On Mon, Jan 08, 2024 at 02:56:16PM +0100, Helmut Grohne wrote: > I've done a similar conversion for molly-guard/systemd and have prepared > patches for cryptsetup-nuke-password and cryptsetup. Notably:
I actually forgot to attach the patches (thanks Raphael), so here go the patches. What I also forgot to mention is that I applied quite some testing. You cannot test these patches with piuparts, because they need to be upgraded in lockstep, so I wrote a kind of mini-piuparts based on debhelper that specifically validates all kinds of upgrades and checks for correct diversions. Also attaching the tests. Hope this is good to upload now. Helmut
diff --minimal -Nru cryptsetup-2.6.1/debian/changelog cryptsetup-2.6.1/debian/changelog --- cryptsetup-2.6.1/debian/changelog 2023-12-05 17:48:58.000000000 +0100 +++ cryptsetup-2.6.1/debian/changelog 2024-01-05 18:56:40.000000000 +0100 @@ -1,3 +1,10 @@ +cryptsetup (2:2.6.1-6.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * DEP17: Move fles to /usr. (Closes: #-1) + + -- Helmut Grohne <[email protected]> Fri, 05 Jan 2024 18:56:40 +0100 + cryptsetup (2:2.6.1-6) unstable; urgency=medium [ Kevin Locke ] diff --minimal -Nru cryptsetup-2.6.1/debian/control cryptsetup-2.6.1/debian/control --- cryptsetup-2.6.1/debian/control 2023-12-05 17:48:58.000000000 +0100 +++ cryptsetup-2.6.1/debian/control 2024-01-05 18:56:40.000000000 +0100 @@ -63,6 +63,7 @@ Architecture: linux-any Multi-Arch: foreign Depends: ${misc:Depends}, ${shlibs:Depends} +Conflicts: cryptsetup-nuke-password (<< 4+nmu2~) Description: disk encryption support - command line tools Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup-bin.install cryptsetup-2.6.1/debian/cryptsetup-bin.install --- cryptsetup-2.6.1/debian/cryptsetup-bin.install 2023-12-05 17:48:58.000000000 +0100 +++ cryptsetup-2.6.1/debian/cryptsetup-bin.install 2024-01-05 18:56:40.000000000 +0100 @@ -1,5 +1,5 @@ -sbin/cryptsetup -sbin/integritysetup -sbin/veritysetup +usr/sbin/cryptsetup +usr/sbin/integritysetup +usr/sbin/veritysetup usr/lib/tmpfiles.d/cryptsetup.conf usr/share/locale/*/*/* diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup-ssh.install cryptsetup-2.6.1/debian/cryptsetup-ssh.install --- cryptsetup-2.6.1/debian/cryptsetup-ssh.install 2023-12-05 17:48:58.000000000 +0100 +++ cryptsetup-2.6.1/debian/cryptsetup-ssh.install 2024-01-05 18:56:40.000000000 +0100 @@ -1,2 +1,2 @@ -lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.so -sbin/cryptsetup-ssh +usr/lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.so +usr/sbin/cryptsetup-ssh diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup-suspend.install cryptsetup-2.6.1/debian/cryptsetup-suspend.install --- cryptsetup-2.6.1/debian/cryptsetup-suspend.install 2023-12-05 17:48:58.000000000 +0100 +++ cryptsetup-2.6.1/debian/cryptsetup-suspend.install 2024-01-05 18:56:40.000000000 +0100 @@ -1,5 +1,5 @@ -debian/scripts/suspend/cryptsetup-suspend /lib/cryptsetup/scripts/suspend/ -debian/scripts/suspend/cryptsetup-suspend-wrapper /lib/cryptsetup/scripts/suspend/ -debian/scripts/suspend/cryptsetup-suspend.shutdown /lib/systemd/system-shutdown/ +debian/scripts/suspend/cryptsetup-suspend /usr/lib/cryptsetup/scripts/suspend/ +debian/scripts/suspend/cryptsetup-suspend-wrapper /usr/lib/cryptsetup/scripts/suspend/ +debian/scripts/suspend/cryptsetup-suspend.shutdown /usr/lib/systemd/system-shutdown/ debian/scripts/suspend/suspend.conf /etc/cryptsetup/ -debian/scripts/suspend/systemd/cryptsetup-suspend.conf /lib/systemd/system/systemd-suspend.service.d/ +debian/scripts/suspend/systemd/cryptsetup-suspend.conf /usr/lib/systemd/system/systemd-suspend.service.d/ diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup-udeb.install cryptsetup-2.6.1/debian/cryptsetup-udeb.install --- cryptsetup-2.6.1/debian/cryptsetup-udeb.install 2023-12-05 17:48:58.000000000 +0100 +++ cryptsetup-2.6.1/debian/cryptsetup-udeb.install 2024-01-05 18:56:40.000000000 +0100 @@ -1,7 +1,7 @@ -debian/askpass /lib/cryptsetup/ -debian/checks/* /lib/cryptsetup/checks/ -debian/cryptdisks-functions /lib/cryptsetup/ -debian/functions /lib/cryptsetup/ -debian/scripts/decrypt_* /lib/cryptsetup/scripts/ -debian/scripts/passdev /lib/cryptsetup/scripts/ -sbin/cryptsetup +debian/askpass /usr/lib/cryptsetup/ +debian/checks/* /usr/lib/cryptsetup/checks/ +debian/cryptdisks-functions /usr/lib/cryptsetup/ +debian/functions /usr/lib/cryptsetup/ +debian/scripts/decrypt_* /usr/lib/cryptsetup/scripts/ +debian/scripts/passdev /usr/lib/cryptsetup/scripts/ +usr/sbin/cryptsetup diff --minimal -Nru cryptsetup-2.6.1/debian/cryptsetup.install cryptsetup-2.6.1/debian/cryptsetup.install --- cryptsetup-2.6.1/debian/cryptsetup.install 2023-12-05 17:48:58.000000000 +0100 +++ cryptsetup-2.6.1/debian/cryptsetup.install 2024-01-05 18:56:40.000000000 +0100 @@ -1,9 +1,9 @@ -debian/askpass /lib/cryptsetup/ +debian/askpass /usr/lib/cryptsetup/ debian/bash_completion/cryptdisks_start /usr/share/bash-completion/completions/ -debian/checks/* /lib/cryptsetup/checks/ -debian/cryptdisks-functions /lib/cryptsetup/ -debian/functions /lib/cryptsetup/ -debian/scripts/cryptdisks_* /sbin/ -debian/scripts/decrypt_* /lib/cryptsetup/scripts/ +debian/checks/* /usr/lib/cryptsetup/checks/ +debian/cryptdisks-functions /usr/lib/cryptsetup/ +debian/functions /usr/lib/cryptsetup/ +debian/scripts/cryptdisks_* /usr/sbin/ +debian/scripts/decrypt_* /usr/lib/cryptsetup/scripts/ debian/scripts/luksformat /usr/sbin/ -debian/scripts/passdev /lib/cryptsetup/scripts/ +debian/scripts/passdev /usr/lib/cryptsetup/scripts/ diff --minimal -Nru cryptsetup-2.6.1/debian/libcryptsetup-dev.install cryptsetup-2.6.1/debian/libcryptsetup-dev.install --- cryptsetup-2.6.1/debian/libcryptsetup-dev.install 2023-12-05 17:48:58.000000000 +0100 +++ cryptsetup-2.6.1/debian/libcryptsetup-dev.install 2024-01-05 18:56:40.000000000 +0100 @@ -1,3 +1,3 @@ -lib/${DEB_HOST_MULTIARCH}/*.so -lib/${DEB_HOST_MULTIARCH}/pkgconfig/*.pc /usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/ +usr/lib/${DEB_HOST_MULTIARCH}/*.so +usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/*.pc usr/include/*.h diff --minimal -Nru cryptsetup-2.6.1/debian/libcryptsetup12-udeb.install cryptsetup-2.6.1/debian/libcryptsetup12-udeb.install --- cryptsetup-2.6.1/debian/libcryptsetup12-udeb.install 2023-12-05 17:48:58.000000000 +0100 +++ cryptsetup-2.6.1/debian/libcryptsetup12-udeb.install 2024-01-05 18:56:40.000000000 +0100 @@ -1 +1 @@ -lib/${DEB_HOST_MULTIARCH}/*.so.* +usr/lib/${DEB_HOST_MULTIARCH}/*.so.