debian/changelog

+strongswan (5.8.0-2) unstable; urgency=medium
+
+  [ Christian Ehrhardt ]
+  * d/control: Mention mgf1 plugin which is in libstrongswan now
+  * Complete the disabling of libfast
+  * Clean up d/strongswan-starter.postinst: section about runlevel changes
+  * Clean up d/strongswan-starter.postinst: opportunistic encryption
+  * Enable kernel-libipsec for use of strongswan in containers
+  * d/control, d/libcharon-{extras,extauth}-plugins.install: Add
+    extauth-plugins package (Recommends)
+  * apparmor: d/usr.lib.ipsec.charon: sync notify rule from charon-systemd
+  * apparmor: fix apparmor denies reading the own FDs (LP: 1786250)
+  * apparmor: d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin
+    (LP: 1773956)
+  * apparmor: d/usr.lib.ipsec.stroke: executables need to be able to read map
+    and execute themselves
+  * apparmor: d/usr.lib.ipsec.lookip: executables need to be able to read map
+    and execute themselves
+  * apparmor: d/usr.sbin.swanctl: add apparmor rule for af-alg plugin
+    (LP: 1807962)
+  * d/control: libtpmtss is actually packaged in libstrongswan-extra-plugins
+
+  [ Ryan Harper ]
+  * Remove code related to unused debconf managed config
+
+  [ Yves-Alexis Perez ]
+  * ship xfrmi only on Linux, fix FTBFS on kfreebsd
+  * d/libcharon-extra-plugins.install: drop plugins disabled in Debian
+  * d/control: update standards version to 4.4.1
+  * d/strongswan-starter.templates: drop runlevel_changes
+  * let dh_installinit handle update-rc.d calls
+  * d/salsa-ci.yml: add a salsa pipeline config
+  * d/rules: drop dbgsym migration
+  * strongswan-starter: update line number in lintian override
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Sat, 05 Oct 2019 15:03:59 +0200
+
 strongswan (5.8.0-1) unstable; urgency=medium
 
   [ Christian Ehrhardt ]

debian/control

@@ -3,7 +3,7 @@ Section: net
 Priority: optional
 Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
 Uploaders: Yves-Alexis Perez <corsac@debian.org>
-Standards-Version: 4.4.0
+Standards-Version: 4.4.1
 Vcs-Browser: https://salsa.debian.org/debian/strongswan
 Vcs-Git: https://salsa.debian.org/debian/strongswan.git
 Build-Depends: bison,
@@ -239,8 +239,8 @@ Description: strongSwan charon library
    - counters
    - bypass-lan (disabled by default)
  .
- It also contains the xfrmi binary which can be used on Linux 4.19+ to create
- XFRM interfaces (for more information, see
+ On Linux, it also contains the xfrmi binary which can be used on Linux 4.19+
+ to create XFRM interfaces (for more information, see
  https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN)
 
 Package: strongswan-charon

debian/libcharon-extra-plugins.install

 # libcharon plugins
 usr/lib/ipsec/plugins/libstrongswan-addrblock.so
 usr/lib/ipsec/plugins/libstrongswan-certexpire.so
-usr/lib/ipsec/plugins/libstrongswan-eap-aka-3gpp2.so
 usr/lib/ipsec/plugins/libstrongswan-eap-aka.so
-usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
 usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so
 usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
 usr/lib/ipsec/plugins/libstrongswan-eap-md5.so
-usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
 usr/lib/ipsec/plugins/libstrongswan-eap-radius.so
-usr/lib/ipsec/plugins/libstrongswan-eap-sim-file.so
-usr/lib/ipsec/plugins/libstrongswan-eap-sim-pcsc.so
-usr/lib/ipsec/plugins/libstrongswan-eap-sim.so
-usr/lib/ipsec/plugins/libstrongswan-eap-simaka-pseudonym.so
-usr/lib/ipsec/plugins/libstrongswan-eap-simaka-reauth.so
-usr/lib/ipsec/plugins/libstrongswan-eap-simaka-sql.so
 usr/lib/ipsec/plugins/libstrongswan-eap-tls.so
 usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so
 usr/lib/ipsec/plugins/libstrongswan-eap-ttls.so
@@ -28,25 +19,15 @@ usr/lib/ipsec/plugins/libstrongswan-lookip.so
 usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
 usr/lib/ipsec/plugins/libstrongswan-unity.so
 usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
-usr/lib/ipsec/plugins/libstrongswan-xauth-noauth.so
 usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
 # standard configuration files
 usr/share/strongswan/templates/config/plugins/addrblock.conf
 usr/share/strongswan/templates/config/plugins/certexpire.conf
-usr/share/strongswan/templates/config/plugins/eap-aka-3gpp2.conf
 usr/share/strongswan/templates/config/plugins/eap-aka.conf
-usr/share/strongswan/templates/config/plugins/eap-dynamic.conf
 usr/share/strongswan/templates/config/plugins/eap-gtc.conf
 usr/share/strongswan/templates/config/plugins/eap-identity.conf
 usr/share/strongswan/templates/config/plugins/eap-md5.conf
-usr/share/strongswan/templates/config/plugins/eap-peap.conf
 usr/share/strongswan/templates/config/plugins/eap-radius.conf
-usr/share/strongswan/templates/config/plugins/eap-sim-file.conf
-usr/share/strongswan/templates/config/plugins/eap-sim-pcsc.conf
-usr/share/strongswan/templates/config/plugins/eap-sim.conf
-usr/share/strongswan/templates/config/plugins/eap-simaka-pseudonym.conf
-usr/share/strongswan/templates/config/plugins/eap-simaka-reauth.conf
-usr/share/strongswan/templates/config/plugins/eap-simaka-sql.conf
 usr/share/strongswan/templates/config/plugins/eap-tls.conf
 usr/share/strongswan/templates/config/plugins/eap-tnc.conf
 usr/share/strongswan/templates/config/plugins/eap-ttls.conf
@@ -60,26 +41,16 @@ usr/share/strongswan/templates/config/plugins/lookip.conf
 usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf
 usr/share/strongswan/templates/config/plugins/unity.conf
 usr/share/strongswan/templates/config/plugins/xauth-eap.conf
-usr/share/strongswan/templates/config/plugins/xauth-noauth.conf
 usr/share/strongswan/templates/config/plugins/xauth-pam.conf
 usr/share/strongswan/templates/config/strongswan.d/tnc.conf
 etc/strongswan.d/tnc.conf
 etc/strongswan.d/charon/addrblock.conf
 etc/strongswan.d/charon/certexpire.conf
-etc/strongswan.d/charon/eap-aka-3gpp2.conf
 etc/strongswan.d/charon/eap-aka.conf
-etc/strongswan.d/charon/eap-dynamic.conf
 etc/strongswan.d/charon/eap-gtc.conf
 etc/strongswan.d/charon/eap-identity.conf
 etc/strongswan.d/charon/eap-md5.conf
-etc/strongswan.d/charon/eap-peap.conf
 etc/strongswan.d/charon/eap-radius.conf
-etc/strongswan.d/charon/eap-sim-file.conf
-etc/strongswan.d/charon/eap-sim-pcsc.conf
-etc/strongswan.d/charon/eap-sim.conf
-etc/strongswan.d/charon/eap-simaka-pseudonym.conf
-etc/strongswan.d/charon/eap-simaka-reauth.conf
-etc/strongswan.d/charon/eap-simaka-sql.conf
 etc/strongswan.d/charon/eap-tls.conf
 etc/strongswan.d/charon/eap-tnc.conf
 etc/strongswan.d/charon/eap-ttls.conf
@@ -93,7 +64,6 @@ etc/strongswan.d/charon/lookip.conf
 etc/strongswan.d/charon/tnc-tnccs.conf
 etc/strongswan.d/charon/unity.conf
 etc/strongswan.d/charon/xauth-eap.conf
-etc/strongswan.d/charon/xauth-noauth.conf
 etc/strongswan.d/charon/xauth-pam.conf
 debian/usr.lib.ipsec.lookip /etc/apparmor.d/
 # support libs

debian/rules

@@ -132,6 +132,8 @@ ifeq ($(DEB_HOST_ARCH_OS),linux)
 	dh_install -p libstrongswan-extra-plugins etc/strongswan.d/charon/af-alg.conf
 	# the systemd service file only gets generated on Linux
 	dh_install -p strongswan-starter lib/systemd/system/strongswan-starter.service
+	# XFRM is Linux only
+	dh_install -p strongswan-libcharon usr/lib/ipsec/xfrmi
 endif
 
 ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
@@ -216,14 +218,11 @@ endif
 	find $(CURDIR)/debian/*strongswan*/ -name "/.svn/" | xargs --no-run-if-empty rm -rf
 
 override_dh_installinit:
-	dh_installinit -n --name=ipsec
+	dh_installinit --name=ipsec
 
 override_dh_installchangelogs:
 	dh_installchangelogs NEWS
 
-override_dh_strip:
-	dh_strip --dbgsym-migration='strongswan-dbg (<< 5.3.5-2~)'
-
 override_dh_fixperms:
 	dh_fixperms \
 		-X etc/ipsec.d \

debian/salsa-ci.yml

+---
+include:
+    - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+    - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml

debian/strongswan-libcharon.install

 usr/lib/ipsec/libcharon*
-usr/lib/ipsec/xfrmi
 ## libcharon plugins
 # socket-default
 usr/lib/ipsec/plugins/libstrongswan-socket-default.so

debian/strongswan-starter.lintian-overrides

@@ -3,4 +3,4 @@ strongswan-starter: non-standard-dir-perm etc/ipsec.d/private/ 0700 != 0755
 strongswan-starter: non-standard-file-perm etc/ipsec.secrets 0600 != 0644
 strongswan-starter: non-standard-dir-perm var/lib/strongswan/ 0700 != 0755
 # the full path is used to check the command presence
-strongswan-starter: command-with-path-in-maintainer-script postrm:36 /usr/sbin/deluser
+strongswan-starter: command-with-path-in-maintainer-script postrm:35 /usr/sbin/deluser

debian/strongswan-starter.postrm

@@ -31,7 +31,6 @@ case "$1" in
 esac
 
 if [ "$1" = "purge" ] ; then
-        update-rc.d ipsec remove >/dev/null
         if getent passwd strongswan>/dev/null; then
                 if [ -x /usr/sbin/deluser ]; then
                         deluser --system strongswan

debian/strongswan-starter.templates

@@ -7,17 +7,6 @@
 # Even minor modifications require translation updates and such
 # changes should be coordinated with translators and reviewers.
 
-Template: strongswan/runlevel_changes
-Type: note
-_Description: Old runlevel management superseded
- Previous versions of the strongSwan package gave a choice between
- three different Start/Stop-Levels. Due to changes in the standard system
- startup procedure, this is no longer necessary or useful. For all new
- installations as well as old ones running in any of the predefined modes,
- sane default levels will now be set. If you are upgrading from a previous
- version and changed your strongSwan startup parameters, then please take a
- look at NEWS.Debian for instructions on how to modify your setup accordingly.
-
 Template: strongswan/restart
 Type: boolean
 Default: true