Dash as default shell

Reindl Harald h.reindl at thelounge.net
Thu Oct 2 15:57:21 UTC 2014

Am 02.10.2014 um 17:53 schrieb Rahul Sundaram:
> On Thu, Oct 2, 2014 at 11:38 AM, Miloslav Trmač  wrote:
>     The expected security improvement is essentially nonexistent.  In the current case of importing functions from
>     the environment (and we could have a looong philosophical conversation about whether this is a vulnerability in
>     bash or in its callers, where the likely outcome is “not a vulnerability in bash but by far easiest to fix in
>     bash”)
> Why would this be a philosophical discussion when there were clearly bugs in the parser allowing things it
> shouldn't even if you consider the use cases valid otherwise?

because the conclusion that dash is not vulerable for
other things is invalid - that needs to be proven and
not derived from known and *fixed* bugs in bash

not that i am against using things with less footprint
for many reasons, just the conclusion is wrong

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20141002/40dc003f/attachment.sig>

More information about the devel mailing list