On Tue, 16 July 2019 at 19:34, Jordan Glover <Golden_Miller83@protonmail.ch> wrote:
> While /usr/bin/env is more or less available on all POSIX systems
> /bin/bash might not be. This is particularly the case on NixOS and the BSD
> family (/usr/local/bin/bash). Downstream packagers would often rewrite
> those shebangs back automatically as they can rely on absolute paths
> but having portable shebangs in the repository helps to run the code
> without any further modification.
>

The reason almost everyone hardcodes bash to /bin/bash is the potential
environment attack where someone creates a malicious "bash" and exports it in PATH:

https://developer.apple.com/library/archive/documentation/OpenSource/Conceptual/ShellScripting/ShellScriptSecurity/ShellScriptSecurity.html

Well, if they rewrite your env and PATH you can't trust anything you do on that box ever. If wg is started with a malicious environment where IFS is set to "/" so that
"/bin/bash" (or any absolute-path-named-program) turns into " bin bash" then an evil PATH pointing to that "bin" would still start a bad script for you.

https://books.google.se/books?id=-aIKj0lbADIC&pg=PT182&lpg=PT182&dq=set+IFS+to+slash&source=bl&ots=cNQdBQUJEv&sig=ACfU3U0apkUJWhJRjnJMgKlRBFBPD5nZ6g&hl=en&sa=X&ved=2ahUKEwiP0Ka8nrrjAhVOwsQBHZOtC08Q6AEwBHoECAgQAQ#v=onepage&q=set%20IFS%20to%20slash&f=false


--
May the most significant bit of your life be positive.
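
An added example, not part of any message in this thread: a POSIX sh check of which file a `#!/usr/bin/env bash` shebang would select for a given PATH, plus a preamble that resets IFS and PATH inside a script. The function names, the `TRUSTED_DIRS` list and the pinned PATH are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: which file would "#!/usr/bin/env NAME" run for a given PATH?

# Assumption: directories treated as trusted here; adjust per system
# (the thread notes that the BSDs and NixOS keep bash elsewhere).
TRUSTED_DIRS="/bin /usr/bin /usr/local/bin"

# resolve_interp NAME PATHSTRING
# Prints the first executable regular file NAME along PATHSTRING, approximating
# the left-to-right search env(1) performs. The body is a subshell, so the IFS
# and globbing changes do not leak into the caller.
resolve_interp() (
    IFS=:
    set -f
    for dir in $2; do
        [ -n "$dir" ] || dir=.          # empty element = current directory
        case $dir in ?*/) dir=${dir%/} ;; esac
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# audit_shebang NAME PATHSTRING
# Prints "ok FILE", "untrusted FILE" or "missing"; returns 0 only for "ok".
audit_shebang() {
    found=$(resolve_interp "$1" "$2") || { echo "missing"; return 2; }
    case " $TRUSTED_DIRS " in
        *" ${found%/*} "*) echo "ok $found"; return 0 ;;
        *) echo "untrusted $found"; return 1 ;;
    esac
}

# harden_env: preamble for a script that cannot control how it was started.
# Unsetting IFS restores default field splitting; PATH is pinned to fixed
# directories (assumed here to hold the tools the script calls).
harden_env() {
    unset IFS
    PATH=/usr/bin:/bin
    export PATH
}

# Report what an env-style shebang for bash would pick up right now.
audit_shebang bash "$PATH" || true
```
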