Hi, as the maintainer of the strongswan Fedora package, I decided to remove all patches that haven't been properly discussed with upstream. This is in line with the Fedora's "Upstream First" policy. I have already issued a number of warnings over multiple channels. We're getting a new upstream release today. I'll bump the release for all fedora/epel releases keeping the patches applied. Then I'll make a new rawhide build with the patches removed. That will create another timespan to submit/comment the patches upstream and get a rough consensus about what needs to be done. My plan is to harmonize the strongswan package across fedora/epel version once again with the next rawhide build. Please don't hesitate and contact me *and* upstream with any patches you would like to put back. I'm commited to keeping the best quality of the strongswan package while also getting features ASAP to Fedora. Cheers, Pavel
The list of sources and patches: Source0: http://download.strongswan.org/%{name}-%{version}.tar.bz2 # Initscript for epel6 Source1: %{name}.sysvinit # Avoid breakage with Fedora OpenSSL # http://wiki.strongswan.org/issues/537 Patch1: strongswan-pts-ecp-disable.patch # Use dlopen(file, RTLD_NOW|RTLD_GLOBAL) for the plugin loader # http://wiki.strongswan.org/issues/538 Patch2: libstrongswan-plugin.patch # Use DBG1 for settings.c debug messages # http://wiki.strongswan.org/issues/539 Patch3: libstrongswan-settings-debug.patch # Link plugins to libstrongswan # http://wiki.strongswan.org/issues/538 (same as for Patch2) Patch4: libstrongswan-973315.patch # Fix selinux issues caused by leaking file descriptors to xtables-multi # http://wiki.strongswan.org/issues/519 Patch6: strongswan-5.1.1-selinux.patch # Fix configure.ac to build for epel6 # http://wiki.strongswan.org/issues/536 Patch7: strongswan-5.1.2-autoconf.patch # Fix pki utility location # http://wiki.strongswan.org/issues/552 Patch8: strongswan-5.1.2-libexec.patch
(In reply to Pavel Šimerda (pavlix) from comment #1) Patches already applied upstream: > # Avoid breakage with Fedora OpenSSL > # http://wiki.strongswan.org/issues/537 > Patch1: strongswan-pts-ecp-disable.patch > # Use DBG1 for settings.c debug messages > # http://wiki.strongswan.org/issues/539 > Patch3: libstrongswan-settings-debug.patch > # Fix configure.ac to build for epel6 > # http://wiki.strongswan.org/issues/536 > Patch7: strongswan-5.1.2-autoconf.patch Patches not applied upstream that should stay: > # Initscript for epel6 > Source1: %{name}.sysvinit (needed as long as epel6 tracks rawhide) > # Fix selinux issues caused by leaking file descriptors to xtables-multi > # http://wiki.strongswan.org/issues/519 > Patch6: strongswan-5.1.1-selinux.patch (pinged upstream) > # Fix pki utility location > # http://wiki.strongswan.org/issues/552 > Patch8: strongswan-5.1.2-libexec.patch (can be replaced with `--bindir=/usr/libexec/strongswan`) Patches that diverge from upstream without proper explanation. Please comment in the upstream tickets as well as this bug report. > # Use dlopen(file, RTLD_NOW|RTLD_GLOBAL) for the plugin loader > # http://wiki.strongswan.org/issues/538 > Patch2: libstrongswan-plugin.patch > # Link plugins to libstrongswan > # http://wiki.strongswan.org/issues/538 (same as for Patch2) > Patch4: libstrongswan-973315.patch
(In reply to Pavel Šimerda (pavlix) from comment #2) > (In reply to Pavel Šimerda (pavlix) from comment #1) > > > Patches already applied upstream: > > > # Avoid breakage with Fedora OpenSSL > > # http://wiki.strongswan.org/issues/537 > > Patch1: strongswan-pts-ecp-disable.patch > > > # Use DBG1 for settings.c debug messages > > # http://wiki.strongswan.org/issues/539 > > Patch3: libstrongswan-settings-debug.patch > > > # Fix configure.ac to build for epel6 > > # http://wiki.strongswan.org/issues/536 > > Patch7: strongswan-5.1.2-autoconf.patch Removed those patches with update to 5.1.3rc1. > Patches not applied upstream that should stay: > > > # Fix pki utility location > > # http://wiki.strongswan.org/issues/552 > > Patch8: strongswan-5.1.2-libexec.patch > > (can be replaced with `--bindir=/usr/libexec/strongswan`) Didn't apply, replaced with configure option as suggested by upstream.
