Re: Cemtos 7 : Systemd alternatives ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

On Mon, Jul 14, 2014 at 12:20 PM, Andrew Wyatt <andrew@xxxxxxxxxxx> wrote:
> >> >
>> > http://heartbleed.com/
>> >
>> > Oh, wait.
>>
>> Openssl doesn't have much to do with Unix/linux.  It is just one of a
>> bazillion application level programs that you might run.  Are you
>> going to include all bugs in all possible windows apps in your
>> security comparison?
>>
>
> OpenSSL is a library, not an application,

And not used unless an application uses it.

>>
>> But init/upstart/systemd are very special things in the unix/linux
>> ecosystem.  They become the parent process of everything else.  For
>> everything else, the only way to create a process is fork(), with it's
>> forced inheritance of environment and security contexts.
>>
>
> Yes, they sure are, you're right about that.  Without an init (of any
> kind), you only have a kernel.  You don't have mounted filesystems, or
> anything else.

And no other processes....


>> In any case, giant monolithic programs that try to do everything
>> sometimes become become better than a toolbox, but it tends to be
>> rare.  First, it takes years to fix the worst of the bugs - but maybe
>> that has already happened in fedora...  And after that it is an
>> improvement only if the designers really did anticipate every possible
>> need.   Otherwise the old unix philosophy that processes are cheap -
>> if you need another one to do something, use it - is still in play.
>> If you need something to track how many times something has been
>> respawned or to check/clean related things at startup/restart you'll
>> probably still need a shell there anyway.
>>
>>
> It's very rare.  I wasn't speaking to this though in this instance, I was
> only speaking to Windows security not being any better or worse than
> anything else.

Yes, using window vs. unix/linux is an overreach as an analoy here -
and unnecessary.  It's just a matter of 'big, new, monolithic' code
bases  vs. a small set of well-tested reusable tools.   We could just
run everything under java if we wanted. But. how many years old is
java and how often are there still mandatory updates of the whole
thing because of some recently noticed security bug in some part of
it?

-- 
   Les Mikesell
     lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux