XPost: linux.debian.bugs.dist 
 From: forestix@gaga.casa 
  
 Package: upgrade-reports 
 Severity: important 
 X-Debbugs-Cc: forestix@gaga.casa 
  
 My previous release is: Bookworm 
 I am upgrading to: Trixie 
 Archive date: (today) Thu Oct  2 20:21:22 UTC 2025 
 Upgrade date: 2025-09-04 
 uname -a before upgrade: (not recorded) 
 uname -a after upgrade: (not immediately recorded) 
 uname -a today: Linux ink 6.12.48+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 
 6.12.48-1 (2025-09-20) x86_64 GNU/Linux 
 Method: apt upgrade --without-new-pkgs; apt full-upgrade 
  
 Contents of /etc/apt/sources.list.d/debian.sources: 
  
 Types: deb deb-src 
 URIs: https://deb.debian.org/debian 
 Suites: trixie trixie-updates 
 Components: main non-free-firmware 
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg 
  
 Types: deb deb-src 
 URIs: https://security.debian.org/debian-security 
 Suites: trixie-security 
 Components: main non-free-firmware 
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg 
  
 - Were there any non-Debian packages installed before the upgrade?  If 
   so, what were they? 
   Yes: 
   - Various application & desktop packages with backported bug fixes, 
     none of which would be expected to cause the problems reported here. 
   - linux-image-amd64 6.12.38-1~bpo12+1 
  
 - Was the system pre-update a 'pure' system only containing packages 
   from the previous release? If not, which packages were not from that 
   release? 
   Close enough to pure that I would not expect any Debian upgrade problems. 
   (See previous question.) 
  
 - Did any packages fail to upgrade? 
   No. 
  
 - Were there any problems with the system after upgrading? 
   Yes: The upgrade rendered the system unbootable. 
  
  
 Further Comments/Problems: 
  
 The upgrade process completed without a hitch, until rebooting. 
 On first reboot, the familiar GRUB prompt asking for my LUKS passphrase 
 appeared. Upon entering the passphrase, the system rebooted into the 
 UEFI setup screen instead of bringing up the Debian GRUB menu with blue 
 background. 
  
 Investigation revealed the following: 
  
 - During the upgrade process, the installer asked whether to keep the 
   existing /etc/default/grub or replace it with the maintainer's 
   version. I chose replace, knowing that my kernel command line tweaks 
   would be overwritten, but assuming it would be otherwise safe. 
   It was not safe. 
  
 - It turns out that the new /etc/default/grub did not include 
   GRUB_ENABLE_CRYPTODISK=y, which I believe GRUB requires in order to 
   boot when the /boot directory lives within the encrypted / filesystem 
   (not a separate unencrypted partition) as it does on this system. 
  
 - The Debian upgrade process did not notice that this was the case, and 
   did not restore the critically important GRUB_ENABLE_CRYPTODISK=y 
   line that was in /etc/default/grub before the upgrade. 
  
 - I suspect this omission led to grub-install silently failing during 
   the upgrade process. 
   Evidence: 
   - While fixing this mess, my first attempt to run grub-install 
     failed, with an error message complaining about the missing 
     GRUB_ENABLE_CRYPTODISK=y. I did not see this message during the 
     upgrade process. This suggests to me that the upgrader swallowed 
     it, and assumed that grub-install had succeeded when it had not. 
   - After dealing with that and getting a successful grub-install, 
     I noticed that GRUB's passphrase prompt slightly changed: 
     The prompt text is now bright white instead of its former 
     dim/grayish. I imagine that the dim text probably came from the old 
     GRUB version still being installed on the boot device, but unable 
     to boot the system once the new GRUB config was applied. 
     Once the new version of grub-install had successfully run, the text 
     was bright white (presumably a change introduced by the new version) 
     and the system booted. 
  
 Based on what I've observed, It seems to me that the upgrade process 
 should have: 
  
 1. Noticed that GRUB_ENABLE_CRYPTODISK=y was present in the original 
    /etc/default/grub, and taken steps to preserve this critically 
    important setting. 
 2. Noticed that this sytem's /boot lives within the encrypted root 
    filesystem, therefore requiring GRUB_ENABLE_CRYPTODISK=y, 
    and taken steps to add it (or at least prompt the user about it) 
    if it was not present in /etc/default/grub. 
 3. Detected any failure or warning/error message from grub-install, 
    shown it to the user, and clearly stated that the system was not 
    likely to be bootable until this was dealt with. 
  
 Since the upgrader failed on all three of those points, my system was 
 left in a completely broken state that required considerable time, 
 knowledge, and patience to diagnose and recover from. The vast majority 
 of users would never be able to do that, and would probably consider 
 this a catastrophic failure. It could have been avoided. 
  
  
 Please attach the output of "COLUMNS=200 dpkg -l" (or "env COLUMNS ...", 
 depending on your shell) from before and after the upgrade so that we 
 know what packages were installed on your system. 
  
 For privacy reasons, I prefer not to reveal a list of all my installed 
 packages. If there are specific ones that would help the maintainers 
 address this problem, please just name them; I'll be happy to help. 
 Here are the grub-related ones: 
  
 $ grep grub apt-list-installed.before-upgrade 
 grub-common/oldstable,oldstable-security,now 2.06-13+deb12u1 amd64 
 [installed,automatic] 
 grub-efi-amd64-bin/oldstable,oldstable-security,now 2.06-13+deb12u1 amd64 
 [installed,automatic] 
 grub-efi-amd64-signed/oldstable,oldstable-security,now 1+2.06+13+deb12u1 
 amd64 
 [installed,automatic] 
 grub-efi-amd64/oldstable,oldstable-security,now 2.06-13+deb12u1 amd64 
 [installed] 
 grub2-common/oldstable,oldstable-security,now 2.06-13+deb12u1 amd64 
 [installed,automatic] 
  
 $ grep grub apt-list-installed.today 
 grub-common/stable,now 2.12-9 amd64 [installed,automatic] 
 grub-efi-amd64-bin/stable,now 2.12-9 amd64 [installed,automatic] 
 grub-efi-amd64-signed/stable,now 1+2.12+9 amd64 [installed,automatic] 
 grub-efi-amd64-unsigned/stable,now 2.12-9 amd64 [installed,automatic] 
 grub-efi-amd64/stable,now 2.12-9 amd64 [installed] 
 grub2-common/stable,now 2.12-9 amd64 [installed,automatic] 
  
 --- SoupGate-Win32 v1.05 
  * Origin: you cannot sedate... all the things you hate (1:229/2)