~mwhudson/ubuntu/+source/cryptsetup:merge

Branch merges

Propose for merging

Ready for review for merging into ubuntu/+source/cryptsetup:debian/sid

Guilherme G. Piccoli (community): Approve on 2020-11-10

git-ubuntu developers: Pending requested 2020-11-09

Diff: 2287 lines (+1775/-33)

11 files modified

debian/changelog (+1603/-0)
debian/control (+4/-3)
debian/cryptsetup-initramfs.install (+1/-0)
debian/functions (+11/-1)
debian/initramfs/cryptroot-unlock (+12/-6)
debian/initramfs/hooks/cryptroot (+5/-3)
debian/initramfs/scripts/local-block/cryptroot (+4/-0)
debian/initramfs/scripts/local-bottom/cryptroot (+23/-0)
debian/initramfs/scripts/local-top/cryptroot (+56/-20)
debian/patches/decrease_memlock_ulimit.patch (+55/-0)
debian/patches/series (+1/-0)

api

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

730d330... by Michael Hudson-Doyle on 2020-11-09

update-maintainer

540f02c... by Michael Hudson-Doyle on 2020-11-09

reconstruct-changelog

434ed6d... by Michael Hudson-Doyle on 2020-11-09

merge-changelogs

71abcb1... by Michael Hudson-Doyle on 2020-11-09

      - debian/rules:
        - fix FTBFS on riscv64 adding --with-tmpfilesdir to ensure all archs, even
          without systemd knows how to ship cryptsetup.conf

5adf727... by Michael Hudson-Doyle on 2020-11-09

    - included in Debian:
      - debian/cryptsetup-bin.install:
        - Fix FTBFS due to dh_missing detecting crypsetup.conf in debian/tmp where
          it was installed from ./scripts/crypsetup.conf.

df18e43... by Michael Hudson-Doyle on 2020-11-09

  * Dropped changes:
    - Included in new upstream version:
      - SECURITY UPDATE: Out-of-bounds write
        - debian/patches/CVE-2020-14382-*.patch: check segment gaps regardless of
          heap space in lib/luks2/luks2_json_metadata.c.
        - CVE-2020-14382

f307b13... by Michael Hudson-Doyle on 2020-11-09

    - Introduce retry logic for external invocations after mdadm (LP: #1879980)
      - Currently, if an encrypted rootfs is configured on top of a MD RAID1
        array and such array gets degraded (e.g., a member is removed/failed)
        the cryptsetup scripts cannot mount the rootfs, and the boot fails.
        We fix that issue here by allowing the cryptroot script to be re-run
        by initramfs-tools/local-block stage, as mdadm can activate degraded
        arrays at that stage.
        There is an initramfs-tools counter-part for this fix, but alone the
        cryptsetup portion is harmless.
      - d/cryptsetup-initramfs.install: ship the new local-bottom script.
      - d/functions: declare variables for local-top|block|bottom scripts
        (flag that local-block is running and external invocation counter.)
      - d/i/s/local-block/cryptroot: set flag that local-block is running.
      - d/i/s/local-bottom/cryptroot: clean up the flag and counter files.
      - d/i/s/local-top/cryptroot: change the logic from just waiting 180
        seconds to waiting 5 seconds first, then allowing initramfs-tools
        to run mdadm (to activate degraded arrays) and call back at least
        30 times/seconds more.

951dc07... by Michael Hudson-Doyle on 2020-11-09

    - debian/patches/decrease_memlock_ulimit.patch
      Fixed FTBFS due a restrict environment in the new Bionic Builder (LP: #1891473)
      tests/luks2-validation.test, tests/compat-test, tests/tcrypt-compat-test.
      - Thanks Guilherme G. Piccoli.

8a58330... by Michael Hudson-Doyle on 2020-11-09

    - Fix warning and error when running on ZFS on root: (LP: #1830110)
      - d/functions: Return an empty devno for ZFS devices as they don't have
        major:minor device numbers.
      - d/initramfs/hooks/cryptroot: Ignore and don't print an error message when
        devices don't have a devno.
      Submitted to debian upstream as bug #902449.

3adacbd... by Michael Hudson-Doyle on 2020-11-09

    - Fix cryptroot-unlock for busybox compatibility.