usb-creator operates on mounted filesystems, does not display confirmation dialogs, issue warnings about data loss

Bug #445810 reported by Rebecca Menessec
This bug affects 4 people
Affects: usb-creator (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: usb-creator

I think the summary is relatively self-explanatory.

I was attempting to create an installer on a USB flash drive on a Karmic machine with several pieces of USB media attached, including (apparently unwisely) my backup drive, where I was busily moving data I didn't want to lose when I reinstalled the machine from scratch.

I picked the wrong /dev/sd?, got no warnings, and am now trying to recover the disk from a backup superblock.

usb-creator-gtk needs to make some major usability changes:

* Stop listing /dev/sd[a-z][1-9] devices alongside /dev/sd[a-z] ones. It's a single piece of media, for most purposes. Pick one.
* Identify the devices as best as possible. If Nautilus can show spiffy SD and CF and generic disk icons, so can usb-creator-gtk.
* At an absolute minimum, displaying the current volume label (if there is one) would be enormously helpful.
* Issue at least one generic warning before performing any destructive operations.
* Issue a second warning for ext[2-4] and other Linux filesystems. Possibly a second warning for any non-WinDOS filesystems.
* Either refuse to operate on a mounted filesystem, or warn that it's mounted, and offer to unmount it.
* Stop bypassing back-end tools' refusal to operate on mounted filesystems until usb-creator-gtk has its own set.

mkdosfs (I'm guessing that was what was in operation) has completely gutted the drive. There's nothing left whatever. I did actually have some important information in there, including passwords and package tracking numbers and things.

Michał Gołębiowski-Owczarek (mgol) wrote :

I fully agree. Especially that former versions of usb-creator didn't show all these additional entries, only a pendrive partition. Now I see not only a pendrive /dev/sdc1 (which it did in past versions) and even not only my external HDD /dev/sdb1-6, but also /dev/sdb and /dev/sdc. It says nothing to a user and choosing /dev/sdb would - as I read - make all my data from 1 TB disk inaccessible (yeah, I can try to recover them, but...).

I actually think this is of critical importance. Partition-related issues should be reviewed much closer than other bugs. And the final version of Ubuntu definitely shouldn't be shipped with USB Disk Startup Creator in a state it is now.

Besides, for most of my entries there are yellow triangles, sth like a warning - it seems an app can actually tell apart a desired pendrive partition (the only one not triangle-marked - see attached screenshot) from others, it should just go one step further.

komputes (komputes)
Changed in usb-creator (Ubuntu):
status: New → Confirmed
komputes (komputes) wrote :

This sounds exactly like my comments on Bug #415103.

As these are many issues of usb-creator and not just one bug, perhaps we should go through all the issues and create individual bugs for each.

Daniel Richard G. (skunk) wrote :

I'd also point out Bug #443330 and Bug #446891, which have a similar thrust.

I would only demur on the delisting of partition devices---I'd like to be able to install the live system onto one partition of a multi-partition USB drive (e.g. partition 1 is data, and is what comes up under Windows, like a "normal" thumbdrive; partition 2 contains Ubuntu). Everything else is thumbs-up.

Michał Gołębiowski-Owczarek (mgol) wrote :

I'm against listing ALL partitions on local disks - they are displayed with warning yellow triangles anyway so why even display them? It can lead to a severe file system damage if an inexperienced user tries this...

Of course, all pendrive partitions should be visible. For most users pendrive already has only one partition so it's not a problem.

Daniel Richard G. (skunk) wrote :

Well, the yellow triangles signify either that the partition doesn't have enough free space to do the install, or (I think) that it doesn't have a compatible filesystem (presumably FAT16/FAT32). You may want to blow away a partition, which I think should be allowed, albeit only after clicking through a few klaxons and rotating lights.

For the common case---a USB drive with a single partition---it may make more sense to display something simpler, as listing /dev/sdx + /dev/sdx1 must be pretty confusing for non-technical users.

(Note that the app doesn't list "local disk" devices that are IDE/SATA and such; only those connected as USB mass-storage devices. And then, there is no differentiation between a USB flash-memory pendrive/thumbdrive and a USB magnetic-platter hard drive; you may want to, and should be able to, install the live system to the latter.)

Michał Gołębiowski-Owczarek (mgol) wrote :

Then again - even if choosing "triangled" partition should be allowed, it shouldn't be done the current way. It should lie under an option "show other devices (DANGEROUS)" or sth like that. Otherwise it will be confusing for non-technical users anyway.

komputes (komputes) wrote :

" the yellow triangles signify either that the partition doesn't have enough free space to do the install, or (I think) that it doesn't have a compatible filesystem (presumably FAT16/FAT32) "

1) It could also mean that the partition is currently mounted (but we don't know because these messages are not passed to the user via notification or tooltip).

2) From looking at other usb-creator bugs, I would say that FAT16 causes issues and FAT32 should be the only supported filesystem format for bootable USB disks created with this utility.

@Daniel, regarding "I'd like to be able to install the live system onto one partition"
Are you currently able to make a disk with two FAT32 partitions (say sdb1 and sdb2) and install ubuntu onto sdb2 using usb-creator?

Note: I will soon try to break apart this cluster-bug into the multiple "one subject" bugs that deal with each issue individually.

Daniel Richard G. (skunk) wrote :

> Are you currently able to make a disk with two FAT32 partitions (say sdb1 and sdb2) and install ubuntu onto sdb2 using usb-creator?

Yes, that's exactly how I'm doing it now. With the caveats that...

1. The two partitions have to be created by hand (using e.g. fdisk(8));

2. usb-creator won't play along if the disk geometry is off, so sometimes it is necessary to have usb-creator format the disk first (to set the geometry it wants), then repartition, and then install onto one of the partitions.

komputes (komputes) wrote :

Although this is a list of bugs, I would like to go through all of Rebecca's originally reported issues at this point. There are some very valid concerns being presented in this Bug. However, since there are many issues presented, I have done my best to separate them into bugs that exist and new bugs and give answers to the ones that will not have their own bug (in which case you may choose to open one after reading the explanation).

Bug A) Stop listing /dev/sd[a-z][1-9] devices alongside /dev/sd[a-z]
Answer A) I have spoken to the main developer of usb-creator who informs me that .img files for Ubuntu Mobile require the images to be written directly to the device, and not a partition. As well, a lot of USB disks come formatted as a single vfat filesystem without a partition table. The first is a corner case and this needs to be discussed with the Design team and the Mobile Team. The second is less important, as the drive can be wiped and a partition table can be created when (re-)formatting the disk. For the majority of users on the Ubuntu Desktop, this should be simplified as they/we are the largest use case. As previously mentioned by Daniel Richard G., the option of being able to have multiple bootable partitions on one disk is not officially supported by usb-creator. If necessary, I would suggest opening a bug for an "Advanced mode" for your use-case and for the Mobile Team's use-case. Bug #506586 was created for the change request to move back to simple device abstraction.

Bug B) Identify the devices as best as possible. If Nautilus can show spiffy SD and CF and generic disk icons, so can usb-creator-gtk. At an absolute minimum, displaying the current volume label (if there is one) would be enormously helpful.
Answer B) Formatting needs to be intuitive and safe. No confirmation is bad, but it is not the root of the issue. We need to assist the user in understanding which device they are formatting. USB Creator could wipe the wrong drive as many of us have experienced. We need to identify the DEVICE NAME (taken from lsusb), an icon of a USB Key, USB Drive, SD Card or CF Card icons, current volume label, size, and mount point. Bug #506602 was created for the change request to make formatting safe and intuitive.

Bug C) Issue at least one generic warning before performing any destructive operations.
Answer C) When warning that a device will be formatted, we need to present the Current Drive Name, request a New Name and warn "Please make sure you have backed up all data off this drive. $CURRENTNAME will be formatted to $NEWNAME". Bug #445810 (this bug) as well as Bug #446891 will be marked as a duplicate of the previously reported Bug #443330 (high priority) for the common data loss issue caused by no warning/confirmation.

Bug D) Issue a second warning for ext[2-4] and other Linux filesystems. Possibly a second warning for any non-WinDOS filesystems.
Answer D) One well formulated warning should be useful enough. Should you find that one warning is not enough, this should be brought up again. What is currently positive, is that usb-creator will not show any internal (IDE/SATA disks) which lowers risk of formatting an important filesystem....


Daniel Richard G. (skunk) wrote :

komputes, thank you for delineating all these various related issues affecting usb-creator! It seemed like all the bugs were blurring together :-)

I pretty much agree with everything you've said, including bug D (Linux filesystems don't warrant extra warnings against impending destruction).

The only caveat I'd bring up is with bug E. I agree that usb-creator should consider mounted filesystems off-limits. However, right now, when you start up usb-creator, it basically detects and mounts all unmounted USB drive partitions (even those that are gone after a "Safely remove drive" action)---it's like everything was plugged back in again. If usb-creator is going to leave mounted drives alone, that behavior is going to have to change.

komputes (komputes) wrote :

Hi Daniel,

Thanks for the appreciation. It took a few hours but I hope it was worth it and results in a more efficient task list for the developers, therefore creating a better application.

The difference between "Unmount", "Eject" and "Safely Remove Drive" present when right-clicking on external or optical devices in Ubuntu 9.10 are:

    * unmount - because you want to unmount the media without ejecting it (for example if you were going to reformat or to check the file system for errors)

    * eject - to eject the disc (CD/Floppy - Open door or mechanical push-out)

    * safely remove - to safely remove the drive without ejecting the media (note that if it's an internal card reader it will then be unavailable until you next reboot)

If you say that after using "Safely remove drive" the drive still shows up in usb-creator then that should be reported as a new bug. Please reproduce the issue, then use the command 'ubuntu-bug usb-creator' to create the bug. Afterwards, upload ~/.usb-creator.log to that bug. You may also want to post the bug number here afterwards. Thank you.

Daniel Richard G. (skunk) wrote :

I understand the distinction between unmount, eject and safe-remove, but the issue isn't that a drive "still" appears in usb-creator after being removed. (Note that I'm only talking about the safe-remove action, not physical disconnection from the USB bus.)

What happens is that on startup, usb-creator does some sort of udev/dbus-fu that causes all plugged-in USB drive partitions to reappear (if they aren't mounted already) on the desktop---icons, automount, everything. The drive/partition that had been previously unmounted, or safe-removed, is suddenly present again as if it had been reconnected and redetected, in addition to being listed in usb-creator's list of devices.

komputes (komputes) wrote :

Hi Daniel,

I understand what you are saying, however after a discussion with Evan, I would support the point of view that this is not a usb-creator bug. I completely agree that using 'safely remove' should not allow any application to access the device (unmount - yes, safely remove - no).

That said, usb-creator shouldn't have access to drives that were safely removed (no application should). Ah, but it does - why is that? Let's delve in...

If you believe that a device needs to be physically removed and reinserted after the 'safely remove' process, then that particular hook should drop the device out of udev. The 'safely remove' functionality in gnome does not drop the device out of udev. I suspect gio is the hook which is guilty of making the device still available to udev and therefore to usb-creator.

Therefore it's a gnome bug not a usb-creator one where the functionality of 'safely remove' should be changed. I would request that you report this bug. Not sure against which package though. I think it may be gvfs if not gnome-utils or gnome-mount, sorry... not sure. Hope this helps!

Daniel Richard G. (skunk) wrote :

I don't think the Gnome/udev behavior in and of itself is a problem; there are times when a "Redetect all connected filesystems" function would be useful, and in the absence of that, I've often started up and immediately exited usb-creator solely for that effect. It's inconvenient to have to physically disconnect and reconnect a drive as the only way to get the system to notice it again.

The problem is that usb-creator does this on startup, and then if it is to operate only on unmounted partitions, there would be none that the user could select (because, duh, it just re-mounted all of them).

Why couldn't usb-creator just *not* do that when it starts up, and scan for available partitions via traditional means, much like "fdisk -l"?

komputes (komputes) wrote :

So the issue is that usb-creator shouldn't mount anything on its own, and leave it up to the system to mount the disk. In that case, I would ask that you file a feature request for this behavior. Please let me know the bug number when this is done. Thank you.

Daniel Richard G. (skunk) wrote :

Okay, I've just filed Bug #507309, which addresses that issue specifically.
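
The check this thread keeps returning to (refuse a target while it, or any partition on it, is mounted, and find that out without mounting anything) can be done by reading the kernel's mount table. The following is an added example, not usb-creator's code and not written by anyone in this thread. The function names are hypothetical, the mount table is a constructed sample, and only /dev/sdX-style names are handled.

```python
import re
import sys

# Constructed sample in /proc/mounts format: device, mount point, fstype, options.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/backup ext3 rw,nosuid,nodev 0 0
/dev/sdb5 /media/My\\040Data vfat rw,nosuid,nodev 0 0
"""

def parse_mounts(text):
    """Map each mounted /dev node to its mount point."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].startswith("/dev/"):
            # The kernel writes spaces and similar characters as octal escapes.
            mounts[fields[0]] = re.sub(
                r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[1])
    return mounts

def covered_by(target, device):
    """True if writing to `target` would also overwrite `device`."""
    if device == target:
        return True
    # Only a whole disk (/dev/sdb) covers its partitions (/dev/sdb1, /dev/sdb5).
    whole_disk = not target[-1].isdigit()
    return whole_disk and re.fullmatch(re.escape(target) + r"\d+", device) is not None

def blocking_mounts(target, mounts_text):
    """List (device, mount point) pairs that must be unmounted first."""
    return sorted((dev, mp) for dev, mp in parse_mounts(mounts_text).items()
                  if covered_by(target, dev))

def preflight(target, mounts_text):
    """Return (ok, message); ok is False while anything on target is mounted."""
    busy = blocking_mounts(target, mounts_text)
    if busy:
        detail = ", ".join(f"{dev} on {mp}" for dev, mp in busy)
        return False, f"Refusing to format {target}: still mounted ({detail})"
    return True, f"{target} has no mounted filesystems"

if __name__ == "__main__":
    # Read-only check against the live table; nothing is mounted or unmounted.
    ok, message = preflight(sys.argv[1], open("/proc/mounts").read())
    print(message)
    sys.exit(0 if ok else 1)
```

Selecting the whole disk reports every mounted partition on it, which is the case the original report describes; selecting a single partition reports only that partition.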
