:: Re: [DNG] grub-efi-amd64-signed bug…
Top Page
Delete this message
Reply to this message
Author: Olaf Meeuwissen
Date:  
To: fsmithred
CC: dng
Subject: Re: [DNG] grub-efi-amd64-signed bug: hardcoded link -> unbootable system
Hi,

fsmithred via Dng writes:

> On 8/6/21 5:57 PM, Adrian Zaugg wrote:
>> In der Nachricht vom Friday, 6 August 2021 03:25:58 CEST steht:
>>> Which Beowulf iso did you use? I think we fixed this in the 3.1.1
>>> point-release isos, but you still may hit it on an upgrade.
>>
>> It happened on upgraded systems.
>>
>> Thanx for fixing the ISO.
>>
>> Don't you see a way to prevent the issue happening on upgraded systems, e.g.
>> blacklisting grub-efi-amd64-signed or using another mechanism?
>>
>> Regards, Adrian.
>>
>> BTW: I uninstalled grub-efi-amd64-signed without concern because of Debian bug
>> #906124 [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906124]
>
> If grub-efi-amd64-signed is getting installed on upgrade from ascii to
> beowulf, one way I can think of preventing it is to pin that package
> before doing the upgrade. For example:
>
> in /etc/apt/preferences.d/no-signed
>
> Package: grub-efi-amd64-signed
> Pin: release n=beowulf
> Pin-Priority: -1
>
> Aha! I see that grub-efi-amd64-bin Recommends grub-efi-amd64-signed, so
> another way to block it is to block Recommends.
>
> in /etc/apt/apt.conf.d/00norecommends
>
> APT::Install-Recommends "no";
>
> or else add '--no-install-recommends' to a command-line install.


While I personally have that set in my apt.conf.d somewhere, it may be a
bit drastic for the average user.

> I can't think of any clean ways for us to do this for the end user. Maybe
> someone else has a better idea.


I don't know if it's better but perhaps doing the upgrade of grub as a
separate first step, like so

apt-get install grub-efi-amd64-bin grub-efi-amd64-signed-

Note the trailing `-` which instructs apt-get to remove the package.
You may need to add an explicit version to grub-efi-amd64-bin for it
to actually upgrade. Something like

  apt-get install grub-efi-amd64-bin=2.02+dfsg1-20+deb10u4 \
          grub-efi-amd64-signed-


This is completely untested, so if apt-get starts barfing all kinds of
conflicts then I recommend *not* going ahead with this.

If all apt-get wants to do is upgrade and/or add a few packages to make
it work, that should be okay.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join