tech-pkg archive


Re: Do not make mksh the default shell on macOS



Joerg Sonnenberger <joerg%bec.de@localhost> writes:

> On Tue, Jul 14, 2020 at 03:00:00AM +0300, Demetrius Iatrakis wrote:
>> I would like to bring revision 1.286 to bootstrap/bootstrap (Enable
>> mksh by default on macOS 10.11+) to the community's attention, as
>> the reason for this change is invalid.  The committer claims to
>> have addressed my concerns, and is currently not responding.  I
>> asked for a second opinion on IRC and received it, but my response
>> to it has not been acknowledged. See https://git.io/JJO9N.
>
> I think Jonathan has been pretty clear that he doesn't agree with you
> and why. I consider SIP fundamentally harmful in the way it is
> implemented and of highly questionable value. It is essentially breaking
> a lot of things for little to no gain in real security and just not
> worth the price of admission. The ctest argument is weak and how it
> works on any other system already. There is also no attack vector here
> given that you are already building and running somewhat arbitrary code.

I think there are multiple opinions about whether SIP is useful or not
and worth the trouble or not.  And surely multiple opinions about
whether the details of how it is done are wise.

Regardless, it's clear that many people use pkgsrc on Macs with SIP
enabled, and that pkgsrc should work with SIP.  However, my somewhat
hazy understanding is that pkgsrc with mksh is less broken on SIP
systems than pkgsrc before the change.

It might be that the pkg_alternatives wrappers should avoid using a
SIP-protected shell, to avoid the environment purging.  It might also be
that SIP should merely decline to respect DYLD_LIBRARY_PATH but not
purge it, so that it is passed through as intended.
 

