Re: Shellshock-vulnerable version still most obvious on ftp.gnu.org
From: Steve Simmons
Subject: Re: Shellshock-vulnerable version still most obvious on ftp.gnu.org
Date: Thu, 6 Nov 2014 10:45:54 -0500

On Nov 6, 2014, at 10:14 AM, Ian Jackson <ijackson@chiark.greenend.org.uk>
wrote:
> Chet Ramey writes ("Re: Shellshock-vulnerable version still most obvious on
> ftp.gnu.org"):
>> On 11/6/14, 7:47 AM, Ian Jackson wrote:
>>> But in the current environment it's looking rather quaint. We could
>>> probably provide a full tarball for each patch release.
>>
>> That is supposed to be one of the advantages of using git. You can always
>> get a tarball of the latest release with all patches applied using
>>
>> http://git.savannah.gnu.org/cgit/bash.git/snapshot/bash-master.tar.gz
>
> Right. That's great. But that's not the official primary
> distribution channel for bash, as I understand it.
>
> Thanks,
> Ian.

Don't get me wrong, I love git and it's my mechanism of choice for updates. But
that requires folks to be pretty up-to-date themselves on how to do stuff. As
we were doing the shellshock updates here, I found it a helluva lot easier to
deal with legacy system owners who couldn't do much more than cut and paste of

    gunzip bash-N.M.P.tgz
    tar xpf bash-N.M.P.tar ; cd bash-N.M.P
    ./configure && make && make install

They've never run patch, and in some cases don't even have a patch command.
Luckily those folks have legacy admins like me.

For them I built up-to-date tarballs of all the bash-N.M.P versions. Not only
was it a big win for them, it also turned out to be useful for me when trying
to install onto hosts that didn't have git or reasonably recent autoconf chains.

There are a lot of systems out there with custom device drivers for ten- and
twenty-year-old equipment that are monitoring satellites nobody ever thought
would stay up this long, or controlling custom-built devices that need to run
for another 5 years to finish their longitudinal surveys. We're lucky that most
of them at least have a cc and make that works, and we for damned sure don't
have the money to go rebuild them in place with up-to-the-minute tool chains.
Making those folks happy and secure makes my life happier and more secure.

In short, current tarballs are a win, both for the relatively naive admin and
for the old guys. I'm fer it.

Steve