On Thu, Apr 16, 2009 at 8:56 PM, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
>> Not really -- I want to also encrypt stuff in /etc, /tmp and in /var
>> (configs, temp files, and app state data).
>
> Not sure if that makes too much sense.
>
> Either you are paranoid or you are not. Which means either you encrypt
> everything. Or you encrypt only /home. Anything in between makes not
> much sense.

That's not really a good argument -- in fact, it's not an argument at all. There is absolutely nothing worth encrypting in /usr, while the rest of the system may contain sensitive data. It has nothing to do with being "paranoid" -- it's a very sensible trade-off between disk encryption and performance + battery life, and it makes very good sense -- I'd like to see a compelling argument for encrypting /usr (apart from the danger of trojaning, which you're still running as long as you boot from a /boot partition and not a trusted source, like a keyfob that you never part with). Perhaps, if you are worried that someone will come after you for installing proprietary codecs or pirated software, but that's not something I'm concerned about.

> Also, while you might not directly notice this, but you silently lose
> a lot of functionality by doing this. Quite a few udev rules require
> stuff from /usr. If /usr is not available then they will be skipped.

How does my partitioning scheme make /usr unavailable at any point? It's an unencrypted partition on sda2 -- considering that the rest is a LUKS-encrypted LVM volume, the probability of something else failing before ext3 on sda2 becomes unavailable is orders of magnitude higher.

> Believe me: having /usr separate is currently broken on Fedora. How do
> I know? I used to run such a setup myself. And instead of trying to
> fix that brokenness by moving more and more stuff to / let's just get
> rid of this mess completely.

You wanted a reason not to? I gave a reason not to.

If we decide that the benefits of doing away with /usr outweigh drawbacks, then I will find a way to live with it. I simply wanted to point out that being able to mount the majority of system binaries on a separate partition from the rest of the system has a tangible benefit.

Regards,
--
Konstantin Ryabitsev
Montréal, Québec

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
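The layout argued for above (cleartext /usr on sda2, everything else on a LUKS-backed LVM volume) is only as good as the actual mount table, and it is easy for a path you meant to protect (/tmp on tmpfs, say) to end up off the encrypted stack. The script below is an added audit example, not code from the thread or from Fedora; it resolves each sensitive path to the mount that serves it and checks whether that mount's backing device is dm-crypt. The mount table and the device-to-backing map are constructed sample data embedded inline so the script runs offline; on a real host the same two inputs would come from /proc/mounts and from `lsblk -s -o NAME,TYPE` or `dmsetup table`.

```shell
#!/bin/sh
# Audit which of the paths we intend to protect actually sit on an
# encrypted (dm-crypt) backing device. Added example; sample data only.

# Constructed /proc/mounts-style table: device, mountpoint, fstype, opts.
SAMPLE_MOUNTS='/dev/mapper/vg-root / ext3 rw 0 0
/dev/sda2 /usr ext3 rw 0 0
/dev/mapper/vg-var /var ext3 rw 0 0
/dev/mapper/vg-home /home ext3 rw 0 0
/dev/sda1 /boot ext3 rw 0 0
tmpfs /tmp tmpfs rw 0 0'

# Constructed map of device -> what it ultimately rests on.
# "crypt" means a dm-crypt layer is in the stack; "disk" means a raw
# partition; "memory" is tmpfs (RAM, and cleartext swap if it pages out).
SAMPLE_BACKING='/dev/mapper/vg-root crypt
/dev/mapper/vg-var crypt
/dev/mapper/vg-home crypt
/dev/sda2 disk
/dev/sda1 disk
tmpfs memory'

# Paths the threat model says must be encrypted (hypothetical policy list).
SENSITIVE_PATHS="/ /etc /tmp /var /home"

# Print "device mountpoint" for the mount that serves a path: the longest
# mountpoint that is a prefix of the path wins, so /etc resolves to /.
mount_for_path() {
    printf '%s\n' "$SAMPLE_MOUNTS" | awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; dev = $1 }
            }
        }
        END { print dev " " best }'
}

# Print the backing class of a device, or "unknown" if it is not mapped.
backing_type() {
    printf '%s\n' "$SAMPLE_BACKING" | awk -v d="$1" '
        $1 == d { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# One line per sensitive path: path -> mountpoint on device backing.
audit_paths() {
    for p in $SENSITIVE_PATHS; do
        set -- $(mount_for_path "$p")
        printf '%-6s -> %-5s on %-22s %s\n' "$p" "$2" "$1" "$(backing_type "$1")"
    done
}

# Only the paths that are NOT on a dm-crypt device; empty output is the goal.
cleartext_paths() {
    audit_paths | awk '$NF != "crypt" { print $1 }'
}

audit_paths
printf 'Cleartext sensitive paths: %s\n' "$(cleartext_paths | tr '\n' ' ')"
```

With the sample data the report flags /tmp: it is on tmpfs, so it never touches the LUKS volume and its contents can reach cleartext swap. /usr is deliberately left out of the policy list, matching the layout argued for in the mail, and would show as "disk" if you added it.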