On 9/5/2018 11:26 AM, Warner Losh wrote:
I'm not sure it does. It proves that bugs aren't instantly found,
true. It doesn't provide perfection, but does make it easier to find /
fix bugs before the bad guys. How long would such a bug have
languished it if were buried inside of DCL.B32 instead of being out in
the open?
It depends on how it was found in the first place. A quick Google
doesn't tell me much about exactly how it was discovered initially. Nor
is there any background information that says it wasn't (or was)
exploited before the announcement. Was it discovered because someone
(Stéphane Chazelas) was just reading open source code? Or was he trying
to do something innocent and it broke in such a way that it was obvious
bash was doing something bad? Or was he investigating a break-in and
found the vector? Serious questions, I'd love to hear from anyone who
knows more.
My original point remains: Open Source doesn't necessarily mean more
secure if a really bad exploit was allowed to exist for 25 years.
No offense intended to anyone on this list.
ak