[Bug 1755693] Re: strongswan-starter should conflict with openswan due to shared file /usr/sbin/ipsec

[Eric Desrochers]

** Changed in: strongswan (Ubuntu Trusty)
     Assignee: (unassigned) => Trent Lloyd (lathiat)

** Changed in: strongswan (Ubuntu Trusty)
   Importance: Undecided => Medium

** Description changed:

  strongswan-starter and openswan both share the file /usr/sbin/ipsec
  however there is no Conflicts relationship
+ 
+ $ apt-file search /usr/sbin/ipsec
+ openswan: /usr/sbin/ipsec
+ strongswan-starter: /usr/sbin/ipsec
  
  openswan was deprecated in utopic, so trusty installations may wish to
  migrate to strongswan ahead of a xenial upgrade.  In that case, the
  package upgrade can fail.
  
  This was previously fixed upstream in Debian:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740808
  
  For apt operation ordering reasons I don't understand, the issue only
  appears when something else on the system (such as neutron-vpn-agent)
  depends on (strongswan | openswan).  Just installing strongswan and
  replacing it with openswan or vica-versa doesn't cause the issue to
  trigger.
  
  The Conflicts already exists in xenial through bionic, just not in
  trusty.  So the upload would only be required in trusty.
  
  [Impact]
  
-  * Users are unable to replace openswan with strongswan on trusty systems, where the next major Ubuntu release (xenial) dropped support for openswan completely but strongswan exists on both
-  * Only users on trusty are affected, once upgraded to xenial this change is already in place
+  * Users are unable to replace openswan with strongswan on trusty systems, where the next major Ubuntu release (xenial) dropped support for openswan completely but strongswan exists on both
+  * Only users on trusty are affected, once upgraded to xenial this change is already in place
  
  [Test Case]
  
  On a trusty machine (e.g. lxd)
  
  add-apt-repository cloud-archive:mitaka # the trusty version of neutron-vpn-agent does not have the dependency on openswan causing the bug to trigger
  apt update
  apt install neutron-vpn-agent openswan # you can answer no to X509 generation
  apt install strongswan
  
  [Regression Potential]
  
-  * I don't believe the conflicts introduces a new issue in terms of a
+  * I don't believe the conflicts introduces a new issue in terms of a
  conflict that didn't previously exist, since the packages contain a
  conflicting file and strongswan-starter depends on strongswan-ike which
  already has a Conflicts in place.  So in terms of the dependency tree
  they already conflicted, but did not prevent this temporary file
  conflict.
  
-  * Other regression potential would be package rebuild related -- this
+  * Other regression potential would be package rebuild related -- this
  package has had security uploads as recently as August 2017 so that risk
  appears reduced
  
  [Other Info]
-  
-  * Same change is already in place from xenial onwards, so no SRU uploads other than trusty are required
+ 
+  * Same change is already in place from xenial onwards, so no SRU
+ uploads other than trusty are required

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1755693

Title:
  strongswan-starter should conflict with openswan due to shared file
  /usr/sbin/ipsec

Status in strongswan package in Ubuntu:
  Confirmed
Status in strongswan source package in Trusty:
  New

Bug description:
  strongswan-starter and openswan both share the file /usr/sbin/ipsec
  however there is no Conflicts relationship

  $ apt-file search /usr/sbin/ipsec
  openswan: /usr/sbin/ipsec
  strongswan-starter: /usr/sbin/ipsec

  openswan was deprecated in utopic, so trusty installations may wish to
  migrate to strongswan ahead of a xenial upgrade.  In that case, the
  package upgrade can fail.

  This was previously fixed upstream in Debian:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740808

  For apt operation ordering reasons I don't understand, the issue only
  appears when something else on the system (such as neutron-vpn-agent)
  depends on (strongswan | openswan).  Just installing strongswan and
  replacing it with openswan or vica-versa doesn't cause the issue to
  trigger.

  The Conflicts already exists in xenial through bionic, just not in
  trusty.  So the upload would only be required in trusty.

  [Impact]

   * Users are unable to replace openswan with strongswan on trusty systems, where the next major Ubuntu release (xenial) dropped support for openswan completely but strongswan exists on both
   * Only users on trusty are affected, once upgraded to xenial this change is already in place

  [Test Case]

  On a trusty machine (e.g. lxd)

  add-apt-repository cloud-archive:mitaka # the trusty version of neutron-vpn-agent does not have the dependency on openswan causing the bug to trigger
  apt update
  apt install neutron-vpn-agent openswan # you can answer no to X509 generation
  apt install strongswan

  [Regression Potential]

   * I don't believe the conflicts introduces a new issue in terms of a
  conflict that didn't previously exist, since the packages contain a
  conflicting file and strongswan-starter depends on strongswan-ike
  which already has a Conflicts in place.  So in terms of the dependency
  tree they already conflicted, but did not prevent this temporary file
  conflict.

   * Other regression potential would be package rebuild related -- this
  package has had security uploads as recently as August 2017 so that
  risk appears reduced

  [Other Info]

   * Same change is already in place from xenial onwards, so no SRU
  uploads other than trusty are required

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1755693/+subscriptions