Bug#1040901: linux modules must not be signed with CA key, bump ABI every upload

To: 1040901@bugs.debian.org
Subject: Bug#1040901: linux modules must not be signed with CA key, bump ABI every upload
From: Julian Andres Klode <jak@debian.org>
Date: Wed, 12 Jul 2023 15:53:11 +0200
Message-id: <[🔎] 20230712155146.GA2190992@debian.org>
Reply-to: Julian Andres Klode <jak@debian.org>, 1040901@bugs.debian.org
In-reply-to: <[🔎] 20230712095229.GA1878283@debian.org>
References: <[🔎] 20230712095229.GA1878283@debian.org> <[🔎] 20230712095229.GA1878283@debian.org>

On Wed, Jul 12, 2023 at 10:05:03AM +0200, Julian Andres Klode wrote:
> Source: linux
> Version: 6.3.0-7.7
> Severity: grave
> Tags: security
> X-Debbugs-Cc: jak@debian.org
> 
> I know there's some work in progress but it appears we don't have a bug
> for it yet. I raised this yesterday in our weekly upstream shim/grub
> cabal meetings and Debian's current approach to sign modules with the
> same key and not bump ABI on every upload should be considered a bug.

FWIW, I'm adding this formally as a requirement to the shim-review
process in

https://github.com/rhboot/shim-review/pull/337

So that we do not accidentally accept submissions with this bug
anymore.
-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

Reply to:

References:
- Bug#1040901: linux modules must not be signed with CA key, bump ABI every upload
  - From: Julian Andres Klode <jak@debian.org>

Prev by Date: Bug#1040910: Nvidia firmware missing on Testing
Next by Date: Bug#1040955: linux-image-6.1.0-10-amd64 | drm/i915 Intel GFX Driver crashes kernel
Previous by thread: Processed: Re: linux modules must not be signed with CA key, bump ABI every upload
Next by thread: Bug#1040901: linux modules must not be signed with CA key, bump ABI every upload
Index(es):
- Date
- Thread