Your message dated Mon, 26 Feb 2024 16:49:14 +0000
with message-id <[email protected]>
and subject line Bug#1060270: fixed in cryptsetup 2:2.7.0-1
has caused the Debian Bug report #1060270,
regarding /lib/cryptsetup/askpass: coordinated move to /usr for DEP17
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1060270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060270
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cryptsetup-nuke-password
Version: 4+nmu1
User: [email protected]
Usertags: dep17m2 dep17p3
Control: clone -1 -2
Control: reassign -2 cryptsetup
Control: block -2 by -1
Hi,
for finalizing the /usr-merge via DEP17, we want to move all aliased
files to /usr. cryptsetup and cryptsetup-nuke-password are affected in
multiple ways. For one think /lib/cryptsetup/askpass is being diverted
and diversions need special attention (DEP17 P3), for another
libcryptsetup12 is part of the debootstrap set and needs to be done
soon.
I've done a similar conversion for molly-guard/systemd and have prepared
patches for cryptsetup-nuke-password and cryptsetup. Notably:
* These patches move all the files to /usr. (DEP17 M2)
* Therefore, cryptsetup declares versioned Conflicts for
cryptsetup-nuke-password. Please check the version that actually will
be uploaded before uploading cryptsetup.
* cryptsetup-nuke-password actually uses the original askpass, but it
only declares a dependency on cryptsetup-bin, which does not contain
askpass. I consider this a bug and upgrade the dependency to
cryptsetup. I hope this is fine.
* Since cryptsetup-nuke-password depends on the package it diverts
(after my previous change), I upgrade the dependency to the version
that is expected to apply this patch in cryptsetup. Please coordinate
this version with the cryptsetup maintainer.
* The way I have implemented this (and which reduces complexity), the
moved cryptsetup will be incompatible with the aliased
cryptsetup-nuke-password and the moved cryptsetup-nuke-password will
be incompatible with the moved cryptsetup. Hence these uploads need
to happen concurrently. Otherwise, the packages will not migrate to
testing.
* There is a corner case when performing the upgrade with dpkg. If you
schedule cryptsetup-nuke-password for removal (using dpkg
--set-selections) and then unpack the updated cryptsetup, askpass
will be lost. After consultation with [email protected]
we consider this acceptable and do not mitigate it. If you want this
mitigated, cryptsetup needs to ship a copy of askpass else where
(.e.g. a hardlink in the same directory) and have its postinst
restore the lost file in case it is missing. This loss cannot be
experienced when working with apt. (In the sense that we couldn't
trick apt into loosing it, but there is no proof that this cannot
happen.)
* Acceptance of this patch will make both packages un-backportatble.
These patches must not be uploaded to bookworm-backports or earlier.
Removing these patches in a backport would result in a high-versioned
cryptsetup containing aliased files. That would break
cryptsetup-nuke-password's assumption that a high enough version of
cryptsetup is moved. Therefore cryptsetup must not be backported. If
you want cryptsetup backportable, a more elaborate patch on the
cryptsetup-nuke-password side is needed or the backported cryptsetup
must declare an unversioned conflict for cryptsetup-nuke-password.
* Please upload these changes to experimental first. That allows
running them past QA systems such as piuparts, dumat and others and
also lets us double check the version constraints.
* If you later restructure (move files to a different binary package)
any binary package, please go via experimental as you may need
further mitigations for /usr-merged caused file loss (DEP17 P1).
I see that this may sound scary. We'll get past this mess together. If
things break, I'll keep the pieces and I've done so for molly-guard
already. Let me know if you have any questions.
Helmut
--- End Message ---
--- Begin Message ---
Source: cryptsetup
Source-Version: 2:2.7.0-1
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
cryptsetup, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated cryptsetup package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 26 Feb 2024 12:50:46 +0100
Source: cryptsetup
Architecture: source
Version: 2:2.7.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Cryptsetup Team
<[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1060270
Changes:
cryptsetup (2:2.7.0-1) unstable; urgency=medium
.
* Upload to unstable.
* Revert "d/gbp.conf: Set ‘debian-branch = debian/experimental’."
* Revert "Use OpenSSL's own argon2 implementation" (since sid doesn't have
OpenSSL 3.2 yet).
* Revert "d/control: cryptsetup Depends: Bump minimum cryptsetup-bin version
to 2.7~."
* Revert "d/cryptsetup.lintian-overrides: Ignore ‘conflicts-with-version
cryptsetup-nuke-password’."
* Revert "d/cryptsetup.lintian-overrides: Remove unused overrides."
* Revert "/lib/cryptsetup/askpass: coordinated move to /usr for DEP17"
.
cryptsetup (2:2.7.0-1+exp) experimental; urgency=medium
.
