
Bug#656710: partman-crypto: Preseeding the passphrase

Control: tag -1 patch pending

I've pushed a pu/master branch based on the changes in Ubuntu. These
changes have been there since early 2010, they seem to be working mostly
fine, and I'd rather avoid introducing more delta between Debian and
Ubuntu by merging a different approach.

Colin: Please confirm that looks good to you:


The only minor issue I've been able to find using various combinations
of empty, short, and long passphrase(-again) settings; crossed with true
and false for weak_passphrase: if one preseeds weak_passphrase to false,
one never gets a chance of seeing this prompt, in any case. Of course
it would be a user error to specify too short a passphrase in preseed
and enforce this setting, but it could be somewhat misleading. I'm
tempted to track this issue as a minor or normal bug against

Olaf: I'm really sorry for not merging your work but I hope you do
understand the rationale above. Many thanks for submitting, though, and
for reminding us of that feature request; that's appreciated!

Cyril Brulebois <kibi@debian.org> (2014-10-20):
> > Two things come to my mind:
> > 
> > - The feature should have some documentation to explain to users
> >   that any preseeded passphrase is to be considered insecure and must
> >   be changed after installation, like Olaf suggested perhaps the
> >   preseeding template could be a good place.
> I think I'll go for a comment in partman-crypto's templates file for
> now. I still have to double check how the example preseed file is
> maintained, to make sure it contains said warning.

Christian: Can you please check that this modification isn't going to
generate either noise or work for translators? And suggest another
approach if I failed to do that properly.


> > - I have a vague memory of needing to clear the template value for
> >   partman-crypto/passphrase (and passphrase-again) to ensure the
> >   passphrase does not end up in the debconf database of the installed
> >   system. Could you verify if this is (still?) true?
> I'm also verifying this.

Max: I haven't found a trace of the preseeded passphrase on the
installed system. Possibly because it's not written there, because both
passphrase and passphrase-again have "Type: password"?
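
A check along the lines of the verification discussed in this message, as an added example that is not part of the original e-mail or of partman-crypto: it parses debconf's flat-file database format and reports whether either passphrase question still holds a value. The file paths are assumed to be the usual debconf locations on an installed system, and the sample stanzas are constructed.

```python
import re

# Questions named in this thread; both templates are "Type: password".
WATCHED = {"partman-crypto/passphrase", "partman-crypto/passphrase-again"}

# Assumed default debconf database files on the installed system.
DB_PATHS = ["/var/cache/debconf/config.dat", "/var/cache/debconf/passwords.dat"]

# Constructed sample: the value was cleared before the database was copied.
CLEAN_SAMPLE = """Name: partman-crypto/passphrase
Template: partman-crypto/passphrase
Value: 
Owners: partman-crypto
Flags: seen
"""

# Constructed sample: what a leftover passphrase would look like.
DIRTY_SAMPLE = CLEAN_SAMPLE.replace("Value: ", "Value: constructed-example") + """
Name: partman-crypto/weak_passphrase
Template: partman-crypto/weak_passphrase
Value: false
"""

def parse_stanzas(text):
    """Split a debconf flat-file database into one dict per stanza."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:      # continuation line
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                key = key.strip()
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def leaked_questions(text, watched=WATCHED):
    """Names of watched questions that still carry a non-empty Value."""
    return sorted(s["Name"] for s in parse_stanzas(text)
                  if s.get("Name") in watched and s.get("Value", ""))

if __name__ == "__main__":
    for path in DB_PATHS:                             # run as root: passwords.dat is 0600
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                print(path, leaked_questions(fh.read()) or "no passphrase value stored")
        except OSError as exc:
            print(path, "not checked:", exc)
```

Only question names are reported, never the stored value, so the output is safe to paste into a bug report.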

