
Honest question: does this mean this vulnerability has been in bash for essentially its entire history and someone only discovered it now?

Seems quite likely that someone would have discovered it sooner, especially since it's so simple to exploit.




Ease of exploitation and ease of discovery have basically nothing to do with each other.

Relatedly, "many eyes makes all bugs shallow" is, and always has been, totally horsepuckey. (And despite it being horsepuckey, and horsepuckey which is trivially exploitable in that if you believe it you'll produce software which can get owned by people who are better at e.g. counting to four than you are, people still believe it to this day.)


> Relatedly, "many eyes makes all bugs shallow" is, and always has been, totally horsepuckey.

Consider that as the contraction of the more complete saying "Many eyes make bugs shallower than they would be if there were only few eyes".


But then there's the "Many eyes lead to a sense of complacency" issue -- like "No-one ever got fired for buying IBM|Microsoft|Blackberry"


Given that this is a 20-year-old bug, that suggests that the number of eyes on this code was either zero or uninterested.

Also, the BEAST bug was identified 20 years ago and nothing was done until Thai and Juliano caused a mild panic.


This has been there for nearly the entire history of Bash, like 2 decades.



