Also, I don't think we should get hung up too much on the libsystemd thing. I know people like to hit on systemd,
I know, and one of the problems that results from having just a
torrent of undeserved criticism is that it naturally predisposes
the maintainers to reflexively disregard all criticism. To be
clear: I *like* systemd. One of the things I like about it is
that while the project is fairly large, the individual
functions/services are modular and mostly independent of each
other. But that isn't really true of libsystemd. I understand
that there are some dependencies between different components of
libsystemd, but sd-daemon doesn't seem to have any dependencies on
sd-journal, for example.
but the attacker could have used various other vehicle libs for their goal, too. I mean, sshd uses PAM, and that pull in variety of things through its modules
PAM modules aren't a problem for the same reason that the
compression libraries aren't a problem now that they're
dlopen()ed.