Subject: Re: What 'sh' should 'system' use?
From: Liliana Marie Prikler
To: Philip McGrath, Ludovic Courtès
Cc: guix, Maxime Devos
Date: Sun, 16 Oct 2022 10:23:02 +0200
List-Id: "Development of GNU Guix and the GNU System distribution."

On Sunday, 16.10.2022 at 03:56 -0400, Philip McGrath wrote:
> I don't think I understand this. Does it mean that, in the following,
> I am running a Bash that wouldn't have security bugs fixed? If so,
> that seems quite bad!

You would, but note that in order to exploit this, you would have to
exploit glibc – which can be grafted and could also be built against a
fixed bash. That is, we'd first have to define bash-static-fixed and
then glibc-fixed whose bash-static input is replaced with
bash-static-fixed. Note that this makes sense for a single package, but
obviously doesn't scale well.

Cheers