Ubuntu 26.10 Looks To Strip Its GRUB Bootloader To The Bare Minimum For Better Security (www.phoronix.com)

submitted 1 day ago by cm0002@literature.cafe to c/linux@programming.dev

30 comments fedilink hide all child comments

top 30 comments

sorted by: hot top controversial new old

[-] grue@lemmy.world 28 points 1 day ago

Ripping out all of these GRUB features would basically mandate that most Ubuntu 26.10+ installations are done with the /boot partition being done on a raw EXT4 partition. Thus no more encrypted boot partition and having to rely on an EXT4 boot partition even if you are a diehard Btrfs / XFS / OpenZFS fan. Or you could opt for the non-signed GRUB bootloader that would be more full-featured albeit lacking Secure Boot and security compliance.

Reducing the signed GRUB builds to the minimum support necessary they feel would "[substantially] improve security". Users wanting those features back could use the non-signed GRUB builds albeit losing out on UEFI Secure Boot and security support.

How the Hell is any of that supposed to "improve" security? Something is fishy here.

[-] Dran_Arcana@lemmy.world 9 points 1 day ago

The simpler the arbitrary string/blob parsing logic the less this happens

https://app.opencve.io/cve/?product=grub2&vendor=gnu

I agree with you that it'd be nice if the cuts were a little shallower and allowed for an encrypted boot partition, but you could still have the system reasonably secure by encrypting the data partitions and signing the entire boot process to detect and abort decryption if the boot partition doesn't match signatures. You already have to do this with the efi partition if you're particularly paranoid about that attack vector, so this really isn't a new one.

[-] 0x0@lemmy.zip 17 points 1 day ago

Alternate title: Ubuntu hasn't discovered LILO.

[-] fruitcantfly@programming.dev 29 points 1 day ago

It’s probably easier to strip down GRUB, than it is to resurrect and add missing features to a project that has been dead for 10+ years

[-] 0x0@lemmy.zip 2 points 1 day ago* (last edited 1 day ago)

It's default for Slackware so i'd hardly call it dead.
And i doubt it's easier to strip a behemoth than it is to add features to a small code-base.

[-] fruitcantfly@programming.dev 3 points 1 day ago* (last edited 1 day ago)

I guess they have their own fork of it?

Upstream hasn’t seen a new release, nor any commits, since 2015: https://lilo.joonet.de/

ETA: It is also my understanding that LILO fundamentally does not support reading filesystems, while Canonical want to keep SquashFS, among others. Adding support for that to LILO, along with whatever other features are missing, would likely be a major undertaking

[-] 0x0@lemmy.zip 1 points 20 hours ago

I guess they have their own fork of it?

Upstream hasn’t seen a new release, nor any commits, since 2015: https://lilo.joonet.de/

Perhaps.
Has lilo needed any changes, though?
If it hasn't, then no commits and no feature creep.

[-] fruitcantfly@programming.dev 2 points 18 hours ago

Development stopped not because LILO didn’t need any changes, but because of its limitations (source):

NOTE: I have finished development of LILO at December 2015 because of some limitations (e.g. with BTFS, GPT, RAID). If someone want to develop this nice software further, please let me know ...

Also, I dunno what your position is on this, but it is amusing to see calls for Canonical to replace GPL licensed software, with something with a more lenient license (BSD-3-clause). Normally that would cause outrage around here

[-] 0x0@lemmy.zip 1 points 5 hours ago

I recall something about LILO nor supporting RAID when i tried it a few years ago.

but it is amusing to see calls for Canonical to replace GPL licensed software,

Par for the course with Canonical™, much like all the rust rewrites.

[-] dgriffith@aussie.zone 7 points 1 day ago* (last edited 1 day ago)

You mean

Not shown: user staring at a screen that is blank except for those two characters

[-] kilgore_trout@feddit.it 1 points 1 day ago

There are alternatives to LILO nowadays.

[-] muhyb@programming.dev 12 points 1 day ago

I did the same thing some time ago and installed systemd-boot.

[+] GreenKnight23@lemmy.world -12 points 1 day ago

bet you're regretting that with the recent news...

[-] TrickDacy@lemmy.world 16 points 1 day ago* (last edited 1 day ago)

Why would they exactly? Adding an age field would not likely have any impact on a bootloader. Also I'm not really sure what you reactionaries are thinking will happen. That laws will get passed but Linux as a whole will just refuse to follow the laws? It's a very incomplete thought process you all are stuck in. If the laws get passed, the entire Linux community is not just going to be able to ignore them.

