Your message dated Mon, 04 Mar 2024 19:49:05 +0000
with message-id <[email protected]>
and subject line Bug#1060269: fixed in cryptsetup-nuke-password 5
has caused the Debian Bug report #1060269,
regarding /lib/cryptsetup/askpass: coordinated move to /usr for DEP17
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1060269: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060269
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cryptsetup-nuke-password
Version: 4+nmu1
User: [email protected]
Usertags: dep17m2 dep17p3
Control: clone -1 -2
Control: reassign -2 cryptsetup
Control: block -2 by -1
Hi,
for finalizing the /usr-merge via DEP17, we want to move all aliased
files to /usr. cryptsetup and cryptsetup-nuke-password are affected in
multiple ways. For one think /lib/cryptsetup/askpass is being diverted
and diversions need special attention (DEP17 P3), for another
libcryptsetup12 is part of the debootstrap set and needs to be done
soon.
I've done a similar conversion for molly-guard/systemd and have prepared
patches for cryptsetup-nuke-password and cryptsetup. Notably:
* These patches move all the files to /usr. (DEP17 M2)
* Therefore, cryptsetup declares versioned Conflicts for
cryptsetup-nuke-password. Please check the version that actually will
be uploaded before uploading cryptsetup.
* cryptsetup-nuke-password actually uses the original askpass, but it
only declares a dependency on cryptsetup-bin, which does not contain
askpass. I consider this a bug and upgrade the dependency to
cryptsetup. I hope this is fine.
* Since cryptsetup-nuke-password depends on the package it diverts
(after my previous change), I upgrade the dependency to the version
that is expected to apply this patch in cryptsetup. Please coordinate
this version with the cryptsetup maintainer.
* The way I have implemented this (and which reduces complexity), the
moved cryptsetup will be incompatible with the aliased
cryptsetup-nuke-password and the moved cryptsetup-nuke-password will
be incompatible with the moved cryptsetup. Hence these uploads need
to happen concurrently. Otherwise, the packages will not migrate to
testing.
* There is a corner case when performing the upgrade with dpkg. If you
schedule cryptsetup-nuke-password for removal (using dpkg
--set-selections) and then unpack the updated cryptsetup, askpass
will be lost. After consultation with [email protected]
we consider this acceptable and do not mitigate it. If you want this
mitigated, cryptsetup needs to ship a copy of askpass else where
(.e.g. a hardlink in the same directory) and have its postinst
restore the lost file in case it is missing. This loss cannot be
experienced when working with apt. (In the sense that we couldn't
trick apt into loosing it, but there is no proof that this cannot
happen.)
* Acceptance of this patch will make both packages un-backportatble.
These patches must not be uploaded to bookworm-backports or earlier.
Removing these patches in a backport would result in a high-versioned
cryptsetup containing aliased files. That would break
cryptsetup-nuke-password's assumption that a high enough version of
cryptsetup is moved. Therefore cryptsetup must not be backported. If
you want cryptsetup backportable, a more elaborate patch on the
cryptsetup-nuke-password side is needed or the backported cryptsetup
must declare an unversioned conflict for cryptsetup-nuke-password.
* Please upload these changes to experimental first. That allows
running them past QA systems such as piuparts, dumat and others and
also lets us double check the version constraints.
* If you later restructure (move files to a different binary package)
any binary package, please go via experimental as you may need
further mitigations for /usr-merged caused file loss (DEP17 P1).
I see that this may sound scary. We'll get past this mess together. If
things break, I'll keep the pieces and I've done so for molly-guard
already. Let me know if you have any questions.
Helmut
--- End Message ---
--- Begin Message ---
Source: cryptsetup-nuke-password
Source-Version: 5
Done: Helmut Grohne <[email protected]>
We believe that the bug you reported is fixed in the latest version of
cryptsetup-nuke-password, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Helmut Grohne <[email protected]> (supplier of updated cryptsetup-nuke-password
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 05 Jan 2024 18:53:10 +0100
Source: cryptsetup-nuke-password
Architecture: source
Version: 5
Distribution: experimental
Urgency: medium
Maintainer: Debian Security Tools <[email protected]>
Changed-By: Helmut Grohne <[email protected]>
Closes: 1060269
Changes:
cryptsetup-nuke-password (5) experimental; urgency=medium
.
* Team upload, acked by Raphaël.
.
[ Raphaël Hertzog ]
* Request update of initramfs when nuke password is changed with
dpkg-reconfigure.
.
[ Helmut Grohne ]
* Upgrade cryptsetup-bin dependency to cryptsetup, as that contains askpass.
* DEP17: Move files to /usr (M2) and mitigate file loss with diverions (P7).
(Closes: #1060269)
Checksums-Sha1:
22b7c4bc4032b2b8b0951fe066a3b4a52bff5f03 2054 cryptsetup-nuke-password_5.dsc
279b8740e8fab3d80f9182514a5289bd8452c493 16096
cryptsetup-nuke-password_5.tar.xz
Checksums-Sha256:
543bdcd00e44c1d8097cb3437b5194f38ca1a67882da517094a2db7686b6e4dc 2054
cryptsetup-nuke-password_5.dsc
a42365e068ffef490633cae4742f158038d158b31bd1d3bc70bdbdbff9090917 16096
cryptsetup-nuke-password_5.tar.xz
Files:
b3736a2a3a92a46be7b96e80663b03ac 2054 admin optional
cryptsetup-nuke-password_5.dsc
6640d8684762b88462a699cf09e84ca6 16096 admin optional
cryptsetup-nuke-password_5.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEETMLS2QqNFlTb+HOqLRqqzyREREIFAmXmIZ8ACgkQLRqqzyRE
REL2OA/9EgOLDam4zG4c8ScyVVmgiZBYpqrL3b/TTHGwQrldMbFEADMznXQfbKQO
vfqGI+x4Y+dCo7ey9am3b7nioyut6iwCadVnPNS4S4RhUp0yarlzTiM3nm54vxSH
TxyZ6nc6QdQzqcKhG7E6pf7KFy8Av2G0kL9ABj/fkpdf+mrnO32KaHDan6LtAmoi
KFYdCMthWdDbGHV+WnzTfHN10Yftag47TfjZBtP2SWEW5i0InYPIeqK+nAvyPbIa
bmWBPuJiq2sqC2wZtnCeAiAt2/xPkSimmpo3iOlyvljqkWx4MVmu7tnTxuL+r6NC
xR2tNo+jOkuP1qbB505V4/9hALYD62gqh0ke9YXWQn9AMHC0kiORT0b3t7W0F845
lCyXgRNrVRul/35ZGpv8oPab3hMDpOerqg51loGVwI0BVXYMsU88NpAwCQV/nd6v
87eOHcSlQocV7n+2seco5A/nNAqa6gxHMmh1JP2hsI5+Ia5CNlzaZQ05JgEZU+G2
pJAI9osehbrnShv0Bh8j99TNFfe2zzxT8CSj8gC2Iw87QG1i27/vVLbKTmQyUi6C
Vj9tgm4meXXjr8tdO22Y5DjUNMnIk0YHxiQpv6RZktUkg+ZF6D6kiVcDeN5Sb0bi
wGVnhsWQKP7CRSkkzhGwpyiNL4fuhpTEGdtaFmsPmNmRbgdpTaM=
=znrQ
-----END PGP SIGNATURE-----
pgpWrl4VgZiyi.pgp
Description: PGP signature
--- End Message ---
