
[flagged]


Think whatever you shall about systemd of course, but please stop with the blind belief mud slinging:

  - systemd didn't create the patch to include libsystemd, distros did
  - current systemd versions already remove liblzma from their dependencies, the affected distros are behind on systemd updates though
  - you can implement notify in standalone code in about the same effort as it takes to use the dependency, there wasn't really a good reason for distros to be adding this dependency to such a critical binary. systemd documents the protocol independently to make this easy. distros having sketchy patches to sshd has a long history, remember the Debian weak key fiasco?
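
The standalone notify the comment above refers to, as an added example that is not part of the thread and not code from systemd or any distro patch: the service reads the `NOTIFY_SOCKET` environment variable and sends one datagram such as `READY=1` to that AF_UNIX socket, so no libsystemd (and none of its transitive libraries) is linked. The function name `notify_state` and its return convention are assumptions made for this sketch, and it handles only filesystem and abstract (`@`-prefixed) socket addresses on Linux.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper: send one state string (e.g. "READY=1") to the manager.
 * Returns 1 if sent, 0 if NOTIFY_SOCKET is unset, -errno on failure. */
int notify_state(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    struct sockaddr_un addr;
    size_t plen, slen;
    socklen_t alen;
    ssize_t n;
    int fd, saved;

    if (state == NULL || *state == '\0')
        return -EINVAL;
    if (path == NULL || *path == '\0')
        return 0;                        /* not started with notification enabled */
    if (path[0] != '/' && path[0] != '@')
        return -EAFNOSUPPORT;            /* only absolute paths or abstract names */
    plen = strlen(path);
    if (plen >= sizeof(addr.sun_path))
        return -E2BIG;                   /* would not fit in sockaddr_un */

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, plen);
    if (addr.sun_path[0] == '@')
        addr.sun_path[0] = '\0';         /* abstract namespace: leading NUL byte */
    alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen);

    fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -errno;
    slen = strlen(state);
    n = sendto(fd, state, slen, MSG_NOSIGNAL, (struct sockaddr *)&addr, alen);
    saved = errno;                       /* close() may overwrite errno */
    close(fd);
    if (n < 0)
        return -saved;
    return (size_t)n == slen ? 1 : -EPROTO;
}

/* Stand-alone use: exits 0 when sent or when no manager is listening for it. */
int main(void) { return notify_state("READY=1") < 0 ? 1 : 0; }
```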


> - current systemd versions already remove liblzma from their dependencies, the affected distros are behind on systemd updates though

The affected distros aren't behind on systemd updates, the change to systemd you describe has been merged but not yet released.


Ah, thank you for the correction!


Maybe you should reconsider your "blind belief mud slinging" eh?

Be better.


[flagged]


This is full conspiracy mode thinking.


Yes, well, there actually was a conspiracy here, wasn't there? The only question is how extensive it was in time and space.


I wonder if the fact they "had" to use a dependency and jump through a number of hoops suggests they're not involved in the conspiracy? As if they had this sort of access and effort surely systemd itself would be an easier target?

But that's not saying this is the only conspiracy, maybe there's hundreds of other similar things in published code right now, and one was noticed soon after introduction merely due to luck.


libselinux also links to liblzma (and gets into sshd via PAM)

https://news.ycombinator.com/item?id=39867126


No. You are still bitter about systemd and are trying to assert blame which does not reasonably exist.


I'm not bitter, I'm wary of systemd in a security context. Their vulns seem to be a result of poor choices made deliberately rather than mistakes or sloppy coding (e.g. defaulting to running units as root when the UID/username couldn't be parsed). Lennart was staunchly anti-CVE, which to me seems again like making a deliberate choice that will only hinder a secure implementation.

I haven't followed systemd too closely, has their stance on CVEs at least evolved?

https://soylentnews.org/article.pl?sid=17/07/30/0251232



