[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#991478: [shim-signed] RFE: do not brick users' systems in the stable distribution



Hi Roman,

On Sun, Jul 25, 2021 at 04:01:23PM +0500, Roman Mamedov wrote:
>Package: shim-signed
>Severity: grave
>
>Starting from 1.34~1+deb10u1 and its corresponding "***WARNING***", now the
>arm64 shim "is no longer signed".
>
>As a result, after a mundane package upgrade and a reboot, all of my remote
>arm64 machines do not boot anymore. I was not aware that the cloud provider
>actually uses this "secure boot", else I'd pay more attention to that
>"WARNING".

Which provider is using secure boot on arm64 at this point? I've not
heard of any. Can you share details of package versions etc. for that
please?

>In any case, relying on the user reading upgrade notes, and then to scramble
>rolling back the upgrade and holding the affected package ASAP, else the
>system is bricked, is not a responsible package policy.
>
>I would humbly suggest that you kept the latest signed version frozen at least
>in "buster" with no further updates, until the signing issue is resolved. Or
>as of now, release another update with the signed version in place.

Sorry, but that's not an option - the older version of shim left
multiple high-security issues open, allowing people to easily break
into a Secure Boot setup.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
'There is some grim amusement in watching Pence try to run the typical
 "politician in the middle of a natural disaster" playbook, however
 incompetently, while Trump scribbles all over it in crayon and eats some
 of the pages.'   -- Russ Allbery


Reply to: