bionic is good, as soon as I add the bionic-proposed sources.list entry
(containing 1.37~18.04.10), the package is treated as essential.
# apt autoremove
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
efibootmgr grub-common grub-efi-amd64 grub-efi-amd64-bin
grub-efi-amd64-signed grub2-common libefiboot1 libefivar1 libfreetype6 mokutil
os-prober sbsigntool secureboot-db shim shim-signed
0 upgraded, 0 newly installed, 15 to remove and 0 not upgraded.
After this operation, 33.2 MB disk space will be freed.
Do you want to continue? [Y/n] ^C
# sudo vim /etc/apt/sources.list
# apt update
[...]
# apt autoremove
[...]
0 upgraded, 0 newly installed, 0 to remove and 29 not upgraded.
# apt remove shim-signed
[...]
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
shim-signed
0 upgraded, 0 newly installed, 1 to remove and 28 not upgraded.
After this operation, 1397 kB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'
** Description changed:
[Impact]
System unbootable because shim-signed was marked auto and removed during
upgrade.
[Test case]
- lxc launch ubuntu:focal shimtest
- lxc exec shimtest apt install shim-signed
- lxc exec shimtest apt-mark auto shim-signed
- lxc exec shimtest apt autoremove # check it's listed
- lxc exec shimtest mount -t tmpfs tmpfs /boot/efi # hack around check
- lxc exec shimtest do-release-upgrade -d
- lxc exec shimtest apt policy shim-signed # ensure shim is still there
+
+ Install shim-signed, mark autoremovable, and ensure that
+ 1. autoremove does not remove it
+ 2. removing manual triggers essential remove warning
[Regression potential]
Scripts removing shim-signed will fail and need to pass
--allow-remove-essential now.
[Original bug report]
I just did a set of package updates in focal that ended up with shim
shim-signed mokutil being autoremoved.
I rebooted without noticing, and had to manually recover the system
thereafter. :(
Julian says there was a period of time where these were marked auto. I
suppose that I installed during this window, and now some dependency
change meant that as far as apt was concerned they weren't required any
more.
Can we please consider never proposing these packages for autoremoval?
apt has NeverAutoRemove for this which could be used, or some other
appropriate method.
** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1898729
Title:
shim can end up being removed
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1898729/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
