oss-sec mailing list archives
Re: Healing the bash fork
From: Colin Mahns <goatman93 () gmail com>
Date: Wed, 01 Oct 2014 16:36:32 -0400
I'd love it if more companies dedicated back money or time to FLOSS projects they benefit from, but it might be a hard sell. Not every company has the same mentality that they need to give back to stay successful. Others might think "giving back" entails things they might receive tax breaks on too, rather than something that keeps them from wasting time and money in the future...

On October 1, 2014 3:53:52 PM EDT, Loganaden Velvindron <loganaden () gmail com> wrote:
> On Wed, Oct 1, 2014 at 8:14 PM, Greg KH <greg () kroah com> wrote:
> > On Wed, Oct 01, 2014 at 12:08:15PM -0400, Jason Cooper wrote:
> > > On Wed, Oct 01, 2014 at 08:55:35AM -0700, Greg KH wrote:
> > > > On Wed, Oct 01, 2014 at 07:15:56AM -0400, Jason Cooper wrote:
> > > > > On Wed, Oct 01, 2014 at 01:08:09PM +0200, Hanno Böck wrote:
> > > > > > On Tue, 30 Sep 2014 19:19:55 -0400 (EDT), "David A. Wheeler" <dwheeler () dwheeler com> wrote:
> > > > > > > Finally: *PLEASE* let me know if you have any good ideas on how to find vulnerabilities like this ahead-of-time. My article "How to Prevent the Next Heartbleed" (http://www.dwheeler.com/essays/heartbleed.html) lists a number of ways that Heartbleed-like vulnerabilities could have been detected ahead-of-time, in ways that are general enough to be useful. I'd like to do the same with Shellshock, so we can quickly eliminate a whole class of problems.
> > > > > >
> > > > > > The "class of problems" here is imho that we have a bunch of tools that get rare attention from anyone, are run by few volunteers, but they're an essential part in running the Internet. Just think about busybox, curl, wget, coreutils, gettext, gzip, ... - a vuln in any of these could have severe consequences. Maybe the topic here should be: "How can we get the (whitehat) IT security community to have a deeper look at neglected but important open source projects."
> > > > >
> > > > > The LF has the Core Infrastructure Initiative:
> > > > > http://www.linuxfoundation.org/programs/core-infrastructure-initiative/faq
> > > >
> > > > Yes, that's exactly what that group is doing, and they have a huge list of these types of projects that they are looking into funding to help prevent this type of thing from happening again. I'll go add bash to the list there as I don't think it is currently on it at the moment.
> > >
> > > Could we also update the FAQ to include "How to recommend a project?"?
> > >
> > > A few days ago I tried to recommend bash. I dug around, and finally just sent an email to Ted. Which I don't think is the correct answer ;-)
> >
> > It isn't, but Ted is a good contact for it :)
> >
> > Fixing the FAQ is on the list of things to do that was discussed at the last meeting, hopefully it will be done soon.
> >
> > thanks,
> >
> > greg k-h
>
> I believe that small companies can benefit from committing engineering efforts to audit Open Source software that they all rely heavily upon. I keep arguing and try to talk to managers that they need to become more active in Open Source, as they would also benefit in terms of less downtime, and better vulnerability management. Having a good Open Source strategy helps IT managers have better control of their IT infrastructure. On top of training IT staff, maybe it's a good time to introduce the idea of "Strong Open Source rating", and committing 10% of their IT employees' working hours to improve relevant Open Source projects.
>
> --
> This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.