The phrase "toy operating system" was unfortunate. There are operating systems that it describes accurately, but here it is distracting, focuses attention on the wrong issue, as some of the responses to it make clear.
It is nevertheless true that the discovered presence of one vulnerability in a package makes the presence of other exploitable ones in it more likely. Worse, a widely publicized, very serious vulnerability like this one focuses the attention of would-be hackers on such a package; and this attention in turn makes the discovery of any other vulnerabilities that may be present more likely. Stability is also a problem. This vulnerability has been patched against, variously, in different places where BASH is used. These patches, produced very quickly, have, if history is any guide, certainly introduced errors. (They may even have introduced further vulnerabilities, but this is less likely.) It would have been better to rework BASH itself, but doing so now will probably make matters worse for a time. Any decision to include BASH on the UNIX side of z/OS should thus be implemented very deliberately. To do it swiftly or soon would reflect hubris that the gods would punish in the same swift, condign fashion.

John Gilmore, Ashland, MA 01721 - USA
