summaryrefslogtreecommitdiffstats
path: root/debian/changelog
diff options
context:
space:
mode:
Diffstat (limited to 'debian/changelog')
-rw-r--r--debian/changelog2876
1 files changed, 2876 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..5f83d63
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,2876 @@
+cryptsetup (2:2.1.0-5+deb10u2) buster; urgency=medium
+
+ * Cherry pick upstream commit 8f8f0b32: Fix mapped segments overflow on
+ 32bit architectures. Regression since 2:2.1.0-1. (Closes: #935702)
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 26 Aug 2019 14:54:10 +0200
+
+cryptsetup (2:2.1.0-5+deb10u1) buster; urgency=high
+
+ * Backport upstream commits c03e3fe8, 725720df and fe4e1de5 to fix support
+ for LUKS2 headers without any bound keyslot. Adding a new key slot using
+ the volume key was failing, both via the crypt_keyslot_add_by_volume_key()
+ API call and with `luksAddKey --master-key`. The former in particular
+ might yield data loss if, in order to change a passphrase, an application
+ destroys the keyslot before adding a new one (using the volume key), cf.
+ #928893. Note that doing so is *unsafe*: applications should instead use
+ crypt_keyslot_change_by_passphrase() from libcryptsetup >=1.6.0.
+ Trying to open LUKS2 volume by supplying the volume key on the command
+ line was also failing if there were no bound keyslot on the header.
+ (Closes: #934715)
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 16 Aug 2019 19:18:10 +0200
+
+cryptsetup (2:2.1.0-5) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * debian/README.*: Fix markdown formatting issues
+ * Copy https://wiki.debian.org/CryptsetupDebug to debian/README.debug
+
+ [ Guilhem Moulin ]
+ * d/README.Debian: New section "Unlocking LUKS devices from GRUB" pointing
+ to https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html .
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 10 Jun 2019 14:51:15 +0200
+
+cryptsetup (2:2.1.0-4) unstable; urgency=medium
+
+ [Guilhem Moulin]
+ * d/initramfs/hooks/cryptroot: Always add userspace crypto module
+ ('algif_skcipher' kernel module) to the initramfs. This module is
+ required for required for opening LUKS2 devices, and since 2:2.0.2-2 it's
+ added to large initramfs (i.e., when the MODULES variable isn't set to
+ "dep"). It's now added regardless of the value of $MODULES, as 1/ LUKS2
+ is the default LUKS header format version; and 2/ we can't check at
+ initramfs creation time whether there are LUKS2 devices to be opened at
+ early boot stage (detached headers might not be present then).
+ Closes: #929616.
+
+ [Jonathan Dowland]
+ * Update package descriptions to reflect the move of luksformat from
+ cryptsetup-bin to cryptsetup-run. Closes: #928751.
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 28 May 2019 17:04:16 +0200
+
+cryptsetup (2:2.1.0-3) unstable; urgency=medium
+
+ * d/scripts/decrypt_opensc: Fix standard output poisoning. Thanks to Nils
+ Mueller for the report and patch. (Closes: #926573.)
+ * d/initramfs/hooks/cryptopensc: Ensure that libpcsclite.so is copied to the
+ initramfs on non-usrmerge systems. (Closes: #928263.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 30 Apr 2019 21:20:47 +0200
+
+cryptsetup (2:2.1.0-2) unstable; urgency=medium
+
+ * debian/copyright:
+ + Update copyright years.
+ + Add OpenSSL linking exception, in accordance with upstream's "COPYING"
+ and "COPYING.LGPL" files. Since 2:2.1.0-1 the cryptsetup binaries and
+ library are linked against libssl, which is the new upstream default
+ backend for LUKS header processing.
+ * debian/askpass.c: in the console backend, clear stdin's end-of-file
+ indicator before calling getline() again. Thanks to Ken Milmore for the
+ detailed report and patch. (Closes: #921906.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 28 Feb 2019 22:32:43 +0100
+
+cryptsetup (2:2.1.0-1) unstable; urgency=medium
+
+ * New upstream release. Highlights include:
+ - The on-disk LUKS format version now defaults to LUKS2 (use `luksFormat
+ --type luks1` to use LUKS1 format). Closes: #919725.
+ - The cryptographic backend used for LUKS header processing is now libssl
+ instead of libgcrypt.
+ - LUKS' default key size is now 512 in XTS mode, half of which is used for
+ block encryption. XTS mode uses two internal keys, hence the previous
+ default key size (256) caused AES-128 to be used for block encryption,
+ while users were expecting AES-256.
+
+ [ Guilhem Moulin ]
+ * Add docs/Keyring.txt and docs/LUKS2-locking.txt to
+ /usr/share/doc/cryptsetup-run.
+ * debian/README.Debian: Mention that for non-persistent encrypted swap one
+ should also disable the resume device.
+ * debian/README.initramfs: Mention that keyscript=decrypt_derived normally
+ won't work with LUKS2 sources. (The volume key of LUKS2 devices is by
+ default offloaded to the kernel keyring service, hence not readable by
+ userspace.) Since 2:2.0.3-5 the keyscript loudly fails on such sources.
+ * decrypt_keyctl keyscript: Always use our askpass binary for password
+ prompt (fail instead of falling back to using stty or `read -s` if askpass
+ is not available). askpass and decrypt_keyctl are both shipped in our
+ 'cryptsetup-run' and 'cryptsetup-udeb' binary packages, and the cryptsetup
+ and askpass binaries are added together to the initramfs image.
+ * decrypt_keyctl: Document the identifier used in the user keyring:
+ "cryptsetup:$CRYPTTAB_KEY", or merely "cryptsetup" if "$CRYPTTAB_KEY" is
+ empty or "none". The latter improves compatibility with gdm and
+ systemd-ask-password(1).
+ * debian/*: run wrap-and-sort(1).
+ * debian/doc/crypttab.xml: mention `cryptsetup refresh` and the `--persistent`
+ option flag.
+ * debian/control: Bump Standards-Version to 4.3.0 (no changes necessary).
+
+ [ Jonas Meurer ]
+ * Update docs about 'discard' option: Mention in manpage, that it's enabled
+ per default by Debian Installer. Give advice to add it to new devices in
+ /etc/crypttab and add it to crypttab example entries in the docs.
+
+ -- Guilhem Moulin <guilhem@debian.org> Sat, 09 Feb 2019 00:40:17 +0100
+
+cryptsetup (2:2.0.6-1) unstable; urgency=medium
+
+ * New upstream bugfix release. Highlights include:
+ - Fix support of larger metadata areas in LUKS2 header.
+ - Fix checking of device size alignment and hash & AEAD algorithms to
+ avoid formatting devices that later cannot be activated.
+ - Fix cryptsetup-reencrypt interrupt handling.
+ - Allow Adiantum cipher construction (require Linux 4.21 or later).
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 03 Dec 2018 20:16:07 +0100
+
+cryptsetup (2:2.0.5-2) unstable; urgency=medium
+
+ * debian/initramfs/hooks/*: Skip call to copy_file() when the target already
+ exists (as the function return value 1 in the case).
+ * OpenPGP Smartcard support, based on work by Peter Lebbing and Erik
+ Nellessen. (Closes: #888916, #903163.)
+ * Move header presence check to crypttab_parse_options() from
+ unlock_mapping(). Having the presence checks in unlock_mapping() caused
+ dummy password prompts in interactive mode when the LUKS header file was
+ missing. Regression since 2:2.0.3-2. (Closes: #914458.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Sat, 24 Nov 2018 18:34:42 +0100
+
+cryptsetup (2:2.0.5-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Remove d/patches/Disable-blockwise-compat-test-as-it-s-FS-dependent.patch
+ as the test suite no longer fails on misaligned I/O in O_DIRECT mode.
+ (Cf. upstream issue #403.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 29 Oct 2018 12:21:00 +0100
+
+cryptsetup (2:2.0.4-3) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * debian/initramfs/hooks/cryptroot:
+ + Make _CRYPTTAB_* variables local to crypttab_find_and_print_entry().
+ (Closes: #907243.)
+ + Silence the warning that honoring CRYPTSETUP="[y|n]" in the config is
+ deprecated when the variable is set to "y". (Keep the warning when it's
+ set to "n" though.) Closes: #908220.
+ * debian/functions: Make get_crypt_type() set variable CRYPTTAB_TYPE to the
+ type of crypt device ("luks" / "plain" / "tcrypt").
+ * debian/initramfs/scripts/local-top/cryptroot: Don't complain that
+ (successful) unlocking of a LUKS device doesn't yield a known file system.
+ The check is preserved for plain dm-crypt devices and tcrypt devices.
+ (Closes: #906283.)
+ * debian/control: Bump Standards-Version to 4.2.1 (no changes necessary).
+ * debian/doc/crypttab.xml: Improve formatting.
+ * debian/cryptsetup-run.lintian-overrides: Remove unused override
+ init.d-script-possible-missing-stop (x2).
+ * debian/libcryptsetup12.symbols: Add "Build-Depends-Package:
+ libcryptsetup-dev" field.
+
+ [ Helmut Grohne ]
+ * Fix FTCBFS: Supply $(CC) from dpkg's buildtools.mk. (Closes: #911042)
+
+ [ Dimitri John Ledkov ]
+ * Implement support for `cryptsetup --sector-size` in crypttab(5).
+ LP: #1776626.
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 22 Oct 2018 17:45:35 +0200
+
+cryptsetup (2:2.0.4-2) unstable; urgency=medium
+
+ * debian/cryptsetup-initramfs.preinst: Don't try to overwrite
+ /etc/cryptsetup-initramfs/conf-hook if that file doesn't exist. (The fix
+ for #905188 broke 2:2.0.4-1's instability on sid.) Closes: #905514.
+ * debian/control: Bump Standards-Version to 4.2.0 (no changes necessary).
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 07 Aug 2018 17:25:30 +0200
+
+cryptsetup (2:2.0.4-1) unstable; urgency=medium
+
+ * New upstream release. Add 'libblkid-dev' to Build-Depends since
+ libcryptsetup and utilities are now linked to libblkid.
+ * debian/cryptsetup-initramfs.preinst: Improve conffile ownership transfer
+ from 'cryptsetup' to 'cryptsetup-initramfs' to comply with Policy §10.7.3.
+ (Closes: #905188.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Sun, 05 Aug 2018 04:59:10 +0800
+
+cryptsetup (2:2.0.3-7) unstable; urgency=medium
+
+ * debian/scripts/gen-ssl-key: avoid storing temporary key file on disk.
+ * debian/initramfs/*, debian/scripts/*: improve quoting.
+ * debian/initramfs/cryptroot-unlock: Normalize paths before comparison.
+ This fixes usage on initramfs images with an usrmerge layout, such as
+ images made by mkinitramfs(8) from initramfs-tools-core 0.132. (Closes:
+ #904926.)
+ * debian/functions: crypttab_find_entry(), crypttab_foreach_entry(): return
+ gracefully if $TABFILE doesn't exist.
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 30 Jul 2018 16:32:07 +0800
+
+cryptsetup (2:2.0.3-6) unstable; urgency=medium
+
+ * debian/TODO.md: Remove mention of parent device detection for mdadm
+ (#629236) as it's fixed since 2:2.0.3-2.
+ * debian/README.gnupg, debian/TODO.md, debian/doc/crypttab.xml: minor typo
+ fixes.
+ * debian/rules, debian/patches/disable-internal-tests.patch: Remove patch to
+ add configure flag '--disable-internal-tests'. The internal test suite is
+ run by dh_auto_test(1), and it is skipped if DEB_BUILD_OPTIONS environment
+ variable contains the string "nocheck".
+ * debian/cryptdisks-functions, debian/initramfs/scripts/local-top/cryptroot:
+ When the 2nd column of a crypttab entry denodes a block special device,
+ resolve the device but don't convert it to /dev/block/$major:$minor.
+ (Closes: #903246.)
+ * debian/initramfs/hooks/cryptroot:
+ + Treat null device numbers as invalid in resolve_device(), cf.
+ /Documentation/admin-guide/devices.txt in the kernel source tree.
+ + generate_initrd_crypttab(): add '\n' to the local IFS since
+ get_resume_devno() prints one major:minor pair per line.
+ * debian/initramfs/scripts/local-{top,bottom}/cryptopensc:
+ + Save process ID of the pcscd daemon at local-top stage, and kill it at
+ local-bottom stage. Thanks to Pascal Vibet for the patch.
+ (Closes: #903574.)
+ + Fix path to the pcscd executable (the fix for #880750 was incomplete).
+ * debian/README.opensc: Remove mention of 'README.openct.gz' as it's gone
+ since 2:2.0.3-2.
+ * debian/scripts/decrypt_opensc: Fix plymouth prompt message (use
+ $CRYPTTAB_NAME not $crypttarget).
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 13 Jul 2018 22:10:43 +0200
+
+cryptsetup (2:2.0.3-5) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * debian/askpass.c, debian/scripts/passdev.c, debian/rules:
+ + Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
+ + Drop c99 std, as the default is now higher than that
+ * debian/control:
+ + Drop explicit dependencies on libgcrypt20 and libgpg-error0 from
+ libcryptsetup12. They're pulled in by ${shlibs:Depends} automatically.
+
+ [ Guilhem Moulin ]
+ * debian/initramfs/cryptroot-unlock: Keep looping forever (as long as the
+ disk is locked) if the CRYPTTAB_OPTION_tries variable is set to 0, cf.
+ crypttab(5).
+ * debian/doc/crypttab.xml: Clarify that the 'readonly' flag sets up a
+ read-only mapping. Cf. `cryptsetup --readonly`.
+ * debian/initramfs/hooks/cryptroot:
+ + Fix generation of initrd crypttab(5) with `update-initramfs -u -v` for
+ key files matching $KEYFILE_PATTERN, or when a 'keyscript' is specified
+ in the crypttab options. Regression since 2:2.0.3-2. (Closes: #902733.)
+ + Avoid processing entries multiple times in get_crypttab_entry(), which
+ could happen with 'keyscript=decrypt_derived' for instance.
+ + Don't complain that the sysfs dir can't be found when the hook failed to
+ normalize the device (another warning is shown already).
+ + If source device is mapped (for instance if it's a logical volume), put
+ its dm name into the initrd crypttab. LVM2's local-block script doesn't
+ work with UUIDs, and giving it a VG+LV is better anyway as we avoid to
+ activate all volumes at initramfs stage. (Closes: #902943.)
+ * debian/initramfs/conf-hook: Clarify that if KEYFILE_PATTERN if null or
+ unset then no key file is copied.
+ * debian/initramfs/*, debian/functions, debian/cryptdisks-functions:
+ + Use major:minor device IDs internally, as this facilitate discovery of
+ sysfs directories, and we don't have to take care of the udev mangling.
+ + Decode octal sequences when reading /etc/crypttab or /etc/fstab. This
+ means that key files and option values can contain blanks and special
+ characters encoded as octal sequences.
+ + Refactor crypttab(5) parsing logic, to avoid duplication of boilerplate
+ code.
+ * debian/functions: If the key file is a symlink, warn about insecure
+ permissions of the target, not the link itself.
+ * debian/scripts/decrypt_derived: For devices with keys in the kernel
+ keyring (e.g., LUKS2 by default), refuse to derive anything.
+ * debian/patches/disable-internal-tests.patch: Add configure option
+ '--disable-internal-tests' to disable the internal test suite.
+ * debian/rules: Don't run upstream's internal test suite if
+ $DEB_BUILD_OPTIONS contains the string "skip-internal-tests". (Tests are
+ still run by default.)
+ * debian/cryptdisks-functions: Restore support for crypttab(5) entries with
+ regular files as source device. Regression since 2:2.0.3-2.
+ (Closes: #902879.)
+ * debian/control: Bump Standards-Version to 4.1.5 (no changes necessary).
+
+ -- Guilhem Moulin <guilhem@debian.org> Sat, 07 Jul 2018 01:47:57 +0200
+
+cryptsetup (2:2.0.3-4) unstable; urgency=low
+
+ * debian/initramfs/hooks/cryptroot:
+ + Fix typo in warning message. (Closes: #901971.)
+ + sysfs_devdir(): don't croak when the normalized device pathname isn't of
+ the form /dev/$blk. This is the case in the Debian installer, where the
+ devtmpfs pseudo-filesystem exposes /dev/mapper/$name as a block device
+ instead of a symlink to /dev/dm-$index.
+ + sysfs_devdir(): return /sys/dev/block/$maj:$min (a symlink pointing the
+ sysfs directory corresponding to the device) rather than /sys/block/$blk.
+ While the latter is present for mapped devices, it's not present for
+ block devices corresponding to disk partitions. See sysfs(5) for
+ details. (Closes: #902183.)
+ + get_crypttab_entry(): skip (harmless) warning if blkid_tag() fails to
+ get the UUID of a dm-crypt device's slave (it's normal with plain
+ dm-crypt devices).
+ + get_crypttab_entry(): don't warn that key file doesn't exist if it's
+ e.g., an existing character special device.
+ * debian/functions:unlock_mapping(): translate crypttab(5) option
+ 'size=<size>' to `cryptsetup --key-size=<size>`, not `--size` (which
+ doesn't set the key size but the size of the device in number of 512 byte
+ sectors). Regression since 2:2.0.3-2. (Closes: #902245.)
+ * debian/initramfs/scripts/local-top/cryptroot, debian/cryptdisks-functions,
+ debian/initramfs/cryptroot-unlock: Fix off-by-one unlock count. Some
+ keyscripts (such as decrypt_keyctl) don't work properly if on first try
+ the CRYPTTAB_TRIED environment variable isn't set to 0. Regression since
+ 2:2.0.3-2. (Closes: #902116.)
+ * debian/scripts/decrypt_keyctl: replace the source device path with the
+ mapped device name in messages, to match the new askpass behavior.
+
+ -- Guilhem Moulin <guilhem@debian.org> Sun, 24 Jun 2018 22:48:41 +0200
+
+cryptsetup (2:2.0.3-3) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * debian/*: run wrap-and-sort(1)
+ * debian/control:
+ + Add Conflicts and Breaks on 'cryptsetup-bin (<< 2:2.0.3-2)' to
+ cryptsetup-run. Needed since we moved luksformat between the
+ packages. (Closes: #901773)
+ + Remove all traces of package 'cryptsetup-luks' from dependency
+ headers. This package has never been part of an official Debian
+ release and the time it existed is more than 12 years ago.
+ + Remove Conflicts/Breaks headers from the split of cryptsetup into
+ cryptsetup/cryptsetup-bin in release 2:1.4.1-3. The conflicting
+ version is from Debian Wheezy, which means that there's three
+ releases in between. We don't support dist-upgrades with skipped
+ releases anyway.
+ + Remove obsolete 'Breaks: hashalot (<< 0.3-2)' from cryptsetup-run.
+ + Remove versioned depends of libcryptsetup12 on libgcrypt20 and
+ libgpg-error0. Both versions are satisfied since more than three
+ releases.
+ + Remove versioned build-depends on docbook-xsl, dpkg-dev,
+ libdevmapper-dev, libgcrypt20-dev and libtool. All versions are
+ satisfied since more than three releases.
+ * debian/*: Change maintainer contact address to @alioth-lists.debian.net.
+
+ [ Guilhem Moulin ]
+ * debian/control: Replace 2:2.0.2-2 with 2:2.0.3-1 in Breaks/Replaces/Depends
+ fields. (2:2.0.2-2 was never released, the version we released after the
+ package split was 2:2.0.3-1.)
+ * debian/initramfs/cryptroot-script: exit immediately when
+ /lib/cryptsetup/functions is not present. (Closes: #901830.)
+ * debian/cryptsetup-run.prerm: use `dmsetup table --target crypt` to avoid
+ manually excluding mapped devices using another subsystem.
+ * d/initramfs/hooks/cryptroot:
+ + Fix parser for cipher specifications in mapping table of crypt targets.
+ In particular, the cipher mode wasn't parsed properly, potentially
+ causing missing modules in initrd.img compiled with MODULES=dep.
+ Regression introduced in 2:2.0.3-2. (Closes: #901884.)
+ + Print a warning when the mapping table specifies the cipher in kernel
+ crypto API format ("capi:" prefix). We don't support these yet.
+
+ -- Guilhem Moulin <guilhem@debian.org> Wed, 20 Jun 2018 17:22:36 +0200
+
+cryptsetup (2:2.0.3-2) unstable; urgency=medium
+
+ The "nights are long in summer" cryptsetup sprint release :-)
+
+ Guilhem and Jonas hacked together for three days (and nights), refactored
+ almost all of the cryptsetup packages, squashed (at least) 19 bugs and
+ started work on several new features. Yay!
+
+ [ Guilhem Moulin ]
+ * cryptsetup-initramfs: Demote "Depends: console-setup, kbd" to Recommends:
+ (Closes: #901641.)
+ * debian/initramfs/*-hook: complete refactoring. Common functions are now in
+ /lib/cryptsetup/functions (source-able from shell scripts).
+ (Closes: #784881.)
+ * debian/initramfs/cryptroot-hook:
+ + Use sysfs(5) block (resp. fs) hierarchies to detect slave dm-crypt
+ devices such as LVM2 on top of LUKS (resp. multiple device filesystems
+ such as btrfs). This approach is more robust than parsing the output of
+ `lvs` or `btrfs filesystem`.
+ + Export relevant crypttab(5) snippet (for devices that need to be
+ unlocked at initramfs stage) to the initramfs' /cryptroot/crypttab.
+ + Print a warning inviting the user to uninstall 'cryptsetup-initramfs'
+ if 1/ the CRYPTSETUP configuration option is unset or null (the
+ default), and 2/ the hook didn't detect any device to be unlocked at
+ initramfs stage. The benefit is two-fold: it guides users through the
+ package split, and warns them that their system might not reboot if the
+ hook script didn't work properly.
+ * Remove the 'decrypt_openct' keyscript since openct was last seen in
+ oldoldstable, cf. #760258 (ROM).
+ * debian/initramfs/cryptroot-script: refactoring, using functions from
+ /lib/cryptsetup/functions. (Closes: #720952, #826124.)
+ + One can disable the cryptsetup initramfs scripts for a particular boot
+ by passing "cryptopts=" as kernel boot argument. (Closes: #873840.)
+ + No longer sleep for a full minute after exceeding the maximum number of
+ unlocking tries. (This was added in 2:1.7.3-2 as an attempt to mitigate
+ CVE-2016-4484.) Instead, the script sleeps for 1 second after each failed
+ attempt in order to defeat online brute-force attacks. (Closes: #898495.)
+ * debian/README.initramfs: Remove mention that the initramfs scripts and the
+ crypsetup binary are using a different hash algorithm for plain dm-crypt
+ volumes. This is no longer true since 2:1.0.6~pre1+svn45-1, cf. #406317.
+ * debian/cryptdisks.functions:
+ + Refactoring, using functions from /lib/cryptsetup/functions.
+ (Closes: #859953, #891219.)
+ + Install to /lib/cryptsetup/cryptdisks-functions.
+ * crypttab(5):
+ + Remove support for the 'precheck' option. The precheck for LUKS devices
+ is still hardcoded to `cryptsetup isLuks`; the script refuses to unlock
+ non-LUKS devices (plain dm-crypt and tcrypt devices) containing a known
+ filesystem (other that swap).
+ + Don't ignore the 'plain' option: disable auto-detection and treat the
+ device as a plain dm-crypt device. (Closes: #886007.)
+ + Add support for some option aliases to unify with systemd's crypttab(5)
+ options. Namely, 'read-only' is an alias for 'readonly', 'key-slot=' is
+ an alias for 'keyslot=', 'tcrypt-hidden' is an alias for 'tcrypthidden',
+ and 'tcrypt-veracrypt' is an alias for 'veracrypt'.
+ + Add support for 'keyfile-size=' and 'keyfile-offset=' options.
+ (Closes: #849335.)
+ + Source devices can now be specified using their PARTUUID or PARTLABEL,
+ similar to fstab(5).
+ * debian/scripts/cryptdisks_start: Add support for '-r'/'--readonly' switch
+ to setup readonly mappings. (Closes: #782843.)
+ * debian/scripts/cryptdisks_stop: Add support for closing multiple disks at
+ once. (Closes: #783194.)
+
+ [ Jonas Meurer ]
+ * debian/doc/crypttab.xml:
+ + Add a section about the different crypttab formats of our package and
+ the systemd cryptsetup wrapper.
+ + Document, which options are ignored by the initramfs scripts and which
+ are unsupported by the systemd implementation. (Closes: #714380)
+ + Clarify documentation of option 'tries'. It also applies when using
+ keyscripts, not only with interactive passphrases. (Closes: #826127)
+ + Make it obvious that in case a keyscript is configured, the third option
+ is passed as argument to the keyscript. Mention the optional requirement
+ to quote the value. (Closes: #826122)
+ + Some minor wording improvements.
+ * debian/control, debian/combat: Bump debhelper compatibility level to 11.
+ * debian/rules:
+ + Completely refactor the rules file, adapt to debhelper 11 style.
+ (Closes: #901713)
+ + Run the upstream build-time testsuite thanks to dh_auto_test.
+ + Move the luksformat script from cryptsetup-bin to cryptsetup-run.
+ + Install the bug-script into all packages.
+ + No longer install the sysvinit initscripts into cryptsetup-udeb.
+ + Remove many old build and compile flags, debhelper takes care of most of
+ them nowadays.
+
+ -- Jonas Meurer <jonas@freesources.org> Mon, 18 Jun 2018 02:40:41 +0200
+
+cryptsetup (2:2.0.3-1) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * Split cryptsetup package into cryptsetup-run (init scripts and libraries)
+ and cryptsetup-initramfs (initramfs integration). The 'cryptsetup'
+ package is now a transitional dummy package. (Closes: #783297.)
+ * debian/cryptsetup-run.preinst: remove logic for rm_conffile
+ /etc/udev/rules.d/z60_cryptsetup.rules, which was added for #493151 in
+ 2:1.0.6-5.
+ * debian/cryptdisks.bash_completion: only complete cryptdisks_stop arguments
+ with crypttab(5) targets that already exist, and only complete
+ cryptdisks_start targets with crypttab(5) targets that don't exist yet.
+ (Closes: #827200.)
+ * debian/initramfs/cryptroot-hook:
+ + use copy_file() from hook-functions to copy key files to the initrd.
+ This ensures that relevant messages are printed in verbose mode.
+ (Closes: #898516.)
+ + remove backward compatibility support for setting CRYPTSETUP and
+ KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf. Since 2:1.7.2-1
+ they should be set in /etc/cryptsetup-initramfs/conf-hook.
+ + add 'algif_skcipher' kernel module to large initramfs (if the MODULES
+ variable isn't "dep"). That module is required for unlocking LUKS2
+ devices.
+
+ [ Jonas Meurer ]
+ * New upstream release 2.0.3
+ * debian/control:
+ - Bump standards-version to 4.1.4, no changes required
+ - Change my mail address to 'jonas@freesources.org'
+ - Change Vcs links to the new repository on salsa.debian.org
+ * debian/README.source: minor improvements
+ * debian/doc/crypttab.xml: Fix typo in manpage
+
+ -- Jonas Meurer <jonas@freesources.org> Fri, 15 Jun 2018 15:32:16 +0200
+
+cryptsetup (2:2.0.2-1) unstable; urgency=low
+
+ * New upstream release 2.0.2
+ * debian/initramfs/cryptroot-hook: copy libgcc_s.so.1 to the initrd, as
+ libargon2 (used by LUKS2 devices) uses pthread_cancel. (Closes: #890798.)
+ * debian/initramfs/cryptroot-script: create locking directory at initramfs
+ stage, before running the cryptsetup binary, which would create it
+ automatically but also spew a warning.
+ * debian/patches/Fix-loopaesOpen-for-keyfile-on-standard-input.patch:
+ removed as it was cherry-picked from upstream and included in 2.0.2.
+ * debian/libcryptsetup12.symbols: update with new crypt_token_is_assigned()
+ API function.
+
+ -- Guilhem Moulin <guilhem@debian.org> Sat, 17 Mar 2018 18:03:03 +0100
+
+cryptsetup (2:2.0.1-1) unstable; urgency=low
+
+ * New upstream release 2.0.1:
+ - Use /run/cryptsetup as default for cryptsetup locking dir.
+ - Add missing symbols for new functions to debian/libcryptsetup12.symbols.
+ * debian/copyright: update copyright years.
+ * debian/patches: backport upstream's 8728ba08 to fix opening of loop-AES
+ devices using --key-file=-. (Closes: #888162.)
+ * debian/rules: replace `autoreconf -f -i` with `dh_autoreconf` and add
+ `dh_autoreconf_clean` to the "clean:" target. This bumps the minimum
+ debhelper version to 9.20160403~ in Build-Depends. (Closes: #888742.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Sun, 11 Feb 2018 00:02:05 +0100
+
+cryptsetup (2:2.0.0-1) unstable; urgency=low
+
+ [ Guilhem Moulin ]
+ * cryptsetup-bin: Install /usr/lib/tmpfiles.d/cryptsetup.conf to create the
+ LUKS2 locking directory /run/lock/cryptsetup. For sysVinit, this is taken
+ care of by the cryptdisks-early init file.
+ * Remove debian/patches/Use-system-libargon2.patch (applied upstream).
+ * debian/README.{source,gbp.conf}: Upgrade to latest upstream conventions.
+ * debian/control: Bump Standards-Version to 4.1.3 (remove verbatim copy of
+ CC0-1.0 license from debian/copyright).
+ * debian/rules: Fix symlink target of libcryptsetup.so in libcryptsetup-dev
+ package. Thanks to Alan Fung for the report and patch. (Closes: #885435.)
+ * debian/initramfs/cryptroot-{hook,script}: Add support for 'skip' and
+ 'offset' crypttab(5) options in the initramfs script. Thanks to Pascal
+ Liehne for the report and patch. (Closes: #872342.)
+
+ [ Jonas Meurer ]
+ * debian/initramfs/cryptopensc-*: Install required libs and config files for
+ pcscd and use correct path to pcscd. Thanks to Martijn van de Streek for
+ bugreport and patch. (Closes: #880750)
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 22 Jan 2018 00:25:52 +0100
+
+cryptsetup (2:2.0.0~rc1-1) experimental; urgency=low
+
+ * debian/rules: Compile with --enable-libargon2 to use system libargon2
+ instead of bundled version.
+ * debian/control: Bump Standards-Version to 4.1.1 (no changes necessary).
+ * debian/copyright: Update licensing information.
+
+ -- Guilhem Moulin <guilhem@debian.org> Wed, 01 Nov 2017 17:37:15 +0100
+
+cryptsetup (2:2.0.0~rc0-1) experimental; urgency=low
+
+ * New upstream release 2.0.0 RC0 (closes: #877566). Highlights include:
+ - Support for new on-disk LUKS2 format, offering authenticated disk
+ encrption (EXPERIMENTAL), memory-hard PBKDF (argon2), kernel keyring for
+ storage of key material, and more.
+ - New CLI `integritysetup` which can setup standalone dm-integrity devices.
+ - soname bump of libcryptsetup library.
+ * Rename library package from libcryptsetup4 to libcryptsetup12.
+ * Also remove deprecated upstart configuration files on upgrade and purge.
+ (Closes: #883677)
+ * debian/control: Bump Standards-Version to 4.1.0 (no changes necessary).
+ * debian/*: Apply wrap-and-sort(1).
+ * debian/copyright: Update copyright years.
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 03 Oct 2017 03:37:36 +0200
+
+cryptsetup (2:1.7.5-1) unstable; urgency=low
+
+ * New upstream release 1.7.5.
+ * cryptroot-unlock: When the standard input is a TTY, keep prompting for
+ passphrases until there are no more devices to unlock. (Closes: #866786)
+ * cryptsetup.prerm: Don't try to call `dmsetup table` to list dm-crypt
+ devices when the dm_mod module isn't loaded. (Closes: #870673)
+ * Rename upstream signing key from debian/upstream/signing-key.asc to
+ debian/upstream-signing-key.asc in order to avoid lintian error
+ orig-tarball-missing-upstream-signature" (we use the key to verify
+ signature on upstrem's git tags).
+ * Remove deprecated upstart configuration files: /etc/init/cryptdisks.conf
+ and /etc/init/cryptdisks-udev.conf. Cf. `lintian-info --tags
+ package-installs-deprecated-upstart-configuration`.
+ * debian/cryptsetup.{postinst,postrm}: Don't hard-code path to
+ update-initramfs(1).
+ * debian/rules: Include /usr/share/dpkg/pkg-info.mk to avoid parsing
+ dpkg-parsechangelog(1) output.
+ * debian/control: Bump Standards-Version to 4.0.0 (no changes necessary).
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 14 Sep 2017 13:00:23 +0200
+
+cryptsetup (2:1.7.3-4) unstable; urgency=high
+
+ [ Guilhem Moulin ]
+ * Drop obsolete update-rc.d parameters. Thanks to Michael Biebl for the
+ patch. (Closes: #847620)
+ * debian/copyright: Fix license mismatch (docs/examples/*
+ lib/crypto_backend/* lib/loopaes/* lib/tcrypt/* lib/verity/* python/* are
+ LGPL-2.1+ not GPL-2+). (Closes: #861802)
+ * debian/initramfs/cryptroot-hook: honor RESUME={none,auto} as documented in
+ initramfs.conf(5) by initramfs-tools >=0.129. (Closes: #861074)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 09 May 2017 13:50:59 +0200
+
+cryptsetup (2:1.7.3-3) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * debian/scripts/decrypt_ssl: fix script to actually output the decrypted
+ key. Apparently this script has been broken since June 2008. Doesn't seem
+ like anybody is using it. Thanks to g1 for spotting and reporting the
+ error. (Closes: #844050)
+ * debian/initramfs/cryptroot-script:
+ + limit the sleep after max passphrase attempts to devices for the rootfs.
+ This mitigates the negative impact in case of broken keyscripts etc.
+ + add $crypttarget to each message to provide more context.
+ * debian/initramfs/cryptroot-hook: fix sanity check for key files on root
+ fs in get_device_opts(): detect if processed device is a root (parent)
+ device even for LVM setups. (closes: #842951)
+ * debian/README.initramfs: minor fix to the decrypt_derived keyscript
+ section: now that systemd is standard, 'cryptdisks_start' should be used
+ instead of '/etc/init.d/cryptdisks start'.
+ * debian/manpages/crypttab.xml: add a warning to the 'keyscript' option
+ that systemd doesn't support the option (yet) and mention the possible
+ workaround to process the devices in question in the initramfs.
+
+ [ Guilhem Moulin ]
+ * add debian/gbp.conf to set the upstream tag to "v%(version%.%_)s". As
+ this enables git-buildpackage >= 0.8.7 to automatically generate
+ orig.tar.gz, step nr. 5 is now removed from debian/README.source.
+ * debian/compat: bump debhelper compatibility version to 9.
+ * debian/initramfs/cryptroot-hook:
+ + fix tab damage for consistency with the rest of the code
+ + better warning for deprecated settings
+ + fix sanity check for key files in get_device_opts(): print a warning if
+ the key file isn't on the root FS, or if the root device is not
+ encrypted, even for LVM setups.
+ + fix sanity check for key files in get_device_opts(): print a warning if
+ the processed device is a resume device, even for LVM setups.
+ + fix runtime error in get_lvm_deps() if the first argument is either
+ missing or the empty string.
+ + reset IFS after processing $rootopts in get_device_opts(); the missing
+ linefeed in $IFS caused LVM logical volumes spaning over multiple PVs
+ not to have their parent devices detected correctly.
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 09 Dec 2016 01:18:17 +0100
+
+cryptsetup (2:1.7.3-2) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * debian/README.Debian: update authorized_keys(5) path, incorrect since
+ 2:1.7.2-1, for remote unlocking at initramfs stage using the dropbear SSH
+ server.
+
+ [ Jonas Meurer ]
+ * debian/initramfs/cryptroot-script: sleep after max passphrase attempts.
+ This mitigates local brute-force attacks and addresses CVE-2016-4484.
+ Thanks to Ismael Ripoll and Hector Marco for discovery and report.
+ - decrease $count by one in tries loop if unlocking was successful.
+ - warn and sleep for 60 seconds if the maximum allowed attempts of
+ unlocking (configured with crypttab option tries, default=3) are
+ reached.
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 07 Nov 2016 11:34:41 +0100
+
+cryptsetup (2:1.7.3-1) unstable; urgency=medium
+
+ * New upstream release 1.7.3.
+ * debian/rules: run dh_strip_nondeterminism(1p) in binary-arch rules to
+ make the package build more reproducible. Introduces a new Build-Depends
+ on dh-strip-nondeterminism. Thanks to Reiner Herrmann for bugreport and
+ patch. (Closes: #842581)
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 31 Oct 2016 22:00:52 +0100
+
+cryptsetup (2:1.7.2-5) unstable; urgency=high
+
+ [ Guilhem Moulin ]
+ * debian/upstream/signing-key.asc: add upstream's armored OpenPGP key,
+ fingerprint 2A29 1824 3FDE 4664 8D06 86F9 D9B0 577B D93E 98FC.
+ * debian/watch: add "pgpsigurlmangle" option so uscan(1) can automatically
+ verify cryptographic signatures on release tarballs.
