cryptsetup 2:2.0.3-6ubuntu1 source package in Ubuntu

Changelog

cryptsetup (2:2.0.3-6ubuntu1) cosmic; urgency=low

  * Merge from Debian unstable.  LP: #1781912.
  * Remaining changes:
    - debian/control:
      + Recommend plymouth.
      + Invert the "busybox | busybox-static" Recommends, as the latter
        is the one we ship in main as part of the ubuntu-standard task.
    - Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
      compatibility. LP: #1651818
  * Dropped changes, included in Debian:
    - Drop explicit libgcrypt20 dependency from libcryptsetup4.
    - Drop the CRYPTSETUP variable warning from the initramfs hook, as
      overlayroot package ships a dropin in conf-hooks.d triggering false
      warnings.
    - Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
    - Drop c99 std, as the default is now higher than that
  * Dropped changes, no longer needed:
    - Add maintscript to drop removed upstart system jobs.

cryptsetup (2:2.0.3-6) unstable; urgency=medium

  * debian/TODO.md: Remove mention of parent device detection for mdadm
    (#629236) as it's fixed since 2:2.0.3-2.
  * debian/README.gnupg, debian/TODO.md, debian/doc/crypttab.xml: minor typo
    fixes.
  * debian/rules, debian/patches/disable-internal-tests.patch: Remove patch to
    add configure flag '--disable-internal-tests'.  The internal test suite is
    run by dh_auto_test(1), and it is skipped if DEB_BUILD_OPTIONS environment
    variable contains the string "nocheck".
  * debian/cryptdisks-functions, debian/initramfs/scripts/local-top/cryptroot:
    When the 2nd column of a crypttab entry denodes a block special device,
    resolve the device but don't convert it to /dev/block/$major:$minor.
    (Closes: #903246.)
  * debian/initramfs/hooks/cryptroot:
    + Treat null device numbers as invalid in resolve_device(), cf.
      /Documentation/admin-guide/devices.txt in the kernel source tree.
    + generate_initrd_crypttab(): add '\n' to the local IFS since
      get_resume_devno() prints one major:minor pair per line.
  * debian/initramfs/scripts/local-{top,bottom}/cryptopensc:
    + Save process ID of the pcscd daemon at local-top stage, and kill it at
      local-bottom stage.  Thanks to Pascal Vibet for the patch.
      (Closes: #903574.)
    + Fix path to the pcscd executable (the fix for #880750 was incomplete).
  * debian/README.opensc: Remove mention of 'README.openct.gz' as it's gone
    since 2:2.0.3-2.
  * debian/scripts/decrypt_opensc: Fix plymouth prompt message (use
    $CRYPTTAB_NAME not $crypttarget).

cryptsetup (2:2.0.3-5) unstable; urgency=medium

  [ Jonas Meurer ]
  * debian/askpass.c, debian/scripts/passdev.c, debian/rules:
    + Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
    + Drop c99 std, as the default is now higher than that
  * debian/control:
    + Drop explicit dependencies on libgcrypt20 and libgpg-error0 from
      libcryptsetup12. They're pulled in by ${shlibs:Depends} automatically.

  [ Guilhem Moulin ]
  * debian/initramfs/cryptroot-unlock: Keep looping forever (as long as the
    disk is locked) if the CRYPTTAB_OPTION_tries variable is set to 0, cf.
    crypttab(5).
  * debian/doc/crypttab.xml: Clarify that the 'readonly' flag sets up a
    read-only mapping.  Cf. `cryptsetup --readonly`.
  * debian/initramfs/hooks/cryptroot:
    + Fix generation of initrd crypttab(5) with `update-initramfs -u -v` for
      key files matching $KEYFILE_PATTERN, or when a 'keyscript' is specified
      in the crypttab options.  Regression since 2:2.0.3-2. (Closes: #902733.)
    + Avoid processing entries multiple times in get_crypttab_entry(), which
      could happen with 'keyscript=decrypt_derived' for instance.
    + Don't complain that the sysfs dir can't be found when the hook failed to
      normalize the device (another warning is shown already).
    + If source device is mapped (for instance if it's a logical volume), put
      its dm name into the initrd crypttab.  LVM2's local-block script doesn't
      work with UUIDs, and giving it a VG+LV is better anyway as we avoid to
      activate all volumes at initramfs stage. (Closes: #902943.)
  * debian/initramfs/conf-hook: Clarify that if KEYFILE_PATTERN if null or
    unset then no key file is copied.
  * debian/initramfs/*, debian/functions, debian/cryptdisks-functions:
    + Use major:minor device IDs internally, as this facilitate discovery of
      sysfs directories, and we don't have to take care of the udev mangling.
    + Decode octal sequences when reading /etc/crypttab or /etc/fstab.  This
      means that key files and option values can contain blanks and special
      characters encoded as octal sequences.
    + Refactor crypttab(5) parsing logic, to avoid duplication of boilerplate
      code.
  * debian/functions: If the key file is a symlink, warn about insecure
    permissions of the target, not the link itself.
  * debian/scripts/decrypt_derived: For devices with keys in the kernel
    keyring (e.g., LUKS2 by default), refuse to derive anything.
  * debian/patches/disable-internal-tests.patch: Add configure option
    '--disable-internal-tests' to disable the internal test suite.
  * debian/rules: Don't run upstream's internal test suite if
    $DEB_BUILD_OPTIONS contains the string "skip-internal-tests".  (Tests are
    still run by default.)
  * debian/cryptdisks-functions: Restore support for crypttab(5) entries with
    regular files as source device.  Regression since 2:2.0.3-2.
    (Closes: #902879.)
  * debian/control: Bump Standards-Version to 4.1.5 (no changes necessary).

cryptsetup (2:2.0.3-4) unstable; urgency=low

  * debian/initramfs/hooks/cryptroot:
    + Fix typo in warning message. (Closes: #901971.)
    + sysfs_devdir(): don't croak when the normalized device pathname isn't of
      the form /dev/$blk.  This is the case in the Debian installer, where the
      devtmpfs pseudo-filesystem exposes /dev/mapper/$name as a block device
      instead of a symlink to /dev/dm-$index.
    + sysfs_devdir(): return /sys/dev/block/$maj:$min (a symlink pointing the
      sysfs directory corresponding to the device) rather than /sys/block/$blk.
      While the latter is present for mapped devices, it's not present for
      block devices corresponding to disk partitions.  See sysfs(5) for
      details. (Closes: #902183.)
    + get_crypttab_entry(): skip (harmless) warning if blkid_tag() fails to
      get the UUID of a dm-crypt device's slave (it's normal with plain
      dm-crypt devices).
    + get_crypttab_entry(): don't warn that key file doesn't exist if it's
      e.g., an existing character special device.
  * debian/functions:unlock_mapping(): translate crypttab(5) option
    'size=<size>' to `cryptsetup --key-size=<size>`, not `--size` (which
    doesn't set the key size but the size of the device in number of 512 byte
    sectors).  Regression since 2:2.0.3-2. (Closes: #902245.)
  * debian/initramfs/scripts/local-top/cryptroot, debian/cryptdisks-functions,
    debian/initramfs/cryptroot-unlock: Fix off-by-one unlock count.  Some
    keyscripts (such as decrypt_keyctl) don't work properly if on first try
    the CRYPTTAB_TRIED environment variable isn't set to 0.  Regression since
    2:2.0.3-2. (Closes: #902116.)
  * debian/scripts/decrypt_keyctl: replace the source device path with the
    mapped device name in messages, to match the new askpass behavior.

cryptsetup (2:2.0.3-3) unstable; urgency=low

  [ Jonas Meurer ]
  * debian/*: run wrap-and-sort(1)
  * debian/control:
    + Add Conflicts and Breaks on 'cryptsetup-bin (<< 2:2.0.3-2)' to
      cryptsetup-run. Needed since we moved luksformat between the
      packages. (Closes: #901773)
    + Remove all traces of package 'cryptsetup-luks' from dependency
      headers. This package has never been part of an official Debian
      release and the time it existed is more than 12 years ago.
    + Remove Conflicts/Breaks headers from the split of cryptsetup into
      cryptsetup/cryptsetup-bin in release 2:1.4.1-3. The conflicting
      version is from Debian Wheezy, which means that there's three
      releases in between. We don't support dist-upgrades with skipped
      releases anyway.
    + Remove obsolete 'Breaks: hashalot (<< 0.3-2)' from cryptsetup-run.
    + Remove versioned depends of libcryptsetup12 on libgcrypt20 and
      libgpg-error0. Both versions are satisfied since more than three
      releases.
    + Remove versioned build-depends on docbook-xsl, dpkg-dev,
      libdevmapper-dev, libgcrypt20-dev and libtool. All versions are
      satisfied since more than three releases.
  * debian/*: Change maintainer contact address to @alioth-lists.debian.net.

  [ Guilhem Moulin ]
  * debian/control: Replace 2:2.0.2-2 with 2:2.0.3-1 in Breaks/Replaces/Depends
    fields.  (2:2.0.2-2 was never released, the version we released after the
    package split was 2:2.0.3-1.)
  * debian/initramfs/cryptroot-script: exit immediately when
    /lib/cryptsetup/functions is not present. (Closes: #901830.)
  * debian/cryptsetup-run.prerm: use `dmsetup table --target crypt` to avoid
    manually excluding mapped devices using another subsystem.
  * d/initramfs/hooks/cryptroot:
    + Fix parser for cipher specifications in mapping table of crypt targets.
      In particular, the cipher mode wasn't parsed properly, potentially
      causing missing modules in initrd.img compiled with MODULES=dep.
      Regression introduced in 2:2.0.3-2.  (Closes: #901884.)
    + Print a warning when the mapping table specifies the cipher in kernel
      crypto API format ("capi:" prefix).  We don't support these yet.

cryptsetup (2:2.0.3-2) unstable; urgency=medium

  The "nights are long in summer" cryptsetup sprint release :-)

  Guilhem and Jonas hacked together for three days (and nights), refactored
  almost all of the cryptsetup packages, squashed (at least) 19 bugs and
  started work on several new features. Yay!

  [ Guilhem Moulin ]
  * cryptsetup-initramfs: Demote "Depends: console-setup, kbd" to Recommends:
    (Closes: #901641.)
  * debian/initramfs/*-hook: complete refactoring. Common functions are now in
    /lib/cryptsetup/functions (source-able from shell scripts).
    (Closes: #784881.)
  * debian/initramfs/cryptroot-hook:
    + Use sysfs(5) block (resp. fs) hierarchies to detect slave dm-crypt
      devices such as LVM2 on top of LUKS (resp. multiple device filesystems
      such as btrfs).  This approach is more robust than parsing the output of
      `lvs` or `btrfs filesystem`.
    + Export relevant crypttab(5) snippet (for devices that need to be
      unlocked at initramfs stage) to the initramfs' /cryptroot/crypttab.
    + Print a warning inviting the user to uninstall 'cryptsetup-initramfs'
      if 1/ the CRYPTSETUP configuration option is unset or null (the
      default), and 2/ the hook didn't detect any device to be unlocked at
      initramfs stage.  The benefit is two-fold: it guides users through the
      package split, and warns them that their system might not reboot if the
      hook script didn't work properly.
  * Remove the 'decrypt_openct' keyscript since openct was last seen in
    oldoldstable, cf. #760258 (ROM).
  * debian/initramfs/cryptroot-script: refactoring, using functions from
    /lib/cryptsetup/functions. (Closes: #720952, #826124.)
    + One can disable the cryptsetup initramfs scripts for a particular boot
      by passing "cryptopts=" as kernel boot argument. (Closes: #873840.)
    + No longer sleep for a full minute after exceeding the maximum number of
      unlocking tries.  (This was added in 2:1.7.3-2 as an attempt to mitigate
      CVE-2016-4484.)  Instead, the script sleeps for 1 second after each failed
      attempt in order to defeat online brute-force attacks. (Closes: #898495.)
  * debian/README.initramfs: Remove mention that the initramfs scripts and the
    crypsetup binary are using a different hash algorithm for plain dm-crypt
    volumes.  This is no longer true since 2:1.0.6~pre1+svn45-1, cf. #406317.
  * debian/cryptdisks.functions:
    + Refactoring, using functions from /lib/cryptsetup/functions.
      (Closes: #859953, #891219.)
    + Install to /lib/cryptsetup/cryptdisks-functions.
  * crypttab(5):
    + Remove support for the 'precheck' option.  The precheck for LUKS devices
      is still hardcoded to `cryptsetup isLuks`; the script refuses to unlock
      non-LUKS devices (plain dm-crypt and tcrypt devices) containing a known
      filesystem (other that swap).
    + Don't ignore the 'plain' option: disable auto-detection and treat the
      device as a plain dm-crypt device. (Closes: #886007.)
    + Add support for some option aliases to unify with systemd's crypttab(5)
      options.  Namely, 'read-only' is an alias for 'readonly', 'key-slot=' is
      an alias for 'keyslot=', 'tcrypt-hidden' is an alias for 'tcrypthidden',
      and 'tcrypt-veracrypt' is an alias for 'veracrypt'.
    + Add support for 'keyfile-size=' and 'keyfile-offset=' options.
      (Closes: #849335.)
    + Source devices can now be specified using their PARTUUID or PARTLABEL,
      similar to fstab(5).
  * debian/scripts/cryptdisks_start: Add support for '-r'/'--readonly' switch
    to setup readonly mappings. (Closes: #782843.)
  * debian/scripts/cryptdisks_stop: Add support for closing multiple disks at
    once.  (Closes: #783194.)

  [ Jonas Meurer ]
  * debian/doc/crypttab.xml:
    + Add a section about the different crypttab formats of our package and
      the systemd cryptsetup wrapper.
    + Document, which options are ignored by the initramfs scripts and which
      are unsupported by the systemd implementation. (Closes: #714380)
    + Clarify documentation of option 'tries'. It also applies when using
      keyscripts, not only with interactive passphrases. (Closes: #826127)
    + Make it obvious that in case a keyscript is configured, the third option
      is passed as argument to the keyscript. Mention the optional requirement
      to quote the value. (Closes: #826122)
    + Some minor wording improvements.
  * debian/control, debian/combat: Bump debhelper compatibility level to 11.
  * debian/rules:
    + Completely refactor the rules file, adapt to debhelper 11 style.
      (Closes: #901713)
    + Run the upstream build-time testsuite thanks to dh_auto_test.
    + Move the luksformat script from cryptsetup-bin to cryptsetup-run.
    + Install the bug-script into all packages.
    + No longer install the sysvinit initscripts into cryptsetup-udeb.
    + Remove many old build and compile flags, debhelper takes care of most of
      them nowadays.

cryptsetup (2:2.0.3-1) unstable; urgency=medium

  [ Guilhem Moulin ]
  * Split cryptsetup package into cryptsetup-run (init scripts and libraries)
    and cryptsetup-initramfs (initramfs integration).  The 'cryptsetup'
    package is now a transitional dummy package.  (Closes: #783297.)
  * debian/cryptsetup-run.preinst: remove logic for rm_conffile
    /etc/udev/rules.d/z60_cryptsetup.rules, which was added for #493151 in
    2:1.0.6-5.
  * debian/cryptdisks.bash_completion: only complete cryptdisks_stop arguments
    with crypttab(5) targets that already exist, and only complete
    cryptdisks_start targets with crypttab(5) targets that don't exist yet.
    (Closes: #827200.)
  * debian/initramfs/cryptroot-hook:
    + use copy_file() from hook-functions to copy key files to the initrd.
      This ensures that relevant messages are printed in verbose mode.
      (Closes: #898516.)
    + remove backward compatibility support for setting CRYPTSETUP and
      KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf.  Since 2:1.7.2-1
      they should be set in /etc/cryptsetup-initramfs/conf-hook.
    + add 'algif_skcipher' kernel module to large initramfs (if the MODULES
      variable isn't "dep").  That module is required for unlocking LUKS2
      devices.

  [ Jonas Meurer ]
  * New upstream release 2.0.3
  * debian/control:
    - Bump standards-version to 4.1.4, no changes required
    - Change my mail address to '<email address hidden>'
    - Change Vcs links to the new repository on salsa.debian.org
  * debian/README.source: minor improvements
  * debian/doc/crypttab.xml: Fix typo in manpage

 -- Steve Langasek <email address hidden>  Mon, 16 Jul 2018 08:27:58 -0400