
Bug#1039058: shim-signed: Incorrectly depends on grub packages (grub-efi-amd64-bin, grub2-common)



Hello Wolf, maintainers,

On 25/06/2023 at 09:35, Wolf wrote:

         Was attempting to uninstall grub after switching to systemd-boot
     and adding it via mokutil to the allowed binaries for shim-signed.
(...)
         Effective workaround after shim-signed got uninstalled and system
     could no longer boot Linux: Extracted the shim-signed bootloader from
     the .deb and manually copied the file back into place as a stopgap.

         Side effect of workaround:

         No automatic updates when updates to shim-signed are released, need
     to notice it + unpack the update manually.

I guess shim-signed depends on grub2-common and grub-efi-amd64-bin packages because its postinst script calls grub-install to reinstall GRUB+shim files in the EFI partition on install or update. So even if the package dependency was removed and shim-signed could be installed without grub*, shim files in the EFI partition still would not be updated.

I am not the maintainer, but here is my opinion on this topic:

Calling grub-install in shim-signed postinst script is messy and wrong.
- It duplicates code from grub-efi-amd64 postinst script and must be kept in sync with it, e.g. to handle new debconf settings (force-extra-removable, no-nvram...).
- Also it runs grub-install even if grub-efi-amd64 is not installed.

Wouldn't a dpkg trigger to run grub-efi-amd64 (or any other bootloader using shim) postinst script on shim-signed update be a better option?
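
The trigger-based arrangement proposed above, sketched as an added example that is not part of the original message and is not Debian's packaging code. The trigger name `shim-signed-update` and the `reinstall_bootloader` helper are hypothetical; `interest-noawait`, `dpkg-trigger --no-await` and the `triggered` postinst argument are standard dpkg mechanisms.

```shell
#!/bin/sh
# Sketch of a boot loader package's postinst reacting to a shim update.
#
# Boot loader package, DEBIAN/triggers:
#     interest-noawait shim-signed-update
# shim-signed postinst then only announces the update, with no grub-install call:
#     dpkg-trigger --no-await shim-signed-update
# Only installed packages that declared interest are run, so nothing
# boot-loader specific has to live in (or be depended on by) shim-signed.

SHIM_TRIGGER="shim-signed-update"   # hypothetical trigger name
REINSTALL_COUNT=0                   # lets a caller observe what ran

# Hypothetical stand-in for the boot loader's own install routine, which
# already knows its debconf settings (force-extra-removable, no-nvram...).
reinstall_bootloader() {
    REINSTALL_COUNT=$((REINSTALL_COUNT + 1))
    echo "reinstalling boot loader and shim files in the EFI partition"
}

# dpkg calls postinst as: postinst configure <old-version>
#                     or: postinst triggered "<space-separated trigger names>"
bootloader_postinst() {
    action="$1"
    case "$action" in
        configure)
            reinstall_bootloader
            ;;
        triggered)
            # Several triggers may be delivered in one call; act once.
            for t in $2; do
                if [ "$t" = "$SHIM_TRIGGER" ]; then
                    reinstall_bootloader
                    return 0
                fi
            done
            ;;
        abort-upgrade|abort-remove|abort-deconfigure)
            ;;
        *)
            echo "postinst called with unknown argument '$action'" >&2
            return 1
            ;;
    esac
}
```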

