[Pkg-swan-devel] Bug#814927: Unresponded bugs (for years) for strongSwan in Debian Bug Tracker

Yves-Alexis Perez corsac at debian.org
Sun Sep 23 13:10:02 BST 2018


On Sun, 2018-09-23 at 02:02 +1000, StarBrilliant wrote:
> Hello,
> 
> On Sat, Sep 22, 2018 at 10:24 PM Yves-Alexis Perez <corsac at corsac.net>
> wrote:
> > I do know about open bugs. I try to limit the number of unanswered bug
> > reports, but I don't have enough time to handle everything
> 
> Thank you for your quick reply! I'm sorry to hear that. And thank you
> for your contributions to the Debian community.
> 
> > If you have specific bugs you'd like answered,
> > feel free to point them to me. Any help appreciated, too.
> 
> I am currently expecting on enabling the ChaPoly plugin (Bug#814927):
> - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814927

Sorry for the lack of reply on this one. As a general thing, I'm not too
inclined in enabling too much stuff in strongSwan, even if it's somehow
modularized through plugins. Quite the opposite actually, I'd rather reduce
the number of algorithms and ciphers to a low number of sane/safe defaults.

That being said, chapoly might not be the worst suite to enable.
> 
> The reason is that, if a disabled cipher suite is set in the
> configuration file, strongSwan will not report any error at early
> stage. Instead strongSwan will complete the handshake but terminate
> the connection when being actually used. Additionally, the default log
> level is too low for the error messages to deliver to the user, so the
> user can't realize they haven't installed a plugin (for example,
> Bug#873339 can be solved by enabling Curve25519).
> 
> I recommend putting ChaPoly and Curve25519 plugins into "recommended
> dependency", because:

It's likely to go to -extra-plugins actually.

> 1) ChaPoly family cipher is stable enough now
> 2) ChaPoly family is becoming more and more popular (for example, in TLS and
>    WireGuard)

Which is completely irrelevant to IPsec and IKE.

> 3) ChaPoly is already the default cipher for strongSwan official Android
> client.

Note that we're talking about *IKE* algorithms here, not IPsec ones.
Performance isn't really critical here.

> 4) Patch is already available

Yeah well, I don't want to demotivate you but patches aren't really enough to
change my mind here.
> 
> 
> Additionally, I want to convince you to enable more ciphers and
> features as plugins (e.g. Bug#803787, SHA3 & NewHope). 

PQ ciphers are definitely too early for me.

> Even though you
> said you are "not a huge fan of enabling more code to an already quite
> complex stack", I want to persuade you with the following reasons:
> 1) They are plugins, so enabling them at the compilation stage does not mean
>    they are also enabled at runtime. The user can choose whether to enable
>    them at runtime.

See above, I don't want to enable everything and the kitchen sink just because
“it's a plugin”.

> 2) If users want to use a plugin that is not enabled in Debian package, they
>    will have to compile themselves. So they won't have automatic updates and
>    security patches provided by Debian, leaving their computers in danger.

Sure, but providing a set of sane/safe defaults is my responsibility. If people
are knowledgeable enough to take their own, then so be it.
> 
> 
> By the way, I am sure willing to help you by providing patches to some
> known bugs, therefore reducing your pressure. 

Providing packaging patches is usually not that helpful for me. More useful
would be actually trying to reproduce bugs, ping reporters, identify fixes
upstream and stuff like that.

Regards,
-- 
Yves-Alexis
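The failure mode quoted above (a proposal naming an algorithm whose plugin was never built, with the error surfacing only after the handshake and only at a log level most people do not run) is easiest to catch before charon ever starts. The following pre-flight check is an added example, not code from the thread or from the strongSwan project: it parses the `loaded plugins:` line of `ipsec statusall` output and flags proposal keywords whose providing plugin is absent. The keyword-to-plugin table is a partial assumption based on upstream plugin names (chapoly, curve25519), and the status output and proposals are constructed sample input.

```python
"""Pre-flight check: flag strongSwan proposal algorithms whose plugin is not loaded."""
import re

# Proposal keyword -> plugin that implements it. Partial table; the mapping is an
# assumption based on upstream strongSwan plugin names, not a complete list, so
# keywords not listed here (aes*, sha*, modp*) are simply not checked.
PLUGIN_FOR = {
    "chacha20poly1305": "chapoly",
    "x25519": "curve25519",
    "x448": "curve25519",
}

# Constructed sample of `ipsec statusall` output from a build without chapoly/curve25519.
STATUS = """Status of IKE charon daemon:
  uptime: 2 minutes
  loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 hmac gmp openssl kernel-netlink socket-default stroke
Listening IP addresses:
"""

# Constructed sample proposals as they would appear in ipsec.conf (ike=/esp=).
PROPOSALS = ["chacha20poly1305-prfsha256-x25519!", "aes256gcm16-prfsha384-modp3072!"]


def parse_loaded_plugins(status_output):
    """Extract the plugin names from the 'loaded plugins:' line; empty set if absent."""
    for line in status_output.splitlines():
        m = re.match(r"\s*loaded plugins:\s*(.*)$", line)
        if m:
            return set(m.group(1).split())
    return set()


def proposal_algorithms(proposal):
    """Split 'chacha20poly1305-prfsha256-x25519!' into its keywords, dropping the '!' suffix."""
    return [tok for tok in proposal.rstrip("!").split("-") if tok]


def missing_plugins(proposals, loaded):
    """Return (proposal, keyword, plugin) for each keyword whose plugin is not loaded."""
    problems = []
    for prop in proposals:
        for alg in proposal_algorithms(prop):
            plugin = PLUGIN_FOR.get(alg)
            if plugin and plugin not in loaded:
                problems.append((prop, alg, plugin))
    return problems


if __name__ == "__main__":
    for prop, alg, plugin in missing_plugins(PROPOSALS, parse_loaded_plugins(STATUS)):
        print(f"{prop}: '{alg}' needs plugin '{plugin}', which is not loaded")
```

On a live host, feed the function the real output of `ipsec statusall` (or `swanctl --list-plugins`, after adapting the parser to its format) and the proposals taken from the configuration.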