Change log for cryptsetup package in Debian

175 of 90 results
Published in sid-release on 2020-02-04
cryptsetup (2:2.2.2-3) unstable; urgency=high

  * initramfs hook: Workaround fix for the libgcc_s's source location.
    (Closes: #950628, #939766.)  See #950254 for the proper fix.

 -- Guilhem Moulin <email address hidden>  Tue, 04 Feb 2020 14:11:12 +0100
Superseded in sid-release on 2020-02-04
cryptsetup (2:2.2.2-2) unstable; urgency=medium

  [ Guilhem Moulin ]
  * d/initramfs/hooks/cryptroot: On initramfs images built with MODULES=dep,
    include the IV generator found in the cipher specification when there is a
    matching kernel module.  On 5.4 kernels ESSIV isn't implemented in
    dm_crypt anymore, but by a dedicated 'essiv' module which thus needs to be
    available in order to unlock dm-crypt target using 'aes-cbc-essiv:sha256'.
    Closes: #948593.

  [ Debian Janitor ]
  * Set debhelper-compat version in Build-Depends.
  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
    Repository-Browse.

 -- Guilhem Moulin <email address hidden>  Sat, 18 Jan 2020 20:53:19 +0100
Superseded in sid-release on 2020-01-19
cryptsetup (2:2.2.2-1) unstable; urgency=medium

  * New upstream bugfix release.
  * debian/control:
    + Add 'procps' to the Build-Depends since the upstream test suite uses
      free(1).
    + Bump Standards-Version to 4.4.1 (no changes necessary).

 -- Guilhem Moulin <email address hidden>  Fri, 01 Nov 2019 19:32:36 +0100
Published in buster-release on 2019-09-07
cryptsetup (2:2.1.0-5+deb10u2) buster; urgency=medium

  * Cherry pick upstream commit 8f8f0b32: Fix mapped segments overflow on
    32bit architectures.  Regression since 2:2.1.0-1.  (Closes: #935702)

 -- Guilhem Moulin <email address hidden>  Mon, 26 Aug 2019 14:54:10 +0200
Superseded in sid-release on 2019-11-27
cryptsetup (2:2.2.1-1) unstable; urgency=medium

  * New upstream bugfix release.
  * Remove d/patches, applied upstream.

 -- Guilhem Moulin <email address hidden>  Fri, 06 Sep 2019 13:28:55 +0200
Superseded in sid-release on 2019-09-07
cryptsetup (2:2.2.0-3) unstable; urgency=medium

  * Cherry pick upstream commit 8f8f0b32: Fix mapped segments overflow on
    32bit architectures.  Regression since 2:2.1.0-1.  (Closes: #935702)

 -- Guilhem Moulin <email address hidden>  Mon, 26 Aug 2019 12:53:45 +0200
Superseded in sid-release on 2019-08-26
cryptsetup (2:2.2.0-2) unstable; urgency=medium

  * debian/control: Add 'Multi-Arch: foreign' tag to the transitional dummy
    package 'crytsetup-run'.
  * debian/control, debian/combat: Bump debhelper compatibility level to 12.
  * debian/rules: Remove dh_makeshlibs(1) override; debhelper 12.3's auto
    detection feature subsumes our use of --add-udeb=.  This fixes FTBFS with
    debhelper 12.5.

 -- Guilhem Moulin <email address hidden>  Wed, 21 Aug 2019 22:45:12 +0200
Superseded in sid-release on 2019-08-22
cryptsetup (2:2.2.0-1) unstable; urgency=medium

  * New upstream release 2.2.0.  Highlights include:
    + New LUKS2 online reencryption extension, allowing reencryption of
      mounted LUKS2 devices.
    + Optional global serialization lock for memory hard PBKDF, to workaround
      situations when multiple devices are unlocked in parallel, possibly
      exhausting memory and triggering the OOM killer.  (Cf. #924560.)
    + Add integritysetup support for bitmap mode (Linux >=5.2).
    + Reduce keyslots area size in luksFormat when the header device is too
      small.
  * Remove d/patches, applied upstream.

 -- Guilhem Moulin <email address hidden>  Thu, 15 Aug 2019 09:31:55 +0200
Superseded in sid-release on 2019-08-15
cryptsetup (2:2.1.0-8) unstable; urgency=medium

  * encrypted-boot.md:
    + Clarify partition layout.
    + encrypted-boot.md: New section 'Using a custom keyboard layout'.
  * d/gbp.conf: New section [export-orig] mirroring [buildpackage].
  * d/gitlab-ci.yml: Add 'publish' stage and make yamllint(1) happy.
  * d/patches: Backport upstream commit c03e3fe8 so libcryptsetup's
    crypt_keyslot_add_by_volume_key() also works a on LUKS2 header where all
    bound key slots were deleted, like it does for LUKS1. (Closes: #934715)

 -- Guilhem Moulin <email address hidden>  Wed, 14 Aug 2019 16:34:23 +0200
Deleted in experimental-release (Reason: None provided.)
cryptsetup (2:2.2.0~rc1-2) experimental; urgency=low

  * Rebase changes from 2:2.1.0-6 and 2:2.1.0-7 to enable smooth upgrade path
    from sid to experimental. (Closes: #933487)
  * debian/*: Remove compatibility warnings regarding setting 'CRYPTSETUP' in
    the initramfs hook configuration.  The variable is no longer honored, and
    cryptsetup is always integrated to the initramfs when the
    'cryptsetup-initramfs' package is installed.
  * debian/cryptsetup.NEWS: Mention the 'cryptsetup' and 'cryptsetup-run'
    package swap.
  * debian/control:
    + Swap 'cryptsetup' and 'cryptsetup-run' packages: the former now contains
      init scripts, libraries, keyscripts, etc. while the latter is now a
      transitional dummy package.
    + Remove obsolete cryptsetup.maintscript.
    + Bump Standards-Version to 4.4.0 (no changes necessary).
    + Add 'cryptsetup-initramfs' to 'cryptsetup's Recommends:, so upgrading
      systems pull it automatically on upgrade.  (cryptsetup <2:2.1.0-6 was a
      dummy transitional package depending on cryptsetup-run and
      cryptsetup-initramfs.)  Thanks to David Prévot for the precious help!
      Closes: #932643.
    + Add 'cryptsetup-run' to 'cryptsetup's Recommends.  This avoids it being
      removed by `apt upgrade --autoremove` from <2:2.1.0-6, thus avoids the
      old cryptsetup-run's prerm script showing a scary (but moot) warning.
      After upgrading the prerm script is gone and the package can be removed
      without troubles, so we can get rid of it after Bullseye.
      (Closes: #932625.)
  * debian/initramfs/conf-hook: Clarify that KEYFILE_PATTERN isn't expanded
    for crypttab(5) entries with a 'keyscript=' option. (Closes: #930696)
  * debian/doc/crypttab.xml: Point to README.initramfs in the "See Also"
    section. (Closes: #913233)
  * cryptsetup-initramfs: Add loud warning upon "prerm remove" if there are
    mapped crypt devices (like for cryptsetup.prerm).

 -- Guilhem Moulin <email address hidden>  Wed, 31 Jul 2019 20:52:24 +0200
Superseded in sid-release on 2019-08-15
cryptsetup (2:2.1.0-7) unstable; urgency=low

  * debian/cryptsetup.NEWS: Mention the 'cryptsetup' and 'cryptsetup-run'
    package swap.
  * debian/control: Add 'cryptsetup-initramfs' to 'cryptsetup's Recommends:,
    so upgrading systems pull it automatically on upgrade.  (cryptsetup
    <2:2.1.0-6 was a dummy transitional package depending on cryptsetup-run
    and cryptsetup-initramfs.)  Closes: #932643.
  * debian/control: Add 'cryptsetup-run' to 'cryptsetup's Recommends.  This
    avoids it being removed by `apt upgrade --autoremove` from <2:2.1.0-6,
    thus avoids the old cryptsetup-run's prerm script showing a scary (but
    moot) warning.  After upgrading the prerm script is gone and the package
    can be removed without troubles, so we can get rid of it after Bullseye.
    (Closes: #932625.)
  * cryptsetup-initramfs: Add loud warning upon "prerm remove" if there are
    mapped crypt devices (like for cryptsetup.prerm).

 -- Guilhem Moulin <email address hidden>  Sun, 21 Jul 2019 21:21:10 -0300
Superseded in sid-release on 2019-07-22
cryptsetup (2:2.1.0-6) unstable; urgency=low

  * debian/control:
    + Add 'Multi-Arch: foreign' tags to 'cryptsetup-bin' and 'crytsetup-run',
      as binaries from these packages are architecture independent.
      (Closes: #930115)
    + Add 'Build-Depends: jq, xxd' as the jq(1) and xxd(1) executables are
      required for some upstream tests (skipped if the executables are not
      found in $PATH).
    + Swap 'cryptsetup' and 'cryptsetup-run' packages: the former now contains
      init scripts, libraries, keyscripts, etc. while the latter is now a
      transitional dummy package.
    + Remove obsolete cryptsetup.maintscript.
    + Bump Standards-Version to 4.4.0 (no changes necessary).
  * debian/*:
    + Fix path names for /usr/share/doc/cryptsetup*/**. (Closes: #904916).
    + Remove compatibility warnings regarding setting 'CRYPTSETUP' in
      the initramfs hook configuration.  The variable is no longer honored,
      and cryptsetup is always integrated to the initramfs when the
      'cryptsetup-initramfs' package is installed.
  * debian/doc/pandoc/encrypted-boot.md: Minor refactoring.
  * debian/gitlab-ci.yml: Adapt pandoc flags to Debian 9 (pass '-S').
  * debian/initramfs/conf-hook: Clarify that KEYFILE_PATTERN isn't expanded
    for crypttab(5) entries with a 'keyscript=' option. (Closes: #930696)
  * debian/doc/crypttab.xml: Point to README.initramfs in the "See Also"
    section. (Closes: #913233)

 -- Guilhem Moulin <email address hidden>  Sat, 20 Jul 2019 22:15:04 -0300
Superseded in experimental-release on 2019-08-01
cryptsetup (2:2.2.0~rc1-1) experimental; urgency=low

  * New /testing/ upstream release 2.2.0 RC0.  Highlights include:
    + New LUKS2 online reencryption extension, allowing reencryption of
      mounted LUKS2 devices.
    + Optional global serialization lock for memory hard PBKDF, to workaround
      situations when multiple devices are unlocked in parallel, possibly
      exhausting memory and triggering the OOM killer.  (Cf. #924560.)
    + Add integritysetup support for bitmap mode (Linux >=5.2).
  * debian/control:
    + Add 'Multi-Arch: foreign' tags to 'cryptsetup-bin' and 'crytsetup-run',
      as binaries from these packages are architecture independent.
      (Closes: #930115)
    + Add 'Build-Depends: jq, xxd' as the jq(1) and xxd(1) executables are
      required for some upstream tests (skipped if the executables are not
      found in $PATH).
  * debian/*: Fix path names for /usr/share/doc/cryptsetup*/**.
    (Closes: #904916).
  * debian/doc/pandoc/encrypted-boot.md: Minor refactoring.
  * debian/gitlab-ci.yml: Adapt pandoc flags to Debian 9 (pass '-S').

 -- Guilhem Moulin <email address hidden>  Sun, 16 Jun 2019 00:55:18 +0200
Superseded in buster-release on 2019-09-07
Superseded in sid-release on 2019-07-21
cryptsetup (2:2.1.0-5) unstable; urgency=medium

  [ Jonas Meurer ]
  * debian/README.*: Fix markdown formatting issues
  * Copy https://wiki.debian.org/CryptsetupDebug to debian/README.debug

  [ Guilhem Moulin ]
  * d/README.Debian: New section "Unlocking LUKS devices from GRUB" pointing
    to https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html .

