freeswan (2.04-14) unstable; urgency=medium

  This is probably the final upload to this package, I will ask for
  removal after etch is released.
  * Adopted NMU-patch by Andres Henriksson:
    Comment out lines in debian/rules to not install any files in the
    transition package except the debian changelog and copyright file.
    (Urgency medium as it fixes a RC bug, Closes: #398401)

 -- Rene Mayrhofer <rmayr@debian.org>  Tue, 14 Nov 2006 17:58:57 +0100

freeswan (2.04-13) unstable; urgency=low

  * Changed the dependency of kernel-patch freeswan to
    linux-patch-openswan | kernel-patch-openswan, as the openswan kernel 
    patch package has been renamed to make it clear that it is a Linux kernel
    patch.

 -- Rene Mayrhofer <rmayr@debian.org>  Sun, 23 Apr 2006 21:52:05 +0100

freeswan (2.04-12) unstable; urgency=low

  * Finally remove freeswan from Debian. These are transition packages
    that only depend on the respective openswan packages and may be
    safely removed after openswan has been installed.
    Your config files should be taken over by openswan, but please report
    any anomalies that might happen.

 -- Rene Mayrhofer <rmayr@debian.org>  Sun,  20 Jun 2005 17:52:30 +0100

freeswan (2.04-11) unstable; urgency=high

  * Updated the last security fix, it could break connections with self-
    signed certificates.

 -- Rene Mayrhofer <rmayr@debian.org>  Wed,  7 Jul 2004 20:30:44 +0200

freeswan (2.04-10) unstable; urgency=HIGH

  * Fixed a security issue in the X.509 patch reported by Andreas Steffen to
    the openswan mailing list (CAN-2004-0590).
  * Compiling freeswan-modules-source on a non-patched 2.4 kernel tree still
    fails because of bad integration of the NAT patch into the X.509 patch
    I am currently using. I am still working on that, but this security issue
    must be fixed as soon as possible.

 -- Rene Mayrhofer <rmayr@debian.org>  Mon, 28 Jun 2004 13:32:19 +0200

freeswan (2.04-9) unstable; urgency=medium

  * Fixed the alg patch to work again - the upstream patch by Andreas Steffen
    does currently not apply cleanly to a kernel source, because files have
    been moved.

 -- Rene Mayrhofer <rmayr@debian.org>  Mon, 22 Mar 2004 10:26:54 +0100

freeswan (2.04-8) unstable; urgency=low

  * Updated the X.509 patch. This new upstream release supports CRL
    download via OCSP, which is a huge win.
  * Updated the alg patch.
  * Include NAT Traversal support again, many thanks to Andreas Steffen for
    doing the work of forward-porting it.
  * Remove the notify-delete patch, it is now included in the X.509 patch.
  * Adapt debian/rules to not install some doc files that are now missing
    with the new patch versions.
  * Additional debian/rules cleanup to remove cosmetic error messages during
    package build.
  * Fix a few lintian warnings - many thanks to Martin Koeppe for pointing
    them out.
  * Really work on the automatic editing of ipsec.secrets now - this version
    ships a better default config that makes checking for previous key a lot
    easier. Updating from a previous default config should work.
    Closes: #199990: freeswan - key presence check broken
    Closes: #199993: freeswan - postinst cert insertion check broken
  * debian/po/POTFILES.in now lists the master file.
    Closes: #231226: freeswan: Broken woody backward compatibility mechanism 
            for debconf templates translation
  * Updated the Japanese debconf translation.
    Closes: #231227: freeswan: Japanese translation of templates broken
  * Updated the French debconf translation.
    Closes: #235267: freeswan: [INTL:fr] French debconf templates translation
    Closes: #232068: freeswan: [INTL:fr] French debconf templates translation
  * Fixed the last debconf template, thanks for the patch.
    Closes: #231295: freeswan: Templates corrections
  * Explicitly use bash in mkx509cert.sh, it seems to be broken with dash.
    Closes: #232583: postinst fails to create certificate with posix bourne 
            shell
  * Now build pluto with support for LDAP CRL fetching, CRL or OCSP fetching
    via cURL and secret keys on smart cards via opensc. This means that there
    are 3 more build dependencies and that the freeswan package depends on 3
    more library packages. Since they are less than 2MB in whole, I thought
    that should be ok.
    Closes: #231825: please build with opensc support
  * Ship the fswcert tool now again, this time under /usr/bin. It is very 
    useful to connect to a non-X.509 capable freeswan box on the other side,
    because the RSA public key needed by the other side can be easily 
    extracted with fswcert from the own PEM certificate.
  * Add the /etc/ipsec.d/ocspcerts and /etc/ipsec.d/policies directories.
  * Be sure that a valid country code is entered for the X.509 certificate -
    openssl will not create one without it:
    - Added a default value (AT at the moment, if somebody has a "better"
      default for Debian, mail me).
    - Don't allow an empty field in the config script.
    Closes: #217796: broken with debconf noninteractive

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Thu,  4 Mar 2004 20:01:41 +0100

freeswan (2.04-7) unstable; urgency=medium

  Urgency is medium because OE breaks connectivity on some systems.
  * Really disable Opportunistic Encryption now for all cases, also
    updates. This should solve the problem of 2 routes being erroneously
    created and effectively disconnecting the host from its default route.
    During installation, the user can select via debconf whether OE should be
    disabled, but disabling is the default and is strongly recommended in the
    wording.
    It should also work for existing config files.
    Closes: #230557: freeswan: Default installation kills network connection
    Closes: #225530: freeswan: adds "default route" on empty config

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Tue,  3 Feb 2004 14:26:52 +0100

freeswan (2.04-6) unstable; urgency=low

  * Recommend ipsec-tools instead of suggesting them and clearly state
    in the README.Debian file that ipsec-tools is necessary when the
    kernel native stack is used instead of the KLIPS stack. Maybe I
    should even depend on ipsec-tools. Installing the package fixes the
    problem that pluto can't be stopped.
    Closes: #227747: freeswan: Can't stop ipsec

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Thu, 29 Jan 2004 12:29:56 +0100

freeswan (2.04-5) unstable; urgency=medium

  Urgency is medium due to a kernel patch error on all architectures (#229887).
  * Remove -Werror for compilation. Although I don't really like that
    solution, upstream recommended to do that. This finally makes
    freeswan compile on ia64. Many thanks to Bdale Garbee for compiling a few
    versions on one of his spare ia64.
    Closes: #203339: freeswan_2.01-1(unstable/ia64): FTBFS: int format, 
            different type arg
  * Change the architecture of the created freeswan-modules package from all
    to any. Thanks to Matthias Klose for noticing that.
    Closes: #227209: freeswan-modules-source builds module of architecture all
  * freeswan routing setup scripts now really need the ip tool. Depend on 
    the iproute package to be sure it's installed. I didn't notice this 
    because I have ip installed on all of my systems.
    Closes: #229981: freeswan: does not create routing entries
  * Remove my fix for the missing Config.in entries - it apparently got fixed
    in the rc12 alg patch by inserting the lines at a different place. Thus,
    the entries were put twice into the Config.in, breaking make menuconfig.
    Closes: #229887: FreeS/WAN kernel patch causes failure in Menuconfig
  * Ugh, remove config files from debian/freeswan.conffiles - debhelper 
    already takes care of that.
    Closes: #223281: freeswan: Some conffiles are listed twice
  * Add the Japanese debconf translation.
    Closes: #227824: freeswan: Japanese po-debconf template translation (ja.po)

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Thu, 29 Jan 2004 09:24:54 +0100

freeswan (2.04-4) unstable; urgency=low

  * Updated the alg patch to rc12, which seems to fix compatibility with
    the new kernel interface. Many thanks to Herbert Valerio Riedel for
    providing the patch !
    Closes: #224704: freeswan unable to select kernel cipher

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Mon,  5 Jan 2004 12:21:25 +0100

freeswan (2.04-3) unstable; urgency=medium

  * Revert back to 0.8.1rc10 alg patch, because 0.8.1rc11 seems to cause
    trouble for some people.
    Closes: #224704: freeswan unable to select kernel cipher
  * Fix double clean. Thanks to Marc Haber for pointing out the mistake.
  * Fix building of the modules outside of /usr/src/modules. Thanks to
    Adam Lackorzynski for that one.
  * Fix alg modules with versioned module kernel builds.
    Closes: #224283: freeswan-modules-source: failure to build ipsec_aes.o
  * Remove the empty Depends: line in freeswan-modules-source, which breaks
    apt-get under woody.

 -- Rene Mayrhofer <rmayr@debian.org>  Mon, 22 Dec 2003 13:01:53 +0100

freeswan (2.04-2) unstable; urgency=medium

  * Wah, cvs-buildpackage f***ed up. Some of my changes were not taken into
    the last build (after importing the upstream sources). This should correct
    it. Thus, set urgency to medium because the last upload broke the
    compilation of freeswan-modules-source.
  * Fix the compilation of freeswan-modules-source by changing alg_modules to
    all_alg_modules in debian/rules.
  * Remove the temporary hack concerning the cryptoapi module - it works now
    and is the only way to get all the ciphers.
  * Add a fix for linux/net/ipsec/Makefile, so that compiling ipsec without
    module support in the kernel will again work. Thanks to Christian Welzel
    for tracking this one down !
  * Suggest curl for dynamic CRL loading.

 -- Rene Mayrhofer <rmayr@debian.org>  Wed, 17 Dec 2003 09:10:34 +0100

freeswan (2.04-1) unstable; urgency=low

  * New upstream release.
  * Updated the X.509 patch, which now supports port and protocol selectors
    for the native IPSec stack.
  * Herbert Xu's patch is no longer needed, it has been integrated into
    upstream. Thanks for making my life a lot easier :)
  * Updated Juanjo's alg patch (which is now a single patch instead of 
    multiple small ones).
  * Removed my patch to fix the gcc 3.x log conflict, this has now also been
    done upstream.
  * Don't ship the various documentation files from the alg and NAT Traversal 
    patches in the debian/ directory of the source package, they are added by 
    the patches anyway.
  * Disable the NAT Traversal patch for now because it has large problems with
    2.04 upstream (most probably because of the changes needed to integrate
    Herbert's work). I can not fix this immediately, so I will either have to 
    wait until Mathieu Lafon updates his patch or try to do it myself, which
    means digging deeply into the pluto and kernel code....
    However, this has to wait because there are some bugs to fix in this 
    package, and we've been told to do it quickly :)
    Closes: #219007: freeswan-modules-source: NAT_TRAVERSAL sould be disabled 
                     with newer kernel-source packages
  * Forward-port Mathieu's notify-delete patch myself: use plog instead of log
    (as with my old log-conflicts patch) and replace st_connection.(this|that)
    by st_connection.spd.(this|that), which should fix the compile problems.
  * Finally apply patch to fix the build on ia64. Sorry that it took so long,
    I somehow managed to look over this bug. It is untested but should not
    break stuff.
    Closes: #203339: freeswan_2.01-1(unstable/ia64): FTBFS: int format, 
                     different type arg
  * I am not aware that I said that kernel-headers were enough to build the
    freeswan-modules-source package, and I don't think that make-kpkg does
    that in its default configuration. Anyway, document that the real kernel
    sources (the unpacked kernel) tree is needed to build the modules in
    README.Debian and add a Recommends: kernel-source so that it should be 
    clear. If this is in policy violation for *-source packages, then I need
    some help in fixing this.
    Closes: #211935: FTB modules package for kernel-headers-2.4.22*
    Closes: #209167: Can not build modules, or?
  * Define the CONFIG_IPSEC_ALG_* macros for the kernel configuration in
    freeswan-modules-source with 1 instead of just defining them.
    Closes: #218998: freeswan-modules-source: Definition of CONFIG_IPSEC_ALG_*
  * Include French debconf translations and remove some default fields from
    being translated where it doesn't make sense.
    Closes: #200119: freeswan: Please switch to gettext-based debconf templates
    Closes: #200727: freeswan: Please switch to gettext-based debconf templates 
                     + french translation
    Closes: #213479: freeswan: [INTL:fr] French debconf templates translation
  * Suggest ipsec-tools (because setkey is needed when the native IPSec stack 
    is used).
  * A bug with handling 4096 bit keys has been solved by upstream, after the
    report has been forwarded to them. I have received a message from 
    Hugh Redelmeier that it has been fixed, but can not find the mentioned bug
    report #254 in their GNATS bug database.
    Closes: #208165: freeswan - buffer for TXT rrs too short
  * Finally get rid of the duplicate HTML files in the doc directory (they are
    not really duplicate, rather one set is created from the other by the 
    install script).
    Closes: #119259: freeswan: duplication of html files

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Mon, 24 Nov 2003 18:01:02 +0100

freeswan (2.01-4) unstable; urgency=low

  Warning: the kernel-patch-freeswan package will, in this version, not work
  with vanilla kernel sources but only with the Debian kernel source. This will
  hopefully be fixed in the next upload (based on freeswan 2.04); but for the
  time being, please use 2.01-3 if you need freeswan kernel modules for vanilla
  (non-Debian) kernels.
  * Include Herbert Xu's patch for compatibility with Debian kernels and
    the backported IPSec kernel support. This means that (a) the kernel-
    patch-freeswan and freeswan-modules-source packages finally work
    with Debian kernel sources and (b) that pluto should now be able to
    use the kernel IPSec support backported from 2.6.
    Yaacov Akiba Slama has already tested this with both the 2.4.22-3 Debian
    kernel source and the 2.6.0-test8-mm1 kernel source and has reported it
    to work out-of-the-box without any further issues, even with NAT Traversal.
    Many thanks for testing this !
    There is an additional catch: NAT Traversal will not work in the KLIPS
    part when applied to Debian kernels. But since the native kernel IPSec
    stack already has NAT Traversal support, you might not even need KLIPS
    anymore (AES and other ciphers are in the kernel and now that NAT
    Traversal is also in, it seems to be the better alternative).
    Many thanks to Herbert for his patch !
    Closes: #205556: kernel-patch-freeswan: Fails to apply to to
            kernel-source-2.4.21 2.4.21-4
    Closes: #204620: kernel-patch-freeswan: build fails in oldconfig on
            2.4.22-rc1
    Closes: #212021: kernel-patch-freeswan: fails to apply to
            kernel-source-2.4.19-10
    Closes: #200033: freeswan-modules-source: failure compiling against
            2.4.21
    Closes: #207946: kernel-patch-freeswan: Don't understand patch system
    Closes: #215188: freeswan-modules-source: 2.01-3 module compilation fail:
            ipsec_rcv.c:1540: union has no member named `af_udp'
    Closes: #212122: freeswan-modules-source: Build with 2.4.22-sources
            fails
    (Please start reading other people's bug reports before submitting a new
    one - most of the above reports show the same error messages.)
  * Provide ike-server now so that the three IKE daemons which are now in
    Debian conflict with each other.
  * Mention in README.Debian that the module sources need to be unpacked.
    Closes: #209407: freeswan-modules-source: Please add a little more
            documentation
  * Add more documentation to README.Debian now that kernel support no longer
    has to be built and default Debian kernels can be used out-of-the-box.
  * Only make /etc/ipsec.d/private chmod 700 instead of the whole /etc/ipsec.d.
    This should now finally get all permissions right and is a small change
    from the previous upload.
    Closes: #210438: wrong permissions in /etc/ipsec.d/

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Tue, 21 Oct 2003 21:40:33 +0200

freeswan (2.01-3) unstable; urgency=high

  Urgency is high because of the wrong permissions. Besides that, this is the
  first 2.x package which has both freeswan-modules-source and
  kernel-patch-freeswan working.
  * Whoa, "beautifying" debian/rules in the last upload left dh_fixperms after
    changing the permissions of /etc/ipsec.* and thus left /etc/ipsec.* with
    wrong permissions ! /etc/ipsec.secrets was world-readable on a fresh
    installation of freeswan 2.01-2, fixed now.
  * Make NAT Traversal work again - it was a lot of patching work so I
    sent my diff to Mathieu Lafon for integration in his next NAT
    Traversal patch package.
  * Added a "Source: " line to the freeswan-modules-source control file,
    which should make the package build again on unstable boxes.
  * freeswan-modules-source and kernel-patch-freeswan now depend on
    coreutils | fileutils, so that backporting to woody is simpler
    (in fact, it only needs to be recompiled on a woody box).
  * "Fixed" the clean target of debian/rules so that dpkg-buildpackage is now
    idempotent.
  * freeswan-modules-source now uses the rootcmd properly (some code snippets
    have been taken from alsa-driver, as suggested by the bug report).
    Closes: #212669: freeswan-modules-source: build process doesn't use
            rootcmd correctly
  * Changed the AES patch so that it at least applies cleanly to a vanilla
    2.4.22 kernel source tree. It won't work with the Debian kernels due to
    the 2.5.x IPSec backport. Sorry folks, but I simply don't know what to do
    about this. There are patches to make it work with the Debian package, but
    applying them will break compatibility with vanilla kernels. For now, I
    will stick to vanilla kernels and hopefully get support for the kernel
    IPSec backport running soon.
  * The freeswan-modules-source package now also compiles the crypto extension
    modules correctly. However, NAT Traversal will not work with the
    freeswan-modules-source package because it needs a patch to the kernel
    UDP code.
  * Get the automatic RSA key insertion into /etc/ipsec.secrets in postinst
    working again.
  * Create the X.509 certificate in /etc/ipsec.d/certs instead of /etc/ipsec.d.
    The new X.509 patch expects it that way.
  * Removed the debconf warning about this being an experimental package. I no
    longer consider it as experimental since it has proven itself on my
    machines.

 -- Rene Mayrhofer <rmayr@debian.org>  Mon,  6 Oct 2003 14:57:23 +0200

freeswan (2.01-2) unstable; urgency=low

  * This is a bundled release: with the normal patch-set for the Debian main
    archive (X.509, crypto-ext, notify/delete, etc.) and without any
    third-party patch for upstream freeswan 2.02. Yes, the upstream tarball will
    from now on contain all stuff that is necessary to create the Debian 
    packages, even if it's without those patches.
    The debian/rules file is now able to cope with missing patches and simply
    doesn't apply them if they aren't there. This step is an important one and
    will hopefully lead to much quicker updates of the Debian main archive if
    new upstream versions are released.
  * Added Herbert Xu's patch to freeswan so that the upstream kernel ipsec
    support (which is in Debian 2.4.2x and in 2.6.x kernels) can be used with
    pluto.
    It needed to be changed a bit (applied and fixed manually) because it 
    slightly conflicted with other patches. I hope that I didn't mess up too 
    badly with this. If it breaks something, please simply disable the patch 
    in debian/pre-build-patches and recompile.
    UPDATE: This patch is disabled because it currently doesn't work for me.
    With 2.03 upstream, it will be included (hopefully) anyway.
  * Use architecture All for the freeswan-modules-* packages. Thanks to
    Peter Palfrader for the hint. 
    Closes: #202748: architecture should be all
  * Freeswan now also depends on host because the verify script needs it.
    Closes: #205424: freeswan: missing dependency
  * Build-Depend on gawk for now, I hope to remove it soon.
    Closes: #206174: freeswwan: missing build-depends on gawk
  * Make the po-debconf part backport-friendly. Thanks to Marc Haber for the
    patch !
    Closes: #207135: freeswan: please consider using backport-friendly way of 
                     using po-debconf
  * Use the DEB_DEST variable in the freeswan-modules-* build process if it's
    available.
    Closes: #206405: freeswan-modules-source: cannot specify build destination

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Tue,  2 Sep 2003 13:01:21 +0200

