Viewing all changes in revision 30.
- Committer: Dmitrijs Ledkovs
- Date: 2013-11-01 16:56:05 UTC
- Revision ID: dmitrijs.ledkovs@canonical.com-20131101165605-j8n9eier8upzn4nw
* Merge from debian unstable, remaining changes:
- debian/control:
+ Bump initramfs-tools Suggests to Depends: so system is not
potentially rendered unbootable.
+ Depend on plymouth.
- Invert the "busybox | busybox-static" Recommends, as the latter is
the one we ship in main as part of the ubuntu-standard task.
- Remove hardcoded paths to udevadm (LP: #1184066).
- debian/initramfs/cryptroot-hook:
+ Do not unconditionally include cryptsetup utils in the initramfs.
+ Do not include any modules or utils in the initramfs, unless
rootfs/resume devices are encrypted or CRYPTSETUP is set to 'y' in
the initramfs.conf configuration file.
* debian/initramfs/cryptroot-hook:
- Do not unconditionally include cryptsetup utils in the initramfs.
- Do not include any modules or utils in the initramfs, unless
rootfs/resume devices are encrypted or CRYPTSETUP is set to 'y' in
the initramfs.conf configuration file.
* Remove hardcoded paths to udevadm (LP: #1184066).
* Invert the "busybox | busybox-static" Recommends, as the latter
is the one we ship in main as part of the ubuntu-standard task.
* Merge from debian unstable, remaining changes:
- debian/control:
+ Bump initramfs-tools Suggests to Depends: so system is not
potentially rendered unbootable.
+ Depend on plymouth.
- init/upstart jobs:
+ Rename cryptddisks{,-early}.upstart jobs to
cryptdisks-{enable,udev}.upstart, as we need both init & upstart jobs
for now.
+ debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job;
and fix the LSB header to not declare this should be started in
runlevel 'S'.
+ Do not install start symlinks for init scripts
+ NB! shutdown is still handled by the SystemV init scripts
* Merge from debian unstable (LP: #1015753), remaining changes:
- debian/control:
+ Bump initramfs-tools Suggests to Depends: so system is not
potentially rendered unbootable.
+ Depend on plymouth.
- init/upstart jobs:
+ Add debian/cryptdisks-{enable,udev}.upstart for bootup.
+ debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job;
and fix the LSB header to not declare this should be started in
runlevel 'S'.
+ Do not install start symlinks for init scripts
+ NB! shutdown is still handled by the SystemV init scripts
* Rename cryptddisks{,-early}.upstart jobs back to
cryptdisks-{enable,udev}.upstart, as we need both init & upstart jobs
for now.
* Dropped Changes, included in Debian:
- debian/control:
+ Split up package in cryptsetup and cryptsetup-bin. (LP: #343363).
- debian/cryptdisks.functions:
+ Do not overwrite existing filesystems when creating swap (LP: #474258).
+ Add aesni module when we have hardware encryption.
+ Call 'udevadm settle' before 'dmsetup rename' http://pad.lv/874774
+ Suppress "Starting init crypto disks" message in "init" phase, to
avoid writing over fsck progress text.
+ new function, crypttab_start_one_disk, to look for the named source
device in /etc/crypttab (by device name, UUID, or label) and start it
if configured to do so
+ handle the case where crypttab contains a name for the source
device that is not the kernel's preferred name for it (as is the case
for LVs).
- debian/initramfs/cryptroot-hook:
+ Quiet warnings from find on arches that don't have all the
kernel/{arch,crypto} bits we're testing for.
* Our swap creation can trigger udev change events, which means udev may be
holding the device open at the time we try to call 'dmsetup rename' and
cause the /subsequent/ events to be missed because of dmsetup creating
device nodes by hand. So call 'udevadm settle' before 'dmsetup rename',
to ensure blkid is out of the way first. This should ensure swap
partitions are found by mountall in a non-racy manner. LP: #874774.
* Start cryptdisks-enable upstart job on 'or container', to let us
simplify the udevtrigger job.
* Split up package in cryptsetup and cryptsetup-bin. (LP: #343363).
* Do not overwrite existing filesystems when creating swap (LP: #474258).
* Add aesni module when we have hardware encryption.
* Merge from debian unstable (LP: #776264), remaining changes:
- debian/cryptdisks.functions: Suppress "Starting init crypto disks" message
in "init" phase, to avoid writing over fsck progress text.
- debian/cryptroot-hook: Quiet warnings from find on arches that
don't have all the kernel/{arch,crypto} bits we're testing for.
- debian/control:
+ Bump initramfs-tools Suggests to Depends: so system is not
potentially rendered unbootable.
+ Depend on plymouth.
- Add debian/cryptdisks-{enable,udev}.upstart.
- debian/cryptdisks.functions:
+ new function, crypttab_start_one_disk, to look for the named source
device in /etc/crypttab (by device name, UUID, or label) and start it
if configured to do so
- debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job;
and fix the LSB header to not declare this should be started in
runlevel 'S'
- debian/rules:
+ Do not install start symlinks for init scripts, and
install debian/cryptdisks-{enable,udev}.upstart scripts.
* debian/cryptdisks.functions: handle the case where crypttab contains a
name for the source device that is not the kernel's preferred name for
it (as is the case for LVs).
* debian/cryptdisks.functions: Suppress "Starting init crypto disks" message
in "init" phase, to avoid writing over fsck progress text.
* debian/cryptroot-hook: Quiet warnings from find on arches that
don't have all the kernel/{arch,crypto} bits we're testing for.
* Merge from debian unstable (LP: #682177), remaining changes:
- debian/control:
+ Bump initramfs-tools Suggests to Depends: so system is not
potentially rendered unbootable.
+ Depend on plymouth.
- Add debian/cryptdisks-{enable,udev}.upstart.
- debian/cryptdisks.functions:
+ new function, crypttab_start_one_disk, to look for the named source
device in /etc/crypttab (by device name, UUID, or label) and start it
if configured to do so
+ wrap the call to /lib/cryptsetup/askpass with watershed, to make sure
we only ever have one of these running at a time; otherwise multiple
invocations could steal each other's input and/or write over each
other's output
+ when called by cryptdisks-enable, check that we don't already have a
corresponding cryptdisks-udev job running (probably waiting for a
passphrase); if there is, wait until it's finished before continuing.
- debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job;
and fix the LSB header to not declare this should be started in
runlevel 'S'
- debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on
upgrade.
- debian/rules:
+ Do not install start symlinks for init scripts, and
install debian/cryptdisks-{enable,udev}.upstart scripts.
+ link dynamically against libgcrypt and libgpg-error.
- Add debian/cryptsetup.apport: Apport package hook. Install in
debian/rules and create dir in debian/cryptsetup.dirs.
- debian/cryptsetup.postrm: call update-initramfs on package removal.
* Merge from Debian unstable (LP: #594365). Remaining changes:
- debian/control:
+ Bump initramfs-tools Suggests to Depends: so system is not
potentially rendered unbootable.
+ Depend on plymouth.
- Add debian/cryptdisks-{enable,udev}.upstart.
