[Swan-dev] libreswan in debian - Ondřej offered to help (fwd)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jun 22 20:40:43 UTC 2016


On Mon 2016-06-20 13:25:26 -0400, Paul Wouters wrote:
> The VTI stuff is bleeding edge. So I can understand KLIPS users want to
> still use it for a few more releases. We get frequent requests about
> KLIPS. Anyway, if you're the maintainer we can do without KLIPS and
> see what happens.

Let's start it that way.  If that works for some folks, but others rally
around KLIPS, then we can add it in.  It's much easier to go in that
direction than to take something away from even a tiny number of people
once they've come to expect it :)

> No one is objecting and we all agree it is the best. Like I said, we
> just were not ready for it yet. I'm fine with you trying to make it
> /var/lib/ipsec. I should probably cut a dr3 for you so at least you
> have the right binaries with --configdir everywhere (rsasigkey,
> showhostkey)

OK, i'll modify debian to make it use /var/lib/ipsec/nss for the nss
directory.

> And maybe just rename --configdir to --nssdir (and leave the old name
> undocumented)

I'm happy to have --nssdir be the formal name for all of the subcommands
which need it.  What i don't want is for that configuration parameter to
influence other file locations.

What option will libreswan use to look for policies/ and passwd and
nsspassword ?  (and cacerts/ and crls/ for as long as those remain an
option)

> No one should call rsasigkey directly, it is supposed to go through the
> newhostkey wrapper. Which you suggested above could cause the nss init.

Maybe it should be named _rsasigkey then?  should the documentation have
big scary warnings? i'd assumed that the convention was that documented
subcommands without a leading underscore were knobs that admins were
expected to be able to twiddle.

the EXAMPLES section in ipsec_rsasigkey(8) shows:

  ipsec rsasigkey --verbose 4096 >mykey.txt

but of course that fails...

          --dkg
