Debian Developers - Getting openswan 2.2.0 back into sarge

Author

Getting openswan 2.2.0 back into sarge

Rene Mayrhofer

2005-03-24, 7:53 am

Hi all,

[Please CC me in replies, I am currently not subscribed to this list.]

As some have already noticed, openswan has been removed from testing a while
ago, most probably because of bug #291274, which did not apply to package
version 2.2.0-4 (the one that has been removed from testing). As 2.3.0
upstream is currently not production quality (this is my personal opinion,
since it basically triggers a DoS on 2.2.0 installations, cf. #292132), I did
not work on getting it into testing. Of course, I have to admit that I have
been lazy in not filing a RC bug report to prevent it from entering testing
and fixing this bug. However, it looked like 2.3.1 might get released soon at
that time, so I had decided to wait for it and push it into testing as soon
as the new upstream is there. At the moment, 2.3.1 is nowhere to be seen and
I would really like to have a working (and not DoS-triggering) openswan in
testing. My current intention would be to get 2.2.0-4 back into testing,
which worked well in all of my own tests (I am still using that particular
version on many production boxes) and does not seem to be broken for other
users. What is the general opinion on that?

with best regards,
Rene

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Adam M.

2005-03-24, 5:52 pm

Rene Mayrhofer wrote:

>Hi all,
>
>[Please CC me in replies, I am currently not subscribed to this list.]
>
>As some have already noticed, openswan has been removed from testing a while
>ago, most probably because of bug #291274, which did not apply to package
>version 2.2.0-4 (the one that has been removed from testing). As 2.3.0
>
>

You should have tagged the RC bug Sid.

>upstream is currently not production quality (this is my personal opinion,
>since it basically triggers a DoS on 2.2.0 installations, cf. #292132), I did
>
>

Doesn't this mean that 2.2.0 is NOT release quality? It is a security
problem if you can trigger a DoS on a package.

>not work on getting it into testing. Of course, I have to admit that I have
>been lazy in not filing a RC bug report to prevent it from entering testing
>and fixing this bug. However, it looked like 2.3.1 might get released soon at
>that time, so I had decided to wait for it and push it into testing as soon
>as the new upstream is there. At the moment, 2.3.1 is nowhere to be seen and
>I would really like to have a working (and not DoS-triggering) openswan in
>testing. My current intention would be to get 2.2.0-4 back into testing,
>which worked well in all of my own tests (I am still using that particular
>version on many production boxes) and does not seem to be broken for other
>users. What is the general opinion on that?
>
>
The first step is to remove the current version from testing if it is
not production quality.
The second step is to locate the DoS problem in 2.2.0
The final step is to upload 1:2.2.0 or similar to unstable and wait for
it to get to testing.

- Adam

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Jamin W.Collins

2005-03-26, 2:48 am

On Mar 24, 2005, at 2:39 AM, Rene Mayrhofer wrote:

> Hi all,
>
> [Please CC me in replies, I am currently not subscribed to this list.]
>
> As some have already noticed, openswan has been removed from testing a
> while
> ago, most probably because of bug #291274, which did not apply to
> package
> version 2.2.0-4 (the one that has been removed from testing).

There are other problems with the 2.2.0 version such as #261892 which
effectively cripples the network stack.

--
Jamin W. Collins

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org