Re: [arch-projects] [initscripts] next release

2011-11-05 Thread Tom Gundersen
Hi Heiko,

On Sun, Nov 6, 2011 at 8:18 AM, Heiko Baums wrote:
>> Yeah, I think I'll add a warning when a passphrase is used. Having
>> looked through it, that should take care of most of my gripes.
>
> Having passphrases in an unencrypted text file on the harddisk
> like /etc/crypttab is certainly not the best method. But only offering
> key files is insufficient. The currently existing methods of
> storing and entering passphrases or key files must be kept.

Backwards compatibility will be kept. The suggestion was to add a
warning if the passphrase is stored inline in /etc/crypttab rather
than in a separate file.

> That implies entering passphrases with the keyboard, storing/reading key
> files on/from USB sticks and storing/reading keys raw on/from USB sticks
> with dd must still be possible for every LUKS container.

I agree.

> And what's currently missing in /etc/rc.sysinit is a fallback to asking
> for a passphrase if a key can't be read, e.g. because it has been
> forgotten to plug in the USB stick. This should be added, too, as it
> is done in the encrypt hook.

That would be very useful.

> I admit I have forgotten to implement it when I've written the
> rc.sysinit patches for reading the keys from the USB stick. I found it
> out only recently, and would have written a patch for it in the coming
> days if you wouldn't want to completely rewrite this cryptsetup system.

I will probably keep most of the code (I really don't want to touch
this stuff), but might have to reorganize a bit (e.g. separate out the
swap stuff).

> Tell me, if I shall write this patch anyway.

The patches would definitely be appreciated, but it would probably
make the most sense to wait for the restructuring to hit master so we
avoid too many merge conflicts.

Cheers,

Tom


Re: [arch-projects] [initscripts] next release

2011-11-05 Thread Heiko Baums
On Sun, 6 Nov 2011 07:36:30 +0800
Tom Gundersen wrote:

> On Sat, Nov 5, 2011 at 5:29 PM, Thomas Bächler 
> wrote:
> > On 05.11.2011 10:05, Tom Gundersen wrote:
> >
> >> My issue is with allowing passwords to be written "inline", as
> >> well as the fact that we interpret the file as bash rather than
> >> plaintext.
> >
> > When automatically opening volumes, you are not supposed to use
> > passphrases, but keyfiles.
> 
> Yeah, I think I'll add a warning when a passphrase is used. Having
> looked through it, that should take care of most of my gripes.

Having passphrases in an unencrypted text file on the harddisk
like /etc/crypttab is certainly not the best method. But only offering
key files is insufficient. The currently existing methods of
storing and entering passphrases or key files must be kept.

That implies entering passphrases with the keyboard, storing/reading key
files on/from USB sticks and storing/reading keys raw on/from USB sticks
with dd must still be possible for every LUKS container.

And what's currently missing in /etc/rc.sysinit is a fallback to asking
for a passphrase if a key can't be read, e.g. because it has been
forgotten to plug in the USB stick. This should be added, too, as it
is done in the encrypt hook.

I admit I have forgotten to implement it when I've written the
rc.sysinit patches for reading the keys from the USB stick. I found it
out only recently, and would have written a patch for it in the coming
days if you wouldn't want to completely rewrite this cryptsetup system.

Tell me, if I shall write this patch anyway.

Heiko


Re: [arch-projects] [initscripts] [PATCH] FS#26726 error message should say 'Daemon' instead of 'Dameon' Signed-off-by: Jelle van der Waa

2011-11-05 Thread Tom Gundersen
Thanks. Applied.

On Sun, Nov 6, 2011 at 3:46 AM, Jelle van der Waa wrote:
> ---
>  rc.d |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/rc.d b/rc.d
> index 3f2835e..aed2e42 100755
> --- a/rc.d
> +++ b/rc.d
> @@ -36,7 +36,7 @@ filter_daemons() {
>        for daemon in "${daemons[@]}"; do
>                # check if daemons is valid
>                if ! have_daemon "$daemon"; then
> -                       printf "${C_FAIL}:: ${C_DONE}Dameon script 
> ${C_FAIL}${daemon}${C_DONE} does \
> +                       printf "${C_FAIL}:: ${C_DONE}Daemon script 
> ${C_FAIL}${daemon}${C_DONE} does \
>  not exist or is not executable.${C_CLEAR}\n" >&2
>                        exit 2
>                fi
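Review bot: the exit 2 right after the printf ends the run at the first name that fails have_daemon, so any further invalid entries in daemons are never reported. That is outside the scope of a typo fix, but a follow-up could record the failures inside the loop and exit once after it.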
> --
> 1.7.7.2
>
>


[arch-projects] [initscripts] [GIT] Arch Linux initscripts repository branch master updated. 2011.10.2-11-gfb4e5f6

2011-11-05 Thread Tom Gundersen
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Arch Linux initscripts repository".

The branch, master has been updated
   via  fb4e5f6662e32dacb8373274f6ed5592e79472e3 (commit)
  from  1abd8cfb7aeb867c3d7b39dcd620e151228f3a12 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -
commit fb4e5f6662e32dacb8373274f6ed5592e79472e3
Author: Jelle van der Waa 
Date:   Sat Nov 5 20:46:01 2011 +0100

Fix misspelt error message

FS#26726 error message should say 'Daemon' instead of 'Dameon'

[tomegun: fixed commit message]
Signed-off-by: Jelle van der Waa 

---

Summary of changes:
 rc.d |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


hooks/post-receive
-- 
Arch Linux initscripts repository


[arch-projects] [initscripts] [GIT] Arch Linux initscripts repository branch master updated. 2011.10.2-10-g1abd8cf

2011-11-05 Thread Tom Gundersen
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Arch Linux initscripts repository".

The branch, master has been updated
   via  1abd8cfb7aeb867c3d7b39dcd620e151228f3a12 (commit)
   via  8b54494acdb9ceda7b24cb4b7c4ca98a5c2b00a6 (commit)
  from  34714bf34e5928479e5ec4367e5e79902876dfa3 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -
commit 1abd8cfb7aeb867c3d7b39dcd620e151228f3a12
Author: Tom Gundersen 
Date:   Sun Nov 6 01:44:38 2011 +0800

locale.sh: fix LC_TELEPHONE/LC_MEASUREMENT

Thanks to Fabio Scotoni.

Signed-off-by: Tom Gundersen 

commit 8b54494acdb9ceda7b24cb4b7c4ca98a5c2b00a6
Author: Tom Gundersen 
Date:   Sat Nov 5 13:56:58 2011 +0100

bootlog: filter out some more escapecodes

In particular "^[[119G".

Signed-off-by: Tom Gundersen 

---

Summary of changes:
 functions |2 +-
 locale.sh |6 ++
 2 files changed, 7 insertions(+), 1 deletions(-)


hooks/post-receive
-- 
Arch Linux initscripts repository


Re: [arch-projects] [initscripts] next release

2011-11-05 Thread Tom Gundersen
On Sat, Nov 5, 2011 at 5:29 PM, Thomas Bächler wrote:
> On 05.11.2011 10:05, Tom Gundersen wrote:
>
>> My issue is with allowing passwords to be written "inline", as well as the
>> fact that we interpret the file as bash rather than plaintext.
>
> When automatically opening volumes, you are not supposed to use
> passphrases, but keyfiles.

Yeah, I think I'll add a warning when a passphrase is used. Having
looked through it, that should take care of most of my gripes.

>> If we skip those
>> possibilities and move closer to the Debian format from which (I assume) we
>> started, things should be simpler.
>
> I have no idea what that format is, but there is a shitload of
> possibilities for crypto, and a "one line per volume" format doesn't
> seem to cover them all.

This is Ubuntu's manpage:
. It
seems that most distros use something similar to this. I haven't
studied what everyone does in detail though. As always, if we are
going to change something, I suggest we don't invent our own format
but try to see if we can use something that already exists (preferably
something that is used by "everyone else").

>> I also heard that Gnome should soon get support for dealing with the Debian-
>> style crypttab format from a GUI, which we might want to take advantage of
>> (not that I use Gnome, but it sounded neat).
>
> I'd rather have a working format than support for a broken one in a GUI.

No argument there. The assumption is that the format is not broken :-)

> Why would you need GUI support for crypttab anyway? I don't see the benefit.

I don't use these kind of tools, but I imagine it would be sensible to
integrate this into whatever tool is used to manage/format disks.

-t


[arch-projects] FS#26726 error message should say 'Daemon' instead of 'Dameon'

2011-11-05 Thread Jelle van der Waa
Just a typo fix, sorry for the misformed patch. 

Signed-off-by: Jelle van der Waa 
---
 rc.d |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/rc.d b/rc.d
index 3f2835e..aed2e42 100755
--- a/rc.d
+++ b/rc.d
@@ -36,7 +36,7 @@ filter_daemons() {
for daemon in "${daemons[@]}"; do
# check if daemons is valid
if ! have_daemon "$daemon"; then
-   printf "${C_FAIL}:: ${C_DONE}Dameon script 
${C_FAIL}${daemon}${C_DONE} does \
+   printf "${C_FAIL}:: ${C_DONE}Daemon script 
${C_FAIL}${daemon}${C_DONE} does \
 not exist or is not executable.${C_CLEAR}\n" >&2
exit 2
fi
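Review bot: the removed and added printf lines are each broken after "script", and the continuation lines start with ${C_FAIL} instead of a -, + or space, so the hunk as shown has more lines than the @@ -36,7 +36,7 @@ header declares and will not apply cleanly. Sending with git send-email, or attaching the patch, keeps the mail client from wrapping long lines.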
-- 
1.7.7.2



Re: [arch-projects] [initscripts] [PATCH] FS#26726 error message should say 'Daemon' instead of 'Dameon' Signed-off-by: Jelle van der Waa

2011-11-05 Thread Thomas Bächler
On 05.11.2011 20:50, Lukas Fleischer wrote:
> On Sat, Nov 05, 2011 at 08:46:01PM +0100, Jelle van der Waa wrote:
>> ---
>>  rc.d |2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
> 
> Insane commit message :) Apart from that, +1...

Yes, you need one completely blank line after the first one.





Re: [arch-projects] [initscripts] [PATCH] FS#26726 error message should say 'Daemon' instead of 'Dameon' Signed-off-by: Jelle van der Waa

2011-11-05 Thread Lukas Fleischer
On Sat, Nov 05, 2011 at 08:46:01PM +0100, Jelle van der Waa wrote:
> ---
>  rc.d |2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 

Insane commit message :) Apart from that, +1...

> diff --git a/rc.d b/rc.d
> index 3f2835e..aed2e42 100755
> --- a/rc.d
> +++ b/rc.d
> @@ -36,7 +36,7 @@ filter_daemons() {
>   for daemon in "${daemons[@]}"; do
>   # check if daemons is valid
>   if ! have_daemon "$daemon"; then
> - printf "${C_FAIL}:: ${C_DONE}Dameon script 
> ${C_FAIL}${daemon}${C_DONE} does \
> + printf "${C_FAIL}:: ${C_DONE}Daemon script 
> ${C_FAIL}${daemon}${C_DONE} does \
>  not exist or is not executable.${C_CLEAR}\n" >&2
>   exit 2
>   fi
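Review bot: the context comment "# check if daemons is valid" has the same kind of slip this patch corrects in the message; it should read "# check if daemon is valid". Worth folding into the same typo fix.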
> -- 
> 1.7.7.2


[arch-projects] [initscripts] [PATCH] FS#26726 error message should say 'Daemon' instead of 'Dameon' Signed-off-by: Jelle van der Waa

2011-11-05 Thread Jelle van der Waa
---
 rc.d |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/rc.d b/rc.d
index 3f2835e..aed2e42 100755
--- a/rc.d
+++ b/rc.d
@@ -36,7 +36,7 @@ filter_daemons() {
for daemon in "${daemons[@]}"; do
# check if daemons is valid
if ! have_daemon "$daemon"; then
-   printf "${C_FAIL}:: ${C_DONE}Dameon script 
${C_FAIL}${daemon}${C_DONE} does \
+   printf "${C_FAIL}:: ${C_DONE}Daemon script 
${C_FAIL}${daemon}${C_DONE} does \
 not exist or is not executable.${C_CLEAR}\n" >&2
exit 2
fi
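Review bot: the corrected printf line still expands ${daemon} inside the format string, so a daemon name containing % or a backslash is treated as a format directive rather than printed as-is. Since the line is being touched anyway, put %s in the format where the name goes and pass "$daemon" as a separate argument.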
-- 
1.7.7.2



Re: [arch-projects] [initscripts] next release

2011-11-05 Thread Thomas Bächler
On 05.11.2011 10:05, Tom Gundersen wrote:

> My issue is with allowing passwords to be written "inline", as well as the
> fact that we interpret the file as bash rather than plaintext.

When automatically opening volumes, you are not supposed to use
passphrases, but keyfiles.

> If we skip those 
> possibilities and move closer to the Debian format from which (I assume) we 
> started, things should be simpler.

I have no idea what that format is, but there is a shitload of
possibilities for crypto, and a "one line per volume" format doesn't
seem to cover them all.

> I also heard that Gnome should soon get support for dealing with the Debian-
> style crypttab format from a GUI, which we might want to take advantage of 
> (not that I use Gnome, but it sounded neat).

I'd rather have a working format than support for a broken one in a GUI.
Why would you need GUI support for crypttab anyway? I don't see the benefit.





Re: [arch-projects] [initscripts] next release

2011-11-05 Thread Tom Gundersen
On Saturday 05 November 2011 01:04:46 Thomas Bächler wrote:
> On 04.11.2011 23:08, Tom Gundersen wrote:
> > The reason I haven't touched the latter is that I hate
> > the crypttab format we use. If anyone would like to help (preferably
> > someone who uses any of this), that would be highly appreciated.
>
> I always planned on dropping the crypttab format and only keep a
> crypttab parser for legacy systems. Instead, I was planning to have a
> "one crypto mapping per file" configuration in /etc/cryptsetup.d/ or so,
> where you would have bash-style KEY=value pairs. This would improve
> flexibility and extensibility - all the new requested features would be
> more straight-forward to implement.

Hm, interesting

My issue is with allowing passwords to be written "inline", as well as the
fact that we interpret the file as bash rather than plaintext. If we skip those
possibilities and move closer to the Debian format from which (I assume) we
started, things should be simpler.

I also heard that Gnome should soon get support for dealing with the Debian-
style crypttab format from a GUI, which we might want to take advantage of
(not that I use Gnome, but it sounded neat).

I'll do as you suggest and keep the old parser for backwards compatibility
though.

Cheers,

Tom
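
Added example, not part of any message in this thread and not initscripts code: a sketch of reading crypttab as plain text rather than as bash, warning when a passphrase is stored inline, and falling back to a prompt when a keyfile cannot be read, as discussed in the messages above. The line layout (name, device, key, options), the ASK keyword and the function names are assumptions made for illustration.

```bash
#!/bin/bash
# Added example. Assumed line layout (illustrative, not taken from the thread):
#   <name> <device> <key> [options]
# where <key> is ASK (prompt), an absolute keyfile path, or an inline passphrase.
# Fields are split on whitespace only, so quoted passphrases are not supported.

# classify_key KEY -> prints ask | keyfile | inline
classify_key() {
    case $1 in
        ASK|'') printf 'ask\n' ;;
        /*)     printf 'keyfile\n' ;;
        *)      printf 'inline\n' ;;
    esac
}

# audit_crypttab FILE -> prints "name:kind" per mapping, messages on stderr.
# Returns 1 if any mapping stores its passphrase inline.
audit_crypttab() {
    local name device key options kind rc=0
    # read -r treats each line as data: no expansion, no command execution
    while read -r name device key options; do
        case $name in ''|'#'*) continue ;; esac
        kind=$(classify_key "$key")
        if [ "$kind" = keyfile ] && [ ! -r "$key" ]; then
            # Unreadable keyfile (e.g. USB stick not plugged in): prompt instead
            printf 'notice: %s: cannot read %s, would ask for a passphrase\n' "$name" "$key" >&2
            kind=ask-fallback
        elif [ "$kind" = inline ]; then
            printf 'warning: %s: passphrase stored inline in %s\n' "$name" "$1" >&2
            rc=1
        fi
        printf '%s:%s\n' "$name" "$kind"
    done < "$1"
    return "$rc"
}

# Constructed sample input (not from the thread)
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name  device     key
swap    /dev/sda2  ASK
home    /dev/sda3  /nonexistent/home.key
data    /dev/sdb1  $HOME
backup  /dev/sdc1  not-a-real-passphrase
EOF
audit_crypttab "$sample" || printf 'inline passphrases found\n' >&2
rm -f "$sample"
```

The "data" line shows the difference from sourcing the file as bash: $HOME stays a literal string and is flagged as an inline passphrase instead of being expanded into a path.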
