On Mon, Jun 24, 2013 at 06:45:20PM +0200, Hans Putter wrote:
> Indeed, this bug has been caused by the missing execution marks of
> all files in /etc/grub.d, as a test has proved.
>
> Thanks for your hint!
>
> To prevent further trouble, this should be documented in all the
> files which are connected with grub2.

That would be a pretty excessive number of files! Besides, once we make the change indicated in this bug's new title there should be no need for additional documentation.

> Furthermore, all procedures which touch /boot/grub/grub.cfg should be
> obliged :
>
> - to create a security copy of this file and to announce its name and
>   directory to the user;

This is *not* a security problem. No vulnerability exists here; it was a failed upgrade whose proximate cause was, I'm afraid, an inadequately-tested local change of a kind that we didn't insure against quite well enough. It doesn't in general help to try to turn bugs into security problems.

> - to ask the user in case of leaving grub.cfg empty, whether he wants
>   to continue. If he does not, grub.cfg must be restored with the
>   original content before the procedure goes to exit.

As I mentioned in an earlier message, and retitled this bug to that effect, the correct fix here is to have grub-script-check return an error when checking a file with no useful commands. Once that is done, everything will work as you request.

> I hope that the Debian developers and their security team agree to
> this demand

Perhaps this is just a language-barrier thing, but you may not be aware that in English the word "demand" is very peremptory, and comes across as rude; it's the sort of thing a government does to citizens who fail to pay their taxes. You may have meant "request".

Cheers,

-- 
Colin Watson [cjwat...@debian.org]
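
Added example (not part of the original message, and not GRUB's or Debian's code): shell functions for the two checks this thread turns on, listing files in a grub.d-style directory that lack the execute bit, and refusing to install a generated config that contains no commands. The function names are hypothetical, and "no commands" is approximated as "only blank lines and # comments", which is an assumption and not how grub-script-check itself decides.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical.

# Return 0 if FILE has at least one line that is neither blank nor a
# '#' comment. Assumption: this stands in for "has useful commands".
has_commands() {
    grep -Eqv '^[[:space:]]*(#.*)?$' "$1"
}

# Print every regular file in DIR that lacks the execute bit. In the
# failure described above, such files in /etc/grub.d led to an empty
# generated grub.cfg.
non_executable() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ ! -x "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Move NEW over TARGET only if NEW has commands. On refusal, return 1
# and leave TARGET exactly as it was.
safe_install() {
    new=$1
    target=$2
    if ! has_commands "$new"; then
        echo "refusing to install $new: no commands found" >&2
        return 1
    fi
    mv "$new" "$target"
}
```

A caller would run non_executable on the script directory before generating the config, then pass the freshly generated temporary file and the live config path to safe_install.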