The Debian Installer team is pleased to announce the second release
candidate of the installer for Debian 10 "Buster".
Improvements in this release
- Update Mirrors.masterlist.
- New section “Unlocking LUKS devices from GRUB” pointing to:
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
* debian-archive-keyring:
- Add Buster keys (#917535, #917536).
- Create images to fit on 16G USB sticks too (for amd64 and i386).
- Tweak package selection to make the multi-arch firmware netinst
fit on CD media again (needs a 700MB CD-R): Don't include 686
PAE kernels on these CDs.
- Tweak ordering of snapshot URLs in jigdo images to remove load
- Add haveged-udeb [linux] to avoid entropy starvation issues
(#923675). Those could affect HTTPS connections, SSH keypair
- Bump Linux kernel ABI from 4.19.0-4 to 4.19.0-5.
- Add œ/Œ glyphs for the French translation.
- Update size limits.
- Relabel “Dark theme” into “Accessible high contrast” (#930569).
- Compress armhf u-boot images with “gzip -n” to avoid embedding
timestamps which cause reproducibility issues.
- Wait longer for sound cards.
- Make grub-efi-*-bin recommend efibootmgr, for debugging purposes.
- Make grub-efi work on armhf too (upstream fixes for alignment
- Add the partman-auto-lvm/guided_size setting to the example
preseed config file (#930846).
- Enlarge maximum line length in Packages and Sources files
- Update size limits.
- Fix gen-crypt segfault, which prevented remote installations due
to a missing password for the “installer” user (#926947, #928299).
- Ship an openssl.cnf in libssl1.1-udeb, fixing wget's TLS issues
in the installer (#926315).
- Tweak Arabic translation to avoid a hang at the hard disk step
- Update auto-install/defaultroot, replacing stretch with buster
- Start haveged when appropriate, to avoid entropy starvation
(#923675). This means when the haveged binary is available, and
when there's no hardware RNG available.
- Update size limits for the graphical installer.
UEFI Secure Boot updates
Debian's Secure Boot setup is still being polished, the main updates
are summarized below.
- Add shim-signed and grub-efi-ARCH-signed to build-dependencies
- Use the signed shim and grub packages for all 3 arches for EFI
- Fix the netboot setup for signed grub images to match the
previous setup and the existing documentation (#928750).
- Generate a specific signed netboot image for d-i to use (#928750).
- Add cpuid, play, ntfs modules to signed UEFI images (#928628,
- Deal with --force-extra-removable with signed shim too (#930531).
Hardware support changes
- [arm64] Add support for netboot SD-card-images.
- [arm64] Add u-boot images for a64-olinuxino, orangepi_zero_plus2
- Add support for NanoPi NEO2.
- Add support for NanoPi NEO2 (#928861).
- Add support for Marvell 8040 MACCHIATOBin Double-shot and
- udeb: Add all HWRNG drivers to kernel-image (#923675).
- udeb: input-modules: Include all keyboard driver modules.
- [arm64] udeb: kernel-image: Include cros_ec_spi and SPI drivers.
- [arm64] udeb: kernel-image: Include phy-rockchip-pcie.
- [arm64] udeb: usb-modules: Include phy-rockchip-typec and
- [arm64] udeb: mmc-modules: Include phy-rockchip-emmc.
- [arm64] udeb: fb-modules: Include rockchipdrm, panel-simple,
pwm_bl, and pwm-cros-ec.
- udeb: Drop unused ntfs-modules packages.
* 76 languages are supported in this release.
* Full translation for 39 of them.
Known bugs in this release
* There seems to be no known major bug as of yet.
See the errata for details and a full list of known issues.
Feedback for this release
We need your help to find bugs and further improve the installer,
so please try it. Installer CDs, other media and everything else you
will need are available at our web site.
The Debian Installer team thanks everybody who has contributed to this
> The Debian Installer team is pleased to announce the second release
> candidate of the installer for Debian 10 "Buster".
> Improvements in this release
> * choose-mirror:Hi
> - Update Mirrors.masterlist.
> * cryptsetup:
> - New section “Unlocking LUKS devices from GRUB” pointing to:
The guide states the following:
| But as of Buster cryptsetup(8) defaults to a new LUKS header format
| version, which isn’t supported by GRUB as of 2.04. Hence the
| pre-Buster workarounds won’t work anymore.
But looking at cryptsetup(8), it is not mentioned that luks2
is default, in fact it seems to tell the opposite:
| LUKS2 is a new version of header format that allows additional extensions like
| different PBKDF algorithm or authenticated encryption. You can format device
| with LUKS2 header if you specify --type luks2 in luksFormat command. For
| activation, the format is already recognized automatically.
Darshaka Pathirana <[hidden email]> (2019-07-01):
> Just a quick note.
Thanks for the feedback.
> On 6/26/19 7:49 PM, Cyril Brulebois wrote:
> > The Debian Installer team is pleased to announce the second release
> > candidate of the installer for Debian 10 "Buster".
> > Improvements in this release
> > ============================
> > * choose-mirror:Hi
> > - Update Mirrors.masterlist.
> > * cryptsetup:
> > - New section “Unlocking LUKS devices from GRUB” pointing to:
> > https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
>
> The guide states the following:
> | But as of Buster cryptsetup(8) defaults to a new LUKS header format
> | version, which isn’t supported by GRUB as of 2.04. Hence the
> | pre-Buster workarounds won’t work anymore.
> But looking at cryptsetup(8), it is not mentioned that luks2
> is default, in fact it seems to tell the opposite:
> https://manpages.debian.org/testing/cryptsetup-bin/cryptsetup.8.en.html
>
> | LUKS2 is a new version of header format that allows additional extensions like
> | different PBKDF algorithm or authenticated encryption. You can format device
> | with LUKS2 header if you specify --type luks2 in luksFormat command. For
> | activation, the format is already recognized automatically.
> https://gitlab.com/cryptsetup/cryptsetup/blob/master/man/cryptsetup.8#L241
>
> | To use LUKS2, specify --type luks2.
>  https://gitlab.com/cryptsetup/cryptsetup/blob/master/man/cryptsetup.8#L278
That doesn't say much about the default setting; but I can see how one
could read it as “this is not the default”.
> Is the guide wrong or is there a (RC) bug in the man page?
The guide was just written, is correct; and a possible bug in the
manpage wouldn't exactly qualify as release critical.
> P.s. I am not on the list, I read this via debian-devel-announce.
Thanks for the feedback indeed, that manpage snippet should probably be
reformulated. Would you mind filing a bug against the cryptsetup-bin
package? I can also do it otherwise. That bit was likely written for
2.0 (when LUKS2 support was introduced), and not updated for 2.1 (when
LUKS2 was made the default LUKS format).
The compiled-in default for cryptsetup(8) can be obtained with

    ~$ cryptsetup --help
    Default compiled-in metadata format is LUKS2 (for luksFormat action).

That setting, as well as other compiled-in defaults (PBKDF algorithm and
parameters, ciphers, modes), comes from upstream. The Debian binary doesn't
differ in that regard.
>> P.s. I am not on the list, I read this via debian-devel-announce.
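
An added example, not part of the thread: a shell check that extracts the compiled-in default from `cryptsetup --help` as described in the last message, and reads the on-disk header version of a device to see whether the guide's LUKS2/GRUB 2.04 caveat applies to it. The function names are made up for this example; the magic bytes and version field follow the LUKS on-disk header layout.

```shell
#!/bin/sh
# Added example: which LUKS header format is in play, and does the
# "not supported by GRUB as of 2.04" caveat from the guide apply?

# luks_version FILE: print 1 or 2 for a LUKS header, "none" otherwise.
# The header starts with the 6-byte magic "LUKS" 0xBA 0xBE followed by a
# 2-byte big-endian version field. Returns 1 if FILE cannot be read
# (block devices normally need root).
luks_version() {
    [ -r "$1" ] || return 1
    hdr=$(od -An -tx1 -N8 < "$1" | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo none ;;
    esac
}

# default_format: read `cryptsetup --help` text on stdin and print the
# compiled-in metadata format it names (LUKS2 in the output quoted above).
default_format() {
    sed -n 's/^[[:space:]]*Default compiled-in metadata format is \([A-Za-z0-9]*\).*/\1/p'
}

# boot_check FILE: apply the guide's statement to one device or image.
boot_check() {
    case "$(luks_version "$1")" in
        1) echo "LUKS1: header format GRUB can open" ;;
        2) echo "LUKS2: not supported by GRUB as of 2.04" ;;
        none) echo "no LUKS header" ;;
        *) echo "unreadable"; return 1 ;;
    esac
}

# Usage: sh luks-check.sh DEVICE...   (pass the partitions holding /boot)
for dev in "$@"; do
    printf '%s: %s\n' "$dev" "$(boot_check "$dev")"
done
if command -v cryptsetup >/dev/null 2>&1; then
    printf 'luksFormat default: %s\n' "$(cryptsetup --help | default_format)"
fi
```
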