

FSF statement on the Bash “shellshock” vulnerability
https://fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability

======
cjensen
There is a time and a place for banging the Free Software drum and pointing
out the deficiencies in proprietary software.

This is not the time. The statement is incredibly tone-deaf.

~~~
Sanddancer
Aye. Especially given how the patch was pretty much just as exploitable, and
the patched patch looked just moderately so. Were this more than a press
release, it would be discussing a plan of action as to any sort of auditing
plan to make sure bugs like this in the future are discovered /before/ they
start causing trouble.

OpenBSD has shown that small organizations can audit and maintain code with a
focus on security and correctness. Why hasn't the FSF, with its greater level
of resources, managed to do the same?

~~~
jiggy2011
The FSF does not maintain the software, it is a purely political organisation.
The GNU project is responsible for bash.

~~~
Sanddancer
The FSF owns the copyrights, controls the licensing, etc. They are the
corporation that owns the software under the GNU banner.

~~~
jiggy2011
Does copyright really mean much if all the software is GNU? Do they both share
the same source of funding? How much is spent on political activities (that
OpenBSD does not engage in)?

------
ChuckMcM
They make an interesting point that such responses are harder in the
proprietary world, but the counter argument is that security bugs in Windows
(as an example) get hotfixed and pushed via the update mechanism pretty
quickly.

I believe a better message would be that "Even when the vendor who supplied
you bash isn't helping, you can fix it." But that will depend on what the Apple
experience is with bash, which is currently not so hot.

------
IvyMike
> the solution is to put energy and resources into auditing and improving

Sadly but not surprisingly, when your labor pool consists of volunteers, few
of them sign up for this thankless task. I don't know how to solve this
problem.

I never liked "given enough eyeballs, all bugs are shallow". In the worst
case, it devolves into "someone else will do it".

~~~
blcknight
I think it's a big misconception that the labor pool for libre software is
volunteers; it's paid -- by Red Hat, IBM, Intel, Canonical, etc. In this case,
bash had plenty of resources to be fixed quickly; it wasn't a problem at all.

There are unwieldy projects like OpenSSL that probably have far too critical
a task for far too few developers, but generally, most open source products
are developed by _paid_ developers and are doing just fine.

~~~
IvyMike
When you've got that many people in charge of security, nobody's in charge of
security. In the end, who is responsible for this bug being out in the wild?

------
netcraft
Has Apple released a shellshock bash fix yet? A little googling doesn't show
one, just a bunch of hand waving saying most users aren't affected.

~~~
drivingmenuts
There's a more-current version of Bash available through Homebrew, though I'm
unsure if it completely fixes the issue or not. I'm leaning more toward "not",
since apparently, no patch completely fixes the issue yet.
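Several commenters above are unsure whether the bash they have (Apple's, Homebrew's, or a first-round patched build) is still affected. The following is an added check, not part of the thread, the FSF statement or GNU bash itself: a POSIX sh probe that reports whether a given bash binary still imports a function definition from an arbitrary environment variable and then executes the text after the function body, which is the original Shellshock bug (CVE-2014-6271). The probe value `() { :;}; echo vulnerable` is the widely published test for that bug; the function names, the result words and the constructed stub that imitates unpatched behaviour (so the detector's positive branch can be exercised offline without a vulnerable bash) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread, the FSF or GNU bash).
# shellshock_check BASHBIN: prints "vulnerable", "patched", "missing" or
# "unknown" and returns 1, 0, 2 or 3 respectively.
#
# An unpatched bash treats any exported variable whose value begins with
# "() {" as a function definition and keeps parsing and executing what
# follows the closing brace. With the probe value below that trailing text
# is "echo vulnerable", so its presence in the output is the tell; a fixed
# bash imports x as a plain string and only runs the -c command.
shellshock_check() {
    bashbin=$1
    if [ ! -x "$bashbin" ]; then
        echo missing
        return 2
    fi
    # The variable name (x) is arbitrary; only the value matters.
    out=$(env x='() { :;}; echo vulnerable' "$bashbin" -c 'echo probe' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable; return 1 ;;
        *probe*)      echo patched;    return 0 ;;
        *)            echo unknown;    return 3 ;;
    esac
}

# Constructed stand-in for an unpatched bash (assumption: a stub script, not
# real bash). It imitates the buggy behaviour just far enough to test the
# detector: run whatever follows the "};" of the function body in $x, then
# run the -c command. Prints the path of the stub it created.
make_fake_vulnerable_bash() {
    stub=$(mktemp)
    cat >"$stub" <<'EOF'
#!/bin/sh
# Fake vulnerable shell: execute the text after the function body in $x.
pat='*};'
trailing=${x#$pat}
eval "$trailing"
if [ "$1" = -c ]; then
    eval "$2"
fi
EOF
    chmod +x "$stub"
    echo "$stub"
}

# Usage: shellshock_check /bin/bash ; echo "status=$?"
```

A "patched" result here means only that the original function-import path is closed. The follow-on parser bugs the commenters refer to (the "patched patch") were separate defects with their own test strings, and this example does not attempt them; a build that passes this probe should still be at the latest upstream or distribution patch level.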

