Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package cryptsetup

Hello,

cryptsetup 2:1.4.3-4 has only non-intrusive changes compared to 2:1.4.3-2.
Nevertheless it fixes some annoying bugs. Most importantly, it adds local
keymap support to initramfs for encrypted root filesystem by recommending
initramfs-tools, busybox, kbd and console-setup.

Only easy fixes, documentation and translation updates are included.

The debdiff is attached, relevant changelog follows:

cryptsetup (2:1.4.3-4) unstable; urgency=medium

  * change recommends for busybox to busybox | busybox-static. Thanks to
    Armin Haas for the bugreport. (closes: #692151)

 -- Jonas Meurer <m...@debian.org>  Wed, 07 Nov 2012 16:12:25 +0100

cryptsetup (2:1.4.3-3) unstable; urgency=medium

  * add recommends for 'kbd, console-setup' to cryptsetup package. Both are
    necessary to support local keymap in initramfs. Thanks to Raphaël Hertzog
    for the bugreport. (closes: #689722)
  * move suggestion for 'initramfs-tools (>= 0.91) | linux-initramfs-tool,
    busybox' to recommends. Both are required for encrypted root fs.
  * remove suggestion for udev, most debian systems have it installed anyway.
  * mention option to use UUID=<luks_uuid> for source device in crypttab(5).
    Thanks to Felicitus for the bug report. (closes: #688786)
  * add a paragraph in README.initramfs: Describe, why renaming the target
    name is not supported for encrypted root devices. Thanks to Adam Lee for
    bugreport and proposed workaround for this limitation. (closes: #671037)
  * fix keyfile permission checks in cryptdisks init scripts to follow
    symlinks. Thanks to intrigeri for the bugreport. (closes: #691517)
  * fix owner group check for keyfile in cryptdisks init scripts to really
    check owner group.
  * update debconf translations:
    - brasilian portuguese, thanks to Adriano Rafael Gomes. (closes: #685762)
    - japanese, thanks to victory. (closes: #690784)
  * fix typo in manpages: s/passphase/passphrase. Thanks to Milan Broz for
    the bugreport. (closes: #684086)

 -- Jonas Meurer <m...@debian.org>  Thu, 01 Nov 2012 15:34:09 +0100

unblock cryptsetup/2:1.4.3-4

Regards,
 jonas

diff -Nru cryptsetup-1.4.3/debian/changelog cryptsetup-1.4.3/debian/changelog --- cryptsetup-1.4.3/debian/changelog 2012-06-12 21:26:35.000000000 +0200 +++ cryptsetup-1.4.3/debian/changelog 2012-11-07 16:12:30.000000000 +0100 
@@ -1,3 +1,35 @@ +cryptsetup (2:1.4.3-4) unstable; urgency=medium + + * change recommends for busybox to busybox | busybox-static. Thanks to + Armin Haas for the bugreport. (closes: #692151) + + -- Jonas Meurer <m...@debian.org> Wed, 07 Nov 2012 16:12:25 +0100 + +cryptsetup (2:1.4.3-3) unstable; urgency=medium + + * add recommends for 'kbd, console-setup' to cryptsetup package. Both are + necessary to support local keymap in initramfs. Thanks to Raphaël Hertzog + for the bugreport. (closes: #689722) + * move suggestion for 'initramfs-tools (>= 0.91) | linux-initramfs-tool, + busybox' to recommends. Both are required for encrypted root fs. + * remove suggestion for udev, most debian systems have it installed anyway. + * mention option to use UUID=<luks_uuid> for source device in crypttab(5). + Thanks to Felicitus for the bug report. (closes: #688786) + * add a paragraph in README.initramfs: Describe, why renaming the target + name is not supported for encrypted root devices. Thanks to Adam Lee for + bugreport and proposed workaround for this limitation. (closes: #671037) + * fix keyfile permission checks in cryptdisks init scripts to follow + symlinks. Thanks to intrigeri for the bugreport. (closes: #691517) + * fix owner group check for keyfile in cryptdisks init scripts to really + check owner group. + * update debconf translations: + - brasilian portuguese, thanks to Adriano Rafael Gomes. (closes: #685762) + - japanese, thanks to victory. (closes: #690784) + * fix typo in manpages: s/passphase/passphrase. Thanks to Milan Broz for + the bugreport. (closes: #684086) + + -- Jonas Meurer <m...@debian.org> Thu, 01 Nov 2012 15:34:09 +0100 + cryptsetup (2:1.4.3-2) unstable; urgency=medium * fix the shared library symbols magic: so far, the symbols file for diff -Nru cryptsetup-1.4.3/debian/control cryptsetup-1.4.3/debian/control --- cryptsetup-1.4.3/debian/control 2012-06-08 13:31:06.000000000 +0200 +++ cryptsetup-1.4.3/debian/control 2012-11-07 16:11:49.000000000 +0100 
@@ -12,7 +12,8 @@ Package: cryptsetup Architecture: linux-any Depends: ${shlibs:Depends}, ${misc:Depends}, dmsetup, cryptsetup-bin -Suggests: udev, initramfs-tools (>= 0.91) | linux-initramfs-tool, busybox, dosfstools, liblocale-gettext-perl +Recommends: kbd, console-setup, initramfs-tools (>= 0.91) | linux-initramfs-tool, busybox | busybox-static +Suggests: dosfstools, liblocale-gettext-perl Provides: cryptsetup-luks Conflicts: cryptsetup-luks Replaces: cryptsetup-luks, hashalot (<< 0.3-2) diff -Nru cryptsetup-1.4.3/debian/cryptdisks.functions cryptsetup-1.4.3/debian/cryptdisks.functions --- cryptsetup-1.4.3/debian/cryptdisks.functions 2012-05-10 12:14:55.000000000 +0200 +++ cryptsetup-1.4.3/debian/cryptdisks.functions 2012-11-01 14:00:23.000000000 +0100 @@ -219,7 +219,7 @@ fi # Check ownership of $key - OWNER="$(ls -l "$key" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')" + OWNER="$(/bin/ls -l "$(readlink -f $key)" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')" if [ "$OWNER" != "root" ]; then log_warning_msg "$dst: INSECURE OWNER FOR $key, see /usr/share/doc/cryptsetup/README.Debian." fi 
@@ -230,14 +230,14 @@ fi # Check owner group of $key - GROUP="$(ls -l "$key" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')" + GROUP="$(/bin/ls -l "$(readlink -f $key)" | sed 's/^.\{12\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')" if [ "$GROUP" != "root" ]; then log_warning_msg "$dst: INSECURE OWNER GROUP FOR $key, see /usr/share/doc/cryptsetup/README.Debian." fi # Check group and other permissions - GMODE="$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{4\}\(.\{3\}\).*/\1/')" - OMODE="$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{7\}\(.\{3\}\).*/\1/')" + GMODE="$(/bin/ls -l "$(readlink -f $key)" | sed 's/[[:space:]].*//;s/^.\{4\}\(.\{3\}\).*/\1/')" + OMODE="$(/bin/ls -l "$(readlink -f $key)" | sed 's/[[:space:]].*//;s/^.\{7\}\(.\{3\}\).*/\1/')" if [ "$GMODE" != "---" ] && [ "$OMODE" != "---" ]; then log_warning_msg "$dst: INSECURE MODE FOR $key, see /usr/share/doc/cryptsetup/README.Debian." fi diff -Nru cryptsetup-1.4.3/debian/doc/cryptdisks_start.xml cryptsetup-1.4.3/debian/doc/cryptdisks_start.xml --- cryptsetup-1.4.3/debian/doc/cryptdisks_start.xml 2011-09-19 12:46:18.000000000 +0200 +++ cryptsetup-1.4.3/debian/doc/cryptdisks_start.xml 2012-11-01 14:34:19.000000000 +0100 @@ -38,7 +38,7 @@ </simpara> <simpara> Note that this wrapper passes <option>--key-file=-</option> to - <command moreinfo="refentry">cryptsetup</command>, so the passphase + <command moreinfo="refentry">cryptsetup</command>, so the passphrase in any referenced key file must not be followed by a newline character. </simpara> </refsect1> diff -Nru cryptsetup-1.4.3/debian/doc/crypttab.xml cryptsetup-1.4.3/debian/doc/crypttab.xml --- cryptsetup-1.4.3/debian/doc/crypttab.xml 2012-04-13 13:00:37.000000000 +0200 +++ cryptsetup-1.4.3/debian/doc/crypttab.xml 2012-11-01 14:34:33.000000000 +0100 
@@ -46,13 +46,15 @@ </simpara> <simpara> The second field, <emphasis>source device</emphasis>, describes either the - block special device or file that contains the encrypted data. + block special device or file that contains the encrypted data. Instead of + giving the <emphasis>source device</emphasis> explicitly, the UUID is + supported as well, using <emphasis>UUID=<luks_uuid></emphasis>. </simpara> <simpara> The third field, <emphasis>key file</emphasis>, describes the file to use as a key for decrypting the data of the <emphasis>source device</emphasis>. Note that the <emphasis>entire</emphasis> key file will be used as the - passphase; the passphase must <emphasis>not</emphasis> be + passphrase; the passphrase must <emphasis>not</emphasis> be followed by a newline character. </simpara> <simpara> @@ -400,8 +402,8 @@ # Encrypted swap device cswap /dev/sda6 /dev/urandom cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,swap -# Encrypted LUKS disk with interactive password -cdisk0 /dev/hda1 none luks +# Encrypted LUKS disk with interactive password, identified by UUID +cdisk0 UUID=12345678-9abc-def012345-6789abcdef01 none luks # Encrypted ext4 disk with interactive password # - retry 5 times if the check fails diff -Nru cryptsetup-1.4.3/debian/po/ja.po cryptsetup-1.4.3/debian/po/ja.po --- cryptsetup-1.4.3/debian/po/ja.po 1970-01-01 01:00:00.000000000 +0100 +++ cryptsetup-1.4.3/debian/po/ja.po 2012-11-01 15:49:50.000000000 +0100 
@@ -0,0 +1,54 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# victory <victory....@gmail.com>, 2012. +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup\n" +"Report-Msgid-Bugs-To: cryptse...@packages.debian.org\n" +"POT-Creation-Date: 2011-09-15 12:30+0200\n" +"PO-Revision-Date: 2012-06-17 00:27+09:00\n" +"Last-Translator: victory <victory....@gmail.com>\n" +"Language-Team: Japanese <debian-japan...@lists.debian.org>\n" +"Language: ja\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "cryptsetup ã®åé¤ãç¶è¡ãã¾ãã?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "" +"ãã®ã·ã¹ãã ã«ã¯ããã¯ããã¦ããªã dm-crypt ããã¤ã¹ãããã¾ã: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"cryptsetup ã«ãã管çããã¦ããããã¤ã¹ãããå ´åãããã±ã¼ã¸åé¤å¾ã«ããã¤ã¹" +"ãããã¯ã§ããªããªãå¯è½æ§ãããã¾ãããä»ã®ãã¼ã«ã使ã£ã¦ dm-crypt ããã¤ã¹" +"ã管çãããã¨ãã§ãã¾ããã·ã¹ãã ã®ã·ã£ãããã¦ã³ãåèµ·åãçºçããã¨ããã¤" +"ã¹ã¯ããã¯ããã¾ãã" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." 
+msgstr "" +"ããã±ã¼ã¸åé¤ã®åã« dm-crypt ããã¤ã¹ãããã¯ãããå ´åã¯ãã®ãªãã·ã§ã³ãé¸" +"æããªãã§ãã ããã" diff -Nru cryptsetup-1.4.3/debian/po/pt_BR.po cryptsetup-1.4.3/debian/po/pt_BR.po --- cryptsetup-1.4.3/debian/po/pt_BR.po 1970-01-01 01:00:00.000000000 +0100 +++ cryptsetup-1.4.3/debian/po/pt_BR.po 2012-11-01 13:20:47.000000000 +0100 
@@ -0,0 +1,55 @@ +# Debconf translations for cryptsetup. +# Copyright (C) 2011 THE cryptsetup'S COPYRIGHT HOLDER +# This file is distributed under the same license as the cryptsetup package. +# Adriano Rafael Gomes <adrian...@gmail.com>, 2011. +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup\n" +"Report-Msgid-Bugs-To: cryptse...@packages.debian.org\n" +"POT-Creation-Date: 2011-09-15 12:30+0200\n" +"PO-Revision-Date: 2011-10-09 17:56-0300\n" +"Last-Translator: Adriano Rafael Gomes <adrian...@gmail.com>\n" +"Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian." +"org>\n" +"Language: pt_BR\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Continuar com a remoção do cryptsetup?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "Esse sistema tem dispositivos dm-crypt desbloqueados: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Se esses dispositivos são gerenciados com o cryptsetup, você pode não " +"conseguir bloquear os dispositivos depois da remoção do pacote, embora " +"outras ferramentas possam ser usadas para gerenciar dispositivos dm-crypt. " +"Qualquer desligamento ou reinicialização do sistema bloqueará os " +"dispositivos." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." 
+msgstr "" +"Não escolha essa opção se você quiser bloquear os dispositivos dm-crypt " +"antes da remoção do pacote." diff -Nru cryptsetup-1.4.3/debian/README.initramfs cryptsetup-1.4.3/debian/README.initramfs --- cryptsetup-1.4.3/debian/README.initramfs 2012-03-10 02:06:31.000000000 +0100 +++ cryptsetup-1.4.3/debian/README.initramfs 2012-11-01 13:47:25.000000000 +0100 @@ -207,4 +207,20 @@ the initramfs. This can be done by listing the required modules in /etc/initramfs-tools/modules. --- David Härdeman <da...@hardeman.nu> +11. Limitation: renaming of target name for encrypted root device +----------------------------------------------------------------- +As spotted by Adam Lee in bugreport #671037[1], it's not possible to simply +rename the target name for encrypted root devices. It breaks the initramfs +creation process. The bugreport submitter found a solution to workaround this +limitation: + +0. enter another system(like livecd) +1. luksOpen with the new name, change the target name to the new one +2. chroot into it(now, the living target name is the same as it in conf) +3. update-initramfs -u +4. reboot + +[1] http://bugs.debian.org/671037 + + -- David Härdeman <da...@hardeman.nu> + -- Jonas Meurer <m...@debian.org> Thu, 01 Nov 2012 13:44:31 +0100
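
Review bot: in debian/cryptdisks.functions, hunk @@ -219,7 +219,7 @@, the new OWNER line passes $key to readlink -f without quotes, so a key file path containing whitespace or glob characters is word-split before it is resolved and the ownership check then runs against the wrong path or fails outright. The outer command substitution is quoted but the inner argument is not; write it as "$(readlink -f "$key")" so the resolved path matches the file that is actually used as the key.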
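
Review bot: in debian/cryptdisks.functions, hunk @@ -230,14 +230,14 @@, the GROUP expression now skips a fixed 12 characters (.\{12\}) to get past the link count, which only lines up when the mode string has no trailing + or . marker and the link count is a single digit; with an ACL or SELinux marker, or with ten or more links, the capture lands on the owner column again and the check compares the owner instead of the group. Skip fields rather than characters: keep .\{10\}[+\.]\? for the mode and add one more "[^[:space:]]* " before the capture group. The three new readlink -f $key calls in this hunk also need $key quoted. In the unchanged context, the mode test joins its two comparisons with &&, so a key file readable by group only, or by other only, produces no warning; || looks like the intent.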
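
Review bot: in debian/doc/crypttab.xml, hunk @@ -46,13 +46,15 @@, the added sentence writes UUID=<luks_uuid> with bare angle brackets inside <emphasis>; in an XML source that parses as an unclosed luks_uuid element rather than literal text. Escape the brackets as &lt;luks_uuid&gt; so the manpage still builds and the placeholder is rendered.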
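
Review bot: in debian/doc/crypttab.xml, hunk @@ -400,8 +402,8 @@, the example value 12345678-9abc-def012345-6789abcdef01 is not a well-formed UUID: its groups are 8-4-9-12 hex digits instead of 8-4-4-4-12, which misleads a reader about the format expected after UUID=. Use a value with the standard grouping, for example 12345678-9abc-def0-1234-56789abcdef0.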
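
Review bot: in debian/po/ja.po, hunk @@ -0,0 +1,54 @@, the header still carries the template placeholders ("SOME DESCRIPTIVE TITLE.", "YEAR THE PACKAGE'S COPYRIGHT HOLDER", "the PACKAGE package"); fill them in the way the pt_BR.po header in this same diff does. PO-Revision-Date also uses +09:00, where the other date headers in both files use the form without a colon (+0200, -0300).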
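
Review bot: in debian/README.initramfs, hunk @@ -207,4 +207,20 @@, steps 1 and 2 of the workaround say "change the target name to the new one" and "the same as it in conf" without naming the file that has to be edited, so the procedure cannot be followed without reading bug #671037. Name the configuration file explicitly in step 1, and state in step 2 that the chroot is into the opened root filesystem.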