Re: UEFI Revocation List being distributed by Debian
* Paul Wise:
> This sort of data is liable to be out of date if included in the
> source code of fwupd, I think this should be separate to fwupd in the
> same way that tzdata is separate to glibc and DNSSEC root keys are
> separate to DNS servers and the web PKI CAs should be separate to web
> browsers. I suggest that fwupd download it directly from the UEFI
> website and update the copy within the boot firmware that way.
It also has to be optional and disabled by default because a future
dbx update may be specifically designed to stop Debian systems from
booting. No Debian user will want to install such an update.