On Fri, Sep 26, 2014, at 10:29 PM, Doug Newgard wrote:
> Now my question for everyone else is, what will people do *WHEN* a bug
> is found in dash? Bash is the most tested shell code base we have, and I
> don't buy into the fallacy that a smaller code base is inherently more
> secure. Or are you simply relying on security through obscurity?
> Email had 1 attachment:
> + pubkey.asc
> 1k (text/plain)

Dash has Debian in its very name. It's the Debian Almquist Shell. Ubuntu also uses it. It might not be as tested as bash, but that doesn't mean it's very rare. I don't think this falls under security through obscurity.

Ubuntu and Debian also shifted to it quite a long while back (it has been more than 5 years now). Dash comes from Ash (Almquist Shell), which is from the 90s. The codebase is hardly new.

And as for what people will do, why, they will report it like always. Has Arch ever encouraged anything else?

--
Cheers!
Savya