Bug#983912: grub2: consider renaming signed source packages to grub2-signed-*

Salvatore Bonaccorso carnil at debian.org
Fri Oct 6 20:08:17 BST 2023


Hi,

On Sun, Nov 20, 2022 at 09:11:09PM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Wed, Mar 03, 2021 at 10:52:39AM +0100, Ansgar wrote:
> > Source: grub2
> > Version: 2.04-16
> > Severity: normal
> > X-Debbugs-Cc: ftpmaster at debian.org, debian-release at lists.debian.org
> > 
> > grub2 currently uses grub-efi-signed-* as source package names for the
> > Secure Boot signed packages.  While releasing the last security update
> > we found a small issue with these names:
> > 
> > dak processes source packages in lexicographic order, so it would
> > process grub-efi-signed-* before grub2 when accepting all packages at
> > once from the "embargoed" policy queue.  But the grub-efi-signed-*
> > binary packages have Built-Using: grub2; as grub2 is not accepted from
> > embargoed at this point in time, the /binary/ uploads will be rejected
> > in this case.  (This problem exists in principle with all Built-Using
> > relations.)
> > 
> > We could avoid this particular problem if the source package names of
> > the signed packages sort after grub2, i.e., if they were named
> > grub2-signed-* or grub2-efi-signed-*.  With linux this is already the
> > case (src:linux and src:linux-signed-*).
> > 
> > (As a minor thing, I think the changelog entry in the signed packages
> > should also use the grub maintainer's name, not ftpmaster@ similar to
> > what src:linux-signed-* has, but that is just cosmetics.)
> > 
> > I've Cc'ed debian-release@ as it is already past soft freeze, but I
> > think just renaming the source packages would be unlikely to break
> > anything.
> 
> As we were hit by this issue in the last DSA (DSA 5280-1) again,
> should we attempt to have this changed at least for bookworm?

For DSA 5519-1 I fortunately remembered this bug and did install the
packages in two steps, first dak new-security-install grub2*.changes,
then the grub-efi*.changes.

I still think it would be great if we can do the above mentioned renames,
to avoid this problem (or is it maybe realistic that we could tackle the
problem itself at dak level?).

Regards,
Salvatore
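Added illustration (not part of the thread, and not dak's code): a small
Python model of the ordering problem described above. It shows that a plain
lexicographic sort puts grub-efi-signed-* before grub2 and so "rejects" the
signed uploads, that the proposed grub2-signed-* names fix this by
construction, and what a Built-Using-aware order (a topological sort, the
"tackle it at dak level" option) would look like. Package names and
Built-Using relations are constructed sample data.

```python
from graphlib import TopologicalSorter

# Constructed sample data modelled on the bug report: source name -> list of
# source packages it is Built-Using. Not dak's real data model.
CURRENT_NAMES = {
    "grub2": [],
    "grub-efi-signed-amd64": ["grub2"],
    "grub-efi-signed-arm64": ["grub2"],
}
RENAMED = {
    "grub2": [],
    "grub2-signed-amd64": ["grub2"],
    "grub2-signed-arm64": ["grub2"],
}

def lexicographic_order(uploads):
    """The order the report says dak uses: a plain sort of source names."""
    return sorted(uploads)

def built_using_order(uploads):
    """Accept every Built-Using target before the packages referencing it
    (topological sort); ties are broken lexicographically."""
    ts = TopologicalSorter()
    for name, targets in uploads.items():
        ts.add(name, *targets)
    ts.prepare()
    order = []
    while ts.is_active():
        ready = sorted(ts.get_ready())
        order.extend(ready)
        ts.done(*ready)
    return order

def rejected(uploads, order):
    """Simulate accepting uploads from the queue in the given order: an upload
    is rejected if one of its Built-Using targets is not accepted yet."""
    accepted, rejects = set(), []
    for name in order:
        if all(t in accepted for t in uploads[name]):
            accepted.add(name)
        else:
            rejects.append(name)
    return rejects

if __name__ == "__main__":
    for label, uploads in (("current", CURRENT_NAMES), ("renamed", RENAMED)):
        lex = lexicographic_order(uploads)
        print(label, "lexicographic:", lex, "rejected:", rejected(uploads, lex))
        topo = built_using_order(uploads)
        print(label, "topological:", topo, "rejected:", rejected(uploads, topo))
```

Note that '-' sorts before '2' in ASCII, which is exactly why grub-efi-signed-* lands before grub2 while grub2-signed-* lands after it.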
