From: Pete Batard <pete@akeo.ie>
To: grub-devel@gnu.org
Subject: Re: GRUB 2.06 release
Date: Mon, 19 Oct 2020 17:30:41 +0100 [thread overview]
Message-ID: <1b09ca4d-af2a-ffc3-21e5-cf5ea21d8138@akeo.ie> (raw)
In-Reply-To: <20200729174643.mlv6ip6jcf4bpcde@tomti.i.net-space.pl>
Hi Daniel,
On 2020.07.29 18:46, Daniel Kiper wrote:
> I think this link [1] will explain my long absence... Sorry about that.
>
> I am going to go back to GRUB work next week. I will triage all the patches
> and take all (obvious) fixes. Then I will release rc1 ASAP... All new features
> will be taken after 2.06 release.
>
> Daniel
>
> [1] https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html
Just wanted to mention that the 2.06 release (btw, is GRUB jumping
straight from 2.04 [1] to 2.06 then?) delay with the BootHole fixes is
starting to create some issues as folks (e.g. Rescuezilla) have started
to take upon themselves to cherry pick from the BootHole patches and
apply them to things like GRUB 2.02, instead of simply upgrading to a
new official release, that would include these fixes.
This has the consequence of actually breaking BIOS boot for ISO -> USB
conversion utilities like Rufus (disclaimer: I am the author of Rufus),
since we need to provide a matching core.img during conversion, that
doesn't exist on the ISO, and obvioulsy the one we provide which was
compiled around the time of release does not include the BootHole fixes,
and will therefore typically fail with "symbol 'grub_calloc' not found".
The end result is that, unless we go through a costly rebuild of all our
core.img's, with custom patches applied, which will of course break the
ability for users to validate that these binaries match the official
GRUB source, we're going to see more and more breakage as downstream
GRUB users are taking it upon themselves to craft their own custom
version in the absence of an official release with the BootHole fixes.
I would therefore like to raise the URGENCY of having a 2.06 release
sooner rather than later, that includes the BootHole fixes. As a matter
of fact, I would suggest that, as soon as a set of vulnerability like
BootHole has been uncovered, all other work should be put on hold until
a formal release has been issued that addresses it, as it becomes more
and more damaging to let too much time pass, by trying to fold it into
the next planned release.
Of course, I am also well aware that workload is the main delaying
constraint, but I would urge you to consider issuing an out-of-band
release as soon as a vulnerability like BootHole has been discovered,
even if it's just to address that specific vulnerability, as not doing
so in a timely manner effectively creates compounded issues.
Thank you,
/Pete
[1] https://ftp.gnu.org/gnu/grub/
next prev parent reply other threads:[~2020-10-19 16:30 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-19 15:01 GRUB 2.06 release Daniel Kiper
2020-02-20 8:46 ` John Paul Adrian Glaubitz
2020-02-25 13:15 ` John Paul Adrian Glaubitz
2020-02-28 12:46 ` Daniel Kiper
2020-02-28 18:26 ` Matt Turner
2020-02-29 1:40 ` Mike Gilbert
2020-03-03 17:26 ` Daniel Kiper
2020-03-03 17:33 ` John Paul Adrian Glaubitz
2020-03-05 13:34 ` Daniel Kiper
2020-03-04 4:39 ` Patrick Steinhardt
2020-03-05 13:50 ` Daniel Kiper
2020-03-07 16:29 ` Patrick Steinhardt
2020-03-11 10:47 ` Daniel Kiper
2020-03-16 16:41 ` Daniel Kiper
2020-04-22 10:24 ` Daniel Kiper
2020-05-29 12:07 ` Daniel Kiper
2020-07-29 17:46 ` Daniel Kiper
2020-10-19 16:30 ` Pete Batard [this message]
2020-10-20 19:00 ` Julian Andres Klode
2020-10-20 19:12 ` Eli Schwartz
2020-10-20 20:05 ` Julian Andres Klode
2020-10-20 20:33 ` Eli Schwartz
2020-10-20 20:06 ` Pete Batard
2020-10-20 20:03 ` Pete Batard
2020-12-14 12:39 ` Daniel Kiper
2020-12-14 12:44 ` John Paul Adrian Glaubitz
2020-12-23 23:25 ` Daniel Kiper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1b09ca4d-af2a-ffc3-21e5-cf5ea21d8138@akeo.ie \
--to=pete@akeo.ie \
--cc=grub-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.