On Wed, Mar 03, 2021 at 10:52:39AM +0100, Ansgar wrote:
> Source: grub2
> Version: 2.04-16
> Severity: normal
> X-Debbugs-Cc: ftpmas...@debian.org, debian-release@lists.debian.org
> grub2 currently uses grub-efi-signed-* as source package names for the
> Secure Boot signed packages.  While releasing the last security update
> we found a small issue with these names:
> dak processes source packages in lexiographic order, so it would
> process grub-efi-signed-* before grub2 when accepting all packages at
> once from the "embargoed" policy queue.  But the grub-efi-signed-*
> binary packages have Built-Using: grub2; as grub2 is not accepted from
> embargoed at this point in time, the /binary/ uploads will be rejected
> in this case.  (This problem exists in principle with all Built-Using
> relations.)
> We could avoid this particular problem if the source package names of
> the signed packages sort after grub2, i.e., if they were named
> grub2-signed-* or grub2-efi-signed-*.  With linux this is already the
> case (src:linux and src:linux-signed-*).
> (As a minor thing, I think the changelog entry in the signed packages
> should also use the grub maintainer's name, not ftpmaster@ similar to
> what src:linux-signed-* has, but that is just cosmetics.)
> I've Cc'ed debian-release@ as it is already past soft freeze, but I
> think just renaming the source packages would be unlikely to break
> anything.

As we were hit by this issue in the last DSA (DSA 5280-1) again,
should we attempt to have this changed at least for bookworm?


Reply via email to