Gentoo Forums
The Politics of systemd Part 3
Gentoo Forums Forum Index Gentoo Chat
Fitzcarraldo
Veteran
Joined: 30 Aug 2008
Posts: 1331
Location: United Kingdom
PostPosted: Thu Aug 03, 2017 5:53 am

Amity88 wrote:
Fitzcarraldo wrote:
Amity88 wrote:
It's there in both SLES 12 as well as RHEL 7.

And Ubuntu, since Ubuntu 15.04. Ubuntu Server is popular in commercial installations too.

I know someone with an Internet-facing server running Ubuntu Server 16.04 and he gets much the same attacks as my non-systemd Internet-facing server (i.e. a hell of a lot of attacks, whatever the init system). Providing an Internet-facing server is properly protected with a good firewall and a good NIPS with frequently updated rules sets, as we both are, I don't see why there would be any significant difference in the number and success of attacks on Internet-facing servers using systemd and those not using systemd.


I dunno much about NIPS. I take it that they're kinda like an antivirus package at the hardware level which works with packets?

Out of curiosity, what do you think of this (typical?) scenario?:

1. You have a program listening on a port on the server (e.g. HTTPD on a web server)
2. Say the firewall closes all other ports except for this one.
3. An attacker exploits a vulnerability in this program and gets local restricted access (the firewall would be bypassed)
4. Say he eventually manages to break out of any containers that this program runs in. (I recently heard of a vulnerability in Xen that allowed guest VMs to modify stuff on the host)
5. NOW at this stage, wouldn't it make things worse for us if the server happens to run SystemD? I mean with all the silly holes, it might be trivial to get root and own the system, wouldn't it?

A firewall alone is not going to provide complete protection if you're running e.g. a Web server or Cloud server. What is an Intrusion Prevention System gives a brief explanation of a NIPS. Enterprise NIPS run on their own dedicated hardware (e.g. Cisco Firepower series). IT equipment manufacturers (Cisco, Juniper, Palo Alto Networks, etc.) sell NIPS hardware and, even more sophisticated, next-generation firewall hardware (firewall+NIPS+DPI++). For home and small business use, FOSS SNORT software (from Cisco, since they bought Sourcefire and use SNORT in some of their hardware) is a decent NIPS if configured properly (albeit very complicated to configure and full of pitfalls). SNORT is a NIDS unless you configure it to be a NIPS, and, despite the hundreds of Web blog posts and YouTube videos telling you to configure SNORT to use the afpacket DAQ module to create a NIPS, that is not a secure way to create a NIPS; the way to go is to use SNORT with the nfqueue DAQ so SNORT gets iptables to really drop the packets of exploits rather than SNORT just sending RSTs, which HTTP/HTTPS traffic can eventually get through.

Regarding the scenario you postulated, this is one of the reasons for using a NIPS. The firewall lets the packets through but the NIPS will detect the attempted exploit if one of the automatically-downloaded rules (this morning my server downloaded 32,487 SNORT rules, for example) covers the exploit. A NIPS will not protect you from a zero-day exploit though. At that point, I personally would feel more comfortable if my server were a non-systemd system. But then there are plenty of exploits for non-systemd systems too, hence the increasing rule sets that NIPSs download. My non-systemd server is constantly bombarded with attempted exploits that SNORT detects and drops. Actually, the continuous SSH login attempts by script kiddies (mostly from China) annoy me more. But I have created an automated script that adds them to my own SNORT rule set, so they get dropped too.
_________________
Clevo W230SS: amd64, OpenRC, nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64, OpenRC, xf86-video-ati, dual booting with Win 7 Pro 64-bit.
KDE on both laptops.

Fitzcarraldo's blog

depontius
Advocate
Joined: 05 May 2004
Posts: 3250
PostPosted: Thu Aug 03, 2017 6:34 am

Fitzcarraldo wrote:
Regarding the scenario you postulated, this is one of the reasons for using a NIPS.


At this point, NIPS is just another layer of defense-in-depth, as the firewall is a layer, as containers are a layer. With respect to systemd, I don't think defense-in-depth was ever meant to allow one layer in particular to be weak, I think it was meant because weaknesses happen, even with the best of intentions.
_________________
.sigs waste space and bandwidth

Fitzcarraldo
Veteran
Joined: 30 Aug 2008
Posts: 1331
Location: United Kingdom
PostPosted: Thu Aug 03, 2017 7:19 am

depontius wrote:
Fitzcarraldo wrote:
Regarding the scenario you postulated, this is one of the reasons for using a NIPS.


At this point, NIPS is just another layer of defense-in-depth, as the firewall is a layer, as containers are a layer. With respect to systemd, I don't think defense-in-depth was ever meant to allow one layer in particular to be weak, I think it was meant because weaknesses happen, even with the best of intentions.

I don't think that either. My intention was not to imply a NIPS is there to allow one layer in particular to be 'weak', as you put it. Certain attacks will not be detected by a firewall because they are perfectly valid traffic from a firewall's point of view; however their content could be malicious from a Web server's point of view, SSH server's point of view, etc. Therefore a NIPS is not what I would call 'defence-in-depth'* in such a situation; it is the only defence. I'm not running systemd on my server, but nevertheless if I did not have a NIPS there are exploits that the firewall would correctly allow to pass through and could attempt to exploit the installation. As I wrote in reply to Amity88, "At that point, I personally would feel more comfortable if my server were a non-systemd system."

* I regard 'defence-in-depth' more as redundancy via different methods of protection against the same threat. For example, I did not mention previously that I also use TCP Wrapper to blacklist SSH attackers in addition to using SNORT to blacklist those same attackers. That is what I classify as 'defence-in-depth'; if the SNORT process crashes for whatever reason and therefore can no longer apply my local SNORT rules against specific SSH attackers, TCP Wrapper will give me that protection until I get SNORT back up and running. In fact I have implemented a third level of redundancy, but I won't go into that here.
_________________
Clevo W230SS: amd64, OpenRC, nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64, OpenRC, xf86-video-ati, dual booting with Win 7 Pro 64-bit.
KDE on both laptops.

Fitzcarraldo's blog

tld
Veteran
Joined: 09 Dec 2003
Posts: 1222
PostPosted: Sat Aug 05, 2017 5:11 pm

A friend of mine, whose computer use is pretty much limited to web browsing and email, and who's totally had it with Windows 10, is considering a Chromebook. Just curious...does Chrome OS still use upstart? It appears that's the case, but I wasn't sure.

Fitzcarraldo
Veteran
Joined: 30 Aug 2008
Posts: 1331
Location: United Kingdom
PostPosted: Sat Aug 05, 2017 5:43 pm

tld wrote:
A friend of mine, whose computer use is pretty much limited to web browsing and email, and who's totally had it with Windows 10, is considering a Chromebook. Just curious...does Chrome OS still use upstart? It appears that's the case, but I wasn't sure.

Still uses upstart: See the latest posts in the thread The future of initsystem in Chromium OS. (Mike Frysinger is a Gentoo developer as well, isn't he?)
_________________
Clevo W230SS: amd64, OpenRC, nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64, OpenRC, xf86-video-ati, dual booting with Win 7 Pro 64-bit.
KDE on both laptops.

Fitzcarraldo's blog

Tony0945
Advocate
Joined: 25 Jul 2006
Posts: 2038
Location: Illinois, USA
PostPosted: Sat Aug 05, 2017 6:39 pm

In the end the Borg will absorb us all. The time will come when applications won't run without systemd.

steveL
Advocate
Joined: 13 Sep 2006
Posts: 4809
Location: The Peanut Gallery
PostPosted: Mon Aug 07, 2017 2:21 pm

Tony0945 wrote:
In the end the Borg will absorb us all.
Hehe, but "Resistance is fertile" ;-)

Reaching for NIPS as a "solution" to insecure (aka badly-designed) system software, really is reaching, though.
Yes, I realise they're useful, and needed on open hosts. It's a complete deflection, though, since it's got nothing to do with systemdbust being borked by design.

Naib
Watchman
Joined: 21 May 2004
Posts: 5079
Location: Removed by Neddy
PostPosted: Wed Aug 23, 2017 12:36 pm

When you consider what sysd devs have been doing and how they are tied into redhat... What about stratis

Earlier this month RH deprecated BTRFS, which seemed odd as they had previously marked it as production ready.

