tech-pkg archive


Re: Do not make mksh the default shell on macOS



> I consider SIP fundamentally harmful in the way it is implemented
> and of highly questionable value. It is essentially breaking a lot
> of things for little to no gain in real security and just not worth
> the price of admission.

The debate on whether SIP is harmful has not been settled.  Therefore,
the premise that "SIP is fundamentally harmful" cannot be used to
justify this revision.

> The ctest argument is weak

Please justify this.  The argument in point 11 seems to be the
reason that SIP forbids this in the first place, since the shell
can already run arbitrary code.  I would also like to expand on
point 11 here: allowing the use of dynamic linker environment
variables for the shell implies that there are legitimate uses for
dynamic linker environment variables for the shell itself.  No such
uses have been identified.

> and how it works on any other system already.

I'm not sure if the argument in point 11 applies to the use of
LD_LIBRARY_PATH on other systems, but if so, this would still mean
that the problem is with pkg_alternatives, not SIP.  Forbidding the
use of dynamic linker environment variables just makes the potential
source of bugs obvious.

> There is also no attack vector here given that you are already
> building and running somewhat arbitrary code.

Nevertheless, using a program that loads libraries that it's not
supposed to does not seem prudent to me.  Requiring proof of a
security vulnerability to revert a change also seems too high a
standard; it suffices to prove that there is no legitimate use for
dynamic linker environment variables for the shell itself.



-- 
Demetrius Iatrakis

