From 8815afe80a81727d5c37348d4358711da15577c1 Mon Sep 17 00:00:00 2001
From: Kate <kit-ty-kate@outlook.com>
Date: Wed, 22 Feb 2023 16:25:08 +0000
Subject: [PATCH 1/2] Enforce the macOS sandbox script to use /bin/bash instead
 of /usr/bin/env bash for a more consistent experience

---
 master_changes.md                      | 1 +
 src/state/shellscripts/sandbox_exec.sh | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/master_changes.md b/master_changes.md
index e1d1f404886..57a68653133 100644
--- a/master_changes.md
+++ b/master_changes.md
@@ -204,6 +204,7 @@ users)
   * Get rid of OPAM_USER_PATH_RO (never used on macOS and no longer needed on Linux) [#4795 @kit-ty-kate]
   * Print error message if command doesn't exist [#4971 @kit-ty-kat - fix #4112]
   * Resolve symlink for `ccache` directory [#5267 @rjbou - fix #5194]
+  * Enforce the macOS sandbox script to use /bin/bash instead of /usr/bin/env bash for a more consistent experience [#5451 @kit-ty-kate]
 
 ## VCS
   * Pass --depth=1 to git-fetch in the Git repo backend [#4442 @dra27]
diff --git a/src/state/shellscripts/sandbox_exec.sh b/src/state/shellscripts/sandbox_exec.sh
index ab27cd269f8..1972eda354b 100644
--- a/src/state/shellscripts/sandbox_exec.sh
+++ b/src/state/shellscripts/sandbox_exec.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 set -ue
 
 POL='(version 1)(allow default)(deny network*)(deny file-write*)'

From 1a04be3c7e36cab7535f34ac0d8eed2c158065e2 Mon Sep 17 00:00:00 2001
From: Kate <kit.ty.kate@disroot.org>
Date: Tue, 28 Feb 2023 16:13:36 +0000
Subject: [PATCH 2/2] sandbox_exec.sh: Add a note describing the reason behind
 the use of /bin/bash

Co-authored-by: David Allsopp <david.allsopp@metastack.com>
---
 src/state/shellscripts/sandbox_exec.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/state/shellscripts/sandbox_exec.sh b/src/state/shellscripts/sandbox_exec.sh
index 1972eda354b..7d639474b9c 100644
--- a/src/state/shellscripts/sandbox_exec.sh
+++ b/src/state/shellscripts/sandbox_exec.sh
@@ -1,4 +1,7 @@
 #!/bin/bash
+# This script is only used on macOS, where /bin/bash is both guaranteed to exist and
+# and to be for the native architecture, which is why /usr/bin/env bash is not used.
+# See https://github.com/ocaml/opam/issues/5450
 set -ue
 
 POL='(version 1)(allow default)(deny network*)(deny file-write*)'