 -- Guilhem Moulin <email address hidden>  Mon, 10 Jun 2019 14:51:15 +0200
Superseded in buster-release on 2019-06-15
Superseded in sid-release on 2019-06-10
cryptsetup (2:2.1.0-4) unstable; urgency=medium

  [Guilhem Moulin]
  * d/initramfs/hooks/cryptroot: Always add userspace crypto module
    ('algif_skcipher' kernel module) to the initramfs.  This module is
    required for required for opening LUKS2 devices, and since 2:2.0.2-2 it's
    added to large initramfs (i.e., when the MODULES variable isn't set to
    "dep").  It's now added regardless of the value of $MODULES, as 1/ LUKS2
    is the default LUKS header format version; and 2/ we can't check at
    initramfs creation time whether there are LUKS2 devices to be opened at
    early boot stage (detached headers might not be present then).
    Closes: #929616.

  [Jonathan Dowland]
  * Update package descriptions to reflect the move of luksformat from
    cryptsetup-bin to cryptsetup-run. Closes: #928751.

 -- Guilhem Moulin <email address hidden>  Tue, 28 May 2019 17:04:16 +0200
Superseded in experimental-release on 2019-06-17
cryptsetup (2:2.2.0~rc0-1) experimental; urgency=low

  * New /testing/ upstream release 2.2.0 RC0.  Highlights include:
    - New LUKS2 online reencryption extension, allowing reencryption of
      mounted LUKS2 devices.
    - Optional global serialization lock for memory hard PBKDF, to workaround
      situations when multiple devices are unlocked in parallel, possibly
      exhausting memory and triggering the OOM killer.  (Cf. #924560.)

 -- Guilhem Moulin <email address hidden>  Mon, 06 May 2019 12:02:54 +0200
Superseded in buster-release on 2019-06-03
Superseded in sid-release on 2019-05-28
cryptsetup (2:2.1.0-3) unstable; urgency=medium

  * d/scripts/decrypt_opensc: Fix standard output poisoning.  Thanks to Nils
    Mueller for the report and patch.  (Closes: #926573.)
  * d/initramfs/hooks/cryptopensc: Ensure that libpcsclite.so is copied to the
    initramfs on non-usrmerge systems.  (Closes: #928263.)

 -- Guilhem Moulin <email address hidden>  Tue, 30 Apr 2019 21:20:47 +0200
Superseded in buster-release on 2019-05-06
Superseded in sid-release on 2019-05-01
cryptsetup (2:2.1.0-2) unstable; urgency=medium

  * debian/copyright:
    + Update copyright years.
    + Add OpenSSL linking exception, in accordance with upstream's "COPYING"
      and "COPYING.LGPL" files.  Since 2:2.1.0-1 the cryptsetup binaries and
      library are linked against libssl, which is the new upstream default
      backend for LUKS header processing.
  * debian/askpass.c: in the console backend, clear stdin's end-of-file
    indicator before calling getline() again.  Thanks to Ken Milmore for the
    detailed report and patch.  (Closes: #921906.)

 -- Guilhem Moulin <email address hidden>  Thu, 28 Feb 2019 22:32:43 +0100
Superseded in buster-release on 2019-03-12
Superseded in sid-release on 2019-03-01
cryptsetup (2:2.1.0-1) unstable; urgency=medium

  * New upstream release.  Highlights include:
    - The on-disk LUKS format version now defaults to LUKS2 (use `luksFormat
      --type luks1` to use LUKS1 format). Closes: #919725.
    - The cryptographic backend used for LUKS header processing is now libssl
      instead of libgcrypt.
    - LUKS' default key size is now 512 in XTS mode, half of which is used for
      block encryption.  XTS mode uses two internal keys, hence the previous
      default key size (256) caused AES-128 to be used for block encryption,
      while users were expecting AES-256.

  [ Guilhem Moulin ]
  * Add docs/Keyring.txt and docs/LUKS2-locking.txt to
    /usr/share/doc/cryptsetup-run.
  * debian/README.Debian: Mention that for non-persistent encrypted swap one
    should also disable the resume device.
  * debian/README.initramfs: Mention that keyscript=decrypt_derived normally
    won't work with LUKS2 sources.  (The volume key of LUKS2 devices is by
    default offloaded to the kernel keyring service, hence not readable by
    userspace.)  Since 2:2.0.3-5 the keyscript loudly fails on such sources.
  * decrypt_keyctl keyscript: Always use our askpass binary for password
    prompt (fail instead of falling back to using stty or `read -s` if askpass
    is not available).  askpass and decrypt_keyctl are both shipped in our
    'cryptsetup-run' and 'cryptsetup-udeb' binary packages, and the cryptsetup
    and askpass binaries are added together to the initramfs image.
  * decrypt_keyctl: Document the identifier used in the user keyring:
    "cryptsetup:$CRYPTTAB_KEY", or merely "cryptsetup" if "$CRYPTTAB_KEY" is
    empty or "none".  The latter improves compatibility with gdm and
    systemd-ask-password(1).
  * debian/*: run wrap-and-sort(1).
  * debian/doc/crypttab.xml: mention `cryptsetup refresh` and the `--persistent`
    option flag.
  * debian/control: Bump Standards-Version to 4.3.0 (no changes necessary).

  [ Jonas Meurer ]
  * Update docs about 'discard' option: Mention in manpage, that it's enabled
    per default by Debian Installer. Give advice to add it to new devices in
    /etc/crypttab and add it to crypttab example entries in the docs.

 -- Guilhem Moulin <email address hidden>  Sat, 09 Feb 2019 00:40:17 +0100
Superseded in buster-release on 2019-02-19
Superseded in sid-release on 2019-02-09
cryptsetup (2:2.0.6-1) unstable; urgency=medium

  * New upstream bugfix release.  Highlights include:
    - Fix support of larger metadata areas in LUKS2 header.
    - Fix checking of device size alignment and hash & AEAD algorithms to
      avoid formatting devices that later cannot be activated.
    - Fix cryptsetup-reencrypt interrupt handling.
    - Allow Adiantum cipher construction (require Linux 4.21 or later).

 -- Guilhem Moulin <email address hidden>  Mon, 03 Dec 2018 20:16:07 +0100
Superseded in buster-release on 2018-12-16
Superseded in sid-release on 2018-12-04
cryptsetup (2:2.0.5-2) unstable; urgency=medium

  * debian/initramfs/hooks/*: Skip call to copy_file() when the target already
    exists (as the function return value 1 in the case).
  * OpenPGP Smartcard support, based on work by Peter Lebbing and Erik
    Nellessen. (Closes: #888916, #903163.)
  * Move header presence check to crypttab_parse_options() from
    unlock_mapping().  Having the presence checks in unlock_mapping() caused
    dummy password prompts in interactive mode when the LUKS header file was
    missing.  Regression since 2:2.0.3-2.  (Closes: #914458.)

 -- Guilhem Moulin <email address hidden>  Sat, 24 Nov 2018 18:34:42 +0100
Superseded in buster-release on 2018-11-30
Superseded in sid-release on 2018-11-25
cryptsetup (2:2.0.5-1) unstable; urgency=medium

  * New upstream release.
  * Remove d/patches/Disable-blockwise-compat-test-as-it-s-FS-dependent.patch
    as the test suite no longer fails on misaligned I/O in O_DIRECT mode.
    (Cf. upstream issue #403.)

 -- Guilhem Moulin <email address hidden>  Mon, 29 Oct 2018 12:21:00 +0100
Superseded in buster-release on 2018-11-03
Superseded in sid-release on 2018-10-29
cryptsetup (2:2.0.4-3) unstable; urgency=medium

  [ Guilhem Moulin ]
  * debian/initramfs/hooks/cryptroot:
    + Make _CRYPTTAB_* variables local to crypttab_find_and_print_entry().
      (Closes: #907243.)
    + Silence the warning that honoring CRYPTSETUP="[y|n]" in the config is
      deprecated when the variable is set to "y".  (Keep the warning when it's
      set to "n" though.)  Closes: #908220.
  * debian/functions: Make get_crypt_type() set variable CRYPTTAB_TYPE to the
    type of crypt device ("luks" / "plain" / "tcrypt").
  * debian/initramfs/scripts/local-top/cryptroot: Don't complain that
    (successful) unlocking of a LUKS device doesn't yield a known file system.
    The check is preserved for plain dm-crypt devices and tcrypt devices.
    (Closes: #906283.)
  * debian/control: Bump Standards-Version to 4.2.1 (no changes necessary).
  * debian/doc/crypttab.xml: Improve formatting.
  * debian/cryptsetup-run.lintian-overrides: Remove unused override
    init.d-script-possible-missing-stop (x2).
  * debian/libcryptsetup12.symbols: Add "Build-Depends-Package:
    libcryptsetup-dev" field.

  [ Helmut Grohne ]
  * Fix FTCBFS: Supply $(CC) from dpkg's buildtools.mk. (Closes: #911042)

  [ Dimitri John Ledkov ]
  * Implement support for `cryptsetup --sector-size` in crypttab(5).
    LP: #1776626.

 -- Guilhem Moulin <email address hidden>  Mon, 22 Oct 2018 17:45:35 +0200
Superseded in buster-release on 2018-10-28
Superseded in sid-release on 2018-10-22
cryptsetup (2:2.0.4-2) unstable; urgency=medium

  * debian/cryptsetup-initramfs.preinst: Don't try to overwrite
    /etc/cryptsetup-initramfs/conf-hook if that file doesn't exist.  (The fix
    for #905188 broke 2:2.0.4-1's instability on sid.)  Closes: #905514.
  * debian/control: Bump Standards-Version to 4.2.0 (no changes necessary).

 -- Guilhem Moulin <email address hidden>  Tue, 07 Aug 2018 17:25:30 +0200
Superseded in sid-release on 2018-08-07
cryptsetup (2:2.0.4-1) unstable; urgency=medium

  * New upstream release.  Add 'libblkid-dev' to Build-Depends since
    libcryptsetup and utilities are now linked to libblkid.
  * debian/cryptsetup-initramfs.preinst: Improve conffile ownership transfer
    from 'cryptsetup' to 'cryptsetup-initramfs' to comply with Policy §10.7.3.
    (Closes: #904926.)

 -- Guilhem Moulin <email address hidden>  Sun, 05 Aug 2018 04:59:10 +0800
Superseded in buster-release on 2018-08-13
Superseded in sid-release on 2018-08-05
cryptsetup (2:2.0.3-7) unstable; urgency=medium

  * debian/scripts/gen-ssl-key: avoid storing temporary key file on disk.
  * debian/initramfs/*, debian/scripts/*: improve quoting.
  * debian/initramfs/cryptroot-unlock: Normalize paths before comparison.
    This fixes usage on initramfs images with an usrmerge layout, such as
    images made by mkinitramfs(8) from initramfs-tools-core 0.132. (Closes:
    #904926.)
  * debian/functions: crypttab_find_entry(), crypttab_foreach_entry(): return
    gracefully if $TABFILE doesn't exist.

 -- Guilhem Moulin <email address hidden>  Mon, 30 Jul 2018 16:32:07 +0800
Superseded in buster-release on 2018-08-04
Superseded in sid-release on 2018-07-31
cryptsetup (2:2.0.3-6) unstable; urgency=medium

  * debian/TODO.md: Remove mention of parent device detection for mdadm
    (#629236) as it's fixed since 2:2.0.3-2.
  * debian/README.gnupg, debian/TODO.md, debian/doc/crypttab.xml: minor typo
    fixes.
  * debian/rules, debian/patches/disable-internal-tests.patch: Remove patch to
    add configure flag '--disable-internal-tests'.  The internal test suite is
    run by dh_auto_test(1), and it is skipped if DEB_BUILD_OPTIONS environment
    variable contains the string "nocheck".
  * debian/cryptdisks-functions, debian/initramfs/scripts/local-top/cryptroot:
    When the 2nd column of a crypttab entry denodes a block special device,
    resolve the device but don't convert it to /dev/block/$major:$minor.
    (Closes: #903246.)
  * debian/initramfs/hooks/cryptroot:
    + Treat null device numbers as invalid in resolve_device(), cf.
      /Documentation/admin-guide/devices.txt in the kernel source tree.
    + generate_initrd_crypttab(): add '\n' to the local IFS since
      get_resume_devno() prints one major:minor pair per line.
  * debian/initramfs/scripts/local-{top,bottom}/cryptopensc:
    + Save process ID of the pcscd daemon at local-top stage, and kill it at
      local-bottom stage.  Thanks to Pascal Vibet for the patch.
      (Closes: #903574.)
    + Fix path to the pcscd executable (the fix for #880750 was incomplete).
  * debian/README.opensc: Remove mention of 'README.openct.gz' as it's gone
    since 2:2.0.3-2.
  * debian/scripts/decrypt_opensc: Fix plymouth prompt message (use
    $CRYPTTAB_NAME not $crypttarget).

 -- Guilhem Moulin <email address hidden>  Fri, 13 Jul 2018 22:10:43 +0200
Superseded in sid-release on 2018-07-14
cryptsetup (2:2.0.3-5) unstable; urgency=medium

  [ Jonas Meurer ]
  * debian/askpass.c, debian/scripts/passdev.c, debian/rules:
    + Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
    + Drop c99 std, as the default is now higher than that
  * debian/control:
    + Drop explicit dependencies on libgcrypt20 and libgpg-error0 from
      libcryptsetup12. They're pulled in by ${shlibs:Depends} automatically.

  [ Guilhem Moulin ]
  * debian/initramfs/cryptroot-unlock: Keep looping forever (as long as the
    disk is locked) if the CRYPTTAB_OPTION_tries variable is set to 0, cf.
    crypttab(5).
  * debian/doc/crypttab.xml: Clarify that the 'readonly' flag sets up a
    read-only mapping.  Cf. `cryptsetup --readonly`.
  * debian/initramfs/hooks/cryptroot:
    + Fix generation of initrd crypttab(5) with `update-initramfs -u -v` for
      key files matching $KEYFILE_PATTERN, or when a 'keyscript' is specified
      in the crypttab options.  Regression since 2:2.0.3-2. (Closes: #902733.)
    + Avoid processing entries multiple times in get_crypttab_entry(), which
      could happen with 'keyscript=decrypt_derived' for instance.
    + Don't complain that the sysfs dir can't be found when the hook failed to
      normalize the device (another warning is shown already).
    + If source device is mapped (for instance if it's a logical volume), put
      its dm name into the initrd crypttab.  LVM2's local-block script doesn't
      work with UUIDs, and giving it a VG+LV is better anyway as we avoid to
      activate all volumes at initramfs stage. (Closes: #902943.)
  * debian/initramfs/conf-hook: Clarify that if KEYFILE_PATTERN if null or
    unset then no key file is copied.
  * debian/initramfs/*, debian/functions, debian/cryptdisks-functions:
    + Use major:minor device IDs internally, as this facilitate discovery of
      sysfs directories, and we don't have to take care of the udev mangling.
    + Decode octal sequences when reading /etc/crypttab or /etc/fstab.  This
      means that key files and option values can contain blanks and special
      characters encoded as octal sequences.
    + Refactor crypttab(5) parsing logic, to avoid duplication of boilerplate
      code.
  * debian/functions: If the key file is a symlink, warn about insecure
    permissions of the target, not the link itself.
  * debian/scripts/decrypt_derived: For devices with keys in the kernel
    keyring (e.g., LUKS2 by default), refuse to derive anything.
  * debian/patches/disable-internal-tests.patch: Add configure option
    '--disable-internal-tests' to disable the internal test suite.
  * debian/rules: Don't run upstream's internal test suite if
    $DEB_BUILD_OPTIONS contains the string "skip-internal-tests".  (Tests are
    still run by default.)
  * debian/cryptdisks-functions: Restore support for crypttab(5) entries with
    regular files as source device.  Regression since 2:2.0.3-2.
    (Closes: #902879.)
  * debian/control: Bump Standards-Version to 4.1.5 (no changes necessary).

 -- Guilhem Moulin <email address hidden>  Sat, 07 Jul 2018 01:47:57 +0200
Superseded in buster-release on 2018-07-28
Superseded in sid-release on 2018-07-08
cryptsetup (2:2.0.3-4) unstable; urgency=low

  * debian/initramfs/hooks/cryptroot:
    + Fix typo in warning message. (Closes: #901971.)
    + sysfs_devdir(): don't croak when the normalized device pathname isn't of
      the form /dev/$blk.  This is the case in the Debian installer, where the
      devtmpfs pseudo-filesystem exposes /dev/mapper/$name as a block device
      instead of a symlink to /dev/dm-$index.
    + sysfs_devdir(): return /sys/dev/block/$maj:$min (a symlink pointing the
      sysfs directory corresponding to the device) rather than /sys/block/$blk.
      While the latter is present for mapped devices, it's not present for
      block devices corresponding to disk partitions.  See sysfs(5) for
      details. (Closes: #902183.)
    + get_crypttab_entry(): skip (harmless) warning if blkid_tag() fails to
      get the UUID of a dm-crypt device's slave (it's normal with plain
      dm-crypt devices).
    + get_crypttab_entry(): don't warn that key file doesn't exist if it's
      e.g., an existing character special device.
  * debian/functions:unlock_mapping(): translate crypttab(5) option
    'size=<size>' to `cryptsetup --key-size=<size>`, not `--size` (which
    doesn't set the key size but the size of the device in number of 512 byte
    sectors).  Regression since 2:2.0.3-2. (Closes: #902245.)
  * debian/initramfs/scripts/local-top/cryptroot, debian/cryptdisks-functions,
    debian/initramfs/cryptroot-unlock: Fix off-by-one unlock count.  Some
    keyscripts (such as decrypt_keyctl) don't work properly if on first try
    the CRYPTTAB_TRIED environment variable isn't set to 0.  Regression since
    2:2.0.3-2. (Closes: #902116.)
  * debian/scripts/decrypt_keyctl: replace the source device path with the
    mapped device name in messages, to match the new askpass behavior.

 -- Guilhem Moulin <email address hidden>  Sun, 24 Jun 2018 22:48:41 +0200
Superseded in sid-release on 2018-06-25
cryptsetup (2:2.0.3-3) unstable; urgency=low

  [ Jonas Meurer ]
  * debian/*: run wrap-and-sort(1)
  * debian/control:
    + Add Conflicts and Breaks on 'cryptsetup-bin (<< 2:2.0.3-2)' to
      cryptsetup-run. Needed since we moved luksformat between the
      packages. (Closes: #901773)
    + Remove all traces of package 'cryptsetup-luks' from dependency
      headers. This package has never been part of an official Debian
      release and the time it existed is more than 12 years ago.
    + Remove Conflicts/Breaks headers from the split of cryptsetup into
      cryptsetup/cryptsetup-bin in release 2:1.4.1-3. The conflicting
      version is from Debian Wheezy, which means that there's three
      releases in between. We don't support dist-upgrades with skipped
      releases anyway.
    + Remove obsolete 'Breaks: hashalot (<< 0.3-2)' from cryptsetup-run.
    + Remove versioned depends of libcryptsetup12 on libgcrypt20 and
      libgpg-error0. Both versions are satisfied since more than three
      releases.
    + Remove versioned build-depends on docbook-xsl, dpkg-dev,
      libdevmapper-dev, libgcrypt20-dev and libtool. All versions are
      satisfied since more than three releases.
  * debian/*: Change maintainer contact address to @alioth-lists.debian.net.

  [ Guilhem Moulin ]
  * debian/control: Replace 2:2.0.2-2 with 2:2.0.3-1 in Breaks/Replaces/Depends
    fields.  (2:2.0.2-2 was never released, the version we released after the
    package split was 2:2.0.3-1.)
  * debian/initramfs/cryptroot-script: exit immediately when
    /lib/cryptsetup/functions is not present. (Closes: #901830.)
  * debian/cryptsetup-run.prerm: use `dmsetup table --target crypt` to avoid
    manually excluding mapped devices using another subsystem.
  * d/initramfs/hooks/cryptroot:
    + Fix parser for cipher specifications in mapping table of crypt targets.
      In particular, the cipher mode wasn't parsed properly, potentially
      causing missing modules in initrd.img compiled with MODULES=dep.
      Regression introduced in 2:2.0.3-2.  (Closes: #901884.)
    + Print a warning when the mapping table specifies the cipher in kernel
      crypto API format ("capi:" prefix).  We don't support these yet.

 -- Guilhem Moulin <email address hidden>  Wed, 20 Jun 2018 17:22:36 +0200
Superseded in sid-release on 2018-06-20
cryptsetup (2:2.0.3-2) unstable; urgency=medium

  The "nights are long in summer" cryptsetup sprint release :-)

  Guilhem and Jonas hacked together for three days (and nights), refactored
  almost all of the cryptsetup packages, squashed (at least) 19 bugs and
  started work on several new features. Yay!

  [ Guilhem Moulin ]
  * cryptsetup-initramfs: Demote "Depends: console-setup, kbd" to Recommends:
    (Closes: #901641.)
  * debian/initramfs/*-hook: complete refactoring. Common functions are now in
    /lib/cryptsetup/functions (source-able from shell scripts).
    (Closes: #784881.)
  * debian/initramfs/cryptroot-hook:
    + Use sysfs(5) block (resp. fs) hierarchies to detect slave dm-crypt
      devices such as LVM2 on top of LUKS (resp. multiple device filesystems
      such as btrfs).  This approach is more robust than parsing the output of
      `lvs` or `btrfs filesystem`.
    + Export relevant crypttab(5) snippet (for devices that need to be
      unlocked at initramfs stage) to the initramfs' /cryptroot/crypttab.
    + Print a warning inviting the user to uninstall 'cryptsetup-initramfs'
      if 1/ the CRYPTSETUP configuration option is unset or null (the
      default), and 2/ the hook didn't detect any device to be unlocked at
      initramfs stage.  The benefit is two-fold: it guides users through the
      package split, and warns them that their system might not reboot if the
      hook script didn't work properly.
  * Remove the 'decrypt_openct' keyscript since openct was last seen in
    oldoldstable, cf. #760258 (ROM).
  * debian/initramfs/cryptroot-script: refactoring, using functions from
    /lib/cryptsetup/functions. (Closes: #720952, #826124.)
    + One can disable the cryptsetup initramfs scripts for a particular boot
      by passing "cryptopts=" as kernel boot argument. (Closes: #873840.)
    + No longer sleep for a full minute after exceeding the maximum number of
      unlocking tries.  (This was added in 2:1.7.3-2 as an attempt to mitigate
      CVE-2016-4484.)  Instead, the script sleeps for 1 second after each failed
      attempt in order to defeat online brute-force attacks. (Closes: #898495.)
  * debian/README.initramfs: Remove mention that the initramfs scripts and the
    crypsetup binary are using a different hash algorithm for plain dm-crypt
    volumes.  This is no longer true since 2:1.0.6~pre1+svn45-1, cf. #406317.
  * debian/cryptdisks.functions:
    + Refactoring, using functions from /lib/cryptsetup/functions.
      (Closes: #859953, #891219.)
    + Install to /lib/cryptsetup/cryptdisks-functions.
  * crypttab(5):
    + Remove support for the 'precheck' option.  The precheck for LUKS devices
      is still hardcoded to `cryptsetup isLuks`; the script refuses to unlock
      non-LUKS devices (plain dm-crypt and tcrypt devices) containing a known
      filesystem (other that swap).
    + Don't ignore the 'plain' option: disable auto-detection and treat the
      device as a plain dm-crypt device. (Closes: #886007.)
    + Add support for some option aliases to unify with systemd's crypttab(5)
      options.  Namely, 'read-only' is an alias for 'readonly', 'key-slot=' is
      an alias for 'keyslot=', 'tcrypt-hidden' is an alias for 'tcrypthidden',
      and 'tcrypt-veracrypt' is an alias for 'veracrypt'.
    + Add support for 'keyfile-size=' and 'keyfile-offset=' options.
      (Closes: #849335.)
    + Source devices can now be specified using their PARTUUID or PARTLABEL,
      similar to fstab(5).
  * debian/scripts/cryptdisks_start: Add support for '-r'/'--readonly' switch
    to setup readonly mappings. (Closes: #782843.)
  * debian/scripts/cryptdisks_stop: Add support for closing multiple disks at
    once.  (Closes: #783194.)

