Hello Debian Developers

Since the grub 2.06 upload, os-prober is now disabled by default. This
means that other operating systems are no longer detected and added to
grub by default in Debian 12.

This makes some sense, since mounting foreign filesystems and reading
files on them, extracting some text and using it as variable in shell
scripts could well be dangerous if those foreign filesystems are
infected with malware that takes advantage of this.

However, I'm not sure this is a good default for Debian Live at this
time. Many people who install from Debian Live are dual-boot users, and currently, they'll have to do an additional step that's relatively easy
for any system administrator, but far more complicated than any other
step to configure Debian at that point (edit a file as root and then run update-grub, and, they'll need to know that they need to do this).

Julien posted about this on ubuntu-devel a while back too: https://lists.ubuntu.com/archives/ubuntu-devel/2021-December/041769.html

I haven't followed further on to which solution they went with, but
since it's so late in the development cycle, wouldn't it make sense to
enable os-prober for Live systems for Debian 12, and then look at some
of the better solutions (like only probing at install time, and keeping
a cached results for grub) for Debian 13?

-Jonathan

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

jcc@debian.org wrote:

Since the grub 2.06 upload, os-prober is now disabled by default. This
means that other operating systems are no longer detected and added to
grub by default in Debian 12.

...

I haven't followed further on to which solution they went with, but
since it's so late in the development cycle, wouldn't it make sense to
enable os-prober for Live systems for Debian 12, and then look at some
of the better solutions (like only probing at install time, and keeping
a cached results for grub) for Debian 13?

I'm also pondering tweaking things in d-i to re-enable os-prober if
the system looks like it might have some other OS installed. Yes, I
realise that may sound odd(!), but I can see a number of users
complaining that their dual-boot system doesn't work any more... :-/

--
Steve McIntyre, Cambridge, UK. steve@einval.com < sladen> I actually stayed in a hotel and arrived to find a post-it
note stuck to the mini-bar saying "Paul: This fridge and
fittings are the correct way around and do not need altering"

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, Mar 06, 2023 at 02:38:53PM +0000, Steve McIntyre wrote:

jcc@debian.org wrote:

Since the grub 2.06 upload, os-prober is now disabled by default. This >means that other operating systems are no longer detected and added to
grub by default in Debian 12.

I haven't followed further on to which solution they went with, but
since it's so late in the development cycle, wouldn't it make sense to

I'm also pondering tweaking things in d-i to re-enable os-prober if
the system looks like it might have some other OS installed. Yes, I
realise that may sound odd(!), but I can see a number of users
complaining that their dual-boot system doesn't work any more... :-/

At this point, I'd just enable os-prober unconditionally, and think of a wrapped solution for the future. The "disable os-prober" change trades
a major usage regression for hardening an issue that can be trivially
exploited in a number of other ways anyway.

Our current current state of resistance against physical access is bad
enough that _today_ I'd say this sacrifice is not worth it. I don't quite
see any short-term developments that would improve it (there's plenty of snakeoil, disturbing DRM schemes, while no one bothers to deploy projects that'd make physical security friendly to the user. But /rant.).

Thus my suggestions would be either:
* just re-enabling os-prober, or
* checking if we're on an encrypted filesystem.
Your idea of checking whether there's a second OS installed has its merit,
but would mysteriously fail to offer boot choice if we're the old OS (ie, possibly the one being replaced and kept just in case).


Meow!
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Q: Is it ok to combine wired, wifi, and/or bluetooth connections
⢿⡄⠘⠷⠚⠋⠀ in wearable computing?
⠈⠳⣄⠀⠀⠀⠀ A: No, that would be mixed fabric, which Lev19:19 forbids.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

kilobyte wrote:

At this point, I'd just enable os-prober unconditionally, and think of a

Erm, *no*?!

os-prober corrupts data when called (in virtualisation/emulation
guests, at the very least).


Steve wrote:

I'm also pondering tweaking things in d-i to re-enable os-prober if
the system looks like it might have some other OS installed. Yes, I

But what if the system has *both* other OSes installed *and* is
used as virtualisation host (when booting Debian) at the same time?

You’ll still get data corruption of unrelated data (VM guests).
I consider that inacceptable, but apparently YMMV…

bye,
//mirabilos
--
[...] if maybe ext3fs wasn't a better pick, or jfs, or maybe reiserfs, oh but what about xfs, and if only i had waited until reiser4 was ready... in the be- ginning, there was ffs, and in the middle, there was ffs, and at the end, there was still ffs, and the sys admins knew it was good. :) -- Ted Unangst über *fs

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

[ Following up on the older discussion... ]

tg@debian.org wrote:

kilobyte wrote:

At this point, I'd just enable os-prober unconditionally, and think of a

Erm, *no*?!

os-prober corrupts data when called (in virtualisation/emulation
guests, at the very least).

Steve wrote:

I'm also pondering tweaking things in d-i to re-enable os-prober if
the system looks like it might have some other OS installed. Yes, I

But what if the system has *both* other OSes installed *and* is
used as virtualisation host (when booting Debian) at the same time?

You’ll still get data corruption of unrelated data (VM guests).
I consider that inacceptable, but apparently YMMV…

And this debate is exactly the problem. There is no single good answer
here, and two different sets of people will lose, depending on what we
choose as a default:

* (Potentially new) users install Debian as part of a dual-/multi-
boot system and now (as os-prober is disabled by default) they
don't get an option to boot the other OS(es) easily. I've seen
situations like this before, and I understand that people worry
here: "OMG what happened to the Windows system I still need?"

* People with currently-running guests potentially end up with data
corruption problems when updating grub on the host.

What I've done now is:

1. Added debconf handling for enabling/disabling os-prober in
/etc/default/grub to make it easier to handle things.

2. Made some *limited* tweaks to grub-installer, the d-i component
that sets up GRUB. It already runs os-prober in a massively
over-complicated way (see below).

If *that* os-prober run detects other OSes installed, we will now
use the new grub debconf setting to enable os-prober on the new
system. If no other OS is detected during installation, we will
disable os-prober there.

Either way, the user will be prompted about os-prober *at a low
priority* so that they can override things via preseed or answering
the question in d-i expert mode.

I think this is the best route forward, from the available options. If
you're in the tiny set of people running Debian on a dual-boot *and*
running guests while you update grub then you'll need to manage that
on your own: disable os-prober and come up with your own method of
adding extra boot options (or similar). /etc/grub.d is designed for
this kind of thing if you need it.

The current set of options here with grub and grub-installer are
*huge*, and IMHO the code is getting impossible to follow or
maintain. :-(

*After bookworm*, I plan to take a machete to grub-installer and do
some long-needed cleanup.

1. There's currently support in grub-installer for doing a *one-off*
os-prober run and adding a semi-hard-coded list of other OSes found
there, then not running os-prober in future on the installed
system. This is going away; I'm not convinced that it's *ever*
worked proparly and of course it doesn't deal with future changes
to the system.

2. I'm planning on killing support for grub-legacy, which is *way*
overdue. It's been dead upstream for over a decade already...

For GRUB itself:

1. We have a *lot* of patches on top of upstream GRUB, which makes it
hard to keep in step with security updates etc. I hope to find time
to rationalise things, following on from work that Colin was doing
earlier.

2. I'd like to simplify options more and reduce the number of packages
we ship here too. Let's see...

--
Steve McIntyre, Cambridge, UK. steve@einval.com < sladen> I actually stayed in a hotel and arrived to find a post-it
note stuck to the mini-bar saying "Paul: This fridge and
fittings are the correct way around and do not need altering"

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)