* diff --minimal -Nru cryptsetup-2.6.1/debian/libcryptsetup12.install cryptsetup-2.6.1/debian/libcryptsetup12.install --- cryptsetup-2.6.1/debian/libcryptsetup12.install 2023-12-05 17:48:58.000000000 +0100 +++ cryptsetup-2.6.1/debian/libcryptsetup12.install 2024-01-05 18:56:40.000000000 +0100 @@ -1 +1 @@ -lib/${DEB_HOST_MULTIARCH}/*.so.* +usr/lib/${DEB_HOST_MULTIARCH}/*.so.* diff --minimal -Nru cryptsetup-2.6.1/debian/not-installed cryptsetup-2.6.1/debian/not-installed --- cryptsetup-2.6.1/debian/not-installed 2023-12-05 17:48:58.000000000 +0100 +++ cryptsetup-2.6.1/debian/not-installed 2024-01-05 18:56:40.000000000 +0100 @@ -1,2 +1,2 @@ -lib/${DEB_HOST_MULTIARCH}/libcryptsetup.la -lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.la +usr/lib/${DEB_HOST_MULTIARCH}/libcryptsetup.la +usr/lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.la diff --minimal -Nru cryptsetup-2.6.1/debian/rules cryptsetup-2.6.1/debian/rules --- cryptsetup-2.6.1/debian/rules 2023-12-05 17:48:58.000000000 +0100 +++ cryptsetup-2.6.1/debian/rules 2024-01-05 18:56:40.000000000 +0100 @@ -24,8 +24,6 @@ override_dh_auto_configure: dh_auto_configure -- $(CONFFLAGS) \ - --libdir=/lib/$(DEB_HOST_MULTIARCH) \ - --sbindir=/sbin \ --with-tmpfilesdir=/usr/lib/tmpfiles.d \ --enable-libargon2 \ --enable-shared \ @@ -85,13 +83,13 @@ dh_bugfiles -A execute_after_dh_fixperms-arch: - chmod 0755 debian/cryptsetup/lib/cryptsetup/checks/* - chmod 0755 debian/cryptsetup/lib/cryptsetup/scripts/decrypt_* - chmod 0755 debian/cryptsetup-suspend/lib/cryptsetup/scripts/suspend/cryptsetup-suspend-wrapper - chmod 0755 debian/cryptsetup-suspend/lib/systemd/system-shutdown/cryptsetup-suspend.shutdown + chmod 0755 debian/cryptsetup/usr/lib/cryptsetup/checks/* + chmod 0755 debian/cryptsetup/usr/lib/cryptsetup/scripts/decrypt_* + chmod 0755 debian/cryptsetup-suspend/usr/lib/cryptsetup/scripts/suspend/cryptsetup-suspend-wrapper + chmod 0755 debian/cryptsetup-suspend/usr/lib/systemd/system-shutdown/cryptsetup-suspend.shutdown ifeq (,$(filter noudeb, $(DEB_BUILD_PROFILES))) - chmod 0755 debian/cryptsetup-udeb/lib/cryptsetup/checks/* - chmod 0755 debian/cryptsetup-udeb/lib/cryptsetup/scripts/decrypt_* + chmod 0755 debian/cryptsetup-udeb/usr/lib/cryptsetup/checks/* + chmod 0755 debian/cryptsetup-udeb/usr/lib/cryptsetup/scripts/decrypt_* endif execute_after_dh_fixperms-indep:
diff --minimal -Nru cryptsetup-nuke-password-4+nmu1/Makefile
cryptsetup-nuke-password-4+nmu2/Makefile
--- cryptsetup-nuke-password-4+nmu1/Makefile 2023-06-20 03:55:03.000000000
+0200
+++ cryptsetup-nuke-password-4+nmu2/Makefile 2024-01-05 18:25:54.000000000
+0100
@@ -13,8 +13,8 @@
rm -f $(EXECUTABLES)
install: $(EXECUTABLES)
- mkdir -p $(DESTDIR)/lib/cryptsetup
- cp askpass $(DESTDIR)/lib/cryptsetup/
+ mkdir -p $(DESTDIR)/usr/lib/cryptsetup
+ cp askpass $(DESTDIR)/usr/lib/cryptsetup/
mkdir -p $(DESTDIR)/usr/share/initramfs-tools/hooks/
cp hooks/* $(DESTDIR)/usr/share/initramfs-tools/hooks/
diff --minimal -Nru cryptsetup-nuke-password-4+nmu1/debian/changelog
cryptsetup-nuke-password-4+nmu2/debian/changelog
--- cryptsetup-nuke-password-4+nmu1/debian/changelog 2023-06-20
04:00:28.000000000 +0200
+++ cryptsetup-nuke-password-4+nmu2/debian/changelog 2024-01-05
18:53:10.000000000 +0100
@@ -1,3 +1,12 @@
+cryptsetup-nuke-password (4+nmu2) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Upgrade cryptsetup-bin dependency to cryptsetup, as that contains askpass.
