From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp11.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms5.migadu.com with LMTPS
	id kMoJFIK/S2PgQwAAbAwnHQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sun, 16 Oct 2022 10:23:30 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp11.migadu.com with LMTPS
	id sCMdFIK/S2OZZgEA9RJhRA
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sun, 16 Oct 2022 10:23:30 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id E37724134
	for <larch@yhetil.org>; Sun, 16 Oct 2022 10:23:29 +0200 (CEST)
Received: from localhost ([::1]:57242 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1ojyvh-0002bH-0v
	for larch@yhetil.org; Sun, 16 Oct 2022 04:23:29 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:57220)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <liliana.prikler@gmail.com>)
 id 1ojyvR-0002YK-OH
 for guix-devel@gnu.org; Sun, 16 Oct 2022 04:23:14 -0400
Received: from mail-ej1-x643.google.com ([2a00:1450:4864:20::643]:37597)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <liliana.prikler@gmail.com>)
 id 1ojyvQ-0005Dh-7X; Sun, 16 Oct 2022 04:23:13 -0400
Received: by mail-ej1-x643.google.com with SMTP id a26so18820644ejc.4;
 Sun, 16 Oct 2022 01:23:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=mime-version:user-agent:content-transfer-encoding:references
 :in-reply-to:date:cc:to:from:subject:message-id:from:to:cc:subject
 :date:message-id:reply-to;
 bh=bvzHiu/zUaf0gPT0SM117SiHBrpwaMjtWBQV/ER8kgE=;
 b=MRyQHIsBBSxcjbb4XhDrvaX9cLhwUzGn6LYAJ9GuqY6sC/G9X5qCIxavR/uCBWbz4H
 0c/OdFX2V6T6J+T4e8MNdhoBg1156/UlBE+2/Mv5fViFfYw+K3kSAfn/oJdcZkOIZTbQ
 dWK/wdRfcjDN0BQepYI3nCV8Rwarzr/tIrpiNYb965vJEsps1XVVZ3vkLquy1Id2QMm4
 gaZtLo9/ZEuwYOt4Ae/LmNfO3I4MdfIRtjhuxbz+LqPcB0JMmLo+WVKqXNRJSZN+6YY2
 onNjR/7mHzUNY6OLMoSs6Q0ZITNCR4jqLvJ/9gZe2DnPcD+xrXasjMQ0AMl3qoqRuiek
 YItg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=mime-version:user-agent:content-transfer-encoding:references
 :in-reply-to:date:cc:to:from:subject:message-id:x-gm-message-state
 :from:to:cc:subject:date:message-id:reply-to;
 bh=bvzHiu/zUaf0gPT0SM117SiHBrpwaMjtWBQV/ER8kgE=;
 b=Jc43zxwLECaqtO8Yzd3ICBGFuvo+r3BRixS8n/D51ZuTud4YZebIBkNl1CWvtMdeBq
 pj1M/oc5qEIwY6jkTg/DzotzZAwY4R3uynQ/TVhMj95SBkoJtGyFA3orEPyby4Rsrq2R
 QZpUXyiyUSTyQfgH0ohllp2pdYjRlLZiJurwSUPo/SYjG+H9092Nj8YB6j6iFfoVXWfl
 h2uhLX5DNphVPYjuZxTNBcJ/jduMDeKjsxGCOdam+Df+d3bKT7GLU6ZnRW9/NZPwd87B
 j/dV6aLSNc09vZTm9NCdNpyyvsSEDcFyR6aQQrDpDMo73x3e/4fV1GyalIxfj0hWjpB3
 ppOQ==
X-Gm-Message-State: ACrzQf1ArxPBObzjx2ROdW3CkOHEK+zW1Po63PdcMezWhBga/Q6DHa3a
 0bnMku3DBQfeIbgKzEBlp74=
X-Google-Smtp-Source: AMsMyM7Cml+zlcu0+6Fqvg0hm9T+xj4ReXyjXNHX1pn/Y2JktX+yvBJy3ScMi+ClHw5IGGQprrdI6A==
X-Received: by 2002:a17:907:9625:b0:78d:bb06:9072 with SMTP id
 gb37-20020a170907962500b0078dbb069072mr4486347ejc.472.1665908589382; 
 Sun, 16 Oct 2022 01:23:09 -0700 (PDT)
Received: from lumine.fritz.box (85-127-52-93.dsl.dynamic.surfer.at.
