Comment 34 for bug 1574727

Steve Langasek (vorlon) wrote :

Having reviewed and discussed the changes to grub in the SRU queue, I have concluded that the grub2 SRU is both insufficient (because upgrade ordering does not ensure that the update-secureboot-policy command is available when grub is upgraded) and unnecessary (because shim-signed should apply the policy itself, so grub doesn't need to).

I am rejecting / removing the grub2 and grub2-signed SRUs for this. shim-signed needs a reupload, so that it directly calls update-secureboot-policy in postinst on upgrade - not just when triggered by another package.

Later, when we are changing grub to refuse to boot kernels whose signature doesn't verify, we will need to ensure that an appropriate version of shim-signed is installed first. But that should be done with a Breaks against older versions of shim, not with conditional postinst logic.