From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.77) (envelope-from ) id 1SrafZ-0003uN-Nj for garchives@archives.gentoo.org; Wed, 18 Jul 2012 20:16:26 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 10DC1E070C; Wed, 18 Jul 2012 20:15:56 +0000 (UTC) Received: from mail-bk0-f53.google.com (mail-bk0-f53.google.com [209.85.214.53]) by pigeon.gentoo.org (Postfix) with ESMTP id 538EBE0655 for ; Wed, 18 Jul 2012 20:14:13 +0000 (UTC) Received: by bkwj4 with SMTP id j4so1829232bkw.40 for ; Wed, 18 Jul 2012 13:14:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=VTj3UZIYIuWMt33QJ2lTg2lzdg5gxORgL7+R2+CK4Sg=; b=q75dh2Zk7veVoH67emeIT21mvNTwvOuU04o1e06NBThbXJlQG13A3+0K5VzAsC4rzm 3Kl6746V0j7uVgnsz1tlgIsK4mpkmPHskc2W36IiHhKItwSPC7pWgcnQgS2uwOSdaCFf Uwb0o1VseDnZiR9ng8OSDBeEGACaK4dXcgWQ3IN0IdvaZ+0rEOPt0ciIglB/+Snyt2Gm mQhQW0DIUvQZvwjgPqGQ/JIItKkXjyoI6iG0NAf9Z9j2QDG6c2qqzuTmEMHcRwMmC8HS U2zhJjQeDe7eu/Ww5GVgD7Dzc9BLPTw0cnC0VcSUo5gRDyWTUj4intYu205ScWwbbD6O 3rYA== Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Received: by 10.204.129.4 with SMTP id m4mr2516264bks.55.1342642452369; Wed, 18 Jul 2012 13:14:12 -0700 (PDT) Received: by 10.204.10.12 with HTTP; Wed, 18 Jul 2012 13:14:12 -0700 (PDT) In-Reply-To: References: <5005D70D.3060108@gentoo.org> <1342566449.18313.38.camel@TesterTop4> <50063368.8080106@gentoo.org> <20120718101027.55dd00fe@pomiocik.lan> <5006B7A4.6010202@gentoo.org> <20120718161351.GA19044@serenity.o.westcall.spb.ru> <20120718184012.12446404@googlemail.com> <20120718195809.242f7d99@pomiocik.lan> Date: Wed, 18 Jul 2012 16:14:12 -0400 Message-ID: Subject: Re: [gentoo-dev] Opinion against /usr merge From: Michael Mol To: gentoo-dev@lists.gentoo.org Content-Type: text/plain; charset=UTF-8 X-Archives-Salt: a5b2d0ce-ead0-4220-bf50-862daf53f6df X-Archives-Hash: 559916638d255bda5e2f70b04c5464d4 On Wed, Jul 18, 2012 at 4:02 PM, Rich Freeman wrote: > On Wed, Jul 18, 2012 at 3:40 PM, Michael Mol wrote: >> So your initramfs doesn't include network tools such as ping, >> traceroute or wget. Fine. Fundamentally speaking, why shouldn't >> someone else's? > > So, an initramfs is just a piece of kernel functionality. You can do > almost ANYTHING in an initramfs, subject to the limitation that it is > stored in RAM without any backing store. Yup. IIRC, it has effectively the same underlying implementation as tmpfs, using always-dirty file cache pages. > > There are lots of reasons to use an initramfs, and the biggest ones > don't pertain much to Gentoo. Here are some of the big use cases: > > 1. One-size-fits-all kernel. You want to support root and /usr on > any filesystem, on any kind of hard drive, or on a SAN, or who knows > where. That either means saying Y to every driver in the kernel, or > saying M and using an initramfs to load what is needed to get to root. > > 2. One-size-fits-all grub config. You put the smarts in the > initramfs, and use filesystem labels and such to identify partitions. > > 3. Use of labels/UUIDs on partitions. When mdadm decides to renumber > half your devices on a whim or you add a drive and everything bubbles > down by one, your system still boots. > > 4. Cleaner mounting of root, ability to fsck on initial mount, etc. > > 5. When something goes wrong you can get a dash/bash shell instead of > a grub shell. The former is clearly more useful even if you don't > have firefox+X11 in your initramfs. > > 6. Support for booting off of stuff that the kernel can't find on its > own, like SANs/etc. That might require network support in the > initramfs, and that usually isn't a big deal. If somebody can spoof > DNS on your fiber channel interface you've got bigger problems. > > Sure, the more you do with the initramfs the bigger the potential > security risks. Most distros don't have users build either kernels or > initramfs which means they can just push updates, but that requires #1 > above, which I think most Gentoo users would not appreciate. I fall into use cases 3 and 5, myself. Incidentally, bash is also network-aware. (Not sure if the default USE flag set allows it, though.) Were I to explicitly add network-aware tools, I'd probably add either ssh/sftp/scp or links. > > However, the initramfs shouldn't leave much of anything running after > it chroots, so the window should be fairly small. So is the window for spoofing DNS responses. That didn't stop DNS hijacking from being fairly easy. (And why there was a large coordinated, cross-vendor effort to add source-port randomization once it was shown to be easy.) Multi-threaded native code has been my day job for the last five years. I may be a bit biased when it comes to race conditions. -- :wq