Commit message

Also adjust for the changes in the format of the package source
definition.

Enhance the text here and include a copy of Peter's key too

Signed-off-by: Steve McIntyre <steve@einval.com>

We're seeing quite a few vendors using non-CA "CA" keys, and this is
likely to cause problems in future.

Signed-off-by: Steve McIntyre <steve@einval.com>

Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>

The reviewers should be able to easily verify that an organization is a
legal entity, to prevent abuse. Ask for the information which can prove
the genuineness with certainty.
Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>

As discussed during the May 27, 2024 meeting, the applicants shall be
informed about this venue being a community peer-review work and how to
help us speed up the process, rather than frequently chasing us for
reviews.
Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>

Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>

If security contacts have already been verified in an earlier
application and haven't changed since the current one, let's point to
that earlier application as part of the current one.
Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>

Allows revoking a family of UKIs from a vendor, independently
of the systemd-stub generation numbers.

Currently, the wording isn't clear (to me, at least) if it's asking
for the shim SBAT or not; this clarifies that.

The .sbat identifier of systemd-boot was split from the identifier of
systemd-stub (which is used by UKI/kernel.efi binaries) after the previous
release, so clarify this with concrete examples.
Signed-off-by: Luca Boccassi <bluca@debian.org>

Since the files in the docs/ directory were migrated from the shim-review
Wiki, some formatting errors remained. These have been fixed for
the Markdown version, and the text also got some updates to reflect the
current state of this initiative.
Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>

Signed-off-by: Luca Boccassi <bluca@debian.org>

This also adds more details about the CVEs and unifies the spelling of GRUB2.

Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>

In CommonMark, `---` and `===` can be used to mark either [setext
headings] or [thematic breaks] (aka horizontal lines). Headings take
precedence, so if you aren't careful with line breaks you can make a
heading where you meant to have a horizontal line. See [example] for a
case of this happening.
Fortunately, `***` is unambiguous: it will always create a horizontal
line instead of a heading. Switch all the separators to that format so
that we never have to worry about accidental headings again.
[setext headings]: https://spec.commonmark.org/0.30/#setext-headings
[thematic breaks]: https://spec.commonmark.org/0.30/#thematic-breaks
[example]: https://github.com/rhboot/shim-review/blob/b8ebe98d7198174e95d9e62e4522c145ee9caa5b/README.md#this-should-include-logs-for-creating-the-buildroots-applying-patches-doing-the-build-creating-the-archives-etc
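As an added example (not code from the shim-review repository or from this commit), the following Python checker demonstrates the situation the commit above describes: it flags `---`/`===` lines that CommonMark parses as setext heading underlines because they directly follow paragraph text, and it rewrites standalone dash separators to `***`, the form the commit switched to. The sample README fragment is constructed, and the block-start rules the checker applies (fenced code, ATX headings, blockquotes, list items and blank lines end a paragraph) are an assumed subset of CommonMark that is sufficient for this check, not a full parser.

```python
"""Flag separator lines that CommonMark turns into setext headings, and
rewrite dash separators to the unambiguous `***` form.

Added example, not code from the shim-review repository. The block rules
below are a deliberately small subset of CommonMark (an assumption):
fenced code, ATX headings, blockquotes, list items and blank lines end a
paragraph; a line of only `-` or `=` directly after paragraph text is a
setext heading underline; `***` is always a thematic break.
"""
import re

SETEXT_UNDERLINE = re.compile(r"^ {0,3}(-+|=+)[ \t]*$")
THEMATIC_BREAK = re.compile(
    r"^ {0,3}(?:(?:\*[ \t]*){3,}|(?:-[ \t]*){3,}|(?:_[ \t]*){3,})$")
FENCE = re.compile(r"^ {0,3}(?:`{3,}|~{3,})")
BLOCK_START = re.compile(
    r"^ {0,3}(?:#{1,6}(?:[ \t]|$)|>|[-+*][ \t]|\d{1,9}[.)][ \t])")


def find_accidental_headings(markdown):
    """Return [(line_number, heading_text)] for every `---`/`===` line that
    CommonMark would parse as a setext heading underline."""
    findings = []
    in_fence = False
    paragraph = []  # text lines of the currently open paragraph
    for lineno, line in enumerate(markdown.splitlines(), start=1):
        if FENCE.match(line):
            in_fence = not in_fence
            paragraph = []
            continue
        if in_fence:
            continue  # separators inside code blocks are literal text
        if not line.strip():
            paragraph = []  # a blank line closes the paragraph
            continue
        if paragraph and SETEXT_UNDERLINE.match(line):
            # Paragraph text followed directly by a -/= line: heading, not rule.
            findings.append((lineno, " ".join(s.strip() for s in paragraph)))
            paragraph = []
            continue
        if THEMATIC_BREAK.match(line) or BLOCK_START.match(line):
            paragraph = []
            continue
        if not paragraph and line.startswith("    "):
            continue  # indented code block, not paragraph text
        paragraph.append(line)
    return findings


def dashes_to_stars(markdown):
    """Rewrite every standalone `---` separator outside fenced code to `***`,
    the approach the commit above took for the README."""
    out = []
    in_fence = False
    for line in markdown.splitlines():
        if FENCE.match(line):
            in_fence = not in_fence
        elif not in_fence and re.fullmatch(r" {0,3}-{3,}[ \t]*", line):
            line = "***"
        out.append(line)
    return "\n".join(out)


# Constructed README fragment: line 4 is an accidental heading, line 8 is a
# real horizontal rule, line 12 sits inside a fenced block and must be kept.
SAMPLE = """\
# Build logs

This should include logs for creating the buildroots.
---

What is the SHA256 hash of your final shim binary?

---

~~~
log text
---
~~~

Done.
***
"""

if __name__ == "__main__":
    for lineno, text in find_accidental_headings(SAMPLE):
        print(f"line {lineno}: '---' turns the paragraph into a heading: {text!r}")
    print(dashes_to_stars(SAMPLE))
```

Running the block reports line 4 of the constructed fragment as an accidental heading; after `dashes_to_stars` the same checker reports nothing, while the `---` inside the fenced block is left untouched.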

On a few questions the `---` separators were missing or placed differently.

Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>

[julian: fix typo]
Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

If people have arbitrary extra kernel patches, they could well break
SB. Let's check?

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

Signed-off-by: Peter Jones <pjones@redhat.com>

Also update list of GRUB2 CVEs and add one more lockdown bypass fix.

* Change "Make sure you have provided the following information" to
  "Confirm the following are included in your repo, checking each box".
  "Make sure" makes it seem like the checklist is provided for your
  convenience, if you want to use it. [I don't think that's the case](https://github.com/rhboot/shim-review/issues/203#issuecomment-917067024).
* Move the "link to your branch" to a full question
  - Remove the "in the form user/repo@tag". It seems okay
    [when people don't use that format](https://github.com/rhboot/shim-review/issues/233#issue-1165661688).
    That also doesn't work for non-github repos.
  - Add an example github url, to help communicate precisely what's
    wanted.
* Add a question about the SHA256 to make sure that submitters changing
  the tag can't change the binary without setting off flags.

Update the process described in README.md to be slightly clearer.
* The checklist in the ISSUE_TEMPLATE asks for your tag, not your branch,
  so we should match that.
* "when you have accepted tag" might be ambiguous in this context.
  We're talking about git tags and issue tags/labels. Acceptance is
  indicated with a github label, so let's try to clearly state that.

Changes to:
* Formatting
* Capitalization
* Sentence structure, where appropriate
* Question-ifying (please confirm [...]. -> Do you [...]?)
I had a hard time understanding a few of the questions, and spent some
time looking through the history to understand when they were added and
how they evolved. Some of them were phrased differently between
ISSUE_TEMPLATE and README, so when in doubt I've erred on the side of
keeping more detailed versions of questions.

This is a bit of a workflow change. Based on the conversation in
https://github.com/rhboot/shim-review/pull/207, it seems like the README
should be the source of truth for submissions.
I've tried to remove duplicates. When in doubt I've used the history to
see what questions were added at the same time and considered
similar-but-different phrasing to be "duplicated".
For now all added questions have been tacked on the end. Grouping by
subject can come later.

This is almost entirely changes to capitalization, spacing, etc. There
are a few places where I've added words where I felt they'd be
uncontroversial.

This changes the headers and horizontal rules to be the same style in
both documents. This makes it a little easier for submitters to copy
answers from one to the other, and hopefully easier for maintainers to
update the questions (only one format to manage).

This attempts to fix two problems: first, that pgp.mit.edu isn't
reliable enough to regularly use, and second that we're getting shim
review requests that are not providing the information we need to verify
emails.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>

This is the standard Contributor Covenant.
See-also: https://www.contributor-covenant.org/
Signed-off-by: Robbie Harwood <rharwood@redhat.com>

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>

Shim-15.3 should not be used. Point to shim-15.4 release instead.
Signed-off-by: Chris Co <chrco@microsoft.com>