
posted by martyb on Monday July 31 2017, @05:01AM
from the imminent-recursion dept.

The 2017 Pwnie winner for lamest vendor response goes to Lennart Poettering for systemd. According to CSO, which reported on the Pwnie winners announced a few days ago, the summary for Lennart and systemd reads as follows:

The most spectacular mishandling of a security vulnerability by a vendor ended up winning a Pwnie for Lennart Poettering due to SystemD bugs 5998, 6225, 6214, 5144, 6237. The nomination reads: "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will referenced in either the change log or the commit message. But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"


  • (Score: 0) by Anonymous Coward on Monday July 31 2017, @05:13AM (43 children)

    by Anonymous Coward on Monday July 31 2017, @05:13AM (#546987)

    In the end, it's Readhat pulling all the strings, but it's poettering that gets all the hate. Why? Because the dumbfuck is a moron and doesn't know it. Or maybe he does, but feels the paycheck is worth it.

    • (Score: 2) by RamiK on Monday July 31 2017, @05:59AM (27 children)

      by RamiK (1813) on Monday July 31 2017, @05:59AM (#546998)

      He's smart enough to understand making a good design with security in mind is exactly what his employers are trying to avoid.

      That's the trouble with tools from the service industry. They're designed to need constant servicing. And being fair, I don't see a lot of software in the UNIX verse that just does its job and doesn't need constant tinkering.

      --
      compiling...
      • (Score: 5, Touché) by PiMuNu on Monday July 31 2017, @07:32AM (26 children)

        by PiMuNu (3823) on Monday July 31 2017, @07:32AM (#547018)

        > I don't see a lot of software in the UNIX verse that just does its job

        sed
        grep
        awk
        cat
        emacs
        bash
        etc etc

        I guess unix-verse is still targeted at people who prefer a command line to a GUI.

        • (Score: 5, Funny) by FakeBeldin on Monday July 31 2017, @07:41AM (7 children)

          by FakeBeldin (3360) on Monday July 31 2017, @07:41AM (#547023) Journal

          ...
          emacs
          ...

          You misspelled "vi" ;-)

          • (Score: 3, Funny) by zocalo on Monday July 31 2017, @08:19AM (3 children)

            by zocalo (302) on Monday July 31 2017, @08:19AM (#547031)
            To be fair, there isn't a decent spell checker on the list. :)
            --
            UNIX? They're not even circumcised! Savages!
            • (Score: 2) by KGIII on Monday July 31 2017, @10:42AM (2 children)

              by KGIII (5261) on Monday July 31 2017, @10:42AM (#547078) Journal

              Not even a good editor is on the list! ;-)

              --
              "So long and thanks for all the fish."
              • (Score: 0) by Anonymous Coward on Monday July 31 2017, @04:27PM (1 child)

                by Anonymous Coward on Monday July 31 2017, @04:27PM (#547227)

                sed -r -i -e 's/^Not even a good.*/what about sed?/g' parent-comment

                • (Score: 2) by KGIII on Monday July 31 2017, @04:53PM

                  by KGIII (5261) on Monday July 31 2017, @04:53PM (#547244) Journal

                  'just does its job' == 'good'

                  emacs is a lovely OS, but a horrible editor. I'm pretty sure people use it only because they haven't figured out how to exit it. ;-)

                  --
                  "So long and thanks for all the fish."
          • (Score: 0) by Anonymous Coward on Monday July 31 2017, @03:18PM (1 child)

            by Anonymous Coward on Monday July 31 2017, @03:18PM (#547185)

            I think that's spelled 'M-x vim-mode'

            • (Score: 0) by Anonymous Coward on Monday July 31 2017, @03:21PM

              by Anonymous Coward on Monday July 31 2017, @03:21PM (#547188)

              My bad, it's actually
              'M-x evil-mode' now (Extensible VI Layer, heh, must... not.. like... bad... puns... nope, can't help it :) )

          • (Score: 2) by Azuma Hazuki on Monday July 31 2017, @06:13PM

            by Azuma Hazuki (5086) on Monday July 31 2017, @06:13PM (#547278) Journal

            And *you* misspelled "nano" :)

            --
            I am "that girl" your mother warned you about...
        • (Score: 5, Insightful) by ledow on Monday July 31 2017, @08:13AM (3 children)

          by ledow (5567) on Monday July 31 2017, @08:13AM (#547030) Homepage

          Yep.

          Those small, modular, single-purpose commands that tend to work in perpetuity. Hell, I have an entire book on my shelf that describes the way that sed & awk can be used, and yet they are tiny and have barely changed in years.

          And only change when NEW TYPES of attack come out (which is basically never if all you do is cat a given file to the screen, or act on stdin to output on stdout).

          Gosh, I wonder why they were designed that way, rather than a hulking great thing that takes over all functions, inserts itself into critical code paths, reinvents the wheel badly, and offers all kinds of opportunities for misconfiguration, bad defaults (you wanted root, right?) and untested codepaths.

          The irony is that systemd is possibly the antithesis of every bit of security-related advice anyone has ever given.

          I blame Red Hat as much as Lennart, for allowing it to continue.

          • (Score: 2) by tonyPick on Monday July 31 2017, @08:29AM

            by tonyPick (1237) on Monday July 31 2017, @08:29AM (#547034) Homepage Journal

            +1 to this - Yes, using grep/sed/whatever from command line has a learning curve. I went through it in the mid 90's, and it's gained a couple of flags, but it's still all pretty much the same when it comes to getting useful work done.

            Meanwhile you have to relearn the interface for shiny GUI toy of the month, which will be thrown away every six months, and is still less functional.

          • (Score: 1, Informative) by Anonymous Coward on Monday July 31 2017, @09:03AM (1 child)

            by Anonymous Coward on Monday July 31 2017, @09:03AM (#547048)

            which is basically never if all you do is cat a given file to the screen

            You don't cat a file to the screen, you cat it to a terminal. And doing so with text from unknown origin may well be a security problem:
            https://nvd.nist.gov/vuln/detail/CVE-2003-0063 [nist.gov]
            https://nvd.nist.gov/vuln/detail/CVE-2008-2383 [nist.gov]
            https://nvd.nist.gov/vuln/detail/CVE-2010-2713 [nist.gov]
            https://nvd.nist.gov/vuln/detail/CVE-2012-3515 [nist.gov]
            https://nvd.nist.gov/vuln/detail/CVE-2014-3121 [nist.gov]

            Note that less by default converts those escape sequences to safe text, so it is a safer way to view text files.

            • (Score: 5, Insightful) by ledow on Monday July 31 2017, @11:13AM

              by ledow (5567) on Monday July 31 2017, @11:13AM (#547089) Homepage

              Those are:

              XTerm
              XTerm
              VTE
              QEmu
              and rxvt

              DATA HANDLING ISSUES. Nothing to do with cat. It's like saying that "Apache" compromised your database because an employer put the whole list in a public_html folder.

              And cat is dumb - it's the things that try to get clever and interpret data (e.g. terminals, less, etc.) that are the ones most likely to cause the problems. Acting on untrusted data is something that no program should mess with lightly. These programs did it and got it wrong. cat doesn't try. Which is why the CVEs listed have nothing to do with cat, but what happens when you put an escape sequence FROM ANY SOURCE into XTerm, etc. without checking it properly first.
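The two comments above argue over where the escape-sequence risk lives: not in cat, but in whatever interprets the bytes it writes to the terminal. The following is an added example (not code from any project on this page) showing what a cautious viewer does instead, in the spirit of the default `less` behaviour mentioned earlier: it renders control characters in caret notation so nothing reaches the terminal's parser, and it flags the CSI/OSC sequences it found so they can be logged. The sample line is constructed.

```python
import re

# Constructed sample: a "log line" that smuggles an OSC title-set sequence and
# a CSI clear-screen sequence past a naive `cat` to the terminal.
SAMPLE = "ok: build finished\x1b]0;owned\x07\x1b[2Jnothing to see here\n"

# CSI: ESC [ <parameter bytes 0x30-0x3F> <intermediate bytes 0x20-0x2F> <final byte 0x40-0x7E>
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# OSC: ESC ] <payload> terminated by BEL or by ESC \ (string terminator)
OSC_RE = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")


def find_escape_sequences(text):
    """Return a list of (offset, kind, raw_sequence) for every CSI or OSC
    sequence in text, sorted by offset. Useful for detection/logging before
    untrusted text is shown to an operator."""
    found = []
    for kind, rx in (("CSI", CSI_RE), ("OSC", OSC_RE)):
        for m in rx.finditer(text):
            found.append((m.start(), kind, m.group(0)))
    return sorted(found)


def neutralize(text):
    """Render untrusted text the way a cautious pager does: every control
    character becomes printable caret notation (ESC -> ^[, BEL -> ^G), so the
    terminal never sees a real escape sequence. Tab and newline are kept."""
    out = []
    for ch in text:
        code = ord(ch)
        if ch in "\t\n":
            out.append(ch)
        elif code < 0x20:                     # C0 controls, including ESC
            out.append("^" + chr(code + 0x40))
        elif code == 0x7F:                    # DEL
            out.append("^?")
        elif 0x80 <= code <= 0x9F:            # C1 controls can also open sequences
            out.append("\\x%02X" % code)
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for offset, kind, raw in find_escape_sequences(SAMPLE):
        print("found %s sequence at offset %d: %r" % (kind, offset, raw))
    print(neutralize(SAMPLE), end="")
```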

        • (Score: 2) by TheRaven on Monday July 31 2017, @08:39AM (2 children)

          by TheRaven (270) on Monday July 31 2017, @08:39AM (#547037) Journal
          I'll give you cat, but the others have all had some pretty important bug fixes in the last few years. Bash was a really bad example: remember Shellshock?
          --
          sudo mod me up
          • (Score: 2) by PiMuNu on Monday July 31 2017, @10:18AM (1 child)

            by PiMuNu (3823) on Monday July 31 2017, @10:18AM (#547073)

            A couple of other people made the same comment. I would put security issues as a corner case, because they pertain to web servers - which is not the majority of users (well, pre-IOT at least).

            • (Score: 3, Insightful) by TheRaven on Monday July 31 2017, @01:49PM

              by TheRaven (270) on Monday July 31 2017, @01:49PM (#547137) Journal
              Shellshock didn't just pertain to web servers, any laptop user could have an attacker run arbitrary code as root in response to a DHCP packet.
              --
              sudo mod me up
        • (Score: 2) by RamiK on Monday July 31 2017, @10:17AM (3 children)

          by RamiK (1813) on Monday July 31 2017, @10:17AM (#547072)

          Coreutils takes heavy maintenance: https://git.savannah.gnu.org/cgit/coreutils.git/log/ [gnu.org]

          Busybox are doing better but at the expense of features that people want.

          unix-verse is still targeted at people who prefer a command line to a GUI.

          Unless you use ed to edit all your text and "wget --post-data=foobar" to browse the web, you're not using a command line app. Vi... emacs... w3m... Those aren't command line apps. Those are just easy-to-code ugly-as-sin terminal GUIs.

          Don't get me wrong. I use those cli tools too. But it's not a preference. It's laziness. It gets the job done and doesn't take too much to fix. But it's still using the wrong tool for the job and when it comes to the whole system approach, it's a mistake. A market failure if you will. But not one I can fix. Just one I can identify.

          --
          compiling...
          • (Score: 2) by PiMuNu on Monday July 31 2017, @11:23AM (2 children)

            by PiMuNu (3823) on Monday July 31 2017, @11:23AM (#547093)

            > But it's still using the wrong tool for the job and when it comes to the whole system approach, it's a mistake.

            For data processing and coding, CLI tools are correct. Most of my CPU cycles are spent doing this stuff. Most of my user cycles are spent writing code and making presentations, and here I agree a GUI is better approach.

            > A market failure if you will.

            Totally agree here. If I was in charge of linux (whatever that means) I would dump my spare resource into fixing open office... clearly this is the blocking issue in linux on the desktop.

            • (Score: 0) by Anonymous Coward on Monday July 31 2017, @07:53PM

              by Anonymous Coward on Monday July 31 2017, @07:53PM (#547328)

              If I was in charge of linux (whatever that means) I would dump my spare resource into fixing open office

              If that means that you would make it 100.00 percent compatible with M$Orifice, it's important to note that M$Orifice isn't even compatible with M$Orifice.
              If you aren't using THE SAME VERSION of M$'s stuff as the guy who created the document, there can be differences in rendering.

              Hell, if you connect a different printer to your box than that of the originator, there can be differences in rendering.

              ...and I still don't understand why people distribute documents to be *read* in an *editable* format.
              ...and a PROPRIETARY format at that.

              ...and, if you actually do need to -collaborate- on the -creation- of documents, the online things seem much more universal.

              -- OriginalOwner_ [soylentnews.org]

            • (Score: 0) by Anonymous Coward on Monday July 31 2017, @09:43PM

              by Anonymous Coward on Monday July 31 2017, @09:43PM (#547381)

              > For data processing and coding, CLI tools are correct.

              Not really. A proper language, even interpreted like python, that doesn't sacrifice half its syntax for the sake of command prompt convenience would always produce better, faster and more editable results. CLI tools are for administrative operations. Small mass renaming... Finding all the files with foobar in their content... Small one-off operations that server operators need to perform occasionally. The way those tools are used in installation scripts and the like is just wrong. Web-servers calling those tools is wrong. Data analysis using those tools is wrong.

              Shell scripts should glue and pipe. Not do complex logic and heuristics. Demanding those features from those tools has been the cause of some of the worst bugs and security issues for decades while adding nothing beyond what other scripting languages are already doing better.

        • (Score: 2) by chromas on Monday July 31 2017, @04:05PM (4 children)

          by chromas (34) Subscriber Badge on Monday July 31 2017, @04:05PM (#547210) Journal

          The problem is none of these have been replaced by systemd yet. vi and emacs are, of course, soon-to-be on their way out. With advanced tools like hostnamectl, localectl—all the "*ctl"s—why would you need a text editor?

          You guys really overblow the whole systemd is anti-Unix-way anyhow. Systemd has lots of single-purpose utilities. For instance, systemd-hostnamed does one thing and does it well. And it's an important job, too.

          • (Score: 3, Insightful) by tangomargarine on Monday July 31 2017, @04:31PM (3 children)

            by tangomargarine (667) on Monday July 31 2017, @04:31PM (#547232)

            You guys really overblow the whole systemd is anti-Unix-way anyhow. Systemd has lots of single-purpose utilities. For instance, systemd-hostnamed does one thing and does it well. And it's an important job, too.

            You're ignoring the part of the Unix philosophy where all those little tools are supposed to be easily individually replaceable. Systemd's various tools are all bolted together.

            Usually somebody in these conversations claims that "modular" means "well they compile to separate executables...so what if you can't swap out any of them?"

            --
            "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
            • (Score: 2) by chromas on Monday July 31 2017, @04:50PM (2 children)

              by chromas (34) Subscriber Badge on Monday July 31 2017, @04:50PM (#547241) Journal

              Oh, sorry, I was being sardonic, but not enough I guess :D

              I was hoping the "systemd-hostnamed" would give it away. It's a whole entire tool just for editing /etc/hostname. This is a thing that actually exists.

              • (Score: 2) by tangomargarine on Monday July 31 2017, @07:23PM

                by tangomargarine (667) on Monday July 31 2017, @07:23PM (#547312)

                Systemd in general is the incarnation of Poe's Law. Inverse Poe's Law? You think they must be joking then you find out no, they're actually serious.

                --
                "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
              • (Score: 0) by Anonymous Coward on Monday July 31 2017, @08:45PM

                by Anonymous Coward on Monday July 31 2017, @08:45PM (#547357)

                Sweet jesus! Yeah, can't have people knowing how to fix their own computers. Must insert some 3rd party software so you can intercept the commands before the user finds ou**destroys their own computer**.

        • (Score: 2) by tangomargarine on Monday July 31 2017, @04:26PM

          by tangomargarine (667) on Monday July 31 2017, @04:26PM (#547226)

          emacs

          If you're not constantly tinkering with emacs I think you're doing it wrong ;)

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
        • (Score: 2) by iWantToKeepAnon on Monday July 31 2017, @05:41PM

          by iWantToKeepAnon (686) on Monday July 31 2017, @05:41PM (#547266) Homepage Journal

          ... bash ...

          Ummm, shellshock anyone?

          --
          "Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
    • (Score: 1, Interesting) by Anonymous Coward on Monday July 31 2017, @06:38AM (13 children)

      by Anonymous Coward on Monday July 31 2017, @06:38AM (#547004)

      Well... he is rolling around in cash as the misery caused by his whims is felt by other folks and all he has to do is ignore the deluge of internet name calling and labeling.

      If that was his purpose in life, making money, then I'd say he's pretty successful... so I wouldn't say he's a "dumbfuck" or a "moron". Of course everyone has different moral standards and goals in life.

      • (Score: 2) by kaszz on Monday July 31 2017, @06:50AM (11 children)

        by kaszz (4211) on Monday July 31 2017, @06:50AM (#547005) Journal

        Remedy: Make him suffer the consequences?

        End to externalization of costs. Nice banking account you got there..

        • (Score: 2, Insightful) by pvanhoof on Monday July 31 2017, @01:53PM (10 children)

          by pvanhoof (4638) on Monday July 31 2017, @01:53PM (#547141) Homepage

          Remedy: don't use his software. You are not required to do so. It's free and/or open source software. You can modify it yourself. You can replace it. You can create a replacement. What makes you believe you have to use it? Since you want to make the author of it suffer, I assume you are forced to use it? In which country is that? I never heard of a place that requires people, by law, or by force, to use systemd. Not even China as far as I know.

          • (Score: 3, Interesting) by kaszz on Monday July 31 2017, @02:48PM (8 children)

            by kaszz (4211) on Monday July 31 2017, @02:48PM (#547161) Journal

            The problem is his systemd is infesting more and more software and the cost/gain for establishing a feedback loop becomes more attractive with time.
            It's like saying if you don't like the water utility you are free to unsubscribe it. Works in theory..

            • (Score: 2) by pvanhoof on Monday July 31 2017, @03:06PM

              by pvanhoof (4638) on Monday July 31 2017, @03:06PM (#547174) Homepage

              Last time I checked there are entire distributions devoted to replacing systemd with something else. Hardly like the water utility. More like a brand of a car, or an often-used component in many car brands. Or maybe, if you take it to the extreme, like a Diesel engine.

            • (Score: 2) by digitalaudiorock on Monday July 31 2017, @04:04PM (6 children)

              by digitalaudiorock (688) on Monday July 31 2017, @04:04PM (#547209) Journal

              It's like saying if you don't like the water utility you are free to unsubscribe it. Works in theory.

              As someone who uses Gentoo with no systemd it's definitely possible, but yeah, it sucks having to hope that not too many important software projects drink the systemd Kool-Aid. Things could start getting more and more difficult.

              By the way...not much sense in debating pvanhoof. There's one of him in every systemd discussion anywhere on the web. He goes on about how this is all just "systemd hate", passive aggressively pretending to be the "reasonable" one in the discussion, and proceeds to troll the thread no less than eight pro-systemd comments (and counting)...none of which have been modded up, and several which have been modded down.

              • (Score: 2) by kaszz on Monday July 31 2017, @04:29PM (4 children)

                by kaszz (4211) on Monday July 31 2017, @04:29PM (#547231) Journal

                Any notable compatibility trouble with free software going the systemd route?

                • (Score: 2) by digitalaudiorock on Monday July 31 2017, @05:30PM (3 children)

                  by digitalaudiorock (688) on Monday July 31 2017, @05:30PM (#547257) Journal

                  If you're asking if I've run into issues, not really, however I simply don't use anything, like Gnome for example, that requires it. So far nothing I really care about has become an issue. Hopefully most sane projects out there will continue to realize that making end user software dependent on a specific init system is basically turning into Windows ;)...which is pretty much what systemd is to anyone paying attention.

                  What REALLY sucks if you ask me is that it will become impossible to find a good binary server distribution. CentOS 6 for example is simply rock solid. You couldn't pay me to use 7. That scene is just plain sad.

                  • (Score: 2) by kaszz on Monday July 31 2017, @05:59PM (2 children)

                    by kaszz (4211) on Monday July 31 2017, @05:59PM (#547273) Journal

                    will continue to realize that making end user software dependent on a specific init system is basically turning into Windows ;)...which is pretty much what systemd is to anyone paying attention.

                    What is your train of thought on this?

                    • (Score: 2) by digitalaudiorock on Monday July 31 2017, @06:52PM (1 child)

                      by digitalaudiorock (688) on Monday July 31 2017, @06:52PM (#547294) Journal

                      I think there are some out there (notably Redhat) who would actually like Linux to effectively turn into Windows in that all end user software can always leverage the same interfaces exposed by one and only one monolithic init system that can be assumed to always be there. The over engineered way they approach everything even looks indistinguishable from the nightmarish way Windows does everything. That would be the end of Linux as far as I'm concerned...because it all flies in the face of everything that's made 'nix operating systems survive this long.

                      This would be a concern even if systemd wasn't actively trying to replace tried and true shit (DNS etc etc) that they have no clue about. That just makes it worse.

                      • (Score: 2) by kaszz on Monday July 31 2017, @07:00PM

                        by kaszz (4211) on Monday July 31 2017, @07:00PM (#547298) Journal

                        I think it's time for some anti-systemd software.

              • (Score: 2) by FakeBeldin on Monday July 31 2017, @08:08PM

                by FakeBeldin (3360) on Monday July 31 2017, @08:08PM (#547336) Journal

                By the way...not much sense in debating pvanhoof. There's one of him in every systemd discussion anywhere on the web. He goes on about how this is all just "systemd hate", passive aggressively pretending to be the "reasonable" one in the discussion, and proceeds to troll the thread no less than eight pro-systemd comments (and counting)...none of which have been modded up, and several which have been modded down.

                Thanks for the tip - there are indeed a lot of posts by pvanhoof further down that fit your description.

          • (Score: 2) by http on Tuesday August 01 2017, @10:58PM

            by http (1920) on Tuesday August 01 2017, @10:58PM (#547774)

            If you're not familiar with systemd, you are fuck off out of here as far as working in pretty much any org (picked at random) that uses Linux. The exceptions are... exceptions. Oh, and good luck being the new hire that tries to say, "we're switching everything to BSD because it's actually documented."

            I think you'll find the threat of homelessness and starvation fairly coercive.

            --
            I browse at -1 when I have mod points. It's unsettling.
      • (Score: 2) by pvanhoof on Monday July 31 2017, @01:51PM

        by pvanhoof (4638) on Monday July 31 2017, @01:51PM (#547138) Homepage

        Rolling around in cash ..

        The average salary at Red Hat for a Senior Software Developer is $96,984. That's not super much for software development in the US. I don't know about the details of Poettering's contract with Red Hat, of course.

        source [payscale.com]

    • (Score: 0) by Anonymous Coward on Monday July 31 2017, @04:23PM

      by Anonymous Coward on Monday July 31 2017, @04:23PM (#547224)

      In the end, it's Readhat pulling all the strings,

      There had better be a WriteHat method in that API too

  • (Score: 5, Insightful) by rleigh on Monday July 31 2017, @07:00AM (1 child)

    by rleigh (4887) on Monday July 31 2017, @07:00AM (#547008) Homepage

    He deserved this prestigious award for his efforts.

    • (Score: 2) by KGIII on Monday July 31 2017, @10:46AM

      by KGIII (5261) on Monday July 31 2017, @10:46AM (#547080) Journal

      He certainly worked hard to achieve the award.

      --
      "So long and thanks for all the fish."
  • (Score: 3, Touché) by inertnet on Monday July 31 2017, @07:39AM

    by inertnet (4071) on Monday July 31 2017, @07:39AM (#547021) Journal

    On the site it just says: "The winners of the Pwnie Awards will be announced at a ceremony in Las Vegas on July 26th, 2017". That's 5 days ago.

    https://pwnies.com/winners/ [pwnies.com]

  • (Score: 5, Insightful) by Marand on Monday July 31 2017, @07:43AM (20 children)

    by Marand (1081) on Monday July 31 2017, @07:43AM (#547025) Journal

    Neither the summary nor its two links appear to provide context or links to the relevant bug reports, so for anyone interested, here are the links:

    5998 [github.com], 6225 [github.com], 6214 [github.com], 5144 [github.com], and 6237 [github.com]

    (Credit goes to The Register; I pulled the links from their coverage [theregister.co.uk] of the topic.)

    The first two (5998, 6225) and 6237 are especially worth reading. Poettering's remarks give some insight into the special blend of arrogance and ignorance he seems to possess. The more I see of him, the easier it is to understand how abominations like PulseAudio were created. He's so absolutely certain of his superiority in all things that he doesn't even seem to consider that the other party might have a point, and immediately moves to shut down any discussion whenever there's disagreement. If he can't do it literally — like locking a bug report immediately after getting the final word — then he does it figuratively, such as by suggesting that someone disagreeing with GNOME bloat just "hates handicapped people".

    He gets a lot of hate, and it's easy to see why. He seems to be on a mission to displace Ulrich Drepper as most hated open source programmer. (Speaking of, didn't Drepper also work for RedHat? There may be a link here. Master and apprentice, perhaps?)

    • (Score: 2) by TheRaven on Monday July 31 2017, @08:41AM

      by TheRaven (270) on Monday July 31 2017, @08:41AM (#547038) Journal

      Poettering's remarks give some insight into the special blend of arrogance and ignorance he seems to possess

      You can usually get away with arrogance or incompetence, but not both. The people who possess neither are a lot better to work with.

      --
      sudo mod me up
    • (Score: 5, Interesting) by Runaway1956 on Monday July 31 2017, @08:49AM

      by Runaway1956 (2926) Subscriber Badge on Monday July 31 2017, @08:49AM (#547041) Journal

      From the first link I clicked:

      "I mean, I am fine with security bureaucracy if it actually helps anyone, but you just create noise where there shouldn't be any. And that way you just piss off the upstreams whose cooperation you actually should be interested in. Your at least made sure that my own interest in helping your efforts goes to zero"

      Wonder how that would translate into day-to-day life.

      "Waitress, there's a fly in my soup."

      "Well, I understand that you probably don't like flies, but let's not make a big deal of this. We don't want to piss off the cook, do we?"

      Similar conversations with the painter who painted your living room green, instead of yellow? Or the auto mechanic who put mis-matched tires on your car? Oh yeah, the doctor who took your lung out, because he confused you with another patient?

    • (Score: 2) by opinionated_science on Monday July 31 2017, @10:55AM (17 children)

      by opinionated_science (4031) on Monday July 31 2017, @10:55AM (#547082)

      trying to be a *bit* objective, but in the first two bugs (the only ones I read), LP is consistently arguing on the pointlessness of CVE bugs - i.e. flagging it as CVE when it probably isn't.

      I did giggle at his "I know you use CVE as a currency...".

      LP did *not* disagree on the null pointer reference. He was protesting on the elevation to "world ending bug".

      Anyone else see it this way?

      • (Score: 0) by Anonymous Coward on Monday July 31 2017, @11:37AM (1 child)

        by Anonymous Coward on Monday July 31 2017, @11:37AM (#547098)
        • (Score: 1, Flamebait) by pvanhoof on Monday July 31 2017, @01:44PM

          by pvanhoof (4638) on Monday July 31 2017, @01:44PM (#547136) Homepage

          Please quote the entire text he said when name-calling somebody based on a quote. You have the green site for drama.

          I find the whole discussion pointless. It's about communicating something we (mis-)judged as not being relevant. I mean, if we thought it was relevant, we could have communicated it, but the key is we didn't think it was relevant. And no, we won't flood people with everything irrelevant under the earth. Sorry. That's not going to be helpful, and would drown the relevant bits in noise.

          Yes, it is our fault that we (mis-)judged it as irrelevant, but the action that resulted from it, was the right one from that judgement.

          And please, let's leave it at that.

      • (Score: 1, Disagree) by pvanhoof on Monday July 31 2017, @01:37PM (13 children)

        by pvanhoof (4638) on Monday July 31 2017, @01:37PM (#547133) Homepage

        I see it the same way. But the group of people who yell and dramatise and call for the assassination of Poettering have scared all the sensible, reasonable people away. Poettering even acknowledges they made a misjudgement. He just doesn't want CVEs to be used politically (i.e. against systemd).

        To be honest, I also don't see the "really big serious" security issue here. If you can make unit files, you were root. That means the system was already compromised. It's bad that systemd can't deal with strange input coming from its own configuration files. But no dramaqueen had to be slaughtered for that. So why is everybody yelling and dramatising?

        Politics, and anti-systemd hate. That's why. Sensible people have been ignoring it for years now. Because of that the dramaqueens are rampant in all debates.

        • (Score: 0) by Anonymous Coward on Monday July 31 2017, @02:09PM (2 children)

          by Anonymous Coward on Monday July 31 2017, @02:09PM (#547147)

          If Poettering would have just been a competent leader and made competent decisions no drama would be there to exploit. Unfortunately he has a really shitty attitude and therefore deserves the award he got.
          If Systemd would have listened to all the blowback people gave it from the beginning and would have constructively taken it into account to improve their code none of this drama and shit flying everywhere would have happened.
          Whenever a group of coders do not take a constructive attitude about their code baby, and what it might not handle perfectly, combined with a spokesperson/head administrator who makes really bad calls when it comes to how to administer bugs you will run into situations where these kind of awards are warranted and deserved.

          • (Score: 2) by pvanhoof on Monday July 31 2017, @03:04PM (1 child)

            by pvanhoof (4638) on Monday July 31 2017, @03:04PM (#547172) Homepage

            Not saying anything about the award. I'm sure Poettering gets the joke. I am referring to the drama people say about Poettering and systemd here. I've actually seen calls to assassinate him. Also on this site.

            That's absurd.

            (And, may I say, illegal in some countries. As this call for assassination is hate speech and calling for violence. And no, it's not funny or "just a joke".)

        • (Score: 2) by digitalaudiorock on Monday July 31 2017, @03:00PM (3 children)

          by digitalaudiorock (688) on Monday July 31 2017, @03:00PM (#547169) Journal

          To be honest, I also don't see the "really big serious" security issue here. If you can make unit files, you were root. That means the system was already compromised.

          So it's somehow not an issue when the end user themselves creates a unit file with user 0day and systemd quietly "sanitizes" the "input"...that is, it ignores the user, and quietly runs as root? Apparently LP agrees with you, and that's the problem. This shows that they put NO thought at all into the ramifications of their error handling. That sort of shit isn't even programming 101, it's just common sense for most of us. The only sane options here were to either a) accept the user if it was a valid user, or b) hard fail and refuse to start the service due to an invalid configuration...NOT to quietly use root.

          This is just as stupid as the DNS issue where they were stripping underscores from DNS names because they "shouldn't be there". Again...blindly "sanitizing" the input, thus guaranteeing that they were attempting to look up an incorrect name. These people are provably clueless. The scary part is that their basic design concepts from the beginning were about 1000 times worse than their clueless execution.
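The two sane options the post names (accept a resolvable user, or refuse to start) contrasted with the silent fall-back to root, as an added example that is not systemd's code and not the poster's: a minimal reader for the `User=` line of a unit file, a naive resolver that turns any "disliked" or unknown name into uid 0, and a fail-closed resolver that raises `InvalidUnit` instead. The `NAME_RE` shape, the `lookup` parameter standing in for `pwd.getpwnam`, and the `FAKE_PASSWD` entries are assumptions constructed for offline use.

```python
"""Fail-closed handling of a unit file's User= line (added example).

Assumptions: a minimal unit-file reader, and a pluggable `lookup`
callable in place of pwd.getpwnam so the sample passwd entries below
are constructed rather than read from the host."""
import pwd
import re
from types import SimpleNamespace

# Acceptable user-name shape: an assumption for this example, not a
# systemd rule. It deliberately permits names beginning with a digit.
NAME_RE = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._-]{0,31}$")


class InvalidUnit(ValueError):
    """The unit must not be started: its configuration is unusable."""


def parse_user_setting(unit_text):
    """Return the value of the first User= line, or None when absent."""
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("User="):
            return line[len("User="):].strip()
    return None


def resolve_uid_naive(unit_text, lookup=pwd.getpwnam):
    """The behaviour criticised in the thread: any value the parser dislikes
    (here: empty or a leading digit) or cannot resolve quietly becomes uid 0."""
    name = parse_user_setting(unit_text)
    if not name or name[0].isdigit():
        return 0                      # silent fallback to root
    try:
        return lookup(name).pw_uid
    except KeyError:
        return 0                      # unknown user: also root


def resolve_uid_strict(unit_text, lookup=pwd.getpwnam):
    """Fail closed: a present-but-unusable User= refuses the start instead
    of escalating. Only an absent User= means root, the documented default."""
    name = parse_user_setting(unit_text)
    if name is None:
        return 0
    if not NAME_RE.match(name):
        raise InvalidUnit(f"User={name!r}: malformed user name")
    try:
        return lookup(name).pw_uid
    except KeyError:
        raise InvalidUnit(f"User={name!r}: no such user") from None


# Constructed passwd entries for offline use (not the host's database).
FAKE_PASSWD = {
    "root": SimpleNamespace(pw_uid=0),
    "www": SimpleNamespace(pw_uid=33),
    "0day": SimpleNamespace(pw_uid=1001),  # valid account, digit-first name
}


def fake_lookup(name):
    """Stand-in for pwd.getpwnam over FAKE_PASSWD; raises KeyError like it."""
    return FAKE_PASSWD[name]


def start_decision(unit_text, lookup=fake_lookup):
    """Return ('start', uid) or ('refuse', reason) for a unit's User= line."""
    try:
        return ("start", resolve_uid_strict(unit_text, lookup))
    except InvalidUnit as exc:
        return ("refuse", str(exc))


if __name__ == "__main__":
    unit = "[Service]\nUser=0day\nExecStart=/usr/bin/true\n"
    print("naive :", resolve_uid_naive(unit, fake_lookup))   # 0 (root!)
    print("strict:", start_decision(unit))                    # ('start', 1001)
    print("strict:", start_decision("[Service]\nUser=nosuch\n"))
```

The design point is that the only path to uid 0 in the strict resolver is the documented default (no `User=` at all); a value that is present but malformed or unresolvable is a configuration error and the service stays down. With the real `pwd.getpwnam` as `lookup`, the same functions resolve against the host's account database.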

          • (Score: 2) by pvanhoof on Monday July 31 2017, @03:16PM (2 children)

            by pvanhoof (4638) on Monday July 31 2017, @03:16PM (#547183) Homepage

            Relax. You are throwing a lot of stupid here and about about 1000 worse than clueless this and that. With that communication style, you're not helping yourself in making your (probably reasonable) argument.

            I'm sure the idea was that an init system cannot make worse choices like not booting the system in case of a misconfiguration. Because then the system is broken beyond repair (since init 1 or init single from GRUB might also no longer work, you'd have to do something like init sh=/bin/sh and mount the FS writable yourself and stuff like that).

            Maybe they should indeed in the unit files have something like "This is a boot critical service that should, if the user doesn't exist, fall back to root user". I'm not a systemd developer nor an init expert. But I can certainly imagine that just refusing to start the service can be the wrong choice, too. Because their deleting a user can mean that the system no longer boots.

            I wonder what inetd and xinetd do in this situation. Do they fall back to root too?

            • (Score: 3, Insightful) by sjames on Monday July 31 2017, @04:49PM

              by sjames (2882) on Monday July 31 2017, @04:49PM (#547240) Journal

              ...you'd have to do something like init sh=/bin/sh and mount the FS writable yourself and stuff like that).

              So not at all beyond repair then.

              Running as root when explicitly told not to is just plain wrong and dangerous. The correct answer is don't run that service at all and move on. Next best (a distant second) would be run as nobody and hope for the best.

            • (Score: 2) by Gaaark on Tuesday August 01 2017, @02:16PM

              by Gaaark (41) on Tuesday August 01 2017, @02:16PM (#547651) Journal

              Not fully up on this (my memory is failing me.... tired beyond belief), but shouldn't it fall back to root LOGIN instead of root logged in?

              --
              --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
        • (Score: 3, Insightful) by digitalaudiorock on Monday July 31 2017, @03:23PM (4 children)

          by digitalaudiorock (688) on Monday July 31 2017, @03:23PM (#547190) Journal

          Politics, and anti-systemd hate. That's why. Sensible people are ignoring it since years now. Because of that the dramaqueens are rampant in all debates.

          Anyone with a clue knows it's actually quite the opposite...sensible people have long since ignored the pro-systemd trolls trying to portray everything as "anti-systemd hate"...you know...sort of like you are now.

          • (Score: 2) by pvanhoof on Monday July 31 2017, @03:53PM (3 children)

            by pvanhoof (4638) on Monday July 31 2017, @03:53PM (#547201) Homepage

            Sure. If you think that. Meanwhile I'll follow up on who is actually writing code here.

            • (Score: 2) by digitalaudiorock on Monday July 31 2017, @04:11PM

              by digitalaudiorock (688) on Monday July 31 2017, @04:11PM (#547215) Journal

              Meanwhile I'll followup on who is actually writing code here.

              What's that supposed to mean? You know nothing about me. I'm the creator / lead developer of an enterprise class piece of software running in hundreds of data centers around the world at companies you've definitely heard of. How about you quit trolling the thread and go fuck yourself.

            • (Score: 0) by Anonymous Coward on Monday July 31 2017, @09:00PM

              by Anonymous Coward on Monday July 31 2017, @09:00PM (#547362)

              Woopty woo, we've got a meritocratic person here who thinks that someone in a position of power must obviously have gotten there by their inherent superiority. It is like Trump supporters: he says he's rich, so he must be a smart, amazing person. Looooooooooooool

              Systemd is a cancer, only blind MORONS can't see that. Either your brain is not very good, or you've swallowed some idea about the world being a nice place where people aren't corrupt tools. Either way you're a moron falling for Poettering's bullshit.

              Someone said not to debate you, you're just a shill trying to legitimize systemd and make people doubt the naysayers. Hopefully you're not actually a shill and you can grow beyond your naive viewpoint, but if you are a shill then please evaluate your life choices. They are not good.

            • (Score: 0) by Anonymous Coward on Wednesday August 16 2017, @07:02PM

              by Anonymous Coward on Wednesday August 16 2017, @07:02PM (#554866)

              So what works best, 10000 lines of dumb code, or 1 line of thoughtful code?

        • (Score: 4, Informative) by kaszz on Monday July 31 2017, @04:41PM

          by kaszz (4211) on Monday July 31 2017, @04:41PM (#547236) Journal

          Just get this:
            * systemd is shit. And lacks the input validation that sane software has.
            * Poettering is arrogant and incompetent. And if he is competent, he surely doesn't show it where it counts.
            * RedHat is Poettering's master.
            * Poettering and RedHat should be made to suffer the cost they try to externalize, not be assassinated.
            * CVE is about security problems. systemd is a security problem. So is the author of it and the company the author works for.
            * Security is a serious issue these days. So any move to compromise it by design will have their personal flame festival.

      • (Score: 4, Informative) by Marand on Tuesday August 01 2017, @08:23AM

        by Marand (1081) on Tuesday August 01 2017, @08:23AM (#547559) Journal

        trying to be a *bit* objective, but in the first two bugs (the only ones I read)

        You missed much of the fun, then. Those were mostly interesting because of the condescending attitude and the "I have no interest in helping you because you disagree with me about CVEs" shit at the end. The last one, while longer, does a better job of showing the arrogance + ignorance combination I mentioned. He's so caught up with arguing that usernames starting with a digit are invalid (they're not) and trying to prove it's NOTABUG WONTFIX that he basically ignores any evidence to the contrary, or dismisses that evidence as wrong.

        Plus he completely misses that "systemd doesn't like this username, so systemd defaults to root" is a bad idea because it's unexpected privilege elevation, because it's technically working as intended (an invalid value for a setting will quietly revert to a default value, in this case root as the default user) and that's all that matters because it means he's right that it's NOTABUG. He won't even consider that maybe silently reverting to root instead of giving an error is a bad default behaviour.

        And on the subject of ignorance, there's also this bug [github.com], where their home-grown "rm -rf" equivalent can follow ".." upward, eventually trashing the entire system. His immediate response is "I am not sure I'd consider this much of a problem. Yeah, it's a UNIX pitfall, but "rm -rf /foo/.*" will work the exact same way, no?" Which is bad enough by itself, because "that other program does it too!" is a poor justification for justifying your tool trashing the OS, but he's also wrong about it, and when others pointed it out he locked it to shut down people calling him out on not knowing fuck-all about how the OS he works on even operates.

        Also, here's the video I referenced [youtube.com] in the previous comment about his "do you hate handicapped people?" remark. That part starts around 22:22 [youtu.be], and this is where he gets on stage at the end. [youtu.be] Most of it was tame, just a bit rude to be arguing with the presenter for so much of his presentation, but accusing the guy of disliking foreigners and disabled people over a disagreement about loading a full GNOME session for the login greeter was just shitty.
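The ".." pitfall the comment above describes, as an added example rather than systemd's code or the poster's: a recursive delete that cannot walk upward out of the directory it was given. It refuses a path containing a `..` component, refuses the filesystem root or a symlinked starting point, walks with `os.scandir` (which never yields `.` or `..`), unlinks symlinks instead of descending into them, and checks on every entry that the walk is still strictly below the starting directory. The `demo()` tree is constructed in a temporary directory; the function names are this example's own.

```python
"""A recursive delete that cannot climb out of its starting directory
(added example). It stays inside `root` by construction: os.scandir never
yields '.' or '..', symlinks are unlinked rather than followed, and the
caller may not name a parent component. The demo tree is constructed in a
temporary directory."""
import os
import tempfile


def safe_rmtree(root):
    """Remove directory `root` and its contents without following '..' or symlinks."""
    if ".." in root.split(os.sep):
        raise ValueError(f"refusing {root!r}: contains a '..' component")
    root = os.path.abspath(root)
    if root == os.sep or os.path.islink(root):
        raise ValueError(f"refusing {root!r}: filesystem root or a symlink")
    _remove_children(root, root)
    os.rmdir(root)


def _inside(root, path):
    """Invariant check: `path` lies strictly below `root`."""
    return path.startswith(root + os.sep)


def _remove_children(root, directory):
    with os.scandir(directory) as entries:
        for entry in entries:
            # entry.path is join(directory, name); names never contain os.sep,
            # so this check cannot fail, but it makes the invariant explicit.
            if not _inside(root, entry.path):
                raise RuntimeError(f"walk escaped {root!r}: {entry.path!r}")
            if entry.is_dir(follow_symlinks=False):
                _remove_children(root, entry.path)
                os.rmdir(entry.path)
            else:
                os.unlink(entry.path)   # removes a symlink itself, not its target


def demo():
    """Build outside/keep.txt and target/{a.txt, sub/b.txt, link->outside,
    flink->outside/keep.txt} (constructed), delete target, report what survived."""
    base = tempfile.mkdtemp(prefix="rmtree-demo-")
    outside = os.path.join(base, "outside")
    target = os.path.join(base, "target")
    os.makedirs(os.path.join(target, "sub"))
    os.mkdir(outside)
    keep = os.path.join(outside, "keep.txt")
    for path in (keep, os.path.join(target, "a.txt"),
                 os.path.join(target, "sub", "b.txt")):
        with open(path, "w") as fh:
            fh.write("data\n")
    os.symlink(outside, os.path.join(target, "link"))   # dir symlink out of target
    os.symlink(keep, os.path.join(target, "flink"))     # file symlink out of target

    safe_rmtree(target)
    try:
        safe_rmtree(os.path.join(base, "target", "..", "outside"))
        rejected = False
    except ValueError:
        rejected = True
    result = {
        "target_gone": not os.path.lexists(target),
        "outside_kept": os.path.exists(keep),
        "dotdot_rejected": rejected,
    }
    safe_rmtree(base)   # clean up the whole constructed tree
    return result


if __name__ == "__main__":
    print(demo())   # {'target_gone': True, 'outside_kept': True, 'dotdot_rejected': True}
```

The symlink cases are not in the comment above but are the same class of mistake: a deleter that follows a link or a `..` entry is operating on a path it was never asked to touch, so the walk is bounded by construction rather than by checking each name against a deny-list.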

  • (Score: 5, Funny) by WizardFusion on Monday July 31 2017, @09:07AM (4 children)

    by WizardFusion (498) on Monday July 31 2017, @09:07AM (#547051) Journal

    Now he can say he's won an award for his work. His pride will blossom.

    It doesn't matter that it's a shitty award, just that it is an award.

    • (Score: 2) by aristarchus on Monday July 31 2017, @09:45AM

      by aristarchus (2645) on Monday July 31 2017, @09:45AM (#547068) Journal

      Suitable for framing?

    • (Score: 2) by gawdonblue on Monday July 31 2017, @12:45PM (2 children)

      by gawdonblue (412) on Monday July 31 2017, @12:45PM (#547116)

      Here's a photo of Poettering's award [nocookie.net].

      • (Score: 2) by Gaaark on Tuesday August 01 2017, @02:23PM

        by Gaaark (41) on Tuesday August 01 2017, @02:23PM (#547653) Journal

        FAAAATHER!!!!

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 0) by Anonymous Coward on Tuesday August 01 2017, @08:49PM

        by Anonymous Coward on Tuesday August 01 2017, @08:49PM (#547752)

        OH, in that case, suitable for insertion. But I still say he should be framed.
