I was just watching this presentation on GRUB from FOSDEM 2019:
and it mentions that Fedora has a large number of downstream patches. Before this, I didn’t realize how MANY PATCHES that GRUB2 has, in various distros. For example
So I need to stop thinking all GRUBS are alike.
I also note this recent Debian bug report, which suggests some GRUB network security issues (which do not appear to be Debian-centric):
I hope GRUB’s network issues can be improved, maybe the additional focus of firmware security researchers?