  [ Jonas Meurer ]
  * debian/doc/crypttab.xml:
    + Add a section about the different crypttab formats of our package and
      the systemd cryptsetup wrapper.
    + Document, which options are ignored by the initramfs scripts and which
      are unsupported by the systemd implementation. (Closes: #714380)
    + Clarify documentation of option 'tries'. It also applies when using
      keyscripts, not only with interactive passphrases. (Closes: #826127)
    + Make it obvious that in case a keyscript is configured, the third option
      is passed as argument to the keyscript. Mention the optional requirement
      to quote the value. (Closes: #826122)
    + Some minor wording improvements.
  * debian/control, debian/combat: Bump debhelper compatibility level to 11.
  * debian/rules:
    + Completely refactor the rules file, adapt to debhelper 11 style.
      (Closes: #901713)
    + Run the upstream build-time testsuite thanks to dh_auto_test.
    + Move the luksformat script from cryptsetup-bin to cryptsetup-run.
    + Install the bug-script into all packages.
    + No longer install the sysvinit initscripts into cryptsetup-udeb.
    + Remove many old build and compile flags, debhelper takes care of most of
      them nowadays.

 -- Jonas Meurer <email address hidden>  Mon, 18 Jun 2018 02:40:41 +0200
Superseded in sid-release on 2018-06-18
cryptsetup (2:2.0.3-1) unstable; urgency=medium

  [ Guilhem Moulin ]
  * Split cryptsetup package into cryptsetup-run (init scripts and libraries)
    and cryptsetup-initramfs (initramfs integration).  The 'cryptsetup'
    package is now a transitional dummy package.  (Closes: #783297.)
  * debian/cryptsetup-run.preinst: remove logic for rm_conffile
    /etc/udev/rules.d/z60_cryptsetup.rules, which was added for #493151 in
    2:1.0.6-5.
  * debian/cryptdisks.bash_completion: only complete cryptdisks_stop arguments
    with crypttab(5) targets that already exist, and only complete
    cryptdisks_start targets with crypttab(5) targets that don't exist yet.
    (Closes: #827200.)
  * debian/initramfs/cryptroot-hook:
    + use copy_file() from hook-functions to copy key files to the initrd.
      This ensures that relevant messages are printed in verbose mode.
      (Closes: #898516.)
    + remove backward compatibility support for setting CRYPTSETUP and
      KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf.  Since 2:1.7.2-1
      they should be set in /etc/cryptsetup-initramfs/conf-hook.
    + add 'algif_skcipher' kernel module to large initramfs (if the MODULES
      variable isn't "dep").  That module is required for unlocking LUKS2
      devices.

  [ Jonas Meurer ]
  * New upstream release 2.0.3
  * debian/control:
    - Bump standards-version to 4.1.4, no changes required
    - Change my mail address to '<email address hidden>'
    - Change Vcs links to the new repository on salsa.debian.org
  * debian/README.source: minor improvements
  * debian/doc/crypttab.xml: Fix typo in manpage

 -- Jonas Meurer <email address hidden>  Fri, 15 Jun 2018 15:32:16 +0200
Superseded in buster-release on 2018-06-30
Superseded in sid-release on 2018-06-16
cryptsetup (2:2.0.2-1) unstable; urgency=low

  * New upstream release 2.0.2
  * debian/initramfs/cryptroot-hook: copy libgcc_s.so.1 to the initrd, as
    libargon2 (used by LUKS2 devices) uses pthread_cancel.  (Closes: #890798.)
  * debian/initramfs/cryptroot-script: create locking directory at initramfs
    stage, before running the cryptsetup binary, which would create it
    automatically but also spew a warning.
  * debian/patches/Fix-loopaesOpen-for-keyfile-on-standard-input.patch:
    removed as it was cherry-picked from upstream and included in 2.0.2.
  * debian/libcryptsetup12.symbols: update with new crypt_token_is_assigned()
    API function.

 -- Guilhem Moulin <email address hidden>  Sat, 17 Mar 2018 18:03:03 +0100
Superseded in buster-release on 2018-03-28
Superseded in sid-release on 2018-03-18
cryptsetup (2:2.0.1-1) unstable; urgency=low

  * New upstream release 2.0.1:
    - Use /run/cryptsetup as default for cryptsetup locking dir.
    - Add missing symbols for new functions to debian/libcryptsetup12.symbols.
  * debian/copyright: update copyright years.
  * debian/patches: backport upstream's 8728ba08 to fix opening of loop-AES
    devices using --key-file=-.  (Closes: #888162.)
  * debian/rules: replace `autoreconf -f -i` with `dh_autoreconf` and add
    `dh_autoreconf_clean` to the "clean:" target.  This bumps the minimum
    debhelper version to 9.20160403~ in Build-Depends. (Closes: #888742.)

 -- Guilhem Moulin <email address hidden>  Sun, 11 Feb 2018 00:02:05 +0100
Superseded in sid-release on 2018-02-11
cryptsetup (2:2.0.0-1) unstable; urgency=low

  [ Guilhem Moulin ]
  * cryptsetup-bin: Install /usr/lib/tmpfiles.d/cryptsetup.conf to create the
    LUKS2 locking directory /run/lock/cryptsetup.  For sysVinit, this is taken
    care of by the cryptdisks-early init file.
  * Remove debian/patches/Use-system-libargon2.patch (applied upstream).
  * debian/README.{source,gbp.conf}: Upgrade to latest upstream conventions.
  * debian/control: Bump Standards-Version to 4.1.3 (remove verbatim copy of
    CC0-1.0 license from debian/copyright).
  * debian/rules: Fix symlink target of libcryptsetup.so in libcryptsetup-dev
    package.  Thanks to Alan Fung for the report and patch.  (Closes: #885435.)
  * debian/initramfs/cryptroot-{hook,script}: Add support for 'skip' and
    'offset' crypttab(5) options in the initramfs script.  Thanks to Pascal
    Liehne for the report and patch.  (Closes: #872342.)

  [ Jonas Meurer ]
  * debian/initramfs/cryptopensc-*: Install required libs and config files for
    pcscd and use correct path to pcscd. Thanks to Martijn van de Streek for
    bugreport and patch. (Closes: #880750)

 -- Guilhem Moulin <email address hidden>  Mon, 22 Jan 2018 00:25:52 +0100
Deleted in experimental-release (Reason: None provided.)
cryptsetup (2:2.0.0~rc1-1) experimental; urgency=low

  * debian/rules: Compile with --enable-libargon2 to use system libargon2
    instead of bundled version.
  * debian/control: Bump Standards-Version to 4.1.1 (no changes necessary).
  * debian/copyright: Update licensing information.

 -- Guilhem Moulin <email address hidden>  Wed, 01 Nov 2017 17:37:15 +0100
Superseded in experimental-release on 2017-11-03
cryptsetup (2:2.0.0~rc0-1) experimental; urgency=low

  * New upstream release 2.0.0 RC0 (closes: #877566).  Highlights include:
    - Support for new on-disk LUKS2 format, offering authenticated disk
      encrption (EXPERIMENTAL), memory-hard PBKDF (argon2), kernel keyring for
      storage of key material, and more.
    - New CLI `integritysetup` which can setup standalone dm-integrity devices.
    - soname bump of libcryptsetup library.
  * Rename library package from libcryptsetup4 to libcryptsetup12.
  * Also remove deprecated upstart configuration files on upgrade and purge.
  * debian/control: Bump Standards-Version to 4.1.0 (no changes necessary).
  * debian/*: Apply wrap-and-sort(1).

 -- Guilhem Moulin <email address hidden>  Tue, 03 Oct 2017 03:37:36 +0200
Superseded in buster-release on 2018-02-22
Superseded in sid-release on 2018-02-20
cryptsetup (2:1.7.5-1) unstable; urgency=low

  * New upstream release 1.7.5.
  * cryptroot-unlock: When the standard input is a TTY, keep prompting for
    passphrases until there are no more devices to unlock. (Closes: #866786)
  * cryptsetup.prerm: Don't try to call `dmsetup table` to list dm-crypt
    devices when the dm_mod module isn't loaded. (Closes: #870673)
  * Rename upstream signing key from debian/upstream/signing-key.asc to
    debian/upstream-signing-key.asc in order to avoid lintian error
    orig-tarball-missing-upstream-signature" (we use the key to verify
    signature on upstrem's git tags).
  * Remove deprecated upstart configuration files: /etc/init/cryptdisks.conf
    and /etc/init/cryptdisks-udev.conf.  Cf. `lintian-info --tags
    package-installs-deprecated-upstart-configuration`.
  * debian/cryptsetup.{postinst,postrm}: Don't hard-code path to
    update-initramfs(1).
  * debian/rules: Include /usr/share/dpkg/pkg-info.mk to avoid parsing
    dpkg-parsechangelog(1) output.
  * debian/control: Bump Standards-Version to 4.0.0 (no changes necessary).

 -- Guilhem Moulin <email address hidden>  Thu, 14 Sep 2017 13:00:23 +0200
Superseded in buster-release on 2017-09-24
Published in stretch-release on 2017-05-17
Superseded in sid-release on 2017-09-15
cryptsetup (2:1.7.3-4) unstable; urgency=high

  [ Guilhem Moulin ]
  * Drop obsolete update-rc.d parameters.  Thanks to Michael Biebl for the
    patch. (Closes: #847620)
  * debian/copyright: Fix license mismatch (docs/examples/*
    lib/crypto_backend/* lib/loopaes/* lib/tcrypt/* lib/verity/* python/* are
    LGPL-2.1+ not GPL-2+). (Closes: #861802)
  * debian/initramfs/cryptroot-hook: honor RESUME={none,auto} as documented in
    initramfs.conf(5) by initramfs-tools >=0.129. (Closes: #861074)

 -- Jonas Meurer <email address hidden>  Tue, 09 May 2017 13:50:59 +0200
Superseded in stretch-release on 2017-05-17
Superseded in sid-release on 2017-05-09
cryptsetup (2:1.7.3-3) unstable; urgency=medium

  [ Jonas Meurer ]
  * debian/scripts/decrypt_ssl: fix script to actually output the decrypted
    key. Apparently this script has been broken since June 2008. Doesn't seem
    like anybody is using it. Thanks to g1 for spotting and reporting the
    error. (Closes: #844050)
  * debian/initramfs/cryptroot-script:
    + limit the sleep after max passphrase attempts to devices for the rootfs.
      This mitigates the negative impact in case of broken keyscripts etc.
    + add $crypttarget to each message to provide more context.
  * debian/initramfs/cryptroot-hook: fix sanity check for key files on root
    fs in get_device_opts(): detect if processed device is a root (parent)
    device even for LVM setups. (closes: #842951)
  * debian/README.initramfs: minor fix to the decrypt_derived keyscript
    section: now that systemd is standard, 'cryptdisks_start' should be used
    instead of '/etc/init.d/cryptdisks start'.
  * debian/manpages/crypttab.xml: add a warning to the 'keyscript' option
    that systemd doesn't support the option (yet) and mention the possible
    workaround to process the devices in question in the initramfs.

