[SRU][J][PATCH 1/6] UBUNTU: [Packaging] Move and update signature inclusion list
Juerg Haefliger
juerg.haefliger at canonical.com
Mon Jan 23 09:30:17 UTC 2023
Sorry for the late reply. Just stumbled over your reply :-(
> On 15.12.22 08:27, Juerg Haefliger wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1642368
> >
> > Move the signature inclusion list from the source tree to the debian/
> > directory to keep the upstream source clean. While at it, remove modules
> > that are no longer in the staging area.
> >
> > Signed-off-by: Juerg Haefliger <juergh at canonical.com>
> > Acked-by: Tim Gardner <tim.gardner at canonical.com>
> > Signed-off-by: Andrea Righi <andrea.righi at canonical.com>
> >
> > (cherry picked from commit 4ec3305301067590bd5502ae09512883924d3d3f kinetic:linux)
> > Signed-off-by: Juerg Haefliger <juerg.haefliger at canonical.com>
> > ---
>
> I am a bit ambivalent with this set. On one side I understand that allowing all
> staging drivers can be a security problem. On the other hand Jammy was released
> that way and retracting signing means a regression for people under secure boot.
The current state can also be considered a security regression. So it's a
security vs a functional regression. I think the security regression is more
severe given that more people are affected by it.
> So this needs to be considered very carefully.
Well, if we keep jammy as-is people who are affected will just notice when
they upgrade from jammy since all later releases only sign the selected
staging drivers again.
> I stumbled over this change which
> modifies the list of modules to sign. It comes directly from Kinetic (v5.19) and
> drops drivers, claiming those are out of staging. But is this really true for
> Jammy (v5.15)?
Yes, I do try to do my job properly ;-)
Jammy 5.15:
./fs/exfat
./drivers/net/wireless/realtek/rtlwifi/rtl8192c
./drivers/net/wireless/realtek/rtlwifi/rtl8192ce
./drivers/net/wireless/realtek/rtlwifi/rtl8192cu
./drivers/net/wireless/realtek/rtlwifi/rtl8192de
./drivers/net/wireless/realtek/rtlwifi/rtl8192ee
./drivers/net/wireless/realtek/rtlwifi/rtl8192se
...Juerg
> -Stefan
>
> > {drivers/staging => debian}/signature-inclusion | 7 -------
> > 1 file changed, 7 deletions(-)
> > rename {drivers/staging => debian}/signature-inclusion (73%)
> >
> > diff --git a/drivers/staging/signature-inclusion b/debian/signature-inclusion
> > similarity index 73%
> > rename from drivers/staging/signature-inclusion
> > rename to debian/signature-inclusion
> > index 7e937c7fc0e3..f919d4dfddfa 100644
> > --- a/drivers/staging/signature-inclusion
> > +++ b/debian/signature-inclusion
> > @@ -2,13 +2,6 @@
> > # This file lists the staging drivers that are safe for signing
> > # and loading in a secure boot environment with signed module enforcement.
> > #
> > -exfat.ko
> > -rtl8192c-common.ko
> > -rtl8192ce.ko
> > -rtl8192cu.ko
> > -rtl8192de.ko
> > -rtl8192ee.ko
> > -rtl8192se.ko
> > r8188eu.ko
> > r8192e_pci.ko
> > r8192u_usb.ko
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230123/167ebb13/attachment.sig>
More information about the kernel-team
mailing list