I personally feel bad for Chet about this whole thing. For those of you
(probably most of you) who do not know Chet has been maintaining Bash
for free in his spare time for the last 25 years. He began working on it
because he was not satisified with the shells available at that time:
In 1989 or so, I was doing network services and server support for
[Case Western Reserve] University (CWRU), and was not satisfied with
the shells I had available for that work. [1]
I had the priviledge of hearing Chet speak about his experiences
maintaining Bash.[2] From my perspective he has done a really great job
over the years making software that many people love to use and abuse.
So while this is a really bad network security situation for the
internet at large I think it is dubious to hold Chet or even Bash at
particular fault. Rather, we are all at fault. We have been writing
software that just shells out to Bash or sh or z-shell for years because
it is convient. We could have easily have written our subprocess code in
better ways but it was easy to use shells and we used them, even when we
didn't really understand them.
So while this is a really bad network security situation for the internet at large I think it is dubious to hold Chet or even Bash at particular fault. Rather, we are all at fault. We have been writing software that just shells out to Bash or sh or z-shell for years because it is convient. We could have easily have written our subprocess code in better ways but it was easy to use shells and we used them, even when we didn't really understand them.
[1] http://www.computerworld.com.au/article/222764/a-z_programmi...
[2] The venue was Link State a student run conference here at CWRU