SMASH the Bash bug! Apple and Red Hat scramble for patch batches

Alan Brown Silver badge

Re: Bash patches and the flack.

"Long and short - the issue was discovered, and about 4 days later a set of suggested fixes were discussed, and the first set of fixes was put in place, those were tested and one tester found an additional unique path that had a similar flaw."

It's worth noting that similar holes have been picked up in sh and ksh (at least), as people start poking round to see if other shells have problems.

The problem with "legacy code" is that because it's legacy, everyone assumes that it's safe to run and audited (this is a constant refrain raised here against updating things). The last few days (and the X bug last year) are a clear example of why such a stance is a logical fallacy and that ALL legacy code should be considered dangerous unless there's a recent auditing statement for it.

Note that in all cases, holes in legacy software have generally been discovered within minutes of people going looking for them. The implication is that the vast majority of such code is a minefield of undiscovered issues.