Only three patches are now being used (not counting the initscript that is now not a patch): > > # Fix selinux issues caused by leaking file descriptors to xtables-multi > > # http://wiki.strongswan.org/issues/519 > > Patch6: strongswan-5.1.1-selinux.patch > > (pinged upstream) Upstream isn't entirely happy with the patch. We're looking for a better solution. It must stay until then. > Patches that diverge from upstream without proper explanation. Please > comment in the upstream tickets as well as this bug report. > > > # Use dlopen(file, RTLD_NOW|RTLD_GLOBAL) for the plugin loader > > # http://wiki.strongswan.org/issues/538 > > Patch2: libstrongswan-plugin.patch > > > # Link plugins to libstrongswan > > # http://wiki.strongswan.org/issues/538 (same as for Patch2) > > Patch4: libstrongswan-973315.patch Those patches require activity on the side of their authors/users. I'm going to remove them first from rawhide and then from branches otherwise.
Current status: # Fix selinux issues caused by leaking file descriptors to xtables-multi # # Upstream doesn't like the patch because of lack of portability. We're # working with upstream to prepare an acceptable fix. When it's ready, # we'll switch to the new version and remove the patch. # # http://wiki.strongswan.org/issues/519 Patch6: strongswan-5.1.1-selinux.patch (upstream is concerned about interoperability) # Use RTLD_GLOBAL when loading plugins and link them to libstrongswan # # The patch hasn't been accepted upstream because of insufficient # information from the author. This situation needs to be fixed or # the patch needs to be removed to avoid diverging from upstream # permanently. # # http://wiki.strongswan.org/issues/538 Patch7: strongswan-5.1.3-plugins.patch (two former plugin related patches merged)
Avesh promised to take care of upstreaming the plugins patch long time ago and nothing happened, yet.
(In reply to Pavel Šimerda (pavlix) from comment #5) > Current status: > > # Fix selinux issues caused by leaking file descriptors to xtables-multi > # > # Upstream doesn't like the patch because of lack of portability. We're > # working with upstream to prepare an acceptable fix. When it's ready, > # we'll switch to the new version and remove the patch. > # > # http://wiki.strongswan.org/issues/519 > Patch6: strongswan-5.1.1-selinux.patch Upstream came up with their own solution which has been commited to their git. This patch will be dropped with the next release of Strongswan. > (upstream is concerned about interoperability) > > # Use RTLD_GLOBAL when loading plugins and link them to libstrongswan > # > # The patch hasn't been accepted upstream because of insufficient > # information from the author. This situation needs to be fixed or > # the patch needs to be removed to avoid diverging from upstream > # permanently. > # > # http://wiki.strongswan.org/issues/538 > Patch7: strongswan-5.1.3-plugins.patch > > (two former plugin related patches merged) The patch has been dropped from the build but is kept in dist-git for now. # Use RTLD_GLOBAL when loading plugins and link them to libstrongswan # # The patch hasn't been accepted upstream because of insufficient # information from the author. This situation needs to be fixed or # the patch needs to be removed to avoid diverging from upstream # permanently. # # http://wiki.strongswan.org/issues/538 # # Removing the patch from the build as I repeatedly requested that it should be # upstreamed. No comment has been added to the upstream bug report. Nothing # has been done towards the goal of upstreaming the patch. # # See also: # # * https://bugzilla.redhat.com/show_bug.cgi?id=1087437 # * http://fedoraproject.org/wiki/Packaging:Guidelines#All_patches_should_have_an_upstream_bug_link_or_comment # * https://fedoraproject.org/wiki/Staying_close_to_upstream_projects # # The patches violated the packaging guidelines from the beginning so I took # the initiative to merge them and submit them upstream. But I couldn't work # with the upstream developers on the fix as I didn't have enough information # about the use cases. Please cooperate with usptream and get the patch # accepted. There's nothing Fedora specific in the patch. # #Patch1: strongswan-5.1.1-plugins.patch
There's currently only one patch in strongswan and the related issue is already fixed upstream[1]. With the next strongswan release, the patch won't apply and will be removed by the maintainer. This bug report can be closed now. [1] https://wiki.strongswan.org/issues/663