[CentOS] Fixing grub/shim issue Centos 7

Fri Aug 7 12:53:32 UTC 2020
Johnny Hughes <johnny at centos.org>

On 8/7/20 5:30 AM, Phil Perry wrote:
> On 07/08/2020 10:01, Johnny Hughes wrote:
>> On 8/7/20 3:46 AM, Nicolas Kovacs wrote:
>>> Le 07/08/2020 à 09:40, Alessandro Baggi a écrit :
>>>> Probably many users have not updated their machines between the bug
>>>> release and
>>>> the resolution (thanks to your fast apply in the weekend, thank you)
>>>> and many
>>>> update their centos machines on a 2 months base (if not worst). I
>>>> think also
>>>> that many users of CentOS user base have not proclamed their
>>>> disappointement/the issue on this list or in other channels. For
>>>> example I
>>>> simply updated in the wrong time.
>>>
>>> I'm using yum-cron to keep all my server updated on a daily basis.
>>>
>>> And my question "How could this have passed Q & A" was obviously
>>> directed at
>>> Red Hat... and *not* at Johnny Hughes and the CentOS team who do
>>> their best to
>>> deliver the best possible downstream system. I raise my morning
>>> coffee mug to
>>> your health, guys.
>>>
>>> Cheers,
>>>
>>> Niki
>>>
>> I can assure you .. a BUNCH of testing was done.  Because of the scope
>> of this udpate, the CentOS team was looped in during the embargo stage
>> (we normally are not .. Red Hat Engineering got permission to make this
>> happen for this issue). Normally we see things that are open source only
>> .. not embargoed content.  Once the embargo gets lifted, the items
>> become open source.  Kudos to the RH team for making this happen.
>>
>> The CentOS team worked with the RHEL team on this update for several
>> days (more than a week, for sure, maybe 2 weeks)
>>
>> I gained MUCH respect for all those guys .. especially  Peter Jones.  He
>> is Mr.Secure Boot.
>>
>> I personally tested both the c8 and c7 solutions on several machines
>> (All i have access to actually, including several personal machines that
>> have secureboot).  I saw some of the testing that happened on the RHEL
>> side.  It was extensive.
>>
> 
> I'll just add to Johnny's already comprehensive reply. As a member of
> the CentOS QA team, I personally tested the update on 3 physical
> machines and all worked fine. Moreover, the QA team was not able to
> replicate the issue on a single physical machine available to them - the
> first indication of a problem came from public reports. We give up a
> huge amount of our personal time and resources to ensure CentOS (and
> RHEL) are the very best products they can be. I'm unsure what more could
> have been done.

Thanks Phil,

I very much appreciate all you and the rest of the QA team do.

I know it is a knee jerk reaction to say .. how did that not get caught.
 I actually said it MYSELF for this very issue.  But looking back, I am
not sure how we could have caught it.

"Stuff Happens"  :)

There are just a huge number of possible combinations.

> 
>> Microsoft, Debian, Ubuntu and others also had issues with this .. so if
>> you are losing trust, you are losing it with all OS vendors WRT this
>> issue.
>>
>> All I can say is .. this issue was the hardest thing I have been
>> involved with since starting with the CentOS Project 17 years ago.
>>
>> Obviously, everyone involved in this build would have prevented this
>> from happening if they could have.  Secureboot is complicated.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20200807/f848033a/attachment-0005.sig>