> On Fri, Sep 26, 2014 at 05:37:57AM +0800, lolilolicon wrote: >> With the disclosure of the new bash bug (CVE-2014-6271, CVE-2014-7169), >> it seems timely to bring this up. >> >> Dan added dash to core/base around seven years ago [1], intending the >> eventually link /bin/sh to dash instead of bash. >> >> [1] https://mailman.archlinux.org/pipermail/arch-dev-public/2007-November/003053.html >> >> We didn't make the switch, supposedly due to the bashism in our scripts >> which had a #!/bin/sh shebang line? >> >> Seven years passed. >> >> Is there anything preventing us from making the switch from bash to dash >> as /bin/sh now? We can then have dash provide sh instead. > > Yes -- due to the same reasons. Also, I don't understand what the switch has to > do with the CVEs? If they are found -- good; if promptly fixed -- great. At the > very least this means that people are looking at the code... Has anyone proven > a theorem saying that no such bugs exist in dash (zsh, ksh, etc.)? > > Cheers, > One of the primary reasons people wanted to switch to dash in the first place is not usability, but its performance for large shell scripts. For interactive shells, bash may still be more useful. As for shell performance, it was more relevant when bootup and service management relied on shell scripts. That is no longer really the case. With systemd, shell scripts for services and bootup are few and far between, afaik. So why risk breakages? --SM
Attachment:
signature.asc
Description: OpenPGP digital signature
