Control: tag -1 patch pending I've pushed a pu/master branch based on the changes in Ubuntu. These changes have been there since early 2010, they seem to be working mostly fine, and I'd rather avoid introducing more delta between Debian and Ubuntu by merging a different approach. Colin: Please confirm that looks good to you: http://anonscm.debian.org/cgit/d-i/partman-crypto.git/commit/?h=pu/master&id=be0a3afab31ba7a174047289c3aa5df179c6a794 http://anonscm.debian.org/cgit/d-i/partman-crypto.git/commit/?h=pu/master&id=34d54040ad6052a581f18732a8cb854445ae2e77 http://anonscm.debian.org/cgit/d-i/partman-crypto.git/commit/?h=pu/master&id=093592ce5f377679cbe717d5bdd87a35fcab98f5 The only minor issue I've been able to find using various combinations of empty, short, and long passphrase(-again) settings; crossed with true and false for weak_passphrase: if one preseeds weak_passphrase to false, one never gets a chance of seeing this prompt, in any cases. Of course it would be a user error to specify too short a passphrase in preseed and enforce this setting, but it could be somewhat misleading. I'm tempted to track this issue as a minor or normal bug against partman-crypto/76. Olaf: I'm really sorry for not merging your work but I hope you do understand the rationale above. Many thanks for submitting, though, and for reminding us of that feature request; that's appreciated! Cyril Brulebois <firstname.lastname@example.org> (2014-10-20): > > Two things come to my mind: > > > > - The feature should have some documentation to explain to users > > that any preseeded passphrase is to be considered insecure and must > > be changed after installation, like Olaf suggested perhaps the > > preseeding template could be a good place. > > I think I'll go for a comment in partman-crypto's templates file for > now. I still have to double check how the example preseed file is > maintained, to make sure it contains said warning. Christian: Can you please check that this modification isn't going to generate either noise or work for translators? And suggest another approach if I failed to do that properly. http://anonscm.debian.org/cgit/d-i/partman-crypto.git/commit/?h=pu/master&id=093592ce5f377679cbe717d5bdd87a35fcab98f5 > > - I have a vague memory of needing to clear the template value for > > partman-crypto/passphrase (and passphrase-again) to ensure the > > passphrase does not end up in the debconf database of the installed > > system. Could you verify if this is (still?) true? > > I'm also verifying this. Max: I haven't found a trace of the preseeded passphrase on the installed system. Possibly because it's not written there, because both passphrase and passphrase-again have "Type: password"? Mraw, KiBi.
Description: Digital signature