I know I am stupid for commenting on a security alert that I don't know that much about, but hey, this is the Internet, right? Here it goes:
I'm not liking these hackish security fixes in Unix/Linux. Bash is a programming language. It has features. Programs abuse these features and create security holes in themselves. Fix the programs, or maybe quit using them. Maybe quit using bash. Did you read the part "what about programs that rely on these features?" The answer is "that is bad practice". Dude, these programs are putting arbitrary unaudited stuff in environment variables, and passing them to bash, a language that NOBODY understands, a language with no semantics. That is good practice? Next thing you will tell me that people trying to take bash out of the system (think systemd) are evil. Uh, sorry for the rant, not sure where that came from. -- Anthony Carrico