- debian/cryptdisks.functions:
+ new function, crypttab_start_one_disk, to look for the named source
device in /etc/crypttab (by device name, UUID, or label) and start it
if configured to do so
+ wrap the call to /lib/cryptsetup/askpass with watershed, to make sure
we only ever have one of these running at a time; otherwise multiple
invocations could steal each other's input and/or write over each
other's output
+ initially create the device under a temporary name and rename it only
at the end using 'dmsetup rename', to ensure that upstart/mountall
doesn't see our device before it's ready to go.
+ do_tmp should mount under /var/run/cryptsetup for changing the
permissions of the filesystem root, not directly on /tmp, since
mounting on /tmp a) is racy, b) confuses mountall something fierce.
+ when called by cryptdisks-enable, check that we don't already have a
corresponding cryptdisks-udev job running (probably waiting for a
passphrase); if there is, wait until it's finished before continuing.
- debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job;
and fix the LSB header to not declare this should be started in
runlevel 'S'
- debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on
upgrade.
- debian/rules: Do not install start symlinks for init scripts, and
install debian/cryptdisks-{enable,udev}.upstart scripts.
- Add debian/cryptsetup.apport: Apport package hook. Install in
debian/rules and create dir in debian/cryptsetup.dirs.
- debian/rules: link dynamically against libgcrypt and libgpg-error.
- debian/cryptsetup.postrm: call update-initramfs on package removal.
* Dropped changes, merged/superseded in Debian:
- Add ext4 support to passdev.
- cryptroot-hook: don't call copy_modules_dir with empty arguments when
archcrypto isn't found
- Set USPLASH=y and FRAMEBUFFER=y in the hook config to pull plymouth into
the initramfs.
- change interaction to use plymouth directly if present, and if not, to
fall back to /lib/cryptsetup/askpass as before
- cryptdisks.functions: replace 'echo -e' bashism with 'printf'.
- debian/initramfs/cryptroot-script: if plymouth is present in the
initramfs, use this directly, bypassing the cryptsetup askpass script
- debian/initramfs/cryptroot-hook: Properly anchor our regexps when
grepping /etc/crypttab so that we don't incorrectly match device names
that are substrings of one another.
- debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot
file descriptor to subprocesses.
- Fix grammar error in debian/initramfs/cryptroot-script
("setup" -> "set up")
- debian/initramfs/cryptroot-script: Fix this to work with current
initramfs-tools:
+ Source /scripts/functions after checking for prerequisites.
+ prereqs(): Do not assume we are running within initramfs, and
calculate relative path correctly.
* Fix grammar error in debian/initramfs/cryptroot-script
("setup" -> "set up") (LP: #578896)
* debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot
file descriptor to subprocesses.
* debian/initramfs/cryptroot-hook: Properly anchor our regexps when
grepping /etc/crypttab so that we don't incorrectly match device names
that are substrings of one another.
* debian/cryptdisks-{enable,udev}.conf, debian/control: drop
'console output' and add a hard dependency on plymouth instead of
watershed, to avoid spitting extra messages to the console.
* Set FRAMEBUFFER=y in the file that we actually ship.
* debian/cryptsetup.postrm: call update-initramfs on package removal.
LP: #468228.
* cryptdisks.functions: replace 'echo -e' bashism with 'printf'.
* cryptdisks.functions: when called by cryptdisks-enable, check that we
don't already have a corresponding cryptdisks-udev job running (probably
waiting for a passphrase); if there is, wait until it's finished before
continuing.
* Set FRAMEBUFFER=y in the hook config as well, to pull plymouth into the
initramfs.
* cryptdisks.functions, debian/initramfs/cryptroot-script: fix the
invocation of plymouth, so that we actually get proper passphrase prompts
(once bug #496765 is fixed).
* cryptdisks.functions: do_tmp should mount under /var/run/cryptsetup for
changing the permissions of the filesystem root, not directly on /tmp,
since mounting on /tmp a) is racy, b) confuses mountall something fierce.
LP: #475936.
* Depend on watershed.
* Fix the LSB header in the init scripts, now that we don't install to
rcS.d.
* debian/initramfs/cryptroot-script: Fix this to work with current
initramfs-tools:
- Source /scripts/functions after checking for prerequisites.
- prereqs(): Do not assume we are running within initramfs, and calculate
relative path correctly.
* Rename the upstart job introduced in the previous upload to
cryptdisks-udev and restore the previous version of the job as
cryptdisks-enable, to run at the end of udev coldplugging as before;
this isn't entirely race-free, but should nevertheless give us the
two passes needed to cover devices that are decrypted using keys stored
on other encrypted disks. LP: #443980.
* debian/initramfs/cryptroot-script: if plymouth is present in the
initramfs, use this directly, bypassing the cryptsetup askpass script;
but keep support for these other frontends around on a transitional
basis.
* debian/cryptdisks.functions:
- change interaction to use plymouth directly if present, and if not, to
fall back to /lib/cryptsetup/askpass as before
- wrap the call to /lib/cryptsetup/askpass with watershed, to make sure
we only ever have one of these running at a time; otherwise multiple
invocations could steal each other's input and/or write over each
other's output
- new function, crypttab_start_one_disk, to look for the named source
device in /etc/crypttab (by device name, UUID, or label) and start it
if configured to do so
* debian/cryptdisks-enable.upstart: run the upstart job once for each block
device, using the new crypttab_start_one_disk function, triggered by udev;
this doesn't eliminate the possibility of a race with gdm when the
decrypted volume isn't a 'bootwait' mount point (since gdm kills
plymouth), but it does eliminate the race between udev and cryptsetup.
LP: #454898.
* debian/cryptdisks-enable.upstart: check that the package is installed
and exit gracefully if it's not. LP: #435814
* debian/cryptdisk.functions: initially create the device under a temporary
name and rename it only at the end using 'dmsetup rename', to ensure that
upstart/mountall doesn't see our device before it's ready to go.
LP: #475936.
* Add ext4 support to passdev.
* cryptroot-hook: Use if [ -n … ] instead of if ! test -z ….
* cryptroot-hook: dont call copy_modules_dir with empty arguments when
archcrypto isnt found (LP: #495161)
* Merge with Debian testing. Remaining Ubuntu changes:
- debian/rules: cryptsetup is linked dynamically against libgcrypt and
libgpg-error.
- Upstart migration:
+ Add debian/cryptdisks-enable.upstart.
+ debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job.
(LP #473615)
+ debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on
upgrade.
+ debian/rules: Do not install start symlinks for those two, and install
debian/cryptdisks-enable.upstart scripts.
- Add debian/cryptsetup.apport: Apport package hook. Install in
debian/rules, and create dir in debian/cryptsetup.dirs.
- Start usplash in initramfs, since we need it for fancy passphrase input:
+ debian/initramfs/cryptroot-conf, debian/initramfs-conf.d: USPLASH=y
+ debian/control: Bump initramfs-tools Suggests to Depends:.
* Make the 'start' action of the init script a no-op, this should be
handled entirely by the upstart job now; and remove any symlinks from
/etc/rcS.d on upgrade. LP: #473615.
* Add an apport hook
* import the blkid and un_blkid from debian, LP: #446517
* also use this script by default (setting in /etc/default/cryptdisks)
* Reupload previous version, siretart had left changes in bzr which
weren't documented in the changelog and caused FTBFS.
* Move the Debian Vcs- fields aside.
* debian/cryptdisks-enable.upstart: Don't overcompensate for my idiocy,
cryptsetup should not need a controlling terminal, just a terminal
is fine. May fix LP: #439138.
* debian/cryptdisks-enable.upstart: Things that often help include
not setting stdin/out to /dev/null, so you can actually type the
passphrase. I am an idiot. LP: #430496.
* debian/cryptdisks-enable.upstart: add upstart job to enable encrypted
disks once we've finished probing for udev devices, so that mountall
can use them. LP: #430496.
* debian/initramfs/cryptroot-conf: declare that we want usplash included
in the initramfs whenever this package is installed. LP: #427356.
* Merge from debian unstable, remaining changes:
- Ubuntu specific:
+ debian/rules: link dynamically for better security supportability and
smaller packages.
+ debian/control: Depend on initramfs-tools so system is not potentially
rendered unbootable.
- debian/initramfs/cryptroot-script wait for encrypted device to appear,
report with log_*_msg (debian bug 488271).
- debian/initramfs/cryptroot-hook: fix support for UUID and LABEL
correlation between fstab and crypttab (debian bug 522041).
- debian/askpass.c, debian/initramfs/cryptroot-script: using newline
escape in passphrase prompt to avoid line-wrapping (debian bug 528133).
* Drop 04_fix_udevsettle_call.patch: fixed upstream differently.
* debian/control: Depend on initramfs-tools so system is not potentially
rendered unbootable (LP: #358654).
* debian/initramfs/cryptroot-script: we don't require vol_id to understand
the encrypted device, but we should check the device is fully up first
before continuing by calling udevadm settle. LP: #291752.
* debian/initramfs/cryptroot-hook: fix support for UUID and LABEL correlation
between fstab and crypttab (LP: #287879).
* debian/askpass.c: also handle newline escape code in console prompt.
* debian/checks/un_vol_id: dynamically build the "unknown volume type"
string, to allow for encrypted swap, LP: #316607
* debian/askpass.c: handle newline escape code in password prompt.
* debian/initramfs/cryptroot-script: add newline to split cryptroot
password prompt onto two lines for readability (LP: #326900).
* Merge from debian unstable, remaining changes:
- debian/initramfs/cryptroot-script:
- must source /scripts/functions to get the log_*_msg() functions.
- wait for encrypted device to show up (LP 164044, 291752).
- disable error message 'failed to setup lvm device' (LP 151532).
- debian/rules:
- fix location of ltmain.sh (Ubuntu-specific until libtool 2.2.x is
in Debian unstable).
- link dynamically (LP 62751).
- add 04_fix_udevsettle_call.patch: fix path to binary for udevsettle.
* Revert versioned build-depency on libdevmapper-dev, since Ubuntu's
version is higher now.
* debian/initramfs/cryptroot-script: do not require that vol_id
can parse the encrypted device as valid (LP: #291752).
* Fixes for (LP: #272301)
* debian/initramfs/cryptroot-script: must source /scripts/functions to get
the log_*_msg() functions
* 04_fix_udevsettle_call.patch: fix path to binary for udevsettle
* drop almost all ubuntu specific changes from the cryptsetup package,
because they have been merged in debian. Thanks a lot!
* merge from debian, remaining changes:
- remove versioned build-depency on libdevmapper-dev, we are using a
rather sophisticated loop for making sure the root filesystem appears.
* debian/rules: fix location of ltmain.sh
* don't exit usplash anymore in the init script. LP: #110970, #139363
* Disable error message 'failed to setup lvm device'. It is harmless, and
caused by the fact that the udev rules provided by lvm2 are setting up
the lvm on their own. In debian the scripts here are responsible for this
but obviously fail in ubuntu. LP: #151532
* reintroduce changes from 2:1.0.6-2ubuntu5 that have been accidentally
dropped in version 2:1.0.6-2ubuntu6.
* load scripts/functions for log_{begin,end}_msg
* debian/initramfs/cryptroot-script: wait for the cryptsource, not the resulting mapped root device
* debian/initramfs/cryptroot-hook: copy binaries to the right directory
* remove versioned build-depency on libdevmapper-dev, we are using a
rather sophisticated loop for making sure the root filesystem appears.
* Okay, I give up. include preprocessed manpages and adapt
debian/rules to easily produce those.
ATTENTION: on subsequent uploads, make sure that the manpages are
available and up-to-date.
* also use local dtd in debian/doc/variables.xml.in.
* try harder to fix FTBFS.
* build docbook documentation using local dtds instead of trying to
download them at buildtime. Fixes FTBFS.
* Merge new debian version. Remaining changes:
- Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
bzr on launchpad.
- debian/rules: cryptsetup is linked dynamically against libgcrypt and
libgpg-error.
- cryptdisks.functions: stop usplash on user input. LP #62751
- Parse comments in lines not starting with '#', LP #185380
- If the encrypted source device hasn't shown up yet, give it a
little while to deal with removable devices. LP #164044
* Depend on race-free version of libdevmapper, thus making udevsettle
call from cryptsetup binary unnecessary. Dropping patch
debian/patches/06_run_udevsettle.patch
* remove patch from LP #73862, loading optimized modules has been solved
in debian in another way.
* cryptdisk.functions: remove spurious call to load_optimized_module.
LP: #239946
* bugfix: make regex work if keyfile has extended attributes. LP: #231339.
* remove patch in cryptdisks.functions for rexecing the script itself for
ensuring that a tty is always available. (See LP #58794.) According to
Scott, this is not necessary anymore.
* Fix configuration parsing (LP: #239808)
* cryptroot-script: use 'echo' instead of 'log_begin_msg' (LP: #237723)
* Parse comments in lines not starting with '#', LP: #185380
* in cryptroot hook, don't rely on 'udevadm settle' to wait long enough
for the cryptdevice to appear. Reimplement the busy waiting loop found
while waiting for the root file system. Patch based on work by Swâmi
Petaramesh. LP: #164044
* debian/crypdisks.functions: call 'env' with full path. LP: #178829.
* Simplify the patch in debian/cryptdisks.functions that stops usplash
before asking for a passphrase.
* Merge new debian version. Remaining changes:
- cryptsetup is linked dynamically against libgcrypt and libgpg-error.
- stop usplash on user input. LP #62751
- debian/cryptdisks.functions: Always output and read from the console.
LP #58794.
- Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
bzr on launchpad.
- debian/initramfs/cryptroot-hook: LP #73862
Added patch to install aes optimized cypher module
- try to load optimized cypher module in cryptsetup.functions as well,
because cryptroot-hook is only executed when we really have a
cryptoroot.
* other ubuntu changes have been merged into debian. Please report bugs
if you believe some patches have been dropped.
* removed 07_typos_fix.patch, has been reviewed and applied upstream.
* added debian/patches/07_typos_fix.dpatch: fixed typos in man pages. (LP: #164181)
* debian/initramfs/cryptroot-script: Do show the disk name after all, since
some people use multiple encrypted partitions as LVM PVs. (LP: #201413)
* debian/initramfs/cryptroot-script: Do not mention the name of the
encrypted device. It is just technobabble anyway (sda4_crypt), and there
is just one root partition ever, so it is not needed to tell apart
different partitions. From a security POV, someone who can change your
initramfs to boot a different root partition can just as well change the
strings, too. (LP: #201413)
* debian/scripts/luksformat: Use 256 bit key size by default.
(LP: #78508)
* debian/patches/02_manpage.dpatch: Clarify default key sizes (128 for
luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508)
* Fix -x calls and access() call.
* debian/initramfs/cryptroot-script: call udevadm instead of udevsettle
* debian/patches/06_call_udevsettle.dpatch: likewise
* Make cryptsetup understand devices specified by UUID=... or LABEL=
in crypttab. (LP: #153597)
* reenable additional udevsettle calls in cryptroot hook from
https://launchpad.net/bugs/85640, LP: #132373.
* change maintainer to ubuntu-core-dev.
* use Vcs-Bzr instead of XSCB-Vcs-Bzr header in debian/control.
* reapply changes from version 2:1.0.5-2ubuntu2, got dropped with last
upload. Sorry, pitti.
* convert patch to lib/libdevmapper.c to a dpatch.
* RELIABILY FIX: lib/libdevmapper.c: Ensure that pending device creation
events are being processed by calling /sbin/udevsettle. Patch based on
OpenSUSE bug #285478, LP: #132373.
* Based on the change above, the patch from LP #85640 is no longer needed.
dropping the relevant parts.
* Fix debian/rules to not fail to build if autom4te.cache is left behind
from a previous incomplete build.
* debian/initramfs/cryptroot-script:
- If the supplied password worked, remove the prompt from usplash again,
so that the user has some visual feedback that everything is alright.
(LP: #151305)
- Do not show the UUID device node of the outer physical device. It is
scary ("/dev/disk/by-uuid/1234yadayada") and displaying it does not
improve security at all: If attackers can tamper with your initramfs,
they can also change the prompt, and if the UUID of the physical device
changes, then booting will not even get that far. Now it is a much more
friendly "Enter passphrase for sda5_crypt:" which is still technical,
but it's necessary to point out which device will be unlocked in case
there are several.
* Merge new debian version. Remaining changes:
- cryptsetup is linked dynamically against libgcrypt and libgpg-error.
This will break systems where /usr is a separate encrypted filesystem
but not have other bad consequences (in particular, systems with
encrypted root are still fine). The upsides include better
security supportability and smaller packages.
- libcryptsetup.so et al removed from the binary packages. They have
no stable ABI and are not suitable for use by other packages, and
were in violation of library policies etc. They're not needed since
the cryptsetup executable statically contains the relevant parts of
libcryptsetup.
- cryptdisks.functions: remove #!/bin/bash as it isn't a script
by itself; it's only sourced by other scripts. This gets rid
of the lintian warning `script-not-executable' for this file.
- stop usplash on user input. LP #62751
- Always output and read from the console. LP #58794.
- Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
bzr on launchpad.
- Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate
libnsl linkage;
- debian/initramfs/cryptroot-hook: (LP: #73862)
Added patch to install aes optimized cypher module
- try to load optimized cypher module in cryptsetup.functions as well,
because cryptroot-hook is only executed when we really have a
cryptoroot.
- apply patch from pitti for allowing UUIDs in /etc/crypttab.
This allowes crypted PVs! LP: #144390.
- remove README.ubuntu, since it contains old and obsolete information.
* apply patch from pitti for allowing UUIDs in /etc/crypttab.
This allowes crypted PVs! LP: #144390.
* remove README.ubuntu, since it contains old and obsolete information.
* debian/initramfs/cryptroot-hook: (LP: #73862)
- Added patch to install aes optimized cypher module
* re-applying old patch to new package version
* try to load optimized cypher module in cryptsetup.functions as well,
because cryptroot-hook is only executed when we really have a
cryptoroot.
* Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate
libnsl linkage; should finally produce a usable cryptsetup binary for
the udeb.
* Bump libgcrypt11 build-dependency to 1.2.4-2ubuntu1 and rebuild for
proper udeb dependencies.
* Merge new debian version. Remaining changes:
- cryptsetup is linked dynamically against libgcrypt and libgpg-error.
This will break systems where /usr is a separate encrypted filesystem
but not have other bad consequences (in particular, systems with
encrypted root are still fine). The upsides include better
security supportability and smaller packages.
- libcryptsetup.so et al removed from the binary packages. They have
no stable ABI and are not suitable for use by other packages, and
were in violation of library policies etc. They're not needed since
the cryptsetup executable statically contains the relevant parts of
libcryptsetup.
- cryptdisks.functions: remove #!/bin/bash as it isn't a script
by itself; it's only sourced by other scripts. This gets rid
of the lintian warning `script-not-executable' for this file.
- stop usplash on user input. LP #62751
- Always output and read from the console. LP #58794.
* Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
bzr on launchpad.
* UVF exception request granted by Scott Kitterman and Chuck Short
LP: #138295
* Add notes by Ilkka Tuohela in a new file debian/README.ubuntu
* cryptsetup is linked dynamically against libgcrypt and libgpg-error.
This will break systems where /usr is a separate encrypted filesystem
but not have other bad consequences (in particular, systems with
encrypted root are still fine). The upsides include better
security supportability and smaller packages.
* libcryptsetup.so et al removed from the binary packages. They have
no stable ABI and are not suitable for use by other packages, and
were in violation of library policies etc. They're not needed since
the cryptsetup executable statically contains the relevant parts of
libcryptsetup.
* cryptdisks.functions: remove #!/bin/bash as it isn't a script
by itself; it's only sourced by other scripts. This gets rid
of the lintian warning `script-not-executable' for this file.
* s/$CRYPTCMD/cryptsetup/ in debian/cryptdisks.functions
(LP: #115617)
* make luksformat check if filesystem is already mounted to prevent a
strange error message. thanks to mvo for the patch (LP: #116633)
* remove file debian/initramfs-cryptroot-script from source. it is not
installed anywhere, and a leftover from the last merge.
* add missing hunk of cryptsetup.functions compared to debian package.
* reapply http://librarian.launchpad.net/7329604/bug85640.debdiff to
debian/initramfs/cryptroot-script, since stgraber's patch has been
lost in the last merge. (LP: #85640)
* modprobe dm-mod from cryptsetup.functions. (LP: #64625, #91405)
* Merge from Debian unstable. Remaining Ubuntu changes:
- stop usplash on user input. Ubuntu: #62751
- Always output and read from the console. Ubuntu: #58794.
- Wait for Udev to be ready to avoid partition non-detection. (LP: #85640)
* Modify Maintainer value to match Debian-Maintainer-Field Spec
* Wait for Udev to be ready to avoid partition non-detection. (LP: #85640)
* merge debian changes. Remaining ubuntu changes:
- stop usplash on user input. Ubuntu: #62751
- Always output and read from the console. Ubuntu: #58794.
* fix and improve initramfs hook: terminate usplash if running, since
adequate secure text input is not possible with usplash ATM
* usplash support: Terminate usplash before asking a password.
Closes https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/62751
* merge debian changes, remaining patches:
- Always output and read from the console. Ubuntu: #58794.
* other changes have been merged or do noy apply anymore
* read password via usplash if available in initramfs for rootfs. based on a patch from
Swen Thümmler (Thanks for that!) Ubuntu #62751
* read password from initscript via usplash if running. should fix the
rest of Ubuntu #62751. Only problem with that patch: It asks only once
for the password! improvements welcome!
* Always output and read from the console. Ubuntu: #58794.
* Load the dm-crypt module on startup. Ubuntu: #53475.
* Sync with Debian:
Remaining Ubuntu Changes
+ debian/cryptdisks.functions:
- Tell usplash to quit if we ask for a passphrase
- debian/control:
+ Bump initramfs-tools Suggests to Depends: so system is not
potentially rendered unbootable.
+ Depend on plymouth.
- Invert the "busybox | busybox-static" Recommends, as the latter is
the one we ship in main as part of the ubuntu-standard task.
- Remove hardcoded paths to udevadm (LP: #1184066).
- debian/initramfs/cryptroot-hook:
+ Do not unconditionally include cryptsetup utils in the initramfs.
+ Do not include any modules or utils in the initramfs, unless
rootfs/resume devices are encrypted or CRYPTSETUP is set to 'y' in
the initramfs.conf configuration file.
* debian/initramfs/cryptroot-hook:
- Do not unconditionally include cryptsetup utils in the initramfs.
- Do not include any modules or utils in the initramfs, unless
rootfs/resume devices are encrypted or CRYPTSETUP is set to 'y' in
the initramfs.conf configuration file.
* Remove hardcoded paths to udevadm (LP: #1184066).
* Invert the "busybox | busybox-static" Recommends, as the latter
is the one we ship in main as part of the ubuntu-standard task.
* Merge from debian unstable, remaining changes:
- debian/control:
+ Bump initramfs-tools Suggests to Depends: so system is not
potentially rendered unbootable.
+ Depend on plymouth.
- init/upstart jobs:
+ Rename cryptddisks{,-early}.upstart jobs to
cryptdisks-{enable,udev}.upstart, as we need both init & upstart jobs
for now.
+ debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job;
and fix the LSB header to not declare this should be started in
runlevel 'S'.
+ Do not install start symlinks for init scripts
+ NB! shutdown is still handled by the SystemV init scripts
* Merge from debian unstable (LP: #1015753), remaining changes:
- debian/control:
+ Bump initramfs-tools Suggests to Depends: so system is not
potentially rendered unbootable.
+ Depend on plymouth.
- init/upstart jobs:
+ Add debian/cryptdisks-{enable,udev}.upstart for bootup.
+ debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job;
and fix the LSB header to not declare this should be started in
runlevel 'S'.
+ Do not install start symlinks for init scripts
+ NB! shutdown is still handled by the SystemV init scripts
* Rename cryptddisks{,-early}.upstart jobs back to
cryptdisks-{enable,udev}.upstart, as we need both init & upstart jobs
for now.
* Dropped Changes, included in Debian:
- debian/control:
+ Split up package in cryptsetup and cryptsetup-bin. (LP: #343363).
- debian/cryptdisks.functions:
+ Do not overwrite existing filesystems when creating swap (LP: #474258).
+ Add aesni module when we have hardware encryption.
+ Call 'udevadm settle' before 'dmsetup rename' http://pad.lv/874774
+ Suppress "Starting init crypto disks" message in "init" phase, to
avoid writing over fsck progress text.
+ new function, crypttab_start_one_disk, to look for the named source
device in /etc/crypttab (by device name, UUID, or label) and start it
if configured to do so
+ handle the case where crypttab contains a name for the source
device that is not the kernel's preferred name for it (as is the case
for LVs).
- debian/initramfs/cryptroot-hook:
+ Quiet warnings from find on arches that don't have all the
kernel/{arch,crypto} bits we're testing for.
* Our swap creation can trigger udev change events, which means udev may be
holding the device open at the time we try to call 'dmsetup rename' and
cause the /subsequent/ events to be missed because of dmsetup creating
device nodes by hand. So call 'udevadm settle' before 'dmsetup rename',
to ensure blkid is out of the way first. This should ensure swap
partitions are found by mountall in a non-racy manner. LP: #874774.
* Start cryptdisks-enable upstart job on 'or container', to let us
simplify the udevtrigger job.
* Split up package in cryptsetup and cryptsetup-bin. (LP: #343363).
* Do not overwrite existing filesystems when creating swap (LP: #474258).
* Add aesni module when we have hardware encryption.
* Merge from debian unstable (LP: #776264), remaining changes:
- debian/cryptdisks.functions: Suppress "Starting init crypto disks" message
in "init" phase, to avoid writing over fsck progress text.
- debian/cryptroot-hook: Quiet warnings from find on arches that
don't have all the kernel/{arch,crypto} bits we're testing for.
- debian/control:
+ Bump initramfs-tools Suggests to Depends: so system is not
potentially rendered unbootable.
+ Depend on plymouth.
- Add debian/cryptdisks-{enable,udev}.upstart.
- debian/cryptdisks.functions:
+ new function, crypttab_start_one_disk, to look for the named source
device in /etc/crypttab (by device name, UUID, or label) and start it
if configured to do so
- debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job;
and fix the LSB header to not declare this should be started in
runlevel 'S'
- debian/rules:
+ Do not install start symlinks for init scripts, and
install debian/cryptdisks-{enable,udev}.upstart scripts.
* debian/cryptdisks.functions: handle the case where crypttab contains a
name for the source device that is not the kernel's preferred name for
it (as is the case for LVs).
* debian/cryptdisks.functions: Suppress "Starting init crypto disks" message
in "init" phase, to avoid writing over fsck progress text.
* debian/cryptroot-hook: Quiet warnings from find on arches that
don't have all the kernel/{arch,crypto} bits we're testing for.
* Merge from debian unstable (LP: #682177), remaining changes:
- debian/control:
+ Bump initramfs-tools Suggests to Depends: so system is not
potentially rendered unbootable.
+ Depend on plymouth.
- Add debian/cryptdisks-{enable,udev}.upstart.
- debian/cryptdisks.functions:
+ new function, crypttab_start_one_disk, to look for the named source
device in /etc/crypttab (by device name, UUID, or label) and start it
if configured to do so
+ wrap the call to /lib/cryptsetup/askpass with watershed, to make sure
we only ever have one of these running at a time; otherwise multiple
invocations could steal each other's input and/or write over each
other's output
+ when called by cryptdisks-enable, check that we don't already have a
corresponding cryptdisks-udev job running (probably waiting for a
passphrase); if there is, wait until it's finished before continuing.
- debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job;
and fix the LSB header to not declare this should be started in
runlevel 'S'
- debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on
upgrade.
- debian/rules:
+ Do not install start symlinks for init scripts, and
install debian/cryptdisks-{enable,udev}.upstart scripts.
+ link dynamically against libgcrypt and libgpg-error.
- Add debian/cryptsetup.apport: Apport package hook. Install in
debian/rules and create dir in debian/cryptsetup.dirs.
- debian/cryptsetup.postrm: call update-initramfs on package removal.
* Merge from Debian unstable (LP: #594365). Remaining changes:
- debian/control:
+ Bump initramfs-tools Suggests to Depends: so system is not
potentially rendered unbootable.
+ Depend on plymouth.
- Add debian/cryptdisks-{enable,udev}.upstart.
- debian/cryptdisks.functions:
+ new function, crypttab_start_one_disk, to look for the named source
device in /etc/crypttab (by device name, UUID, or label) and start it
if configured to do so
+ wrap the call to /lib/cryptsetup/askpass with watershed, to make sure
we only ever have one of these running at a time; otherwise multiple
invocations could steal each other's input and/or write over each
other's output
+ initially create the device under a temporary name and rename it only
at the end using 'dmsetup rename', to ensure that upstart/mountall
doesn't see our device before it's ready to go.
+ do_tmp should mount under /var/run/cryptsetup for changing the
permissions of the filesystem root, not directly on /tmp, since
mounting on /tmp a) is racy, b) confuses mountall something fierce.
+ when called by cryptdisks-enable, check that we don't already have a
corresponding cryptdisks-udev job running (probably waiting for a
passphrase); if there is, wait until it's finished before continuing.
- debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job;
and fix the LSB header to not declare this should be started in
runlevel 'S'
- debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on
upgrade.
- debian/rules: Do not install start symlinks for init scripts, and
install debian/cryptdisks-{enable,udev}.upstart scripts.
- Add debian/cryptsetup.apport: Apport package hook. Install in
debian/rules and create dir in debian/cryptsetup.dirs.
- debian/rules: link dynamically against libgcrypt and libgpg-error.
- debian/cryptsetup.postrm: call update-initramfs on package removal.
* Dropped changes, merged/superseded in Debian:
- Add ext4 support to passdev.
- cryptroot-hook: don't call copy_modules_dir with empty arguments when
archcrypto isn't found
- Set USPLASH=y and FRAMEBUFFER=y in the hook config to pull plymouth into
the initramfs.
- change interaction to use plymouth directly if present, and if not, to
fall back to /lib/cryptsetup/askpass as before
- cryptdisks.functions: replace 'echo -e' bashism with 'printf'.
- debian/initramfs/cryptroot-script: if plymouth is present in the
initramfs, use this directly, bypassing the cryptsetup askpass script
- debian/initramfs/cryptroot-hook: Properly anchor our regexps when
grepping /etc/crypttab so that we don't incorrectly match device names
that are substrings of one another.
- debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot
file descriptor to subprocesses.
- Fix grammar error in debian/initramfs/cryptroot-script
("setup" -> "set up")
- debian/initramfs/cryptroot-script: Fix this to work with current
initramfs-tools:
+ Source /scripts/functions after checking for prerequisites.
+ prereqs(): Do not assume we are running within initramfs, and
calculate relative path correctly.
* Fix grammar error in debian/initramfs/cryptroot-script
("setup" -> "set up") (LP: #578896)
* debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot
file descriptor to subprocesses.
* debian/initramfs/cryptroot-hook: Properly anchor our regexps when
grepping /etc/crypttab so that we don't incorrectly match device names
that are substrings of one another.
* debian/cryptdisks-{enable,udev}.conf, debian/control: drop
'console output' and add a hard dependency on plymouth instead of
watershed, to avoid spitting extra messages to the console.
* Set FRAMEBUFFER=y in the file that we actually ship.
* debian/cryptsetup.postrm: call update-initramfs on package removal.
LP: #468228.
* cryptdisks.functions: replace 'echo -e' bashism with 'printf'.
* cryptdisks.functions: when called by cryptdisks-enable, check that we
don't already have a corresponding cryptdisks-udev job running (probably
waiting for a passphrase); if there is, wait until it's finished before
continuing.
* Set FRAMEBUFFER=y in the hook config as well, to pull plymouth into the
initramfs.
* cryptdisks.functions, debian/initramfs/cryptroot-script: fix the
invocation of plymouth, so that we actually get proper passphrase prompts
(once bug #496765 is fixed).
* cryptdisks.functions: do_tmp should mount under /var/run/cryptsetup for
changing the permissions of the filesystem root, not directly on /tmp,
since mounting on /tmp a) is racy, b) confuses mountall something fierce.
LP: #475936.
* Depend on watershed.
* Fix the LSB header in the init scripts, now that we don't install to
rcS.d.
* debian/initramfs/cryptroot-script: Fix this to work with current
initramfs-tools:
- Source /scripts/functions after checking for prerequisites.
- prereqs(): Do not assume we are running within initramfs, and calculate
relative path correctly.
* Rename the upstart job introduced in the previous upload to
cryptdisks-udev and restore the previous version of the job as
cryptdisks-enable, to run at the end of udev coldplugging as before;
this isn't entirely race-free, but should nevertheless give us the
two passes needed to cover devices that are decrypted using keys stored
on other encrypted disks. LP: #443980.
* debian/initramfs/cryptroot-script: if plymouth is present in the
initramfs, use this directly, bypassing the cryptsetup askpass script;
but keep support for these other frontends around on a transitional
basis.
* debian/cryptdisks.functions:
- change interaction to use plymouth directly if present, and if not, to
fall back to /lib/cryptsetup/askpass as before
- wrap the call to /lib/cryptsetup/askpass with watershed, to make sure
we only ever have one of these running at a time; otherwise multiple
invocations could steal each other's input and/or write over each
other's output
- new function, crypttab_start_one_disk, to look for the named source
device in /etc/crypttab (by device name, UUID, or label) and start it
if configured to do so
* debian/cryptdisks-enable.upstart: run the upstart job once for each block
device, using the new crypttab_start_one_disk function, triggered by udev;
this doesn't eliminate the possibility of a race with gdm when the
decrypted volume isn't a 'bootwait' mount point (since gdm kills
plymouth), but it does eliminate the race between udev and cryptsetup.
LP: #454898.
* debian/cryptdisks-enable.upstart: check that the package is installed
and exit gracefully if it's not. LP: #435814
* debian/cryptdisk.functions: initially create the device under a temporary
name and rename it only at the end using 'dmsetup rename', to ensure that
upstart/mountall doesn't see our device before it's ready to go.
LP: #475936.
* Add ext4 support to passdev.
* cryptroot-hook: Use if [ -n … ] instead of if ! test -z ….
* cryptroot-hook: dont call copy_modules_dir with empty arguments when
archcrypto isnt found (LP: #495161)
* Merge with Debian testing. Remaining Ubuntu changes:
- debian/rules: cryptsetup is linked dynamically against libgcrypt and
libgpg-error.
- Upstart migration:
+ Add debian/cryptdisks-enable.upstart.
+ debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job.
(LP #473615)
+ debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on
upgrade.
+ debian/rules: Do not install start symlinks for those two, and install
debian/cryptdisks-enable.upstart scripts.
- Add debian/cryptsetup.apport: Apport package hook. Install in
debian/rules, and create dir in debian/cryptsetup.dirs.
- Start usplash in initramfs, since we need it for fancy passphrase input:
+ debian/initramfs/cryptroot-conf, debian/initramfs-conf.d: USPLASH=y
+ debian/control: Bump initramfs-tools Suggests to Depends:.
* Make the 'start' action of the init script a no-op, this should be
handled entirely by the upstart job now; and remove any symlinks from
/etc/rcS.d on upgrade. LP: #473615.
* Add an apport hook
* import the blkid and un_blkid from debian, LP: #446517
* also use this script by default (setting in /etc/default/cryptdisks)
* Reupload previous version, siretart had left changes in bzr which
weren't documented in the changelog and caused FTBFS.
* Move the Debian Vcs- fields aside.
* debian/cryptdisks-enable.upstart: Don't overcompensate for my idiocy,
cryptsetup should not need a controlling terminal, just a terminal
is fine. May fix LP: #439138.
* debian/cryptdisks-enable.upstart: Things that often help include
not setting stdin/out to /dev/null, so you can actually type the
passphrase. I am an idiot. LP: #430496.
* debian/cryptdisks-enable.upstart: add upstart job to enable encrypted
disks once we've finished probing for udev devices, so that mountall
can use them. LP: #430496.
* debian/initramfs/cryptroot-conf: declare that we want usplash included
in the initramfs whenever this package is installed. LP: #427356.
* Merge from debian unstable, remaining changes:
- Ubuntu specific:
+ debian/rules: link dynamically for better security supportability and
smaller packages.
+ debian/control: Depend on initramfs-tools so system is not potentially
rendered unbootable.
- debian/initramfs/cryptroot-script wait for encrypted device to appear,
report with log_*_msg (debian bug 488271).
- debian/initramfs/cryptroot-hook: fix support for UUID and LABEL
correlation between fstab and crypttab (debian bug 522041).
- debian/askpass.c, debian/initramfs/cryptroot-script: using newline
escape in passphrase prompt to avoid line-wrapping (debian bug 528133).
* Drop 04_fix_udevsettle_call.patch: fixed upstream differently.
* debian/control: Depend on initramfs-tools so system is not potentially
rendered unbootable (LP: #358654).
* debian/initramfs/cryptroot-script: we don't require vol_id to understand
the encrypted device, but we should check the device is fully up first
before continuing by calling udevadm settle. LP: #291752.
* debian/initramfs/cryptroot-hook: fix support for UUID and LABEL correlation
between fstab and crypttab (LP: #287879).
* debian/askpass.c: also handle newline escape code in console prompt.
* debian/checks/un_vol_id: dynamically build the "unknown volume type"
string, to allow for encrypted swap, LP: #316607
* debian/askpass.c: handle newline escape code in password prompt.
* debian/initramfs/cryptroot-script: add newline to split cryptroot
password prompt onto two lines for readability (LP: #326900).
* Merge from debian unstable, remaining changes:
- debian/initramfs/cryptroot-script:
- must source /scripts/functions to get the log_*_msg() functions.
- wait for encrypted device to show up (LP 164044, 291752).
- disable error message 'failed to setup lvm device' (LP 151532).
- debian/rules:
- fix location of ltmain.sh (Ubuntu-specific until libtool 2.2.x is
in Debian unstable).
- link dynamically (LP 62751).
- add 04_fix_udevsettle_call.patch: fix path to binary for udevsettle.
* Revert versioned build-depency on libdevmapper-dev, since Ubuntu's
version is higher now.
* debian/initramfs/cryptroot-script: do not require that vol_id
can parse the encrypted device as valid (LP: #291752).
* Fixes for (LP: #272301)
* debian/initramfs/cryptroot-script: must source /scripts/functions to get
the log_*_msg() functions
* 04_fix_udevsettle_call.patch: fix path to binary for udevsettle
* drop almost all ubuntu specific changes from the cryptsetup package,
because they have been merged in debian. Thanks a lot!
* merge from debian, remaining changes:
- remove versioned build-depency on libdevmapper-dev, we are using a
rather sophisticated loop for making sure the root filesystem appears.
* debian/rules: fix location of ltmain.sh
* don't exit usplash anymore in the init script. LP: #110970, #139363
* Disable error message 'failed to setup lvm device'. It is harmless, and
caused by the fact that the udev rules provided by lvm2 are setting up
the lvm on their own. In debian the scripts here are responsible for this
but obviously fail in ubuntu. LP: #151532
* reintroduce changes from 2:1.0.6-2ubuntu5 that have been accidentally
dropped in version 2:1.0.6-2ubuntu6.
* load scripts/functions for log_{begin,end}_msg
* debian/initramfs/cryptroot-script: wait for the cryptsource, not the resulting mapped root device
* debian/initramfs/cryptroot-hook: copy binaries to the right directory
* remove versioned build-depency on libdevmapper-dev, we are using a
rather sophisticated loop for making sure the root filesystem appears.
* Okay, I give up. include preprocessed manpages and adapt
debian/rules to easily produce those.
ATTENTION: on subsequent uploads, make sure that the manpages are
available and up-to-date.
* also use local dtd in debian/doc/variables.xml.in.
* try harder to fix FTBFS.
* build docbook documentation using local dtds instead of trying to
download them at buildtime. Fixes FTBFS.
* Merge new debian version. Remaining changes:
- Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
bzr on launchpad.
- debian/rules: cryptsetup is linked dynamically against libgcrypt and
libgpg-error.
- cryptdisks.functions: stop usplash on user input. LP #62751
- Parse comments in lines not starting with '#', LP #185380
- If the encrypted source device hasn't shown up yet, give it a
little while to deal with removable devices. LP #164044
* Depend on race-free version of libdevmapper, thus making udevsettle
call from cryptsetup binary unnecessary. Dropping patch
debian/patches/06_run_udevsettle.patch
* remove patch from LP #73862, loading optimized modules has been solved
in debian in another way.
* cryptdisk.functions: remove spurious call to load_optimized_module.
LP: #239946
* bugfix: make regex work if keyfile has extended attributes. LP: #231339.
* remove patch in cryptdisks.functions for rexecing the script itself for
ensuring that a tty is always available. (See LP #58794.) According to
Scott, this is not necessary anymore.
* Fix configuration parsing (LP: #239808)
* cryptroot-script: use 'echo' instead of 'log_begin_msg' (LP: #237723)
* Parse comments in lines not starting with '#', LP: #185380
* in cryptroot hook, don't rely on 'udevadm settle' to wait long enough
for the cryptdevice to appear. Reimplement the busy waiting loop found
while waiting for the root file system. Patch based on work by Swâmi
Petaramesh. LP: #164044
* debian/crypdisks.functions: call 'env' with full path. LP: #178829.
* Simplify the patch in debian/cryptdisks.functions that stops usplash
before asking for a passphrase.
* Merge new debian version. Remaining changes:
- cryptsetup is linked dynamically against libgcrypt and libgpg-error.
- stop usplash on user input. LP #62751
- debian/cryptdisks.functions: Always output and read from the console.
LP #58794.
- Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
bzr on launchpad.
- debian/initramfs/cryptroot-hook: LP #73862
Added patch to install aes optimized cypher module
- try to load optimized cypher module in cryptsetup.functions as well,
because cryptroot-hook is only executed when we really have a
cryptoroot.
* other ubuntu changes have been merged into debian. Please report bugs
if you believe some patches have been dropped.
* removed 07_typos_fix.patch, has been reviewed and applied upstream.
* added debian/patches/07_typos_fix.dpatch: fixed typos in man pages. (LP: #164181)
* debian/initramfs/cryptroot-script: Do show the disk name after all, since
some people use multiple encrypted partitions as LVM PVs. (LP: #201413)
* debian/initramfs/cryptroot-script: Do not mention the name of the
encrypted device. It is just technobabble anyway (sda4_crypt), and there
is just one root partition ever, so it is not needed to tell apart
different partitions. From a security POV, someone who can change your
initramfs to boot a different root partition can just as well change the
strings, too. (LP: #201413)
* debian/scripts/luksformat: Use 256 bit key size by default.
(LP: #78508)
* debian/patches/02_manpage.dpatch: Clarify default key sizes (128 for
luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508)
* Fix -x calls and access() call.
