Hey Mario,

Thanks for opening this, you beat me to it. :-)

On Fri, Jun 05, 2026 at 06:08:38AM -0500, Mario Limonciello wrote:
>Package: release.debian.org
>Severity: normal
>
>fwupd plays a sometimes non-obvious but crucial role in the story for
>supporting systems with UEFI secure boot.
>
>The Microsoft CA associated with the signing of shim is about to expire.
>Microsoft and the shim community have been working to prepare the ecosystem
>for this change. It involves being able to update the trust chain in the
>UEFI 'db'.
>
>This change is to be pushed via a signed update to the Linux Vendor Firmware
>Service (LVFS), but in order to accept the change a newer fwupd is needed.
>
>The minimum version of fwupd required is 2.0.12, for which neither bookworm
>nor trixie are new enough.
>
>This issue is demonstrated here:
>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138871
>
>Due to update safety checks introduced in the fwupd engine, it is not feasible
>to backport just this functionality. It would actually be significantly more
>risky to do such a change because of how error prone and large such a backport
>would be.
>
>On the other hand 2.0.20 is well tested, and even downstream distributions
>like Ubuntu are adopting it across all their LTS releases.
>
>Here is their tracker:
>https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/2142578
>
>So I would like to do the following in Debian:
>
>1) Update Trixie to 2.0.20 fwupd release.
>
>2.0.20 is already in trixie-backports. Basically bump the upload in backports
>to a new changelog entry to target stable.
>
>I have the proposal for this done here already:
>
>https://salsa.debian.org/efi-team/fwupd/-/tree/trixie?ref_type=heads
>
>2) Update Bookworm's libxmlb (0.3.10-2) to trixie's version of libxmlb
>(0.3.22-1)
>
>This is needed for a build dependency of fwupd 2.0.20.
>
>3) Update Bookworm's libjcat (0.1.9-1) to trixie's version of libjcat (0.2.3-1)
>
>This is needed for a build dependency of fwupd 2.0.20.
>
>4) Update Bookworm to 2.0.20 fwupd release.
>
>This requires some slight changes from the trixie backport.
>This is mostly because of changes to gobject introspection in newer glib
>versions.
>
>I have the proposal for this staged on this branch:
>
>https://salsa.debian.org/efi-team/fwupd/-/tree/bookworm?ref_type=heads
>
>---
>
>I realize this is a very big ask and unusual for a stable update; but ensuring
>the boot process for systems utilizing UEFI secure boot continues to work and
>is secure is paramount IMO.

Thanks for prepping the changes here already - I agree that this is
really important and agree with your proposed updates.

-- 
Steve McIntyre, Cambridge, UK. [email protected]
Welcome my son, welcome to the machine.

