secnet 0.4.0~beta2

Ian Jackson ijackson at chiark.greenend.org.uk
Sun Dec 28 17:44:11 GMT 2014



I am pleased to announce secnet 0.4.0~beta2.


secnet 0.4 contains support for using IPv6 on the public (outside)
network.

secnet 0.4 has support for dynamic use of possibly multiple local
network interfaces, by mobile sites.  A mobile site which has multiple
connections to the public internet (for example, wifi and 3G) can now
arrange to send all traffic by all available routes, improving
reliability.  This functionality is available even when talking to
earlier versions of secnet, provided that the static peer is running
0.2 or later - although the feature will work best when talking to
another secnet 0.4.

secnet 0.4 is properly described everywhere as being GPLv3+ (rather
than GPLv2+, which is not accurate for the binary packages as they
depend on libraries compatible only with GPLv3+).  The source code
licence for most files has been upgraded.

There are also minor bugfixes and logging improvements; but for sites
which do not need IPv6 or polypath support, there is no compelling
reason to upgrade.

(Everyone should be running at least version 0.3.4, as all previous
versions have significant security bugs.)

IPv6 and polypath support are available only if your version of adns
is also IPv6-capable, which means you need adns 1.5.0~rc0 or later.


secnet 0.4.x needs the modern `ipaddr.py' library, provided on
Debian-derived systems in the package python-ipaddr.

When upgrading to 0.4.x, it is necessary to remove the `ipaddr.py'
library previously provided with secnet (and any corresponding
`ipaddr.pyc' files).  If you are using a .deb version of secnet this
is done automatically; if you are using `make install' you may need
`make install-force'; and if you are running out of a build tree you will
need to clean out the .pyc (by hand, or with git clean, or some such).

Installing the modern ipaddr.py in python-ipaddr will break secnet
versions before 0.3.3~beta1, but you should be running 0.3.4 anyway.
If you're not and you don't want to change both ipaddr.py and secnet
at once, for some reason: install secnet 0.3.4 first, and then
python-ipaddr, and then secnet 0.4.0.

Apart from this installation wrinkle, secnet 0.4.0 is
backwards-compatible with previous versions.


Compared to 0.4.0~beta1, 0.4.0~beta2 has minor bugfixes and build
system and metadata enhancements, including the GPLv3+ upgrade.


0.4.0~beta2 can be found here:
  http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/
  http://www.chiark.greenend.org.uk/~secnet/release/0.4.0~beta2/
(SHA-256 checksums are listed below).

I have provided binaries for vanilla squeeze i386 _without_ IPv6 and
polypath support.  But in the polypath-backport/ subdirectory I have
also provided an IPv6- and polypath-capable secnet.  To use that
secnet you must also install the updated libadns1 provided (or an
equivalent).

If you are able to do so conveniently, please test it (especially if
you can test IPv6).

For those on the SGO VPN: chiark is currently running an equivalent
version.  chiark's secnet is listening on IPv6 [2001:ba8:1e3::].  But
you should not set sites file fragments in the SGO VPN which mention
IPv6 addresses for your own sites because that would make the sites
file incompatible with older secnet versions.  You can safely set IPv6
sites file fragments in the `chiark-only' vpn, using the `userv secnet
chiarkvpnsites' facility.

For a more detailed summary of the changes see the changelog extract
below.  For full details see the git history.


secnet (0.4.0~beta2) unstable; urgency=low

  Polypath bugfixes:
  * Ignore IPv6 Unique Local unicast addresses.
  * Skip "tentative" IPv6 local addresses.
  * Improve logging and debug output.

  Portability fix:
  * Build where size_t is not compatible with int.

  Build system and packaging fixes:
  * Makefile: support DESTDIR.
  * debian/rules: set DESTDIR (not prefix).
  * debian/rules: Support dpkg-buildflags.
  * Install ipaddrset.py and secnet.8 with correct permissions.
  * Fix check for <linux/if_tun.h> and get rid of our copy.
  * Use -lresolv only if inet_aton is not found otherwise.
  * Use -lnsl only if inet_ntoa is not found otherwise.
  * debian/rules: Provide build-arch and build-indep targets.
  * debian/rules: Do not run build for *-indep (!)
  * Makefile.in: Putative dual (backport and not) release build process doc.

  Copyright updates:
  * Update to GPLv3.  Add missing copyright notices and credits.
  * Get rid of old FSF street address; use URL instead.
  * Remove obsolete LICENCE.txt (which was for snprintf reimplementation).
  * Remove obsolete references to Cendio (for old ipaddr.py).

 -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Sun, 28 Dec 2014 17:14:10 +0000

secnet (0.4.0~beta1) unstable; urgency=low

  New features:
  * Support transport over IPv6.  (We do not yet carry IPv6 in the private
    network.)  IPv6 support depends on IPv6-capable adns (adns 1.5.x).
  * New polypath comm, which can duplicate packets so as to send them via
    multiple routes over the public network, for increased
    reliability/performance (but increased cost).  Currently Linux-only
    but should be fairly easy to port.
  * Support multiple public addresses for peers.
  * Discard previously-received packets (by default).

  Logging improvements:
  * Report (each first) transmission and reception success and failure.
  * Log reason for DNS resolution failure.
  * Log unexpected kinds of death from userv.
  * Log authbind exit status as errno value (if appropriate).

  Configuration adjustments:
  * Adjust default number of mobile peer addresses to store when a peer
    public address is also configured.
  * Make specifying peer public port optional.  This avoids making special
    arrangements to bind to a port in mobile sites with no public
    stable address.

  Bugfixes:
  * Hackypar children will die if they get a terminating signal.
  * Fix signal dispositions inherited by secnet's child processes.
  * Fix off-by-one error which prevented setting transport-peers-max to 5.

  Test, build and internal improvements:
  * Use conventional IP address handling library ipaddr.py.
  * Provide a fuzzer for the slip decoder.
  * Build system improvements.
  * Many source code cleanups.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Sun, 26 Oct 2014 15:28:31 +0000



-- 
Ian Jackson                  personal email: <ijackson at chiark.greenend.org.uk>
These opinions are my own.        http://www.chiark.greenend.org.uk/~ijackson/
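
The version thresholds in the announcement above (0.3.4 for the security fixes, 0.3.3~beta1 for the modern ipaddr.py, 0.4.0~beta1 plus adns 1.5.0~rc0 for IPv6 and polypath) depend on Debian-style ordering, where `~' sorts before the end of the string. The following is an added example, not part of the original message or of secnet; `deb_cmp' and `assess' are hypothetical helpers and the sample versions are constructed.

```python
import re

def _rank(ch):
    # dpkg character order: '~' sorts before everything, even end of string;
    # letters sort before other punctuation.
    if ch == "~":
        return -1
    if ch == "":
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def deb_cmp(a, b):
    """Compare upstream versions as dpkg does (epoch and revision not handled)."""
    while a or b:
        # Leading non-digit runs are compared character by character.
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ra, rb = _rank(na[i:i + 1]), _rank(nb[i:i + 1])
            if ra != rb:
                return -1 if ra < rb else 1
        # Leading digit runs are compared numerically (empty counts as 0).
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def assess(secnet, adns):
    """Apply the version thresholds stated in the announcement (hypothetical helper)."""
    old_ipaddr_only = deb_cmp(secnet, "0.3.3~beta1") < 0
    report = {
        "known_security_bugs": deb_cmp(secnet, "0.3.4") < 0,
        "breaks_with_modern_ipaddr": old_ipaddr_only,
        "ipv6_polypath": deb_cmp(secnet, "0.4.0~beta1") >= 0
                         and deb_cmp(adns, "1.5.0~rc0") >= 0,
    }
    # Staged order from the announcement when both cannot change at once.
    report["staged_order"] = (
        ["secnet 0.3.4", "python-ipaddr", "secnet 0.4.0"] if old_ipaddr_only else [])
    return report

if __name__ == "__main__":
    # Constructed sample inputs, not real host inventory.
    for secnet, adns in [("0.3.2", "1.4"), ("0.3.4", "1.4"), ("0.4.0~beta2", "1.5.0~rc1")]:
        print(secnet, adns, assess(secnet, adns))
```

A naive string or tuple comparison would rank 0.4.0~beta2 above 0.4.0, which is why the tilde rule is implemented explicitly.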



