Free Software Foundation Statement on the GNU Bash “shellshock” Vulnerability - Tsiolkovsky
https://www.fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability

======
Jasper_
It's good to see the FSF put out a statement on this. Unfortunately, I wish
they took a more proactive approach towards this rather than asking for money.
That won't solve the problem.

Good code quality, transparency into maintainership, and an open development
community are essential to make sure that eyeballs fall on the code.

bash's development is done by one person (Chet Ramey), without any
transparency into changes at all:

[http://git.savannah.gnu.org/cgit/bash.git/log/](http://git.savannah.gnu.org/cgit/bash.git/log/)

The commit that fixed the CVE didn't even mark it as a security release. It's
just like every other Patch Release. This is not how you safely maintain a
critical component of an OS.

This will not be the last time we find a security issue in bash.

