
Bug#1035560: marked as done (unblock: calamares-settings-debian/12.0.9-1)



Your message dated Fri, 5 May 2023 17:27:20 +0200
with message-id <20230505152720.3br25wftf5ihbtzi@mraw.org>
and subject line Re: Bug#1035560: unblock: calamares-settings-debian/12.0.9-1
has caused the Debian Bug report #1035560,
regarding unblock: calamares-settings-debian/12.0.9-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1035560: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035560
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: calamares-settings-debian@packages.debian.org, kibi@debian.org
Control: affects -1 + src:calamares-settings-debian

Please unblock package calamares-settings-debian

[ Reason ]
The way the LUKS encryption tools (cryptsetup, cryptsetup-initramfs,
keyutils) are installed has changed. Prior to bookworm, these were included in the squashfs
system, so they were installed whether or not they were required, resulting in a
warning on unencrypted systems when update-initramfs was run.

By some happy accident due to updates in the live build system, these aren't
included in the squashfs image anymore, so we've added them to the media package
pool so that they could be installed only when required. This Calamares change
will install the required packages only when LUKS has been configured.

[ Impact ]
If this isn't accepted, users who installed via the Calamares installer on
live media will not be able to boot their systems until they install 
cryptsetup-initramfs (and potentially keyutils, depending on configuration)
from rescue media.

[ Tests ]
This package was tested manually on the latest live test build.

[ Risks ]
The fixes are trivial and have been tested, and once migrated, we'll test it
yet again asap on the latest installation media. We're also adding luks tests
to our standard live smoke testing to help catch a bug like this sooner in the
future.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ DebDiff ]

"""
diff -Nru calamares-settings-debian-12.0.8/CHANGELOG calamares-settings-debian-12.0.9/CHANGELOG
--- calamares-settings-debian-12.0.8/CHANGELOG	2023-04-26 14:23:37.000000000 +0200
+++ calamares-settings-debian-12.0.9/CHANGELOG	2023-05-04 20:34:51.000000000 +0200
@@ -1,8 +1,15 @@
-[ 10.0.8 ]
+[ 12.0.9 ]
+
+ * Fix typos in version numbers for last two changelog entries
+ * Install cryptsetup-initramfs, cryptsetup and keyutils (only) when needed
+   (required due to these packages only now existing on package pool,
+    not on the squashfs filesystem)
+
+[ 12.0.8 ]

  * Do grub work within the chroot

-[ 10.0.7 ]
+[ 12.0.7 ]

  * Enable os-prober /after/ grub has been installed.

diff -Nru calamares-settings-debian-12.0.8/debian/changelog calamares-settings-debian-12.0.9/debian/changelog
--- calamares-settings-debian-12.0.8/debian/changelog	2023-04-26 14:25:34.000000000 +0200
+++ calamares-settings-debian-12.0.9/debian/changelog	2023-05-04 20:47:17.000000000 +0200
@@ -1,3 +1,10 @@
+calamares-settings-debian (12.0.9-1) unstable; urgency=medium
+
+  * New upstream release
+    - Deal with changes in how luks tools are installed from live media
+
+ -- Jonathan Carter <jcc@debian.org>  Thu, 04 May 2023 20:47:17 +0200
+
 calamares-settings-debian (12.0.8-1) unstable; urgency=medium

   * New upstream release
diff -Nru calamares-settings-debian-12.0.8/scripts/bootloader-config calamares-settings-debian-12.0.9/scripts/bootloader-config
--- calamares-settings-debian-12.0.8/scripts/bootloader-config	2023-04-26 14:23:37.000000000 +0200
+++ calamares-settings-debian-12.0.9/scripts/bootloader-config	2023-05-04 20:34:51.000000000 +0200
@@ -2,22 +2,24 @@

 CHROOT=$(mount | grep proc | grep calamares | awk '{print $3}' | sed -e "s#/proc##g")

-# Set secure permissions for the initramfs if we're configuring
+# Install luks utilities if needed.
+# Also, set secure permissions for the initramfs if we're configuring
 # full-disk-encryption. The initramfs is re-generated later in the
 # installation process so we only set the permissions snippet without
 # regenerating the initramfs right now:
 if [ "$(mount | grep $CHROOT" " | cut -c -16)" = "/dev/mapper/luks" ]; then
     echo "UMASK=0077" > $CHROOT/etc/initramfs-tools/conf.d/initramfs-permissions
+    chroot $CHROOT apt-get -y install cryptsetup-initramfs cryptsetup keyutils
 fi

 echo "Running bootloader-config..."

 if [ -d /sys/firmware/efi/efivars ]; then
     echo " * Installing grub-efi (uefi)..."
-    DEBIAN_FRONTEND=noninteractive chroot $CHROOT apt-get -y install grub-efi-amd64 cryptsetup keyutils
+    DEBIAN_FRONTEND=noninteractive chroot $CHROOT apt-get -y install grub-efi-amd64
 else
     echo " * install grub... (bios)"
-    DEBIAN_FRONTEND=noninteractive chroot $CHROOT apt-get -y install grub-pc cryptsetup keyutils
+    DEBIAN_FRONTEND=noninteractive chroot $CHROOT apt-get -y install grub-pc
 fi

 # Re-enable os-prober:
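
Review bot: the added "chroot $CHROOT apt-get -y install cryptsetup-initramfs cryptsetup keyutils" line in the LUKS branch runs without DEBIAN_FRONTEND=noninteractive, while both grub installs further down in this hunk set it; prefixing it the same way keeps a debconf prompt from stalling the installer. The result of that apt-get call is also not checked in the visible lines, and per the Impact section a missing cryptsetup-initramfs leaves the encrypted system unbootable, so a failed install from the media pool should stop the script with an error (unless it already runs under "set -e", which this hunk does not show). Quoting "$CHROOT" on the new line would be a cheap improvement as well.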
"""

thanks,

-Jonathan

unblock calamares-settings-debian/12.0.9-1

--- End Message ---
--- Begin Message ---
Hi Jonathan,

And thanks for the cc.

Release-team: While my focus is and will remain on d-i, seeing how d-i
and live are built at the same time, and how I'll be pushing those
buttons from time to time, I've asked Jonathan to keep me in the loop.
This way, we have higher chances of having relevant bits in place for
both d-i and live releases.

Jonathan Carter <jcc@debian.org> (2023-05-05):
> --- calamares-settings-debian-12.0.8/debian/changelog
> +++ calamares-settings-debian-12.0.9/debian/changelog
> @@ -1,3 +1,10 @@
> +calamares-settings-debian (12.0.9-1) unstable; urgency=medium
> +
> +  * New upstream release
> +    - Deal with changes in how luks tools are installed from live media

Maybe this could have benefited from a little more detail / a pointer
to some bug report (like a reference to #1035360), but I suppose we can
do without it.

> --- calamares-settings-debian-12.0.8/scripts/bootloader-config
> +++ calamares-settings-debian-12.0.9/scripts/bootloader-config
> @@ -2,22 +2,24 @@
> 
>  CHROOT=$(mount | grep proc | grep calamares | awk '{print $3}' | sed -e "s#/proc##g")
> 
> -# Set secure permissions for the initramfs if we're configuring
> +# Install luks utilities if needed.
> +# Also, set secure permissions for the initramfs if we're configuring
>  # full-disk-encryption. The initramfs is re-generated later in the
>  # installation process so we only set the permissions snippet without
>  # regenerating the initramfs right now:
>  if [ "$(mount | grep $CHROOT" " | cut -c -16)" = "/dev/mapper/luks" ]; then
>      echo "UMASK=0077" > $CHROOT/etc/initramfs-tools/conf.d/initramfs-permissions
> +    chroot $CHROOT apt-get -y install cryptsetup-initramfs cryptsetup keyutils
>  fi
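
Review bot: the unchanged condition on the "if" line, which compares the first 16 characters of the matching mount line against "/dev/mapper/luks", now decides whether the LUKS tools are installed at all, not only whether UMASK=0077 is written. It holds only when the device mounted at $CHROOT has a mapper name starting with "luks", and the unquoted $CHROOT inside the grep is treated as a pattern, so a missed match now means an encrypted install without cryptsetup-initramfs. Either document that naming assumption in the comment above the test, or switch to a check that does not depend on the mapper name.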

OK, so both existing packages are now getting installed when LUKS is
detected instead of separately, alongside whichever grub package is
needed, *and* cryptsetup-initramfs is added to those two.

>  if [ -d /sys/firmware/efi/efivars ]; then
>      echo " * Installing grub-efi (uefi)..."
> -    DEBIAN_FRONTEND=noninteractive chroot $CHROOT apt-get -y install grub-efi-amd64 cryptsetup keyutils
> +    DEBIAN_FRONTEND=noninteractive chroot $CHROOT apt-get -y install grub-efi-amd64
>  else
>      echo " * install grub... (bios)"
> -    DEBIAN_FRONTEND=noninteractive chroot $CHROOT apt-get -y install grub-pc cryptsetup keyutils
> +    DEBIAN_FRONTEND=noninteractive chroot $CHROOT apt-get -y install grub-pc
>  fi

And that should indeed work together with live-build's latest commit
which also adds cryptsetup-initramfs alongside the other two existing
packages, to the pool where packages can be installed from.

AFAICT live-build.git is pulled on casulana, so what's in the archive
shouldn't matter. I suppose this is similar to the debian-cd situation,
but that one we try and get into unstable and testing to match what's
getting used to build a given release…

I see the following:

    live-build | 1:20230131        | testing
    live-build | 1:20230502        | unstable

but no matching tag for the latter in the git repository, and no unblock
request. I have no opinions as to whether it would be best to try and
get it into testing, but I thought I'd mention it. :)

> unblock calamares-settings-debian/12.0.9-1

Done.


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant



--- End Message ---
