Re: Bug#652011: general: Repeated pattern of FHS violation: Dependencies of /sbin and /bin, belong in /lib
On Wed, Dec 14, 2011 at 10:43:38PM +0100, J.A. Bezemer wrote:
> On Wed, 14 Dec 2011, Roger Leigh wrote:
> >The same argument applies to encryption. / and /usr both contain a
> >selection of programs, libraries etc. If you're encrypting one, why
> >would you not encrypt all of it?
> encrypted. But this actually does _not_ slow things down: the Linux
> disk cache is sensibly caching the decrypted data, so often-used
> stuff from /bin and /lib happily remains in already-decrypted cache.
> The interesting stuff from /usr is generally too large and too
> seldom used to remain cached.

This was brought up last time this came up on -devel. And I think
it kind of misses the point.

You are encrypting / and not encrypting /usr. That's fine. But
it's a workaround. It's not addressing the *real* goal, which is
to encrypt /etc.

That is to say, /usr is a split of /convenience/. The real solution
would be to have /etc as a separately-mounted encrypted filesystem.

So really, keeping /usr separate is a different issue, IMHO. This
isn't a reason to keep the /usr split, it's a reason to support
mounting an encrypted /etc in the initramfs. Such a solution would
also satisfy those that want a read-only root but writable /etc for
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.