[Pkg-swan-devel] Bug#848890: Bug#848890: Revisiting "Ubuntu strongSwan changes"
Yves-Alexis Perez
corsac at debian.org
Wed Dec 21 10:22:56 UTC 2016
On Wed, 2016-12-21 at 10:32 +0100, Christian Ehrhardt wrote:
> Background to explain the reasoning behind the change 2/7:
>
> Commits:
> 944a3c7 * d/rules: Make override_dh_strip a nop.
> b7754fe changelog: d/rules: Make override_dh_strip a nop
I don't think this one is ok. Stripping the binaries is a Debian Policy
*should*.
>
> The (to be enabled in a later commit in this series) plugin "integrity-test"
> provides a useful extra feature for the cautious strongswan admin.
> It stores checksums of its libraries and can check non-malicious errors to
> avoid accidentially loading bad libraries.
> See https://wiki.strongswan.org/projects/strongswan/wiki/IntegrityTest for
> more.
>
> It is an experimental feature, but out there for a while and was enabled in
> Ubuntu per user request, so I assume it has its use in the field.
I have my opinion on this, but I'll keep them to that latter mail.
>
> To be able to do so it stores the checksums as part of the build process.
> But to match those sums later on the build is not allowed to strip the
> plugins.
> That is listed in the "conflicts" section of the Wiki page.
I think it'd be best to store the checksum of the stripped binaries in any
case.
>
> Therefore override "override_dh_strip:" with a comment that explains why
> strip
> is skipped.
>
Regards,
--
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-swan-devel/attachments/20161221/a78d5595/attachment.sig>
More information about the Pkg-swan-devel
mailing list