
[bookworm] Set Protected: yes for -signed packages so they cannot easily be removed

Luca Boccassi requested to merge bluca/grub:bookworm into bookworm

This ensures that the = depends in grub-efi-amd64-signed does not cause it to be removed when it is out of sync with src:grub2

(cherry picked from commit ba5ad2ad)

Also enable Salsa CI and configure it for stable.

Tested on bookworm+amd64+uefi+sb by taking the package built on Salsa, doing local signatures with a cert enrolled in mok, and building the signed package with the Protected field from the template package.

root@debian:~# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@debian:~# dpkg -l | grep grub
ii  grub-common                      2.06-13+deb12u1+salsaci+20241204+1   amd64        GRand Unified Bootloader (common files)
ii  grub-efi-amd64                   2.06-13+deb12u1+salsaci+20241204+1   amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii  grub-efi-amd64-bin               2.06-13+deb12u1+salsaci+20241204+1   amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 modules)
ii  grub-efi-amd64-signed            1+2.06+13+deb12u1+salsaci+20241204+1 amd64        GRand Unified Bootloader, version 2 (amd64 UEFI signed by Debian)
ii  grub-efi-amd64-signed-template   2.06-13+deb12u1+salsaci+20241204+1   amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 signing template)
ii  grub2-common                     2.06-13+deb12u1+salsaci+20241204+1   amd64        GRand Unified Bootloader (common files for version 2)
root@debian:~# apt remove grub-efi-amd64-signed
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  grub-efi-amd64-signed
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  grub-efi-amd64-signed
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 15.8 MB disk space will be freed.
E: Removing essential system-critical packages is not permitted. This might break the system.
#
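
The gap this change closes can be audited on an installed system: a `-signed` package that pins another package with a strict `=` dependency but lacks `Protected: yes` is the one a resolver may remove when versions drift. The sketch below is an added example, not part of this merge request or of the grub packaging; the stanzas are constructed sample data in dpkg status layout, and `example-efi-signed` and all function names are hypothetical.

```python
import re

# Constructed sample in dpkg status (deb822) layout; not copied from a real system.
SAMPLE_STATUS = """\
Package: grub-efi-amd64-signed
Status: install ok installed
Version: 1+2.06+13+deb12u1+salsaci+20241204+1
Depends: grub-common (>= 2.06-13), grub-efi-amd64-bin (= 2.06-13+deb12u1+salsaci+20241204+1)
Protected: yes

Package: example-efi-signed
Status: install ok installed
Version: 1+1.0
Depends: example-efi-bin (= 1.0-1),
 libc6 (>= 2.36)

Package: grub-common
Status: install ok installed
Version: 2.06-13+deb12u1+salsaci+20241204+1
"""

def parse_stanzas(text):
    """Yield each stanza as a dict of lower-cased field names; fold continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                key = key.strip().lower()
                fields[key] = value.strip()
        yield fields

def exact_depends(fields):
    """Names of packages pinned with a strict '=' relation in Depends."""
    pinned = []
    for clause in fields.get("depends", "").split(","):
        m = re.match(r"\s*([a-z0-9][a-z0-9+.\-]*)(?::\S+)?\s*\(\s*=\s*[^)]+\)", clause)
        if m:
            pinned.append(m.group(1))
    return pinned

def unprotected_signed(text, suffix="-signed"):
    """List (package, pinned deps) for -signed packages without Protected: yes."""
    findings = []
    for fields in parse_stanzas(text):
        name = fields.get("package", "")
        pinned = exact_depends(fields)
        if name.endswith(suffix) and pinned and fields.get("protected", "no").lower() != "yes":
            findings.append((name, pinned))
    return findings
```

On a real system the input would be the contents of `/var/lib/dpkg/status` instead of the embedded sample.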
