On 02.10.2014 at 17:53, Rahul Sundaram wrote:
> On Thu, Oct 2, 2014 at 11:38 AM, Miloslav Trmač wrote:
>
> The expected security improvement is essentially nonexistent. In the current case of importing functions from
> the environment (and we could have a looong philosophical conversation about whether this is a vulnerability in
> bash or in its callers, where the likely outcome is “not a vulnerability in bash but by far easiest to fix in
> bash”)
>
> Why would this be a philosophical discussion when there were clearly bugs in the parser allowing things it
> shouldn't even if you consider the use cases valid otherwise?

because the conclusion that dash is not vulnerable for other things is invalid - that needs to be proven and not derived from known and *fixed* bugs in bash

not that i am against using things with less footprint for many reasons, just the conclusion is wrong
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct