Almost tempted to include the satire tag.
I am not convinced that funding has a linear relationship to security. Can my funding dollars go towards changing mindsets? Using different languages?
Well, on Unix, it is hard to replace shell as a language to something different…
There are many alternative shells. sh, ash, dash, ksh, pdksh, mksh, csh, tcsh, …
I think more complex and feature rich shells like bash are fine for interactive/user logins. I think system tooling should either use “real” (read: non-shell) languages, or stick with POSIX-compliant sh semantics (which should work with sh, ash, dash, etc). I am also of the opinion that /bin/sh should also very much not be simply linked to bash.
CGI scripts being invoked through a bash context via system()? madness!
I am also of the opinion that /bin/sh should also very much not be simply linked to bash.
Agreed. While I understand the appeal of reducing maintenance overhead, the maintenance of /bin/sh should be very minimal. And if the concern is scripting features, then there are a wealth of other shells (and languages) available which provide them, and are only a shebang away.
Debian already does this:
$ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Mar 1 2012 /bin/sh -> dash
$ cat /etc/debian_version
and Bash actually disables a bunch of Bash semantics when run as /bin/sh. (Not all of them, though. The effort to migrate /bin/sh to dash on Debian uncovered an absolutely hilarious number of scripts with a /bin/sh hashbang that depended on bash-isms or bash syntax. That’s a separate issue, but clearly related.)
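The dash-migration breakage described in that post is the kind of thing worth catching before /bin/sh is repointed. As an added example (not code from anyone in this thread), the POSIX sh function below flags common bash-only constructs in a script that declares a #!/bin/sh shebang; the pattern list and the two sample scripts are constructed for illustration, and the check is a heuristic, not a parser.

```shell
#!/bin/sh
# Heuristic bashism check for scripts that claim to be POSIX sh.
# Returns 0 if the file has no sh shebang or no obvious bashism;
# prints each suspect line (grep -n) and returns 1 otherwise.
check_sh_script() {
    file=$1
    shebang=$(head -n 1 "$file")
    case $shebang in
        '#!/bin/sh'|'#!/bin/sh '*|'#!/usr/bin/env sh') ;;
        *) return 0 ;;   # script does not claim POSIX sh; nothing to check
    esac
    hits=0
    # Each ERE matches a construct dash rejects or treats differently:
    # [[ ]], function keyword, source, arrays, &> redirection,
    # $RANDOM, echo -e, and ${var//pattern/repl} substitution.
    for pat in '\[\[' '^[[:space:]]*function[[:space:]]' \
               '^[[:space:]]*source[[:space:]]' '[A-Za-z_][A-Za-z0-9_]*=\(' \
               '&>' '\$RANDOM' 'echo[[:space:]]+-e' '\$\{[^}]*//'
    do
        if grep -nE "$pat" "$file"; then hits=1; fi
    done
    return "$hits"
}

# Constructed sample: claims /bin/sh but relies on bash-only syntax.
SAMPLE_BASHISM='#!/bin/sh
if [[ -f /etc/debian_version ]]; then
    echo -e "debian\tsystem"
fi'

# Constructed sample: the same logic written in portable POSIX sh.
SAMPLE_POSIX='#!/bin/sh
if [ -f /etc/debian_version ]; then
    printf "debian\tsystem\n"
fi'

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_BASHISM" > "$tmp"
    check_sh_script "$tmp" || echo "$tmp: would break when /bin/sh is dash"
    printf '%s\n' "$SAMPLE_POSIX" > "$tmp"
    check_sh_script "$tmp" && echo "$tmp: no bashisms found"
    rm -f "$tmp"
}
demo
```

Running it under dash itself (dash -n file) is the authoritative syntax check; this grep pass is only a quick triage over many scripts.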
Do you really think replacing bash with tcsh would have any positive effect on security?
Where did I say that?
I said /bin/sh should not be bash, and that bash (and tcsh!) should be limited to interactive/user/login shell usage.
For interactive/login shells, I personally use mksh, but I certainly don’t expect everyone to.
“PR Team not shellshocked by shellshock”
Development of Bash, and GNU in general, is almost exclusively a volunteer effort, and you can contribute. We are reviewing Bash development, to see if increased funding can help prevent future problems. If you or your organization use Bash and are potentially interested in supporting its development, please contact us.
This is IMHO the most important paragraph there.
The OpenBSD Foundation managed to rally six figure donation sums in support of LibreSSL and continued development+maintenance of other major security projects (OpenSSH) in light of the Heartbleed bug. Perhaps this incident could encourage the same or greater response from the community in support of the FSF.
Or better yet, become a member!