Re: Healing the bash fork

[Peter Bex <Peter.Bex () xs4all nl>]

On Wed, Oct 01, 2014 at 12:18:48AM +0000, Zach Wikholm wrote:
> > The main problem is that for a very long time, we apparently had no
> overlap between these groups. At the face of it, it seemed like
> there's absolutely no reason for bash to try to parse generic env
> variables. With no convincing reason to study or test the code, nobody
> did.
>
> There really isn't any overlap anymore. Another issue I think (though I do not believe that this is the case here) is 
> that vulnerabilities announcements are becoming more and more about marketing. Heartbleed brought in a new era in 
> vulnerability releases. But that's another topic for another day...
>
> This feels like time for a new mailing list. I'm sure that there are many other things just like this, and now 
> everybody will be looking for the next "shellshock" in places where nobody has looked before. It's very difficult 
> sometimes to know who to reach to. As far as I can tell oss-security is really more focused on how to get found 
> vulnerabilities to the world in some sort of organized fashion, which is it does well (please correct me if I'm wrong 
> here) but it seems very easy to stray off topic. 

As far as I can tell, oss-security has turned out to be a focal point for
requesting CVE identifiers, but AFAIK the topic is broader than that;
anything regarding security in open source software is on-topic.  See
the description: http://oss-security.openwall.org/wiki/mailing-lists/oss-security

Cheers,
Peter
-- 
http://www.more-magic.net