shim (15.4-5~deb10u1-danos3) unstable; urgency=medium

  * Modify debhelper to support Bullseye
  * Remove gcc-8 dependency to support Bullseye

 -- Mike Manning <mmanning@vyatta.att-mail.com>  Tue, 03 Aug 2021 16:34:59 +0100

shim (15.4-5~deb10u1-danos2) unstable; urgency=medium

  * Set Debian Salsa to be our upstream in gbp.conf

 -- Mike Manning <mmanning@vyatta.att-mail.com>  Mon, 02 Aug 2021 22:06:41 +0100

shim (15.4-5~deb10u1-danos1) unstable; urgency=medium

  [ Mike Manning ]
  * Add upstream to tag in gbp.conf
  * Address occasional build failure in gnu-efi

 -- Mike Manning <mmanning@vyatta.att-mail.com>  Mon, 02 Aug 2021 19:34:34 +0100

shim (15.4-5~deb10u1) buster; urgency=medium

  * Add defensive code around calls to db_get. Don't fail if they
    return errors.

 -- Steve McIntyre <93sam@debian.org>  Sat, 08 May 2021 00:14:00 +0100

shim (15.4-4~deb10u1) unstable; urgency=medium

  * Fix up those maintainer scripts - if we're not running on an EFI
    system then exit cleanly.

 -- Steve McIntyre <93sam@debian.org>  Mon, 03 May 2021 21:31:33 +0100

shim (15.4-3~deb10u1) buster; urgency=medium

  * Add maintainer scripts to the template packages to manage
    installing and removing fbXXX.efi and mmXXX.efi when we
    install/remove the shim-helpers-$arch-signed packages.
    Closes: #966845

 -- Steve McIntyre <93sam@debian.org>  Mon, 03 May 2021 21:31:33 +0100

shim (15.4-2~deb10u1) buster; urgency=medium

  * Add two further patches from upstream:
    + fix import_one_mok_state() after split
    + Don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older
      Intel Mac machines)

 -- Steve McIntyre <93sam@debian.org>  Wed, 21 Apr 2021 01:06:27 +0100

shim (15.4-1~deb10u1) buster; urgency=medium

  * New upstream release fixing more bugs: SBAT and arm64 support
  * Print sha256 checksums of the EFI binaries when the build is done
  * Add two patches from upstream:
    + fix i386 binary relocations
    + allocate MOK config table as BootServicesData

 -- Steve McIntyre <93sam@debian.org>  Wed, 31 Mar 2021 19:56:02 +0100

shim (15.3-1~deb10u3) buster; urgency=medium

  * Only include the upstream version in the Debian SBAT metadata, so
    we don't break reproducibility on every minor packaging change.

 -- Steve McIntyre <93sam@debian.org>  Wed, 24 Mar 2021 13:31:51 +0000

shim (15.3-1~deb10u2) buster; urgency=medium

  * Add missing build-dep on xxd for build-time unit tests

 -- Steve McIntyre <93sam@debian.org>  Wed, 24 Mar 2021 02:26:22 +0000

shim (15.3-1~deb10u1) buster; urgency=medium

  * Rebuild the new upstream version for buster
  * Switch to gcc-8 for building
  * Switch to much-newer release with many fixes
    + Particularly pulling in SBAT changes for better revocation support
    + Remove all our old patches, no longer needed:
      - avoid_null_vsprint.patch
      - check_null_sn_ln.patch
      - fixup_git.patch
      - uname.patch
      - use_compare_mem_gcc9.patch
    + Now includes a vendor copy of gnu-efi with quite a few extra
      fixes needed.
    + Update copyright file to cover these changes
  * Add dbx entries for all our existing grub binaries
    + They're insecure, let's break the chainloading hole.
  * Add Debian SBAT data
    + Add a Debian SBAT template, and rules to use it
    + Adds a build-dep on dos2unix

 -- Steve McIntyre <93sam@debian.org>  Wed, 24 Mar 2021 01:09:20 +0000

shim (15+1533136590.3beb971-10) unstable; urgency=medium

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Use secure copyright file specification URI.
  * debian/copyright: use spaces rather than tabs to start continuation
    lines.
  * Bump debhelper from old 11 to 12.
  * Set debhelper-compat version in Build-Depends.
  * Set upstream metadata fields: Bug-Database, Bug-Submit.
  * Update standards version to 4.4.1, no changes needed.

  [ Steve McIntyre ]
  * Trivial changes to generating the inbuilt dbx if we're using it.
  * Upload to pick up rotated Debian signing keys

 -- Steve McIntyre <93sam@debian.org>  Fri, 24 Jul 2020 01:22:46 +0100

shim (15+1533136590.3beb971-9) unstable; urgency=medium

  [ Steve McIntyre ]

  * In the -helpers-ARCH-signed packages, change the version
    dependency on shim-unsigned to be >= and not =. This will allow
    for installation to still work in the window while we wait for the
    template package to do its second trip through the
    archive. Closes: #955356

 -- Steve McIntyre <93sam@debian.org>  Fri, 24 Jul 2020 00:57:16 +0100

shim (15+1533136590.3beb971-8) unstable; urgency=medium

  [ Steve McIntyre ]
  * Use --padding when calling pesign to generate hashes for the dbx
    list, as recommended by Peter Jones. No actual changes needed in
    our list of hashes at this point - they work out the same either
    way.
  * Switch to using gcc-9 for builds, tweaking a patch from upstream
    to fix a FTBFS. Closes: #925816
  * Update debhelper compat level to 11 for shim and the
    signing-template

 -- Steve McIntyre <93sam@debian.org>  Tue, 24 Mar 2020 16:51:10 +0000

shim (15+1533136590.3beb971-7) unstable; urgency=medium

  [ Ansgar Burchardt ]
  * debian/control: Update Vcs-* fields

  [ Steve McIntyre ]
  * Backport needed crash fixes:
    + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
    + Fix OBJ_create() to tolerate a NULL sn and ln
  * Build using gcc-7 to get better control of reproducibility during the
    lifetime of Buster.
  * Build in a dbx list to blacklist binaries that we know to not be
    secure. Build-depend on a new (bug-fixed) version of pesign to
    generate that list at build time, using a list of known bad hashes.
  * Initial list of known bad hashes is just my personal test binary.

 -- Steve McIntyre <93sam@debian.org>  Wed, 08 May 2019 02:05:01 +0100

shim (15+1533136590.3beb971-6) unstable; urgency=medium

  [ Steve McIntyre ]
  * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
    clashes with the old shim-signed package for fbx64.efi.signed and
    mmx64.efi.signed. Closes: #924619

  [ Helmut Grohne ]
  * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)

 -- Steve McIntyre <93sam@debian.org>  Sat, 23 Mar 2019 18:19:13 +0000

shim (15+1533136590.3beb971-5) unstable; urgency=medium

  [ Ansgar Burchardt ]
  * Correct maintainer address in signing template

  [ Steve McIntyre ]
  * Remove Rules-Requires-Root in the signing template. We manually install
    things owned by root. There might be better ways to do this, but this
    will do for now.

 -- Steve McIntyre <93sam@debian.org>  Tue, 12 Mar 2019 01:38:19 +0000

shim (15+1533136590.3beb971-4) unstable; urgency=medium

  [ Steve McIntyre ]
  * No-change sourceful upload to get rebuilds (and hence build logs) from
    the buildds. Hoping to get this version signed by Microsoft, so let's
    make our setup as clean as possible.

 -- Steve McIntyre <93sam@debian.org>  Sat, 09 Mar 2019 22:24:23 +0000

shim (15+1533136590.3beb971-3) unstable; urgency=medium

  [ Philipp Hahn ]
  * debian/rules: fixing permissions no longer required
  * debian/rules: Disable ephemeral key on Debian.
  * Rename binary package to 'shim-unsigned'
  * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)

  [ Luca Boccassi ]
  * Override lintian error about template rules file.
  * Include /usr/share/dpkg/architecture.mk instead of shelling out.
  * Add uname.patch to avoid embedding the kernel architecture in the
    binary and to use a fixed string instead.

  [ Steve McIntyre ]
  * Change maintenance address to be the EFI team
  * Add me and vorlon to the Uploaders list
  * Rename the helper binary packages to shim-helpers-$arch.
  * Update the signing-template JSON metadata to match new practice:
    + Move all the data under a new top-level "packages" key
    + Add an empty "trusted_certs" key - the helper binaries do not do any
      further verification with an embedded key.

 -- Steve McIntyre <93sam@debian.org>  Fri, 08 Mar 2019 21:59:43 +0000

shim (15+1533136590.3beb971-2) unstable; urgency=medium

  * Update debian/watch.
  * Update VCS to point to salsa.
  * Fix debian/rules syntax for arm64 build.
  * Enable build for i386.
  * Ensure DEB_HOST_ARCH is set even if not present in the environment.
  * Update Standards-Version.
  * Update debian/copyright (drop reference to file no longer in source)

 -- Steve Langasek <vorlon@debian.org>  Mon, 11 Feb 2019 05:18:18 +0000

shim (15+1533136590.3beb971-1) unstable; urgency=medium

  * New upstream release.
    - debian/patches/second-stage-path: dropped; the default loader path now
      includes an arch suffix.
    - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
  * Drop remaining patches that were not being applied.
  * Sync packaging from Ubuntu:
    - debian/copyright: Update upstream source location.
    - debian/control: add a Build-Depends on libelf-dev.
    - Enable arm64 build.
    - debian/patches/fixup_git.patch: don't run git in clean; we're not
      really in a git tree.
    - debian/rules, debian/shim.install: use the upstream install target as
      intended, and move files to the target directory using dh_install.
    - define RELEASE and COMMIT_ID for the snapshot.
    - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
    - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
      options: set MAKELEVEL.
    - Define an EFI_ARCH variable, and use that for paths to shim. This
      makes it possible to build a shim for other architectures than amd64.
    - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
      in the "right" final directories, and makes boot.csv for us.
    - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
      at compile-time for MokManager and fallback.
    - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
      and MokManager.

 -- Steve Langasek <vorlon@debian.org>  Sat, 09 Feb 2019 07:23:19 +0000

shim (15-1vyatta4) unstable; urgency=medium

  * Add noobs build profile (Closes: VRVDR-53810)

 -- James Wheatley <jammy@att.com>  Mon, 17 May 2021 13:54:41 +0100

shim (15-1vyatta3) unstable; urgency=medium

  * DANOS Import master

 -- Vyatta Package Maintainers <DL-vyatta-help@att.com>  Thu, 07 Nov 2019 13:24:05 +0000
