Package: shim-signed
Version: 1.47+15.8-1
Severity: wishlist

[ Filing this wishlist bug here, even if it's not a direct issue in shim-signed itself. ]

While fwupd is clearly the right answer for updating CAs and KEKs on most systems, there are cases where it might not work or may not be *allowed* to work. Imagine a restricted network environment where servers are not allowed to initiate https connections to arbitrary websites like LVFS, for example.

It would be useful to package up the already-signed CA and KEK updates that we know about. We could then use efivar (or similar? maybe part of fwupd itself?) to install these updates when desired.

We should be wary of doing this *automatically*, as the fwupd authors already have found some systems which do not work well with these updates. At the very least, we'd need a quirks list to allow/block the updates here.

These are just initial thoughts - comments welcome...

-- System Information:
Debian Release: 13.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.90+deb13-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed depends on:
ii  grub-efi-amd64-bin         2.12-9+deb13u2
ii  grub2-common               2.12-9+deb13u2
ii  shim-helpers-amd64-signed  1+15.8+1
ii  shim-signed-common         1.47+15.8-1

shim-signed recommends no packages.

shim-signed suggests no packages.

-- debconf information excluded

