> Should the shim-signed package have a dependency on a kernel that is new enough?
For better or worse, there is no straightforward way to express such a dependency. But also, the fundamental problem here is not that shim-signed has new requirements. The fundamental problem is that you and other users have been running a kernel that has had no security updates for over 2 years and didn't know it. While it was stated at the time that these kernels would have security support for a limited time and that users who had these kernels installed would not be automatically rolled forward to the next series (as this might introduce regressions in hardware support), evidently this information was not communicated in a way that made it clear to users that they were out of security support.
I will look into what can be done to improve the communication to users in all the usual places that information about security updates are communicated, to let users know they are running unsupported kernels.
Thanks for confirming.
> Should the shim-signed package have a dependency on a kernel that is new enough?
For better or worse, there is no straightforward way to express such a dependency. But also, the fundamental problem here is not that shim-signed has new requirements. The fundamental problem is that you and other users have been running a kernel that has had no security updates for over 2 years and didn't know it. While it was stated at the time that these kernels would have security support for a limited time and that users who had these kernels installed would not be automatically rolled forward to the next series (as this might introduce regressions in hardware support), evidently this information was not communicated in a way that made it clear to users that they were out of security support.
I will look into what can be done to improve the communication to users in all the usual places that information about security updates are communicated, to let users know they are running unsupported kernels.