From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 9F39C9348D for ; Mon, 5 Feb 2024 12:46:12 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 6F1C115DB3 for ; Mon, 5 Feb 2024 12:45:42 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Mon, 5 Feb 2024 12:45:41 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 9741F442E7 for ; Mon, 5 Feb 2024 12:45:41 +0100 (CET) Date: Mon, 05 Feb 2024 12:45:34 +0100 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Proxmox VE development discussion , Thomas Lamprecht References: <20240126120512.415674-1-f.gruenbichler@proxmox.com> <8e981a87-2603-447d-8a6b-c30b7bc896b0@proxmox.com> In-Reply-To: <8e981a87-2603-447d-8a6b-c30b7bc896b0@proxmox.com> MIME-Version: 1.0 User-Agent: astroid/0.16.0 (https://github.com/astroidmail/astroid) Message-Id: <1707133435.9uxwiemda4.astroid@yuna.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.064 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: Re: [pve-devel] [RFC kernel-meta] add proxmox-secure-boot-support package X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Feb 2024 11:46:12 -0000 On February 2, 2024 7:23 pm, Thomas Lamprecht wrote: > Am 26/01/2024 um 13:05 schrieb Fabian Gr=C3=BCnbichler: >> installing it at least gives the admin a heads up if our base Debian rel= ease is >> ever faster shipping a newer version of shim or Grub, which would look >> (something) like this: >>=20 >> Reading package lists... Done >> Building dependency tree... Done >> Reading state information... Done >> The following package was automatically installed and is no longer requ= ired: >> proxmox-grub >> Use 'sudo apt autoremove' to remove it. >> The following packages will be REMOVED: >> proxmox-secure-boot-support >> The following packages will be upgraded: >> shim-signed shim-signed-common >> 2 upgraded, 0 newly installed, 1 to remove and 0 not upgraded. >>=20 >> it also allows us to pull in additional signed packages as they become >> available. >>=20 >> Signed-off-by: Fabian Gr=C3=BCnbichler >> --- >> it could also be "armed" similar to proxmox-ve, and require some special= action >> before being removed.. but since the worst case is that the system fails= to >> boot with SB enabled, which still should be possible to disable on all s= ystems >> where PVE normally runs, that might be overkill.. >=20 >=20 > seems OK w.r.t. change, but do we want this to be either part of the shim= , > or a separate repo? So that we do not need to ship a new kernel meta pack= age > when the shim version pinning needs an update? As it feels a bit unrelate= d > to the kernel meta package in general to me. well, it needs to be updated when either grub or shim have a security update (or on major releases of course), so there's not really one place to fit it. we could have a separate repo (or refactor this one to contain two source packages, but that's fairly ugly as well) - that would obviously work as well.