From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Thomas Lamprecht <t.lamprecht@proxmox.com>
Subject: Re: [pve-devel] [RFC kernel-meta] add proxmox-secure-boot-support package
Date: Mon, 05 Feb 2024 12:45:34 +0100 [thread overview]
Message-ID: <1707133435.9uxwiemda4.astroid@yuna.none> (raw)
In-Reply-To: <8e981a87-2603-447d-8a6b-c30b7bc896b0@proxmox.com>
On February 2, 2024 7:23 pm, Thomas Lamprecht wrote:
> Am 26/01/2024 um 13:05 schrieb Fabian Grünbichler:
>> installing it at least gives the admin a heads up if our base Debian release is
>> ever faster shipping a newer version of shim or Grub, which would look
>> (something) like this:
>>
>> Reading package lists... Done
>> Building dependency tree... Done
>> Reading state information... Done
>> The following package was automatically installed and is no longer required:
>> proxmox-grub
>> Use 'sudo apt autoremove' to remove it.
>> The following packages will be REMOVED:
>> proxmox-secure-boot-support
>> The following packages will be upgraded:
>> shim-signed shim-signed-common
>> 2 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
>>
>> it also allows us to pull in additional signed packages as they become
>> available.
>>
>> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
>> ---
>> it could also be "armed" similar to proxmox-ve, and require some special action
>> before being removed.. but since the worst case is that the system fails to
>> boot with SB enabled, which still should be possible to disable on all systems
>> where PVE normally runs, that might be overkill..
>
>
> seems OK w.r.t. change, but do we want this to be either part of the shim,
> or a separate repo? So that we do not need to ship a new kernel meta package
> when the shim version pinning needs an update? As it feels a bit unrelated
> to the kernel meta package in general to me.
well, it needs to be updated when either grub or shim have a security
update (or on major releases of course), so there's not really one place
to fit it. we could have a separate repo (or refactor this one to
contain two source packages, but that's fairly ugly as well) - that
would obviously work as well.
next prev parent reply other threads:[~2024-02-05 11:46 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-26 12:05 Fabian Grünbichler
2024-02-02 18:23 ` Thomas Lamprecht
2024-02-05 11:45 ` Fabian Grünbichler [this message]
2024-02-06 9:40 ` Thomas Lamprecht
2024-04-11 11:45 ` Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1707133435.9uxwiemda4.astroid@yuna.none \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=t.lamprecht@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.