Changelog
cryptsetup (2:1.7.2-1) unstable; urgency=medium
[ Jonas Meurer ]
* new upstream release 1.7.2. Highlights include:
- code now uses kernel crypto API backend according to new changes
introduced in mainline kernel. (in 1.7.1)
- cryptsetup now allows special "-" (standard input) keyfile handling
even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices. (in 1.7.1)
- Support activation options for error handling modes in Linux kernel
dm-verity module. (in 1.7.2)
* debian/cryptdisks.functions: use '--key-file=-' again with the tcrypt
extension, now that upstream issue #269 is fixed.
* migrate the packaging repository from SVN to Git:
- debian/control: Update Vcs-* fields to point to the new git repository.
- debian/README.source: document new repository structure and release
handling.
* debian/README.Debian, debian/NEWS: minor typo fixes.
* debian/rules: run pod2man --release="$(DEB_VERSION). (Closes: #839352)
[ Guilhem Moulin ]
* debian/control: add self to uploaders.
* debian/cryptdisks.functions: when iterating through the crypttab, don't
abort after the first disk that fails to be closed. Regression introduced
2:1.7.0-1 when the filed is sourced under 'set -e'.
* debian/cryptdisks.functions: stop using `seq` since cryptsetup doesn't
depend on busybox. Instead, try again after 1, 2, 4, 8 and 16s when an
encrypted disk cannot be closed. (Closes: #811456)
* debian/cryptsetup.maintscript: add a "rm_conffile" directive to remove
conffile /etc/bash_completion.d/cryptdisks, obsolete since 2:1.7.0-1.
(Closes: #810227)
* debian/README.initramfs: fix typo s/initramfs-update/update-initramfs/.
Thanks, Stuart Prescott. (Closes: #827263)
* debian/rules: Add 'hardening=+pie' to DEB_BUILD_MAINT_OPTIONS to compile
ELF executables as PIEs.
* debian/control: Bump Standards-Version to 3.9.8 (no changes necessary).
* debian/cryptsetup.lintian-overrides: Remove unused lintian override
init.d-script-does-not-source-init-functions.
* Use /etc/crytsetup-initramfs/conf-hook for initramfs hook script
configuration. For backward compatibility setting CRYPTSETUP and
KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf is still supported
for now, but causes the hook to print a warning.
This is done following the initramfs-tools maintainers' request (see
#807527) that hook and boot script configuration files be stored outside
the /etc/initramfs-tools directory. (Closes: #783393)
* Print a warning when private key material is to be included in the
initramfs image (ie, if $KEYFILE_PATTERN is not empty), and the image is
created with a permissive mode.
* Add Indonesian debconf templates translation. Thanks, Izharul Haq for the
patch. (Closes: #835158)
* debian/initramfs/cryptroot-hook: Avoid leading space in $rootdevs,
$resumedevs, etc.
* Support unlocking devices at initramfs stage using a key file stored on
the encrypted root FS. Note however that resume devices won't be unlocked
this way since the resume boot script is currently run before mounting the
root FS. (Closes: #776409)
* debian/initramfs/cryptroot-hook: Avoid undesired effects for target or
device names containing non-alphanumeric characters such as "." or "-":
+ replace `grep "^$x\b"` by `awk -vx="$x" '$1==x {print}'`; and
+ replace `echo "$x"` by printf '%s' "$x" when the argument might start
with a dash.
* debian/initramfs/cryptroot-{hook,script}, debian/cryptdisks.functions:
ensure slash characters "/" from device labels are escaped when
constructing symlinks under /dev/disk/by-label.
* debian/scripts/decrypt_gnupg:
+ Remove --no-mdc-warning to display a warning if the MDC integrity
protection is missing.
+ Replace "GnuPG key" by "gpg-encrypted key" in messages and
documentation.
* debian/initramfs/cryptgnupg-hook: Add support for multiple devices
encrypted using a gpg-encrypted key.
* debian/README.gnupg: Indicate that not the only the gpg-encrypted key for
the root FS is copied onto the initramfs, but also the ones for all
devices that need to be unlocked at initramfs stage.
* debian/initramfs/cryptroot-hook: Fix bug for device label starting with
"UUID=".
[ Helmut Grohne ]
* libcryptsetup-dev: move the .pc file to a multiarch location such that
cross-pkg-config can find it. (closes: #811545)
* Fix FTCBFS: Use host arch compiler for askpass as well. (closes: #811559)
-- Jonas Meurer <email address hidden> Wed, 05 Oct 2016 20:53:09 +0200