Possibly demote fwupdate to universe?
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd |
Invalid
|
Undecided
|
Unassigned | ||
fwupdate (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
fwupdate-signed (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
snapd (Ubuntu) |
Invalid
|
Undecided
|
John Lenton |
Bug Description
In cosmic there has been a major transition in the firmware updating stack. fwupdate's library and EFI application were subsumed into fwupd 1.1.0+.
fwupd will manage the installation of the EFI binary now at runtime. fwupdate is still around as a reference implementation that doesn't use glib or support CAB packaged files.
As such should fwupdate be dropped down to universe and fwupdate-signed be dropped from the archive?
I'm hesitant to say yes because it's used in system-image seed and installed into ubuntu core. I don't know how this will affect Ubuntu core.
If it is decided to demote to universe and drop the signed package then the packaging needs to be configured to strip the generation of the EFI signing archive too.
Related branches
- Ubuntu Core Development Team: Pending requested
-
Diff: 2171 lines (+1831/-0) (has conflicts)48 files modifiedSTRUCTURE (+31/-0)
boot (+3/-0)
build-essential (+3/-0)
cloud-image (+11/-0)
desktop (+65/-0)
desktop-default-languages (+17/-0)
desktop-minimal (+169/-0)
desktop-minimal-default-languages (+17/-0)
desktop.minimal-remove (+190/-0)
development (+85/-0)
doc/langpacks.txt (+17/-0)
installer (+3/-0)
lamp-server (+13/-0)
languages/STRUCTURE (+16/-0)
languages/desktop-de (+24/-0)
languages/desktop-en (+27/-0)
languages/desktop-es (+20/-0)
languages/desktop-fr (+19/-0)
languages/desktop-it (+19/-0)
languages/desktop-minimal-de (+11/-0)
languages/desktop-minimal-en (+7/-0)
languages/desktop-minimal-es (+11/-0)
languages/desktop-minimal-fr (+11/-0)
languages/desktop-minimal-it (+11/-0)
languages/desktop-minimal-pt (+11/-0)
languages/desktop-minimal-ru (+11/-0)
languages/desktop-minimal-zh (+23/-0)
languages/desktop-pt (+24/-0)
languages/desktop-ru (+16/-0)
languages/desktop-zh (+9/-0)
live (+35/-0)
mail-server (+17/-0)
minimal (+3/-0)
openssh-server (+10/-0)
print-server (+15/-0)
required (+3/-0)
samba-server (+17/-0)
server (+65/-0)
server-ship (+277/-0)
server-ship-live (+45/-0)
ship (+69/-0)
ship-live (+35/-0)
standard (+3/-0)
supported (+212/-0)
supported-desktop-extra (+62/-0)
supported-kiosk (+6/-0)
system-image (+46/-0)
wsl (+17/-0)
Here is the IRC transcript that prompted this bug:
<superm1> hi can an AA remove and block these from syncing https:/ /launchpad. net/ubuntu/ +source/ fwupdate- amd64-signed https:/ /launchpad. net/ubuntu/ +source/ fwupdate- arm64-signed https:/ /launchpad. net/ubuntu/ +source/ fwupdate- i386-signed ? They're causing problems with https:/ /launchpad. net/ubuntu/ +source/ fwupdate- signed/ 1.20 archive. ubuntu. com/ubuntu/ dists/cosmic- proposed/ main/uefi/ fwupdate- amd64/current/ fwupx64. efi.signed http:// archive. ubuntu. com/ubuntu/ dists/cosmic- proposed/ main/uefi/ fwupd-amd64/ 1.1.1-1/ fwupdx64. efi.signed why are there two of these? /git.launchpad. net/~ubuntu- core-dev/ ubuntu- seeds/+ git/platform/ commit/ ?id=e44246ad2a6 5dacc3e816715d0 df7bd86cd9a2ac
<slangasek> superm1: hi! I had noticed things going on there and wanted to ask why both fwupd and fwupdate are now producing artifacts for EFI signing
<slangasek> maybe that's all resolved now and we only need to handle the -signed packages now
<superm1> slangasek, i sent some mail to sil2100 to explain it all
<superm1> but i guess that didn't float around to everyone that needs to know
<slangasek> yes, emailing an individual has that effect :)
<superm1> heh. so basically starting with fwupd 1.1.0 the library and EFI binaries were subsumed into the fwupd project
<superm1> they are installed dynamically at runtime now
<superm1> lots of various reasons for this, but the general expectation is that due to this change less bugs, better control on the process, easier to support problems
<superm1> the fwupdate project still exists and can be treated as a simple reference implementation of EFI firmware updates if you don't care about all the other stuff
<superm1> in my mind fwupdate and fwupdate-signed should move to universe in cosmic
<slangasek> superm1: http://
<superm1> see above two comments
<slangasek> so
<superm1> I unseeded fwupdate for this purpose on the next meta upload: https:/
<slangasek> we shouldn't be signing two streams of EFI binaries
<slangasek> we shouldn't be signing something that's just a "reference implementation"
<cyphermox> moo?
<superm1> Moo
<slangasek> and it's regrettable if sil2100 accepted these for signing on the basis of your conversation
<slangasek> we should instead drop the signing request bits from the package
<superm1> Debian is still going to sign both of them
<slangasek> I'm not responsible for Debian's EFI keys :)
<superm1> and let folks decide if they want to use one or the other
<cyphermox> oh my
<superm1> Sledge told me that infinity and cjwatson had interest in Debian's EFI signing system as well and are going to look into it. If Ubuntu adopts something akin to it it will be more difficult to drop the signed bits only from Ubuntu for fwupdate
<slangasek> sorry, if Ubuntu adopts something akin to what?
<superm1> the signing process for EFI binaries
<slangasek> ok
<superm1> right now what happens in Debian is that template packages are created and go itno the archive as binary packages
<slangasek> so, regardless, my expectation is that the set of objects signed with the EFI key will be gated on archive admin signoff
<superm1> a signing service runs and installs these template packages and produ...