freeswan (2.01-1) unstable; urgency=low

  * New upstream version.
  * Bump standards version to 3.6.0.
  * Updated the X.509 patch.
  * Updated the crypto-ext patches to 0.8.1-rc9, which means that my huge
    all-crypto patch can go away and I don't need to maintain it manually.
    This also enables single-DES (yes, I don't have to patch it with still
    another patch).
    I had to remove the RCSID parts of the patch to make it apply though.
  * Ported the NAT Traversal patch so that it works in combination with
    the AES (crypto-ext) patch. Now enabling NAT Traversal again for
    this package.
    Update: Puh, I had to disable it again because it simply can't be applied
    so that the module build will work properly. If anybody has some time to
    figure out what needs to be changed, then please try it.... I will try to
    make it work, but will probably not find time for it in the next 2 weeks.
  * Ok, ok. Reintroduced the kernel-patch-freeswan package, which now again
    allows to build IPSec support in the kernel non-modular. The main reason
    for putting this back in is that I am currently not sure if NAT Traversal
    will work when using the freeswan-modules-source approach (Angus Lees 
    suggested that - thanks for the hint). After a quick look, I don't see
    any patching of the UDP handling with the kernel patch, but I still need 
    to test this. If anybody is using it successfully with the modules 
    package, I would appreciate a short note.
    The kernel-patch-freeswan-ext package is now gone for good. Instead, the
    kernel-patch-freeswan package includes all the patches that the Debian
    package features (e.g. AES / crypto-ext, NAT Traversal, Notify-Delete).
    Although it was nice to have an unmodified kernel patch containing only
    sources by freeswan upstream, it caused a lot of headache, like the 
    building of the Debian package and problems between kernel and user space
    (pluto with NAT Traversal, kernel without - refer to bug #XXXXXX for 
    details). Please don't ask for an unpatched kernel-patch-freeswan package
    unless you are willing to send me a nice patch _and_ assist with it for
    future package versions.
  * Generate the HTML docs, which are removed by cleaning the upstream source.
    This means that the source package now Build-Depends on htmldoc and 
    man2html.
  * freeswan-modules-source now depends on debhelper, which is really needed
    for using it.
  * Don't abort in the config script if the user selects not to upgrade, do
    the whole thing in the preinst, where it belongs. Sorry for the mistake 
    and thanks to Matt Zimmerman for leading me to the right path :)
    Now freeswan has to Pre-Depend on debconf.
    Closes: #199971: Installation abort does not work
  * Only replace /usr/local with /usr in regular files during building the 
    package. This prevents modifying files that are pointed to by symlinks in
    the build tree, but are outside the build tree themselves. 
    Closes: #200237: freeswan: source package build modifies installed files
  * Add another patch to rename the log(...) function to plog(...) because
    gcc 3.3 now has log(double) built-in and thus conflicts. This allows to 
    use gcc 3.3 as the default compiler now.
    Closes: #199925: freeswan_2.00-1(unstable/ia64): FTBFS: bad gcc version
  * This new upstream version should work with (at least vanilla) kernel 
    2.4.21.
    Closes: #199211: kernel-patch-freeswan: Freeswan patch fails to build 
            with kernel 2.4.21
  * Depend on coreutils instead of fileutils.
    Closes: #189676: kernel-patch-freeswan: Wrong dependency to fileutils

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Wed,  9 Jul 2003 07:06:40 +0200

freeswan (2.00-1) unstable; urgency=low

  Warning: This is currently an experimental package. Please test it in your
  environment before using it on a production system.
  * New upstream version.
  * Completely redesigned the kernel integration - the kernel-patch-freeswan*
    packages are now gone for good, we can finally build a module without 
    patching the kernel (although the kernel sources are of course needed). 
    It is one (probably conflicting) kernel patch less. 
    This also means that compiling freeswan support into the kernel is no 
    longer supported by this package, only the ipsec module can be built. If
    you really, _really_ don't like or can't use modules, you will have to use
    the source package and do it from there. If there is a compelling reason
    why patching the kernel is necessary (and if somebody offers some help 
    with this), I might re-introduce a completely new kernel-patch-freeswan
    package as an alternative to the module package.
    Closes: #197252: freeswan: new upstream major release available
    Closes: #197864: kernel-patch-freeswan: 
            Does not compile with openssl 0.9.7b-2
  * Updated the X.509 patch.
  * Updated the crypto extension patch to a slightly newer version and made it
    apply to the 2.00 upstream sources. Mostly minor things needed to be 
    changed to make it apply cleanly, but I did not care to create a split
    patch again. The crypto extension patch is at the moment one large patch
    file containing everything that is needed.
  * Use dh_installexamples, since it's there and I did manually what it is 
    meant to do.
  * Depend on gawk again as the scripts seem to really need it now, mawk did
    not work for me.
  * Use po-debconf for translations - thanks to Andre Luis Lopes for the 
    patch !
    Closes: #187672: freeswan: [wishlist] Update packaging to use the newer 
            gettext-based debconf template translation system
  * NAT Translation has now finally been ported to freeswan 2.0, but the patch
    heavily conflicts with AES, so I will need to fix it manually (sigh...).
    It is nonetheless enabled in the default module configuration kept in 
    config-all.h so that it will automatically get compiled in once the patch
    is ready.
  * I will leave the kernel-patch-freeswan* bugs open for now until the new
    package has been tested thoroughly and can be used for all purposes.

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Wed,  4 Jun 2003 18:50:11 +0200

freeswan (1.99-7) unstable; urgency=low

  * Added the L2TP HOWTO by Martin Koeppe - many thanks for providing
    it.

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Thu, 24 Apr 2003 19:41:23 +0200

freeswan (1.99-6) unstable; urgency=low

  * Updated the X.509 patch to solve a problem with parsing ipsec.conf.
    From the upstream changelog:
    "A little bug in connections.c:default_end() caused that connections
     without a rightid parameter (defaulting to right) could not be initiated
     ("cannot initiate connection without knowing peer IP address")"
    Closes: #186378: freeswan: My freeswan config stopped working
  * This has been closed by the last logcheck rules cleanup.
    Closes: #186096: freeswan has incorrect logcheck rules


 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Wed,  9 Apr 2003 19:45:25 +0200

freeswan (1.99-5) unstable; urgency=HIGH

  * Fixed the pluto compilation problem. I simply don't know how this
    happened, because the package compiled and installed correctly on my
    development machine before uploading (I am using it in production). It
    seems to be a problem with the newest X.509 patch in conjunction with
    the (older) NAT traversal patch.
    However, please excuse any difficulties that this upload caused, it
    shouldn't have happened.
    Many thanks to all the bug reporters for the quick hints and especially
    to Giacomo Mulas for sending me a description how he solved the problem.
    Closes: #185847: ipsec broken
    Closes: #185433: freeswan: missing pluto binary, compilation error?
    Closes: #185568: freeswan: Whack missing from ipsec command
  * Fixed the logcheck ignore patterns and added a violations ignore file.
    Closes: #138436: Logcheck reports unwanted KLIPS debug message
  * Be a nice Debian package and use the fine invoke-rc.d command in the
    postinst.
    Closes: #185385: freeswan: postinst starts ipsec with no respect for 
                     runlevels

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Mon, 24 Mar 2003 09:07:56 +0100

freeswan (1.99-4) unstable; urgency=low

  This release only changes user-space tools, so there is no need to 
  recompile your kernel if you have used kernel-patch-freeswan* 1.99-3.
  * Updated X.509 patch.
    Closes: #183144: freeswan: pluto complains --id: unkown OID in 
                     ID_DER_ASN1_DN (ignored)
  * Now simply remove everything under /usr/local in the build tree before
    making the package - the upstream Makefiles somehow manage to drop stuff
    in there.
    Closes: #171204: freeswan: libdes installed in /usr/local again

