Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package yast2-storage-ng for 
openSUSE:Factory checked in at 2025-11-02 22:33:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-storage-ng (Old)
 and      /work/SRC/openSUSE:Factory/.yast2-storage-ng.new.1980 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "yast2-storage-ng"

Sun Nov  2 22:33:06 2025 rev:178 rq:1313165 version:5.0.37

Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-storage-ng/yast2-storage-ng.changes        
2025-08-07 16:48:52.908465422 +0200
+++ 
/work/SRC/openSUSE:Factory/.yast2-storage-ng.new.1980/yast2-storage-ng.changes  
    2025-11-02 22:33:07.996082077 +0100
@@ -1,0 +2,13 @@
+Fri Oct 10 09:44:39 UTC 2025 - Stefan Schubert <[email protected]>
+
+- Add umask=0077 fstab option to vfat partitions in order to reduce
+  security risks (bsc#1250510).
+- 5.0.37
+
+-------------------------------------------------------------------
+Wed Sep 24 10:34:05 UTC 2025 - Stefan Schubert <[email protected]>
+
+- Using PbkdFunction::PBKDF2 for none efi systems (bsc#1249670).
+- 5.0.36
+
+-------------------------------------------------------------------

Old:
----
  yast2-storage-ng-5.0.35.tar.bz2

New:
----
  yast2-storage-ng-5.0.37.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ yast2-storage-ng.spec ++++++
--- /var/tmp/diff_new_pack.aS4y9I/_old  2025-11-02 22:33:08.604107567 +0100
+++ /var/tmp/diff_new_pack.aS4y9I/_new  2025-11-02 22:33:08.604107567 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-storage-ng
-Version:        5.0.35
+Version:        5.0.37
 Release:        0
 Summary:        YaST2 - Storage Configuration
 License:        GPL-2.0-only OR GPL-3.0-only

++++++ yast2-storage-ng-5.0.35.tar.bz2 -> yast2-storage-ng-5.0.37.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-5.0.35/package/yast2-storage-ng.changes 
new/yast2-storage-ng-5.0.37/package/yast2-storage-ng.changes
--- old/yast2-storage-ng-5.0.35/package/yast2-storage-ng.changes        
2025-08-06 14:13:12.000000000 +0200
+++ new/yast2-storage-ng-5.0.37/package/yast2-storage-ng.changes        
2025-10-23 10:08:23.000000000 +0200
@@ -1,4 +1,17 @@
 -------------------------------------------------------------------
+Fri Oct 10 09:44:39 UTC 2025 - Stefan Schubert <[email protected]>
+
+- Add umask=0077 fstab option to vfat partitions in order to reduce
+  security risks (bsc#1250510).
+- 5.0.37
+
+-------------------------------------------------------------------
+Wed Sep 24 10:34:05 UTC 2025 - Stefan Schubert <[email protected]>
+
+- Using PbkdFunction::PBKDF2 for none efi systems (bsc#1249670).
+- 5.0.36
+
+-------------------------------------------------------------------
 Mon Jul 28 10:59:39 UTC 2025 - Stefan Schubert <[email protected]>
 
 - Do not generate grub2 error messages and proposals if a BLS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-5.0.35/package/yast2-storage-ng.spec 
new/yast2-storage-ng-5.0.37/package/yast2-storage-ng.spec
--- old/yast2-storage-ng-5.0.35/package/yast2-storage-ng.spec   2025-08-06 
14:13:12.000000000 +0200
+++ new/yast2-storage-ng-5.0.37/package/yast2-storage-ng.spec   2025-10-23 
10:08:23.000000000 +0200
@@ -16,7 +16,7 @@
 #
 
 Name:           yast2-storage-ng
-Version:        5.0.35
+Version:        5.0.37
 Release:        0
 Summary:        YaST2 - Storage Configuration
 License:        GPL-2.0-only OR GPL-3.0-only
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-5.0.35/src/lib/y2storage/filesystems/type.rb 
new/yast2-storage-ng-5.0.37/src/lib/y2storage/filesystems/type.rb
--- old/yast2-storage-ng-5.0.35/src/lib/y2storage/filesystems/type.rb   
2025-08-06 14:13:12.000000000 +0200
+++ new/yast2-storage-ng-5.0.37/src/lib/y2storage/filesystems/type.rb   
2025-10-23 10:08:23.000000000 +0200
@@ -414,7 +414,11 @@
         case to_sym
         when :vfat
           # "iocharset=utf8" breaks VFAT case insensitivity (bsc#1080731)
-          opt.reject { |o| o == "iocharset=utf8" }
+          ret = opt.reject { |o| o == "iocharset=utf8" }
+          # Protecting vfat partitions in order to reduce security risks
+          # (bsc#1250510).
+          ret += ["dmask=0077"] unless ret.find_index { |x| 
x.start_with?("dmask=") }
+          ret
         else
           opt
         end
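Review bot: The option added for `:vfat` is `dmask=0077`, while the changelog entry for bsc#1250510 announces `umask=0077`. `dmask` only masks directory permissions, so file modes on the mount still follow the default umask/fmask. If both are meant to be restricted, the appended value should be `umask=0077` (or `fmask=0077` next to `dmask=0077`); otherwise the changelog wording should say dmask. The guard looks only for a `dmask=` prefix, so an existing `umask=` entry in `opt` is not taken into account, and the check itself reads more directly as `ret.none? { |x| x.start_with?("dmask=") }` than as `find_index` used as a boolean. The enclosing method starts and ends outside the hunk.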
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-5.0.35/src/lib/y2storage/guided_proposal.rb 
new/yast2-storage-ng-5.0.37/src/lib/y2storage/guided_proposal.rb
--- old/yast2-storage-ng-5.0.35/src/lib/y2storage/guided_proposal.rb    
2025-08-06 14:13:12.000000000 +0200
+++ new/yast2-storage-ng-5.0.37/src/lib/y2storage/guided_proposal.rb    
2025-10-23 10:08:23.000000000 +0200
@@ -63,6 +63,7 @@
       #
       # @return [InitialGuidedProposal]
       def initial(settings: nil, devicegraph: nil, disk_analyzer: nil)
+        settings.encryption_pbkdf = 
GuidedProposal.check_pbkdf(settings.encryption_pbkdf) if settings
         proposal = InitialGuidedProposal.new(
           settings:      settings,
           devicegraph:   devicegraph,
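Review bot: `initial` now assigns to `settings.encryption_pbkdf` on the object the caller passed in, so the caller's ProposalSettings is modified as a side effect of requesting a proposal. The same in-place write is added to the constructor in the third hunk of this file (`@settings.encryption_pbkdf = ...`). If `InitialGuidedProposal.new` reaches that constructor through `super`, which is not visible here, the assignment in `initial` is redundant and could be dropped. Working on a copy, e.g. `settings = settings.dup` before the assignment, would keep the configured value intact for the caller, provided ProposalSettings can be shallow-copied. The body of `initial` continues outside the hunk.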
@@ -75,6 +76,19 @@
         log.error("Initial proposal failed")
         proposal
       end
+
+      # Checks if the given pbkdf can be used for the installation.
+      #
+      # @param pbkdf which has to be checked [PbkdFunction]
+      # @return updated PbkdFunction
+      def check_pbkdf(pbkdf)
+        # none efi system has to use PBKDF2
+        unless Y2Storage::Arch.new.efiboot?
+          log.info "Using PBKDF2 because it is not a EFI system."
+          return PbkdFunction::PBKDF2
+        end
+        pbkdf
+      end
     end
 
     # Constructor
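Review bot: `check_pbkdf` returns `PbkdFunction::PBKDF2` on every non-EFI system whatever it was given, so a configured Argon2id is replaced by a key derivation function that is not memory-hard, with only a `log.info` line that does not name the replaced value. The log call should run only when the value actually changes and should record what was replaced, e.g. `log.warn "Replacing #{pbkdf.inspect} with PBKDF2: not an EFI system" if pbkdf != PbkdFunction::PBKDF2`, so the downgrade can be found in the installation log. The doc comment should state that `nil` is also mapped to PBKDF2 and use the usual YARD order: `# @param pbkdf [PbkdFunction, nil] function requested in the settings` and `# @return [PbkdFunction] function to use`. The comment and log text should read "non-EFI" rather than "none efi".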
@@ -89,6 +103,7 @@
       super(devicegraph: devicegraph, disk_analyzer: disk_analyzer)
 
       @settings = settings || ProposalSettings.new_for_current_product
+      @settings.encryption_pbkdf = 
GuidedProposal.check_pbkdf(@settings.encryption_pbkdf)
     end
 
     private
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-5.0.35/test/data/devicegraphs/output/raspi_empty.yml 
new/yast2-storage-ng-5.0.37/test/data/devicegraphs/output/raspi_empty.yml
--- old/yast2-storage-ng-5.0.35/test/data/devicegraphs/output/raspi_empty.yml   
2025-08-06 14:13:12.000000000 +0200
+++ new/yast2-storage-ng-5.0.37/test/data/devicegraphs/output/raspi_empty.yml   
2025-10-23 10:08:23.000000000 +0200
@@ -10,8 +10,7 @@
         type: primary
         id: dos32
         file_system: vfat
-        fstab_options:
-          - utf8
+        fstab_options: ["utf8", "dmask=0077"]
         mount_point: /boot/efi
     - partition:
         size: 40 GiB
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-5.0.35/test/data/devicegraphs/output/raspi_firmware.yml 
new/yast2-storage-ng-5.0.37/test/data/devicegraphs/output/raspi_firmware.yml
--- 
old/yast2-storage-ng-5.0.35/test/data/devicegraphs/output/raspi_firmware.yml    
    2025-08-06 14:13:12.000000000 +0200
+++ 
new/yast2-storage-ng-5.0.37/test/data/devicegraphs/output/raspi_firmware.yml    
    2025-10-23 10:08:23.000000000 +0200
@@ -17,8 +17,7 @@
         type: primary
         id: esp
         file_system: vfat
-        fstab_options:
-          - utf8
+        fstab_options: ["utf8", "dmask=0077"]
         mount_point: /boot/efi
     - partition:
         size: 40 GiB
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-5.0.35/test/y2storage/clients/inst_disk_proposal_test.rb 
new/yast2-storage-ng-5.0.37/test/y2storage/clients/inst_disk_proposal_test.rb
--- 
old/yast2-storage-ng-5.0.35/test/y2storage/clients/inst_disk_proposal_test.rb   
    2025-08-06 14:13:12.000000000 +0200
+++ 
new/yast2-storage-ng-5.0.37/test/y2storage/clients/inst_disk_proposal_test.rb   
    2025-10-23 10:08:23.000000000 +0200
@@ -524,7 +524,7 @@
       end
 
       context "if the guided setup returns :next" do
-        let(:new_settings) { double("Y2Storage::ProposalSettings") }
+        let(:new_settings) { Y2Storage::ProposalSettings.new }
 
         before do
           allow(proposal_dialog).to 
receive(:devicegraph).and_return(devicegraph)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-5.0.35/test/y2storage/filesystems/type_test.rb 
new/yast2-storage-ng-5.0.37/test/y2storage/filesystems/type_test.rb
--- old/yast2-storage-ng-5.0.35/test/y2storage/filesystems/type_test.rb 
2025-08-06 14:13:12.000000000 +0200
+++ new/yast2-storage-ng-5.0.37/test/y2storage/filesystems/type_test.rb 
2025-10-23 10:08:23.000000000 +0200
@@ -202,16 +202,18 @@
         it "vfat has the correct fstab options for a utf8 locale" do
           Yast::Encoding.SetUtf8Lang(true)
           Yast::Encoding.SetEncLang("de_DE")
-          expect(described_class::VFAT.default_fstab_options("/boot")).to eq 
["utf8"]
-          expect(described_class::VFAT.default_fstab_options("/boot/efi")).to 
eq ["utf8"]
-          
expect(described_class::VFAT.default_fstab_options("/boot/whatever")).to eq 
["utf8"]
+          expect(described_class::VFAT.default_fstab_options("/boot")).to eq 
["utf8", "dmask=0077"]
+          expect(described_class::VFAT.default_fstab_options("/boot/efi")).to 
eq ["utf8", "dmask=0077"]
+          
expect(described_class::VFAT.default_fstab_options("/boot/whatever")).to eq 
["utf8",
+                                                                               
        "dmask=0077"]
         end
 
         it "vfat has the correct fstab options for a non-utf8 de_DE locale" do
           Yast::Encoding.SetUtf8Lang(false)
           Yast::Encoding.SetEncLang("de_DE")
           # "codepage=437" is default and thus omitted
-          expect(described_class::VFAT.default_fstab_options("/boot/efi")).to 
eq ["iocharset=iso8859-15"]
+          expect(described_class::VFAT.default_fstab_options("/boot/efi"))
+            .to include("iocharset=iso8859-15")
         end
       end
 
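Review bot: The non-utf8 `/boot/efi` expectation was loosened from `eq` to `include("iocharset=iso8859-15")`, so this case no longer checks that `dmask=0077` is present, nor that no other option slips in. The utf8 cases in the same hunk pin the full list, and this one can do the same, presumably as `.to eq ["iocharset=iso8859-15", "dmask=0077"]`, since type.rb appends the option last.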
@@ -226,7 +228,8 @@
           Yast::Encoding.SetUtf8Lang(false)
           Yast::Encoding.SetEncLang("de_DE")
           # "codepage=437" is default and thus omitted
-          expect(described_class::VFAT.default_fstab_options("/bootme")).to eq 
["iocharset=iso8859-15"]
+          expect(described_class::VFAT.default_fstab_options("/bootme"))
+            .to eq ["iocharset=iso8859-15"]
         end
       end
     end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-5.0.35/test/y2storage/proposal_luks2_x86_test.rb 
new/yast2-storage-ng-5.0.37/test/y2storage/proposal_luks2_x86_test.rb
--- old/yast2-storage-ng-5.0.35/test/y2storage/proposal_luks2_x86_test.rb       
2025-08-06 14:13:12.000000000 +0200
+++ new/yast2-storage-ng-5.0.37/test/y2storage/proposal_luks2_x86_test.rb       
2025-10-23 10:08:23.000000000 +0200
@@ -68,69 +68,51 @@
       expect(encs.map(&:pbkdf)).to all(eq pbkdf)
     end
 
-    RSpec.shared_examples "/boot unless PBKDF2" do
-      context "using Argon2id as key derivation function" do
-        let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID }
-
-        it "proposes a separate unencrypted /boot partition" do
-          proposal.propose
-          boot_fs = proposal.devices.filesystems.find { |fs| fs.mount_path == 
"/boot" }
-          expect(boot_fs.encrypted?).to eq false
-        end
+    RSpec.shared_examples "proposes /boot" do
+      it "does propose a separate /boot partition" do
+        proposal.propose
+        boot_fs = proposal.devices.filesystems.find { |fs| fs.mount_path == 
"/boot" }
+        expect(boot_fs.encrypted?).to eq false
       end
+    end
 
-      context "using PBKDF2 as key derivation function" do
-        let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 }
-
-        it "does not propose a separate /boot partition" do
-          proposal.propose
-          boot_fs = proposal.devices.filesystems.find { |fs| fs.mount_path == 
"/boot" }
-          expect(boot_fs).to be_nil
-        end
+    RSpec.shared_examples "not proposes /boot" do
+      it "does not propose a separate /boot partition" do
+        proposal.propose
+        boot_fs = proposal.devices.filesystems.find { |fs| fs.mount_path == 
"/boot" }
+        expect(boot_fs).to be_nil
       end
     end
 
-    RSpec.shared_examples "correct PBKDF encrypted partitions" do
-      context "using Argon2id as key derivation function" do
-        let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID }
-
-        it "proposes LUKS2 encrypted partitions with Argon2 for all system 
partitions" do
-          proposal.propose
-          expect_luks2_fs("/", Y2Storage::PbkdFunction::ARGON2ID)
-          expect_luks2_fs("swap", Y2Storage::PbkdFunction::ARGON2ID)
-        end
+    RSpec.shared_examples "correct Argon2id encrypted partitions" do
+      it "proposes LUKS2 encrypted partitions with Argon2 for all system 
partitions" do
+        proposal.propose
+        expect_luks2_fs("/", Y2Storage::PbkdFunction::ARGON2ID)
+        expect_luks2_fs("swap", Y2Storage::PbkdFunction::ARGON2ID)
       end
+    end
 
-      context "using PBKDF2 as key derivation function" do
-        let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 }
-
-        it "proposes LUKS2 encrypted partitions with PBKDF2 for all system 
partitions" do
-          proposal.propose
-          expect_luks2_fs("/", Y2Storage::PbkdFunction::PBKDF2)
-          expect_luks2_fs("swap", Y2Storage::PbkdFunction::PBKDF2)
-        end
+    RSpec.shared_examples "correct PBKDF2 encrypted partitions" do
+      it "proposes LUKS2 encrypted partitions with PBKDF2 for all system 
partitions" do
+        proposal.propose
+        expect_luks2_fs("/", Y2Storage::PbkdFunction::PBKDF2)
+        expect_luks2_fs("swap", Y2Storage::PbkdFunction::PBKDF2)
       end
     end
 
-    RSpec.shared_examples "correct PBKDF encrypted LVM" do
-      context "using Argon2id as key derivation function" do
-        let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID }
-
-        it "proposes LUKS2 encrypted LVM with Argon2 for all system volumes" do
-          proposal.propose
-          expect_luks2_lvm_fs("/", Y2Storage::PbkdFunction::ARGON2ID)
-          expect_luks2_lvm_fs("swap", Y2Storage::PbkdFunction::ARGON2ID)
-        end
+    RSpec.shared_examples "correct Argon2id encrypted LVM" do
+      it "proposes LUKS2 encrypted LVM with Argon2 for all system volumes" do
+        proposal.propose
+        expect_luks2_lvm_fs("/", Y2Storage::PbkdFunction::ARGON2ID)
+        expect_luks2_lvm_fs("swap", Y2Storage::PbkdFunction::ARGON2ID)
       end
+    end
 
-      context "using PBKDF2 as key derivation function" do
-        let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 }
-
-        it "proposes LUKS2 encrypted LVM with PBKDF2 for all system volumes" do
-          proposal.propose
-          expect_luks2_lvm_fs("/", Y2Storage::PbkdFunction::PBKDF2)
-          expect_luks2_lvm_fs("swap", Y2Storage::PbkdFunction::PBKDF2)
-        end
+    RSpec.shared_examples "correct PBKDF2 encrypted LVM" do
+      it "proposes LUKS2 encrypted LVM with PBKDF2 for all system volumes" do
+        proposal.propose
+        expect_luks2_lvm_fs("/", Y2Storage::PbkdFunction::PBKDF2)
+        expect_luks2_lvm_fs("swap", Y2Storage::PbkdFunction::PBKDF2)
       end
     end
 
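Review bot: The shared example "proposes /boot" is described as "does propose a separate /boot partition" but asserts only `boot_fs.encrypted?`. A missing /boot therefore surfaces as a NoMethodError on nil rather than an expectation failure, and the description no longer says the partition must be unencrypted. Adding `expect(boot_fs).not_to be_nil` before the `encrypted?` check and restoring "unencrypted" in the description would cover both. The group name "not proposes /boot" would read better as "does not propose /boot".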
@@ -140,16 +122,32 @@
       context "proposing LVM" do
         let(:lvm) { true }
 
-        # FIXME: commented out because the combination of LVM + LUKS2 with 
Argon2 doesn't work yet
-        # include_examples "/boot unless PBKDF2"
-        include_examples "correct PBKDF encrypted LVM"
+        context "default ARGON2ID" do
+          let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID }
+          # FIXME: commented out because the combination of LVM + LUKS2 with 
Argon2 doesn't work yet
+          # include_examples "proposes /boot"
+          include_examples "correct Argon2id encrypted LVM"
+        end
+        context "default PBKDF2" do
+          let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 }
+          include_examples "correct PBKDF2 encrypted LVM"
+          include_examples "not proposes /boot"
+        end
       end
 
       context "proposing partitions (no LVM)" do
         let(:lvm) { false }
 
-        include_examples "/boot unless PBKDF2"
-        include_examples "correct PBKDF encrypted partitions"
+        context "default ARGON2ID" do
+          let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID }
+          include_examples "correct Argon2id encrypted partitions"
+          include_examples "proposes /boot"
+        end
+        context "default PBKDF2" do
+          let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 }
+          include_examples "correct PBKDF2 encrypted partitions"
+          include_examples "not proposes /boot"
+        end
       end
     end
 
@@ -159,16 +157,37 @@
       context "proposing LVM" do
         let(:lvm) { true }
 
-        # FIXME: commented out because the combination of LVM + LUKS2 with 
Argon2 doesn't work yet
-        # include_examples "/boot unless PBKDF2"
-        include_examples "correct PBKDF encrypted LVM"
+        context "default ARGON2ID" do
+          let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID }
+          # proposes PBKDF2 although ARGON2ID has been set in the
+          # control.xml file because grub2 in a none EFI system can
+          # only handle PBKDF2 (bnc#1249670).
+          include_examples "correct PBKDF2 encrypted LVM"
+          include_examples "not proposes /boot"
+        end
+        context "default PBKDF2" do
+          let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 }
+          include_examples "correct PBKDF2 encrypted LVM"
+          include_examples "not proposes /boot"
+        end
       end
 
       context "proposing partitions (no LVM)" do
         let(:lvm) { false }
 
-        include_examples "/boot unless PBKDF2"
-        include_examples "correct PBKDF encrypted partitions"
+        context "default ARGON2ID" do
+          # proposes PBKDF2 although ARGON2ID has been set in the
+          # control.xml file because grub2 in a none EFI system can
+          # only handle PBKDF2 (bnc#1249670).
+          let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID }
+          include_examples "correct PBKDF2 encrypted partitions"
+          include_examples "not proposes /boot"
+        end
+        context "default PBKDF2" do
+          let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 }
+          include_examples "correct PBKDF2 encrypted partitions"
+          include_examples "not proposes /boot"
+        end
       end
     end
   end
