Bug#1131924: Clarify package descriptions vs. unsigned for modules included

[Steven Maddox]

Package: grub-efi-amd64-signed

At the moment grub-efi-amd64-signed vs grub-efi-amd64-unsigned have 
package descriptions that are identical except one says...

--
This package contains the binaries signed by the Debian UEFI CA to be 
used by shim-signed.
--

... and the other says ...

--
This package contains GRUB images that have been built for use with the 
EFI-AMD64 architecture, as used by Intel Macs (unless a BIOS interface 
has been activated). It can be installed in parallel with other 
flavours, but will not automatically install GRUB as the active boot 
loader nor automatically update grub.cfg on upgrade unless 
grub-efi-amd64 is also installed.
--

But these are not just the only critical differences.

Currently the signed version lacks particular modules which are included 
in unsigned.

So when I was recently debootstrap'ing a new system with recommends 
enabled (as they are by default)... installing grub-efi-amd64 depends 
grub-efi-amd64-bin... which depends grub-efi-amd64-unsigned but 
**recommends** grub-efi-amd64-signed.

Which means 'grub-install' alone prefers the signed... and thus my 
attempt at using normal cryptsetup format (which defaults to argon2 and 
luks2) get me nothing more than a GRUB rescue prompt.  (this is a system 
with just an EFI partition and a single LUKS2 encrypted ext4 for 
*everything* else including boot... something now FINALLY possible with 
grub 2.14).

EVENTUALLY I figured out that somehow preventing recommends fixed the 
appearance of the GRUB rescue prompt... but it was a lot of trial and error.

I'd say the description for the signed package needs to say

a) what modules aren't included vs. unsigned
b) that having this installed knocks out unsigned by default if you 
didn't specify --no-uefi-secure-boot with grub-install

It would have saved me a lot of time :)