Hi, Guilhem Moulin <guil...@debian.org> (2017-12-18): > On Sun, 17 Dec 2017 at 18:12:21 +0100, Cyril Brulebois wrote: > > FWIW, feel free to (x-debbugs-)cc debian-boot@ when requesting such > > additions; you might get some feedback like a patch or two, or > > alternative routes to consider. > > > > I hadn't spotted libcryptsetup12-udeb isn't installable due to these > > dependencies, as experimental isn't checked automatically: > > https://d-i.debian.org/dose/ > > Makes sense, sorry for not doing so.
No worries, knowing about the transition in advance was nice already. :) > > I've added this as a todo item, along with looking into src:argon2 > > and src:json-c. I'll try to look into that next week (ping welcome), > > but we'll need to get those packages past NEW; it would be > > appreciated to only start the cryptsetup transition once > > dependencies can be satisfied, to avoid breaking d-i daily builds > > purposefully. > > Ack. I see mejo has just requested the transition slot in #884618, > that means we should we block that bug by #88052[56], right? That would look good yes. > > Also, from one the those two bugs: “cryptsetup ≥2.0.0 introduces a > > new on-disk “LUKS2” format, which support Argon2i and Argon2id as > > PBKDF.” > > > > Is that a new default format? Does it need any special handling from > > d-i components, like options or files to create, or is that just a > > transparent change for cryptsetup callers? > > The format isn't the new default in the sense that `cryptsetup > luksFormat` still creates “legacy” LUKS (version 1) devices, and one > needs to append `--type luks2` to create LUKS2 devices. Opening a LUKS2 > block device does require a locking directory[0] (/run/lock/cryptsetup), > but partman-crypto can stay as is as long as it keeps creating LUKS1 > devices. > > Not sure what's upstream's intention regarding making `cryptsetup > luksFormat` create LUKS2 devices by default, but at this stage it seems > precipitated to switch to LUKS2 in d-i: I'd rather stick to upstream's > default, especially considering the following snippets of their v2.0.0 > Release Notes: > > “Please note that […] the LUKS2 on-disk format itself are new > features and can contain some bugs.” > — > https://gitlab.com/cryptsetup/cryptsetup/blob/v2.0.0/docs/v2.0.0-ReleaseNotes#L15 > > (And FWIW it's possible to later in-place convert a device from LUKS1 to > LUKS2 format using `cryptsetup convert`, although it of course won't > magically upgrade the crypto & PKDF algorithms.) Alright; feel free to poke us again for partman-crypto when the new format looks mature enough so that we see about adding support for it. > > Alternatively, instead of waiting for udebs to be available for the > > dependencies, maybe support for those two libraries could be patched > > out temporarily in the cryptsetup udebs? > > For libargon2-0 it should be a matter of changing the default PBKDF > back to pbkdf2, but I don't see a way to drop the libjson-c3 > dependency unless we compile cryptsetup without LUKS2 support (LUKS2 > headers contain metadata stored in JSON format [1]), which is not > trivial AFAICT. Alright, thanks for your input, that's going to guide my looking into these packages during the week; I'll investigate as soon as I'm done with urgent matters. Cheers, -- Cyril Brulebois (k...@debian.org) <https://debamax.com/> D-I release manager -- Release team member -- Freelance Consultant
signature.asc
Description: PGP signature
