@cowanon @11112011 @BroDoYouEvenDrift @Creepella @Jdogg247 @Nonetrix @Oblivia @SandiaMesa @anornymorse @bagofshit @bootersmchooties @cowanon @endchannel3 @fluffy @georgia @jack @jasonl8446 @jyushimatsu @leyonhjelm @matrix @mrmcmayhem @pasture @r000t @sjw
Ha, I didn't realize the question was real, it looked like those systemd persecution complex questions.
A real answer is it is broken by design. The lead dev (also responsible for PulseAudio and D-Bus) has a habit of responding to reports of security vulnerabilities and random crashes with "why do you dickheads care about this you just hate progress and you persecute me". It's of dubious value, and the main defense he presents (still!) is just a laundry list of problems with sysvinit. (Everyone knows the problems with sysvinit and this, of course, does not mean that systemd is good, or even better. More importantly, EVERYONE KNOWS THE PROBLEMS WITH SYSVINIT, and thus a new thing has to be worth the trouble of learning a new set of failure modes which, it turns out, are even worse and more numerous.) Attached is a text file I squirreled away for an occasional laugh, named lennart_poettering_is_sad_and_you_should_be_nice_to_him.txt, and which contains some "they sent me death threats" and some "the problem is straight white males".
The reason there are so many bugs is that the thing is absolutely massive. According to sloccount, sysvinit is 8,324 lines and depends on nothing. systemd is 265,666 lines and depends on libcryptsetup, PAM, zlib, curl, microhttpd, rfkill (YES IT WANTS TO INITIALIZE YOUR WIFI), Python (build time *and* runtime), dbus, FUCKING XKBD, and so on. It includes a web server and an HTTP client. It includes a DNS server and client. It doesn't attempt to replace /sbin/init, it attempts to take over the management of everything: log files, DNS resolution, /dev, everything. It's impossible to audit and all of it runs as root because it's all in pid 1. All this shit in one address space that runs as root in an impossibly huge codebase with a massive list of dependencies (each of which exponentially increases the complexity of the codebase from a security perspective, as a library can hand you a pointer and whatever you do with it may be secure in one version or subtly corrupt memory in another).
In short, it is an absolute shitshow that nobody asked for and we have all now somehow received, except those of us that use good distros or that don't use Linux at all (an option that is sensible and getting more sensible by the day).
Now, one might ask why an init system, which has the job of starting up a handful of daemons, should need to talk to the network at all, or why it should default to using Google's DNS and NTP servers, which are set at compile-time. One might ask why one year nobody was using systemd and suddenly the next year all of the distros (except Slackware and CRUX) had replaced their init systems with systemd. One might wonder how (or *if*) the developers of systemd expected this to be secure and reliable while tossing in servers and clients for several disparate network protocols and parsing XML. One might wonder exactly why Lennart gets so angry about security vulnerability reports and starts screeching when someone affixes a CVE number to a bug report. One might openly speculate about the very cozy relationship that IBM (which owns RedHat) and Google (which suddenly became the default DNS and NTP server for billions of systems globally) enjoy with DARPA and the Pentagon.
If someone then considered what might be the unifying factor behind all of these mysteries, they might wonder aloud, "Hey, do you think this software glows in the dark so you can run it over with your car?"
...And they might accidentally wander into the train tracks if they said that close enough to an Alexa device.
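The post's complaint about network defaults baked in at compile time has a practical follow-up for a defender: find out whether a host is actually relying on those fallbacks. The script below is an added example, not code from the post or from the systemd project. It parses the ini-style `[Resolve]` and `[Time]` sections of `resolved.conf` / `timesyncd.conf` (the `DNS=`, `FallbackDNS=`, `NTP=` and `FallbackNTP=` keys are real systemd settings; repeated list assignments append and an empty assignment resets the list, which is how drop-ins override the main file) and reports which servers are set explicitly and where nothing is set globally. The function names `parse_systemd_conf` and `audit_servers` and the two sample config texts are constructed for this example.

```python
"""Audit systemd resolved.conf / timesyncd.conf for explicit vs. fallback servers.

Added example (not from the original post or from systemd itself). The input
below is constructed sample text, not read from a real host.
"""
import re
from typing import Dict, Iterable, List

SectionMap = Dict[str, Dict[str, List[str]]]


def parse_systemd_conf(*texts: str) -> SectionMap:
    """Parse one or more systemd-style config texts in override order.

    Subset of the syntax that matters for list-valued keys such as DNS= / NTP=:
      * lines starting with '#' or ';' are comments; blank lines are ignored
      * [Section] headers group keys
      * Key=value; for list-valued keys, repeated assignments append
      * an empty assignment (Key=) resets the list (how a drop-in clears
        what the main file set)
    Pass the main file first, then drop-ins (*.conf.d) in the order they apply.
    """
    conf: SectionMap = {}
    section = None
    for text in texts:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            header = re.fullmatch(r"\[(.+)\]", line)
            if header:
                section = header.group(1)
                conf.setdefault(section, {})
                continue
            if section is None or "=" not in line:
                continue  # stray line outside a section; ignored
            key, _, value = line.partition("=")
            entries = conf[section].setdefault(key.strip(), [])
            value = value.strip()
            if value == "":
                entries.clear()          # Key= resets the list
            else:
                entries.extend(value.split())  # whitespace-separated list
    return conf


def audit_servers(resolved_texts: Iterable[str], timesyncd_texts: Iterable[str]) -> Dict[str, dict]:
    """Report explicit DNS/NTP servers and whether nothing is set globally.

    'no_global_server' is True when the global DNS= / NTP= list is empty. The
    daemons can still pick up per-link servers (DHCP, networkd); only when
    those are absent too does the FallbackDNS= / FallbackNTP= list apply,
    and if that key is not set in the config either, the list compiled into
    the binary by the distribution is used.
    """
    resolve = parse_systemd_conf(*resolved_texts).get("Resolve", {})
    time_sec = parse_systemd_conf(*timesyncd_texts).get("Time", {})
    report: Dict[str, dict] = {}
    for name, section, key, fallback_key in (
        ("DNS", resolve, "DNS", "FallbackDNS"),
        ("NTP", time_sec, "NTP", "FallbackNTP"),
    ):
        explicit = list(section.get(key, []))
        fallback = list(section.get(fallback_key, []))
        report[name] = {
            "explicit": explicit,
            "no_global_server": not explicit,
            "fallback_list": fallback,
            "fallback_source": "config file" if fallback else "compiled-in default",
        }
    return report


# Constructed samples (not from a real machine): DNS left at defaults,
# NTP pinned to two internal servers across a repeated assignment.
SAMPLE_RESOLVED = """\
# constructed sample /etc/systemd/resolved.conf
[Resolve]
#DNS=
#FallbackDNS=
DNSSEC=allow-downgrade
"""

SAMPLE_TIMESYNCD = """\
# constructed sample /etc/systemd/timesyncd.conf
[Time]
NTP=ntp1.example.internal
NTP=ntp2.example.internal
"""

if __name__ == "__main__":
    for proto, info in audit_servers([SAMPLE_RESOLVED], [SAMPLE_TIMESYNCD]).items():
        status = "NO GLOBAL SERVER SET" if info["no_global_server"] else "explicit"
        print(f"{proto}: {status} {info['explicit']} (fallback from {info['fallback_source']})")
```

On a real host you would feed it the contents of `/etc/systemd/resolved.conf`, `/etc/systemd/timesyncd.conf` and any `*.conf` files under the matching `.conf.d` directories, then compare an entry reporting "compiled-in default" against what `resolvectl status` and `timedatectl show-timesync` actually report, since the compiled-in list varies by distribution.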