
Bits from the Debian Release Team: release update

The Debian release team has a few words about the upcoming Debian 9 "stretch" release. "At a recent team meeting, we decided that support for Secure Boot in the forthcoming Debian 9 "stretch" would no longer be a blocker to release. The likely, although not certain outcome is that stretch will not have Secure Boot support." If stretch does not release with Secure Boot support, it is possible that it will be introduced later. Other than that, the number of Release Critical bugs continues to drop and the team is considering the arrangements for the stretch release.


From:  Jonathan Wiltshire <jmw-AT-debian.org>
To:  debian-devel-announce-AT-lists.debian.org
Subject:  Bits from the Release Team: release update
Date:  Thu, 27 Apr 2017 21:25:40 +0100
Message-ID:  <20170427202540.gu7wuxd7rny5nfta@powdarrmonkey.net>

Hi,

We're approaching the final sprint towards Debian 9 "stretch".

If you're still planning a BSP for stretch, now is the time to get it
organised!

Secure Boot
===========

At a recent team meeting, we decided that support for Secure Boot
in the forthcoming Debian 9 "stretch" would no longer be a blocker
to release. The likely, although not certain outcome is that stretch
will not have Secure Boot support.

We appreciate that this will be a disappointment to many users and
developers. However, we need to balance that with the limited time
available for the volunteer teams working on this feature, and the
risk of bugs being introduced through rushed development.

It's possible that Secure Boot support could be introduced at some
point in stretch's lifetime.

RC bug status
=============

At the time of writing, 143 RC bugs affected stretch. Just one of
them is marked as a blocker and unfixed in sid:
#861175 in cairocffi.

Preparing for release
=====================

We are beginning to consider the arrangements for releasing stretch.

A release date is still undecided. Meanwhile, please continue to
help with:

 - RC bugs
 - release note contributions
 - upgrade testing

There are a number of internal items still to be dealt with, so a firm
release date will be announced later.

For the Release Team:
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Bits from the Debian Release Team: release update

Posted Apr 28, 2017 3:46 UTC (Fri) by ayers (guest, #53541) [Link] (9 responses)

Indeed, this is very disappointing news. Does anyone have a comprehensive link to the status of Secure Boot in 'stretch'? I'd really be interested in an analysis of what other major features may not be available in 'stretch' due to RC bugs.

I'm not questioning the decision itself (to likely drop secure boot) as I lack any insight of what the current issues are. I guess I'm mostly disappointed by the fact that the need for support for such major components is being communicated to users when it is likely too late to organize any support to do anything about it.

I also fear that the lack of Secure Boot may really impair the viability of installing Debian on modern hardware, especially in corporate environments.

Nonetheless, I would like to say that I am very grateful for the work being done by the Debian developers and the release team!

Bits from the Debian Release Team: release update

Posted Apr 28, 2017 4:31 UTC (Fri) by pabs (subscriber, #43278) [Link] (2 responses)

See the details from the release team meeting where this was decided:

http://meetbot.debian.net/debian-release/2017/debian-rele...

Bits from the Debian Release Team: release update

Posted Apr 28, 2017 8:11 UTC (Fri) by amacater (subscriber, #790) [Link] (1 responses)

The critical bit is support in dak - the Debian archive kit - the bit that builds the whole Project.

This is not code that is changed often - usually stable over many years / several releases and so it's not something to mess with lightly is how I read this. We do want a working release mechanism.

Now that the shim is signed by Microsoft, there's nothing to stop the project from sorting out signed kernels and images and so on in a point release part way through Stretch lifetime, I'd guess.

[Not release team, not anything particularly, speaking for myself and not on behalf of Debian Project particularly ... your mileage may vary etc. Usual disclaimers apply.]

Bits from the Debian Release Team: release update

Posted Apr 29, 2017 3:43 UTC (Sat) by pabs (subscriber, #43278) [Link]

dak changes reasonably regularly:

https://anonscm.debian.org/git/mirror/dak.git/log/

Bits from the Debian Release Team: release update

Posted Apr 29, 2017 1:49 UTC (Sat) by jebba (guest, #4439) [Link] (5 responses)

I've installed Debian Stretch on a number of new workstations and servers (latest Supermicro motherboards) in a corporate environment and it has been just fine, no need for "secure" boot.

Bits from the Debian Release Team: release update

Posted Apr 30, 2017 2:23 UTC (Sun) by zlynx (guest, #2285) [Link] (4 responses)

Secure Boot *is* a feature. Some people want it.

I know that we don't need it. I haven't seen anything but some tablet/convertible PCs that actually require it.

Bits from the Debian Release Team: release update

Posted May 1, 2017 14:43 UTC (Mon) by rahvin (guest, #16953) [Link] (3 responses)

Absolutely, end to end signing is possible. This offers some very interesting possibilities for users or businesses that are looking for securely signed code systems. Secure boot is a feature that people will be demanding at some point, and I wouldn't be surprised if that point is already here in security sensitive business. Make no mistake as the tools proliferate and other things like TPM 2.0 get out there we're likely to see these tools expand and gain very useful end user capabilities.

Bits from the Debian Release Team: release update

Posted May 2, 2017 11:44 UTC (Tue) by ballombe (subscriber, #9523) [Link] (2 responses)

You can use secure boot with Debian already.

This is just about Debian installer support for setting up secure boot with the built-in Microsoft key.
This requires a secure infrastructure to sign the Debian bootloader etc., which is not available yet.

If you enroll your own key, none of this concerns you.

Bits from the Debian Release Team: release update

Posted May 5, 2017 20:06 UTC (Fri) by wx (guest, #103979) [Link] (1 responses)

Are you saying the same infrastructure that's already used to sign Debian packages is now considered insecure? That doesn't sound like good news to me... Care to explain?

Bits from the Debian Release Team: release update

Posted May 6, 2017 2:38 UTC (Sat) by pabs (subscriber, #43278) [Link]

The Debian infrastructure currently only signs things with OpenPGP. It doesn't yet support the type of signing that Secure Boot requires.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds