From: Robert Millan <rmh@aybabtu.com>
To: The development of GRUB 2 <grub-devel@gnu.org>
Subject: Re: grub-probe detects ext4 wronly as ext2
Date: Fri, 4 Jul 2008 02:08:29 +0200 [thread overview]
Message-ID: <20080704000829.GE4074@thorin> (raw)
In-Reply-To: <1215104875.8123.23.camel@localhost>
On Thu, Jul 03, 2008 at 07:07:55PM +0200, Javier Martín wrote:
> > The question here is whether we should increase complexity with interfaces
> > that don't provide any usefulness to the user, just to make it easier to
> > do potentially dangerous things. If a user understands the implications
> > and really doesn't mind making her system bootability unreliable, then she
> > should have no problem modifiing the source to do it.
> The system bootability is already unreliable with the current code,
You mean because grub-probe is not conservative enough when determining whether
a filesystem can be accessed? I think we agreed that this needs fixing.
> and
> as I already explained, it will be unreliable as long as the filesystem
> drivers use the "best-effort" politics you support.
If grub-probe says "you can't rely on this filesystem being readable by
GRUB", then we're bound to that. You don't make it any more reliable by
adding user input into the equation.
However, you can avoid the problem by refusing to access that filesystem
(perhaps by disabling font loading, or whatever we needed from it). It's
at that point you can rely on GRUB being able to boot.
When I talk about real GRUB being "best-effort", it's not reliability that
is at stake here; we already got that from grub-probe. This is a minor
problem IMHO; it's just about having read access to as many filesystems
as possible (other than the one we need for booting) vs not risking
corruption during data read. I seriously think we're wasting our time
here. Really, it's not worth it. This whole discussion is not about how
we engineer a new feature or solve a bug, but about how we deal with a
_temporary_ limitation in our code.
> I'm just proposing
> that we change the default politics in the bootloader to "nearly
> conservative" and then having an user-controllable option to enable
> "best-effort" behaviour. I've had GRUB since at least 2004, and I've
> done a few nasty things in its command line from the start; but only now
> I feel comfortable enough to modify its source, so don't assume that a
> knowledgeable/advanced user will be brave enough to modify the source of
> his _bootloader_ just like that. I don't understand why you're so
> adamant against sensible defaults AND the possibility of a rational,
> free choice.
Because it's a gratuitous increase in complexity of the user interface. It's
a choice about a bug, which is due to be fixed, and for which an informed
answer will always be the same.
> > This looks like a more general problem. I wonder if we should really address
> > it at the filesystem level. e.g. the filesystem could be perfectly fine but
> > the files in it went corrupt; if the data you're reading is corrupt, does it
> > matter at which point it was corrupted?
> It does, if the data on disk is not corrupted and our filesystem driver
> reads wrong data because in its "best-effort" trials to read the data it
> forfeits the "specification"-mandated behaviour of aborting on finding
> incompatible feature flags. We would be INTRODUCING errors in the data,
> instead of just reading erroneous data because of a crash or something
> like that.
When the problem is you've read corrupt data, and you have to handle this
gracefuly, it doesn't make any difference that it was your fault because
you violated a spec, it's still the same problem.
> This is fine for update-grub, but the GRUB2 scripting language is
> complex enough that detecting every file access without missing any can
> get quite complex, and we'd need to embed even more code in the kernel
> (the hash verifier). I've implemented MD5 and SHA1 in various
> programming languages as a simple challenge and I can tell you that,
> while not the toughest thing in the world, it's not simple to get right
> and it means even less space in an already big core.img.
Why in the kernel? It's essential that during install time you can rely on
/boot/grub being readable (otherwise I don't think we should support
install at all).
> I'm finding this discussion increasingly unproductive
Hey, at least we agree on something :-)
--
Robert Millan
<GPLv2> I know my rights; I want my phone call!
<DRM> What good is a phone call… if you are unable to speak?
(as seen on /.)
next prev parent reply other threads:[~2008-07-04 0:09 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-06-29 18:11 grub-probe detects ext4 wronly as ext2 Felix Zielcke
2008-06-29 18:46 ` Javier Martín
2008-06-29 19:17 ` Bean
2008-06-29 19:53 ` Javier Martín
2008-06-29 21:19 ` Robert Millan
2008-06-30 3:02 ` Javier Martín
2008-06-30 7:10 ` Felix Zielcke
2008-06-30 11:14 ` Isaac Dupree
2008-06-30 12:12 ` Javier Martín
2008-06-30 12:27 ` Bean
2008-06-30 12:43 ` Javier Martín
2008-07-01 16:08 ` Robert Millan
2008-07-01 16:25 ` Pavel Roskin
2008-07-01 18:42 ` Javier Martín
2008-07-01 19:01 ` Pavel Roskin
2008-07-01 20:48 ` Robert Millan
2008-07-01 23:05 ` Javier Martín
2008-07-01 23:28 ` Javier Martín
2008-07-02 14:22 ` Robert Millan
2008-07-02 16:03 ` Pavel Roskin
2008-07-02 19:32 ` Javier Martín
2008-07-03 14:02 ` Robert Millan
2008-07-03 14:21 ` Isaac Dupree
2008-07-03 17:07 ` Javier Martín
2008-07-04 0:08 ` Robert Millan [this message]
2008-07-04 1:20 ` Javier Martín
2008-08-05 17:23 ` Felix Zielcke
2008-08-06 10:36 ` Felix Zielcke
2008-08-11 0:35 ` Javier Martín
2008-08-11 7:56 ` Felix Zielcke
2008-07-04 1:32 ` Javier Martín
2008-07-04 6:49 ` Bean
2008-07-04 8:33 ` Felix Zielcke
2008-07-04 10:34 ` Javier Martín
2008-07-04 11:29 ` Bean
2008-07-04 12:00 ` Javier Martín
2008-07-04 14:09 ` Robert Millan
2008-07-04 14:33 ` Javier Martín
2008-07-04 14:11 ` Bean
2008-07-04 14:34 ` Javier Martín
2008-07-04 14:04 ` Robert Millan
2008-07-04 14:23 ` Robert Millan
2008-07-04 14:21 ` Robert Millan
2008-07-04 14:45 ` Javier Martín
2008-07-04 18:57 ` Robert Millan
2008-07-04 20:41 ` Javier Martín
2008-07-05 12:07 ` Robert Millan
2008-07-05 18:36 ` Javier Martín
2008-07-16 15:09 ` Javier Martín
2008-07-16 15:27 ` Felix Zielcke
2008-07-16 16:38 ` Javier Martín
2008-07-16 17:13 ` Felix Zielcke
2008-07-16 17:21 ` Felix Zielcke
2008-07-16 17:44 ` Felix Zielcke
2008-07-16 19:07 ` Javier Martín
2008-07-16 19:33 ` Felix Zielcke
2008-07-19 14:27 ` Robert Millan
2008-08-11 14:14 ` Javier Martín
2008-08-27 13:58 ` Felix Zielcke
2008-08-30 11:17 ` Robert Millan
2008-08-30 21:28 ` Javier Martín
2008-09-24 17:05 ` Javier Martín
2009-02-04 7:41 ` Felix Zielcke
2009-02-04 13:08 ` Javier Martín
2009-02-07 19:30 ` Felix Zielcke
2009-02-07 23:54 ` Javier Martín
2009-02-08 0:28 ` Robert Millan
2008-07-01 16:03 ` Robert Millan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080704000829.GE4074@thorin \
--to=rmh@aybabtu.com \
--cc=grub-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.