cryptsetup (2:2.6.1-4~deb12u2) bookworm; urgency=medium
[ Michael Biebl ]
* cryptsetup-suspend-wrapper: Don't error out on missing
/lib/systemd/system-sleep directory as systemd 254.1-3 and later no longer
ship empty directories. (Closes: #1050606)
[ Kevin Locke ]
* cryptsetup-initramfs: Add support for compressed kernel modules, which is
the default as linux-image 6.6.4-1~exp1. (Closes: #1036049, #1057441)
[ Guilhem Moulin ]
* add_modules(): Change suffix drop logic to match initramfs-tools.
* Fix DEP-8 tests with kernels shipping compressed modules.
* d/salsa-ci.yml: Set RELEASE=bookworm.
-- Guilhem Moulin <guilhem@debian.org> Mon, 18 Dec 2023 03:41:04 +0100
cryptsetup (2:2.6.1-4~deb12u1) bookworm; urgency=medium
* Rebuild for Bookworm.
-- Guilhem Moulin <guilhem@debian.org> Fri, 21 Apr 2023 00:54:29 +0200
cryptsetup (2:2.6.1-4) unstable; urgency=medium
* Backport upstream MR !498, see #1028250:
+ 7893c33d: Check for physical memory available also in PBKDF benchmark.
+ 6721d3a8: Use only half of detected free memory on systems without swap.
-- Guilhem Moulin <guilhem@debian.org> Thu, 20 Apr 2023 23:46:08 +0200
cryptsetup (2:2.6.1-3~deb12u1) bookworm; urgency=medium
* Rebuild for Bookworm.
* d/gbp.conf: Set 'debian-branch = debian/bookworm'.
* #1032221 can't be fixed via unstable since libcryptsetup12-udeb 2:2.6.1-3
has "Depends: libargon2-1-udeb (>= 0~20190702)" which won't transition to
testing, so instead the release team asked for a t-p-u upload.
-- Guilhem Moulin <guilhem@debian.org> Sun, 26 Mar 2023 19:18:59 +0200
cryptsetup (2:2.6.1-3) unstable; urgency=medium
[ Guilhem Moulin ]
* initramfs hook: Fix copy_libgcc_argon2() on non merged-/usr systems.
(Closes: #1032518)
* Backport upstream MR !490, see #1028250:
+ 27f8e5c0: Try to avoid OOM killer on low-memory systems without swap
+ 899bad8c: Print warning when keyslot requires more memory than available
* d/t/initramfs-hook: Pass `-xdev` to `find "$INITRD_DIR"` in order to solve
a race condition in that autopkgtest.
[ Remus-Gabriel Chelu ]
* Add Romanian debconf templates translation. (Closes: #1031497)
-- Guilhem Moulin <guilhem@debian.org> Mon, 13 Mar 2023 23:43:50 +0100
cryptsetup (2:2.6.1-2) unstable; urgency=medium
* initramfs hook: Explicitly call copy_libgcc(). The recent libargon2-1
upgrade is built with glibc ≥2.34 hence no longer links libpthread. This
in turns means that initramfs-tool's copy_exec() is no longer able to
detect pthread_*() need and thus doesn't copy libgcc_s.so anymore. So we
need to do it manually instead. Closes: #1032221
-- Guilhem Moulin <guilhem@debian.org> Thu, 02 Mar 2023 05:01:53 +0100
cryptsetup (2:2.6.1-1) unstable; urgency=medium
* New upstream bugfix release.
* d/README.Debian: Explicitly set cswap1's device type to 'plain'.
(Closes: #1025136)
* d/control: Update standards version to 4.6.2, no changes needed.
* d/clean: Add some gitignore(5)'d files. (Closes: #1026838)
* cryptgnupg-sc hook: Look terminfo file in /usr/share/terminfo in adition
to /lib/terminfo, see #1028202. (Closes: 1028234)
* d/copyright: Bump copyright years.
-- Guilhem Moulin <guilhem@debian.org> Fri, 10 Feb 2023 00:50:42 +0100
cryptsetup (2:2.6.0-2) unstable; urgency=low
* libcryptsetup-dev: Add 'Depends: libargon2-dev, libblkid-dev,
libdevmapper-dev, libjson-c-dev, libssl-dev, uuid-dev' to account for
libcryptsetup.pc's Requires.private. Closes: #1025054.
-- Guilhem Moulin <guilhem@debian.org> Tue, 29 Nov 2022 15:42:25 +0100
cryptsetup (2:2.6.0-1) unstable; urgency=low
* New upstream release 2.6.0.
-- Guilhem Moulin <guilhem@debian.org> Tue, 29 Nov 2022 01:20:38 +0100
cryptsetup (2:2.6.0~rc0-1) experimental; urgency=medium
* New upstream release candidate 2.6.0, introducing support for handling
macOS FileVault2 devices (FVAULT2). The new version of FileVault based on
the APFS filesystem used in recent macOS versions is currently not
supported: only the (legacy) FileVault2 format based on Core Storage and
HFS+ filesystem (introduced in MacOS X 10.7 Lion) is supported. Moreover
header formatting and changes are not supported; cryptsetup never changes
the metadata on the device.
Closes: #923513.
* Update d/copyright for 2:2.6.0~rc0-1.
* Ship cryptsetup-fvault2Dump(8) and cryptsetup-fvault2Open(8) to
cryptsetup-bin binary package.
* Update d/libcryptsetup12.symbols for 2:2.6.0~rc0-1.
* Add 'fvault2' flag to crypttab(5) to force detection of Apple's FileVault2
volumes.
* d/rules: Add new target execute_before_dh_auto_test so blhc ignores
compilations of tests/*.c.
* d/u/metadata: Set 'Security-Contact' upstream metadata field.
-- Guilhem Moulin <guilhem@debian.org> Sat, 19 Nov 2022 17:30:40 +0100
cryptsetup (2:2.5.0-6) unstable; urgency=medium
* d/t/cryptroot-*: Mask systemd-firstboot.service.
* d/t/cryptroot-*: Use camel case for apt.conf(5) settings.
* d/t/cryptroot-*: _apt(): Sort apt.conf(5) settings.
* d/t/cryptroot-*: Honor apt_preferences(5) settings under autopkgtest.
* d/t/cryptroot-*: init: bind mount temporary filesystems to fix
autopkgtests with systemd 252. (Closes: #1022970)
-- Guilhem Moulin <guilhem@debian.org> Fri, 28 Oct 2022 19:30:14 +0200
cryptsetup (2:2.5.0-5) unstable; urgency=medium
* d/t/cryptroot-*: Bump setup timeout to 3600s so autopkgtests don't fail on
debci runners lacking KVM support.
-- Guilhem Moulin <guilhem@debian.org> Tue, 04 Oct 2022 20:01:50 +0200
cryptsetup (2:2.5.0-4) unstable; urgency=medium
* suspend.conf: Improve description and typofix.
* d/t/cryptroot-*: Fix race condition between creating new partition and
using them.
* d/t/cryptroot-*: Fail the test after a reasonable timeout.
(Closes: #1020714)
* d/t/cryptroot-*: setup_apt(): Add 'Identifier: Packages' to `apt-get
indextargets` filter.
* cryptsetup-suspend-wrapper: Explicitly disable udev support when resuming.
(Closes: #1020553)
* d/t/cryptroot-*: Pin versions for all packages in PKGS_EXTRA that are part
of src:cryptsetup.
-- Guilhem Moulin <guilhem@debian.org> Tue, 04 Oct 2022 01:14:30 +0200
cryptsetup (2:2.5.0-3) unstable; urgency=low
* d/t/cryptroot-*: Disable VGA card on the guest.
* d/t/cryptroot-*: Communicate with guests on /dev/hvc0 and remove
console=hvc0 from the kernel command line to get a noise-free channel.
* d/t/cryptroot-*: poweroff(): Use poweroff(8) not `echo o
>/proc/sysrq-trigger`.
* d/t/cryptroot-*: hibernate(): Use systemctl(1) not `echo disk
>/sys/power/state`.
* d/t/cryptroot-*: Use a separate logfile for each communication channel.
* Refactor d/t/utils/mock.pm and add QMP support; this adds 'Depends:
libjson-perl' to cryptroot-* autopkgtests.
* d/t/cryptroot-*: Use the QMP "quit" command to destroy guests early.
* d/t/cryptroot-*: Start getty on /dev/hvc0 only (not /dev/ttyS0) in
non-interactive mode.
* d/t/cryptroot-*: Remove console=tty0 from the kernel command line.
* d/t/cryptroot-*: Mask all timer units to avoid cluttering test
environments with background jobs.
* d/t/cryptroot-lvm: Also test cryptsetup-suspend (enter to and resume from
S3 state).
* d/t/cryptroot-*: Simplify login prompt regex.
* d/t/cryptroot-*: Use $' when consuming input buffers.
* Salsa CI: Include recipes/debian.yml.
* Salsa CI: Remove redundant variable RELEASE=unstable.
* Salsa CI: Re-enable autopkgtest job with partial coverage.
* cryptsetup-suspend-wrapper: Improve quoting.
* cryptsetup-suspend-wrapper: Use crypttab_find_entry()'s return status.
* d/copyright: Improve wording.
* d/copyright: Fix license for d/scripts/suspend/cryptsetup-suspend.c .
* Add license headers for d/scripts/suspend/*.
* Relicense own code from GPLv2+ to GPLv3+.
* cryptsetup-suspend-wrapper: Don't bindmount temporary filesystems.
* cryptsetup-suspend-wrapper: Improve $INITRAMFS_DIR detection and cleanup.
* cryptsetup-suspend-wrapper: Improve TODO comment.
* d/t/cryptroot-*: Add a network device in interactive mode.
* d/t/cryptroot-lvm: Test I/O on the root FS after wakeup to make sure the
device is not suspended.
* cryptsetup-suspend-wrapper: Harden chroot environment: mount ramfs
read-only and with the 'nodev' option, make it unbindable, and use a
restrictive root mode.
* initramfs hook: Remove duplicate unmangling.
* initramfs hook: populate_CRYPTO_HASHES(): Add missing call to
crypttab_parse_options().
* d/functions: crypttab_parse_options(): Always reset $CRYPTTAB_TYPE.
* cryptsetup-suspend-wrapper: Ignore $KEEP_INITRAMFS if a newer initrd is
detected.
* d/functions: resume_device(): Fix resuming by keyscript.
* d/functions: Refactor resume_device() and freeze_cgroups().
* cryptsetup-suspend-wrapper: Don't copy /lib/firmware if it already exists
in the initrd.
* cryptsetup-suspend-wrapper: Don't treat udevd specially as luksResume now
appears to work when udevd is still frozen.
* cryptsetup-suspend-wrapper: Populate ACTIVE_DEVICES via callback.
* cryptsetup-suspend-wrapper: Use FD3 to list remaining devices.
* d/t/utils/debootstrap: Strip colon and suffix from package (Pre-)Depends.
* d/t/utils/debootstrap: Remove obsolete comment and Pre-Depends.
* d/t/cryptroot-*: Manually create merged-/usr layout and install
usr-is-merged.
-- Guilhem Moulin <guilhem@debian.org> Sun, 18 Sep 2022 23:01:46 +0200
cryptsetup (2:2.5.0-2) unstable; urgency=low
[ Matthias Klose ]
* Add support for 'noudeb' build profile. (Closes: #983318)
[ Christoph Anton Mitterer ]
* initramfs hook: align busybox check on klibc-utils's hook.
[ Benjamin Drung ]
* initramfs hook: Fix broken compatibility with OpenSSL3 when cryptsetup
needs legacy hashes (currently ripemd160 and whirlpool). (LP: #1979159)
[ Guilhem Moulin ]
* New DEP-8 test for crude checks of the initramfs hook.
* Minor changes to the legacy.so inclusion logic.
* DEP-8: Add checks for OpenSSL's legacy.so inclusion.
* d/rules: Inspect DEB_BUILD_* with $(filter ,) not $(findstring ,).
* initramfs boot script: Remove custom LVM handling. Since 2.03.15-1 lvm2
doesn't ship an initramfs boot script anymore and relies solely on udev
rules instead. We therefore don't have to manually activate LVs/VGs
anymore, but cryptsetup-initramfs now conflicts with earlier lvm2
versions. (Closes: #928943)
* Override lintian tag 'conflicts-with-version' given the above.
* initramfs hook: Don't overwrite crypttab(5) source to /dev/mapper/$NAME
for mapped devices. (Closes: #1016455)
* initramfs hook: Preserve crypttab source specifications and devices
starting with /dev/disk/by- or /dev/mapper/.
* d/README.initramfs: Improve section about cryptopts= kernel parameter.
* d/Debian.README: Mention that systemd masks /etc/init.d/cryptdisks.
(Closes: #1010708)
* Rename systemd_cryptsetup-suspend.conf to systemd/cryptsetup-suspend.conf.
* cryptsetup-suspend-wrapper: Fix grep calls in some corner cases such as
template cgroups.
* cryptsetup-suspend-wrapper: Avoid double slash in cgroup paths.
* cryptsetup-suspend-wrapper: Consolidate style.
* d/t/cryptroot-*: Relax the kernel.deb regex to account for release
candidates.
* d/t/cryptroot-*: Add more partition type GUIDs.
* d/t/cryptroot-*: Improve sources.list(5) generation.
* d/t/cryptroot-*: Make APT repository Origin and URI configurable.
* d/t/cryptroot-*: Start udevd before setting up the guest.
* d/t/cryptroot-*: Use a separate /run partition when bootstrapping.
* Run `chmod +x d/t/cryptdisks d/t/utils/init` for consistency.
* d/t/cryptroot-*.d/config: Remove 'cryptsetup' from PKGS_EXTRA as it's only
needed for cryptroot-sysvinit.
* d/t/cryptroot-sysvinit: Rename 'rootfs.key' keyfile to 'homefs.key' which
better describes the purpose of the keyfile.
* d/t/cryptroot-*: Replace /target with '$ROOT'.
* d/t/cryptroot-*: Rename 'testvg' Volume Group to 'cryptvg'.
* d/t/cryptroot-*: Add note about testing cryptsetup-suspend.
* d/t: Add convenience wrapper script for local cryptroot-* test runs.
* New DEP-8 test for LVM-on-MD-on-LUKS2 layout backed by 4 independently
encrypted partitions (all unlocked at initramfs stage).
* New DEP-8 test for a complex nested block device stack.
* Salsa CI: Disable autopkgtest job for now.
-- Guilhem Moulin <guilhem@debian.org> Tue, 09 Aug 2022 01:40:50 +0200
cryptsetup (2:2.5.0-1) unstable; urgency=medium
* New upstream release. (Closes: #1000634, #1011128)
* d/copyright: Fix licence for tokens/ssh/cryptsetup-ssh.c.
* Remove patches applied upstream.
* Rename 'ssh-plugin-test' to 'ssh-test-plugin'.
* Add DEP-8 tests for cryptroot unlocking at early boot stage.
-- Guilhem Moulin <guilhem@debian.org> Fri, 29 Jul 2022 16:31:23 +0200
cryptsetup (2:2.5.0~rc1-3) experimental; urgency=medium
* DEP-8: Add 'Features: test-name=' in order to name inline tests.
* d/t/control: Add 'Restrictions: rw-build-tree' to upstream-testsuite.
* d/control: Remove cryptsetup-reencrypt from cryptsetup-bin package
description since the utility was removed upstream in v2.5.0-rc1.
