Re: [PATCH v2] i386-pc: build verifiers API as module
From: Daniel Kiper
Subject: Re: [PATCH v2] i386-pc: build verifiers API as module
Date: Mon, 12 Apr 2021 15:15:53 +0200
User-agent: NeoMutt/20170113 (1.7.2)

On Fri, Mar 26, 2021 at 06:01:01PM +0100, Daniel Kiper wrote:
> On Wed, Mar 24, 2021 at 12:44:52PM +0800, Michael Chang via Grub-devel wrote:
> > On Tue, Mar 23, 2021 at 05:33:12PM +0100, Daniel Kiper wrote:
> > > On Mon, Mar 22, 2021 at 08:45:27PM +0000, Colin Watson wrote:
> >
> > [snip]
> >
> > > > rounds of security megapatches we've also seen that the amount of
> > > > divergence between upstream and various distributions in
> > > > security-critical code is in fact a serious problem that needs to be
> > > > addressed, and so I'm not happy about adding more to it for things that
> > > > touch e.g. the verifiers framework - obviously a security-critical
> > > > component.
> > > >
> > > > However, we probably won't have any choice. Bugs of the form "I
> > > > couldn't upgrade without reinstalling my entire system" are quite likely
> > > > to be considered critical by any distribution worth its salt, regardless
> > >
> > > How long are you going to support such systems? 1, 5 or 10 years? This
> > > approach makes GRUB upstream as a hostage of small MBR gaps users.
> > > Anyway, I think we have to make users aware that small MBR gaps are not
> > > supported any longer. Otherwise we will be playing whack-a-mole game
> > > which we will lose sooner or later.
> >
> > IMHO It is doing the right thing to declare MBR gap is not supported, it
> > is also doing the right thing to not break updates. We are yet to
> > seek out or arrive at right time to have short MBR gap completely out of
> > the game. Maybe a few years later nobody would care as the legacy pc
> > bios is diminishing, or at some point of time everyone here would agree
> > that we really have to blow up the limit in order to move on and convey
> > a clear message that people who are running short mbr gap won't receive
> > grub updates any longer unless they change it - given we have given an
> > acceptable grace period for them to do the migration ...
>
> After some thinking it seems to me we can do this. I can take "i386-pc:
> build verifiers API as module", "kern/misc: Move grub_printf_fmt_check
> to gfxmenu" and similar patches into 2.06. I will revert after the
> release all the patches which add ifdefery or make code ugly and do not
> benefit other platforms than i386-pc. This way you will have support for
> small MBR gaps in 2.06 and I will have clean code after 2.06 release.
>
> Does it work for you guys?

Does anybody care?

Daniel