When to mount /lib and /usr/lib ?

Siggy Brentrup ubuntu at psycho.i21k.de
Fri Sep 18 04:34:12 BST 2009


Sorry, I forgot this one in my postponed folder :(.


Hi Steve,

thanks for your reply.  I was wondering why I didn't have your gpg key
in my keyring until I realized it's a new one. From 1995 to 2004 I was
known as bsb at debian.org.

On Thu, Sep 17, 2009 at 00:23 -0700, Steve Langasek wrote:
> On Thu, Sep 17, 2009 at 12:03:37AM +0200, Siggy Brentrup wrote:

> > The question now is if it's early enough to mount /lib when rc?.d
> > scripts are run or should it even be done early in inittab?  Also take
> > into consideration that calculating the SHA256 sum of the whole /lib
> > partition takes about 20s while /usr/lib requires an ample 90s.

> No.  /lib must be on the root filesystem.  Whatever you're doing here, if it
> needs to be done before /lib is mounted then it needs to be done in the
> initramfs.

In my approach /lib is on the root filesystem and is later on shadowed
by mounting a memory stick partition with identical contents on /lib.
This works fine with mounting by label in /etc/fstab but has a grave
security issue if you can't be sure the stick isn't exchanged by an
identically looking one with malicious library code on it.  

Annoying saw-like sounds from the HD are gone, everything seems to be
noticeably faster.

In order to be sure that a partition to be mounted is identical to
the one created after the last upgrade I verify its sha256sum before
actually mounting a partition.

I'm doing all this because I have to extend the useful life of my Vaio
laptop for some months, I can't afford to buy a new laptop before say
spring 2010 if things go bad and they seem to do so.  I'm publishing
it on launchpad because there are others in similar situations who want
to run current software on outdated machines.  I know some of them in
my home town, they are just too timid to speak up.

Thanks for your response
  Siggy
-- 
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org+
|29 days until|bsb-at-psycho-dot-informationsanarchistik-dot-de|
|www.Ubucon.de|or:                bsb-at-psycho-dot-i21k-dot-de|
+-------> ceterum censeo javascriptum esse restrictam <--------+
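
Added example, not part of the message above and not code from the poster's project: one way to do the verify-then-mount step it describes, hashing the partition and comparing it with a digest kept on the root filesystem before mounting read-only. The function names, the digest file and its location are assumptions.

```shell
# Print the SHA-256 hex digest of a file or block device.
digest_of() {
    out=$(sha256sum -- "$1") || return 2
    printf '%s\n' "${out%% *}"
}

# verify_partition DEVICE DIGEST_FILE   (hypothetical helper)
# Returns 0 on match, 1 on mismatch, 2 if the check could not be made.
verify_partition() {
    dev=$1
    ref=$2
    [ -r "$dev" ] || { echo "cannot read $dev" >&2; return 2; }
    [ -r "$ref" ] || { echo "no reference digest $ref" >&2; return 2; }
    # Accept "sha256sum" output ("<hex>  name") or a bare digest line.
    want=$(cut -d' ' -f1 "$ref" | head -n 1)
    # A reference that is not exactly 64 lowercase hex characters is an error.
    case $want in
        *[!0-9a-f]*) echo "malformed digest in $ref" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "malformed digest in $ref" >&2; return 2; }
    have=$(digest_of "$dev") || return 2
    [ "$have" = "$want" ] || { echo "digest mismatch on $dev" >&2; return 1; }
}

# mount_verified LABEL MOUNTPOINT DIGEST_FILE   (hypothetical helper)
mount_verified() {
    # Resolve the label once and use that same device node for the hash
    # and for the mount, so the label is not looked up a second time.
    dev=$(readlink -f "/dev/disk/by-label/$1") || return 2
    verify_partition "$dev" "$3" || return $?
    # Read-only, so the mounted contents stay what was hashed. The check
    # covers the device at hash time only; it does not detect a device
    # exchanged after the hash completes.
    mount -o ro "$dev" "$2"
}
```

The digest file has to live on the root filesystem (for example one written with sha256sum right after an upgrade), never on the stick itself.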