On Tue, 25 Apr 2023 at 15:33, Alexander Larsson <alexl@xxxxxxxxxx> wrote:
>
> On Tue, Apr 25, 2023 at 1:19 PM Miklos Szeredi <miklos@xxxxxxxxxx> wrote:
> >
> > On Thu, 20 Apr 2023 at 09:44, Alexander Larsson <alexl@xxxxxxxxxx> wrote:
> > > +There are two ways to tune the default behaviour. The kernel config
> > > +option OVERLAY_FS_VERITY, or the module option "verity=BOOL". If
> > > +either of these are enabled, then verity mode is "on" by default,
> > > +otherwise it is "validate".
> >
> > I'm not sure that enabling verity by default is safe. E.g. a script
> > mounts overlayfs but doesn't set the verity mount, since it's on by
> > default. Then the script is moved to a different system where the
> > default is off, which will result in verity not being enabled, even
> > though that was not intended. Is there an advantage to allowing to
> > change the default? I know it's done for most of the overlayfs
> > options, but I think this is different.
>
> I sort of agree, in particular because many filesystems still don't
> support verity, or need it to be specifically enabled.
> So, what about dropping "validate" and go with modes: "off, on,
> require", where "off" is the default?

Okay.

Thanks,
Miklos
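
Review bot: In the quoted documentation hunk, "If either of these are enabled" leaves the precedence undefined when the two settings disagree, for example OVERLAY_FS_VERITY enabled in the kernel config while the module is loaded with "verity=BOOL" set to a false value. The sentence should say which of the two wins in that case, so that an administrator can tell from the text alone what the effective default is. A smaller wording point in the same sentence: "either of these are" should read "either of these is".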