* [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: William Hubbs @ 2017-07-12 15:42 UTC
To: gentoo-dev

OpenRC 0.28 will mount efivars read only by default due to concerns
about users bricking systems by writing to this filesystem unexpectedly.

Here is the newsitem covering this change.

William

[-- Attachment #1.2: 2017-07-15-efivars_readonly.en.txt --]

Title: Mounting efivars read only
Author: William Hubbs <williamh@gentoo.org>
Content-Type: text/plain
Posted: 2017-07-15
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: <=sys-apps/openrc-0.28

OpenRC 0.28 mounts efivars read only due to concerns about changes in
this file system making systems unbootable.

If you need to change something in this path, you will need to re-mount
it read-write, make the change and re-mount it read-only.

Also, you can override this behavior by adding a line for efivars to
fstab if you want efivars mounted read-write.

For more information on this issue, see the following url:

https://github.com/openrc/openrc/issues/134

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: M. J. Everitt @ 2017-07-12 15:50 UTC
To: gentoo-dev

On 12/07/17 16:42, William Hubbs wrote:
> OpenRC 0.28 will mount efivars read only by default due to concerns
> about users bricking systems by writing to this filesystem unexpectedly.
>
> Here is the newsitem covering this change.
>
> William
>
Very sensible .. I seem to recall something about systemd doing the
reverse by default .. and this becoming a regular occurrence. +1 for
sanity.

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Mike Gilbert @ 2017-07-12 20:03 UTC
To: Gentoo Dev

On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org> wrote:
> OpenRC 0.28 will mount efivars read only by default due to concerns
> about users bricking systems by writing to this filesystem unexpectedly.
>
> Here is the newsitem covering this change.
>
> William
>

This will break boot loader installers, like grub-install and bootctl
(systemd-boot). Please update any relevant documents on the wiki, or
find someone who can do it for you.

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: William Hubbs @ 2017-07-12 21:44 UTC
To: gentoo-dev

On Wed, Jul 12, 2017 at 04:03:25PM -0400, Mike Gilbert wrote:
> On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org> wrote:
> > OpenRC 0.28 will mount efivars read only by default due to concerns
> > about users bricking systems by writing to this filesystem unexpectedly.
> >
> > Here is the newsitem covering this change.
> >
> > William
> >
>
> This will break boot loader installers, like grub-install and bootctl
> (systemd-boot). Please update any relevant documents on the wiki, or
> find someone who can do it for you.

I'm not stopping anyone from making those updates, so if someone knows
what needs to be changed, go for it. :-)

William

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Matt Turner @ 2017-07-12 23:04 UTC
To: gentoo development

On Wed, Jul 12, 2017 at 2:44 PM, William Hubbs <williamh@gentoo.org> wrote:
> On Wed, Jul 12, 2017 at 04:03:25PM -0400, Mike Gilbert wrote:
>> On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org> wrote:
>> > OpenRC 0.28 will mount efivars read only by default due to concerns
>> > about users bricking systems by writing to this filesystem unexpectedly.
>> >
>> > Here is the newsitem covering this change.
>> >
>> > William
>> >
>>
>> This will break boot loader installers, like grub-install and bootctl
>> (systemd-boot). Please update any relevant documents on the wiki, or
>> find someone who can do it for you.
>
> I'm not stopping anyone from making those updates, so if someone knows
> what needs to be changed, go for it. :-)

That's now how this works. You can't leave something as crucial as
boot loader installation documentation in a bad state.

It's your responsibility to ensure that happens.

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Lucas Ramage @ 2017-07-13 0:29 UTC
To: gentoo-dev

What needs to be changed for the bootloaders? I may be able to assist.

On Wed, Jul 12, 2017 at 7:04 PM, Matt Turner <mattst88@gentoo.org> wrote:
> On Wed, Jul 12, 2017 at 2:44 PM, William Hubbs <williamh@gentoo.org> wrote:
> > On Wed, Jul 12, 2017 at 04:03:25PM -0400, Mike Gilbert wrote:
> >> On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org> wrote:
> >> > OpenRC 0.28 will mount efivars read only by default due to concerns
> >> > about users bricking systems by writing to this filesystem unexpectedly.
> >> >
> >> > Here is the newsitem covering this change.
> >> >
> >> > William
> >> >
> >>
> >> This will break boot loader installers, like grub-install and bootctl
> >> (systemd-boot). Please update any relevant documents on the wiki, or
> >> find someone who can do it for you.
> >
> > I'm not stopping anyone from making those updates, so if someone knows
> > what needs to be changed, go for it. :-)
>
> That's now how this works. You can't leave something as crucial as
> boot loader installation documentation in a bad state.
>
> It's your responsibility to ensure that happens.
>

--
Regards,
Lucas Ramage / Software Engineer

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Matt Turner @ 2017-07-13 0:42 UTC
To: gentoo development

On Wed, Jul 12, 2017 at 5:29 PM, Lucas Ramage <ramage.lucas94@gmail.com> wrote:
> What needs to be changed for the bootloaders? I may be able to assist.

The documentation should be updated to say that with OpenRC 0.28 that
you'll have to remount efivars as RW before you can install the
bootloader (e.g., grub-install)

The command I use locally to remount rw (since I have configured
efivars to be mounted read-only in fstab) is

mount -o remount,rw /sys/firmware/efi/efivars

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Lucas Ramage @ 2017-07-13 1:27 UTC
To: gentoo-dev

I am working on it! Thanks!

On Wed, Jul 12, 2017 at 8:42 PM, Matt Turner <mattst88@gentoo.org> wrote:
> On Wed, Jul 12, 2017 at 5:29 PM, Lucas Ramage <ramage.lucas94@gmail.com> wrote:
> > What needs to be changed for the bootloaders? I may be able to assist.
>
> The documentation should be updated to say that with OpenRC 0.28 that
> you'll have to remount efivars as RW before you can install the
> bootloader (e.g., grub-install)
>
> The command I use locally to remount rw (since I have configured
> efivars to be mounted read-only in fstab) is
>
> mount -o remount,rw /sys/firmware/efi/efivars
>

--
Regards,
Lucas Ramage / Software Engineer

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Andrew Savchenko @ 2017-07-13 6:30 UTC
To: gentoo-dev

On Wed, 12 Jul 2017 17:42:50 -0700 Matt Turner wrote:
> On Wed, Jul 12, 2017 at 5:29 PM, Lucas Ramage <ramage.lucas94@gmail.com> wrote:
> > What needs to be changed for the bootloaders? I may be able to assist.
>
> The documentation should be updated to say that with OpenRC 0.28 that
> you'll have to remount efivars as RW before you can install the
> bootloader (e.g., grub-install)
>
> The command I use locally to remount rw (since I have configured
> efivars to be mounted read-only in fstab) is
>
> mount -o remount,rw /sys/firmware/efi/efivars

We don't have that many efi bootloaders. Maybe it will be better
to update their scripting to remount efivars rw and back ro when
needed? The same way we have non-efi bootloaders to mount /boot
partition when needed.

Best regards,
Andrew Savchenko

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Rich Freeman @ 2017-07-13 11:09 UTC
To: gentoo-dev

On Thu, Jul 13, 2017 at 2:30 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
> On Wed, 12 Jul 2017 17:42:50 -0700 Matt Turner wrote:
>> On Wed, Jul 12, 2017 at 5:29 PM, Lucas Ramage <ramage.lucas94@gmail.com> wrote:
>> > What needs to be changed for the bootloaders? I may be able to assist.
>>
>> The documentation should be updated to say that with OpenRC 0.28 that
>> you'll have to remount efivars as RW before you can install the
>> bootloader (e.g., grub-install)
>>
>> The command I use locally to remount rw (since I have configured
>> efivars to be mounted read-only in fstab) is
>>
>> mount -o remount,rw /sys/firmware/efi/efivars
>
> We don't have that many efi bootloaders. Maybe it will be better
> to update their scripting to remount efivars rw and back ro when
> needed? The same way we have non-efi bootloaders to mount /boot
> partition when needed.
>

Presumably you'd only want to remount it if it was mounted ro to
start, since it sounds like openrc will be diverging from systemd
behavior here.

While it seems like a good idea I'm not sure how big an improvement it
is in the larger scheme. We're worried about root accidentally
modifying efivars, but we have no safeguards against root writing to
/dev/sda, and the latter seems much more likely to cause harm, and is
harder to fix.

--
Rich

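The procedure discussed in the messages above (remount efivars read-write, make the change, remount read-only, and remount only when it was read-only to start with), as an added shell example that is not part of the original thread and is not code from OpenRC, grub or efibootmgr. `EFIVARS_DIR`, `MOUNTS_FILE`, `MOUNT_CMD` and both function names are assumptions introduced for this sketch.

```shell
#!/bin/sh
# Added example: run one command with efivarfs writable, then restore read-only.
# EFIVARS_DIR, MOUNTS_FILE and MOUNT_CMD are names chosen for this sketch so the
# logic can be exercised against a constructed mounts table without root.
EFIVARS_DIR=${EFIVARS_DIR:-/sys/firmware/efi/efivars}
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}
MOUNT_CMD=${MOUNT_CMD:-mount}

# Print "ro", "rw" or "absent" for EFIVARS_DIR.
# /proc/mounts fields: device mountpoint fstype options dump pass.
# The last matching entry wins, because a later mount shadows an earlier one.
efivars_mount_state() {
    awk -v dir="$EFIVARS_DIR" '
        $2 == dir {
            state = "rw"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") state = "ro"
        }
        END { print (state == "" ? "absent" : state) }
    ' "$MOUNTS_FILE"
}

# Run "$@" with efivarfs writable. Remount only when it was read-only to start
# with, and put it back to read-only whether the command exits zero or not.
# Exit status: the command's own status, 2 if efivarfs is not mounted,
# 3 if the rw remount failed, 4 if the command succeeded but restoring ro failed.
with_efivars_rw() {
    rc=0
    state=$(efivars_mount_state)
    case $state in
        ro) ;;
        rw)
            # Already writable (an fstab override, for instance): leave as found.
            "$@" || rc=$?
            return "$rc" ;;
        *)
            echo "efivarfs is not mounted at $EFIVARS_DIR" >&2
            return 2 ;;
    esac

    $MOUNT_CMD -o remount,rw "$EFIVARS_DIR" || return 3
    "$@" || rc=$?
    $MOUNT_CMD -o remount,ro "$EFIVARS_DIR" || {
        echo "warning: $EFIVARS_DIR is still mounted read-write" >&2
        [ "$rc" -ne 0 ] || rc=4
    }
    return "$rc"
}

# Usage (as root), with the installer's own arguments in place of "...":
#   with_efivars_rw efibootmgr ...
```

The write window is limited to the wrapped command, and a system whose administrator chose a read-write fstab entry is left as it was found.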
* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: M. J. Everitt @ 2017-07-13 11:35 UTC
To: gentoo-dev

On 13/07/17 12:09, Rich Freeman wrote:
> Presumably you'd only want to remount it if it was mounted ro to
> start, since it sounds like openrc will be diverging from systemd
> behavior here.
>
> While it seems like a good idea I'm not sure how big an improvement it
> is in the larger scheme. We're worried about root accidentally
> modifying efivars, but we have no safeguards against root writing to
> /dev/sda, and the latter seems much more likely to cause harm, and is
> harder to fix.
>
In case you weren't aware, Rich, rewriting the efivars actually writes
to the system BIOS, which renders the computer completely unbootable ..
not quite the same as erasing the boot sector of your hard disk, where
you simply plug in another device, and Off you go ...

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Andrew Savchenko @ 2017-07-13 12:17 UTC
To: gentoo-dev

On Thu, 13 Jul 2017 12:35:50 +0100 M. J. Everitt wrote:
> On 13/07/17 12:09, Rich Freeman wrote:
> > Presumably you'd only want to remount it if it was mounted ro to
> > start, since it sounds like openrc will be diverging from systemd
> > behavior here.
> >
> > While it seems like a good idea I'm not sure how big an improvement it
> > is in the larger scheme. We're worried about root accidentally
> > modifying efivars, but we have no safeguards against root writing to
> > /dev/sda, and the latter seems much more likely to cause harm, and is
> > harder to fix.
> >
> In case you weren't aware, Rich, rewriting the efivars actually writes
> to the system BIOS, which renders the computer completely unbootable ..
> not quite the same as erasing the boot sector of your hard disk, where
> you simply plug in another device, and Off you go ...

It may be even worse. Some parts of efivars may be stored not in
the BIOS chip, but on other chips like AC control or IME. So simple
BIOS reflashing (e.g. from backup BIOS available on many boards)
will not help.

Best regards,
Andrew Savchenko

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Mike Gilbert @ 2017-07-13 14:29 UTC
To: Gentoo Dev

On Thu, Jul 13, 2017 at 7:35 AM, M. J. Everitt <m.j.everitt@iee.org> wrote:
> On 13/07/17 12:09, Rich Freeman wrote:
>> Presumably you'd only want to remount it if it was mounted ro to
>> start, since it sounds like openrc will be diverging from systemd
>> behavior here.
>>
>> While it seems like a good idea I'm not sure how big an improvement it
>> is in the larger scheme. We're worried about root accidentally
>> modifying efivars, but we have no safeguards against root writing to
>> /dev/sda, and the latter seems much more likely to cause harm, and is
>> harder to fix.
>>
> In case you weren't aware, Rich, rewriting the efivars actually writes
> to the system BIOS, which renders the computer completely unbootable ..
> not quite the same as erasing the boot sector of your hard disk, where
> you simply plug in another device, and Off you go ...
>

We are actually talking about protecting people who run something like
rm -rf /sys/firmware/efi/efivars/ as root.

If you are dumb enough to do something like that, you almost deserve
to spend a couple hundred on a new motherboard.

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Ben Kohler @ 2017-07-13 14:35 UTC
To: gentoo-dev

On Thu, Jul 13, 2017 at 9:29 AM, Mike Gilbert <floppym@gentoo.org> wrote:
>
> We are actually talking about protecting people who run something like
> rm -rf /sys/firmware/efi/efivars/ as root.
>
> If you are dumb enough to do something like that, you almost deserve
> to spend a couple hundred on a new motherboard.
>

While I can think of a few ways you can accidentally do this via
bindmounts and such, I think it's also worth mentioning that this
"bricking" only happens on a very very small number of systems with a
specific buggy UEFI implementation, the vast majority of UEFI hardware
will not be "bricked" by wiping efivars.

I'm still onboard with protecting users from this out of the box, but
it's not like without this change, we'll have gentoo boxes dropping dead
all over the place every week. We're protecting from something that
requires both a very specific firmware bug AND serious user error, to
trigger.

-Ben

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Andrew Savchenko @ 2017-07-13 14:58 UTC
To: gentoo-dev

On Thu, 13 Jul 2017 10:29:06 -0400 Mike Gilbert wrote:
> On Thu, Jul 13, 2017 at 7:35 AM, M. J. Everitt <m.j.everitt@iee.org> wrote:
> > On 13/07/17 12:09, Rich Freeman wrote:
> >> Presumably you'd only want to remount it if it was mounted ro to
> >> start, since it sounds like openrc will be diverging from systemd
> >> behavior here.
> >>
> >> While it seems like a good idea I'm not sure how big an improvement it
> >> is in the larger scheme. We're worried about root accidentally
> >> modifying efivars, but we have no safeguards against root writing to
> >> /dev/sda, and the latter seems much more likely to cause harm, and is
> >> harder to fix.
> >>
> > In case you weren't aware, Rich, rewriting the efivars actually writes
> > to the system BIOS, which renders the computer completely unbootable ..
> > not quite the same as erasing the boot sector of your hard disk, where
> > you simply plug in another device, and Off you go ...
> >
>
> We are actually talking about protecting people who run something like
> rm -rf /sys/firmware/efi/efivars/ as root.
>
> If you are dumb enough to do something like that, you almost deserve
> to spend a couple hundred on a new motherboard.

Or just rm -rf /
[pedantic]
of course with newer rm versions one needs to run:
rm -rf --no-preserve-root /
or
rm -rf /* /.*
[/pedantic]

But in some scenarios this command is normal. E.g. user installs
Gentoo from some live dvd/flash, makes some mistakes, understands
that system is broken beyond repair and decides to start over again.
If there is no need to recreate filesystem itself or partition
layout, running rm -rf / as above is quite reasonable.

When running this command user expects to kill the data, but not
the hardware. That is my point. I can't call such action dumb.

Best regards,
Andrew Savchenko

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Andrew Savchenko @ 2017-07-13 15:06 UTC
To: gentoo-dev

On Thu, 13 Jul 2017 17:58:29 +0300 Andrew Savchenko wrote:
> On Thu, 13 Jul 2017 10:29:06 -0400 Mike Gilbert wrote:
> > On Thu, Jul 13, 2017 at 7:35 AM, M. J. Everitt <m.j.everitt@iee.org> wrote:
> > > On 13/07/17 12:09, Rich Freeman wrote:
> > >> Presumably you'd only want to remount it if it was mounted ro to
> > >> start, since it sounds like openrc will be diverging from systemd
> > >> behavior here.
> > >>
> > >> While it seems like a good idea I'm not sure how big an improvement it
> > >> is in the larger scheme. We're worried about root accidentally
> > >> modifying efivars, but we have no safeguards against root writing to
> > >> /dev/sda, and the latter seems much more likely to cause harm, and is
> > >> harder to fix.
> > >>
> > > In case you weren't aware, Rich, rewriting the efivars actually writes
> > > to the system BIOS, which renders the computer completely unbootable ..
> > > not quite the same as erasing the boot sector of your hard disk, where
> > > you simply plug in another device, and Off you go ...
> > >
> >
> > We are actually talking about protecting people who run something like
> > rm -rf /sys/firmware/efi/efivars/ as root.
> >
> > If you are dumb enough to do something like that, you almost deserve
> > to spend a couple hundred on a new motherboard.
>
> Or just rm -rf /
> [pedantic]
> of course with newer rm versions one needs to run:
> rm -rf --no-preserve-root /
> or
> rm -rf /* /.*
> [/pedantic]
>
> But in some scenarios this command is normal. E.g. user installs
> Gentoo from some live dvd/flash, makes some mistakes, understands
> that system is broken beyond repair and decides to start over again.
> If there is no need to recreate filesystem itself or partition
> layout, running rm -rf / as above is quite reasonable.
>
> When running this command user expects to kill the data, but not
> the hardware. That is my point. I can't call such action dumb.

One more example: remember the bumblebee install script bug[1]:
due to a typo the whole /usr was removed, the same may happen
with /sys one day. If simple file removal results in dead hardware
this is no go.

[1] https://github.com/MrMEEE/bumblebee-Old-and-abbandoned/issues/123

Best regards,
Andrew Savchenko

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Rich Freeman @ 2017-07-13 15:40 UTC
To: gentoo-dev

On Thu, Jul 13, 2017 at 10:58 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
>
> But in some scenarios this command is normal. E.g. user installs
> Gentoo from some live dvd/flash, makes some mistakes, understands
> that system is broken beyond repair and decides to start over again.
> If there is no need to recreate filesystem itself or partition
> layout, running rm -rf / as above is quite reasonable.
>

Honestly, this is one of those reasons that I think the handbook
should be tweaked to use a container instead of a chroot. That fixes
a lot of special filesystem issues and generally makes things cleaner.

With systemd it is pretty trivial due to nspawn, but I'm not sure how
hard it would be to make this change on an openrc-based install CD
(presumably you'd need to include lxc tools on it, though a bit of
scripting with unshare is probably sufficient).

--
Rich

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Mike Gilbert @ 2017-07-13 16:45 UTC
To: Gentoo Dev

On Thu, Jul 13, 2017 at 10:58 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
> On Thu, 13 Jul 2017 10:29:06 -0400 Mike Gilbert wrote:
>> On Thu, Jul 13, 2017 at 7:35 AM, M. J. Everitt <m.j.everitt@iee.org> wrote:
>> > On 13/07/17 12:09, Rich Freeman wrote:
>> >> Presumably you'd only want to remount it if it was mounted ro to
>> >> start, since it sounds like openrc will be diverging from systemd
>> >> behavior here.
>> >>
>> >> While it seems like a good idea I'm not sure how big an improvement it
>> >> is in the larger scheme. We're worried about root accidentally
>> >> modifying efivars, but we have no safeguards against root writing to
>> >> /dev/sda, and the latter seems much more likely to cause harm, and is
>> >> harder to fix.
>> >>
>> > In case you weren't aware, Rich, rewriting the efivars actually writes
>> > to the system BIOS, which renders the computer completely unbootable ..
>> > not quite the same as erasing the boot sector of your hard disk, where
>> > you simply plug in another device, and Off you go ...
>> >
>>
>> We are actually talking about protecting people who run something like
>> rm -rf /sys/firmware/efi/efivars/ as root.
>>
>> If you are dumb enough to do something like that, you almost deserve
>> to spend a couple hundred on a new motherboard.
>
> Or just rm -rf /
> [pedantic]
> of course with newer rm versions one needs to run:
> rm -rf --no-preserve-root /
> or
> rm -rf /* /.*
> [/pedantic]
>
> But in some scenarios this command is normal. E.g. user installs
> Gentoo from some live dvd/flash, makes some mistakes, understands
> that system is broken beyond repair and decides to start over again.
> If there is no need to recreate filesystem itself or partition
> layout, running rm -rf / as above is quite reasonable.
>
> When running this command user expects to kill the data, but not
> the hardware. That is my point. I can't call such action dumb.
>
> Best regards,
> Andrew Savchenko

Point taken.

Although, if the user is in the process of installing Gentoo, efivarfs
is likely to be mounted rw anyway so that the user can install a boot
loader. Having grub-install perform the remount would minimize this
small risk I suppose.

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Mike Gilbert @ 2017-07-13 16:47 UTC
To: Gentoo Dev

On Thu, Jul 13, 2017 at 12:45 PM, Mike Gilbert <floppym@gentoo.org> wrote:
> On Thu, Jul 13, 2017 at 10:58 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
>> On Thu, 13 Jul 2017 10:29:06 -0400 Mike Gilbert wrote:
>>> On Thu, Jul 13, 2017 at 7:35 AM, M. J. Everitt <m.j.everitt@iee.org> wrote:
>>> > On 13/07/17 12:09, Rich Freeman wrote:
>>> >> Presumably you'd only want to remount it if it was mounted ro to
>>> >> start, since it sounds like openrc will be diverging from systemd
>>> >> behavior here.
>>> >>
>>> >> While it seems like a good idea I'm not sure how big an improvement it
>>> >> is in the larger scheme. We're worried about root accidentally
>>> >> modifying efivars, but we have no safeguards against root writing to
>>> >> /dev/sda, and the latter seems much more likely to cause harm, and is
>>> >> harder to fix.
>>> >>
>>> > In case you weren't aware, Rich, rewriting the efivars actually writes
>>> > to the system BIOS, which renders the computer completely unbootable ..
>>> > not quite the same as erasing the boot sector of your hard disk, where
>>> > you simply plug in another device, and Off you go ...
>>> >
>>>
>>> We are actually talking about protecting people who run something like
>>> rm -rf /sys/firmware/efi/efivars/ as root.
>>>
>>> If you are dumb enough to do something like that, you almost deserve
>>> to spend a couple hundred on a new motherboard.
>>
>> Or just rm -rf /
>> [pedantic]
>> of course with newer rm versions one needs to run:
>> rm -rf --no-preserve-root /
>> or
>> rm -rf /* /.*
>> [/pedantic]
>>
>> But in some scenarios this command is normal. E.g. user installs
>> Gentoo from some live dvd/flash, makes some mistakes, understands
>> that system is broken beyond repair and decides to start over again.
>> If there is no need to recreate filesystem itself or partition
>> layout, running rm -rf / as above is quite reasonable.
>>
>> When running this command user expects to kill the data, but not
>> the hardware. That is my point. I can't call such action dumb.
>>
>> Best regards,
>> Andrew Savchenko
>
> Point taken.
>
> Although, if the user is in the process of installing Gentoo, efivarfs
> is likely to be mounted rw anyway so that the user can install a boot
> loader. Having grub-install perform the remount would minimize this
> small risk I suppose.

s/grub-install/efibootmgr/; grub-install does not update efivarfs
directly, but rather calls efibootmgr to do it.

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
From: Andrew Savchenko @ 2017-07-13 11:43 UTC
To: gentoo-dev

On Thu, 13 Jul 2017 07:09:45 -0400 Rich Freeman wrote:
> On Thu, Jul 13, 2017 at 2:30 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
> > On Wed, 12 Jul 2017 17:42:50 -0700 Matt Turner wrote:
> >> On Wed, Jul 12, 2017 at 5:29 PM, Lucas Ramage <ramage.lucas94@gmail.com> wrote:
> >> > What needs to be changed for the bootloaders? I may be able to assist.
> >>
> >> The documentation should be updated to say that with OpenRC 0.28 that
> >> you'll have to remount efivars as RW before you can install the
> >> bootloader (e.g., grub-install)
> >>
> >> The command I use locally to remount rw (since I have configured
> >> efivars to be mounted read-only in fstab) is
> >>
> >> mount -o remount,rw /sys/firmware/efi/efivars
> >
> > We don't have that many efi bootloaders. Maybe it will be better
> > to update their scripting to remount efivars rw and back ro when
> > needed? The same way we have non-efi bootloaders to mount /boot
> > partition when needed.
> >
>
> Presumably you'd only want to remount it if it was mounted ro to
> start, since it sounds like openrc will be diverging from systemd
> behavior here.
>
> While it seems like a good idea I'm not sure how big an improvement it
> is in the larger scheme. We're worried about root accidentally
> modifying efivars, but we have no safeguards against root writing to
> /dev/sda, and the latter seems much more likely to cause harm, and is
> harder to fix.

Writing to /dev/sda may kill data stored there, but hardware itself
will survive. Writing to efivars kills hardware and this is the
motivation for this change. See [1] and [2] for details.

Poettering says this is OK to hard brick device, well fine, this is
systemd way. OpenRC is smarter here and protects users from
unintended disaster.

Data can be restored from backup, but hard bricked hardware may
become completely dead beyond repair or require a very complicated
soldering. So I see this issue much more serious than writing
to /dev/sda.

[1] https://github.com/openrc/openrc/issues/134
[2] https://github.com/systemd/systemd/issues/2402

Best regards,
Andrew Savchenko

* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only 2017-07-13 11:43 ` Andrew Savchenko @ 2017-07-13 11:54 ` Rich Freeman 2017-07-13 12:14 ` Andrew Savchenko 0 siblings, 1 reply; 30+ messages in thread From: Rich Freeman @ 2017-07-13 11:54 UTC (permalink / raw To: gentoo-dev On Thu, Jul 13, 2017 at 7:43 AM, Andrew Savchenko <bircoph@gentoo.org> wrote: > On Thu, 13 Jul 2017 07:09:45 -0400 Rich Freeman wrote: >> On Thu, Jul 13, 2017 at 2:30 AM, Andrew Savchenko <bircoph@gentoo.org> wrote: >> > On Wed, 12 Jul 2017 17:42:50 -0700 Matt Turner wrote: >> >> On Wed, Jul 12, 2017 at 5:29 PM, Lucas Ramage <ramage.lucas94@gmail.com> wrote: >> >> > What needs to be changed for the bootloaders? I may be able to assist. >> >> >> >> The documentation should be updated to say that with OpenRC 0.28 that >> >> you'll have to remount efivars as RW before you can install the >> >> bootloader (e.g., grub-install) >> >> >> >> The command I use locally to remount rw (since I have configured >> >> efivars to be mounted read-only in fstab) is >> >> >> >> mount -o remount,rw /sys/firmware/efi/efivars >> > >> > We don't have that much efi bootloaders. Maybe it will be better >> > to update their scripting to remount efivars rw and back ro when >> > needed? The same way we have non-efi bootloaders to mount /boot >> > partition when needed. >> > >> >> Presumably you'd only want to remount it if it was mounted ro to >> start, since it sounds like openrc will be diverging from systemd >> behavior here. >> >> While it seems like a good idea I'm not sure how big an improvement it >> is in the larger scheme. We're worried about root accidentially >> modifying efivars, but we have no safeguards against root writing to >> /dev/sda, and the latter seems much more likely to cause harm, and is >> harder to fix. > > Writing to /dev/sda may kill data stored there, but hardware itself > will survive. Writing to efivars kills hardware and this is the > motivation for this change. 
See [1] and [2] for details. Poettering > says this is OK to hard brick device, well fine, this is systemd > way. OpenRC is smarter here and protects users from unintended > disaster. Reading through those apparently bricking is considered to be a hardware bug. Granted, it is still desirable to avoid. In any case, tools would still need to be compatible with both approaches. Apparently there are commands like systemctl reboot --firmware-setup that expect this to be writable. If we aren't going to make the default ro under systemd then tools will need to handle both cases. If we decide to change the default for systemd (or put a line in the default fstab) then this issue would go away. -- Rich ^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only 2017-07-13 11:54 ` Rich Freeman @ 2017-07-13 12:14 ` Andrew Savchenko 2017-07-13 12:45 ` Rich Freeman 0 siblings, 1 reply; 30+ messages in thread From: Andrew Savchenko @ 2017-07-13 12:14 UTC (permalink / raw To: gentoo-dev [-- Attachment #1: Type: text/plain, Size: 2032 bytes --] On Thu, 13 Jul 2017 07:54:44 -0400 Rich Freeman wrote: [...] > >> Presumably you'd only want to remount it if it was mounted ro to > >> start, since it sounds like openrc will be diverging from systemd > >> behavior here. > >> > >> While it seems like a good idea I'm not sure how big an improvement it > >> is in the larger scheme. We're worried about root accidentially > >> modifying efivars, but we have no safeguards against root writing to > >> /dev/sda, and the latter seems much more likely to cause harm, and is > >> harder to fix. > > > > Writing to /dev/sda may kill data stored there, but hardware itself > > will survive. Writing to efivars kills hardware and this is the > > motivation for this change. See [1] and [2] for details. Poettering > > says this is OK to hard brick device, well fine, this is systemd > > way. OpenRC is smarter here and protects users from unintended > > disaster. > > Reading through those apparently bricking is considered to be a > hardware bug. Granted, it is still desirable to avoid. Yes, it can be considered as a hardware bug, as well as thousands of other issues, look at how many quirks are inside the kernel. This is how it works: software works around hardware bugs, because software is so much easier to update than hardware. > In any case, tools would still need to be compatible with both > approaches. Apparently there are commands like systemctl reboot > --firmware-setup that expect this to be writable. If we aren't going > to make the default ro under systemd then tools will need to handle > both cases. 
If we decide to change the default for systemd (or put a
> line in the default fstab) then this issue would go away.

I see no problems with compatibility. In case of software needs to write to efivars (bootloader installation, etc) algo is simple:

flag = false;
if (mounted(efivars) == RO) { remount(efivars, RW); flag = true; }
do_usual_stuff();
if (flag) remount(efivars, RO);

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only 2017-07-13 12:14 ` Andrew Savchenko @ 2017-07-13 12:45 ` Rich Freeman 0 siblings, 0 replies; 30+ messages in thread From: Rich Freeman @ 2017-07-13 12:45 UTC (permalink / raw To: gentoo-dev

On Thu, Jul 13, 2017 at 8:14 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
>
> I see no problems with compatibility. In case of software needs to
> write to efivars (bootloader installation, etc) algo is simple:
>
> flag = false;
> if (mounted(efivars) == RO) { remount(efivars, RW); flag = true; }
> do_usual_stuff();
> if (flag) remount(efivars, RO);
>

Certainly. I was just pointing out that we shouldn't make assumptions. Honestly, that is probably better in the openrc case as well, in case a user should want to mount efivars differently for whatever reason.

--
Rich

^ permalink raw reply [flat|nested] 30+ messages in thread
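The remount-only-if-needed logic from Andrew Savchenko's pseudocode, together with Rich Freeman's point that tools should not assume how efivars is mounted, written out as an added shell example (not code from the thread, OpenRC or any bootloader package). The function names and the EFIVARS_DIR, MOUNTS_FILE and MOUNT_CMD variables are assumptions of this example, there so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example: run a command with efivarfs writable, then put the mount
# back the way it was found. The three variables below are assumptions of
# this example so the logic can be exercised without root or EFI firmware.
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/self/mounts}"
MOUNT_CMD="${MOUNT_CMD:-mount}"

# Print "ro", "rw" or "absent" for the efivarfs mount at EFIVARS_DIR.
# The last matching line wins, as it does for stacked mounts.
efivars_state() {
    awk -v dir="$EFIVARS_DIR" '
        $2 == dir && $3 == "efivarfs" {
            state = "rw"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") state = "ro"
        }
        END { print (state == "" ? "absent" : state) }
    ' "$MOUNTS_FILE"
}

# Usage: with_efivars_rw command [args...]
#   e.g. with_efivars_rw efibootmgr --bootnext 0001
# Returns the command's exit status, or 2 if efivarfs is not mounted,
# 3 if the remount to rw fails, 4 if the command succeeded but the
# mount could not be returned to ro.
with_efivars_rw() {
    restore=0
    case "$(efivars_state)" in
        absent)
            echo "efivarfs is not mounted at $EFIVARS_DIR" >&2
            return 2 ;;
        ro)
            "$MOUNT_CMD" -o remount,rw "$EFIVARS_DIR" || return 3
            restore=1 ;;
        rw) ;;  # already writable (e.g. fstab override): leave it alone
    esac

    "$@"
    cmd_rc=$?

    # Restore ro even when the command failed, but only if we changed it.
    if [ "$restore" -eq 1 ]; then
        if ! "$MOUNT_CMD" -o remount,ro "$EFIVARS_DIR"; then
            echo "warning: $EFIVARS_DIR left mounted read-write" >&2
            if [ "$cmd_rc" -eq 0 ]; then cmd_rc=4; fi
        fi
    fi
    return "$cmd_rc"
}
```

A signal that kills the calling shell while the command runs skips the restore step; a caller that needs that covered can add a trap around the call.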
* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only 2017-07-12 21:44 ` William Hubbs 2017-07-12 23:04 ` Matt Turner @ 2017-07-13 2:38 ` Mike Gilbert 1 sibling, 0 replies; 30+ messages in thread From: Mike Gilbert @ 2017-07-13 2:38 UTC (permalink / raw To: Gentoo Dev On Wed, Jul 12, 2017 at 5:44 PM, William Hubbs <williamh@gentoo.org> wrote: > On Wed, Jul 12, 2017 at 04:03:25PM -0400, Mike Gilbert wrote: >> On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org> wrote: >> > OpenRC 0.28 will mount efivars read only by default due to concerns >> > about users bricking systems by writing to this filesystem unexpectedly. >> > >> > Here is the newsitem covering this change. >> > >> > William >> > >> >> This will break boot loader installers, like grub-install and bootctl >> (systemd-boot). Please update any relevant documents on the wiki, or >> find someone who can do it for you. > > I'm not stopping anyone from making those updates, so if someone knows > what needs to be changed, go for it. :-) > > William > Give me a few days, and I'll be happy to help with that. I don't have a lot of free time this week, but I should have some time this weekend. ^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only 2017-07-12 20:03 ` Mike Gilbert 2017-07-12 21:44 ` William Hubbs @ 2017-07-14 0:09 ` DarKRaveR 2017-07-14 11:02 ` Lucas Ramage 1 sibling, 1 reply; 30+ messages in thread From: DarKRaveR @ 2017-07-14 0:09 UTC (permalink / raw To: gentoo-dev Am 12.07.2017 um 22:03 schrieb Mike Gilbert: > On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org> wrote: >> OpenRC 0.28 will mount efivars read only by default due to concerns >> about users bricking systems by writing to this filesystem unexpectedly. >> >> Here is the newsitem covering this change. >> >> William >> > This will break boot loader installers, like grub-install and bootctl > (systemd-boot). Please update any relevant documents on the wiki, or > find someone who can do it for you. > Not only bootloader installers. It will break things like efibootmgr which can be used to change EFI bootmanager's behavior/configuration. I am not sure how sane these tools react when efivar is RO. Regards -Sven ^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only 2017-07-14 0:09 ` DarKRaveR @ 2017-07-14 11:02 ` Lucas Ramage 0 siblings, 0 replies; 30+ messages in thread From: Lucas Ramage @ 2017-07-14 11:02 UTC (permalink / raw To: gentoo-dev [-- Attachment #1: Type: text/plain, Size: 927 bytes --] The documentation is being updated. There is no need to worry about that. On Thu, Jul 13, 2017, 8:09 PM DarKRaveR <dark@verfeiert.org> wrote: > Am 12.07.2017 um 22:03 schrieb Mike Gilbert: > > On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org> > wrote: > >> OpenRC 0.28 will mount efivars read only by default due to concerns > >> about users bricking systems by writing to this filesystem unexpectedly. > >> > >> Here is the newsitem covering this change. > >> > >> William > >> > > This will break boot loader installers, like grub-install and bootctl > > (systemd-boot). Please update any relevant documents on the wiki, or > > find someone who can do it for you. > > > > Not only bootloader installers. > It will break things like efibootmgr which can be used to change EFI > bootmanager's behavior/configuration. > I am not sure how sane these tools react when efivar is RO. > > Regards > > -Sven > > [-- Attachment #2: Type: text/html, Size: 1358 bytes --] ^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only 2017-07-12 15:42 [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only William Hubbs 2017-07-12 15:50 ` M. J. Everitt 2017-07-12 20:03 ` Mike Gilbert @ 2017-07-13 10:30 ` Kristian Fiskerstrand 2017-07-13 13:52 ` William Hubbs 2 siblings, 1 reply; 30+ messages in thread From: Kristian Fiskerstrand @ 2017-07-13 10:30 UTC (permalink / raw To: gentoo-dev [-- Attachment #1.1: Type: text/plain, Size: 810 bytes --] On 07/12/2017 05:42 PM, William Hubbs wrote: > OpenRC 0.28 will mount efivars read only by default due to concerns > about users bricking systems by writing to this filesystem unexpectedly. > > Here is the newsitem covering this change. Although the changes seems sensible, I'm wondering if a news item is necessary for this case versus other documentation and script updates to reflect this change. For one thing it seems it will have minimal effect on a running system and not needing a migration path / configuration updates except in cases where bootloader installs are done; how intuitive is the feedback in this process when it is read-only? -- Kristian Fiskerstrand OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 488 bytes --] ^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only 2017-07-13 10:30 ` Kristian Fiskerstrand @ 2017-07-13 13:52 ` William Hubbs 2017-07-13 23:30 ` William Hubbs 0 siblings, 1 reply; 30+ messages in thread From: William Hubbs @ 2017-07-13 13:52 UTC (permalink / raw To: gentoo-dev [-- Attachment #1: Type: text/plain, Size: 1232 bytes --] On Thu, Jul 13, 2017 at 12:30:12PM +0200, Kristian Fiskerstrand wrote: > On 07/12/2017 05:42 PM, William Hubbs wrote: > > OpenRC 0.28 will mount efivars read only by default due to concerns > > about users bricking systems by writing to this filesystem unexpectedly. > > > > Here is the newsitem covering this change. > > Although the changes seems sensible, I'm wondering if a news item is > necessary for this case versus other documentation and script updates to > reflect this change. For one thing it seems it will have minimal effect > on a running system and not needing a migration path / configuration > updates except in cases where bootloader installs are done; how > intuitive is the feedback in this process when it is read-only? I have no idea; I've never used an efi system. For people who are not using efi systems, and as long as you don't mess with your boot loader, you are correct that this change means nothing. There is no migration path and nothing really for a user to do. This is already documented in NEWS.md upstream and in the ChangeLog. I can spin up the release in an hour or so, and if there is no need for a newsitem, I will consider the newsitem canceled. William [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 195 bytes --] ^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only 2017-07-13 13:52 ` William Hubbs @ 2017-07-13 23:30 ` William Hubbs [not found] ` <CAJ0EP434FLFWQCTTqNr16oij=VfYem4ARr+C_-9NoQPBucWKmw@mail.gmail.com> 0 siblings, 1 reply; 30+ messages in thread From: William Hubbs @ 2017-07-13 23:30 UTC (permalink / raw To: gentoo-dev [-- Attachment #1: Type: text/plain, Size: 1523 bytes --] On Thu, Jul 13, 2017 at 08:52:23AM -0500, William Hubbs wrote: > On Thu, Jul 13, 2017 at 12:30:12PM +0200, Kristian Fiskerstrand wrote: > > On 07/12/2017 05:42 PM, William Hubbs wrote: > > > OpenRC 0.28 will mount efivars read only by default due to concerns > > > about users bricking systems by writing to this filesystem unexpectedly. > > > > > > Here is the newsitem covering this change. > > > > Although the changes seems sensible, I'm wondering if a news item is > > necessary for this case versus other documentation and script updates to > > reflect this change. For one thing it seems it will have minimal effect > > on a running system and not needing a migration path / configuration > > updates except in cases where bootloader installs are done; how > > intuitive is the feedback in this process when it is read-only? > > I have no idea; I've never used an efi system. > > For people who are not using efi systems, and as long as you don't mess > with your boot loader, you are correct that this change means nothing. > There is no migration path and nothing really for a user to do. > > This is already documented in NEWS.md upstream and in the ChangeLog. > > I can spin up the release in an hour or so, and if there is no need for a > newsitem, I will consider the newsitem canceled. No one objected to me putting out the release, so it is now available. I'll give another 24 hours for someone to tell me if they think we still need a newsitem. 
Thanks, William [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 195 bytes --] ^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only [not found] ` <CAJ0EP434FLFWQCTTqNr16oij=VfYem4ARr+C_-9NoQPBucWKmw@mail.gmail.com> @ 2017-07-14 0:05 ` Mike Gilbert 0 siblings, 0 replies; 30+ messages in thread From: Mike Gilbert @ 2017-07-14 0:05 UTC (permalink / raw To: Gentoo Dev [-- Attachment #1: Type: text/plain, Size: 1768 bytes --] On Jul 13, 2017 7:42 PM, "Mike Gilbert" <floppymaster@gmail.com> wrote: On Jul 13, 2017 7:30 PM, "William Hubbs" <williamh@gentoo.org> wrote: On Thu, Jul 13, 2017 at 08:52:23AM -0500, William Hubbs wrote: > On Thu, Jul 13, 2017 at 12:30:12PM +0200, Kristian Fiskerstrand wrote: > > On 07/12/2017 05:42 PM, William Hubbs wrote: > > > OpenRC 0.28 will mount efivars read only by default due to concerns > > > about users bricking systems by writing to this filesystem unexpectedly. > > > > > > Here is the newsitem covering this change. > > > > Although the changes seems sensible, I'm wondering if a news item is > > necessary for this case versus other documentation and script updates to > > reflect this change. For one thing it seems it will have minimal effect > > on a running system and not needing a migration path / configuration > > updates except in cases where bootloader installs are done; how > > intuitive is the feedback in this process when it is read-only? > > I have no idea; I've never used an efi system. > > For people who are not using efi systems, and as long as you don't mess > with your boot loader, you are correct that this change means nothing. > There is no migration path and nothing really for a user to do. > > This is already documented in NEWS.md upstream and in the ChangeLog. > > I can spin up the release in an hour or so, and if there is no need for a > newsitem, I will consider the newsitem canceled. No one objected to me putting out the release, so it is now available. I'll give another 24 hours for someone to tell me if they think we still need a newsitem. 
Thanks, William We still need documentation updates for packages that use efivarfs, but apparently you don't care. Sorry, I missed the replies from Lucas. [-- Attachment #2: Type: text/html, Size: 2865 bytes --] ^ permalink raw reply [flat|nested] 30+ messages in thread