On 2014-10-02 10:25, Rahul Sundaram wrote:
>> It doesn't even avoid Debian & Ubuntu having a security problem, since
>> they still need to fix bash.
>
> Sure. Unless they stop shipping bash, they got to fix security problems.
> That is no surprise. The real question is whether it reduced the impact of
> the issue for their users.
>
>> What makes you think the dash doesn't have vulnerabilities too?
>
> Do note that I explicitly avoided making any such specific claims and
> instead proposed it as a discussion point for a good reason. Having said
> that, the general understanding appears to be that a minimal software with
> a smaller footprint has less potential issues.

It's easy to forget that there have been much more serious vulnerabilities
in dash than in bash as far as I can remember:

http://blog.cmpxchg8b.com/2013/08/security-debianisms.html

--
Timothée Ravier
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct