by merlincorey 3321 days ago
> If I booted a RedHat (5.2 came out in 2009ish) or FreeBSD machine from 2009 without patches, and put it on the internet, I'm pretty sure it'd be hosed just as bad (shellshock, heartbleed, ?). The difference is, everyone would tell me I'm an idiot for putting a machine online from 2009.

As a tongue-in-cheek (but totally true) correction, FreeBSD from 2009 would NOT be vulnerable to the shellshock vulnerability unless you explicitly install `bash` and make it the shell used by apache-cgi.

By default, FreeBSD lacks bash.

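As an added example (not code from the thread), here is a small POSIX sh script that stands in for the Apache mod_cgi path the comment above refers to: mod_cgi copies request headers into environment variables before starting a CGI script's interpreter, and unpatched bash (CVE-2014-6271, "Shellshock") parsed a variable whose value begins with `() {` as a function definition and kept executing whatever followed the closing brace. The script checks whether a given interpreter does that. The interpreter names and the choice of `HTTP_USER_AGENT` as the carrier header are assumptions; a FreeBSD `/bin/sh`, dash, or any bash patched for Shellshock reports `safe`.

```shell
#!/bin/sh
# Added example, not code from the thread. Stand-in for the Apache mod_cgi path
# that made Shellshock (CVE-2014-6271) remotely reachable: mod_cgi copies request
# headers into environment variables (HTTP_USER_AGENT here; the header choice is
# an assumption) before starting the CGI script's interpreter. Unpatched bash
# parsed a value beginning with "() {" as a function and kept executing past it.

# identify_shell INTERP: report whether INTERP is bash, using bash's own variable
# rather than the file name, since /bin/sh may be a symlink to anything.
identify_shell() {
    "$1" -c 'if [ -n "$BASH_VERSION" ]; then echo "bash $BASH_VERSION"; else echo "not bash"; fi' \
        2>/dev/null || echo missing
}

# cgi_shellshock_probe INTERP: run a minimal CGI-style command under INTERP with
# the widely published diagnostic string placed in the header variable.
#   vulnerable  the interpreter executed the trailing command from the variable
#   safe        it printed only the script's own output
#   missing     INTERP is not an executable on this system
#   error       INTERP ran but produced neither
cgi_shellshock_probe() {
    interp="$1"
    if ! command -v "$interp" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # The marker text exists only inside the crafted variable; it can reach
    # stdout only if the interpreter executes the "echo" after the function body.
    out=$(HTTP_USER_AGENT='() { :;}; echo SHELLSHOCK_MARKER' \
          "$interp" -c 'printf "Content-Type: text/plain\n\nhello\n"' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *hello*)             echo safe ;;
        *)                   echo error ;;
    esac
}

# Usage: probe the system sh and, if installed, bash.
for candidate in sh bash; do
    echo "$candidate: $(identify_shell "$candidate"), $(cgi_shellshock_probe "$candidate")"
done
```

The probe substitutes `-c` for a real CGI script, but the mechanism is the same: the attacker-controlled header is already in the environment when the interpreter starts, so what matters is which interpreter the script's `#!` line (or Apache's configuration) hands it to. That is the point of the comment above: a FreeBSD `/bin/sh` never parses the variable as a function, so the trailing command is never run.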

True, but FreeBSD can't guarantee perpetual security for releases. It also doesn't provide warranties, like the majority of software out there.

FWIW, I do hold FreeBSD in high regard. It's just that expecting perfection security-wise from complex systems is a fool's errand.

> It's just that expecting perfection security-wise from complex systems is a fool's errand.

I think that may have been the OP's point. Bash is more complex than sh has to be; hence, because FreeBSD chose the simpler option, they avoid the inherent security implications of complex systems.

(I use bash myself and don't use FreeBSD.)

Exactly, FreeBSD uses the simplest solution for the task, in the name of security. FreeBSD isn't "secure from Heartbleed because they don't use Bash" but rather, FreeBSD is "secure because by default only the most basic, necessary software is installed" which happened to be sh instead of bash.