* debian/initramfs/cryptroot-script: call udevadm instead of udevsettle
* debian/patches/06_call_udevsettle.dpatch: likewise
* Make cryptsetup understand devices specified by UUID=... or LABEL=
in crypttab. (LP: #153597)
* reenable additional udevsettle calls in cryptroot hook from
https://launchpad.net/bugs/85640, LP: #132373.
* change maintainer to ubuntu-core-dev.
* use Vcs-Bzr instead of XSCB-Vcs-Bzr header in debian/control.
* reapply changes from version 2:1.0.5-2ubuntu2, got dropped with last
upload. Sorry, pitti.
* convert patch to lib/libdevmapper.c to a dpatch.
* RELIABILY FIX: lib/libdevmapper.c: Ensure that pending device creation
events are being processed by calling /sbin/udevsettle. Patch based on
OpenSUSE bug #285478, LP: #132373.
* Based on the change above, the patch from LP #85640 is no longer needed.
dropping the relevant parts.
* Fix debian/rules to not fail to build if autom4te.cache is left behind
from a previous incomplete build.
* debian/initramfs/cryptroot-script:
- If the supplied password worked, remove the prompt from usplash again,
so that the user has some visual feedback that everything is alright.
(LP: #151305)
- Do not show the UUID device node of the outer physical device. It is
scary ("/dev/disk/by-uuid/1234yadayada") and displaying it does not
improve security at all: If attackers can tamper with your initramfs,
they can also change the prompt, and if the UUID of the physical device
changes, then booting will not even get that far. Now it is a much more
friendly "Enter passphrase for sda5_crypt:" which is still technical,
but it's necessary to point out which device will be unlocked in case
there are several.
* Merge new debian version. Remaining changes:
- cryptsetup is linked dynamically against libgcrypt and libgpg-error.
This will break systems where /usr is a separate encrypted filesystem
but not have other bad consequences (in particular, systems with
encrypted root are still fine). The upsides include better
security supportability and smaller packages.
- libcryptsetup.so et al removed from the binary packages. They have
no stable ABI and are not suitable for use by other packages, and
were in violation of library policies etc. They're not needed since
the cryptsetup executable statically contains the relevant parts of
libcryptsetup.
- cryptdisks.functions: remove #!/bin/bash as it isn't a script
by itself; it's only sourced by other scripts. This gets rid
of the lintian warning `script-not-executable' for this file.
- stop usplash on user input. LP #62751
- Always output and read from the console. LP #58794.
- Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
bzr on launchpad.
- Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate
libnsl linkage;
- debian/initramfs/cryptroot-hook: (LP: #73862)
Added patch to install aes optimized cypher module
- try to load optimized cypher module in cryptsetup.functions as well,
because cryptroot-hook is only executed when we really have a
cryptoroot.
- apply patch from pitti for allowing UUIDs in /etc/crypttab.
This allowes crypted PVs! LP: #144390.
- remove README.ubuntu, since it contains old and obsolete information.
* apply patch from pitti for allowing UUIDs in /etc/crypttab.
This allowes crypted PVs! LP: #144390.
* remove README.ubuntu, since it contains old and obsolete information.
* debian/initramfs/cryptroot-hook: (LP: #73862)
- Added patch to install aes optimized cypher module
* re-applying old patch to new package version
* try to load optimized cypher module in cryptsetup.functions as well,
because cryptroot-hook is only executed when we really have a
cryptoroot.
* Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate
libnsl linkage; should finally produce a usable cryptsetup binary for
the udeb.
* Bump libgcrypt11 build-dependency to 1.2.4-2ubuntu1 and rebuild for
proper udeb dependencies.
* Merge new debian version. Remaining changes:
- cryptsetup is linked dynamically against libgcrypt and libgpg-error.
This will break systems where /usr is a separate encrypted filesystem
but not have other bad consequences (in particular, systems with
encrypted root are still fine). The upsides include better
security supportability and smaller packages.
- libcryptsetup.so et al removed from the binary packages. They have
no stable ABI and are not suitable for use by other packages, and
were in violation of library policies etc. They're not needed since
the cryptsetup executable statically contains the relevant parts of
libcryptsetup.
- cryptdisks.functions: remove #!/bin/bash as it isn't a script
by itself; it's only sourced by other scripts. This gets rid
of the lintian warning `script-not-executable' for this file.
- stop usplash on user input. LP #62751
- Always output and read from the console. LP #58794.
* Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
bzr on launchpad.
* UVF exception request granted by Scott Kitterman and Chuck Short
LP: #138295
* Add notes by Ilkka Tuohela in a new file debian/README.ubuntu
* cryptsetup is linked dynamically against libgcrypt and libgpg-error.
This will break systems where /usr is a separate encrypted filesystem
but not have other bad consequences (in particular, systems with
encrypted root are still fine). The upsides include better
security supportability and smaller packages.
* libcryptsetup.so et al removed from the binary packages. They have
no stable ABI and are not suitable for use by other packages, and
were in violation of library policies etc. They're not needed since
the cryptsetup executable statically contains the relevant parts of
libcryptsetup.
* cryptdisks.functions: remove #!/bin/bash as it isn't a script
by itself; it's only sourced by other scripts. This gets rid
of the lintian warning `script-not-executable' for this file.
* s/$CRYPTCMD/cryptsetup/ in debian/cryptdisks.functions
(LP: #115617)
* make luksformat check if filesystem is already mounted to prevent a
strange error message. thanks to mvo for the patch (LP: #116633)
* remove file debian/initramfs-cryptroot-script from source. it is not
installed anywhere, and a leftover from the last merge.
* add missing hunk of cryptsetup.functions compared to debian package.
* reapply http://librarian.launchpad.net/7329604/bug85640.debdiff to
debian/initramfs/cryptroot-script, since stgraber's patch has been
lost in the last merge. (LP: #85640)
* modprobe dm-mod from cryptsetup.functions. (LP: #64625, #91405)
* Merge from Debian unstable. Remaining Ubuntu changes:
- stop usplash on user input. Ubuntu: #62751
- Always output and read from the console. Ubuntu: #58794.
- Wait for Udev to be ready to avoid partition non-detection. (LP: #85640)
* Modify Maintainer value to match Debian-Maintainer-Field Spec
* Wait for Udev to be ready to avoid partition non-detection. (LP: #85640)
* merge debian changes. Remaining ubuntu changes:
- stop usplash on user input. Ubuntu: #62751
- Always output and read from the console. Ubuntu: #58794.
* fix and improve initramfs hook: terminate usplash if running, since
adequate secure text input is not possible with usplash ATM
* usplash support: Terminate usplash before asking a password.
Closes https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/62751
* merge debian changes, remaining patches:
- Always output and read from the console. Ubuntu: #58794.
* other changes have been merged or do noy apply anymore
* read password via usplash if available in initramfs for rootfs. based on a patch from
Swen Thümmler (Thanks for that!) Ubuntu #62751
* read password from initscript via usplash if running. should fix the
rest of Ubuntu #62751. Only problem with that patch: It asks only once
for the password! improvements welcome!
* Always output and read from the console. Ubuntu: #58794.
* Load the dm-crypt module on startup. Ubuntu: #53475.
* Sync with Debian:
Remaining Ubuntu Changes
+ debian/cryptdisks.functions:
- Tell usplash to quit if we ask for a passphrase
expand all
collapse all
added
removed
