On Wed, 01.10.14 22:39, Rahul Sundaram (metherid@xxxxxxxxx) wrote:

> Hi
>
> Is it worth considering using Dash as the default (non-interactive) shell
> in Fedora? Other distributions including Ubuntu and Debian
> (https://lwn.net/Articles/343924/) have been using dash as the default shell
> and Android uses mksh. While this appears to have been done primarily to
> increase bootup efficiency (which is not relevant with systemd), it might
> help with security.
>
> Since the recent Shellshock aka Bashdoor vulnerability, there have been
> some discussions about more distributions switching over
> (http://lwn.net/SubscriberLink/614218/019d9a52b0eaae3d/) and I was wondering
> whether it is worth considering for Fedora? FWIW, both dash and mksh are
> already packaged in Fedora.

This sounds really wrong to me.

If you change /bin/sh to dash, then you'll have to map two shell binaries into memory (since the login shell is going to stay on bash), hence the resource usage grows.

You increase the number of packages and the minimal footprint of our OS images, since we need to install one more package.

You also increase the attack surface, since there'll be two shells running.

You have to maintain + security-fix more code, since you have two packages to look after. (Yes, by adding dash to the default stack you just put the extra burden on Fedora to quickly update two packages instead of just one in case of a security problem.)

You create a *lot* of porting work for all those scripts.

You *break* all scripts that currently reference /bin/sh in the shebang line but use bashisms.

Also, many of the bashisms are actually pretty useful, hence you replace a more powerful language by a crappier one.

You create an entirely new problem for our users, by making them *think* whether they actually mean /bin/sh or /bin/bash.

You confuse users by disallowing certain expressions in scripts that work fine if you type them on the interactive shell.
So, in order to keep things simpler, faster, more secure, more maintainable, more compatible, let's please stick with one shell and one shell only, and let's stay with bash.

Thank you. Let's not waste our time with this, please!

Lennart

--
Lennart Poettering, Red Hat

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
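The breakage Lennart describes (scripts that carry a /bin/sh shebang but only work while /bin/sh is bash) is something you can measure before any switch. The script below is an added example, not code from the thread and not Fedora's or Debian's own tooling: a small POSIX sh scan that checks the shebang and counts lines matching a handful of well-known bashisms. The pattern list, the sample files and the function names are assumptions of this example; the patterns are a rough heuristic, not a parser, and for a real audit the tool to reach for is checkbashisms from Debian's devscripts package.

```shell
#!/bin/sh
# Added example, not code from the thread. A heuristic scan for bashisms in
# scripts that carry a /bin/sh shebang. The pattern list is an assumption of
# this example and is far from complete; Debian's checkbashisms (devscripts)
# is the real tool for this job.

tmp="${TMPDIR:-/tmp}"
SAMPLE="$tmp/bashism-sample.$$"
CLEAN="$tmp/posix-sample.$$"
trap 'rm -f "$SAMPLE" "$CLEAN"' EXIT

# Constructed sample: claims to be sh, but relies on bash-only syntax.
# It is only written to disk and scanned, never executed.
cat > "$SAMPLE" <<'EOF'
#!/bin/sh
function greet {
    local who="$1"
    if [[ "$who" == "root" ]]; then
        echo "hello, admin"
    fi
    arr=(one two three)
    echo "${arr[1]}"
    source /etc/profile.d/foo.sh
    echo -e "done\n"
}
greet "$USER"
EOF

# Constructed sample: the same logic written in POSIX sh, so dash runs it too.
cat > "$CLEAN" <<'EOF'
#!/bin/sh
greet() {
    who="$1"
    if [ "$who" = "root" ]; then
        printf '%s\n' "hello, admin"
    fi
    set -- one two three
    printf '%s\n' "$2"
    . /etc/profile.d/foo.sh
    printf 'done\n\n'
}
greet "$USER"
EOF

# shebang_is_sh FILE: succeeds if the first line is a /bin/sh shebang.
shebang_is_sh() {
    head -n 1 "$1" | grep -Eq '^#![[:space:]]*/bin/sh([[:space:]]|$)'
}

# count_bashisms FILE: prints how many lines match a known bashism pattern.
# Patterns (assumptions of this example): [[ ]] tests, the "function"
# keyword, array assignment and indexing, "source" instead of ".", and
# "echo -e/-n" flags that POSIX does not guarantee.
count_bashisms() {
    n=$(grep -Ec \
        -e '\[\[' \
        -e '^[[:space:]]*function[[:space:]]+[A-Za-z_]' \
        -e '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=\(' \
        -e '\$\{[A-Za-z_][A-Za-z0-9_]*\[' \
        -e '(^|[[:space:];&|])source[[:space:]]' \
        -e '(^|[[:space:];&|])echo[[:space:]]+-[a-zA-Z]*[en]' \
        "$1") || true
    printf '%s\n' "${n:-0}"
}

# scan FILE: report a script that claims /bin/sh but looks like it needs bash.
# Prints one line and returns 1 if the file looks broken, 0 otherwise.
scan() {
    if ! shebang_is_sh "$1"; then
        printf '%s: not a /bin/sh script, skipped\n' "$1"
        return 0
    fi
    hits=$(count_bashisms "$1")
    if [ "$hits" -gt 0 ]; then
        printf '%s: %s suspected bashism line(s) under a /bin/sh shebang\n' "$1" "$hits"
        return 1
    fi
    printf '%s: no bashisms found\n' "$1"
    return 0
}

# What /bin/sh resolves to on this host decides whether such scripts run today.
printf '/bin/sh resolves to: %s\n' "$(readlink -f /bin/sh 2>/dev/null || echo unknown)"
scan "$SAMPLE" || true
scan "$CLEAN"
```

Run it under dash as well as bash (`dash scan.sh`, `bash scan.sh`); the scanner itself uses only POSIX constructs, so it behaves the same under both. Pointing `scan` at a system directory (`for f in /etc/init.d/*; do scan "$f"; done`) gives a first estimate of the porting work a /bin/sh switch would create, with the caveat that a regex scan both misses bashisms it does not know about and flags comments or strings that merely look like one.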