[Discuss] Debian 12 in the Cloud

Kent Borg kentborg at borg.org
Sun Jun 2 15:57:49 EDT 2024


On 6/2/24 07:42, Rich Pieri wrote:
> Numbers of lines of code does not correlate with attack surface.
> Neither does code complexity.

Silliness.

Lines of code isn't identical to the size of the attack surface, but it 
has to be strongly correlated, the same way that not wearing a seat belt 
isn't identical to "you will die in a car crash", but it is strongly so 
correlated. I can't say I have seen studies to prove it, but I have 
personally seen that more lines of code means less is known about what 
is really going on inside that code, which means lower odds that the 
right (and safe) stuff is going on in there.

- The fact that test and build processes are intertwined and so 
complicated that they can't be trusted to produce the right output—and 
people apparently think this complexity is a reasonable state of 
affairs—should be an embarrassment, not an excuse.

- The fact that people might want to make systemd happier by patching 
OpenSSH should be an embarrassment, not an excuse. (The fact that anyone 
would patch OpenSSH at *all* should be an embarrassment.)

- The fact that it was possible for any bad guys to thread through this 
chaos and plant a backdoor in sshd (sshd!) should be taken as evidence 
that it is a horribly embarrassing mess, not an excuse.


-kb


P.S. And to unfairly beat up on the proverbial "some random person in 
Nebraska": The fact that the xz test code is so obscure that no one 
understands it should be an embarrassment, not an excuse. (Test code should 
be simpler than the stuff it is testing.)