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Wed, 12 Mar 2003 22:33:14 +0100

freeswan (1.99-3) unstable; urgency=low

  This is the "maintainer isn't dead and is sometimes even reading bug
  reports" release. Besides introducing a few new, hopefully helpful patches,
  it fixes quite some bug reports (and yes, even some of the long-standing
  ones).
  * Updated the X.509 patch, which should now include a pretty stable version
    of the protocol and port selector.
  * Updated the NAT traversal patch and made it apply (i.e. resolve conflicts
    with the updated X.509 patch).
  * Added the single-DES patch to allow selection of single-DES as "cipher".
    [*ducks* Please don't kill me for that. I know that it's inherently
    insecure and thus I don't give any hint in any README file that this
    is available. But some may need it for interoperability with broken
    IPSec routers.]
    However, this patch is currently not applied, only contained in the source
    package. It does not apply cleanly with the other patches and I have to
    figure out if it works if I manually apply it (I also do this for other
    patches, but the other ones seem to have no problems other than 
    syntactical ones). If anybody wants to play with it, just download the 
    source, rename the .disabled file in debian/pre-build-patches/ to .diff
    and recompile.
  * Added the %any %any shared secrets patch. If anybody needs road warrior
    support with shared secrets, this will enable it (and should do no harm
    otherwise).
    Please note that the last patch only affects pluto, not the kernel code.
    Thus it should not be able to break your system in any way, just make 
    pluto a bit more flexible.
    This patch is also currently not applied, for the same reason as the
    single-DES patch isn't.
  * Removed that bogus comment at the end of ipsec.secrets when
    inserting a private key reference.
  * Moved the example configurations from ext-patches to crypto-ext-patches.
  * Finally deal with the start order with NFS: let the user choose if 
    /usr is mounted via NFS or not (and start as early as possible by 
    default, i.e. directly after the network has been set up).
    While on the way, also let the user choose if it should start after
    PCMCIA.
    Closes: #134650: freeswan: starts too late on NIS/NFS clients
    Closes: #143362: Freeswan init script should start after pcmcia
    Closes: #151064: freeswan: FreeSWan starts too early when using local DNS
                     lookups
  * Change the logcheck ignore patterns to match current syslog messages.
    Closes: #168673: Change templates for logcheck
  * Insert the contents of the plain RSA key instead of the temporary 
    filename into ipsec.secrets .....
    Closes: #167730: freeswan: Do not generate ipsec.secret
    Closes: #167508: freeswan: plain keypairs do not go into /etc/ipsec.secrets
                     correctly
  * Also check for the existence of the automatically generated X.509 
    certificate and key files before overwriting them.
    Closes: #171491: freeswan: x509 certificate recreated upon upgrade
  * Use empty strings for empty fields in the debconf questions instead of
    dots.
    Closes: #143311: freeswan: empty x509 settings should not require dots
  * Changed the example for the X.509 state field (ST) in the debconf template.
    Closes: #148364: freeswan: bogus ST in X.509 DN example
  * I didn't hear anything back from the bug reporter and don't have any
    access to a Sparc machine. Thus, I am now closing this bug, which should
    have gone away with the new upstream version.
    Closes: #173682: kernel-patch-freeswan: freeswan compilation and
                     ioctl() error on sparc64
  * Ok, I finally removed gawk completely (i.e. --purge) from my system
    and tried freeswan. As I could not notice any problems and Angus Lees
    also reported that it worked successfully, I am now closing this bug.
    I know that the upstream docs say that gawk is needed, but I can't see
    a reason for this at the moment. If the bug persists, then please send
    me the full error messages (bug reporter did not respond to Angus Lees's
    request to post the error message to the BTS).
    Closes: #179756: Freeswan: Gawk (again) is missing from dependencies

  * Finally acknowledging these bugs that have been fixed in previous NMUs.
    Closes: #133752: kernel-patch-freeswan: unpatch/freeswan remove empty
                     files
    Closes: #139024: freeswan: wrong logcheck rule filters ALL "unusual"
                     syslog messages
    Closes: #141059: kernel-patch-freeswan: link error with freeswan 1.64
                     and 2.4.18 kernel
    Closes: #127236: freeswan: FTBFS with gcc 3.0 (hppe/unstable)
    Closes: #135068: [Bugs] FreeS/WAN on hppa
    Closes: #139857: Undeclared dependency on gawk
    Closes: #115737: freeswan: bashism in /usr/lib/ipsec/_plutorun

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Sun, 16 Feb 2003 21:17:08 +0100

freeswan (1.99-2) unstable; urgency=low

  This is a major update to the Debian package in regards to the build process.
  I know that it does now take even _longer_ to build, but this is necessary
  to have it clean (in regards to debian/rules standards) and to build the
  kernel-patch-freeswan package (without the crypto extensions patches).
  Currently, I am thinking of dropping the upstream freeswan source in favor
  of the Superfreeswan source from www.freeswan.ca. It is actively maintained
  and enhances the freeswan source by all the patches that I am currently 
  using and a few more small fixes. However, that would mean dropping the
  kernel-patch-freeswan-ext package and only having a patched 
  kernel-patch-freeswan one (no more unpatched freeswan kernel modules).
  * Added the NAT traversal patch, which should allow freeswan to be used
    behind NAT gateways.
  * Copy the workstation logcheck.ignore file instead of linking it to
    the server file.
    Closes: #162811: Logcheck will ignore it.
    Should also close the following, please tell me if it's not (I can't
    reproduce it and need more details if this doesn't help).
    Closes: #141182: freeswan: upgrade errors
  * Restructure (read: clean up) the build process. Thanks to Joey for 
    pointing it out.
  * Please try the current version of freeswan and reopen the bugs if the
    errors are still there (too much has changed since 1.94 and 1.95).
    Closes: #163393: freeswan: version outdated
    Closes: #131341: freeswan: doesn't compile
    Closes: #137286: freeswan kernel link error
    Closes: #140892: kernel-patch-freeswan: won't apply to 2.4.18
    Closes: #167733: kernel-patch-freeswan: Do not patch with kernel-source-2.4.18
    The same for this bug: some build errors were already fixed by current
    crypto-ext patches.
    Closes: #152723: kernel-patch-freeswan: Extension modules are not built if CONFIG_IPSEC=y
  * Finally build-depend on libssl-dev.....
    Closes: #165854: freeswan: /usr/lib/ipsec/pluto missing (missing build-dep on libssl-dev)
    Closes: #137835: kernel-patch-freeswan: Missing a "Depends: libssl-dev"
  * Move the other third party patches (besides X.509) into their own 
    directory (named "crypto-ext-patches").
    Closes: #143894: freeswan: please put third party patches in their own directory
  * I can not reproduce this: the only symlinks in my (normally patched) 
    kernel tree point to targets inside the kernel tree itself, which do not
    have to be owned by root.
    Closes: #171157: kernel-patch-freeswan-ext: It symlinks to root-owned files that need to be touch'd during compile
  * Some small debian/rules fixes. Thanks to Rene Camu for the patch !

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Mon, 23 Dec 2002 20:40:56 +0100

freeswan (1.99-1) unstable; urgency=HIGH

  * New upstream release, fixes a DoS attack
    (http://www.kb.cert.org/vuls/id/459371)
    Closes: #168274: freeswan: DoSable due to inadequate authentication 
                     data validation
  * Updated X.509 patch.
  * Updated extension patches.
  * Since recently, the private key data does not need to go into 
    ipsec.secrets anymore. Only the file name is inserted to reference to the
    private key file. Therefore this is not a bug, but a feature :)
    Closes: #167508: freeswan: plain keypairs do not go into 
                     /etc/ipsec.secrets correctly

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Sun, 10 Nov 2002 20:40:01 +0100

freeswan (1.98b-4) unstable; urgency=low

  * Change section to be 'net' instead of 'main' - stupid me....
  * Do not distribute the LICENSE file, but copy its contents into 
    debian/copyright with some added comment on where this file came from.
  * Remove the .cvsignore files from the upstream package.
  * A few small tweaks to eliminate many lintian warnings.
  * Fixed the upstream Makefile, which installed libdes into /usr/local.

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Tue,  8 Oct 2002 12:43:17 +0200

freeswan (1.98b-3) unstable; urgency=high

  * Security fix: overwrite zlib/infblock.c with the new upstream version, 
    which has a more complete security fix than 1.96-1.
    It seems that cvs-upgrade from cvs-buildpackage has not upgraded this 
    file when I imported the new upstream source (most probably due to my
    stupidity). I have to investigate in this problem, so that it won't 
    occur again (any hints are more than welcome).
    Many thanks to Christian Jaeger for pointing this out.
  * Save original ipsec.secrets file before changing it in postinst - so
    that it can be restored to its distributed state as the postinst
    message says.
  * Remove the patch debian/pre-build-patches/patch-ssh-sentinel-IKE.diff
    which is now included in the extension patches (and caused the build to
    silently fail - sorry about that).
  * Added the LICENSE file to the upstream source tree. This file will be 
    included in the next stable upstream release (2.00) and has already been
    authorized by upstream (see the archives of the "distro" mailing list at
    lists.freeswan.org). In the file, the upstream authors give an addition to
    the GPL license that explicitly allows linking to the libdes library by
    Eric Young (which has an advertising clause in its license terms).
    This should now finally fix the license issues that prevented any 
    freeswan version since 1.96-2 from entering the Debian archive.

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Mon, 16 Sep 2002 22:22:06 +0200

freeswan (1.98b-2) unstable; urgency=low

  * Removed dependency on libssl to finally get the package into
    unstable again. As it turned out, freeswan does not necessarily need
    libssl to compile, because the libdes library is contained in the 
    freeswan source code. According to the CREDITS file in the upstream 
    source, Eric Young (the author of libdes) gave explicit permission to
    include it in the source code. Therefore, license conflicts should no
    longer be a problem. 
    The freeswan package depends on openssl only because the postinst 
    script needs its binaries for the automatic creation of X.509 
    certificates (for authentication); the openssl library is not linked
    into the freeswan binaries.
    However, future versions of the Debian package of freeswan might again
    use openssl (respectively libssl) instead of the included libdes for
    two reasons:
    1. Security bugs might get fixed quicker in the openssl package than in 
       the freeswan package (nothing said about upstream....).
    2. Dynamic linking and shared libraries are generally a good thing (TM).

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Mon, 19 Aug 2002 15:45:21 +0200

freeswan (1.98b-1) unstable; urgency=low

  * Corrected debian/rules so that the new ext patches work again.
  
  I don't know why my upload of 1.96-2 did not get into unstable, I uploaded
  twice. Maybe I did something wrong with the main -> non-US transition. This
  was the changelog text:
  * Moved from non-US to main.
  * Now the source package generates two different kernel-patch-freeswan
    packages: One with and one without the ext patches (which add AES
    among other ciphers). This made some restructuring of debian/rules
    necessary, but there are no changes that should affect the generated
    packages in any way (not getting in the way of the freeze).
    Thanks to Kyle McMartin for doing a lot of fore-work.

    This somehow deals with the following bug (please use the non-ext
    kernel-patch package if there are problems with the ext package). This is
    also good for the freeze since kernel-patch-freeswan is now again back
    to upstream state and therefore stable.
    BTW: This bug can easily be avoided by either enabling the aes or the
    aes-opt module (and not both).
    Closes: #137282: freeswan kernel patch doesn't compile with AES configured
    The restructuring should also deal with this one:
    Closes: #141024: build problem

  * Fixed mkx509cert.sh. I am keeping this script just for one reason
    (and not integrating it directly into the postinst): it will get used by
    some other scripts that are about to come. Therefore I did not want to
    have this code directly in the postinst script.
    Closes: #136803: mkx509cert is fubar
    Closes: #140059: Certificates not generated properly by install
  * Completed the transition to the new capabilities of the X509 patch: now
    the X509 key file (when created in PEM format or taken from an existing
    key) is copied to /etc/ipsec.d/private/<hostname<Key>.pem and this
    filename is put into /etc/ipsec.secrets. Therefore this file does not
    need to be touched anymore manually when using X509 certificates.
    Also fixed a small bug - thanks to Robert Bihlmeyer for discovering and
    sending a patch.
    Closes: #143310: generating a non-self-signed keypair (cert req) is broken
    Since fswcert is now no longer needed (there is no need to extract the RSA
    key from the PEM file anymore, pluto can now deal with this directly), it
    is not included in the upstream X509 patch. The references in README.x509
    also say that this tool is optional and that it can be downloaded from the
    given webpage.
    Closes: #141293: fswcert not present
  * Changed the default keylength for created RSA keys. Now it is 2048 bit,
    conforming with the recommendation by upstream.
    Closes: #136799: RSA keys should default to 2048 bits
  * Really distribute the example configurations for the ext patches.
    Closes: #142747: README.Debian mentions non existant documentation
    
  Angus Lees offered to be a co-maintainer of freeswan and I am happy about 
  that - expect bugs to be fixed quicker when two maintainers are working on
  freeswan. Therefore put him into the uploaders field. He already sent me a
  packaged version of 1.98b, which I have (hopefully) integrated into this
  upload. His changelog entries were:
  * New upstream version (closes: #148742).
  * Updated the X.509 patch.
  * Updated the crypto extensions patch.
  * Add notify_delete patch from Mathieu Lafon (closes: #140992)
    (required a trivial change to work with crypto extensions patch).
  * Replace `pwd` with $(CURDIR) and remove "sh -c" braindeadness from
    debian/rules.
  * After perusing all the awk scripts, I declare that we are no longer
    dependent on gawk. Dependencies and (broken) debian/rules munging
    removed. Bug reports welcome :)  (closes: #141024)
  * Make install-kernel-patch-freeswan debian/rules target depend on
    "build", so it triggers patching.  Really should be moved into a
    separate "patch" target or something.
  * Set KLIPSLINK=cp rather than try and munge Makefile directly.
  

 -- Rene Mayrhofer <rmayr@debian.org>  Fri, 02 Jul 2002 12:25:36 +0200

freeswan (1.96-1.2) unstable; urgency=high

  Urgency high because of RC bug
  * fix linkage problem of pfkey_register_reply if IPSEC_DEBUG is off
    (closes: #141059)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat,  6 Apr 2002 15:26:23 +0200

freeswan (1.96-1.1) unstable; urgency=high

  Urgency high because of RC bugs.
  * add gawk to dependencies for kernel-patch-freeswan to fix the silent
    failure of the patch (closes: #139857)
  * fix the logcheck rules files to prevent the removing of all unusual
    messages of all programs (closes: #139024)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 30 Mar 2002 11:18:26 +0100

freeswan (1.96-1) unstable; urgency=HIGH

  Urgency critical because of the zlib bug.
  * New upstream version.
  * Fixed the zlib bug by manually applying the patch from the bug report.
    Closes: #138210: zlib security bug also present in freeswan 1.95-2
  * Updated the X.509 patch.
  * Updated the crypto extensions patch.

