Hey folks, Following up on both bugs...
On Wed, Mar 25, 2026 at 02:53:52PM +0000, Steve McIntyre wrote: >Package: release.debian.org >Severity: normal >Tags: trixie >X-Debbugs-Cc: [email protected] >Control: affects -1 + src:shim >User: [email protected] >Usertags: pu > >Hi! > >This is a new upstream version of shim, built for trixie. This >includes some SBAT-based revocations, plus a range of >security updates from upstream. > >We also want to get a new shim built and signed by Microsoft using >both the old and new UEFI CA root keys, to extend our Secure Boot >support to cover both older and newer machines. The old CA root >expires in June, but Microsoft have said they will happily continue to >sign with that up until the end of its life. > >As always with shim, I've reviewed every upstream code change. > >I'm *not* including a full debdiff as we've moved three upstream >releases from 15.8 to 16.1 here. The changes are not minimal, but in >the case of shim we need to be as close to upstream as possible for >the sake of getting stuff reviewed and signed. The only local patch to >the upstream source now is to fix building with the latest >binutils. There are some trivial changes to packaging. > >I've tested locally using CI and also by hand on various machines and >all looks good here. > >Obviously, once this is accepted and autobuilt I'll need to submit >things for review and signing elsewhere. Then we'll be want >shim-signed updating too. > >Please give me the go-ahead and I'll upload the new source. I know I've not given you much to go on here - is there anything I can do to help you more? I'm hoping to get the reviews for these builds pushed into Microsoft shortly, for which I need these to be accepted for *-pu building at least. Is that OK? Cheers, Steve -- Steve McIntyre, Cambridge, UK. [email protected] We don't need no education. We don't need no thought control.
