Background to explain the reasoning behind the change 7/7:

Commits:
0271917 * Enable more features to cover more use-cases
bd04b06 changelog: Enable more features to cover more use-cases

Note: Many of these changes are so correlated that this is one big change for now. If needed, and if it is OK that interim commits might not be buildable, I could split it into maybe 3-5 logical pieces. But for now I am just explaining all the reasoning in detail.

This change enables more features to cover more use-cases in the strongswan packages. As a start it enables all stable plugins according to https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist

The intention is to make the default strongswan packages more usable without forcing users to rebuild for more sophisticated setups. Yet on the other hand we don't want to proliferate plugins, so most of the plugins are added to the extra-plugins package.

- This is a (late) follow-on to the discussion started in 2014 with the subject "Ubuntu strongSwan changes" on the pkg-swan-devel list.
- Some features might not show up as a change in the configure step. That is because they are enabled by default or as a dependency of others, and now get "enabled" indirectly due to the additional build dependencies. "pool" is such an example.
- Of course, to be able to enable all stable plugins I had to add several additional build-deps: libjson-c-dev, libldns-dev, libmysqlclient-dev, libpcsclite-dev, libtspi-dev, libsoup2.4-dev and libunbound-dev.
- In d/control I mention all additionally enabled plugins in the package descriptions.
- d/libstrongswan-*-plugins.install got all the added plugins, libs and conf files.

On top of the stable default plugins/features this enables two more functions based on user requests.

- Also enable kernel-libipsec, which is not in upstream's "stable" plugins list. This is based on user requests to make strongswan more useful in the userspace of containers. To avoid conflicts it is disabled by default via d/p/dont-load-kernel-libipsec-plugin-by-default.patch, as upstream recommends not loading kernel-libipsec by default.
- integrity-test is another feature people sometimes ask for. It can be considered a little step (clearly not enough) towards FIPS compliance. It can help the cautious admin to detect accidentally modified plugins.

Additionally, Ubuntu got user requests to make charon's default plugin installation more useful (pad.lv/1640826). That is eap-mschapv2 for Windows 7+ and modern OSX/iOS using IKEv2, and xauth-generic for Android and older OSX/iOS using IKEv1 and XAUTH. To be able to do so, the change follows the example of the libstrongswan plugin packaging and moves those common cases from the "libcharon-extra-plugins" to the newly added "libcharon-default-plugins" package.

Furthermore it was identified that the whole use case around TNC seems to be a very selective user group. See https://wiki.strongswan.org/projects/1/wiki/trustednetworkconnect
Those users (again, as with the other cases mentioned) might not want to install all of the extra-plugins that are needed today. Therefore the related functionality is moved into packages of its own. This allows TNC to be used without installing the extra-plugins package.

Debian already stopped shipping libfast, as Ubuntu did for a while. But it did still mention the associated (and now no longer built) medcli and medsrv elements. Also it did not disable it in the configure step, which should be done if it is not shipped anyway. Therefore drop it from d/control and d/rules accordingly.

Due to the new plugins and features there are also more libraries being built. Those are only needed by plugins in the extra-plugins package, so add the libraries there.

- libtpmtss.so available since 5.5
- libnttfft.so available since 5.5
- libmgf1.so available since 5.5.1
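Two of the points above (kernel-libipsec shipped but disabled by default, and the integrity-test feature) are things an admin may want to verify on an installed system. The following script is an added example, not part of this packaging change or of the strongSwan project: it parses strongswan.conf-style snippets, reports which charon plugins are set to load, and flags the two conditions discussed above. It assumes the per-plugin files under /etc/strongswan.d/charon/ use the "section { key = value }" syntax with a "load" key per plugin, and that the global integrity check is the libstrongswan.integrity_test option; the file names and contents embedded below are constructed sample data.

```python
"""Audit charon plugin load settings and the integrity_test option.

Added example (not the distro's or upstream's code). Assumes the per-plugin
snippets under /etc/strongswan.d/charon/ look like:

    kernel-libipsec {
        load = no
    }

Sample file names and contents below are constructed, not taken from a system.
"""
import re

# Constructed sample snippets keyed by a hypothetical relative file name.
SAMPLE_SNIPPETS = {
    "charon/kernel-netlink.conf": "kernel-netlink {\n    load = yes\n}\n",
    "charon/kernel-libipsec.conf": (
        "kernel-libipsec {\n    # disabled by the distro patch\n    load = no\n}\n"
    ),
    "charon/eap-mschapv2.conf": "eap-mschapv2 {\n    load = yes\n}\n",
    "charon/xauth-generic.conf": "xauth-generic {\n    load = yes\n}\n",
    "strongswan.conf": (
        "libstrongswan {\n    integrity_test = yes\n}\n"
        "charon {\n    load_modular = yes\n}\n"
    ),
}

_SECTION_OPEN = re.compile(r"^([A-Za-z0-9_.-]+)\s*\{$")
_ASSIGN = re.compile(r"^([A-Za-z0-9_.-]+)\s*=\s*(.*?)$")


def parse_conf(text):
    """Flatten strongswan.conf-style text into {"section.sub.key": "value"}.

    Comments start with '#'; sections nest with braces, one token per line.
    """
    settings = {}
    stack = []  # open section names, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = _SECTION_OPEN.match(line)
        if m:
            stack.append(m.group(1))
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = _ASSIGN.match(line)
        if m:
            settings[".".join(stack + [m.group(1)])] = m.group(2).strip()
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    if stack:
        raise ValueError("unclosed section(s): " + ", ".join(stack))
    return settings


def _truthy(value):
    """'load' accepts yes/no or an integer priority; non-zero means load."""
    v = value.strip().lower()
    if v.isdigit():
        return int(v) != 0
    return v in ("yes", "true")


def plugin_load_state(snippets):
    """Return {plugin: bool} for every charon/<plugin>.conf with a load key."""
    state = {}
    for name, text in snippets.items():
        if not name.startswith("charon/"):
            continue
        for key, value in parse_conf(text).items():
            plugin, _, setting = key.rpartition(".")
            if setting == "load":
                state[plugin] = _truthy(value)
    return state


def audit(snippets):
    """Defender-side checks for the two settings this change touches."""
    findings = []
    loaded = plugin_load_state(snippets)
    if loaded.get("kernel-libipsec") and loaded.get("kernel-netlink"):
        findings.append(
            "kernel-libipsec and kernel-netlink are both set to load; "
            "leave kernel-libipsec off unless userspace IPsec is wanted"
        )
    global_conf = parse_conf(snippets.get("strongswan.conf", ""))
    if not _truthy(global_conf.get("libstrongswan.integrity_test", "no")):
        findings.append(
            "libstrongswan.integrity_test is off; enable it to detect "
            "modified plugin binaries at startup (needs an integrity-test build)"
        )
    return findings


if __name__ == "__main__":
    for plugin, on in sorted(plugin_load_state(SAMPLE_SNIPPETS).items()):
        print(f"{plugin:20s} load={'yes' if on else 'no'}")
    for finding in audit(SAMPLE_SNIPPETS):
        print("WARNING:", finding)
```

On a real host the snippets dict would be filled by reading the files under /etc/strongswan.d/ instead of the constructed samples; the audit only reports, it never changes configuration.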