-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
On 2016-01-22 11:54 AM, Ryan Harper wrote:
> I've been working on merging strongswan from Debian into Ubuntu for
> Xenial. We've not completed a merge with Debian for some time (Feb 19,
> 2014 was the last time). Ubuntu has been using version 5.1.2 since then
> but Debian and upstream have moved on. Ubuntu has collected a large delta
> between Debian and with this merge I'm attempting to reduce the delta to
> ease merging in the future. In particular, the major change would be to
> no longer create a package per-plugin and instead use the more general
> standard/extra plugin packages as in Debian. Each plugin has an
> individual conf file which controls settings including whether to load or
> not. Currently the default template conf files default to loading plugins
> if present; it's not clear to me if this is a sensible default or if we
> should left them off by default. Note that Strongswan doesn't currently
> have something akin to apache's a2enmod and a2dismod meaning users will
> need to edit conf as needed. During this merge, I've also been using a
> git-based merge workflow and the git repo tracking it is available here.
> Since the delta is large, I want to make sure that we document the changes
> and provide opportunity for users of Strongswan in Ubuntu to provide
> feedback and comments on this merge. I've updated the package and placed
> it in a PPA.
> The remaining work items are:
> - Adding in transitional virtual Packages for upgrade from 5.1.2-0ubuntu8
> - Testing package upgrade
I upgraded one system so far and it went well.
> - Attempting exercise various modes of Strongswan, including the TPM
> - Continue dropping additional delta no longer needed
> - Bug fixes (documenting which bugs this merge will resolve)
If you bring in the few changes from , almost every bug in LP against
Strongswan should be addressed.
> I also plan to discuss many of the Ubuntu changes with Debian maintainers
> to see if we can get some of the changes picked up there as well.
I quickly skimmed Debian bugs and some of them could be closed by
adopting some of the Ubuntu delta:
debian #803787: ntru/bliss support (only ntru is enabled in Ubuntu)
debian #739641: kernel-libipsec support
> Below are some of the various changes between 5.1.2-0ubuntu8 and 5.3.5-1
> (Debian) release.
> - In Debian 5.3.5, there are 9 Packages defined in debian/control,
> and in
> Ubuntu 5.1.2-0ubuntu8 we have 70, mostly due to a binary per plugin
> in Ubuntu.
> - Ubuntu also enables TNC Client and Server which requires enabling
> and packaging different binaries and plugins.
> - Ubuntu has AppArmor profiles for some binaries
> - Ubuntu updated start/stop scripts to use service instead of
> invoke-rc.d (may be moot w.r.t systemd for Ubuntu) Debian builds
> pt-tls-client but without TNC (Debian includes it in
> - Ubuntu enables many additional options/features, including TPM support
> (with-tss=trousers, libtspi-dev) and smartcard access (libpcsclite-dev)
> - Ubuntu enables (but Debian does not)
The acert plugin seems to be missing in your refreshed package. It was
previously enabled in Ubuntu and the provided functionality seems useful
> - Debian enables (but Ubuntu does not)
> ha (needs special kernel as per jpds)
> - Builddeps in Debian (but not Ubuntu)
> - Other Removals from Debian
> *logcheck* files (not relevant to StrongSwan per jpds)
The logcheck files are really dated (see debian #787156) and I've
accumulated a few rules on my own. Even at the default log level charon
is very verbose so I think it makes sense to have the package shipping
logcheck rules. I'd be happy to provided those.
> - Ubuntu builds with nostrip for integrity checking (TPM)
> - Ubuntu sets TESTS_REDUCED_KEYLENGTHS to generate smallest length key
> for tests.
> Some additional changes which have raised some questions to which I don't
> know the answer; any input is helpful here.
> - Ubuntu drops install of debconf managed
> - Ubuntu force-building dhcp/farp instead of keeping under Linux-only
Debian #640928 says it's to support kFreeBSD. Those plugins require
CAP_NET_BIND_SERVICE and/or CAP_NET_RAW so maybe that's the explanation?
> - Debian still calls dh_installinit with ipsec vs
> - dropped Debian's enabling IKEv1 and v2 by default?
Upstream's default when no specific version is configured is to use
IKEv2 when initiating and accept both when responding.
> - Ubuntu systemd file differs from Debian and Upstream.
> - Ubuntu disable ha (claim in changelog says requires special kernel)
> - Ubuntu disables fastcgi (libfcgi)
> - Ubuntu disables clearsilver (as per MIR noted discussion with
> Upstream changes in Strongswan since 5.1.2 that have an impact on the Ubuntu
> changes we're carrying.
> - libpts dropped in 5.2.1, affects tnc-base
> - no updown_espmark, updown manpage
updown_espmark was apparently created to support kernels < 2.6.16.
The updown man page will probably not be missed because the shell script
is well documented on its own.
> - no openac, replaced with pki --acert command.
If the acert plugin functionality is restored I believe this would be a
> 1. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951
> 2. ppa:raharper/merges
> 3. https://code.launchpad.net/~raharper/ubuntu/+source/strongswan/+git/strongswan
> 4. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1266066