On Fri, Sep 26, 2014 at 05:37:57AM +0800, lolilolicon wrote:
With the disclosure of the new bash bug (CVE-2014-6271, CVE-2014-7169), it seems timely to bring this up.
Dan added dash to core/base around seven years ago , intending the eventually link /bin/sh to dash instead of bash.
We didn't make the switch, supposedly due to the bashism in our scripts which had a #!/bin/sh shebang line?
Seven years passed.
Is there anything preventing us from making the switch from bash to dash as /bin/sh now? We can then have dash provide sh instead.
Yes -- due to the same reasons. Also, I don't understand what the switch has to do with the CVEs? If they are found -- good; if promptly fixed -- great. At the very least this means that people are looking at the code... Has anyone proven a theorem saying that no such bugs exist in dash (zsh, ksh, etc.)?