Subject: Re: /rescue, crunchgen'ed?
To: John Franklin <franklin@elfie.org>
From: Robert Elz <kre@munnari.OZ.AU>
List: current-users
Date: 09/03/2002 16:43:53
    Date:        Sat, 31 Aug 2002 09:25:51 -0400
    From:        John Franklin <franklin@elfie.org>
    Message-ID:  <20020831132550.GA12656@deathmitten.example.org>

  | On home-user machines, this is probably overkill.  But I don't like the
  | idea of a single crunchgen'd rescue either.  While this may seem
  | hypocritical, I *would* endorse a rescue kernel with md image.

All of you people looking for ways to avoid having a /rescue are
missing half of the point.

Sure, you can boot single user mode, and use it if things get bad, and
for that, having it buried inside an install type kernel, or on a separate
unmounted partition (or even away in a drawer on a floppy or CD) will work
for that (with varying amounts of inconvenience).

But none of those help when you have just done

	mv /lib/ld.so /lib/ld.so.old

intending to install a new one, and then you notice there's no way
to actually install the new version any more.

But /rescue/cp /new/ld.so /lib

and you're done - provided that /rescue is actually there, mounted,
ready to use.  Of course, this is just the same as would have been done
before with /bin/cp (that is, it is not an advantage of /rescue over
static linking /bin - just a requirement that /rescue remain on /,
as that's the only thing guaranteed mounted, and regardless of how many
copies of it, in what formats, you also put elsewhere.

On the other hand, the people pretending that /rescue is somehow unsafer
than static /sbin /bin are just deluding themselves.   I wouldn't say it
is safer, but it is no worse, crunchgen'd or not.

What's more, there are zillions of single points of failure that exist
now and we have all been living with.   Block 0 on the drive (or wherever
your system's firmware reads for booting) has to exist, on i386 if you're
not using the drive as dedicated NetBSD then also block 0 in the partition.
Then / /boot /sbin and /bin all need to exist and work correctly currently.
As well as at least /sbin/init and /bin/sh (or /bin/csh).   And then to
actually do anything more interesting than "echo *" and "test -d / || echo help"
a whole bunch of other things need to exist.

Requiring just / /rescue and /rescue/big-binary to actually exist (after
booting, which isn't being changed of course) is certainly not worse.

And even if things go bad, and you can't boot that way, you absolutely need
a way of booting that isn't using your normal root filesystem - just in case
that drive dies hard (like flames & smoke erupt from it...).   Whether that's
booting from floppy, or CD, or the net, or just another drive (in a different
cabinet if you want some safety) you absolutely have to have such a method,
or any talk at all about boot recovery is just noise.  This is required for
sane operation, regardless of what is static or dynamic in /.   If you have
it, you know you can always use it, and worrying about obscure bizarre failure
possibilities is just paranoia.

kre