group.of.nepali.translators team mailing list archive
Message #41533
[Bug 918489] Re: duplicity allows a new, different passphrase if an archive cache exists
It escaped my attention at the time, but Ubuntu 18.04 released with both
a version of duplicity that shows the new incremental-backups-also-have-
this-issue behavior (see my comment 22) and a release of deja-dup that
wasn't yet fixed to avoid it.
Which means that deja-dup in Ubuntu 18.04 is still affected by this bug
(for incremental backups).
These two commits landed in deja-dup 39.1 and should work around it, if someone wanted to patch deja-dup in 18.04 (I've opened a target for bionic for this bug):
https://gitlab.gnome.org/World/deja-dup/-/commit/4f325940dae7fc259b4be70fccec40c94617f4d4
https://gitlab.gnome.org/World/deja-dup/-/commit/135f4c83774b6dafe194236f99f1405f45032498
For users, you can also install the snap version of deja-dup to avoid
this as well.
** Also affects: duplicity (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: deja-dup (Ubuntu Bionic)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/918489
Title:
duplicity allows a new, different passphrase if an archive cache
exists
Status in Déjà Dup:
Fix Released
Status in Duplicity:
Fix Released
Status in deja-dup package in Ubuntu:
Fix Released
Status in duplicity package in Ubuntu:
Triaged
Status in deja-dup source package in Trusty:
Fix Released
Status in duplicity source package in Trusty:
Confirmed
Status in deja-dup source package in Xenial:
Fix Released
Status in duplicity source package in Xenial:
Confirmed
Status in deja-dup source package in Yakkety:
Fix Released
Status in duplicity source package in Yakkety:
Confirmed
Status in deja-dup source package in Bionic:
New
Status in duplicity source package in Bionic:
New
Bug description:
When doing a backup for the first time, deja-dup verifies your
passphrase by having you enter it twice.
On future incremental backups it doesn't need to do this because
entering the wrong password will result in the backup failing.
With the periodic 'full' backups that happen from time to time,
however, any password will be accepted.
This can lead to a situation where you accidentally type the wrong
password once and are left in a situation where you don't know what
you typed and have no way to get your files (or do another incremental
backup on top of it).
I think this is what happened to me recently.
Clearly, the fix is to explicitly verify the passphrase is correct
when doing a new full backup. This may be a duplicity bug.
=== Ubuntu deja-dup SRU information ===
[impact]
Users may unwittingly re-set their backup password and not be able to restore their data.
[test case]
- $ deja-dup-preferences # set up a dummy backup
- $ deja-dup --backup # complete first encrypted full backup
- $ rename 's/\.2016/\.2000/' /path/to/test/backup/*
- $ rename 's/\.2016/\.2000/' ~/.cache/deja-dup/*/*
- $ deja-dup --backup # second backup, enter the wrong password
- $ deja-dup --restore # try to restore with original password
[regression potential]
Should be limited? The fix is to delete the duplicity cache files, which ought to be safe to delete.
It's possible if a full backup is being resumed, we might delete the
current progress. That is a better bug to have than this bug, though.
A more complicated patch would need to be investigated to prevent
that.
To manage notifications about this bug go to:
https://bugs.launchpad.net/deja-dup/+bug/918489/+subscriptions
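
One way to do the explicit passphrase verification the bug description asks for, as an added example that is not deja-dup's or duplicity's own code: before any backup, try to decrypt the newest manifest already in the target with the entered passphrase, without consulting the local cache. It assumes a local target directory, symmetric GnuPG encryption, manifests named duplicity-*.manifest.gpg, and the passphrase in $PASSPHRASE; the function names and the demo data are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight passphrase check before a backup run.
# Assumptions: local target dir, symmetric GnuPG encryption, manifests named
# duplicity-*.manifest.gpg, passphrase supplied in $PASSPHRASE.

# Print the most recently modified encrypted manifest in directory $1.
newest_manifest() {
    local newest="" f
    for f in "$1"/duplicity-*.manifest.gpg; do
        [ -e "$f" ] || continue            # glob matched nothing
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest=$f; fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# Return 0 if $PASSPHRASE decrypts the newest manifest in $1, or if the target
# holds no backup yet (first run: ask for the passphrase twice instead).
# Return non-zero on a mismatch. The local archive cache is never read.
passphrase_matches() {
    local manifest
    manifest=$(newest_manifest "$1") || return 0
    printf '%s' "$PASSPHRASE" |
        gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 0 \
            --decrypt "$manifest" >/dev/null 2>&1
}

# Constructed demo: a throwaway target with one encrypted manifest, checked
# with the right passphrase, a typo, and against an empty target.
demo() {
    local work out="" try PASSPHRASE
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" "$work/target" "$work/empty"
    echo "constructed manifest" > "$work/plain"
    printf '%s' "original-passphrase" |
        gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 0 --symmetric \
            --output "$work/target/duplicity-full.20160101T000000Z.manifest.gpg" \
            "$work/plain" 2>/dev/null
    for try in "original-passphrase:target" "orignal-passphrase:target" "anything:empty"; do
        PASSPHRASE=${try%%:*}
        if passphrase_matches "$work/${try##*:}"; then out="$out ok"; else out="$out MISMATCH"; fi
    done
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    printf '%s\n' "${out# }"
}
```

A wrapper would call passphrase_matches on the real target and refuse to start the backup, full or incremental, when it returns non-zero.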