* d/changelog: Retroactively correct 2:2.4.0~rc0-1+exp1 entry.
* Update d/patches with what's landed upstream since v2.5.0-rc1.
* d/patches, d/rules: Pass $(LDFLAGS) when building fake_token_path.so and
no longer silence blhc(1) for test files.
* Move SSH token plugin stuff into new binary package 'cryptsetup-ssh'.
That plugin is arguably not useful for everyone and we can save the
'Depends: libssh-4' on cryptsetup-bin by moving cryptsetup-ssh(8) and
libcryptsetup-token-ssh.so to a separate package. Since LUKS2 SSH token
support was added after the Bullseye release, and since it is still in
experimental stage, we don't let cryptsetup-bin or cryptsetup depend on
the new binary package. Users who need that feature will need to install
it manually.
-- Guilhem Moulin <guilhem@debian.org> Thu, 21 Jul 2022 20:41:20 +0200
cryptsetup (2:2.5.0~rc1-2) experimental; urgency=medium
* localtest: Treat skipped tests as failure for full coverage.
* d/watch: Add uversionmangle option for release candidates.
* unit-wipe-test: Skip DIO tests when the file system doesn't support
O_DIRECT. This is needed on the buildds where the source tree appears to
be on a tmpfs.
-- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jul 2022 20:49:13 +0200
cryptsetup (2:2.5.0~rc1-1) experimental; urgency=low
* New upstream release candidate 2.5.0. Highlights include:
+ Remove cryptsetup-reencrypt(8) executable, use `cryptsetup reencrypt`
instead (for both LUKS1 and LUKS2).
+ Split manual pages into per-action pages, for instance cryptsetup-open.8
which can be consulted with `man cryptsetup open`.
+ Add LUKS2 encryption removal support with `cryptsetup reencrypt
--decrypt`.
+ Preserve unknown metadata option (features implemented in more recent
cryptsetup releases) during reencryption.
* Salsa CI's deploy stage: Use a Bullseye image.
* Salsa CI's deploy stage: Use apt-get(8) not apt(8).
* Salsa CI's deploy stage: Replace `cp` with `install`.
* Salsa CI's reprotest job: Remove '--no-diffoscope' flag.
* Salsa CI's reprotest job: Update reason for running under 'nocheck' build
profile.
* d/README.source: Update text to reflect current practices.
* DEP-8: Run installed binaries and libraries through the full upstream test
suite (needs machine-level isolation).
* Retroactivately add NEWS.Debian for #949336.
* d/t/control: Add 'Depends: xxd' for 'Tests: cryptdisks' stanza.
* foreach_cryptdev(): Process each device *after* its slaves.
* do_stop(): Remove device holders beforehand. (Closes: #1006802)
* Fix space damage.
* d/u/metadata: Add FAQ URL.
* Refresh lintian overrides to accommodate lintian v2.115.
* d/control: New Build-Depends: asciidoctor (unless under 'nodoc' build
profile).
* d/cryptsetup.docs: Fix FAQ filename.
* Move usr/share/man/*/* glob to debian/*.manpages where it belongs.
* Update d/libcryptsetup12.symbols.
* Bump Standards-Version to 4.6.1 (no changes needed).
* Update d/copyright.
-- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jul 2022 01:49:59 +0200
cryptsetup (2:2.4.3-1) unstable; urgency=high
[ Guilhem Moulin ]
* New upstream security release 2.4.3, with fix for CVE-2021-4122:
decryption through LUKS2 reencryption crash recovery. (Closes: #1003685,
#1003686)
* Remove cryptsetup-initramfs.preinst. (Closes: #1001063)
[ Christoph Anton Mitterer ]
* d/rules: don't expand here-document.
-- Guilhem Moulin <guilhem@debian.org> Thu, 13 Jan 2022 19:07:05 +0100
cryptsetup (2:2.4.2-1) unstable; urgency=high
* New upstream bugfix release 2.4.2.
* d/control: Replace Build-Depends on removed package libsepol1-dev with
libsepol-dev. (Closes: #999815)
* blkid/un_blkid checks: Ignore large offsets when converting from sectors
to bytes.
* crypttab(5): Formatting fix.
* Refresh d/copyright.
* Refresh lintian overrides to accommodate lintian v2.112.
-- Guilhem Moulin <guilhem@debian.org> Thu, 18 Nov 2021 17:15:08 +0100
cryptsetup (2:2.4.1-1) unstable; urgency=medium
[ Guilhem Moulin ]
* New upstream bugfix release 2.4.1.
* d/rules:
+ Use execute_after_dh_* from Debhelper compatibility level 13 when
relevant.
+ Skip documentation generation under nodoc profile.
+ Add new target execute_before_dh_auto_test so blhc ignores compilations
of tests/*.c.
* d/cryptsetup-initramfs.lintian-overrides: Refresh for lintian 2.107.0.
* crypttab(5):
+ Improve documentation about escape sequences.
+ Document that keyscript= can also take an absolute path.
(Closes: #994219)
+ Document that keyscript's exit status is ignored.
+ Various typo fixes and manpages improvements.
* initramfs: Add new hook configuration option ASKPASS=[Yn] to opt out from
askpass inclusion. (Closes: #994486)
* d/cryptsetup-initramfs.post*: Replace `which` with `command -v`.
* Merge debian/experimental branch and bring cryptsetup-suspend to sid.
* d/bash_completion: s/mawk/awk/. We're only using the POSIX subset so any
implementation should work. (Closes: #993374)
* Add DEP-8 tests for cryptdisks_start and cryptdisks_stop covering most of
d/functions and d/cryptdisks-functions. The testbed requires
'isolation-machine' restriction since we need to load kernel modules and
create loop devices.
* d/gbp.conf, d/watch: Explicitly use gzip compression.
[ Christoph Anton Mitterer ]
* d/functions: Export _CRYPTTAB_* to the keyscript's environment.
[ Lukas Schwaighofer ]
* initramfs: Honor activation/auto_activation_volume_list setting.
(Closes: #993725)
[ Thorsten Glaser ]
* blkid/un_blkid checks: Honor offset= option. (Closes: #994056)
-- Guilhem Moulin <guilhem@debian.org> Fri, 08 Oct 2021 14:27:03 +0200
cryptsetup (2:2.4.0-1+exp1) experimental; urgency=medium
* Upload to experimental.
* d/rules: Prefix /lib/systemd/system-shutdown/cryptsetup-suspend.shutdown
with /usr to fix FTBS with debhelper 13.4; see #992469.
-- Guilhem Moulin <guilhem@debian.org> Thu, 19 Aug 2021 22:55:02 +0200
cryptsetup (2:2.4.0-1) unstable; urgency=low
[ Guilhem Moulin ]
* New upstream release.
* Salsa CI: Set SALSA_CI_BLHC_ARGS to avoid failing when *test* files are
built without the "right" LDFLAGS.
* Remove obsolete upstart configuration files on upgrade and purge.
(Closes: #990490)
* d/*.{pre,post}*: Explicitly exit with status code 0.
* d/copyright: Set field Upstream-Name.
* d/control: Bump Standards-Version to 4.6.0 (no changes necessary).
* d/control: Remove cryptsetup-run from cryptsetup's Recommends.
(Closes: #987769)
* d/control: Demote cryptsetup-initramfs from cryptsetup's Recommends to
Suggests. This concludes the package split started in 2:2.0.3-1 during
the Buster release cycle.
[ Ayla Ounce ]
* Add support for --perf_* flags to initramfs.
-- Guilhem Moulin <guilhem@debian.org> Thu, 19 Aug 2021 03:11:11 +0200
cryptsetup (2:2.4.0~rc1-1+exp1) experimental; urgency=medium
* New upstream release candidate.
* d/copyright: Update file.
* d/cryptsetup.docs: Add upstream's README.md.
* d/TODO.md: Remove implemented `luksSuspend` integration.
-- Guilhem Moulin <guilhem@debian.org> Fri, 30 Jul 2021 02:37:32 +0200
cryptsetup (2:2.4.0~rc0-1+exp1) experimental; urgency=medium
* New upstream release candidate 2.4.0. Highlights include:
+ Support for external libraries (plugins) for handling LUKS2 token
objects.
+ Experimental SSH token handler and cryptsetup-ssh(8) utility (resp.
shipped in the 'cryptsetup' and 'cryptsetup-bin' binary packages) as a
demonstration of the external LUKS2 token interface. This adds
libssh-dev to build-depends.
+ Change default LUKS2 PBKDF to Argon2id from Argon2i.
+ Increase minimal memory cost for Argon2 benchmark to 64MiB (suggested
value in Argon2 RFC).
+ Autodetect optimal encryption sector size on LUKS2 format.
+ integritysetup: add integrity-recalculate-reset flag.
+ cryptsetup: retains keyslot number in luksChangeKey for LUKS2.
+ Add close --deferred and --cancel-deferred options.
-- Guilhem Moulin <guilhem@debian.org> Tue, 06 Jul 2021 10:18:17 +0200
cryptsetup (2:2.3.6-1+exp1) experimental; urgency=medium
* New upstream bugfix release. (Closes: #949336)
-- Guilhem Moulin <guilhem@debian.org> Fri, 28 May 2021 22:54:20 +0200
cryptsetup (2:2.3.5-1+exp1) experimental; urgency=medium
* Upload to experimental.
-- Guilhem Moulin <guilhem@debian.org> Thu, 11 Mar 2021 23:36:01 +0100
cryptsetup (2:2.3.5-1) unstable; urgency=medium
* New upstream bugfix release. (Closes: #985581)
* d/watch: Monitor upstream tags rather than tarballs.
* d/gbp.conf: Set 'upstream-vcs-tag' to add upstream tag as additional
parent.
* Simplify d/README.source in accordance with the above.
* Rename d/upstream-signing-key.asc to d/upstream/signing-key.asc as uscan
is now able to verify git tags.
* encrypted-boot.md: Clarify how to solve double password prompt for the
device holding /boot.
* d/copyright: Update copyright year.
-- Guilhem Moulin <guilhem@debian.org> Fri, 02 Apr 2021 23:43:41 +0200
cryptsetup (2:2.3.4-2+exp1) experimental; urgency=medium
* Upload to experimental.
