| 20 Feb 2023 |
 @elvishjerricco:matrix.org | Janne Heß: Can you explain that dream? | 09:04:34 |
| @elvishjerricco:matrix.org | Do you just mean no bash or python or any other shebang-isms required? | 09:04:47 |
 @janne.hess:helsinki-systems.de | In reply to @elvishjerricco:matrix.org
Janne Heß: Can you explain that dream? Having no interpreter at all (also no recovery shell obviously) to prevent any way of arbitrary code execution | 09:05:15 |
| @elvishjerricco:matrix.org | ahhh | 09:05:27 |
| @elvishjerricco:matrix.org | Getting rid of bash seems... extremely unlikely | 09:05:38 |
| @elvishjerricco:matrix.org | I guess the activation unit is the only one that uses bash though | 09:06:10 |
| @elvishjerricco:matrix.org | so maybe | 09:06:12 |
| @janne.hess:helsinki-systems.de | That was going to be my next question :D | 09:06:20 |
| @janne.hess:helsinki-systems.de | pkgs.writeCBin goes brrrrr | 09:06:25 |
| @elvishjerricco:matrix.org | it would impose a pretty substantial restriction though | 09:06:34 |
| @elvishjerricco:matrix.org | but a substantial restriction on a niche thing is probly ok? | 09:06:48 |
| @janne.hess:helsinki-systems.de | 🤔 | 09:06:56 |
| @elvishjerricco:matrix.org | the big problem is, as evident by the linked PR, wrapper script | 09:07:05 |
| @elvishjerricco:matrix.org | * the big problem is, as evident by the linked PR, wrapper scripts | 09:07:06 |
| @janne.hess:helsinki-systems.de | Will investigate. Asking because we have a certrain customer who is interested in this | 09:07:20 |
| @janne.hess:helsinki-systems.de | In reply to @elvishjerricco:matrix.org
the big problem is, as evident by the linked PR, wrapper scripts nixos test that takes the initrd and does find /nix/store -name bash -or -name irb -or -name … seems likely. If anyone really wants their bean shell in there, so be it | 09:08:01 |
| @elvishjerricco:matrix.org | hm? My point was that e.g. if you want cryptsetup stuff or gzip stuff (vconsole), you need wrapper scripts via makeWrapper that just set environment variables before executing the real program | 09:09:24 |
| @elvishjerricco:matrix.org | those scripts are almost universally bash in nixos | 09:09:47 |
| @elvishjerricco:matrix.org | oh but I guess isn't there a C version of makeWrapper? | 09:10:06 |
