[arch-general] A good time to switch to dash as /bin/sh?

lolilolicon lolilolicon at gmail.com
Thu Sep 25 18:24:29 EDT 2014


On Fri, Sep 26, 2014 at 6:06 AM, Leonid Isaev <lisaev at umail.iu.edu> wrote:
>
>> Is there anything preventing us from making the switch from bash to dash
>> as /bin/sh now? We can then have dash provide sh instead.
>
> Yes -- due to the same reasons.

Care to elaborate?
Is there a wiki page tracking progress on this, or something?

> Also, I don't understand what the switch has to
> do with the CVEs? If they are found -- good; if promptly fixed -- great.

The bug is not really fixed. As far as I can tell the bug has been
present since forever, but nobody discovered it due to the fact that
function export is an obscure, little-known feature.

If you look into the reason for this bug, to see how this feature works,
if you're like many others, you will feel a bit uneasy about using bash as
/bin/sh.

> At the
> very least this means that people are looking at the code... Has anyone proven
> a theorem saying that no such bugs exist in dash (zsh, ksh, etc.)?

No, there's no such theorem... But we can still use some heuristics:

dash is small. Less code = fewer bugs. (For reasonably mature projects.)
dash is the closest thing to sh.
Anything that has the #!/bin/sh line should be written in pure sh.
If you want bash, ask for bash.
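
As an added illustration of the "pure sh" point above (not part of the original message): a heuristic POSIX sh check that flags common bash-only constructs in scripts whose shebang is #!/bin/sh, which are the scripts that would break if /bin/sh became dash. The function names and the pattern list are assumptions made for this example, not an exhaustive bashism detector.

```shell
#!/bin/sh
# Added example (not from the original message): heuristic bashism audit for
# scripts that declare #!/bin/sh. The pattern list is a small constructed set.

# Succeeds if the first line of file $1 is a /bin/sh shebang.
is_sh_script() {
    head -n 1 "$1" 2>/dev/null |
        grep -Eq '^#![[:space:]]*/bin/sh([[:space:]]|$)'
}

# Prints "file:line:text" for each non-comment line using a bash-only construct.
# Succeeds only if at least one such line was printed.
find_bashisms() {
    # /dev/null as a second operand makes grep prefix every hit with the file name.
    grep -nE \
        -e '\[\[[[:space:]]' \
        -e '<<<' \
        -e '[<>]\(' \
        -e '&>' \
        -e '\$\{[A-Za-z_][A-Za-z0-9_]*\[' \
        -e '(^|[[:space:];])(function|declare|shopt|source)[[:space:]]' \
        -e '(^|[[:space:];])export[[:space:]]+-f([[:space:]]|$)' \
        "$1" /dev/null |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# Audits every argument; returns 1 if any #!/bin/sh script contains a bashism.
audit_sh_scripts() {
    status=0
    for f in "$@"; do
        is_sh_script "$f" || continue   # scripts that ask for bash are fine
        if find_bashisms "$f"; then
            status=1
        fi
    done
    return "$status"
}

# Usage: sh audit.sh /usr/local/bin/*   (the file name audit.sh is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_sh_scripts "$@"
fi
```

Scripts that start with #!/bin/bash are skipped on purpose, since they already ask for bash.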