+
+ [ Jonas Meurer ]
+ * debian/initramfs/cryptroot-hook: only source crypt-hook from
+ /etc/cryptsetup-initramfs/ when present. (Closes: #841503)
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 21 Oct 2016 18:10:56 +0200
+
+cryptsetup (2:1.7.2-4) unstable; urgency=high
+
+ [ Guilhem Moulin ]
+ * debian/initramfs/cryptroot-hook:
+ + Fix warning printed for lvm devices backed by multiple dm-crypt nodes.
+ Regression introduced in 2:1.7.2-1. Thanks Zoltan Hidvegi, for the
+ patch. (Closes: #840480)
+ + Don't escape all slash characters "/" in device paths of the form
+ /dev/by-label/..., only the label itself. Regression introduced in
+ 2:1.7.2-2 as a fix for #839888.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 13 Oct 2016 23:11:45 +0200
+
+cryptsetup (2:1.7.2-3) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * debian/initramfs/cryptroot-conf: don't set CRYPTSETUP and KEYFILE_PATTERN,
+ so the (deprecated) values set in /etc/initramfs-tools aren't overridden
+ to the empty string by default. Regression introduced in 2:1.7.2-1.
+ (Closes: #839994.)
+ * debian/README.initramfs: fixed minor typo.
+
+ -- Jonas Meurer <mejo@debian.org> Sat, 08 Oct 2016 00:01:25 +0200
+
+cryptsetup (2:1.7.2-2) unstable; urgency=medium
+
+ * debian/cryptdisks.functions: fix a nasty typo in do_start that rendered
+ systems with sysVinit unbootable. Thanks to Marc Haber for bugreport and
+ patch (Closes: #839888)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 06 Oct 2016 10:47:05 +0200
+
+cryptsetup (2:1.7.2-1) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * new upstream release 1.7.2. Highlights include:
+ - code now uses kernel crypto API backend according to new changes
+ introduced in mainline kernel. (in 1.7.1)
+ - cryptsetup now allows special "-" (standard input) keyfile handling
+ even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices. (in 1.7.1)
+ - Support activation options for error handling modes in Linux kernel
+ dm-verity module. (in 1.7.2)
+ * debian/cryptdisks.functions: use '--key-file=-' again with the tcrypt
+ extension, now that upstream issue #269 is fixed.
+ * migrate the packaging repository from SVN to Git:
+ - debian/control: Update Vcs-* fields to point to the new git repository.
+ - debian/README.source: document new repository structure and release
+ handling.
+ * debian/README.Debian, debian/NEWS: minor typo fixes.
+ * debian/rules: run pod2man --release="$(DEB_VERSION). (Closes: #839352)
+
+ [ Guilhem Moulin ]
+ * debian/control: add self to uploaders.
+ * debian/cryptdisks.functions: when iterating through the crypttab, don't
+ abort after the first disk that fails to be closed. Regression introduced
+ 2:1.7.0-1 when the filed is sourced under 'set -e'.
+ * debian/cryptdisks.functions: stop using `seq` since cryptsetup doesn't
+ depend on busybox. Instead, try again after 1, 2, 4, 8 and 16s when an
+ encrypted disk cannot be closed. (Closes: #811456)
+ * debian/cryptsetup.maintscript: add a "rm_conffile" directive to remove
+ conffile /etc/bash_completion.d/cryptdisks, obsolete since 2:1.7.0-1.
+ (Closes: #810227)
+ * debian/README.initramfs: fix typo s/initramfs-update/update-initramfs/.
+ Thanks, Stuart Prescott. (Closes: #827263)
+ * debian/rules: Add 'hardening=+pie' to DEB_BUILD_MAINT_OPTIONS to compile
+ ELF executables as PIEs.
+ * debian/control: Bump Standards-Version to 3.9.8 (no changes necessary).
+ * debian/cryptsetup.lintian-overrides: Remove unused lintian override
+ init.d-script-does-not-source-init-functions.
+ * Use /etc/crytsetup-initramfs/conf-hook for initramfs hook script
+ configuration. For backward compatibility setting CRYPTSETUP and
+ KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf is still supported
+ for now, but causes the hook to print a warning.
+ This is done following the initramfs-tools maintainers' request (see
+ #807527) that hook and boot script configuration files be stored outside
+ the /etc/initramfs-tools directory. (Closes: #783393)
+ * Print a warning when private key material is to be included in the
+ initramfs image (ie, if $KEYFILE_PATTERN is not empty), and the image is
+ created with a permissive mode.
+ * Add Indonesian debconf templates translation. Thanks, Izharul Haq for the
+ patch. (Closes: #835158)
+ * debian/initramfs/cryptroot-hook: Avoid leading space in $rootdevs,
+ $resumedevs, etc.
+ * Support unlocking devices at initramfs stage using a key file stored on
+ the encrypted root FS. Note however that resume devices won't be unlocked
+ this way since the resume boot script is currently run before mounting the
+ root FS. (Closes: #776409)
+ * debian/initramfs/cryptroot-hook: Avoid undesired effects for target or
+ device names containing non-alphanumeric characters such as "." or "-":
+ + replace `grep "^$x\b"` by `awk -vx="$x" '$1==x {print}'`; and
+ + replace `echo "$x"` by printf '%s' "$x" when the argument might start
+ with a dash.
+ * debian/initramfs/cryptroot-{hook,script}, debian/cryptdisks.functions:
+ ensure slash characters "/" from device labels are escaped when
+ constructing symlinks under /dev/disk/by-label.
+ * debian/scripts/decrypt_gnupg:
+ + Remove --no-mdc-warning to display a warning if the MDC integrity
+ protection is missing.
+ + Replace "GnuPG key" by "gpg-encrypted key" in messages and
+ documentation.
+ * debian/initramfs/cryptgnupg-hook: Add support for multiple devices
+ encrypted using a gpg-encrypted key.
+ * debian/README.gnupg: Indicate that not the only the gpg-encrypted key for
+ the root FS is copied onto the initramfs, but also the ones for all
+ devices that need to be unlocked at initramfs stage.
+ * debian/initramfs/cryptroot-hook: Fix bug for device label starting with
+ "UUID=".
+
+ [ Helmut Grohne ]
+ * libcryptsetup-dev: move the .pc file to a multiarch location such that
+ cross-pkg-config can find it. (closes: #811545)
+ * Fix FTCBFS: Use host arch compiler for askpass as well. (closes: #811559)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 05 Oct 2016 20:53:09 +0200
+
+cryptsetup (2:1.7.0-2) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * Fix cryptsetup shutdown procedure on sysvinit, broken since 2:1.7.0-1 for
+ systems without active crypttab entry at the time fo the shutdown.
+ (Closes: #792552, #810380)
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 10 Jan 2016 18:45:20 +0100
+
+cryptsetup (2:1.7.0-1) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * new upstream release 1.7.0. Highlights include:
+ - cryptsetup TCRYPT mode now supports VeraCrypt devices (in 1.6.7)
+ - fix activation using (UNSECURE) ECB mode (in 1.6.7) (closes: #784129)
+ - properly support stdin "-" handling for luksAddKey for both new and old
+ keyfile parameters. (in 1.6.8)
+ - default hash function is now SHA256 (used in key derivation function
+ and anti-forensic splitter) (in 1.7.0)
+ * debian/cryptsetup.functions, debian/initramfs/cryptroot.{hook,script}: add
+ support for veracrypt option to cryptdisks initscript and cryptroot
+ initramfs script. (closes: #806290)
+ * debian/cryptdisks.functions: don't use '--key-file=-' with the tcrypt
+ extension. This fixes the tcrypt implementation in the initscript and
+ provides a workaround for upstream issue #269.
+ * debian/cryptsetup.bug-script: do not send potentially private information
+ without prior user confirmation in reportbug script. (Closes: #783298)
+ * debian/cryptsetup.apport: do not send potentially private information
+ without prior user confirmation in apport hook.
+ * debian/control, debian/NEWS: fix links to cryptsetup homepage/FAQ. Homepage
+ (and FAQ) moved from code.google.com to gitlab.com. (closes: #781674)
+ * debian/*: update hyperlinks to use https instead of http where appropriate.
+ * debian/rules, debian/post{inst,rm}: don't install cryptdisks_st{art,op}
+ symlinks to /usr/sbin if everything-in-usr directories scheme is used.
+ Thanks to Marco d'Itri for the patch. (closes: #767921)
+ * debian/scripts/luksformat: search for mkfs binaries in /usr/sbin, /usr/bin,
+ /sbin and /bin (default order in $PATH). This fixes luksformat for btrfs
+ filesystems. (closes: #805353)
+ * debian/dirs, debian/rules: install cryptdisks bash-completion script into
+ /usr/share/bash-completion/completions.
+ * debian/cryptdisks.functions: iterate over remaining open crypttab devices
+ in do_stop() in order to close dependent devices and don't freeze the
+ shutdown process. Thanks to Avatar for the patch. (closes: #792552)
+ * debian/rules: set V=1 in order to make build logs usable for blhc.
+ * debian/rules: set DEB_VERSION and DEB_DATE in a way to make cryptsetup
+ build reproducible. Thanks to Dhole and Valentin Lorentz for patches.
+ (closes: #780864, #794106)
+ * debian/cryptdisks.functions: bring the passphrase prompt in line with the
+ one from initramfs script in order to make the user experience more
+ consistent. (closes: #772943)
+ * debian/initramfs/cryptroot-script: move sanity checks of $cryptkeyscript
+ and potential expansion to '/lib/cryptsetup/askpass' to the beginning of
+ setup_mapping().
+
+ [ Guilhem Moulin ]
+ * debian/README.{Debian,remote}: remove dropbear-specific configuration and
+ point to dropbear-initramfs instead. Since version 2015.70-1, dropbear
+ ships dropbear-specific initramfs configuration and documentation in an
+ own binary package dropbear-initramfs. (closes: #801471)
+ * debian/initramfs/cryptroot-{hook,script}: add support for 'keyslot' option
+ to cryptroot initramfs script. (closes: #801479)
+ * debian/README.initramfs, debian/initramfs/cryptroot-hook: add support for
+ storing keyfiles directly in the initrd. (closes: #786578)
+ * debian/initramfs/cryptroot-hook: display a warning for invalid source
+ devices. (closes: #720515, #781955, #784435)
+ * debian/askpass.c: add plymouth support to the askpass helper command.
+ * debian/cryptdisks.functions, debian/initramfs/cryptroot-script: remove
+ special treatment of plymouth installations now that askpass supports
+ plymouth natively.
+ * debian/initramfs/cryptroot-unlock(-hook): add initramfs hook and script
+ to remotely unlock cryptroot devices. (closes: #782024, #697156)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 07 Jan 2016 02:22:33 +0100
+
+cryptsetup (2:1.6.6-5) unstable; urgency=high
+
+ * debian/cryptdisks.functions: fix the precheck for ubuntu+upstart
+ before invoking 'status cryptdisks-udev'. (closes: #773456)
+ * debian/cryptdisks.functions: fix the insufficient grep regex for
+ detecting a running cryptdisks-udev (upstart) init script.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 22 Jan 2015 21:22:08 +0100
+
+cryptsetup (2:1.6.6-4) unstable; urgency=medium
+
+ [ Simon McVittie ]
+ * debian/initramfs/cryptroot-script: decrypt /usr as well as / so that
+ split-/usr will work with initramfs-tools (>= 0.118). (closes: #767832)
+
+ [ Jonas Meurer ]
+ * debian/cryptdisks.funcctions: check for cryptdisks-udev initscript before
+ actually invoking 'status' on it. It's only useful in ubuntu+upstart
+ environment anyway. (closes: #764564)
+ * debian/askpas.c: fix systemd_read() to really strip trailing newline from
+ input. Thanks to Quentin Lefebvre for report and patch. (closes: #768407)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 17 Dec 2014 14:24:41 +0100
+
+cryptsetup (2:1.6.6-3) unstable; urgency=medium
+
+ * debian/initramfs/cryptroot-script: fix environment variable $CRYPTTAB_TRIED
+ to hold the number of actual tries instead of the number of maximum tries.
+ Thanks to Luc Maisonobe for debugging and the patch. (closes: #758788)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 07 Oct 2014 19:51:36 +0200
+
+cryptsetup (2:1.6.6-2) unstable; urgency=medium
+
+ * rename 'luksheader' option in crypttab to 'header', as it may be used for
+ different encryption modes later as well.
+ * add support for detached LUKS header to initramfs scripts. Thanks to Pablo
+ Santiago for the hint and DiagonalArg from Launchpad for patch suggestions.
+ (closes: #716652)
+ * fix support for truecrypt devices in initramfs scripts. Thanks to Lukas
+ Wunner for the patch. (closes: #748286)
+ * use blkid instead of fstype everywhere in cryptroot initramfs scripts.
+ Thanks to Pablo Santiago for the hint.
+ * debian/initramfs/cryptroot-hook: add support for 'initramfs' option to
+ crypttab. Thanks to Hugh Davenport for the patch. (closes: #697162)
+ * debian/initramfs/cryptroot-script: add support for multiple btrfs root
+ devices. This should fix the WARNING at mkinitramfs for unencrypted
+ btrfs root device(s) as well. Thanks to Jon Severinsson and Gerald Turner
+ for patches. (closes: #682751, #762268)
+ * debian/initramfs/cryptroot-script: skip missing device in initramfs after
+ dropping to the panic/emergency shell instead of looping in the panic
+ shell. Thanks to Cédric Barboiron for the patch. (closes: #762573)
+ * debian/initramfs/cryptroot-script: for LVM devices, don't set ROOT to
+ $NEWROOT in /etc/param.conf in case that /etc/param.conf already has ROOT
+ set. This is the case for flash-kernel devices. Thanks to Brandon Parker
+ for bugreport and patch. (closes: #759720)
+ * debian/initramfs/cryptroot-script: in slumber loop, retry vg_activate
+ every ten seconds. Fixes LVM on USB in cases that the USB device didn't
+ come up fast enough. (closes: #762032)
+ * fix package version number in debian/NEWS.
+ * bump standards-version to 3.9.6, no changes needed.
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 20 Aug 2014 19:59:03 +0200
+
+cryptsetup (2:1.6.6-1) unstable; urgency=medium
+
+ * new upsream version 1.6.6.
+ * add versioned dependency on cryptsetup-bin to cryptsetup. (closes: #747670)
+ * change versioned build-depends on automake to >= 1.12 to reflect upstream
+ requirements. Thanks to Joel Johnson. (closes: #740688)
+ * build and link against libgcrypt20 (>= 1.6.1). Add note about whirlpool
+ bug in older libgcrypt releases and how to deal with it to debian/NEWS.
+ * add systemd support to askpass. Thanks to David Härdeman for the patch.
+ (closes: #742600, #755074)
+ * fix initramfs cryptroot hook to not include modules unconditionally. Thanks
+ to Dmitrijs Ledkovs for bugreport and patch. (closes: #714104)
+ * fix decrypt_keyctl script to ask again in case of wrong passphrase. Thanks
+ to Dmitriy Matrosov for bugreport and patch. (closes: #748368)
+ * incorporate changes from ubuntu package:
+ - don't hardcode paths to udevadm and udevsettle.
+ - restore terminal settings in askpass.c. (closes: #714942)
+ - migrate upstart jobs to new names.
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 04 Mar 2014 20:14:07 +0100
+
+cryptsetup (2:1.6.4-4) unstable; urgency=medium
+
+ * really fix plain device opening in initramfs cryptroot script this time.
+ Thanks again to Dirk Griesbach for the patch. (closes: #740592)
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 03 Mar 2014 21:00:16 +0100
+
+cryptsetup (2:1.6.4-3) unstable; urgency=medium
+
+ * fix plain device opening, broken by switch to new unified open command
+ in 1.6.4-1. Thanks to Dirk Griesbach for the patch. (closes: #740592)
+ * update italian debconf translations, thanks to Italian l10n team and
+ Francesca Ciceri. (closes: #740557)
+ * remove trailing whitespaces from text files.
+ * some minor packaging fixes thanks to lintian checks:
+ - fix VCS-* fields in debian/control to use canoncial URIs.
+ - remove empty directory from libcryptsetup4 package.
+ - add lintian-override for init.d-script-not-included-in-package.
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 02 Mar 2014 13:51:35 +0100
+
+cryptsetup (2:1.6.4-2) unstable; urgency=medium
+
+ * fix libcryptsetup.so symlink. Thanks to Michael Biebl. (closes: #740484)
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 02 Mar 2014 01:33:39 +0100
+
+cryptsetup (2:1.6.4-1) unstable; urgency=low
+
+ * new upstream version 1.6.4.
+ - minor fixes in cryptsetup manpage. (closes: #725131)
+ - by default verify new passphrase in luksChangeKey and luksAddKey
+ commands (closes: #728302)
+ - cryptsetup releases are released on kernel.org since 1.6.4. Change
+ debian/watch accordingly.
+ * use compiled defaults for cypher, keysize and hash in luksformat script
+ * improvements to docs (thanks to Christoph Anton Mitterer):
+ - small improvement to explanation for CRYPTTAB_TRIED environment variable
+ in crypttab manpage
+ - update cipher, size and hash settings in examples (closes: #714331)
+ - replace '/dev/hdX' devices with '/dev/sdX' in examples
+ - full path to keyscripts in /lib/cryptsetup/scripts not needed in examples
+ * update init and initramfs scripts to use new open syntax (closes: #714395)
+ * add scripts/local-block/cryptroot in order to support event based block
+ device handling. Thanks to Goswin von Brederlow (closes: #678692)
+ * add support for TCRYPT device handling to cryptdisks init and cryptroot
+ initramfs scripts. (closes: #722509)
+ * improve passphrase prompt in cryptroot initramfs script. Thanks to Joachim
+ Breitner. (closes: #728080)
+ * add support for detached luks header to cryptdisks init script. Thanks to
+ Ximin Luo. (closes: #716652)
+ * enhance docs about remote unlocking feature. Thanks to Karl O. Pinc.
+ (closes: #715487, #714952)
+ * update README.keyctl docs: since linux kernel 2.6.38, dm-crypt is not
+ single-threaded any longer. (closes: #714806)
+ * don't sleep between retries in cryptroot initramfs script. (closes: #715525)
+ * add multi-arch support. Thanks to Shawn Landden. (closes: #696008, #732099)
+ * suggest keyutils. Thanks to Nikolaus Rath. (closes: #734133, #735496)
+ * fix initramfs/cryptroot-hook to support more than one lvm source devices.
+ Thanks to Jens Reinsberger for the patch. (closes: #659688, #737686)
+ * bump standards-version to 3.9.5, no changes needed.
+ * override lintian false positives for init scripts:
+ - init.d-script-does-not-implement-optional-option status
+ - init.d-script-does-not-source-init-functions
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 28 Jun 2013 12:14:55 +0200
+
+cryptsetup (2:1.6.1-1) unstable; urgency=low
+
+ [ Milan Broz ]
+ * new upstream version. (closes: #704827, 707997)
+ - default LUKS encryption mode is XTS (aes-xts-plain64) (closes: #714331)
+ - adds native support for Truecrypt and compatible on-disk format
+ - adds benchmark command
+ - adds cryptsetup-reencrypt, a tool to offline reencrypt LUKS device
+ - adds veritysetup, a tool for dm-verity block device verification module
+ * install docs/examples into docs at cryptsetup-dev package.
+ * fix compilation warnings in askpass.c.
+
+ [ Steve Langasek ]
+ * fix upstart jobs to not cause boot hangs when actually used in
+ conjunction with startpar. (closes: #694499, #677712).
+ * in connection with the above, make the cryptdisks-early job explicitly
+ wait for 'umountfs' on shutdown just like cryptdisks does; otherwise,
+ the teardown of the cryptdisks upstart job may cause the cryptdisks-early
+ init script run before we're done unmounting filesystems.
+
+ [ Jonas Meurer ]
+ * minor wording fixes to README.initramfs, suggested by intrigeri and Adam
+ D. Barrett.
+ * add bash-completion script for cryptdisks_{start,stop}. Thanks to Claudius
+ Hubig for providing a patch. (closes: #700777)
+ * support specifying key-slot in crypttab. Thanks to Kevin Locke for the
+ patch. (closes: #704470)
+ * remove evms support code from cryptroot initramfs script. (closes: #713918)
+ * fix location of keyscripts in initramfs documentation. (closes: #697446)
+ * fix a typo in decrypt_ssl script that prevented stdout from beeing
+ redirected to /dev/null. (closes: #700285)
+ * give full path to blkid in crytproot initramfs script. (closes: #697155)
+ * export number of previous tries from cryptroot and cryptdisks to
+ keyscript. Thanks to Laurens Blankers for the idea. Opens the possibility
+ to fallback after a given number of tries for keyscripts. (closes: #438481,
+ #471729, #697455)
+ * improve check for cpu hardware encryption support in initramfs cryptroot
+ hook. (closes: #714326)
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 28 Jun 2013 12:10:41 +0200
+
+cryptsetup (2:1.4.3-4) unstable; urgency=medium
+
+ * change recommends for busybox to busybox | busybox-static. Thanks to
+ Armin Haas for the bugreport. (closes: #692151)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 07 Nov 2012 16:12:25 +0100
+
+cryptsetup (2:1.4.3-3) unstable; urgency=medium
+
+ * add recommends for 'kbd, console-setup' to cryptsetup package. Both are
+ necessary to support local keymap in initramfs. Thanks to Raphaël Hertzog
+ for the bugreport. (closes: #689722)
+ * move suggestion for 'initramfs-tools (>= 0.91) | linux-initramfs-tool,
+ busybox' to recommends. Both are required for encrypted root fs.
+ * remove suggestion for udev, most debian systems have it installed anyway.
+ * mention option to use UUID=<luks_uuid> for source device in crypttab(5).
+ Thanks to Felicitus for the bug report. (closes: #688786)
+ * add a paragraph in README.initramfs: Describe, why renaming the target
+ name is not supported for encrypted root devices. Thanks to Adam Lee for
+ bugreport and proposed workaround for this limitation. (closes: #671037)
+ * fix keyfile permission checks in cryptdisks init scripts to follow
+ symlinks. Thanks to intrigeri for the bugreport. (closes: #691517)
+ * fix owner group check for keyfile in cryptdisks init scripts to really
+ check owner group.
+ * update debconf translations:
+ - brasilian portuguese, thanks to Adriano Rafael Gomes. (closes: #685762)
+ - japanese, thanks to victory. (closes: #690784)
+ * fix typo in manpages: s/passphase/passphrase. Thanks to Milan Broz for
+ the bugreport. (closes: #684086)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 01 Nov 2012 15:34:09 +0100
+
+cryptsetup (2:1.4.3-2) unstable; urgency=medium
+
+ * fix the shared library symbols magic: so far, the symbols file for
+ libcryptsetup4 included just a wildcard for all exported symbols, with
+ libcrypsetup4 (>= 2:1.4) as minimum version. This was wrong. Symbols
+ that were added later need adjusted minimum versions. Thanks for the
+ great help in #debian-mentors. (closes: #677127)
+ * remove emtpy directory /lib from cryptsetup-bin package.
+ * compile askpass and passdev with CFLAGS, CPPFLAGS and LDFLAGS.
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 12 Jun 2012 21:26:18 +0200
+
+cryptsetup (2:1.4.3-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * mention limitations for keyscripts in crypttab(5) manpage: keyscripts
+ must not depend on binaries/files which are part of the to-be-unlocked
+ device. (closes: #665494)
+ * bump versioned build-dependency on debhelper now that we install
+ upstart initscripts in debian as well.
+ * change versioned breaks/replaces for cryptsetup-bin on cryptsetup to
+ 1.4.3-1~, fixing upgrades in debian.
+
+ [ Jean-Louis Dupond ]
+ * New upstream version. (closes: #670071)
+ - Fix keyslot removal (closes: #672299)
+ - Add -r to cryptsetup.8 (closes: #674027)
+ * Split up package in cryptsetup and cryptsetup-bin.
+ * I'm now co-maintainer (closes: #600777).
+ * Start cryptdisks-enable upstart job on 'or container', to let us
+ simplify the udevtrigger job.
+ * debian/cryptdisks.functions: handle the case where crypttab contains a
+ name for the source device that is not the kernel's preferred name for
+ it (as is the case for LVs). (Thanks Steve Langasek)
+ * debian/cryptdisks.functions: fix a race condition in some cases by
+ adding and udevadm settle before rename.
+ * debian/cryptdisks.functions: add UUID & LABEL support to do_start.
+ * debian/copyright: really fix lintian warning.
+ * debian/rules: also include upstart files in debian.
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 08 Jun 2012 13:42:51 +0200
+
+cryptsetup (2:1.4.1-3) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * finally add back support for configuration of custom rootfs-devices through
+ the boot parameter 'root' to initramfs cryptroot script. Thanks a lot to
+ August Martin for the bugreport as well as continuously debugging and
+ providing patches. (closes: #546610)
+ * use blkid instead of fstype to detect the content of devices in initramfs
+ cryptroot script. Unfortunately fstype doesn't recognize md-raid devices,
+ which leads to errors with encrypted devices on top of software raid.
+ * check whether $NEWROOT already exists before actually invoking cryptsetup
+ in initramfs cryptroot script. (closes: #653241)
+ * fix conditions for prechecks at do_noluks() in cryptdisks.functions. Should
+ prevent data loss with encrypted swap in most cases. (closes: #652497)
+ * change default value for tmpfs and examples from ext2 to ext4.
+ * minor code cleanup.
+ * update debconf translations:
+ - russian, thanks to Yuri Kozlov. (closes: #661303)
+ - spanish, thanks to Camaleón. (closes: #661316)
+
+ [ Jean-Louis Dupond ]
+ * fix watch file.
+ * always add aesni module to initramfs if we have hardware aes support.
+ (closes: #639832).
+ * debian/copyright: fix lintain warning.
+ * add upstart scripts for ubuntu.
+ * silent warnings on kernels without kernel/{arch,crypto}.
+ * add crypttab_start_one_disk in function script to handle udev startup
+ in ubuntu.
+ * bump standards-version to 3.9.3, no changes needed.
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 11 Apr 2012 23:55:35 +0200
+
+cryptsetup (2:1.4.1-2) unstable; urgency=low
+
+ * acknowledge NMU. Thanks to Michael Biebl. (closes: #659182)
+ * don't print error for non-encrypted rootfs in initramfs cryptroot hook.
+ Thanks to Jamie Heilman and Christoph Anton Mitterer for bugreports.
+ (closes: #659087, #659106)
+ * use dmsetup splitname to extract VG name from $node in initramfs cryptroot
+ hook. Thanks to Kai Weber for the bugreport, Milan Broz and Claudio
+ Imbrenda for suggestions and patches. (closes: #659235)
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 12 Feb 2012 15:51:11 +0100
+
+cryptsetup (2:1.4.1-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix dangling .so symlink. Don't hard code the library version but use
+ readlink instead to determine where the .so symlink should point at.
+ (closes: #659182)
+
+ -- Michael Biebl <biebl@debian.org> Sat, 11 Feb 2012 04:32:01 +0100
+
+cryptsetup (2:1.4.1-1) unstable; urgency=low
+
+ * new upstream release (1.4.0 + 1.4.1) (closes: #647851)
+ - fixes typo in german translation. (closes: #645528)
+ - remove patches, all incorporated upstream.
+ - soname bump, rename library package to libcryptsetup4
+ * check for busybox in initramfs cryptroot hook, and install the sed binary
+ in case it's either not installed or not activated. (closes: #591853)
+ * add checks for 'type $KEYSCRIPT' to initscripts cryptdisks.functions, and
+ to cryptroot initramfs script/hook. this adds support for keyscripts inside
+ $PATH. thanks to Ian Jackson for the suggestion. (closes: #597583)
+ * use argument '--sysinit' for vgchange in cryptroot initramfs script. Thanks
+ to Christoph Anton Mitterer for the suggestion.
+ * add option for discard/trim features to crypttab and initramfs scripts.
+ Thanks to intrigeri and Peter Colberg for patches. (closes: #648868)
+ * print $target on error in initramfs hook. Thanks to Daniel Hahler for the
+ bugreport. (closes: #648192)
+ * add a warning about using decrypt_derived keyscript for devices with
+ persistent data. Thanks to Arno Wagner for pointing this out.
+ * remove quotes from resume device candidates at get_resume_devs() in
+ initramfs hook script. Thanks to Johannes Rohr. (closes: #634017)
+ * support custom $TABFILE, thanks to Douglas Huff. (closes: #638317)
+ * fix get_lvm_deps() in initramfs cryptroot hook to add all physical volumes
+ of lvm volume group that contains the rootfs logical volume, even if the
+ rootfs is lv is not spread over all physical volumes. Thanks to Christian
+ Pernegger for bugreport and patch. (closes: #634109)
+ * debian/initramfs/cryptroot-script: Move check for maximum number of tries
+ behind the while loop, to make the warning appear in case that maximum
+ number of tries is reached. Thanks to Chistian Lamparter for bugreport and
+ patch. (closes: #646083)
+ * incorporate changes to package descriptions and debconf templates that
+ suggested by debian-l10n-english people. Special thanks go to Justin B Rye.
+ * acknowledge NMU, thanks a lot to Christian Perrier for his great work on
+ the i18n front. (closes: #633105, #641719, #641839, #641947, #642470,
+ #640056, #642540, #643633, #643962, #644853)
+ * add and update debconf translations:
+ - italian, thanks to Milo Casagrande, Francesca Ciceri. (closes: #656933)
+ - german, thanks to Erik Pfannenstein. (closes: #642147)
+ - spanish, thanks to Camaleón. (closes: #658360)
+ - russian, thanks to Yuri Kuzlov (closes: #654676)
+ * set architecture to linux-any, depends on linux kernel anyway. Thanks to
+ Christoph Egger. (closes: #638257)
+ * small updates to the copyright file.
+ * add targets build-indep and build-arch to debian/rules, thanks to lintian.
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 05 Feb 2012 03:17:59 +0100
+
+cryptsetup (2:1.3.0-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix pending l10n issues. Debconf translations:
+ - French (Julien Patriarca). Closes: #633105
+ - Vietnamese (Hung Tran). Closes: #641719
+ - Portuguese (Miguel Figueiredo). Closes: #641839
+ - Russian (Yuri Kozlov). Closes: #641947
+ - Swedish (Martin Bagge / brother). Closes: #642470,#640056
+ - Czech (Michal Simunek). Closes: #642540
+ - Dutch; (Jeroen Schot). Closes: #643633
+ - Spanish; (Camaleón). Closes: #643962
+ - Danish (Joe Hansen). Closes: #644853
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 25 Dec 2011 19:00:24 +0100
+
+cryptsetup (2:1.3.0-3) unstable; urgency=low
+
+ * drop the loopback magick from cryptdisks scripts. Mario 'Bitkoenig' Holbe
+ pointed out, that auto-destruction support was added to the loopback driver
+ with kernel 2.6.25. Given, that even lenny has a more recent kernel,
+ support for kernels < 2.6.25 is not required any more. (closes: #626458)
+ * add debconf question 'prerm/active-mappings' with priority high to prerm
+ maintainer script. will warn about active dm-crypt mappings before the
+ package is removed/purged. (closes: #626641)
+ * add lintian-override for 'cryptsetup: no-debconf-config', as the debconf
+ question in prerm doesn't require a debconf config script.
+ * add debian/patches/03_create_fix_keyfile.patch. (closes: #626738)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 19 May 2011 20:50:08 +0200
+
+cryptsetup (2:1.3.0-2) unstable; urgency=low
+
+ * fix changelog of 2:1.3.0-1 release, thanks to Thorsten Glaser for the hint
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 12 May 2011 03:06:46 +0200
+
+cryptsetup (2:1.3.0-1) unstable; urgency=low
+
+ * new upstream release
+ - automatically allocates loopback device for container files. update the
+ cryptdisks functions to only setup loopback device for kernel < 2.6.35.
+ otherwise, let cryptsetup do the magic itself.
+ - introduces maximum default keyfile size, see --help for value. manually
+ set the keyfile size with --keyfile-size in order to overwrite the limit.
+ - adds luksChangeKey command for changing passphrase/keyfile in one step
+ - adds loopAES compatibility command loopaesOpen
+ - remove d/patches/01_luksAddKey_return_code.patch, incorporated upstream
+ * add gettext support to luksformat script. Thanks to intrigeri for initial
+ patch, and adduser sources for implementation ideas. (closes: #558405)
+ * fix KEYSCRIPT checks in cryptdisks.functions for empty values.
+ * update REAMDE.gnupg and initramfs cryptgnupg hook script:
+ - warn about keys being copied to initramfs.
+ - fix the documentation to provide working examples.
+ * update README.Debian and related documentation:
+ - add a section about the 'special' keyscripts askpass and passdev
+ (closes: #601314)
+ - update several sections, remove reference to lenny
+ * add debian/patches/01_create_fix_size.patch, to fix a regression in 1.2.0
+ where the size argument was ignored for create command (closes: #624828)
+ * add debian/patches/02_manpage.patch, escapes minus signs in manpage
+ * remove usplash support from cryptroot initramfs script, askpass and
+ keyscripts, add plymouth support to keyscripts. (closes: #620923)
+ * ignore options like cipher, hash, size, etc. for luks commands in
+ cryptdisks. mention this in the crypttab manpage. (closes: #619249)
+ * again check for existance of /lib/cryptsetup/cryptdisks.functions before
+ sourcing it in cryptdisks(-early).init. required if cryptsetup is removed
+ but not purged, where initscripts are still around. (closes: #625468)
+ * bump standards-version to 3.9.2, no changes needed.
+ * debian/libcryptsetup1.symbols: update, 1.3.0 adds new function symbols
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 11 May 2011 14:45:42 +0200
+
+cryptsetup (2:1.2.0-2) unstable; urgency=low
+
+ * upload to unstable.
+ * fixes a ftbfs due to updated libgpg-error and libgcrypt11 build-
+ dependencies. (closes: #614530)
+ * install cryptkeyctl initramfs hook, needed for keyctl keyscript in
+ initramfs, thanks to Maik Zumstrull (closes: #610750)
+ * use 'egrep -c' instead of wc in cryptdisks_st* scripts, wc might not be
+ available as it's located at /usr/bin. Thanks to Mario 'BitKoenig' Holbe
+ for bugreport and patch. (closes: #611747)
+ * add debian/patches/01_luksAddKey_return_code.patch, fixes the luksAddKey
+ return code when the master key is used. (closes: #610366)
+ * fix luksformat script to invoke usage() with --help. (closes: #612947)
+ * add a paragraph about known upgrade issues to the crypttab manpage. this
+ paragraph strongly suggests to configure cipher, hash and keysize for
+ plain dm-crypt devices. (closes: #612452)
+ * fix examples in crypttab manpage, cipher, hash and keysize should be
+ configured for plain dm-crypt devices.
+ * luksformat: invoke udevadm settle between mkfs.vfat and luksClose, to
+ prevent possible race conditions. This is a workaround. (closes: #601886)
+ * update lintian-overrides for new lintian from experimental.
+ * fix spelling mistake in README.Debian thanks to lintian.
+ * update short and long description for udebs to mention udeb and
+ debian-installer. This satisfies lintian.
+ * fix get_resume_device() in initramfs cryptroot hook script to add source
+ device for decrypt_derived keyscript in case it's not the root device.
+ Thanks to Robert Lange and mahashakti89 for bugreport. (closes: #592430)
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 07 Mar 2011 23:52:13 +0100
+
+cryptsetup (2:1.2.0-1) experimental; urgency=low
+
+ * new major upstream release (closes: #603804)
+ - adds text version of FAQ
+ - adds new options --use-random and --use-urandom for MK generation
+ - fixes luksRemoveKey to not ask for remaining keyslot passphrase
+ - no longer supports luksDelKey command (replaced by luksKillSlot)
+ - no longer supports reload command, dmsetup reload should be used instead
+ - adds support to change the UUID later (with --uuid cmd option)
+ - adds --dump-master-key option for luksDump command
+ - no luksOpen, luksFormat and create for open devices (closes: #600208)
+ - remove debian/patches/01_manpage.patch, incorporated upstream
+ - and many more changes, see upstream changelog for further information
+ - update debian/libcryptsetup1.symbols
+ * invoke update-initramfs at cryptsetup removal in order to not leave behind
+ a broken initramfs. thanks to ubuntu for the hint.
+ * link dynamically against libgcrypt11 and libgpg-error0 now that the
+ libraries have been moved to /lib. add versioned depends for libcryptsetup1
+ on (libgcrypt >= 1.4.6-2) and libgpg-error0 (>= 1.10-0.1).
+ * debian/initramfs/cryptroot-script: prereq 'cryptroot-prepare' added in
+ order to support cryptroot to depend on custom initramfs scripts. thanks
+ to Marc Haber for the suggestion. (closes: #601311)
+ * debian/cryptdisks.functions:
+ + fix check for ownership and permissions of $key to work with slighly
+ different output of 'ls -l' with selinux enabled. (closes: #600522)
+ + fix $TRIES implementation to support TRIES=0 again. (closes: #602501)
+ * change 'echo -e' to 'printf' in debian/initramfs/cryptroot-script. thanks
+ to checkbashisms script devscripts for spotting that bashism.
+ * add a libcryptsetup1-udeb library package for debian-installer in order to
+ satisfy cryptsetup-udeb dependencies with dynamically linked binary.
+ Version the build-depends on libgcrypt11-dev to (>= 1.4.6-3), to satisfy
+ udeb library dependencies.
+ * change 'XC-Package-Type: udeb' to 'Package-Type: udeb' in debian/control
+ * add debian/cryptsetup.apport from Ubuntu, install only for dist=Ubuntu.
+ build-depends on dpkg-dev (>= 1.15.1) is required for this to work.
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 16 Jan 2011 01:01:03 +0100
+
+cryptsetup (2:1.1.3-4) unstable; urgency=high
+
+ * bump standards-version to 3.9.1, no changes required
+ * add patches/01_manpage_units: mention units (512b sectors) for -o option
+ in man page. (closes: #584174)
+ * move cryptdisks_st* scripts from /usr/sbin to /sbin, add symlinks for
+ compatibility reasons. thanks to Mario 'BitKoenig' Holbe. (closes: #589800)
+ * add decrypt_keyctl keyscript and initramfs hook from Michael Gebetsroither,
+ which supports to cache a passphrase for later use. (closes: #563961)
+ * invoke /sbin/lvm with full path in cryptroot initramfs script. thanks to
+ Bernd Zeimetz. (closes: #597648)
+ * print out a warning at initramfs cryptroot hook in case that detection of
+ canonical device failed. (closes: #594092)
+ * add manpage fixes, thanks to Stephen Gildea for patch. (closes: #598237)
+ * fix depreciated ext2 wrapper checkscript to succeed for ext2, ext3, ext4
+ and ext4dev filesystems. (closes: #595331)
+ * again remove duplicates from debian/NEWS.
+ * truncate trailing spaces for some variables at initramfs cryptroot hook.
+ * remove volume group -guessing magic from initramfs scripts and hooks,
+ instead activate all available lvm volume groups. thanks to Christoph
+ Anton Mitterer for the suggestion. (closes: #554506, #591626)
+ * remove /etc/bash_completion.d from debian/cryptsetup.dirs
+ * set urgency=high as this upload fixes two release-critical bugs.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 04 Nov 2010 20:36:45 +0100
+
+cryptsetup (2:1.1.3-3) unstable; urgency=low
+
+ * fix usage of new variable $DEFAULT_LOUD, and some cosmetical changes.
+ thanks to Mario 'BitKoenig' Holbe. (closes: #589029)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 22 Jul 2010 12:56:01 +0200
+
+cryptsetup (2:1.1.3-2) unstable; urgency=low
+
+ * introduce new $INITSTATE 'manual' for cryptdisks_st* scripts. that way,
+ noauto devices are processed again by cryptdisks_st* scripts.
+ (closes: #588697, #588698, #589153, #589798)
+ * introduce new variable $DEFAULT_LOUD. now the 'loud' option in crypttab
+ affects only the device in question. thanks to Mario 'BitKoenig' Holbe.
+ * introduce new crypttab option 'quiet' which overwrites and unsets the
+ 'loud' option. thanks to Mario 'BitKoenig' Holbe. (closes: #589029)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 21 Jul 2010 10:42:49 +0200
+
+cryptsetup (2:1.1.3-1) unstable; urgency=low
+
+ * new upstream release:
+ - fix device alignment ioctl calls parameters for archs like ppc64.
+ - fix activate_by_* API calls to handle NULL device name as documented
+ - fix udev support for old libdevmapper with not compatible definition
+ * fix rm_lo_setup() in cryptdisks.functions for failed device setup. thanks
+ to Roger Pettersson. (closes: #581712)
+ * add X-Stop-After headers to cryptdisks(-early) initscripts. this fixes
+ shutdown process for system without encrypted rootfs at least. thanks to
+ Alfredo Finelli. (closes: #575652)
+ * more merges from ubuntu, thanks to and Steve Langasek (closes: #575024):
+ - debian/cryptdisk.functions: initially create the device under a temporary
+ name and rename it only at the end using 'dmsetup rename', to ensure that
+ upstart/mountall doesn't see our device before it's ready to go.
+ LP: #475936.
+ - cryptdisks.functions: do_tmp should mount under /var/run/cryptsetup for
+ changing the permissions of the filesystem root, not directly on /tmp,
+ since mounting on /tmp a) is racy, b) confuses mountall something fierce.
+ LP: #475936.
+ * fix manpage checkscripts documentation. clarify that both cryptdisks and
+ cryptroot invoke checkscripts. thanks Christoph Anton Mitterer.
+ * remove quotes from $KEYSCRIPT invokation, thanks Alexandre Rossi.
+ (closes: #585099)
+ * fix support for commandline options to mkfs in luksformat. thanks to Eduard
+ Bloch again for bugreport and patch. (closes: #585787)
+ * remove duplicates from debian/NEWS, thanks Steve Langasek (closes: 586019)
+ * improve documentation on environment variables in cryptdisks.default and
+ crypttab manpage. thanks Christoph Anton Mitterer. (closes: #585664)
+ * several improvements to (pre)check scripts, inspired by scripts from
+ Christoph Anton Mitterer (closes: #585418, #585496)
+ - checkscripts exit with error 1 if executables aren't available.
+ - ext2, swap and xfs scripts are depreciated and invoke blkid script.
+ - drop filtering of minix filesystem in blkid, util-linux 2.17.2 in debian
+ - remove *vol_id check scripts, vol_id isn't available in debian any longer
+ - don't use sed in *blkid check scripts any longer
+ * fix initramfs/cryptroot-hook to canonicalize $device in get_resume_devices
+ function. this should really weed out all duplicates. (closes: #586122),
+ and catch all udev/device-mapper symlink setups as well (closes: #554506)
+ * bash-completion file now in pck bash-completion (closes: #586299, #586162)
+ * add a paragraph about the boot order of init scripts to README.Debian,
+ describing the current catch-22 situation. (closes: #576646)
+ * initscripts and cryptdisks_st* no longer silently quit in case that include
+ file /lib/cryptsetup/cryptdisks.functions is missing. (closes: #587220)
+ * fix cryptdisks-early LSB headers to restore legacy boot sequence order.
+ mdadm-raid was started before cryptdisks-early. (closes: #587224)
+ * cryptdisks initscript now raises a warning for failed started devices, and
+ cryptdisks-early initscript raises a warning for failed stopped devices.
+ this makes the initscript actions far more transparent to users. same holds
+ for cryptdisks_st*. thanks to Christoph Anton Mitterer. (closes: #587222)
+ * remove lintian overrides init.d-script-should-depend-on-virtual-facility
+ as lintian lintian 2.4.2 has fixed #580082.
+ * bump standards-version to 3.9.0, remove version information from replaces/
+ provides/conflicts against cryptsetup-luks, change conflicts against
+ hashalot (<= 0.3-1) to breaks hashalot (<< 0.3-1) and add replaces.
+ * fix loads of typos, thanks to Christoph Anton Mitterer. (closes: #588068)
+ * update copyright years and list Milan Broz in debian/copyright
+
+ -- Jonas Meurer <mejo@debian.org> Sat, 10 Jul 2010 14:32:40 +0200
+
+cryptsetup (2:1.1.2-1) unstable; urgency=low
+
+ * new upstream release, changes include:
+ - Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile.
+ (closes: #583397)
+ - Add verbose log level and move unlocking message there.
+ - Remove device even if underlying device disappeared (remove, luksClose).
+ (closes: #554600, #574126)
+ - Fix (deprecated) reload device command to accept new device argument.
+ * merged from ubuntu:
+ - if plymouth is present in the initramfs, use this directly, bypassing
+ the cryptsetup askpass script
+ - start usplash in initramfs, since we need it for fancy passphrase input
+ - Set FRAMEBUFFER=y in cryptroot-conf, to pull plymouth into the initramfs
+ - debian/initramfs/cryptroot-hook: Properly anchor our regexps when
+ grepping /etc/crypttab so that we don't incorrectly match device names
+ that are substrings of one another.
+ - debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot
+ file descriptor to subprocesses.
+ * sync list of supported filesystems in passdev.c and cryptpassdev-hook
+ * fix debian/watch file to work with updated code.google.com download page
+ * stop building and shipping static libs (closes: #583387, #583471)
+ * improve documentation on (pre)checks in manpage. (closes: #583568, #583567)
+ * remove xfs and ext2 check scripts documentation from crypttab manpage,
+ blkid script can be used. thanks Christoph Anton Mitterer (closes: #583570)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 01 Jun 2010 15:37:50 +0200
+
+cryptsetup (2:1.1.1-1) unstable; urgency=low
+
+ * new upstream release, changes include:
+ - detects and uses device-mapper udev support if available
+ - fix luksOpen reading of passphrase on stdin if "-" keyfile specified
+ - fix isLuks to initialise crypto backend (closes: #578979)
+ - fix luksClose operation for stacked DM devices
+ * remove all patches, they have all been merged upstream
+ * redirect output of copy_exec in add_device() from initramfs cryptroot
+ hook to stderr. fixes verbose run of mkinitramfs. (closes: #574163)
+ * acknowledge NMU. thanks to maximilian attems. (closes: #576488)
+ * change default for random key from /dev/random to /dev/urandom in
+ README.Debian, extend explanation. (closes: #579932)
+ * add comment to crypttab manpage about how to disable (pre)checks.
+ (closes: #574948)
+ * fix cryptdisks.functions to print cryptsource and crypttarget again at
+ the passphrase prompt. (closes: #578428)
+ * reorder build-depends, add pkg-config, change automake1.9 to automake
+ * add new lintian overrides
+ * switch to new dpkg source format "3.0 (quilt)", use upstream bzip tarball
+ * add ${misc:Depends} to depends for libcryptsetup-dev
+ * remove UID checks from initscripts, as these aren't meant to be invoked by
+ users anyway, and the UID checks introduced dependency on /usr filesystem.
+ * use grep -s for /etc/fstab in initramfs/cryptroot-hook. (closes: #580756)
+ * note that fs modules fore passdev devices need to be added to initramfs
+ in README.initramfs (closes: #580898)
+ * merged from ubuntu:
+ - Fix grammar error in debian/initramfs/cryptroot-script (closes: #581973)
+ * add busybox to suggests, thanks to martin michlmayr. (closes: #582914)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 26 May 2010 23:38:01 +0200
+
+cryptsetup (2:1.1.0-2.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+
+ [ Martin Pitt ]
+ * debian/initramfs/cryptroot-script: (closes: #576488)
+ - Source /scripts/functions after checking for prerequisites.
+ - prereqs(): Do not assume we are running within initramfs, and calculate
+ relative path correctly.
+
+ -- maximilian attems <maks@debian.org> Thu, 08 Apr 2010 01:37:17 +0200
+
+cryptsetup (2:1.1.0-2) unstable; urgency=low
+
+ * fix version in NEWS.Debian: 2:1.1.0~rc2-1 instead of 2:1.0.7-3.
+ * remove 'NOT RELEASED YET' from 2:1.1.0-1 changelog
+ * capitalize names in changelog
+ * mention the old default plain mode in changelog and NEWS, add a note that
+ debian-installer setups can ignore the warning, and warn for plain dm-crypt
+ mappings in crypttab that don't have set cipher, hash and size.
+ (closes: #573103, #573261)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 16 Mar 2010 13:44:50 +0100
+
+cryptsetup (2:1.1.0-1) unstable; urgency=low
+
+ * new upstream stable release (1.1.0), notable changes since rc2:
+ - default key size for LUKS changed from 128 to 256 bits
+ - default plain mode changed from aes-cbc-plain to aes-cbc-essiv:sha256
+ - key slot and key diggest iteration minimum set to 1000
+ - convert hash name to lower case in header
+ * update patch 02_manpage
+ * add more supported filesystems to passdev.c, isofs->iso9660. thanks to
+ Christoph Anton Mitterer. (closes: #557405)
+ * update to standards-version 3.8.4, no changes needed
+ * accept spaces in $opts at postinst script. (closes: #559184)
+ * set extended $PATH in cryptdisks.functions. thanks to Christoph Anton
+ Mitterer. (closes: #557329)
+ * fix huge initramfs for archs which don't have kernel/arch directory.
+ thanks to martin michlmayr for bugreport and patch. (closes: #559510)
+ * support commandline options to mkfs in luksformat. thanks to Eduard
+ Bloch for bugreport and patch. (closes: #563975)
+ * extend error messages for evms setup in cryptroot-script
+ * add 03_luksAddKey.patch, to not verify unlocking passphrase in luksAddKey
+ command. (closes: #570418)
+ * add 04_crypto_init.patch, to properly initialise crypto backend in header
+ backup/restore commands.
+ * change build-dependency on cvs to new autopoint package (closes: #572463)
+ * rename decrypt_gpg keyscript to decrypt_gnupg, improve it based on ideas
+ by Christoph Anton Mitterer, mention the keyscript rename in NEWS.Debian.
+ Also, provide a initramfs cryptgnupg hook script. Thanks to Christoph
+ Anton Mitterer for bugreport and ideas. (closes: #560034)
+ * check for root privileges with '/usr/bin/id -u' in init scripts and
+ cryptdisks_{start|stop}. (closes: #563162)
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 08 Mar 2010 14:15:35 +0100
+
+cryptsetup (2:1.1.0~rc2-1) unstable; urgency=low
+
+ * new upstream release candidate (1.1.0-rc2), highlights include:
+ - new libcryptsetup API (documented in libcryptsetup.h)
+ - luksHeaderBackup and luksHeaderRestore commands (closes: #533643)
+ - use libgcrypt, enables all gcrypt hash algorithms for LUKS through
+ -h luksFormat option (closes: #387159, #537385)
+ - new --master-key-file option for luksFormat and luksAddKey
+ - use dm-uuid for all crypt devices, contains device type and name now
+ (closes: #548988, #549870)
+ - command successful messages moved to verbose level (closes: #541805)
+ - several code changes to improve speed of luksOpen (closes: #536415)
+ - luksSuspend and luksResume commands
+ * remove unneeded patches 03_read_rework and 04_no_stderr_success, update
+ 02_manpage for new upstream release candidate.
+ * update patch to comply with DEP-3 (http://dep.debian.net/deps/dep3/)
+ * fix initramfs/cryptroot-hook to support setups where /dev/mapper/ contains
+ symlinks to devices at /dev/dm-*. the lvm2/device-mapper packages had
+ defaults changed to this temporary. it has been fixed in a subsequent
+ upload of lvm2 in the meantime, but still it's not a bad idea to be
+ prepared for such setups in the future. that way cryproot now supports
+ /dev/dm-* devices as well. (closes: #532579, #544487, #544773)
+ * fix initscript dependencies both for cryptdisks and cryptdisks-early.
+ thanks to Petter Reinholdtsen for bugreport and patch. (closes: #548356)
+ * finally change default behaviour of initscripts/cryptroot-hook to include
+ all available crypto modules into the initramfs. this change should fix
+ any problems with cryto modules missing from the initramfs. announce the
+ change in NEWS.Debian. (closes: #547597)
+ * add error messages to lvm detecting code in initramfs/cryptroot-script
+ in order to make debugging easier. (closes: #541248)
+ * implement detection of devices which are required by decrypt_derived
+ keyscript in initscripts/cryptroot-hook. that way setups where encrypted
+ swap has the key derived from non-root partitions should support suspend/
+ resume as well. (closes: #475838)
+ * remove outdated documentation from the source package: CryptoRoot.HowTo,
+ CheckSystem.Doc
+ * mention in README.initramfs that busybox is required for cryptroot to work
+ * stop creating /etc/keys in postinst maintainer script.
+ * update build system to include library files again: (closes: #480157)
+ - split into three packages: cryptsetup, libcryptsetup1, libcryptsetup-dev
+ - rename preinst to cryptsetup.preinst, copy code to create /etc/crypttab
+ skeleton into cryptsetup-udeb.preinst.
+ - build with --enable-shared and --enable-static for libcryptsetup.a
+ - create debian/libcryptsetup1.symbols with help of dpkg-gensymbols
+ * add debian/cryptsetup.lintian-override for two false positives
+ * raise build-depends on debhelper and debian/compat for that reason
+ * update README.remote to work with latest dropbear package. thanks to
+ debian@x.ray.net.
+ * make all crypttab fields available to keyscripts as environment variables.
+ thanks to ludwig nussel from suse for idea and implmentation. document
+ this in crypttab(5) manpage. impelement the same environment variables in
+ initramfs cryptroot script.
+ * fix formatting errors in crypttab(5) manpage.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 15 Oct 2009 19:26:14 +0200
+
+cryptsetup (2:1.0.7-2) unstable; urgency=low
+
+ * add a paragraph to the cryptsetup manpage that mentions /proc/crypto as
+ source for available crypto ciphers, modes, hashs, keysizes, etc.
+ (closes: #518266)
+ * fix luksformat to check for mkfs.$fs both in /sbin and /usr/sbin. thanks
+ to Jon Dowland. (closes: #539734)
+ * mention era eriksson as author of the typo fixes for manpage (submitted as
+ bug #476624) in changelog of cryptsetup 2:1.0.6-3. (closes: #541344)
+ * bump standards-version to 3.8.3. no changes needed.
+ * add 04_no_stderr_success.patch, which adds an option to suppress success
+ messages to stderr. don't apply the patch as this already has been fixed
+ upstream in another way. next cryptsetup release will print the command
+ successful message to stdout only if opt_verbose is set.
+ * add checkscripts blkid and un_blkid for the reason that vol_id will be
+ removed from udev soon. advertise the new scripts at all places that
+ mentioned vol_id or un_vol_id before.
+ * add /usr/share/bug/cryptsetup which adds /proc/cmdline, /etc/crypttab,
+ /etc/fstab and output of 'lsmod' to bugs against cryptsetup.
+ * add debian/README.remote, which describes how to setup a cryptroot system
+ with support for remote unlocking via ssh login into the initramfs. Thanks
+ to debian@x.ray.net for writing it down.
+ * update debian/copyright for current format from dep.debian.net/deps/dep5
+ * add chainiv, cryptomgr and krng to standard list of modules in initramfs
+ cryptroot hook. (closes: #541835)
+ * add a section describing LUKS header backups and related security
+ implications to README.Debian. a tool to automate this task should not be
+ distributed at all. (closes: #432150)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 01 Sep 2009 12:38:02 +0200
+
+cryptsetup (2:1.0.7-1) unstable; urgency=low
+
+ * new upstream release, highlights include (diff from ~rc1):
+ - allow removal of last slot in luksRemoveKey and luksKillSlot
+ - eject unsupported --offset and --skip options for luksFormat
+ * make passdev accept a timeout option, thanks to Evgeni Golov for the patch.
+ (closes: #502598)
+ * finally add the cryptsource delay implementation from ubuntu, as it seems
+ to workaround some issues where appearance of the root device takes longer
+ than expected. (closes: #488271)
+ * execute udev_settle before $cryptremove if $cryptcreate fails at
+ setup_mapping() in the initramfs cryptroot script. it seems like a short
+ delay and/or udev_settly is needed in between of 'cryptsetup create' and
+ 'cryptsetup remove'. thanks to Gernot Schilling for the bugreport.
