Recently there has been a discussion within upstream fwupd to start including the UEFI dbx revocation list directly with the fwupd package. During the code review for this, as part of reviewing the terms included with it, there are concerns about whether this would fit within the DFSG. Would it be possible to request a review of these terms to determine if this is appropriate to distribute in Debian?
Furthermore, if it is not acceptable to distribute this raw data in Debian, one of the options being considered is to programmatically re-generate a list of invalid hashes but without the signatures in the original file. Would that be acceptable to distribute in Debian instead?