On Fri, Sep 26, 2014 at 6:06 AM, Leonid Isaev firstname.lastname@example.org wrote:
Is there anything preventing us from making the switch from bash to dash as /bin/sh now? We can then have dash provide sh instead.
Yes -- due to the same reasons.
Care to elaborate? Is there a wiki page tracking progress on this, or something?
Also, I don't understand what the switch has to do with the CVEs? If they are found -- good; if promptly fixed -- great.
The bug is not really fixed. As far as I can tell the bug has been present since forever, but nobody discovered it due to the fact that function export is an obscure, little-known feature.
If you look into the reason of this bug, to see how this feature works, if you're like many others, you will feel a bit uneasy about using bash as /bin/sh.
At the very least this means that people are looking at the code... Has anyone proven a theorem saying that no such bugs exist in dash (zsh, ksh, etc.)?
No, there's no such theorem... But we can still use some heuristics:
- dash is small. Less code = fewer bugs. (For reasonably mature projects.)
- dash is the closest thing to sh. Anything that has the #!/bin/sh line should be written in pure sh. If you want bash, ask for bash.
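The last reply's rule, that anything with a `#!/bin/sh` line should be pure sh, is the condition that has to hold before /bin/sh can point at dash. As an added example that is not part of the thread, this POSIX sh script lists lines in `#!/bin/sh` scripts that use common bash-only syntax; the pattern list is an illustrative heuristic, and the sample scripts and their file names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list lines in "#!/bin/sh" scripts that
# use common bash-only syntax. The pattern list is an illustrative heuristic.
BASHISMS='\[\[[[:space:]]|^[[:space:]]*function[[:space:]]+[A-Za-z_]|[A-Za-z_][A-Za-z0-9_]*=\(|<<<|\$\{[A-Za-z_][A-Za-z0-9_]*/|&>|^[[:space:]]*source[[:space:]]'

# True when the file's first line is a /bin/sh shebang.
is_sh_script() {
    first=
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case $first in
        '#!/bin/sh'|'#!/bin/sh '*|'#! /bin/sh'|'#! /bin/sh '*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "lineno:text" for each suspect non-comment line; nothing for non-sh files.
find_bashisms() {
    is_sh_script "$1" || return 0
    grep -nE "$BASHISMS" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# Print the number of suspect lines.
count_bashisms() {
    find_bashisms "$1" | grep -c . || true
}

# Constructed sample scripts (hypothetical file names) written into directory $1.
write_samples() {
    cat > "$1/legacy.sh" <<'EOF'
#!/bin/sh
# comment mentioning [[ is ignored
function greet { echo "hi $1"; }
names=(alice bob)
if [[ -n "$1" ]]; then greet "$1" &>/dev/null; fi
EOF
    cat > "$1/portable.sh" <<'EOF'
#!/bin/sh
greet() { echo "hi $1"; }
if [ -n "$1" ]; then greet "$1" >/dev/null 2>&1; fi
EOF
    cat > "$1/explicit.sh" <<'EOF'
#!/bin/bash
names=(alice bob); [[ ${#names[@]} -gt 0 ]] && echo ok
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
for f in "$dir"/*.sh; do echo "${f##*/}: $(count_bashisms "$f") suspect line(s)"; done
rm -rf "$dir"
```

Scripts that declare `#!/bin/bash` are skipped on purpose: they asked for bash, so they are unaffected by what /bin/sh points at.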