* New upstream release.
.
[ Guilhem Moulin ]
* d/control: cryptsetup Depends: Bump minimum cryptsetup-bin version to 2.7~.
* d/control: Build-Depends: Replace pkg-config with pkgconf.
* d/cryptsetup-suspend.lintian-overrides: Remove alien tag.
* d/cryptsetup.lintian-overrides: Remove unused overrides.
* d/cryptsetup.lintian-overrides: Add override ‘conflicts-with-version
cryptsetup-nuke-password’.
* d/t/cryptroot-*: Fix DEP-8 tests with QEMU 8.2.
.
[ Helmut Grohne ]
* /lib/cryptsetup/askpass: coordinated move to /usr for DEP17.
(Closes: #1060270)
.
cryptsetup (2:2.7.0~rc1-1) experimental; urgency=medium
.
* New upstream release candidate.
* d/gbp.conf: Set ‘debian-branch = debian/experimental’.
* Add new DEP-8 test to check crypto backend flags. (And whether system
libargon2 is used.)
* Use OpenSSL's own argon2 implementation rather than libargon2. This drops
libargon2 from (Build-)Depends and bumps the minimum required OpenSSL
version to 3.2.
.
cryptsetup (2:2.7.0~rc0-2) experimental; urgency=medium
.
Rebuild for experimental.
Checksums-Sha1:
6b4c2829c16da225cd49c793910e462aeb65ebf0 3545 cryptsetup_2.7.0-1.dsc
7d07ff49f2d55eecf733e76c3a372c7a0f473f7c 156528
cryptsetup_2.7.0-1.debian.tar.xz
7c77b72c3e85dc634b5ec5f8aac7b564b9a7a3c5 11789
cryptsetup_2.7.0-1_amd64.buildinfo
Checksums-Sha256:
46c72b607b401f9b97f3f990fc104712a112156b6e5c35e5250939cedb6658f1 3545
cryptsetup_2.7.0-1.dsc
8b9acd12a4698c3150a85f9df8514d9b092b20a97adf5615023fef544d4363d3 156528
cryptsetup_2.7.0-1.debian.tar.xz
36f71827eab24cc9617810f2b50d8558975ba1c4734c193ca551a6cbec231440 11789
cryptsetup_2.7.0-1_amd64.buildinfo
Files:
65f3be3bf4441cc121d626fb96f5c83c 3545 admin optional cryptsetup_2.7.0-1.dsc
a4edcce6ed1bbafdfdb5dcb91a4dcacb 156528 admin optional
cryptsetup_2.7.0-1.debian.tar.xz
700e6c350f9da4493a023f9ca01dbee4 11789 admin optional
cryptsetup_2.7.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmXcsnMACgkQ05pJnDwh
pVLQPg//UPJWoim4XHck4tTyQWK5jwsVILN4rmBLk0sC7IWkYOGcbn/a+gCnsF4g
neVBsTX6rLyLBmEYfdxvfr/oFrKtRuPE7Uftjx4jkfX98FSBVesvfadLEbyo8NQX
5mx8OK4uh+GI7NbjqH+tUfVkygC/mXzPbJ/mzIUU6oquSFNlcUQ7kGzmYE7UG829
PnyMs64hoYtTUbbYBPoU0dAJ/xOvveRZYOb/TfA1BlY9sytIYOlmZ/59hz7uiauH
SVqvm1YzZd2pvUwMGreRBvVXvnLFeJmY0sDKhbcPG4eo4X6grJePzK1KvoclY7fv
2xK2jQ9vTiPjDnPUTlr/MjqHVgJwHKIZ09sKX8ax8oA8xYHv0v29c13WT5UETf9Q
5ijBuLu5wKL5eCLYCp8xyKyW2b4foYuXm/iJCYNyV4lxMfyyjdaM3WVrCWi19h3h
qWfhT2OVIjaBbra0GJmlT7yoJARZLnPpL3EfwDy1+9Q3Q9Xj65YN79mVU2Bch+tf
NBAyZA9uGklsQaixEJPhmR0L3mm+QSV8PX44KBDXbL+hIeI+Ik768Hdq+rzAasqV
WwVVwnyWtJDyJ8kNtlfq6CVDQFTl6NxpNchqyuMUdJzzCdbDY+MQ252L7T9CpWwg
SGBlOrDbtF1Qy+Kks5L2kOV/oZas60LoAa41TiysoI2+x0R/4C0=
=7WzY
-----END PGP SIGNATURE-----
pgpzFse_du2i1.pgp
Description: PGP signature
--- End Message ---
