Originally posted by sinepgib
View Post
Announcement
Collapse
No announcement yet.
systemd's mkosi-initrd Talked Up As Better Alternative To Current Initrd Handling
Collapse
X
-
-
Originally posted by hamishmb View PostOkay, good, but will it be usable without systemd? I use systemd myself, but I don't especially want all the new shiny features to only work for people using systemd - it's nice to have choice.
Comment
-
Originally posted by jacob View Post
Without knowing the details I don't see why it wouldn't.
If everything has to be signed by the distro, the host simply cannot update the initramfs after compiling the Nvidia kernel modules, and this amazing trust chain can't be applied.
Edit: to reply to the various comments posted after the quoted one, I still thinks this is an issue. General-purpose distros cannot simply require you to use a Geforce RTX 2000 or newer, so I unfortunately think that this isn't going to be widely implemented anytime soon.Last edited by tachi; 18 September 2022, 03:39 PM.
Comment
-
Originally posted by tachi View Post
Nvidia kernel modules have to be compiled on the host as far as I know (that's what happens when installing the nvidia-driver package on Debian for instance), and then the initramfs has to be updated too.
If everything has to be signed by the distro, the host simply cannot update the initramfs after compiling the Nvidia kernel modules, and this amazing trust chain can't be applied.
Edit: to reply to the various comments posted after the quoted one, I still thinks this is an issue. General-purpose distros cannot simply require you to use a Geforce RTX 2000 or newer, so I unfortunately think that this isn't going to be widely implemented anytime soon.
I'd also say that if you want to run a self-built kernel and initramfs, the whole point of being able to sign it with the distro's key is moot. You're on own to make sure that what you run is not compromised.
- Likes 2
Comment
-
Originally posted by jacob View Post
The nVidia module must be built from source in the general case, if the distro can't assume which kernel version and config is being used. That's why Debian does it. But on Fedora or Ubuntu, running custom kernels is more or less unsupported and I don't know if anyone amongst their user bases ever bothered to do it. Nothing stops those distros from packaging and signing a binary nvidia.ko built for the kernel they're shipping.
I'd also say that if you want to run a self-built kernel and initramfs, the whole point of being able to sign it with the distro's key is moot. You're on own to make sure that what you run is not compromised.
I think that they do things the way they do because, just like Ubuntu, they ship different kernel packages (different versions, normal vs cloud vs rt releases, etc). They could ship n different drivers though (as they already do to support older cards), if the license permits it; package managers should be able to handle dependency versions just fine.
To be clear, I'd love this to become a reality, but I was pointing out some of my main concerns
Comment
-
Originally posted by markg85 View PostOr put differently, i don't want this new system. I see no benefit at all from a user point of view.
This is just yet another landgrab by systemd, because the more pieces of the system you co-opt the harder it is to remove the dependency you artificially induce a few months later. "Cancer" really is the perfect analogy for it.
At this point, there's been so much poor handling of things by the systemd team that even on the rare occasions that they actually produce something beneficial, you have to take a step back and work out the ways in which it could be abused by a malicious actor, the same way you do when MS suddenly joins a standards group and starts pushing some extensions they'd like added to it.
Comment
-
Originally posted by sinepgib View PostThen there are some less dramatic issues like journald not being optional at all (you can make it so it only proxies logs, but you can't avoid loading it), so it wastes a little bit of RAM. There was once an experiment to use it on embedded that used about 6MB of RAM but, as you said, it never really caught up.
The fact that journald also insists on trying to burn multiple GB of storage on binary bullshit duplicated logs is usually a bigger issue than the handful of MB it uses, even on embedded systems, because anything with enough RAM to run that monolithic mess in the first place can probably afford to waste another 6MB for no reason.
Comment
-
Originally posted by arQon View PostThe RAM wastage is less of a problem than the pettiness of journald inserting itself into the system in such a way that it can't be removed even if unused and unwanted, despite the constantly-repeated lie of systemd being "modular".
Originally posted by arQon View PostThe fact that journald also insists on trying to burn multiple GB of storage on binary bullshit duplicated logs is usually a bigger issue than the handful of MB it uses, even on embedded systems, because anything with enough RAM to run that monolithic mess in the first place can probably afford to waste another 6MB for no reason.
Regardless, if you decide to use either one solution to produce logs, common sense is using only one of them: if you set journald to log, then don't run a syslog daemon, and conversely, if you want a syslog daemon, just set journald to proxy-only mode.
Comment
Comment