strongSwan 5.1.3

Bug #1330504 reported by Jonathan Davies
This bug affects 4 people
Affects: strongswan (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Jonathan Davies

Bug Description

There's a new version of strongSwan out: 5.1.3.

Jonathan Davies (jpds) wrote :
Robie Basak (racb) wrote :

Debian has 5.1.3-4, so shouldn't this be a merge instead of an -0ubuntu1?

Changed in strongswan (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: upgrade-software-version
Robie Basak (racb) wrote :

(I can't upload/am not a sponsor, BTW)

Chris J Arges (arges) wrote :

The merge report is here:
https://merges.ubuntu.com/s/strongswan/REPORT

$ grep-merges strongswan
strongswan Marc Deslauriers <email address hidden>

I would sync with Marc, see if you can help with the merge.

Jonathan Davies (jpds) wrote :

> Debian has 5.1.3-4, so shouldn't this be a merge instead of an -0ubuntu1?

The Debian and Ubuntu packages have significant differences between them. They came about as I revamped the Ubuntu packaging and then the Debian guys decided to do something else with regards to plugin management, and they also don't enable certain plugins like the TNC stack.

Jamie Strandboge (jdstrand) wrote :

Two entries were missing from the changelog:
* debian/libstrongswan.install: install new acert.* files
* debian/usr.lib.ipsec.stroke: add capability dac_override

I'm still going through the package, but will simply add these as part of the sponsoring process.

Jamie Strandboge (jdstrand) wrote :

Comparing build logs looks good. Comparing binaries looks good. Changes look fine (excepting the two minor issues I mentioned). The test suites pass during the build. ACK with my changes (uploading now).

Changed in strongswan (Ubuntu):
status: Triaged → Fix Committed
Gianfranco Costamagna (costamagnagianfranco) wrote :
Jonathan Davies (jpds) wrote :

Already working with upstream on it: https://wiki.strongswan.org/issues/674

Matthias Klose (doko) wrote :

Fails to build on armhf and ppc64el, setting back to confirmed.
5.2.0 in Debian does not fail.

Changed in strongswan (Ubuntu):
status: Fix Committed → Confirmed
importance: Medium → High
assignee: nobody → Jonathan Davies (jpds)
milestone: none → ubuntu-14.09
tags: added: ftbfs
Robie Basak (racb) wrote :

@glowyaba-o

How is this an upstream bug? Deleting the bug task.

Martin Packman (gz)
affects: strongswan → obsolete-junk
no longer affects: obsolete-junk
Robert Sander (gurubert) wrote :

I am currently affected by https://wiki.strongswan.org/issues/547 which should be fixed in 5.1.3

Jacques (caramba696) wrote :

strongSwan 5.1.2 from Trusty is also affected by https://wiki.strongswan.org/issues/1020 which is fixed in 5.1.3

Changed in strongswan (Ubuntu):
milestone: ubuntu-14.09 → later
Dimitri John Ledkov (xnox) wrote :

FTBFS on s390x; building 5.3.5-1 from Debian cannot be tested yet, as new (universe) dependencies are missing.

tags: added: s390x
Dimitri John Ledkov (xnox) wrote :

Cherry-picking patch from Debian upload 5.1.2-3 fixing the build failure, thus removing s390x tag for now.

tags: removed: s390x
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.3.5-1ubuntu1

---------------
strongswan (5.3.5-1ubuntu1) xenial; urgency=medium

  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable bliss plugin
  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable chapoly plugin
  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
    Upstream suggests to not load this plugin by default as it has
    some limitations.
    https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
  * debian/patches/increase-bliss-test-timeout.patch
    Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
  * Update Apparmor profiles
    - usr.lib.ipsec.charon
      - add capability audit_write for xauth-pam (LP: #1470277)
      - add capability dac_override (needed by agent plugin)
      - allow priv dropping (LP: #1333655)
      - allow caching CRLs (LP: #1505222)
      - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
    - usr.lib.ipsec.stroke
      - allow priv dropping (LP: #1333655)
      - add local include
    - usr.lib.ipsec.lookip
      - add local include
  * Merge from Debian, which includes fixes for all previous CVEs
    Fixes (LP: #1330504, #1451091, #1448870, #1470277)
    Remaining changes:
      * debian/control
        - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
        - Update Maintainer for Ubuntu
        - Add build-deps
          - dh-apparmor
          - iptables-dev
          - libjson0-dev
          - libldns-dev
          - libmysqlclient-dev
          - libpcsclite-dev
          - libsoup2.4-dev
          - libtspi-dev
          - libunbound-dev
        - Drop build-deps
          - libfcgi-dev
          - clearsilver-dev
        - Create virtual packages for all strongswan-plugin-* for dist-upgrade
        - Set XS-Testsuite: autopkgtest
      * debian/rules:
        - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
        - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
          tests.
        - Change init/systemd program name to strongswan
        - Install AppArmor profiles
        - Removed pieces on 'patching ipsec.conf' on build.
        - Enablement of features per Ubuntu current config suggested from
          upstream recommendation
        - Unpack and sort enabled features to one-per-line
        - Disable duplicheck as per
          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
        - Disable libfast (--disable-fast):
          Requires dropping medsrv, medcli plugins which depend on libfast
        - Add configure options
          --with-tss=trousers
        - Remove configure options:
          --enable-ha (requires special kernel)
          --enable-unit-test (unit tests run by default)
        - Drop logcheck install
      * debian/tests/*
        - Add DEP8 test for strongswan service and plugins
      * debian/strongswan-starter.strongswan.service
        - Add new systemd file instead of patching upstream
      * debian/strongswan-starter.links
        - removed, use Ubuntu systemd file instead of linking to upstream
      * debia...

Changed in strongswan (Ubuntu):
status: Confirmed → Fix Released