[ubuntu/cosmic-proposed] cryptsetup 2:2.0.3-6ubuntu1 (Accepted)
Steve Langasek
steve.langasek at ubuntu.com
Mon Jul 16 20:13:12 UTC 2018

cryptsetup (2:2.0.3-6ubuntu1) cosmic; urgency=low
* Merge from Debian unstable. LP: #1781912.
* Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Invert the "busybox | busybox-static" Recommends, as the latter
is the one we ship in main as part of the ubuntu-standard task.
- Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
compatibility. LP: #1651818
* Dropped changes, included in Debian:
- Drop explicit libgcrypt20 dependency from libcryptsetup4.
- Drop the CRYPTSETUP variable warning from the initramfs hook, as
overlayroot package ships a dropin in conf-hooks.d triggering false
warnings.
- Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
- Drop c99 std, as the default is now higher than that
* Dropped changes, no longer needed:
- Add maintscript to drop removed upstart system jobs.

cryptsetup (2:2.0.3-6) unstable; urgency=medium
* debian/TODO.md: Remove mention of parent device detection for mdadm
(#629236) as it's fixed since 2:2.0.3-2.
* debian/README.gnupg, debian/TODO.md, debian/doc/crypttab.xml: minor typo
fixes.
* debian/rules, debian/patches/disable-internal-tests.patch: Remove patch to
add configure flag '--disable-internal-tests'. The internal test suite is
run by dh_auto_test(1), and it is skipped if DEB_BUILD_OPTIONS environment
variable contains the string "nocheck".
* debian/cryptdisks-functions, debian/initramfs/scripts/local-top/cryptroot:
When the 2nd column of a crypttab entry denotes a block special device,
resolve the device but don't convert it to /dev/block/$major:$minor.
(Closes: #903246.)
* debian/initramfs/hooks/cryptroot:
+ Treat null device numbers as invalid in resolve_device(), cf.
/Documentation/admin-guide/devices.txt in the kernel source tree.
+ generate_initrd_crypttab(): add '\n' to the local IFS since
get_resume_devno() prints one major:minor pair per line.
* debian/initramfs/scripts/local-{top,bottom}/cryptopensc:
+ Save process ID of the pcscd daemon at local-top stage, and kill it at
local-bottom stage. Thanks to Pascal Vibet for the patch.
(Closes: #903574.)
+ Fix path to the pcscd executable (the fix for #880750 was incomplete).
* debian/README.opensc: Remove mention of 'README.openct.gz' as it's gone
since 2:2.0.3-2.
* debian/scripts/decrypt_opensc: Fix plymouth prompt message (use
$CRYPTTAB_NAME not $crypttarget).

cryptsetup (2:2.0.3-5) unstable; urgency=medium
[ Jonas Meurer ]
* debian/askpass.c, debian/scripts/passdev.c, debian/rules:
+ Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
+ Drop c99 std, as the default is now higher than that
* debian/control:
+ Drop explicit dependencies on libgcrypt20 and libgpg-error0 from
libcryptsetup12. They're pulled in by ${shlibs:Depends} automatically.
[ Guilhem Moulin ]
* debian/initramfs/cryptroot-unlock: Keep looping forever (as long as the
disk is locked) if the CRYPTTAB_OPTION_tries variable is set to 0, cf.
crypttab(5).
* debian/doc/crypttab.xml: Clarify that the 'readonly' flag sets up a
read-only mapping. Cf. `cryptsetup --readonly`.
* debian/initramfs/hooks/cryptroot:
+ Fix generation of initrd crypttab(5) with `update-initramfs -u -v` for
key files matching $KEYFILE_PATTERN, or when a 'keyscript' is specified
in the crypttab options. Regression since 2:2.0.3-2. (Closes: #902733.)
+ Avoid processing entries multiple times in get_crypttab_entry(), which
could happen with 'keyscript=decrypt_derived' for instance.
+ Don't complain that the sysfs dir can't be found when the hook failed to
normalize the device (another warning is shown already).
+ If source device is mapped (for instance if it's a logical volume), put
its dm name into the initrd crypttab. LVM2's local-block script doesn't
work with UUIDs, and giving it a VG+LV is better anyway as we avoid
activating all volumes at initramfs stage. (Closes: #902943.)
* debian/initramfs/conf-hook: Clarify that if KEYFILE_PATTERN is null or
unset then no key file is copied.
* debian/initramfs/*, debian/functions, debian/cryptdisks-functions:
+ Use major:minor device IDs internally, as this facilitates discovery of
sysfs directories, and we don't have to take care of the udev mangling.
+ Decode octal sequences when reading /etc/crypttab or /etc/fstab. This
means that key files and option values can contain blanks and special
characters encoded as octal sequences.
+ Refactor crypttab(5) parsing logic, to avoid duplication of boilerplate
code.
* debian/functions: If the key file is a symlink, warn about insecure
permissions of the target, not the link itself.
* debian/scripts/decrypt_derived: For devices with keys in the kernel
keyring (e.g., LUKS2 by default), refuse to derive anything.
* debian/patches/disable-internal-tests.patch: Add configure option
'--disable-internal-tests' to disable the internal test suite.
* debian/rules: Don't run upstream's internal test suite if
$DEB_BUILD_OPTIONS contains the string "skip-internal-tests". (Tests are
still run by default.)
* debian/cryptdisks-functions: Restore support for crypttab(5) entries with
regular files as source device. Regression since 2:2.0.3-2.
(Closes: #902879.)
* debian/control: Bump Standards-Version to 4.1.5 (no changes necessary).

cryptsetup (2:2.0.3-4) unstable; urgency=low
* debian/initramfs/hooks/cryptroot:
+ Fix typo in warning message. (Closes: #901971.)
+ sysfs_devdir(): don't croak when the normalized device pathname isn't of
the form /dev/$blk. This is the case in the Debian installer, where the
devtmpfs pseudo-filesystem exposes /dev/mapper/$name as a block device
instead of a symlink to /dev/dm-$index.
+ sysfs_devdir(): return /sys/dev/block/$maj:$min (a symlink pointing to the
sysfs directory corresponding to the device) rather than /sys/block/$blk.
While the latter is present for mapped devices, it's not present for
block devices corresponding to disk partitions. See sysfs(5) for
details. (Closes: #902183.)
+ get_crypttab_entry(): skip (harmless) warning if blkid_tag() fails to
get the UUID of a dm-crypt device's slave (it's normal with plain
dm-crypt devices).
+ get_crypttab_entry(): don't warn that key file doesn't exist if it's
e.g., an existing character special device.
* debian/functions:unlock_mapping(): translate crypttab(5) option
'size=<size>' to `cryptsetup --key-size=<size>`, not `--size` (which
doesn't set the key size but the size of the device in number of 512 byte
sectors). Regression since 2:2.0.3-2. (Closes: #902245.)
* debian/initramfs/scripts/local-top/cryptroot, debian/cryptdisks-functions,
debian/initramfs/cryptroot-unlock: Fix off-by-one unlock count. Some
keyscripts (such as decrypt_keyctl) don't work properly if on first try
the CRYPTTAB_TRIED environment variable isn't set to 0. Regression since
2:2.0.3-2. (Closes: #902116.)
* debian/scripts/decrypt_keyctl: replace the source device path with the
mapped device name in messages, to match the new askpass behavior.

cryptsetup (2:2.0.3-3) unstable; urgency=low
[ Jonas Meurer ]
* debian/*: run wrap-and-sort(1)
* debian/control:
+ Add Conflicts and Breaks on 'cryptsetup-bin (<< 2:2.0.3-2)' to
cryptsetup-run. Needed since we moved luksformat between the
packages. (Closes: #901773)
+ Remove all traces of package 'cryptsetup-luks' from dependency
headers. This package has never been part of an official Debian
release and the time it existed is more than 12 years ago.
+ Remove Conflicts/Breaks headers from the split of cryptsetup into
cryptsetup/cryptsetup-bin in release 2:1.4.1-3. The conflicting
version is from Debian Wheezy, which means that there's three
releases in between. We don't support dist-upgrades with skipped
releases anyway.
+ Remove obsolete 'Breaks: hashalot (<< 0.3-2)' from cryptsetup-run.
+ Remove versioned depends of libcryptsetup12 on libgcrypt20 and
libgpg-error0. Both versions are satisfied since more than three
releases.
+ Remove versioned build-depends on docbook-xsl, dpkg-dev,
libdevmapper-dev, libgcrypt20-dev and libtool. All versions are
satisfied since more than three releases.
* debian/*: Change maintainer contact address to @alioth-lists.debian.net.
[ Guilhem Moulin ]
* debian/control: Replace 2:2.0.2-2 with 2:2.0.3-1 in Breaks/Replaces/Depends
fields. (2:2.0.2-2 was never released, the version we released after the
package split was 2:2.0.3-1.)
* debian/initramfs/cryptroot-script: exit immediately when
/lib/cryptsetup/functions is not present. (Closes: #901830.)
* debian/cryptsetup-run.prerm: use `dmsetup table --target crypt` to avoid
manually excluding mapped devices using another subsystem.
* d/initramfs/hooks/cryptroot:
+ Fix parser for cipher specifications in mapping table of crypt targets.
In particular, the cipher mode wasn't parsed properly, potentially
causing missing modules in initrd.img compiled with MODULES=dep.
Regression introduced in 2:2.0.3-2. (Closes: #901884.)
+ Print a warning when the mapping table specifies the cipher in kernel
crypto API format ("capi:" prefix). We don't support these yet.

cryptsetup (2:2.0.3-2) unstable; urgency=medium
The "nights are long in summer" cryptsetup sprint release :-)
Guilhem and Jonas hacked together for three days (and nights), refactored
almost all of the cryptsetup packages, squashed (at least) 19 bugs and
started work on several new features. Yay!
[ Guilhem Moulin ]
* cryptsetup-initramfs: Demote "Depends: console-setup, kbd" to Recommends:
(Closes: #901641.)
* debian/initramfs/*-hook: complete refactoring. Common functions are now in
/lib/cryptsetup/functions (source-able from shell scripts).
(Closes: #784881.)
* debian/initramfs/cryptroot-hook:
+ Use sysfs(5) block (resp. fs) hierarchies to detect slave dm-crypt
devices such as LVM2 on top of LUKS (resp. multiple device filesystems
such as btrfs). This approach is more robust than parsing the output of
`lvs` or `btrfs filesystem`.
+ Export relevant crypttab(5) snippet (for devices that need to be
unlocked at initramfs stage) to the initramfs' /cryptroot/crypttab.
+ Print a warning inviting the user to uninstall 'cryptsetup-initramfs'
if 1/ the CRYPTSETUP configuration option is unset or null (the
default), and 2/ the hook didn't detect any device to be unlocked at
initramfs stage. The benefit is two-fold: it guides users through the
package split, and warns them that their system might not reboot if the
hook script didn't work properly.
* Remove the 'decrypt_openct' keyscript since openct was last seen in
oldoldstable, cf. #760258 (ROM).
* debian/initramfs/cryptroot-script: refactoring, using functions from
/lib/cryptsetup/functions. (Closes: #720952, #826124.)
+ One can disable the cryptsetup initramfs scripts for a particular boot
by passing "cryptopts=" as kernel boot argument. (Closes: #873840.)
+ No longer sleep for a full minute after exceeding the maximum number of
unlocking tries. (This was added in 2:1.7.3-2 as an attempt to mitigate
CVE-2016-4484.) Instead, the script sleeps for 1 second after each failed
attempt in order to defeat online brute-force attacks. (Closes: #898495.)
* debian/README.initramfs: Remove mention that the initramfs scripts and the
cryptsetup binary are using a different hash algorithm for plain dm-crypt
volumes. This is no longer true since 2:1.0.6~pre1+svn45-1, cf. #406317.
* debian/cryptdisks.functions:
+ Refactoring, using functions from /lib/cryptsetup/functions.
(Closes: #859953, #891219.)
+ Install to /lib/cryptsetup/cryptdisks-functions.
* crypttab(5):
+ Remove support for the 'precheck' option. The precheck for LUKS devices
is still hardcoded to `cryptsetup isLuks`; the script refuses to unlock
non-LUKS devices (plain dm-crypt and tcrypt devices) containing a known
filesystem (other than swap).
+ Don't ignore the 'plain' option: disable auto-detection and treat the
device as a plain dm-crypt device. (Closes: #886007.)
+ Add support for some option aliases to unify with systemd's crypttab(5)
options. Namely, 'read-only' is an alias for 'readonly', 'key-slot=' is
an alias for 'keyslot=', 'tcrypt-hidden' is an alias for 'tcrypthidden',
and 'tcrypt-veracrypt' is an alias for 'veracrypt'.
+ Add support for 'keyfile-size=' and 'keyfile-offset=' options.
(Closes: #849335.)
+ Source devices can now be specified using their PARTUUID or PARTLABEL,
similar to fstab(5).
* debian/scripts/cryptdisks_start: Add support for '-r'/'--readonly' switch
to setup readonly mappings. (Closes: #782843.)
* debian/scripts/cryptdisks_stop: Add support for closing multiple disks at
once. (Closes: #783194.)
[ Jonas Meurer ]
* debian/doc/crypttab.xml:
+ Add a section about the different crypttab formats of our package and
the systemd cryptsetup wrapper.
+ Document which options are ignored by the initramfs scripts and which
are unsupported by the systemd implementation. (Closes: #714380)
+ Clarify documentation of option 'tries'. It also applies when using
keyscripts, not only with interactive passphrases. (Closes: #826127)
+ Make it obvious that in case a keyscript is configured, the third option
is passed as argument to the keyscript. Mention the optional requirement
to quote the value. (Closes: #826122)
+ Some minor wording improvements.
* debian/control, debian/compat: Bump debhelper compatibility level to 11.
* debian/rules:
+ Completely refactor the rules file, adapt to debhelper 11 style.
(Closes: #901713)
+ Run the upstream build-time testsuite thanks to dh_auto_test.
+ Move the luksformat script from cryptsetup-bin to cryptsetup-run.
+ Install the bug-script into all packages.
+ No longer install the sysvinit initscripts into cryptsetup-udeb.
+ Remove many old build and compile flags, debhelper takes care of most of
them nowadays.

cryptsetup (2:2.0.3-1) unstable; urgency=medium
[ Guilhem Moulin ]
* Split cryptsetup package into cryptsetup-run (init scripts and libraries)
and cryptsetup-initramfs (initramfs integration). The 'cryptsetup'
package is now a transitional dummy package. (Closes: #783297.)
* debian/cryptsetup-run.preinst: remove logic for rm_conffile
/etc/udev/rules.d/z60_cryptsetup.rules, which was added for #493151 in
2:1.0.6-5.
* debian/cryptdisks.bash_completion: only complete cryptdisks_stop arguments
with crypttab(5) targets that already exist, and only complete
cryptdisks_start targets with crypttab(5) targets that don't exist yet.
(Closes: #827200.)
* debian/initramfs/cryptroot-hook:
+ use copy_file() from hook-functions to copy key files to the initrd.
This ensures that relevant messages are printed in verbose mode.
(Closes: #898516.)
+ remove backward compatibility support for setting CRYPTSETUP and
KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf. Since 2:1.7.2-1
they should be set in /etc/cryptsetup-initramfs/conf-hook.
+ add 'algif_skcipher' kernel module to large initramfs (if the MODULES
variable isn't "dep"). That module is required for unlocking LUKS2
devices.
[ Jonas Meurer ]
* New upstream release 2.0.3
* debian/control:
- Bump standards-version to 4.1.4, no changes required
- Change my mail address to 'jonas at freesources.org'
- Change Vcs links to the new repository on salsa.debian.org
* debian/README.source: minor improvements
* debian/doc/crypttab.xml: Fix typo in manpage

Date: Mon, 16 Jul 2018 08:27:58 -0400
Changed-By: Steve Langasek <steve.langasek at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/cryptsetup/2:2.0.3-6ubuntu1
-------------- next part --------------
Format: 1.8
Date: Mon, 16 Jul 2018 08:27:58 -0400
Source: cryptsetup
Binary: cryptsetup-run cryptsetup-bin cryptsetup-initramfs cryptsetup libcryptsetup12 libcryptsetup-dev cryptsetup-udeb libcryptsetup12-udeb
Architecture: source
Version: 2:2.0.3-6ubuntu1
Distribution: cosmic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Steve Langasek <steve.langasek at ubuntu.com>
Description:
cryptsetup - transitional dummy package for cryptsetup-{run,initramfs}
cryptsetup-bin - disk encryption support - command line tools
cryptsetup-initramfs - disk encryption support - initramfs integration
cryptsetup-run - disk encryption support - startup scripts
cryptsetup-udeb - disk encryption support - commandline tools (udeb) (udeb)
libcryptsetup-dev - disk encryption support - development files
libcryptsetup12 - disk encryption support - shared library
libcryptsetup12-udeb - disk encryption support - shared library (udeb) (udeb)
Closes: 714380 720952 782843 783194 783297 784881 826122 826124 826127 827200 849335 859953 873840 886007 891219 898495 898516 901641 901713 901773 901830 901884 901971 902116 902183 902245 902733 902879 902943 903246 903574
Launchpad-Bugs-Fixed: 1651818 1781912
Original-Maintainer: Debian Cryptsetup Team <pkg-cryptsetup-devel at alioth-lists.debian.net>
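The crypttab(5) parsing changes listed in the 2:2.0.3-2, 2:2.0.3-4 and 2:2.0.3-5 entries (octal-escaped fields, systemd-style option aliases, and 'size=' mapping to `--key-size` rather than `--size`) can be sketched as follows. This is an added Python example, not the package's shell code; the function names, the sample line, and the defaults for missing fields are assumptions made for illustration.

```python
import re

# Option aliases named in the 2:2.0.3-2 changelog entry.
ALIASES = {
    "read-only": "readonly",
    "key-slot": "keyslot",
    "tcrypt-hidden": "tcrypthidden",
    "tcrypt-veracrypt": "veracrypt",
}

# Illustrative subset of crypttab options and the cryptsetup long option each
# one maps to. 'size' maps to --key-size, not --size (the latter sets the
# device size in 512-byte sectors), which is the regression fixed in 2:2.0.3-4.
FLAGS = {
    "cipher": "--cipher",
    "size": "--key-size",
    "readonly": "--readonly",
    "keyslot": "--key-slot",
    "keyfile-size": "--keyfile-size",
    "keyfile-offset": "--keyfile-offset",
}

# A backslash followed by three octal digits encoding one byte (000-377).
_OCTAL = re.compile(rb"\\([0-3][0-7]{2})")


def decode_octal(field):
    """Decode \\NNN octal sequences (e.g. \\040 for a blank) in one field."""
    raw = _OCTAL.sub(lambda m: bytes([int(m.group(1), 8)]),
                     field.encode("utf-8"))
    return raw.decode("utf-8", errors="surrogateescape")


def parse_crypttab_line(line):
    """Parse one crypttab line into a dict, or return None for blanks/comments.

    Fields are split on whitespace *before* decoding, so an encoded blank
    never splits a key file path or an option value.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("crypttab entry needs at least a target and a source")
    # Assumption for this sketch: a missing key file means "none" and a
    # missing options field means no options.
    fields += ["none", ""][len(fields) - 2:]
    name, source, keyfile, opts = fields[:4]

    options = {}
    for item in opts.split(","):
        if not item:
            continue
        key, sep, value = item.partition("=")
        key = ALIASES.get(key, key)          # normalise systemd-style aliases
        options[key] = decode_octal(value) if sep else True

    return {
        "name": decode_octal(name),
        "source": decode_octal(source),
        "keyfile": decode_octal(keyfile),
        "options": options,
    }


def cryptsetup_args(entry):
    """Translate the parsed options into cryptsetup command-line arguments."""
    args = []
    for key, value in entry["options"].items():
        flag = FLAGS.get(key)
        if flag is None:
            continue                          # e.g. 'plain', 'luks', 'tries'
        args.append(flag if value is True else f"{flag}={value}")
    return args


# Constructed sample entry: PARTLABEL source and key file path both contain
# a blank encoded as \040, and 'read-only' uses the systemd-style alias.
SAMPLE = (r"swap_crypt PARTLABEL=scratch\040disk /etc/keys/scratch\040disk.key "
          r"plain,cipher=aes-xts-plain64,size=512,read-only,keyfile-size=64")

if __name__ == "__main__":
    entry = parse_crypttab_line(SAMPLE)
    print(entry)
    print(cryptsetup_args(entry))
```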