[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#652011: general: Repeated pattern of FHS violation: Dependencies of /sbin and /bin, belong in /lib

On Wed, Dec 14, 2011 at 10:43:38PM +0100, J.A. Bezemer wrote:
> On Wed, 14 Dec 2011, Roger Leigh wrote:
> [..]
> >The same argument applies to encryption.  / and /usr both contain a
> >selection of programs, libraries etc.  If you're encrypting one, why
> >would you not encrypt all of it?
> Speed.
> encrypted. But this actually does _not_ slow things down: the Linux
> disk cache is sensibly caching the decrypted data, so often-used
> stuff from /bin and /lib happily remains in already-decrypted cache.
> The interesting stuff from /usr is generally too large and too
> seldomly used to remain cached.

This was brought up last time this came up on -devel.  And I think
it kind of misses the point.

You are encrypting / and not encrypting /usr.  That's fine.  But
it's a workaround.  It's not addressing the *real* goal, which is
to encrypt /etc.

That is to say, /usr is a split of /convenience/.  The real solution
would be to have /etc as a separately-mounted encrypted filesystem.
So really, keeping /usr separate is a different issue, IMHO.  This
isn't a reason to keep the /usr split, it's a reason to support
mounting an encrypted /etc in the initramfs.  Such a solution would
also satisfy those that want a read-only root but writable /etc for
admin convenience.


  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.

Reply to: