Comment 13 for bug 1266066

Am 01.04.2014 02:50, schrieb Jonathan Davies:
>>> The packaging does have extensive lintian errors, 137 instances of
>>> unstripped-binary-or-object and one spelling-error-in-description.
>>
>> Packages are not stripped to enable the
>> http://wiki.strongswan.org/projects/strongswan/wiki/IntegrityTest suite.
>
> what is this supposed to check? the only reason that I can think of is file
> corruption on the disk.

It's to be assured that the libraries and binaries you are running are what came out of the buildd and haven't been tampered with.

> why should strongswan be special here?

Because on some systems I've built, *everything* relies on the IPsec tunnel being functional for security reasons (with everything else on iptables being blocked). So the assurance above is a good to have.

This is also needed for FIPS 140-2, see here:

- http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

Under "4.9.1 Power-Up Tests" → "Software/firmware integrity tests".

[http://wiki.strongswan.org/projects/strongswan/wiki/CryptoTest handles most of the rest of section 4.9].

>> Ideally, I'd like to see a lot more than that; a bunch that come to mind are: lookip,
>> pkcs11 (smartcard backend [and we know from experience how much fun openvpn
>> is with smartcards]), and the TNC (http://wiki.strongswan.org/projects/strongswan
>> /wiki/TrustedNetworkConnect) components which can tie into Secure Boot.
>
> OK. And you want to seed those or bump those to recommends? I'd like an actual
> list of those you want to promote, because I'd prefer to only promote the
> packages we need.

Preferably seed, I wouldn't want extra pieces installed by default. Let's go for:

 * libstrongswan
 * strongswan
 * strongswan-ike
 * strongswan-nm
 * strongswan-plugin-dhcp
 * strongswan-plugin-eap-md5
 * strongswan-plugin-eap-mschapv2
 * strongswan-plugin-eap-peap
 * strongswan-plugin-eap-radius
 * strongswan-plugin-eap-tls
 * strongswan-plugin-eap-tnc
 * strongswan-plugin-eap-ttls
 * strongswan-plugin-gmp
 * strongswan-plugin-ldap
 * strongswan-plugin-mysql
 * strongswan-plugin-openssl
 * strongswan-plugin-pkcs11
 * strongswan-plugin-radattr
 * strongswan-plugin-sql
 * strongswan-plugin-unbound
 * strongswan-starter
 * strongswan-tnc-base
 * strongswan-tnc-client
 * strongswan-tnc-pdp
 * strongswan-tnc-server

We should also grab network-manager-strongswan while we're at it for the desktop side of things.

>> I decided to remove the debconf pieces and just provide a commented out base
>> template configuration file as debconf was much hassle than it was worth.
>
> Is this in a pending upload?

The pieces removal? Yes. The packages just provided template configuration files for people to edit.

>> Looking at OpenVPN / BIND, I would say that this is the server team's realm.
>
> Can you get them to subscribe to all three packages then?

Team emailed.