Merge ~paelzer/ubuntu/+source/strongswan:merge-5.7.2-1-eoan into ubuntu/+source/strongswan:debian/sid

PPA: https://launchpad.net/~paelzer/+archive/ubuntu/eoan-merge-strongswan-5.7.2-1

Note: Once re-built with all the package re-locations (to be better mergeable with Debian) I'll do some upgrade tests, but the actual MP can already be reviewed.

I hope there is not too much confusion, but this time the logical tag looks much different than last time. This was done to re-group and re-order the changes for Debian submission.

Tags pushed for review:
 * [new tag] lp999999/logical/5.7.1-1ubuntu2 -> lp999999/logical/5.7.1-1ubuntu2
 * [new tag] lp999999/new/debian -> lp999999/new/debian
 * [new tag] lp999999/old/debian -> lp999999/old/debian
 * [new tag] lp999999/old/ubuntu -> lp999999/old/ubuntu
 * [new tag] lp999999/reconstruct/5.7.1-1ubuntu2 -> lp999999/reconstruct/5.7.1-1ubuntu2
 * [new tag] lp999999/split/5.7.1-1ubuntu2 -> lp999999/split/5.7.1-1ubuntu2

Since we had issues getting the mass enabling into Debian I have now opened [1] which contains all but these and we can re-visit those changes later. Hopefully that allows us to reduce the Delta.

Furthermore as a note, once this is in Eoan I will have to clear the seeds, it seems we already depend on plenty of no more existing binaries and removing the TNC packages made this even worse now.

[1]: https://salsa.debian.org/debian/strongswan/merge_requests/5

Review ongoing, I'll write up individual questions or points so they are easy to reply to individually.

What happened to the pool feature? It's in reconstruct, split, but gone from logical with no drop mention:

commit a4c1fbe64282b855e709372dc17e4befbb35a6aa
Author: Christian Ehrhardt <email address hidden>
Date: Thu May 4 13:50:54 2017 +0200

        - d/strongswan-starter.install: Install pool feature, which is useful since
          we have attr-sql plugin enabled as well using it.

This commit mentions one file only, but it changes two;
commit 6d58030fa2e807019f164d02a5df1532bdafc387
Author: Christian Ehrhardt <email address hidden>
Date: Fri Apr 26 10:59:02 2019 +0200

    apparmor: d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956)

it also changes d/usr.lib.ipsec.charon

This other commit also mentions one file, but changes two:
commit 5bb46ca49e2a42fc55a66a55c2355f46305bcb96
Author: Christian Ehrhardt <email address hidden>
Date: Tue May 29 08:53:44 2018 +0200

    apparmor: d/usr.sbin.charon-systemd: allow to contact mysql for sql and attr-sql plugins (LP: 1766240)

it also changes d/usr.lib.ipsec.charon

Regarding the pool feature, looks like it's part of commit 11741ef89c44870ababc41531978375047310019 now, but not mentioned:
commit 11741ef89c44870ababc41531978375047310019
Author: Christian Ehrhardt <email address hidden>
Date: Fri Apr 26 10:32:21 2019 +0200

    - Mass enablement of extra plugins

      Add features to allow a user to use strongswan for a variety of extra use
      cases without having to rebuild.
      + d/control: Add required additional build-deps
      + d/control: Mention addtionally enabled plugins
      + d/rules: Enable features at configure stage
      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      + d/libstrongswan.install: Add plugins (so, conf)

...
--- a/debian/strongswan-starter.install
+++ b/debian/strongswan-starter.install
@@ -16,3 +16,7 @@ usr/lib/ipsec/plugins/libstrongswan-stroke.so
 usr/share/strongswan/templates/config/plugins/stroke.conf
 etc/strongswan.d/charon/stroke.conf
 debian/usr.lib.ipsec.stroke /etc/apparmor.d/
+#pool
+usr/lib/ipsec/pool
+usr/share/strongswan/templates/config/strongswan.d/pool.conf
+etc/strongswan.d/pool.conf

In d/changelog:
  [ Simon Deziel ]
  * Added changes:
    - apparmor fixes for contianer and root usage (LP: #1826238)
    - d/usr.sbin.swanctl: allow reading own binary
    - d/usr.sbin.charon-systemd: allow accessing the binary
    - d/usr.sbin.swanctl: add attach_disconnected to work inside containers
    - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
      to apparmor to allow dropping caps

Shouldn't the changes below the bug line be indented? Also, typo: "contianer"

In the "mass enablement" commit f0eab84f7 I mentioned earlier, about the missing debian/strongswan-starter.install entry, you should probably make the change to strongswan-starter.install its own commit, then it will match what's already in d/changelog:
    - Mass enablement of extra plugins and features to allow a user to use
      strongswan for a variety of extra use cases without having to rebuild.
      + d/control: Add required additional build-deps
      + d/control: Mention addtionally enabled plugins
      + d/rules: Enable features at configure stage
      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      + d/libstrongswan.install: Add plugins (so, conf)
--> - d/strongswan-starter.install: Install pool feature, which is useful since
      we have attr-sql plugin enabled as well using it.

Many typos in commit message 0abd1089ba3c9dff6a4000e01871fdba2054c73d, but since that is the current logical and will be gone next time, probably not worth it. It shows that I read the commit message, though :)

In 97c74a90966a9a639b5d996e235352fde08e63a8, where you are taking care of the package transition according to case #6 from the wiki, you added a single Provides for "A", i.e.:

+Provides: strongswan-tnc-base

Even though that line is optional, shouldn't it be providing all the other strongswan-tnc-* packages that are now empty?

+# Transition back from strongswan-tnc-* being in extra packages
+# Can be dropped after 20.04
+Package: strongswan-tnc-ifmap
+Depends: libcharon-extra-plugins, ${misc:Depends}

Don't you need to depend on a specific version of libcharon-extra-plugins? Like:

Depends: libcharon-extra-plugins (>= 5.7.2-1ubuntu1)

    - d/libstrongswan.install: Reorder conf and .so alphabetically

is listed twice in d/changelog: once under "remaining changes", and once more under "Dropped changes"

Thanks for the review!
Answers:
- Some commit messages change more files than mentioned
  As explained on IRC this is due to merging changes.
  I fixed those two up.
- Q: "What happened to the pool feature?"
  A: This is only needed due to the "mass enablement", therefore it is now part of that (not lost and intentionally there)
  You found that later yourself.
  But I added mentioning it in the commit message as well as better indent in the changelog to reflect it is now part of it.
- Q: apparmor fixes for contianer
  A: Fixed typo and indented the sub-entries
- Q: typos in 97c74a909
  A: yes since this will be gone I'm not cleaning it up
- Q: Provides: strongswan-tnc-base, but not listing others
  A: Provides is optional and only needed for packages which have dependencies "to them". In this case this is only strongswan-tnc-base
- Q: transitionals to get a version depends?
  A: The example at
  https://wiki.debian.org/RenamingPackages#Transition_package_method has no version, but it feels right. You don't need a version there, when you have a repo that makes the new transitonal available you also have the new version of the replacing package.
  I have checked other packages and they behavie ... differently.
  Some have "(= ${source:Version})" and that would work and not hurt. I'm adding that.
- Q: "Reorder conf" listed twice
  A. Fixed

Thanks for the questions, I'll push an updated branch any minute ..

Updated changes pushed.

In addition to the mentioned changes I also squashed the nttftt change to the mass enablement, former commit already was "MERGE mass enablement commit"

Ready for re-review

I entered a rabbit hole troubleshooting postgresql migration issues, but I think I found the issue now. This means I'll go over your changes here only tomorrow, though.

> Thanks for the review!
> Answers:
> - Some commit messages change more files than mentioned
> As explained on IRC this is due to merging changes.
> I fixed those two up.

Thanks. This saves time during reviews.

> - Q: "What happened to the pool feature?"
> A: This is only needed due to the "mass enablement", therefore it is now
> part of that (not lost and intentionally there)
> You found that later yourself.
> But I added mentioning it in the commit message as well as better indent in
> the changelog to reflect it is now part of it.

Thanks. This saves time, as the reviewer then doesn't have to go hunting down the missing piece(s).

> - Q: apparmor fixes for contianer
> A: Fixed typo and indented the sub-entries
> - Q: typos in 97c74a909
> A: yes since this will be gone I'm not cleaning it up

Agreed

> - Q: Provides: strongswan-tnc-base, but not listing others
> A: Provides is optional and only needed for packages which have dependencies
> "to them". In this case this is only strongswan-tnc-base

ok

> - Q: transitionals to get a version depends?
> A: The example at
> https://wiki.debian.org/RenamingPackages#Transition_package_method has no
> version, but it feels right. You don't need a version there, when you have a
> repo that makes the new transitonal available you also have the new version of
> the replacing package.
> I have checked other packages and they behavie ... differently.
> Some have "(= ${source:Version})" and that would work and not hurt. I'm
> adding that.

The #6 example in https://wiki.debian.org/PackageTransition actually does use a version for everything with the exception of the optional provides:

A and B existed, all from A goes into B, A becomes transitional
A: strongswan-tnc-*
B: libcharon-extra-plugins

Flags for new A package: Depends: B (>=2)
Flags for new B package:
Breaks: A (<<2)
Replaces: A (<<2)
optional* -- Provides: A

Just making sure we are reading the same thing, up to you :)

I did a quick test with the packages that are in the ppa. They don't have these latest changes yet.

Starting with these installed packages: https://pastebin.ubuntu.com/p/kgcGXbDqxX/

Dist upgrade prompted me like this:
The following packages will be REMOVED:
  strongswan-tnc-base strongswan-tnc-client strongswan-tnc-ifmap
  strongswan-tnc-pdp strongswan-tnc-server
The following packages will be upgraded:
  charon-cmd libcharon-extra-plugins libcharon-standard-plugins libstrongswan
  libstrongswan-extra-plugins libstrongswan-standard-plugins strongswan-charon
  strongswan-libcharon strongswan-starter strongswan-swanctl

I found the removal part odd. I was expecting the packages to be upgraded to the transitional ones, which I would later remove via "apt autoremove".

Furthermore, there was this issue during the transaction:
(...)
Fetched 2535 kB in 27s (92.7 kB/s)
(Reading database ... 29859 files and directories currently installed.)
Removing strongswan-tnc-client (5.7.1-1ubuntu2) ...
Removing strongswan-tnc-pdp (5.7.1-1ubuntu2) ...
Removing strongswan-tnc-server (5.7.1-1ubuntu2) ...
Removing strongswan-tnc-ifmap (5.7.1-1ubuntu2) ...
dpkg: strongswan-tnc-base: dependency problems, but removing anyway...

FYI: Looks the same with the versioned depends from the transitional packages.
It is actually nice that it cleans up all the transitionals right away.
I see - as you did - that all works fine - yet the message still is here:

dpkg: strongswan-tnc-base: dependency problems, but removing anyway as you requested:
 libcharon-extra-plugins depends on strongswan-tnc-base.

That dependency is only on "the old" version of libcharon-extra-plugins.
The new one breaks, replaces and provides it which should be fine.

The upgrade path is like:
- removal of strongswan-tnc-base (triggers the message as old libcharon-extra-plugins is still there)
- It knows it is save as it knows the new libcharon-extra-plugins will not have a problem
- after upgrade all is fine

I think I know why it is different:
- Most of the time a transitional is only going away
- In that case it will stay around as empty transitional
- later autoremoval can remove it (without that warning)
- but in our case we moved the files, so the new libcharon-extra-plugins has breaks
- that breaks enforces the strongswan-tnc-base to be removed before unpack starts

I think there is not much we can do, I'd leave it as is if you are ok.
I'm open for suggestions thou if there are any how this would work even better.

+1, thanks for checking.

Thanks, tagged and uploaded