as much as i like dash or ksh
the reasoning to switch is just plain stupid

bugs get found, bugs get fixed
gnome reasoning infesting fedora (or was it the other way around?)

Personally I like the idea of a system with interchangeable parts and where there are several independently developed variants of just about every component. This requires that communications between the parts (including shell scripts) adhere to a strict minimal common standard. "Network effects" - aka "lock-in" is generally a bad thing I think because it reduces choice (compare this to the whole debate surrounding systemd assimilating desktop-critical functions like udev, logind, ... creating a "network effect" prodding distributions to adopt to it).

... and people discuss ways to reduce the occurence of such security bugs. Using a minimal shell is one way of doing that. Not relying on shell scripts much is another.

Probably just phoronix infested by silly comments.

From what I've heard, upstream Bash doesn't want to fix the problem.

Can you provide a citation?

upstream bash, aka GNU, has fixed it a while ago
all major distribution maintainers have been notified and probably all of them have provided patched packages
(slackware i know provided updated packages on the same date the vulnerability got announced to the public)

@Rahul
the fact that bash even provides such a mechanism is useless to most people indeed
despite that, GNU has (afaik) always been expedient in patching security related bugs

not to mention that this has been blown out of proportion
it is a big hole but to exploit it the cracker would have to gain access to the system in the first place
CGI, afaik, can be set to not execute shell scripts, and SSH needs the users password


also there are way greater holes in other software
cve's for bash
cve's for PHP
cve's for pidgin
pidgin is my favorite; it sent binary code to choose the user's image by executing that code
it's probably fixed now, but it made me smile

I commend Bash maintainers for fixing the problems quickly but you are clearly understimating the impact. From wikipedia

"On 26 September, the security firm Incapsula noted 17,400 attacks on more than 1,800 web domains, originating from 400 unique IP addresses, in the previous 24 hours; 55% of the attacks were coming from China and the United States.^[7] By 30 September, the website performance firm CloudFlare said it was tracking approximately 1.5 million attacks and probes per day related to the bug.^[8]"

It is never a good excuse to say there are security bugs in other software, so this isn't a big deal. The default system shell is far more critically important than say Pidgin is for Linux users. Also the discussion wasn't merely about security but also size, performance etc.

It seems a very good idea to switch shell, and it something they should have done a long time ago.
Debian already did this long time ago, others should have too.

dash is a lightweight, minimalistic shell to be used by the the system to execute shell scripts.

Bash is full featured, end-user shell with all the bells and whistles and is to be used by the humans when interacting with the terminal.

Bash should never have been used by the system in the first place. Bash is great, but it serves a different purpose.
Dash would be a horrible shitty shell to be used by users, but its not what it is made for, it is purpose is to be a shell used by the system.

No, I looked and then hoped someone would clarify, which is why I didn't state it as a fact, but a rumour.

People did above, so I'm glad I was misinformed.

y
dash is a POSIX shell, mostly
ksh is also a great shell

however, how light a shell is is not really that important as it shares almost all the memory it uses with other running shells (about 0.5MB is not shared on my computer)
things like autocompletion and history also take up some memory
all in all i find bash ok, only thing i find a bit off is executing subshell commands in a fork instead of the current process

also debian cares about older computers that have under 256MB RAM, while fedora you can't even install on them (without hacking the installer)
edit: at least debian did care, i'm not sure anymore

all in all i also think dash or ksh is a better shell for a couple reasons, security not being one of them
i, myself, will still use bash because of it's history and autocompletion and will write shell scripts in POSIX only