[TUHS] SunOS code?

Arthur Krewat krewat at kilonet.net
Thu Sep 6 01:43:53 AEST 2018


On 9/5/2018 11:26 AM, Warner Losh wrote:
>
> I'm not sure it does. It proves that bugs aren't instantly found, 
> true. It doesn't provide perfection, but does make it easier to find / 
> fix bugs before the bad guys. How long would such a bug have 
> languished if it were buried inside of DCL.B32 instead of being out in 
> the open?

It depends on how it was found in the first place. A quick Google 
doesn't tell me much about exactly how it was discovered initially. Nor 
is there any background information that says it wasn't (or was) 
exploited before the announcement. Was it discovered because someone 
(Stéphane Chazelas) was just reading open source code? Or was he trying 
to do something innocent and it broke in such a way that it was obvious 
bash was doing something bad? Or was he investigating a break-in and 
found the vector? Serious questions, I'd love to hear from anyone who 
knows more.

My original point remains: Open Source doesn't necessarily mean more 
secure if a really bad exploit was allowed to exist for 25 years.

No offense intended to anyone on this list.

ak






