[Pkg-swan-devel] Handling of openssl and crypto libstrongswan plugins in 6.0.0+

Yves-Alexis Perez corsac at debian.org
Wed Feb 19 10:31:56 GMT 2025


On Fri, 2025-01-31 at 16:45 +0100, Yves-Alexis Perez wrote:
> I'm wondering about the migration path for Debian: should we follow upstream
> and:
> - move openssl plugin to the libstrongswan package
> - stop building/providing the various cipher-specific plugins

I've also asked on the strongSwan IRC channel and here's the reply from Tobias
Brunner:

> With the openssl plugin enabled and loaded, the other plugins have always
> been redundant. So there is not really a point in enabling and shipping them
> (fips-prf might be an exception but is only required if the eap-sim/aka
> plugins are enabled). Maintaining these custom implementations doesn't make
> that much sense. They are currently not deprecated, but we decided to
> disable them by default and focus on external crypto implementations
> (default via OpenSSL).

If we want to align with upstream we should:
- move the openssl plugin to libstrongswan and that would be enough for most
  cases
- move the cipher-specific plugins to libstrongswan-extra-plugins (I don't
  think we should disable them completely already).

Any thoughts on this?

Regards,
-- 
Yves-Alexis