficult for your project to succeed by taking this zealous hardline stance against systemd; it means that only retailers that know how to install whatever OS the user wants (e.g. Think Penguin) will be able to sell anything that non-technical people can use. You can forget your dream of having EOMA68 hardware on Wal-mart's shelf in that case.