[Pkg-swan-devel] Bug#787810: Bug#787810: libstrongswan-standard-plugins not installed during dist-upgrade

Daniel Pocock daniel at pocock.pro
Fri Jun 5 18:50:36 UTC 2015


On 05/06/15 15:43, Yves-Alexis Perez wrote:
> On Fri, Jun 05, 2015 at 12:31:46PM +0200, Daniel Pocock wrote:
>> Package: libstrongswan-standard-plugins
>> Version: 5.2.1-6
>> Severity: serious
>> 
>> I've marked this bug serious because it can lead to a loss of 
>> connectivity for remote users.
>> 
>> The system was running fine with strongSwan on wheezy using
>> ECDSA
>> 
>> The system was upgraded to jessie using apt-get dist-upgrade
>> 
>> After upgrade, the VPN would not start
>> 
>> "ipsec up peer" would complain:
>> 
>> no private key found for 'fromcert'
>> 
>> Looking at the ipsec start logs in syslog, I observed the
>> errors:
>> 
>> building CRED_PRIVATE_KEY - ECDSA failed, tried 2 builders
>> loading private key from 'hostKey.der' failed
>> ...
>> building CRED_CERTIFICATE - ANY failed, tried 1 builders
>> loading certificate from 'hostCert.der' failed
>> 
>> Installing the missing package and restarting ipsec resolved the
>> issue:
>> 
>> apt-get install libstrongswan-standard-plugins
>> ipsec stop
>> ipsec start
>> 
> Hi,
> 
> libstrongswan (which is a dependency of the various charon daemons)
> has a Recommends: on libstrongswan-standard-plugins so if you
> install Recommends: I think it /should/ be the case.
> 

Thanks for the prompt feedback

I tend to be a bit cautious about installing all recommended packages
on dist-upgrade, mainly because of disk usage.

Many of the systems I've worked with have deliberately small
partitions (they are usually virtual servers) and even without all
recommended packages, each upgrade tends to grow the disk usage and
require some re-arranging of LVM.  Even on my laptop, it is just a
pain to back up if I let the disk usage grow too much.

Do you feel these plugins definitely need to be in a separate package?

Do you think you could use a metapackage for upgraders, with a
mandatory dependency on the plugins, so they end up with the same
plugins they had before?
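
The failure described in this thread can be checked for after an upgrade by scanning the ipsec log for credential builder errors. The script below is an added example, not part of the original message or of strongSwan; the sample log's timestamps, host name and daemon prefix are constructed, and only the message text and the package name come from the report.

```sh
#!/bin/sh
# Added example: find credential builder failures in ipsec/charon log text.
PLUGIN_PKG="libstrongswan-standard-plugins"   # package named in the report

# Constructed sample; timestamp, host and daemon prefix are assumptions.
SAMPLE_LOG="Jun  5 12:00:01 vpn charon: 00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 2 builders
Jun  5 12:00:01 vpn charon: 00[CFG]   loading private key from 'hostKey.der' failed
Jun  5 12:00:01 vpn charon: 00[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Jun  5 12:00:01 vpn charon: 00[CFG]   loading certificate from 'hostCert.der' failed"

# Print one "CRED_TYPE SUBTYPE" pair per distinct builder failure on stdin.
failed_builders() {
    sed -n 's/.*building \(CRED_[A-Z_]*\) - \([A-Za-z0-9_]*\) failed, tried [0-9]* builders.*/\1 \2/p' |
        LC_ALL=C sort -u
}

# Print each credential file that failed to load, one per line.
failed_files() {
    sed -n "s/.*loading [a-z ]* from '\([^']*\)' failed.*/\1/p" | LC_ALL=C sort -u
}

# 0 = installed, 1 = not installed, 2 = dpkg-query unavailable.
pkg_installed() {
    command -v dpkg-query >/dev/null 2>&1 || return 2
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q '^install ok installed$'
}

# Summarise failures in the log on stdin; returns 1 if any were found.
report() {
    log=$(cat)
    failures=$(printf '%s\n' "$log" | failed_builders)
    [ -n "$failures" ] || { echo "no credential builder failures found"; return 0; }
    echo "credential builders failed:"; printf '%s\n' "$failures" | sed 's/^/  /'
    echo "files not loaded:"; printf '%s\n' "$log" | failed_files | sed 's/^/  /'
    rc=0; pkg_installed "$PLUGIN_PKG" || rc=$?
    case $rc in
        0) echo "$PLUGIN_PKG is installed; the cause lies elsewhere" ;;
        1) echo "$PLUGIN_PKG is not installed (installing it was the fix in the report)" ;;
        *) echo "dpkg-query not available; cannot check $PLUGIN_PKG" ;;
    esac
    return 1
}

# Usage: script [logfile]; without an argument the constructed sample is scanned.
if [ -n "${1:-}" ]; then report < "$1" || true
else printf '%s\n' "$SAMPLE_LOG" | report || true; fi
```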
