Package: ipxe Version: 1.0.0+git-20120202.f6840ba-1 Severity: important The latest version of ipxe adds an entry to the grub menu by default. I don't believe it should do so by default, only if the user either installs a separate package (ipxe-grub or similar) or sets a configuration option, preferably the former to creating a new configuration option.
I would guess that most users have ipxe installed because qemu-kvm depends on it, rather than because they use it directly. popcon seems to agree: http://qa.debian.org/popcon-graph.php?packages=qemu-kvm+ipxe&show_installed=on&want_legend=on&from_date=&to_date=&hlght_date=&date_fmt=%25Y-%25m&beenhere=1 (Note in particular that qemu-kvm started depending on ipxe on 2011-07-26, and starting about that time ipxe sharply rose from near-0 to shadowing the qemu-kvm graph.) Most such users seem unlikely to use ipxe on the host system. In addition, having ipxe available from grub by default could break a system's security policy, which can otherwise carefully prevent booting anything other than the built-in options on the disk, and disable any other way to boot in both the BIOS and grub. (I haven't tagged this as a security bug because that would represent a fairly uncommon and definitely non-default configuration, but I could easily imagine a user not noticing a new boot option until the next time their system got rebooted.) Having ipxe available from grub definitely seems useful; it just shouldn't occur by default just from having the ipxe package installed, especially when that usually occurs as the result of a dependency. - Josh Triplett -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- no debconf information -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
