[Bug 1801626] [NEW] secureboot-db installs new vars without explict owner permission

Patrick Hibbs 1801626 at bugs.launchpad.net
Sun Nov 4 23:59:18 UTC 2018 

Public bug reported:

The latest secureboot-db package pulled via an apt-get upgrade installed
several DBX entries into my system's secure boot EFI vars without
explicit permission.

This system is in setup mode, and it doesn't even have a PK installed.
Installing DBX entries should not happen in this case. Especially
without explicit consent of the system's owner / administrator. Why is
this enabled by default? The ubuntu installer doesn't even have the
option for turning it off. (It shouldn't be enabled by default in the
first place.)

This is a severe trust violation. I would expect ubuntu to do better
than randomly install Secure Boot entries as part of system update. (Or
should I start disabling the updater dialogs like I did with Windows 7
when MS started pulling crap like this with their update service?)

** Affects: secureboot-db (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to secureboot-db in Ubuntu.
https://bugs.launchpad.net/bugs/1801626

Title:
  secureboot-db installs new vars without explict owner permission

Status in secureboot-db package in Ubuntu:
  New

Bug description:
  The latest secureboot-db package pulled via an apt-get upgrade
  installed several DBX entries into my system's secure boot EFI vars
  without explicit permission.

  This system is in setup mode, and it doesn't even have a PK installed.
  Installing DBX entries should not happen in this case. Especially
  without explicit consent of the system's owner / administrator. Why is
  this enabled by default? The ubuntu installer doesn't even have the
  option for turning it off. (It shouldn't be enabled by default in the
  first place.)

  This is a severe trust violation. I would expect ubuntu to do better
  than randomly install Secure Boot entries as part of system update.
  (Or should I start disabling the updater dialogs like I did with
  Windows 7 when MS started pulling crap like this with their update
  service?)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1801626/+subscriptions

More information about the foundations-bugs mailing list