Re: openswan: Request for review
Harald Jenny wrote:
> Hello Justin B Rye,
>
> sorry it took me so long to look into the translations but my
> private time was limited the last days but I must come back to you
> because the description part of the control file has a little flaw
> (please find comment below):
>
[...]
>>> Package: openswan-modules-source
>>[...]
>> Description: Internet Key Exchange daemon - kernel module source
>> Openswan is an IPsec based VPN solution for the Linux kernel. It can use the
>> native IPsec stack as well as the KLIPS kernel module. Both IKEv1 and IKEv2
>> protocols are supported.
>> .
>> This package contains source code for the Openswan IPsec kernel module,
>> which can be used with tools like module-assistant or kernel-package
>> for manual building of local kernel images.
>> .
>> Kernel versions >= 2.6.23 no longer need to be patched to provide NAT
>> Traversal support for KLIPS, but do need patching to support the old-style
>> KLIPS ipsecX network interfaces.
(As I went on to say, "I may be getting this wrong, of course".)
> This is not correct - it should rather say someting like:
>
> .
> .
> .
> protocols are supported.
> .
> For support of the old-style KLIPS ipsecX network interfaces a custom
> kernel module is needed.
> .
> This package contains source code for the Openswan IPsec kernel module,
> which can be used with tools like module-assistant or kernel-package
> for manual building of local kernel images.
> .
> Kernel versions >= 2.6.23 no longer need to be patched to provide NAT Traversal
> support for KLIPS.
So the important correction here is that building an ipsecX module
isn't "patching the kernel", right?
> (last paragraph could maybe omitted as this fact is documented in
> NEWS.Debian and README.Debian)
Sure, but people can't read those until they've already (perhaps
unnecessarily) installed the package. Has there been a stable
release with that news already documented? If there has, it's
probably safe to omit the last paragraph; otherwise, maybe not.
(Looking at package version numbers I'm guessing "not".)
Alternatively you could just re-merge paragraphs two and four:
Openswan is an IPsec based VPN solution for the Linux kernel. It can use the
native IPsec stack as well as the KLIPS kernel module. Both IKEv1 and IKEv2
protocols are supported.
.
This package contains source code for the Openswan IPsec kernel module,
which can be used with tools like module-assistant or kernel-package
for manual building of local kernel images.
.
Kernel versions >= 2.6.23 no longer need to be patched to provide NAT
Traversal support for KLIPS, but do still need a custom module to support
old-style KLIPS ipsecX network interfaces.
But there's nothing wrong with the English of your text above.
>>> Package: openswan-modules-dkms
>>[...]
>>> Description: Internet Protocol Security kernel module source (DKMS)
>>> This package contains the source code for the Openswan IPsec kernel module,
>>> which is required to support the old-style KLIPS ipsecX network interfaces.
>>> .
>>> Please note that kernel versions >= 2.6.23 do not need to be patched anymore
>>> in order to provide NAT Traversal support for KLIPS.
>>> .
>>> With this package, modules for local kernel images are automatically built
>>> and installed every time upgrades of relevant kernel packages are installed.
>>
>> Oh, this is new to me. Does this package really contain duplicate
>> source, instead of just a dependency on openswan-modules-source?
>
> Yes, the code is doubled, but this is what almost every DKMS
> package, which has a normal source pendant, does.
By "pendant" do you mean "dependency", perhaps? It doesn't matter
as long as I'm explaining it correctly in the description above - I
was just surprised it was organised that way.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
Reply to: