Re: Devuan smugness
Or alternatively a poorly put-together package might include such a unit file and then you end up with a service running as root when you weren't expecting it.
Most people agree that it's a difficult security hole to exploit easily, but that doesn't detract from the fact that it it a security hole. The issue people have is the systemd team's response to this bug report (mainly your man Poettering here) and to other bug reports that people submit. The response is essentially "I refuse to acknowledge this is a bug - this is an issue with everyone else."
In a world where everyone else is scrambling to fix years of sub-optimal security in code (both open-source and closed-source), the systemd team seem to be adopting a policy of doesn't-apply-to-us, which is bizarre when the code they're writing is such a fundamental part of the operating system.