Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:shim User: [email protected] Usertags: pu
Hi! This is a new upstream version of shim, built for trixie. This includes some SBAT-based revocations, plus a range of security updates from upstream. We also want to get a new shim built and signed by Microsoft using both the old and new UEFI CA root keys, to extend our Secure Boot support to cover both older and newer machines. The old CA root expires in June, but Microsoft have said they will happily continue to sign with that up until the end of its life. As always with shim, I've reviewed every upstream code change. I'm *not* including a full debdiff as we've moved three upstream releases from 15.8 to 16.1 here. The changes are not minimal, but in the case of shim we need to be as close to upstream as possible for the sake of getting stuff reviewed and signed. The only local patch to the upstream source now is to fix building with the latest binutils. There are some trivial changes to packaging. I've tested locally using CI and also by hand on various machines and all looks good here. Obviously, once this is accepted and autobuilt I'll need to submit things for review and signing elsewhere. Then we'll be want shim-signed updating too. Please give me the go-ahead and I'll upload the new source.
