XPost: linux.debian.maint.boot
To: debian-boot@lists.debian.org

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------Q2HZ3DMfUbvhNuYxcXb1Rg1Z
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

RGVhciBSZWxlYXNlIFRlYW0gY29sbGVhZ3VlcywgZGVhciBCb290IHRlYW0gY29sbGVhZ3Vl cywNCg0KSSBqdXN0IHNlbnQgb3V0IGEgYml0cyBmcm9tIHRoZSBSVCB3aGVyZSBJJ20gY2xh aW1pbmcgdGhhdCBib29rd29ybSBpcyANCmluIGEgZ29vZCBzdGF0ZS4gQW5kIG5vdyBJJ20g Z29pbmcgdG8gYmUgZXh0cmVtZWx5IGJvbGQgbm93OiBhaW0gZm9yIHRoZSANCnNob3J0ZXN0 IGZyZWV6ZSBpbiBEZWJpYW4gaGlzdG9yeS4gV2hhdCBkbyBwZW9wbGUgdGhpbmsgb2YgdGhl IGlkZWEgdG8gDQpzdGFydCBwaWNraW5nIGEgcmVsZWFzZSBkYXRlIGFscmVhZHk/DQoNClll cywgSSBrbm93IHRoZSBkZWJpYW4taW5zdGFsbGVyIGlzIG5vdCBhIGRvbmUgZGVhbCwgc28g a2liaSwgcGxlYXNlIGxldCANCnVzIGtub3cgd2hlcmUgeW91IHRoaW5rIHdlIHN0YW5kIHdp dGggZC1pIChicmllZmx5IGlzIE9LLCBJIGtub3cgeW91IA0Kbm9ybWFsbHkgcmVwb3J0IGV4 dGVuc2l2ZWx5IGVsc2V3aGVyZSkgYW5kIHdoZW4geW91IHRoaW5rIGQtaSBjYW4gDQpyZWFs aXN0aWNhbGx5IGJlIGluIGEgcmVsZWFzYWJsZSBzdGF0ZS4gKFNheWluZzogImluIEp1bmUi IGlzIGZpbmUsIHRoYW4gDQp3ZSBjYW4gcGxhbiBhY2NvcmRpbmdseSkuDQoNCkFkYW0sIEkg dGhpbmsgd2UnZCBhbHNvIHdhbnQgdG8gZG8gYSBwb2ludCByZWxlYXNlIGJlZm9yZSB0aGF0 IHRpbWUsIA0KZS5nLiB0byBpbmNsdWRlIGEgZml4IGZvciBidWcgIzEwMjk4MDMuIFdoYXQg ZG8geW91IHRoaW5rIGFib3V0IGl0Pw0KDQpJJ20gbm90IGF3YXJlIG9mIGRpZmZpY3VsdCBi bG9ja2VycywgZGlkIEkgbWlzcyBhIGJ1ZyBoZXJlIG9yIHRoZXJlPyBJdCANCndvdWxkIGJl IGdvb2QgdG8gcG9pbnQgdXMgZGlyZWN0bHkgYXQgaXQuDQoNClBhdWwNCi9tZSBjcm9zc2Vz IGhpcyBmaW5nZXJzLg0K

--------------Q2HZ3DMfUbvhNuYxcXb1Rg1Z--

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAmPv6f0FAwAAAAAACgkQnFyZ6wW9dQrY Nwf/TGgcwceWrB3CByndjxwpa7sMgE0Yf15kXTWzoAXiv3zU+Gwpf8QtqMN/6lIxxMIrfd6UWnid 0Ubu0Gz6FDGPs8/LrCx+vG2ofYEY58s8ThOO5QjK959iPadUGb7ypx/WG1q74bdhR5NdBZDT6m2U cUSQbOAtr4R/aVqFNbCP0/S/0FJvI60uP55SandfJLZbUoDjza7o1uj3LwHctBHykxIvpOR3HrCN zwGCEloUsXBX4pGU5nAah5+1ygtdrotVGMXR80dk/JhJtxx4L6V+Co9+fk+ugcN8h81DF8CV0Uof JD0yCDg7+7uXL0lN7lJFW2IbomJzpGNS9QMOxG3sVQ==
=NSX1
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.boot

Hi Paul,

Paul Gevers <elbrus@debian.org> (2023-02-17):

Yes, I know the debian-installer is not a done deal, so kibi, please
let us know where you think we stand with d-i (briefly is OK, I know
you normally report extensively elsewhere) and when you think d-i can realistically be in a releasable state. (Saying: "in June" is fine,
than we can plan accordingly).

----BEGIN VERY WILD GUESS----

With a release going out this week-end, I think the next one with
bugfixes or improvements based on user or developer feedback couldn't
happen before 2 weeks. And I'd expect 2 more releases after that to iron
things out, with at least 1 week between each.

That'd mean end of March, beginning April at the soonest.

Depending on what we encounter, and possible changes in other packages
in the archive, we might have various delays, so it's probably best to
add 2-4 extra weeks to that.

I'll let Steve comment on the bootloader aspect (brand new shim just
arrived, not sure how much time / how many iterations we might need to
get it in shape for bookworm; plus we've gotten some fixes in grub but I
think some further changes are planned).

----END VERY WILD GUESS----


Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmPwA1wACgkQ/5FK8MKz VSB9cQ//e8PhEg3DbeVDV2DTFasngg4wmI4Tt5Cv8zLBJf/3LND+u2Z19WVAsdHX b0xG+Ur5JXv9G8hb6XZ/MUIjs8FxVtZQ5JHF3tHDis15913HM6sAD4W2uz1SY+2c RHqtNlah8tYm9Pdr29mn9Frd3o3I3dZA2+UhI+XQ6My4w6lUBzpLkPFscRDQDJwB 0PsjBlKOR/ask3gi8md6tf7SW7o3F9bJFJuTvyvro4+XGxBNAiNoBqYO467mknxN xrZUpN0zddxBBlf/YtXkYl4OX5Rew+u3rWdSjJ2yWuy6t0BB3XNnWYlWPPv6r6Eu 8wewtAvf4MbVrelq9lCmL00ksIXEB1akHWXrGLK7UN7Wvfrj7l9Lln+H/1HfQMja YOIAvIRFqy1E5DkYUvlWhfBtt9WGy+Ld/EbS+Rz0nHKDH364w//Yama+MuAut7EL teh66D7iszkHDMmKSM03zizRirD4w4EIwbAHnxfvnRHkdqb3R2uED2wJqH3PKib0 Xclmk3gjjpP+ETCLUYql7YAxDDNktwThw24W2nomPummFnKob6B3Pcn1wenS6zqP UdNm5lxQD6kvAPj768aHmSbbjJxbEPUaLkbFMi7VErmfz9ghg3ondtJX5URJTOnZ XP6CDfPLDHrmuemvX435JgYAOEmXgTOIe17/Kpl/Kr/ECpZeid4=
=cuFM
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
*

XPost: linux.debian.maint.boot

Hey folks,

Cyril and I are in broad agreement on stuff, just adding a couple of
points...

On Fri, Feb 17, 2023 at 11:44:47PM +0100, Cyril Brulebois wrote:

Hi Paul,

Paul Gevers <elbrus@debian.org> (2023-02-17):

Yes, I know the debian-installer is not a done deal, so kibi, please
let us know where you think we stand with d-i (briefly is OK, I know
you normally report extensively elsewhere) and when you think d-i can
realistically be in a releasable state. (Saying: "in June" is fine,
than we can plan accordingly).

----BEGIN VERY WILD GUESS----

With a release going out this week-end, I think the next one with
bugfixes or improvements based on user or developer feedback couldn't
happen before 2 weeks. And I'd expect 2 more releases after that to iron >things out, with at least 1 week between each.

That'd mean end of March, beginning April at the soonest.

Depending on what we encounter, and possible changes in other packages
in the archive, we might have various delays, so it's probably best to
add 2-4 extra weeks to that.

+1

I'll let Steve comment on the bootloader aspect (brand new shim just
arrived, not sure how much time / how many iterations we might need to
get it in shape for bookworm; plus we've gotten some fixes in grub but I >think some further changes are planned).

Exactly. I'm just doing the packaging updates for shim-signed now, and obviously I'll be doing a lump of testing too. I don't expect any more
updates for *shim* itself before bookworm, but there might be a couple
of rounds of bugfixing and testing for shim-signed here.

Grub could do with a bit more effort. There are a few edge-cases I'd
like to pick up on, and (as you know!) quite a few RC bugs yet. Now we
have a working arm64 shim, I suspect there will be a little more work
needed to validate arm64 SB; I think we might be missing some needed
patches there. Maybe 3-4 weeks for grub stuff altogether </handwave>.

--
Steve McIntyre, Cambridge, UK. steve@einval.com You lock the door
And throw away the key
There's someone in my head but it's not me

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.boot
To: debian-boot@lists.debian.org

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------tp0zS38hPHiSkUX9ovKSMbi8
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

SGkgYWxsLA0KDQpPbiAxOC0wMi0yMDIzIDAwOjU3LCBTdGV2ZSBNY0ludHlyZSB3cm90ZToN Cj4gT24gRnJpLCBGZWIgMTcsIDIwMjMgYXQgMTE6NDQ6NDdQTSArMDEwMCwgQ3lyaWwgQnJ1 bGVib2lzIHdyb3RlOg0KPj4gVGhhdCdkIG1lYW4gZW5kIG9mIE1hcmNoLCBiZWdpbm5pbmcg QXByaWwgYXQgdGhlIHNvb25lc3QuDQoNCj4+IGl0J3MgcHJvYmFibHkgYmVzdCB0bw0KPj4g YWRkIDItNCBleHRyYSB3ZWVrcyB0byB0aGF0Lg0KPiANCj4gKzENCg0KVGhhbmtzIGtpYmkg YW5kIFNsZWRnZSBmb3IgdGhlIGZlZWRiYWNrLiBXaXRoIHN1Y2ggYSB0aW1lIGxpbmUgSSBw cm9wb3NlIA0Kd2UgZGVsYXkgdGhlIGRpc2N1c3Npb24gb2YgYSByZWxlYXNlIGRhdGUgYnkg YXQgbGVhc3QgYSBtb250aC4gSW4gbXkgDQpleHBlcmllbmNlLCB3ZSdyZSBhYmxlIHRvIGZp bmQgYSBkYXRlIGFwcHJveGltYXRlbHkgNiB3ZWVrcyBhaGVhZCwgc28gDQp3aXRoIH5lbmQg QXByaWwgYXQgdGhlIGVhcmxpZXN0LCB3ZSdsbCBoYXZlIHNvbWUgdGltZS4gVGhhdCB3aWxs IGFsc28gDQplbmFibGVzIHVzIHRvIGp1ZGdlIGJldHRlciBpZiB0aGF0J3MgKHN0aWxsKSBm ZWFzaWJsZSBmcm9tIGFsbCB0aGUgb3RoZXIgDQphbmdsZXMgdG9vLg0KDQpQYXVsDQo=

--------------tp0zS38hPHiSkUX9ovKSMbi8--

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAmPxIeQFAwAAAAAACgkQnFyZ6wW9dQrW WAgAnChxP2ws/36E5vy+TFQDqoXO5/NeVOne8YgU1+C87GLuxui+cC2AhqiI4T9/DiMdaTp537K/ wo4Nbht457mDlJV2mxc4w86qNiFcSsH3vAq19fgr4Xu+55T+XIxV4bsqjPZAsObRkoEXEw5oDDEB Txl4OIDWnK1gS6Ra7Y1SDoDgbHA4TbKH7fZ09so+F1SAmafsw4NVmbDWANpiJ1dVhasEoWVvGEHW SnErDfTow5eskwtdma1ccBZktDE3YA/sGZvTsq2hUocIqPXS5VheR7hqoW35fuVVBQ/empCFcRkv sODVIPUEXBS51XU81K/zyHv3c6hGJMlXhwnrMqTnTw==
=JG8w
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.boot

Hi,

Sorry for the delayed reply, apparently I'm further behind than I
realised. :-(

On Fri, 2023-02-17 at 21:56 +0100, Paul Gevers wrote:
[...]

What do people think of the idea
to start picking a release date already?

[...]

Adam, I think we'd also want to do a point release before that time,
e.g. to include a fix for bug #1029803. What do you think about it?

Yes. We also really want to get a debian-archive-keyring update into
bullseye before the release, or we can't use the new keys to sign the
bookworm release files. But first we need to get it into unstable. I'm
aware that we're very late here, sorry. :-(

ftp-master have now published their bookworm keys, so we can get those incorporated. For the SRM side, you probably saw that we've been
considering moving to an EC key. From the very limited responses to the discussion I started on debian-release, I'm still not entirely sure if
that's feasible / a good idea.

It would also be good to finally get the shim updates into bullseye at
the same time, unless Steve tells me that's a bad plan. :-)

Regards,

Adam

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.boot

On Thu, Mar 09, 2023 at 05:05:28PM +0000, Adam Barratt wrote:

Sorry for the delayed reply, apparently I'm further behind than I
realised. :-(

:-/ *hugs*

On Fri, 2023-02-17 at 21:56 +0100, Paul Gevers wrote:
[...]

What do people think of the idea
to start picking a release date already?

[...]

Adam, I think we'd also want to do a point release before that time,
e.g. to include a fix for bug #1029803. What do you think about it?

Yes. We also really want to get a debian-archive-keyring update into
bullseye before the release, or we can't use the new keys to sign the >bookworm release files. But first we need to get it into unstable. I'm
aware that we're very late here, sorry. :-(

ftp-master have now published their bookworm keys, so we can get those >incorporated. For the SRM side, you probably saw that we've been
considering moving to an EC key. From the very limited responses to the >discussion I started on debian-release, I'm still not entirely sure if
that's feasible / a good idea.

It would also be good to finally get the shim updates into bullseye at
the same time, unless Steve tells me that's a bad plan. :-)

:-) I uploaded the latest signed shim last night expressly to have it
in the next bullseye point release. Do you want an unblock for that?

I'm also looking at some (small!) updates for grub too.

--
Steve McIntyre, Cambridge, UK. steve@einval.com “Why do people find DNS so difficult? It’s just cache invalidation and
naming things.”
-– Jeff Waugh (https://twitter.com/jdub)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Adam,

On Thu, 09 Mar 2023 17:05:28 +0000, Adam wrote:

ftp-master have now published their bookworm keys, so we can get those incorporated. For the SRM side, you probably saw that we've been
considering moving to an EC key. From the very limited responses to the discussion I started on debian-release, I'm still not entirely sure if
that's feasible / a good idea.

Does the signing method update have to be one-method-for-another, or
is there is a way to phase-in a new method before phasing-out the old?

(my question is inspired by a recent talk by djb and Tanje Lange that discusses[1] an encryption migration at Google that involved use of
two algorithms in parallel. I realize that we're talking about
integrity signing rather than confidentiality, and it's also possible
that I'm creating a time-wasting distraction here, so.. take with a
grain of salt)

Thanks,
James

[1] - https://media.ccc.de/v/fire-shonks-2022-49246-post-quantum-cryptography-detours-delays-and-disasters#t=500

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Mar 09, 2023 at 09:55:50PM +0000, James Addison wrote:

Hi Adam,

On Thu, 09 Mar 2023 17:05:28 +0000, Adam wrote:

ftp-master have now published their bookworm keys, so we can get those incorporated. For the SRM side, you probably saw that we've been considering moving to an EC key. From the very limited responses to the discussion I started on debian-release, I'm still not entirely sure if that's feasible / a good idea.

Does the signing method update have to be one-method-for-another, or
is there is a way to phase-in a new method before phasing-out the old?

It's going to be a straight swap. There's no advantage to over-complicating
it, given we don't support skipping suites.

--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)