ijackson at chiark.greenend.org.uk
Sun Dec 28 17:44:11 GMT 2014
-----BEGIN PGP SIGNED MESSAGE-----
I am pleased to announce secnet 0.4.0~beta2.

secnet 0.4 contains support for using IPv6 on the public (outside)

secnet 0.4 has support for dynamic use of possibly multiple local
network interfaces, by mobile sites. A mobile site which has multiple
connections to the public internet (for example, wifi and 3G) can now
arrange to send all traffic by all available routes, improving
reliability. This functionality is available even when talking to
earlier versions of secnet, provided that the static peer is running
0.2 or later - although the feature will work best when talking to
another secnet 0.4.

secnet 0.4 is properly described everywhere as being GPLv3+ (rather
than GPLv2+, which is not accurate for the binary packages as they
depend on libraries compatible only with GPLv3+). The source code
licence for most files has been upgraded.

There are also minor bugfixes and logging improvements; but for sites
which do not need IPv6 or polypath support, there is no compelling
reason to upgrade.

(Everyone should be running at least version 0.3.4, as all previous
versions have significant security bugs.)

IPv6 and polypath support are available only if your version of adns
is also IPv6-capable, which means you need adns 1.5.0~rc0 or later.

secnet 0.4.x needs the modern `ipaddr.py' library, provided on
Debian-derived systems in the package python-ipaddr.

When upgrading to 0.4.x, it is necessary to remove the `ipaddr.py'
library previously provided with secnet (and any corresponding
`ipaddr.pyc' files). If you are using a .deb version of secnet this
is done automatically; if you are using `make install' you may need
`make install-force'; and if you are running out of a build tree you will
need to clean out the .pyc (by hand, or with git clean, or some such).

Installing the modern ipaddr.py in python-ipaddr will break secnet
versions before 0.3.3~beta1, but you should be running 0.3.4 anyway.
If you're not and you don't want to change both ipaddr.py and secnet
at once, for some reason: install secnet 0.3.4 first, and then
python-ipaddr, and then secnet 0.4.0.

Apart from this installation wrinkle, secnet 0.4.0 is
backwards-compatible with previous versions.

Compared to 0.4.0~beta1, 0.4.0~beta2 has minor bugfixes and build
system and metadata enhancements, including the GPLv3+ upgrade.

0.4.0~beta2 can be found here:
(SHA-256 checksums are listed below).

I have provided binaries for vanilla squeeze i386 _without_ IPv6 and
polypath support. But in the polypath-backport/ subdirectory I have
also provided an IPv6- and polypath-capable secnet. To use that
secnet you must also install the updated libadns1 provided (or an

If you are able to do so conveniently, please test it (especially if
you can test IPv6).

For those on the SGO VPN: chiark is currently running an equivalent
version. chiark's secnet is listening on IPv6 [2001:ba8:1e3::]. But
you should not set sites file fragments in the SGO VPN which mention
IPv6 addresses for your own sites because that would make the sites
file incompatible with older secnet versions. You can safely set IPv6
sites file fragments in the `chiark-only' vpn, using the `userv secnet

For a more detailed summary of the changes see the changelog extract
below. For full details see the git history.

secnet (0.4.0~beta2) unstable; urgency=low

  * Ignore IPv6 Unique Local unicast addresses.
  * Skip "tentative" IPv6 local addresses.
  * Improve logging and debug output.
  * Build where size_t is not compatible with int.

  Build system and packaging fixes:
  * Makefile: support DESTDIR.
  * debian/rules: set DESTDIR (not prefix).
  * debian/rules: Support dpkg-buildflags.
  * Install ipaddrset.py and secnet.8 with correct permissions.
  * Fix check for <linux/if_tun.h> and get rid of our copy.
  * Use -lresolv only if inet_aton is not found otherwise.
  * Use -lnsl only if inet_ntoa is not found otherwise.
  * debian/rules: Provide build-arch and build-indep targets.
  * debian/rules: Do not run build for *-indep (!)
  * Makefile.in: Putative dual (backport and not) release build process doc.
  * Update to GPLv3. Add missing copyright notices and credits.
  * Get rid of old FSF street address; use URL instead.
  * Remove obsolete LICENCE.txt (which was for snprintf reimplementation).
  * Remove obsolete references to Cendio (for old ipaddr.py).

 -- Ian Jackson <ijackson at chiark.greenend.org.uk> Sun, 28 Dec 2014 17:14:10 +0000

secnet (0.4.0~beta1) unstable; urgency=low

  * Support transport over IPv6. (We do not yet carry IPv6 in the private
    network.) IPv6 support depends on IPv6-capable adns (adns 1.5.x).
  * New polypath comm, which can duplicate packets so as to send them via
    multiple routes over the public network, for increased
    reliability/performance (but increased cost). Currently Linux-only
    but should be fairly easy to port.
  * Support multiple public addresses for peers.
  * Discard previously-received packets (by default).
  * Report (each first) transmission and reception success and failure.
  * Log reason for DNS resolution failure.
  * Log unexpected kinds of death from userv.
  * Log authbind exit status as errno value (if appropriate).
  * Adjust default number of mobile peer addresses to store when a peer
    public address is also configured.
  * Make specifying peer public port optional. This avoids making special
    arrangements to bind to a port for in mobile sites with no public
  * Hackypar children will die if they get a terminating signal.
  * Fix signal dispositions inherited by secnet's child processes.
  * Fix off-by-one error which prevented setting transport-peers-max to 5.

  Test, build and internal improvements:
  * Use conventional IP address handling library ipaddr.py.
  * Provide a fuzzer for the slip decoder.
  * Build system improvements.
  * Many source code cleanups.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk> Sun, 26 Oct 2014 15:28:31 +0000

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Ian Jackson personal email: <ijackson at chiark.greenend.org.uk>
These opinions are my own. http://www.chiark.greenend.org.uk/~ijackson/
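
An added example, not part of the original announcement or of secnet: a check of a host's secnet and adns versions against the thresholds the message gives, using dpkg's rule that `~` sorts before everything (so 0.3.3~beta1 is older than 0.3.3). The finding labels and function names are hypothetical; versions are assumed to be given without epoch or Debian revision.

```python
import re

# Version thresholds taken from the announcement text and changelog.
SECURITY_FIXED = "0.3.4"          # everything older has significant security bugs
MODERN_IPADDR_OK = "0.3.3~beta1"  # older versions break with python-ipaddr's ipaddr.py
POLYPATH_PEER_MIN = "0.2"         # oldest static peer a polypath mobile site can talk to
IPV6_POLYPATH = "0.4.0~beta1"     # changelog entry that introduces IPv6 and polypath
ADNS_IPV6_MIN = "1.5.0~rc0"       # adns needed for those features

def _isdigit(s):
    return "0" <= s[:1] <= "9"

def _order(ch):
    """dpkg sort weight of one non-digit character; '' is end of string."""
    if ch == "~":
        return -1                 # '~' sorts before everything, even end of string
    if ch == "" or _isdigit(ch):
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def compare(a, b):
    """<0, 0 or >0 as version a is older than, equal to or newer than b."""
    while a or b:
        # Leading non-digit runs are compared character by character.
        while (a and not _isdigit(a)) or (b and not _isdigit(b)):
            diff = _order(a[:1]) - _order(b[:1])
            if diff:
                return diff
            a, b = a[1:], b[1:]
        # Leading digit runs are compared as numbers.
        na, nb = re.match("[0-9]*", a).group(), re.match("[0-9]*", b).group()
        diff = int(na or 0) - int(nb or 0)
        if diff:
            return diff
        a, b = a[len(na):], b[len(nb):]
    return 0

def assess(secnet, adns):
    """Return finding labels (hypothetical names) for one host's versions."""
    findings = []
    if compare(secnet, SECURITY_FIXED) < 0:
        findings.append("security-bugs")
    if compare(secnet, MODERN_IPADDR_OK) < 0:
        findings.append("breaks-with-modern-ipaddr")
    if compare(secnet, POLYPATH_PEER_MIN) < 0:
        findings.append("too-old-for-polypath-peer")
    if compare(secnet, IPV6_POLYPATH) >= 0 and compare(adns, ADNS_IPV6_MIN) < 0:
        findings.append("adns-lacks-ipv6-polypath")
    return findings
```
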