On Fri, Sep 26, 2014 at 4:20 PM, Martti Kühne <mysatyre@xxxxxxxxx> wrote:
[...]
> Despite that I'm still not convinced as to why
> the issue in question is such a big deal, I must say it's unlikely
> we're better off with a less active, less used shell.

Put simply, bash has too much bloat. That includes obscure dark corners like function export/import, where bash interprets an ENV whose value starts with '() {' as a function definition. And this behavior is not inhibited even when bash is invoked as sh.

In contrast, a minimal implementation of the POSIX shell implements only such well-defined features. That means security people know where to look for bugs. Being minimal in itself also promises fewer bugs.

I do not have hard numbers about dash, but I think it's to be trusted. It has a long history. It's maintained. It's not being actively developed, because it does not have features to add, and it does not have bugs to fix that resulted from added features. It's used by Debian-based distros as /bin/sh, so it's not exactly lacking testing.

The only real "cultural incompatibility" I see in Arch's switching to dash as /bin/sh is that dash is "too Debian". dash is "feature complete"; it's not going to push the POSIX shell standard forward. That it *follows* the standard. That it's not bleeding edge. But who wants /bin/sh to bleed?
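
The function import described in the message above keys on an environment value that starts with '() {'. As an added example (not part of the original post, and not code from bash or dash), the following parses a NUL-separated environment block, flags such entries, and runs a child with them removed; the function names and the sample block are assumptions made for illustration.

```python
import os
import subprocess

FUNC_PREFIX = "() {"  # the value prefix named in the message above

# Constructed sample in the NUL-separated layout of /proc/<pid>/environ.
SAMPLE = (b"PATH=/usr/bin:/bin\0GREET=() { echo hi; }\0"
          b"NOTE= () { not at start\0OPTS=a=b\nc\0FLAG\0")


def parse_environ_block(block: bytes):
    """Split an environ block into (name, value) pairs.

    Only the first '=' separates name from value, values may contain
    newlines, and an entry without '=' is kept with value None.
    """
    pairs = []
    for entry in block.split(b"\0"):
        if not entry:
            continue  # trailing NUL or empty slot
        name, sep, value = entry.partition(b"=")
        pairs.append((name, value if sep else None))
    return pairs


def function_like(pairs):
    """Names whose value begins with exactly '() {' (no leading whitespace)."""
    prefix = FUNC_PREFIX.encode()
    return [n for n, v in pairs if v is not None and v.startswith(prefix)]


def scrubbed_env(env):
    """Copy of a str -> str environment without function-like values."""
    return {k: v for k, v in env.items() if not v.startswith(FUNC_PREFIX)}


def run_scrubbed(argv, env=None):
    """Run argv with function-like variables removed from its environment."""
    base = dict(os.environ if env is None else env)
    return subprocess.run(argv, env=scrubbed_env(base), check=False)


if __name__ == "__main__":
    for name in function_like(parse_environ_block(SAMPLE)):
        print("function-like value in:", name.decode(errors="replace"))
```

Scrubbing drops every variable whose value has that prefix, including functions a user exported on purpose, so it fits in front of a non-interactive /bin/sh invocation rather than a login shell.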