  [ Guilhem Moulin ]
  * add debian/gbp.conf to set the upstream tag to "v%(version%.%_)s".  As
    this enables git-buildpackage >= 0.8.7 to automatically generate
    orig.tar.gz, step nr. 5 is now removed from debian/README.source.
  * debian/compat: bump debhelper compatibility version to 9.
  * debian/initramfs/cryptroot-hook:
    + fix tab damage for consistency with the rest of the code
    + better warning for deprecated settings
    + fix sanity check for key files in get_device_opts(): print a warning if
      the key file isn't on the root FS, or if the root device is not
      encrypted, even for LVM setups.
    + fix sanity check for key files in get_device_opts(): print a warning if
      the processed device is a resume device, even for LVM setups.
    + fix runtime error in get_lvm_deps() if the first argument is either
      missing or the empty string.
    + reset IFS after processing $rootopts in get_device_opts(); the missing
      linefeed in $IFS caused LVM logical volumes spaning over multiple PVs
      not to have their parent devices detected correctly.

 -- Jonas Meurer <email address hidden>  Fri, 09 Dec 2016 01:18:17 +0100
Superseded in stretch-release on 2016-12-20
Superseded in sid-release on 2016-12-09
cryptsetup (2:1.7.3-2) unstable; urgency=medium

  [ Guilhem Moulin ]
  * debian/README.Debian: update authorized_keys(5) path, incorrect since
    2:1.7.2-1, for remote unlocking at initramfs stage using the dropbear SSH
    server.

  [ Jonas Meurer ]
  * debian/initramfs/cryptroot-script: sleep after max passphrase attempts.
    This mitigates local brute-force attacks and addresses CVE-2016-4484.
    Thanks to Ismael Ripoll for discovery and report.
    - decrease $count by one in tries loop if unlocking was successful.
    - warn and sleep for 60 seconds if the maximum allowed attempts of
      unlocking (configured with crypttab option tries, default=3) are
      reached.

 -- Jonas Meurer <email address hidden>  Mon, 07 Nov 2016 11:34:41 +0100
Superseded in sid-release on 2016-11-07
cryptsetup (2:1.7.3-1) unstable; urgency=medium

  * New upstream release 1.7.3.
  * debian/rules: run dh_strip_nondeterminism(1p) in binary-arch rules to
    make the package build more reproducible. Introduces a new Build-Depends
    on dh-strip-nondeterminism. Thanks to Reiner Herrmann for bugreport and
    patch. (Closes: #842581)

 -- Jonas Meurer <email address hidden>  Mon, 31 Oct 2016 22:00:52 +0100
Superseded in stretch-release on 2016-11-14
Superseded in sid-release on 2016-11-01
cryptsetup (2:1.7.2-5) unstable; urgency=high

  [ Guilhem Moulin ]
  * debian/upstream/signing-key.asc: add upstream's armored OpenPGP key,
    fingerprint 2A29 1824 3FDE 4664 8D06  86F9 D9B0 577B D93E 98FC.
  * debian/watch: add "pgpsigurlmangle" option so uscan(1) can automatically
    verify cryptographic signatures on release tarballs.

  [ Jonas Meurer ]
  * debian/initramfs/cryptroot-hook: only source crypt-hook from
    /etc/cryptsetup-initramfs/ when present. (Closes: #841503)

 -- Jonas Meurer <email address hidden>  Fri, 21 Oct 2016 18:10:56 +0200
Superseded in stretch-release on 2016-10-26
Superseded in sid-release on 2016-10-24
cryptsetup (2:1.7.2-4) unstable; urgency=high

  [ Guilhem Moulin ]
  * debian/initramfs/cryptroot-hook:
    + Fix warning printed for lvm devices backed by multiple dm-crypt nodes.
      Regression introduced in 2:1.7.2-1.  Thanks Zoltan Hidvegi, for the
      patch. (Closes: #840480)
    + Don't escape all slash characters "/" in device paths of the form
      /dev/by-label/..., only the label itself.  Regression introduced in
      2:1.7.2-2 as a fix for #839888.

 -- Jonas Meurer <email address hidden>  Thu, 13 Oct 2016 23:11:45 +0200
Superseded in stretch-release on 2016-10-17
Superseded in sid-release on 2016-10-14
cryptsetup (2:1.7.2-3) unstable; urgency=medium

  [ Guilhem Moulin ]
  * debian/initramfs/cryptroot-conf: don't set CRYPTSETUP and KEYFILE_PATTERN,
    so the (deprecated) values set in /etc/initramfs-tools aren't overridden
    to the empty string by default.  Regression introduced in 2:1.7.2-1.
    (Closes: #839994.)
  * debian/README.initramfs: fixed minor typo.

 -- Jonas Meurer <email address hidden>  Sat, 08 Oct 2016 00:01:25 +0200
Superseded in sid-release on 2016-10-08
cryptsetup (2:1.7.2-2) unstable; urgency=medium

  * debian/cryptdisks.functions: fix a nasty typo in do_start that rendered
    systems with sysVinit unbootable. Thanks to Marc Haber for bugreport and
    patch (Closes: #839888)

 -- Jonas Meurer <email address hidden>  Thu, 06 Oct 2016 10:47:05 +0200
Superseded in sid-release on 2016-10-07
cryptsetup (2:1.7.2-1) unstable; urgency=medium

  [ Jonas Meurer ]
  * new upstream release 1.7.2. Highlights include:
    - code now uses kernel crypto API backend according to new changes
      introduced in mainline kernel. (in 1.7.1)
    - cryptsetup now allows special "-" (standard input) keyfile handling
      even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices. (in 1.7.1)
    - Support activation options for error handling modes in Linux kernel
      dm-verity module. (in 1.7.2)
  * debian/cryptdisks.functions: use '--key-file=-' again with the tcrypt
    extension, now that upstream issue #269 is fixed.
  * migrate the packaging repository from SVN to Git:
    - debian/control: Update Vcs-* fields to point to the new git repository.
    - debian/README.source: document new repository structure and release
      handling.
  * debian/README.Debian, debian/NEWS: minor typo fixes.
  * debian/rules: run pod2man --release="$(DEB_VERSION). (Closes: #839352)

  [ Guilhem Moulin ]
  * debian/control: add self to uploaders.
  * debian/cryptdisks.functions: when iterating through the crypttab, don't
    abort after the first disk that fails to be closed.  Regression introduced
    2:1.7.0-1 when the filed is sourced under 'set -e'.
  * debian/cryptdisks.functions: stop using `seq` since cryptsetup doesn't
    depend on busybox.  Instead, try again after 1, 2, 4, 8 and 16s when an
    encrypted disk cannot be closed. (Closes: #811456)
  * debian/cryptsetup.maintscript: add a "rm_conffile" directive to remove
    conffile /etc/bash_completion.d/cryptdisks, obsolete since 2:1.7.0-1.
    (Closes: #810227)
  * debian/README.initramfs: fix typo s/initramfs-update/update-initramfs/.
    Thanks, Stuart Prescott. (Closes: #827263)
  * debian/rules: Add 'hardening=+pie' to DEB_BUILD_MAINT_OPTIONS to compile
    ELF executables as PIEs.
  * debian/control: Bump Standards-Version to 3.9.8 (no changes necessary).
  * debian/cryptsetup.lintian-overrides: Remove unused lintian override
    init.d-script-does-not-source-init-functions.
  * Use /etc/crytsetup-initramfs/conf-hook for initramfs hook script
    configuration.  For backward compatibility setting CRYPTSETUP and
    KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf is still supported
    for now, but causes the hook to print a warning.
    This is done following the initramfs-tools maintainers' request (see
    #807527) that hook and boot script configuration files be stored outside
    the /etc/initramfs-tools directory. (Closes: #783393)
  * Print a warning when private key material is to be included in the
    initramfs image (ie, if $KEYFILE_PATTERN is not empty), and the image is
    created with a permissive mode.
  * Add Indonesian debconf templates translation.  Thanks, Izharul Haq for the
    patch. (Closes: #835158)
  * debian/initramfs/cryptroot-hook: Avoid leading space in $rootdevs,
    $resumedevs, etc.
  * Support unlocking devices at initramfs stage using a key file stored on
    the encrypted root FS.  Note however that resume devices won't be unlocked
    this way since the resume boot script is currently run before mounting the
    root FS. (Closes: #776409)
  * debian/initramfs/cryptroot-hook: Avoid undesired effects for target or
    device names containing non-alphanumeric characters such as "." or "-":
    + replace `grep "^$x\b"` by `awk -vx="$x" '$1==x {print}'`; and
    + replace `echo "$x"` by printf '%s' "$x" when the argument might start
      with a dash.
  * debian/initramfs/cryptroot-{hook,script}, debian/cryptdisks.functions:
    ensure slash characters "/" from device labels are escaped when
    constructing symlinks under /dev/disk/by-label.
  * debian/scripts/decrypt_gnupg:
    + Remove --no-mdc-warning to display a warning if the MDC integrity
      protection is missing.
    + Replace "GnuPG key" by "gpg-encrypted key" in messages and
      documentation.
  * debian/initramfs/cryptgnupg-hook: Add support for multiple devices
    encrypted using a gpg-encrypted key.
  * debian/README.gnupg: Indicate that not the only the gpg-encrypted key for
    the root FS is copied onto the initramfs, but also the ones for all
    devices that need to be unlocked at initramfs stage.
  * debian/initramfs/cryptroot-hook: Fix bug for device label starting with
    "UUID=".

  [ Helmut Grohne ]
  * libcryptsetup-dev: move the .pc file to a multiarch location such that
    cross-pkg-config can find it. (closes: #811545)
  * Fix FTCBFS: Use host arch compiler for askpass as well. (closes: #811559)

 -- Jonas Meurer <email address hidden>  Wed, 05 Oct 2016 20:53:09 +0200
Superseded in stretch-release on 2016-10-13
Superseded in sid-release on 2016-10-06
cryptsetup (2:1.7.0-2) unstable; urgency=medium

  [ Guilhem Moulin ]
  * Fix cryptsetup shutdown procedure on sysvinit, broken since 2:1.7.0-1 for
    systems without active crypttab entry at the time fo the shutdown.
    (Closes: #792552, #810380)

 -- Jonas Meurer <email address hidden>  Sun, 10 Jan 2016 18:45:20 +0100
Superseded in sid-release on 2016-01-11
cryptsetup (2:1.7.0-1) unstable; urgency=medium

  [ Jonas Meurer ]
  * new upstream release 1.7.0. Highlights include:
    - cryptsetup TCRYPT mode now supports VeraCrypt devices (in 1.6.7)
    - fix activation using (UNSECURE) ECB mode (in 1.6.7) (closes: #784129)
    - properly support stdin "-" handling for luksAddKey for both new and old
      keyfile parameters. (in 1.6.8)
    - default hash function is now SHA256 (used in key derivation function
      and anti-forensic splitter) (in 1.7.0)
  * debian/cryptsetup.functions, debian/initramfs/cryptroot.{hook,script}: add
    support for veracrypt option to cryptdisks initscript and cryptroot
    initramfs script. (closes: #806290)
  * debian/cryptdisks.functions: don't use '--key-file=-' with the tcrypt
    extension. This fixes the tcrypt implementation in the initscript and
    provides a workaround for upstream issue #269.
  * debian/cryptsetup.bug-script: do not send potentially private information
    without prior user confirmation in reportbug script. (Closes: #783298)
  * debian/cryptsetup.apport: do not send potentially private information
    without prior user confirmation in apport hook.
  * debian/control, debian/NEWS: fix links to cryptsetup homepage/FAQ. Homepage
    (and FAQ) moved from code.google.com to gitlab.com. (closes: #781674)
  * debian/*: update hyperlinks to use https instead of http where appropriate.
  * debian/rules, debian/post{inst,rm}: don't install cryptdisks_st{art,op}
    symlinks to /usr/sbin if everything-in-usr directories scheme is used.
    Thanks to Marco d'Itri for the patch. (closes: #767921)
  * debian/scripts/luksformat: search for mkfs binaries in /usr/sbin, /usr/bin,
    /sbin and /bin (default order in $PATH). This fixes luksformat for btrfs
    filesystems. (closes: #805353)
  * debian/dirs, debian/rules: install cryptdisks bash-completion script into
    /usr/share/bash-completion/completions.
  * debian/cryptdisks.functions: iterate over remaining open crypttab devices
    in do_stop() in order to close dependent devices and don't freeze the
    shutdown process. Thanks to Avatar for the patch. (closes: #792552)
  * debian/rules: set V=1 in order to make build logs usable for blhc.
  * debian/rules: set DEB_VERSION and DEB_DATE in a way to make cryptsetup
    build reproducible. Thanks to Dhole and Valentin Lorentz for patches.
    (closes: #780864, #794106)
  * debian/cryptdisks.functions: bring the passphrase prompt in line with the
    one from initramfs script in order to make the user experience more
    consistent. (closes: #772943)
  * debian/initramfs/cryptroot-script: move sanity checks of $cryptkeyscript
    and potential expansion to '/lib/cryptsetup/askpass' to the beginning of
    setup_mapping().

  [ Guilhem Moulin ]
  * debian/README.{Debian,remote}: remove dropbear-specific configuration and
    point to dropbear-initramfs instead. Since version 2015.70-1, dropbear
    ships dropbear-specific initramfs configuration and documentation in an
    own binary package dropbear-initramfs. (closes: #801471)
  * debian/initramfs/cryptroot-{hook,script}: add support for 'keyslot' option
    to cryptroot initramfs script. (closes: #801479)
  * debian/README.initramfs, debian/initramfs/cryptroot-hook: add support for
    storing keyfiles directly in the initrd. (closes: #786578)
  * debian/initramfs/cryptroot-hook: display a warning for invalid source
    devices. (closes: #720515, #781955, #784435)
  * debian/askpass.c: add plymouth support to the askpass helper command.
  * debian/cryptdisks.functions, debian/initramfs/cryptroot-script: remove
    special treatment of plymouth installations now that askpass supports
    plymouth natively.
  * debian/initramfs/cryptroot-unlock(-hook): add initramfs hook and script
    to remotely unlock cryptroot devices. (closes: #782024, #697156)

 -- Jonas Meurer <email address hidden>  Thu, 07 Jan 2016 02:22:33 +0100
Superseded in stretch-release on 2016-01-16
Published in jessie-release on 2015-02-11
Superseded in sid-release on 2016-01-07
cryptsetup (2:1.6.6-5) unstable; urgency=high


  * debian/cryptdisks.functions: fix the precheck for ubuntu+upstart
    before invoking 'status cryptdisks-udev'. (closes: #773456)
  * debian/cryptdisks.functions: fix the insufficient grep regex for
    detecting a running cryptdisks-udev (upstart) init script.

 -- Jonas Meurer <email address hidden>  Thu, 22 Jan 2015 21:22:08 +0100
Superseded in jessie-release on 2015-02-11
Superseded in sid-release on 2015-01-23
cryptsetup (2:1.6.6-4) unstable; urgency=medium


  [ Simon McVittie ]
  * debian/initramfs/cryptroot-script: decrypt /usr as well as / so that
    split-/usr will work with initramfs-tools (>= 0.118). (closes: #767832)

  [ Jonas Meurer ]
  * debian/cryptdisks.funcctions: check for cryptdisks-udev initscript before
    actually invoking 'status' on it. It's only useful in ubuntu+upstart
    environment anyway. (closes: #764564)
  * debian/askpas.c: fix systemd_read() to really strip trailing newline from
    input. Thanks to Quentin Lefebvre for report and patch. (closes: #768407)

 -- Jonas Meurer <email address hidden>  Wed, 17 Dec 2014 14:24:41 +0100
Superseded in jessie-release on 2014-12-23
Superseded in sid-release on 2014-12-17
cryptsetup (2:1.6.6-3) unstable; urgency=medium


  * debian/initramfs/cryptroot-script: fix environment variable $CRYPTTAB_TRIED
    to hold the number of actual tries instead of the number of maximum tries.
    Thanks to Luc Maisonobe for debugging and the patch. (closes: #758788)

 -- Jonas Meurer <email address hidden>  Tue, 07 Oct 2014 19:51:36 +0200
Superseded in jessie-release on 2014-11-02
Superseded in sid-release on 2014-10-23
cryptsetup (2:1.6.6-2) unstable; urgency=medium


  * rename 'luksheader' option in crypttab to 'header', as it may be used for
    different encryption modes later as well.
  * add support for detached LUKS header to initramfs scripts. Thanks to Pablo
    Santiago for the hint and DiagonalArg from Launchpad for patch suggestions.
    (closes: #716652)
  * fix support for truecrypt devices in initramfs scripts. Thanks to Lukas
    Wunner for the patch. (closes: #748286)
  * use blkid instead of fstype everywhere in cryptroot initramfs scripts.
    Thanks to Pablo Santiago for the hint.
  * debian/initramfs/cryptroot-hook: add support for 'initramfs' option to
    crypttab. Thanks to Hugh Davenport for the patch. (closes: #697162)
  * debian/initramfs/cryptroot-script: add support for multiple btrfs root
    devices. This should fix the WARNING at mkinitramfs for unencrypted
    btrfs root device(s) as well. Thanks to Jon Severinsson and Gerald Turner
    for patches. (closes: #682751, #762268)
  * debian/initramfs/cryptroot-script: skip missing device in initramfs after
    dropping to the panic/emergency shell instead of looping in the panic
    shell. Thanks to Cédric Barboiron for the patch. (closes: #762573)
  * debian/initramfs/cryptroot-script: for LVM devices, don't set ROOT to
    $NEWROOT in /etc/param.conf in case that /etc/param.conf already has ROOT
    set. This is the case for flash-kernel devices. Thanks to Brandon Parker
    for bugreport and patch. (closes: #759720)
  * debian/initramfs/cryptroot-script: in slumber loop, retry vg_activate
    every ten seconds. Fixes LVM on USB in cases that the USB device didn't
    come up fast enough. (closes: #762032)
  * fix package version number in debian/NEWS.
  * bump standards-version to 3.9.6, no changes needed.

 -- Jonas Meurer <email address hidden>  Wed, 20 Aug 2014 19:59:03 +0200
Superseded in jessie-release on 2014-10-18
Superseded in sid-release on 2014-10-07
cryptsetup (2:1.6.6-1) unstable; urgency=medium


  * new upsream version 1.6.6.
  * add versioned dependency on cryptsetup-bin to cryptsetup. (closes: #747670)
  * change versioned build-depends on automake to >= 1.12 to reflect upstream
    requirements. Thanks to Joel Johnson. (closes: #740688)
  * build and link against libgcrypt20 (>= 1.6.1). Add note about whirlpool
    bug in older libgcrypt releases and how to deal with it to debian/NEWS.
  * add systemd support to askpass. Thanks to David Härdeman for the patch.
    (closes: #742600, #755074)
  * fix initramfs cryptroot hook to not include modules unconditionally. Thanks
    to Dmitrijs Ledkovs for bugreport and patch. (closes: #714104)
  * fix decrypt_keyctl script to ask again in case of wrong passphrase. Thanks
    to Dmitriy Matrosov for bugreport and patch. (closes: #748368)
  * incorporate changes from ubuntu package:
    - don't hardcode paths to udevadm and udevsettle.
    - restore terminal settings in askpass.c. (closes: #714942)
    - migrate upstart jobs to new names.

 -- Jonas Meurer <email address hidden>  Tue, 04 Mar 2014 20:14:07 +0100
Superseded in jessie-release on 2014-08-26
Superseded in sid-release on 2014-08-21
cryptsetup (2:1.6.4-4) unstable; urgency=medium


  * really fix plain device opening in initramfs cryptroot script this time.
    Thanks again to Dirk Griesbach for the patch. (closes: #740592)

 -- Jonas Meurer <email address hidden>  Mon, 03 Mar 2014 21:00:16 +0100
Superseded in sid-release on 2014-03-05
cryptsetup (2:1.6.4-3) unstable; urgency=medium


  * fix plain device opening, broken by switch to new unified open command
    in 1.6.4-1. Thanks to Dirk Griesbach for the patch. (closes: #740592)
  * update italian debconf translations, thanks to Italian l10n team and
    Francesca Ciceri. (closes: #740557)
  * remove trailing whitespaces from text files.
  * some minor packaging fixes thanks to lintian checks:
    - fix VCS-* fields in debian/control to use canoncial URIs.
    - remove empty directory from libcryptsetup4 package.
    - add lintian-override for init.d-script-not-included-in-package.

 -- Jonas Meurer <email address hidden>  Sun, 02 Mar 2014 13:51:35 +0100
Superseded in sid-release on 2014-03-04
cryptsetup (2:1.6.4-2) unstable; urgency=medium


  * fix libcryptsetup.so symlink. Thanks to Michael Biebl. (closes: #740484)

 -- Jonas Meurer <email address hidden>  Sun, 02 Mar 2014 01:33:39 +0100
Superseded in sid-release on 2014-03-03
cryptsetup (2:1.6.4-1) unstable; urgency=low


  * new upstream version 1.6.4.
    - minor fixes in cryptsetup manpage. (closes: #725131)
    - by default verify new passphrase in luksChangeKey and luksAddKey
      commands (closes: #728302)
    - cryptsetup releases are released on kernel.org since 1.6.4. Change
      debian/watch accordingly.
  * use compiled defaults for cypher, keysize and hash in luksformat script
  * improvements to docs (thanks to Christoph Anton Mitterer):
    - small improvement to explanation for CRYPTTAB_TRIED environment variable
      in crypttab manpage
    - update cipher, size and hash settings in examples (closes: #714331)
    - replace '/dev/hdX' devices with '/dev/sdX' in examples
    - full path to keyscripts in /lib/cryptsetup/scripts not needed in examples
  * update init and initramfs scripts to use new open syntax (closes: #714395)
  * add scripts/local-block/cryptroot in order to support event based block
    device handling. Thanks to Goswin von Brederlow (closes: #678692)
  * add support for TCRYPT device handling to cryptdisks init and cryptroot
    initramfs scripts. (closes: #722509)
  * improve passphrase prompt in cryptroot initramfs script. Thanks to Joachim
    Breitner. (closes: #728080)
  * add support for detached luks header to cryptdisks init script. Thanks to
    Ximin Luo. (closes: #716652)
  * enhance docs about remote unlocking feature. Thanks to Karl O. Pinc.
    (closes: #715487, #714952)
  * update README.keyctl docs: since linux kernel 2.6.38, dm-crypt is not
    single-threaded any longer. (closes: #714806)
  * don't sleep between retries in cryptroot initramfs script. (closes: #715525)
  * add multi-arch support. Thanks to Shawn Landden. (closes: #696008, #732099)
  * suggest keyutils. Thanks to Nikolaus Rath. (closes: #734133, #735496)
  * fix initramfs/cryptroot-hook to support more than one lvm source devices.
    Thanks to Jens Reinsberger for the patch. (closes: #659688, #737686)
  * bump standards-version to 3.9.5, no changes needed.
  * override lintian false positives for init scripts:
    - init.d-script-does-not-implement-optional-option status
    - init.d-script-does-not-source-init-functions
   

 -- Jonas Meurer <email address hidden>  Fri, 28 Jun 2013 12:14:55 +0200
Superseded in jessie-release on 2014-03-10
Superseded in sid-release on 2014-03-02
cryptsetup (2:1.6.1-1) unstable; urgency=low


  [ Milan Broz ]
  * new upstream version. (closes: #704827, 707997)
    - default LUKS encryption mode is XTS (aes-xts-plain64) (closes: #714331)
    - adds native support for Truecrypt and compatible on-disk format
    - adds benchmark command
    - adds cryptsetup-reencrypt, a tool to offline reencrypt LUKS device
    - adds veritysetup, a tool for dm-verity block device verification module
  * install docs/examples into docs at cryptsetup-dev package.
  * fix compilation warnings in askpass.c.

  [ Steve Langasek ]
  * fix upstart jobs to not cause boot hangs when actually used in
    conjunction with startpar.  (closes: #694499, #677712).
  * in connection with the above, make the cryptdisks-early job explicitly
    wait for 'umountfs' on shutdown just like cryptdisks does; otherwise,
    the teardown of the cryptdisks upstart job may cause the cryptdisks-early
    init script run before we're done unmounting filesystems.

  [ Jonas Meurer ]
  * minor wording fixes to README.initramfs, suggested by intrigeri and Adam
    D. Barrett.
  * add bash-completion script for cryptdisks_{start,stop}. Thanks to Claudius
    Hubig for providing a patch. (closes: #700777)
  * support specifying key-slot in crypttab. Thanks to Kevin Locke for the
    patch. (closes: #704470)
  * remove evms support code from cryptroot initramfs script. (closes: #713918)
  * fix location of keyscripts in initramfs documentation. (closes: #697446)
  * fix a typo in decrypt_ssl script that prevented stdout from beeing
    redirected to /dev/null. (closes: #700285)
  * give full path to blkid in crytproot initramfs script. (closes: #697155)
  * export number of previous tries from cryptroot and cryptdisks to
    keyscript. Thanks to Laurens Blankers for the idea. Opens the possibility
    to fallback after a given number of tries for keyscripts. (closes: #438481,
    #471729, #697455)
  * improve check for cpu hardware encryption support in initramfs cryptroot
    hook. (closes: #714326)

 -- Jonas Meurer <email address hidden>  Fri, 28 Jun 2013 12:10:41 +0200
Superseded in jessie-release on 2013-09-08
Published in wheezy-release on 2012-11-14
Superseded in sid-release on 2013-06-29
cryptsetup (2:1.4.3-4) unstable; urgency=medium


  * change recommends for busybox to busybox | busybox-static. Thanks to
    Armin Haas for the bugreport. (closes: #692151)

 -- Jonas Meurer <email address hidden>  Wed, 07 Nov 2012 16:12:25 +0100
Superseded in sid-release on 2012-11-07
cryptsetup (2:1.4.3-3) unstable; urgency=medium


  * add recommends for 'kbd, console-setup' to cryptsetup package. Both are
    necessary to support local keymap in initramfs. Thanks to Raphaël Hertzog
    for the bugreport. (closes: #689722)
  * move suggestion for 'initramfs-tools (>= 0.91) | linux-initramfs-tool,
    busybox' to recommends. Both are required for encrypted root fs.
  * remove suggestion for udev, most debian systems have it installed anyway.
  * mention option to use UUID=<luks_uuid> for source device in crypttab(5).
    Thanks to Felicitus for the bug report. (closes: #688786)
  * add a paragraph in README.initramfs: Describe, why renaming the target
    name is not supported for encrypted root devices. Thanks to Adam Lee for
    bugreport and proposed workaround for this limitation. (closes: #671037)
  * fix keyfile permission checks in cryptdisks init scripts to follow
    symlinks. Thanks to intrigeri for the bugreport. (closes: #691517)
  * fix owner group check for keyfile in cryptdisks init scripts to really
    check owner group.
  * update debconf translations:
    - brasilian portuguese, thanks to Adriano Rafael Gomes. (closes: #685762)
    - japanese, thanks to victory. (closes: #690784)
  * fix typo in manpages: s/passphase/passphrase. Thanks to Milan Broz for
    the bugreport. (closes: #684086)

 -- Jonas Meurer <email address hidden>  Thu, 01 Nov 2012 15:34:09 +0100
Superseded in wheezy-release on 2012-11-14
Superseded in sid-release on 2012-11-02
cryptsetup (2:1.4.3-2) unstable; urgency=medium


  * fix the shared library symbols magic: so far, the symbols file for
    libcryptsetup4 included just a wildcard for all exported symbols, with
    libcrypsetup4 (>= 2:1.4) as minimum version. This was wrong. Symbols
    that were added later need adjusted minimum versions. Thanks for the
    great help in #debian-mentors. (closes: #677127)
  * remove emtpy directory /lib from cryptsetup-bin package.
  * compile askpass and passdev with CFLAGS, CPPFLAGS and LDFLAGS.

 -- Jonas Meurer <email address hidden>  Tue, 12 Jun 2012 21:26:18 +0200
Superseded in sid-release on 2012-06-14
cryptsetup (2:1.4.3-1) unstable; urgency=low


  [ Jonas Meurer ]
  * mention limitations for keyscripts in crypttab(5) manpage: keyscripts
    must not depend on binaries/files which are part of the to-be-unlocked
    device. (closes: #665494)
  * bump versioned build-dependency on debhelper now that we install
    upstart initscripts in debian as well.
  * change versioned breaks/replaces for cryptsetup-bin on cryptsetup to
    1.4.3-1~, fixing upgrades in debian.

  [ Jean-Louis Dupond ]
  * New upstream version. (closes: #670071)
    - Fix keyslot removal (closes: #672299)
    - Add -r to cryptsetup.8 (closes: #674027)
  * Split up package in cryptsetup and cryptsetup-bin.
  * I'm now co-maintainer (closes: #600777).
  * Start cryptdisks-enable upstart job on 'or container', to let us
    simplify the udevtrigger job.
  * debian/cryptdisks.functions: handle the case where crypttab contains a
    name for the source device that is not the kernel's preferred name for
    it (as is the case for LVs). (Thanks Steve Langasek)
  * debian/cryptdisks.functions: fix a race condition in some cases by
    adding and udevadm settle before rename.
  * debian/cryptdisks.functions: add UUID & LABEL support to do_start.
  * debian/copyright: really fix lintian warning.
  * debian/rules: also include upstart files in debian.

 -- Jonas Meurer <email address hidden>  Fri, 08 Jun 2012 13:42:51 +0200
Superseded in wheezy-release on 2012-06-18
Superseded in sid-release on 2012-06-11
cryptsetup (2:1.4.1-3) unstable; urgency=low


  [ Jonas Meurer ]
  * finally add back support for configuration of custom rootfs-devices through
    the boot parameter 'root' to initramfs cryptroot script. Thanks a lot to
    August Martin for the bugreport as well as continuously debugging and
    providing patches. (closes: #546610)
  * use blkid instead of fstype to detect the content of devices in initramfs
    cryptroot script. Unfortunately fstype doesn't recognize md-raid devices,
    which leads to errors with encrypted devices on top of software raid.
  * check whether $NEWROOT already exists before actually invoking cryptsetup
    in initramfs cryptroot script. (closes: #653241)
  * fix conditions for prechecks at do_noluks() in cryptdisks.functions. Should
    prevent data loss with encrypted swap in most cases. (closes: #652497)
  * change default value for tmpfs and examples from ext2 to ext4.
  * minor code cleanup.
  * update debconf translations:
    - russian, thanks to Yuri Kozlov. (closes: #661303)
    - spanish, thanks to Camaleón. (closes: #661316)

  [ Jean-Louis Dupond ]
  * fix watch file.
  * always add aesni module to initramfs if we have hardware aes support.
    (closes: #639832).
  * debian/copyright: fix lintain warning.
  * add upstart scripts for ubuntu.
  * silent warnings on kernels without kernel/{arch,crypto}.
  * add crypttab_start_one_disk in function script to handle udev startup
    in ubuntu.
  * bump standards-version to 3.9.3, no changes needed.

 -- Jonas Meurer <email address hidden>  Wed, 11 Apr 2012 23:55:35 +0200
Superseded in wheezy-release on 2012-04-22
Superseded in sid-release on 2012-04-12
cryptsetup (2:1.4.1-2) unstable; urgency=low


  * acknowledge NMU. Thanks to Michael Biebl. (closes: #659182)
  * don't print error for non-encrypted rootfs in initramfs cryptroot hook.
    Thanks to Jamie Heilman and Christoph Anton Mitterer for bugreports.
    (closes: #659087, #659106)
  * use dmsetup splitname to extract VG name from $node in initramfs cryptroot
    hook. Thanks to Kai Weber for the bugreport, Milan Broz and Claudio
    Imbrenda for suggestions and patches. (closes: #659235)

 -- Jonas Meurer <email address hidden>  Sun, 12 Feb 2012 15:51:11 +0100
Superseded in sid-release on 2012-02-13
cryptsetup (2:1.4.1-1) unstable; urgency=low


  * new upstream release (1.4.0 + 1.4.1) (closes: #647851)
    - fixes typo in german translation. (closes: #645528)
    - remove patches, all incorporated upstream.
    - soname bump, rename library package to libcryptsetup4
  * check for busybox in initramfs cryptroot hook, and install the sed binary
    in case it's either not installed or not activated. (closes: #591853)
  * add checks for 'type $KEYSCRIPT' to initscripts cryptdisks.functions, and
    to cryptroot initramfs script/hook. this adds support for keyscripts inside
    $PATH. thanks to Ian Jackson for the suggestion. (closes: #597583)
  * use argument '--sysinit' for vgchange in cryptroot initramfs script. Thanks
    to Christoph Anton Mitterer for the suggestion.
  * add option for discard/trim features to crypttab and initramfs scripts.
    Thanks to intrigeri and Peter Colberg for patches. (closes: #648868)
  * print $target on error in initramfs hook. Thanks to Daniel Hahler for the
    bugreport. (closes: #648192)
  * add a warning about using decrypt_derived keyscript for devices with
    persistent data. Thanks to Arno Wagner for pointing this out.
  * remove quotes from resume device candidates at get_resume_devs() in
    initramfs hook script. Thanks to Johannes Rohr. (closes: #634017)
  * support custom $TABFILE, thanks to Douglas Huff. (closes: #638317)
  * fix get_lvm_deps() in initramfs cryptroot hook to add all physical volumes
    of lvm volume group that contains the rootfs logical volume, even if the
    rootfs is lv is not spread over all physical volumes. Thanks to Christian
    Pernegger for bugreport and patch. (closes: #634109)
  * debian/initramfs/cryptroot-script: Move check for maximum number of tries
    behind the while loop, to make the warning appear in case that maximum
    number of tries is reached. Thanks to Chistian Lamparter for bugreport and
    patch. (closes: #646083)
  * incorporate changes to package descriptions and debconf templates that
    suggested by debian-l10n-english people. Special thanks go to Justin B Rye.
  * acknowledge NMU, thanks a lot to Christian Perrier for his great work on
    the i18n front. (closes: #633105, #641719, #641839, #641947, #642470,
    #640056, #642540, #643633, #643962, #644853)
  * add and update debconf translations:
    - italian, thanks to Milo Casagrande, Francesca Ciceri. (closes: #656933)
    - german, thanks to Erik Pfannenstein. (closes: #642147)
    - spanish, thanks to Camaleón. (closes: #658360)
    - russian, thanks to Yuri Kuzlov (closes: #654676)
  * set architecture to linux-any, depends on linux kernel anyway. Thanks to
    Christoph Egger. (closes: #638257)
  * small updates to the copyright file.
  * add targets build-indep and build-arch to debian/rules, thanks to lintian.

 -- Jonas Meurer <email address hidden>  Sun, 05 Feb 2012 03:17:59 +0100
Superseded in wheezy-release on 2012-03-05
Superseded in sid-release on 2012-03-04
cryptsetup (2:1.3.0-3.1) unstable; urgency=low


  * Non-maintainer upload.
  * Fix pending l10n issues. Debconf translations:
    - French (Julien Patriarca).  Closes: #633105
    - Vietnamese (Hung Tran).  Closes: #641719
    - Portuguese (Miguel Figueiredo).  Closes: #641839
    - Russian (Yuri Kozlov).  Closes: #641947
    - Swedish (Martin Bagge / brother).  Closes: #642470,#640056
    - Czech (Michal Simunek).  Closes: #642540
    - Dutch; (Jeroen Schot).  Closes: #643633
    - Spanish; (Camaleón).  Closes: #643962
    - Danish (Joe Hansen).  Closes: #644853

 -- Christian Perrier <email address hidden>  Sun, 25 Dec 2011 19:00:24 +0100
Superseded in wheezy-release on 2012-01-12
Superseded in sid-release on 2012-01-02
cryptsetup (2:1.3.0-3) unstable; urgency=low
  * drop the loopback magick from cryptdisks scripts. Mario 'Bitkoenig' Holbe    pointed out, that auto-destruction support was added to the loopback driver    with kernel 2.6.25. Given, that even lenny has a more recent kernel,    support for kernels < 2.6.25 is not required any more. (closes: #626458)  * add debconf question 'prerm/active-mappings' with priority high to prerm    maintainer script. will warn about active dm-crypt mappings before the    package is removed/purged. (closes: #626641)  * add lintian-override for 'cryptsetup: no-debconf-config', as the debconf    question in prerm doesn't require a debconf config script.  * add debian/patches/03_create_fix_keyfile.patch. (closes: #626738) -- Jonas Meurer <email address hidden>  Thu, 19 May 2011 20:50:08 +0200

Available diffs

Superseded in sid-release on 2011-09-20
cryptsetup (2:1.3.0-2) unstable; urgency=low
  * fix changelog of 2:1.3.0-1 release, thanks to Thorsten Glaser for the hint -- Jonas Meurer <email address hidden>  Thu, 12 May 2011 03:06:46 +0200
Superseded in sid-release on 2011-09-20
cryptsetup (2:1.3.0-1) unstable; urgency=low
  * NOT RELEASED YET  * new upstream release    - automatically allocates loopback device for container files. update the      cryptdisks functions to only setup loopback device for kernel < 2.6.35.      otherwise, let cryptsetup do the magic itself. *****TODO: TESTING*****    - introduces maximum default keyfile size, see --help for value. manually      set the keyfile size with --keyfile-size in order to overwrite the limit.    - adds luksChangeKey command for changing passphrase/keyfile in one step    - adds loopAES compatibility command loopaesOpen    - remove d/patches/01_luksAddKey_return_code.patch, incorporated upstream  * add gettext support to luksformat script. Thanks to intrigeri for initial    patch, and adduser sources for implementation ideas. (closes: #558405)  * fix KEYSCRIPT checks in cryptdisks.functions for empty values.  * update REAMDE.gnupg and initramfs cryptgnupg hook script:    - warn about keys being copied to initramfs.    - fix the documentation to provide working examples.  * update README.Debian and related documentation:    - add a section about the 'special' keyscripts askpass and passdev      (closes: #601314)    - update several sections, remove reference to lenny  * add debian/patches/01_create_fix_size.patch, to fix a regression in 1.2.0    where the size argument was ignored for create command (closes: #624828)  * add debian/patches/02_manpage.patch, escapes minus signs in manpage  * remove usplash support from cryptroot initramfs script, askpass and    keyscripts, add plymouth support to keyscripts. (closes: #620923)  * ignore options like cipher, hash, size, etc. for luks commands in    cryptdisks. mention this in the crypttab manpage. (closes: #619249)  * again check for existance of /lib/cryptsetup/cryptdisks.functions before    sourcing it in cryptdisks(-early).init. required if cryptsetup is removed    but not purged, where initscripts are still around. (closes: #625468)  * bump standards-version to 3.9.2, no changes needed.  * debian/libcryptsetup1.symbols: update, 1.3.0 adds new function symbols -- Jonas Meurer <email address hidden>  Wed, 11 May 2011 14:45:42 +0200
Published in squeeze-release
cryptsetup (2:1.1.3-4squeeze2) stable-proposed-updates; urgency=low
  * fix changelog for cryptsetup 2:1.1.3-4squeeze1. -- Jonas Meurer <email address hidden>  Thu, 10 Mar 2011 21:45:56 +0100
Superseded in wheezy-release on 2011-09-21
Superseded in sid-release on 2011-09-20
cryptsetup (2:1.2.0-2) unstable; urgency=low
  * upload to unstable.  * fixes a ftbfs due to updated libgpg-error and libgcrypt11 build-    dependencies. (closes: #614530)  * install cryptkeyctl initramfs hook, needed for keyctl keyscript in    initramfs, thanks to Maik Zumstrull (closes: #610750)  * use 'egrep -c' instead of wc in cryptdisks_st* scripts, wc might not be    available as it's located at /usr/bin. Thanks to Mario 'BitKoenig' Holbe    for bugreport and patch. (closes: #611747)  * add debian/patches/01_luksAddKey_return_code.patch, fixes the luksAddKey    return code when the master key is used. (closes: #610366)  * fix luksformat script to invoke usage() with --help. (closes: #612947)  * add a paragraph about known upgrade issues to the crypttab manpage. this    paragraph strongly suggests to configure cipher, hash and keysize for    plain dm-crypt devices. (closes: #612452)  * fix examples in crypttab manpage, cipher, hash and keysize should be    configured for plain dm-crypt devices.  * luksformat: invoke udevadm settle between mkfs.vfat and luksClose, to    prevent possible race conditions. This is a workaround. (closes: #601886)  * update lintian-overrides for new lintian from experimental.  * fix spelling mistake in README.Debian thanks to lintian.  * update short and long description for udebs to mention udeb and    debian-installer. This satisfies lintian.  * fix get_resume_device() in initramfs cryptroot hook script to add source    device for decrypt_derived keyscript in case it's not the root device.    Thanks to Robert Lange and mahashakti89 for bugreport. (closes: #592430) -- Jonas Meurer <email address hidden>  Mon, 07 Mar 2011 23:52:13 +0100
Deleted in experimental-release (Reason: None provided.)
cryptsetup (2:1.2.0-1) experimental; urgency=low
  * new major upstream release (closes: #603804)    - adds text version of FAQ    - adds new options --use-random and --use-urandom for MK generation    - fixes luksRemoveKey to not ask for remaining keyslot passphrase    - no longer supports luksDelKey command (replaced by luksKillSlot)    - no longer supports reload command, dmsetup reload should be used instead    - adds support to change the UUID later (with --uuid cmd option)    - adds --dump-master-key option for luksDump command    - no luksOpen, luksFormat and create for open devices (closes: #600208)    - remove debian/patches/01_manpage.patch, incorporated upstream    - and many more changes, see upstream changelog for further information    - update debian/libcryptsetup1.symbols   * invoke update-initramfs at cryptsetup removal in order to not leave behind    a broken initramfs. thanks to ubuntu for the hint.  * link dynamically against libgcrypt11 and libgpg-error0 now that the    libraries have been moved to /lib. add versioned depends for libcryptsetup1    on (libgcrypt >= 1.4.6-2) and libgpg-error0 (>= 1.10-0.1).  * debian/initramfs/cryptroot-script: prereq 'cryptroot-prepare' added in    order to support cryptroot to depend on custom initramfs scripts. thanks    to Marc Haber for the suggestion. (closes: #601311)  * debian/cryptdisks.functions:    + fix check for ownership and permissions of $key to work with slighly      different output of 'ls -l' with selinux enabled. (closes: #600522)    + fix $TRIES implementation to support TRIES=0 again. (closes: #602501)  * change 'echo -e' to 'printf' in debian/initramfs/cryptroot-script. thanks    to checkbashisms script devscripts for spotting that bashism.  * add a libcryptsetup1-udeb library package for debian-installer in order to    satisfy cryptsetup-udeb dependencies with dynamically linked binary.    Version the build-depends on libgcrypt11-dev to (>= 1.4.6-3), to satisfy    udeb library dependencies.  * change 'XC-Package-Type: udeb' to 'Package-Type: udeb' in debian/control  * add debian/cryptsetup.apport from Ubuntu, install only for dist=Ubuntu.    build-depends on dpkg-dev (>= 1.15.1) is required for this to work. -- Jonas Meurer <email address hidden>  Sun, 16 Jan 2011 01:01:03 +0100
Superseded in wheezy-release on 2011-09-21
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
cryptsetup (2:1.1.3-4) unstable; urgency=high


  * bump standards-version to 3.9.1, no changes required
  * add patches/01_manpage_units: mention units (512b sectors) for -o option
    in man page. (closes: #584174)
  * move cryptdisks_st* scripts from /usr/sbin to /sbin, add symlinks for
    compatibility reasons. thanks to Mario 'BitKoenig' Holbe. (closes: #589800)
  * add decrypt_keyctl keyscript and initramfs hook from Michael Gebetsroither,
    which supports to cache a passphrase for later use. (closes: #563961)
  * invoke /sbin/lvm with full path in cryptroot initramfs script. thanks to
    Bernd Zeimetz. (closes: #597648)
  * print out a warning at initramfs cryptroot hook in case that detection of
    canonical device failed. (closes: #594092)
  * add manpage fixes, thanks to Stephen Gildea for patch. (closes: #598237)
  * fix depreciated ext2 wrapper checkscript to succeed for ext2, ext3, ext4
    and ext4dev filesystems. (closes: #595331)
  * again remove duplicates from debian/NEWS.
  * truncate trailing spaces for some variables at initramfs cryptroot hook.
  * remove volume group -guessing magic from initramfs scripts and hooks,
    instead activate all available lvm volume groups. thanks to Christoph
    Anton Mitterer for the suggestion. (closes: #554506, #591626)
  * remove /etc/bash_completion.d from debian/cryptsetup.dirs
  * set urgency=high as this upload fixes two release-critical bugs.

 -- Jonas Meurer <email address hidden>  Thu, 04 Nov 2010 20:36:45 +0100
Superseded in squeeze-release on 2011-09-13
Superseded in sid-release on 2011-09-20
cryptsetup (2:1.1.3-3) unstable; urgency=low


  * fix usage of new variable $DEFAULT_LOUD, and some cosmetical changes.
    thanks to Mario 'BitKoenig' Holbe. (closes: #589029)

 -- Jonas Meurer <email address hidden>  Thu, 22 Jul 2010 12:56:01 +0200
175 of 90 results