Your message dated Sun, 10 Mar 2024 22:21:38 +0000
with message-id <[email protected]>
and subject line Bug#1060269: fixed in cryptsetup-nuke-password 6
has caused the Debian Bug report #1060269,
regarding /lib/cryptsetup/askpass: coordinated move to /usr for DEP17
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1060269: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060269
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cryptsetup-nuke-password
Version: 4+nmu1
User: [email protected]
Usertags: dep17m2 dep17p3
Control: clone -1 -2
Control: reassign -2 cryptsetup
Control: block -2 by -1
Hi,
for finalizing the /usr-merge via DEP17, we want to move all aliased
files to /usr. cryptsetup and cryptsetup-nuke-password are affected in
multiple ways. For one think /lib/cryptsetup/askpass is being diverted
and diversions need special attention (DEP17 P3), for another
libcryptsetup12 is part of the debootstrap set and needs to be done
soon.
I've done a similar conversion for molly-guard/systemd and have prepared
patches for cryptsetup-nuke-password and cryptsetup. Notably:
* These patches move all the files to /usr. (DEP17 M2)
* Therefore, cryptsetup declares versioned Conflicts for
cryptsetup-nuke-password. Please check the version that actually will
be uploaded before uploading cryptsetup.
* cryptsetup-nuke-password actually uses the original askpass, but it
only declares a dependency on cryptsetup-bin, which does not contain
askpass. I consider this a bug and upgrade the dependency to
cryptsetup. I hope this is fine.
* Since cryptsetup-nuke-password depends on the package it diverts
(after my previous change), I upgrade the dependency to the version
that is expected to apply this patch in cryptsetup. Please coordinate
this version with the cryptsetup maintainer.
* The way I have implemented this (and which reduces complexity), the
moved cryptsetup will be incompatible with the aliased
cryptsetup-nuke-password and the moved cryptsetup-nuke-password will
be incompatible with the moved cryptsetup. Hence these uploads need
to happen concurrently. Otherwise, the packages will not migrate to
testing.
* There is a corner case when performing the upgrade with dpkg. If you
schedule cryptsetup-nuke-password for removal (using dpkg
--set-selections) and then unpack the updated cryptsetup, askpass
will be lost. After consultation with [email protected]
we consider this acceptable and do not mitigate it. If you want this
mitigated, cryptsetup needs to ship a copy of askpass else where
(.e.g. a hardlink in the same directory) and have its postinst
restore the lost file in case it is missing. This loss cannot be
experienced when working with apt. (In the sense that we couldn't
trick apt into loosing it, but there is no proof that this cannot
happen.)
* Acceptance of this patch will make both packages un-backportatble.
These patches must not be uploaded to bookworm-backports or earlier.
Removing these patches in a backport would result in a high-versioned
cryptsetup containing aliased files. That would break
cryptsetup-nuke-password's assumption that a high enough version of
cryptsetup is moved. Therefore cryptsetup must not be backported. If
you want cryptsetup backportable, a more elaborate patch on the
cryptsetup-nuke-password side is needed or the backported cryptsetup
must declare an unversioned conflict for cryptsetup-nuke-password.
* Please upload these changes to experimental first. That allows
running them past QA systems such as piuparts, dumat and others and
also lets us double check the version constraints.
* If you later restructure (move files to a different binary package)
any binary package, please go via experimental as you may need
further mitigations for /usr-merged caused file loss (DEP17 P1).
I see that this may sound scary. We'll get past this mess together. If
things break, I'll keep the pieces and I've done so for molly-guard
already. Let me know if you have any questions.
Helmut
--- End Message ---
--- Begin Message ---
Source: cryptsetup-nuke-password
Source-Version: 6
Done: Helmut Grohne <[email protected]>
We believe that the bug you reported is fixed in the latest version of
cryptsetup-nuke-password, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Helmut Grohne <[email protected]> (supplier of updated cryptsetup-nuke-password
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 10 Mar 2024 14:11:10 +0100
Source: cryptsetup-nuke-password
Architecture: source
Version: 6
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <[email protected]>
Changed-By: Helmut Grohne <[email protected]>
Closes: 1060269
Changes:
cryptsetup-nuke-password (6) unstable; urgency=medium
.
* Team upload, acked by Raphaël.
* Upload to unstable.
.
cryptsetup-nuke-password (5) experimental; urgency=medium
.
* Team upload, acked by Raphaël.
.
[ Raphaël Hertzog ]
* Request update of initramfs when nuke password is changed with
dpkg-reconfigure.
.
[ Helmut Grohne ]
* Upgrade cryptsetup-bin dependency to cryptsetup, as that contains askpass.
* DEP17: Move files to /usr (M2) and mitigate file loss with diverions (P7).
(Closes: #1060269)
Checksums-Sha1:
3147288953dec893d384fe181766ea2285298dd3 2054 cryptsetup-nuke-password_6.dsc
9deb9eaaef1444d20efd685a08309b29187dec88 16132
cryptsetup-nuke-password_6.tar.xz
Checksums-Sha256:
c6634a5b1eaaf237434ef7668a72377464089c0060b59a89274083f58ef83d15 2054
cryptsetup-nuke-password_6.dsc
e111152a14cddc79d246ecd5d494f10be49c66b50136b30bb2315a3e3594fa19 16132
cryptsetup-nuke-password_6.tar.xz
Files:
60b489926c80ca6748e46e2cb13c396f 2054 admin optional
cryptsetup-nuke-password_6.dsc
b7e4f303cb7160c34963dd50c7d42c73 16132 admin optional
cryptsetup-nuke-password_6.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEETMLS2QqNFlTb+HOqLRqqzyREREIFAmXuI5EACgkQLRqqzyRE
REJSzw/7B673NCj6+5jaI/FGrMA1u1xo1N8hl6N+Qjh4MsHWg5bRlY0/Z1JC/SX7
dPeiL3081aQPcjjbrOzRtzZ82O5A7/e/Ozb2dZOPe49PMy6yk1Rtx/+CwX0YtaBJ
UBMyxLLrFfGiDUsKXKFWYz1JOu/zla7eXNf94iDxq40zc2soUs5Afatths8CHnNj
2LhLYXPcMQOOR4nUfFsuPUAXPHQI2WQK9q1Fkp8HI0pvEE9IeUo7k1V+hIBWFgC3
VYaoasDd279ZMpaBm2daRfB+OoBcGXB2AqPEVIDPJLW3GkbMbMOKFLncAeB2CLqj
f6bUyX/+zYpsKEn10uuLqkWoAVgkb81Kj43lIMG+CPdkyxzko3f9s/IDJXbUWrSc
mB6bigsJ7E/S4r2YEqBVAvtryUSmbWegc3vr2SYpB5nhcpayGdI3gXBPYzHnX6oq
Btm++xlXfcmBQGgFK+lq5OXZxPC/YceAjkufj+hPeZiPKejHflHpsn0A/G8CxbfC
0tSakZqaVmmtCqoNqeDsKGJWVnr6Q4pFUTEoWGhnHKk6bgjmY9XsCrgvORKoUYfn
xyjgyWJFPcYOTweJaYnJE/Tiu/HTwunLtlzfD/I2VD26qg7JijJj9gNCjPHOS0pT
l8UaS0CQzxjDIZQ1WcyDc3Tm+0rvT9nW2Utn8mRBRvy1NsrjXqc=
=2NKK
-----END PGP SIGNATURE-----
pgpvPAYgUmIM6.pgp
Description: PGP signature
--- End Message ---
