Sunday 24 January 2016

Re: Strongswan merge for Xenial

Hi Ryan,

On 2016-01-22 11:54 AM, Ryan Harper wrote:
> Hello,
>
> I've been working on merging[1] strongswan from Debian into Ubuntu for
> Xenial. We've not completed a merge with Debian for some time (Feb 19,
> 2014 was the last time). Ubuntu has been using version 5.1.2 since then
> but Debian and upstream have moved on. Ubuntu has collected a large delta
> between Debian and with this merge I'm attempting to reduce the delta to
> ease merging in the future. In particular, the major change would be to
> no longer create a package per-plugin and instead use the more general
> standard/extra plugin packages as in Debian. Each plugin has an
> individual conf file which controls settings including whether to load or
> not. Currently the default template conf files default to loading plugins
> if present; it's not clear to me if this is a sensible default or if we
> should leave them off by default. Note that Strongswan doesn't currently
> have something akin to apache's a2enmod and a2dismod meaning users will
> need to edit conf as needed. During this merge, I've also been using a
> git-based merge workflow and the git repo tracking it is available here[3].
>
> Since the delta is large, I want to make sure that we document the changes
> and provide opportunity for users of Strongswan in Ubuntu to provide
> feedback and comments on this merge. I've updated the package and placed
> it in a PPA[2].

Awesome work!

> The remaining work items are:
> - Adding in transitional virtual Packages for upgrade from 5.1.2-0ubuntu8
> - Testing package upgrade

I upgraded one system so far and it went well.

> - Attempting exercise various modes of Strongswan, including the TPM
> enablement
> - Continue dropping additional delta no longer needed
> - Bug fixes (documenting which bugs this merge will resolve)

If you bring in the few changes from [5], almost every bug in LP against
Strongswan should be addressed.

> I also plan to discuss many of the Ubuntu changes with Debian maintainers
> to see if we can get some of the changes picked up there as well.

I quickly skimmed Debian bugs and some of them could be closed by
adopting some of the Ubuntu delta:

debian #803787: ntru/bliss support (only ntru is enabled in Ubuntu)
debian #739641: kernel-libipsec support

> Below are some of the various changes between 5.1.2-0ubuntu8 and 5.3.5-1
> (Debian) release.
>
> - In Debian 5.3.5, there are 9 Packages defined in debian/control, and in
> Ubuntu 5.1.2-0ubuntu8 we have 70, mostly due to a binary per plugin
> in Ubuntu.
>
> - Ubuntu also enables TNC Client and Server which requires enabling
> and packaging different binaries and plugins.
> https://wiki.strongswan.org/projects/1/wiki/TNCC
>
> - Ubuntu has AppArmor profiles for some binaries
>
> - Ubuntu updated start/stop scripts to use service instead of
> invoke-rc.d (may be moot w.r.t systemd for Ubuntu)
>
> - Debian builds pt-tls-client but without TNC (Debian includes it in
> libcharon-extra-plugins)
>
> - Ubuntu enables many additional options/features, including TPM support
> (with-tss=trousers, libtspi-dev) and smartcard access (libpcsclite-dev)
>
> - Ubuntu enables (but Debian does not)
> unbound
> dnscert
> ipseckey
> coupling
> imv-swid
> imc-swid
> tnc-ifmap
> mysql
> tnc-pdp
> load-tester
> whitelist
> radattr
> ntru
> soup
> sqlite
> md4
> eap-*


The acert plugin seems to be missing in your refreshed package. It was
previously enabled in Ubuntu and the provided functionality seems useful
[6].


> - Debian enables (but Ubuntu does not)
> ha (needs special kernel as per jpds)
>
> - Builddeps in Debian (but not Ubuntu)
> clearsilver-dev
> libfcgi-dev
>
> - Other Removals from Debian
> *logcheck* files (not relevant to StrongSwan per jpds)

The logcheck files are really dated (see debian #787156) and I've
accumulated a few rules on my own. Even at the default log level charon
is very verbose so I think it makes sense to have the package shipping
logcheck rules. I'd be happy to provide those.

> - Ubuntu builds with nostrip for integrity checking (TPM)
>
> - Ubuntu sets TESTS_REDUCED_KEYLENGTHS to generate smallest length key
> for tests.
>
>
> Some additional changes which have raised some questions to which I don't
> know the answer; any input is helpful here.
>
> - Ubuntu drops install of debconf managed
> /var/lib/strongswan/ipsec.conf.inc
>
> - Ubuntu force-building dhcp/farp instead of keeping under Linux-only

Debian #640928 says it's to support kFreeBSD. Those plugins require
CAP_NET_BIND_SERVICE and/or CAP_NET_RAW so maybe that's the explanation?

> - Debian still calls dh_installinit with ipsec vs strongswan
>
> - dropped Debian's enabling IKEv1 and v2 by default?

Upstream's default when no specific version is configured is to use
IKEv2 when initiating and accept both when responding.

> - Ubuntu systemd file differs from Debian and Upstream.
>
> - Ubuntu disable ha (claim in changelog says requires special kernel)
>
> - Ubuntu disables fastcgi (libfcgi)
>
> - Ubuntu disables clearsilver (as per MIR[4] noted discussion with
> upstream)
>
>
> Upstream changes in Strongswan since 5.1.2 that have an impact on the Ubuntu
> changes we're carrying.
>
> - libpts dropped in 5.2.1, affects tnc-base
>
> - no updown_espmark, updown manpage

updown_espmark was apparently created to support kernels < 2.6.16.

The updown man page will probably not be missed because the shell script
is well documented on its own.

> - no openac, replaced with pki --acert command.
> https://wiki.strongswan.org/projects/strongswan/wiki/OpenAc

If the acert plugin functionality is restored I believe this would be a
non-issue.

> 1. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951
> 2. ppa:raharper/merges
> 3. https://code.launchpad.net/~raharper/ubuntu/+source/strongswan/+git/strongswan
> 4. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1266066

Regards,
Simon


5: https://github.com/simondeziel/ubuntu-strongswan/tree/new/debian_copy_in_old/debian
6: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiAcert
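As an added example (not part of Ryan's or Simon's messages, nor of the strongswan project): a small audit of the per-plugin conf files discussed in the thread, parsing the strongswan.conf-style `load = ...` setting to report which plugins a packaging default would load. The file names and contents below are constructed; only the "templates default to load = yes" behaviour comes from the message, and the load-tester plugin is flagged because upstream documents it as intended for testing only.

```python
import re

# Constructed sample of per-plugin conf files as laid out under
# /etc/strongswan.d/charon/<plugin>.conf; contents are made up for illustration.
SAMPLE_CONFS = {
    "dhcp.conf": "dhcp {\n    # Whether to load the plugin.\n    load = yes\n}\n",
    "load-tester.conf": "load-tester {\n    load = yes\n    enable = no\n}\n",
    "sqlite.conf": "sqlite {\n    load = no\n}\n",
    "md4.conf": "md4 {\n}\n",  # no load key at all: a reviewer should ask why
}

# Plugins a reviewer would want to see before accepting a default-loaded set;
# load-tester is documented upstream as a testing-only plugin.
REVIEW_ON_LOAD = {"load-tester"}


def parse_plugin_conf(text):
    """Parse the strongswan.conf subset plugin files use: '#' comments,
    'name { ... }' sections and 'key = value' lines.
    Returns {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"([\w-]+)\s*\{", line)
        if m:                                  # section start: "dhcp {"
            current = m.group(1)
            sections.setdefault(current, {})
        elif line == "}":                      # section end
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def load_state(value):
    """Map a 'load' value to True/False; None when absent or unrecognised."""
    if value is None:
        return None
    return {"yes": True, "true": True, "no": False, "false": False}.get(value.lower())


def audit_plugins(confs):
    """Return ({plugin: load_state}, sorted list of loaded plugins to review)."""
    states = {}
    for text in confs.values():
        for name, keys in parse_plugin_conf(text).items():
            states[name] = load_state(keys.get("load"))
    flagged = sorted(p for p, on in states.items() if on and p in REVIEW_ON_LOAD)
    return states, flagged
```

Pointing `SAMPLE_CONFS` at the real files (one string per file) turns this into a quick check of what a candidate package would load out of the box.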