I just thought I should include my reasons for this patch as opposed to
#268822. This is a copy of the message I sent to the dmcrypt upstream.
Please note that this patch does not interfere with any of the cryptoloop
implementations; you can use them still. Also, I wanted to mention that the
article quoted by #279002/#164144 is mostly FUD and when I'm done with the
cryptsetup package, debian dmcrypt will not be vulnerable.
--
Wesley W. Terpstra
--- Begin Message ---
Your mount patch in the link
http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/34
is not appropriate for existing linux distributions.
The problems are:
- mount should not depend on cryptography libraries
- mount should certainly not depend on /usr
- you can't just add -crypt to a device name and hope for the best
- the backing implementation of cryptoloop can't simply be replaced
  - it breaks existing systems with 2.4 + crypto
- the options differ from cryptoloop
  - manual user intervention is required to change fstab
  - prevents safe upgrading of mount
I have created a patch which addresses all of these issues here:
http://bugs.debian.org/cgi-bin/bugreport.cgi/20cryptsetup.dpatch?bug=290324&msg=3&att=1
It cooperates with the cryptoloop system and takes over only when dmname=...
is specified. Furthermore, the options used are the same. By running
cryptsetup via a fork/exec there is no library dependence on /usr/lib which
means mount can run as normal. Finally, in debian cryptsetup is statically
linked to libgcrypt so it doesn't need /usr either.
I'm open to improvements.
--
Wesley W. Terpstra
--- End Message ---
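The fork/exec design argued for in the forwarded message, as an added example written for this page and not taken from the dpatch linked in the bug: a small C program that splits the mount option string, takes over only when a dmname= option is present, validates the device-mapper name before it becomes part of a /dev/mapper path, builds a cryptsetup command line and runs it through fork/exec, so the mount side links no crypto library and needs nothing under /usr/lib. The helper path /sbin/cryptsetup, the `create NAME DEVICE` subcommand form and the -c cipher flag are assumptions about the cryptsetup command line, not values from the page; the mapping of cryptoloop-style options onto cryptsetup arguments is illustrative only.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CRYPTSETUP_PATH "/sbin/cryptsetup"   /* assumed helper location */
#define MAX_ARGS 16

/* Split a comma-separated mount option string. The value of dmname=... is
 * copied into dmname and every other option is copied, in order, into rest.
 * Returns 1 if dmname= was present, 0 if not, -1 if a buffer is too small. */
int split_dm_options(const char *opts, char *dmname, size_t dmlen,
                     char *rest, size_t restlen)
{
    char buf[256];
    char *save = NULL;
    int found = 0;

    dmname[0] = '\0';
    rest[0] = '\0';
    if (strlen(opts) >= sizeof buf) return -1;
    strcpy(buf, opts);

    for (char *tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        if (strncmp(tok, "dmname=", 7) == 0) {
            if (strlen(tok + 7) >= dmlen) return -1;
            strcpy(dmname, tok + 7);
            found = 1;
        } else {
            if (strlen(rest) + strlen(tok) + 2 > restlen) return -1;
            if (rest[0]) strcat(rest, ",");
            strcat(rest, tok);
        }
    }
    return found;
}

/* The mapper name ends up as /dev/mapper/<name> and as a helper argument:
 * accept only a short alphanumeric/-/_ name so it cannot leave that
 * directory or be mistaken for an option. */
int dm_name_is_safe(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '_')) return 0;
    }
    return 1;
}

/* Build "cryptsetup [-c CIPHER] create NAME DEVICE" (assumed CLI shape).
 * cipher may be NULL. Returns argc, or -1 if the argv array is too small. */
int build_cryptsetup_argv(const char *dmname, const char *device,
                          const char *cipher, char **argv, int max)
{
    int argc = 0;
    if (max < 7) return -1;
    argv[argc++] = CRYPTSETUP_PATH;
    if (cipher) { argv[argc++] = "-c"; argv[argc++] = (char *)cipher; }
    argv[argc++] = "create";
    argv[argc++] = (char *)dmname;
    argv[argc++] = (char *)device;
    argv[argc] = NULL;
    return argc;
}

/* fork/exec the helper and wait for it. Returns its exit status, 127 if the
 * exec itself failed, or -1 on fork/wait errors. */
int run_helper(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                       /* exec failed in the child */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    char dmname[64], rest[256];
    char *cs_argv[MAX_ARGS];

    if (argc != 3) { fprintf(stderr, "usage: %s DEVICE OPTIONS\n", argv[0]); return 2; }
    int r = split_dm_options(argv[2], dmname, sizeof dmname, rest, sizeof rest);
    if (r < 0) { fprintf(stderr, "option string too long\n"); return 1; }
    if (r == 0) { puts("no dmname=, device left to the cryptoloop/mount path"); return 0; }
    if (!dm_name_is_safe(dmname)) { fprintf(stderr, "unsafe dmname\n"); return 1; }
    build_cryptsetup_argv(dmname, argv[1], NULL, cs_argv, MAX_ARGS);
    int st = run_helper(cs_argv);
    if (st != 0) { fprintf(stderr, "cryptsetup exited with %d\n", st); return 1; }
    printf("would now mount /dev/mapper/%s with options: %s\n", dmname, rest);
    return 0;
}
```

Run as `./mountdm /dev/hda5 dmname=home,encryption=aes,ro`: the option parser strips dmname=home, the remaining options are kept for the real mount step, and only the helper process ever touches cryptsetup. A device without dmname= is left alone, which is the "cooperates with cryptoloop" behaviour the message describes.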