On Sun, 10 Mar 2013 16:46:41 +0100
Michał Górny wrote:
> On Sun, 10 Mar 2013 15:26:29 +0000
> Ciaran McCreesh wrote:
> > On Sun, 10 Mar 2013 14:48:06 +0100
> > Michał Górny wrote:
> > > Well, unless we're talking about a theoretical package mangler
> > > which intentionally uses internal, old version of bash to prove
> > > the point.
> >
> > That's a good idea, maybe we'll do that. Sounds like a good way of
> > doing better input validation. Perhaps we could patch our internal
> > bash to make it easier to catch certain other errors too.
>
> Please don't forget to bundle a few rootkits inside, so your users
> won't have to wait for security issues to be found in the ye ol' bash
> version you'll use.

You mean, in the bash that will be being run as root, that is
accessible exclusively to packages, all of which are allowed to run
things as root, install set*id binaries, etc?

-- 
Ciaran McCreesh