I was just watching this presentation on GRUB from FOSDEM 2019:
https://fosdem.org/2019/schedule/event/grub_upstream_and_distros/
and it mentions that Fedora has a large number of downstream patches. Before this, I didn’t realize how MANY PATCHES that GRUB2 has, in various distros. For example
https://src.fedoraproject.org/rpms/grub2/tree/master
https://build.opensuse.org/package/show/openSUSE:Factory/grub2
https://sources.debian.org/patches/grub2/2.04%7Erc1-2/
So I need to stop thinking all GRUBS are alike.
I also note this recent Debian bug report, which suggests some GRUB network security issues (which do not appear to be Debian-centric):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930217
I hope GRUB’s network issues can be improved, maybe the additional focus of firmware security researchers?
Firmware Security 