On February 2, 2024 7:23 pm, Thomas Lamprecht wrote:
> On 26/01/2024 at 13:05, Fabian Grünbichler wrote:
>> installing it at least gives the admin a heads up if our base Debian release is
>> ever faster shipping a newer version of shim or Grub, which would look
>> (something) like this:
>>
>> Reading package lists... Done
>> Building dependency tree... Done
>> Reading state information... Done
>> The following package was automatically installed and is no longer required:
>>   proxmox-grub
>> Use 'sudo apt autoremove' to remove it.
>> The following packages will be REMOVED:
>>   proxmox-secure-boot-support
>> The following packages will be upgraded:
>>   shim-signed shim-signed-common
>> 2 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
>>
>> it also allows us to pull in additional signed packages as they become
>> available.
>>
>> Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
>> ---
>> it could also be "armed" similar to proxmox-ve, and require some special action
>> before being removed.. but since the worst case is that the system fails to
>> boot with SB enabled, which still should be possible to disable on all systems
>> where PVE normally runs, that might be overkill..
>
>
> seems OK w.r.t. change, but do we want this to be either part of the shim,
> or a separate repo? So that we do not need to ship a new kernel meta package
> when the shim version pinning needs an update? As it feels a bit unrelated
> to the kernel meta package in general to me.

well, it needs to be updated when either grub or shim have a security update (or on major releases of course), so there's not really one place to fit it. we could have a separate repo (or refactor this one to contain two source packages, but that's fairly ugly as well) - that would obviously work as well.