grub-devel

Re: [PATCH v2] i386-pc: build verifiers API as module


From: Daniel Kiper
Subject: Re: [PATCH v2] i386-pc: build verifiers API as module
Date: Fri, 26 Mar 2021 18:01:01 +0100
User-agent: NeoMutt/20170113 (1.7.2)

On Wed, Mar 24, 2021 at 12:44:52PM +0800, Michael Chang via Grub-devel wrote:
> On Tue, Mar 23, 2021 at 05:33:12PM +0100, Daniel Kiper wrote:
> > On Mon, Mar 22, 2021 at 08:45:27PM +0000, Colin Watson wrote:
>
> [snip]
>
> > > rounds of security megapatches we've also seen that the amount of
> > > divergence between upstream and various distributions in
> > > security-critical code is in fact a serious problem that needs to be
> > > addressed, and so I'm not happy about adding more to it for things that
> > > touch e.g. the verifiers framework - obviously a security-critical
> > > component.
> > >
> > > However, we probably won't have any choice.  Bugs of the form "I
> > > couldn't upgrade without reinstalling my entire system" are quite likely
> > > to be considered critical by any distribution worth its salt, regardless
> >
> > How long are you going to support such systems? 1, 5 or 10 years? This
> > approach makes GRUB upstream as a hostage of small MBR gaps users.
> > Anyway, I think we have to make users aware that small MBR gaps are not
> > supported any longer. Otherwise we will be playing a whack-a-mole game
> > which we will lose sooner or later.
>
> IMHO It is doing the right thing to declare MBR gap is not supported, it
> is also doing the right thing to not break updates. We are yet to
> seek out or arrive at right time to have short MBR gap completely out of
> the game. Maybe a few years later nobody would care as the legacy pc
> bios is diminishing, or at some point of time everyone here would agree
> that we really have to blow up the limit in order to move on and convey
> a clear message that people who are running short mbr gap won't receive
> grub updates any longer unless they change it - given we have given an
> acceptable grace period for them to do the migration ...

After some thinking it seems to me we can do this. I can take "i386-pc:
build verifiers API as module", "kern/misc: Move grub_printf_fmt_check
to gfxmenu" and similar patches into 2.06. I will revert after the
release all the patches which add ifdefery or make code ugly and do not
benefit other platforms than i386-pc. This way you will have support for
small MBR gaps in 2.06 and I will have clean code after 2.06 release.

Does it work for you guys?

Daniel


