[Pkg-swan-devel] Bug#848890: Bug#848890: Revisiting "Ubuntu strongSwan changes"

Christian Ehrhardt christian.ehrhardt at canonical.com
Tue Jan 3 11:14:07 UTC 2017


On Wed, Dec 21, 2016 at 11:22 AM, Yves-Alexis Perez <corsac at debian.org>
wrote:

> > b7754fe changelog: d/rules: Make override_dh_strip a nop
>
> I don't think this one is ok. Stripping the binaries is a Debian Policy
> *should*.
>
> > The (to be enabled in a later commit in this series) plugin
> > "integrity-test" provides a useful extra feature for the cautious
> > strongswan admin.
> > It stores checksums of its libraries and can check non-malicious errors
> > to avoid accidentally loading bad libraries.
> > See https://wiki.strongswan.org/projects/strongswan/wiki/IntegrityTest
> > for more.
> >
> > It is an experimental feature, but out there for a while and was enabled
> > in Ubuntu per user request, so I assume it has its use in the field.
>
> I have my opinion on this, but I'll keep them to that later mail.
>
> > To be able to do so it stores the checksums as part of the build process.
> > But to match those sums later on the build is not allowed to strip the
> > plugins.
> > That is listed in the "conflicts" section of the Wiki page.
>
> I think it'd be best to store the checksum of the stripped binaries in any
> case.


Hi Yves-Alexis,
yeah I expected this to be a more discussion-worthy one.

I contacted a few more people and it turns out that those that "really
really" need it, e.g. for FIPS, create their own checksum checker
independent of the integrity-test plugin.

That said, I'm totally ok with not taking the stripping change, but in that
case we should drop the integrity check plugin since we know it won't be
usable.
The change might be something like the following on top of the other
enablement bits:

diff --git a/debian/control b/debian/control
index 343e0bd..7872360 100644
--- a/debian/control
+++ b/debian/control
@@ -106,8 +106,6 @@ Description: strongSwan utility and crypto library
   - resolve (Writes name servers received via IKE to a resolv.conf file or
     installs them via resolvconf(8))
   - test-vectors (Set of test vectors for various algorithms)
-  - libchecksum (not a plugin, but an integrity check to detect
-    misconfigurations or non-malicious file manipulations)

 Package: libstrongswan-standard-plugins
 Architecture: any
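Review bot: once the libchecksum lines are gone from the libstrongswan description, nothing in the package tells an admin why the integrity check documented on the wiki is absent from Debian's build; the changelog entry that goes with this hunk (not shown here) should state that integrity-test stays disabled because dh_strip changes the plugins after their build-time checksums are recorded, so the check could never pass on the shipped files. A one-line pointer in the description itself, e.g. "integrity-test is not built because the plugins are stripped", would save the next person from re-enabling it by mistake.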
diff --git a/debian/rules b/debian/rules
index 03592a9..0c6aeda 100755
--- a/debian/rules
+++ b/debian/rules
@@ -51,7 +51,6 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
                --enable-imv-scanner  \
                --enable-imv-swid \
                --enable-imv-test \
-               --enable-integrity-test \
                --enable-ipseckey \
                --enable-kernel-libipsec \
                --enable-ldap \
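Review bot: removing `--enable-integrity-test` only makes sense together with dropping the `override_dh_strip` nop from b7754fe, so land the two in one commit; otherwise an intermediate revision builds a checksum library over unstripped plugins that dh_strip then invalidates, which is exactly the conflict the wiki page warns about. Before committing, also grep the rest of debian/ (install files, plugin lists) for libchecksum so the build does not fail on a file that is no longer produced.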

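The conflict discussed above (checksums recorded at build time, plugins stripped afterwards) is easy to see with a small stand-in for the libchecksum idea. The following is an added example, not strongSwan's libchecksum code and not part of the original thread: it records a digest per plugin file, verifies each file before it would be loaded, and runs three orders of operations, hashing before a strip-like rewrite, hashing after it, and a plugin damaged after install. The plugin file names, the `.debug:` marker and the `strip_like` function are constructed for the demo and stand in for real ELF objects and strip(1).

```python
"""Build-time checksum manifest plus load-time verification, in the spirit
of strongSwan's integrity-test/libchecksum. Added illustration, not
strongSwan code: file names and the strip stand-in are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large plugins need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(libdir: Path, pattern: str = "*.so") -> dict:
    """Build step: record a digest for every plugin as it exists right now."""
    return {p.name: sha256_file(p) for p in sorted(libdir.glob(pattern))}


def verify(libdir: Path, manifest: dict) -> dict:
    """Load step: compare each recorded digest with the file on disk.
    Returns name -> 'ok' | 'mismatch' | 'missing'."""
    result = {}
    for name, expected in manifest.items():
        path = libdir / name
        if not path.is_file():
            result[name] = "missing"
        elif sha256_file(path) != expected:
            result[name] = "mismatch"
        else:
            result[name] = "ok"
    return result


def strip_like(path: Path) -> None:
    """Stand-in for dh_strip/strip(1): drop everything from the constructed
    '.debug:' marker onward. A real strip rewrites ELF sections; the effect
    that matters for the checksum is the same: the bytes change."""
    data = path.read_bytes()
    path.write_bytes(data.split(b"\n.debug:", 1)[0])


def demo() -> tuple:
    """Return verification results for four scenarios, in order:
    manifest taken before stripping, manifest taken after stripping,
    one plugin corrupted after install, one plugin deleted after install."""
    with tempfile.TemporaryDirectory() as d:
        libdir = Path(d)
        # Constructed stand-ins for freshly built, not yet stripped plugins.
        for name in ("libstrongswan-aes.so", "libstrongswan-sha2.so"):
            body = b"\x7fELF-stand-in for " + name.encode()
            (libdir / name).write_bytes(body + b"\n.debug: symbol table...")

        # Wrong order (the Ubuntu build without the dh_strip nop):
        # checksums recorded, then the plugins are stripped.
        early = build_manifest(libdir)
        for p in libdir.glob("*.so"):
            strip_like(p)
        wrong_order = verify(libdir, early)

        # Right order: checksums recorded from the files as they ship.
        late = build_manifest(libdir)
        right_order = verify(libdir, late)

        # What the check exists for: a plugin damaged after installation.
        (libdir / "libstrongswan-sha2.so").write_bytes(b"\x7fELF-truncated")
        corrupted = verify(libdir, late)

        # And a plugin that disappeared entirely.
        (libdir / "libstrongswan-aes.so").unlink()
        deleted = verify(libdir, late)
    return wrong_order, right_order, corrupted, deleted


if __name__ == "__main__":
    labels = ("manifest before strip", "manifest after strip",
              "plugin corrupted", "plugin deleted")
    for label, res in zip(labels, demo()):
        print(f"{label}: {res}")
```

The first scenario is the one the wiki's "conflicts" section describes: every plugin reports a mismatch even though nothing is wrong, which is why a stripped build must either skip the check or, as suggested above, hash the stripped files. The manifest here lives beside the libraries and is not signed, so this catches the accidental corruption and mixed-up builds the package description talks about, not an attacker who can rewrite both the plugin and its digest.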