Bug#928956: Document removal of ecryptfs-utils from Buster

tags -1 + moreinfo

Bug #928956 [release-notes] Document removal of ecryptfs-utils from Buster
Ignoring request to alter tags of bug #928956 to the same tags previously set

--
928956: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928956
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems

Debian Bug Tracking System

2019-05-14 07:00:01 UTC

tags -1 + moreinfo

Bug #928956 [release-notes] Document removal of ecryptfs-utils from Buster
Added tag(s) moreinfo.

--
928956: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928956
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems

Andrei POPESCU

2019-05-14 07:00:01 UTC

Control: tags -1 + moreinfo

Post by Daniel Lange
Package: release-notes
Severity: important
Due to #765854 ecryptfs-utils has been removed from Buster.
The kernel module (ecryptfs.ko) is still built but depending on the upgrade
path users will be unable to mount their encrypted home directories (pam
module, ecryptfs-mount-private missing).
So they should probably be strongly advised to not upgrade.

Hi Daniel,

It would be helpful to provide more information on:

* reason for removal
not essential, but it helps to understand the issue

* what would be the alternative(s) available in buster

* is there a (documented) migration path

Thanks,
Andrei

--
http://wiki.debian.org/FAQsFromDebianUser

Daniel Lange

2019-05-14 08:00:01 UTC

Post by Andrei POPESCU
* reason for removal
not essential, but it helps to understand the issue

#765854
ecryptfs cannot unmount encrypted home directories due to systemd
keeping the pam session active even after logout.
Upstream bug https://github.com/systemd/systemd/issues/8598
A work around (user unit file) has not been implemented and tested.

Post by Andrei POPESCU
* what would be the alternative(s) available in buster

there is none

Post by Andrei POPESCU
* is there a (documented) migration path

there is none

People with ecryptfs should not upgrade to Buster or enable and pin sid
repositories where ecryptfs-utils, libecryptfs1 and friends are still
available and continue to work (including the unmount bug linked above).

CC'd jak (original bug submitter) and gcs (maintainer) in case they can
add something. May be we can get the user unit file approach tested and
if working into a point release and/or backports?

Justin B Rye

2019-05-15 12:10:01 UTC

Post by Andrei POPESCU
* reason for removal
not essential, but it helps to understand the issue

#765854
ecryptfs cannot unmount encrypted home directories due to systemd keeping
the pam session active even after logout.
Upstream bug https://github.com/systemd/systemd/issues/8598
A work around (user unit file) has not been implemented and tested.

Post by Andrei POPESCU
* what would be the alternative(s) available in buster

there is none

Does Debian really not provide any alternative mechanisms for
filesystem encryption that users could switch over to? A quick "apt
search" suggests that they could try encfs...

Post by Andrei POPESCU
* is there a (documented) migration path

there is none

Sounds as if someone needs to write one, then.

Post by Daniel Lange
People with ecryptfs should not upgrade to Buster or enable and pin sid
repositories where ecryptfs-utils, libecryptfs1 and friends are still
available and continue to work (including the unmount bug linked above).

Is the problem a result of changes in ecryptfs-utils, PAM, systemd, or
what? Would upgrading systemd etc to Buster but keeping the Stretch
version of ecryptfs-utils installed be a better or worse option than
installing the Sid version?

Post by Daniel Lange
CC'd jak (original bug submitter) and gcs (maintainer) in case they can add
something. May be we can get the user unit file approach tested and if
working into a point release and/or backports?

--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package

Paul Gevers

2019-06-01 20:10:01 UTC

Control: tags -1 patch

Hi all,

On Wed, 15 May 2019 13:00:52 +0100 Justin B Rye

Post by Andrei POPESCU
* reason for removal
not essential, but it helps to understand the issue

#765854
ecryptfs cannot unmount encrypted home directories due to systemd keeping
the pam session active even after logout.
Upstream bug https://github.com/systemd/systemd/issues/8598
A work around (user unit file) has not been implemented and tested.

Post by Andrei POPESCU
* what would be the alternative(s) available in buster

there is none

Does Debian really not provide any alternative mechanisms for
filesystem encryption that users could switch over to? A quick "apt
search" suggests that they could try encfs...

Post by Andrei POPESCU
* is there a (documented) migration path

there is none

Sounds as if someone needs to write one, then.

In absence of other text, I am about to push the attached text to the
release-notes. I hope this isn't the final text, but at least the draft
document now mentions the problem.

Paul

Justin B Rye

2019-06-02 10:00:01 UTC

+ The <systemitem role="package">ecryptfs-utils</systemitem> package
+ is not part of buster due to an unfixed serious bug (<ulink
+ url="&url-bts;765854">#765854</ulink>). At the time of writing this
+ paragraph, there wasn't a clear advice to people with encryptfs,
+ except not upgrading.

Advice is a non-count noun, and "not upgrading" doesn't quite fit the
grammar either. Make it

paragraph, there was no clear advice for users of encryptfs,
except not to upgrade.

And I'm not sure even the non-upgrade option counts as clear advice,
but I suppose it's the nearest thing we've got.

--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package

Holger Wansing

2019-06-02 10:30:01 UTC

Hi,

Advice is a non-count noun, and "not upgrading" doesn't quite fit the
grammar either. Make it
paragraph, there was no clear advice for users of encryptfs,
except not to upgrade.
And I'm not sure even the non-upgrade option counts as clear advice,
but I suppose it's the nearest thing we've got.

Maybe adding something like
"or migrate to <some alternative>"
to the end would be helpfu?

And also, I wonder if "ecryptfs-utils" (without n) and
encryptfs (with n) are both correct?

Holger

--
Sent f

Justin B Rye

2019-06-02 10:50:01 UTC

Post by Holger Wansing

paragraph, there was no clear advice for users of encryptfs,
except not to upgrade.

Maybe adding something like
"or migrate to <some alternative>"
to the end would be helpfu?
And also, I wonder if "ecryptfs-utils" (without n) and
encryptfs (with n) are both correct?

Oops! Well, I can fix that bit.

And to make it easier to remember we can use the upstream "brand name"
spelling "eCryptfs".

(I wonder: is it "extended" Cryptfs? "enterprisey" Cryptfs?)

--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package

Paul Gevers

2019-06-03 20:20:01 UTC

Hi,

Post by Holger Wansing

paragraph, there was no clear advice for users of encryptfs,
except not to upgrade.

Maybe adding something like
"or migrate to <some alternative>"
to the end would be helpfu?
And also, I wonder if "ecryptfs-utils" (without n) and
encryptfs (with n) are both correct?

Oops! Well, I can fix that bit.
And to make it easier to remember we can use the upstream "brand name"
spelling "eCryptfs".
(I wonder: is it "extended" Cryptfs? "enterprisey" Cryptfs?)

Pushed.

Paul

Paul Gevers

2019-06-29 08:10:01 UTC

Hi all,

Post by Paul Gevers
On Wed, 15 May 2019 13:00:52 +0100 Justin B Rye

Post by Andrei POPESCU
* reason for removal
not essential, but it helps to understand the issue

#765854
ecryptfs cannot unmount encrypted home directories due to systemd keeping
the pam session active even after logout.
Upstream bug https://github.com/systemd/systemd/issues/8598
A work around (user unit file) has not been implemented and tested.

Post by Andrei POPESCU
* what would be the alternative(s) available in buster

there is none

Does Debian really not provide any alternative mechanisms for
filesystem encryption that users could switch over to? A quick "apt
search" suggests that they could try encfs...

Post by Andrei POPESCU
* is there a (documented) migration path

there is none

Sounds as if someone needs to write one, then.

In absence of other text, I am about to push the attached text to the
release-notes. I hope this isn't the final text, but at least the draft
document now mentions the problem.

Did anybody learn about (documented) migration paths in the mean time?

Paul

Osamu Aoki

2019-07-01 15:00:02 UTC

Hi,

Post by Paul Gevers
Hi all,

Post by Paul Gevers
On Wed, 15 May 2019 13:00:52 +0100 Justin B Rye

Post by Andrei POPESCU
* reason for removal
not essential, but it helps to understand the issue

#765854
ecryptfs cannot unmount encrypted home directories due to systemd keeping
the pam session active even after logout.
Upstream bug https://github.com/systemd/systemd/issues/8598
A work around (user unit file) has not been implemented and tested.

...

Post by Paul Gevers

Post by Paul Gevers
In absence of other text, I am about to push the attached text to the
release-notes. I hope this isn't the final text, but at least the draft
document now mentions the problem.

Did anybody learn about (documented) migration paths in the mean time?

Unencrypt eCryptfs data and mount the unencrypted filesystem is one way.

But then we don't have encryption.

I can think of migration to dm-crypt/LUKS or encfs/FUSE is an technical
possibility. But that's something beyond this document should
elaborate,

Realistically, I think best recommendation to people who wants to have
encryption is
* save all your data unencrypted (BACKUP!)
* move them to freshly installed Debian on full disk encryption
(RESTORE)

Osamu

Julian Andres Klode

2019-07-01 15:10:01 UTC

Post by Osamu Aoki
Hi,

Post by Paul Gevers
Hi all,

Post by Paul Gevers
On Wed, 15 May 2019 13:00:52 +0100 Justin B Rye

Post by Andrei POPESCU
* reason for removal
not essential, but it helps to understand the issue

#765854
ecryptfs cannot unmount encrypted home directories due to systemd keeping
the pam session active even after logout.
Upstream bug https://github.com/systemd/systemd/issues/8598
A work around (user unit file) has not been implemented and tested.

...

Post by Paul Gevers

Post by Paul Gevers
In absence of other text, I am about to push the attached text to the
release-notes. I hope this isn't the final text, but at least the draft
document now mentions the problem.

Did anybody learn about (documented) migration paths in the mean time?

LUKS is the only sensible option, overlay file systems, especially
encfs are significantly less safe, which was among the reasons we
ended up here in the first place.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

Debian Bug Tracking System

2019-06-01 20:10:02 UTC

Post by Paul Gevers
tags -1 patch

Bug #928956 [release-notes] Document removal of ecryptfs-utils from Buster
Added tag(s) patch.

--
928956: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928956
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems

Hendrik Boom

2019-06-03 23:50:01 UTC

Just to be clear. Does this relate to the package encfs? It's
(also?) an encrypted file system. Do I need to be worried as an encfs
user?

-- hendrik

Justin B Rye

2019-06-04 16:00:02 UTC