Tweet
Originally posted by asdfblah
View Post
-
Also always always report bashisms in scripts using /bin/sh as upstream bugs rather than maintaining everything yourself -
It is interesting to see how people suddenly are fleeing towards other shells. But does that really make sense? Nobody can assure you that other shells don't have similar problems. After some mass use they might exhibit also flaws and defects. Or does any of those have regular code audits?
I'm not into any shell bashing (no pun
) but it's interesting to see people's reactions.
Stop TCPA, stupid software patents and corrupt politicians!Comment
-
Is it really clever and secure if everybody starts using the same shell - dash?
Comment
-
Yup, I agree. Fleeing to a different shell won't magically solve the MAIN problem: We NEED to have the shells (whichever) audited.Originally posted by Adarion View PostComment
-
On the other hand this has the positive effect of ensuring that sh scripts are really sh scripts and not bash scripts. Which means that they'll work in any sh-compliant sh as opposed to only in bash, removing that single point of failureOriginally posted by Adarion View PostIt is interesting to see how people suddenly are fleeing towards other shells. But does that really make sense? Nobody can assure you that other shells don't have similar problems. After some mass use they might exhibit also flaws and defects. Or does any of those have regular code audits?
I'm not into any shell bashing (no pun ) but it's interesting to see people's reactions.Comment
-
The problem is bash is designed to be a feature rich user shell. Something like dash is designed to be a system shell that no user use, but is the one implicitly used for system functions.Originally posted by Adarion View PostIt is interesting to see how people suddenly are fleeing towards other shells. But does that really make sense? Nobody can assure you that other shells don't have similar problems. After some mass use they might exhibit also flaws and defects. Or does any of those have regular code audits?
I'm not into any shell bashing (no pun ) but it's interesting to see people's reactions.Comment
-
The system shell should be a fast, small, minimalistic, secure shell without bells and whistles.
The user shell needs more bells and whistles such as command history, autocompletion, line editing features, etc.Comment
-
Before we all jump ship off of Bash and OpenSSL, why don't the community form security groups and audit the codes. Try to fix/mainain these mature projects before jumping to less mature ones with a code with potentially more bugs. Seems to silly to change based on one well known bug.Comment
-
Since ArchLinux was brought up, it should be noted that the developers there are leaning towards not switching to dash, and part of the reason is security (how dash handles setuid): https://bugs.archlinux.org/task/42134#comment128011Comment
Comment