Debian Bug report logs - #849308
wireguard: Wireguard should not transition to stable yet

Display info messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: wireguard: Wireguard should not transition to stable yet

Date: Sun, 25 Dec 2016 02:08:22 -0500

Source: wireguard
Version: 0.0.20161223-1
Severity: grave
Tags: upstream
Justification: renders package unusable

Wireguard appears to be stable and reliable enough to distribute in
debian unstable, to get more widespread testing than would arise from
distribution in experimental alone.

However, the on-wire format might still change, leading to potential
interop issues, and upstream isn't yet willing to maintain a stable
branch in the face of security issues (which is understandable given
the age of the project.

So this bug report is a placeholder to keep it from migration.  Feel
free to comment here!

   --dkg

-- System Information:
Debian Release: stretch/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Message #10 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Georg Faerber <georg@riseup.net>

To: 849308@bugs.debian.org

Subject: Re: Bug#849308: wireguard: Wireguard should not transition to stable yet

Date: Wed, 12 Jul 2017 02:56:45 +0200

[Message part 1 (text/plain, inline)]

Hi,

I would like to see wireguard right now in buster. Even if the on-wire
format should change in the future, it would be still worth it, IMHO.
Buster is the 'testing' suite - so let's just do that: let's test and
get this into testing. Sometimes testing breaks, which is expected, but
most of the time it works. I doubt that there would be a major
difference in this case.

Thanks for consideration and your work,
cheers,
Georg

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: Georg Faerber <georg@riseup.net>, 849308@bugs.debian.org

Subject: Re: Bug#849308: wireguard: Wireguard should not transition to stable yet

Date: Thu, 07 Sep 2017 16:26:43 -0400

[Message part 1 (text/plain, inline)]

Hi Georg--

On Wed 2017-07-12 02:56:45 +0200, Georg Faerber wrote:

> I would like to see wireguard right now in buster. Even if the on-wire
> format should change in the future, it would be still worth it, IMHO.
> Buster is the 'testing' suite - so let's just do that: let's test and
> get this into testing. Sometimes testing breaks, which is expected, but
> most of the time it works. I doubt that there would be a major
> difference in this case.

I understand the appeal here, but the semantics of entry into debian
"testing" is that a package should be in preparation for the next stable
release.

I don't believe that wireguard upstream (Jason Donenfeld) wants
wireguard to be shipped in any long-term operating systems (like debian
stable), because he wants to be able to recommend an upgrade to all
deployed instances easily (that won't happen once buster is stable).
This makes me reluctant to put it into debian testing.

If upstream explicitly states a commitment to maintaining the wire
format, then that version can definitely propagate into testing.  but
that hasn't happened yet.

Now, of course we could let it drop into testing for the moment by
reducing the severity of this bug, and then cranking the severity back
up before the release, but that feels a little bit like cheating, no?

All that said, i do see the appeal of having wider distribution, i'm
just not sure how to do that within the structure of the debian APT
archive.

Any suggestions?

    --dkg

[signature.asc (application/pgp-signature, inline)]

Message #20 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Robert Edmonds <edmonds@debian.org>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 849308@bugs.debian.org

Subject: Re: Bug#849308: wireguard: Wireguard should not transition to stable yet

Date: Thu, 7 Sep 2017 17:13:19 -0400

Daniel Kahn Gillmor wrote:
> Now, of course we could let it drop into testing for the moment by
> reducing the severity of this bug, and then cranking the severity back
> up before the release, but that feels a little bit like cheating, no?
> 
> All that said, i do see the appeal of having wider distribution, i'm
> just not sure how to do that within the structure of the debian APT
> archive.
> 
> Any suggestions?

Debian users have a powerful package manager at their disposal that lets
them run testing but cherry-pick packages from unstable, e.g. see
"Tracking Testing or Unstable" in the apt_preferences(5) manpage. That
seems like the appropriate solution if wireguard doesn't have a stable
wire protocol yet.

So far I've even had success using the wireguard packages from unstable
on stretch, just by pinning unstable.

-- 
Robert Edmonds
edmonds@debian.org

Message #25 received at 849308@bugs.debian.org (full text, mbox, reply):

From: James McDonald <james@jamesmcdonald.com>

To: 849308@bugs.debian.org

Subject: Backport of wireguard

Date: Sat, 28 Apr 2018 09:30:35 +0200

[Message part 1 (text/plain, inline)]

Would it make sense to create stretch-backports packages of wireguard?  
That way it would be installable on machines running stable with the 
same apt-get override, but without requiring special pinning 
configuration or having the unstable repo available.

-- 
James McDonald

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 849308@bugs.debian.org (full text, mbox, reply):

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

To: 849308@bugs.debian.org

Date: Mon, 18 Jun 2018 21:09:05 +0200

dkg and I had a discussion about this recently and he asked me to
summarize my understanding of it.

- WireGuard still prefers to operate on a rolling basis, with new
snapshots totally replacing old ones, with no stability, security, or
other long term guarantees.
- WireGuard probably won't be operating this way for too much longer,
since we plan to change how we do releases after mainline inclusion.
- In spite of the above formalism, dkg thinks that WireGuard has been
pretty stable for a while.
- There are a significant number of Debian stable users who use
WireGuard from the unstable repo, via priority pinning. This works,
but might lead to users inadvertently mixing and matching other
unstable and stable packages.
- The tools package makes use of getentropy() which is only in recent
versions of libc, making the current scheme problematic without a
patch.

As such, dkg suggested closing this bug to enact the following:

- Migration of package into testing, on a rolling basis.
- Backporting of package into stable-backports, on a rolling basis.

The long term plan, once testing becomes stable, will be to:

- Maintain oldstable-backports, on a rolling basis.
- Maintain stable-{backports,security}, on a rolling basis, depending
on dkg's security judgement. [*]
- Maintain unstable, on a rolling basis.

The short term plan is:

- Maintain unstable, on a rolling basis.
- Maintain stable-backports, on a rolling basis.

[*] This is based on dkg's security judgement, not upstream's, since
at the time of writing, upstream _only_ operates on a snapshot rolling
basis and considers every new snapshot to be critical, and explicitly
notes that the project is not at the moment assigning CVEs, and so
downstream decisions should be made with this stability & security
anti-guarantee in mind.

I find the above plan complex and the general notion of shipping
outdated snapshots to users, ever, is not something I'm overly
comfortable with. However, if dkg feels he can operate the above
machinery on a basis that's "near-rolling", then I'll follow his
judgement, provided awareness of [*] stays in tact. There are, indeed,
general packaging consistency advantages of closing this bug; however,
these will be need to be weighed against the other considerations as
well.

Message #35 received at 849308@bugs.debian.org (full text, mbox, reply):

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

To: 849308@bugs.debian.org

Date: Tue, 19 Jun 2018 18:26:17 +0200

To further summarize ongoing conversations:

It appears that there many be another alternative, midway between the
two extremes of stabilization on one hand and keeping this bug report
open on the other. The idea is to ship WireGuard in stable-backports
and in unstable, but not let this migrate to testing. That way stable
users have access to it in a rolling manner, and we never need to
worry about stale snapshots being distributed to users, and we also
don't need to compromise on the fact that snapshots are merely
snapshots, not releases. There is some precedent for such a thing --
the grsecurity patchset formerly did this.

Of the various options, this one seems quite sensible to me for the time being.

Message #40 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: "Jason A. Donenfeld" <Jason@zx2c4.com>, 849308@bugs.debian.org

Subject: Re: Bug#849308:

Date: Wed, 8 Aug 2018 17:38:17 +0100

Hi,

On Tue, Jun 19, 2018 at 06:26:17PM +0200, Jason A. Donenfeld wrote:
> The idea is to ship WireGuard in stable-backports
> and in unstable, but not let this migrate to testing.

That would, on the face of it, violate the inclusion criteria for backports
and require an exception from the Backports Team [1].

1: https://backports.debian.org/Contribute/

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Message #45 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupre <anarcat@orangeseeds.org>

To: "Jason A. Donenfeld" <Jason@zx2c4.com>, 849308@bugs.debian.org

Cc: Daniel Kahn Gillmor <dkg@debian.org>

Subject: state of wireguard mainline inclusion?

Date: Wed, 22 Aug 2018 17:56:12 -0400

[Message part 1 (text/plain, inline)]

On Mon, Jun 18, 2018 at 09:09:05PM +0200, Jason A. Donenfeld wrote:
> As such, dkg suggested closing this bug to enact the following:
> 
> - Migration of package into testing, on a rolling basis.
> - Backporting of package into stable-backports, on a rolling basis.
> 
> The long term plan, once testing becomes stable, will be to:
> 
> - Maintain oldstable-backports, on a rolling basis.
> - Maintain stable-{backports,security}, on a rolling basis, depending
> on dkg's security judgement. [*]
> - Maintain unstable, on a rolling basis.
> 
> The short term plan is:
> 
> - Maintain unstable, on a rolling basis.
> - Maintain stable-backports, on a rolling basis.

Since this was discussed, Wireguard was actually proposed for mainline,
as described here:

https://lwn.net/Articles/761939/

It seems to me more likely that Wireguard will stabilize in a Linux
kernel release shipped with Buster than outside.

What are the plans for wireguard *outside* of mainline once it's merged,
actually? That could shape how we handle the packaging on our side...

What's the status on that inclusion? From what I understand, it requires
fairly deep changes to the kernel's crypto subsystems, so it might take
time. But then again buster is not about to be released so maybe it's
reasonable to just wait for mainline inclusion instead of relying on
dkms packages...

On the other hand, that won't give stretch users access to the code
either.

So once the code is mainlined (or before?) maybe it would make sense to
have a 1.0-like release of some sort that we could ship in buster,
regardless of the situation in the kernel, and then backport to
stretch...

Does that make sense?

Thanks!

-- 
The world is a dangerous place, not because of those who do evil,
but because of those who look on and do nothing.
                        - Albert Einstein

[signature.asc (application/pgp-signature, inline)]

Message #50 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>

To: Antoine Beaupre <anarcat@orangeseeds.org>

Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>, 849308@bugs.debian.org, Daniel Kahn Gillmor <dkg@debian.org>

Subject: Please let wireguard migrate to testing

Date: Tue, 18 Sep 2018 16:32:04 +0200

[Message part 1 (text/plain, inline)]

Hello Daniel,

we want wireguard in Kali and Kali is based on Debian testing. For now we
imported it manually from Debian Unstable but it's counter-productive, 
we have rolling distributions (kali and testing) and an upstream
following a rolling model and yet we don't have its packages
automatically.

My suggestion is to just let the package migrate to testing so that you
can provide stable backports to users. At freeze time, you reconsider the
situation:
- either it's not a good idea to ship it in stable and then you ask
  the release manager for a removal hint (quick and easy)
- or you discuss with the security team (or SRM) if it's possible
  to regularly import new upstream release as upstream is only supporting
  the latest release...
- or upstream changed its policy because it has been merged in the kernel
  and you're good to go

Please close this bug. Thank you.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

[signature.asc (application/pgp-signature, inline)]

Message #55 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@orangeseeds.org>

To: "Jason A. Donenfeld" <Jason@zx2c4.com>, 849308@bugs.debian.org

Cc: Daniel Kahn Gillmor <dkg@debian.org>

Subject: Re: state of wireguard mainline inclusion?

Date: Wed, 26 Sep 2018 20:26:07 -0400

On 2018-08-22 17:56:12, Antoine Beaupre wrote:
> Since this was discussed, Wireguard was actually proposed for mainline,
> as described here:
>
> https://lwn.net/Articles/761939/
>
> It seems to me more likely that Wireguard will stabilize in a Linux
> kernel release shipped with Buster than outside.

... I'm not so sure anymore. It seems Wireguard implements a bunch of
crypto primitives outside the normal crypto API through a new module
called Zinc, which is controversial:

    https://lwn.net/SubscriberLink/765965/6d509f4af482aa70/ 

This could delay inclusion of Wireguard in the kernel for a bit.

I still think this bug should be closed and we should let wireguard
migrate in testing. I'm sure the relteam would be mooore than happy to
remove it at a moment's notice before or during the freeze if we need
to.

