On Sun, Jan 24, 2016 at 9:38 PM, Simon Deziel <[email protected]> wrote:
> Hi Ryan,

Hi Simon,

Thanks for taking a look at this merge. I really appreciate the help
sorting through this merge.

> On 2016-01-22 11:54 AM, Ryan Harper wrote:
> > Hello,
> >
> > I've been working on merging[1] strongswan from Debian into Ubuntu for
> > Xenial. We've not completed a merge with Debian for some time (Feb 19,
> > 2014 was the last time). Ubuntu has been using version 5.1.2 since then
> > but Debian and upstream have moved on. Ubuntu has collected a large
> > delta between Debian and with this merge I'm attempting to reduce the
> > delta to ease merging in the future. In particular, the major change
> > would be to no longer create a package per-plugin and instead use the
> > more general standard/extra plugin packages as in Debian. Each plugin
> > has an individual conf file which controls settings including whether
> > to load or not. Currently the default template conf files default to
> > loading plugins if present; it's not clear to me if this is a sensible
> > default or if we should leave them off by default. Note that
> > Strongswan doesn't currently have something akin to apache's a2enmod
> > and a2dismod meaning users will need to edit conf as needed. During
> > this merge, I've also been using a git-based merge workflow and the
> > git repo tracking it is available here[3].
> >
> > Since the delta is large, I want to make sure that we document the
> > changes and provide opportunity for users of Strongswan in Ubuntu to
> > provide feedback and comments on this merge. I've updated the package
> > and placed it in a PPA[2].
>
> Awesome work!
>
> > The remaining work items are:
> > - Adding in transitional virtual Packages for upgrade from 5.1.2-0ubuntu8
> > - Testing package upgrade
>
> I upgraded one system so far and it went well.

OK. Do you have any of the plugins installed?

> > - Attempting to exercise various modes of Strongswan, including the
> >   TPM enablement
> > - Continue dropping additional delta no longer needed
> > - Bug fixes (documenting which bugs this merge will resolve)
>
> If you bring in the few changes from [5], almost every bug in LP against
> Strongswan should be addressed.

Thanks, I'll go take a look at those changes.

> > I also plan to discuss many of the Ubuntu changes with Debian
> > maintainers to see if we can get some of the changes picked up there
> > as well.
>
> I quickly skimmed Debian bugs and some of them could be closed by
> adopting some of the Ubuntu delta:
>
> debian #803787: ntru/bliss support (only ntru is enabled in Ubuntu)
> debian #739641: kernel-libipsec support

Great, I'll look at those too.

> > Below are some of the various changes between 5.1.2-0ubuntu8 and
> > 5.3.5-1 (Debian) release.
> >
> > - In Debian 5.3.5, there are 9 Packages defined in debian/control,
> >   and in Ubuntu 5.1.2-0ubuntu8 we have 70, mostly due to a binary per
> >   plugin in Ubuntu.
> >
> > - Ubuntu also enables TNC Client and Server which requires enabling
> >   and packaging different binaries and plugins.
> >   https://wiki.strongswan.org/projects/1/wiki/TNCC
> >
> > - Ubuntu has AppArmor profiles for some binaries
> >
> > - Ubuntu updated start/stop scripts to use service instead of
> >   invoke-rc.d (may be moot w.r.t systemd for Ubuntu) Debian builds
> >   pt-tls-client but without TNC (Debian includes it in
> >   libcharon-extra-plugins)
> >
> > - Ubuntu enables many additional options/features, including TPM
> >   support (with-tss=trousers, libtspi-dev) and smartcard access
> >   (libpcsclite-dev)
> >
> > - Ubuntu enables (but Debian does not)
> >   unbound
> >   dnscert
> >   ipseckey
> >   coupling
> >   imv-swid
> >   imc-swid
> >   tnc-ifmap
> >   mysql
> >   tnc-pdp
> >   load-tester
> >   whitelist
> >   radattr
> >   ntru
> >   soup
> >   sqlite
> >   md4
> >   eap-*
>
> The acert plugin seems to be missing in your refreshed package. It was
> previously enabled in Ubuntu and the provided functionality seems useful
> [6].

OK. Will fix.

> > - Debian enables (but Ubuntu does not)
> >   ha (needs special kernel as per jpds)
> >
> > - Builddeps in Debian (but not Ubuntu)
> >   clearsilver-dev
> >   libfcgi-dev
> >
> > - Other Removals from Debian
> >   *logcheck* files (not relevant to StrongSwan per jpds)
>
> The logcheck files are really dated (see debian #787156) and I've
> accumulated a few rules on my own. Even at the default log level charon
> is very verbose so I think it makes sense to have the package shipping
> logcheck rules. I'd be happy to provide those.

Yes please.

> > - Ubuntu builds with nostrip for integrity checking (TPM)
> >
> > - Ubuntu sets TESTS_REDUCED_KEYLENGTHS to generate smallest length key
> >   for tests.
> >
> >
> > Some additional changes which have raised some questions to which I
> > don't know the answer; any input is helpful here.
> >
> > - Ubuntu drops install of debconf managed
> >   /var/lib/strongswan/ipsec.conf.inc
> >
> > - Ubuntu force-building dhcp/farp instead of keeping under Linux-only
>
> Debian #640928 says it's to support kFreeBSD. Those plugins require
> CAP_NET_BIND_SERVICE and/or CAP_NET_RAW so maybe that's the explanation?

OK, I'll explore. AFAICT, there's nothing wrong with leaving it how
Debian has it; that is Ubuntu Linux still builds those packages as they
are and dropping this delta reduces merge burden.

> > - Debian still calls dh_installinit with ipsec vs strongswan
> >
> > - dropped Debian's enabling IKEv1 and v2 by default?
>
> Upstream's default when no specific version is configured is to use
> IKEv2 when initiating and accept both when responding.

Interesting. Does that seem reasonable? I imagine that enabling v1 and
v2 means wider compatibility between client/server? Is this still worth
enabling vs keeping things more secure (I'm asserting v2 is likely more
robust than v1, hence a version 2).

> > - Ubuntu systemd file differs from Debian and Upstream.
> >
> > - Ubuntu disables ha (claim in changelog says requires special kernel)
> >
> > - Ubuntu disables fastcgi (libfcgi)
> >
> > - Ubuntu disables clearsilver (as per MIR[4] noted discussion with
> >   upstream)
> >
> >
> > Upstream changes in Strongswan since 5.1.2 that have an impact on the
> > Ubuntu changes we're carrying.
> >
> > - libpts dropped in 5.2.1, affects tnc-base
> >
> > - no updown_espmark, updown manpage
>
> updown_espmark was apparently created to support kernels < 2.6.16.
>
> The updown man page will probably not be missed because the shell script
> is well documented on its own.

OK. Seems like a reasonable drop due to changes upstream.

> > - no openac, replaced with pki --acert command.
> >   https://wiki.strongswan.org/projects/strongswan/wiki/OpenAc
>
> If the acert plugin functionality is restored I believe this would be a
> non issue.

Right.

> > 1. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951
> > 2. ppa:raharper/merges
> > 3. https://code.launchpad.net/~raharper/ubuntu/+source/strongswan/+git/strongswan
> > 4. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1266066
>
> Regards,
> Simon
>
> 5: https://github.com/simondeziel/ubuntu-strongswan/tree/new/debian_copy_in_old/debian
> 6: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiAcert
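Ryan's point in the thread that strongSwan has no a2enmod/a2dismod equivalent, so that enabling or disabling a plugin means editing its individual conf file, is the kind of gap a small helper closes. What follows is an added example written for this page; it is not code from the thread, from the Ubuntu or Debian packaging, or from the strongswan project. It assumes the per-plugin layout of the upstream templates: a file `<plugin>.conf` under `/etc/strongswan.d/charon` containing a `<plugin> { load = yes|no ... }` block. The directory is taken from `STRONGSWAN_D` so the helper can be exercised against a scratch copy before it is pointed at a live system, and the sample conf it writes is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the strongswan package): a small
# a2enmod/a2dismod-style helper for strongSwan's per-plugin conf files.
# Assumption: each plugin's settings live in $STRONGSWAN_D/<plugin>.conf as
# a "<plugin> { load = yes|no ... }" block, the layout of the upstream
# templates. Default path is an assumption; override it for testing.
STRONGSWAN_D="${STRONGSWAN_D:-/etc/strongswan.d/charon}"

# Write a constructed sample conf for <plugin> into <dir>, in the template
# layout. Sample data for demonstration only, not a packaged file.
swan_write_sample_conf() {
    dir="$1"; plugin="$2"
    cat > "$dir/$plugin.conf" <<EOF
$plugin {

    # Whether to load the plugin (constructed sample, mirrors the
    # template layout).
    load = yes

}
EOF
}

# Print the current "load" value for <plugin>: yes, no, an integer priority,
# or "unset" when the file has no load line. Returns 1 if the file is missing.
swan_plugin_status() {
    f="$STRONGSWAN_D/$1.conf"
    [ -f "$f" ] || { echo "missing"; return 1; }
    v=$(sed -n 's/^[[:space:]]*load[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$f" | head -n 1)
    echo "${v:-unset}"
}

# Set "load = yes|no" for <plugin>, editing only that key and leaving the
# rest of the file (comments, other options) untouched. If no load line
# exists, one is inserted right after the "<plugin> {" opener so the key
# lands inside the plugin's own section.
swan_plugin_set_load() {
    plugin="$1"; value="$2"
    f="$STRONGSWAN_D/$plugin.conf"
    case "$value" in
        yes|no) ;;
        *) echo "load must be yes or no" >&2; return 2 ;;
    esac
    [ -f "$f" ] || { echo "no conf file for plugin $plugin" >&2; return 1; }
    tmp=$(mktemp)
    if grep -q '^[[:space:]]*load[[:space:]]*=' "$f"; then
        # Rewrite only the first uncommented "load =" line.
        awk -v v="$value" '
            /^[[:space:]]*load[[:space:]]*=/ && !d { sub(/=[[:space:]]*[^[:space:]#]*/, "= " v); d = 1 }
            { print }' "$f" > "$tmp"
    else
        # No load line yet: add one directly after the section opener.
        awk -v p="$plugin" -v v="$value" '
            { print }
            !d && $0 ~ ("^[[:space:]]*" p "[[:space:]]*[{]") { print "    load = " v; d = 1 }' "$f" > "$tmp"
    fi
    mv "$tmp" "$f"
}
```

Point `STRONGSWAN_D` at a scratch directory first (`STRONGSWAN_D=/tmp/swan-test sh -c '. ./helper.sh; swan_plugin_set_load md4 no'`) and diff the result against the original before running it against `/etc`. Plugins are loaded when charon starts, so a changed `load` value takes effect on the next daemon restart, not on a config reload. From a hardening standpoint, turning `load` off for plugins a deployment does not use (the Ubuntu list above enables many, such as `md4`, `load-tester` and `mysql`) keeps that code out of the daemon's address space, which is the practical answer to Ryan's question about whether plugins should default to on or off.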
-- 
ubuntu-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
