
Disappearing shim-signed after failed dist-upgrade



A recent dist-upgrade on Buster (in a scripted cron job run at 01:00 daily) failed due to apt-listbugs complaining about the boot-breaking bug in shim-signed, and pinning v1.33 in the process.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990082

The next (manual) dist-upgrade removed shim-signed v1.33

$ cat /var/log/apt/history.log
Start-Date: 2021-06-20  18:33:29
Commandline: apt-get -y dist-upgrade
Requested-By: xxxxxxxxx (1000)
Upgrade: shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7, 1.36~1+deb10u1+15.4-5~deb10u1)
Remove: shim-signed:amd64 (1.33+15+1533136590.3beb971-7)
End-Date: 2021-06-20  18:33:30

unattended-upgrades (which I had forgotten was installed) upgraded some related packages earlier the same day, but not shim-signed itself:

$ cat /var/log/apt/history.log
Start-Date: 2021-06-20  06:26:31
Commandline: /usr/bin/unattended-upgrade
Upgrade: shim-helpers-amd64-signed:amd64 (1+15+1533136590.3beb971+7+deb10u1, 1+15.4+5~deb10u1), shim-unsigned:amd64 (15+1533136590.3beb971-7+deb10u1, 15.4-5~deb10u1)
End-Date: 2021-06-20  06:26:34

The only references to shim-signed in apt history logs were the initial Buster installation, and the recent removal:

/var/log/apt$ grep -n "shim-signed:" history.log*
history.log:209:Remove: shim-signed:amd64 (1.33+15+1533136590.3beb971-7)
history.log.6:33:Install: [...] shim-signed:amd64 (1.33+15+1533136590.3beb971-7) [...]


As I don't currently use secure boot, I ignored the bug warnings when I reinstalled it and dependencies (the buster-updates version per the email from debian-stable-announce yesterday:
https://lists.debian.org/debian-stable-announce/2021/06/msg00001.html)

...but still:

$ apt policy shim-signed
shim-signed:
  Installed: 1.36~1+deb10u2+15.4-5~deb10u1
  Candidate: 1.36~1+deb10u2+15.4-5~deb10u1

$ apt-listbugs list shim-signed
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
grave bugs of shim-signed (→ ) <Outstanding>
 b1 - #990082 - High chance of boot problems with buster's version of arm64 shim
grave bugs of shim-signed (→ ) <Resolved in some Version>
 b2 - #987991 - shim-signed: Recent dbx update blacklists shimx64.efi (1.33+15+1533136590.3beb971-7) (Fixed: shim-signed/1.34)
Summary:
 shim-signed(2 bugs)

$ apt-listbugs list shim-signed-common
critical bugs of shim-signed-common (→ ) <Outstanding>
 b1 - #990158 - shim-signed-common: No UEFI boot with error "Could not create MokListXRT"
Summary:
 shim-signed-common(1 bug)

Is this referring to the non buster-updates package?

Can anyone enlighten me as to:

Why might shim-signed v1.33 have been removed by dist-upgrade despite the previous upgrade attempt having been aborted by apt-listbugs?

What's the best way to reinstall an older package version and its old dependencies if affected by something like this, and it isn't to be found in /var/cache/apt/archives?

Thanks,
Gareth
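
An added example, not part of the original post: a stanza-aware reading of the apt history.log format quoted above that reports every transaction touching UEFI boot-chain packages, so a removal like the one described stands out along with the command that caused it. The sample log is constructed from the two transactions in the post; the watch list and the function names are assumptions.

```python
import re

# Constructed sample in /var/log/apt/history.log format, built from the two
# transactions quoted in the post above.
SAMPLE_LOG = """\
Start-Date: 2021-06-20  06:26:31
Commandline: /usr/bin/unattended-upgrade
Upgrade: shim-helpers-amd64-signed:amd64 (1+15+1533136590.3beb971+7+deb10u1, 1+15.4+5~deb10u1), shim-unsigned:amd64 (15+1533136590.3beb971-7+deb10u1, 15.4-5~deb10u1)
End-Date: 2021-06-20  06:26:34

Start-Date: 2021-06-20  18:33:29
Commandline: apt-get -y dist-upgrade
Requested-By: xxxxxxxxx (1000)
Upgrade: shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7, 1.36~1+deb10u1+15.4-5~deb10u1)
Remove: shim-signed:amd64 (1.33+15+1533136590.3beb971-7)
End-Date: 2021-06-20  18:33:30
"""

# Assumed watch list of boot-chain packages; adjust for the host being audited.
WATCHED = {"shim-signed", "shim-signed-common", "shim-unsigned"}
ACTIONS = ("Install", "Upgrade", "Downgrade", "Remove", "Purge")
# One entry is "name:arch (version)" or "name:arch (old, new)"; the commas
# inside the parentheses mean the line cannot simply be split on ", ".
ENTRY = re.compile(r"([^\s:,]+):(\S+) \(([^)]*)\)")

def parse_history(text):
    """Yield one field dict per transaction (stanzas are blank-line separated)."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Start-Date" in fields:
            yield fields

def boot_chain_changes(text, watched=WATCHED):
    """Return (start, commandline, action, package, versions) per watched package."""
    hits = []
    for tx in parse_history(text):
        for action in ACTIONS:
            for name, _arch, versions in ENTRY.findall(tx.get(action, "")):
                if name in watched:
                    hits.append((tx["Start-Date"], tx.get("Commandline", "?"),
                                 action, name, versions))
    return hits

def removals(text):
    """Only Remove/Purge events, the case described in the post."""
    return [h for h in boot_chain_changes(text) if h[2] in ("Remove", "Purge")]

if __name__ == "__main__":
    for hit in boot_chain_changes(SAMPLE_LOG):
        print(" | ".join(hit))
```

On a real host, pass the concatenated contents of history.log and its rotated copies (decompressing the .gz ones first) instead of SAMPLE_LOG.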

