[Solved] Is it safe to remove the shim-signed-common package now?

On 2021/5/4, while running sudo apt full-upgrade to update, apt-listchanges reported:

shim-signed (1.34) unstable; urgency=medium

Debian no longer supports UEFI Secure Boot on arm64 systems

Shim and other EFI programs have always been difficult to build on
arm64, compared to x86 platforms. Binutils for amd64 and i386
includes explicit support for creating programs in the PE/COFF
binary format that EFI uses, but this has never been added for
arm64.

In the past, shim developers added some local hacks into the shim
package to generate a mostly-compliant PE/COFF EFI binary without
this toolchain support, and that seemed to be sufficient for
use. Everything seemed to work. However, during the development
and testing phase of shim 15.3 and 15.4, we found significant
issues with this approach. New security features needed in shim
(SBAT) showed up severe problems with the lack of proper toolchain
support. See rhboot/shim issue #366 on GitHub ("Significant problems
with Aarch64 (and Arm?) builds") for more details. The old hacks
around binutils are no longer sustainable.

Statistics tell us that very few people have attempted to use arm64
Secure Boot with Debian so far. In the interests of releasing needed
updates in a timely manner, we have decided for the time being to
disable signed shim support for Debian arm64.

We hope to re-introduce arm64 Secure Boot support as soon as
possible in the future.

 -- Steve McIntyre <93sam@debian.org>  Mon, 03 May 2021 18:28:58 +0100

It looks like this change mainly affects arm64 users; since I am on amd64, I should not be affected.
But right after that, apt said:

下列软件包是自动安装的而且不需要了:
shim-signed-common mokutil

It looks like the updated shim-signed package dropped its dependency on the shim-signed-common package. I looked at the changelog of shim-signed:

shim-signed (1.34) unstable; urgency=medium

  • Build against new signed binaries corresponding to 15.4-2
    Closes: #971129, #987991
  • WARNING: arm64 shim is no longer signed, due to major
    toolchain problems. See NEWS.Debian for more
    information. Separated out the binary package for arm64 to allow
    for a different description, and tweaked the Makefile too.
  • Update build-deps and Standards-Version
  • Tweak Makefile setup - do our verification testing chained from
    the “all” target, not “clean”. Closes: #936002
  • Don’t include apport stuff in the Debian build, it’s not useful.
  • Tweak dh_install* usage for docs.
  • Add Spanish translation for debconf templates, thanks to
    Camaleón. Closes: #987339
  • Multiple bugfixes in postinst and postrm handling:
    • Call grub-install using the correct grub target in postinst
    • Also call grub-install using the correct grub target in the
      postrm, and clean up the shim binary from the ESP
    • In each case, also check and use the correct configured options
      for grub-install
    • Move the postinst grub-install code from the -common package to
      the arch-specific packages, to make sure it’s always called when
      needed.
    • Only run grub-install etc. if we’re actually on an EFI-booted
      system.

 -- Steve McIntyre <93sam@debian.org>  Mon, 03 May 2021 20:13:04 +0100

The change relevant to this issue seems to be:

Move the postinst grub-install code from the -common package to
the arch-specific packages, to make sure it’s always called when
needed.

apt show shim-signed-common reports:

This package provides a minimalist boot loader which allows verifying signatures of other UEFI binaries against either the Secure Boot DB/DBX or against a built-in signature database. Its purpose is to allow a small, infrequently-changing binary to be signed by the UEFI CA, while allowing an OS distributor to revision their main bootloader independently of the CA.

This package contains common helper scripts for all versions of the shim-signed package.

So shim-signed-common is just some helper scripts, and the maintainer now considers that the shim-signed package no longer needs to depend on shim-signed-common, so the package should be safe to remove? Or should I keep it for now, in case the maintainer re-establishes the dependency between the two packages in the future? Any suggestions?

Note: I use NVIDIA's proprietary driver, so I have already disabled Secure Boot; the change to shim-signed should not have a major impact on me.

Update 2021/5/5: when running sudo apt full-upgrade, the shim-signed package received an update, and the updated shim-signed depends on shim-signed-common again, so the problem is solved.
Summary: this is another reminder that unstable users should not run sudo apt full-upgrade casually. Since unstable is usually at the leading edge of development, dependencies may be unstable, and one must be very careful about packages reported as automatically installed and no longer needed, and about packages that apt asks to remove.

There are a couple of things you can do in order to ease your life as a testing/sid user such as:

Use apt upgrade instead of apt full-upgrade to avoid unwanted removal of any packages that you depend on.

from DebianUnstable

apt(8):

upgrade (apt-get(8))

upgrade is used to install available upgrades of all packages currently installed on the system from the sources configured via sources.list(5). New packages will be installed if required to satisfy dependencies, but existing packages will never be removed. If an upgrade for a package requires the removal of an installed package the upgrade for this package isn’t performed.
full-upgrade (apt-get(8))

full-upgrade performs the function of upgrade but will remove currently installed packages if this is needed to upgrade the system as a whole.

The danger of apt full-upgrade is that it may wrongly remove packages when dependencies are broken; with careful checking, running it on the unstable distribution is not much of a problem.
Moreover, switching to apt upgrade would not solve the problem here. shim-signed-common could equally be removed automatically; apt full-upgrade did not ask to remove it.
I think apt full-upgrade can be used on unstable if one checks carefully. If it asks to remove unexpected packages, that indicates the dependencies have been broken, and the right thing to do is to hold off on updating for now.
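An added example, not code from this thread: a POSIX shell helper that implements the careful check the last reply describes, by dry-running the upgrade with `apt-get -s full-upgrade` and refusing to proceed when any package outside an allowlist would be removed. The sample apt output is constructed (versions invented), and the APT_AUDIT_RUN / APT_AUDIT_ALLOW variable names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a simulated `apt full-upgrade`
# (apt-get -s is a real apt option) before anything is changed on the system.
# APT_AUDIT_RUN and APT_AUDIT_ALLOW are assumed names, not apt settings.

# Constructed sample of `apt-get -s full-upgrade` output; versions are invented.
SAMPLE_SIM='The following packages were automatically installed and are no longer required:
  mokutil shim-signed-common
Use apt autoremove to remove them.
Inst shim-signed [1.33-1] (1.34 Debian:unstable [amd64])
Conf shim-signed (1.34 Debian:unstable [amd64])
Remv mokutil [0.1-1]'

# Package names on the "Remv" action lines of a simulated run.
removals_from_sim() {
    printf '%s\n' "$1" | awk '$1 == "Remv" { print $2 }'
}

# Packages apt reports as auto-installed and no longer required: the indented
# names that follow that header line, one per output line.
autoremovable_from_sim() {
    printf '%s\n' "$1" | awk '
        /automatically installed and are no longer required/ { grab = 1; next }
        grab && /^ / { for (i = 1; i <= NF; i++) print $i; next }
        grab { grab = 0 }'
}

# Print removals not in the space-separated allowlist $2; return 1 if any.
unexpected_removals() {
    _bad=0
    for _p in $(removals_from_sim "$1"); do
        case " $2 " in
            *" $_p "*) ;;
            *) echo "$_p"; _bad=1 ;;
        esac
    done
    return $_bad
}

# The real simulation runs only when explicitly requested.
if [ "${APT_AUDIT_RUN:-0}" = 1 ]; then
    sim=$(apt-get -s full-upgrade 2>&1) || { echo "simulation failed" >&2; exit 1; }
    echo "Would become autoremovable (keep one with: apt-mark manual <pkg>):"
    autoremovable_from_sim "$sim"
    if unexpected_removals "$sim" "${APT_AUDIT_ALLOW:-}"; then
        echo "No unexpected removals; proceed with: sudo apt full-upgrade"
    else
        echo "Unexpected removals listed above: hold off until dependencies settle" >&2
        exit 1
    fi
fi
```

Run it on the Debian host with APT_AUDIT_RUN=1; `apt-mark manual shim-signed-common` keeps a package out of autoremove while waiting for a dependency to return.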