[Python-apps-team] Bug#581122: mercurial-common: bashism in /bin/sh script

Javi Merino cibervicho at gmail.com
Tue May 11 09:40:22 UTC 2010


On 11/05/10 11:12, Thomas Arendsen Hein wrote:
> * Javi Merino <cibervicho at gmail.com> [20100511 10:48]:
>> Hi, I think the attached patch fixes the bashism by creating a function
>> that returns a random number instead of relying on the $RANDOM magic
>> variable.
>>
>> I'll try to get it accepted upstream.
> 
> I'm not sure if something based on /dev/urandom will be accepted
> upstream as /dev/urandom is not available everywhere.

Whoa, yes, you are right. I thought /dev/urandom is not POSIX. I
thought it was...

>> On 11/05/10 07:42, Raphael Geissert wrote:
>>> While performing an archive wide checkbashisms (from the 'devscripts' package)
>>> check I've found your package containing a /bin/sh script making use
>>> of a bashism.
>>>
>>> checkbashisms' output:
>>>> possible bashism in ./usr/share/doc/mercurial-common/examples/hgeditor line
>>>> 30 ($RANDOM):
>>>> HGTMP="${TMPDIR-/tmp}/hgeditor.$RANDOM.$RANDOM.$RANDOM.$$"
> 
> This is only a half-bashism, on shells without special support for
> $RANDOM the variable simply evaluates to the empty string.
> 
> This is just "hgeditor....$$", so it is easier to create name
> collisions, but still no security risk as the script simply aborts
> in this case.
> 
> I guess the ideal solution would be to rewrite hgeditor in python,
> but if you can replace the creation of the temporary directory with
> a simple call to
>   python -c "something"
> it would be enough to solve your current problem.

Okay, I've changed it to rely on python to get the random numbers. Do
you think the attached patch has a better chance of being accepted upstream?

Regards,
Javi (Vicho)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hgeditor_fix_RANDOM_bashism.patch
Type: text/x-patch
Size: 527 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/python-apps-team/attachments/20100511/09b08f2f/attachment-0001.bin>

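Added example, not the scrubbed patch attached to this message and not hgeditor's own code: one way for a /bin/sh script to create its private temporary directory without $RANDOM, trying mktemp -d first, then the python -c route suggested in the thread, then a plain mkdir that fails on a name collision. The helper name make_private_tmpdir and the XXXXXXXX template are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helper, not part of hgeditor.
# Prints the path of a newly created directory that only the caller can access.
# Variables are global because POSIX sh has no 'local'.

make_private_tmpdir() {
    prefix=${1:-hgeditor.}
    base=${TMPDIR-/tmp}

    # 1. mktemp -d is widespread but not specified by POSIX, so probe for it.
    #    It picks an unpredictable name and creates the directory with mode 0700.
    if command -v mktemp >/dev/null 2>&1; then
        dir=$(mktemp -d "$base/${prefix}XXXXXXXX" 2>/dev/null) && {
            printf '%s\n' "$dir"
            return 0
        }
    fi

    # 2. Python's tempfile.mkdtemp: random name, mode 0700, and it retries
    #    internally if the name it chose already exists.
    for py in python3 python; do
        if command -v "$py" >/dev/null 2>&1; then
            dir=$("$py" -c 'import sys, tempfile
print(tempfile.mkdtemp(prefix=sys.argv[1], dir=sys.argv[2]))' \
                "$prefix" "$base" 2>/dev/null) && {
                printf '%s\n' "$dir"
                return 0
            }
        fi
    done

    # 3. Last resort: a predictable name built from the PID. mkdir without -p
    #    fails if the path already exists (including a pre-created directory
    #    or symlink), so the caller aborts instead of reusing someone else's
    #    directory. umask 077 keeps the new directory private.
    dir="$base/${prefix}$$"
    (umask 077 && mkdir "$dir") || return 1
    printf '%s\n' "$dir"
}
```

A caller would use it as `HGTMP=$(make_private_tmpdir hgeditor.) || exit 1` and remove the directory in a trap on exit.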
