Wednesday, 25 February 2026

Re: Major version update of fwupd (and deps) in stable releases for UEFI CA expiry

On Wed, Feb 25, 2026 at 11:58:35AM +1300, Matthew Ruffell wrote:
> Hi Mate,
>
> Can you please explain exactly what versions you had in mind to backport to
> exactly what releases? Is this fwupd | 2.0.19-1ubuntu2 from resolute going
> to questing, noble, jammy? The same for libjcat and libxmlb?

This sounds correct.

>
> What about focal, bionic, xenial? trusty? Would this go to the primary archive,
> or to the esm archive?

I can say we have no plans to provide updates to ESM releases in the
primary archive.

It may not be feasible to provide any updates for ESM releases whatsoever,
rendering any future secure boot support conditional on ESM users installing
the snap and manually using that, as is the case currently for device
firmware.

>
> Would this change to the 2023 CA break booting for older images? Do all images
> need to be respun to new point releases?

The 2023 CA is being added to db. To receive further updates to the boot stack,
the 2023 CA needs to be installed.

The next shim update will no longer be compatible with the 2011 CA, and
future grub, fwupd, kernel updates will be switching to a new Canonical
CA as well which will only be trusted by a future shim.

This does not remove or revoke the 2011 CA. Whether that will happen at
some point is a question for the far future.

> Looking at the rdepends of fwupd, libjcat and libxmlb, gnome-software is a clear
> user of these packages. Is gnome-software on these stable releases compatible
> with the new packages? Ubuntu itself does not rely on gnome-software, but I
> assume there are official and non official flavours that do.

gnome-software and plasma-discover need rebuilds against libfwupd3 on
jammy and focal. It needs to be investigated whether that requires
source changes or not.

>
> Do you have a brief list of commits that you investigated when you decided it
> was not practical to backport to previous fwupd releases? How many
> patches is it?

It depends on a complete refactoring of the plugin system and a new
metadata format, and took months to develop, test and make sure that
it works, so it is not feasible to identify and validate any
combination of commits.

>
> Have you spoken to Richard Hughes and Mario Limonciello upstream about how we
> should go about solving this problem? From what I can see, the 1_9_X branch is
> still active. How about getting upstream to backport patches to that branch and
> make a release? Is it even possible?

There is no advantage to upgrading from 1.7 to 1.9 vs 1.7 to 2.0.

>
> In your [Testcase], this will need more than a basic functionality smoketest.
> Have you spoken to the Hardware Certification Lab about getting some test
> hardware you can use various releases like focal, jammy, etc to perform real
> firmware updates on? Just testing a basic CA upgrade in a VM doesn't quite feel
> enough testing for real world usage.

It's a good point, but it's worth pointing out that focal and jammy use
a fwupd so old that it no longer receives updates from LVFS and is
rendered unusable; users are already actively missing out on published
security updates for certified devices.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
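The reply above says the 2023 CA is being added to `db` and that further boot-stack updates require it to be present. A practitioner wanting to verify that on a running system can read the `db` EFI variable directly. The parser below is an added example, not code from the mail or from the fwupd project: it walks the `EFI_SIGNATURE_LIST` structures in the efivars file (a 4-byte attribute word followed by the lists) and reports the SHA-256 fingerprint of every X.509 entry, so the result can be compared with the fingerprint of the CA you expect. The GUIDs are the UEFI specification constants and the Microsoft signature-owner GUID; the two "certificates" in the sample blob are constructed stand-ins, not real CA certificates, and the fingerprint you compare against on a real machine is something you supply.

```python
"""Parse a UEFI Secure Boot `db` variable and report which certificates it
holds.  Added example, not from the original mail.  On Linux the variable is
/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f: four
bytes of variable attributes followed by concatenated EFI_SIGNATURE_LISTs.
"""
import hashlib
import struct
import sys
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# SignatureOwner GUID Microsoft uses for the entries it ships in db.
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}


def parse_signature_lists(data):
    """Yield (kind, owner, payload) for every EFI_SIGNATURE_DATA in `data`.

    EFI_SIGNATURE_LIST: SignatureType[16] | SignatureListSize u32 |
        SignatureHeaderSize u32 | SignatureSize u32 | header | entries...
    EFI_SIGNATURE_DATA: SignatureOwner[16] | SignatureData[SignatureSize - 16]
    GUIDs are stored in EFI mixed-endian form, hence bytes_le.
    """
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16 or 28 + hdr_size > list_size:
            raise ValueError("bad SignatureSize/SignatureHeaderSize")
        body = data[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            yield TYPE_NAMES.get(sig_type, str(sig_type)), owner, body[i + 16:i + sig_size]
        off += list_size


def read_db_variable(blob):
    """Strip the 4-byte efivars attribute word and parse the signature lists."""
    if len(blob) < 4:
        raise ValueError("efivars blob too short")
    return list(parse_signature_lists(blob[4:]))


def fingerprint(der):
    """SHA-256 over the DER certificate, as `openssl x509 -fingerprint -sha256` prints it."""
    return hashlib.sha256(der).hexdigest()


def x509_fingerprints(entries):
    return {fingerprint(payload) for kind, _, payload in entries if kind == "x509"}


def db_contains(entries, expected_fingerprint):
    """True if an X.509 entry with this SHA-256 fingerprint is enrolled in db."""
    return expected_fingerprint.lower().replace(":", "") in x509_fingerprints(entries)


def build_signature_list(sig_type, owner, payload, header=b""):
    """Build one EFI_SIGNATURE_LIST holding a single entry (used for the sample)."""
    sig_size = 16 + len(payload)
    list_size = 28 + len(header) + sig_size
    return (sig_type.bytes_le + struct.pack("<III", list_size, len(header), sig_size)
            + header + owner.bytes_le + payload)


# Constructed sample: two opaque stand-ins for certificates (NOT the real 2011
# and 2023 Microsoft CAs) behind the attribute word NV | BS | RT | TIME_AUTH.
FAKE_CA_2011 = b"\x30\x82\x00\x0cfake-2011-ca"
FAKE_CA_2023 = b"\x30\x82\x00\x0cfake-2023-ca"
EFIVARS_ATTRS = struct.pack("<I", 0x1 | 0x2 | 0x4 | 0x20)
SAMPLE_DB = (EFIVARS_ATTRS
             + build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID, FAKE_CA_2011)
             + build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID, FAKE_CA_2023))

if __name__ == "__main__":
    # Usage: db_check.py [/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f] [fingerprint]
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DB
    entries = read_db_variable(blob)
    for kind, owner, payload in entries:
        print(f"{kind:7} owner={owner} sha256={fingerprint(payload)}")
    if len(sys.argv) > 2:
        print("enrolled" if db_contains(entries, sys.argv[2]) else "NOT enrolled")
```

Run it against the real efivars file (as root) and pass the SHA-256 fingerprint of the CA certificate you obtained out of band; the hash-type entries (`sha256`) are listed too, since a db that trusts an image by hash rather than by CA behaves differently under the CA transition described above.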