Dash as default shell

Rahul Sundaram metherid at gmail.com
Thu Oct 2 15:53:18 UTC 2014


Hi

On Thu, Oct 2, 2014 at 11:38 AM, Miloslav Trmač  wrote:

>
> OK, then; care to explicitly list the advantages you expect to see from
> such a switch, and why they outweigh the disadvantages and the migration
> costs?
>

I don't have a predrawn conclusion that I am advocating strongly for here
but I am convinced it is worth a discussion.   So far from the discussions
I have seen the advantages as reduced size ( dash is significantly smaller
than bash) and this can be a nice advantage for containers etc,  POSIX
correctness (/bin/sh should be only used by shell scripts that don't rely
on Bash specific features),  performance (Zdenek Kabelac posted some
numbers)

On the flip side, there is probably some shell scripts that needs to be
fixed to use /bin/bash explicitly as opposed to assuming /bin/sh will
always be a symlink to bash. I can help write guidelines, check scripts,
file bug reports etc but even if we do fix the scripts we include within
the distribution (likely minimal since Debian/Ubuntu has switched over
several years back), users might have to fix their scripts which we don't
control.  Any user ability to reconfigure the default system shell has some
added complexity at the packaging level.   Dash also might need a security
review from someone competent to do it (ie) not me.


The expected security improvement is essentially nonexistent.  In the
> current case of importing functions from the environment (and we could have
> a looong philosophical conversation about whether this is a vulnerability
> in bash or in its callers, where the likely outcome is “not a vulnerability
> in bash but by far easiest to fix in bash”)
>

Why would this be a philosophical discussion when there were clearly bugs
in the parser allowing things it shouldn't even if you consider the use
cases valid otherwise?

Rahul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20141002/515df2c2/attachment.html>


More information about the devel mailing list