From: Arthur Krewat
To: tuhs@minnie.tuhs.org
Date: Wed, 5 Sep 2018 08:55:02 -0400
Subject: Re: [TUHS] SunOS code?
List-Id: The Unix Heritage Society mailing list

On 9/5/2018 2:31 AM, Gilles Gravier wrote:
> It's the common example that I use to tell people that opensourcing
> software makes it more secure because the good guys have access to the
> source code at the same time as the bad guys, which gives them a fair
> chance to fix bugs before the bad guys use them.

Bash/Shellshock kinda proves that premise incorrect, although it's pretty much the worst-case example, but still... ;)

Announced in 2014, it goes back to September 1989 (according to a Wikipedia article, so I'm not sure about that date's accuracy).

https://en.wikipedia.org/wiki/Shellshock_(software_bug)

https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33
https://www.cvedetails.com/product/17/IBM-AIX.html?vendor_id=14
https://www.cvedetails.com/product/20/HP-Hp-ux.html?vendor_id=10
https://www.cvedetails.com/product/19755/Oracle-Solaris.html?vendor_id=93

It could be argued that the above CVE results are either under-reported (closed-source), or over-reported (open-source). Or vice-versa ;)

ak