2014-10-02 10:06:50 -0400, shawn wilson: [...] > I hate the idea of dash. It's not more secure (see vmware cve for an > example) and I think it was more of an accident than anything else this > didn't hit dash too. [...]
That CVE is not about a bug in dash. There are a few misconceptions around that CVE. See https://bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660/comments/4 for more details. Whatever dash bugs may have are easily fixed. The good thing with it is that it has *fewer* features, and especially fewer of the ksh misfeatures (many of which copied by bash, some of them fixed/improved in zsh), so it's more efficient and likely to be safer than bash/mksh/zsh so is a much more obvious choice for /bin/sh, that is the system's command line interpreter (used in system(), popen()) or interpreter for POSIX sh scripts. By all means, use zsh or bash... as your interactive shell, but please keep /bin/sh minimum, and don't bring as broken a feature as the ksh arrays into the sh language. Switching to dash for /bin/sh is one of the great things Debian has done. -- Stephane -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20141013213741.ge6...@chaz.gmail.com
