Bug#991478: [shim-signed] RFE: do not brick users' systems in the stable distribution

On Sun, Jul 25, 2021 at 04:01:23PM +0500, Roman Mamedov wrote:
>Starting from 1.34~1+deb10u1 and its corresponding "***WARNING***", now the
>arm64 shim "is no longer signed".
>As a result, after a mundane package upgrade and a reboot, all of my remote
>arm64 machines do not boot anymore. I was not aware that the cloud provider
>actually uses this "secure boot", else I'd pay more attention to that

Which provider is using secure boot on arm64 at this point? I've not
heard of any. Can you share details of package versions etc. for that

>In any case, relying on the user reading upgrade notes, and then to scramble
>rolling back the upgrade and holding the affected package ASAP, else the
>system is bricked, is not a responsible package policy.
>I would humbly suggest that you keep the latest signed version frozen at least
>in "buster" with no further updates, until the signing issue is resolved. Or
>as of now, release another update with the signed version in place.

Sorry, but that's not an option - the older version of shim left
multiple high-security issues open, allowing people to easily break
into a Secure Boot setup.

Steve McIntyre, Cambridge, UK. firstname.lastname@example.org