The other day Microsoft removed ReFS from home versions of Windows 10; this was MS's attempt to provide a more resilient filesystem (NTFS already allowed 2^64 files... It just lacked all the other shinies)

Over on [H] a few threads on ReFS removal exist and I was posting in them and I was comparing windows filesystems (fat, NTFS) to ext versions and how removing ReFS was backwards, even if the featureset of ReFS is very low ...

Looking up what the 3 main Linux contenders were raised a worrying path...
Btrfs.. gnu/Foss/GPL compatible "nextgen" system
Zfs ... Licencing concerns otherwise prime candidate
Stratis .... ???

Turns out stratis is XFS with a daemon to provide VMF capability "on par" with ZFS. By pushing this into userland, and with RH behind it, a sysd dependency seems inevitable. Once you start talking about the low level being an established filesystem and a userland daemon with a "rich API", all via dbus to make admin life easier, it just ticks too many boxes...

Ubuntu have gone the zfs route while everyone is waiting for btrfs to become really ready but this is a bit worrying...

https://github.com/stratis-storage/stratisd/blob/master/README.md
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king

depontius
Advocate
Joined: 05 May 2004
Posts: 3250
PostPosted: Wed Aug 23, 2017 3:48 pm

And in other news... D-Bus Broker (I'm sure someone is sure to call it "DBus Borker" shortly, so I'll save you the trouble.)

https://www.phoronix.com/scan.php?page=news_item&px=D-Bus-Broker
_________________
.sigs waste space and bandwidth

Tony0945
Advocate
Joined: 25 Jul 2006
Posts: 2038
Location: Illinois, USA
PostPosted: Wed Aug 23, 2017 8:38 pm

depontius wrote:
And in other news... D-Bus Broker (I'm sure someone is sure to call it "DBus Borker" shortly, so I'll save you the trouble.)

Actually it sounds reasonable as long as it is implemented by a professional process with structured documented code not by "code cowboys".

depontius
Advocate
Joined: 05 May 2004
Posts: 3250
PostPosted: Wed Aug 23, 2017 10:21 pm

Tony0945 wrote:
"code cowboys".


Hmmmm... "code cowboys" or "software philosophy cowboys"? You decide.
_________________
.sigs waste space and bandwidth

roki942
Apprentice
Joined: 18 Apr 2005
Posts: 261
Location: Seattle
PostPosted: Thu Aug 24, 2017 2:53 am

For those with more understanding of these things than I.

https://dvdhrm.github.io/rethinking-the-dbus-message-bus/

What do you all think?

CasperVector
n00b
Joined: 03 Apr 2012
Posts: 39
PostPosted: Thu Aug 24, 2017 7:20 am

roki942 wrote:
For those with more understanding of these things than I.
https://dvdhrm.github.io/rethinking-the-dbus-message-bus/
What do you all think?

This perhaps?
_________________
My current OpenPGP key:
RSA4096/0x227E8CAAB7AA186C (expires: 2020.10.19)
7077 7781 B859 5166 AE07 0286 227E 8CAA B7AA 186C

Yamakuzure
Advocate
Joined: 21 Jun 2006
Posts: 2028
Location: Bardowick, Germany
PostPosted: Thu Aug 24, 2017 7:47 am

CasperVector wrote:
roki942 wrote:
For those with more understanding of these things than I.
https://dvdhrm.github.io/rethinking-the-dbus-message-bus/
What do you all think?

This perhaps?
Quote:
skabus was born after the author fruitlessly tried for months to make D-Bus work on a commercial embedded project and finally gave up in disgust.
Hear, hear! Sounds good, but it seems the author breaks the first rule of free open source software: "release early, release often"
_________________
elogind
(elogind) - [TRACKER] sys-auth/elogind - Integration into Gentoo
"A conservative is a man who is too cowardly to fight and too fat to run."
-- Elbert Hubbard

Naib
Watchman
Joined: 21 May 2004
Posts: 5079
Location: Removed by Neddy
PostPosted: Thu Aug 24, 2017 8:13 am

Dbus broker looks like a good idea but throws sysd's argument "it must be in the kernel" right into the dumpster.. poor code will always be slow, and if these types of complaints have really existed for that long for an upcoming that has become the lynchpin "of a modern Linux desktop", wtf are these monkeys doing.

