Post by Noah MeyerhansControl: tags -1 - moreinfo
Post by Andrei POPESCUPost by Noah MeyerhansIpsec-tools has been removed from buster. As a security-sensitive package,
active upstream involvement is essential for this package, but it has been
lacking for some time.
Would you mind elaborating a bit on this part? It would help to come up
with an adequate entry explaining the issue without stepping on anyone's
toes.
ipsec-tools is, by its nature, a security sensitive package. It is
responsible for implementing cryptographic measures to protect privacy
and authenticity of traffic between endpoints on the internet. Doing
this safely and effectively requires active ownership of the code on an
ongoing basis in order to keep up with changes to the threat landscape.
Ipsec-tools hasn't had such ownership in years, and talks of forking the
project have consistently stalled.
In my perception the above paragraphs could be wrongly understood if,
for example, upstream developers don't agree with your assessment.
For what it's worth, in my opinion, the Release Notes should be as
neutral as possible and avoid discussing performance of other projects,
especially outside Debian.
Post by Noah MeyerhansPost by Andrei POPESCUPost by Noah MeyerhansUsers are encouraged to migrate to Libreswan, which has
broader protocol compatibility and an active upstream.
Is Libreswan a drop-in replacement or is a migration necessary? In case
of a migration, is it possible to describe it in a few sentences and
maybe point to some other resource (e.g. a wiki)?
libreswan should be fully compatible in terms of communication
protocols, since it implements a superset of racoon's supported
protocols. However, migration of the configuration between systems is
probably going to fall to the administrator. I'm not aware of any
migration guides that would help in this case, and I can't promise that
I'll have time to write one in time for reference in the release notes.
Ugh..
Suggested text:
Ipsec-tools removed from buster
Ipsec-tools has been removed from buster as it has been lagging
behind in adapting to new threats.
Users are encouraged to migrate to Libreswan, which has broader
protocol compatibility and is being actively maintained upstream.
Libreswan should be fully compatible in terms of communication
protocols since it implements a superset of racoon's supported
protocols.
In case a migration guide becomes available later (e.g. in the wiki or
so) another paragraph can be added to point to it.
Would the above text address the issue in your opinion?
Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser