On 31/01/2017 17:30, Michael Stone wrote:
On Tue, Jan 31, 2017 at 05:17:44PM +0100, Francesco Namuri wrote:
of course we can remove it only from the upcoming stable release,
and removing it from testing has already done it. ftpmaster also removed
it from unstable.
We also asked for the removal from unstable due to the gravity of the bug.
I'd like to point out that the problem only affects encrypted directories
made using cryptkeeper, and that the problem is easily discovered
the first time the user tries to mount the partition.
Yes, I agree that it's easily discoverable--which is why I'm concerned
that simply removing the entire functionality of the package without
any kind of notification to the user isn't the best way to address the
problem. Again: removing the package simply ensures that people
upgrading to stretch will either end up with a cryptkeeper package
that exhibits this bug, or will remove their cryptkeeper package and
not know how to access their stored data, right?
Mike Stone
Hello Mike,
thanks for the comments.
This issue only affects cryptkeeper working with encfs 1.9.1-3; in
stable we have 1.7.4-5, which works as cryptkeeper expects.
People who upgrade from jessie to stretch simply "lose" the cryptkeeper
package; of course they are still able to access their stored data using
encfs or any other frontend to it.
IMHO it's better to remove the program in any environment that is
affected by this issue; putting a note in the README or also in debconf
isn't enough to balance the gravity of the issue. Users can think they
lost data because of a wrong password, or even worse they can trust a
worthless data encryption.
Francesco