Re: New buster-lts upload of shim

To: Utkarsh Gupta <guptautkarsh2102@gmail.com>, team@security.debian.org, debian-lts@lists.debian.org
Subject: Re: New buster-lts upload of shim
From: Steve McIntyre <steve@einval.com>
Date: Thu, 9 Mar 2023 14:43:09 +0000
Message-id: <[🔎] 20230309144309.GS3445887@tack.einval.com>
In-reply-to: <Y9l3fFkjELEZlC/F@eldamar.lan>
References: <20230131155655.GR1836860@tack.einval.com> <Y9laMQWpggdsEd5h@eldamar.lan> <CAPP0f97vGcn-xcmFPZ7XMYiAzqBe1Xfpck7r4xUkayo7vh5Wjw@mail.gmail.com> <20230131200030.GJ9680@tack.einval.com> <Y9l3fFkjELEZlC/F@eldamar.lan>

Hey all!

On Tue, Jan 31, 2023 at 09:18:04PM +0100, Salvatore Bonaccorso wrote:
>Utkarsh,
>
>On Tue, Jan 31, 2023 at 08:00:30PM +0000, Steve McIntyre wrote:
>> On Wed, Feb 01, 2023 at 01:18:46AM +0530, Utkarsh Gupta wrote:
>> >Hi Steve,
>> >
>> >On Tue, Jan 31, 2023 at 11:43 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
>> >> > I've just uploaded a new shim update for buster, based on the latest
>> >> > update in unstable today. Please accept it quickly so we can get the
>> >> > binaries out and signed ASAP?
>> >>
>> >> The upload is already accepted, but I'm including as well the LTS list
>> >> for information (as the update should be accompanied with a DLA
>> >> describing the update).
>> >
>> >Thank you for the upload. I can prepare the paperwork but can you
>> >point out what bugs we're fixing in this update? I need to write
>> >something in the advisory. :)
>> 
>> It will eventually (once we get the signed version through) fix a few
>> bugs, such as (skimming the BTS):
>> 
>>  * #995940
>>  * #995155
>> 
>> and maybe others. More importantly, it's needed to keep us updated
>> with recent shim requirements so Secure Boot will continue to
>> work. Our older shim binaries are at risk of being blocked soon-ish.
>> 
>> I'd be tempted to hold back on the DLA and write a single one for shim
>> and shim-signed when that turns up.
>
>Some helpful context might be here: https://lists.debian.org/debian-boot/2023/01/msg00221.html
>
>For the DLA, I think the situation is very similar to grub or linux,
>only for the main source package the advisory is actually issued, but
>not for the signed packages (but I might have missunderstood what you
>wanted to propose).

As you'll have probably seen, I've uploaded shim-signed last
night. Next up, some grub updates...

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
'There is some grim amusement in watching Pence try to run the typical
 "politician in the middle of a natural disaster" playbook, however
 incompetently, while Trump scribbles all over it in crayon and eats some
 of the pages.'   -- Russ Allbery

Reply to:

Follow-Ups:
- Re: New buster-lts upload of shim
  - From: Utkarsh Gupta <guptautkarsh2102@gmail.com>

Prev by Date: EC SRM key for bookworm?
Next by Date: Re: New buster-lts upload of shim
Previous by thread: EC SRM key for bookworm?
Next by thread: Re: New buster-lts upload of shim
Index(es):
- Date
- Thread