On Tue, Oct 20, 2020 at 03:12:49PM -0400, Eli Schwartz wrote:
> On 10/20/20 3:00 PM, Julian Andres Klode wrote:
> > On Mon, Oct 19, 2020 at 05:30:41PM +0100, Pete Batard wrote:
> >> Just wanted to mention that the 2.06 release (btw, is GRUB jumping straight
> >> from 2.04 [1] to 2.06 then?) delay with the BootHole fixes is starting to
> >> create some issues as folks (e.g. Rescuezilla) have started to take upon
> >> themselves to cherry pick from the BootHole patches and apply them to things
> >> like GRUB 2.02, instead of simply upgrading to a new official release, that
> >> would include these fixes.
> >
> > That's a misunderstanding, nobody would upgrade existing OS to 2.06, you
> > can't just upgrade the entire bootloader in a stable OS. You'd only
> > upgrade the latest in-development version and cherry-pick fixes to old
> > releases.
>
> Well, only rolling release distros would.

Sure

>
> I'd like to instead propose a third option though. grub could benefit
> from a policy to fork off maintenance branches for CVE fixes, and all
> distros would upgrade to 2.04.1 (or 2.02.1), then later on a couple of
> rolling release distros would upgrade to 2.06 once it is released.

I don't know. It would have made the effort significantly harder
to rebase to 2.04.1 instead of just appending the patches to the
ton of patches we already have.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer - i speak de, en