-shim (15+1533136590.3beb971-3) UNRELEASED; urgency=medium
+shim (15.4-6) UNRELEASED; urgency=high
+
+ * Add arm64 patch to tweak section layout and stop crashing
+ problems. Upstream issue #371. Closes: #990082, #990190
+
+ -- Steve McIntyre <93sam@debian.org> Tue, 22 Jun 2021 22:16:54 +0100
+
+shim (15.4-5) unstable; urgency=medium
+
+ * Add defensive code around calls to db_get. Don't fail if they
+ return errors.
+
+ -- Steve McIntyre <93sam@debian.org> Thu, 06 May 2021 00:37:49 +0100
+
+shim (15.4-4) unstable; urgency=medium
+
+ * Fix up those maintainer scripts - if we're not running on an EFI
+ system then exit cleanly.
+
+ -- Steve McIntyre <93sam@debian.org> Tue, 04 May 2021 17:53:21 +0100
+
+shim (15.4-3) unstable; urgency=medium
+
+ * Add maintainer scripts to the template packages to manage
+ installing and removing fbXXX.efi and mmXXX.efi when we
+ install/remove the shim-helpers-$arch-signed packages.
+ Closes: #966845
+
+ -- Steve McIntyre <93sam@debian.org> Mon, 03 May 2021 20:48:49 +0100
+
+shim (15.4-2) unstable; urgency=medium
+
+ * Add two further patches from upstream:
+ + fix import_one_mok_state() after split
+ + Don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older
+ Intel Mac machines)
+
+ -- Steve McIntyre <93sam@debian.org> Wed, 21 Apr 2021 00:23:02 +0100
+
+shim (15.4-1) unstable; urgency=medium
+
+ * New upstream release fixing more bugs: SBAT and arm64 support
+ * Print sha256 checksums of the EFI binaries when the build is done
+ * Add two patches from upstream:
+ + fix i386 binary relocations
+ + allocate MOK config table as BootServicesData
+
+ -- Steve McIntyre <93sam@debian.org> Wed, 31 Mar 2021 18:25:00 +0100
+
+shim (15.3-3) unstable; urgency=medium
+
+ * Update the timestamp for the 15.3-2 upload.
+ * Only include the upstream version in the Debian SBAT metadata, so
+ we don't break reproducibility on every minor packaging change.
+
+ -- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 13:21:05 +0000
+
+shim (15.3-2) unstable; urgency=medium
+
+ * Add missing build-dep on xxd for build-time unit tests
+
+ -- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 02:21:53 +0000
+
+shim (15.3-1) unstable; urgency=medium
+
+ [ Steve McIntyre ]
+ * Switch to much-newer release with many fixes
+ + Particularly pulling in SBAT changes for better revocation support
+ + Remove all our old patches, no longer needed:
+ - avoid_null_vsprint.patch
+ - check_null_sn_ln.patch
+ - fixup_git.patch
+ - uname.patch
+ - use_compare_mem_gcc9.patch
+ + Now includes a vendor copy of gnu-efi with quite a few extra
+ fixes needed.
+ + Update copyright file to cover these changes
+ * Switch to using gcc-10 rather than gcc-9. Closes: #978521
+ * Add dbx entries for all our existing grub binaries
+ + They're insecure, let's break the chainloading hole.
+ * Add Debian SBAT data
+ + Add a Debian SBAT template, and rules to use it
+ + Adds a build-dep on dos2unix
+
+ -- Steve McIntyre <93sam@debian.org> Tue, 23 Mar 2021 23:39:48 +0000
+
+shim (15+1533136590.3beb971-10) unstable; urgency=medium
+
+ [ Debian Janitor ]
+ * Trim trailing whitespace.
+ * Use secure copyright file specification URI.
+ * debian/copyright: use spaces rather than tabs to start continuation
+ lines.
+ * Bump debhelper from old 11 to 12.
+ * Set debhelper-compat version in Build-Depends.
+ * Set upstream metadata fields: Bug-Database, Bug-Submit.
+ * Update standards version to 4.4.1, no changes needed.
+
+ [ Steve McIntyre ]
+ * Trivial changes to generating the inbuilt dbx if we're using it.
