rhboot / shim-review

Reviews of shim

SUSE Liberty Linux 9 #419

Open jsegitz opened 2 months ago

jsegitz commented 2 months ago

Confirm the following are included in your repo, checking each box:


What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/jsegitz/shim-review/tree/SUSE-liberty-15.8-20240514


What is the SHA256 hash of your final SHIM binary?


$ sha256sum shimx64.efi
013d595e73d76dc627f2cebf45206064db4249683361f781ddb7f6bb0d61805f shimx64.efi

$ pesign --hash --padding --in=shimx64.efi
hash: be992c206387509db24838c7c8af66eae563f3cdaaa088f5da03cf4891f8146f


What is the link to your previous shim review request (if any, otherwise N/A)?


This is the first request to review shim on SUSE Liberty Linux 9.


If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?


I don't think we (Marcus Meissner, Johannes Segitz) have had our contacts verified. But I've submitted multiple submissions that were accepted with these security contacts. Right answer probably still is N/A

steve-mcintyre commented 1 month ago

I don't think we (Marcus Meissner, Johannes Segitz) have had our contacts verified. But I've submitted multiple submissions that were accepted with these security contacts. Right answer probably still is N/A

OK, let's do the verification this time then. :-) Mails on the way.

msmeissn commented 1 month ago

"howitzer dactyls misnomers birthday sinuous purport sighting concern Melanesian Adhara" was the requested to be quoted phrase

jsegitz commented 1 month ago

For me it is: châteaux councils gendarmes toolboxes mulch dictatorship odorless recessions simulcasting lockout

steve-mcintyre commented 1 month ago

Contact verification successful - thanks!

jsegitz commented 1 week ago

Is there anything I can do to help the review process?

aronowski commented 6 days ago

shim:
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.sll,3,SUSE Liberty Linux,shim,15.8-2.el9,mail:security@suse.com

grub2:
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https//www.gnu.org/software/grub/
grub.rhel,2,Red Hat Enterprise Linux,grub2,2.06-70.el9_3.2,mail:secalert@redhat.com
grub.sll,2,SUSE,grub2,2.06-70.el9_3.2.2,mailto:security@suse.com

Why are the product-specific generation numbers set the way they are? Were there any earlier ones that had to be denylisted, that I'm not aware of?

The binary is reproducible and the characteristics seem OK, apart from the downstream generation number bothering me. Let's clarify it!


The kernel rpm has been split into two files because of GH file restrictions. Just concatenate them to receive the rpm

Please use a separate repository for the SRPM's contents next time.


Is there anything I can do to help the review process?

Reducing the size of the repository would definitely come in handy especially for those on mobile networks:

$ time git clone https://github.com/jsegitz/shim-review.git
Cloning into 'shim-review'...
[...]

real    5m46.794s
user    0m40.157s
sys 0m19.945s
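To make the reviewer's generation-number question concrete, the following is an added example (not code from the thread, shim, or SUSE) that evaluates the SBAT data quoted above the way shim's revocation check does: an entry is rejected when its generation is below the policy minimum for that component. The two policy strings are constructed for illustration and are not the real SbatLevel contents.

```python
# Added example: check SBAT entries against a generation-based revocation
# policy. SBAT strings are the ones quoted in the review comment; the
# policies below are constructed and do not reflect any real SbatLevel.

# .sbat section of the submitted shim, as quoted in the review.
SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.sll,3,SUSE Liberty Linux,shim,15.8-2.el9,mail:security@suse.com
"""

# .sbat section of the accompanying grub2, as quoted in the review.
GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https//www.gnu.org/software/grub/
grub.rhel,2,Red Hat Enterprise Linux,grub2,2.06-70.el9_3.2,mail:secalert@redhat.com
grub.sll,2,SUSE,grub2,2.06-70.el9_3.2.2,mailto:security@suse.com
"""

# Constructed policies in SbatLevel layout: a "sbat,<version>,<date>" header
# followed by "component,minimum_generation" lines.
POLICY_CURRENT = "sbat,1,2024010900\nshim,4\ngrub,3\n"
# Same policy, but with the downstream grub.sll component bumped to 3, the
# situation that would revoke the grub2 quoted above.
POLICY_STRICTER = "sbat,1,2024010900\nshim,4\ngrub,3\ngrub.sll,3\n"


def parse_sbat(text):
    """Return {component_name: generation} for a .sbat section or a policy."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) < 2 or not fields[0]:
            continue  # skip blank or truncated lines
        try:
            entries[fields[0]] = int(fields[1])
        except ValueError:
            raise ValueError(f"non-numeric generation in SBAT line: {line!r}")
    return entries


def check_sbat(binary_sbat, policy):
    """Return (component, have, need) for every entry whose generation is
    below the policy minimum; an empty list means the binary is allowed.
    Components absent from the policy are never revoked."""
    have = parse_sbat(binary_sbat)
    need = parse_sbat(policy)
    return [(name, have[name], need[name])
            for name in have if name in need and have[name] < need[name]]
```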

jsegitz commented 1 day ago

Why are the product-specific generation numbers set the way they are? Were there any earlier ones that had to be denylisted, that I'm not aware of?

Those SBAT numbers have been set to follow upstream RHEL9 as closely as possible. We have no custom changes previously made, and no pre-15.8 shims submitted for a review on Liberty 9.

Please use a separate repository for the SRPM's contents next time.

Will do so.

Reducing the size of the repository would definitely come in handy especially for those on mobile networks:

Yes, sorry. There's also some history in there that doesn't need to be there. I'll create a new repository from scratch next time and split out the SRPMs.