Heya,

Guilhem Moulin <guil...@debian.org> (2019-04-15):
> On Mon, 15 Apr 2019 at 21:40:35 +0200, Cyril Brulebois wrote:
> > There are also some other highlights in this changelog entry, regarding
> > key sizes, and some update to partman-crypto might be needed…
>
> GRUB stuff aside?

My point above was that there are a number of “keysize” occurrences in
partman-crypto[1] that might need to be adjusted for the new sizes in
cryptsetup.

 1. https://salsa.debian.org/installer-team/partman-crypto

> AFAICT not, but FWIW we poked debian-boot to highlight the changes
> when 2.1.0 entered unstable two months ago:
>
>     https://lists.debian.org/debian-boot/2019/02/msg00100.html
>
> Yup that was quite late in the release cycle, sorry for that.
> Formatting new devices to LUKS2 by default was discussed since the
> summer, and 2.1 was originally planned for late 2018. In the end it
> was released 2 months later, but since we had this discussion before
> we thought we had d-i's blessing here regarding LUKS2, and uploaded to
> sid just before the freeze:
>
>     https://salsa.debian.org/installer-team/partman-crypto/merge_requests/1
>     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919725

Well, even if that's outside the full freeze, I wasn't exactly expecting
a change of that importance to happen a couple of weeks before…

Unless I missed something, MRs only trigger notifications to people
involved with the actual MR or those who are mentioned in there. I'm
also immensely grateful for all the security-related work Matthew
Garrett puts everywhere he goes, but I'm not sure that MR qualifies as
“requested by d-i [0]” as you mentioned in [2].

 2. https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2019-April/008199.html

Regarding the mail you sent to debian-boot@ (which is of course much
appreciated!), that's still happening after the fact (the package is
already in the archive), and there's only a couple of days to react
before it reaches testing (barring any RC/transition-induced issues).

And while I cannot personally guarantee I'm going to spot all mails that
need action/reaction on the mailing list, something like a mention of
this GRUB limitation[3] (apparently documented since late 2018) might
have piqued somebody's interest back then and could have triggered some
feedback from someone else…

 3. https://savannah.gnu.org/bugs/?55093

> > One could argue that cryptodisk support has never been supported by
> > d-i anyway,
>
> Yup, and I suppose that's why I overlooked this in my mail to
> debian-boot :-P  Jonathan Carter had a similar report last week
>
>     https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2019-April/008196.html

While I'm usually fine to dismiss some bug reports as “it's unsupported,
sorry”, making users' life harder doesn't seem really reasonable… :/

> Should have poked debian-boot immediately, apologies for not doing so
> :-(  Until GRUB unlocking is supported in d-i [#849400] I'd say it's
> enough to document the change and make the LUKS version configurable
> (from an expert prompt or preseed.cfg).
>
> > And for those who would wonder: It seems that LUKS2 brings some
> > interesting features on the security front, so it doesn't seem really
> > reasonable to stick to LUKS1 unconditionally.
>
> Agreed, for the reasons mentioned in my reply to Jonathan:
>
>     https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2019-April/008199.html
>
> (first paragraph).

Thanks for the pointer and those details; to be fair, I wanted to
concentrate back on the release process and thought they would likely be
mentioned magically on this bug report while I was busy pushing the
release announcement. :)

Time for some rest here. I've added the “LUKS version configurability”
topic to my list of urgent d-i issues, and I'll try to get that done
soon.

Thanks again for the feedback!

Cheers,
-- 
Cyril Brulebois (k...@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
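The practical worry in the thread is that a GRUB without LUKS2 cryptodisk support (Savannah bug 55093) cannot open a /boot that partman-crypto has formatted as LUKS2. The following is an added example, not code from the thread, from partman-crypto or from cryptsetup: it reads the on-disk LUKS header of a device or header dump and reports its version, so an installer hook or a post-install check can refuse (or warn about) a LUKS2 header on a volume the bootloader must unlock. It relies only on the public on-disk layouts (6-byte magic `LUKS\xba\xbe`, big-endian uint16 version at offset 6, then the LUKS1 cipher/mode/hash strings or the LUKS2 header size, label and checksum algorithm). The sample headers are constructed in the script; `grub_can_unlock()` encodes the assumption, labelled as such, that only LUKS1 is bootloader-unlockable.

```python
"""Report the LUKS header version of a device or header image.

Added example for the LUKS1/LUKS2 vs. GRUB discussion; not part of d-i,
partman-crypto or cryptsetup. Offsets follow the public LUKS1 phdr and
LUKS2 binary header layouts.
"""
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"   # primary-header magic shared by LUKS1 and LUKS2
HEADER_READ = 4096             # size of the LUKS2 binary header; covers all LUKS1 fields read here


def luks_version(header: bytes):
    """Return 1 or 2 for a LUKS header, None when the magic does not match."""
    if len(header) < 8 or header[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack_from(">H", header, 6)   # big-endian uint16 at offset 6
    return version


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def describe(header: bytes) -> dict:
    """Extract the fields relevant to an installer/bootloader decision."""
    version = luks_version(header)
    if version == 1:
        # LUKS1 phdr: magic[6] version[2] cipher-name[32] cipher-mode[32] hash-spec[32] ...
        return {"version": 1,
                "cipher": f"{_cstr(header[8:40])}-{_cstr(header[40:72])}",
                "hash": _cstr(header[72:104])}
    if version == 2:
        # LUKS2 binary header: magic[6] version[2] hdr_size[8] seqid[8] label[48] csum_alg[32] ...
        (hdr_size,) = struct.unpack_from(">Q", header, 8)
        return {"version": 2, "hdr_size": hdr_size,
                "label": _cstr(header[32:80]),
                "checksum_alg": _cstr(header[80:112])}
    return {"version": None}


def grub_can_unlock(header: bytes) -> bool:
    """Assumption (per Savannah #55093 at the time): GRUB's cryptodisk opens LUKS1 only."""
    return luks_version(header) == 1


# --- constructed sample headers (only the fields read above are populated) ---
def _sample_luks1(cipher=b"aes", mode=b"xts-plain64", hash_=b"sha256") -> bytes:
    hdr = bytearray(HEADER_READ)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:8 + len(cipher)] = cipher
    hdr[40:40 + len(mode)] = mode
    hdr[72:72 + len(hash_)] = hash_
    return bytes(hdr)


def _sample_luks2(label=b"boot") -> bytes:
    hdr = bytearray(HEADER_READ)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 2)
    struct.pack_into(">Q", hdr, 8, 16384)     # constructed hdr_size value (binary header + JSON area)
    hdr[32:32 + len(label)] = label
    hdr[80:86] = b"sha256"
    return bytes(hdr)


SAMPLE_LUKS1 = _sample_luks1()
SAMPLE_LUKS2 = _sample_luks2()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: luks_hdr.py <device-or-header-image>", file=sys.stderr)
        sys.exit(2)
    with open(sys.argv[1], "rb") as f:          # reading a block device needs root
        hdr = f.read(HEADER_READ)
    print(describe(hdr))
    print("bootloader-unlockable (LUKS1 only assumed):", grub_can_unlock(hdr))
```

Run it against a block device (as root) or a header backup produced by `cryptsetup luksHeaderBackup`; a volume that must be opened by GRUB should report version 1, which is what `cryptsetup luksFormat --type luks1` produces. The version check is deliberately the only decision point: a LUKS2 header's JSON area is not parsed, because the bootloader question is settled by the version field alone.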