gpc、やっぱり開発止まってたのね。
Quo vadis, GPC?
Quo vadis, GPC?
Frank Heckenbach ih8mj at fjf.gnu.de
Tue Jul 27 00:16:43 CEST 2010
Hi everybody,
since GPC development has mostly stalled, I've thought about if and
how its development could be continued. Here are my current thoughts
about it. Since the text is quite long, I put it on the web:
http://fjf.gnu.de/gpc-future.html
As I write there, I don't see much future in the current way of
developing GPC, but also alternative development models will not be
a task for a single person. In other words, without some new
contributors, there is probably no chance for GPC development to
continue.
以下略
メール中にリンクのあったこれにもいろいろと
Quo vadis, GPC?
Quo vadis, GPC?
As you have surely noticed, GPC development has stalled recently and questions about GPC's future have been
raised. I've thought about the issues for a while, and here are my thoughts.
I started as GPC's main developer and maintainer some 10 years ago, following Peter Gerwinski and followed by
Waldek Hebisch, though with some overlap each time. Recently, GPC development has almost come to a standstill
as all three of us have focused on other projects, and have not had the time nor the necessity to do significant
GPC development.
Back then, Peter Gerwinski, and occasionally I, professionally worked on some larger Pascal projects. These
projects are now finished (as far as we are concerned), so for our professional work, there is currently no
more interest in GPC. In recent years, Peter and I have done our professional work in other languages, mainly C++.
以下略
良くまとまってるんで訳したらいいんじゃないすかね
Shellshock
Shellshock
Shellshock
David A. Wheeler
2014-10-08
This paper covers the basics of the shellshock bash vulnerability, a discussion on ways to detect or prevent
future Shellshock-like vulnerabilities, a timeline of what happened when, and some information about the specific
CVEs (vulnerability identifiers). It ends with a few conclusions.
Shellshock basics
The shellshock vulnerability is a vulnerability in the widely-used bash command shell. This vulnerability had a
huge impact. Here I will discuss the initial disclosure, the realization that there was a bigger problem, how
to detect the shellshock vulnerability, naming shellshock, and the general aftermath.
Timeline
Below is a timeline of shellshock, including citations to justify it. There were many unintentionally-incorrect
reports of times, so the data below differs from many earlier (incorrect) reports. My sincere thanks to those who
helped, including Stéphane Chazelas (e.g., for vulnerability insertion dates and report times) and Eric Blake
(e.g., for bash patch dates). Remember that people do not necessarily represent the organizations they work for.
略
1989-08-05 08:32:05 -0700 (timezone estimated) Shellshock vulnerability accidentally introduced into the development version of bash by then-lead bash developer Brian Fox, as part of an addition to support function export and import. The date of insertion is confirmed by a bash ChangeLog. The “code is very simple, it just replaces the = with a space in the environment entry and interprets it”. Chet Ramey notes on 1989-09-02 that an advantage of bash over ksh is that bash supports function export. A later post by Brian Fox on 1989-09-08 04:54:05 EDT also notes that bash 1.03 can export functions, and explains how: “Upon reading in the environment, if a string of the form “name=() {“ is found, then that is a function definition.” This is the mechanism that turns out to be vulnerable. More information is posted at StackExchange responses to “When was the shellshock (CVE-2014-6271/7169) bug introduced, and what is the patch that fully fixes it?” The timezone is estimated from the fact that Brian Fox moved to Santa Barbara in 1987 and daylight savings time would have been in effect (thanks to David Woodhouse for reminding me of the latter correction). Note that this date is relatively soon after the first beta release of bash (1989-06-07), and bash development had only begun in late 1987. My thanks to Eric Kobrin (Akamai) who found this information and also to Stéphane Chazelas who posted the information to oss-security on 2014-10-04 09:19:07 +0100 (alternate link). This date (and supporting information) was difficult to track down, so many early reports gave the wrong date for vulnerability insertion (1992 is incorrect).
1989-09-01 18:52:08 -0700 (timezone estimated) Brian Fox releases version 1.03 of bash with the vulnerability included in it. The sources for this information are the same as the previous entry; here is a brief discussion about this date.
2014-09-12 16:10:35 +0100 Stéphane Chazelas reports the vulnerability in bash to Chet Ramey (the lead bash developer) and the security contacts of Debian, Red Hat, Ubuntu and Mandriva (SUSE was added later). This included “details of the bug and the SSH and HTTP (Apache header) vectors and mitigation and a bit fat warning that it was very serious and not to be disclosed”. This newly-found vulnerability was assigned the identifier CVE-2014-6271. Stéphane Chazelas found this vulnerability in the morning of the same day (2014-09-12 in the UK), after reflecting on an earlier vulnerability he had reported in libc (CVE-2014-0475) that had involved environment variables and was aggrevated by design choices in bash. As is routinely done, release of details was briefly embargoed. Private discussions were held about the best way to solve the problem, and patches were developed by the bash developer Chet Ramey for a planned coordinated announcement. There were conflicting reports about the date; the dates and other information reported by Stéphane Chazelas himself are used here (because he is a primary source). The article “Stéphane Chazelas: the man who found the web’s ‘most dangerous’ internet security bug” by Ben Grubb, The Sydney Morning Herald, September 27, 2014, provides some interesting early information, but it includes an incorrect date of 2014-09-09 as the report date, and it also incorrectly claims that the previous vulnerability Chazelas reported was in bash (it was actually in GNU libc, and merely aggrevated by bash functionality). The article “Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Significant” by Nicole Perlrothsept, The New York Times, 2014-09-25 gives the correct Shellshock report date, 2014-09-12.
2014-09-14 14:29:48 +0100 Stéphane Chazelas proposes that this vulnerability be named “bashdoor”. However, this proposed name is not mentioned in early announcements of the vulnerability, and in the end this name does not catch on.
2014-09-16 22:00:02 -0400 Chet Ramey has all final (before disclosure) fixes for the current and all past versions of bash back to 3.0 by 2014-09-16. Source: Stéphane Chazelas.
略
(C) Copyright 2014 David A. Wheeler.
なんと1989年から潜んでいたとは
