[Swan-commit] Changes to ref refs/heads/master
Antony Antony
antony at vault.libreswan.fi
Mon Sep 25 16:55:26 UTC 2017
New commits:
commit d286d106bd6fc9996c40821089f1e562bf0cebc9
Merge: 39a63da 4091d58
Author: Antony Antony <antony at phenome.org>
Date: Mon Sep 25 18:36:34 2017 +0200
Merge branch 'debian-master-fixes'
fixes after merging debian-master
fix make deb
commit 4091d58f963b875672503b860ae8aed9ce49fe99
Author: Antony Antony <antony at phenome.org>
Date: Wed Jan 20 17:13:46 2016 -0500
add explicit debug symbols package, libreswan-dbg_*
revert aaefcbb
The commit aaefcbb does not work when using 'make deb'
commit 2282ecff37d884ffbc618e516e02696ce8875926
Author: Antony Antony <antony at phenome.org>
Date: Mon Sep 25 17:35:17 2017 +0200
Revert "USE_DNSSEC=false b/c upstream needs libunbound to link to libevent"
This reverts commit b460bec76ea610be2bad21a678003a176d6d9be5.
commit 218bbdd15fdd19da0e637e57346b55fd0ebf0480
Author: Antony Antony <antony at phenome.org>
Date: Mon Sep 25 17:29:37 2017 +0200
debian: maintainer to paul and vcs to upstream repo
commit 86f2e6702535546cac0e38dbc5fe9c9fb8d68c89
Author: Antony Antony <antony at phenome.org>
Date: Mon Sep 25 15:35:41 2017 +0200
building: debian allow building without downloading, override
fix:
debuild -i -us -uc -b -d
Would this break other dependencies? then we may need a better fix
Error:
dpkg-buildpackage: host architecture amd64
dpkg-source -i --before-build libreswan
dpkg-buildpackage -rfakeroot -D -us -uc -i -b failed
dpkg-buildpackage: warning: (Use -d flag to override.)
commit e299a54b183486e0e79216971becb771f46f1c78
Author: Antony Antony <antony at phenome.org>
Date: Mon Sep 25 13:40:33 2017 +0200
packaging: remove packaging/debian/NEWS
commit 3d43eec3e3717897f1144bd5c8aeb4c7d22e0ca2
Author: Antony Antony <antony at phenome.org>
Date: Mon Sep 25 16:41:57 2017 +0200
debian: git mv ./debian ./packaging/
commit 4f4acba7b437c0de8d4bfa419f8ed2cb26ccc3e1
Author: Antony Antony <antony at phenome.org>
Date: Mon Sep 25 16:41:00 2017 +0200
debian: add @ in changelog
It was lost along the way
commit 39f48dcf5c4d74ec9cdb28c622f211af1a0d69b6
Author: Antony Antony <antony at phenome.org>
Date: Mon Sep 25 16:40:10 2017 +0200
debian: packaging prepare to move debian ./packaging/debian
commit 73a3df4644e863430038a85e1833718b07b836c5
Author: Antony Antony <antony at phenome.org>
Date: Mon Sep 25 10:09:05 2017 +0200
git: add debian/* to .gitignore
build: make deb, cp -r --reflink=auto packaging/debian .
commit b2394fb705f7ce07b90831a22f6001981df497be
Author: Antony Antony <antony at phenome.org>
Date: Mon Sep 25 16:35:33 2017 +0200
debian: remove the extra patches not necessary in upstream
commit 79178171a852dcbfa18604d20685471a2f8956f6
Merge: 2255b26 36d8270
Author: Antony Antony <antony at phenome.org>
Date: Mon Sep 25 16:34:01 2017 +0200
Merge branch 'https://anonscm.debian.org/git/collab-maint/libreswan.git/master'
syncup debian directory from the master before moving to
./packaging/debian
Conflicts:
debian/NEWS
debian/changelog
commit 36d8270131c8e28bdf26a25229d80dc36a333d48
Author: Antony Antony <antony at phenome.org>
Date: Tue Sep 12 20:12:28 2017 +0200
add systemd build dependency
the package systemd is needed to auto detect UNITDIR,
'pkg-config systemd --variable=systemdsystemunitdir'
adding this dependency may work on debian build systems
Signed-off-by: Antony Antony <antony at phenome.org>
commit 004a116052c3640e3c6feed5b1171b20f2722c2c
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Aug 10 13:55:13 2017 -0400
prepare debian release
commit 1b5a0b9f5b45174d20146a4b579380d4e80c7a93
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Aug 10 23:46:04 2017 -0400
do not persecute Antony Antony
commit 8fd1b23f94b5b608a4a9367b68b08896147aaf7e
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Aug 10 23:45:24 2017 -0400
clean up some spelling
commit b460bec76ea610be2bad21a678003a176d6d9be5
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Aug 10 22:37:55 2017 -0400
USE_DNSSEC=false b/c upstream needs libunbound to link to libevent
See: https://github.com/libreswan/libreswan/issues/117
commit 8cc719339830eefec550f106b92ca5e341518287
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Aug 10 22:22:22 2017 -0400
Initial attempt at autopkgtest
We just try to set up opportunistic IPsec encryption to
http://oe.libreswan.org
commit 111d677a498d88e8550df7fafe0e58b98b7257ca
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Aug 10 21:01:23 2017 -0400
Standards-Version: bump to 4.0.1 (no changes needed)
commit 40971977f66c3d22ec273fc42f308747f3a109ed
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Aug 10 19:11:07 2017 -0400
update build-dependencies to match upstream expectations
commit 313aa9da9992044a56343c46d6a43c747cc82fa4
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Aug 10 18:29:08 2017 -0400
add dependency on iptables
/usr/sbin/ipsec assumes that iptables exists and works.
I asked on #swan (freenode) and the conclusion was that it was just
easier to install iptables for now.
if https://github.com/libreswan/libreswan/issues/116 is resolved
upstream, we might be able to relax this to nftables instead.
commit 83048dad74edf0bbd06c25886b633fe2f0d5e9af
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Aug 10 15:55:05 2017 -0400
ensure that /run/pluto exists
commit b3e3d4a458a68f14d88a24eea6c564281baa71df
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Aug 10 15:18:50 2017 -0400
use systemd presets for default-disabled service
commit 379b3c92f34c22eed06e14208bbd6fef456c06ed
Merge: a7ba3a1 2e2a612
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Aug 10 13:54:05 2017 -0400
Merge tag 'v3.21' into experimental
* FIPS: Don't crash on too weak PSK's in FIPS mode, warn for non-FIPS [Andrew]
* FIPS: rsasigkey: Use modulus F4, not 3 (FIPS 186-4, section B.3.1) [Paul]
* pluto: Support for "idXXX" esp/ike transform IDs removed [Andrew,Paul]
* pluto: Do not return whack error when terminating an alias connection [Paul]
* pluto: Remove IKE policy bits on passthrough conns [Paul]
* pluto: Minor memory leak fixes [Paul]
* pluto: Fix memory leak due to addresspool reference count error [Antony]
* pluto: Re-add support for ipsec whack --listevents [Antony]
* pluto: Cleanup listed events on shutdown to please leak-detective [Antony]
* pluto: Perform stricter SubjectAltName checks on configured ID's [Paul]
* pluto: Handle *subnets in --route and --unroute via whack [Mika/Tuomo]
* pluto: Unify IKEv1 XAUTH and IKEv2 PAM threading code [Andrew]
* pluto: Use pthread_cancel() (not SIGINT, conflicts with debuggers) [Andrew]
* pluto: Fix memory corruption with XAUTH/PAM threads [Andrew/Hugh]
* pluto: Fix resource leak processing XAUTH password authentication [Andrew]
* pluto: Fix warnings generated by gcc 7.1 [Lubomir Rintel]
* pluto: NIC offload support nic-offload=auto|yes|no (eg mellanox) [Ilan Tayari]
* pluto: Use common function in ikev1 / ikev2 for dpd/liveness actions [Antony]
* NSS: Try harder finding private keys that reside on hardware tokens [Andrew]
* IKEv2: Opportunistic IPsec support for IPSECKEY records [Antony]
* IKEv2: New dnssec-enable=yes|no, dnssec-rootkey-file=, dnssec-anchors= [Paul]
* IKEv2: If CREATE_CHILD_SA superseded retransmit, drop it [Antony]
* IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.1) [Antony]
* IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.2 responder) [Antony]
* IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.3 responder) [Antony]
* IKEv2: Flush ESP/AH proposals on the initiator. It could be stale [Antony]
* IKEv2: State Machine (svm) updates to simplify CREATE_CHILD_SA [Antony]
* IKEv2: DH role is based on message role not Original Initiator role [Antony]
* IKEv2: Return CHILD_SA_NOT_FOUND when appropriate [Antony]
* IKEv2: After an IKE rekey, rehash inherited Child SA to new parent [Antony]
* IKEv2: Rekeying must update SPIs when inheriting a Child SA [Antony]
* IKEv2: Decrypt and verify the payloads before calling processor [Andrew]
* IKEv2: Fragmentation code cleanup [Andrew]
* IKEv2: Drop CREATE_CHILD_SA message when no IKE state found [Antony]
* IKEv2: Do not send a new delete request for the same Child SA [Antony]
* IKEv2: During Child SA rekey, abort when ESP proposals mismatch [Antony]
* IKEv2: OE client check should take responders behind NAT into account [Paul]
* IKEv2: Improved dpdaction=hold processing [Antony]
* IKEv1: Only initiate and create IKE SA for appropriate dpdaction [Antony]
* IKEv1: Re-add SHA2_256 (preferred) and SHA2_512 to IKEv1 defaults [Andrew]
* IKEv1: Aggressive Mode fixes for sending CERT / CERTREQ payloads [Paul]
* IKEv1: Multiple CISCO_SPLIT_INC's cause duplicate spd_routes [Oleg Rosowiecki]
* X509: Improve some failure logging [Paul]
* XFRM: Use proper alignment for IPv4 AH as per RFC4302 Section 3.3.3.2.1 [Paul]
* XFRM: Update including system or local copy of xfrm.h [Paul/Antony]
* XFRM: Remove no longer needed {rt}netlink.h copies [Paul]
* KLIPS: cryptoapi: switch from hash to ahash [Richard]
* KLIPS: Add traffic accounting support [Richard/Paul]
* KLIPS: Support for linux 4.11 [Paul]
* lib: Move the alg_info lookup-by-name code to libswan [Andrew]
* lib: Move all conditionally compiled ike_alg*.c files to libswan.a [Andrew]
* addconn: Replace ttoaddr() with calls supporting DNSSEC [Paul/Antony]
* libswan: Algo code cleanup [Andrew]
* libipsecconf: Load specified RSA keys irrespective of policy [Paul]
* libipsecconf/pluto: Be more strict in authby= & type= combinations [Paul]
* libipsecconf: Fail to load connections with unsatisfied auto= clause [Hugh]
* parser: Numerous algorithm parser fixes, eg. esp=aes_ccm_8_128-null [Andrew]
* algparse: (Experimental) modified to run algorithm parser stand-alone [Andrew]
* newhostkey: Actually append to secrets as the warning claims it will [Paul]
* _updown.netkey: Fix syntax failure when PLUTO_MY_SOURCEIP is not set [Tuomo]
* _updown.netkey,klips: Fix use of printf when updating resolv.conf [Tuomo]
* _updown.netkey: Remove wrong use of PLUTO_PEER_CLIENT netmask [Tuomo]
* _updown: Add MAX_CIDR variable for host netmask [Tuomo]
* ipsec import: Trust bits correction did not always trigger [Tuomo]
* building: Convert lib/ to use mk/library.mk [Andrew]
* building: Work around rhel-6 gcc [Andrew]
* building: Add copy unbound-event.h work around broken unbound installs [Paul]
* packaging: Better split rpm and make variables [Paul]
* packaging: Updates for new requirements for ldns, unbound-devel [Paul]
* testing: Add DNSSEC, Opportunistic IPsec testcases, fixups [Multiple people]
* contrib: Munin plugin for libreswan [Kim/Paul]
commit a7ba3a12911b44c98be55132d0a97178fd912908
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Jun 26 16:52:21 2017 -0400
new debian release candidate
commit 1fb0a9a762e351a04c5f3c431faf8a8f3dc854d2
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Jun 26 17:52:28 2017 -0400
bump Standards-Version to 4.0.0 (no changes needed)
commit 4d1ca1776898f571be030576868fd7a26e8f3ed6
Author: Antony Antony <antony at phenome.org>
Date: Sat Jun 24 00:21:12 2017 +0200
add dns-root-data dependency and use root.key from it
set Debian location for root.key file when compiling
DEFAULT_DNSSEC_ROOTKEY_FILE=/usr/share/dns/root.key
Signed-off-by: Antony Antony <antony at phenome.org>
commit 938c3e394459e93926416a9a3e0ab03c2b6d7787
Merge: 1fd90fd 827c9f3
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Jun 26 16:51:45 2017 -0400
Merge tag 'v3.21_rc5' into experimental
Upstream version 3.21~rc5
commit 827c9f353affbfcb7a8bd03b73bb33923dc4b3a2
Merge: dc7a5ee 29f68e3
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Jun 26 16:51:42 2017 -0400
New upstream version 3.21~rc5
commit 1fd90fd9d2a7d333208079c0f3e9137b8b6f7689
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Jun 2 11:45:13 2017 -0400
no longer need this cleanup
commit 1f2d1b5f7ae053b30ce728b929284098d55e5500
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Jun 2 10:41:06 2017 -0400
refresh patch
commit 4c2c6ad48e7ad174f3817bd17a39f3b639fec984
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Jun 2 10:05:53 2017 -0400
added libldns-dev to build-deps
commit 73de4e7dbd08423b2d3b1f745800c0b481a7faaa
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Jun 2 09:58:54 2017 -0400
prepare new debian experimental release
commit 61834b028e896f21e9f3c351183f17265ba4894c
Merge: ec19c95 dc7a5ee
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Jun 2 09:58:00 2017 -0400
Updated version 3.21~rc2 from 'v3.21_rc2'
with Debian dir 4fa565447eec6d950e379f069452ad7d79a1229f
commit dc7a5eecd1d09dd97d6949a0ad7a5d8df52cbff4
Merge: 329edad 267b530
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Jun 2 09:57:56 2017 -0400
New upstream version 3.21~rc2
commit ec19c95724ec2405a07ada5e5e0b93b263e84fb3
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Jun 1 23:52:51 2017 -0400
look for release candidates as well as developer releases
commit 536ee96a3d683fd08d1b2cc23309f09310317f2e
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri May 5 12:47:50 2017 -0400
prepare new debian release
commit 0935d5c7342bdbc7dc4ca4d4c9d26385ad4568b5
Author: Laurent Bigonville <bigon at debian.org>
Date: Fri May 5 12:45:45 2017 -0400
Only depends against libcap-ng-dev on linux (Closes: #861887)
ATM libreswan is not being built because it depends against
libcap-ng-dev that is only available on linux architectures.
commit 08fd011f394f1f5beafca75b47b9f5a692535d62
Author: Laurent Bigonville <bigon at debian.org>
Date: Fri May 5 12:44:44 2017 -0400
Enable SELinux/LABELED_IPSEC support (Closes: #861881)
It would be nice to enable labeled ipsec/SELinux support in libreswan.
This would only work on Linux architectures.
commit 855e846cb9aba5fcd0ca7cd171a553c3afa6891d
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Tue Mar 21 16:15:52 2017 -0400
prepare another debian release
commit 8445a6084bdfbee42ea626a1d596d24e112ac5c9
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Tue Mar 21 16:15:15 2017 -0400
another batch of fixes for time_t on x32
commit b9ee5bcf159be06c7bdfd43e919b42d2802a69c4
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Tue Mar 21 12:14:27 2017 -0400
prepare another debian release
commit e51e3275a77d7152e5cd1fc88450fac46764626f
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Tue Mar 21 12:13:58 2017 -0400
more fixes for x32 and time_t
commit 0daae8d78c3100f30692de3d35e77563125485d5
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Tue Mar 21 02:31:47 2017 -0400
no stack-protector on alpha either
commit 181261e0e282671683287b00fb5cd528ec7b3b05
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Mar 20 22:11:38 2017 -0400
prepare another debian release
commit 79c38a5a863d09cf63b338909186352ead5874db
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Mar 20 22:11:12 2017 -0400
still more x32 time_t printf fixes
commit 76367efccf3575c5c61509517cd5df79bab660a9
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Mar 20 21:24:57 2017 -0400
prepare another debian release
commit 0391f24ae2d54c33488d62f13cbc8f0a9fc59ff6
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Mar 20 21:29:30 2017 -0400
fix hppa workaround
commit 18f933936c4a9f59631577f8758ab4b1baea6a06
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Mar 20 21:23:57 2017 -0400
more fixes for printing time_t on x32
commit 5529bf043bf4757bd11ba3d9e17c1c5be5ef85d1
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Mar 20 18:51:51 2017 -0400
prepare debian build fix release
commit a6afe64ca6b6c3283756f3c98c5c51b2c767af10
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Mar 20 18:50:08 2017 -0400
avoid -fstack-protector-all for hppa
commit 84f5822b47be92e4ba2549a5c7ff69549f4ff1fb
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Mar 20 18:43:17 2017 -0400
avoid time_t printf problems on x32
commit 257d0c67b1441c5a4f17e1d5a62327f8e1710c55
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Mar 20 14:59:17 2017 -0400
prepare debian release
commit 3d802a02753cb04405b6721f6f27199ab5529f9d
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Mar 20 15:02:42 2017 -0400
dh-systemd is legacy
commit 57d47978e60b30db4f24b04d67673c00ef432a69
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Mar 20 14:52:18 2017 -0400
drop patches already included upstream
commit aa361fb59662920527b95aad4491b105c65451f6
Merge: 54085f0 329edad
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Mar 20 14:47:09 2017 -0400
Merge tag 'v3.20'
v3.20 (March 14, 2017)
* pluto: Add ECP dh19(secp256r1), dh20(secp384r1) and dh21(secp521r1) [Andrew]
* pluto: Add dh= aliases for all modp= groups (eg "dh2" for "modp1024") [Paul]
* pluto: Add statistics support to ipsec whack --globalstatus [Paul]
* pluto: Add statistics clearing support using ipsec whack --clearstats [Paul]
* pluto: Fix use-after-free in whack event handler (since v3.19) [Andrew]
* pluto: Cleanup kernel_netlink.c [Hugh]
* pluto: Print AH= algorithm and ESN when established [Paul/Andrew]
* pluto: strip file path from abort messages [Andrew]
* pluto: Support initiating template conn with --remote-host <ipaddr> [Paul]
* pluto/libswan: Change most ttoaddr() to ttoaddr_num() to prevent DNS [Paul]
* pluto: fix use-after-free with EVENT_v2_RELEASE_WHACK [Andrew]
* pluto: orient() asserted on SPLIT_INC without remote-peer-type=cisco [Paul]
(reported by Oleg Rosowiecki)
* pluto: accurately size a buffer for the decimal representation [Hugh]
(debian bug 853507)
* pluto: avoid gcc unused variable warnings when USE_KLIPS=false [dkg]
* pluto: Support for Linux systems without IFA_F_TENTATIVE (CentOS5) [Paul]
* pluto: Ignore uniqueids= for roadwarrior PSK and assume non-unique [Paul]
* IKEv2: CREATE_CHILD support for Parent SA and Child SA rekeying [Antony]
* IKEv2: Various refactoring for CREATE_CHILD support [Antony]
* IKEV2: OE/CAT: Don't send CP request when responder is behind NAT [Antony]
* IKEv2: log first notify payload when we receive a Notify Error [Paul]
* IKEv2: Fix memory leak in DH secret calculation (since v3.9) [Andrew]
(reported by Eric Andresson)
* IKEv2: If re-entering ikev2_crypto_start(), reset msgid [Paul]
* IKEv2: prevent copying bogus peer id when ID kind is IPv4/IPv6 [Paul]
(rhbz#1392191)
* IKEv2: suppress DELETE notifies for connections being replaced [Paul]
* IKEv2: re-instate ISAKMP_SA_established() [Paul]
* IKEv1: For IKE (phase 1), prefer 256-bit encryption [Andrew]
* IKEv1: Print conn algo's when using XAUTH [Andrew]
* IKEv1: Simplify ike= defaults (drop MODP1024, MD5, add MODP2048) [Andrew]
* IKEv1: Prefer 256-bit keys over 128-bit keys for IKE [Andrew]
* IKEv1: Also call ISAKMP_SA_established() in Aggressive Mode [Paul]
* newhostkey: Convert remaining --configdir for --nssdir [Tuomo]
* barf: Ensure proper macros are used. Add certutil/crlutil output [Paul]
* misc: Fix various spelling errors in code/comments/man pages [dkg]
* packaging: spec files should use 0 and 1, not true and false [David Arnold]
* building: NSS_REQ_AVA_COPY?=true to support new NSS lib export fix [Paul]
* building: Remove no longer needed NSSCERT_CheckCrlTimes() copy [Paul]
* building: fetch: remove support for ancient LDAP version 2 [Tuomo]
* building: move whack to separate programs/whack/ directory [Andrew]
* building: Various Makefile variable cleanups and double link fixes [Andrew]
* building: Don't check runtime for SElinux/systemd with DESTDIR [Paul]
* documentation: added oe-letsencrypt-* example configs [Paul]
commit 54085f039420d262362b0990f844c436cd10ed2b
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Feb 3 18:21:31 2017 -0500
avoid too-small buffers during printf (closes: #853507)
commit b2d25b8bed6af6dda2e1491343613e5f2f27bd79
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Feb 3 12:35:21 2017 -0500
prepare debian release
commit 001f9bbeb2f6ac29288270fb4fd4259080c403a4
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Feb 3 12:21:53 2017 -0500
conflict directly with strongswan-starter (Closes: #836862)
commit 394383616eefd38c668f12d578fdc33403d65ca3
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Feb 3 12:02:18 2017 -0500
Test proposal for mips and mipsel builds (trying to fix: #853947)
commit a97f345ca0c2e1dfd56db7512b9f7ab33c9f9b6e
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Feb 1 14:43:47 2017 -0500
more fixes from upstream
commit b4b893aa43b8aa2fa6d693d9885309833e94cfed
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 25 20:14:49 2017 -0500
prepare debian release
commit 416b9854fa195832fefe530ae6495a610129077b
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 25 19:16:47 2017 -0500
use wrap-and-sort -ast to canonicalize debian metadata files
commit 95c1c5e8b5e6b65d9cc9480e232c47b818074cd0
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 25 19:16:08 2017 -0500
convert to debhelper 10
commit 5f9ec12b25d264e4002e095b608a53d6f82522a4
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 25 19:15:06 2017 -0500
fix spelling errors found by lintian
commit 1c5117b61e2f8683eaceb4506614cbca9e734d31
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 25 19:07:47 2017 -0500
cleaner build without KLIPS
commit 7e01932f5d9233049c1919e719f522d05e30e821
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 25 19:00:17 2017 -0500
drop patches already applied upstream, clean up remaining patches
commit 5990dd5d21fabe93ebbd97dc405444f3cb3eed08
Merge: 2d1d303 3db85fc
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 25 18:38:07 2017 -0500
Merge tag 'v3.19'
v3.19 (January 15, 2017)
* NSS: Support for configurable nss dir via @IPSEC_NSSDIR@ [dkg/Tuomo]
* FIPS: Only pluto needs a .hmac file, reducing crypto boundary [Paul]
* FIPS: do not allow DBG_PRIVATE to be set when running in FIPS mode [Paul]
* FIPS: Ignore failureshunt=passthrough and negotiationshunt=passthrough [Paul]
* FIPS: Filter default proposals of non-FIPS allowed proposals [Andrew]
* FIPS: Added CAVP test for pluto GCM code [Andrew]
* FIPS: More cleanup of crypto related structs and functions [Andrew]
* FIPS: Implement SHA based PRFs directly in NSS [Andrew]
* FIPS: Support for CAVP testing 'HMAC construct' based SHA PRF code [Andrew]
* IKEv2: Don't crash on bogus mixed protocol Delete Payloads [Hugh/Paul]
* IKEv2: Add asymmetric AUTH support (leftauth= and rightauth=) [Antony/Paul]
* IKEv2: refactored AUTH handling payload into v2_check_auth() [Paul]
* IKEv2: support CERT chain sending [Paul]
* IKEv2: Allow CERT and CERTREQ payloads multiple times [Paul]
* IKEv2: do not attempt to send notify in reply to IKE_AUTH reply [Paul]
* IKEv2: When receiving DELETE, ensure expire+restart when needed [Antony]
* IKEv1: If a queued up DPD probe finds no IKE SA, create a new one [Paul]
* IKEv1: accept_delete() check if IKE SA is shared before deleting [Paul]
* IKEv1: Remove ADNS, DNS continuations and IKEv1 OE code [Paul/Antony]
* IKEv1: Schedule IPsec SA REPLACE immediately when receiving DELETE [Antony]
* IKEv1: Some IKE SA failure on initiator could lead to hanging whack [Paul]
* KLIPS: fix for unregister_netdevice() for Linux 3.6.11 and up [Richard/Paul]
* XFRM: EXPERIMENTAL Support for configuring IP address on the VTI device [Paul]
keyword: leftvti=address/mask
* XFRM: Fix NAT-T support when userland compiled without KLIPS support [Paul]
* X509: Obsolete /etc/ipsec.d/crls (load_crls()) and whack --rereadcrls [Paul]
* X509: New whack --fetchcrls (alias ipsec crls) to trigger a fetch [Paul]
* X509: Iterate all X.509 certs and try to fetch their crls [Kim]
* X509: Start a fetch for CRLs 5 seconds after startup [Kim]
* X509: --rereadcrls no longer overwrites newer CRLs with older ones [Paul]
* X509: log the NSS error when CERT_ImportCerts() fails [Paul]
* X509: Don't attempt to fetch crl->uri when not present [Paul/Matt]
* X509: Additional OCSP options to tweak the cache and fetch method [Paul]
(new keywords: ocsp-method ocsp-cache-size ocsp-cache-min-age
ocsp-cache-max-age)
* X509: Fix memory leak in certificate handling (lsbz#278) [William Rios]
* X509: Fix memory leak in certificate chain handling [Matt]
* pluto: close whack socket in add_pending when dup pending is skipped [Hugh]
* pluto: Avoid adding duplicate bare shunts causing lockup [Paul]
* pluto: drop modp1024 (DH2) from IKEv1 "ike=" default list [Andrew]
* pluto: send_packet() now refuses to send a packet to 0.0.0.0 [Paul]
* pluto: find_hostpair ignore CK_INSTANCES which are ID_NULL [Antony]
* pluto: Fix ca name and generalName leak lsbz#276 [Bill Rios]
* pluto: EXPERIMENTAL SECCOMP support (seccomp=enabled|tolerant|disabled) [Paul]
* pluto: connection instances need their own reqid [Antony]
(this resolves multiple clients behind same NAT router issue)
* pluto: Use a global reqid counter instead of looping every time [Paul]
* pluto: use sets instead of nested loops for transform processing [Andrew]
* pluto: Prefer not switching connections when possible [Paul/Hugh]
* pluto: Move unique mark from rw_instantiate() to instantiate() for OE [Paul]
* pluto: log more information when a bare shunt is missing [Hugh]
* pluto: redo process_encrypted_informational_ikev2 [Hugh]
* pluto: Add new config option encapsulation=auto|yes|no [Paul/Patrick Kerpan]
replacing forceencaps=yes|no
* pluto: No longer log bogus reapchildren warning [Paul]
* libipsecconf: libipsecconf: remove last remnants of manual keying [Paul]
* libipsecconf: remove auth= alias for phase2= [Paul]
* _updown.netkey: Move addcat call from route-host to up-client [Paul]
* ipsec: initnss|import use --nssdir for nssdb directory option [Tuomo]
* newhostkey: use --nssdir for nssdb directory option [Tuomo]
* showhostkey: use --nssdir for nssdb directory option [Tuomo]
* barf: minor improvements with systemd/journalctl [Paul]
* verify: fix "with FIPS" output to print OK [Paul]
* _stackmanager: add cmac and chacha20poly1305 to modprobe list [Paul]
* building: libreswan assumes -std=gnu99 when building [Andrew]
* building: USE_EXTRACRYPTO replaced by USE_SERPENT and USE_TWOFISH [Paul]
* building: Disable DH22 by default. To re-enable use USE_DH22=true [Paul]
* building: work around flex 2.5.4 (CentOS 5); use: -o/output/file [Andrew]
* sysvinit: remove unnecessary warnings about already stopped pluto [Tuomo]
* initsystems: Enable "systemctl help ipsec" [dkg]
* testing: various web output fixes (see testing.libreswan.org) [Andrew]
* testing: various test updates / additions [Paul/Antony]
* documentation: fixup changes in GPL 2.0 / LGPL like FSF address [dkg]
* Bugtracker bugs fixed:
#270 newhostkey: text output produces 1 character bug in pubkey [Andrew]
#272 Option --leak-detective causes assertion failure [Bill / Paul]
#277 pluto: fix pluto events leak in timer_event_cb [Bill Rios]
#152: ipsec whack --initiate for xauth does not release whack [Paul/Hugh]
commit 2d1d303931e4129c78c95ce986a951c1f972153f
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Aug 7 21:54:19 2016 -0400
cleaning up copyright further
commit fa199865bf0b648bc8d0c641a70cfa8fab7a2f5c
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Aug 7 21:14:28 2016 -0400
upstream cleaned up some of their source; simplify debian/copyright
commit 48e347661daf27f18b0643eea6f63febd3494732
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Aug 7 20:57:54 2016 -0400
drop lintian override for usr/lib/ipsec/verify, since it is not needed
commit 723eff2ee2f782898f494fa2293cd10dd53abbb7
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Aug 7 20:55:09 2016 -0400
Spelling and documentation fixups
commit 19c77579ecc8c3d6ef6dbe1b02b88070af128cba
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Aug 7 20:27:46 2016 -0400
no more need to delete sysconfig
commit 367c5baf35ec559a42ff6ac4db22463f9ab1935e
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Aug 7 19:48:44 2016 -0400
use nssdir patches from upstream
commit fde1ce809ceda3afd079f7bdb980f88a486842e6
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Aug 7 17:34:38 2016 -0400
update debian/patches
commit 350f98070928a71551182db4de8ce3c4935a0f9c
Merge: 4817eeb 232e565
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Aug 7 17:31:46 2016 -0400
Merge tag 'v3.18'
v3.18 (July 27, 2016)
* SECURITY: CVE-2016-5391: IKEv2 proposal lacking DH causes restart [Andrew]
* XFRM: EXPERIMENTAL Support for NAT OE Client Address Translation (leftcat=) [Antony]
* XFRM: EXPERIMENTAL Support for routed-VPNs using VTI [Paul/Tuomo]
keywords: vti-interface=<name> vti-routing=yes|no vti-shared=yes|no
* XFRM: EXPERIMENTAL Support for Traffic Flow Confidentiality tfc=XXX [Paul]
* KLIPS: Fix for /proc/net/pf_key oops on < 4.4 [Erik Andersson]
* KLIPS: Fix overwriting the sk pointer in 4.4 kernels [Ofer Heifetz]
* FIPS: Only the pluto binary needs a fipscheck .hmac file for self-test [Paul]
* FIPS: Change SA_LIFE_DURATION_MAXIMUM from 1 day to 8h [Paul]
* FIPS: Do not allow Linux-style sha2 truncation for ESP in FIPS mode [Paul]
* FIPS: Allow PSK in FIPS mode. This was erroneously not allowed [Paul]
* FIPS: Added new ipsec whack --fipsstatus [Paul]
* IKEv2: For default proposals, prefer MODP2048 over MODP1536 [Andrew]
* IKEv2: For proposals like ike=aes-sha2, prefer AES_256 over AES_128 [Andrew]
* IKEv2: For default ESP proposals, include and prefer AES_GCM [Andrew]
* IKEv2: For default ESP/AH proposals, do not propose MD5 integrity [Andrew]
* IKEv2: Add MODP3072 to defaults to ease interop with strongswan [Andrew]
* IKEv2: Prefer sha2-512 over sha2-256 for ESP to avoid linux bug [Andrew]
* IKEv2: fix use of ikev2_cert_req_fields [Lubomir Rintel]
* IKEv2: Extend and improve notify handling [Paul]
* IKEv2: Update ike endpoint as per rfc7296#section-2.23 [Antony/Paul]
* IKEv2: If first liveness probe failed, we never noticed liveness failure [Paul]
* pluto: Extend mark= support for mark-in= and mark-out= [Paul]
* pluto: implement unique marks by using mark=-1 [Paul]
* pluto: Add systemd watchdog support via USE_SYSTEMD_WATCHDOG [Matt/Paul]
* pluto: Follow connaddrfamily when resolving hostnames [Daniel M. Weeks]
* pluto: Check enum names consistency on startup [Hugh]
* pluto: Log mismatched DH group (KE payload) to log (not debug) [Andrew]
* pluto: Don't try to delete non-existing ipsec sa's (github #50) [Paul]
* pluto: Prevent double free of id data [Hugh]
* pluto: Avoid crashing on gaining remote ip locally (rhbz#1229766) [Paul]
* pluto: ESN could use uninitialised values and fail [Paul/Andrew]
* X509: Try subsequent crl distribution points when first one fails [Kim]
* whack: Display IPv4 lease address in --trafficstatus [Andrew]
* libipsecconf: New keyword left/rightckaid=XXX [Andrew]
* libipsecconf: Remove legacy keyword subnetwithin= [Hugh]
* libipsecconf: Clean out kv_auto / kv_manual attributes [Hugh]
* updown: Add SPI_IN= and SPI_OUT= to updown scripts [Paul]
* programs: Removed obsoleted ikeping and livetest [Paul]
* newhostkey: No longer touch any secret files [Andrew]
* showhostkey: Only look at NSS - don't require ipsec.secrets [Andrew]
* libswan: Fix unbound dnsctx handling [Hugh/Paul]
* libswan/libipsecconf: Clean up SECRETS code [Andrew]
* libswan: Delete getNSSPassword; replaced by lsw_nss_get_password [Andrew]
* addconn: Find peer IP address when resolving default route [Daniel M. Weeks]
* barf: If systemd detected, use journalctl to get logs [Paul]
* building: The make variable NSSLIBS was renamed to NSS_LDFLAGS [Andrew]
* building: Fix building without DNSSEC support [Hugh/Paul]
* packaging: Updates for debian packaging [dkg]
* initsystem: Add docker support using 'make INITSYSTEM=docker' [Kim]
* ipsec import: Add --configdir|--ipsecdir option for nss db location [Tuomo]
* _import_crl: Fix to work with nsspasswd [Andrew]
* _stackmanager: Remove loading of hardware random modules [Tuomo]
* _stackmanager: hide error if /proc/sys/net is read-only (i.e. docker) [Kim]
* ipsec: remove run by root check for Neutron/VPNaaS [Tuomo]
* ipsec: add option [--configdir|--ipsecdir /etc/ipsec.d] [Tuomo]
* testing: Various improvements for running tests, include web tree [Andrew]
* testing: New makefile targets, see 'make kvm-help' [Andrew]
* testing: pluto support for --expire-bare-shunt <interval> [Paul]
commit 4817eebfba7162455116fae13eb694fceecedf34
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Jun 23 01:18:49 2016 -0400
break out more patches
commit 4be63376d138a6c3f98cd04a2501d6de2f4c67b5
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jun 22 18:11:28 2016 -0400
upstream is using README.md
commit d88d0f2d80a877983183de86b7f0f55dad8d718c
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jun 22 17:47:19 2016 -0400
Use /var/lib/ipsec/nss ; do not change newhostkey --output
commit 30c0050b298c77307f4248a57643880230235372
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jun 22 17:31:47 2016 -0400
refreshed patches
commit 7ff0a92c93559e3090a2ffbe0d82c0e8a63db220
Merge: 5caf0b5 e59d378
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Jun 20 16:25:07 2016 -0400
Merge tag 'v3.18dr3' into debian master
commit 5caf0b5eb3e99a888d2a16fe27101ec0bdd5a4d9
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Jun 20 00:59:06 2016 -0400
avoid building with KLIPS support
We do not currently provide kernel modules; NETKEY (kernel builtin) is
likely sufficient, and i'd like to keep the debian packaging simple
from the start -- we can make it more complex later.
This means that the following ipsec subcommands are also not shipped:
* eroute
* klipsdebug
* pf_key
* spi
* spigrp
* tncfg
* _updown.klips
commit 0d2dc842c3695c50671161ff435fb9a5a041943c
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 23:47:33 2016 -0400
simplify debian/gbp.conf
upstream releases appear to be generated exactly from the git repo (no
autoconf shenanigans or distribution-time generated files), which is
quite nice. As such, we should treat upstream's master branch
directly as the upstream branch for gbp.
commit 7668176847092a48b87e532232c06198049d2c1f
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 23:05:31 2016 -0400
preparing upload to experimental
commit 207f3a0ede3cf0320cadf48c7f10a6f675d6b02f
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 17:41:17 2016 -0400
take ownership of the package
Since i haven't checked with Paul or Ondřej yet, and it's possible
that neither of them will like the changes to the NSS homedir, i'll
take responsibility for the package. Happy to have package
maintainership revert to either of them if they want it.
commit b1d04c45dab74c8e138866b5e8dbe5118e8aea6c
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 12:12:05 2016 -0400
move NSS database from /etc/ipsec.d to /var/lib/libreswan/nss
Keeping the database in /etc/ipsec.d has several problems:
* Its files get mixed in with the actual hand-editable config files
(*.conf and *.secret) which the administrator might want to review
and modify.
* It is difficult to clean it up or delete it sensibly on package
purge, since different versions of nss actually use different file
names.
* It is managed by the utility itself (e.g. "ipsec rsasigkey" and
"ipsec newhostkey", "ipsec _import_crl"), so it meets the FHS's
guidelines for /var/lib better than it meets the guidelines for
/etc
commit 2cc352c1455f8494f0c828f3ca0d87f748364e98
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 14:17:29 2016 -0400
include some useful upstream README files
commit 8877be70d19611afbfe66bb040a4aa71484f554d
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 12:12:57 2016 -0400
README.Debian: openswan is only in debian oldstable. do not mention migrations
commit 0d5fcdb98807dddbaf10cb4d826e6f54e37ff6cd
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 11:58:25 2016 -0400
"dh_systemd_enable --no-enable" should be sufficient to ensure the service does not start automatically
commit 94eaaed068e88ce8a4a5d0b4316502b7630cce3c
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 11:44:56 2016 -0400
acknowledge the use of systemd
We want to shut down the service on removal and purge if it happens to
be running. And we want it to restart on upgrades (again, only if
it's running). But we do not want to start it by default, or enable
it by default.
commit 7f56b214ca736aa32c5a6f0153e7b2f15cb35a66
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 11:30:50 2016 -0400
clean up NSS database and generated newhostkey on purge
commit 2be86327f3b9eb53b296eff44182f010427185ed
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 10:52:15 2016 -0400
watch for development releases as well.
commit f883b55567d176b2341773e1abb7543ff5c06487
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 10:35:01 2016 -0400
these directories are already created elsewhere, not needed
commit ade024da85f230e593932e0a04468bb86215b6fc
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 10:26:25 2016 -0400
we are not installing sysvinit scripts, no need for INC_RCDEFAULT
commit 67995054ba06c6538cdbbf3a2e6d54a8f22496de
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 10:25:38 2016 -0400
use INC_MANDIR instead of MANTREE
commit 98ae6da79a2ef556ca5ebba5c494b1646634b136
Author: Ondřej Surý <ondrej at sury.org>
Date: Mon Jun 13 12:53:28 2016 +0200
Fix dh_auto_install invocation
commit 28448b2c131b6e857bd8d802cc7a22d5faf4e2df
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 10:15:11 2016 -0400
normalize naming of debian/patches
commit dc6e343bcb2cdd9cf78c6762047b47f00714f61e
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 10:13:26 2016 -0400
upstream has also cleaned up their intermediate files
commit db29ca6ac8d2a25fc3afaf0cf4eab53dbd0f281b
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 10:10:06 2016 -0400
upstream has already fixed their manpage-naming issues
commit 09183c97b129dfc9cc95cb759c38ce9989eec877
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 10:07:04 2016 -0400
get rid of unnecessary cleanup
commit 41f6669eaf1580e8acafd59ac35eb5f7d29ec30f
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 10:03:15 2016 -0400
be verbose about cleanup so we know what is left to do
commit 77e28476db5f6015ca3fe261009f708b6352f886
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 09:52:10 2016 -0400
No need to specify CONFDIR in debian/rules
Simplify, simplify! Plus, $(CURDIR)/debian doesn't appear to make
much sense.
commit ea83252bd93e602928081b63fd319a57f6398b27
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 09:48:14 2016 -0400
added notes about debian packaging
commit a0433f0f77e32ec1b3e7bcf4af972e7d5681234e
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 09:38:24 2016 -0400
clean up debian/rules
* USE_ADNS was removed in 3.16.
