Bug#1060269: /lib/cryptsetup/askpass: coordinated move to /usr for DEP17
On Mon, Jan 08, 2024 at 05:48:52PM +0100, Helmut Grohne wrote: > What I also forgot to mention is that I applied quite some testing. You > cannot test these patches with piuparts, because they need to be > upgraded in lockstep, so I wrote a kind of mini-piuparts based on > debhelper that specifically validates all kinds of upgrades and checks > for correct diversions. Also attaching the tests. I note that the patches were still subject to a rather strange file loss scenario: dpkg --auto-deconfigure --unpack cryptsetup_new.deb dpkg --install cryptsetup-nuke-password.deb This is not something apt would do, but dpkg accepts it and the first unpack causes loss, because the declared Conflicts do not prevent dpkg from doing the concurrent unpack. In evaluating this problem more generally and moving the general discussion forward via #1060700, I had an idea to prevent the loss reliably, but the resulting diversions incur a bit more complexity and cryptsetup has be part of the mitigation. cryptsetup.preinst checks whether there is a pre-/usr-merge diversion issued by cryptsetup-nuke-password. If there is, it duplicates it to the physical location with a temporary diversion target on behalf of cryptsetup-nuke-password. cryptsetup-nuke-password.preinst can deal with cryptsetup.preinst not having run and sets up the right diversion. It also can deal with the temporary diversion and changes it to the permanent one. cryptsetup.postinst checks whether its temporary diversion is still there. This can happen if cryptsetup-nuke-password was removed. It cleans up. cryptsetup-nuke-password.postinst cleans up the aliased diversion that is no longer needed. The key to making this work is having cryptsetup mess with cryptsetup-nuke-password's diversions. That's really ugly, but only needed for this transition. I've rerun all the tests successfully and on top of that also checked that upgrading cryptsetup while removing cryptsetup-nuke-password works as well as the complex failure motivating the change: root@localhost:/# dpkg --auto-deconfigure --unpack /tmp/cryptsetup_2.6.1-6.1_amd64.deb dpkg: considering deconfiguration of cryptsetup-nuke-password, which would be broken by installation of cryptsetup ... dpkg: yes, will deconfigure cryptsetup-nuke-password (broken by cryptsetup) (Reading database ... 10381 files and directories currently installed.) Preparing to unpack .../cryptsetup_2.6.1-6.1_amd64.deb ... De-configuring cryptsetup-nuke-password (4+nmu1), to allow installation of cryptsetup (2:2.6.1-6.1) ... Mitigating diversion of /lib/cryptsetup/askpass on behalf of cryptsetup-nuke-password Adding 'diversion of /usr/lib/cryptsetup/askpass to /usr/lib/cryptsetup/askpass.usr-is-merged by cryptsetup-nuke-password' Unpacking cryptsetup (2:2.6.1-6.1) over (2:2.6.1-6+b1) ... dpkg: warning: unable to delete old directory '/lib/cryptsetup/scripts': Directory not empty dpkg: warning: unable to delete old directory '/lib/cryptsetup/checks': Directory not empty root@localhost:/# dpkg -i /tmp/cryptsetup-nuke-password_4+nmu2_amd64.deb (Reading database ... 10383 files and directories currently installed.) Preparing to unpack .../cryptsetup-nuke-password_4+nmu2_amd64.deb ... Removing 'diversion of /usr/lib/cryptsetup/askpass to /usr/lib/cryptsetup/askpass.usr-is-merged by cryptsetup-nuke-password' Adding 'diversion of /usr/lib/cryptsetup/askpass to /usr/lib/cryptsetup/askpass.cryptsetup by cryptsetup-nuke-password' Removing 'diversion of /lib/cryptsetup/askpass to /lib/cryptsetup/askpass.cryptsetup by cryptsetup-nuke-password' Adding 'diversion of /lib/cryptsetup/askpass to /lib/cryptsetup/askpass.cryptsetup.usr-is-merged by cryptsetup-nuke-password' Unpacking cryptsetup-nuke-password (4+nmu2) over (4+nmu1) ... dpkg: warning: unable to delete old directory '/lib/cryptsetup': Directory not empty dpkg: dependency problems prevent configuration of cryptsetup-nuke-password: cryptsetup-nuke-password depends on cryptsetup (>= 2:2.6.1-6.1~); however: Package cryptsetup is not configured yet. dpkg: error processing package cryptsetup-nuke-password (--install): dependency problems - leaving unconfigured Errors were encountered while processing: cryptsetup-nuke-password root@localhost:/# dpkg --configure -a Setting up cryptsetup (2:2.6.1-6.1) ... Setting up cryptsetup-nuke-password (4+nmu2) ... Removing 'diversion of /lib/cryptsetup/askpass to /lib/cryptsetup/askpass.cryptsetup.usr-is-merged by cryptsetup-nuke-password' root@localhost:/# dpkg-divert --list diversion of /usr/lib/cryptsetup/askpass to /usr/lib/cryptsetup/askpass.cryptsetup by cryptsetup-nuke-password root@localhost:/# dpkg --verify root@localhost:/# What do you think? Yes, this adds quite some complexity to both packages, but now I don't see any opportunities for file loss anymore even when upgrading the
