[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Getting rid of /usr for F12?



On Thu, Apr 16, 2009 at 8:56 PM, Lennart Poettering
<mzerqung 0pointer de> wrote:
>> Not really -- I want to also encrypt stuff in /etc, /tmp and in /var
>> (configs, temp files, and app state data).
>
> Not sure if that makes too much sense.
>
> Either you are paranoid or you are not. Which means either you encrypt
> everything. Or you encrypt only /home. Anything in between makes not
> much sense.

That's not really a good argument -- in fact, it's not an argument at
all. There is absolutely nothing worth encrypting in /usr, while the
rest of the system may contain sensitive data. It has nothing to do
with being "paranoid" -- it's a very sensible trade-off between disk
encryption and performance + battery life, and it makes very good
sense -- I'd like to see a compelling argument for encrypting /usr
(apart from the danger of trojaning, which you're still running as
long as you boot from a /boot partition and not a trusted source, like
a keyfob that you never part with). Perhaps, if you are worried that
someone will come after you for installing proprietary codecs or
pirated software, but that's not something I'm concerned about.

> Also, while you might not directly notice this, but you silently lose
> a lot of functionality by doing this. Quite a few udev rules require
> stuff from /usr. If /usr is not available then they will be skipped.

How does my partitioning scheme make /usr unavailable at any point?
It's an unencrypted partition on sda2 -- considering that the rest is
a LUKS-encrypted LVM volume, the probability of something else failing
before ext3 on sda2 becomes unavailable is orders of magnitude higher.

> Believe me: having /usr seperate is currently broken on Fedora. How do
> I know? I used to run such a setup myself. And instead of trying to
> fix that brokeness by moving more and more stuff to / let's just get
> rid of this mess completely.

You wanted a reason not to? I gave a reason not to. If we decide that
the benefits of doing away with /usr outweigh drawbacks, then I will
find a way to live with it. I simply wanted to point out that being
able to mount the majority of system binaries on a separate partition
from the rest of the system has a tangible benefit.

Regards,
-- 
Konstantin Ryabitsev
Montréal, Québec


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]