
High rate?

Compared to the Linux kernel, systemd's CVE rate is very low.



I have to call this out as a very poor comparison. I would love to know the Linux kernel commits in 2019 vs CVEs as a percentage, vs systemd commits in 2019 vs CVEs as a percentage (or 2018 or 2017).

Now compare systemd CVEs with OpenRC or runit CVEs or any other init system and then you have an argument. But comparing it to the kernel with hundreds of people committing changes is weak.

This comment is not defending nor attacking systemd.


Systemd has a history of refusing to file CVEs, even for incredibly bad vulnerabilities.


Compared to sysvinit, upstart, or procd, say, to remain in the same domain space?

(Though the implication that systemd is an OS Kernel is ... interesting.)


Don't you know? systemd is the world's most popular operating system! A shame it has such a terrible init system...


Do you have a source for it?


In 2017, the Linux Kernel had over 450 CVEs, while systemd had 5.

https://www.cvedetails.com/product/47/Linux-Linux-Kernel.htm...

https://www.cvedetails.com/vulnerability-list/vendor_id-7971...

So far in 2019, the gap has narrowed: "only" 45 CVEs so far for the Linux kernel, and 7 for systemd.


As marcosdumay said upthread, “Systemd has a history of refusing to file CVEs, even for incredibly bad vulnerabilities.”

This contributes to the low rate of CVEs in systemd relative to Linux (for which many less-important bugs get CVEs).


A quick look at the list of CVEs in the grandparent comment indicates that there are at least 3 different Assigning CNAs for systemd CVEs: MITRE Corporation, Red Hat, Inc. and Canonical Ltd.

My conclusion is that the systemd project is not its own CNA and therefore not in a position to authoritatively decide which systemd bugs get CVE numbers assigned and which do not.


Sure

https://www.cvedetails.com/product/47/Linux-Linux-Kernel.htm...

https://www.cvedetails.com/product/38088/Freedesktop-Systemd...

For a piece of software used by millions of machines, that's a very low CVE count.