 -- Rene Mayrhofer <rene@mayrhofer.eu.org>  Thu, 14 Mar 2002 17:48:23 +0100

freeswan (1.95-3) unstable; urgency=HIGH

  Another small RC bug, please get this back into woody.
  * Added libssl-dev to kernel-patch-freeswan depends.

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Wed, 13 Mar 2002 17:05:41 +0100

freeswan (1.95-2) unstable; urgency=HIGH

  Urgency HIGH to get it back into woody...
  * Applied patches that were done in the NMU. Thanks for it, now I
    should have more time again.
    Closes: #135598 freeswan: patch for 1.95-1.1 NMU
    Closes: #134407 freeswan: package build bug: xargs

    Fixed handling of restarting: removed message in prerm script (not needed
    anymore), fixed postinst (the init.d script is named ipsec, not freeswan).
    Fixed the config script: The new question introduced by the NMU was
    never asked....
    Now freeswan is restarted when asked to do so (via debconf).
    Closes: #128205 freeswan: freeswan does not restart on upgrade
  * Really changed from awk to gawk now (in all the occurrences).
    Closes: #119257 freeswan: gawk dependency mishandled
  * Applied patch from bugreport to make manually patching the kernel (without
    make-kpkg) easier.
    Closes: #134427 freeswan: fixes to make apply/freeswan easier to use
  * Moved the created X.509 key file to /etc/ipsec.d/private.
    Closes: #134654 freeswan: better key path in postinst
  * Changed the build system back to its original state: The only thing
    that gets changed by Debian .diff is the debian/ subdir. All the other
    files are patched in the build / install process. This makes it a lot
    easier on upstream upgrades because I only have to copy the debian/ dir
    to the new upstream and it should work. I am using cvs-buildpackage, but
    even with CVS merge it is easier this way.
    I hope to have all the patches in there, but if I missed something, please
    file a bug report.
  * Added extended patches from http://www.irrigacion.gov.ar/juanjo/ipsec/
    so this package now comes with support for new ciphers (including AES).
  * I can not reproduce this bug, compiling kernel-source-2.4.17 with
    support from kernel-patch-freeswan works for me.
    Closes: #135627 kernel-patch-freeswan: patch breaks kernel-source from
                    kernel-source-2.4.17_2.4.17-1.deb

 -- Rene Mayrhofer <rmayr@debian.org>  Wed, 27 Feb 2002 22:29:26 +0100

freeswan (1.95-1.1) unstable; urgency=high
  setting to high because of the rc fixes...
  * utils/_plutorun now runs /bin/bash (fix on my system which uses ash as
    the default sh) (closes: #115737)
  * applied fix to the compile bug on pluto/constants.h (closes: #127236)
  * applied fix for the removing empty files bug (closes: #133752)
  * duh, the kernel is too new and freeswan too old (closes: #135406)
  * fix the rm + xargs bug (closes: #134407)
  * ask if we want to restart freeswan in the postinst (closes: #128205)
  i think this is all that i fixed.

 -- Kyle McMartin <kyle@debian.org>  Sat, 23 Feb 2002 03:23:18 -0500

freeswan (1.95-1) unstable; urgency=HIGH

  This release has urgency HIGH because it makes the package usable again.
  (The last upstream release is unusable.)
  * New upstream release.
    This release should make freeswan usable again, but the major changes 
    seem to have happened in the x509 patches (which I include in the 
    newest version in this package). The patched pluto is now able to read
    its RSA private key directly from a x509 file in PEM or DER format 
    (please look at /usr/share/doc/freeswan/ipsec.secrets.template.x509 for
    details) instead of having to extract the key and store it in 
    ipsec.secrets. Of course, this makes my previously introduced 
    extractrsakey.sh script useless, sigh.... Although I have invested some
    time in the previous solution, this one is definitely cleaner. 
    Entering the private key file in ipsec.secrets automatically will be done
    by a future package, this one only creates new x509 certificates as 
    before, but does not change ipsec.secrets (I have to release quickly).
    Closes: #129392, 120252
    I hope this also fixes the problem with the validity date of x509
    certificates. Since I was unable to reproduce the problem, I am closing
    the bug report. Please reopen it if it still does not work for you (but
    then I need more details for reproducing).
    Closes: #128117
  * The kernel-patch-freeswan should work with current kernels, at least on
    my system it does. If it does not compile for you, please send me 
    a detailed report with the kernel version *and* the kernel configuration
    you are using.
    Closes: #128000, #122115, #122116
  * Made the postinst script a bit more robust against failures when starting
    freeswan (the kernel module might not be available yet).
    Closes: #128471
  * As far as I see it, the makefiles for patching the kernel have to be
    called from within the kernel patch directory. The KERNELSRC variable
    is responsible for changing files in the right directory (and that one
    gets set to the current working directory, which should be the kernel
    source dir when calling the apply script). Therefore I think the
    PATCHDIR variable is set correctly. If it does not work in some cases,
    then please send me a report where it does not work this way.
    For now, closing the bug report since it seems to work on all of my 
    systems.
    Closes: #119637
    

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Mon, 11 Feb 2002 00:23:18 +0100

freeswan (1.94-2) unstable; urgency=low

  * Corrected config script (a few return codes from debconf were not
    ignored, thus killing the config script when debconf returned an
    error).
    Closes: #126688

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Fri, 28 Dec 2001 15:13:35 +0100

freeswan (1.94-1) unstable; urgency=low

  * New upstream release.
  * Updated the x509 patch.
    Now there is one patch instead of 3, corrected the debian/rules
    accordingly.
  * Now also install the CHANGES files from the x509 patch into
    /usr/share/doc/freeswan

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Tue, 25 Dec 2001 20:40:03 +0100

freeswan (1.93-1) unstable; urgency=low

  * New upstream release.
    Now also copy Makefile.inc and Makefile.ver into the kernel-patch-freeswan
    package (new in upstream).
  * Updated the x509 patch.
  * Now also create the file /etc/x509cert.der from the X509 certificate, so
    that FreeS/WAN can now find its own certificate.
    (And remove it during purge.)

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Thu,  6 Dec 2001 10:51:41 +0100

freeswan (1.92-1) unstable; urgency=low

  This is a major release with new features (talking about the Debian
  packaging now), because this is the first version that supports that auto-
  creation of RSA keys.
  * New upstream release, now compiles with 2.4.14.
    Closes: #119638
  * Updated the x509 patch.
  * Now create the directories /etc/ipsec.d/cacerts and /etc/ipsec.d/crls for
    using the PKI features of the x509 patch.
  * Do not stop FreeS/Wan during upgrade, because people might lose their
    network connection (and their session) due to this.
    Only start freeswan on new installations, not on updates.
    Closes: #115412
  * Only ask to create the device nodes if devfs is not used.
  * During the check for the existence of an ipsec kernel module in the
    startup script, also try the location where the module is on older
    kernels.
    Thanks for the patch to Christoph Martin. Please test if it works, I do
    not have a system with kernel 2.2 anymore.
    Closes: #121190

