Debian did not link OpenSSH with a 1.5 million-line library, because one doesn't exist. The library is libsystemd, which is comparatively tiny, and it is tiny so that sane things like Type=notify services get supported in more places with less pushback.
Yes, it could be smaller, broken up to remove compression support [0], what have you. But you should criticize the things that are actually problems, not some made-up bullshit about the whole of systemd being linked into everything that talks to it.
0: https://github.com/systemd/systemd/issues/32028
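The Type=notify mechanism the comment above refers to is a small protocol, not a library feature: a daemon sends a datagram of newline-separated KEY=VALUE pairs to the AF_UNIX socket named by $NOTIFY_SOCKET, where a leading "@" means the abstract namespace. The following is an added example, not code from this thread or from the systemd or OpenSSH projects; it shows both ends of that exchange in plain Python with no libsystemd involved. The function names sd_notify, parse_notify_message and demo_roundtrip and the sample status text are my own, and the demo stands in for the service manager by binding a throwaway socket in a temporary directory. The defender's takeaway is that readiness notification can be supported in a privileged daemon without linking any additional shared library at all.

```python
"""Speak the systemd notify protocol without linking libsystemd.

Added example (not from the thread, systemd or OpenSSH). Assumes a Unix
platform with AF_UNIX datagram sockets; the abstract-namespace branch is
Linux-only, the filesystem-path branch is portable.
"""
import os
import socket
import tempfile
from typing import Dict, Optional


def sd_notify(state: str, notify_socket: Optional[str] = None) -> bool:
    """Daemon side: send `state` to the service manager.

    `state` is the same newline-separated text libsystemd's sd_notify()
    accepts, e.g. "READY=1\\nSTATUS=Listening". Returns True if a datagram
    was sent. When no socket is configured (the process was not started as
    a Type=notify service) this is a silent no-op, which is what a daemon
    wants when run outside systemd.
    """
    path = os.environ.get("NOTIFY_SOCKET") if notify_socket is None else notify_socket
    if not path:
        return False
    if path[0] == "@":
        # Abstract-namespace socket: a leading NUL byte replaces the "@".
        addr = b"\0" + path[1:].encode()
    elif path[0] == "/":
        addr = path.encode()
    else:
        # Neither a filesystem path nor an abstract name: refuse rather than guess.
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(state.encode(), addr)
    return True


def parse_notify_message(data: bytes) -> Dict[str, str]:
    """Manager side: split a datagram into KEY=VALUE pairs, ignoring junk lines."""
    fields: Dict[str, str] = {}
    for line in data.decode(errors="replace").split("\n"):
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value
    return fields


def demo_roundtrip(state: str = "READY=1\nSTATUS=Listening on port 22") -> Dict[str, str]:
    """Bind a stand-in manager socket, notify it, and return the parsed message.

    The socket path is constructed in a temporary directory so the example
    runs offline and leaves nothing behind.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "notify")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as manager:
            manager.bind(sock_path)
            manager.settimeout(2.0)
            if not sd_notify(state, notify_socket=sock_path):
                raise RuntimeError("notification was not sent")
            data, _ = manager.recvfrom(4096)
    return parse_notify_message(data)


if __name__ == "__main__":
    print(demo_roundtrip())
```

Unit files would use this exactly as they use a libsystemd-based daemon: `Type=notify` in the service section, and systemd sets $NOTIFY_SOCKET in the daemon's environment. The two error paths (no socket configured, malformed socket name) return False instead of raising, so a daemon started by hand or under another init behaves no differently from one that never heard of systemd.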
> Great. TFA's author thinks he cherry picked a sentence to make the project look bad.
Err... What? It's just a factual, non-judgemental description. Unlike your comment, which goes out of its way to call systemd names for whatever reason. Which just makes me less interested in what you have to say. Most people who rely on appeal to emotion to that extent are not in the right.
> systemd is a monstrous codebase and there lies a shitload of exploits in it. Either intentional or accidental.
And yet...
1. practically all hyperscalers use it
2. desktops
3. container images that power everything from Docker to Kubernetes use it
It helps that it's actively maintained, battle-tested as hell, and widely audited.
Point being, it's fun to hate on systemd, and maybe even hipster-like, and systemd is hardly perfect... but you are probably more likely to be exploited by a PyPI or npm supply-chain attack.
> It helps that it's actively maintained, battle-tested as hell, and widely audited.
Is it actually audited? Or is it like OpenSSL... everybody uses it, but nobody looks under the hood cause it's gross in there? (Or well, nobody looked before Heartbleed anyway)
> Is it actually audited?
This is 2026, not 2014 when Heartbleed came out.
And it runs as PID1 on many distros and these are folks like RHEL, who have a huge interest in keeping it secure.
PyPI has an almost daily exploit announced in common and popular libraries, simply because the dependency graph is so huge. And this is in things that are almost certainly deliberately and by design exposed to insecure user input.
Again, it’s fun to hate on systemd, but in reality you are much more likely to be exploited by something else.
> Point being, it's fun to hate on systemd, and maybe even hipster-like, and systemd is hardly perfect... but you are probably more likely to be exploited by a PyPI or npm supply-chain attack.
Can you even imagine PyPI or npm compromising ssh this way?
> Can you even imagine PyPI or npm compromising ssh this way?
Is ssh somehow sacrosanct in a way that any other RCE or credential stealing attack is different?
I don’t even know the last time I exposed ssh to the open internet.
But the fact is, with npm or PyPI you can be exploited just by running the software you've already installed, because the dependencies are everywhere on your system.
> Is ssh somehow sacrosanct in a way that any other RCE or credential stealing attack is different?
I see ssh as a very fundamental part of the system - in BSD terms it's in base, not ports. Random packages from npm or PyPI, sure, if you installed some slop off the internet and got exploited that's not so surprising. (Even those package managers themselves are not part of the base system, much less anything you install with them). But ssh should be safe!