Strongswan merge for Xenial

Ryan Harper ryan.harper at canonical.com
Fri Jan 22 16:54:14 UTC 2016


Hello,

I've been working on merging[1] strongswan from Debian into Ubuntu for
Xenial.  We've not completed a merge with Debian for some time (Feb 19,
2014 was the last time).  Ubuntu has been using version 5.1.2 since then
but Debian and upstream have moved on.  Ubuntu has collected a large delta
relative to Debian, and with this merge I'm attempting to reduce the delta to
ease merging in the future.  In particular, the major change would be to
no longer create a package per-plugin and instead use the more general
standard/extra plugin packages as in Debian.  Each plugin has an
individual conf file which controls settings including whether to load or
not.  Currently the default template conf files default to loading plugins
if present;  it's not clear to me if this is a sensible default or if we
should leave them off by default.  Note that Strongswan doesn't currently
have something akin to apache's a2enmod and a2dismod meaning users will
need to edit conf as needed.  During this merge, I've also been using a
git-based merge workflow and the git repo tracking it is available here[3].

Since the delta is large, I want to make sure that we document the changes
and provide opportunity for users of Strongswan in Ubuntu to provide
feedback and comments on this merge.  I've updated the package and placed
it in a PPA[2].

The remaining work items are:
  - Adding in transitional virtual Packages for upgrade from 5.1.2-0ubuntu8
  - Testing package upgrade
  - Attempting to exercise various modes of Strongswan, including the TPM
    enablement
  - Continue dropping additional delta no longer needed
  - Bug fixes (documenting which bugs this merge will resolve)

I also plan to discuss many of the Ubuntu changes with Debian maintainers
to see if we can get some of the changes picked up there as well.


Below are some of the various changes between 5.1.2-0ubuntu8 and the 5.3.5-1
(Debian) release.

    - In Debian 5.3.5, there are 9 Packages defined in debian/control, and in
    Ubuntu 5.1.2-0ubuntu8 we have 70, mostly due to a binary per plugin
    in Ubuntu.

    - Ubuntu also enables TNC Client and Server which requires enabling
    and packaging different binaries and plugins.
    https://wiki.strongswan.org/projects/1/wiki/TNCC

    - Ubuntu has AppArmor profiles for some binaries

    - Ubuntu updated start/stop scripts to use service instead of
    invoke-rc.d (may be moot w.r.t. systemd for Ubuntu)

    - Debian builds pt-tls-client but without TNC (Debian includes it in
    libcharon-extra-plugins)

    - Ubuntu enables many additional options/features, including TPM support
    (with-tss=trousers, libtspi-dev) and smartcard access (libpcsclite-dev)

    - Ubuntu enables (but Debian does not)
        unbound
        dnscert
        ipseckey
        coupling
        imv-swid
        imc-swid
        tnc-ifmap
        mysql
        tnc-pdp
        load-tester
        whitelist
        radattr
        ntru
        soup
        sqlite
        md4
        eap-*

    - Debian enables (but Ubuntu does not)
        ha (needs special kernel as per jpds)

    - Builddeps in Debian (but not Ubuntu)
        clearsilver-dev
        libfcgi-dev

    - Other Removals from Debian
        *logcheck* files (not relevant to StrongSwan per jpds)

    - Ubuntu builds with nostrip for integrity checking (TPM)

    - Ubuntu sets TESTS_REDUCED_KEYLENGTHS to generate smallest length key
    for tests.


Some additional changes which have raised some questions to which I don't
know the answer; any input is helpful here.

    - Ubuntu drops install of debconf managed
    /var/lib/strongswan/ipsec.conf.inc

    - Ubuntu force-builds dhcp/farp instead of keeping them under Linux-only

    - Debian still calls dh_installinit with ipsec vs
    strongswan

    - Dropped Debian's enabling of IKEv1 and v2 by default?

    - Ubuntu systemd file differs from Debian and Upstream.

    - Ubuntu disables ha (claim in changelog says it requires a special kernel)

    - Ubuntu disables fastcgi (libfcgi)

    - Ubuntu disables clearsilver (as per MIR[4] noted discussion with
    upstream)


Upstream changes in Strongswan since 5.1.2 that have an impact on the Ubuntu
changes we're carrying:

    - libpts dropped in 5.2.1, affects tnc-base

    - no updown_espmark, updown manpage

    - no openac, replaced with pki --acert command.
    https://wiki.strongswan.org/projects/strongswan/wiki/OpenAc

    - libjson0-dev build-dep added

    - enable-unit-tests dropped (unit tests run by default during build)



1. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951
2. ppa:raharper/merges
3. https://code.launchpad.net/~raharper/ubuntu/+source/strongswan/+git/strongswan
4. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1266066
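The message above notes that each strongSwan plugin is controlled by its own conf file (including whether it loads) and that there is no a2enmod/a2dismod equivalent. The following is an added example, not code from the message or from the strongswan package: a small helper that lists each plugin's `load` setting and toggles it. It assumes upstream's layout of one `/etc/strongswan.d/charon/<plugin>.conf` per plugin containing a `load = yes` line, and the `STRONGSWAN_PLUGIN_DIR` override is this example's own.

```shell
#!/bin/sh
# Added example (not from the original message or the strongswan package):
# an a2enmod/a2dismod-style helper for strongSwan per-plugin conf files.
# Assumed layout: /etc/strongswan.d/charon/<plugin>.conf, each with "load = yes".
set -eu

CONF_DIR="${STRONGSWAN_PLUGIN_DIR:-/etc/strongswan.d/charon}"

# Print the effective "load" value of one plugin conf file.
# A file with no load key is reported as "yes", strongSwan's default for
# plugin sections. Comment lines ("# ... load ...") are not matched.
plugin_load_setting() {
    v=$(sed -n 's/^[[:space:]]*load[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${v:-yes}"
}

# List every plugin in a conf directory as "<plugin> <load>", one per line,
# so unneeded plugins (attack surface) are easy to spot before disabling them.
list_plugins() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f" .conf)" "$(plugin_load_setting "$f")"
    done
}

# Rewrite the existing load line of one plugin conf file to "yes" or "no",
# leaving comments and other settings untouched. A file without a load line
# is left unchanged (the shipped templates always carry one).
set_plugin_load() {
    f="$1"; val="$2"
    case "$val" in yes|no) ;; *) echo "load must be yes or no" >&2; return 1 ;; esac
    tmp=$(mktemp)
    sed "s/^\([[:space:]]*load[[:space:]]*=[[:space:]]*\)[^[:space:]#]*/\1$val/" "$f" > "$tmp"
    cat "$tmp" > "$f"   # write through to keep the file's owner and mode
    rm -f "$tmp"
}

# Usage: plugins.sh list | enable <plugin> | disable <plugin>
case "${1:-}" in
    list)    list_plugins "$CONF_DIR" ;;
    enable)  set_plugin_load "$CONF_DIR/$2.conf" yes ;;
    disable) set_plugin_load "$CONF_DIR/$2.conf" no ;;
    *)       echo "usage: $0 list | enable <plugin> | disable <plugin>" >&2 ;;
esac
```

Reload the daemon after changing a setting, since the conf files are read at startup.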