-- Guilhem Moulin <guilhem@debian.org> Thu, 14 Jan 2021 19:55:25 +0100
cryptsetup (2:2.3.4-2) unstable; urgency=medium
[ Guilhem Moulin ]
* d/control: Remove Build-Depends: dh-exec. In compatibility level 13
Debhelper supports variable expansion, which was why we used dh-exec in
the first place.
* libcryptsetup-dev: Install libcryptsetup.so to /lib/$DEB_HOST_MULTIARCH
not /usr/lib/$DEB_HOST_MULTIARCH (closes: #978585), and override
subsequent lintian warning per #843932.
* d/*.install: Replace wildcard with $DEB_HOST_MULTIARCH for consistency.
* d/cryptsetup.lintian-overrides: Rename "init.d-script-does-not-implement-
optional-option $FOO status" tags to "init.d-script-does-not-implement-
status-option $FOO".
* Bump Standards-Version to 4.5.1 (no changes necessary).
* d/cryptdisks-functions: Rename left-over loop_cryptdevs() to
foreach_cryptdev(). Regression from 2:2.3.0-1. (Closes: #974591)
* Initramfs boot script: Drop `lvm vgchange`'s --ignoreskippedcluster flag
which is now a no-op.
* Make d/cryptsetup-initramfs.preinst mangling idempotent.
* Rename Debian resp. upstream branch to debian/latest resp. upstream/latest
for DEP-14 compliance.
* Rename d/gitlab-ci.yml to d/salsa-ci.yml.
* Consolidate d/gbp.conf.
* cryptsetup-initramfs now requires initramfs-tools 0.137 or later and no
longer copies libgcc_s.so.1 to the initrd since recent initramfs-tools
take care of it.
* Add libcryptsetup.la to debian/not-installed.
[ Guilherme G. Piccoli ]
* Initramfs boot script: Fix a deadlock when cryptroot would wait at
local-top stage for a device to appear, while the device would only be
created at local-block stage. This can be the case in dm-crypt-over-MD
scenario when booting the RAID array in degraded mode. (Closes: #933059)
[ Felix C. Stegerman ]
* Fix typo in README.gnupg-sc
-- Guilhem Moulin <guilhem@debian.org> Thu, 14 Jan 2021 19:16:40 +0100
cryptsetup (2:2.3.4-1+exp1) experimental; urgency=medium
* Upload to experimental.
-- Guilhem Moulin <guilhem@debian.org> Fri, 04 Sep 2020 00:55:41 +0200
cryptsetup (2:2.3.4-1) unstable; urgency=high
* New upstream bugfix release, including fix for CVE-2020-14382:
possible out-of-bounds memory write while validating LUKS2 data
segments metadata on 32-bits platforms. (Closes: #969471)
-- Guilhem Moulin <guilhem@debian.org> Fri, 04 Sep 2020 00:30:40 +0200
cryptsetup (2:2.3.3-3+exp3) experimental; urgency=medium
* d/control: Make cryptsetup-suspend explicitly depend on
initramfs-tools-core as we use unmkinitramfs(8) in the wrapper.
* systemd-suspend.service override: Set OOMScoreAdjust to -1000 to
disable OOM killing of processes of the unit. Thanks, ಚಿರಾಗ್.
(Closes: #968569)
* d/doc/cryptsetup-suspend.xml: Document that key material included in the
initramfs image will remain unencrypted (see #969286).
-- Guilhem Moulin <guilhem@debian.org> Mon, 31 Aug 2020 00:09:10 +0200
cryptsetup (2:2.3.3-3+exp2) experimental; urgency=medium
* d/control: Typofix in cryptsetup-suspend's long description.
(Closes: #968455)
* d/control: Make cryptsetup-suspend explicitly depend on kbd as we use
openvt(1) in the systemd-suspend.service override. (Closes: #969226)
* d/*: Run wrap-and-sort(1).
* d/scripts/suspend/cryptsetup-suspend-wrapper:
+ Parse /proc/meminfo in a single pass using shell builtins rather than
calling awk(1).
+ Use "/boot/initrd.img-$(uname -r)" as path to the initrd instead of
deriving it from the kernel command line. BOOT_IMAGE's value is
relative to the boot's loader viewpoint, which might differ from that of
the main system.
+ run_dir(): Prefer find(1)'s -execdir option over -exec.
+ Conditionally remove/copy firmware into the initramfs image.
(Closes: #969270)
* d/rules: Build our scripts with `-Wall -Werror`.
* d/cryptsetup-suspend.{postinst,postrm}: Call `systemctl daemon-reload`,
which appears to be needed on upgrades. (dh_installsystemd(1) doesn't
support overrides so we manually copy the snippet it would add.)
-- Guilhem Moulin <guilhem@debian.org> Sun, 30 Aug 2020 18:01:49 +0200
cryptsetup (2:2.3.3-3+exp1) experimental; urgency=medium
* Add new binary package 'crypsetup-suspend', which implements support
to luksSuspend LUKS devices before ACPI S3 system suspend.
+ See the cryptsetup-suspend(7) manpage for further information.
