Bug#983912: grub2: consider renaming signed source packages to grub2-signed-*

Ansgar ansgar at debian.org
Wed Mar 3 09:52:39 GMT 2021


Source: grub2
Version: 2.04-16
Severity: normal
X-Debbugs-Cc: ftpmaster at debian.org, debian-release at lists.debian.org

grub2 currently uses grub-efi-signed-* as source package names for the
Secure Boot signed packages.  While releasing the last security update
we found a small issue with these names:

dak processes source packages in lexicographic order, so it would
process grub-efi-signed-* before grub2 when accepting all packages at
once from the "embargoed" policy queue.  But the grub-efi-signed-*
binary packages have Built-Using: grub2; as grub2 is not accepted from
embargoed at this point in time, the /binary/ uploads will be rejected
in this case.  (This problem exists in principle with all Built-Using
relations.)

We could avoid this particular problem if the source package names of
the signed packages sort after grub2, i.e., if they were named
grub2-signed-* or grub2-efi-signed-*.  With linux this is already the
case (src:linux and src:linux-signed-*).

(As a minor thing, I think the changelog entry in the signed packages
should also use the grub maintainer's name, not ftpmaster@ similar to
what src:linux-signed-* has, but that is just cosmetics.)

I've Cc'ed debian-release@ as it is already past soft freeze, but I
think just renaming the source packages would be unlikely to break
anything.

Ansgar
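
The ordering problem described in the report above, as an added example that is not part of the original message and is not dak's code. It is a simplified model that assumes uploads are handled strictly in lexicographic order of source name and that an upload is rejected when a source named in Built-Using has not been accepted yet; the "-amd64" suffix is a constructed stand-in for the "*" in the package names.

```python
# Simplified model of the ordering problem described above; not dak's code.
# Assumption: uploads are handled strictly in lexicographic order of source
# name, and an upload is rejected if a Built-Using source is not yet accepted.

def process_queue(uploads):
    """uploads maps source package name -> set of sources named in Built-Using.

    Returns (accepted, rejected); rejected holds (name, missing_sources).
    """
    accepted, rejected = [], []
    for name in sorted(uploads):
        # Anything the upload was Built-Using must already be in the archive.
        missing = sorted(uploads[name] - set(accepted))
        if missing:
            rejected.append((name, missing))
        else:
            accepted.append(name)
    return accepted, rejected


# Constructed sample queues; the "-amd64" suffix stands in for the "*".
CURRENT_NAMES = {"grub2": set(), "grub-efi-signed-amd64": {"grub2"}}
RENAMED = {
    "grub2": set(),
    "grub2-signed-amd64": {"grub2"},
    "grub2-efi-signed-amd64": {"grub2"},
}
LINUX = {"linux": set(), "linux-signed-amd64": {"linux"}}

if __name__ == "__main__":
    for label, queue in [("current", CURRENT_NAMES),
                         ("renamed", RENAMED),
                         ("linux", LINUX)]:
        accepted, rejected = process_queue(queue)
        print(label, "accepted:", accepted, "rejected:", rejected)
```

With the current names the signed package is reached first because "-" sorts before "2"; with either proposed name, grub2 is a prefix of the signed package's name and therefore sorts ahead of it.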


