Am 02.10.2014 um 22:45 schrieb Rahul Sundaram:
> On Thu, Oct 2, 2014 at 11:57 AM, Reindl Harald wrote:
>     because the conclusion that dash is not vulerable for
>     other things is invalid
> I am afraid there was no such conclusions.  To acknowledge known bugs in bash 
> doesn't require anyone to conclude that dash doesn't have bugs

then that paragraph refer to Shellshock was not really appropriate without
make really clear that this is not a panic reaction in context of already
fixed bash bugs

it's sadly a common reaction if somewhere critical bugs where fixed try
to migrate to something else instead take a breath and consider that
the currently used one has now more focus than ever before and got more
attention from security specialists while the suggested replacement
might not

> Since the recent Shellshock aka Bashdoor vulnerability, there have been some 
> discussions about more distributions
> switching over ( and I 
> was wondering whether it is worth
> considering for Fedora?  FWIW, both dash and mksh is already packaged in 
> Fedora.

as already said:

also don't forget that currently a lot of people look into
bash in security context because of the things happened
short ago and it's wide use

besides that the known issues are fixed it could go easily
in the wrong direction switch to something different which
may also have it's own issues nobody cared until now and
has less focus in security context than bash now has

Attachment: signature.asc
Description: OpenPGP digital signature

devel mailing list
Fedora Code of Conduct:

Reply via email to