From fd888e850cf413955483bfb993aeeea5ea611289 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 17 Apr 2024 10:06:26 +0200 Subject: Adding debian version 2:2.6.1-4~deb12u2. Signed-off-by: Daniel Baumann --- debian/TODO.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 debian/TODO.md (limited to 'debian/TODO.md') diff --git a/debian/TODO.md b/debian/TODO.md new file mode 100644 index 0000000..8958ec2 --- /dev/null +++ b/debian/TODO.md 
@@ -0,0 +1,47 @@ +# TODO list + +* luks nuke feature + * https://www.kali.org/tutorials/nuke-kali-linux-luks/ + * https://pkg.kali.org/pkg/cryptsetup + * https://github.com/offensive-security/cryptsetup-nuke-keys + * TODO: + * review and improve original patch to address upstream's concerns + * http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/7184 + * patch luks2 functions to support it as well + * documentation in manpage (and README.Debian?) + * bash completion + +* systemd integration and future of cryptscripts + * patch cryptsetup.c in systemd to support cryptscripts? + * try the patches + * https://github.com/systemd/systemd/pull/3007#pullrequestreview-39358162 + * https://lists.freedesktop.org/archives/systemd-devel/2012-June/005693.html + * or completely remove cryptscripts feature from cryptsetup in Debian? + +* ephemeral swap encryption + +* improve test suite + +* cryptroot hook script: + - We should add parent device detection for ZFS (#820888) so users + don't have to manually add the 'initramfs' option to the crypttab. + + +## Old list + +* Would a fallback make sense? like when using any keyscript, try passphrase + in the case that it fails. if we implement that at all, never make it the + default, and warn about security issues in README.Debian. even explain that + backup passphrase keyslots thwart the extra security of keyfiles/keyscripts. + (#438481, #471729) + +* Implement something like 'ignore-if-no-device' to mount (/etc/fstab), and + thus support several situations where cryptsetup fails to setup a device: + -> the device is not attached at all + -> wrong passphrase/no keyfile available + -> timeouts arise + (#474120) + * seems like the fstab flag alread does exists: nofail. so reimplement + timeout? + +* Reimplement timeout support in a cleaner way? -- cgit v1.2.3
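Review bot: In the "Old list" section, the sub-item under (#474120) has a typo ("alread does exists" should be "already exists") and leaves the parent entry half-resolved. Since it concludes that `nofail` already covers the 'ignore-if-no-device' case, the parent item could be cut down to the open timeout question. That question is then duplicated by the final "Reimplement timeout support in a cleaner way?" entry, so one of the two can go. In the luks nuke TODO, "address upstream's concerns" points only at a plain-http gmane article link. A one-line summary of those concerns in the file would keep the item actionable if the archive link stops resolving. The list also mixes `*`, `-` and `->` markers across sections, so settling on one style would make the Markdown render consistently.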