by Szpadel 1124 days ago
Agree, I wanted to just add that this paper might be right for projects that are not actively developed anymore, something like bash or coreutils etc., as there this is fairly well tested code and there aren't that many added features that could introduce issues.

for anything that is actively developed it's a whole other story, even if you are confident that the current codebase is safe, each added feature has a risk that it breaks some unwritten contract somewhere and introduces security issues.

E.g. look at the recent vulnerability in sudo; at first and second sight it was safe and secure, and triggering it required an unobvious corner case.

How many similar issues could you have in your codebase that could be dormant for years?


I didn't mean that those projects are not maintained, rather that there aren't intensive changes anymore.

Coreutils:

> There have been 26 commits by 3 people in the 29 days since 9.2

Bash looks like it hasn't had any commit this year yet.

> Bash looks like it hasn't had any commit this year yet.

Does anyone know why this is? Is it because doing anything would cause POSIX divergence? Nobody wants to (because it's an "ugh experience")? It's considered effectively complete?

Genuinely curious.

I don't actually use Bash for my personal shell, though. I do write bash scripts semi-regularly though.

All of the commits are from Chet Ramey, who the wiki says took over maintenance on bash just shy of 30 years ago.

It looks like it's busy in the devel branch.

https://git.savannah.gnu.org/cgit/bash.git/log/?h=devel

The last commit from anyone else was Jari Aalto in 2009? Wow.

If he's committing on behalf of anyone else, it isn't mentioned in git.

The AUTHORS file is mostly Chet Ramey with occasional input from other FSF members.