Request: Safer defaults #415
Description
Introduction
Rust affords much safety to sh for memory allocation.
However, the POSIX sh family, as well as all other known shell languages, make mistakes that end up harming the user.
IFStends to persist across script file boundaries, corrupting processing.- Failing commands corrupt downstream processing.
- Unset variables corrupt processing.
- File globs present ambiguity across shell implementations, shell versions, and operating systems.
- Failing piped commands corrupt processing.
If we faithfully implement the POSIX specification, then these inherent shell scripting design flaws have carried through into all Rust shell implementations, including brush, posixutils-rs, etc.
Mitigation
Some engineers elect to manually opt into safety mechanisms, like:
unset IFS
set -eufo pipefail`The options should not occur directly in a shebang, but appear immediately after the shebang. A shebang's arity or argv, should be limited to no more than 2 across UNIX kin, or risk subtle portability problems. Also, invoking scripts as <interpreter> <script> ends up skipping the shebang line entirely.
set -o pipefail is notably missing support in (da)sh of Debian family, long after its adoption by the official POSIX specification.
Does posixutils-rs support set -o pipefail? Ideally yes. Ideally, posixutils-rs publishes its same Rust sh implementation with a second name. So that every user from Alpine to z/OS may explicitly opt into the posixutils-rs implementation, via shebang lines. Thus resolving ambiguity about pipefail support in otherwise #!/bin/sh scripts.
By the way, postixutils-rs's sh interpreter should also be published with its own unique name. With packages ideally published to Homebrew, Debian, Ubuntu, Fedora, RHEL, etc. So that even in environments where the stock /bin/sh interpreter is still unsafe C based, the user at least has the option of selecting
In any case, the unspoken requirement to explicitly opt into these safety modes has resulted in the vast majority of shell scripts being unsound, unsuitable for downstream scripting, nor CI/CD use.
Solution
Could posixutils-rs please provide a safe variant of sh, with the above mentioned options on by default in all contexts except the REPL?
We could call it crush (Cordoned Rust User SHell). Or something better.