Dash as default shell

Reindl Harald h.reindl at thelounge.net
Thu Oct 2 15:57:21 UTC 2014


On 02.10.2014 at 17:53, Rahul Sundaram wrote:
> On Thu, Oct 2, 2014 at 11:38 AM, Miloslav Trmač wrote:
>     The expected security improvement is essentially nonexistent.  In the current case of importing functions from
>     the environment (and we could have a looong philosophical conversation about whether this is a vulnerability in
>     bash or in its callers, where the likely outcome is “not a vulnerability in bash but by far easiest to fix in
>     bash”)
> 
> Why would this be a philosophical discussion when there were clearly bugs in the parser allowing things it
> shouldn't even if you consider the use cases valid otherwise?

because the conclusion that dash is not vulnerable to
other things is invalid - that needs to be proven and
not derived from known and *fixed* bugs in bash

not that i am against using things with less footprint
for many reasons, just the conclusion is wrong
