[Openswan dev] Re: Openswan Debian package, first version (fwd)

Rene Mayrhofer rene.mayrhofer at gibraltar.at
Wed Apr 14 12:48:19 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Michael,

mcr at xelerance.com wrote:
| Rene, thank you very much for that patch.
You're welcome. I think we can finally get the Debian packaging into the
upstream tree (with a nice "make deb" target), as I have now come around
to work on it.

| Some questions: 1) top-level Makefile. What was the problem with the
| checkv199install: check?
Not sure at the moment, will have to recheck that.

| 2) your patch seems to include patches for a number of files in
| _confread that are generated at compile time.
Whoops, that shouldn't happen - maybe the debian/rules clean target
needs tweaking.

| 3) ditto. openswan-2.1.1/doc/manpage.d
Dt. - openswan seems to handle that dir a bit differently than the late
freeswan versions. I will have to recheck.

| 4) I want to remove all of the debian/freeswan.* files from our tree.
|  I think that this will be okay?
Yes, please do so.

| 5) as an option, one can have per-host logging, stored by default to
|  /var/log/pluto/peer/A/B/C/D/A.B.C.D.log
|
| (A.B.C.D is the IPv6, or for IPv6, it is split into 16-bit chunks)
|
| We have not yet written any program to clean/roll these logs. I
| wonder if there is a good one on debian that will do this? My
| experience with logrotate is that it can't deal with rotating all
| files in a hierarchy, while ignoring the backups.
I also think that logrotate won't handle that, and unfortunately I also
don't know another alternative at the moment.

| 6) there are some patches in pre-build-install, which I think I can
| remove.
Which ones ?

| 7) I have moved fswcert to programs/fswcert
Great.

| We'd like to change how the private keys are generated. Instead of
| relying on openssl, I'd like to generate the private key as we
| normally do, then use a program (to be written) that will generate a
|  self-signed certificate from what is in /etc/ipsec.secrets. It would
|  also generate a certificate request at the same time.
Hmm, using openssl (with probably already existing certificates) has the
advantage that a host may use its certificate for IPSec and e.g. HTTPS
(if that's a good idea is left to the admin, but it is simpler to do).

| A bug about fswcert is that it produces an ipsec.secrets file which
| is in hex (the old format), vs in base64. This affects some other
| scripts.
I see - maybe fswcert can be changed to generate the new format? How
different is it?

| 8) we want to continue to support KLIPS on 2.4, and expect to support
|  it on 2.6.
Me too ;) The last package creates the kernel-patch-openswan and
openswan-modules-source package, equivalent to freeswan. There are still
some issues, but I should be able to resolve them pretty soon.

| At the same time, we want to support 26sec. 26sec is missing quite a
|  number of key things, and has the EAGAIN problem. We are hoping that
|  we will be able to fix these issues, but we do not have the
| resources to do so at this time.
I think it will need some changes in the kernel code.

| 9) use bash stuff. Hmm. If that is the simplest solution, then I'll
| change the headers to do that.
Yes, please. Some scripts (those which I patch) aren't really POSIX
shell script, they require bash at some places. It would be better to
fix the issues in the script, but the quick fix is to just use bash
(which almost everybody has installed anyways).

How about awk/gawk ? Some awk scripts don't run cleanly with mawk, but
they do with gawk. Currently I am replacing awk calls with gawk ones in
debian/rules, it might also be better to change them in the upstream code.

| 10) I don't understand why you install the ipsec.secrets.proto file.
|  Openswan 2.x does not build the key at install time. (Freeswan
| stopped doing that around 1.96 or something)
Ok, I was not aware of that - it's just legacy code. I will try to
change that to a "cleaner" way.

| Reply-To list if you feel comfortable with that.
Done.

best regards,
Rene

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFAfQjgq7SPDcPCS94RAlLvAKDP+QhLBEktx1cETlf8zuQHco4d4wCeLkvB
dMNAmtgilvFlwfqhPYIJizg=
=g2vI
-----END PGP SIGNATURE-----
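The per-host log tree in point 5 (one live A.B.C.D.log per peer, deep in a directory hierarchy, with rotated copies sitting beside it) is what the thread says logrotate cannot handle cleanly. The script below is an added example and not part of Openswan or the Debian packaging: a minimal POSIX sh rotator that walks a tree, touches only files whose names end in .log, and leaves the numbered backups alone. The tree root, the retention count and the function names are assumptions for illustration; it is written in plain POSIX sh (no bash-only constructs), which is the other point raised in item 9.

```shell
#!/bin/sh
# Added example (not Openswan code): rotate every live *.log beneath a
# directory tree while ignoring the numbered backups (*.log.1, *.log.2, ...)
# that earlier rotations produced. Tree root and retention count are
# hypothetical parameters supplied by the caller.

# rotate_one FILE KEEP: drop FILE.KEEP, shift FILE.1..FILE.(KEEP-1) up by
# one, move FILE to FILE.1 and recreate an empty FILE. Empty live logs are
# left untouched so idle peers do not accumulate empty backups.
rotate_one() {
    f=$1
    keep=$2
    [ -s "$f" ] || return 0
    # Oldest backup falls off the end when retention is full.
    [ -e "$f.$keep" ] && rm -f "$f.$keep"
    i=$((keep - 1))
    while [ "$i" -ge 1 ]; do
        [ -e "$f.$i" ] && mv "$f.$i" "$f.$((i + 1))"
        i=$((i - 1))
    done
    mv "$f" "$f.1"
    : > "$f"    # fresh empty live log under the original name
}

# rotate_tree DIR [KEEP]: find live logs under DIR and rotate each one.
# Only names ending in .log match, so rotated copies are never re-rotated.
rotate_tree() {
    dir=$1
    keep=${2:-5}
    find "$dir" -type f -name '*.log' | while IFS= read -r f; do
        rotate_one "$f" "$keep"
    done
}

# count_backups FILE: number of numbered backups currently beside FILE.
count_backups() {
    n=0
    for b in "$1".[0-9]*; do
        [ -e "$b" ] && n=$((n + 1))
    done
    echo "$n"
}
```

A cron entry calling `rotate_tree /var/log/pluto/peer 7` would keep a week of per-peer history; because the daemon keeps the old file descriptor open until it is told otherwise, a real deployment would still need to signal or restart pluto after the rename, exactly as logrotate's postrotate would.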