+ * Upload to pick up rotated Debian signing keys
+
+ -- Steve McIntyre <93sam@debian.org> Fri, 24 Jul 2020 01:22:46 +0100
+
+shim (15+1533136590.3beb971-9) unstable; urgency=medium
+
+ [ Steve McIntyre ]
+ * In the -helpers-ARCH-signed packages, change the version
+ dependency on shim-unsigned to be >= and not =. This will allow
+ for installation to still work in the window while we wait for the
+ template package to do its second trip through the
+ archive. Closes: #955356
+
+ -- Steve McIntyre <93sam@debian.org> Mon, 30 Mar 2020 15:19:08 +0100
+
+shim (15+1533136590.3beb971-8) unstable; urgency=medium
+
+ [ Steve McIntyre ]
+ * Use --padding when calling pesign to generate hashes for the dbx
+ list, as recommended by Peter Jones. No actual changes needed in
+ our list of hashes at this point - they work out the same either
+ way.
+ * Switch to using gcc-9 for builds, tweaking a patch from upstream
+ to fix a FTBFS. Closes: #925816
+ * Update debhelper compat level to 11 for shim and the
+ signing-template
+
+ -- Steve McIntyre <93sam@debian.org> Tue, 24 Mar 2020 16:51:10 +0000
+
+shim (15+1533136590.3beb971-7) unstable; urgency=medium
+
+ [ Ansgar Burchardt ]
+ * debian/control: Update Vcs-* fields
+
+ [ Steve McIntyre ]
+ * Backport needed crash fixes:
+ + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
+ + Fix OBJ_create() to tolerate a NULL sn and ln
+ * Build using gcc-7 to get better control of reproducibility during the
+ lifetime of Buster.
+ * Build in a dbx list to blacklist binaries that we know to not be
+ secure. Build-depend on a new (bug-fixed) version of pesign to
+ generate that list at build time, using a list of known bad hashes.
+ * Initial list of known bad hashes is just my personal test binary.
+
+ -- Steve McIntyre <93sam@debian.org> Wed, 08 May 2019 02:05:01 +0100
+
+shim (15+1533136590.3beb971-6) unstable; urgency=medium
+
+ [ Steve McIntyre ]
+ * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
+ clashes with the old shim-signed package for fbx64.efi.signed and
+ mmx64.efi.signed. Closes: #924619
+
+ [ Helmut Grohne ]
+ * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)
+
+ -- Steve McIntyre <93sam@debian.org> Sat, 23 Mar 2019 18:19:13 +0000
+
+shim (15+1533136590.3beb971-5) unstable; urgency=medium
+
+ [ Ansgar Burchardt ]
+ * Correct maintainer address in signing template
+
+ [ Steve McIntyre ]
+ * Remove Rules-Requires-Root in the signing template. We manually install
+ things owned by root. There might be better ways to do this, but this
+ will do for now.
+
+ -- Steve McIntyre <93sam@debian.org> Tue, 12 Mar 2019 01:38:19 +0000
+
+shim (15+1533136590.3beb971-4) unstable; urgency=medium
+
+ [ Steve McIntyre ]
+ * No-change sourceful upload to get rebuilds (and hence build logs) from
+ the buildds. Hoping to get this version signed by Microsoft, so let's
+ make our setup as clean as possible.
+
+ -- Steve McIntyre <93sam@debian.org> Sat, 09 Mar 2019 22:24:23 +0000
+
+shim (15+1533136590.3beb971-3) unstable; urgency=medium
[ Philipp Hahn ]
* debian/rules: fixing permissions no longer required
[ Luca Boccassi ]
* Override lintian error about template rules file.
+ * Include /usr/share/dpkg/architecture.mk instead of shelling out.
+ * Add uname.patch to avoid embedding the kernel architecture in the
+ binary and to use a fixed string instead.
+
+ [ Steve McIntyre ]
+ * Change maintenance address to be the EFI team
+ * Add me and vorlon to the Uploaders list
+ * Rename the helper binary packages to shim-helpers-$arch.
+ * Update the signing-template JSON metadata to match new practice:
+ + Move all the data under a new top-level "packages" key
+ + Add an empty "trusted_certs" key - the helper binaries do not do any
+ further verification with an embedded key.
- -- Luca Boccassi <bluca@debian.org> Fri, 15 Feb 2019 19:50:10 +0000
+ -- Steve McIntyre <93sam@debian.org> Fri, 08 Mar 2019 21:59:43 +0000
shim (15+1533136590.3beb971-2) unstable; urgency=medium
shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
[ Helen Koike ]
- * debian/copyright: add OpenSSL license
+ * debian/copyright: add OpenSSL license
[ Mathieu Trudel-Lapierre ]
* New upstream release.
* Refreshed patches.
- Remaining patches:
+ second-stage-path
- + sbsigntool-not-pesign
+ + sbsigntool-not-pesign
* debian/patches/unused-variable: remove unused variable size.
* debian/patches/binutils-version-matching: revert d9a4c912 to correctly
match objcopy's version on Ubuntu.