
Re: Disappearing shim-signed after failed dist-upgrade



On Tue 22 Jun 2021, at 19:13, David Wright <deblis@lionunicorn.co.uk> wrote:
> On Tue 22 Jun 2021 at 08:59:13 (+0100), Gareth Evans wrote:
> > A recent dist-upgrade on Buster (in a scripted cron job run at 01:00 daily) failed due to apt-listbugs complaining about the boot-breaking bug in shim-signed, and pinning v1.33 in the process.
> > 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990082
> 
> AFAICT it looks as though you were just a victim of bad timing.
> I happened to upgrade the point release at Start-Date:
> 2021-06-19  17:27:11, and my term.log shows:
> 
>   Setting up fluidsynth (1.1.11-1+deb10u1) ...
>   Setting up shim-helpers-amd64-signed (1+15.4+5~deb10u1) ...
>   Installing for x86_64-efi platform.
>   Installation finished. No error reported.
>   Setting up python-libxml2 (2.9.4+dfsg1-7+deb10u2) ...
>   Setting up shim-signed:amd64 (1.36~1+deb10u1+15.4-5~deb10u1) ...
>   Installing for x86_64-efi platform.
>   Installation finished. No error reported.
>   Secure Boot not enabled on this system.
>   Processing triggers for mime-support (3.62) ...
> 
> By 01:00 next morning, the grave bug stopped your upgrade from
> finishing. I guess that's a disadvantage of unattended upgrades:
> you don't see the bug reports as they occur. (I download any
> updates automatically, which serves as an announcement, but
> always upgrade manually.)
> 
> > The next (manual) dist-upgrade removed shim-signed v1.33
> > 
> > $ cat /var/log/apt/history.log
> > Start-Date: 2021-06-20  18:33:29
> > Commandline: apt-get -y dist-upgrade
> > Requested-By: xxxxxxxxx (1000)
> > Upgrade: shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7, 1.36~1+deb10u1+15.4-5~deb10u1)
> > Remove: shim-signed:amd64 (1.33+15+1533136590.3beb971-7)
> > End-Date: 2021-06-20  18:33:30
> > 
> > unattended-upgrades (which I had forgotten was installed) upgraded some related packages earlier the same day, but not shim-signed itself:
> > 
> > $ cat /var/log/apt/history.log
> > Start-Date: 2021-06-20  06:26:31
> > Commandline: /usr/bin/unattended-upgrade
> > Upgrade: shim-helpers-amd64-signed:amd64 (1+15+1533136590.3beb971+7+deb10u1, 1+15.4+5~deb10u1), shim-unsigned:amd64 (15+1533136590.3beb971-7+deb10u1, 15.4-5~deb10u1)
> > End-Date: 2021-06-20  06:26:34
> > 
> > The only references to shim-signed in apt history logs were the initial Buster installation, and the recent removal:
> > 
> > /var/log/apt$ grep -n "shim-signed:" history.log*
> > history.log:209:Remove: shim-signed:amd64 (1.33+15+1533136590.3beb971-7)
> > history.log.6:33:Install: [...] shim-signed:amd64 (1.33+15+1533136590.3beb971-7) [...]
> > 
> > 
> > As I don't currently use secure boot, I ignored the bug warnings when I reinstalled it and dependencies (the buster-updates version per the email from debian-stable-announce yesterday
> > https://lists.debian.org/debian-stable-announce/2021/06/msg00001.html
> 
> AIUI that's the correct thing to do in our situation. (It's an upgrade
> rather than a reinstall: my new shim-signed{,-common} debs arrived at
> noon yesterday.)
> 
> > ...but still:
> > 
> > $ apt policy shim-signed
> > shim-signed:
> >   Installed: 1.36~1+deb10u2+15.4-5~deb10u1
> >   Candidate: 1.36~1+deb10u2+15.4-5~deb10u1
> > 
> > $ apt-listbugs list shim-signed
> > Retrieving bug reports... Done
> > Parsing Found/Fixed information... Done
> > grave bugs of shim-signed (→ ) <Outstanding>
> >  b1 - #990082 - High chance of boot problems with buster's version of arm64 shim
> > grave bugs of shim-signed (→ ) <Resolved in some Version>
> >  b2 - #987991 - shim-signed: Recent dbx update blacklists shimx64.efi (1.33+15+1533136590.3beb971-7) (Fixed: shim-signed/1.34)
> > Summary:
> >  shim-signed(2 bugs)
> > 
> > $ apt-listbugs list shim-signed-common
> > critical bugs of shim-signed-common (→ ) <Outstanding>
> >  b1 - #990158 - shim-signed-common: No UEFI boot with error "Could not create MokListXRT"
> > Summary:
> >  shim-signed-common(1 bug)
> > 
> > Is this referring to the non buster-updates package?
> 
> No. But I don't use secure boot, so I haven't been following along
> with the shim's problem. (That is the same state of play shown by my system.)
> 
> > Can anyone enlighten me as to:
> > 
> > Why might shim-signed v1.33 have been removed by dist-upgrade despite the previous upgrade attempt having been aborted by apt-listbugs?
> 
> $ aptitude why shim-signed
> i   grub-efi-amd64        Depends    grub-efi-amd64-bin (= 2.02+dfsg1-20+deb10u4)
> i A grub-efi-amd64-bin    Recommends grub-efi-amd64-signed
> i A grub-efi-amd64-signed Recommends shim-signed
> $
> 
> so I have no dependency, only a Recommends. I don't know your option
> settings, nor how they (or mine) react to a broken package, but
> apt-get *dist-*upgrade certainly has the privilege of removing
> packages in order to reach a satisfactory state.
> 
> > What's the best way to reinstall an older package version and its old dependencies if affected by something like this, and it isn't to be found in /var/cache/apt/archives?
> 
> In this case, you would probably follow Steve's instructions in the
> bug report. And in general, you could use the pkg_version_number
> options in, say, apt-get to downgrade. (As it says, with care.)

> Nice to see a report where all the necessary info and logs are laid out.
Thanks

> Cheers,
> David.

Is there any way to find out why a package was removed?  I have googled but can't find any such command or log reference, nor indeed anything of relevance in my apt history or cron script logs.  

Also, why does 

apt-listbugs list shim-signed

still show the bug supposedly fixed by the buster-updates package... reversion? (even though with a higher version number)?

Thanks,
Gareth

