BASH security vulnerability

[Artemgy]

Marc,

> In a meeting this morning the issue of the BASH security vulnerability was brought up as a reason not to go the Ubuntu open
> source route. I need to find out if this security vulnerability is something we should be worried about to the point of not moving 
> forward with this project. It would mean 1000 of computers being sent for recycling instead of repurposing them with FOSS.

The need to understand security risks and implement measures against
them is consistent, regardless of the flavour of operating system you
run. Yes, Linux systems are vulnerable to ShellShock, like Macs have
been vulnerable to Flashback and Windows machines have been vulnerable
to Conficker. And it's not just the operating system - don't forget that
browsers on ANY operating system have been vulnerable to Blackhole, and
even the specialised software written to control nuclear power plants
has been vulnerable to Stuxnet! 

Most major operating systems have automated update mechanisms that can
effortlessly deliver protection from such vulnerabilities, and Ubuntu is
no exception. The sad irony is that, in order to keep "100% uptime" for
"critical services", many administrators of public-facing servers choose
to turn such automatic updates off. They have their reason, as updates
sometimes introduce a slightly modified behaviour, and they don't want
to upset the intricately balanced way their servers have been set up,
Fortunately most people who run a thousand or more desktops would
happily leave this automated protection, or at least have a group of
"pilot PCs" who get the updates a week before everyone else to make sure
the security updates don't cause any little niggles.

> I work for a school board in Montreal, Quebec and we are transitioning
> over to GAFE. This transition has allowed the acceptance of Ubuntu
> (Lubuntu) as a perfect solution for converting our older labs which
> painfully run on Windows 7.

I hope that you disuade your colleagues from throwing away valuable
equipment (and subsequently cash) merely on the basis of Fear,
Uncertainty and Doubt. Many, many people have enjoyed rejuvenating their
hardware with lightweight operating systems like Lubuntu only to find
that the community support of the ecosystem around it makes it so easy
to find answers to their questions.

And they benefit not only the freedom of myriad software packages
available for use without payment, but from the liberty to build upon
and extend what they are given in the first place that turns FOSS
computers into a a truly valuable resource, especially in an educational
environment where people can really make the most of what they have
available.

Vulnerable? - Yes, for a time! - like so many bits of computer code have
been over the years. However open source, and the communities built
around using it, are founded on transparency. The vendor-commercial,
closed source world contains opportunities and temptation to cover up
some vulnerabilities users might be facing - in the long run FOSS users
may actually find themselves in a more highly informed and empowered
position.

Hope this helps
Artemgy