
Re: Disappearing shim-signed after failed dist-upgrade



On Sun 27 Jun 2021 at 05:31:05 (+0100), Gareth Evans wrote:
> On Tue 22 Jun 2021, at 19:13, David Wright <deblis@lionunicorn.co.uk> wrote:
> > On Tue 22 Jun 2021 at 08:59:13 (+0100), Gareth Evans wrote:
> > > A recent dist-upgrade on Buster (in a scripted cron job run at 01:00 daily) failed due to apt-listbugs complaining about the boot-breaking bug in shim-signed, and pinning v1.33 in the process.
> > > 
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990082
> > 
> > AFAICT it looks as though you were just a victim of bad timing.
> > I happened to upgrade the point release at Start-Date:
> > 2021-06-19  17:27:11, and my term.log shows:
> > 
> >   Setting up fluidsynth (1.1.11-1+deb10u1) ...
> >   Setting up shim-helpers-amd64-signed (1+15.4+5~deb10u1) ...
> >   Installing for x86_64-efi platform.
> >   Installation finished. No error reported.
> >   Setting up python-libxml2 (2.9.4+dfsg1-7+deb10u2) ...
> >   Setting up shim-signed:amd64 (1.36~1+deb10u1+15.4-5~deb10u1) ...
> >   Installing for x86_64-efi platform.
> >   Installation finished. No error reported.
> >   Secure Boot not enabled on this system.
> >   Processing triggers for mime-support (3.62) ...
> > 
> > By 01:00 next morning, the grave bug stopped your upgrade from
> > finishing. I guess that's a disadvantage of unattended upgrades:
> > you don't see the bug reports as they occur. (I download any
> > updates automatically, which serves as an announcement, but
> > always upgrade manually.)
> > 
> > > The next (manual) dist-upgrade removed shim-signed v1.33
> > > 
> > > $ cat /var/log/apt/history.log
> > > Start-Date: 2021-06-20  18:33:29
> > > Commandline: apt-get -y dist-upgrade
> > > Requested-By: xxxxxxxxx (1000)
> > > Upgrade: shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7, 1.36~1+deb10u1+15.4-5~deb10u1)
> > > Remove: shim-signed:amd64 (1.33+15+1533136590.3beb971-7)
> > > End-Date: 2021-06-20  18:33:30
> > > 
> > > unattended-upgrades (which I had forgotten was installed) upgraded some related packages earlier the same day, but not shim-signed itself:
> > > 
> > > $ cat /var/log/apt/history.log
> > > Start-Date: 2021-06-20  06:26:31
> > > Commandline: /usr/bin/unattended-upgrade
> > > Upgrade: shim-helpers-amd64-signed:amd64 (1+15+1533136590.3beb971+7+deb10u1, 1+15.4+5~deb10u1), shim-unsigned:amd64 (15+1533136590.3beb971-7+deb10u1, 15.4-5~deb10u1)
> > > End-Date: 2021-06-20  06:26:34
> > > 
> > > The only references to shim-signed in apt history logs were the initial Buster installation, and the recent removal:
> > > 
> > > /var/log/apt$ grep -n "shim-signed:" history.log*
> > > history.log:209:Remove: shim-signed:amd64 (1.33+15+1533136590.3beb971-7)
> > > history.log.6:33:Install: [...] shim-signed:amd64 (1.33+15+1533136590.3beb971-7) [...]
> > > 
> > > 
> > > As I don't currently use secure boot, I ignored the bug warnings when I reinstalled it and dependencies (the buster-updates version per the email from debian-stable-announce yesterday
> > > https://lists.debian.org/debian-stable-announce/2021/06/msg00001.html
> > 
> > AIUI that's the correct thing to do in our situation. (It's an upgrade
> > rather than a reinstall: my new shim-signed{,-common} debs arrived at
> > noon yesterday.)
> > 
> > > ...but still:
> > > 
> > > $ apt policy shim-signed
> > > shim-signed:
> > >   Installed: 1.36~1+deb10u2+15.4-5~deb10u1
> > >   Candidate: 1.36~1+deb10u2+15.4-5~deb10u1
> > > 
> > > $ apt-listbugs list shim-signed
> > > Retrieving bug reports... Done
> > > Parsing Found/Fixed information... Done
> > > grave bugs of shim-signed (→ ) <Outstanding>
> > >  b1 - #990082 - High chance of boot problems with buster's version of arm64 shim
> > > grave bugs of shim-signed (→ ) <Resolved in some Version>
> > >  b2 - #987991 - shim-signed: Recent dbx update blacklists shimx64.efi (1.33+15+1533136590.3beb971-7) (Fixed: shim-signed/1.34)
> > > Summary:
> > >  shim-signed(2 bugs)
> > > 
> > > $ apt-listbugs list shim-signed-common
> > > critical bugs of shim-signed-common (→ ) <Outstanding>
> > >  b1 - #990158 - shim-signed-common: No UEFI boot with error "Could not create MokListXRT"
> > > Summary:
> > >  shim-signed-common(1 bug)
> > > 
> > > Is this referring to the non buster-updates package?
> > 
> > No. But I don't use secure boot, so I haven't been following along
> > with the shim's problem. (That is the same state of play shown by my system.)
> > 
> > > Can anyone enlighten me as to:
> > > 
> > > Why might shim-signed v1.33 have been removed by dist-upgrade despite the previous upgrade attempt having been aborted by apt-listbugs?
> > 
> > $ aptitude why shim-signed
> > i   grub-efi-amd64        Depends    grub-efi-amd64-bin (= 2.02+dfsg1-20+deb10u4)
> > i A grub-efi-amd64-bin    Recommends grub-efi-amd64-signed
> > i A grub-efi-amd64-signed Recommends shim-signed
> > $
> > 
> > so I have no dependency, only a Recommends. I don't know your option
> > settings, nor how they (or mine) react to a broken package, but
> > apt-get *dist-*upgrade certainly has the privilege of removing
> > packages in order to reach a satisfactory state.
> > 
> > > What's the best way to reinstall an older package version and its old dependencies if affected by something like this, and it isn't to be found in /var/cache/apt/archives?
> > 
> > In this case, you would probably follow Steve's instructions in the
> > bug report. And in general, you could use the pkg_version_number
> > options in, say, apt-get to downgrade. (As it says, with care.)
> 
> > Nice to see a report where all the necessary info and logs are laid out.
> Thanks
> 
> Is there any way to find out why a package was removed?  I have googled but can't find any such command or log reference, nor indeed anything of relevance in my apt history or cron script logs.

Do you mean at this step, quoted above:

> > > The next (manual) dist-upgrade removed shim-signed v1.33
> > > 
> > > $ cat /var/log/apt/history.log
> > > Start-Date: 2021-06-20  18:33:29
> > > Commandline: apt-get -y dist-upgrade
> > > Requested-By: xxxxxxxxx (1000)
> > > Upgrade: shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7, 1.36~1+deb10u1+15.4-5~deb10u1)
> > > Remove: shim-signed:amd64 (1.33+15+1533136590.3beb971-7)
> > > End-Date: 2021-06-20  18:33:30

From the manpage, dist-upgrade "handles changing dependencies with new
versions of packages [ … ] may therefore remove some packages".

I presume whatever was causing shim-signed to be installed on your
system has itself become uninstalled. Did you try running
  $ aptitude why shim-signed
on your own system, to see which that is?

From man apt-listbugs, "When [apt-listbugs] is invoked by APT, any
non-zero exit status will cause the installation/upgrade to be aborted".
So the first run, in the middle of the night, aborted because of the
error. (I don't know if that was an upgrade or dist-upgrade, because
it's "hidden" behind /usr/bin/unattended-upgrade.)

But your evening run of   apt-get -y dist-upgrade   was unconstrained,
and so shim-signed could be removed because it was no longer being
held onto as a Depends or Recommends.

> Also, why does 
> 
> apt-listbugs list shim-signed
> 
> still show the bug supposedly fixed by the buster-updates package... reversion? (even though with a higher version number)?

Although apt-listbugs can focus its check onto specific architectures
and versions of packages, that might rely on a perfect formatting of
the bug report. I've never followed up on this, because I perform
upgrades manually on my systems, so the final arbiter on apt-listbugs
complaints is my eyeball.

With unattended and automatic upgrades, there's still a role for the
sysadmin to monitor the logs. The good news is that breaking these
particular packages (that install your booting scheme) doesn't in
itself break booting (as Nicolas pointed out recently), but only your
ability to modify/upgrade it.

Cheers,
David.

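One way to answer the "why was a package removed" question from the apt history log, as an added example that is not part of the original thread: the awk below walks the stanzas of history.log and reports each removal with its date and the command that requested it. The sample log is constructed from the excerpts quoted above; the function name `removed_packages` is the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: report every apt history
# stanza that removed packages, with the date and the requesting command.

# removed_packages LOGFILE... -> one line per stanza containing "Remove:":
#   <Start-Date> | <Commandline> | <removed packages, versions stripped>
removed_packages() {
    awk '
        /^Start-Date:/  { sub(/^Start-Date: */, "");  start = $0 }
        /^Commandline:/ { sub(/^Commandline: */, ""); cmd = $0 }
        /^Remove:/ {
            sub(/^Remove: */, "")
            # drop the "(old, new)" version parentheses, keep package names
            gsub(/ \([^)]*\)/, "")
            removed = $0
        }
        /^End-Date:/ {
            if (removed != "") printf "%s | %s | %s\n", start, cmd, removed
            start = cmd = removed = ""
        }
    ' "$@"
}

# Constructed sample history.log, modelled on the entries quoted in the thread.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Start-Date: 2021-06-20  06:26:31
Commandline: /usr/bin/unattended-upgrade
Upgrade: shim-helpers-amd64-signed:amd64 (1+15+1533136590.3beb971+7+deb10u1, 1+15.4+5~deb10u1), shim-unsigned:amd64 (15+1533136590.3beb971-7+deb10u1, 15.4-5~deb10u1)
End-Date: 2021-06-20  06:26:34

Start-Date: 2021-06-20  18:33:29
Commandline: apt-get -y dist-upgrade
Requested-By: xxxxxxxxx (1000)
Upgrade: shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7, 1.36~1+deb10u1+15.4-5~deb10u1)
Remove: shim-signed:amd64 (1.33+15+1533136590.3beb971-7)
End-Date: 2021-06-20  18:33:30
EOF

# Only the evening dist-upgrade stanza removed anything; the
# unattended-upgrade stanza is skipped because it has no Remove: line.
removed_packages "$SAMPLE_LOG"
```

On a real system run it over `/var/log/apt/history.log*` (rotated copies are gzipped, so pipe those through `zcat` first); the log records what was removed and by which command, while `aptitude why` shows what, if anything, still pulls the package in.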
