Hi Ryan,

On 2016-01-22 11:54 AM, Ryan Harper wrote:
> Hello,
>
> I've been working on merging[1] strongswan from Debian into Ubuntu for
> Xenial. We've not completed a merge with Debian for some time (Feb 19,
> 2014 was the last time). Ubuntu has been using version 5.1.2 since then
> but Debian and upstream have moved on. Ubuntu has collected a large delta
> between Debian and with this merge I'm attempting to reduce the delta to
> ease merging in the future. In particular, the major change would be to
> no longer create a package per-plugin and instead use the more general
> standard/extra plugin packages as in Debian. Each plugin has an
> individual conf file which controls settings including whether to load or
> not. Currently the default template conf files default to loading plugins
> if present; it's not clear to me if this is a sensible default or if we
> should leave them off by default. Note that Strongswan doesn't currently
> have something akin to apache's a2enmod and a2dismod meaning users will
> need to edit conf as needed. During this merge, I've also been using a
> git-based merge workflow and the git repo tracking it is available here[3].
>
> Since the delta is large, I want to make sure that we document the changes
> and provide an opportunity for users of Strongswan in Ubuntu to provide
> feedback and comments on this merge. I've updated the package and placed
> it in a PPA[2].

Awesome work!

> The remaining work items are:
> - Adding in transitional virtual Packages for upgrade from 5.1.2-0ubuntu8
> - Testing package upgrade

I upgraded one system so far and it went well.

> - Attempting to exercise various modes of Strongswan, including the TPM
>   enablement
> - Continue dropping additional delta no longer needed
> - Bug fixes (documenting which bugs this merge will resolve)

If you bring in the few changes from [5], almost every bug in LP against
Strongswan should be addressed.

> I also plan to discuss many of the Ubuntu changes with Debian maintainers
> to see if we can get some of the changes picked up there as well.

I quickly skimmed Debian bugs and some of them could be closed by adopting
some of the Ubuntu delta:

debian #803787: ntru/bliss support (only ntru is enabled in Ubuntu)
debian #739641: kernel-libipsec support

> Below are some of the various changes between 5.1.2-0ubuntu8 and 5.3.5-1
> (Debian) release.
>
> - In Debian 5.3.5, there are 9 Packages defined in debian/control, and in
>   Ubuntu 5.1.2-0ubuntu8 we have 70, mostly due to a binary per plugin
>   in Ubuntu.
>
> - Ubuntu also enables TNC Client and Server which requires enabling
>   and packaging different binaries and plugins.
>   https://wiki.strongswan.org/projects/1/wiki/TNCC
>
> - Ubuntu has AppArmor profiles for some binaries
>
> - Ubuntu updated start/stop scripts to use service instead of
>   invoke-rc.d (may be moot w.r.t systemd for Ubuntu)
>
> - Debian builds pt-tls-client but without TNC (Debian includes it in
>   libcharon-extra-plugins)
>
> - Ubuntu enables many additional options/features, including TPM support
>   (with-tss=trousers, libtspi-dev) and smartcard access (libpcsclite-dev)
>
> - Ubuntu enables (but Debian does not)
>   unbound
>   dnscert
>   ipseckey
>   coupling
>   imv-swid
>   imc-swid
>   tnc-ifmap
>   mysql
>   tnc-pdp
>   load-tester
>   whitelist
>   radattr
>   ntru
>   soup
>   sqlite
>   md4
>   eap-*

The acert plugin seems to be missing in your refreshed package.
It was previously enabled in Ubuntu and the provided functionality seems
useful [6].

> - Debian enables (but Ubuntu does not)
>   ha (needs special kernel as per jpds)
>
> - Builddeps in Debian (but not Ubuntu)
>   clearsilver-dev
>   libfcgi-dev
>
> - Other Removals from Debian
>   *logcheck* files (not relevant to StrongSwan per jpds)

The logcheck files are really dated (see debian #787156) and I've
accumulated a few rules on my own. Even at the default log level charon is
very verbose, so I think it makes sense to have the package ship logcheck
rules. I'd be happy to provide those.

> - Ubuntu builds with nostrip for integrity checking (TPM)
>
> - Ubuntu sets TESTS_REDUCED_KEYLENGTHS to generate smallest length key
>   for tests.
>
>
> Some additional changes which have raised some questions to which I don't
> know the answer; any input is helpful here.
>
> - Ubuntu drops install of debconf managed
>   /var/lib/strongswan/ipsec.conf.inc
>
> - Ubuntu force-building dhcp/farp instead of keeping under Linux-only

Debian #640928 says it's to support kFreeBSD. Those plugins require
CAP_NET_BIND_SERVICE and/or CAP_NET_RAW so maybe that's the explanation?

> - Debian still calls dh_installinit with ipsec vs strongswan
>
> - dropped Debian's enabling IKEv1 and v2 by default?

Upstream's default when no specific version is configured is to use IKEv2
when initiating and accept both when responding.

> - Ubuntu systemd file differs from Debian and Upstream.
>
> - Ubuntu disables ha (claim in changelog says requires special kernel)
>
> - Ubuntu disables fastcgi (libfcgi)
>
> - Ubuntu disables clearsilver (as per MIR[4] noted discussion with
>   upstream)
>
>
> Upstream changes in Strongswan since 5.1.2 that have an impact on the Ubuntu
> changes we're carrying.
>
> - libpts dropped in 5.2.1, affects tnc-base
>
> - no updown_espmark, updown manpage

updown_espmark was apparently created to support kernels < 2.6.16.
The updown man page will probably not be missed because the shell script
is well documented on its own.

> - no openac, replaced with pki --acert command.
>   https://wiki.strongswan.org/projects/strongswan/wiki/OpenAc

If the acert plugin functionality is restored I believe this would be a
non-issue.

> 1. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951
> 2. ppa:raharper/merges
> 3. https://code.launchpad.net/~raharper/ubuntu/+source/strongswan/+git/strongswan
> 4. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1266066

Regards,
Simon

5: https://github.com/simondeziel/ubuntu-strongswan/tree/new/debian_copy_in_old/debian
6: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiAcert
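Ryan's remark above that strongSwan has nothing like apache's a2enmod/a2dismod, so users must hand-edit each plugin's conf to control whether it loads, is the sort of gap a small helper can fill. The script below is an added example, not part of this thread or of the Ubuntu/Debian packaging; it assumes the per-plugin files live at strongswan.d/charon/<plugin>.conf with a single `load = ...` line, and the `swanmod_*` function names and `CONF_DIR` variable are the example's own.

```shell
#!/bin/sh
# Added example (not from this thread or the Ubuntu/Debian packages): an
# a2enmod/a2dismod-style helper for strongSwan that flips the "load ="
# setting in a plugin's own conf file, strongswan.d/charon/<plugin>.conf.
# Assumes one "load = ..." line per conf (as the upstream templates have);
# CONF_DIR is the charon conf directory (default /etc/strongswan.d/charon).
CONF_DIR="${CONF_DIR:-/etc/strongswan.d/charon}"

# swanmod_state <plugin>: print the current load value (yes/no/priority)
swanmod_state() {
    conf="$CONF_DIR/$1.conf"
    [ -f "$conf" ] || return 1
    sed -nE 's/^[[:space:]]*load[[:space:]]*=[[:space:]]*([^[:space:]#]+).*$/\1/p' \
        "$conf" | head -n 1
}

# swanmod_set <plugin> <yes|no>: rewrite only the load line; comments stay.
# Returns 1 if the plugin ships no conf (not installed), 2 on a bad state.
swanmod_set() {
    plugin="$1" state="$2" conf="$CONF_DIR/$1.conf"
    case "$state" in yes|no) ;; *) echo "state must be yes or no" >&2; return 2 ;; esac
    [ -f "$conf" ] || { echo "no conf for plugin '$plugin' at $conf" >&2; return 1; }
    tmp="$conf.tmp.$$"
    sed -E "s/^([[:space:]]*load[[:space:]]*=[[:space:]]*)[^[:space:]#]*/\1$state/" \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# swanmod_list: one "plugin<TAB>load-value" line per installed plugin conf
swanmod_list() {
    for f in "$CONF_DIR"/*.conf; do
        [ -f "$f" ] || continue
        p=${f##*/}; p=${p%.conf}
        printf '%s\t%s\n' "$p" "$(swanmod_state "$p")"
    done
}

# Demo on a constructed sample conf in a temp dir (not a real /etc tree);
# set CONF_DIR=/etc/strongswan.d/charon to manage an installed system.
swanmod_demo() {
    CONF_DIR=$(mktemp -d)
    cat > "$CONF_DIR/ntru.conf" <<'EOF'
ntru {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}
EOF
    swanmod_set ntru no && swanmod_state ntru   # prints "no"
}
```

Because only the `load` token is rewritten, the template comments and any priority value elsewhere in the file survive, so a later package upgrade still sees a conf that matches the shipped layout.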
-- 
ubuntu-devel mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
