[Merge] ~xnox/ubuntu/+source/grub2-signed:one-grub into ~ubuntu-core-dev/ubuntu/+source/grub2-signed:ubuntu/hirsute-devel
Steve Langasek
steve.langasek at canonical.com
Mon Feb 22 21:57:37 UTC 2021
Review: Needs Fixing
Diff comments:
> diff --git a/debian/changelog b/debian/changelog
> index c220554..93ac4e1 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,11 @@
> +grub2-signed (1.163) hirsute; urgency=medium
> +
> + * Add {-bin,-dbg} packages that ship matching modules for the signed EFI
> + apps. LP: #1915536
> + * Use raw-singing input from grub2. LP: #1915536
signing
> +
> + -- Dimitri John Ledkov <xnox at ubuntu.com> Thu, 18 Feb 2021 01:02:04 +0000
> +
> grub2-signed (1.162) hirsute; urgency=medium
>
> * Rebuild with correct permissions, and higher version number.
> diff --git a/debian/control b/debian/control
> index 0b045b4..489fbca 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -2,14 +2,15 @@ Source: grub2-signed
> Section: utils
> Priority: optional
> Maintainer: Colin Watson <cjwatson at ubuntu.com>
> -Build-Depends: debhelper-compat (= 12), lsb-release, python3, python3-apt, grub-efi-amd64-bin (>= 2.04-1ubuntu39) [amd64], grub-efi-arm64-bin (>= 2.04-1ubuntu39) [arm64]
> +Build-Depends: debhelper-compat (= 12), lsb-release, python3, python3-apt
> Standards-Version: 3.9.5
> Vcs-Browser: https://code.launchpad.net/~ubuntu-core-dev/ubuntu/+source/grub2-signed/+git/grub2-signed/+ref/ubuntu/hirsute-devel
> Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/grub2-signed -b ubuntu/hirsute-devel
> +Rules-Requires-Root: no
irrelevant?
>
> Package: grub-efi-amd64-signed
> Architecture: amd64
> -Depends: ${misc:Depends}, grub-efi-amd64-bin (= ${grub2:Version}), grub-efi-amd64 | grub-pc
> +Depends: ${misc:Depends}, grub-efi-amd64-signed-bin (= ${binary:Version}), grub-efi-amd64 | grub-pc
> Recommends: secureboot-db
> Built-Using: grub2 (= ${grub2:Version})
> Description: GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)
> @@ -25,9 +26,34 @@ Description: GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)
> This package contains a version of GRUB built for use with the EFI-AMD64
> architecture, signed with Canonical's UEFI signing key.
>
> +Package: grub-efi-amd64-signed-bin
I'm not a fan of such a package name when none of the artifacts contained within are signed.
Can you remind me the reason we aren't bringing back the grub2(.04) binary package everywere instead?
> +Architecture: any-amd64
> +Depends: ${misc:Depends}
> +Replaces: grub-efi-amd64-bin (<< 2.04-1ubuntu41)
> +Breaks: grub-efi-amd64-bin (<< 2.04-1ubuntu41)
> +Multi-Arch: foreign
> +Description: GRand Unified Bootloader, version 2 (EFI-AMD64 signed modules)
> + This package contains GRUB modules that have been built for use with the
> + EFI-AMD64 architecture, as used by Intel Macs (unless a BIOS interface has
> + been activated). It can be installed in parallel with other flavours, but
> + will not automatically install GRUB as the active boot loader nor
> + automatically update grub.cfg on upgrade unless shim-signed is also
> + installed.
> +
> +Package: grub-efi-amd64-signed-dbg
> +Section: debug
> +Architecture: any-amd64
> +Depends: ${misc:Depends}, grub-efi-amd64-signed-bin (= ${binary:Version})
> +Replaces: grub-efi-amd64-dbg (<< 2.04-1ubuntu41)
> +Breaks: grub-efi-amd64-dbg (<< 2.04-1ubuntu41)
> +Multi-Arch: foreign
> +Description: GRand Unified Bootloader, version 2 (AMD64 UEFI debug files signed)
> + This package contains debugging files for grub-efi-amd64-signed-bin. You only
> + need these if you are trying to debug GRUB using its GDB stub.
> +
> Package: grub-efi-arm64-signed
> Architecture: arm64
> -Depends: ${misc:Depends}, grub-efi-arm64 (= ${grub2:Version})
> +Depends: ${misc:Depends}, grub-efi-arm64, grub-efi-arm64-signed-bin (= ${binary:Version})
> Recommends: secureboot-db
> Built-Using: grub2 (= ${grub2:Version})
> Description: GRand Unified Bootloader, version 2 (EFI-ARM64 version, signed)
> diff --git a/debian/grub-efi-amd64-signed-dbg.dirs b/debian/grub-efi-amd64-signed-dbg.dirs
> new file mode 100644
> index 0000000..b565418
> --- /dev/null
> +++ b/debian/grub-efi-amd64-signed-dbg.dirs
.dirs should only be used when you need to create an empty directory in the target .deb, which doesn't seem to be the case here?
> @@ -0,0 +1 @@
> +usr/lib/grub/x86_64-efi
> diff --git a/debian/rules b/debian/rules
> index 5c83889..c83af55 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -2,21 +2,26 @@
>
> include /usr/share/dpkg/default.mk
>
> +SUITE:=hirsute-proposed
> +VERSION:=2.04-1ubuntu41
so we need to manually update debian/rules for every revision? seems high maintenance.
> +
> %:
> dh $@
>
> -destdir := debian/grub-efi-$(DEB_HOST_ARCH)-signed
> -docdir := $(destdir)/usr/share/doc/grub-efi-$(DEB_HOST_ARCH)-signed
> -
> -override_dh_installchangelogs:
> - dh_installchangelogs
> - # Quieten lintian, which otherwise gets confused by our odd version
> - # number.
> - ln $(docdir)/changelog $(docdir)/changelog.Debian
> +override_dh_install:
> + ./download-signed grub2-common $(VERSION) grub2 signed $(SUITE)
> + # don't need control
> + rm -rvf $(VERSION)/control
> + # fixup location of unsigned binaries
> + mkdir -p $(VERSION)/*-efi/monolithic
> + mv $(VERSION)/*-efi-signed/*.efi $(VERSION)/*-efi/monolithic
> + dh_install --sourcedir=$(VERSION)
> + # move debug modules into the debug package
> + mv debian/grub-efi-$(DEB_HOST_ARCH)-signed-bin/usr/lib/grub/*/*.module \
> + debian/grub-efi-$(DEB_HOST_ARCH)-signed-dbg/usr/lib/grub/*/
>
> override_dh_gencontrol:
> - dh_gencontrol -- -v$(DEB_VERSION)+$(shell cat current/version) \
> - -Vgrub2:Version=$(shell cat current/version)
> + dh_gencontrol -- -v$(DEB_VERSION)+$(VERSION) -Vgrub2:Version=$(VERSION)
>
> -override_dh_auto_install:
> - dh_auto_install --destdir=$(destdir)
> +override_dh_clean:
> + rm -rvf $(VERSION)
--
https://code.launchpad.net/~xnox/ubuntu/+source/grub2-signed/+git/grub2-signed/+merge/398409
Your team Ubuntu Core Development Team is requested to review the proposed merge of ~xnox/ubuntu/+source/grub2-signed:one-grub into ~ubuntu-core-dev/ubuntu/+source/grub2-signed:ubuntu/hirsute-devel.
More information about the Ubuntu-reviews
mailing list