* FINALBINDIR is derived from FINALLIBEXECDIR by default
* we want to drop capabilities where possible with LIBCAP_NG (and the
detection in plutomain.c seemed to fail even with
USE_LIBCAP_NG=false somehow)
commit e06a3085349abc7316e5bbebc044c6a1d6209c95
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 09:08:48 2016 -0400
more updates to README.Debian
commit c8d3e377bc2a99dfcb3bb716e14662653a20fcb1
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 08:32:14 2016 -0400
Add Ondřej Surý as a co-maintainer
commit b067b9a846cab820a2b10d9368f20fef41442b44
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 08:20:03 2016 -0400
fix section header in documentation
commit 85feb3bac6e6fbec6ba0a4cc5b81c2e5fd36aaa4
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 07:49:18 2016 -0400
Avoid non-standard permissions for /etc/ipsec*
Debian's preferred default is for configuration files to be public.
shipping secret files in a .deb doesn't make a lot of sense (anyone
can fetch the .deb and look at its contents) and the admin can always
create secret files manually for PSKs or XAUTH tokens as mode 0700
named to match /etc/ipsec.d/*.secret
commit eb63c3e4956e483da3cd5c352d717175cc0c72e4
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sat Jun 18 22:39:55 2016 -0400
update how we deal with newhostkey
commit 6a56bcea5f6be1d9e735f9e0a75d258969e25eca
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sat Jun 18 19:11:17 2016 -0400
add provenance for debian/patches
commit 28d9f64e3a6d308818d53abd82f85154ed9cce02
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sat Jun 18 19:05:48 2016 -0400
add instructions for opportunistic encryption
commit 1d2d2bfa246404c8ee46258c897d4552ad9d8c0b
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sat Jun 18 18:56:46 2016 -0400
ship README.rfcs in the documentation as well for those who want protocol references
commit 0f34153923f04b3cdf064ccd92afce05623d0049
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sat Jun 18 18:54:43 2016 -0400
ship example config code
commit 899b2f2c8f0f2c37ecac7ae17d8a4171b214b3de
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sat Jun 18 16:43:19 2016 -0400
build against libevent and libcap-ng
commit bc78698fb4fb0ac7779cdf11976a669ccfd7e667
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sat Jun 18 16:32:13 2016 -0400
we need pkg-config
commit 91e3b8e37cbca1cb5304dadb02f9179f9019608c
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sat Jun 18 16:06:24 2016 -0400
sign README.Debian, acknowledge that we could add KLIPS/MAST later if we wanted to
commit 206c92f34834d4672560bcce0afa93b77c532d52
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sat Jun 18 16:05:52 2016 -0400
ensure that we build against libsystemd
commit 44b72958183e2ff9c9a85e7023b3634c029c5985
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sat Jun 18 16:01:07 2016 -0400
point Vcs fields to collab-maint
commit 46b2c599e1aeee084ab210ff511d219ee61094a9
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sat Jun 18 15:56:09 2016 -0400
bump standards-version to 3.9.8 (no changes needed)
commit 548a6cf1ac83440db68b57f6594a12d4b9817ae7
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sat Jun 18 15:50:31 2016 -0400
repair changelog to include ITP bug number
commit 7ce277a576198e54ef6347a057d61b15da52f43e
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sat Jun 18 15:46:07 2016 -0400
another fix for flex/gcc incompatibility
commit 5dbd13d41a30602208d0360d9920f8c312065cb1
Merge: 1704b3f 6b84ad3
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Jun 19 23:39:41 2016 -0400
Merge upstream tag 'v3.18dr2' into debian
commit 1704b3f4d6472dcbaadab6cb6e01285c7505c50f
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Jan 22 10:07:52 2016 -0500
fixing gbp.conf
commit 631939d77bfdac1cf6e9169c50e9bce5c3003b28
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Jan 22 02:29:39 2016 -0500
we are not doing a lot of debconf templating, so we do not need these translations.
commit 0923b3bbf4c442bdb111e6c3edc9b86919f3e2ef
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Jan 22 02:17:32 2016 -0500
removed copyright statements about liblswcrypto since it was removed in bc3975c5105cc77c9c7217869530ccf4763acd5f
commit 794deed52d9cab7cbfd7f6dd5738f55602865078
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 20 17:30:57 2016 -0500
clean up lintian-overrides
commit f824d88c03d04c9af0a39739c1363d3621c89c00
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 20 19:02:59 2016 -0500
no need for postrm if we are not configuring things in prerm
commit 25fa3ea0e0308025b0d9d72026c5e4891ad5a9df
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 20 17:15:20 2016 -0500
we have no NEWS, as this is the first time libreswan is in debian
commit aaefcbb741a0872bdcf5a7c8831b23ba4a09747b
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 20 17:13:46 2016 -0500
remove explicit debug symbols package in favor of the standardized dbgsym packages
commit 47edc45f16eb6bbd3a80faa97fb24b491a43489d
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 20 17:06:45 2016 -0500
clean up debian/copyright
commit a13c7868ade43070f1ebf60a4efa2f1961a3bc02
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 20 17:06:18 2016 -0500
specify upstream versions of dependencies
commit 3e50e17b8bc627c8fc722545bee6500da302e6b4
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Tue Dec 22 17:24:29 2015 -0500
use wrap-and-sort to canonicalize debian/ dir
commit 27cfd9952688af1cddc45e73e628b9a268cce128
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Tue Dec 22 17:21:38 2015 -0500
rely on version control to track patch removal
commit cf1a8128eee56f93063d5c7de8916835f391a302
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Tue Dec 22 17:16:40 2015 -0500
cleaning up debian packaging a bit