MainInclusionReport-grub2
Main Inclusion Report for grub2
Requirements
Availability: http://archive.ubuntu.com/ubuntu/pool/universe/g/grub2; this package is available for amd64, i386, and powerpc architectures and is an architecture-specific bootloader (though it may be ported to other architectures later). It should also be made available for lpia. This request involves only i386/amd64/lpia; there is no plan to use grub on the powerpc port at present.
Rationale:
- The grub-common package (built from the grub2 source) is a requirement to support installing grub on XFS filesystems.
- grub2 is being evaluated for a future transition of the default bootloader, and will be optionally available for installation as the bootloader in jaunty. It's not too early to bring it under the security support/maintenance umbrella.
Security:
- CVE entries: no known CVEs against GRUB2, vs. one against GRUB legacy. (Since this is a bootloader, security exposure is limited to problems with boot password handling.)
- Secunia history: no entries found.
- Network activity: because grub2 supports multiboot and can bootstrap from the network, there is some network exposure but this should not be remotely exploitable.
Quality assurance:
- While there are no cases in which the package should not work out of the box, due to the hardware-sensitive nature of the package this is still something of an open question that FoundationsTeam/Specs/Grub2ByDefault seeks to answer by making it an install-time option.
- Installing the grub-pc binary package also does not automatically take over the boot block from grub; this is a good thing since rewriting the MBR is in general a risky operation, and we should be conservative here in the early stages of the transition.
- There is a high-priority debconf question when installing the grub-pc package on a system that previously had grub installed. This is not a transition that will take place automatically for jaunty.
- kernel fails in postinst with grub2: no such file /sbin/update-grub - only an issue on systems upgraded from old versions of Ubuntu; out of scope for the current plans, but needs to be addressed before grub2 becomes default
- Maintenance in Debian is vigorous
- Upstream is calm
UI standards:
- The GRUB2 bootloader supports internationalization - unlike the current GRUB1 bootloader.
- Translations are not included as standard .po files and there is no .pot file in the source package; it's unknown what form these translations take
Standards compliance:
- Package complies with the FHS and Debian Policy
- Packaging system: cdbs, using simple-patchsys
Dependencies:
- glibc, libncurses, debconf, liblzo2-2, os-prober, base-files: all in main
Maintenance:
- Regardless of whether this package is included in main now, a good deal of work needs to be put into it to make it suitable for transitioning to it as a default bootloader.
- The package is actively maintained in Debian. The Ubuntu Foundations Team (initially, SteveLangasek) will be responsible for monitoring the package in Ubuntu and responding to bugs.
Reviewers
MIR bug: https://launchpad.net/bugs/331305
MainInclusionReport-grub2 (last edited 2009-02-18 23:19:50 by minbar)