Bug#1060269: /lib/cryptsetup/askpass: coordinated move to /usr for DEP17
On Mon, Jan 08, 2024 at 02:56:16PM +0100, Helmut Grohne wrote: > I've done a similar conversion for molly-guard/systemd and have prepared > patches for cryptsetup-nuke-password and cryptsetup. Notably: I actually forgot to attach the patches (thanks Raphael), so here go the patches. What I also forgot to mention is that I applied quite some testing. You cannot test these patches with piuparts, because they need to be upgraded in lockstep, so I wrote a kind of mini-piuparts based on debhelper that specifically validates all kinds of upgrades and checks for correct diversions. Also attaching the tests. Hope this is good to upload now. Helmut diff --minimal -Nru cryptsetup-2.6.1/debian/changelog cryptsetup-2.6.1/debian/changelog --- cryptsetup-2.6.1/debian/changelog 2023-12-05 17:48:58.0 +0100 +++ cryptsetup-2.6.1/debian/changelog 2024-01-05 18:56:40.0 +0100 @@ -1,3 +1,10 @@ +cryptsetup (2:2.6.1-6.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * DEP17: Move fles to /usr. (Closes: #-1) + + -- Helmut Grohne Fri, 05 Jan 2024 18:56:40 +0100 + cryptsetup (2:2.6.1-6) unstable; urgency=medium [ Kevin Locke ] diff --minimal -Nru cryptsetup-2.6.1/debian/control cryptsetup-2.6.1/debian/control --- cryptsetup-2.6.1/debian/control 2023-12-05 17:48:58.0 +0100 +++ cryptsetup-2.6.1/debian/control 2024-01-05 18:56:40.0 +0100 @@ -63,6 +63,7 @@ Architecture: linux-any Multi-Arch: foreign Depends: ${misc:Depends}, ${shlibs:Depends} +Conflicts: cryptsetup-nuke-password (<< 4+nmu2~) Description: disk encryption support - command line tools Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup-bin.install cryptsetup-2.6.1/debian/cryptsetup-bin.install --- cryptsetup-2.6.1/debian/cryptsetup-bin.install 2023-12-05 17:48:58.0 +0100 +++ cryptsetup-2.6.1/debian/cryptsetup-bin.install 2024-01-05 18:56:40.0 +0100 @@ -1,5 +1,5 @@ -sbin/cryptsetup -sbin/integritysetup -sbin/veritysetup +usr/sbin/cryptsetup +usr/sbin/integritysetup +usr/sbin/veritysetup usr/lib/tmpfiles.d/cryptsetup.conf usr/share/locale/*/*/* diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup-ssh.install cryptsetup-2.6.1/debian/cryptsetup-ssh.install --- cryptsetup-2.6.1/debian/cryptsetup-ssh.install 2023-12-05 17:48:58.0 +0100 +++ cryptsetup-2.6.1/debian/cryptsetup-ssh.install 2024-01-05 18:56:40.0 +0100 @@ -1,2 +1,2 @@ -lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.so -sbin/cryptsetup-ssh +usr/lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.so +usr/sbin/cryptsetup-ssh diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup-suspend.install cryptsetup-2.6.1/debian/cryptsetup-suspend.install --- cryptsetup-2.6.1/debian/cryptsetup-suspend.install 2023-12-05 17:48:58.0 +0100 +++ cryptsetup-2.6.1/debian/cryptsetup-suspend.install 2024-01-05 18:56:40.0 +0100 @@ -1,5 +1,5 @@ -debian/scripts/suspend/cryptsetup-suspend /lib/cryptsetup/scripts/suspend/ -debian/scripts/suspend/cryptsetup-suspend-wrapper /lib/cryptsetup/scripts/suspend/ -debian/scripts/suspend/cryptsetup-suspend.shutdown /lib/systemd/system-shutdown/ +debian/scripts/suspend/cryptsetup-suspend /usr/lib/cryptsetup/scripts/suspend/ +debian/scripts/suspend/cryptsetup-suspend-wrapper /usr/lib/cryptsetup/scripts/suspend/ +debian/scripts/suspend/cryptsetup-suspend.shutdown /usr/lib/systemd/system-shutdown/ debian/scripts/suspend/suspend.conf /etc/cryptsetup/ -debian/scripts/suspend/systemd/cryptsetup-suspend.conf /lib/systemd/system/systemd-suspend.service.d/ +debian/scripts/suspend/systemd/cryptsetup-suspend.conf /usr/lib/systemd/system/systemd-suspend.service.d/ diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup-udeb.install cryptsetup-2.6.1/debian/cryptsetup-udeb.install --- cryptsetup-2.6.1/debian/cryptsetup-udeb.install 2023-12-05 17:48:58.0 +0100 +++ cryptsetup-2.6.1/debian/cryptsetup-udeb.install 2024-01-05 