Just a reminder that there are plenty of systemd-less distros available. Also a reminder that those distros would have been safe from the nearly-solar-winds-level backdooring of Linux distros from XZ utils.
Also remember that systemd-using distros like, say, Arch were also safe from the nearly-solar-winds-level backdooring because the backdoor targeted specific distros widely used as servers. Obviously the solution to security from backdoors is only using distros that aren't popular for servers.
It was in OpenSUSE Tumbleweed for a few days actually (RPM-based + rolling release + did the sshd patch). I was affected by it and it was fun watching the reliable ~100ms difference in `time /usr/sbin/sshd -h` with and without `TERM=foo`.
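The timing comparison described in the comment above, as an added example that is not part of the thread: it runs a command repeatedly with `TERM` removed from the environment and with `TERM=foo`, then compares median wall-clock times. Assumptions: "without" is read as `TERM` being unset, and the run count and the 50 ms cut-off are illustrative values chosen here, not from the thread.

```python
import os
import statistics
import subprocess
import time


def median_runtime(cmd, env, runs=15):
    """Median wall-clock seconds for cmd under the given environment."""
    samples = []
    for _ in range(runs):
        start = time.perf_counter()
        # Exit status is ignored: `sshd -h` prints usage and exits non-zero.
        subprocess.run(cmd, env=env, stdin=subprocess.DEVNULL,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def term_timing_delta(cmd, runs=15):
    """Return (median with TERM unset, median with TERM=foo, difference)."""
    base = {k: v for k, v in os.environ.items() if k != "TERM"}
    unset = median_runtime(cmd, base, runs)
    with_term = median_runtime(cmd, {**base, "TERM": "foo"}, runs)
    return unset, with_term, unset - with_term


def is_suspicious(delta, threshold=0.05):
    """Flag a consistent gap in either direction (threshold is an assumption)."""
    return abs(delta) >= threshold


if __name__ == "__main__":
    cmd = ["/usr/sbin/sshd", "-h"]  # path taken from the comment above
    try:
        unset, with_term, delta = term_timing_delta(cmd)
    except FileNotFoundError:
        raise SystemExit("sshd not found at /usr/sbin/sshd")
    print(f"TERM unset: {unset * 1000:.1f} ms")
    print(f"TERM=foo:   {with_term * 1000:.1f} ms")
    print(f"difference: {delta * 1000:.1f} ms, suspicious={is_suspicious(delta)}")
```

A gap like this is only a prompt to check the installed xz/liblzma package version against the distro's advisory; a clean timing result does not prove the library is unaffected.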
Not sure of the relevance of this comment, can you elaborate? Were you the one that caught it?
Our balls were inches from the bandsaw. Systemd made it possible to compromise SSH through an unrelated, single-maintainer lib that wasn’t even a dependency.
Edit: never mind, I see you are a systemd crusader.
Of course, the actual hacker was to blame, but systemd was implicated. The fact that the attacker was willing to settle for compromising just Debian and Red Hat systems indicated that they perceived the path from xz to libsystemd was the easiest way to effect the backdoor and that doing it any other way would have been too much work for marginally little gain (Red Hat and Debian systems being so common).
> Don't you find it ridiculous to blame the XZ backdoor on systemd, instead of the actual hacker?
This is a great argument against all computer security. If you believe in securing your computer, you're supporting hackers. Because if you ever believe that a lock has failed, you're saying the thief is innocent; that's how logic works.
Well, you conveniently ignored half of my point. Even without ssh depending on systemd (dependency introduced by distro maintainers, not systemd, mind you), a backdoor in xz can still exploit your system in a myriad of ways.
And secondly, I would say even if nobody is going to blame me, I would still secure my systems. Why? To protect my data of course.