Cherry-pick "Delete remaining references to the removed http pin" to unbreak initramfs generation in dracut. Closes: #969361

debian/patches/cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch

@@ -0,0 +1,113 @@
+Subject: Delete remaining references to the removed http pin
+Origin: v11-1-g1e344db <https://github.com/latchset/clevis/commit/v11-1-g1e344db>
+Upstream-Author: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed Nov 7 14:53:08 2018 +0100
+Bug-Debian: https://bugs.debian.org/bug=969361
+
+    Commit 800d73185d7f ("Remove HTTP pin") removed the clevis http pin, but
+    there are still references of it in the docs and also the dracut module.
+
+    This was causing dracut to fail building the initramfs due the following:
+
+    dracut-install: ERROR: installing 'clevis-decrypt-http'
+
+    Suggested-by: Dominick Grift <dac.override@gmail.com>
+
+    Fixes: #73
+
+--- a/README.md
++++ b/README.md
+@@ -58,27 +58,6 @@
+ the advertisment is specified manually like this, Clevis presumes that the
+ advertisement is trusted.
+ 
+-#### PIN: HTTP
+-
+-Clevis also ships a pin for performing escrow using HTTP. Please note that,
+-at this time, this pin does not provide HTTPS support and is suitable only
+-for use over local sockets. This provides integration with services like
+-[Custodia](http://github.com/latchset/custodia).
+-
+-For example:
+-
+-```bash
+-$ echo hi | clevis encrypt http '{"url": "http://server.local/key"}' > hi.jwe
+-```
+-
+-The HTTP pin generate a new (cryptographically-strong random) key and performs
+-encryption using it. It then performs a PUT request to the URL specified. It is
+-understood that the server will securely store this key for later retrieval.
+-During decryption, the pin will perform a GET request to retrieve the key and
+-perform decryption.
+-
+-Patches to provide support for HTTPS and authentication are welcome.
+-
+ #### PIN: TPM2
+ 
+ Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2)
+--- a/src/clevis.1.adoc
++++ b/src/clevis.1.adoc
+@@ -21,26 +21,6 @@
+ encrypt the data so that it can be automatically decrypted if the policy is
+ met. Lets walk through an example.
+ 
+-== HTTP ESCROW
+-
+-When using the HTTP pin, we create a new, cryptographically-strong, random key.
+-This key is stored in a remote HTTP escrow server (using a simple PUT or POST).
+-Then at decryption time, we attempt to fetch the key back again in order to
+-decrypt our data. So, for our configuration we need to pass the URL to the key
+-location:
+-
+-    $ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE
+-
+-To decrypt the data, simply provide the ciphertext (JWE):
+-
+-    $ clevis decrypt < JWE > PLAINTEXT
+-
+-Notice that we did not pass any configuration during decryption. The decrypt
+-command extracted the URL (and possibly other configuration) from the JWE
+-object, fetched the encryption key from the escrow and performed decryption.
+-
+-For more information, see link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)].
+-
+ == TANG BINDING
+ 
+ Clevis provides support for the Tang network binding server. Tang provides
+@@ -136,7 +116,6 @@
+ 
+ == SEE ALSO
+ 
+-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+ link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+ link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)],
+ link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
+--- a/src/luks/clevis-luks-bind.1.adoc
++++ b/src/luks/clevis-luks-bind.1.adoc
+@@ -61,7 +61,6 @@
+ == SEE ALSO
+ 
+ link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)],
+-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+ link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+ link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
+ link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
+--- a/src/luks/systemd/dracut/module-setup.sh.in
++++ b/src/luks/systemd/dracut/module-setup.sh.in
+@@ -36,7 +36,6 @@
+     inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
+ 
+     inst_multiple /etc/services \
+-        clevis-decrypt-http \
+         clevis-decrypt-tang \
+         clevis-decrypt-sss \
+         @libexecdir@/clevis-luks-askpass \
+--- a/src/pins/sss/clevis-encrypt-sss.1.adoc
++++ b/src/pins/sss/clevis-encrypt-sss.1.adoc
+@@ -54,6 +54,5 @@
+ 
+ == SEE ALSO
+ 
+-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+ link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+ link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]

debian/patches/debian.use-socat.patch

@@ -12,7 +12,7 @@ Forwarded: not-needed
 
 --- a/src/luks/systemd/dracut/module-setup.sh.in
 +++ b/src/luks/systemd/dracut/module-setup.sh.in
-@@ -46,7 +46,7 @@
+@@ -45,7 +45,7 @@
          mktemp \
          curl \
          jose \

debian/patches/series

@@ -1,2 +1,7 @@
+
+# cherry-picked commits. Keep in upstream's chronological order
+cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch
+
+# local modifications
 debian.use-socat.patch
 debian.use-asciidoctor-to-build-manpages.patch