Discussion:
Bug#927092: release-notes: document removal of ipsec-tools in buster
Noah Meyerhans
2019-04-15 02:10:01 UTC
Package: release-notes
Severity: normal

Ipsec-tools has been removed from buster. As a security-sensitive package,
active upstream involvement is essential for this package, but it has been
lacking for some time. Users are encouraged to migrate to Libreswan, which has
broader protocol compatibility and an active upstream.

Thanks
noah
Andrei POPESCU
2019-04-15 06:00:02 UTC
control -1 moreinfo
Post by Noah Meyerhans
Package: release-notes
Severity: normal
Ipsec-tools has been removed from buster. As a security-sensitive package,
active upstream involvement is essential for this package, but it has been
lacking for some time.
Would you mind elaborating a bit on this part? It would help to come up
with an adequate entry explaining the issue without stepping on anyone's
toes.
Post by Noah Meyerhans
Users are encouraged to migrate to Libreswan, which has
broader protocol compatibility and an active upstream.
Is Libreswan a drop-in replacement or is a migration necessary? In case
of a migration, is it possible to describe it in a few sentences and
maybe point to some other resource (e.g. a wiki)?

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser
Noah Meyerhans
2019-04-30 05:40:01 UTC
Control: tags -1 - moreinfo
Post by Andrei POPESCU
Post by Noah Meyerhans
Ipsec-tools has been removed from buster. As a security-sensitive package,
active upstream involvement is essential for this package, but it has been
lacking for some time.
Would you mind elaborating a bit on this part? It would help to come up
with an adequate entry explaining the issue without stepping on anyone's
toes.
ipsec-tools is, by its nature, a security sensitive package. It is
responsible for implementing cryptographic measures to protect privacy
and authenticity of traffic between endpoints on the internet. Doing
this safely and effectively requires active ownership of the code on an
ongoing basis in order to keep up with changes to the threat landscape.
Ipsec-tools hasn't had such ownership in years, and talks of forking the
project have consistently stalled.
Post by Andrei POPESCU
Post by Noah Meyerhans
Users are encouraged to migrate to Libreswan, which has
broader protocol compatibility and an active upstream.
Is Libreswan a drop-in replacement or is a migration necessary? In case
of a migration, is it possible to describe it in a few sentences and
maybe point to some other resource (e.g. a wiki)?
libreswan should be fully compatible in terms of communication
protocols, since it implements a superset of racoon's supported
protocols. However, migration of the configuration between systems is
probably going to fall to the administrator. I'm not aware of any
migration guides that would help in this case, and I can't promise that
I'll have time to write one in time for reference in the release notes.

noah
Andrei POPESCU
2019-04-30 07:20:02 UTC
Post by Noah Meyerhans
Control: tags -1 - moreinfo
Post by Andrei POPESCU
Post by Noah Meyerhans
Ipsec-tools has been removed from buster. As a security-sensitive package,
active upstream involvement is essential for this package, but it has been
lacking for some time.
Would you mind elaborating a bit on this part? It would help to come up
with an adequate entry explaining the issue without stepping on anyone's
toes.
ipsec-tools is, by its nature, a security sensitive package. It is
responsible for implementing cryptographic measures to protect privacy
and authenticity of traffic between endpoints on the internet. Doing
this safely and effectively requires active ownership of the code on an
ongoing basis in order to keep up with changes to the threat landscape.
Ipsec-tools hasn't had such ownership in years, and talks of forking the
project have consistently stalled.
In my perception the above paragraphs could be wrongly understood if,
for example, upstream developers don't agree with your assessment.

For what it's worth, in my opinion, the Release Notes should be as
neutral as possible and avoid discussing performance of other projects,
especially outside Debian.
Post by Noah Meyerhans
Post by Andrei POPESCU
Post by Noah Meyerhans
Users are encouraged to migrate to Libreswan, which has
broader protocol compatibility and an active upstream.
Is Libreswan a drop-in replacement or is a migration necessary? In case
of a migration, is it possible to describe it in a few sentences and
maybe point to some other resource (e.g. a wiki)?
libreswan should be fully compatible in terms of communication
protocols, since it implements a superset of racoon's supported
protocols. However, migration of the configuration between systems is
probably going to fall to the administrator. I'm not aware of any
migration guides that would help in this case, and I can't promise that
I'll have time to write one in time for reference in the release notes.
Ugh..

Suggested text:

Ipsec-tools removed from buster

Ipsec-tools has been removed from buster as it has been lagging
behind in adapting to new threats.

Users are encouraged to migrate to Libreswan, which has broader
protocol compatibility and is being actively maintained upstream.

Libreswan should be fully compatible in terms of communication
protocols since it implements a superset of racoon's supported
protocols.

In case a migration guide becomes available later (e.g. in the wiki or
so) another paragraph can be added to point to it.

Would the above text address the issue in your opinion?

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser
Debian Bug Tracking System
2019-04-30 05:40:01 UTC
Post by Noah Meyerhans
tags -1 - moreinfo
Bug #927092 [release-notes] release-notes: document removal of ipsec-tools in buster
Removed tag(s) moreinfo.
--
927092: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927092
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2019-05-03 19:30:01 UTC
Your message dated Fri, 3 May 2019 21:18:44 +0200
with message-id <ece9d7b4-13fa-e459-875d-***@debian.org>
and subject line Re: Bug#927092: release-notes: document removal of ipsec-tools in buster
has caused the Debian Bug report #927092,
regarding release-notes: document removal of ipsec-tools in buster
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)