Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 366143 - net-vpn/strongswan ebuild issues/improvements
Summary: net-vpn/strongswan ebuild issues/improvements
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: No maintainer - Look at if you want to take care of it
Depends on:
Reported: 2011-05-05 21:36 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2021-05-31 20:52 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Diego Elio Pettenò (RETIRED) gentoo-dev 2011-05-05 21:36:25 UTC
Just dropping here a few notes for which I should be providing an ebuild diff at some point, but I'd prefer having some comments about them first:

openssl[-bindist] dependency: as of 4.5.1 there is OPENSSL_NO_EC to disable elliptic curve support, which allows strongswan to be bindist, so I'd suggest something like this:

 - add a bindist USE flag to strongswan
 - require !bindist? ( openssl[bindist] )
 - use bindist && append-cppflags -DOPENSSL_NO_EC

this way EC is only used if -bindist is set, and you can build against openssl[bindist just fine].

USE=smartcard and opensc dependency: this looks mostly bogus; strongswan uses a PKCS#11 provider for sure, but you can use a number of alternative software rather than OpenSC, including Mozilla's NSS. You can see the whole mess in my blog posts on the topic:
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-05-06 09:33:14 UTC
The smartcard comment applies to openswan as well.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-05-06 09:34:03 UTC
And I should check better if I'm looking at the latest version of a package next time.
Comment 3 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2011-05-19 08:06:08 UTC
Wouldn't it be colliding with this?

openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )

Also, how would you suggest changing the smartcard part?
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-05-27 21:05:35 UTC
The idea is to replace the openssl[-bindist] requirement so that you can use a binary version of OpenSSL just fine, and at the same time you can build a binary redistributable version of strongswan (that does not require or employ the Elliptic Curve feature).

As for the smartcard issue, I'm not sure. Maybe we could use a virtual/pkcs11 but I'm not really sure if it makes sense; I'd probably just replace smartcard USE flag with pkcs11 to enable/disable the use of PKCS#11 API, USE flag is already common:

/media/repos/portage/yamato/profiles/use.local.desc:app-crypt/tpm-tools:pkcs11 - Build Token data management utilities based on OpenCryptoki's (dev-libs/opencryptoki) PKCS#11 implementation.
/media/repos/portage/yamato/profiles/use.local.desc:net-libs/neon:pkcs11 - Add support for PKCS#11 using dev-libs/pakchois
/media/repos/portage/yamato/profiles/use.local.desc:net-misc/openvpn:pkcs11 - Enable PKCS#11 smartcard support
/media/repos/portage/yamato/profiles/use.local.desc:sys-fs/ecryptfs-utils:pkcs11 - Enable PKCS#11 (Smartcards) key module