Description: <short summary of the patch>
 TODO: Put a short summary on the line above and replace this paragraph
 with a longer explanation of this change. Complete the meta-information
 with other relevant fields (see below for details). To make it easier, the
 information below has been extracted from the changelog. Adjust it or drop
 it.
 .
 live-boot (3.0~a27-1+tails2~1.gbp319fe6) UNRELEASED; urgency=low
 .
   ** SNAPSHOT build @319fe6f7c8aa64c3a4c75628d0cd3fa16fdf2460 **
 .
   [ Ian Reinhart Geiser ]
   * Fix to allow for multiple rof when exposed roots is disabled.
 .
   [ Tails developers ]
   * Implement and make use of robust list functions.
   * Use single-debian-patch.
Author: Tails developers <tails@boum.org>

---
The information above should follow the Patch Tagging Guidelines; please
check out http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: http://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: <YYYY-MM-DD>

--- live-boot-3.0~a27.orig/scripts/live-helpers
+++ live-boot-3.0~a27/scripts/live-helpers
@@ -388,7 +388,7 @@ Arguments ()
 	then
 		PERSISTENCE_ENCRYPTION="none"
 		export PERSISTENCE_ENCRYPTION
-	elif echo ${PERSISTENCE_ENCRYPTION} | grep -qe "\<luks\>"
+	elif is_in_comma_sep_list luks ${PERSISTENCE_ENCRYPTION}
 	then
 		if ! modprobe dm-crypt
 		then
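Review bot: The list argument on the new `elif` line is expanded unquoted, so `${PERSISTENCE_ENCRYPTION}` goes through word splitting and pathname expansion before `is_in_comma_sep_list` sees it. The helper already joins its remaining arguments with `${*}`, so quoting costs nothing: `elif is_in_comma_sep_list luks "${PERSISTENCE_ENCRYPTION}"`. The same applies to the other new comma-list call sites in this patch: the `PERSISTENCE_ENCRYPTION` and `PERSISTENCE_STORAGE` tests in find_persistence_media() and the `PERSISTENCE_METHOD` tests in setup_unionfs() in scripts/live. These values appear to come from boot parameters (not visible here), so I would not rely on them being free of glob characters. Arguments() starts and ends outside this hunk.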
@@ -418,6 +418,27 @@ Arguments ()
 	fi
 }
 
+is_in_list_separator_helper () {
+	local sep=${1}
+	shift
+	local element=${1}
+	shift
+	local list=${*}
+	echo ${list} | grep -qe "^\(.*${sep}\)\?${element}\(${sep}.*\)\?$"
+}
+
+is_in_space_sep_list () {
+	local element=${1}
+	shift
+	is_in_list_separator_helper "[[:space:]]" "${element}" "${*}"
+}
+
+is_in_comma_sep_list () {
+	local element=${1}
+	shift
+	is_in_list_separator_helper "," "${element}" "${*}"
+}
+
 sys2dev ()
 {
 	sysdev=${1#/sys}
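Review bot: `is_in_list_separator_helper` interpolates `${element}` straight into the grep pattern, so a regex metacharacter in the element (a `.` in a device name, for instance) acts as an operator instead of matching literally. The `echo ${list}` feeding grep is also unquoted, which adds pathname expansion and echo's own option handling to the input. These helpers now decide device blacklist/whitelist membership and the persistence encryption policy, so the comparison should be an exact string match. A `case` match and a plain `[ = ]` loop in the two wrappers do that without forking grep, and the regex helper is then no longer needed; a sketch follows.

```shell
is_in_space_sep_list () {
	local element=${1}
	shift
	local item
	# Unquoted on purpose: split the list on IFS whitespace. Pathname
	# expansion still applies, as it did with "echo ${list}".
	for item in ${*}
	do
		if [ "${item}" = "${element}" ]
		then
			return 0
		fi
	done
	return 1
}

is_in_comma_sep_list () {
	local element=${1}
	shift
	# The quoted parts of a case pattern are matched literally, so no
	# character of ${element} is treated as a pattern operator.
	case ",${*}," in
		*",${element},"*)
			return 0
			;;
	esac
	return 1
}
```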
@@ -449,9 +470,9 @@ storage_devices()
 	do
 		fulldevname=$(sys2dev "${sysblock}")
 
-		if echo "${black_listed_devices}" | grep -qe "\<${fulldevname}\>" || \
+		if is_in_space_sep_list ${fulldevname} ${black_listed_devices} || \
 			[ -n "${white_listed_devices}" ] && \
-			echo "${white_listed_devices}" | grep -qve "\<${fulldevname}\>"
+			! is_in_space_sep_list ${fulldevname} ${white_listed_devices}
 		then
 			# skip this device entirely
 			continue
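Review bot: In the new condition `A || B && ! C`, the shell gives `||` and `&&` equal precedence and evaluates left to right, so it reads as `(blacklisted || whitelist set) && not whitelisted`, and a device that is on both lists is not skipped. The grouping is inherited from the old grep version, but if the blacklist is meant to win it needs explicit braces: `if is_in_space_sep_list "${fulldevname}" ${black_listed_devices} || { [ -n "${white_listed_devices}" ] && ! is_in_space_sep_list "${fulldevname}" ${white_listed_devices}; }`. Quoting `${fulldevname}` (and `${devname}` in the next hunk) matters too: if sys2dev ever returns an empty string, the unquoted argument disappears and the first list entry is taken as the element. The enclosing loop in storage_devices() starts and ends outside the hunk.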
@@ -461,7 +482,7 @@ storage_devices()
 		do
 			devname=$(sys2dev "${dev}")
 
-			if echo "${black_listed_devices}" | grep -qe "\<${devname}\>"
+			if is_in_space_sep_list ${devname} ${black_listed_devices}
 			then
 				# skip this subdevice
 				continue
@@ -984,7 +1005,7 @@ find_persistence_media ()
 		# in order to probe any filesystem it contains, like we do
 		# below. activate_custom_mounts() also depends on that any luks
 		# device already has been opened.
-		if echo ${PERSISTENCE_ENCRYPTION} | grep -qe "\<luks\>" && \
+		if is_in_comma_sep_list luks ${PERSISTENCE_ENCRYPTION} && \
 		   is_luks_partition ${dev}
 		then
 			if luks_device=$(open_luks_device "${dev}")
@@ -994,14 +1015,14 @@ find_persistence_media ()
 				# skip $dev since we failed/chose not to open it
 				continue
 			fi
-		elif echo ${PERSISTENCE_ENCRYPTION} | grep -qve "\<none\>"
+		elif ! is_in_comma_sep_list none ${PERSISTENCE_ENCRYPTION}
 		then
 			# skip $dev since we don't allow unencrypted storage
 			continue
 		fi
 
 		# Probe for matching GPT partition names or filesystem labels
-		if echo ${PERSISTENCE_STORAGE} | grep -qe "\<filesystem\>"
+		if is_in_comma_sep_list filesystem ${PERSISTENCE_STORAGE}
 		then
 			result=$(probe_for_gpt_name "${overlays}" "${snapshots}" ${dev})
 			if [ -n "${result}" ]
@@ -1019,7 +1040,7 @@ find_persistence_media ()
 		fi
 
 		# Probe for files with matching name on mounted partition
-		if echo ${PERSISTENCE_STORAGE} | grep -qe "\<file\>"
+		if is_in_comma_sep_list file ${PERSISTENCE_STORAGE}
 		then
 			result=$(probe_for_file_name "${overlays}" "${snapshots}" ${dev})
 			if [ -n "${result}" ]
--- live-boot-3.0~a27.orig/scripts/live
+++ live-boot-3.0~a27/scripts/live
@@ -1001,12 +1001,12 @@ setup_unionfs ()
 				;;
 		esac
 
-		if echo ${PERSISTENCE_METHOD} | grep -qe "\<overlay\>"
+		if is_in_comma_sep_list overlay ${PERSISTENCE_METHOD}
 		then
 			overlays="${old_root_overlay_label} ${old_home_overlay_label} ${custom_overlay_label}"
 		fi
 
-		if echo ${PERSISTENCE_METHOD} | grep -qe "\<snapshot\>"
+		if is_in_comma_sep_list snapshot ${PERSISTENCE_METHOD}
 		then
 			snapshots="${root_snapshot_label} ${home_snapshot_label}"
 		fi
@@ -1108,15 +1108,15 @@ setup_unionfs ()
 
 	rofscount=$(echo ${rofslist} |wc -w)
 
-	# XXX: we now ensure that there can only be one read-only filesystem. Should this be inside the EXPOSED_ROOT if?
-	if [ ${rofscount} -ne 1 ]
-	then
-		panic "only one RO file system supported with exposedroot: ${rofslist}"
-	fi
 	rofs=${rofslist%% }
 
 	if [ -n "${EXPOSED_ROOT}" ]
 	then
+		if [ ${rofscount} -ne 1 ]
+		then
+			panic "only one RO file system supported with exposedroot: ${rofslist}"
+		fi
+
 		mount --bind ${rofs} ${rootmnt} || \
 			panic "bind mount of ${rofs} failed"
 
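Review bot: Moving the `rofscount` test inside the `EXPOSED_ROOT` branch also drops the zero case for normal boots: the old `-ne 1` check panicked when `rofslist` was empty, and nothing in this hunk replaces that. If the code further down does not already handle an empty list, keep a guard before `rofs=` such as `[ "${rofscount}" -ge 1 ] || panic "no RO file system found"`. With several entries, `rofs=${rofslist%% }` now holds more than one path, so any later unquoted use of `${rofs}` relies on word splitting. setup_unionfs() continues past the end of the hunk, so both points need checking against the rest of the function.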
