On Tue, Sep 05, 2023 at 12:26:56PM -0400, M. Zhou wrote: > On Tue, 5 Sep 2023 18:11:55 +0200 "Miguel A. Vallejo" > <ea4...@gmail.com> wrote: > > M. Zhou wrote: > > > > > But after that I noticed that the most important > > > package grub-efi-amd64-signed:amd64 (1+2.06+13, > > > 1+2.12~rc1+7) was not upgraded along with the other > > > grub packages. > > > > You are right. I revised apt log and grub-efi-amd64-signed was NOT > > updated, in fact, the version I have installed now is 1+2.06+13, but > > all other grub packages haveĀ 2.06-3~deb11u5. > > > > Now, if I run apt update, and apt list --upgradable it shows: > > > > grub-common/unstable 2.12~rc1-7 amd64 [upgradable from: 2.06- > 3~deb11u5] > > grub-efi-amd64-bin/unstable 2.12~rc1-7 amd64 [upgradable from: 2.06- > 3~deb11u5] > > grub-efi-amd64-signed/unstable 1+2.12~rc1+7 amd64 [upgradable from: > 1+2.06+13] > > grub-efi-amd64/unstable 2.12~rc1-7 amd64 [upgradable from: 2.06- > 3~deb11u5] > > grub2-common/unstable 2.12~rc1-7 amd64 [upgradable from: 2.06- > 3~deb11u5] > > > > > > All of them with version 2.12~rc1-7 > > > > Is it safe to upgrade now? I'll wait a bit until I hear from the > > package maintainers. > > I am able to boot with 2.12~rc1-7 now. And my currrent status is > > grub-common/unstable,now 2.12~rc1-7 amd64 [installed] > grub-efi-amd64-bin/unstable,now 2.12~rc1-7 amd64 [installed,automatic] > grub-efi-amd64-signed/unstable,now 1+2.12~rc1+7 amd64 > [installed,automatic] > grub-efi-amd64/unstable,now 2.12~rc1-7 amd64 [installed,automatic] > grub2-common/unstable,now 2.12~rc1-7 amd64 [installed,automatic] > > I reinstalled grub using 2.12~rc1-7. > But I still cannot guarantee it is safe to upgrade. > > > I believe the issue is the missing versioned dependency, which > allowed partial upgrade. > > If you check the testing, you will find that > > grub-efi-amd64-signed/1+2.06+13 Depends: grub-common (>= 2.06-13) > > Then, if we upgrade grub-common to 2.12~rc1-7, without > upgrading grub-efi-amd64-signed itself, then the boot is broken. > > TLDR: the boot is broken with the following partial upgrade: > grub-common/2.12~rc1-7 > grub-efi-amd64-signed/2.06+13 > > A possible fix might be specifying > Depends: grub-common (>= 2.12~rc1-7)), grub-common (<= 2.13~) > to prevent incompatible grub-common and grub-efi-amd64-signed > from co-existing. Although it does not help this time. >
Thanks for confirming this, this makes sense, if you boot without secure boot, the signed grub 2.06 could then try to upload incompatible modules from 2.12~rc1 and crash. The 2.12~rc1-8 and -9 uploads change this in two steps to avoid this by making the signed package require a matching unsigned one again, and by making the existing -bin package Breaks << 1+2.12~rc1 such that you cannot partially upgrade those with incompatible older grubs. -- debian developer - deb.li/jak | jak-linux.org - free software dev ubuntu core developer i speak de, en