[ubuntu/focal-proposed] strongswan 5.8.1-1ubuntu1 (Accepted)
Christian Ehrhardt
christian.ehrhardt at canonical.com
Tue Nov 19 15:01:14 UTC 2019

strongswan (5.8.1-1ubuntu1) focal; urgency=medium

  * Merge with Debian unstable (LP: #1852579). Remaining changes:
    - d/control: Transition from strongswan-tnc-* being in extra packages
      to libcharon-extra-plugins
  * Added Changes:
    - d/control: Transition from former Ubuntu only libcharon-standard-plugins
      to common libcharon-extauth-plugins (drop after 20.04)
    - d/control: strongswan-starter hard-depends on strongswan-charon,
      therefore bump the dependency from Recommends to Depends. At the same
      time avoid a circular dependency by dropping
      strongswan-charon->strongswan-starter from Depends to Recommends as the
      binaries can work without the services but not vice versa.
  * Dropped Changes (now in Debian):
    - Clean up d/strongswan-starter.postinst: section about runlevel changes
    - Clean up d/strongswan-starter.postinst: Removed entire section on
      opportunistic encryption disabling - this was never in strongSwan and
      won't be, see upstream issue #2160.
    - d/rules: Removed patching ipsec.conf on build (not using the
      debconf-managed config.)
    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
      used for debconf-managed include of private key).
    - Add plugin kernel-libipsec to allow the use of strongswan in containers
      via this userspace implementation (please do note that this is still
      considered experimental by upstream).
      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
      + d/control: List kernel-libipsec plugin at extra plugins description
      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
        upstream recommends to not load kernel-libipsec by default.
    - d/control: Mention mgf1 plugin which is in libstrongswan now
    - Complete the disabling of libfast; This was partially accepted in Debian,
      it is no more packaging medcli and medsrv, but still builds and
      mentions it.
      + d/rules: Add --disable-fast to avoid build time and dependencies
      + d/control: Remove medcli, medsrv from package description
    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
      libstrongswan-extra-plugins (no deps from default plugins).
    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
      plugins for the most common use cases from extra-plugins into a new
      standard-plugins package. This will allow those use cases without pulling
      in too much more plugins (a bit like the tnc package). Recommend that
      package from strongswan-libcharon.
    - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250)
    - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956)
    - executables need to be able to read map and execute themselves otherwise
      execution in some environments e.g. containers is blocked (LP 1780534)
      + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
      + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
    - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
      profiles of both ways to start charon (LP 1807664)
    - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962)
    - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
      Debian so this part was dropped. Two changes remain
    - d/control: fix the mentioning of tpmtss in d/control
    - apparmor fixes for container and root usage (LP 1826238)
      + d/usr.sbin.swanctl: allow reading own binary
      + d/usr.sbin.charon-systemd: allow accessing the binary
      + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
      + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
        to apparmor to allow dropping caps
  * Dropped Changes (too uncommon to support by default)
    - d/libstrongswan.install: Add kernel-netlink configuration files
    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
      attr-sql plugins (LP 1766240) - no more needed as it isn't enabled.
    - Mass enablement of extra plugins and features to allow a user to use
      strongswan for a variety of extra use cases without having to rebuild.
      + d/control: Add required additional build-deps
      + d/control: Mention additionally enabled plugins
      + d/rules: Enable features at configure stage
      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      + d/libstrongswan.install: Add plugins (so, conf)
      + d/strongswan-starter.install: Install pool feature, which is useful
        since we now have attr-sql plugin enabled it.
    - Enable additional TNC plugins and add them to libcharon-extra-plugins

strongswan (5.8.1-1) unstable; urgency=medium

  * d/rules: disable http and stream tests under CI
  * New upstream version 5.8.1

strongswan (5.8.0-2) unstable; urgency=medium

  [ Christian Ehrhardt ]
  * d/control: Mention mgf1 plugin which is in libstrongswan now
  * Complete the disabling of libfast
  * Clean up d/strongswan-starter.postinst: section about runlevel changes
  * Clean up d/strongswan-starter.postinst: opportunistic encryption
  * Enable kernel-libipsec for use of strongswan in containers
  * d/control, d/libcharon-{extras,extauth}-plugins.install: Add
    extauth-plugins package (Recommends)
  * apparmor: d/usr.lib.ipsec.charon: sync notify rule from charon-systemd
  * apparmor: fix apparmor denies reading the own FDs (LP: 1786250)
  * apparmor: d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin
    (LP: 1773956)
  * apparmor: d/usr.lib.ipsec.stroke: executables need to be able to read map
    and execute themselves
  * apparmor: d/usr.lib.ipsec.lookip: executables need to be able to read map
    and execute themselves
  * apparmor: d/usr.sbin.swanctl: add apparmor rule for af-alg plugin
    (LP: 1807962)
  * d/control: libtpmtss is actually packaged in libstrongswan-extra-plugins

  [ Ryan Harper ]
  * Remove code related to unused debconf managed config

  [ Yves-Alexis Perez ]
  * ship xfrmi only on Linux, fix FTBFS on kfreebsd
  * d/libcharon-extra-plugins.install: drop plugins disabled in Debian
  * d/control: update standards version to 4.4.1
  * d/strongswan-starter.templates: drop runlevel_changes
  * let dh_installinit handle update-rc.d calls
  * d/salsa-ci.yml: add a salsa pipeline config
  * d/rules: drop dbgsym migration
  * strongswan-starter: update line number in lintian override

strongswan (5.8.0-1) unstable; urgency=medium

  [ Christian Ehrhardt ]
  * Fix fails in debian CI (Closes: #926479)

  [ Simon Deziel ]
  * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP to
    apparmor to allow dropping caps
  * d/usr.sbin.swanctl: add attach_disconnected to work inside containers
  * d/usr.sbin.charon-systemd: allow accessing the binary
  * d/usr.sbin.swanctl: allow reading own binary

  [ Yves-Alexis Perez ]
  * New upstream version 5.8.0
  * d/control: update standards version to 4.4.0
  * use debhelper-compat b-d for dh compat level
  * d/control: bump dh compat level to 11
  * d/rules: drop systemd addon, useless in compat 11
  * strongswan-libcharon: install xfrmi binary
  * d/patches refreshed for new upstream release
  * handle renaming of systemd service files
  * d/control: remove obsolete breaks/replaces

Date: Thu, 14 Nov 2019 15:00:15 +0100
Changed-By: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/strongswan/5.8.1-1ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 14 Nov 2019 15:00:15 +0100
Source: strongswan
Binary: strongswan libstrongswan libstrongswan-standard-plugins libstrongswan-extra-plugins libcharon-extauth-plugins libcharon-standard-plugins strongswan-tnc-ifmap strongswan-tnc-base strongswan-tnc-client strongswan-tnc-server strongswan-tnc-pdp libcharon-extra-plugins strongswan-starter strongswan-libcharon strongswan-charon strongswan-nm charon-cmd strongswan-pki strongswan-scepclient strongswan-swanctl charon-systemd
Architecture: source
Version: 5.8.1-1ubuntu1
Distribution: focal
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Description:
charon-cmd - standalone IPsec client
charon-systemd - strongSwan IPsec client, systemd support
libcharon-extauth-plugins - strongSwan charon library (extended authentication plugins)
libcharon-extra-plugins - strongSwan charon library (extra plugins)
libcharon-standard-plugins - transitional package
libstrongswan - strongSwan utility and crypto library
libstrongswan-extra-plugins - strongSwan utility and crypto library (extra plugins)
libstrongswan-standard-plugins - strongSwan utility and crypto library (standard plugins)
strongswan - IPsec VPN solution metapackage
strongswan-charon - strongSwan Internet Key Exchange daemon
strongswan-libcharon - strongSwan charon library
strongswan-nm - strongSwan plugin to interact with NetworkManager
strongswan-pki - strongSwan IPsec client, pki command
strongswan-scepclient - strongSwan IPsec client, SCEP client
strongswan-starter - strongSwan daemon starter and configuration file parser
strongswan-swanctl - strongSwan IPsec client, swanctl command
strongswan-tnc-base - transitional package
strongswan-tnc-client - transitional package
strongswan-tnc-ifmap - transitional package
strongswan-tnc-pdp - transitional package
strongswan-tnc-server - transitional package
Closes: 926479
Launchpad-Bugs-Fixed: 1852579
Original-Maintainer: strongSwan Maintainers <pkg-swan-devel at lists.alioth.debian.org>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----