Strongswan merge for Xenial
ryan.harper at canonical.com
Mon Jan 25 14:49:44 UTC 2016
On Sun, Jan 24, 2016 at 9:38 PM, Simon Deziel <simon at sdeziel.info> wrote:
> Hi Ryan,
Thanks for taking a look at this merge. I really appreciate the help
sorting through this merge.
> On 2016-01-22 11:54 AM, Ryan Harper wrote:
> > Hello,
> > I've been working on merging strongswan from Debian into Ubuntu for
> > Xenial. We've not completed a merge with Debian for some time (Feb 19,
> > 2014 was the last time). Ubuntu has been using version 5.1.2 since then
> > but Debian and upstream have moved on. Ubuntu has collected a large
> > between Debian and with this merge I'm attempting to reduce the delta to
> > ease merging in the future. In particular, the major change would be to
> > no longer create a package per-plugin and instead use the more general
> > standard/extra plugin packages as in Debian. Each plugin has an
> > individual conf file which controls settings including whether to load or
> > not. Currently the default template conf files default to loading
> > if present; it's not clear to me if this is a sensible default or if we
> > should left them off by default. Note that Strongswan doesn't currently
> > have something akin to apache's a2enmod and a2dismod meaning users will
> > need to edit conf as needed. During this merge, I've also been using a
> > git-based merge workflow and the git repo tracking it is available
> > Since the delta is large, I want to make sure that we document the
> > and provide opportunity for users of Strongswan in Ubuntu to provide
> > feedback and comments on this merge. I've updated the package and placed
> > it in a PPA.
> Awesome work!
> > The remaining work items are:
> > - Adding in transitional virtual Packages for upgrade from
> > - Testing package upgrade
> I upgraded one system so far and it went well.
OK. Do you have any of the plugins installed?
> > - Attempting exercise various modes of Strongswan, including the TPM
> > enablement
> > - Continue dropping additional delta no longer needed
> > - Bug fixes (documenting which bugs this merge will resolve)
> If you bring in the few changes from , almost every bug in LP against
> Strongswan should be addressed.
Thanks, I'll go take a look at those changes.
> > I also plan to discuss many of the Ubuntu changes with Debian maintainers
> > to see if we can get some of the changes picked up there as well.
> I quickly skimmed Debian bugs and some of them could be closed by
> adopting some of the Ubuntu delta:
> debian #803787: ntru/bliss support (only ntru is enabled in Ubuntu)
> debian #739641: kernel-libipsec support
Great, I'll look at those too.
> > Below are some of the various changes between 5.1.2-0ubuntu8 and 5.3.5-1
> > (Debian) release.
> > - In Debian 5.3.5, there are 9 Packages defined in debian/control,
> > and in
> > Ubuntu 5.1.2-0ubuntu8 we have 70, mostly due to a binary per plugin
> > in Ubuntu.
> > - Ubuntu also enables TNC Client and Server which requires enabling
> > and packaging different binaries and plugins.
> > https://wiki.strongswan.org/projects/1/wiki/TNCC
> > - Ubuntu has AppArmor profiles for some binaries
> > - Ubuntu updated start/stop scripts to use service instead of
> > invoke-rc.d (may be moot w.r.t systemd for Ubuntu) Debian builds
> > pt-tls-client but without TNC (Debian includes it in
> > libcharon-extra-plugins)
> > - Ubuntu enables many additional options/features, including TPM
> > (with-tss=trousers, libtspi-dev) and smartcard access
> > - Ubuntu enables (but Debian does not)
> > unbound
> > dnscert
> > ipseckey
> > coupling
> > imv-swid
> > imc-swid
> > tnc-ifmap
> > mysql
> > tnc-pdp
> > load-tester
> > whitelist
> > radattr
> > ntru
> > soup
> > sqlite
> > md4
> > eap-*
> The acert plugin seems to be missing in your refreshed package. It was
> previously enabled in Ubuntu and the provided functionality seems useful
OK. Will fix.
> > - Debian enables (but Ubuntu does not)
> > ha (needs special kernel as per jpds)
> > - Builddeps in Debian (but not Ubuntu)
> > clearsilver-dev
> > libfcgi-dev
> > - Other Removals from Debian
> > *logcheck* files (not relevant to StrongSwan per jpds)
> The logcheck files are really dated (see debian #787156) and I've
> accumulated a few rules on my own. Even at the default log level charon
> is very verbose so I think it makes sense to have the package shipping
> logcheck rules. I'd be happy to provided those.
> > - Ubuntu builds with nostrip for integrity checking (TPM)
> > - Ubuntu sets TESTS_REDUCED_KEYLENGTHS to generate smallest length
> > for tests.
> > Some additional changes which have raised some questions to which I don't
> > know the answer; any input is helpful here.
> > - Ubuntu drops install of debconf managed
> > /var/lib/strongswan/ipsec.conf.inc
> > - Ubuntu force-building dhcp/farp instead of keeping under Linux-only
> Debian #640928 says it's to support kFreeBSD. Those plugins require
> CAP_NET_BIND_SERVICE and/or CAP_NET_RAW so maybe that's the explanation?
OK, I'll explore. AFAICT, there's nothing wrong with leaving it how Debian
has it; that is
Ubuntu Linux still builds those packages as they are and dropping this
delta reduces merge burden.
> > - Debian still calls dh_installinit with ipsec vs
> > strongswan
> > - dropped Debian's enabling IKEv1 and v2 by default?
> Upstream's default when no specific version is configured is to use
> IKEv2 when initiating and accept both when responding.
Interesting. Does that seem reasonable? I imagine that enabling v1 and v2
wider compatibility between client/server? Is this still worth enabling vs
more secure (I'm asserting v2 is likely more robust than v1, hence a
> > - Ubuntu systemd file differs from Debian and Upstream.
> > - Ubuntu disable ha (claim in changelog says requires special kernel)
> > - Ubuntu disables fastcgi (libfcgi)
> > - Ubuntu disables clearsilver (as per MIR noted discussion with
> > upstream)
> > Upstream changes in Strongswan since 5.1.2 that have an impact on the
> > changes we're carrying.
> > - libpts dropped in 5.2.1, affects tnc-base
> > - no updown_espmark, updown manpage
> updown_espmark was apparently created to support kernels < 2.6.16.
> The updown man page will probably not be missed because the shell script
> is well documented on its own.
OK. Seems like a reasonable drop due to changes upstream.
> > - no openac, replaced with pki --acert command.
> > https://wiki.strongswan.org/projects/strongswan/wiki/OpenAc
> If the acert plugin functionality is restored I believe this would be a
> non issue.
> > 1. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951
> > 2. ppa:raharper/merges
> > 3.
> > 4. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1266066
> 6: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiAcert
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the ubuntu-devel