Code review comment for ~eslerm/ubuntu-cve-tracker:grub2-boilerplate

Dimitri John Ledkov (xnox) wrote :

> trusty/esm_grub2: ignored (JUSTIFICATION NEEDED)

We cannot update secureboot-db because it would invalidate installer media, just like other ESM. We cannot update to new signing keys of kernel for trusty because GA trusty kernel lacks features needed by the new keys signing policies. This leaves grub as pointless to update, sort of, as it can be always circumvented. Separately secureboot on servers on Trusty is rarely used, making patching it sort of useless too. In essence, patching grub in trusty would only give a false sense of security.

We could upgrade grub2 to the new grub2-unsigned split. But that doesn't solve the installer problem.

I agree with everything else in the templates. I wonder if trusty ones need unique explanation or assessment. Or like case by case patching only if it affects secureboot.
