From: Arthur Krewat
To: Warner Losh
Date: Wed, 5 Sep 2018 11:43:53 -0400
Subject: Re: [TUHS] SunOS code?
Cc: TUHS main list

On 9/5/2018 11:26 AM, Warner Losh wrote:
>
> I'm not sure it does. It proves that bugs aren't instantly found,
> true. It doesn't provide perfection, but does make it easier to find /
> fix bugs before the bad guys. How long would such a bug have
> languished if it were buried inside of DCL.B32 instead of being out in
> the open?

It depends on how it was found in the first place. A quick Google doesn't tell me much about exactly how it was discovered initially. Nor is there any background information that says it wasn't (or was) exploited before the announcement.

Was it discovered because someone (Stéphane Chazelas) was just reading open source code? Or was he trying to do something innocent and it broke in such a way that it was obvious bash was doing something bad? Or was he investigating a break-in and found the vector?

Serious questions, I'd love to hear from anyone who knows more.

My original point remains: Open Source doesn't necessarily mean more secure if a really bad exploit was allowed to exist for 25 years.

No offense intended to anyone on this list.

ak