Date: Mon, 22 Mar 2021 20:45:27 +0000
From: Colin Watson <cjwatson@debian.org>
To: Glenn Washburn
Cc: The development of GNU GRUB <grub-devel@gnu.org>, Daniel Kiper, mchang@suse.com, Marco A Benatto, Javier Martinez Canillas
Subject: Re: [PATCH v2] i386-pc: build verifiers API as module
Message-ID: <20210322204527.GO26923@riva.ucam.org>
References: <20210318113026.24963-1-mchang@suse.com> <20210322152000.ebheegnkkhpqa4d3@tomti.i.net-space.pl> <20210322161626.GN26923@riva.ucam.org> <20210322151906.5946fb23@crass-HP-ZBook-15-G2>
In-Reply-To: <20210322151906.5946fb23@crass-HP-ZBook-15-G2>

On Mon, Mar 22, 2021 at 03:19:06PM -0500, Glenn Washburn wrote:
> On Mon, 22 Mar 2021 16:16:26 +0000
> Colin Watson wrote:
> > On Mon, Mar 22, 2021 at 04:20:00PM +0100, Daniel Kiper wrote:
> > > NAK for this patch and others "fixing" small MBR gaps. I am not
> > > going to deal with this kind of issue any longer because a few
> > > folks in the world cannot/do not want/... reinstall their systems.
> > > Sorry guys.
> >
> > I'd just like to say that I think this is an unfortunate mistake, and
> > puts distributions in an invidious position.
>
> Forgive my ignorance, this seems like a fairly simple patch. While I
> personally do not like maintaining patches just solely for myself, my
> understanding is that distros are quite accustomed to carrying patches
> for very long periods of time (indefinitely?). Is part of the push back
> because it's onerous for distro/package maintainers? Or is this more
> coming from a matter of principle?

We certainly can and do carry our own patches, but it's pretty
unsatisfying when the reasons for rejecting them upstream don't actually
make sense (as for "buffer: Sync up out-of-range error message" and
"kern/dl: Disable grub_dl_unload_unneeded").

In the last couple of rounds of security megapatches we've also seen that
the amount of divergence between upstream and various distributions in
security-critical code is in fact a serious problem that needs to be
addressed, and so I'm not happy about adding more to it for things that
touch e.g. the verifiers framework - obviously a security-critical
component.

However, we probably won't have any choice. Bugs of the form "I couldn't
upgrade without reinstalling my entire system" are quite likely to be
considered critical by any distribution worth its salt, regardless of
whether upstream cares about them, and so this is likely to be just
another way in which in practice distributions end up diverging from
upstream. I think that's worth at least a bit of pushback.

-- 
Colin Watson (he/him) [cjwatson@debian.org]