Re: Document removal of ecryptfs-utils from Buster
On Monday 01 July 2019 19:42:08 David Wright wrote:
> On Mon 01 Jul 2019 at 15:56:14 (-0400), Gene Heskett wrote:
> > On Monday 01 July 2019 09:33:35 David Wright wrote:
> > > On Mon 01 Jul 2019 at 06:05:52 (-0400), Gene Heskett wrote:
> > > > On Monday 01 July 2019 03:52:55 Jonathan Dowland wrote:
> > > > > On Sun, Jun 30, 2019 at 12:45:57PM -0400, Gene Heskett wrote:
> > > > > >At this point, I'd call it a buster delaying bug. That last
> > > > > > is going to cost too many that can't ignore it and don't
> > > > > > have unencrypted backups. Thats going to be a lot of very
> > > > > > bad PR.
> > > > >
> > > > > It's the release teams call, generally speaking, and one of
> > > > > the things they might factor in is the size of the user-base
> > > > > for the troublesome package. I'm surprised to find that it's
> > > > > extremely small according to popcon data: less than 1% of
> > > > > reporters:
> > > > > https://qa.debian.org/popcon.php?package=ecryptfs-utils
> > > > >
> > > > > Compare just two alternatives:
> > > > >
> > > > > encfs: 1.14% https://qa.debian.org/popcon.php?package=encfs
> > > > > cryptsetup: 15%
> > > > > https://qa.debian.org/popcon.php?package=cryptsetup
> > > >
> > > > That does put a better light on it. From the comments so far, I
> > > > was thinking I'm one of the few not using it. I've depended on
> > > > dd-wrt between me and the internet for the last 16 years, and
> > > > even before that I was on dialup and the dialup folks didn't
> > > > have enough bandwidth to attract the black hats, so I've never
> > > > been touched.
> > >
> > > I was under the impression that these two forms of security,
> > > firewalls and encryption, are completely orthogonal. Once you've
> > > unlocked, say, an encrypted partition, you're now reliant on the
> > > firewall to keep strangers out of your files. OTOH a perfect
> > > firewall is of no benefit when your laptop is stolen.
> > >
> > > > With all the publicity this thread has given the issue, I'll
> > > > change my mind (as if it matters to the team :) and say adequate
> > > > notice and mitigating paths seems to have been given. Those that
> > > > are using it I'd call pretty advanced and are reading this list
> > > > just for the notices given so they shouldn't be surprised. So
> > > > I'll do an Andy Capp and shuddup.
> > >
> > > The grey area is for me is the relative benefit of encrypting file
> > > by file compared with the whole partition. Assuming that there's
> > > just one passphrase involved in each scenario, is more protection
> > > given by the former method? After all, once a partition is
> > > unlocked, all users on the system are able to read all the files,
> > > subject to the normal unix permissions, ACLs, etc.
> >
> > Whole filesystem encryption would be a total non-starter for me.
>
> Fair enough. Could you reveal why, or are your reasons cryptic too?
No, but if for some reason, say a cerebral accident, I should lose the
password, the whole system would be locked away, and that would be
unforgivable. And at 84&counting, I've no warranty I'll remember my own
name 10 minutes from my hitting send on this message.
> > File by
> > file with different passwd's according to whats in the file would
> > make far more sense to me. Thats my $0.02.
>
> I can't see how anyone would cope with a scheme like that. How would
> you remember all those passwords?
By limiting it to probably 2. Normal stuff might just be my user pw,
whereas stuff that is truly private might have a 2048 bit hash.
>
> OTOH I can see that each file must have an individual encryption key,
> but the encryption scheme looks after generating those. Otherwise
> you would have a large sample of encrypted but known-cleartext files
> available for cracking attempts. (Remember that the filenames are not
> encrypted, and many files on a system will have entirely predictable
> contents, eg much of /usr, your Debian package cache, and so on.
Clearly I haven't explored all the ramifications. Its been more of a case
of letting my imagination out to play without a chaperone.
> Cheers,
> David.
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
Reply to: