
Bug#600777: RFH: cryptsetup -- configures encrypted block devices



Hi.

In earlier days I'd definitely have had some interest in helping with
cryptsetup, especially making it "mightier" and "hardening" it. Which is
not to be confused with the wish to take over maintenance, as you do good
work in many areas....

I guess you remember things or general design principles I've always
proposed like:
- rather failing / throwing errors than doing things that could
potentially allow attacks
- be as strict as possible in all places (for security reasons)
- adding extensive documentation, especially in places where things might
not be obvious and dangerous if future developers remove or change
something.
- rework all keyscripts, especially making them mightier towards fully
supporting encrypted root-fs, key material on external media, etc.
- overwork configuration framework, or better "standardise" one that all
keyscripts have to conform to
- make key scripts work, that depend on /usr/* stuff, which currently fail
- eventually add new key scripts

However, I guess it makes no sense to re-iterate old discussion points
which we could not agree on in the past...

Nevertheless I guess I just like to say that anybody that would be willing
to help will probably bring in similar or other interfering ideas like
those.... and it will be therefore difficult to get help if not willing to
accept such new ways.

Which would be very bad IMHO, as cryptsetup is probably very important for
many people, already.
And I guess it's especially important for them to have it (as they
probably already trust Debian) take care of all hidden and tricky pitfalls
one encounters with encryption (things like this LABEL "attack" I've
described earlier).


Cheers,
Chris.