-- Jonas Meurer <jonas@freesources.org> Wed, 12 Aug 2020 21:29:31 +0200
cryptsetup (2:2.3.3-2) unstable; urgency=medium
[ Helmut Grohne ]
* d/control: Annotate Build-Depends with <!nocheck>. (Closes: #964092)
[ Guilhem Moulin ]
* d/rules: Build with `--with-tmpfilesdir` to force installing
usr/lib/tmpfiles.d/cryptsetup.conf instead of picking the source from
scripts/cryptsetup.conf. This fixes FTBS in environments containing
systemd. (Closes: #968250)
* Add 'bitlk' flag in crypttab(5) to force detection of Windows BitLocker
volumes. (Closes: #967853)
-- Guilhem Moulin <guilhem@debian.org> Wed, 12 Aug 2020 00:22:59 +0200
cryptsetup (2:2.3.3-1) unstable; urgency=medium
[ Guilhem Moulin ]
* New upstream bugfix release.
* d/scripts/decrypt_derived: Remove useless call to `| tr -d '\n'`.
* d/control: Bump debhelper compatibility level to 13. Remove
debian/tmp/lib/$DEB_HOST_MULTIARCH/libcryptsetup.la as we don't install it
anywhere.
[ Rob Pilling ]
* d/scripts/decrypt_derived:
+ move an error message to standard error so it's not accidentally used as
a key
+ exit with a success code when successful
-- Guilhem Moulin <guilhem@debian.org> Thu, 04 Jun 2020 01:41:44 +0200
cryptsetup (2:2.3.2-1) unstable; urgency=medium
* New upstream release.
* debian/control: Set 'Rules-Requires-Root: no'.
* d/initramfs/hooks/cryptroot: Unconditionally copy 'ecb' kernel module
when the host CPU lacks AES-NI support. On such systems XTS needs ECB.
This is a work around for #883595 on kernels 4.10 and later.
(Closes: #959423)
-- Guilhem Moulin <guilhem@debian.org> Wed, 06 May 2020 16:22:01 +0200
cryptsetup (2:2.3.1-1) unstable; urgency=medium
* New upstream release.
* d/initramfs/hooks/cryptroot: Don't set unused variable LIBC_DIR.
-- Guilhem Moulin <guilhem@debian.org> Tue, 24 Mar 2020 02:07:07 +0100
cryptsetup (2:2.3.0-1) unstable; urgency=low
* New upstream release, introducing support for BitLocker-compatible
devices (BITLK format) used in Windows systems.
WARNING: crypttab(5) support for these devices is currently *experimental*
and requires blkid from util-linux >=2.33 (i.e., Buster or later). These
devices currently have no keyword to use in the 4th field (unlike 'luks'
or 'plain'), the device type is inferred from the signature instead.
* crypttab(5): Make the 4th field (options) optional so we don't have to
introduce a new keyword for each new device type. (That field is also
optional in the systemd implementation.) Other fields (dm target name,
source device, and key file) remain required.
* Install cryptdisks_{start,stop} bash completion scripts to the right
path/name so they are loaded automatically. This was no longer the case
since 2:1.7.0-1. (Closes: #949623)
* d/*.install: Replace tabs with spaces.
* d/cryptdisks-functions: Fix broken $FORCE_START handling. Since
2:2.0.3-2 the SysV init scripts' "force-start" option was no longer
overriding noauto/noearly. (Closes: #933142)
* Move some functions to d/function from the initramfs hook.
* SysV init scripts: skip devices holding the root FS and/or /usr during the
shutdown phase; these file systems are still mounted at this point so any
attempt to gracefully close the underlying device(s) is bound to fail.
(Closes: #916649, #918008)
* Bump Standards-Version to 4.5.0 (no changes necessary).
-- Guilhem Moulin <guilhem@debian.org> Wed, 04 Mar 2020 00:48:19 +0100
cryptsetup (2:2.2.2-3) unstable; urgency=high
* initramfs hook: Workaround fix for the libgcc_s's source location.
(Closes: #950628, #939766.) Fixing #950254 will provide a better
solution.
-- Guilhem Moulin <guilhem@debian.org> Tue, 04 Feb 2020 14:11:12 +0100
cryptsetup (2:2.2.2-2) unstable; urgency=medium
[ Guilhem Moulin ]
* d/initramfs/hooks/cryptroot: On initramfs images built with MODULES=dep,
include the IV generator found in the cipher specification when there is a
matching kernel module. On 5.4 kernels ESSIV isn't implemented in
dm_crypt anymore, but by a dedicated 'essiv' module which thus needs to be
available in order to unlock dm-crypt target using 'aes-cbc-essiv:sha256'.
Closes: #948593.
[ Debian Janitor ]
* Set debhelper-compat version in Build-Depends.
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
Repository-Browse.
-- Guilhem Moulin <guilhem@debian.org> Sat, 18 Jan 2020 20:53:19 +0100
cryptsetup (2:2.2.2-1) unstable; urgency=medium
* New upstream bugfix release.
* debian/control:
+ Add 'procps' to the Build-Depends since the upstream test suite uses
free(1).
+ Bump Standards-Version to 4.4.1 (no changes necessary).
-- Guilhem Moulin <guilhem@debian.org> Fri, 01 Nov 2019 19:32:36 +0100
cryptsetup (2:2.2.1-1) unstable; urgency=medium
* New upstream bugfix release.
* Remove d/patches, applied upstream.
-- Guilhem Moulin <guilhem@debian.org> Fri, 06 Sep 2019 13:28:55 +0200
cryptsetup (2:2.2.0-3) unstable; urgency=medium
* Cherry pick upstream commit 8f8f0b32: Fix mapped segments overflow on
32bit architectures. Regression since 2:2.1.0-1. (Closes: #935702)
-- Guilhem Moulin <guilhem@debian.org> Mon, 26 Aug 2019 12:53:45 +0200
cryptsetup (2:2.2.0-2) unstable; urgency=medium
* debian/control: Add 'Multi-Arch: foreign' tag to the transitional dummy
package 'crytsetup-run'.
* debian/control, debian/compat: Bump debhelper compatibility level to 12.
* debian/rules: Remove dh_makeshlibs(1) override; debhelper 12.3's auto
detection feature subsumes our use of --add-udeb=. This fixes FTBFS with
debhelper 12.5.
-- Guilhem Moulin <guilhem@debian.org> Wed, 21 Aug 2019 22:45:12 +0200
cryptsetup (2:2.2.0-1) unstable; urgency=medium
* New upstream release 2.2.0. Highlights include:
+ New LUKS2 online reencryption extension, allowing reencryption of
mounted LUKS2 devices.
+ Optional global serialization lock for memory hard PBKDF, to workaround
situations when multiple devices are unlocked in parallel, possibly
exhausting memory and triggering the OOM killer. (Cf. #924560.)
+ Add integritysetup support for bitmap mode (Linux >=5.2).
+ Reduce keyslots area size in luksFormat when the header device is too
small.
* Remove d/patches, applied upstream.
-- Guilhem Moulin <guilhem@debian.org> Thu, 15 Aug 2019 09:31:55 +0200
cryptsetup (2:2.1.0-8) unstable; urgency=medium
* encrypted-boot.md:
+ Clarify partition layout.
+ encrypted-boot.md: New section 'Using a custom keyboard layout'.
* d/gbp.conf: New section [export-orig] mirroring [buildpackage].
* d/gitlab-ci.yml: Add 'publish' stage and make yamllint(1) happy.
* d/patches: Backport upstream commit c03e3fe8 so libcryptsetup's
crypt_keyslot_add_by_volume_key() also works a on LUKS2 header where all
bound key slots were deleted, like it does for LUKS1. (Closes: #934715)
-- Guilhem Moulin <guilhem@debian.org> Wed, 14 Aug 2019 16:34:23 +0200
cryptsetup (2:2.1.0-7) unstable; urgency=low
* debian/cryptsetup.NEWS: Mention the 'cryptsetup' and 'cryptsetup-run'
package swap.
* debian/control: Add 'cryptsetup-initramfs' to 'cryptsetup's Recommends:,
so upgrading systems pull it automatically on upgrade. (cryptsetup
<2:2.1.0-6 was a dummy transitional package depending on cryptsetup-run
and cryptsetup-initramfs.) Closes: #932643.
* debian/control: Add 'cryptsetup-run' to 'cryptsetup's Recommends. This
avoids it being removed by `apt upgrade --autoremove` from <2:2.1.0-6,
thus avoids the old cryptsetup-run's prerm script showing a scary (but
moot) warning. After upgrading the prerm script is gone and the package
can be removed without troubles, so we can get rid of it after Bullseye.
(Closes: #932625.)
* cryptsetup-initramfs: Add loud warning upon "prerm remove" if there are
mapped crypt devices (like for cryptsetup.prerm).
* Thanks to David Prévot for helping with the upgrade path!
-- Guilhem Moulin <guilhem@debian.org> Sun, 21 Jul 2019 21:21:10 -0300
cryptsetup (2:2.1.0-6) unstable; urgency=low
* debian/control:
+ Add 'Multi-Arch: foreign' tags to 'cryptsetup-bin' and 'crytsetup-run',
as binaries from these packages are architecture independent.
(Closes: #930115)
+ Add 'Build-Depends: jq, xxd' as the jq(1) and xxd(1) executables are
required for some upstream tests (skipped if the executables are not
found in $PATH).
+ Swap 'cryptsetup' and 'cryptsetup-run' packages: the former now contains
init scripts, libraries, keyscripts, etc. while the latter is now a
transitional dummy package.
+ Remove obsolete cryptsetup.maintscript.
+ Bump Standards-Version to 4.4.0 (no changes necessary).
* debian/*:
+ Fix path names for /usr/share/doc/cryptsetup*/**. (Closes: #904916).
+ Remove compatibility warnings regarding setting 'CRYPTSETUP' in
the initramfs hook configuration. The variable is no longer honored,
and cryptsetup is always integrated to the initramfs when the
'cryptsetup-initramfs' package is installed.
* debian/doc/pandoc/encrypted-boot.md: Minor refactoring.
* debian/gitlab-ci.yml: Adapt pandoc flags to Debian 9 (pass '-S').
* debian/initramfs/conf-hook: Clarify that KEYFILE_PATTERN isn't expanded
for crypttab(5) entries with a 'keyscript=' option. (Closes: #930696)
* debian/doc/crypttab.xml: Point to README.initramfs in the "See Also"
section. (Closes: #913233)
-- Guilhem Moulin <guilhem@debian.org> Sat, 20 Jul 2019 22:15:04 -0300
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libcryptsetup12`.
Generated by dwww version 1.15 on Thu May 23 22:32:33 CEST 2024.