Bug#991478: [shim-signed] RFE: do not brick users' systems in the stable distribution

To: submit@bugs.debian.org
Subject: Bug#991478: [shim-signed] RFE: do not brick users' systems in the stable distribution
From: Roman Mamedov <rm@romanrm.net>
Date: Sun, 25 Jul 2021 16:01:23 +0500
Message-id: <[🔎] 20210725160123.03e0a9bf@natsu>
Reply-to: Roman Mamedov <rm@romanrm.net>, 991478@bugs.debian.org

Package: shim-signed
Severity: grave

Starting from 1.34~1+deb10u1 and its corresponding "***WARNING***", now the
arm64 shim "is no longer signed".

As a result, after a mundane package upgrade and a reboot, all of my remote
arm64 machines do not boot anymore. I was not aware that the cloud provider
actually uses this "secure boot", else I'd pay more attention to that
"WARNING".

In any case, relying on the user reading upgrade notes, and then to scramble
rolling back the upgrade and holding the affected package ASAP, else the
system is bricked, is not a responsible package policy.

I would humbly suggest that you kept the latest signed version frozen at least
in "buster" with no further updates, until the signing issue is resolved. Or
as of now, release another update with the signed version in place.

P.S. just noticed 1.36~1+deb10u2 tried to do something about the boot breakage
- evidently that did not help.

-- 
With respect,
Roman

Reply to:

Follow-Ups:
- Bug#991478: [shim-signed] RFE: do not brick users' systems in the stable distribution
  - From: Steve McIntyre <steve@einval.com>

Prev by Date: Re: Bug#990447: fwupdmgr: Unable to install new updates
Next by Date: Bug#991478: [shim-signed] RFE: do not brick users' systems in the stable distribution
Previous by thread: Re: fbx64.efi hangs after Debian 10.10 shim update
Next by thread: Bug#991478: [shim-signed] RFE: do not brick users' systems in the stable distribution
Index(es):
- Date
- Thread