Sunday, 24 January 2016

Re: Strongswan merge for Xenial

Version: GnuPG v2

Hi Ryan,

On 2016-01-22 11:54 AM, Ryan Harper wrote:
> Hello,
> I've been working on merging[1] strongswan from Debian into Ubuntu for
> Xenial. We've not completed a merge with Debian for some time (Feb 19,
> 2014 was the last time). Ubuntu has been using version 5.1.2 since then
> but Debian and upstream have moved on. Ubuntu has collected a large delta
> between Debian and with this merge I'm attempting to reduce the delta to
> ease merging in the future. In particular, the major change would be to
> no longer create a package per-plugin and instead use the more general
> standard/extra plugin packages as in Debian. Each plugin has an
> individual conf file which controls settings including whether to load or
> not. Currently the default template conf files default to loading plugins
> if present; it's not clear to me if this is a sensible default or if we
> should left them off by default. Note that Strongswan doesn't currently
> have something akin to apache's a2enmod and a2dismod meaning users will
> need to edit conf as needed. During this merge, I've also been using a
> git-based merge workflow and the git repo tracking it is available here[3].
> Since the delta is large, I want to make sure that we document the changes
> and provide opportunity for users of Strongswan in Ubuntu to provide
> feedback and comments on this merge. I've updated the package and placed
> it in a PPA[2].

Awesome work!

> The remaining work items are:
> - Adding in transitional virtual Packages for upgrade from 5.1.2-0ubuntu8
> - Testing package upgrade

I upgraded one system so far and it went well.

> - Attempting exercise various modes of Strongswan, including the TPM
> enablement
> - Continue dropping additional delta no longer needed
> - Bug fixes (documenting which bugs this merge will resolve)

If you bring in the few changes from [5], almost every bug in LP against
Strongswan should be addressed.

> I also plan to discuss many of the Ubuntu changes with Debian maintainers
> to see if we can get some of the changes picked up there as well.

I quickly skimmed Debian bugs and some of them could be closed by
adopting some of the Ubuntu delta:

debian #803787: ntru/bliss support (only ntru is enabled in Ubuntu)
debian #739641: kernel-libipsec support

> Below are some of the various changes between 5.1.2-0ubuntu8 and 5.3.5-1
> (Debian) release.
> - In Debian 5.3.5, there are 9 Packages defined in debian/control,
> and in
> Ubuntu 5.1.2-0ubuntu8 we have 70, mostly due to a binary per plugin
> in Ubuntu.
> - Ubuntu also enables TNC Client and Server which requires enabling
> and packaging different binaries and plugins.
> - Ubuntu has AppArmor profiles for some binaries
> - Ubuntu updated start/stop scripts to use service instead of
> invoke-rc.d (may be moot w.r.t systemd for Ubuntu) Debian builds
> pt-tls-client but without TNC (Debian includes it in
> libcharon-extra-plugins)
> - Ubuntu enables many additional options/features, including TPM support
> (with-tss=trousers, libtspi-dev) and smartcard access (libpcsclite-dev)
> - Ubuntu enables (but Debian does not)
> unbound
> dnscert
> ipseckey
> coupling
> imv-swid
> imc-swid
> tnc-ifmap
> mysql
> tnc-pdp
> load-tester
> whitelist
> radattr
> ntru
> soup
> sqlite
> md4
> eap-*

The acert plugin seems to be missing in your refreshed package. It was
previously enabled in Ubuntu and the provided functionality seems useful

> - Debian enables (but Ubuntu does not)
> ha (needs special kernel as per jpds)
> - Builddeps in Debian (but not Ubuntu)
> clearsilver-dev
> libfcgi-dev
> - Other Removals from Debian
> *logcheck* files (not relevant to StrongSwan per jpds)

The logcheck files are really dated (see debian #787156) and I've
accumulated a few rules on my own. Even at the default log level charon
is very verbose so I think it makes sense to have the package shipping
logcheck rules. I'd be happy to provided those.

> - Ubuntu builds with nostrip for integrity checking (TPM)
> - Ubuntu sets TESTS_REDUCED_KEYLENGTHS to generate smallest length key
> for tests.
> Some additional changes which have raised some questions to which I don't
> know the answer; any input is helpful here.
> - Ubuntu drops install of debconf managed
> /var/lib/strongswan/
> - Ubuntu force-building dhcp/farp instead of keeping under Linux-only

Debian #640928 says it's to support kFreeBSD. Those plugins require
CAP_NET_BIND_SERVICE and/or CAP_NET_RAW so maybe that's the explanation?

> - Debian still calls dh_installinit with ipsec vs
> strongswan
> - dropped Debian's enabling IKEv1 and v2 by default?

Upstream's default when no specific version is configured is to use
IKEv2 when initiating and accept both when responding.

> - Ubuntu systemd file differs from Debian and Upstream.
> - Ubuntu disable ha (claim in changelog says requires special kernel)
> - Ubuntu disables fastcgi (libfcgi)
> - Ubuntu disables clearsilver (as per MIR[4] noted discussion with
> upstream)
> Upstream changes in Strongswan since 5.1.2 that have an impact on the Ubuntu
> changes we're carrying.
> - libpts dropped in 5.2.1, affects tnc-base
> - no updown_espmark, updown manpage

updown_espmark was apparently created to support kernels < 2.6.16.

The updown man page will probably not be missed because the shell script
is well documented on its own.

> - no openac, replaced with pki --acert command.

If the acert plugin functionality is restored I believe this would be a
non issue.

> 1.
> 2. ppa:raharper/merges
> 3.
> 4.