Bug#903163: Adding OpenPGP smartcard support to LUKS



Hi Guilhem and Chris,

greetings from Portugal to Taiwan :)

On 16.07.2018 at 19:28, Guilhem Moulin wrote:
> I'm in favor of adding OpenPGP smartcard support to src:cryptsetup, but
> not more than one set of hook & boot scripts.

Ack.

> Since there is already #888916 open requesting merging of some initramfs
> scripts providing OpenPGP smartcard support, and 888916 < 903163, it'd
> be polite of us cryptsetup package maintainers to review Rian's code as
> well before including anything.

Ack.

> I'm not sure it's worth shipping another “Architecture: all” binary
> package to src:cryptsetup, though (as opposed to including the keyscript
> to cryptsetup-run and the initramfs bits to cryptsetup-initramfs, like
> we're doing for decrypt_gnupg, decrypt_keyctl, decrypt_opensc, etc.).
> Sure, splitting cryptsetup-run and cryptsetup-initramfs further means we
> can assign more fine-grained dependencies, but in the end it'll just be
> a tiny shell script in each package, so is it worth the effort?  Also
> `update-initramfs -u` will complain if the required binaries (pcsd, gpg,
> etc.) cannot be copied; and the user has to install these to be able to
> set up the mapping in the first place.
> 
> (If we add another “Architecture: all” binary package we should also
> split cryptsetup-run and cryptsetup-initramfs for the sake of
> consistency.  Not sure it's worth the effort, but now-ish would be a
> good time to do this since we've already split cryptsetup-initramfs
> away.  I personally don't have strong feelings either way; CC'ing Jonas
> who might have a different opinion.)

I don't think that adding a new binary package for OpenPGP smartcard
support is a good idea and would oppose it. If we followed that logic
(e.g. in order to allow more fine-grained dependencies), we'd have to
split other keyscripts into their own binary packages as well. Also, given
the limited scope of keyscripts these days[1], I don't think that's worth
the effort, and it's too much overhead.

Cheers,
 jonas

[1] The systemd cryptsetup helper implementation doesn't support
    keyscripts and upstream refuses to implement support for it. So
    we're left with keyscripts support in the initramfs and the SysVinit
    init scripts.