On Fri, Apr 04, 2014 at 12:59:35PM +1300, Matt Grant wrote: > Systemd package support is the thing that pushed me over the edge about > this. There are no systemd unit files at all for ipsec-tools/racoon > that I know of. Please advise me otherwise, and I will look at putting > them in the current package. I've recently worked out unit files for other packages, and am happy to help come up with a suitable unit file for racoon as well. > The issues are: > > 1) Security. The racoon daemon has to run as root, with a lot of the > default GCC security flags turned off. Running as root without build-time hardening is bad, but... > 4) racoon/setkey are native IPSEC implementations across FreeBSD, > NetBSD, Mac OSX, and Linux, and thus having it available give a 'just > works' IPSEC option. ... > My main concern as maintainer are the security issues, with an old code > base running as root. The code base may be old, but it's pretty widely used and thus should have many eyes watching it. (I'm being optimistic, I know). The ipsec-tools mailing lists don't see a lot of activity, but they're by no means dead. And there was just an upstream 0.8.2 release in February. > I am willing to co-maintain this package with other developers and > maintainers. My belief is that there is likely a Debian kFreeBSD > developer/maintainer out there who would like to do this, and do a lot > of the work :-) I'm happy to help maintain ipsec-tools, as I make regular use of it and have done so for several years. I'd also be supportive of removing it for jessie+1 based on your arguments for doing so. If that's the path taken, it'd be really good if we could document (and at least partially automate?) the migration path from racoon to the preferred alternatives. noah
Attachment:
signature.asc
Description: Digital signature