* [PATCH] Don't rely on /bin/sh for running scripts
@ 2026-05-27 10:11 Alyssa Ross
From: Alyssa Ross @ 2026-05-27 10:11 UTC (permalink / raw)
  To: devel; +Cc: Dan Connolly

/bin/sh might be too old to run our scripts.  We probably have a
modern shell available via Nix though, so we can avoid causing
problems for users of stale distros by using sh from path instead of
/bin/sh.  I've left the scripts with /bin/sh shebangs because I don't
think there's a great alternative (using /usr/bin/env doesn't seem
much better when there are features of env that might or might not be
available), but those shebangs should now never be used as part of a
build.

Reported-by: Dan Connolly <dckc@madmode.com>
Link: https://inbox.spectrum-os.org/spectrum-discuss/CAD2YivbRwDUzgXv32A2Otetunny1MXsbuROj7VV8C7EYrAdNiw@mail.gmail.com
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
Dan, thanks again for your report.  I've been giving this a lot of 
thought in the background over the last few weeks.  I don't think 
there's one solution that's better in every way than all the others, 
but I think this is the best compromise.

 Documentation/development/built-in-vms.adoc |  2 +-
 host/initramfs/Makefile                     |  8 ++++----
 host/rootfs/Makefile                        | 10 +++++-----
 img/app/Makefile                            |  8 ++++----
 lib/common.mk                               |  5 ++++-
 release/checks/integration/lib.c            |  7 ++++---
 release/checks/integration/meson.build      |  2 +-
 release/live/Makefile                       |  8 ++++----
 vm/sys/net/Makefile                         |  8 ++++----
 9 files changed, 31 insertions(+), 27 deletions(-)

diff --git a/Documentation/development/built-in-vms.adoc b/Documentation/development/built-in-vms.adoc
index d044e75..fb6b947 100644
--- a/Documentation/development/built-in-vms.adoc
+++ b/Documentation/development/built-in-vms.adoc
@@ -46,7 +46,7 @@ if the only change to the Nix files is modifying the packages
 installed in the VM.
 
 The list of files used for images is stored in a separate file,
-file-list.mk.  To update it, run scripts/genfiles.sh, which will
+file-list.mk.  To update it, run `sh scripts/genfiles.sh`, which will
 regenerate it from the output of `git ls-files`.  This script uses
 Git's index to generate the list, so only staged changes will be
 reflected in its output.
diff --git a/host/initramfs/Makefile b/host/initramfs/Makefile
index 89f9a39..523b4b3 100644
--- a/host/initramfs/Makefile
+++ b/host/initramfs/Makefile
@@ -36,9 +36,9 @@ build/mountpoints:
 	find build/mountpoints -mindepth 1 -exec touch -d @0 {} ';'
 
 build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh ../../scripts/sfdisk-field.awk $(ROOT_FS_IMAGES)
-	../../scripts/make-gpt.sh $@.tmp \
-	    $(ROOT_FS_VERITY):verity:$$(../../scripts/format-uuid.sh "$$(dd if=$(ROOT_FS_VERITY_ROOTHASH) bs=32 skip=1 count=1 status=none)"):Spectrum_'$(VERSION).verity' \
-	    $(ROOT_FS_IMAGE):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 $(ROOT_FS_VERITY_ROOTHASH))"):Spectrum_'$(VERSION)'
+	$(SHELL) ../../scripts/make-gpt.sh $@.tmp \
+	    $(ROOT_FS_VERITY):verity:$$($(SHELL) ../../scripts/format-uuid.sh "$$(dd if=$(ROOT_FS_VERITY_ROOTHASH) bs=32 skip=1 count=1 status=none)"):Spectrum_'$(VERSION).verity' \
+	    $(ROOT_FS_IMAGE):root:$$($(SHELL) ../../scripts/format-uuid.sh "$$(head -c 32 $(ROOT_FS_VERITY_ROOTHASH))"):Spectrum_'$(VERSION)'
 	mv $@.tmp $@
 
 clean:
@@ -46,7 +46,7 @@ clean:
 .PHONY: clean
 
 run: $(dest) $(ROOT_FS_VERITY_ROOTHASH) $(RUN_IMAGE)
-	@../../scripts/run-qemu.sh -m 4G \
+	@$(SHELL) ../../scripts/run-qemu.sh -m 4G \
 	    -machine virtualization=on \
 	    -kernel $(KERNEL) \
 	    -initrd $(dest) \
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index 4f01e3e..dbfe65e 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -74,7 +74,7 @@ $(ROOT_FS_IMAGE): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_
 	    for file in $(BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\
 	    printf 'build/empty\n%s\n' $(DIRS) ;\
 	    printf 'build/fifo\n%s\n' $(FIFOS) ;\
-	} | ../../scripts/make-erofs.sh $@
+	} | $(SHELL) ../../scripts/make-erofs.sh $@
 
 build/etc/update-url:
 	mkdir -p build/etc
@@ -113,9 +113,9 @@ clean:
 .PHONY: clean
 
 build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh ../../scripts/sfdisk-field.awk build/verity-timestamp $(ROOT_FS_IMAGES)
-	../../scripts/make-gpt.sh $@.tmp \
-	    $(ROOT_FS_VERITY):verity:$$(../../scripts/format-uuid.sh "$$(dd if=$(ROOT_FS_VERITY_ROOTHASH) bs=32 skip=1 count=1 status=none)"):Spectrum_'$(VERSION).verity' \
-	    $(ROOT_FS_IMAGE):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 $(ROOT_FS_VERITY_ROOTHASH))"):Spectrum_'$(VERSION)'
+	$(SHELL) ../../scripts/make-gpt.sh $@.tmp \
+	    $(ROOT_FS_VERITY):verity:$$($(SHELL) ../../scripts/format-uuid.sh "$$(dd if=$(ROOT_FS_VERITY_ROOTHASH) bs=32 skip=1 count=1 status=none)"):Spectrum_'$(VERSION).verity' \
+	    $(ROOT_FS_IMAGE):root:$$($(SHELL) ../../scripts/format-uuid.sh "$$(head -c 32 $(ROOT_FS_VERITY_ROOTHASH))"):Spectrum_'$(VERSION)'
 	mv $@.tmp $@
 
 debug:
@@ -133,7 +133,7 @@ run: build/empty build/live.img $(ROOTFS_VERITY_ROOTHASH)
 	exec 3<>"$$ext" && \
 	rm -f "$$ext" && \
 	set +x && \
-	exec ../../scripts/run-qemu.sh -cpu max -m 4G \
+	exec $(SHELL) ../../scripts/run-qemu.sh -cpu max -m 4G \
 	    -machine virtualization=on \
 	    -kernel $(KERNEL) \
 	    -initrd $(INITRAMFS) \
diff --git a/img/app/Makefile b/img/app/Makefile
index 1de1b04..db453d4 100644
--- a/img/app/Makefile
+++ b/img/app/Makefile
@@ -26,7 +26,7 @@ $(imgdir)/appvm/vmlinux: $(KERNEL)
 
 $(imgdir)/appvm/blk/root.img: ../../scripts/make-gpt.sh ../../scripts/sfdisk-field.awk build/rootfs.erofs
 	mkdir -p $$(dirname $@)
-	../../scripts/make-gpt.sh $@.tmp \
+	$(SHELL) ../../scripts/make-gpt.sh $@.tmp \
 	    build/rootfs.erofs:root:5460386f-2203-4911-8694-91400125c604:root
 	mv $@.tmp $@
 
@@ -54,7 +54,7 @@ build/rootfs.erofs: ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUIL
 	    for file in $(BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\
 	    printf 'build/empty\n%s\n' $(DIRS) ;\
 	    printf 'build/fifo\n%s\n' $(FIFOS) ;\
-	} | ../../scripts/make-erofs.sh $@
+	} | $(SHELL) ../../scripts/make-erofs.sh $@
 
 
 build/etc/s6-rc: $(S6_RC_FILES) file-list.mk
@@ -91,7 +91,7 @@ start-virtiofsd: scripts/start-virtiofsd.elb
 .PHONY: start-virtiofsd
 
 run-qemu: $(imgdir)/appvm/blk/root.img start-vhost-user-net start-virtiofsd
-	@../../scripts/run-qemu.sh -m 256 -cpu max -kernel $(KERNEL) -vga none \
+	@$(SHELL) ../../scripts/run-qemu.sh -m 256 -cpu max -kernel $(KERNEL) -vga none \
 	    -drive file=$(imgdir)/appvm/blk/root.img,if=virtio,format=raw,readonly=on \
 	    -append "root=PARTLABEL=root nokaslr" \
 	    -gdb unix:build/gdb.sock,server,nowait \
@@ -113,7 +113,7 @@ run-qemu: $(imgdir)/appvm/blk/root.img start-vhost-user-net start-virtiofsd
 
 run-cloud-hypervisor: $(imgdir)/appvm/blk/root.img start-vhost-user-gpu start-vhost-user-net start-virtiofsd
 	rm -f build/vmm.sock build/vsock.sock
-	@../../scripts/run-cloud-hypervisor.sh \
+	@$(SHELL) ../../scripts/run-cloud-hypervisor.sh \
 	    --api-socket path=build/vmm.sock \
 	    --memory size=1G,shared=on \
 	    --disk path=$(imgdir)/appvm/blk/root.img,readonly=on \
diff --git a/lib/common.mk b/lib/common.mk
index 84091a8..9896efe 100644
--- a/lib/common.mk
+++ b/lib/common.mk
@@ -1,5 +1,8 @@
 # SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2021, 2023, 2025 Alyssa Ross <hi@alyssa.is>
+# SPDX-FileCopyrightText: 2021, 2023, 2025-2026 Alyssa Ross <hi@alyssa.is>
+
+# Use sh from path — easier to make sure it's up to date than /bin/sh.
+SHELL = sh
 
 BACKGROUND = background
 CPIO = cpio
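Review bot: The comment above `SHELL = sh` should also say that every recipe, and every script run through `$(SHELL)`, now uses whichever `sh` comes first in PATH, which makes PATH a trusted build input. A wording such as `# sh is looked up in PATH for every recipe and script, so PATH must come from a trusted environment (e.g. the Nix shell).` would make that explicit. The value needs no late binding, so `SHELL := sh` would be the more conventional flavour. Makefiles that do not include this file keep make's default /bin/sh while expanding `$(SHELL)` to it, so it is worth confirming that every Makefile touched by this patch includes lib/common.mk; only release/live/Makefile shows the include in the visible hunks.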
diff --git a/release/checks/integration/lib.c b/release/checks/integration/lib.c
index 3a7ecdf..0f898f4 100644
--- a/release/checks/integration/lib.c
+++ b/release/checks/integration/lib.c
@@ -190,6 +190,7 @@ struct vm *start_qemu(struct config c)
 	struct utsname u;
 	int console_listener, console_conn;
 	char *arch, *args[] = {
+		"sh",
 		(char *)c.run_qemu,
 		"-drive", nullptr,
 		"-drive", nullptr,
@@ -214,8 +215,8 @@ struct vm *start_qemu(struct config c)
 		c.serial.optval ? (char *)c.serial.optval : "chardev:socket",
 		nullptr,
 	};
-	char **efi_arg = &args[2], **img_arg = &args[4],
-	     **user_data_arg = &args[6], **console_arg = &args[8];
+	char **efi_arg = &args[3], **img_arg = &args[5],
+	     **user_data_arg = &args[7], **console_arg = &args[9];
 	struct vm *r = malloc(sizeof *r);
 
 	if (!r) {
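Review bot: The indices in `efi_arg`, `img_arg`, `user_data_arg` and `console_arg` had to be shifted by hand because `"sh"` was inserted at `args[0]`, and nothing ties them to the initializer. A comment above these declarations would help the next edit, e.g. `/* Indices into args[]: args[0] is "sh", args[1] the script; each pointer targets the nullptr slot after its option. */`. For the two visible `-drive` entries the new values 3 and 5 match. The slots for 7 and 9 are in the part of the initializer outside this hunk and should be checked there.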
@@ -252,7 +253,7 @@ struct vm *start_qemu(struct config c)
 			exit(EXIT_FAILURE);
 		}
 
-		execv(c.run_qemu, args);
+		execvp(args[0], args);
 		perror("execv");
 		exit(EXIT_FAILURE);
 	}
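Review bot: The error label after the new `execvp(args[0], args);` still reads `perror("execv");`, so a failed lookup of `sh` is reported under the wrong call name; it should be `perror("execvp");`. Because `execvp` resolves `"sh"` through PATH, the test runner's PATH now decides which interpreter runs the script. That deserves a one-line comment next to the call, such as `/* sh is found via PATH, matching SHELL = sh in lib/common.mk */`. start_qemu begins and ends outside this hunk.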
diff --git a/release/checks/integration/meson.build b/release/checks/integration/meson.build
index 7bf8f51..f0ef334 100644
--- a/release/checks/integration/meson.build
+++ b/release/checks/integration/meson.build
@@ -7,7 +7,7 @@ project('spectrum-integration-tests', 'c',
 
 add_project_arguments('-D_GNU_SOURCE', language : 'c')
 
-run_qemu = find_program('../../../scripts/run-qemu.sh')
+run_qemu = files('../../../scripts/run-qemu.sh')
 
 lib = static_library('spectrum-integration-test', 'lib.c')
 
diff --git a/release/live/Makefile b/release/live/Makefile
index 85319d0..4bf38a0 100644
--- a/release/live/Makefile
+++ b/release/live/Makefile
@@ -8,10 +8,10 @@ include ../../lib/common.mk
 dest = build/live.img
 
 $(dest): ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh ../../scripts/sfdisk-field.awk build/boot.fat $(ROOT_FS_IMAGES)
-	../../scripts/make-gpt.sh $@.tmp \
+	$(SHELL) ../../scripts/make-gpt.sh $@.tmp \
 	    build/boot.fat:c12a7328-f81f-11d2-ba4b-00a0c93ec93b \
-	    $(ROOT_FS_VERITY):verity:$$(../../scripts/format-uuid.sh "$$(dd if=$(ROOT_FS_VERITY_ROOTHASH) bs=32 skip=1 count=1 status=none)"):Spectrum_'$(VERSION).verity:162' \
-	    $(ROOT_FS_IMAGE):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 $(ROOT_FS_VERITY_ROOTHASH))"):Spectrum_'$(VERSION):20000' \
+	    $(ROOT_FS_VERITY):verity:$$($(SHELL) ../../scripts/format-uuid.sh "$$(dd if=$(ROOT_FS_VERITY_ROOTHASH) bs=32 skip=1 count=1 status=none)"):Spectrum_'$(VERSION).verity:162' \
+	    $(ROOT_FS_IMAGE):root:$$($(SHELL) ../../scripts/format-uuid.sh "$$(head -c 32 $(ROOT_FS_VERITY_ROOTHASH))"):Spectrum_'$(VERSION):20000' \
 	    /dev/null:verity:18f2ccff-92f1-4bb1-a80e-24f76ecda90c:_empty:162 \
 	    /dev/null:root:ec0c5ff3-f6b1-4adf-82b4-61336c4d135f:_empty:20000
 	mv $@.tmp $@
@@ -43,7 +43,7 @@ run: build/empty $(dest)
 	exec 4<>"$$userdata" && \
 	rm -f "$$userdata" && \
 	set +x && \
-	exec ../../scripts/run-qemu.sh -m 4G \
+	exec $(SHELL) ../../scripts/run-qemu.sh -m 4G \
 	    -machine virtualization=on \
 	    -cpu max \
 	    -smbios type=11,value=io.systemd.stub.kernel-cmdline-extra=console=hvc0 \
diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile
index 7ad5e5c..e080954 100644
--- a/vm/sys/net/Makefile
+++ b/vm/sys/net/Makefile
@@ -25,7 +25,7 @@ $(vmdir)/netvm/vmlinux: $(KERNEL)
 
 $(vmdir)/netvm/blk/root.img: ../../../scripts/make-gpt.sh ../../../scripts/sfdisk-field.awk build/rootfs.erofs
 	mkdir -p $$(dirname $@)
-	../../../scripts/make-gpt.sh $@.tmp \
+	$(SHELL) ../../../scripts/make-gpt.sh $@.tmp \
 	    build/rootfs.erofs:root:ea21da27-0391-48da-9235-9d2ab2ca7844:root
 	mv $@.tmp $@
 
@@ -43,7 +43,7 @@ build/rootfs.erofs: ../../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(B
 	    for file in $(FILES) $(LINKS); do printf '%s\n%s\n' $$file "$${file#image/}"; done ;\
 	    for file in $(BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\
 	    printf 'build/empty\n%s\n' $(DIRS) ;\
-	} | ../../../scripts/make-erofs.sh $@
+	} | $(SHELL) ../../../scripts/make-erofs.sh $@
 
 build/etc/s6-rc: $(S6_RC_FILES) file-list.mk
 	mkdir -p $$(dirname $@)
@@ -65,7 +65,7 @@ start-vhost-user-net:
 	../../../scripts/start-passt.elb
 
 run-qemu: $(vmdir)/netvm/blk/root.img
-	@../../../scripts/run-qemu.sh -m 256 -cpu max -kernel $(KERNEL) -vga none \
+	@$(SHELL)../../../scripts/run-qemu.sh -m 256 -cpu max -kernel $(KERNEL) -vga none \
 	    -drive file=$(vmdir)/netvm/blk/root.img,if=virtio,format=raw,readonly=on \
 	    -append "root=PARTLABEL=root nokaslr" \
 	    -gdb unix:build/gdb.sock,server,nowait \
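Review bot: The new run-qemu recipe line reads `@$(SHELL)../../../scripts/run-qemu.sh` with no space after `$(SHELL)`, unlike every other call site in this patch. With `SHELL = sh` (assuming this Makefile includes lib/common.mk) it expands to the single word `sh../../../scripts/run-qemu.sh`. That is a path rather than an interpreter followed by a script, so the target would presumably fail to start. The line should be `@$(SHELL) ../../../scripts/run-qemu.sh -m 256 -cpu max -kernel $(KERNEL) -vga none \`. The recipe continues past the end of the hunk.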
@@ -82,7 +82,7 @@ run-qemu: $(vmdir)/netvm/blk/root.img
 run-cloud-hypervisor: $(vmdir)/netvm/blk/root.img start-vhost-user-net
 	rm -f build/vmm.sock
 	@../../../scripts/with-taps.elb \
-	    ../../../scripts/run-cloud-hypervisor.sh \
+	    $(SHELL) ../../../scripts/run-cloud-hypervisor.sh \
 	    --api-socket path=build/vmm.sock \
 	    --memory size=256M,shared=on \
 	    --disk path=$(vmdir)/netvm/blk/root.img,readonly=on \

base-commit: 5b3151fd08d1f1e3e166a328449fe6fe5092f316
-- 
2.54.0

