[Bug 1755693] Re: strongswan-starter should conflict with openswan due to shared file /usr/sbin/ipsec
Eric Desrochers
eric.desrochers at canonical.com
Thu Mar 15 12:51:09 UTC 2018
** Changed in: strongswan (Ubuntu Trusty)
Assignee: (unassigned) => Trent Lloyd (lathiat)
** Changed in: strongswan (Ubuntu Trusty)
Importance: Undecided => Medium
** Description changed:
strongswan-starter and openswan both share the file /usr/sbin/ipsec
however there is no Conflicts relationship
+
+ $ apt-file search /usr/sbin/ipsec
+ openswan: /usr/sbin/ipsec
+ strongswan-starter: /usr/sbin/ipsec
openswan was deprecated in utopic, so trusty installations may wish to
migrate to strongswan ahead of a xenial upgrade. In that case, the
package upgrade can fail.
This was previously fixed upstream in Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740808
For apt operation ordering reasons I don't understand, the issue only
appears when something else on the system (such as neutron-vpn-agent)
depends on (strongswan | openswan). Just installing strongswan and
replacing it with openswan or vica-versa doesn't cause the issue to
trigger.
The Conflicts already exists in xenial through bionic, just not in
trusty. So the upload would only be required in trusty.
[Impact]
- * Users are unable to replace openswan with strongswan on trusty systems, where the next major Ubuntu release (xenial) dropped support for openswan completely but strongswan exists on both
- * Only users on trusty are affected, once upgraded to xenial this change is already in place
+ * Users are unable to replace openswan with strongswan on trusty systems, where the next major Ubuntu release (xenial) dropped support for openswan completely but strongswan exists on both
+ * Only users on trusty are affected, once upgraded to xenial this change is already in place
[Test Case]
On a trusty machine (e.g. lxd)
add-apt-repository cloud-archive:mitaka # the trusty version of neutron-vpn-agent does not have the dependency on openswan causing the bug to trigger
apt update
apt install neutron-vpn-agent openswan # you can answer no to X509 generation
apt install strongswan
[Regression Potential]
- * I don't believe the conflicts introduces a new issue in terms of a
+ * I don't believe the conflicts introduces a new issue in terms of a
conflict that didn't previously exist, since the packages contain a
conflicting file and strongswan-starter depends on strongswan-ike which
already has a Conflicts in place. So in terms of the dependency tree
they already conflicted, but did not prevent this temporary file
conflict.
- * Other regression potential would be package rebuild related -- this
+ * Other regression potential would be package rebuild related -- this
package has had security uploads as recently as August 2017 so that risk
appears reduced
[Other Info]
-
- * Same change is already in place from xenial onwards, so no SRU uploads other than trusty are required
+
+ * Same change is already in place from xenial onwards, so no SRU
+ uploads other than trusty are required
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1755693
Title:
strongswan-starter should conflict with openswan due to shared file
/usr/sbin/ipsec
Status in strongswan package in Ubuntu:
Confirmed
Status in strongswan source package in Trusty:
New
Bug description:
strongswan-starter and openswan both share the file /usr/sbin/ipsec
however there is no Conflicts relationship
$ apt-file search /usr/sbin/ipsec
openswan: /usr/sbin/ipsec
strongswan-starter: /usr/sbin/ipsec
openswan was deprecated in utopic, so trusty installations may wish to
migrate to strongswan ahead of a xenial upgrade. In that case, the
package upgrade can fail.
This was previously fixed upstream in Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740808
For apt operation ordering reasons I don't understand, the issue only
appears when something else on the system (such as neutron-vpn-agent)
depends on (strongswan | openswan). Just installing strongswan and
replacing it with openswan or vica-versa doesn't cause the issue to
trigger.
The Conflicts already exists in xenial through bionic, just not in
trusty. So the upload would only be required in trusty.
[Impact]
* Users are unable to replace openswan with strongswan on trusty systems, where the next major Ubuntu release (xenial) dropped support for openswan completely but strongswan exists on both
* Only users on trusty are affected, once upgraded to xenial this change is already in place
[Test Case]
On a trusty machine (e.g. lxd)
add-apt-repository cloud-archive:mitaka # the trusty version of neutron-vpn-agent does not have the dependency on openswan causing the bug to trigger
apt update
apt install neutron-vpn-agent openswan # you can answer no to X509 generation
apt install strongswan
[Regression Potential]
* I don't believe the conflicts introduces a new issue in terms of a
conflict that didn't previously exist, since the packages contain a
conflicting file and strongswan-starter depends on strongswan-ike
which already has a Conflicts in place. So in terms of the dependency
tree they already conflicted, but did not prevent this temporary file
conflict.
* Other regression potential would be package rebuild related -- this
package has had security uploads as recently as August 2017 so that
risk appears reduced
[Other Info]
* Same change is already in place from xenial onwards, so no SRU
uploads other than trusty are required
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1755693/+subscriptions
More information about the Ubuntu-sponsors
mailing list