| I thought of mentioning this - specifically, people who use the .qmail file in the mail directory. Anyway, djb uses shell scripts liberally in his software projects but I've never seen him include a shell script with Bash-isms. That tells me he does not _assume_ his users to be using Bash. Everyone has a choice. And if you are trying to practice "secure" computing, then some choices are wiser than others. If a user thinks Bash is the bee's knees, then djb's software will work just fine; it does not discriminate against that user. But if a user does not use Bash, and prefers to use a more simple, POSIX-like shell, that will work just fine too. This is purely my opinion but unlike so many other software authors, djb does not appear to discriminate against people who prefer simple software systems that are not loaded with "features"; he does not intentionally or unintentionally force them to embrace complexity or be ignored. That said, it also appears he is a self-professed Ubuntu user these days. For example, read his latest blog.cr.yp.to entry. I do not understand how he can tolerate the amount of complexity in Ubuntu that is on by default and hidden from the user. But maybe I'm just too stupid to understand. There seems to be a choice of at least two options: 1. keep Bash installed and try to determine every possible untrusted user input accepting or internet facing application that might at some time use the system shell, or 2. uninstall Bash and use a barebones POSIX-like shell without extra features. Preserving the continued use of shell scripts with Bash-isms as a reason to choose option #1 does not make sense to me. Maybe there are other "compelling" reasons? (Interactive shell features?) With a little effort, these Bash script authors could probably learn to write scripts that do not use Bash-isms. Is that really so terrible as to make option #2 untenable? If there are enormous Bash scripts being relied on in security senstive settings which "cannot" be rewritten in POSIX shell, then maybe the mistake was ever "deploying" such monstrosities in the first place. Shell scripts, no matter what shell, should always be relatively small assuming the author has any common sense. |
It's not that simple. True, djb doesn't say you need bash. But qmail uses /bin/sh (not configurable without recompiling). Try changing /bin/sh to, say, ksh on Ubuntu and watch as nothing else on the system works. The distributions make use of shell-specific features.