Re: [SECURITY PATCH 116/117] templates: Disable the os-prober by default
From: Lennart Sorensen
Subject: Re: [SECURITY PATCH 116/117] templates: Disable the os-prober by default
Date: Wed, 3 Mar 2021 12:28:40 -0500
User-agent: NeoMutt/20170113 (1.7.2)

On Wed, Mar 03, 2021 at 02:13:04PM +0100, Daniel Kiper wrote:
> On Tue, Mar 02, 2021 at 10:49:16PM +0100, Didier Spaier wrote:
> > On 02/03/2021 at 19:02, Daniel Kiper wrote:
> > > From: Alex Burmashev <alexander.burmashev@oracle.com>
> > > diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in
> > > index 1b91c102f..80685b15f 100644
> > > --- a/util/grub.d/30_os-prober.in
> > > +++ b/util/grub.d/30_os-prober.in
> > > @@ -26,7 +26,8 @@ export TEXTDOMAINDIR="@localedir@"
> > > . "$pkgdatadir/grub-mkconfig_lib"
> > > -if [ "x${GRUB_DISABLE_OS_PROBER}" = "xtrue" ]; then
> > > +if [ "x${GRUB_DISABLE_OS_PROBER}" = "xfalse" ]; then
> > > + gettext_printf "os-prober will not be executed to detect other
> > > bootable partitions.\nSystems on them will not be added to the GRUB boot
> > > configuration.\nCheck GRUB_DISABLE_OS_PROBER documentation entry.\n"
> > > exit 0
> > > fi
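
Review bot: the new `+if` test exits only when GRUB_DISABLE_OS_PROBER is exactly "false", so a value that is unset or "true" falls through past `exit 0` and os-prober still runs, which contradicts both the subject "Disable the os-prober by default" and the message printed inside the branch. If the intent is that only an explicit "false" runs os-prober, the comparison should be `!= "xfalse"`; that also keeps an existing GRUB_DISABLE_OS_PROBER=true in /etc/default/grub meaning "disabled".
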
> >
> > This is confusing: now to get boot entries from os-prober one has to
> > set:
> > GRUB_DISABLE_OS_PROBER=true
> > in /etc/default/grub.
> >
> > Either revert that, or (better, in my opinion) label the variable
> > GRUB_ENABLE_OS_PROBER and set it to false by default.
>
> When we worked on this patch we considered that. However, after some
> thinking we stated that renaming to GRUB_ENABLE_OS_PROBER will make
> more confusion. So, we decided to stick to existing name even if it
> is not the best one.

How does that make any sense?

You can disable it by default, but leave the meaning of true and false
and the name the same. Someone would then have to explicitly set
GRUB_DISABLE_OS_PROBER to false if they want to use it still. At least
then it makes some sense.

And what does the code do now if someone already has it set to true in
order to disable it, as is in all existing examples and documentation
about the option? Does it now actually get enabled which is the opposite
of what they wanted?

Something sure looks wrong with this.

--
Len Sorensen