
Re: Document removal of ecryptfs-utils from Buster

On Mon 01 Jul 2019 at 06:05:52 (-0400), Gene Heskett wrote:
> On Monday 01 July 2019 03:52:55 Jonathan Dowland wrote:
> > On Sun, Jun 30, 2019 at 12:45:57PM -0400, Gene Heskett wrote:
> > >At this point, I'd call it a buster delaying bug.  That last is going
> > > to cost too many that can't ignore it and don't have unencrypted
> > > backups. That's going to be a lot of very bad PR.
> >
> > It's the release team's call, generally speaking, and one of the things
> > they might factor in is the size of the user-base for the troublesome
> > package. I'm surprised to find that it's extremely small according to
> > popcon data: less than 1% of reporters:
> > https://qa.debian.org/popcon.php?package=ecryptfs-utils
> >
> > Compare just two alternatives:
> >
> > encfs: 1.14% https://qa.debian.org/popcon.php?package=encfs
> > cryptsetup: 15% https://qa.debian.org/popcon.php?package=cryptsetup
> That does put a better light on it.  From the comments so far, I was 
> thinking I'm one of the few not using it. I've depended on dd-wrt 
> between me and the internet for the last 16 years, and even before that 
> I was on dialup and the dialup folks didn't have enough bandwidth to 
> attract the black hats, so I've never been touched.

I was under the impression that these two forms of security, firewalls
and encryption, are completely orthogonal. Once you've unlocked, say,
an encrypted partition, you're now reliant on the firewall to keep
strangers out of your files. OTOH a perfect firewall is of no benefit
when your laptop is stolen.

> With all the publicity this thread has given the issue, I'll change my 
> mind (as if it matters to the team :) and say adequate notice and 
> mitigating paths seems to have been given. Those that are using it I'd 
> call pretty advanced and are reading this list just for the notices 
> given so they shouldn't be surprised. So I'll do an Andy Capp and 
> shuddup.

The grey area for me is the relative benefit of encrypting file by
file compared with the whole partition. Assuming that there's just one
passphrase involved in each scenario, is more protection given by the
former method? After all, once a partition is unlocked, all users on
the system are able to read all the files, subject to the normal unix
permissions, ACLs, etc.

