On Thu, Sep 25, 2014 at 04:29:05PM +0100, Ian Jackson wrote:
> Package: bash
> Version: 4.1-3
>
> I have prepared bash packages which do not honour any shell functions
> they find in the environment. IMO that is a crazy feature, which
> ought to be disabled. (I'm running this on chiark now and nothing has
> visibly broken yet.)
>
> Packages (i386) for squeeze, wheezy and sid are here:
> http://www.chiark.greenend.org.uk/~ian/bash-noshellfunctions/
>
> dgit format git branches are here:
> git://git.chiark.greenend.org.uk/~ianmdlvl/bash.git
> http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/bash.git/
>
> A codesearch [1] shows that this change will break very few things.
> Arguably we (Debian) should apply this in sid (hence this bug report).
> Doing it in security updates to stable releases is sadly too risky.
> But people who want to take that risk themselves are welcome to
> install my packages.
>
> (It took me merely a few moments with the source code to prepare the
> code patch. But then I had to spend an hour or two wrestling with the
> patch systems of the packages in squeeze and wheezy. I would like to
> take this opportunity to say how much I appreciate the work of the
> security team, who have to cope on a daily basis with [CoC violation]
> such as that found in the squeeze and wheezy bash Debian `source'
> packages.)

Note that an upstreamable change would be to, at the very least, disable
it in posix mode (the one you get when running bash as sh), since
export -f is, after all, a bashism.

Mike

Archive: https://lists.debian.org/20140926030040.ga20...@glandium.org
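
A caller-side counterpart to the change discussed in this thread, as an added example that is not part of the original messages or of the Debian packages: it drops every environment variable that encodes a bash function before a child process is started. It relies on two known bash behaviours: bash at the time recognised an exported function by a value beginning with `() {`, and later bash releases put such functions under names beginning with `BASH_FUNC_`. The function names and the sample environment are hypothetical.

```python
import os
import subprocess

LEGACY_VALUE_PREFIX = "() {"        # value prefix bash used to mark an exported function
PATCHED_NAME_PREFIX = "BASH_FUNC_"  # name prefix used by later bash releases


def exported_functions(environ):
    """Return the sorted names of variables that encode a bash function."""
    hits = []
    for name, value in environ.items():
        if value.startswith(LEGACY_VALUE_PREFIX) or name.startswith(PATCHED_NAME_PREFIX):
            hits.append(name)
    return sorted(hits)


def scrub(environ):
    """Return a copy of environ without any function-encoding variable."""
    drop = set(exported_functions(environ))
    return {k: v for k, v in environ.items() if k not in drop}


def run_scrubbed(argv, environ=None):
    """Run argv with a scrubbed environment, so the child never sees the functions."""
    env = scrub(dict(os.environ if environ is None else environ))
    return subprocess.run(argv, env=env, check=False)


# Constructed sample environment (benign function bodies only).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "greet": "() {  echo hello\n}",              # legacy encoding
    "BASH_FUNC_greet%%": "() {  echo hello\n}",  # later encoding
    "NOTE": "text with () { in the middle",      # not a function: prefix only counts at the start
}

if __name__ == "__main__":
    print("function-encoding variables:", exported_functions(SAMPLE_ENV))
    print("kept after scrub:", sorted(scrub(SAMPLE_ENV)))
```

The scrub also removes functions a user exported on purpose with `export -f`, which is the same compatibility trade-off the thread weighs.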