18:56:40.0 +0100 @@ -1,7 +1,7 @@ -debian/askpass /lib/cryptsetup/ -debian/checks/* /lib/cryptsetup/checks/ -debian/cryptdisks-functions /lib/cryptsetup/ -debian/functions/lib/cryptsetup/ -debian/scripts/decrypt_*/lib/cryptsetup/scripts/ -debian/scripts/passdev /lib/cryptsetup/scripts/ -sbin/cryptsetup +debian/askpass /usr/lib/cryptsetup/ +debian/checks/* /usr/lib/cryptsetup/checks/ +debian/cryptdisks-functions /usr/lib/cryptsetup/ +debian/functions/usr/lib/cryptsetup/ +debian/scripts/decrypt_*/usr/lib/cryptsetup/scripts/ +debian/scripts/passdev /usr/lib/cryptsetup/scripts/ +usr/sbin/cryptsetup diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup.install cryptsetup-2.6.1/debian/cryptsetup.install --- cryptsetup-2.6.1/debian/cryptsetup.install 2023-12-05
Bug#1060269: /lib/cryptsetup/askpass: coordinated move to /usr for DEP17
Package: cryptsetup-nuke-password Version: 4+nmu1 User: helm...@debian.org Usertags: dep17m2 dep17p3 Control: clone -1 -2 Control: reassign -2 cryptsetup Control: block -2 by -1 Hi, for finalizing the /usr-merge via DEP17, we want to move all aliased files to /usr. cryptsetup and cryptsetup-nuke-password are affected in multiple ways. For one think /lib/cryptsetup/askpass is being diverted and diversions need special attention (DEP17 P3), for another libcryptsetup12 is part of the debootstrap set and needs to be done soon. I've done a similar conversion for molly-guard/systemd and have prepared patches for cryptsetup-nuke-password and cryptsetup. Notably: * These patches move all the files to /usr. (DEP17 M2) * Therefore, cryptsetup declares versioned Conflicts for cryptsetup-nuke-password. Please check the version that actually will be uploaded before uploading cryptsetup. * cryptsetup-nuke-password actually uses the original askpass, but it only declares a dependency on cryptsetup-bin, which does not contain askpass. I consider this a bug and upgrade the dependency to cryptsetup. I hope this is fine. * Since cryptsetup-nuke-password depends on the package it diverts (after my previous change), I upgrade the dependency to the version that is expected to apply this patch in cryptsetup. Please coordinate this version with the cryptsetup maintainer. * The way I have implemented this (and which reduces complexity), the moved cryptsetup will be incompatible with the aliased cryptsetup-nuke-password and the moved cryptsetup-nuke-password will be incompatible with the moved cryptsetup. Hence these uploads need to happen concurrently. Otherwise, the packages will not migrate to testing. * There is a corner case when performing the upgrade with dpkg. If you schedule cryptsetup-nuke-password for removal (using dpkg --set-selections) and then unpack the updated cryptsetup, askpass will be lost. After consultation with debian-de...@lists.debian.org we consider this acceptable and do not mitigate it. If you want this mitigated, cryptsetup needs to ship a copy of askpass else where (.e.g. a hardlink in the same directory) and have its postinst restore the lost file in case it is missing. This loss cannot be experienced when working with apt. (In the sense that we couldn't trick apt into loosing it, but there is no proof that this cannot happen.) * Acceptance of this patch will make both packages un-backportatble. These patches must not be uploaded to bookworm-backports or earlier. Removing these patches in a backport would result in a high-versioned cryptsetup containing aliased files. That would break cryptsetup-nuke-password's assumption that a high enough version of cryptsetup is moved. Therefore cryptsetup must not be backported. If you want cryptsetup backportable, a more elaborate patch on the cryptsetup-nuke-password side is needed or the backported cryptsetup must declare an unversioned conflict for cryptsetup-nuke-password. * Please upload these changes to experimental first. That allows running them past QA systems such as piuparts, dumat and others and also lets us double check the version constraints. * If you later restructure (move files to a different binary package) any binary package, please go via experimental as you may need further mitigations for /usr-merged caused file loss (DEP17 P1). I see that this may sound scary. We'll get past this mess together. If things break, I'll keep the pieces and I've done so for molly-guard already. Let me know if you have any questions. Helmut