Daniel Kahn Gillmor
2010-Feb-16 22:14 UTC
[Secure-testing-team] grub2 embeds code from mkisofs/genisoimage/cdrkit
Package: grub2 Subject: grub2 embeds code from mkisofs/genisoimage/cdrkit i''m cc''ing the secure testing team, as they are identified as people who maintain debian''s embedded code copies page referenced here: https://wiki.debian.org/EmbeddedCodeCopies I was digging around in grub2 today, and realized that a substantial portion of the code for genisoimage has been forked/imported into grub-mkisofs. it''s possible that these two programs both derive from the now-deprecated mkisofs, rather than deriving one from the other. For particular review, consider the code in cdrkit:genisoimage/ against the code in grub2:util/mkisofs/ Upstream appears to have added this copy only a few months ago, according to ChangeLog: 2009-11-09 Robert Millan <rmh.grub at aybabtu.com> * conf/common.rmk (bin_UTILITIES): Add `grub-mkisofs''. i asked on freenode''s #grub about this (as the tail of a rather long digression i''m trying to sort out), and had this exchange:> 16:21 < dkg0> what''s the reason for not using genisoimage itself? > 16:22 < phcoder> dkg0: it doesn''t allow choosing a stable UUID > 16:22 < dkg0> that''s the only problem with genisoimage? > 16:25 < phcoder> I don''t know. > 16:28 < dkg0> just seems like it might be easier to reuse the existing tool than to rebuild it separatelyinterestingly, i only see grub-mkisofs used once in grub, which is in grub-mkrescue.in -- if we could change that to be a direct invocation of genisoimage (maybe resolving phcoder''s concern about stable UUIDs?), we might be able to drop grub-mkisofs entirely, which would eliminate the embedded code copy concern. (this assumes that no other packages have started to make use of grub-mkisofs in the meantime). Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 891 bytes Desc: OpenPGP digital signature URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20100216/e13ac20e/attachment-0001.pgp>