Bug#570156: grub2 embeds code from mkisofs/genisoimage/cdrkit

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Feb 16 22:14:48 UTC 2010 

Package: grub2
Subject: grub2 embeds code from mkisofs/genisoimage/cdrkit

i'm cc'ing the secure testing team, as they are identified as people who
maintain debian's embedded code copies page referenced here:

 https://wiki.debian.org/EmbeddedCodeCopies

I was digging around in grub2 today, and realized that a substantial
portion of the code for genisoimage has been forked/imported into
grub-mkisofs.

it's possible that these two programs both derive from the
now-deprecated mkisofs, rather than deriving one from the other.

For particular review, consider the code in cdrkit:genisoimage/ against
the code in grub2:util/mkisofs/

Upstream appears to have added this copy only a few months ago,
according to ChangeLog:

2009-11-09  Robert Millan  <rmh.grub at aybabtu.com>

	* conf/common.rmk (bin_UTILITIES): Add `grub-mkisofs'.


i asked on freenode's #grub about this (as the tail of a rather long
digression i'm trying to sort out), and had this exchange:

> 16:21 < dkg0> what's the reason for not using genisoimage itself?
> 16:22 < phcoder> dkg0: it doesn't allow choosing a stable UUID
> 16:22 < dkg0> that's the only problem with genisoimage?
> 16:25 < phcoder> I don't know.
> 16:28 < dkg0> just seems like it might be easier to reuse the existing tool than to rebuild it separately

interestingly, i only see grub-mkisofs used once in grub, which is in
grub-mkrescue.in -- if we could change that to be a direct invocation of
genisoimage (maybe resolving phcoder's concern about stable UUIDs?), we
might be able to drop grub-mkisofs entirely, which would eliminate the
embedded code copy concern.  (this assumes that no other packages have
started to make use of grub-mkisofs in the meantime).

Regards,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 891 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-grub-devel/attachments/20100216/e13ac20e/attachment.pgp>

More information about the Pkg-grub-devel mailing list