On Mon, 29 Apr 19, 22:13:16, Noah Meyerhans wrote:
> Control: tags -1 - moreinfo
> 
> On Mon, Apr 15, 2019 at 08:50:32AM +0300, Andrei POPESCU wrote:
> > > Ipsec-tools has been removed from buster. As a security-sensitive package,
> > > active upstream involvement is essential for this package, but it has been
> > > lacking for some time.
> > 
> > Would you mind elaborating a bit on this part? It would help to come up 
> > with an adequate entry explaining the issue without stepping on anyone's 
> > toes.
> 
> ipsec-tools is, by its nature, a security-sensitive package. It is
> responsible for implementing cryptographic measures to protect privacy
> and authenticity of traffic between endpoints on the internet. Doing
> this safely and effectively requires active ownership of the code on an
> ongoing basis in order to keep up with changes to the threat landscape.
> Ipsec-tools hasn't had such ownership in years, and talks of forking the
> project have consistently stalled.

In my perception the above paragraphs could be wrongly understood if, 
for example, upstream developers don't agree with your assessment.

For what it's worth, in my opinion, the Release Notes should be as 
neutral as possible and avoid discussing performance of other projects, 
especially outside Debian.
 
> > > Users are encouraged to migrate to Libreswan, which has
> > > broader protocol compatibility and an active upstream.
> > 
> > Is Libreswan a drop-in replacement or is a migration necessary? In case 
> > of a migration, is it possible to describe it in a few sentences and 
> > maybe point to some other resource (e.g. a wiki)?
> 
> libreswan should be fully compatible in terms of communication
> protocols, since it implements a superset of racoon's supported
> protocols. However, migration of the configuration between systems is
> probably going to fall to the administrator. I'm not aware of any
> migration guides that would help in this case, and I can't promise that
> I'll have time to write one in time for reference in the release notes.

Ugh..

Suggested text:

    Ipsec-tools removed from buster

    Ipsec-tools has been removed from buster as it has been lagging 
    behind in adapting to new threats.

    Users are encouraged to migrate to Libreswan, which has broader 
    protocol compatibility and is being actively maintained upstream.

    Libreswan should be fully compatible in terms of communication 
    protocols since it implements a superset of racoon's supported 
    protocols.

In case a migration guide becomes available later (e.g. in the wiki or 
so) another paragraph can be added to point to it.

Would the above text address the issue in your opinion?

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