+ (closes: #529527)
+ * talk about /dev/urandom instead of /dev/random in crypttab manpage.
+ (closes: #537344)
+ * check for $IGNORE before check_key() in handle_crypttab_line_start()
+ * rewrite error code handling:
+ - return 1 for errors in handle_crypttab_line_{start|stop}
+ - handle_crypttab_line_... || true needed due to set -e in initscript
+ - check for exit code of handle_crypttab_line_{start<stop} in
+ cryptdisks_{start|stop}, exit with proper status code (closes: #524173)
+ * add a counter to the while loop in cryptdisks_{start|stop}, in order to
+ detect if $dst was not found in crypttab. (closes: #524485)
+ * check for keyscript in the new location in initramfs/cryptopensc-hook.
+ * add README.opensc to docs, thanks to Benjamin Kiessling for writing it.
+ (closes: #514538)
+ * add patches/03_rework_read.patch [rework write_blockwise() and
+ read_blockwise()], but don't apply it yet as it's still experimental.
+ applying it will increase the speed of luksOpen.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 30 Jul 2009 17:41:16 +0200
+
+cryptsetup (2:1.0.7~rc1-2) unstable; urgency=low
+
+ * flag the root device with rootdev option at /conf/conf.d/cryptroot in
+ initramfs hook, check for that flag before adding ROOT=$NEWROOT to
+ /conf/param.conf in initramfs script. that should prevent the initramfs
+ script from adding ROOT=$NEWROOT for resume devices. (closes: #535801)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 15 Jul 2009 11:44:45 +0200
+
+cryptsetup (2:1.0.7~rc1-1) unstable; urgency=low
+
+ * new upstream release candidate, highlights include:
+ - use better error messages if device doesn't exist or is already used by
+ other mapping (closes: #492926)
+ - check device size when loading LUKS header
+ - add some error hint if dm-crypt mapping failed (key size and kernel
+ version check for XTS and LRW mode for now) (closes: #494584)
+ - display device name when asking for password
+ - retain readahead of underlying device, if devmapper version supports it
+ - set UUID in device-mapper for LUKS devices
+ - define device-mapper crypt UUID maximal length and check for its size
+ - add some checks for error codes, fixes warning: ignoring return value...
+ - update LUKS homepage in manpage to code.google.com/p/cryptsetup
+ * patches/01_fix_make_distclean.patch: removed, incorporated upstream
+ * patches/02_manpage.patch: updated, mostly incorporated upstream
+ * remove invokation of ./setup-gettext.sh from debian/rules.
+ * set $PATH in checks/xfs. Required to make /usr/sbin/xfs_admin work at early
+ boot stage. Thanks to Stefan Bender. (closes: #525118)
+ * update path to docbook-xsl stylesheet in debian/rules to
+ /usr/share/xml/docbook/stylesheet/docbook-xsl/. Add versioned build-depends
+ to docbook-xsl (>= 1.74.3+dfsg) for that reason.
+ * fix bashisms in scripts/decrypt_opensc, thanks to Raphael Geissert.
+ (closes: #530060)
+ * fix UUID and LABEL handling for cryptroot, thanks to Kees Cook and ubuntu.
+ (closes: #522041)
+ * add ROOT=$NEWROOT to /conf/param.conf in cryptroot initramfs script. This
+ is required for lilo to find the correct root device. Thanks to Pyotr
+ Berezhkov and Christian Schaarschmidt. (closes: #511447, #511840)
+ * replace mini autogen.sh with autoreconf in debian/rules. Thanks to Bastian
+ Kleineidam. (closes: #522798)
+ * support escaped newlines in askpass.c, thanks to Kees Cook and ubuntu.
+ (closes: #528133)
+ * use the same passphrase prompt in init script and initramfs script
+ * mention the incoherent behaviour of cryptsetup create/luksOpen with invalid
+ passwords/keys in cryptsetup manpage. (closes: #529359)
+ * bump standards-version to 3.8.2, no changes required.
+ * add 'X-Interactive: true' LSB-header to initscripts.
+ * fix bash_completion script to use 'command ls'. that way it now works with
+ aliased ls as well. thanks to Daniel Dehennin. (closes: #535351)
+
+ -- Jonas Meurer <mejo@debian.org> Sat, 04 Jul 2009 15:52:06 +0200
+
+cryptsetup (2:1.0.6+20090405.svn49-1) unstable; urgency=low
+
+ * New upstream svn snapshot. Highlights include:
+ - Uses remapping to error target instead of calling udevsettle for
+ temporary crypt device. (closes: #514729, #498964, #521547)
+ - Removes lots of autoconf stuff as it's generated by autogen.sh anyway.
+ - Uses autopoint in build process, thus needs to Build-Depend on cvs.
+ - Fixes signal handler to proper close device.
+ - Wipes start of device before LUKS-formatting.
+ - Allows deletion of key slot with it's own key. (closes: #513596)
+ - Checks device mapper communication and gives proper error message in
+ case the communication fails. (closes: #507727)
+ * Update debian patches accordingly:
+ - Remove obsolete patches 01_gettext_package and 03_check_for_root
+ - Update patch 02_manpage
+ * Add missing newlines to some error messages in passdev.c. Thanks to
+ Christoph Anton Mitterer for bugreport and patch. (closes: #509067)
+ * Move keyscripts in initramfs from /keyscripts to /lib/cryptsetup/scripts
+ for the sake of consistency between initramfs and normal system. Document
+ this change in NEWS.Debian. (closes: #509066)
+ * Fix $LOUD in cryptdisks.init and cryptdisks.functions to take effect. Add
+ LOUD="yes" to cryptdisks_start. (closes: #513149)
+ * cryptdisks_{start,stop}: print error message if no entry is found in
+ crypttab for the given name.
+ * Actually fix watchfile to work with code.google.com.
+ * Update Homepage field to code.google.com URL. (closes: #516236)
+ * Fix location of ltmain.sh, build-depend on versioned libtool.
+ (closes: #521673, #522338)
+ * Some minor changes to make lintian happy:
+ - use set -e instead of /bin/sh -e in preinst.
+ - link to GPL v2 in debian/copyright
+ * Bump standards-version to 3.8.1, no changes needed.
+ * Fix a typo in NEWS.Debian. (closes: #522387)
+ * Taken from ubuntu:
+ - debian/checks/un_vol_id: dynamically build the "unknown volume type"
+ string, to allow for encrypted swap, (closes: #521789, #521469). Fix
+ sed to replace '/' with '\/' instead of '\\/' in device names.
+ - disable error message 'failed to setup lvm device' (LP 151532).
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 06 Apr 2009 08:49:14 +0200
+
+cryptsetup (2:1.0.6-7) unstable; urgency=medium
+
+ * Add patches/01_gettext_package.patch: Remove -luks from GETTEXT_PACKAGE
+ in configure.in.
+ * Support keyfiles option in bash completion. Thanks to Stefan Goebel for
+ the patch. (closes: #499936)
+ * Update patches/02_manpage.patch: Fix the documnetation of default cipher
+ for LUKS mappings. (closes: #495832)
+ * Update debian/watch file to reflect the move of project home to
+ code.google.com.
+ * Check for $CRYPTDISKS_ENABLE in cryptdisks initscripts instead of
+ cryptdisks.functions. This way, cryptdisks_start/stop work even with
+ $CRYPTDISKS_ENABLE != "yes". Thanks to Pietro Abate. (closes: #506643)
+ * Add force-start to cryptdisks(-early).init in order to support starting
+ noauto devices manually. Thanks to Niccolo Rigacci. (closes: #505779)
+ * Document how to enable remote device unlocking via dropbear ssh server
+ in the initramfs during boot process. Thanks to Chris <debian@x.ray.net>
+ for the great work. (closes: #465902)
+ * Completely remove support and documentation of the timeout option,
+ document this in NEWS.Debian. (closes: #495509, #474120)
+ * Use exit instead of return in decrypt_ssl keyscript. Thanks to Rene Wagner.
+ (closes: #499704)
+ * Fix initramfs/cryptpassdev-hook to check for passdev instead of mountdev.
+ Thanks to Christoph Anton Mitterer.
+ * cryptdisks.functions:
+ - Search for keyscript in /lib/cryptdisks/scripts. the cryptoroot initramfs
+ script already supports keyscripts without path as argument. Thanks to
+ Christoph Anton Mitterer.
+ * README.initramfs:
+ - Remove the mention of bug #398302 from the section about suspend/resume,
+ as this bug has been fixes for some time now.
+ - Remove step 6 (mkswap) from the section about decrypt_derived, as it was
+ superfluous. Thanks to Helmut Grohe. (closes: #491867)
+ * Fix initramfs/cryptroot-script to use the lvm binary instead of vgchange.
+ Thanks to Marc Haber. (closes: #506536)
+ * Make get_lvm_deps() recursive in initramfs/cryptroot-hook. This is required
+ to detect the dm-crypt device in setups with more than one level of device
+ mapper mappings. For example if LVM is used with snapshots on top of the
+ dm-crypt mapping. Thanks to Christian Jaeger for bugreport and patch, Ben
+ Hutchings and Yves-Alexis Perez for help with debugging. (closes: #507721)
+ * urgency=medium due to several important fixes.
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 17 Dec 2008 21:25:45 +0100
+
+cryptsetup (2:1.0.6-6) unstable; urgency=high
+
+ * Don't cat keyfile into pipe for do_noluks(). cryptsetup handles
+ --key-file=- different for luks and plain dm-crypt mappings. This time
+ really (closes: #493848). Thus again upload with urgency=high.
+
+ -- Jonas Meurer <mejo@debian.org> Sat, 09 Aug 2008 13:36:31 +0200
+
+cryptsetup (2:1.0.6-5) unstable; urgency=high
+
+ * Fix watch file to not report -pre and -rc releases as superior.
+ * Remove the global var $SIZE from cryptdisks.functions again but keep the
+ extended value checks.
+ * Remove the udev rules file also in preinst, code taken from example at
+ http://wiki.debian.org/DpkgConffileHandling. Thanks Marco d'Itri.
+ (closes: #493151)
+ * Remove duplicated configuration of --key-file in $PARAMS at do_noluks().
+ (closes: #493848).
+ * Invoke mount_fs() and umount_fs() in cryptdisks_start, add
+ log_action_begin_msg() and log_action_end_msg() to both cryptdisk_start
+ and cryptdisks_stop.
+ * Copy fd 3 code from do_start and do_stop to cryptdisks_start and
+ cryptdisks_stop to fix "keyscript | cryptsetup". (closes: #493622)
+ * This upload fixes two RC bugs, thus upload with severity=high.
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 06 Aug 2008 10:19:21 +0200
+
+cryptsetup (2:1.0.6-4) unstable; urgency=medium
+
+ [ David Härdeman ]
+ * Make sure $IGNORE is reset as necessary, patch by Thomas Luzat
+ <thomas@luzat.com> (closes: #490199)
+ * Use askpass in init scripts as well (closes: #489033, #477203)
+
+ [ Jonas Meurer ]
+ * Don't copy_exec libgcc1 in cryptopensc initramfs hook, as it's already
+ copied by copy_exec /usr/sbin/pcscd automaticly. Thanks to Evgeni Golov
+ <sargentd@die-welt.net>. (closes: #490300)
+ * Remove the udev rules file again as the relevant rules are now provided
+ by dmsetup package which cryptsetup depends on.
+ * Add splashy support to askpass, thanks to John Hughes <john@calva.com>
+ for the patch. (closes: #492451) The support is limited to cryptroot
+ though, as splashy freezes for passphrase input dialogs from initscripts.
+ Document that in README.Debian.
+ * Now that askpass is used as keyscript for interactive mode, it's not
+ necessary to set cryptsetup parameter '--tries=$TRIES' and TRIES=1 for
+ interactive mode anymore in cryptdisks.functions.
+ * Implement special treatment for random passphrases now that we use
+ "--key-file=-" for all situations. Only necessary in do_noluks.
+ * Fix the passphrase prompt string in initramfs/cryptroot.script to use
+ $cryptsource instead of $cryptsources.
+ * Major documentation cleanup for lenny:
+ - Rewrite CryptoSwap.HowTo in README.Debian, remove CryptoSwap.HowTo.
+ - Refer to README.initramfs instead of CryptoRoot.HowTo for encrypted root
+ filesystem in README.Debian.
+ - Remove outdated docs CryptoRoot.HowTo, usbcrypto.udev and gen-old-ssl-key
+ as well as the decrypt_old_ssl keyscript.
+ - Remove debian/TODO, didn't have any useful content anyway.
+ - Fix section ''9. The "decrypt_derived" keyscript'': Add swap option to
+ the example line for crypttab and other minor fixes. Thanks to
+ Helmut Grohne <helmut@subdivi.de>. (closes: #491867)
+ * urgency=medium since important (#492451) and security (#477203) bugs get
+ fixed by this upload.
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 28 Jul 2008 00:21:44 +0200
+
+cryptsetup (2:1.0.6-3) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * Fix cryptdisks.functions to actually recognize the noauto option. Thanks
+ to Christian Pernegger <pernegger@gmail.com> (closes: #483882)
+ * Update patches/02_manpage.patch:
+ - fixes two more typos, thanks to and Era Eriksson <era@iki.fi> for the
+ patch, and Bruno Barrera Yever <bbyever@gmail.com> for forwarding it
+ to the bts (closes: #476624)
+ - removes a duplicate sentence
+ * Rephrase "Enter password for $crypttarget" to "Enter password to unlock
+ the disk $cryptsource ($crypttarget)" in initramfs/cryptroot.script.
+ * Bump Standards-Version to 3.8.0:
+ - Add a README.source which references /usr/share/doc/quilt/README.source.
+ - Add support for debian build option parallel=n to debian/rules.
+ * Add a udev rules file to ignore temporary-cryptsetup-* devices, as
+ suggested in bug #467200. Thanks to Sam Morris <sam@robots.org.uk>.
+ * Transform debian/copyright into machine-readable code as proposed in
+ http://wiki.debian.org/Proposals/CopyrightFormat. Update and add several
+ copyright notices.
+ * Change reference to docbook xml v4.2 driver file from an online version
+ to a local one in the manpage files, as the build process should not
+ depend on internet access. Add docbook-xml to build-depends. Thanks to
+ Lucas Nussbaum <lucas@lucas-nussbaum.net>. (closes: #487056)
+
+ [ David Härdeman ]
+ * Hopefully fix askpass to properly handle console and usplash input
+ (closes: #477203)
+ * Clarify crypttab manpage (closes: #487246)
+ * Make regex work if keyfile has extended attributes,
+ https://launchpad.net/bugs/231339 (closes: #488131)
+ * Support comments in options part of crypttab (closes: #488128)
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 07 Jul 2008 00:30:07 +0200
+
+cryptsetup (2:1.0.6-2) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * Taken from ubuntu:
+ - debian/scripts/luksformat: Use 256 bit key size by default. (LP: #78508)
+ - debian/patches/02_manpage.patch: Clarify default key sizes (128 for
+ luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508)
+ * Use 'shred -uz' instead of 'rm -r' to remove a tempfile that contains a
+ key in gen-ssl-key example script.
+
+ [ David Härdeman ]
+ * Misc bugfixes to askpass, make sure it is installed to the correct
+ location and is built using pedantic mode.
+ * Change the initramfs script to use askpass to prompt for
+ passphrases, this should hopefully fix #382375 and #465902 once it
+ is enabled in the init scripts as well.
+ * Add a keyscript called passdev which allows a keyfile to be
+ retrieved from a device which is first mounted, mainly useful to get
+ keyfiles off USB devices etc.
+ * Unbreak MODULES=dep booting (closes: #478268)
+ * Relax checks for suspend devices a bit (closes: #477658)
+ * Convert man pages to docbook.
+
+ -- David Härdeman <david@hardeman.nu> Mon, 26 May 2008 08:12:32 +0200
+
+cryptsetup (2:1.0.6-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * new upstream release
+ - reload option is depreciated and a warning is printed. (closes: #428288)
+ * convert patch system from dpatch to quilt.
+ * enhance the information regarding the default hash setting in NEWS.Debian.
+ Thanks to Ross Boylan <ross@biostat.ucsf.edu>.
+ * change author of keyslot patch to Marc Merlin in changelog, thanks to
+ U. Kuehn for raising that issue.
+ * doing some debian/rules redesign and cleanup, speeds up the build process.
+ * ignore devices with the noauto option early enough to prevent any checks
+ on them. Thanks to Joachim Breitner <nomeata@debian.org> (closes: #464672)
+ * update debian/copyright to actually mention copyright, thanks lintian.
+ * change script=$(basename $req) to script=${req##*/} in initramfs cryptroot
+ script. Thanks to Adeodato Simó <dato@net.com.org.es>. (closes: #466240)
+ * change test ... -a ... to [ ... ] && [ ... ] in the check scripts.
+ * add support for tries option to initramfs scripts. Thanks to Helmut Grohne
+ <helmut@subdivi.de>. (closes: #430158, #469869) Use --tries=1 for
+ cryptsetup in the initramfs script. Document the difference between
+ initscript and initramfs for tries=0 in the crypttab manpage.
+ * add, build and install askpass.c, a helper program by David Härdeman. The
+ idea is to use it for passphrase prompt in the initramfs script.
+
+ [ David Härdeman ]
+ * Work with LABEL=, UUID= and symlinks in /etc/fstab (closes: #466175)
+ * Improve module loading in initramfs hook so that the newer as well
+ as arch specific crypto drivers are taken into consideration
+ (closes: #464673)
+ * Depend on race-free version of libdevmapper, thus making udevsettle
+ call from cryptsetup binary unnecessary. Also change call to
+ udevsettle in initramfs script (which is still useful as it related
+ to the source device) to optionally use udevadm if present (closes:
+ #456326).
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 31 Mar 2008 15:58:35 +0200
+
+cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low
+
+ * New upstream svn snapshot:
+ - Adds typo fixes by Justin Pryzby <jpryzby+d@quoininc.com> to cryptsetup.8
+ manpage.
+ - Mentions luksKillSlot in the manpage. Thanks to Alexander Heinlein
+ <alexander.heinlein@web.de>. (closes: #459206)
+ - Adds the patch by Marc Merlin <marc_www@merlins.org> to support explicit
+ key slots for luksFormat and luksAddKey. Thanks to U. Kuehn, who figured
+ out that this patch wasn't applied even though changelog said so.
+ - Supports adding new keys to active devices again. Thanks to Tobias Frost
+ <tobi@coldtobi.de> for the bugreport. (closes: #460409)
+ * Add support for a custom filesystem for /tmp. Patch provided by
+ Hans-Peter Oeri <hp@oeri.ch>.
