On Wed, Dec 21, 2016 at 11:22 AM, Yves-Alexis Perez <[email protected]> wrote:
> > b7754fe changelog: d/rules: Make override_dh_strip a nop > > I don't think this one is ok. Stripping the binaries is a Debian Policy > *should*. > > > > The (to be enabled in a later commit in this series) plugin > "integrity-test" > > provides a useful extra feature for the cautious strongswan admin. > > It stores checksums of its libraries and can check non-malicious errors > to > > avoid accidentially loading bad libraries. > > See https://wiki.strongswan.org/projects/strongswan/wiki/IntegrityTest > for > > more. > > > > It is an experimental feature, but out there for a while and was enabled > in > > Ubuntu per user request, so I assume it has its use in the field. > > I have my opinion on this, but I'll keep them to that latter mail. > > > > To be able to do so it stores the checksums as part of the build process. > > But to match those sums later on the build is not allowed to strip the > > plugins. > > That is listed in the "conflicts" section of the Wiki page. > > I think it'd be best to store the checksum of the stripped binaries in any > case. Hi Yves-Alexis, yeah I expected this to be a more discussion-worth one. I contacted a few more people and it turns out that those that "really really" need it e.g. for FIPS create an own checksum checker independent of the integrity-test plugin. That said I'm totally ok with not taking the stripping change, but in that case we should drop the integrity check plugin since we know it won't be usable. Change might be something like the following on top on the other enablement bits: diff --git a/debian/control b/debian/control index 343e0bd..7872360 100644 --- a/debian/control +++ b/debian/control @@ -106,8 +106,6 @@ Description: strongSwan utility and crypto library - resolve (Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8)) - test-vectors (Set of test vectors for various algorithms) - - libchecksum (not a plugin, but an integrity check to detect - misconfigurations or non-malicious file manipulations) Package: libstrongswan-standard-plugins Architecture: any diff --git a/debian/rules b/debian/rules index 03592a9..0c6aeda 100755 --- a/debian/rules +++ b/debian/rules @@ -51,7 +51,6 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-imv-scanner \ --enable-imv-swid \ --enable-imv-test \ - --enable-integrity-test \ --enable-ipseckey \ --enable-kernel-libipsec \ --enable-ldap \
