←back to thread

InitWare, a portable systemd fork running on BSDs and Linux

(github.com)
167 points sunshine-o | 3 comments | 03 Apr 25 12:11 UTC | HN request time: 0s | source
Show context
exceptione ◴[03 Apr 25 17:18 UTC] No.43572744[source]
The list of dropped components is quite large. The cryptsetup, cryptenroll, unified kernel images, kernel signing and systemd-boot work nicely together.

I think Systemd has a view that those things should reliably work together. I do not fancy a revival of the past where the user has to cobble a mesh of hopefully compatible libraries to achieve the same, taking weeks to study the Arch manual and resolving tons of gotcha's, all to be broken by next week's update.

The integration of all this stuff is now actively under test and maintenance with systemd.

And yes, the mentioned services also have an impact on the scope of service managing. Because if you have a unit that depends on a disk that needs to be unencrypted, this has to be resolved somehow in the right time.

I personally have had no need for systemd-resolved, but I think for *desktop* the list of droppable components is not large.

So maybe we should first have a conversation about the *desktop* vs *container-os* purpose?

replies(5): >>43573274 #>>43573308 #>>43573459 #>>43575409 #>>43576185 #
udev4096 ◴[03 Apr 25 18:04 UTC] No.43573274[source]
systemd has definitely made huge improvements to boot security which not a lot of "systemd haters" see. this is a great post from lennart: https://0pointer.de/blog/brave-new-trusted-boot-world.html
replies(3): >>43574018 #>>43574595 #>>43574860 #
swe02 ◴[03 Apr 25 20:19 UTC] No.43574860[source]
As someone who uses systemd, "boot security" is pointless. If someone has enough access to your hardware to try booting a different kernel, they have time to load a signed shim that passes secure boot and launches unsigned code.

The only boot security real users need is disk encryption.

replies(4): >>43575370 #>>43575381 #>>43575773 #>>43578248 #
1. craftkiller ◴[03 Apr 25 21:37 UTC] No.43575773[source]
> signed shim

How would they sign such a shim without my keys? I don't leave Microsoft keys enrolled on my laptop.

replies(1): >>43576840 #
2. wkat4242 ◴[03 Apr 25 23:50 UTC] No.43576840[source]
You don't but 99.99% of people do :) Especially because most Linux distros use a key signed by Microsoft by default.
replies(1): >>43581741 #
3. akdev1l ◴[04 Apr 25 13:06 UTC] No.43581741[source]
The “people” don’t really matter.

Anyone who needs a secure boot environment is having their own MOK and probably a private CA.