Package: cryptsetup-nuke-password
Version: 4+nmu1
User: helm...@debian.org
Usertags: dep17m2 dep17p3
Control: clone -1 -2
Control: reassign -2 cryptsetup
Control: block -2 by -1

Hi,

for finalizing the /usr-merge via DEP17, we want to move all aliased files to /usr. cryptsetup and cryptsetup-nuke-password are affected in multiple ways. For one thing, /lib/cryptsetup/askpass is being diverted and diversions need special attention (DEP17 P3), for another libcryptsetup12 is part of the debootstrap set and needs to be done soon.

I've done a similar conversion for molly-guard/systemd and have prepared patches for cryptsetup-nuke-password and cryptsetup. Notably:

 * These patches move all the files to /usr. (DEP17 M2)

 * Therefore, cryptsetup declares versioned Conflicts for cryptsetup-nuke-password. Please check the version that actually will be uploaded before uploading cryptsetup.

 * cryptsetup-nuke-password actually uses the original askpass, but it only declares a dependency on cryptsetup-bin, which does not contain askpass. I consider this a bug and upgrade the dependency to cryptsetup. I hope this is fine.

 * Since cryptsetup-nuke-password depends on the package it diverts (after my previous change), I upgrade the dependency to the version that is expected to apply this patch in cryptsetup. Please coordinate this version with the cryptsetup maintainer.

 * The way I have implemented this (and which reduces complexity), the moved cryptsetup will be incompatible with the aliased cryptsetup-nuke-password and the moved cryptsetup-nuke-password will be incompatible with the moved cryptsetup. Hence these uploads need to happen concurrently. Otherwise, the packages will not migrate to testing.

 * There is a corner case when performing the upgrade with dpkg. If you schedule cryptsetup-nuke-password for removal (using dpkg --set-selections) and then unpack the updated cryptsetup, askpass will be lost. After consultation with debian-de...@lists.debian.org we consider this acceptable and do not mitigate it. If you want this mitigated, cryptsetup needs to ship a copy of askpass elsewhere (e.g. a hardlink in the same directory) and have its postinst restore the lost file in case it is missing. This loss cannot be experienced when working with apt. (In the sense that we couldn't trick apt into losing it, but there is no proof that this cannot happen.)

 * Acceptance of this patch will make both packages un-backportable. These patches must not be uploaded to bookworm-backports or earlier. Removing these patches in a backport would result in a high-versioned cryptsetup containing aliased files. That would break cryptsetup-nuke-password's assumption that a high enough version of cryptsetup is moved. Therefore cryptsetup must not be backported. If you want cryptsetup backportable, a more elaborate patch on the cryptsetup-nuke-password side is needed or the backported cryptsetup must declare an unversioned conflict for cryptsetup-nuke-password.

 * Please upload these changes to experimental first. That allows running them past QA systems such as piuparts, dumat and others and also lets us double check the version constraints.

 * If you later restructure (move files to a different binary package) any binary package, please go via experimental as you may need further mitigations for /usr-merged caused file loss (DEP17 P1).

I see that this may sound scary. We'll get past this mess together. If things break, I'll keep the pieces and I've done so for molly-guard already. Let me know if you have any questions.

Helmut