On 01.04.2014 02:50, Jonathan Davies wrote:
>>> The packaging does have extensive lintian errors, 137 instances of
>>> unstripped-binary-or-object and one spelling-error-in-description.
>>
>> Packages are not stripped to enable the
>> http://wiki.strongswan.org/projects/strongswan/wiki/IntegrityTest suite.
>
> what is this supposed to check? the only reason that I can think of is file
> corruption on the disk.

It's to be assured that the libraries and binaries you are running are what came out of the buildd and haven't been tampered with.

> why should strongswan be special here?

Because on some systems I've built, *everything* relies on the IPsec tunnel being functional for security reasons (with everything else on iptables being blocked). So the assurance above is good to have.

This is also needed for FIPS 140-2, see here:

- http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

Under "4.9.1 Power-Up Tests" → "Software/firmware integrity tests".

[http://wiki.strongswan.org/projects/strongswan/wiki/CryptoTest handles most of the rest of section 4.9].

>> Ideally, I'd like to see a lot more than that; a bunch that come to mind
>> are: lookip,
>> pkcs11 (smartcard backend [and we know from experience how much fun openvpn
>> is with smartcards]), and the TNC
>> (http://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect)
>> components which can tie into Secure Boot.
>
> OK. And you want to seed those or bump those to recommends? I'd like an actual
> list of those you want to promote, because I'd prefer to only promote the
> packages we need.

Preferably seed, I wouldn't want extra pieces installed by default. Let's go for:

* libstrongswan
* strongswan
* strongswan-ike
* strongswan-nm
* strongswan-plugin-dhcp
* strongswan-plugin-eap-md5
* strongswan-plugin-eap-mschapv2
* strongswan-plugin-eap-peap
* strongswan-plugin-eap-radius
* strongswan-plugin-eap-tls
* strongswan-plugin-eap-tnc
* strongswan-plugin-eap-ttls
* strongswan-plugin-gmp
* strongswan-plugin-ldap
* strongswan-plugin-mysql
* strongswan-plugin-openssl
* strongswan-plugin-pkcs11
* strongswan-plugin-radattr
* strongswan-plugin-sql
* strongswan-plugin-unbound
* strongswan-starter
* strongswan-tnc-base
* strongswan-tnc-client
* strongswan-tnc-pdp
* strongswan-tnc-server

We should also grab network-manager-strongswan while we're at it for the desktop side of things.

>> I decided to remove the debconf pieces and just provide a commented out base
>> template configuration file as debconf was much more hassle than it was worth.
>
> Is this in a pending upload?

The pieces removal? Yes. The packages just provided template configuration files for people to edit.

>> Looking at OpenVPN / BIND, I would say that this is the server team's realm.
>
> Can you get them to subscribe to all three packages then?

Team emailed.

** Also affects: network-manager-strongswan (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: network-manager-strongswan (Ubuntu)
       Status: New => Confirmed

https://bugs.launchpad.net/bugs/1266066

Title:
  [MIR] strongSwan