+ * DEP17: Move files to /usr (M2) and mitigate file loss with diverions (P7).
+ (Closes: #-1)
+
+ -- Helmut Grohne <[email protected]> Fri, 05 Jan 2024 18:53:10 +0100
+
cryptsetup-nuke-password (4+nmu1) unstable; urgency=medium
* Non-maintainer upload.
diff --minimal -Nru cryptsetup-nuke-password-4+nmu1/debian/control
cryptsetup-nuke-password-4+nmu2/debian/control
--- cryptsetup-nuke-password-4+nmu1/debian/control 2023-06-20
04:00:28.000000000 +0200
+++ cryptsetup-nuke-password-4+nmu2/debian/control 2024-01-05
18:53:10.000000000 +0100
@@ -11,7 +11,7 @@
Package: cryptsetup-nuke-password
Architecture: any
-Depends: cryptsetup-bin, ${shlibs:Depends}, ${misc:Depends}
+Depends: cryptsetup (>= 2:2.6.1-6.1~), ${shlibs:Depends}, ${misc:Depends}
Enhances: cryptsetup-initramfs
Description: Erase the LUKS keys with a special password on the unlock prompt
Installing this package lets you configure a special "nuke password" that
diff --minimal -Nru
cryptsetup-nuke-password-4+nmu1/debian/cryptsetup-nuke-password.lintian-overrides
cryptsetup-nuke-password-4+nmu2/debian/cryptsetup-nuke-password.lintian-overrides
---
cryptsetup-nuke-password-4+nmu1/debian/cryptsetup-nuke-password.lintian-overrides
1970-01-01 01:00:00.000000000 +0100
+++
cryptsetup-nuke-password-4+nmu2/debian/cryptsetup-nuke-password.lintian-overrides
2024-01-05 18:53:10.000000000 +0100
@@ -0,0 +1,2 @@
+# DEP17 P7 M18
+cryptsetup-nuke-password: diversion-for-unknown-file lib/cryptsetup/askpass
[preinst:*]
diff --minimal -Nru
cryptsetup-nuke-password-4+nmu1/debian/cryptsetup-nuke-password.postinst
cryptsetup-nuke-password-4+nmu2/debian/cryptsetup-nuke-password.postinst
--- cryptsetup-nuke-password-4+nmu1/debian/cryptsetup-nuke-password.postinst
2023-06-20 03:55:03.000000000 +0200
+++ cryptsetup-nuke-password-4+nmu2/debian/cryptsetup-nuke-password.postinst
2024-01-05 18:52:12.000000000 +0100
@@ -50,6 +50,12 @@
}
configure_nuke_password() {
+ if test "$(dpkg-divert --truename /lib/cryptsetup/askpass)" !=
/lib/cryptsetup/askpass; then
+ dpkg-divert --no-rename --package cryptsetup-nuke-password \
+ --divert /lib/cryptsetup/askpass.cryptsetup.usr-is-merged \
+ --remove /lib/cryptsetup/askpass
+ fi
+
db_get cryptsetup-nuke-password/already-configured || true
what="$RET"
diff --minimal -Nru
cryptsetup-nuke-password-4+nmu1/debian/cryptsetup-nuke-password.postrm
cryptsetup-nuke-password-4+nmu2/debian/cryptsetup-nuke-password.postrm
--- cryptsetup-nuke-password-4+nmu1/debian/cryptsetup-nuke-password.postrm
2023-06-20 03:55:03.000000000 +0200
+++ cryptsetup-nuke-password-4+nmu2/debian/cryptsetup-nuke-password.postrm
2024-01-05 18:52:33.000000000 +0100
@@ -4,8 +4,8 @@
if [ "$1" = "remove" ]; then
dpkg-divert --rename --package cryptsetup-nuke-password \
- --divert /lib/cryptsetup/askpass.cryptsetup \
- --remove /lib/cryptsetup/askpass
+ --divert /usr/lib/cryptsetup/askpass.cryptsetup \
+ --remove /usr/lib/cryptsetup/askpass
elif [ "$1" = "purge" ]; then
rm -rf /etc/cryptsetup-nuke-password
fi
diff --minimal -Nru
cryptsetup-nuke-password-4+nmu1/debian/cryptsetup-nuke-password.preinst
cryptsetup-nuke-password-4+nmu2/debian/cryptsetup-nuke-password.preinst
--- cryptsetup-nuke-password-4+nmu1/debian/cryptsetup-nuke-password.preinst
2023-06-20 03:55:03.000000000 +0200
+++ cryptsetup-nuke-password-4+nmu2/debian/cryptsetup-nuke-password.preinst
2024-01-05 18:53:10.000000000 +0100
@@ -4,8 +4,26 @@
if [ "$1" = "install" ]; then
dpkg-divert --rename --package cryptsetup-nuke-password \
- --divert /lib/cryptsetup/askpass.cryptsetup \
+ --divert /usr/lib/cryptsetup/askpass.cryptsetup \
+ --add /usr/lib/cryptsetup/askpass
+ dpkg-divert --rename --package cryptsetup-nuke-password \
+ --divert /lib/cryptsetup/askpass.cryptsetup.usr-is-merged \
--add /lib/cryptsetup/askpass
+elif [ "$1" = "upgrade" ]; then
+ if test "$(dpkg-divert --truename /usr/lib/cryptsetup/askpass)" !=
/usr/lib/cryptsetup/askpass.cryptsetup; then
+ dpkg-divert --no-rename --package cryptsetup-nuke-password \
+ --divert /usr/lib/cryptsetup/askpass.cryptsetup \
+ --add /usr/lib/cryptsetup/askpass
+ TRUENAME=$(dpkg-divert --truename /lib/cryptsetup/askpass)
+ dpkg-divert --no-rename --package cryptsetup-nuke-password \
+ --remove /lib/cryptsetup/askpass
+ dpkg-divert --no-rename --package cryptsetup-nuke-password \
+ --divert /lib/cryptsetup/askpass.cryptsetup.usr-is-merged \
+ --add /lib/cryptsetup/askpass
+ if test -e "$TRUENAME"; then
+ mv "$TRUENAME" /lib/cryptsetup/askpass.cryptsetup.usr-is-merged
+ fi
+ fi
fi
#DEBHELPER#
testcase.sh
Description: Bourne shell script
TESTS= \
-_divertee \
-_divertee-diverter \
divertee_divertee \
divertee_diverter-divertee \
diverter-divertee_diverter-divertee \
diverter-divertee_rmdiverter-divertee \
diverter-divertee_divertee \
newdivertee_diverter \
newdivertee_rmdivertee \
newdivertee-newdiverter_rmdiverter \
newdivertee-newdiverter_rmdiverter-rmdivertee \
all: $(foreach t,$(TESTS),testout/$(t))
testout/%:
./testcase.sh "$(firstword $(subst _, ,$*))" "$(lastword $(subst _,
,$*))" >"$@" 2>&1; echo $$? >> "$@"
