From 7fdadc140ce11aefe028b6d67f8a5f03b153a998 Mon Sep 17 00:00:00 2001
From: Michael Weiss <dev.primeos@gmail.com>
Date: Thu, 11 Feb 2021 12:36:34 +0100
Subject: fscryptctl: init at 1.0.0 (#112651)

Release notes: https://github.com/google/fscryptctl/releases/tag/v1.0.0

fscryptctl-experimental will remain at version 0.1.0 to ensure a smooth
transition.
---
 pkgs/os-specific/linux/fscryptctl/default.nix |  9 +++--
 pkgs/os-specific/linux/fscryptctl/legacy.nix  | 51 +++++++++++++++++++++++++++
 pkgs/top-level/all-packages.nix               |  3 +-
 3 files changed, 57 insertions(+), 6 deletions(-)
 create mode 100644 pkgs/os-specific/linux/fscryptctl/legacy.nix

(limited to 'pkgs')

diff --git a/pkgs/os-specific/linux/fscryptctl/default.nix b/pkgs/os-specific/linux/fscryptctl/default.nix
index ae89cd43f25..bd1b414f4cb 100644
--- a/pkgs/os-specific/linux/fscryptctl/default.nix
+++ b/pkgs/os-specific/linux/fscryptctl/default.nix
@@ -1,10 +1,8 @@
 { lib, stdenv, fetchFromGitHub }:
 
-# Don't use this for anything important yet!
-
 stdenv.mkDerivation rec {
   pname = "fscryptctl";
-  version = "0.1.0";
+  version = "1.0.0";
 
   goPackagePath = "github.com/google/fscrypt";
 
@@ -12,10 +10,10 @@ stdenv.mkDerivation rec {
     owner = "google";
     repo = "fscryptctl";
     rev = "v${version}";
-    sha256 = "1853hlpklisbqnkb7a921dsf0vp2nr2im26zpmrs592cnpsvk3hb";
+    sha256 = "1hwj726mm0yhlcf6523n07h0yq1rvkv4km64h3ydpjcrcxklhw6l";
   };
 
-  makeFlags = [ "DESTDIR=$(out)/bin" ];
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
 
   meta = with lib; {
     description = "Small C tool for Linux filesystem encryption";
@@ -34,6 +32,7 @@ stdenv.mkDerivation rec {
       documentation for filesystem encryption before using fscryptctl.
     '';
     inherit (src.meta) homepage;
+    changelog = "https://github.com/google/fscryptctl/releases/tag/v{version}";
     license = licenses.asl20;
     platforms = platforms.linux;
     maintainers = with maintainers; [ primeos ];
diff --git a/pkgs/os-specific/linux/fscryptctl/legacy.nix b/pkgs/os-specific/linux/fscryptctl/legacy.nix
new file mode 100644
index 00000000000..64a409fb58b
--- /dev/null
+++ b/pkgs/os-specific/linux/fscryptctl/legacy.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+# Don't use this for anything important!
+# TODO: Drop fscryptctl-experimental after the NixOS 21.03/21.05 release.
+
+stdenv.mkDerivation rec {
+  pname = "fscryptctl";
+  version = "0.1.0";
+
+  goPackagePath = "github.com/google/fscrypt";
+
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "fscryptctl";
+    rev = "v${version}";
+    sha256 = "1853hlpklisbqnkb7a921dsf0vp2nr2im26zpmrs592cnpsvk3hb";
+  };
+
+  makeFlags = [ "DESTDIR=$(out)/bin" ];
+
+  meta = with lib; {
+    description = "Small C tool for Linux filesystem encryption";
+    longDescription = ''
+      fscryptctl is a low-level tool written in C that handles raw keys and
+      manages policies for Linux filesystem encryption, specifically the
+      "fscrypt" kernel interface which is supported by the ext4, f2fs, and
+      UBIFS filesystems.
+      fscryptctl is mainly intended for embedded systems which can't use the
+      full-featured fscrypt tool, or for testing or experimenting with the
+      kernel interface to Linux filesystem encryption. fscryptctl does not
+      handle key generation, key stretching, key wrapping, or PAM integration.
+      Most users should use the fscrypt tool instead, which supports these
+      features and generally is much easier to use.
+      As fscryptctl is intended for advanced users, you should read the kernel
+      documentation for filesystem encryption before using fscryptctl.
+    '';
+    inherit (src.meta) homepage;
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ primeos ];
+    knownVulnerabilities = [ ''
+      fscryptctl version 1.0.0 was released and now uses v2 encryption
+      policies. fscryptctl-experimental will remain at version 0.1.0 which
+      still supports the v1 encryption policies. Please try to switch from the
+      "fscryptctl-experimental" package to "fscryptctl". The v1 encryption
+      policies can be insecure, are hard to use correctly, and have different
+      semantics from v2 policies (which is why they are no longer supported in
+      fscryptctl 1.0.0+).
+    '' ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 92d70cdef3c..753a5da0fcc 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -18792,9 +18792,10 @@ in
 
   erofs-utils = callPackage ../os-specific/linux/erofs-utils { };
 
+  fscryptctl = callPackage ../os-specific/linux/fscryptctl { };
   # unstable until the first 1.x release
   fscrypt-experimental = callPackage ../os-specific/linux/fscrypt { };
-  fscryptctl-experimental = callPackage ../os-specific/linux/fscryptctl { };
+  fscryptctl-experimental = callPackage ../os-specific/linux/fscryptctl/legacy.nix { };
 
   fwupd = callPackage ../os-specific/linux/firmware/fwupd { };
 
-- 
cgit 1.4.1