[pkg-cryptsetup-devel] Bug#994486: cryptsetup-initramfs: include askpass only when needed?
Christoph Anton Mitterer
calestyo at scientia.net
Sat Oct 2 23:03:17 BST 2021
On Sat, 2021-10-02 at 22:39 +0200, Guilhem Moulin wrote:
> What does “would be nice” mean concretely, is there anything else than
> the slightly smaller initramfs image?
Well I guess there are mainly two beneficial points, IMO:
1) The actually saved space.
Sure it's not extremely much, but if everyone thinks that way all those
bits and pieces add up to quite something, which are of course no
problem for a normal desktop system, but embedded systems may really
want/need something that stays small.
So if we can't do something to improve it, why not?
2) Is that the problem you refer to (i.e. not knowing what already
silently depends on this) gets just worse and worse.
I recently learned that e.g. sed is not included per se, but only
because cryptroot does it and I always had cryptroot in place.
I think people shouldn't get too sloppy and just assume that whatever
they need will be in place in the initramfs, unless someone really made
such a promise.
And I guess the only really proper promise is that klibc-utils stuff is
there.
busybox stuff is also just there because cryptsetup itself needs it and
sets BUSYBOX=Y, but if that should ever change, we shouldn't trap and
force ourselves to include it forever, just because someone who doesn’t
include his own deps relies on it.
> Personally I'm not against doing
> what you propose, but the gain has to outweigh potential regressions
> and at the moment this is not obvious to me.
I think the possible regressions are that any keyscripts which silently
depend on askpass without caring to include it themselves will fail.
This sounds like a big regression at first, but:
- it would only happen to people with custom keyscripts
- a NEWS.Debian entry could tell about it, anyone not reading this is
IMO on his own
- anyone who runs an FDE system, and doesn't keep backups of e.g. the
most recent working kernel/initramfs... well, same as above,... on his
own...
I once had the case that I depended on some fs kernel module to read
the key and it used to be included in dep but then no longer... I
didn't care to properly include it myself, so I got stuck (of course I
had the previously working initramfs)... but I couldn't blame whoever
removed that module from the included ones
- Having askpass included was never "promised"... in a way it's the
same when I personally used some internal features back then before I
reported #901795, and you guys changed it... it was my own
responsibility if I use undocumented stuff.
It's like you say in the other bugs... people cannot rely on non-
documented features, and you're right there - otherwise you could
barely make any changes.
Cheers,
Chris.