Comment 4 for bug 1570617

Tyler Hicks (tyhicks) wrote :

The Security Team did not have enough time to review edk2 for 16.04. It will need a fairly in-depth audit to determine if we can support it since it uses and implements crypto, uses and implements networking, uses and implements TPM interfaces, etc.

There is a lot of code in the edk2 package and it may not be easy to support years from now. Upstream does not cut new releases very often and while they do have service pack releases, they don't release them very often, either. The service pack release notes are vague and some of the descriptions of bugs fixed sound like they may be CVE-worthy. It isn't clear to me if upstream is proactive regarding CVE requests for issues.

We will perform a post-16.04 review of edk2 to determine supportability and look at the potentially problematic areas of the code mentioned above.