On Tue, 2011-05-17 at 13:48 +0200, Jonas Meurer wrote: > - cryptsetup is not the only userspace tool which manages dm-crypt > devices. Low-level tools like dmsetup, udev, hal; commandline tools > like cryptmount and gui applications like gnome-mount etc. might > unlock/lock encrypted devices as well. That's a good point, I've completely forgot, when I've said in another email, that I _could_ live with a cryptsetup package whose removal fails if the are still open devices left. > - the cryptdisks initscript only manages dm-crypt devices which are > listed in the crypttab. Therefore otherwise unlocked devices are > ignored. Though this is another issue: Wouldn't it make sense to try at the very end "just before shutdown/reboot" to close any remaining _non managed_ dm-crypt devices? Perhaps we should as Milan, if the same effect is automatically done by the kernel itself. > > Still, the IMHO best solution would be: > > - let any scripts fail with $? != 0 if the action they're expected to > > perform failed > > => this however does not comply with the crude Debian init-scripts > > policy > > Sorry Christoph, but this is simply not an option. Out of curiosity: Did someone from the policy guys came and request this from you? Cause we had it that way for some time now. > > - if cryptsetup is removed OR purged, give a big fat debconf-prio-low > > warning that devices a b c are still open, and cannot be closed using > > cryptsetup, if the user decides to continue. > > At the moment I consider this as the best solution. Nice to hear :-) Cheers, Chris.
Description: S/MIME cryptographic signature