[Bug 1955386] Please test proposed package

Ɓukasz Zemczak 1955386 at bugs.launchpad.net
Wed May 31 16:24:20 UTC 2023 

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd into bionic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/fwupd/1.2.14-0~18.04.3
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
bionic to verification-done-bionic. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-bionic. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1955386

Title:
  fwupd / fwupd-efi split on version 1.7.x

Status in OEM Priority Project:
  Fix Released
Status in fwupd package in Ubuntu:
  Fix Released
Status in fwupd-efi package in Ubuntu:
  Fix Released
Status in fwupd-signed package in Ubuntu:
  Fix Released
Status in fwupd source package in Bionic:
  Fix Committed
Status in fwupd-signed source package in Bionic:
  Fix Committed
Status in fwupd source package in Focal:
  Fix Released
Status in fwupd-signed source package in Focal:
  Fix Released
Status in fwupd source package in Impish:
  Fix Released
Status in fwupd-signed source package in Impish:
  Won't Fix

Bug description:
  [Impact]
  As the current fwupd is 1.7.x and it's fwupd / fwupd-efi source pkg has been splited, we need a new way of packaging and landing those in ubuntu.

  Likewise, on bionic we want to move to newer signed fwupd-efi binaries.
  [Test plan]
  Install fwupd-signed built from fwupd-efi and the new fwupd and check that it creates boot entry. We patched out building the UEFI binary only but kept the plugin, so we need to ensure the plugin still works correctly.

  [Where problems could occur]
  Could have messed up disabling the UEFI bits and then people can't do UEFI firmware upgrades anymore.

  [Other info]
  We do not have a task for fwupd-efi as it is binary copied and we can't add it to the changelog.

  [[bionic]]
  On bionic the implementation is as follows (which differs from later branches where we backported 1.7):

  - src:fwupd continues to build unsigned binaries and installs them,
  but does not submit them for signing.

  - src:fwupd-unsigned binaries are not installable together with fwupd,
  as fwupd < 1.7.7 is broken due to them locating the binaries in
  /usr/libexec. Hence they are only used as building input and not
  installed on end user systems. They don't have to be: insecure systems
  can continue to use the stub shipped in fwupd itself (previous point).

  - fwupd-signed is no longer provided on i386 and armhf. It is built
  from the binary-copied fwupd-efi now.

  How does this impact users?

  - Users without fwupd-signed installed will continue to use the old
  EFI stub shipped by fwupd itself.

  - Users on amd64 and arm64 with fwupd-signed installed will receive an
  upgrade to the fwupd-signed built from fwupd-efi 1.4. If secure boot
  is disabled, they'll continue to use fwupd's old EFI stub as fwupd
  only uses the .signed one if secure boot is enabled.

  - Users on i386 and armhf with fwupd-signed installed will remain with
  their installed fwupd-signed version.

  - Users on i386 and armhf installing fwupd freshly will pull in an
  older version of fwupd-signed from security until the new fwupd is
  released there. Not optimal. However, fwupd does not look for the
  .signed version if the boot was not secure.

  Alternatives:

  - We can add Breaks: fwupd-signed (<< 1.51) to fwupd, however this
  might be ill-advised: We want to make sure that the update to fwupd is
  actually being installed by apt upgrade and not kept back due to APT
  deciding keeping fwupd-signed installed is more important (on i386,
  armhf).

  - We can make fwupd always use a .signed version if available.
  Possibly later versions do. Introduces unnnecessary regression
  potential.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1955386/+subscriptions

More information about the foundations-bugs mailing list