Control: retitle -1 integritysetup: HMAC(SHA256) key truncated to 106/114bytes in standalone mode Control: severity -1 important
On Thu, 13 May 2021 at 17:46:26 +0200, Guilhem Moulin wrote: > Fortunately there are no Debian releases with integritysetup ≤2.0.4 so > as far as Debian is concerned the impact is limited. After some discussion on the upstream bug tracker: the fact that the user-supplied key is truncated in the first place is an issue. But fixing that, like changing the truncation length in 2.0.5, yields incompatibilities. I'm not sure what's the best course of action for Bullseye. Fixing the truncation altogether isn't ideal given we're so late in the release cycle. The safest might be to keep the 114-bytes truncation for Bullseye, but warn the user of upcoming compatibility issues when --integrity-key-size exceeds 114 bytes (and suggest to use `--integrity-key-size 114`). Any other opinion? -- Guilhem.
signature.asc
Description: PGP signature

