All of lore.kernel.org
 help / color / mirror / Atom feed
From: Pete Batard <pete@akeo.ie>
To: grub-devel@gnu.org
Subject: Re: GRUB 2.06 release
Date: Mon, 19 Oct 2020 17:30:41 +0100	[thread overview]
Message-ID: <1b09ca4d-af2a-ffc3-21e5-cf5ea21d8138@akeo.ie> (raw)
In-Reply-To: <20200729174643.mlv6ip6jcf4bpcde@tomti.i.net-space.pl>

Hi Daniel,

On 2020.07.29 18:46, Daniel Kiper wrote:
> I think this link [1] will explain my long absence... Sorry about that.
> 
> I am going to go back to GRUB work next week. I will triage all the patches
> and take all (obvious) fixes. Then I will release rc1 ASAP... All new features
> will be taken after 2.06 release.
> 
> Daniel
> 
> [1] https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html

Just wanted to mention that the 2.06 release (btw, is GRUB jumping 
straight from 2.04 [1] to 2.06 then?) delay with the BootHole fixes is 
starting to create some issues as folks (e.g. Rescuezilla) have started 
to take upon themselves to cherry pick from the BootHole patches and 
apply them to things like GRUB 2.02, instead of simply upgrading to a 
new official release, that would include these fixes.

This has the consequence of actually breaking BIOS boot for ISO -> USB 
conversion utilities like Rufus (disclaimer: I am the author of Rufus), 
since we need to provide a matching core.img during conversion, that 
doesn't exist on the ISO, and obvioulsy the one we provide which was 
compiled around the time of release does not include the BootHole fixes, 
and will therefore typically fail with "symbol 'grub_calloc' not found".

The end result is that, unless we go through a costly rebuild of all our 
core.img's, with custom patches applied, which will of course break the 
ability for users to validate that these binaries match the official 
GRUB source, we're going to see more and more breakage as downstream 
GRUB users are taking it upon themselves to craft their own custom 
version in the absence of an official release with the BootHole fixes.

I would therefore like to raise the URGENCY of having a 2.06 release 
sooner rather than later, that includes the BootHole fixes. As a matter 
of fact, I would suggest that, as soon as a set of vulnerability like 
BootHole has been uncovered, all other work should be put on hold until 
a formal release has been issued that addresses it, as it becomes more 
and more damaging to let too much time pass, by trying to fold it into 
the next planned release.

Of course, I am also well aware that workload is the main delaying 
constraint, but I would urge you to consider issuing an out-of-band 
release as soon as a vulnerability like BootHole has been discovered, 
even if it's just to address that specific vulnerability, as not doing 
so in a timely manner effectively creates compounded issues.

Thank you,

/Pete

[1] https://ftp.gnu.org/gnu/grub/


  reply	other threads:[~2020-10-19 16:30 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-19 15:01 GRUB 2.06 release Daniel Kiper
2020-02-20  8:46 ` John Paul Adrian Glaubitz
2020-02-25 13:15   ` John Paul Adrian Glaubitz
2020-02-28 12:46     ` Daniel Kiper
2020-02-28 18:26       ` Matt Turner
2020-02-29  1:40       ` Mike Gilbert
2020-03-03 17:26 ` Daniel Kiper
2020-03-03 17:33   ` John Paul Adrian Glaubitz
2020-03-05 13:34     ` Daniel Kiper
2020-03-04  4:39   ` Patrick Steinhardt
2020-03-05 13:50     ` Daniel Kiper
2020-03-07 16:29       ` Patrick Steinhardt
2020-03-11 10:47   ` Daniel Kiper
2020-03-16 16:41     ` Daniel Kiper
2020-04-22 10:24       ` Daniel Kiper
2020-05-29 12:07         ` Daniel Kiper
2020-07-29 17:46           ` Daniel Kiper
2020-10-19 16:30             ` Pete Batard [this message]
2020-10-20 19:00               ` Julian Andres Klode
2020-10-20 19:12                 ` Eli Schwartz
2020-10-20 20:05                   ` Julian Andres Klode
2020-10-20 20:33                     ` Eli Schwartz
2020-10-20 20:06                   ` Pete Batard
2020-10-20 20:03                 ` Pete Batard
2020-12-14 12:39             ` Daniel Kiper
2020-12-14 12:44               ` John Paul Adrian Glaubitz
2020-12-23 23:25               ` Daniel Kiper

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1b09ca4d-af2a-ffc3-21e5-cf5ea21d8138@akeo.ie \
    --to=pete@akeo.ie \
    --cc=grub-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.