 [85.127.52.93]) by smtp.gmail.com with ESMTPSA id
 t20-20020aa7db14000000b0045d59e49acbsm2300800eds.7.2022.10.16.01.23.08
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Sun, 16 Oct 2022 01:23:08 -0700 (PDT)
Message-ID: <43a037a3c3e51a9b85a617a387d4d49ff21c6492.camel@gmail.com>
Subject: Re: What 'sh' should 'system' use?
From: Liliana Marie Prikler <liliana.prikler@gmail.com>
To: Philip McGrath <philip@philipmcgrath.com>, Ludovic
 =?ISO-8859-1?Q?Court=E8s?= <ludo@gnu.org>
Cc: guix <guix-devel@gnu.org>, Maxime Devos <maximedevos@telenet.be>
Date: Sun, 16 Oct 2022 10:23:02 +0200
In-Reply-To: <5928822.lOV4Wx5bFT@bastet>
References: <2284386.8hzESeGDPO@bastet> <4651725.rnE6jSC6OK@bastet>
 <7d61f502c9907fd9564e4052c8100aabd4d2828c.camel@gmail.com>
 <5928822.lOV4Wx5bFT@bastet>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.46.0 
MIME-Version: 1.0
Received-SPF: pass client-ip=2a00:1450:4864:20::643;
 envelope-from=liliana.prikler@gmail.com; helo=mail-ej1-x643.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-Country: US
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1665908609;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=bvzHiu/zUaf0gPT0SM117SiHBrpwaMjtWBQV/ER8kgE=;
	b=L+xIdbYEqjwGe5w2AyNCZFsm5QK3/gnCFRuAGHSzJjr6txkaw4pTiVwZ7uaDloPe3lGLcA
	4v+hZ2CKuN5svxv3Rt5hh12BNCeX1hlXkKKGvOugGX7wjLXPd+uuf0ssGoM84vAJxvTfY8
	9+n8mbmgEmrGC/VGtO/wM+xtOo6ajAtTAackkkCYZZeLoihkc0perlJ2r91ietL7Q1wwUy
	qc35hQz+07QQmdN/xuMwiTB265Jx7QxctsF8zWSiiV1yxmpDFbqyoGWkfx30Nlckr2KaE2
	CoiOhtwor77F21j1ZuQ7uEhaxsVNJNYtA8Wy6KsQwED07Js5/Il3KQJXaR0aJg==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1665908609; a=rsa-sha256; cv=none;
	b=AWjMDOa7iAB3Nq/Ko/J6rzTnnsKoWMB3pe0tWDQZ9quUtM7MXjaTdKrvkmCsJqCBzKYY4g
	ENNJEFDVEEhJP4oKj856vRCY61ZJ5UfBCr8ec31LpkDm8WMaOyv+6FJgIqgD7MiJ4ypq6s
	gl4L7kRufeTIZU9ReQWM9qzMLIpthB0wE1OQ8Xp1k9G2GIAzfyS8isdk3MzmDz0/A8OPOi
	vvZdCo5uU6/NoZkzeqckMYDsgCyEtCd4ZVbN6ds6gaqDzi7rjDejitmwCk8QrnbAB9Yhr0
	9TKSMUIMIPIkfK+XI9Uk4Mh0IeVMcuEdSVus1v1Am/iuEq/tkqWhFYtYOCFC7g==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=gmail.com header.s=20210112 header.b=MRyQHIsB;
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Spam-Score: -1.40
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=gmail.com header.s=20210112 header.b=MRyQHIsB;
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Queue-Id: E37724134
X-Spam-Score: -1.40
X-Migadu-Scanner: scn1.migadu.com
X-TUID: KH1MMQdKCsuZ

Am Sonntag, dem 16.10.2022 um 03:56 -0400 schrieb Philip McGrath:
> I don't think I understand this. Does it mean that, in the following,
> I am running a Bash that wouldn't have security bugs fixed? If so,
> that seems quite bad!
You would, but note that in order to exploit this, you would have to
exploit glibc =E2=80=93 which can be grafted and could also be built agains=
t a
fixed bash.  That is, we'd first have to define bash-static-fixed and
then glibc-fixed whose bash-static input is replaced with bash-static-
fixed.  Note that this makes sense for a single package, but obviously
doesn't scale well.

Cheers