Systemd Named 'Lamest Vendor' At Pwnie Security Awards (theregister.co.uk)
Long-time Slashdot reader darkpixel2k shares a highlight from the Black Hat USA security conference. The Register reports:
The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year's ceremony in Las Vegas... The gongs are divided into categories, and nominations in each section are voted on by the hacker community... The award for best server-side bug went to the NSA's Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers...
And finally, the lamest vendor response award went to Systemd supremo Lennart Poettering for his controversial, and perhaps questionable, handling of the following bugs in everyone's favorite init replacement: 5998, 6225, 6214, 5144, and 6237... "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will be referenced in either the change log or the commit message," reads the Pwnie nomination for Systemd, referring to the open-source project's allergy to assigning CVE numbers. "But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"
CSO has more coverage -- and presumably there will eventually be an official announcement up at Pwnies.com.
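The "root privileges to any user whose name begins with a number" item above is the class of bug worth understanding as a pattern rather than a headline. The story does not spell out the mechanism; the example below assumes the one reported in systemd issue 6237, where a User= value such as "0day" failed the project's user-name validator, the directive was logged and ignored, and the unit kept its default identity, root. The code is an added illustration, not systemd's code: the validation rule, the tiny name database and the unit text are constructed here, and the point is the difference between a check that fails open onto a privileged default and one that fails closed.

```c
/* Added illustration (not systemd code): how a strict name validator with a
 * permissive fallback turns a rejected User= value into a root service, and
 * the fail-closed alternative. Rule, database and names are constructed. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ROOT_UID 0u

/* Constructed, deliberately strict rule: a name must start with a letter or
 * underscore and contain only [A-Za-z0-9_-]. "0day" fails it even though
 * useradd on many systems will happily create such an account. */
static bool valid_user_name(const char *name)
{
    size_t i, n;

    if (name == NULL || *name == '\0')
        return false;
    if (!(isalpha((unsigned char)name[0]) || name[0] == '_'))
        return false;
    n = strlen(name);
    if (n > 31)
        return false;
    for (i = 1; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return false;
    }
    return true;
}

/* Constructed stand-in for a name-service lookup; the account "0day" does
 * exist here, so only the validator stands between it and root. */
static bool lookup_uid(const char *name, unsigned *uid_out)
{
    static const struct { const char *name; unsigned uid; } db[] = {
        { "root", 0 }, { "www-data", 33 }, { "0day", 1001 },
    };
    size_t i;
    for (i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].name, name) == 0) {
            *uid_out = db[i].uid;
            return true;
        }
    return false;
}

struct unit {
    unsigned uid;   /* identity the service will run as; defaults to root */
    bool valid;     /* cleared once a directive is rejected */
};

/* Fail-open: an invalid User= value is logged and ignored, so the unit keeps
 * its default uid, which is root. */
static void apply_user_fail_open(struct unit *u, const char *user)
{
    unsigned uid;
    if (!valid_user_name(user)) {
        fprintf(stderr, "warning: invalid user name '%s', ignoring\n", user);
        return;
    }
    if (lookup_uid(user, &uid))
        u->uid = uid;
}

/* Fail-closed: an invalid or unresolvable User= value marks the unit as
 * unloadable, so nothing starts, let alone as root. */
static void apply_user_fail_closed(struct unit *u, const char *user)
{
    unsigned uid;
    if (!valid_user_name(user) || !lookup_uid(user, &uid)) {
        fprintf(stderr, "error: cannot resolve user '%s', refusing to load unit\n", user);
        u->valid = false;
        return;
    }
    u->uid = uid;
}

/* Returns the uid the service would run as, or -1 if the unit is refused. */
static int effective_uid(const char *user, bool fail_closed)
{
    struct unit u = { ROOT_UID, true };
    if (fail_closed)
        apply_user_fail_closed(&u, user);
    else
        apply_user_fail_open(&u, user);
    return u.valid ? (int)u.uid : -1;
}

int main(void)
{
    printf("User=www-data fail-open   -> uid %d\n", effective_uid("www-data", false));
    printf("User=0day     fail-open   -> uid %d\n", effective_uid("0day", false));
    printf("User=0day     fail-closed -> %d (refused)\n", effective_uid("0day", true));
    return 0;
}
```

The lesson generalises beyond user names: whenever a privilege-reducing directive can be rejected, the rejection must abort the load, because "ignore and continue" silently leaves the most privileged default in place. Whether the validator itself is right or wrong about leading digits is a secondary argument; the fail-open path is the bug.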
They are not #1 by any means. Cease fire, stand down. Kindness is contagious; so is violence, deception, dishonor. Spiritual bankruptcy can be fatal.
The real point that professionals can read between the lines is that this code has been gone over by a gazillion haters already, and a huge number of real and potential bugs have been fixed without having been first used in exploits. This is a huge victory for systemd, and it is a strong sign that it is going to be rock solid in the future.
It is the same as when we were talking about bug rates on Windows 15+ years ago on here. It is exactly the same. When people focus on a system they will find its bugs. And software starts out with bugs. Any new feature starts out with bugs. And design flaws. And the features that go largely unchanged over time, but receive bugfixes, will be very solid and reliable. It doesn't matter what the starting condition was.
In the 1990s there was a thing called "Matt's Scripts," and while it was very kind and generous of Matt to write these scripts and give them away for free online, the problem was that they all contained huge security flaws. So you use this script so that people can email you from your home page, and now spammers are using your website to send spams in your name. All the scripts had these problems. He was panned all around the world, magazines wrote articles warning people not to use it, etc., etc. But Matt was undeterred. And he understood, spammers are bad. So he just listened to all the complaints, looked at their teardowns of his code, and fixed his code. It took years, really, because each fix introduced new bugs. But he wasn't adding features, he was just fixing bugs, and so even with a high bug rate, his scripts eventually became rock-solid and there were no more open bugs.
Hate cannot destroy bad code, and the virtue of Stubbornness is an absolute shield for hated code.
You should have followed the links and informed yourself. You would have seen that each bug was properly addressed, and that this is about some disagreements about how to classify them, whether CVEs should be filed, and, when that happens, how to document that a fix is related to a CVE. There is nothing about this that amounts to "There are serious bugs, and they won't fix them!" Also, none of these bugs were "horrendous", but your understanding of them, as well as of what a normal development process looks like, might be. I guess we'll find out if you follow the links and try to understand what you read. This does, however, get some press for the Pwnies, and that is all it does.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun