
Dear clueless assholes: stop bashing bash and GNU - radmuzom
https://weev.livejournal.com/409835.html
======
thegeomaster
I think that bashing bad _code_, bad practices and whatever leads to any
security-critical bug (and any bug whatsoever, for that matter), should
happen. If there weren't rants, flame wars and insults in the free software
movement, I guarantee it wouldn't have come near where it is today. It's a big
part of what drives innovation in all spheres, not just this one: the harsh
(and not-so-harsh, sure) comments, the passive-aggressive forks, the
rewritings, the heated discussions.

But bashing a person for writing that code? Never. I can't say my views on
software politics are aligned with Mr. Stallman's, nor can I say I
have given that much thought to them. But I have enormous respect for everyone
who has contributed to free software and helped shape the world, even with the
smallest contributions... And Mr. Stallman's are one of the biggest. Everyone
in this area should have the deepest respect for the enormous amount of work
this man has done, and given it all to the community. It's hard, if not
impossible, to stumble upon an anticonformist such as Stallman, who honestly
does not care about the superficial things we all, unfortunately, do. I
guarantee he could've leveraged everything he's done and been a multi-billionaire
by now. Instead he decided that the benefit the community can get
from his work is far greater than the benefit he himself can get, so he did
the only moral thing to do: he gave it all for free. And look at the GNU
project now, or the FSF. Magnificent stuff.

Mistakes such as this one (and a great majority of developers make dozens of
these on a weekly basis) are probably the most idiotic reason to call out a
person for incompetence or senility. It's ridiculous. It's completely
unacceptable to now demonize a man such as RMS, if not for other reasons, then
because none of us will probably ever come close to what he has done to change
this world for the better.

~~~
jjnoakes
I see many people calling him out not for making a mistake, but for
downplaying its significance when confronted with its full ramifications.

I agree that mistakes happen. But someone who deserves respect, in my opinion,
owns up to mistakes and tries to get them fixed.

Someone who downplays the mistakes in order to save face deserves nothing from
me.

~~~
Donzo
I don't think he wants anything from you. Perhaps you're putting too high a
premium on your gratitude.

~~~
jjnoakes
I sincerely hope that anyone that acts as he does is not looking for anything
from me.

> Perhaps you're putting too high a premium on your gratitude.

I think it's quite the opposite - people demand that he be respected solely
because of what he's contributed to the free software movement, including even
the lowliest gratitude from the smallest voices (of which I'm at the bottom of
the list).

But what really should happen is that each individual action and contribution
should stand on its own, unmarred by its relationship (through its author) to
any other action or contribution.

People (the high and the low of us) should respect the free software movement
and some of the software it has provided to the world, and simultaneously
deride the position that this serious security problem should be shrugged off
or downplayed, despite the fact that the same person or people are responsible
for both.

------
teamhappy
Anybody know Bryan Lunduke? He's a guy giving talks called "Linux sucks" in
which he basically bashes Linux for 20 minutes and then concludes that Linux
is the best FOSS OS community because they can take the bashing (get it?).
He's been giving these talks for quite a while now. Everybody knows Theo de
Raadt is crazy (and Stallman isn't) and of course everybody knows Apple
fanboys tear up every time somebody implies Apple software has a bug in it.

In my experience it's the exact opposite. I've been hearing a lot of
explanations for the bash debacle in the last couple of days and they all
amaze me to a certain degree. Let me share a couple of them with you.

1. Total breakdown - "No software is ever safe, so what the hell do you want
from me." Yeah, well ... don't write software then.

2. It's not my fault - "Bash is written in C. C is unsafe." Quite a lot of
people write safe, well tested, maybe even formally verified C code. So, yeah
... don't hack in C maybe.

3. Linux is still fine - "Bash is just a tiny part of Linux. The rest is
still good to go." Turns out the bash codebase looks a lot like the rest of
the GNU/Linux universe. Old, untested C code that's hard to read and even
harder to understand. That's why nobody dares to touch it in the first place.

4. It's FOSS - "You can't expect anything to work. Cause, you know, it's
free." If that were true, using FOSS would be a terrible idea.

5\. You're using it wrong. ... just wow.

Can't we just all agree that this kind of thing is an endemic problem in most
of the code bases we use (including my beloved FreeBSD) and we have to figure
it out over the next couple of years. There are loads of tools that should
have never been implemented in C/C++ in the first place (SSH, Make, APT,
etc.). I'd say the best idea is to port a lot of these code bases to languages
like Go or Rust maybe, but if that's not feasible for some reason, at least
write some unit tests and do static code analysis. And, this is probably the
most important point, if you don't want to do any of this, please don't make
lame excuses when it all falls apart eventually.

~~~
vacri
_I'd say the best idea is to port a lot of these code bases to languages like
Go or Rust maybe_

So your answer to the criticism of "this code is ancient" for core utils is
"let's port them to languages that haven't finished maturing yet"? Rust in
particular is only two years old, and the recommended version is "the nightly
build". That sounds super-stable for core utils...

~~~
teamhappy
I also said it's a problem we have to tackle in the next couple of years. You
don't have to start porting today. I write command line tools (and that kind
of thing) in Go and it's a great experience. Go shines once you come back to
an old code base, or have to review code you didn't write. Rust made the list
because somebody already ported the GNU core utils to Rust
([https://github.com/uutils/coreutils](https://github.com/uutils/coreutils)).
Feel free to use C++11/14, OCaml, D or what have you. I hope we agree that C
isn't the best choice.

------
dschiptsov
The clueless assholes could not be stopped, because it is another name for the
vast majority - the 84%.)

The problem is the same as with openssl's flaws - when we accept all the
contributions without detailed code-review we often incorporate code written
by over-enthusiastic amateurs (and sometimes even over-confident idiots).

Lots of problems with really open open-source projects (sorry for this tautology)
are from the fact that they are open for everyone.

Imagine everyone could commit (without code review) in the Haskell compiler tree,
Linux kernel or, say, OpenBSD. But in early times of GNU movements this was a
very common case.

So, the problem is in the lack of code-reviews, not in GNU movement, let alone
Stallman himself.

It is quite easy for the ignorant to under-emphasize the importance of GNU tools
to what we now call the Internet. It is not just bash, which is a very important
tool, but in the first place Emacs, GCC, Binutils, GNU make, flex, bison - all
the development tools which made possible the rise of early BSD and Linux
systems. It is impossible to imagine the world of free, open source software
without the GNU toolchain.

Nowadays I very much like the example of nginx - it has bigger market share
than IIS, while originally it was a solo effort, compared to millions of dollars
and man-hours which have been spent on development and marketing of IIS. This
is how the open source model works. Another good example is Erlang/OTP.

~~~
mackwic
Oh come on, you can't seriously say that Erlang/OTP is _good open source_.
It's mildly-good _corporate_ open-source, that's not making it good open
source in any way. But that's off-topic.

The thing is, code review is a necessary thing where the audience is large,
the tool is critical, and the tooling (here, the compiler) doesn't give any
warranty in terms of code correctness.

Code review is important, but it's a human process, which has its own flaws
and inconsistencies. That's no silver bullet, no more than static checking,
strong typing, and test suites. If you want to warrant, you'll have to prove.
If you want to prove, you'll have to take time and do it mathematically. This
process would have killed any OSS project, that's simply not feasible.

Shit happens, man. That's no reason for protectionism, elitism, and OSS
aristocracy. OSS is open and should stay open whatever it costs, period.

Moreover, even if this hole is big, environment has always been a real
security hole in Unix. ksh, anyone? Or worse: csh? The situation has greatly
improved since, and we have all rights to be disappointed to have lost a security
we all took for granted. That shouldn't make us forget the road we already
crossed.

~~~
dschiptsov
Why, after OTP was open sourced, the project got lots of reviews, bug
reports and bug-fixes and overall quality has been even more improved.

The same idea works with crucial projects such as openssh. No one could count
how many eyes were on the code to find a flaw in the code or a way to exploit.

btw, Erlang/OTP is so good, that nowadays when you are using your mobile, your
data most probably at least once is going through Ericsson hardware and an
Erlang VM within it.

As for code review, almost every major project does it nowadays, whether you
like it or not.

~~~
mackwic
It is very good software, no doubt. Erlang wouldn't be so efficient without
OTP. It's just a bad example of a good OSS project because it's not really a
community project but more like "some guys from Ericsson who accepted some
contributions and opened the code". It's like saying that the C# compiler is a
good OSS project. It's a good project, sure, but not a good OSS one (yes, the
C# compiler is now open source, and the code is amazing).

You want a good OSS project? Take Gnome, take VLC, take Qt, take the
libc^W^W^W, well not the libc. ;-)

You got the idea.

About code review, I persist in my point: it's a good practice, but we need
this only because code passing the checks (compilation, analysis, tests)
doesn't mean that this code works. There was an article about "security by
being careful" but I don't find the url anymore. Shame.

Anyway, I'm an OCaml believer and be assured that when your compiler can give
you that level of assurance, you don't review the same: you know you're not
half as good as the compiler to catch errors, and that's a damn good feeling.

------
chris_wot
I'm amazed that he's being bashed for this. There are a LOT of security flaws
out there, this one is - as Stallman says - a blip on the radar.

~~~
jsmthrowaway
Nobody is bashing Stallman, least of all that _Guardian_ article. I'm honestly
not sure what weev is trying to white knight here, but the post is so
hilariously off base that I lost what respect for him I had.

The point made in the _G_ by an interviewee (not the author) about the Bash
codebase and undermining "all bugs are shallow" is actually quite good in the
face of two giant counterexamples, and I would have liked to have seen
Stallman counter that. He didn't, and instead took another opportunistic shot
at proprietary software, just like the FSF's tone-deaf statement.

That weev would get The World vs. Stallman from that, then invest his time
into a defense of poor Stallman and shame the world for not giving him money
(when his politics and ideals create an economic scenario where he is unlikely
to ever receive money from those who benefit most, and ostensibly he accepted
this decades ago), is just bananas. I will continue to criticize whatever I
like, bash's codebase and GNU process potentially being on the list, and I do
not need weev's permission or acceptance to do so.

Maybe if we on HN and in Silicon Valley culture found his racial epithet
organization amusing, he wouldn't have to talk about us like a lower class.

~~~
chris_wot
Given that rms never said the "all bugs are shallow" statement, I'm not
surprised he didn't comment. You are thinking of ESR I think.

~~~
jsmthrowaway
Didn't say it was his. He can comment on it when the topic is process failures
that led us to this situation (not saying whether there were any, mind, just
that's the topic).

~~~
chris_wot
Fair enough. However, it's possible that there weren't many eyes on the code.
Now there are... it will be interesting to see if someone forks bash.

------
vezzy-fnord
Protip: Just because it's a GNU project doesn't mean RMS is behind it. RMS is
an invaluable figure, but sometimes the cult of personality around him is
ridiculous (though I'd wager this is mostly because of him becoming a 4chan
meme).

------
clarry
So is it wrong to criticize bad code for being bad if it was written by Mother
Theresa?

I think that if code is bad, it should be pointed out. Some will take it as
bashing. Doesn't matter. We all want to run well written, secure software.
When you're getting exploited, it doesn't matter if the code was written by a
saint.

~~~
spindritf
He doesn't think the code is bad.

_Shellshock is not a critical failure in bash. It is a critical failure in
thousands of people who knew a tool so useful that they decided to deploy it
far beyond its scope. A tool so resilient that it did not fall over when
everyone deployed against best practices. Everyone knew in the nineties that
when you execute a UNIX command with untrusted input, you clear away the
environment variables first. Anyone that has untrusted input embedded within a
shell script does not know what they are doing. The fact that there is a way
to get bash to execute untrusted code is unsurprising. The thing that
surprises me is the sheer number of developers who thought it would be
otherwise in complete contrast to UNIX parables and common sense._

FTFA.

~~~
vertex-four
> Everyone knew in the nineties that when you execute a UNIX command with
> untrusted input, you clear away the environment variables first.

CGI was standardised in 1997 to use environment variables to pass information
into the CGI program. I'm sure software existed before that that does the same
- procmail, perhaps?

No software that's been touched in the past two decades should assume that the
environment variable is safe. Especially not a shell, which gets used for all
sorts of network-processing-related things.

~~~
nailer
Postfix is of a similar age and does exactly as weev says.

------
mempko
If you see a TV on the side of the road and take it, is it the person's fault
if it burns your house down?

I am not saying programmers who make free software leave it out like garbage.
I am saying people who use free software for their benefit treat it that way,
yet act as though they bought it.

------
keithpeter
Is it actually the case that Stallman has no permanent home? If so, is that by
choice or circumstance? He has done _so much_.

~~~
oftenwrong
On his personal FAQ, he says:

> Until around 1998, my office at MIT was also my residence. I was even
registered to vote from there. Nowadays I have a separate residence in
Cambridge not far from MIT. However, I am rarely there, since I am nearly
always travelling out of town.

[https://www.stallman.org/rms-lifestyle.html](https://www.stallman.org/rms-lifestyle.html)

In general, there is a lot about RMS that runs contrary to societal norms. He
marches to the beat of his own drummer.

~~~
jsmthrowaway
And he wants it that way, which weev missed, apparently.

------
zak_mc_kracken
So there's been one article that is mildly (to put it nicely) critical of rms
about the ShellShock exploit and this guy blows a gasket calling thousands of
people clueless assholes?

He needs to grow up.

------
Tharkun
What does Shellshock have to do with RMS? RMS didn't author Bash. And I can't
see any Shellshock related RMS bashing. So why the angry post?

~~~
fmoralesc
There was a backlash of sorts against the statement the FSF did regarding
Shellshock.[1]

[1]: [https://www.fsf.org/news/free-software-foundation-statement-...](https://www.fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability)

------
theoh
I think this post misses the point. It is notoriously difficult to write
robust code for most varieties of unix shell. This has been the case for
decades. It's a bad situation and the GNU project's attempts to remedy it
(e.g. Guile) haven't got any traction. It is an embarrassment.

~~~
wirrbel
I really love the idea of GNU, yet the FSF seems to be more interested in
"principles" than shipping good code and empowering collaboration.

In times of Github and low-entry barrier participation, GNU sticks to the old
ways like a dinosaur - petrifying.

It reminds me a little of vim; like bash, it has a really old code base, old-style
function headers (not ANSI C). For Vim it took a github-based fork
(neovim) to get a big community on board, establish tests and perform the
necessary refactoring. All of this is great, just as the work of the founders
of these programs. The criticism is not aimed at the work that was done by the
"founders" of these landmark programs, but the stagnation of development and
refactoring.

~~~
anon1385
The FSF are quite explicit about the fact that they don't really care about
code quality. Their recent statements about shellshock are just the most
recent examples of that.

GNU is primarily a political project, not a software project.

If you want software that puts code quality ahead of politics then you should
look to one of the BSDs.

------
bjornsing
> Anyone that has untrusted input embedded within a shell script does not know
> what they are doing.

That's obviously false. To the contrary, I have serious concerns about the
judgement of anyone that thinks an interpreter like bash should parse the
contents of _every_ environment variable on startup.

------
Pxtl
Am I the only one who has always been kind of creeped out by environment
variables? They just seem to exist so far outside of the normal security
system.

~~~
judk
Replace "environment variables" by "command line arguments", and the issue is
essentially the same.

~~~
cpncrunch
Not really...you have to actually make some effort to parse a command line
argument (and you would hopefully do some sanitization at that point). The
problem with environment variables is that they are passed automatically from
parent to child processes.
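
The automatic inheritance cpncrunch describes, and the "clear away the environment variables first" rule quoted from weev's post further up, as an added example that is not code from the thread, from bash or from any CGI server: a Python parent plants a request-controlled variable in its own environment, the way a CGI gateway copies request headers into it, and then compares what a child sees under the default inherited environment versus an explicitly allowlisted one. The names build_child_env, run_child, demo and the sample variable are my own assumptions.

```python
"""Added example: environment inheritance across spawn, and an allowlist
that rebuilds the child's environment from scratch instead of passing
the parent's along. Names and sample values below are constructed."""
import os
import subprocess
import sys

# Constructed sample: a variable carrying request-controlled data, as a CGI
# gateway would set it from a client header before exec'ing a handler.
UNTRUSTED_VAR = "HTTP_USER_AGENT"
UNTRUSTED_VALUE = "request-controlled-data"   # harmless placeholder value

# Variables a typical helper actually needs; anything else is dropped.
DEFAULT_ALLOWLIST = ("PATH", "HOME", "LANG", "TZ")


def build_child_env(allowlist=DEFAULT_ALLOWLIST, source=None):
    """Return a fresh environment holding only allowlisted names.

    This is the 'clear away the environment variables first' rule: the
    child starts from an explicit set, never from whatever the parent (or
    the parent's parent) happened to be carrying."""
    if source is None:
        source = os.environ
    env = {name: source[name] for name in allowlist if name in source}
    # Give the child a sane PATH even if the parent had none (assumed default).
    env.setdefault("PATH", "/usr/bin:/bin")
    return env


def run_child(env=None):
    """Spawn a child that reports whether it can see UNTRUSTED_VAR.

    env=None is the default subprocess behaviour: the entire parent
    environment crosses fork/exec with no action by the caller at all."""
    probe = ("import os; "
             f"print(os.environ.get({UNTRUSTED_VAR!r}, 'unset'), end='')")
    result = subprocess.run([sys.executable, "-c", probe], env=env,
                            capture_output=True, text=True, check=True)
    return result.stdout


def demo():
    """Plant the untrusted variable in our own environment (as a CGI server
    would) and compare what two children see. Returns (inherited, cleaned)."""
    os.environ[UNTRUSTED_VAR] = UNTRUSTED_VALUE
    inherited = run_child()                    # default: everything leaks through
    cleaned = run_child(build_child_env())     # allowlist: untrusted name is gone
    return inherited, cleaned


if __name__ == "__main__":
    seen_inherited, seen_cleaned = demo()
    print("child with inherited env sees:", seen_inherited)
    print("child with allowlisted env sees:", seen_cleaned)
```

The child here is a second Python interpreter rather than a shell only so the block runs anywhere Python does; the inheritance it shows is a property of fork/exec, not of the child program.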

------
gandalfu
I just joined the FSF.

------
Mankhool
I stopped reading at, "a__holes".

~~~
Mankhool
Mr. Auernheimer needs to learn to write like an adult if he wants to be taken
seriously.

~~~
hahainternet
Stopping reading because someone said something offensive is not an adult
behaviour, so the irony here is palpable. Read the fucking article.

~~~
zak_mc_kracken
The problem is not being offensive but being childish. The vocabulary used
gives you a hint about the level of arguments you are about to read, and if
you read the rest of the article, you realize that the author of the post is
indeed quite immature.

~~~
cpncrunch
The article was fairly mature. However what would make me more skeptical about
anything weev writes is the fact that he is an angry paranoid due to his drug
use
([http://seclists.org/fulldisclosure/2009/Oct/82](http://seclists.org/fulldisclosure/2009/Oct/82)).

His account of his gay hacking incident is interesting. How could he possibly
know it was gay people who flagged his posts? That's either paranoia, ironic
trolling, or homophobia. I thought maybe he was just trolling when he says
that gay people flagged him, but after reading the Lisa Simpson post above, I
think he might actually believe it.

No intelligent person would do drugs like heroin if they did a little research
and understood about neurotransmitter receptor downregulation. Basically,
doing any drugs (including alcohol, caffeine or nicotine) will downregulate
your neurotransmitter receptors for up to 2 weeks after a single dose
(depending on the amount), resulting in the exact OPPOSITE effect of the drugs
for up to 2 weeks afterwards. (With chronic use, the downregulation can take
years to reverse).

In summary, he is one truly fucked up dude due to the drugs.

~~~
cpncrunch
1 downvote, lolz. I wonder who that could be?

~~~
cpncrunch
Everything I said was factual. If I made any errors, feel free to correct me
rather than downvoting.

------
quakershake
Anyone who bashes open source code for bugs is an idiot. Maybe the "community"
should start auditing code instead of blogging and tweeting about how awful
things are. This functionality has been around for so long it is generational.

+1 to the person(s) responsible for finding this.

Everyone complaining should stfu

~~~
nailer
I actually think it's fine to have an opinion on any piece of software.

However weev is completely correct in telling people that shell environment
variables were an obviously bad place for arbitrary data set by people on the
internet back in the 90s. The shell wasn't designed for that, it's known to be
insecure.

HN's defence of Apache doing silly things seems to be more love of Apache and
lack of knowledge of Unix fundamentals than hate of free tools.

~~~
quakershake
Agreed. Misuse is a problem. However sometimes being too flexible opens itself
up to unintended misuse.

It seems as though FOSS is so reliable that people start to act entitled
when shit hits the fan. Software has never been problem free and never will be.

I'm just glad I haven't seen a libreBash or some other lame fork instead of
just adding more eyes to the existing functioning project.

~~~
hiphopyo
Isn't Zsh basically libreBash though?

~~~
nailer
Bash is already libre - see
[http://www.gnu.org/software/bash/](http://www.gnu.org/software/bash/)

