On 02.10.2014 at 17:53, Rahul Sundaram wrote:
> On Thu, Oct 2, 2014 at 11:38 AM, Miloslav Trmač wrote:
> The expected security improvement is essentially nonexistent. In the
> current case of importing functions from
> the environment (and we could have a looong philosophical conversation
> about whether this is a vulnerability in
> bash or in its callers, where the likely outcome is “not a vulnerability
> in bash but by far easiest to fix in
> bash”)
>
> Why would this be a philosophical discussion when there were clearly bugs in
> the parser allowing things it
> shouldn't even if you consider the use cases valid otherwise?

because the conclusion that dash is not vulnerable for other things is invalid - that needs to be proven and not derived from known and *fixed* bugs in bash

not that i am against using things with less footprint for many reasons, just the conclusion is wrong

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct