Bug#1060269: /lib/cryptsetup/askpass: coordinated move to /usr for DEP17

2024-01-17 Thread Helmut Grohne
On Mon, Jan 08, 2024 at 05:48:52PM +0100, Helmut Grohne wrote:
> What I also forgot to mention is that I applied quite some testing. You
> cannot test these patches with piuparts, because they need to be
> upgraded in lockstep, so I wrote a kind of mini-piuparts based on
> debhelper that specifically validates all kinds of upgrades and checks
> for correct diversions. Also attaching the tests.

I note that the patches were still subject to a rather strange file loss
scenario:

dpkg --auto-deconfigure --unpack cryptsetup_new.deb
dpkg --install cryptsetup-nuke-password.deb

This is not something apt would do, but dpkg accepts it and the first
unpack causes loss, because the declared Conflicts do not prevent dpkg
from doing the concurrent unpack.

In evaluating this problem more generally and moving the general
discussion forward via #1060700, I had an idea to prevent the loss
reliably, but the resulting diversions incur a bit more complexity and
cryptsetup has to be part of the mitigation.

cryptsetup.preinst checks whether there is a pre-/usr-merge diversion
issued by cryptsetup-nuke-password. If there is, it duplicates it to the
physical location with a temporary diversion target on behalf of
cryptsetup-nuke-password.

cryptsetup-nuke-password.preinst can deal with cryptsetup.preinst not
having run and sets up the right diversion. It also can deal with the
temporary diversion and changes it to the permanent one.

cryptsetup.postinst checks whether its temporary diversion is still
there. This can happen if cryptsetup-nuke-password was removed. It
cleans up.

cryptsetup-nuke-password.postinst cleans up the aliased diversion that
is no longer needed.

The key to making this work is having cryptsetup mess with
cryptsetup-nuke-password's diversions. That's really ugly, but only
needed for this transition.

I've rerun all the tests successfully and on top of that also checked
that upgrading cryptsetup while removing cryptsetup-nuke-password works
as well as the complex failure motivating the change:

root@localhost:/# dpkg --auto-deconfigure --unpack /tmp/cryptsetup_2.6.1-6.1_amd64.deb
dpkg: considering deconfiguration of cryptsetup-nuke-password, which would be broken by installation of cryptsetup ...
dpkg: yes, will deconfigure cryptsetup-nuke-password (broken by cryptsetup)
(Reading database ... 10381 files and directories currently installed.)
Preparing to unpack .../cryptsetup_2.6.1-6.1_amd64.deb ...
De-configuring cryptsetup-nuke-password (4+nmu1), to allow installation of cryptsetup (2:2.6.1-6.1) ...
Mitigating diversion of /lib/cryptsetup/askpass on behalf of cryptsetup-nuke-password
Adding 'diversion of /usr/lib/cryptsetup/askpass to /usr/lib/cryptsetup/askpass.usr-is-merged by cryptsetup-nuke-password'
Unpacking cryptsetup (2:2.6.1-6.1) over (2:2.6.1-6+b1) ...
dpkg: warning: unable to delete old directory '/lib/cryptsetup/scripts': Directory not empty
dpkg: warning: unable to delete old directory '/lib/cryptsetup/checks': Directory not empty
root@localhost:/# dpkg -i /tmp/cryptsetup-nuke-password_4+nmu2_amd64.deb
(Reading database ... 10383 files and directories currently installed.)
Preparing to unpack .../cryptsetup-nuke-password_4+nmu2_amd64.deb ...
Removing 'diversion of /usr/lib/cryptsetup/askpass to /usr/lib/cryptsetup/askpass.usr-is-merged by cryptsetup-nuke-password'
Adding 'diversion of /usr/lib/cryptsetup/askpass to /usr/lib/cryptsetup/askpass.cryptsetup by cryptsetup-nuke-password'
Removing 'diversion of /lib/cryptsetup/askpass to /lib/cryptsetup/askpass.cryptsetup by cryptsetup-nuke-password'
Adding 'diversion of /lib/cryptsetup/askpass to /lib/cryptsetup/askpass.cryptsetup.usr-is-merged by cryptsetup-nuke-password'
Unpacking cryptsetup-nuke-password (4+nmu2) over (4+nmu1) ...
dpkg: warning: unable to delete old directory '/lib/cryptsetup': Directory not empty
dpkg: dependency problems prevent configuration of cryptsetup-nuke-password:
 cryptsetup-nuke-password depends on cryptsetup (>= 2:2.6.1-6.1~); however:
  Package cryptsetup is not configured yet.

dpkg: error processing package cryptsetup-nuke-password (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 cryptsetup-nuke-password
root@localhost:/# dpkg --configure -a
Setting up cryptsetup (2:2.6.1-6.1) ...
Setting up cryptsetup-nuke-password (4+nmu2) ...
Removing 'diversion of /lib/cryptsetup/askpass to /lib/cryptsetup/askpass.cryptsetup.usr-is-merged by cryptsetup-nuke-password'
root@localhost:/# dpkg-divert --list
diversion of /usr/lib/cryptsetup/askpass to /usr/lib/cryptsetup/askpass.cryptsetup by cryptsetup-nuke-password
root@localhost:/# dpkg --verify
root@localhost:/#

What do you think? Yes, this adds quite some complexity to both
packages, but now I don't see any opportunities for file loss anymore
even when upgrading the 
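
A diversion audit in the spirit of the "checks for correct diversions" step mentioned in this thread, as an added example that is not part of the original mail or of the attached tests. It classifies `dpkg-divert --list` output, treating the `.usr-is-merged` suffix seen in the session above as the marker of a temporary diversion; the function names and the two sample states (rebuilt from the Adding/Removing lines of that session) are constructed for illustration.

```shell
# Added example (not from the thread); assumes paths contain no " to " / " by ".

# Print "STATUS<TAB>path<TAB>owner" for every diversion read from stdin.
#   TEMPORARY  divert target still ends in .usr-is-merged (transition leftover)
#   ALIASED    diverted path is in an aliased top-level directory, not /usr
#   OK         anything else
classify_diversions() {
    while IFS= read -r line; do
        case $line in
            "local diversion of "*)
                rest=${line#"local diversion of "}; owner=local ;;
            "diversion of "*)
                rest=${line#"diversion of "}
                owner=${rest##*" by "}; rest=${rest%" by "*} ;;
            *) continue ;;
        esac
        path=${rest%%" to "*}; target=${rest#*" to "}
        case $target in
            *.usr-is-merged) status=TEMPORARY ;;
            *) case $path in
                   /bin/*|/sbin/*|/lib/*|/lib32/*|/lib64/*|/libo32/*|/libx32/*) status=ALIASED ;;
                   *) status=OK ;;
               esac ;;
        esac
        printf '%s\t%s\t%s\n' "$status" "$path" "$owner"
    done
}

# Return 0 if every diversion is OK; otherwise print the findings, return 1.
audit_diversions() {
    findings=$(classify_diversions | grep -v '^OK') || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed samples, rebuilt from the Adding/Removing lines in the session.
sample_after_first_unpack() {
    cat <<'EOF'
diversion of /lib/cryptsetup/askpass to /lib/cryptsetup/askpass.cryptsetup by cryptsetup-nuke-password
diversion of /usr/lib/cryptsetup/askpass to /usr/lib/cryptsetup/askpass.usr-is-merged by cryptsetup-nuke-password
EOF
}
sample_final() {
    cat <<'EOF'
diversion of /usr/lib/cryptsetup/askpass to /usr/lib/cryptsetup/askpass.cryptsetup by cryptsetup-nuke-password
EOF
}
sample_after_first_unpack | audit_diversions || echo "transition still in progress"
sample_final | audit_diversions && echo "diversions clean"
```

On a live system, `dpkg-divert --list | audit_diversions` after `dpkg --configure -a` gives the same verdict for the installed state.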

Bug#1060269: /lib/cryptsetup/askpass: coordinated move to /usr for DEP17

2024-01-08 Thread Helmut Grohne
On Mon, Jan 08, 2024 at 02:56:16PM +0100, Helmut Grohne wrote:
> I've done a similar conversion for molly-guard/systemd and have prepared
> patches for cryptsetup-nuke-password and cryptsetup. Notably:

I actually forgot to attach the patches (thanks Raphael), so here go the
patches.

What I also forgot to mention is that I applied quite some testing. You
cannot test these patches with piuparts, because they need to be
upgraded in lockstep, so I wrote a kind of mini-piuparts based on
debhelper that specifically validates all kinds of upgrades and checks
for correct diversions. Also attaching the tests.

Hope this is good to upload now.

Helmut
diff --minimal -Nru cryptsetup-2.6.1/debian/changelog 
cryptsetup-2.6.1/debian/changelog
--- cryptsetup-2.6.1/debian/changelog   2023-12-05 17:48:58.0 +0100
+++ cryptsetup-2.6.1/debian/changelog   2024-01-05 18:56:40.0 +0100
@@ -1,3 +1,10 @@
+cryptsetup (2:2.6.1-6.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * DEP17: Move fles to /usr. (Closes: #-1)
+
+ -- Helmut Grohne   Fri, 05 Jan 2024 18:56:40 +0100
+
 cryptsetup (2:2.6.1-6) unstable; urgency=medium
 
   [ Kevin Locke ]
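
Review bot: the new changelog entry is not ready to upload as written. "Move fles to /usr" has a typo (files), "(Closes: #-1)" is not a bug number and needs the real one filled in, and the distribution is still UNRELEASED. Since the cover mail asks for experimental first, I would set the target to experimental when finalizing the entry.
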
diff --minimal -Nru cryptsetup-2.6.1/debian/control 
cryptsetup-2.6.1/debian/control
--- cryptsetup-2.6.1/debian/control 2023-12-05 17:48:58.0 +0100
+++ cryptsetup-2.6.1/debian/control 2024-01-05 18:56:40.0 +0100
@@ -63,6 +63,7 @@
 Architecture: linux-any
 Multi-Arch: foreign
 Depends: ${misc:Depends}, ${shlibs:Depends}
+Conflicts: cryptsetup-nuke-password (<< 4+nmu2~)
 Description: disk encryption support - command line tools
  Cryptsetup provides an interface for configuring encryption on block
  devices (such as /home or swap partitions), using the Linux kernel
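
Review bot: the added "Conflicts: cryptsetup-nuke-password (<< 4+nmu2~)" lands in a stanza whose visible Description is "disk encryption support - command line tools", and the Package: line is outside the hunk context. The cover mail says the command line tools package (cryptsetup-bin) does not contain askpass, so please confirm the Conflicts is in the stanza of the binary package that actually ships the diverted file. The version 4+nmu2~ also has to match whatever cryptsetup-nuke-password version is really uploaded, and the relation deserves a one-line comment or changelog mention saying it exists only for the askpass diversion transition so it can be dropped later.
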
diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup-bin.install 
cryptsetup-2.6.1/debian/cryptsetup-bin.install
--- cryptsetup-2.6.1/debian/cryptsetup-bin.install  2023-12-05 
17:48:58.0 +0100
+++ cryptsetup-2.6.1/debian/cryptsetup-bin.install  2024-01-05 
18:56:40.0 +0100
@@ -1,5 +1,5 @@
-sbin/cryptsetup
-sbin/integritysetup
-sbin/veritysetup
+usr/sbin/cryptsetup
+usr/sbin/integritysetup
+usr/sbin/veritysetup
 usr/lib/tmpfiles.d/cryptsetup.conf
 usr/share/locale/*/*/*
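
Review bot: the three changed entries are single-argument dh_install lines, so "usr/sbin/cryptsetup" is also the path the file must have in the build's install tree, not just the destination in the package. Nothing in the visible part of the patch changes where the upstream build installs these binaries, so dh_install would fail to find them unless a matching change (for example to the sbindir passed at configure time in debian/rules) is part of the truncated remainder. Please confirm that change is present.
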
diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup-ssh.install 
cryptsetup-2.6.1/debian/cryptsetup-ssh.install
--- cryptsetup-2.6.1/debian/cryptsetup-ssh.install  2023-12-05 
17:48:58.0 +0100
+++ cryptsetup-2.6.1/debian/cryptsetup-ssh.install  2024-01-05 
18:56:40.0 +0100
@@ -1,2 +1,2 @@
-lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.so
-sbin/cryptsetup-ssh
+usr/lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.so
+usr/sbin/cryptsetup-ssh
diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup-suspend.install 
cryptsetup-2.6.1/debian/cryptsetup-suspend.install
--- cryptsetup-2.6.1/debian/cryptsetup-suspend.install  2023-12-05 
17:48:58.0 +0100
+++ cryptsetup-2.6.1/debian/cryptsetup-suspend.install  2024-01-05 
18:56:40.0 +0100
@@ -1,5 +1,5 @@
-debian/scripts/suspend/cryptsetup-suspend /lib/cryptsetup/scripts/suspend/
-debian/scripts/suspend/cryptsetup-suspend-wrapper 
/lib/cryptsetup/scripts/suspend/
-debian/scripts/suspend/cryptsetup-suspend.shutdown 
/lib/systemd/system-shutdown/
+debian/scripts/suspend/cryptsetup-suspend /usr/lib/cryptsetup/scripts/suspend/
+debian/scripts/suspend/cryptsetup-suspend-wrapper 
/usr/lib/cryptsetup/scripts/suspend/
+debian/scripts/suspend/cryptsetup-suspend.shutdown 
/usr/lib/systemd/system-shutdown/
 debian/scripts/suspend/suspend.conf /etc/cryptsetup/
-debian/scripts/suspend/systemd/cryptsetup-suspend.conf 
/lib/systemd/system/systemd-suspend.service.d/
+debian/scripts/suspend/systemd/cryptsetup-suspend.conf 
/usr/lib/systemd/system/systemd-suspend.service.d/
diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup-udeb.install 
cryptsetup-2.6.1/debian/cryptsetup-udeb.install
--- cryptsetup-2.6.1/debian/cryptsetup-udeb.install 2023-12-05 
17:48:58.0 +0100
+++ cryptsetup-2.6.1/debian/cryptsetup-udeb.install 2024-01-05 
18:56:40.0 +0100
@@ -1,7 +1,7 @@
-debian/askpass  /lib/cryptsetup/
-debian/checks/* /lib/cryptsetup/checks/
-debian/cryptdisks-functions /lib/cryptsetup/
-debian/functions/lib/cryptsetup/
-debian/scripts/decrypt_*/lib/cryptsetup/scripts/
-debian/scripts/passdev  /lib/cryptsetup/scripts/
-sbin/cryptsetup
+debian/askpass  /usr/lib/cryptsetup/
+debian/checks/* /usr/lib/cryptsetup/checks/
+debian/cryptdisks-functions /usr/lib/cryptsetup/
+debian/functions/usr/lib/cryptsetup/
+debian/scripts/decrypt_*/usr/lib/cryptsetup/scripts/
+debian/scripts/passdev  /usr/lib/cryptsetup/scripts/
+usr/sbin/cryptsetup
diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup.install 
cryptsetup-2.6.1/debian/cryptsetup.install
--- cryptsetup-2.6.1/debian/cryptsetup.install  2023-12-05 

Bug#1060269: /lib/cryptsetup/askpass: coordinated move to /usr for DEP17

2024-01-08 Thread Helmut Grohne
Package: cryptsetup-nuke-password
Version: 4+nmu1
User: helm...@debian.org
Usertags: dep17m2 dep17p3
Control: clone -1 -2
Control: reassign -2 cryptsetup
Control: block -2 by -1

Hi,

for finalizing the /usr-merge via DEP17, we want to move all aliased
files to /usr. cryptsetup and cryptsetup-nuke-password are affected in
multiple ways. For one thing, /lib/cryptsetup/askpass is being diverted
and diversions need special attention (DEP17 P3), for another
libcryptsetup12 is part of the debootstrap set and needs to be done
soon.

I've done a similar conversion for molly-guard/systemd and have prepared
patches for cryptsetup-nuke-password and cryptsetup. Notably:
 * These patches move all the files to /usr. (DEP17 M2)
 * Therefore, cryptsetup declares versioned Conflicts for
   cryptsetup-nuke-password. Please check the version that actually will
   be uploaded before uploading cryptsetup.
 * cryptsetup-nuke-password actually uses the original askpass, but it
   only declares a dependency on cryptsetup-bin, which does not contain
   askpass. I consider this a bug and upgrade the dependency to
   cryptsetup. I hope this is fine.
 * Since cryptsetup-nuke-password depends on the package it diverts
   (after my previous change), I upgrade the dependency to the version
   that is expected to apply this patch in cryptsetup. Please coordinate
   this version with the cryptsetup maintainer.
 * The way I have implemented this (and which reduces complexity), the
   moved cryptsetup will be incompatible with the aliased
   cryptsetup-nuke-password and the moved cryptsetup-nuke-password will
   be incompatible with the moved cryptsetup. Hence these uploads need
   to happen concurrently. Otherwise, the packages will not migrate to
   testing.
 * There is a corner case when performing the upgrade with dpkg. If you
   schedule cryptsetup-nuke-password for removal (using dpkg
   --set-selections) and then unpack the updated cryptsetup, askpass
   will be lost. After consultation with debian-de...@lists.debian.org
   we consider this acceptable and do not mitigate it. If you want this
   mitigated, cryptsetup needs to ship a copy of askpass elsewhere
   (e.g. a hardlink in the same directory) and have its postinst
   restore the lost file in case it is missing. This loss cannot be
   experienced when working with apt. (In the sense that we couldn't
   trick apt into losing it, but there is no proof that this cannot
   happen.)
 * Acceptance of this patch will make both packages un-backportable.
   These patches must not be uploaded to bookworm-backports or earlier.
   Removing these patches in a backport would result in a high-versioned
   cryptsetup containing aliased files. That would break
   cryptsetup-nuke-password's assumption that a high enough version of
   cryptsetup is moved. Therefore cryptsetup must not be backported. If
   you want cryptsetup backportable, a more elaborate patch on the
   cryptsetup-nuke-password side is needed or the backported cryptsetup
   must declare an unversioned conflict for cryptsetup-nuke-password.
 * Please upload these changes to experimental first. That allows
   running them past QA systems such as piuparts, dumat and others and
   also lets us double check the version constraints.
 * If you later restructure (move files to a different binary package)
   any binary package, please go via experimental as you may need
   further mitigations for /usr-merged caused file loss (DEP17 P1).

I see that this may sound scary. We'll get past this mess together. If
things break, I'll keep the pieces and I've done so for molly-guard
already. Let me know if you have any questions.

Helmut