On Tue 22 Jun 2021 at 08:59:13 (+0100), Gareth Evans wrote:
> A recent dist-upgrade on Buster (in a scripted cron job run at 01:00 daily)
> failed due to apt-listbugs complaining about the boot-breaking bug in
> shim-signed, and pinning v1.33 in the process.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990082

AFAICT it looks as though you were just a victim of bad timing.
I happened to upgrade the point release at Start-Date: 2021-06-19 17:27:11,
and my term.log shows:

Setting up fluidsynth (1.1.11-1+deb10u1) ...
Setting up shim-helpers-amd64-signed (1+15.4+5~deb10u1) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
Setting up python-libxml2 (2.9.4+dfsg1-7+deb10u2) ...
Setting up shim-signed:amd64 (1.36~1+deb10u1+15.4-5~deb10u1) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
Secure Boot not enabled on this system.
Processing triggers for mime-support (3.62) ...

By 01:00 next morning, the grave bug stopped your upgrade from finishing.
I guess that's a disadvantage of unattended upgrades: you don't see the
bug reports as they occur. (I download any updates automatically, which
serves as an announcement, but always upgrade manually.)

> The next (manual) dist-upgrade removed shim-signed v1.33
>
> $ cat /var/log/apt/history.log
> Start-Date: 2021-06-20 18:33:29
> Commandline: apt-get -y dist-upgrade
> Requested-By: xxxxxxxxx (1000)
> Upgrade: shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7,
> 1.36~1+deb10u1+15.4-5~deb10u1)
> Remove: shim-signed:amd64 (1.33+15+1533136590.3beb971-7)
> End-Date: 2021-06-20 18:33:30
>
> unattended-upgrades (which I had forgotten was installed) upgraded some
> related packages earlier the same day, but not shim-signed itself:
>
> $ cat /var/log/apt/history.log
> Start-Date: 2021-06-20 06:26:31
> Commandline: /usr/bin/unattended-upgrade
> Upgrade: shim-helpers-amd64-signed:amd64 (1+15+1533136590.3beb971+7+deb10u1,
> 1+15.4+5~deb10u1), shim-unsigned:amd64 (15+1533136590.3beb971-7+deb10u1,
> 15.4-5~deb10u1)
> End-Date: 2021-06-20 06:26:34
>
> The only references to shim-signed in apt history logs were the initial
> Buster installation, and the recent removal:
>
> /var/log/apt$ grep -n "shim-signed:" history.log*
> history.log:209:Remove: shim-signed:amd64 (1.33+15+1533136590.3beb971-7)
> history.log.6:33:Install: [...] shim-signed:amd64
> (1.33+15+1533136590.3beb971-7) [...]
>
>
> As I don't currently use secure boot, I ignored the bug warnings when I
> reinstalled it and dependencies (the buster-updates version per the email
> from debian-stable-announce yesterday
> https://lists.debian.org/debian-stable-announce/2021/06/msg00001.html

AIUI that's the correct thing to do in our situation. (It's an upgrade
rather than a reinstall: my new shim-signed{,-common} debs arrived at
noon yesterday.)

> ...but still:
>
> $ apt policy shim-signed
> shim-signed:
> Installed: 1.36~1+deb10u2+15.4-5~deb10u1
> Candidate: 1.36~1+deb10u2+15.4-5~deb10u1
>
> $ apt-listbugs list shim-signed
> Retrieving bug reports... Done
> Parsing Found/Fixed information... Done
> grave bugs of shim-signed (→ ) <Outstanding>
> b1 - #990082 - High chance of boot problems with buster's version of arm64
> shim
> grave bugs of shim-signed (→ ) <Resolved in some Version>
> b2 - #987991 - shim-signed: Recent dbx update blacklists shimx64.efi
> (1.33+15+1533136590.3beb971-7) (Fixed: shim-signed/1.34)
> Summary:
> shim-signed(2 bugs)
>
> $ apt-listbugs list shim-signed-common
> critical bugs of shim-signed-common (→ ) <Outstanding>
> b1 - #990158 - shim-signed-common: No UEFI boot with error "Could not create
> MokListXRT"
> Summary:
> shim-signed-common(1 bug)
>
> Is this referring to the non buster-updates package?

No. But I don't use secure boot, so I haven't been following along with
the shim's problem. (That is the same state of play shown by my system.)

> Can anyone enlighten me as to:
>
> Why might shim-signed v1.33 have been removed by dist-upgrade despite the
> previous upgrade attempt having been aborted by apt-listbugs?

$ aptitude why shim-signed
i grub-efi-amd64 Depends grub-efi-amd64-bin (= 2.02+dfsg1-20+deb10u4)
i A grub-efi-amd64-bin Recommends grub-efi-amd64-signed
i A grub-efi-amd64-signed Recommends shim-signed
$

so I have no dependency, only a Recommends. I don't know your option
settings, nor how they (or mine) react to a broken package, but apt-get
*dist-*upgrade certainly has the privilege of removing packages in order
to reach a satisfactory state.

> What's the best way to reinstall an older package version and its old
> dependencies if affected by something like this, and it isn't to be found in
> /var/cache/apt/archives?

In this case, you would probably follow Steve's instructions in the bug
report. And in general, you could use the pkg_version_number options in,
say, apt-get to downgrade. (As it says, with care.)

Nice to see a report where all the necessary info and logs are laid out.

Cheers,
David.
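
Added example, not part of either poster's message: a small Python parser for the history.log stanza format quoted in the thread, which reports every apt run that removed a package without installing it again in the same run (the situation described for shim-signed). The sample stanzas are rebuilt from the excerpts above with wrapped lines rejoined; the function names are this example's own.

```python
import re

# Sample stanzas rebuilt from the history.log excerpts quoted in the thread
# (wrapped lines rejoined). Function names below are illustrative only.
SAMPLE_LOG = """\
Start-Date: 2021-06-20 06:26:31
Commandline: /usr/bin/unattended-upgrade
Upgrade: shim-helpers-amd64-signed:amd64 (1+15+1533136590.3beb971+7+deb10u1, 1+15.4+5~deb10u1), shim-unsigned:amd64 (15+1533136590.3beb971-7+deb10u1, 15.4-5~deb10u1)
End-Date: 2021-06-20 06:26:34

Start-Date: 2021-06-20 18:33:29
Commandline: apt-get -y dist-upgrade
Requested-By: xxxxxxxxx (1000)
Upgrade: shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7, 1.36~1+deb10u1+15.4-5~deb10u1)
Remove: shim-signed:amd64 (1.33+15+1533136590.3beb971-7)
End-Date: 2021-06-20 18:33:30
"""

ACTIONS = ("Install", "Reinstall", "Upgrade", "Downgrade", "Remove", "Purge")
# One entry looks like "name:arch (version[, second-version-or-flag])".
ENTRY = re.compile(r"([^\s,:()]+):([^\s,()]+) \(([^)]*)\)")


def parse_history(text):
    """Yield one dict per apt run (stanzas are separated by blank lines)."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        run = {"start": fields.get("Start-Date"), "cmd": fields.get("Commandline"), "changes": []}
        for action in ACTIONS:
            for name, arch, vers in ENTRY.findall(fields.get(action, "")):
                run["changes"].append((action, name, arch, vers.split(", ")))
        yield run


def removals_without_replacement(text):
    """Removed packages that the same run did not install again."""
    found = []
    for run in parse_history(text):
        installed = {n for a, n, _, _ in run["changes"] if a in ("Install", "Reinstall")}
        for action, name, arch, vers in run["changes"]:
            if action in ("Remove", "Purge") and name not in installed:
                found.append((run["start"], run["cmd"], name, vers[0]))
    return found


if __name__ == "__main__":
    for start, cmd, name, version in removals_without_replacement(SAMPLE_LOG):
        print(f"{start}  {cmd!r} removed {name} {version}")
```

On a real system the same functions can be fed the contents of /var/log/apt/history.log; rotated logs are gzip-compressed and need decompressing first.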