
Bug#927816: unblock: shim-signed/1.30



Control: tags -1 -moreinfo

On Tue, Apr 23, 2019 at 07:41:00PM +0000, Niels Thykier wrote:
>Control: tags -1 moreinfo
>
>Steve McIntyre:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian.org@packages.debian.org
>> Usertags: unblock
>> 
>> Please unblock package shim-signed
>> 
>> We've just got new signatures back from Microsoft to match our shim
>> binaries for amd64, i386 and arm64. I've fixed up the packaging a lot
>> to accommodate the new arches (previously we had amd64 only).
>> 
>> We've made a lot of progress with shim, and we're nearing the end of
>> the process for Secure Boot in Buster. I'm asking for this unblock
>> today to cover most of what we need, with potentially a further
>> unblock for a new set of signed binaries with some shim bugfixes to
>> come. That'll depend on how long new signatures take to come. (Yay!).
>> 
>> The main set of changes here are in version 1.29.
>> 
>> [...]
>
>Hi,
>
>Thanks for the work on shim-signed.
>
>I am mostly happy with the changes, except for ...
>
>> diff -Nru shim-signed-1.28+nmu1/debian/control shim-signed-1.30/debian/control
>> --- shim-signed-1.28+nmu1/debian/control	2018-11-04 07:09:26.000000000 +0000
>> +++ shim-signed-1.30/debian/control	2019-04-22 23:59:15.000000000 +0100
>> @@ -1,15 +1,34 @@
>>  Source: shim-signed
>>  Section: utils
>>  Priority: optional
>> -Maintainer: Steve Langasek <vorlon@debian.org>
>> -Build-Depends: debhelper (>= 9), shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf
>> -Standards-Version: 3.9.4
>> +Maintainer: Debian EFI Team <debian-efi@lists.debian.org>
>> +Uploaders: Steve McIntyre <93sam@debian.org>, Steve Langasek <vorlon@debian.org>
>> +Build-Depends: debhelper (>= 9),
>> +# Need shim-unsigned version 15+1533136590.3beb971-5 so we can check the
>> +# signature on the right version of shim. Version -6 saw arm64 toolchain
>> +# changes that changed the binary. Ugh. :-(
>> + shim-unsigned (= 15+1533136590.3beb971-5),
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
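
Review bot: the strict "=" pin on the last added line, shim-unsigned
(= 15+1533136590.3beb971-5), makes the source buildable only while that
one binary revision is installable, and the comment above it explains
why -5 is needed but not what a later uploader has to do when the
archive moves on. Since the comment already records that -6 changed the
arm64 binary, extend it with the rule to follow: the pin changes only
together with a new set of signatures made for that exact shim-unsigned
build. Separately, the Standards-Version: 3.9.4 line is removed and no
replacement appears in the lines quoted here, so it is worth confirming
that one is added further down in the file.
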
>
>Testing has -6, so shim-signed is B-D'ing on a non-existent package
>version.  IOW it will not be buildable in buster and unblocking it (plus
>forcing it) would imply breaking the self-containedness of buster.

ACK. The existing version in Buster is just as unbuildable, in fact,
so this is not a regression. Sorry. :-(

The shim<->shim-signed relationship is a difficult one for us to
handle, due to the significant delay in getting things signed. I was
hoping in this release that we'd be saved by reproducibility, then gcc
changes altered the binary output for the arm64 build between
shim-unsigned -5 and -6.

Please could we have a force-unblock for this now? This will give us a
significant improvement over what we have, in terms of supporting two
more architectures.

As I've mentioned already IRL (but mentioning here for the record
too!), I'm planning one more set of changes to shim in the next few
days. That would be for cherry-picking some upstream fixes that are
very much wanted. I'm just checking with doko right now about any more
gcc uploads that might cause more binary changes for us - I *really*
want this to be the last upload for Buster and it would help a lot if
the reproducibility is reliable now.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
You raise the blade, you make the change... You re-arrange me 'til I'm sane...
