[pkg-cryptsetup-devel] Bug#1092977: debian-installer: systemd-cryptsetup package not installed on encrypted system

Cyril Brulebois kibi at debian.org
Sat May 24 19:01:19 BST 2025


Pascal Hambourg <pascal at plouf.fr.eu.org> (2025-05-24):
> On 24/05/2025 at 18:43, Guilhem Moulin wrote:
> > On Sat, 24 May 2025 at 17:41:42 +0200, Cyril Brulebois wrote:
> > > If we were to pull systemd-cryptsetup in the mix, should there be
> > > any restrictions/checks before deciding to do so?
> 
> Is tweaking d-i to not install systemd at all (like Devuan) a
> supported use case?

If people feel strongly about their init system, they can do whatever
they want to obtain a system they like. I don't see why we would care
about that for them.

> > IMHO an ideal fix would be to install cryptsetup-initramfs only when
> > some device needs to be unlocked by initramfs-tools, and only
> > install systemd-cryptsetup if there are remaining encrypted devices.
> 
> It depends which criteria are used to define "ideal", e.g. minimal set
> of installed packages vs maximum versatility.
> 
> Queuing cryptsetup-initramfs was convenient because it pulled all
> other cryptsetup packages at once.

I'm not sure when you showed up but there's been some back and forth on
that topic, with package splits and re-splits in different ways over the
last few release cycles.

> 
> > AFAIK d-i won't allow setting up a system *requiring* systemd-cryptsetup
> > out of its menu
> 
> I just did it with manual partitioning, not "out of its menu".
> Create an encrypted volume and use it as /home, /srv or whatever is not
> mounted in the initramfs.
> 
> > > How are things between systemd-cryptsetup and cryptsetup itself? Is that
> > > a peaceful cohabitation/cooperation, or is that going to look like some
> > > competition, with race conditions and the like?
> > 
> > I have both installed on many systems and AFAIK they cohabit well.
> > cryptsetup's init scripts are inert
> 
> They are masked by systemd. I tried to unmask them but the passphrase
> prompt is not displayed.

So that was with current d-i, and not resorting to dropping to a shell
and doing nasty things behind its back? Things don't work out of the
box? But does that start working if you additionally install
systemd-cryptsetup? If so, without any additional configuration?

(I'm not too afraid of the extra dependencies — already there — if we
were to pull this package “blindly” alongside cryptsetup, but the amount
of extra systemd targets and possible complexity doesn't make me
confident about being able to sort things out if some problems start
popping up after we start doing that. After all, we're just weeks away
from the release, it doesn't leave a lot of time to debug regressions or
just walk back…)


Cheers,
-- 
Cyril Brulebois (kibi at debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant