Your message dated Tue, 03 Jun 2025 11:01:10 +0000
with message-id <8714956009f19715c903e2b710c86...@posteo.de>
and subject line
has caused the Debian Bug report #1053512,
regarding encfs: Will EncFS be removed from Debian? / How unsecure is EncFS?
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1053512: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053512
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: encfs
Version: 1.9.5-2
Severity: normal
Dear Maintainer,
I'm sure you are aware of the "security problems" of EncFS. The information is
not clear to me, but to my knowledge there was a security audit some years
ago and the upstream maintainer refused to invest more resources into the
project and suggested migrating to gocryptfs.
There is a bug ticket at upstream summarizing some of the information
https://github.com/vgough/encfs/issues/314
As a member of the upstream maintenance team for "Back In Time"
(https://github.com/bit-team/backintime) currently depending on EncFS, I try to
find out how to deal with the problem. I also try to find out how big the
problem really is.
Debian seems to keep EncFS. That indicates to me that the problem cannot be so
big.
As upstream maintainer of Back In Time I'm unsure how to evaluate the
situation. We are thinking about removing EncFS because of the security issues.
How do you evaluate the situation?
Kind
Christian Buhtz
-- System Information:
Debian Release: 12.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)
Kernel: Linux 6.1.0-12-arm64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages encfs depends on:
ii debconf [debconf-2.0] 1.5.82
ii fuse3 [fuse] 3.14.0-4
ii libc6 2.36-9+deb12u3
ii libfuse2 2.9.9-6+b1
ii libgcc-s1 12.2.0-14
ii libssl3 3.0.9-1
ii libstdc++6 12.2.0-14
pn libtinyxml2-9 <none>
ii mount 2.38.1-5+b1
encfs recommends no packages.
encfs suggests no packages.
--- End Message ---
--- Begin Message ---
I am closing the issue because it was answered by Eduard.
Next time, Eduard, please close it yourself. It is harmful for the Debian
project's reputation if tickets are open too long without activity.
--- End Message ---