Am 01.04.2014 02:50, schrieb Jonathan Davies:
>>> The packaging does have extensive lintian errors, 137 instances of
>>> unstripped-binary-or-object and one spelling-error-in-description.
>>
>> Packages are not stripped to enable the
>> http://wiki.strongswan.org/projects/strongswan/wiki/IntegrityTest suite.
>
> what is this supposed to check? the only reason that I can think of is file
> corruption on the disk.
It's to be assured that the libraries and binaries you are running are what came out of the buildd and haven't been tampered with.
> why should strongswan be special here?
Because on some systems I've built, *everything* relies on the IPsec tunnel being functional for security reasons (with everything else on iptables being blocked). So the assurance above is a good to have.
>> Ideally, I'd like to see a lot more than that; a bunch that come to mind are: lookip,
>> pkcs11 (smartcard backend [and we know from experience how much fun openvpn
>> is with smartcards]), and the TNC (http://wiki.strongswan.org/projects/strongswan
>> /wiki/TrustedNetworkConnect) components which can tie into Secure Boot.
>
> OK. And you want to seed those or bump those to recommends? I'd like an actual
> list of those you want to promote, because I'd prefer to only promote the
> packages we need.
Preferably seed, I wouldn't want extra pieces installed by default. Let's go for:
We should also grab network-manager-strongswan while we're at it for the desktop side of things.
>> I decided to remove the debconf pieces and just provide a commented out base
>> template configuration file as debconf was much hassle than it was worth.
>
> Is this in a pending upload?
The pieces removal? Yes. The packages just provided template configuration files for people to edit.
>> Looking at OpenVPN / BIND, I would say that this is the server team's realm.
>
> Can you get them to subscribe to all three packages then?
Am 01.04.2014 02:50, schrieb Jonathan Davies: binary- or-object and one spelling- error-in- description. wiki.strongswan .org/projects/ strongswan/ wiki/IntegrityT est suite.
>>> The packaging does have extensive lintian errors, 137 instances of
>>> unstripped-
>>
>> Packages are not stripped to enable the
>> http://
>
> what is this supposed to check? the only reason that I can think of is file
> corruption on the disk.
It's to be assured that the libraries and binaries you are running are what came out of the buildd and haven't been tampered with.
> why should strongswan be special here?
Because on some systems I've built, *everything* relies on the IPsec tunnel being functional for security reasons (with everything else on iptables being blocked). So the assurance above is a good to have.
This is also needed for FIPS 140-2, see here:
- http:// csrc.nist. gov/publication s/fips/ fips140- 2/fips1402. pdf
Under "4.9.1 Power-Up Tests" → "Software/firmware integrity tests".
[http:// wiki.strongswan .org/projects/ strongswan/ wiki/CryptoTest handles most of the rest of section 4.9].
>> Ideally, I'd like to see a lot more than that; a bunch that come to mind are: lookip, wiki.strongswan .org/projects/ strongswan tworkConnect) components which can tie into Secure Boot.
>> pkcs11 (smartcard backend [and we know from experience how much fun openvpn
>> is with smartcards]), and the TNC (http://
>> /wiki/TrustedNe
>
> OK. And you want to seed those or bump those to recommends? I'd like an actual
> list of those you want to promote, because I'd prefer to only promote the
> packages we need.
Preferably seed, I wouldn't want extra pieces installed by default. Let's go for:
* libstrongswan plugin- dhcp plugin- eap-md5 plugin- eap-mschapv2 plugin- eap-peap plugin- eap-radius plugin- eap-tls plugin- eap-tnc plugin- eap-ttls plugin- gmp plugin- ldap plugin- mysql plugin- openssl plugin- pkcs11 plugin- radattr plugin- sql plugin- unbound tnc-client tnc-server
* strongswan
* strongswan-ike
* strongswan-nm
* strongswan-
* strongswan-
* strongswan-
* strongswan-
* strongswan-
* strongswan-
* strongswan-
* strongswan-
* strongswan-
* strongswan-
* strongswan-
* strongswan-
* strongswan-
* strongswan-
* strongswan-
* strongswan-
* strongswan-starter
* strongswan-tnc-base
* strongswan-
* strongswan-tnc-pdp
* strongswan-
We should also grab network- manager- strongswan while we're at it for the desktop side of things.
>> I decided to remove the debconf pieces and just provide a commented out base
>> template configuration file as debconf was much hassle than it was worth.
>
> Is this in a pending upload?
The pieces removal? Yes. The packages just provided template configuration files for people to edit.
>> Looking at OpenVPN / BIND, I would say that this is the server team's realm.
>
> Can you get them to subscribe to all three packages then?
Team emailed.