Re: Dash as default shell

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 01.10.14 22:39, Rahul Sundaram (metherid@xxxxxxxxx) wrote:

> Hi
> 
> Is it worth considering using Dash as the default (non-interactive) shell
> in Fedora?  Other distributions including Ubuntu and Debian (
> https://lwn.net/Articles/343924/) have been using dash as the default shell
> and Android uses mksh.  While this appears to have been done primary to
> increase bootup efficiency (which is not relevant with systemd), it might
> help with security
> 
> Since the recent Shellshock aka Bashdoor vulnerability, there have been
> some discussions about more distributions switching over (
> http://lwn.net/SubscriberLink/614218/019d9a52b0eaae3d/) and I was wondering
> whether it is worth considering for Fedora?  FWIW, both dash and mksh is
> already packaged in Fedora.

This sounds really wrong to me.

If you change /bin/sh to dash, then you'll have to map two shell
binaries into memory (since the login shell is going to stay on bash),
hence the resource usage grows. You increase the number of packages
and minimal footprint of our OS images since we need to install one
more package. You also increase the attack surface, since there'll be
two shells running. You have to maintain + security-fix more code,
since you have two packages to look after (Yes, by adding dash to the
default stack you just put the extra burden on Fedora to quickly
update two packages instead of just one in case of a security
problem). You create a *lot* of porting work for all those
scripts. You *break* all scripts that currently reference /bin/sh in
the shebang-line but use bashisms. Also, many of the bashisms are
actually pretty useful, hence you replace a more powerful language by
a crappier one. You create an entirely new problem for our users, by
making them *think* whether they actually mean /bin/sh or
/bin/bash. You confuse users by disallowing certain expressions in
scripts that work fine if you type them on the interactive shell.

So, in order to keep things simpler, faster, more secure, more
maintainable, more compatible, let's please stick with one shell and
one shell only, and let's stay with bash. Thank you.

Let's not waste our time with this, please!

Lennart

-- 
Lennart Poettering, Red Hat
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux