[Pkg-swan-devel] Bug#848890: Bug#848890: Revisiting "Ubuntu strongSwan changes"

Christian Ehrhardt christian.ehrhardt at canonical.com
Wed Dec 21 09:34:25 UTC 2016


Background to explain the reasoning behind the change 7/7:

Commits:
0271917 * Enable more features to to cover more use-cases
bd04b06 changelog: Enable more features to to cover more use-cases

Note: Many of those changes are so correlated that this is one big change for
now. If needed, and if it is ok that interim commits might not be buildable, I
could split it into maybe 3-5 logical pieces. But for now I am just explaining
all the reasoning in detail.

This change enables more features to cover more use-cases in the strongswan
packages.

As a start, this enables all stable plugins according to
https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist

The intention is to make the default strongswan packages more usable without
forcing users to rebuild for more sophisticated setups.
Yet on the other hand we don't want to proliferate plugins, so most of the
plugins are added to the extra-plugin package.
- This is a (late) follow-on to the discussion started in 2014 with the
  subject "Ubuntu strongSwan changes" on the pkg-swan-devel list.
- Some features might not show up as a change in the configure step. That is
  because they are enabled by default or as a dependency of others, and now
  get "enabled" indirectly due to the additional build dependencies.
  "pool" is such an example.
- Of course, to be able to enable all stable plugins I had to add several
  additional build-deps: libjson-c-dev, libldns-dev, libmysqlclient-dev,
  libpcsclite-dev, libtspi-dev, libsoup2.4-dev and libunbound-dev.
- In d/control I mention all additionally enabled plugins in the package
  descriptions.
- d/libstrongswan-*-plugins.install got all the added plugins, libs and
  conf files.

On top of the stable default plugins/features, this enables two more
functions based on user requests.
- Also enable kernel-libipsec, which is not in upstream's "stable" plugins
  list. This is based on user requests to make strongswan more useful in
  the userspace of containers.
  To avoid conflicts it is disabled by default via
  d/p/dont-load-kernel-libipsec-plugin-by-default.patch, as
  upstream recommends not loading kernel-libipsec by default.
- integrity-test is another feature people sometimes ask for. It can be
  considered a little step (clearly not enough) towards FIPS compliance.
  It can help the cautious admin to detect accidentally modified plugins.

Additionally, Ubuntu got user requests to make charon's default plugin
installation more useful (pad.lv/1640826).
That is eap-mschapv2 for Windows 7+ and modern OSX/iOS using IKEv2, and
xauth-generic for Android and older OSX/iOS using IKEv1 and XAUTH.
To be able to do so, the change follows the example of the libstrongswan
plugin packaging and moves those common cases from
"libcharon-extra-plugins" to the newly added "libcharon-default-plugins"
package.

Furthermore, it was identified that the whole use case around TNC seems to be
a very selective user group.
See https://wiki.strongswan.org/projects/1/wiki/trustednetworkconnect
Those users (again, as with the other cases mentioned) might not want to
install all of the extra-plugins that are needed today. Therefore the related
functionality is moved into packages of its own.
This allows using TNC without installing the extra-plugins package.

Debian already stopped shipping libfast, as Ubuntu did a while ago.
But it still mentioned the associated (and now no longer built) medcli and
medsrv elements.
Also, it did not disable it in the configure step, which should be done if it
is not shipped anyway.
Therefore drop it from d/control and d/rules accordingly.

Due to the new plugins and features there are also more libraries being built.
Those are only needed by plugins in the extra-plugins package, so add the
libraries there.
- libtpmtss.so available since 5.5
- libnttfft.so available since 5.5
- libmgf1.so available since 5.5.1
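As an added example that is not part of this mail or of the strongswan packages: a small Python parser for strongswan.conf-style configuration that reports which charon plugins are turned off via `load = no`, the per-plugin switch that the kernel-libipsec default-off patch above relies on. The sample configuration and its values are constructed for illustration.

```python
"""Parse strongswan.conf-style text and report per-plugin 'load' settings."""
import re
# Constructed sample in the layout of strongswan.d/charon/<plugin>.conf
# fragments; the 'load' values are assumptions, not the package's real defaults.
SAMPLE_CONF = """
# strongswan.conf uses '#' comments, nested braces and key = value lines
charon {
    plugins {
        kernel-netlink {
            load = yes
        }
        kernel-libipsec {
            # kept off unless the admin opts in (avoids clashing with kernel-netlink)
            load = no
        }
        eap-mschapv2 {
            load = yes
        }
    }
}
"""

def parse_strongswan_conf(text):
    """Return a flat dict of dotted keys -> values, e.g. 'charon.plugins.x.load'."""
    settings = {}
    path = []                                  # stack of enclosing section names
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"([\w.-]+)\s*\{", line)
        if m:                                  # section open:  name {
            path.append(m.group(1))
            continue
        if line == "}":                        # section close
            path.pop()
            continue
        m = re.fullmatch(r"([\w.-]+)\s*=\s*(.*)", line)
        if m:                                  # key = value
            settings[".".join(path + [m.group(1)])] = m.group(2).strip()
    return settings

def plugin_load_state(settings, plugin):
    """'yes' or 'no' for charon.plugins.<plugin>.load; absent is treated as 'yes'."""
    return settings.get(f"charon.plugins.{plugin}.load", "yes")

def disabled_plugins(settings):
    """Names of charon plugins whose load flag is explicitly 'no'."""
    return sorted(k.split(".")[2] for k, v in settings.items()
                  if k.startswith("charon.plugins.") and k.endswith(".load") and v == "no")
```

Pointing the parser at the concatenated fragments under /etc/strongswan.d/charon/ gives a quick audit of which plugins a host will actually load.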