On Fri, Sep 26, 2014 at 05:37:57AM +0800, lolilolicon wrote: > With the disclosure of the new bash bug (CVE-2014-6271, CVE-2014-7169), > it seems timely to bring this up. > > Dan added dash to core/base around seven years ago [1], intending the > eventually link /bin/sh to dash instead of bash. > > [1] https://mailman.archlinux.org/pipermail/arch-dev-public/2007-November/003053.html > > We didn't make the switch, supposedly due to the bashism in our scripts > which had a #!/bin/sh shebang line? > > Seven years passed. > > Is there anything preventing us from making the switch from bash to dash > as /bin/sh now? We can then have dash provide sh instead. Yes -- due to the same reasons. Also, I don't understand what the switch has to do with the CVEs? If they are found -- good; if promptly fixed -- great. At the very least this means that people are looking at the code... Has anyone proven a theorem saying that no such bugs exist in dash (zsh, ksh, etc.)? Cheers, -- Leonid Isaev GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4 C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
Attachment:
pgp6lzintPfAd.pgp
Description: PGP signature