These should be fixed, and it should not have taken 10 years and some BS political spin to force it into the kernel
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king

CasperVector
n00b
Joined: 03 Apr 2012
Posts: 39
PostPosted: Thu Aug 24, 2017 9:05 am

Yamakuzure wrote:
Sounds good, but it seems the author breaks the first rule of free open source software: "release early, release often"

I for one do not quite agree with this: releasing early just for releasing early can lead to poorly conceived software, especially when the development team consists of only one part-time worker with multiple projects to manage.
I mean this can work, but often works suboptimally for projects that require careful design; nevertheless this can be useful for projects with tight time schedules (e.g. commercial products in a competitive market).
_________________
My current OpenPGP key:
RSA4096/0x227E8CAAB7AA186C (expires: 2020.10.19)
7077 7781 B859 5166 AE07 0286 227E 8CAA B7AA 186C

depontius
Advocate
Joined: 05 May 2004
Posts: 3250
PostPosted: Thu Aug 24, 2017 12:21 pm

CasperVector wrote:
Yamakuzure wrote:
Sounds good, but it seems the author breaks the first rule of free open source software: "release early, release often"

I for one do not quite agree with this: releasing early just for releasing early can lead to poorly conceived software, especially when the development team consists of only one part-time worker with multiple projects to manage.
I mean this can work, but often works suboptimally for projects that require careful design; nevertheless this can be useful for projects with tight time schedules (e.g. commercial products in a competitive market).


To paraphrase, "Software should be released as early as possible, but no earlier." Does that do it for you?
_________________
.sigs waste space and bandwidth

CasperVector
n00b
Joined: 03 Apr 2012
Posts: 39
PostPosted: Thu Aug 24, 2017 2:24 pm

depontius wrote:
To paraphrase, "Software should be released as early as possible, but no earlier." Does that do it for you?

Or even shorter: "it's ready when it's ready" ;)
_________________
My current OpenPGP key:
RSA4096/0x227E8CAAB7AA186C (expires: 2020.10.19)
7077 7781 B859 5166 AE07 0286 227E 8CAA B7AA 186C

ct85711
Veteran
Joined: 27 Sep 2005
Posts: 1396
PostPosted: Thu Aug 24, 2017 2:43 pm

Quite frankly, the part that stands out to me, is this part
Quote:
No Spec-Deviation

We do not intend to add features not standardized in the D-Bus Specification, nor do we intend to deviate. However, we do sometimes deviate from the behavior of the reference implementation. All those deviations are carefully considered and documented.

To me, this means they just want to reinvent the wheel, while not bothering to fix the issues. They even said earlier that there are some major issues with the core specification that can't be fixed with the current specification. So instead of working to fix the specification so that the issue(s) can be solved and it still does the same job, they want to recreate it.

Naib
Watchman
Joined: 21 May 2004
Posts: 5079
Location: Removed by Neddy
PostPosted: Thu Aug 24, 2017 3:22 pm

ct85711 wrote:
Quite frankly, the part that stands out to me, is this part
Quote:
No Spec-Deviation

We do not intend to add features not standardized in the D-Bus Specification, nor do we intend to deviate. However, we do sometimes deviate from the behavior of the reference implementation. All those deviations are carefully considered and documented.

To me, this means they just want to reinvent the wheel, while not bothering to fix the issues. They even said earlier that there are some major issues with the core specification that can't be fixed with the current specification. So instead of working to fix the specification so that the issue(s) can be solved and it still does the same job, they want to recreate it.

Also, as they state they will deviate from the reference implementation, it may be that applications rely on a quirk of dbus due to poor spec and/or buggy dbus. If a rewrite doesn't work with what's out there it will fail
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king

Zucca
l33t
Joined: 14 Jun 2007
Posts: 956
Location: KUUSANKOSKI, Finland
PostPosted: Wed Sep 06, 2017 7:58 am

Maybe off-topic, but I kinda have to paste this: https://www.amazon.com/dp/B075DYXZW1
_________________
..: Zucca :..
This space is not for rent.