+ * Add X-Start-Before headers to cryptdisks and cryptdisks-early initscripts.
+ Thanks to Petter Reinholdtsen <pere@debian.org> for report and patch.
+ (closes: #458944)
+ * Add support for a noauto option to cryptdisks. Thanks to U Kuehn
+ <ukuehn@acm.org> for the idea.
+ * Add typo fixes by Justin Pryzby <jpryzby+d@quoininc.com> to crypttab.5
+ manpage. (closes: #460994)
+ * Add a cryptdisks_stop script, corresponding to cryptdisks_start. Thanks to
+ Joachim Breitner <nomeata@debian.org> for the idea. (closes: #459832)
+ * Change log_progress_msg to log_action_msg in cryptdisks.functions. That
+ way a newline is printed after the start of every device. Thanks to Frans
+ Pop <elendil@planet.nl> for the bugreport. (closes: #461548)
+ * Add bash_completition script provided by Kevin Locke <kwl7@cornell.edu>.
+ (closes: #423591)
+ * Fix a spelling error in the package description: linux -> Linux.
+ * Fix bashisms in cryptdisks_{start,stop} found by Raphael Geissert
+ <atomo64+debian@gmail.com>.
+ * Change the default hash in initramfs scripts from sha256 to ripemd160 for
+ consistency with cryptsetup default. Add information about that to
+ NEWS.Debian. Thanks to martin f krafft <madduck@debian.org>.
+ (closes: #406317)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 30 Jan 2008 09:01:52 +0100
+
+cryptsetup (2:1.0.6~pre1-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * New upstream alpha release 1.0.6~pre1:
+ - [01_crypt_luksFormat_libcryptsetup.dpatch] removed, applied upstream
+ - [02_manpage.dpatch] likewise
+ - [04_fix_unused_or_unitialized_variables.dpatch] likewise
+ - [05_segfault_at_nonexisting_device.dpatch] likewise
+ - [06_run_udevsettle.dpatch] update for new upstream
+ * Disable 03_check_for_root.dpatch. As Ludwig Nussel mentioned on
+ dm-crypt@saout.de, cryptsetup 1.0.5 already prints out meaningfull errors
+ if expected permissions are not available. Therefore the check for uid ==
+ 0 is superfluous.
+ * [06_run_udevsettle.dpatch] Run udevsettle after device-mapper device
+ creation. Fixes issues with temporary device files in /dev/mapper. Patch
+ by Reinhard Tartler from Ubuntu. (closes: #444914)
+ * Add support for offset and skip options to cryptdisks/crypttab. Thanks to
+ Marc-Jano Knopp. (closes: #446674)
+ * Update the long description in debian/control. Don't mention kernel 2.6.4
+ any longer, remove references to /usr/share/doc/cryptsetup/CryptoRoot.HowTo
+ and mkinitrd.
+ * Add noearly option to cryptdisks/crypttab, which causes cryptdisks-early
+ to ignore the entry. Thanks to Joerg Jaspert (closes: #423102)
+ * Change log_progress_msg "$dst (started)" to device_msg "$dst" "started" in
+ cryptdisks.functions. Makes console output of cryptdisks more consistent.
+ * Add cryptdisks_start and patch to cryptdisks.functions by Jon Dowland.
+ Also add a manpage for cryptdisks_start(8). (closes: #447159)
+ * Add load_optimized_module() function to cryptdisks.functions. Initial idea
+ by Reinhard Tartler from Ubuntu, enhanced by David Härdeman.
+ (closes: #445186)
+ * Add support for UUID=.. device strings to initramfs cryptroot-hook. Thanks
+ to Reinhard Tartler from Ubuntu for the patch. (closes: #445189)
+ * Support UUID=... and LABEL=... device strings in /etc/crypttab. Thanks
+ to Martin Pitt from Ubuntu for the patch. (closes: #445189)
+ * Add Vcs-Browser and Vcs-Svn fields to debian/control.
+ * Fix debian/rules to not fail to build if autom4te.cache is left behind
+ from a previous incomplete build. Patch again taken from Ubuntu.
+ * Mention in the crypttab manpage that files are allowed as source. In that
+ case they are mounted as loopback device automatically. Thanks to
+ Michal Cihar (closes: #451909)
+ * At stopping dm-crypt devices really remove the corresponding loopback
+ device if one has been used. Thanks to Rene Pavlik for report and to David
+ Härdeman, who had the idea for the fix. (closes: #451916)
+ * Also remove loopback devices if the cryptsetup device setup fails.
+ * Document a possible deadlock if cryptsetup is invoked as a 'run programm'
+ in a udev role. This i related to the invokation of udevsettle in
+ cryptsetup. Thanks to Dick Middleton for reporting and debugging.
+ (closes: #444914)
+ * Move umount_fs() from handle_crypttab_line() to the end of do_start().
+ * Bump Standards-Version to 3.7.3.0. No changes needed.
+ * Remove unused litian-override file
+ * Remove --build $(DEB_BUILD_GNU_TYPE) and --host $(DEB_HOST_GNU_TYPE) from
+ invocation of ./configure, as they are already included in $(confflags).
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 06 Dec 2007 15:56:05 +0100
+
+cryptsetup (2:1.0.5-2) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * Add libselinux1-dev and libsepol1-dev to build-depends. Detected by
+ the build daemon from hell by Steinar H. Gunderson. Thanks to Manoj
+ Srivastava for advice.
+ * Fix the watchfile
+ * Fix cryptopensc-hook to honor key=none. Thanks to Daniel Baumann
+ (closes: #436434)
+ * Remove outdated README.html and example usbcrypto.* scripts from
+ documentation. Add example usbcrypto.udev script. Thanks to Volker Sauer
+ for the update. (closes: #409775)
+ * Document that stdin is read different with '--key-file=-' than without.
+ Thanks to Marc Haber. (closes: #418450)
+ * Document that --timeout is useless in conjunction with --key-file. Thanks
+ Alexander Zangerl. (closes: #421693)
+ * [03_check_for_root.dpatch] Check for UID == 0 before actually doing
+ something. Thanks to Benjamin Seidenberg. (closes: #401766)
+ * [04_fix_unused_or_unitialized_variables.dpatch] Fix some gcc warnings
+ about unused or unitialized variables. Thanks to Ludwig Nussel for the
+ patch.
+ * [05_segfault_at_nonexisting_device.dpatch] Fix segfault when trying to
+ open a non existing device. Thanks to Ludwig Nussel for the patch.
+ (closes: #438198)
+ * Add CFLAGS="$(CFLAGS)" before ./configure invocation in debian/rules.
+ This way CFLAGS are passed to the configure script. Thanks to Gordon
+ Farquharson for the patch. (closes: #438450)
+ * Add a warning about missing hash option in crypttab to initramfs
+ cryptoroot hook. Thanks to Sebastian Leske for the patch.
+ (closes: #438169)
+ * Add support for openct using data objects on a smartcard as key. Thanks to
+ Daniel Baumann <baumann@swiss-it.ch> for patch and documentation.
+ (closes: #438473)
+ * Polish opensc_decrypt and openct_decrypt.
+ * Add initramfs patch by maximilian attems. Bump depends on initramfs-tools
+ to (>= 0.91). (closes: #441428)
+ * several cleanups to make lintian happy:
+ - remove #!/bin/sh from cryptsetup.functions as it is not executable.
+ - remove unused-override configure-generated-file-in-source config.log.
+ - add some hyphen fixes to patches/02_manpage.dpatch
+ * Filter out the detection of filesystem type 'minix' in checks vol_id and
+ un_vol_id if checking for any valid filesystem. The minix fs signature
+ seems short enough to be detected erroneously by /lib/udev/vol_id.
+ Thanks to Fredrik Olofsson and arno for the bugreport. (closes: #411784)
+ * Add Homepage field to debian/control.
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 24 Sep 2007 15:42:06 +0200
+
+cryptsetup (2:1.0.5-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * New upstream release, nearly identical to svn snapshot svn29.
+ * Fix watch file to use cryptsetup instead of cryptsetup-luks.
+ * Add 01_crypt_luksFormat_libcryptsetup.dpatch - rename luksInit to
+ luksFormat in libcryptsetup.h.
+ * Merge some ubuntu changes:
+ - make luksformat check if filesystem is already mounted to prevent a
+ strange error message.
+ - modprobe dm-mod in cryptsetup.functions.
+ - wait for udev to be settled in initramfs script.
+
+ [ David Härdeman ]
+ * Allow other crypto devices to be setup even if one fails.
+ (closes: #423100)
+ * Remove an incorrect warning in postinst.
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 27 Jul 2007 04:59:33 +0200
+
+cryptsetup (2:1.0.4+svn29-1) unstable; urgency=low
+
+ * New upstream svn snapshot with several bugfixes
+ - remove 01_tries_fix.dpatch, added upstream
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 02 May 2007 02:48:37 +0200
+
+cryptsetup (2:1.0.4+svn26-3) unstable; urgency=low
+
+ * Add cryptdevice name to prompt before actually starting it. Thanks
+ to Joerg Jaspert. (closes: #421803)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 02 May 2007 01:05:22 +0200
+
+cryptsetup (2:1.0.4+svn26-2) unstable; urgency=low
+
+ [ David Härdeman ]
+ * Fix typo in crypttab(5), the ext checkscript is called ext2, not
+ ext3. (closes: #410390)
+ * Use the initramfs-tools keymap support instead of our own (requires
+ initramfs-tools >= 0.87)
+ * Add support for usplash password prompt (closes: #397981)
+ * Remove the "ssl" and "gpg" options which are supported by keyscripts
+ since October 2006 (see NEWS for details).
+ * Spring cleaning of cryptdisks.functions, now supports multiple tries
+ for keyscripts and uses lsb logging. (closes: #420105, #383808)
+
+ [ Jonas Meurer ]
+ * Add 01_tries_fix.dpatch, makes the --tries commandline option work
+ again. (closes: #414326, #412064)
+ * Document the un_vol_id check script, remove the swap check script from
+ documentation. The swap check indeed is rather useless, thanks to Frank
+ Engler <bts.to.FrankEngler@spamgourmet.com>. The script itself is kept
+ for compability issues. (closes: #406837)
+ * Add smartcard keyscript and initramfs-tools hooks/scripts. This adds
+ support for disk encryption with smartcards, even for root disks.
+ Thanks a lot to Gerald Turner <gturner@unzane.com> for the patch and a
+ smartcard reader for testing this. (closes: #416528)
+ * update copyright file: change "program" to "package", and mention GPL
+ version 2. add a full disclaimer.
+ * Add "--showkeys" to the dmsetup invocation in decrypt_derived script.
+ (closes: #420399)
+ * Fixes in cryptdisks.functions:
+ - Don't suppress error messages at mount and unmount and don't break
+ if 'mount $point' fails.
+ - Fix handling of checks and prechecks, the vars somehow where mixed
+ - Really use $CHECKARGS if it's defined
+ - Rename "stopped" to "stopping" for devices which are shutdown at
+ 'cryptdisks stop' (show a difference to already stopped devices).
+
+ -- Jonas Meurer <mejo@debian.org> Sat, 28 Apr 2007 20:45:50 +0200
+
+cryptsetup (2:1.0.4+svn26-1) unstable; urgency=high
+
+ [ Jonas Meurer ]
+ * New upstream svn snapshot 1.0.4+svn26
+ - contains a slightly modified patch by Rob Walker
+ <rob@tenfoot.org.uk> to fix a sector size error. (closes: #403075)
+ - fixes a LUKS header corruption on arm, which downgrades bug
+ #403426 from critical to important.
+ - prevents password retrying with I/O errors.
+ * handle chainmode/essiv "plain" correctly in initramfs hook.
+ Thanks to Leonard Norrgard. (closes: #402417)
+ * remove 'rm -rf m4' from a clean target in debian/rules.
+ * urgency=high to get this into etch.
+
+ [ David Härdeman ]
+ * Document the difference in default hash functions between the
+ initramfs scripts and the plain cryptsetup binary. (closes: #398429)
+ * Verify symlinks for source devices when initramfs is generated and
+ correct if necessary. (closes: #405301)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 9 Jan 2007 21:53:06 +0100
+
+cryptsetup (2:1.0.4+svn16-2) unstable; urgency=high
+
+ [ David Härdeman ]
+ * Add cbc to standard list of modules. Thanks to Michael Olbrich
+ <michael.olbrich@gmx.net>. (closes: #401370)
+ * Fix support for crypto-on-evms. Thanks to Enrico Gatto
+ <cat@legnago.linux.it>. (closes: #402417)
+
+ [ Jonas Meurer ]
+ * urgency=high to get this into etch.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 14 Dec 2006 01:41:40 +0100
+
+cryptsetup (2:1.0.4+svn16-1) unstable; urgency=medium
+
+ [ David Härdeman ]
+ * Support adding separate blockcipher modules to initramfs image
+ (necessary for kernels >= 2.6.19)
+ * Hashing was previously not done correctly when decrypt_derived was used
+
+ [ Jonas Meurer ]
+ * Add new upstream patch 02_luks_var_keysize.dpatch. Cryptsetup no longer
+ segfaults with unsupported keysize. (closes: #381973)
+ * Urgency medium as we really want these fixes in etch.
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 28 Nov 2006 18:17:12 +0100
+
+cryptsetup (2:1.0.4-8) unstable; urgency=high
+
+ [ Jonas Meurer ]
+ * Add 'set -e' and 'if ...; then ... fi' to cryptdisks-early as well.
+
+ [ David Härdeman ]
+ * Make sure that a failed modprobe does not break with 'set -e'.
+ (closes: #398799)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 16 Nov 2006 16:59:35 +0100
+
+cryptsetup (2:1.0.4-7) unstable; urgency=low
+
+ [ David Härdeman ]
+ * Do not try to configure resume devices which we cant get the key for
+ and also try harder to find resume devices.
+ (closes: #397887, #397888)
+ * Kill some more bashisms.
+ * Only try three times per crypto device in initramfs scripts to avoid
+ unbootable systems if a swap partition can't be setup.
+ * Added decrypt_derived keyscript and improved documentation of latest
+ changes, see README.initramfs for details.
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 14 Nov 2006 16:27:51 +0100
+
+cryptsetup (2:1.0.4-6) unstable; urgency=high
+
+ [ David Härdeman ]
+ * Improve LVM dependency checks in initramfs hook. Thanks to Loïc
+ Minier <lool@dooz.org> for the patch. (closes: #397633, #397651)
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 9 Nov 2006 13:55:48 +0100
+
+cryptsetup (2:1.0.4-5) unstable; urgency=high
+
+ [ David Härdeman ]
+ * Make sure that duplicate entries in initramfs do not block the boot
+ (closes: #397454)
+ * Do not check for the presence of a key if the keyscript option is
+ set (closes: #397450)
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 7 Nov 2006 18:03:41 +0100
+
+cryptsetup (2:1.0.4-4) unstable; urgency=high
+
+ [ David Härdeman ]
+ * Readd and document the kernel boot argument "cryptopts" due to user
+ demand
+ * Implement support for multiple device setup in initramfs.
+ (closes: #394136, #382280)
+ * Remove bashisms. (closes: #396092)
+ * Fix FTBFS by altering dpatch so that it is applied to Makefile.in.in
+ before configure is executed. (closes: #396126)
+
+ [ Jonas Meurer ]
+ * Only warn for insecure keyfile mode/owner. Add some information about
+ insecure keys in README.Debian. (closes: #395357, #394134)
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 3 Nov 2006 02:22:49 +0100
+
+cryptsetup (2:1.0.4-3) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * Suggest dosfstools. Needed for the default settings in luksformat. Thanks
+ to Loïc Minier <lool@dooz.org>. (closes: #393473)
+ * Suggest initramfs-tools (>= 0.60) | linux-initramfs-tool as well.
+ * Still urgency=medium for the same reasons
+
+ [ David Härdeman ]
+ * Change the previous fix for #388871 to use the original patch from
+ Loïc Minier <lool@dooz.org>. This also removes the bogus UTF8 char.
+ (closes: #393895)
+
+ -- Jonas Meurer <mejo@debian.org> Wed, 18 Oct 2006 23:03:47 +0200
+
+cryptsetup (2:1.0.4-2) unstable; urgency=medium
+
+ [ Jonas Meurer ]
+ * Fix postinst, use 'elif [ -z $foo] || [ -z $bar ]; then ...'
+ * Fix a typo in cryptdisks.functions, change $opt to $opts for more
+ consistency with the postinst script.
+ * Fix mount_fs() in cryptdisks.functions to actually do what we want it to
+ do. Up to now, the initscript stopped if a mountpoint failed to mount.
+ * urgency=medium to get cryptsetup 1.0.4 into etch
+
+ -- Jonas Meurer <mejo@debian.org> Tue, 17 Oct 2006 16:16:02 +0200
+
+cryptsetup (2:1.0.4-1) unstable; urgency=low
+
+ [ David Härdeman ]
+ * Always update the current initramfs when a new version is installed
+ * Move the double-ssl decryption into a keyscript and change the ssl
+ option to use that script instead
+ * Move the gpg key decryption into a keyscript and change the gpg
+ option to use that script instead
+ * Clean up cryptdisks.functions
+ * Let initramfs-tools know that we need busybox in the initramfs image
+ * Fix bogus error message from initramfs hook, based on patch by
+ Loïc Minier <lool@dooz.org>. (closes: #388871)
+ * Remove the undocumented kernel boot argument "cryptopts"
+ * Always add some crypto modules/tools to the initramfs image unless
+ MODULES=dep. (closes: #389835)
+ * Update README.initramfs.
+ * Add checks and warnings that the ssl and gpg options are going away
+ in favour of the keyscript option
+ * Fix the decrypt_ssl script (closes: #390514)
+
+ [ Jonas Meurer ]
+ * New upstream release.
+ - [01_terminal_output.dpatch] removed, finally went upstream
+ - [02_docs_tries.dpatch] removed, went upstream
+ - [03_fix_build_error.dpatch] renamed to 01_fix_build_error.dpatch
+ * Fix SYNOPSIS in crypttab(5) manpage to show all arguments as mandatory.
+ Thanks to Michael Steinfurth.
+ * Check in postinst for entries with missing arguments in /etc/crypttab.
+ Warn is one is found. Thanks to Michael Steinfurth (closes: #388083)
+ * Fix pretest for encrypted swap. Allow unencrypted swap on the source
+ device. Thanks to Dennis Furey. (closes: #387158)
+ * Fix posttest for encrypted swap. Don't skip if a swap filesystem is found
+ on the target device. Thanks to Sam Couter. (closes: #385317)
+ * Use 'set -e' and 'if [ -r <file> ]; then ...; fi' in init script. Thanks
+ to Goswin Brederlow. (closes: #390354)
+ * change '... > &2' to ... >&2' in cryptdisks.functions
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 16 Oct 2006 19:22:41 +0200
+
+cryptsetup (2:1.0.4~rc2-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * Add some more german translations to de.po.
+ * Add a note to NEWS.Debian where the fix for #376393 is explained. thanks
+ to Robert Bihlmeyer for the report. (closes: #379719)
+ * Allow swap filesystems to be overwritten when the swap flag is set. thanks
+ to Raphaël Quinet for the report. (closes: #379771)
+ * Update to upstream 1.0.4-rc2. (closes: #378422, #379726, closes: #379723)
+ * removed patches 03-05, merged upstream.
+ * [01_terminal_output.dpatch] updated for new upstream.
+ * [02_docs_tries.dpatch] updated for new upstream, to fix luksDelKey
+ documentation and to give more information about the keysize.
+ (closes: #379084)
+
+ [ David Härdeman ]
+ * Make sure that README.initramfs is included in the package (closes
+ #380048)
+ * Replace panic calls in cryptsetup script with exit 1 to match the
+ behaviour of other scripts. The regular initramfs script will panic
+ later when root isn't detected anyway
+ * Make all four fields in crypttab mandatory (closes: #370180,
+ #376941)
+ * Add UTF8 keyboard input support to initramfs image (closes: #379737)
+ * Add a keyscript option (closes: #370302, #375913)
+ * [03_fix_build_error.dpatch] patch po/Makefile with more recent
+ gettext implementation.
+
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 4 Sep 2006 03:55:35 +0200
+
+cryptsetup (2:1.0.3-3) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * revert the change that for swap devices the vol_id check is run by
+ default. if the swap partition is encrypted with a random key, the check
+ will always fail. thanks to Mika Bostrom <bostik@bostik.iki.fi>
+ (closes: #371135, #371160, #377434)
+ * fix the vol_id checkscript to do what it's expected to do.
+ * add the un_vol_id checkscript, which does the reverse of vol_id.
+ * use 'check=un_vol_id, checkargs=swap' for swap devices per default.
+ * added do_close function to cryptdisks.functions, as do_swap needs to use
+ it. up to now, 'cryptsetup remove' was invoked regardless whether the
+ device contains a LUKS partition or not. this is fixed now too.
+ * allow custom check scripts. check only if $CHECK exists in
+ /lib/cryptsetup/checks/ and use the given value as full path otherwise.
+ * make precheck for no_luks mandatory, fail if any known filesystem is
+ found.
+ * update crypttab manpage to reflect the checksystem changes. added an own
+ section for check scripts. update the CheckSystem documentation.
+ * update and simplify the gen-ssl-key script, thanks to Markus Nass
+ <generalstone@gmx.net>
+ * move gen-ssl-key, decrypt_ssl and luksformat to debian/scripts in the
+ source.
+ * add new directory /lib/cryptsetup/scripts/ for key decryption scripts like
+ decrypt_ssl and decrypt_gpg.
+ * add 05_fix_pointer_and_int_comparison.dpatch, fixes compiler warnings on
+ 64bit architectures. Thanks to David Härdeman for the patch.
+ * revert the order of do_start and do_stop at 'cryptdisks restart'. thanks
+ to Hans Peter Wiedau <hpw@quelltext.com> for pointing out that silly typo.
+ (closes: #377591)
+
+ [ David Härdeman ]
+ * Support root-on-crypto-on-lvm in the initramfs scripts without
+ having to change the root variable (closes: #371846)
+ * If possible, load correct keymap in the initramfs image before any
+ password prompts (closes: #376393)
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 10 Jul 2006 20:01:02 +0200
+
+cryptsetup (2:1.0.3-2) unstable; urgency=low
+
+ [ David Härdeman ]
+ * Add patch by Arjan Oosting <arjanoosting@home.nl) for lvm-on-cryptroot
+ in initramfs scripts (closes: #362564)
+
+ [ Jonas Meurer ]
+ * install luksformat to /usr/sbin, as it depends on perl (closes: #369923)
+ * use essiv cipher in luksformat, debian 2.6.16 kernels have essiv support
+ compiled in (closes: #369878)
+ * fix cryptsetup output, patch by David Härdeman <david@2gen.com>
+ (closes: #369575)
+ * add new check 'vol_id', which uses /lib/udev/vol_id from udev and supports
+ checks for any known filesystem type. implement a new option checkargs in
+ cryptdisks for that. suggest udev. closes one half of #370302. thanks to
+ Markus Nass and Darvid Härdeman for the suggestion.
+ * always check for a swap partition before running mkswap
+ * updated README.Debian, Checksystem.Doc and crypttab.5.txt accordingly.
+ * drop usage of strings from swap check, as it is in /usr/bin. thanks to
+ Markus Nass.
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 5 Jun 2006 18:27:07 +0200
+
+cryptsetup (2:1.0.3-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * new upstream release, 1.0.3 final
+ - Add alignPayload patch by Peter Palfrader (closes: #358388)
+ - meaningful exitcodes and password retrying by Johannes Weißl
+ (closes: #359277)
+ * add 01_terminal_timeout.dpatch from Andres Salomon <dilinger@debian.org>.
+ - gets rid of getpass(), which is obsolete according to manpage
+ - restores the terminal state before doing the timeout (closes: #364153)
+ * add 02_docs_tries.dpatch, to describe --tries in the cryptsetup manpage.
+ * add 03_stdin_input.dpatch from David Härdeman <david@2gen.com>,
+ fixes input from stdin, accepts input with more than 32 characters
+ (closes: #364529, #365333)
+ * add 04_status_exit_codes.dpatch from David Härdeman <david@2gen.com>,
+ fixes the exit codes of 'cryptsetup status'
+ * provide a cryptsetup-udeb package (closes: #358422)
+ * remove debian/luksformat.8 in clean target (closes: #358386)
+ * fix update-rc.d arguments to start cryptdisks in rc0 and rc6.
+ it is not really started [but stopped], but still the links need to be
+ named S48cryptdisks. otherwise it will be invoked before umountfs.
+ * add initramfs cryptroot functionality, thanks to David Härdeman
+ <david@2gen.com> for the patch (closes: #358452)
+ * rename /lib/cryptsetup/init_functions to cryptdisks.functions
+ * move most of /etc/init.d/cryptdisks to cryptdisks.functions.
+ /etc/init.d/cryptdisks now does not much more than importing
+ cryptdisks.functions. required for running two seperate cryptdisks
+ initscripts.
+ * split the cryptdisks initscript into cryptdisks-early and cryptdisks.
+ actually both scripts do the same except having slightly different output.
+ the early script is run before lvm/evms/... are started, and the other one
+ after they are started. (closes: #363007)
+ * add support for mount to cryptdisks. this makes it possible to use
+ keyfiles from removable media. see the crypttab.5 manpage for more
+ information.
+ * use upstream cryptsetup tries option instead of the shell code in
+ cryptdisks. rename cryptdisks 'retry' option to 'tries'.
+ * document the fact, that the default settings in /etc/default/cryptdisks
+ take only effect if the relevant option is set without a value in
+ crypttab. add the environment section to crypttab.5.txt (closes: #364203)
+ * update the TODO list.
+ * update crypdisks.default
+ * run do_swap and do_tmp. Thanks to Riku Voipio <riku.voipio@iki.fi>
+ (closes: #365633)
+ * bump Standards-Version to 3.7.2.0, no changes needed
+
+ [ David Härdeman ]
+ * add lvm capabilities to initramfs scripts (closes: #362564)
+ * add cryptsetup.postinst which executes update-initramfs when
+ cryptsetup is first installed (not on upgrades)
+
+ -- Jonas Meurer <mejo@debian.org> Sat, 13 May 2006 19:45:08 +0200
+
+cryptsetup (2:1.0.2+1.0.3-rc3-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * new upstream release candidate:
+ - fixes sector size of the temporary mapping (closes: #355156)
+ - more verbose error logging (closes: #353755, #356288, #258376)
+ - upstream accepted my patches to the manpage
+ * fixed spelling error in README.Debian
+ * removed debian/cryptsetup.sgml, outdated
+ * ran ispell against doc files in debian/, fixed many typos
+ * change /usr/share/cryptsetup to /lib/cryptsetup in crypttab.5.txt
+ (closes: #354910)
+ * add --build (and maybe even --host) to configure flags, for
+ cross-compiling
+ * remove debian/luksformat.8 in clean target
+ * fix bashism in cryptdisks. thanks to Michal Politowski
+ <mpol@charybda.icm.edu.pl> (closes: #356484)
+ * add support for openssl encrypted keys, based on a patch by General Stone
+ <generalstone@gmx.net> (closes: #350615)
+ * add some code to support gnupg encrypted keys, some parts are missing.
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 17 Mar 2006 00:42:41 +0100
+
+cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * new upstream version 1.0.3-rc2, fixing issues with devmapper
+ * new upstream version 1.0.3-rc1, doesn't use essiv per default
+ * new upstream version (1.0.2) released
+ - add --timeout option for interactive usage
+ - add --batch-mode option to suppress input verifications
+ * install local cryptsetup.8 copy instead of the upstream manpage
+ - mention --readonly as possible option to luksOpen (closes: #353753)
+ - mention --batch-mode, --timeout, --version
+ - transform remaining option hyphens from '-' to '\-'
+ * merged ubuntu patches:
+ - modify cryptdisks init script to use lsb functions
+ - add luksformat and a manpage
+ * removed postinst and postrm, empty scripts
+ * added a README.Debian and a TODO
+ * added a NEWS file for Debian, and explain both the upstream transition
+ from plain cryptsetup to cryptsetup-luks, and the check options for
+ crypttab.
+ * install manpages using dh_installman, not with install
+ * updated CryptoRoot.HowTo, mention /etc/mkinitrd/modules and different
+ linux-image versions. (closes: #344867)
+ * removed needless debian/hack
+ * added debian/watch
+ * bumped debhelper compat level to 5, add versioned depends on
+ debhelper (>> 5.0.0)
+ * update debian/cryptsetup.8 to mention batch-mode and timeout
+ * updated cryptdisks
+ - modify init script to use lsb functions, at least where possible
+ - updated comments for cryptdisks.default
+ - moved option parsing and setup of loopback devices to seperate functions.
+ added a new include file /lib/cryptsetup/init_functions with functions
+ parse_opts, lo_setup, check_key, do_luks, do_noluks, do_swap, do_tmp
+ - always check for the source device exists before running cryptsetup
+ - hardcode precheck for LUKS to use 'cryptsetup isLuks'. this is much safer
+ than allowing other random prechecks, as it manifests that the source
+ device actually is a LUKS partition.
+ - don't remove the LUKS device when postcheck fails, as the supplied
+ password/key is correct anyway.
+ - use the new 'timeout' commandline option of cryptsetup instead of an
+ external wrapper
+ - be silent for not existing devices per default. Implement the loud
+ option for crypttab to warn if a device does not exist.
+ - remerge postchecks and prechecks into checks.
+ - don't disable swap & luks combination, instead disable luks with
+ /dev/random, /dev/urandom or /dev/hwrandom as key.
+ - run parse_opts before check_key, to know whether we use luks or not
+
+ [ Michael Gebetsroither ]
+ * converted crypttab.sgml to asciidoc
+ * added dependencies for asciidoc to manpage conversion
+ * added developer documentation for a robust checksystem into cryptdisks
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 26 Feb 2006 20:04:49 +0100
+
+cryptsetup (2:1.0.1-16) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * already fixed in 2:1.0.1-14: binaries xor and delay from
+ usbcrypto.mkinitrd don't exist in debian. replaces with a perl script
+ and /bin/sleep. thanks to wesley terpstra for the help.
+ (closes: #324353)
+ * clean cryptdisks from bashisms (closes: #350360)
+ * check for /usr/bin/timeout before using it in cryptdisks. First, it's
+ only available when /usr is mounted, and that is not definitive when
+ cryptdisks is run at boot time. Second, timeout is a non-essential
+ debian package, and not neccecarily installed. The usage of
+ /usr/bin/timeout in any case is only a temporary workaround.
+ * move /usr/share/cryptsetup to /lib/cryptsetup, as the checks need to be
+ available at boot time, before local filesystems (like i.e. /usr) are
+ mounted.
+ * replace RETRY=`expr $RETRY - 1` with RETRY=$(($RETRY-1)), as expr is in
+ /usr/bin.
+ * install init.d script and default file with dh_installinit
+ (closes: #350548)
+ * don't build-depend on cvs
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 30 Jan 2006 17:54:50 +0100
+
+cryptsetup (2:1.0.1-15) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * rebuilt with -sa, to include the sources into upload
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 27 Jan 2006 18:18:46 +0100
+
+cryptsetup (2:1.0.1-14) unstable; urgency=low
+
+ [ Jonas Meurer ]
+ * added a configurable timeout option for interactive password
+ prompt. set the default timeout to 180 seconds in
+ /etc/default/cryptdisks, and documented the crypttab option in
+ the crypttab manpage. (closes: #328961)
+ * fixed the default "precheck" and "postcheck" options, currently
+ no useful precheck exists, so no default here.
+ * removed the dummy cryptsetup-luks package, ftpmaster complains
+ about it.
+
+ [ Michael Gebetsroither ]
+ * make small fixes to CryptoSwap.HowTo
+ * added postcheck for swap (closes: #342079)
+
+ -- Jonas Meurer <mejo@debian.org> Fri, 27 Jan 2006 12:59:10 +0100
+
+cryptsetup (2:1.0.1-13) unstable; urgency=low
+
+ * split the "check" in a "precheck" and a "postcheck" option
+ - adds the possibility to check the source device before creating the
+ decrypted target device, useful for things like swap.
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 21:24:06 +0100
+
+cryptsetup (2:1.0.1-12) unstable; urgency=low
+
+ * correctly parse options in cryptdisks (closes: #304399)
+ * remove the moduledir /usr/lib/cryptsetup from the deb, it's
+ empty anyway (closes: #334648)
+ * replace /usr/local/bin/delay with /bin/sleep in usbcrypto.mkinitrd
+ * cosmetical changes to /etc/crypttab
+ * add "check" and "retry" options to cryptdisks script,
+ thanks to A Mennucc <debdev@mennucci.sns.it>. (closes: #290626)
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 19:46:18 +0100
+
+cryptsetup (2:1.0.1-11) unstable; urgency=low
+
+ * include sources although the debian revision is not -1
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 16:35:12 +0100
+
+cryptsetup (2:1.0.1-10) unstable; urgency=low
+
+ * introduce an epoch to make upgrade happen
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 09:02:47 +0100
+
+cryptsetup (1.0.1-9) unstable; urgency=low
+
+ * rename the package to cryptsetup, provide a dummy cryptsetup-luks package
+ * initial upload to debian
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 08:06:25 +0100
+
+cryptsetup-luks (1.0.1-8) unstable; urgency=low
+
+ * use upstream tarball as orig.tar.gz and keep debian changes in diff.gz
+ * change to use dpatch
+ * adjust build environment to work with upstream sources, and without
+ autogen.sh
+ * merge fixes for debian scripts from cryptsetup.
+ * keep cryptsetup manpage untouched, as merging cryptsetup and
+ cryptsetup-luks manpages is rather complex.
+ * set mandir to /usr/share/man for configure
+ * add a lintian-override file
+
+ -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 06:48:30 +0100
+
+cryptsetup-luks (1.0.1-7) unstable; urgency=high
+
+ * make cryptsetup create work again (patch for lib/libdevmapper.c)
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 21 Jan 2006 14:39:36 +0100
+
+cryptsetup-luks (1.0.1-6) unstable; urgency=low
+
+ * recompile for new libdevmapper
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Tue, 10 Jan 2006 15:10:17 +0100
+
+cryptsetup-luks (1.0.1-5) unstable; urgency=low
+
+ * improved documentation for /etc/crypttab
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 7 Nov 2005 17:05:20 +0100
+
+cryptsetup-luks (1.0.1-4) unstable; urgency=low
+
+ * added luks option for /etc/crypttab (thx to Fabian Thorns
+ <fabian@thorns.it> for the initial patch)
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Thu, 3 Nov 2005 19:22:59 +0100
+
+cryptsetup-luks (1.0.1-3) unstable; urgency=low
+
+ * completly switched to luks upstream
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Thu, 11 Aug 2005 22:14:16 +0200
+
+cryptsetup-luks (1.0.1-2) unstable; urgency=low
+
+ * fixed build dependencies
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 20 Jun 2005 22:30:38 +0200
+
+cryptsetup-luks (1.0.1-1) unstable; urgency=low
+
+ * synced with luks upstream
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 20 Jun 2005 16:22:53 +0200
+
+cryptsetup-luks (1.0-5) unstable; urgency=low
+
+ * fixed a small typo in the manpage
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 23 Apr 2005 11:06:31 +0200
+
+cryptsetup-luks (1.0-4) unstable; urgency=low
+
+ * cleand source-tree for submitting a wishlist report into debian BTS
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Tue, 19 Apr 2005 18:44:13 +0200
+
+cryptsetup-luks (1.0-3) unstable; urgency=low
+
+ * updatet dependencies (libdevmapper1.00 => libdevmapper1.01)
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Tue, 19 Apr 2005 13:51:10 +0200
+
+cryptsetup-luks (1.0-2) unstable; urgency=low
+
+ * replaced original debian cryptsetup manpage with manpage from
+ cryptsetup-luks
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sun, 3 Apr 2005 13:33:55 +0200
+
+cryptsetup-luks (1.0-1) unstable; urgency=low
+
+ * new upstream release
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 2 Apr 2005 23:29:43 +0200
+
+cryptsetup-luks (0.993-3) unstable; urgency=low
+
+ * fixed dependencis
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sun, 13 Feb 2005 01:28:11 +0100
+
+cryptsetup-luks (0.993-2) unstable; urgency=low
+
+ * fixed a few source problems
+ * fixed post/pre install scripts
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 16:18:07 +0100
+
+cryptsetup-luks (0.993-1) unstable; urgency=low
+
+ * synced with luks upstream
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 15:50:21 +0100
+
+cryptsetup-luks (0.992-5) unstable; urgency=low
+
+ * fixed a few problems in den debian source package
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 04:22:30 +0100
+
+cryptsetup-luks (0.992-4) unstable; urgency=low
+
+ * debianized the package
+ * cleand up build system
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 00:12:43 +0100
+
+cryptsetup-luks (0.992-3) unstable; urgency=low
+
+ * Fixed typo
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Fri, 11 Feb 2005 18:38:42 +0100
+
+cryptsetup-luks (0.992-2) unstable; urgency=low
+
+ * Added note within description
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Fri, 11 Feb 2005 18:21:03 +0100
+
+cryptsetup-luks (0.992-1) unstable; urgency=low
+
+ * "integrated LUKS" support (very messy hack)
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Thu, 10 Feb 2005 18:16:21 +0100