Hi, On Wed, Mar 03, 2021 at 10:52:39AM +0100, Ansgar wrote: > Source: grub2 > Version: 2.04-16 > Severity: normal > X-Debbugs-Cc: ftpmas...@debian.org, debian-rele...@lists.debian.org > > grub2 currently uses grub-efi-signed-* as source package names for the > Secure Boot signed packages. While releasing the last security update > we found a small issue with these names: > > dak processes source packages in lexiographic order, so it would > process grub-efi-signed-* before grub2 when accepting all packages at > once from the "embargoed" policy queue. But the grub-efi-signed-* > binary packages have Built-Using: grub2; as grub2 is not accepted from > embargoed at this point in time, the /binary/ uploads will be rejected > in this case. (This problem exists in principle with all Built-Using > relations.) > > We could avoid this particular problem if the source package names of > the signed packages sort after grub2, i.e., if they were named > grub2-signed-* or grub2-efi-signed-*. With linux this is already the > case (src:linux and src:linux-signed-*). > > (As a minor thing, I think the changelog entry in the signed packages > should also use the grub maintainer's name, not ftpmaster@ similar to > what src:linux-signed-* has, but that is just cosmetics.) > > I've Cc'ed debian-release@ as it is already past soft freeze, but I > think just renaming the source packages would be unlikely to break > anything.
As we were hit by this issue in the last DSA (DSA 5280-1) again, should we attempt to have this changed at least for bookworm? Regards, Salvatore