[-] BladeFederation@piefed.social 5 points 1 day ago* (last edited 1 day ago)

I agree with you that there have been a lot of reactionary takes to this news. But I do think that many if not all Linux distributions can choose to ignore it, yes. I think it's inherently unenforceable. How is California supposed to have say over a random guy in the Netherlands who makes a distro? Even a distros based in California should be able to put a disclaimer that this OS is not to be used in the state of California. Maybe make a California version with age verification at worst. And then everyone will proceed to use the non age verification version because what is the government going to do? Kick in every door and manually check if your computer OS is in compliance? Even if they went to that extent (they won't), what is the criteria for criminally charging someone? What if you are just visiting California, do you have to reinstall your OS for a few days?

[-] TrickDacy@lemmy.world 3 points 1 day ago

I honestly don't know what enforcement actions would be taken, but I do think a company like Canonical could be held liable for anything seen as defying such new laws. Maybe you're right. That would make me happy if you are.

[-] BladeFederation@piefed.social 2 points 1 day ago* (last edited 1 day ago)

That does seem to be the intention, to hold companies liable, I just dont see how that would possibly work. Similar situations have happened with DMCA copyright stuff. Some foreign pirate sites were fined by the American government, and the sites literally told them to fuck off.

And what if some countries create laws that state you cannot recklessly gather users' personal information? Who do you obey? Do you pay a fine no matter what? Are you banned in one country? How would that be enforced?

Not only do I fundamentally disagree with what they're trying to do, it simply doesn't make sense in the first place, nor does their implementation.

[-] paraplu@piefed.social 2 points 1 day ago

I agree that a disclaimer might be the simplest path, but may not always be an option. I recall reading that for at least one distro their license didn't allow for geographic disclaimers.

Having a date field that defaults to 1/1/1970 or having the API needing to be toggled on (with a notice that California users may required to turn it on) could both be privacy respecting options.

Adding these features in a way that's intentionally unhelpful isn't necessarily rolling over, but may shield against lawsuits (IANAL).

[-] BladeFederation@piefed.social 2 points 1 day ago

That's certainly possible. It's hard to know for sure how it will look in practice, or if they will even attempt to enforce it in the first place. So many laws are "feel good" laws where nobody wants to say they're against protecting the children but nobody actually gives a shit about.

[-] clay_pidgin@sh.itjust.works 7 points 1 day ago

I don't like the idea on general, but I agree with the developer whose thread I read that suggested systemd was a good place to store the data so we don't end up with several layers from kernel to distro publisher to DE trying to roll their own.

[-] muhyb@programming.dev 7 points 1 day ago

Actually I'm even using systemd-boot on a systemd-free system as well. As far as I know, while it's part of systemd, it's not actually part of the suite. It's just a bootloader.

[-] jimmy90@lemmy.world -1 points 1 day ago

don't tell me you were predicting systemd would destroy linux and you oppose rust being in the kernel got any other takes for us genius?

[-] GreenKnight23@lemmy.world -1 points 1 day ago

systemd is scope creep cancer for Linux. the fact that an init system is making changes that store user information says enough why systemd is terrible. systemd is a solution looking for a problem to solve.

rust is a fad language that young devs use as a crutch because they refuse to learn c. the rust devs who are desperate to rewrite the kernel to rust are the embodiment of the problem that systemd exemplifies. they are the problem in search of a solution that nobody asked for.

in both cases, I couldn't care less because my opinions don't reflect me or my personality, they are simply just opinions.

it seems you mistook me for someone who would feel personally attacked when my opinions are questioned. your dismissive language of a simple comment shows how fragile your ego is and how you require community acceptance to fortify your opinions because they're based on an emotional bias instead of on observable truths.

[-] fruitcantfly@programming.dev 3 points 1 day ago

and another thing: im not mad. please dont put in the newspaper that i got mad.

[-] victorz@lemmy.world 11 points 1 day ago

How does Canonical make money anyway? It's been going for like two decades now...

[-] Speculater@lemmy.world 23 points 1 day ago* (last edited 1 day ago)

It appears to be mostly commercial or industry support type stuff and licensing fees for servers.

https://medium.com/@bokiko/ubuntu-is-free-but-the-company-behind-it-made-292-million-last-year-213c3ab5351a

[-] xSikes@feddit.online 9 points 1 day ago

Ubuntu Pro is a big one. FIPS 140-3 compliance for enterprise and gov/defense

[-] altphoto@lemmy.today 5 points 1 day ago

Well it's been a good ride. Time to mint.

[-] BoxOfFeet@lemmy.world 5 points 1 day ago

I've tried distro hopping occasionally over the last couple years. I keep coming back to Mint. It just fits my tastes and it works.

[-] altphoto@lemmy.today 1 points 16 hours ago

Yeah. The more I hear about it, the more I'm liking it.

this post was submitted on 25 Mar 2026

88 points (100.0% liked)

Linux

12991 readers

467 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago

MODERATORS

Ategon@programming.dev

anzo@programming.dev

dwraf_of_ignorance@programming.dev