Re: Healing the bash fork

[Loganaden Velvindron <loganaden () gmail com>]

On Wed, Oct 1, 2014 at 8:14 PM, Greg KH <greg () kroah com> wrote:
> On Wed, Oct 01, 2014 at 12:08:15PM -0400, Jason Cooper wrote:
> > On Wed, Oct 01, 2014 at 08:55:35AM -0700, Greg KH wrote:
> > > On Wed, Oct 01, 2014 at 07:15:56AM -0400, Jason Cooper wrote:
> > > > On Wed, Oct 01, 2014 at 01:08:09PM +0200, Hanno Böck wrote:
> > > > > Am Tue, 30 Sep 2014 19:19:55 -0400 (EDT)
> > > > > schrieb "David A. Wheeler" <dwheeler () dwheeler com>:
> > > > >
> > > > > > Finally: *PLEASE* let me know if you have any good ideas on how to
> > > > > > find vulnerabilities like this ahead-of-time. My article "How to
> > > > > > Prevent the Next
> > > > > > Hearbleed" (http://www.dwheeler.com/essays/heartbleed.html) lists a
> > > > > > number of ways that Heartbleed-like vulnerabilities could have been
> > > > > > detected ahead-of-time, in ways that are general enough to be
> > > > > > useful.  I'd like to do the same with Shellshock, so we can quickly
> > > > > > eliminate a whole class of problems.
> > > > >
> > > > > The "class of problems" here is imho that we have a bunch of tools that
> > > > > get rare attention from anyone, are run by few volunteers, but they're
> > > > > an essential part in running the Internet.
> > > > >
> > > > > Just think about busybox, curl, wget, coreutils, gettext, gzip, ... - a
> > > > > vuln in any of these could have severe consequences.
> > > > >
> > > > > Maybe the topic here should be: "How can we get the (whitehat) IT
> > > > > seucrity community to have a deeper look at neglected but important
> > > > > opensource projects."
> > > >
> > > > The LF has the Core Infrastructure Initiative:
> > > >
> > > >   http://www.linuxfoundation.org/programs/core-infrastructure-initiative/faq
> > >
> > > Yes, that's exactly what that group is doing, and they have a huge list
> > > of these types of projects that they are looking into funding to help
> > > prevent this type of thing from happening again.  I'll go add bash to
> > > the list there as I don't think it is currently on it at the moment.
> >
> > Could we also update the FAQ to include "How to recommend a project?"?
> > A few days ago I tried to recommend bash.  I dug around, and finally
> > just sent an email to Ted.  Which I don't think is the correct answer
> > ;-)
>
> It isn't, but Ted is a good contact for it :)
>
> Fixing the FAQ is on the list of things to do that was discussed at the
> last meeting, hopefully it will be done soon.
>
> thanks,
>
> greg k-h

I believe that small companies can benefit from committing engineering
efforts to audit Open Source software that they all rely heavily upon.

I keep arguing and try to talk to managers that they need to become
more active in Open Source, as they would also benefit in terms of
less downtime, and better vulnerability management. Having a good Open
Source strategy helps IT managers have better control of their IT
infrastructure. On top of training IT staff, maybe it's a good time to
introduce the idea of "Strong Open Source rating", and committing 10%
of their IT employees working hours to improve relevant Open Source
projects.

-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.