Fitzcarraldo
Veteran
Joined: 30 Aug 2008
Posts: 1331
Location: United Kingdom
PostPosted: Wed Sep 06, 2017 12:46 pm

Zucca wrote:
Maybe off-topic, but I kinda have to paste this: https://www.amazon.com/dp/B075DYXZW1

That gave me a good laugh this morning. I'm looking forward to the reviews, they're bound to be hilarious too.
_________________
Clevo W230SS: amd64, OpenRC, nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64, OpenRC, xf86-video-ati, dual booting with Win 7 Pro 64-bit.
KDE on both laptops.

Fitzcarraldo's blog

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 39297
Location: 56N 3W
PostPosted: Wed Sep 06, 2017 4:27 pm

Reminds me of Fly Fishing by J. R. Hartley :)
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

steveL
Advocate
Joined: 13 Sep 2006
Posts: 4809
Location: The Peanut Gallery
PostPosted: Sat Sep 09, 2017 7:25 pm

Fitzcarraldo wrote:
steveL, just for information (I have no axe to grind and am not an advocate either way), the Brazilian nationwide project ('ProInfo') did and does exist, funded by the Federal Government, although much of the information on the Web is obviously in Portuguese. You are right that Userful and its Brazilian representative ThinNetworks have since moved to promoting thin clients instead of multiseat in the X.Org fashion.
I've never doubted its existence; only the "technical arguments" presented as to why Poeterring's deluded vision of "multiseat" is in any way a useful thing.
Note the "multiseat" discussed is not X, which has had the concept of "display" since the beginning. That's all "seat" is: a neologism for an existing, well-defined term.
At most it's from fdo, which is at best a clique in any case (imo of nubs, judging by the ones who are most vocal, and keep pushing idiocy on us.)

With respect, the rest of your post is a sidetrack imo; you imply it's only "technical difficulties with drivers" (and source availability) that have stopped people using "seats" effectively, but as you've just agreed, even the company providing the hardware (who clearly have no such issue) moved away from Poeterring's deluded "vision" of "multiseat technology" and back to the standard X thin-client model.
QED.

The post was interesting, but ultimately only agreed with the analysis I gave above, before I followed the links given to do some basic checking.
In a nutshell, splitting the GUI side is a dumb idea. This could easily have been thought-through upfront, instead of wasting so many admins' time with ill-conceived and badly-designed "technology".
If nothing else, just by listening to some of the people who initially respond as to why and how it's a bad idea, instead of persecuting them as "haters" for informed opinion. [1]

--
[1] like: "seats are nothing more than a rebadging of the X display, so let's talk in terms of the display instead." [2]
or: "end-user devices are only getting cheaper, and more capable; why do we need to share them?" (in essence: "what are you really trying to do?")

If you think there's some frustration here, then you are spot on: the frustration is that we never get to move on to the more interesting discussion, because of the political muddying of the waters (and the associated "messages" that keep repeating themselves.)
As such, these types of campaigns are a drain of headspace, which is precisely the point of them: just like Microsoft before them, RedHat is well-aware that "developer mindshare" is a critical factor. And just like with Microsoft, ultimately it's users who lose out from the restricted playing-field.

RedHat is giving the voluntary contributors enough bathwater to argue about, while their baby is spirited out the door.

[2] I'm not saying that I am particularly well-informed; there are many better examples, which I keep giving (like LAD, kernel-networking, etc.)
I am just fed up of having to repeat myself to address the same "message" and its associated illogic, while no-one seems to take any interest in the real discussion (on how we put together capable desktops without sacrificing every software-engineering principle and basic good practice along the way.)
Gentoo users are better than that.

depontius
Advocate
Joined: 05 May 2004
Posts: 3250
PostPosted: Sat Sep 09, 2017 8:33 pm

steveL wrote:
just like Microsoft before them, RedHat is well-aware that "developer mindshare" is a critical factor.


Cue the image of LP jumping around on stage, shouting, "Developers! Developers! Developers! Developers!"
_________________
.sigs waste space and bandwidth

Page 9 of 12