Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #981059,
regarding buster-pu: package clevis/11-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
981059: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981059
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package clevis/11-2
- From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
- Date: Mon, 25 Jan 2021 20:25:19 +0100
- Message-id: <1611602614@msgid.manchmal.in-ulm.de>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hello stable release team,

for the upcoming stable point release, I've just uploaded src:clevis
("automated encryption framework") as version 11-2+deb10u1. There are
three changes related to the dracut integration:

* No longer try to install the clevis-decrypt-http unlocker
  Type: upstream bug
  Debian bug: https://bugs.debian.org/969361
  Fixed in stable and testing: 12-1 (February 2020)
  Problem: The "module-setup.sh" snippet tries to install a script that
  no longer exists, resulting in an initramfs that can no longer
  automatically unlock the root device.
  Remark: The upstream commit also includes documentation cleanup, hence
  it got a little bigger. The actual code change is just one line removed.

* Install cryptsetup and tpm2_pcrlist
  Type: upstream bug
  Debian bug: https://bugs.debian.org/969361
  Fixed in stable and testing: 12-1 (February 2020)
  Problem: Under certain circumstances the cryptsetup program is not
  installed in the initramfs, resulting in a system that cannot be
  unlocked at all, not even manually.
  Remark: The upstream commit also addresses TPM support; it seemed wise
  not to touch this.

* Trigger dracut initramfs re-creation
  Type: convenience/missing feature
  Fixed in stable and testing: 15-1 (December 2020)
  Problem: Upon installation or upgrade, a re-creation of the initramfs
  should be triggered to make sure new features are included.
  Remark: As a digression from unstable, the dependency on dracut (where
  the trigger is handled) has been lowered to a recommendation. This is a
  safeguard against possible installation problems since dracut conflicts
  with a few other packages. Let's better play safe, although I doubt
  there exist users of clevis-dracut who do *not* have dracut itself
  installed *but still* want to use a dracut initramfs.
Regards, Christoph -- System Information: Debian Release: 10.7 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.10.10 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)diff -Nru clevis-11/debian/changelog clevis-11/debian/changelog --- clevis-11/debian/changelog 2019-03-01 11:37:24.000000000 +0100 +++ clevis-11/debian/changelog 2021-01-25 20:03:26.000000000 +0100 @@ -1,3 +1,14 @@ +clevis (11-2+deb10u1) buster; urgency=medium + + * Cherry-pick two comments to fix initramfs creation: Closes: #969361 + - "Delete remaining references to the removed http pin" to unbreak + initramfs generation in dracut. + - "Install cryptsetup and tpm2_pcrlist in the initramfs" to assert + cryptsetup is available in the initramfs + * clevis-dracut: Trigger initramfs creation upon installation + + -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Mon, 25 Jan 2021 20:03:26 +0100 + clevis (11-2) unstable; urgency=medium * Use cryptsetup-bin as dependency, following the cryptsetup diff -Nru clevis-11/debian/clevis-dracut.triggers clevis-11/debian/clevis-dracut.triggers --- clevis-11/debian/clevis-dracut.triggers 1970-01-01 01:00:00.000000000 +0100 +++ clevis-11/debian/clevis-dracut.triggers 2021-01-25 20:03:26.000000000 +0100 @@ -0,0 +1 @@ +activate-noawait update-initramfs diff -Nru clevis-11/debian/control clevis-11/debian/control --- clevis-11/debian/control 2019-03-01 11:32:32.000000000 +0100 +++ clevis-11/debian/control 2021-01-25 20:03:26.000000000 +0100 
@@ -60,6 +60,8 @@ Depends: ${misc:Depends}, clevis-systemd, dracut-network, +Recommends: + dracut, Description: Dracut integration for clevis Clevis is a plugable framework for automated decryption. This package provides integration for the dracut initramfs to automatically unlock diff -Nru clevis-11/debian/patches/cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch clevis-11/debian/patches/cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch --- clevis-11/debian/patches/cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch 1970-01-01 01:00:00.000000000 +0100 +++ clevis-11/debian/patches/cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch 2021-01-25 19:54:44.000000000 +0100 
@@ -0,0 +1,113 @@ +Subject: Delete remaining references to the removed http pin +Origin: v11-1-g1e344db <https://github.com/latchset/clevis/commit/v11-1-g1e344db> +Upstream-Author: Javier Martinez Canillas <javierm@redhat.com> +Date: Wed Nov 7 14:53:08 2018 +0100 +Bug-Debian: https://bugs.debian.org/bug=969361 + + Commit 800d73185d7f ("Remove HTTP pin") removed the clevis http pin, but + there are still references of it in the docs and also the dracut module. + + This was causing dracut to fail building the initramfs due the following: + + dracut-install: ERROR: installing 'clevis-decrypt-http' + + Suggested-by: Dominick Grift <dac.override@gmail.com> + + Fixes: #73 + +--- a/README.md ++++ b/README.md +@@ -58,27 +58,6 @@ + the advertisment is specified manually like this, Clevis presumes that the + advertisement is trusted. + +-#### PIN: HTTP +- +-Clevis also ships a pin for performing escrow using HTTP. Please note that, +-at this time, this pin does not provide HTTPS support and is suitable only +-for use over local sockets. This provides integration with services like +-[Custodia](http://github.com/latchset/custodia). +- +-For example: +- +-```bash +-$ echo hi | clevis encrypt http '{"url": "http://server.local/key"}' > hi.jwe +-``` +- +-The HTTP pin generate a new (cryptographically-strong random) key and performs +-encryption using it. It then performs a PUT request to the URL specified. It is +-understood that the server will securely store this key for later retrieval. +-During decryption, the pin will perform a GET request to retrieve the key and +-perform decryption. +- +-Patches to provide support for HTTPS and authentication are welcome. +- + #### PIN: TPM2 + + Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2) +--- a/src/clevis.1.adoc ++++ b/src/clevis.1.adoc +@@ -21,26 +21,6 @@ + encrypt the data so that it can be automatically decrypted if the policy is + met. Lets walk through an example. 
+ +-== HTTP ESCROW +- +-When using the HTTP pin, we create a new, cryptographically-strong, random key. +-This key is stored in a remote HTTP escrow server (using a simple PUT or POST). +-Then at decryption time, we attempt to fetch the key back again in order to +-decrypt our data. So, for our configuration we need to pass the URL to the key +-location: +- +- $ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE +- +-To decrypt the data, simply provide the ciphertext (JWE): +- +- $ clevis decrypt < JWE > PLAINTEXT +- +-Notice that we did not pass any configuration during decryption. The decrypt +-command extracted the URL (and possibly other configuration) from the JWE +-object, fetched the encryption key from the escrow and performed decryption. +- +-For more information, see link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)]. +- + == TANG BINDING + + Clevis provides support for the Tang network binding server. Tang provides +@@ -136,7 +116,6 @@ + + == SEE ALSO + +-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], + link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], + link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)], + link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)], +--- a/src/luks/clevis-luks-bind.1.adoc ++++ b/src/luks/clevis-luks-bind.1.adoc +@@ -61,7 +61,6 @@ + == SEE ALSO + + link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)], +-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], + link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], + link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)], + link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)] +--- a/src/luks/systemd/dracut/module-setup.sh.in ++++ b/src/luks/systemd/dracut/module-setup.sh.in +@@ -36,7 +36,6 @@ + inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh" + + inst_multiple /etc/services \ +- clevis-decrypt-http \ + clevis-decrypt-tang \ + clevis-decrypt-sss \ + @libexecdir@/clevis-luks-askpass \ +--- 
a/src/pins/sss/clevis-encrypt-sss.1.adoc ++++ b/src/pins/sss/clevis-encrypt-sss.1.adoc +@@ -54,6 +54,5 @@ + + == SEE ALSO + +-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], + link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], + link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)] diff -Nru clevis-11/debian/patches/cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch clevis-11/debian/patches/cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch --- clevis-11/debian/patches/cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch 1970-01-01 01:00:00.000000000 +0100 +++ clevis-11/debian/patches/cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch 2021-01-25 20:03:26.000000000 +0100 
@@ -0,0 +1,42 @@ +Subject: Install cryptsetup and tpm2_pcrlist in the initramfs +Origin: v11-2-g3465859 <https://github.com/latchset/clevis/commit/v11-2-g3465859> +Upstream-Author: Javier Martinez Canillas <javierm@redhat.com> +Date: Wed Nov 7 15:12:17 2018 +0100 +Bug-Debian: https://bugs.debian.org/bug=969361 + + The cryptsetup and tpm2_pcrlist are missing in the initramfs, this makes + automatic LUKS unlocking fail with the following errors: + + dracut-initqueue[382]: /usr/libexec/clevis-luks-askpass: line 52: cryptsetup: command not found + dracut-initqueue[382]: /usr/bin/clevis-decrypt-tpm2: line 40: tpm2_pcrlist: command not found + + Suggested-by: Federico Chiacchiaretta <federico.chia@gmail.com> + + Fixes: #74 + +--- a/src/luks/systemd/dracut/module-setup.sh.in ++++ b/src/luks/systemd/dracut/module-setup.sh.in +@@ -40,6 +40,7 @@ + clevis-decrypt-sss \ + @libexecdir@/clevis-luks-askpass \ + clevis-decrypt \ ++ cryptsetup \ + luksmeta \ + clevis \ + mktemp \ +@@ -49,6 +50,7 @@ + + for cmd in clevis-decrypt-tpm2 \ + tpm2_createprimary \ ++ tpm2_pcrlist \ + tpm2_unseal \ + tpm2_load; do + +@@ -60,6 +62,7 @@ + if (($ret == 0)); then + inst_multiple clevis-decrypt-tpm2 \ + tpm2_createprimary \ ++ tpm2_pcrlist \ + tpm2_unseal \ + tpm2_load + fi diff -Nru clevis-11/debian/patches/series clevis-11/debian/patches/series --- clevis-11/debian/patches/series 2018-10-30 22:54:32.000000000 +0100 +++ clevis-11/debian/patches/series 2021-01-25 20:03:26.000000000 +0100 @@ -1,2 +1,8 @@ + +# cherry-picked commits. Keep in upstream's chronological order +cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch +cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch + +# local modifications debian.use-socat.patch debian.use-asciidoctor-to-build-manpages.patchAttachment: signature.asc
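Review bot: in the debian/changelog hunk, "Cherry-pick two comments to fix initramfs creation" should read "two commits", and "to assert cryptsetup is available" is clearer as "to ensure cryptsetup is available"; the changelog is the text the release team and users will read for this update, so it is worth correcting before acceptance. The three bullet points otherwise match the three changes described in the request.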
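Review bot: the new debian/clevis-dracut.triggers line `activate-noawait update-initramfs` is the right shape for a package that only contributes files to the image: with dracut lowered to Recommends, a host that lacks any package interested in that trigger simply sees the activation do nothing, which is the safe outcome the request is aiming for. One gap worth noting: the trigger fires only when clevis-dracut itself is installed or upgraded, while the files the module copies into the image (clevis-decrypt-tang, clevis-luks-askpass, cryptsetup) come from other packages, so a later upgrade of those alone will not refresh the image through this trigger.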
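Review bot: the debian/control hunk adds `Recommends: dracut` while leaving `Depends: dracut-network` untouched; please check whether dracut-network already pulls in dracut in buster, because if it does the new Recommends is redundant and the "safeguard" described in the request does not actually relax anything. Unrelated nit in the unchanged context lines: "plugable" in the Description should be "pluggable".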
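Review bot: the DEP-3 header `Bug-Debian: https://bugs.debian.org/bug=969361` in the first cherry-pick is not a valid bug URL; the form used in the request body, https://bugs.debian.org/969361, is the canonical one, and the same header needs the same fix in the second cherry-pick. The functional change is the single removed `clevis-decrypt-http \` line in module-setup.sh.in, matching the request's remark; the remaining hunks only drop the HTTP pin from README.md and the man pages, so the patch is larger than its behavioural footprint but carries no other code change.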
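Review bot: in the second cherry-pick, `cryptsetup \` lands in the unconditional inst_multiple list, the same list whose failure on the removed http unlocker broke the module in #969361, so a host without cryptsetup now produces a visible dracut-install error rather than an image that silently cannot unlock; that is the right failure mode for a root-unlock helper. The two `tpm2_pcrlist \` additions sit inside the existing `for cmd in ...` availability loop and the `if (($ret == 0))` guard, so on hosts without tpm2-tools the TPM2 block is skipped exactly as before; that is consistent with the request's remark about not touching TPM support, but the changelog should say the TPM2 part is guarded rather than naming only cryptsetup.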
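Review bot: the debian/patches/series hunk starts with an empty line (the first `+` line), so the file now leads with a blank; quilt tolerates that but it is unusual, and the blank before `# local modifications` already separates the groups. The comment "Keep in upstream's chronological order" is enforced by nothing; the numeric prefixes 1541598788 and 1541599937 on the two file names encode that order, which the comment could say explicitly so the next cherry-pick follows the convention.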
--- End Message ---
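Both failure modes described in the request above (an image that never got the clevis module because dracut-install aborted on the removed http unlocker, and an image that lacks cryptsetup) only surface at the next boot. The following check is an added example, not part of the bug report or the clevis package: it reads a listing of the generated image, assumed to come from `lsinitrd /boot/initrd.img-<version>`, and reports which unlock tools are missing; the two listings embedded here are constructed samples.

```shell
#!/bin/sh
# Added example (not from the bug report or the clevis package): check that a
# dracut image carries the tools clevis-dracut's module-setup.sh installs, so a
# broken image is caught now and not at the next boot.  Assumes the listing
# comes from `lsinitrd /boot/initrd.img-<version>` (one ls-style line per file).

# Tools module-setup.sh installs unconditionally (from the patched list).
REQUIRED="cryptsetup clevis clevis-decrypt clevis-decrypt-tang clevis-decrypt-sss luksmeta clevis-luks-askpass"
# Unlocker removed upstream; a reference to it made dracut-install fail.
REMOVED="clevis-decrypt-http"

# check_listing FILE: prints one verdict line per tool; returns 0 only if every
# required tool is present and the removed unlocker is not.
check_listing() {
    rc=0
    for tool in $REQUIRED; do
        if grep -q -E "(^|/)${tool}\$" "$1"; then
            echo "ok       $tool"
        else
            echo "MISSING  $tool"; rc=1
        fi
    done
    for tool in $REMOVED; do
        if grep -q -E "(^|/)${tool}\$" "$1"; then
            echo "STALE    $tool"; rc=1
        fi
    done
    return $rc
}

# Constructed sample listings standing in for real lsinitrd output.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat >"$GOOD" <<'EOF'
Image: initrd.img-5.10.10 (constructed sample)
-rwxr-xr-x 1 root root 0 Jan 25 20:03 usr/sbin/cryptsetup
-rwxr-xr-x 1 root root 0 Jan 25 20:03 usr/bin/clevis
-rwxr-xr-x 1 root root 0 Jan 25 20:03 usr/bin/clevis-decrypt
-rwxr-xr-x 1 root root 0 Jan 25 20:03 usr/bin/clevis-decrypt-tang
-rwxr-xr-x 1 root root 0 Jan 25 20:03 usr/bin/clevis-decrypt-sss
-rwxr-xr-x 1 root root 0 Jan 25 20:03 usr/bin/luksmeta
-rwxr-xr-x 1 root root 0 Jan 25 20:03 usr/libexec/clevis-luks-askpass
EOF
# Same image without cryptsetup: the second failure mode from the report.
grep -v '/cryptsetup$' "$GOOD" >"$BAD"

echo "== good image"; check_listing "$GOOD"
echo "== image missing cryptsetup"
if ! check_listing "$BAD"; then echo "verdict: would not unlock"; fi
```

On a real host, replace the constructed listing with `lsinitrd /boot/initrd.img-$(uname -r) > listing.txt` and run `check_listing listing.txt`.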
--- Begin Message ---
- To: 955277-done@bugs.debian.org, 962152-done@bugs.debian.org, 962672-done@bugs.debian.org, 970745-done@bugs.debian.org, 972149-done@bugs.debian.org, 973342-done@bugs.debian.org, 973706-done@bugs.debian.org, 975932-done@bugs.debian.org, 976094-done@bugs.debian.org, 976392-done@bugs.debian.org, 976423-done@bugs.debian.org, 976432-done@bugs.debian.org, 977172-done@bugs.debian.org, 977511-done@bugs.debian.org, 977520-done@bugs.debian.org, 977735-done@bugs.debian.org, 977782-done@bugs.debian.org, 977895-done@bugs.debian.org, 977978-done@bugs.debian.org, 978091-done@bugs.debian.org, 978157-done@bugs.debian.org, 979072-done@bugs.debian.org, 979074-done@bugs.debian.org, 979724-done@bugs.debian.org, 979749-done@bugs.debian.org, 980133-done@bugs.debian.org, 980201-done@bugs.debian.org, 980259-done@bugs.debian.org, 980268-done@bugs.debian.org, 980453-done@bugs.debian.org, 980458-done@bugs.debian.org, 980491-done@bugs.debian.org, 980762-done@bugs.debian.org, 980799-done@bugs.debian.org, 980802-done@bugs.debian.org, 980835-done@bugs.debian.org, 980857-done@bugs.debian.org, 980919-done@bugs.debian.org, 980938-done@bugs.debian.org, 980962-done@bugs.debian.org, 981002-done@bugs.debian.org, 981035-done@bugs.debian.org, 981047-done@bugs.debian.org, 981059-done@bugs.debian.org, 981096-done@bugs.debian.org, 981239-done@bugs.debian.org, 981271-done@bugs.debian.org, 981292-done@bugs.debian.org, 981339-done@bugs.debian.org, 981345-done@bugs.debian.org
- Subject: Closing p-u bugs for updates in 10.8
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 06 Feb 2021 10:39:26 +0000
- Message-id: <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's 10.8
point release.

Regards,

Adam
--- End Message ---