Why system administrators hate security researchers every so often
So now that we know what's wrong, how do we fix it? The answer is to clean up the technical debt, to go through the code and make systematic changes to bring it up to 2014 standards.
This will fix a lot of bugs, but it will break existing shell-scripts that depend upon those bugs. That's not a problem -- that's what upping the major version number is for. [...]
I cannot put this gently, so here it goes: FAIL.
The likely effect of any significant amount of observable Bash behavior changes (for behavior that is not itself a security bug) will be to leave security people feeling smug and the problem completely unsolved. Sure, the resulting Bash will be more secure. A powered off computer in a vault is more secure too. What it is not is useful, and the exact same thing is true of cavalierly breaking things in the name of security.
Bash's current behavior is relied on by a great many scripts written by a great many people. If you change any significant observable part of that behavior, so that scripts start breaking, you have broken the overall system that Bash is a part of. Your change is not useful. It doesn't matter if you change Bash's version number because changing the version number does nothing to magically fix those broken scripts.
Fortunately (for sysadmins), the Bash maintainers are extremely unlikely to take changes that will cause significant breakage in scripts. Even if the Bash maintainers take them, many distribution maintainers will not take them. In fact the distributions who are most likely to not take the fixes are the distributions that most need them, i.e. the distributions that have Bash as /bin/sh and thus where the breakage will cause the most pain (and Bashisms in such scripts are not necessarily bugs). Hence such a version of Bash, if one is ever developed by someone, is highly likely to leave security researchers feeling smug about having fixed the problem even if people are too obstinate to pick up their fix and to leave systems no more secure than
But then, this is no surprise. Security researchers have been ignoring the human side of their nominal field for a long time.
(As always, social problems are the real problems. If your proposed technical solution to a security issue is not feasible in practice, you have not actually fixed the problem. As a corollary, calling for such fixes is much the same as hoping magical elves will fix the problem.)