In other words, I feel this bug was filed prematurely. :)

A.
-- 
We will create a civilization of the Mind in Cyberspace. May it be more
humane and fair than the world your governments have made before.
                        - John Perry Barlow, 1996
                        A Declaration of Independence of Cyberspace

Message #60 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Michael Prokop <mika@debian.org>

To: Antoine Beaupré <anarcat@orangeseeds.org>, 849308@bugs.debian.org

Cc: Daniel Kahn Gillmor <dkg@debian.org>

Subject: Re: Bug#849308: state of wireguard mainline inclusion?

Date: Thu, 7 Mar 2019 16:16:40 +0100

[Message part 1 (text/plain, inline)]

* Antoine Beaupré [Wed Sep 26, 2018 at 08:26:07PM -0400]:

> I still think this bug should be closed and we should let wireguard
> migrate in testing. I'm sure the relteam would be mooore than happy to
> remove it at a moment's notice before or during the freeze if we need
> to.

> In other words, I feel this bug was filed prematurely. :)

So sadly wireguard didn't make it into buster. :(
Are there any plans for providing backports for stretch and/or buster?

regards,
-mika-

[signature.asc (application/pgp-signature, inline)]

Message #65 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@debian.org>

To: Michael Prokop <mika@debian.org>, Antoine Beaupré <anarcat@orangeseeds.org>, 849308@bugs.debian.org

Subject: Re: Bug#849308: state of wireguard mainline inclusion?

Date: Fri, 08 Mar 2019 10:37:52 -0500

[Message part 1 (text/plain, inline)]

Hi Mika--

On Thu 2019-03-07 16:16:40 +0100, Michael Prokop wrote:
> So sadly wireguard didn't make it into buster. :(

yep, frustrating.  but that was by design -- it isn't clear to me that
the ecosystem will be happy with having a wide distribution of an
outdated (2019) version running in 2021 :/, depending on what happens
with the upstream inclusion work (which i can't currently predict).

> Are there any plans for providing backports for stretch and/or buster?

I do plan for putting wireguard into buster-backports, since i expect
the upstream inclusion issues to be resolved one way or another by the
time of bullseye release.  If anyone wants to help out by adding it to
stretch-backports-sloppy, i would welcome that.

          --dkg

[signature.asc (application/pgp-signature, inline)]

Message #70 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@debian.org>

To: Michael Prokop <mika@debian.org>, Antoine Beaupré <anarcat@orangeseeds.org>, 849308@bugs.debian.org, 849308-done@bugs.debian.org, "Jason A. Donenfeld" <Jason@zx2c4.com>

Subject: Re: Bug#849308: state of wireguard mainline inclusion?

Date: Sun, 08 Sep 2019 16:28:52 -0400

[Message part 1 (text/plain, inline)]

Version: 0.0.20190905-1

Over in 849308@bugs.debian.org, Daniel Kahn Gillmor wrote:
> I do plan for putting wireguard into buster-backports, since i expect
> the upstream inclusion issues to be resolved one way or another by the
> time of bullseye release.  If anyone wants to help out by adding it to
> stretch-backports-sloppy, i would welcome that.

Following up on this, and after some discussion with Jason (upstream), i
think it's time to let wireguard migrate into debian testing.

So i'm closing #849308 with this e-mail, and once wireguard migrates
into testing, i'll look into putting it into buster-backports.

I welcome anyone who wants to contribute to the debian packaging to
offer maintenance help too!

      --dkg

[signature.asc (application/pgp-signature, inline)]

Message #80 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>

To: Daniel Kahn Gillmor <dkg@debian.org>, Michael Prokop <mika@debian.org>, 849308@bugs.debian.org, "Jason A. Donenfeld" <Jason@zx2c4.com>

Subject: Re: Bug#849308: state of wireguard mainline inclusion?

Date: Mon, 09 Sep 2019 09:44:02 -0400

On 2019-09-08 16:28:52, Daniel Kahn Gillmor wrote:
> Version: 0.0.20190905-1
>
> Over in 849308@bugs.debian.org, Daniel Kahn Gillmor wrote:
>> I do plan for putting wireguard into buster-backports, since i expect
>> the upstream inclusion issues to be resolved one way or another by the
>> time of bullseye release.  If anyone wants to help out by adding it to
>> stretch-backports-sloppy, i would welcome that.
>
> Following up on this, and after some discussion with Jason (upstream), i
> think it's time to let wireguard migrate into debian testing.
>
> So i'm closing #849308 with this e-mail, and once wireguard migrates
> into testing, i'll look into putting it into buster-backports.
>
> I welcome anyone who wants to contribute to the debian packaging to
> offer maintenance help too!

Awesome news, thanks everyone!

A.

PS: does that mean anything regarding WG's inclusion into mainline? I
haven't followed LKML recently so I don't know if that closer to
realization... Or is this just a (vague, non-binding) promise that the
protocol won't change as much anymore?

-- 
À force de ne jamais réfléchir, on a un bonheur stupide
                        - Jean Cocteau

Message #85 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Willem van den Akker <wvdakker@wilsoft.nl>

To: 849308@bugs.debian.org

Subject: wireguard: Wireguard should not transition to stable yet

Date: Tue, 01 Oct 2019 06:50:29 +0200

[Message part 1 (text/plain, inline)]

Hi Daniel,

I offer by help for maintaining packaging WG.
Please let me know how I can help.

/Willem

[Message part 2 (text/html, inline)]

Message #90 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: Willem van den Akker <wvdakker@wilsoft.nl>, 849308@bugs.debian.org

Subject: Re: Bug#849308: wireguard: Wireguard should not transition to stable yet

Date: Thu, 03 Oct 2019 07:57:46 -0400

[Message part 1 (text/plain, inline)]

Hi Willem--

On Tue 2019-10-01 06:50:29 +0200, Willem van den Akker wrote:

> I offer by help for maintaining packaging WG.

Thank you, happy to have help!

> Please let me know how I can help.

Please make sure you can build the package from the debian/master branch
at https://salsa.debian.org/debian/wireguard.

If you can do that successfully (it shouldn't be too hard), feel free to
take a look at the debian/TODO file, which contains a handful of
suggestions, mostly about setting up more detailed autopkgtest testing.

Another thing that might be handy is to read through the discussion
starting here:

    https://lists.debian.org/deity/2019/09/msg00017.html

The idea is to propose a debian package for binary wireguard kernel
modules that matches the current kernel package, so that users wouldn't
need to use dkms.  getting the dependency details right there is tricky,
as is keeping it up to date, but it might be worth trying.

I've pushed a very ungainly initial attempt at this binary module
packaging to https://salsa.debian.org/debian/wireguard-modules -- you
might want to take a look at that and consider fixing one of the things
in debian/TODO there, and proposing a fix.  Alternately, testing its
build and seeing whether the resultant binary works or not on systems
without dkms would also be interesting.

Thanks for offering to help!

   --dkg

[signature.asc (application/pgp-signature, inline)]

Message #95 received at 849308@bugs.debian.org (full text, mbox, reply):

From: Willem van den Akker <wvdakker@wilsoft.nl>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 849308@bugs.debian.org

Subject: Re: Bug#849308: wireguard: Wireguard should not transition to stable yet

Date: Fri, 04 Oct 2019 07:28:09 +0200

Hi DKG,


> Please make sure you can build the package from the debian/master branch
> at 
https://salsa.debian.org/debian/wireguard> .
> 
> If you can do that successfully (it shouldn't be too hard), feel free to
> take a look at the debian/TODO file, which contains a handful of
> suggestions, mostly about setting up more detailed autopkgtest testing.

Building is no problem. I will dig into the autopkgtest testing. It is
rather new to me.

> 
> Another thing that might be handy is to read through the discussion
> starting here:
> 
>     
> https://lists.debian.org/deity/2019/09/msg00017.html
> 
> 
> The idea is to propose a debian package for binary wireguard kernel
> modules that matches the current kernel package, so that users
> wouldn't
> need to use dkms.  getting the dependency details right there is
> tricky,
> as is keeping it up to date, but it might be worth trying.

Interesting, needs more digging from my side.

> 
> I've pushed a very ungainly initial attempt at this binary module
> packaging to 
> https://salsa.debian.org/debian/wireguard-modules
>  -- you
> might want to take a look at that and consider fixing one of the
> things
> in debian/TODO there, and proposing a fix.  


> Alternately, testing its
> build and seeing whether the resultant binary works or not on systems
> without dkms would also be interesting.

That shouldn't be a problem.


First I will take the autopkgtest.

Greetings,
Willem

Send a report that this bug log contains spam.