Re: Removing shar(1)

On Wed, Dec 18, 2024 at 3:27 AM Kyle Evans <kevans@freebsd.org> wrote:
> Hi,
> I was reminded the other day that shar(1) exists, though it's use is no
> longer recommended in ports.  The same functionality can be found in
> tar(1) instead, so I think we should deorbit /usr/bin/shar and stop
> promoting it entirely.  sh(1) archives are really problematic from a
> user standpoint for at least one reason best explained by the manpage:
>   It is easy to insert trojan horses into shar files.  It is strongly
>   recommended that all shell archive files be examined before running
>   them through sh(1).  Archives produced using this implementation of
>   shar may be easily examined with the command:
>        egrep -av '^[X#]' shar.file
> It's hard to advocate for their use in good conscience, much like it's
> hard to advocate curl|sh pipes.
> Review: https://reviews.freebsd.org/D48130
> Thanks,
> Kyle Evans

Hey there Kyle :-) Removing tools completely is not a good choice, but
moving them from base to ports in case someone needs to use them for
any reason would be a better choice? :-)

There are still lots of installers using shar like approach, or even
worse things like feeding shell scripts directly from a remote url
(i.e. brew installer on macos).

If people decide to remove shar from base it still should be available
from ports. If the idea is to remove shar completely and provide no
alternative then sounds like NO for me :-)

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info