Bug 1729600 - cryptsetup-reencrypt utility fails to decrypt volume with active keyslot other than 0 (zero)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: cryptsetup
Version: 8.1
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: 8.0
Assignee: Ondrej Kozina
QA Contact: guazhang@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-12 18:52 UTC by Corey Marthaler
Modified: 2021-09-06 15:19 UTC (History)

Fixed In Version: cryptsetup-2.2.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 22:17:14 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links: Red Hat Product Errata RHBA-2019:3569 (last updated 2019-11-05 22:17:26 UTC)

Description Corey Marthaler 2019-07-12 18:52:14 UTC
Description of problem:
This appears to block the ability of "decryption support" listed in RFE 1676622. 

### Scenario 1: Decrypt an offline luks device (which had *not* been re-encrypted) PASSES
[root@hayes-02 ~]# lvcreate  --nosync --type raid1 -m 1 -n open_LUKS_fsadm_resize -L 4G --yes raid_sanity
  WARNING: New raid1 won't be synchronised. Don't read what you didn't write!
  Wiping crypto_LUKS signature on /dev/raid_sanity/open_LUKS_fsadm_resize.
  Logical volume "open_LUKS_fsadm_resize" created.

[root@hayes-02 ~]# echo foobarglarch | cryptsetup luksFormat --type luks2 /dev/raid_sanity/open_LUKS_fsadm_resize
[root@hayes-02 ~]# echo foobarglarch | cryptsetup luksOpen --disable-keyring /dev/raid_sanity/open_LUKS_fsadm_resize raid_luksvolume

[root@hayes-02 ~]# mkfs /dev/mapper/raid_luksvolume
mke2fs 1.44.6 (5-Mar-2019)
Creating filesystem with 1044480 4k blocks and 261120 inodes
Filesystem UUID: 860082b9-9ddf-4c6b-b14b-f9da26a9d82a
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done

### Do not reencrypt                                                                                                                                                                                                                         
[root@hayes-02 ~]# cryptsetup luksClose raid_luksvolume
[root@hayes-02 ~]# echo foobarglarch | cryptsetup-reencrypt --decrypt /dev/raid_sanity/open_LUKS_fsadm_resize
Finished, time 00:12.145, 4080 MiB written, speed 335.9 MiB/s   

[root@hayes-02 ~]# mount /dev/raid_sanity/open_LUKS_fsadm_resize /mnt
[root@hayes-02 ~]# df -h
Filesystem                                      Size  Used Avail Use% Mounted on
/dev/mapper/raid_sanity-open_LUKS_fsadm_resize  4.0G  8.0M  3.8G   1% /mnt
### Scenario 2: Decrypt an offline luks device (which *had* been *offline* re-encrypted) PASSES
[root@hayes-02 ~]# lvcreate  --nosync --type raid1 -m 1 -n open_LUKS_fsadm_resize -L 4G --yes raid_sanity
  WARNING: New raid1 won't be synchronised. Don't read what you didn't write!
  Wiping crypto_LUKS signature on /dev/raid_sanity/open_LUKS_fsadm_resize.
  Wiping crypto_LUKS signature on /dev/raid_sanity/open_LUKS_fsadm_resize.
  Logical volume "open_LUKS_fsadm_resize" created.
[root@hayes-02 ~]# echo foobarglarch | cryptsetup luksFormat --type luks2 /dev/raid_sanity/open_LUKS_fsadm_resize
[root@hayes-02 ~]# echo foobarglarch | cryptsetup luksOpen --disable-keyring /dev/raid_sanity/open_LUKS_fsadm_resize raid_luksvolume
[root@hayes-02 ~]# mkfs /dev/mapper/raid_luksvolume
mke2fs 1.44.6 (5-Mar-2019)
Creating filesystem with 1044480 4k blocks and 261120 inodes
Filesystem UUID: 2ea1cd5f-4558-4bed-82b7-be85d908e2d3
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done 

[root@hayes-02 ~]# cryptsetup luksClose raid_luksvolume

### Offline reencrypt
[root@hayes-02 ~]# echo foobarglarch | cryptsetup-reencrypt /dev/raid_sanity/open_LUKS_fsadm_resize
Finished, time 00:11.367, 4080 MiB written, speed 358.9 MiB/s   
[root@hayes-02 ~]# echo foobarglarch | cryptsetup-reencrypt --decrypt /dev/raid_sanity/open_LUKS_fsadm_resize
Finished, time 00:11.657, 4080 MiB written, speed 350.0 MiB/s   

[root@hayes-02 ~]# mount /dev/raid_sanity/open_LUKS_fsadm_resize /mnt
[root@hayes-02 ~]# df -h
Filesystem                                      Size  Used Avail Use% Mounted on
/dev/mapper/raid_sanity-open_LUKS_fsadm_resize  4.0G  8.0M  3.8G   1% /mnt
### Scenario 3: Decrypt an offline luks device (which *had* been *online* re-encrypted) FAILS
[root@hayes-02 ~]# lvcreate  --nosync --type raid1 -m 1 -n open_LUKS_fsadm_resize -L 4G --yes raid_sanity
  WARNING: New raid1 won't be synchronised. Don't read what you didn't write!
  Wiping ext2 signature on /dev/raid_sanity/open_LUKS_fsadm_resize.
  Logical volume "open_LUKS_fsadm_resize" created.
[root@hayes-02 ~]# echo foobarglarch | cryptsetup luksFormat --type luks2 /dev/raid_sanity/open_LUKS_fsadm_resize
[root@hayes-02 ~]# echo foobarglarch | cryptsetup luksOpen --disable-keyring /dev/raid_sanity/open_LUKS_fsadm_resize raid_luksvolume
[root@hayes-02 ~]# mkfs /dev/mapper/raid_luksvolume
mke2fs 1.44.6 (5-Mar-2019)
Creating filesystem with 1044480 4k blocks and 261120 inodes
Filesystem UUID: e7d2f06a-d436-42e4-8414-9da6ec351c07
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done 

### Online reencrypt
[root@hayes-02 ~]#  echo foobarglarch | cryptsetup reencrypt --active-name raid_luksvolume
Finished, time 00:46.387, 4080 MiB written, speed  88.0 MiB/s   

[root@hayes-02 ~]# cryptsetup luksClose raid_luksvolume
[root@hayes-02 ~]# echo foobarglarch | cryptsetup-reencrypt --decrypt /dev/raid_sanity/open_LUKS_fsadm_resize
[root@hayes-02 ~]# echo $?
1

### There was no warning/error about what happened above
[root@hayes-02 ~]# mount /dev/raid_sanity/open_LUKS_fsadm_resize /mnt
mount: /mnt: unknown filesystem type 'crypto_LUKS'.
### Scenario 4-5: Decrypt an online|offline luks device (which *had* been *online* re-encrypted) but using cryptsetup --decrypt instead of cryptsetup-reencrypt FAILS

Same setup as above
[root@hayes-02 ~]# dmsetup ls
raid_sanity-open_LUKS_fsadm_resize      (253:4)
raid_sanity-open_LUKS_fsadm_resize_rimage_1     (253:3)
raid_sanity-open_LUKS_fsadm_resize_rimage_0     (253:1)
raid_luksvolume (253:5)
raid_sanity-open_LUKS_fsadm_resize_rmeta_1      (253:2)
raid_sanity-open_LUKS_fsadm_resize_rmeta_0      (253:0)

# Maybe my syntax is wrong, but the action is correct "--decrypt"
[root@hayes-02 ~]# echo foobarglarch | cryptsetup --decrypt raid_luksvolume
Usage: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose] [--debug] [--debug-json] [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING]
        [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes] [--keyfile-offset=bytes] [--new-keyfile-size=bytes] [--new-keyfile-offset=bytes]
        [-S|--key-slot=INT] [-b|--size=SECTORS] [--device-size=bytes] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly] [-q|--batch-mode] [-t|--timeout=secs] [--progress-frequency=secs]
        [-T|--tries=INT] [--align-payload=SECTORS] [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared] [--uuid=STRING] [--allow-discards] [--header=STRING] [--test-passphrase]
        [--tcrypt-hidden] [--tcrypt-system] [--tcrypt-backup] [--veracrypt] [--veracrypt-pim=INT] [--veracrypt-query-pim] [-M|--type=STRING] [--force-password] [--perf-same_cpu_crypt]
        [--perf-submit_from_crypt_cpus] [--deferred] [--serialize-memory-hard-pbkdf] [-i|--iter-time=msecs] [--pbkdf=STRING] [--pbkdf-memory=kilobytes] [--pbkdf-parallel=threads]
        [--pbkdf-force-iterations=LONG] [--priority=STRING] [--disable-locks] [--disable-keyring] [-I|--integrity=STRING] [--integrity-no-journal] [--integrity-no-wipe] [--token-only] [--token-id=INT]
        [--key-description=STRING] [--sector-size=INT] [--persistent] [--label=STRING] [--subsystem=STRING] [--unbound] [--json-file=STRING] [--luks2-metadata-size=bytes] [--luks2-keyslots-size=bytes]
        [--refresh] [--keyslot-key-size=BITS] [--keyslot-cipher=STRING] [--encrypt] [--decrypt] [--init-only] [--resume-only] [--reduce-device-size=bytes] [--hotzone-size=bytes] [--resilience=STRING]
        [--resilience-hash=STRING] [--active-name=STRING] [OPTION...] <action> <action-specific>
cryptsetup: Unknown action.

[root@hayes-02 ~]# echo foobarglarch | cryptsetup --decrypt /dev/raid_sanity/open_LUKS_fsadm_resize
Usage: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose] [--debug] [--debug-json] [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING]
        [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes] [--keyfile-offset=bytes] [--new-keyfile-size=bytes] [--new-keyfile-offset=bytes]
        [-S|--key-slot=INT] [-b|--size=SECTORS] [--device-size=bytes] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly] [-q|--batch-mode] [-t|--timeout=secs] [--progress-frequency=secs]
        [-T|--tries=INT] [--align-payload=SECTORS] [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared] [--uuid=STRING] [--allow-discards] [--header=STRING] [--test-passphrase]
        [--tcrypt-hidden] [--tcrypt-system] [--tcrypt-backup] [--veracrypt] [--veracrypt-pim=INT] [--veracrypt-query-pim] [-M|--type=STRING] [--force-password] [--perf-same_cpu_crypt]
        [--perf-submit_from_crypt_cpus] [--deferred] [--serialize-memory-hard-pbkdf] [-i|--iter-time=msecs] [--pbkdf=STRING] [--pbkdf-memory=kilobytes] [--pbkdf-parallel=threads]
        [--pbkdf-force-iterations=LONG] [--priority=STRING] [--disable-locks] [--disable-keyring] [-I|--integrity=STRING] [--integrity-no-journal] [--integrity-no-wipe] [--token-only] [--token-id=INT]
        [--key-description=STRING] [--sector-size=INT] [--persistent] [--label=STRING] [--subsystem=STRING] [--unbound] [--json-file=STRING] [--luks2-metadata-size=bytes] [--luks2-keyslots-size=bytes]
        [--refresh] [--keyslot-key-size=BITS] [--keyslot-cipher=STRING] [--encrypt] [--decrypt] [--init-only] [--resume-only] [--reduce-device-size=bytes] [--hotzone-size=bytes] [--resilience=STRING]
        [--resilience-hash=STRING] [--active-name=STRING] [OPTION...] <action> <action-specific>
cryptsetup: Unknown action.

### Attempt to close first
[root@hayes-02 ~]# cryptsetup luksClose raid_luksvolume
[root@hayes-02 ~]# echo foobarglarch | cryptsetup --decrypt /dev/raid_sanity/open_LUKS_fsadm_resize
Usage: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose] [--debug] [--debug-json] [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING]
        [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes] [--keyfile-offset=bytes] [--new-keyfile-size=bytes] [--new-keyfile-offset=bytes]
        [-S|--key-slot=INT] [-b|--size=SECTORS] [--device-size=bytes] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly] [-q|--batch-mode] [-t|--timeout=secs] [--progress-frequency=secs]
        [-T|--tries=INT] [--align-payload=SECTORS] [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared] [--uuid=STRING] [--allow-discards] [--header=STRING] [--test-passphrase]
        [--tcrypt-hidden] [--tcrypt-system] [--tcrypt-backup] [--veracrypt] [--veracrypt-pim=INT] [--veracrypt-query-pim] [-M|--type=STRING] [--force-password] [--perf-same_cpu_crypt]
        [--perf-submit_from_crypt_cpus] [--deferred] [--serialize-memory-hard-pbkdf] [-i|--iter-time=msecs] [--pbkdf=STRING] [--pbkdf-memory=kilobytes] [--pbkdf-parallel=threads]
        [--pbkdf-force-iterations=LONG] [--priority=STRING] [--disable-locks] [--disable-keyring] [-I|--integrity=STRING] [--integrity-no-journal] [--integrity-no-wipe] [--token-only] [--token-id=INT]
        [--key-description=STRING] [--sector-size=INT] [--persistent] [--label=STRING] [--subsystem=STRING] [--unbound] [--json-file=STRING] [--luks2-metadata-size=bytes] [--luks2-keyslots-size=bytes]
        [--refresh] [--keyslot-key-size=BITS] [--keyslot-cipher=STRING] [--encrypt] [--decrypt] [--init-only] [--resume-only] [--reduce-device-size=bytes] [--hotzone-size=bytes] [--resilience=STRING]
        [--resilience-hash=STRING] [--active-name=STRING] [OPTION...] <action> <action-specific>
cryptsetup: Unknown action.


Version-Release number of selected component (if applicable):
cryptsetup-2.2.0-0.2.el8    BUILT: Mon Jun 17 04:08:11 CDT 2019
cryptsetup-libs-2.2.0-0.2.el8    BUILT: Mon Jun 17 04:08:11 CDT 2019
cryptsetup-reencrypt-2.2.0-0.2.el8    BUILT: Mon Jun 17 04:08:11 CDT 2019


kernel-4.18.0-112.el8    BUILT: Fri Jul  5 06:51:26 CDT 2019
lvm2-2.03.05-1.el8    BUILT: Mon Jun 17 05:59:47 CDT 2019
lvm2-libs-2.03.05-1.el8    BUILT: Mon Jun 17 05:59:47 CDT 2019
lvm2-dbusd-2.03.05-1.el8    BUILT: Mon Jun 17 06:01:56 CDT 2019
cmirror-2.03.05-1.el8    BUILT: Mon Jun 17 05:59:47 CDT 2019
device-mapper-1.02.163-1.el8    BUILT: Mon Jun 17 05:59:47 CDT 2019
device-mapper-libs-1.02.163-1.el8    BUILT: Mon Jun 17 05:59:47 CDT 2019
device-mapper-event-1.02.163-1.el8    BUILT: Mon Jun 17 05:59:47 CDT 2019
device-mapper-event-libs-1.02.163-1.el8    BUILT: Mon Jun 17 05:59:47 CDT 2019
device-mapper-persistent-data-0.8.5-2.el8    BUILT: Wed Jun  5 10:28:04 CDT 2019


How reproducible:
Every time

Comment 1 Ondrej Kozina 2019-07-15 09:34:37 UTC
Hi Corey,

You have a small typo in the command. It should be "cryptsetup reencrypt --decrypt". But we do not support decryption with the LUKS2 header put in the head of the data device with the new code yet, see bug #676622, comment 8.

Also, I notice you've combined testing of the new reencryption code with testing of the old reencryption tool, cryptsetup-reencrypt. There's nothing wrong with it; it must work. I just wanted to point out that the new code works in both offline and online mode. The command "cryptsetup reencrypt" decides the mode depending on whether the device is active (luksOpen) or not.

So if you run "cryptsetup reencrypt" on an inactive device, it performs offline reencryption. If the device is active (luksOpened), it'll switch automatically into online mode.

Comment 2 Ondrej Kozina 2019-07-15 09:37:07 UTC
Ehm, actually, please better see the bug #1676622, comment 8 :)

Comment 3 Ondrej Kozina 2019-07-15 12:19:09 UTC
(In reply to Corey Marthaler from comment #0)
> ### Online reencrypt
> [root@hayes-02 ~]#  echo foobarglarch | cryptsetup reencrypt --active-name
> raid_luksvolume
> Finished, time 00:46.387, 4080 MiB written, speed  88.0 MiB/s   
> 
> [root@hayes-02 ~]# cryptsetup luksClose raid_luksvolume
> [root@hayes-02 ~]# echo foobarglarch | cryptsetup-reencrypt --decrypt
> /dev/raid_sanity/open_LUKS_fsadm_resize
> [root@hayes-02 ~]# echo $?
> 1

Ok, reproduced it. Actually, it's unrelated to the new reencryption code at all. It's a bug in the cryptsetup-reencrypt offline utility and very easily reproducible:

Format a device whose first active keyslot number is != 0:

1) echo "passs" | cryptsetup luksFormat /dev/sdx -S5
2) echo "passs" | cryptsetup-reencrypt --decrypt /dev/sdx (result retcode = 1)

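As an added example (not from the bug report or from cryptsetup's own code): a Python check that reads LUKS2 JSON metadata in the shape printed by `cryptsetup luksDump --dump-json-metadata <device>`, finds the lowest keyslot actually bound to a data segment, and flags volumes that a cryptsetup-reencrypt build older than the fixed one (cryptsetup-2.2.0-1.el8, per this bug) would fail to decrypt, which is the condition comment 3 identifies. The sample metadata is constructed; that an online reencryption leaves the replacement key in a non-zero keyslot is an assumption consistent with comment 3's diagnosis of Scenario 3.

```python
import json

# Constructed LUKS2 metadata in the shape printed by
# `cryptsetup luksDump --dump-json-metadata <device>`, trimmed to the
# objects this check reads. Assumption: after an online reencryption the
# old keyslot 0 is gone and the replacement key lives in keyslot 1.
SAMPLE_AFTER_REENCRYPT = json.dumps({
    "keyslots": {"1": {"type": "luks2", "key_size": 64}},
    "segments": {"0": {"type": "crypt", "offset": "16777216"}},
    "digests": {"0": {"type": "pbkdf2", "keyslots": ["1"], "segments": ["0"]}},
})

# Freshly formatted device: keyslot 0 is the active one.
SAMPLE_FRESH = json.dumps({
    "keyslots": {"0": {"type": "luks2", "key_size": 64}},
    "segments": {"0": {"type": "crypt", "offset": "16777216"}},
    "digests": {"0": {"type": "pbkdf2", "keyslots": ["0"], "segments": ["0"]}},
})

# Keyslot 0 exists but is unbound (its digest references no segment), so
# the lowest keyslot that can actually unlock the data is 3.
SAMPLE_UNBOUND = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "3": {"type": "luks2"}},
    "segments": {"0": {"type": "crypt", "offset": "16777216"}},
    "digests": {
        "0": {"type": "pbkdf2", "keyslots": ["3"], "segments": ["0"]},
        "1": {"type": "pbkdf2", "keyslots": ["0"], "segments": []},
    },
})

# Fixed version-release recorded in this bug ("Fixed In Version").
FIXED_VR = "2.2.0-1.el8"


def active_keyslots(metadata_json):
    """Sorted keyslot numbers that are bound to a data segment.

    In LUKS2 a keyslot can unlock the volume only when some digest links it
    to a segment; keyslots created with --unbound have no such link.
    """
    meta = json.loads(metadata_json)
    keyslots = meta.get("keyslots", {})
    bound = set()
    for digest in meta.get("digests", {}).values():
        if not digest.get("segments"):
            continue  # digest not tied to a segment: its keyslots are unbound
        bound.update(int(s) for s in digest.get("keyslots", []) if s in keyslots)
    return sorted(bound)


def first_active_keyslot(metadata_json):
    slots = active_keyslots(metadata_json)
    return slots[0] if slots else None


def _vr_key(version_release):
    """Comparison key for a 'version-release' string such as '2.2.0-0.2.el8':
    numeric components compare as integers, anything else as text."""
    version, _, release = version_release.partition("-")
    parts = version.split(".") + release.split(".")
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]


def affected_by_bz1729600(metadata_json, installed_vr):
    """True when offline `cryptsetup-reencrypt --decrypt` from a build older
    than FIXED_VR would hit this bug: the lowest active keyslot is not 0."""
    first = first_active_keyslot(metadata_json)
    return first not in (None, 0) and _vr_key(installed_vr) < _vr_key(FIXED_VR)
```

On a live system, feed the functions the JSON that `cryptsetup luksDump --dump-json-metadata` prints for the device, together with the installed cryptsetup-reencrypt version-release.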
Comment 7 Corey Marthaler 2019-08-19 20:24:45 UTC
Verified the issue in Scenario 3 is now fixed (the issues in Scenario 4 and 5 were syntax errors due to missing "reencrypt").

cryptsetup-2.2.0-1.el8    BUILT: Fri Aug 16 01:22:41 CDT 2019
cryptsetup-libs-2.2.0-1.el8    BUILT: Fri Aug 16 01:22:41 CDT 2019
cryptsetup-reencrypt-2.2.0-1.el8    BUILT: Fri Aug 16 01:22:41 CDT 2019


### Scenario 3: Decrypt an offline luks device (which *had* been *online* re-encrypted) FAILS
[root@hayes-01 ~]# lvcreate  --nosync --type raid1 -m 1 -n open_LUKS_fsadm_resize -L 4G --yes raid_sanity
  WARNING: New raid1 won't be synchronised. Don't read what you didn't write!
  Wiping ext2 signature on /dev/raid_sanity/open_LUKS_fsadm_resize.
  Logical volume "open_LUKS_fsadm_resize" created.
[root@hayes-01 ~]# echo foobarglarch | cryptsetup luksFormat --type luks2 /dev/raid_sanity/open_LUKS_fsadm_resize
[root@hayes-01 ~]# echo foobarglarch | cryptsetup luksOpen --disable-keyring /dev/raid_sanity/open_LUKS_fsadm_resize raid_luksvolume
[root@hayes-01 ~]# mkfs /dev/mapper/raid_luksvolume
mke2fs 1.44.6 (5-Mar-2019)
Creating filesystem with 1044480 4k blocks and 261120 inodes
Filesystem UUID: 53e91a40-4855-49a0-87e9-6771e138dc36
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done 

[root@hayes-01 ~]# echo foobarglarch | cryptsetup reencrypt --active-name raid_luksvolume
Finished, time 01:26.079, 4080 MiB written, speed  47.4 MiB/s
[root@hayes-01 ~]# cryptsetup luksClose raid_luksvolume
[root@hayes-01 ~]# echo foobarglarch | cryptsetup-reencrypt --decrypt /dev/raid_sanity/open_LUKS_fsadm_resize
Finished, time 00:41.574, 4080 MiB written, speed  98.1 MiB/s   
[root@hayes-01 ~]# echo $?
0
[root@hayes-01 ~]# mount /dev/raid_sanity/open_LUKS_fsadm_resize /mnt

Comment 9 errata-xmlrpc 2019-11-05 22:17:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3569

