#1139252 bookworm-pu: package fwupd/2.0.20-1+deb12u1

#1139252#5
Date:
2026-06-07 16:55:33 UTC
From:
To:
[ Apologies, I thought I'd already sent this a couple of days
  back. :-( ]

Hey folks,

Related to the wider issue report in #1135716:

We should update fwupd in bookworm to aid with the UEFI Secure Boot CA
updates process that I've laid out in

https://wiki.debian.org/SecureBoot/CAChanges

and in #1138871

As well as in trixie (#1139251), we'd therefore like to update to
2.0.20 in bookworm. We know that version works for the CA updates, but
it does involve a major step forward in what we have in bookworm here.

We'd also need to update a couple of the build-deps to match what's
in trixie:

* libjcat
* libxmlb

but those are much more straightforward.

Mario has already prepped the changes in git, but not yet uploaded
anything. We'd like to get approval before doing that please.

The debdiff is large, too large to sensibly include in mail. :-(

#1139252#12
Date:
2026-06-08 13:27:32 UTC
From:
To:

#1139252#17
Date:
2026-06-08 13:27:32 UTC
From:
To:

#1139252#22
Date:
2026-06-08 19:46:37 UTC
From:
To:
Control: tag -1 moreinfo

These will need to happen first for fwupd to build against, with their own
request bugs and debdiffs please.

Is there a source debdiff for fwupd too?

Thanks,

#1139252#29
Date:
2026-06-10 01:40:34 UTC
From:
To:

#1139252#39
Date:
2026-06-14 13:46:06 UTC
From:
To:
Mario has followed up with that (as jmw and I have seen), but it's way
too large for the BTS and/or list to have seen. Basically, I
acknowledge that this *is* a very large step forward but I think it's
justified here. We really need to get the UEFI CA updates onto most
people's machines.

#1139252#44
Date:
2026-06-27 12:27:06 UTC
From:
To:
Control: tag -1 moreinfo

The BTS does get big diffs, it's only the list which struggles.

I've discussed with Adam because yes, this is normally unacceptable because
(amongst others):

 - there's a SONAME change, which means a library transition, which is not
   really something we're set up for in stable
 - the proposal is essentially unreviewable by human means
 - it is critical infrastructure and has a high potential impact on
   millions of machines (including bricking)
 - it needs other library updates first, with their own reverse
   dependencies and a whole chain of implications there

However if we don't update fwupd, we and/or users are left with a pickle if
there is a security update for shim (including an SBAT revocation for grub)
in the next two years (assuming it becomes 2023-signed only):

 - if we release the shim update, users must partially upgrade to trixie in
   a hurry, then apply the dbx/KEK updates via fwupd, then complete the
   upgrade including shim. A reboot at any stage in that process
   will likely fail. Users who have not caught wind of what is going on will
   simply be faced with failed package installation. Users should not have to
   do an unplanned major upgrade to install a simple security update.
 - if we steer fwupd towards backports, it will stop existing soon and
   users who do not take steps in the next few weeks are later left with
   the same problem
 - if we keep fwupd back and hope there isn't a grub/shim update, then it
   becomes *us* (well, LTS) who are stuck having to do major unplanned
   things in a rush.

The likelihood of there being a short-notice shim update in the next two
years we assess to be somewhere between possible and probable, but short of
certain. Although Debian will no longer support bookworm by then, it is
undoubtedly in our users' interests that LTS can do a good job during that
time (SC4).

We'd rather have that pain now in a more controlled way. Therefore we will
proceed with this update proposal despite the increased risks.

Looking at the proposed diff itself:

 - the version again needs to be ~deb12u1 not +deb12u1
 - I do not understand the SONAME change when there are only added symbols
   as far as I can see? Avoiding that makes a big difference to the
   rebuilds required for libfwupd2->3.

Thanks,

#1139252#49
Date:
2026-06-27 12:49:12 UTC
From:
To:
Yes; like the other packages that need to bump.
The individual ABI changes that went with the SONAME bump are documented
here.

https://github.com/fwupd/fwupd/blob/2.0.20/libfwupd/README.md

I don't believe they are added symbols only.  I do recall for example
that we dropped fwupd_build_machine_id() in 2.0.0 (and oldstable is at
1.8.12).

https://github.com/fwupd/fwupd/commit/740d0817d

There are multiple cases like this.

So unfortunately I think this does mean a need for a rebuild and some
testing of of gnome-software, plasma-discover, and gnome-firmware to do
the upgrade.

#1139252#59
Date:
2026-06-27 17:46:44 UTC
From:
To:
Thanks Adrian for finding those.

I've got gnome-firmware building successfully, I'll attach the debdiff.

will follow up with the others later when I get them working.

#1139252#64
Date:
2026-06-27 20:45:01 UTC
From:
To:
Oh, I had a completely dim moment and forgot the old symbols file is
removed completely - just skimmed the new one and got confused. Sorry.

Please coordinate with affected maintainers to get things ready, and
ideally affected packages would get a versioned build-dep now which will
make things easier later. I'll get the two other libraries sorted out.

Keep me posted.

Thanks,

#1139252#69
Date:
2026-06-28 03:09:42 UTC
From:
To:
OK - I've got gnome-software and plasma-discover building too.  Attached
are the debdiffs.

Do you suggest filing a bug with all 3 packages and requesting
maintainers to ack doing an NMU for their packages referencing this bug?

#1139252#74
Date:
2026-06-28 09:22:16 UTC
From:
To:
I think a p-u bug for each package, including patch, with 'affects' and
explicitly copying the maintainers would make the fewest round-trips.

#1139252#79
Date:
2026-06-29 20:28:02 UTC
From:
To:
One doubt in my mind - should we wait until we have an ack for the 3
rdepends bookworm-pu bugs so all 4 can upload at same time?

#1139252#84
Date:
2026-06-29 20:26:19 UTC
From:
To:
Hi,

Please go ahead with a fixed version as discussed.

Thanks,

#1139252#91
Date:
2026-06-29 21:12:25 UTC
From:
To:
No, they will be queued together and I'll handle ordering. More important
is to get the final packages uploaded and visible.