Re: Upcoming changes to Debian Linux kernel packages

To: debian-kernel@lists.debian.org, debian-boot@lists.debian.org, debian-release@lists.debian.org, debian-security@lists.debian.org, dkms@packages.debian.org, Bastian Blank <waldi@debian.org>
Subject: Re: Upcoming changes to Debian Linux kernel packages
From: Andreas Beckmann <anbe@debian.org>
Date: Sun, 24 Sep 2023 23:10:36 +0200
Message-id: <[🔎] a9afc64a-18b7-9c02-dc05-b0216ec12af2@debian.org>
In-reply-to: <[🔎] 20230924130147.qwnjrq4nvkm75wbt@shell.thinkmo.de>
References: <[🔎] 20230924130147.qwnjrq4nvkm75wbt@shell.thinkmo.de>

On 24/09/2023 15.01, Bastian Blank wrote:

## Kernel modules will be signed with an ephemeral key

The modules will not longer be signed using the Secure Boot CA like the
EFI kernel image itself.  Instead a key will be created during the build
and thrown away after.

Do I correctly assume that change only affects the modules shipped bythe linux-image packages and not third-party modules built with dkms?

## Header and tool packages will not longer contain version

This means that only headers of one single version can be available on
the system at one time.  This might be a bit inconvinient for dkms, as
it can't longer build modules for multiple versions.

That sounds problematic in case of third party modules. If it ispossible to have multiple linux-image-* packages installed, but onlyheaders for one of them, the third-party modules will only be availablefor one of the kernel versions for sure (maybe there are still oldmodule builds available, but no guarantee especially after thethird-party module got updated). This will make switching betweendifferent kernel versions difficult to impossible, e.g. it may be hardto go back to a working older kernel version in case the new one doesnot work properly (or the third-party module cannot be built or does notwork for the new version).

Regarding getting the correct linux-header-* packages installed for theinstalled linux-image-* packages:

Maybe linux-image-* could have
  Recommends: linux-headers-* | no-linux-headers

s.t. the correct linux-headers-* are installed by default (installationof recommends is enabled by default) for all installed linux-image-*packages. no-linux-headers would be an opt-out package that can beinstalled manually if someone does not want to get linux-headers-*installed at all. It should never be installed automatically.

For dkms it is hard recommend the correct linux-header-* package, rightnow we haveRecommends: linux-headers-generic | linux-headers-686-pae |linux-headers-amd64 | linux-headerswhich does not really work for the non-default kernel flavor, e.g. the-cloud or -i386 kernel. So some improvement on the kernel side would benice here.



Andreas

Reply to:

Follow-Ups:
- Re: Upcoming changes to Debian Linux kernel packages
  - From: Bastian Blank <waldi@debian.org>

References:
- Bug#1040901: Upcoming changes to Debian Linux kernel packages
  - From: Bastian Blank <waldi@debian.org>

Prev by Date: Bug#1052554: Acknowledgement (linux-image-6.5.0-1-amd64: amdgpu crashes)
Next by Date: Re: Upcoming changes to Debian Linux kernel packages
Previous by thread: Re: Bug#1040901: Upcoming changes to Debian Linux kernel packages
Next by thread: Re: Upcoming changes to Debian Linux kernel packages
Index(es):
- Date
- Thread