 -- Rene Mayrhofer <rmayr@debian.org>  Thu, 15 Nov 2001 02:21:14 +0100

freeswan (1.91-4) unstable; urgency=low

  * Added a version depends on fileutils (for kernel-patch-freeswan), because
    the call of 'cp' uses options only available in newer versions.
    Closes: #109294
  * kernel-patch-freeswan now again works with newer vanilla kernels
    (>= 2.4.11), because the 'min' macro has been changed. It does not build
    on a vanilla 2.4.9 kernel, but it works with newer ones.
    But please users, use the newest upstream version when compiling with
    newer kernels (1.9 does not work).
    Closes: #110903, #115214, #116124
  * kernel-patch-freeswan is useable by non-root users since 1.91-2.
    Closes: #112489
  Fixed by Kyle McMartin, thank you very much for the patch.
  * Modified constants.h to hopefully fix the build error on hppa
    Closes: #111603
  * Made MAKEDEV call a debconf option (also starts freeswan if selected)
    Closes: #113135
  * Fixed manpage paths to point to correct locations
    Closes: Bug#86740
  * Edited init script to check to see if /proc/sys/net/ipsec exists, and if
    it does we know that IPSec has been compiled into the kernel, this should
    more gracefully handle installation.
    (Modified a bit by me so that it also checks if the kernel module exists
    alternatively to the file in proc. Because the kernel module is
    automatically loaded by the script if it is there, we don't need to stop
    if the file in proc does not exist, but the kernel module does.)
    Closes: Bug#96613
  * Fixed problems building on potato in the rules, libgmp2-dev is defunct.
    Closes: #113552, #113555

 -- Rene Mayrhofer <rmayr@debian.org>  Fri,  1 Nov 2001 18:14:01 +0100

freeswan (1.91-3) unstable; urgency=medium

  * The backup file /etc/init.d/ipsec~ (which is created by patching the
    file during package creation) has been removed in 1.91-2.
    Closes: #109782
  * Removed the explicit listing of conffiles from debian/freeswan.conffiles
    because debhelper already does that.
    Closes: #109781
  * Cleaned up the apply and unpatch scripts a bit. Now it is also possible to
    have the patches in a directory other than /usr/src/kernel-patches/
  * Escaped the special characters in the logcheck ignore files.


 -- Rene Mayrhofer <rmayr@debian.org>  Sat, 25 Aug 2001 11:57:12 +0200

freeswan (1.91-2) unstable; urgency=medium

  * BTW: This upstream version is capable of opportunistic encryption, you
    might want to play with it (look at 
    /usr/share/doc/freeswan/doc/opportunism.howto for details).
  * Now hopefully really fixing the problem that kernel-patch-freeswan
    was not useable by non-root users. I don't know why the Makefile of 
    the kernel patch was not patched in the last package, it is now.
    Closes: #97438, #107331
  * Including logcheck ignore files now. Thanks to Martin Waitz for providing
    a ready-to-use logcheck ignore file (used for server level, adapted it for
    paranoid level, workstation is a link to server now).
    Closes: #107924
  * Removed a lot of lintian errors. Thanks to Tollef Fog Heen for fiddling
    with the lines that were already (commented out) in the rules file - I 
    just never got around doing it....


 -- Rene Mayrhofer <rmayr@debian.org>  Sat, 11 Aug 2001 19:51:13 +0200

freeswan (1.91-1) unstable; urgency=medium

  * New upstream version.
    Closes: #103979, #103698, #106776
  * Updated the x509 patches - now trust paths are supported.
  * Closing bug reports that were closed by 1.9-2 (not uploaded, just an
    internal testing release)
    Closes: #97438, #97959, #84310, #97825
  * Made the build-dependency on libssl-dev versioned.
    Closes: #100130
  * Manually applying the kernel patch should work now. Please tell me if it
    doesn't work for you.
    Closes: #100131


 -- Rene Mayrhofer <rmayr@debian.org>  Sun, 22 July 2001 12:51:27 +0200

freeswan (1.9-2) unstable; urgency=low

  * Make the kernel patch useable by non-root users by copying the needed
    files to the kernel directory instead of symlinking them. This requires
    changing the freeswan Makefile which does not make me quite happy, but I
    do not see another good and clean solution at the moment.
    Closes: #97438
  * The same goes for this bug. Now the out.kpatch file should not be created
    anymore under /usr/src/kernel-patches/freeswan, but I have to change the
    Makefile to do this.
    Closes: #97959
  * This has been fixed by the new upstream, which supports 2.4.x now.
    Closes: #84310
  * Changed boot order to 15, because freeswan might be needed by some other
    services.
    Can we please have the new init scheme with need(), because then we
    would not have to care about some boot number....
    Closes: #97825

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Thu, 31 May 2001 18:13:27 +0200

freeswan (1.9-1) unstable; urgency=low

  * I know that this release generates a lot of lintian errors in the
    kernel-patch-freeswan package, but I do not have time to fix them now
    and will not be able to do so for the next week. Because those errors are
    uncritical (just too many files shipped which are not needed), I am
    uploading now because this package fixes a lot of bug reports and enables
    2.4.x kernel users to use it.
    Please don't file a bug report about these errors, they will get fixed
    anyway.
  * New upstream release, now the kernel patch works with 2.4.x kernels too.
  * Rewrote most of the code for creating the kernel-patch-freeswan package.
    Now the package is a bit bigger, but it should work for newer versions of
    freeswan with less problems.
    Closes: #86741
  * Also upgraded the x509 support for the new upstream release.
  * Added a note on how to compile a kernel without the help of kernel-package.
    Closes: #93206
  * Added a dependency on bsdmainutils
    Closes: #88073
  * Changed the build-dependency from libssl096-dev to libssl-dev
  * Added a doc-base entry for freeswan (thanks to Wichert Ackerman for this)..
    Closes: #86738
  * Shut the postinst script up.
    Closes: #86742
  * Added a patch to remove the 'depmod -a' call from the /etc/init.d/ipsec
    script. There is no need for it because 'depmod -a' is called on reboot on
    Debian systems, so this makes starting ipsec a bit quicker.

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Tue, 10 Apr 2001 17:24:04 +0200

freeswan (1.8-6) unstable; urgency=low

  * The version number is now -6 because of some troubles with the initial
    upload into the pool (-5 might work, this is just to be sure).
  * Downgraded the Recommends: kernel-patch-freeswan to a Suggests
    (for firewalls etc, which do not have development packages installed).
  * Added a note about the use of the "--config=" option to make-kpkg for
    compiling the patched kernel.

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Wed, 14 Feb 2001 11:41:24 +0100

freeswan (1.8-4) unstable; urgency=low

  * The version number has to go up because of cvs-buildpackage (I can't
    remove the tag from a removed file).

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Mon, 15 Jan 2001 13:49:25 +0100

freeswan (1.8-3) unstable; urgency=low

  * Fixed a bug in the creation of the kernel-patch-freeswan package: 'cp -r'
    did not follow the symbolic links (anymore ?) while creating
    /usr/src/kernel-patches/all/freeswan/klips, and therefore there were
    symbolic links in the package that pointed nowhere. Now it should work
    again.
  * Updated build-dependency from libssl095a-dev to libssl096-dev.
  * Minor fixes for lintian reported problems.

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Wed, 20 Dec 2000 23:11:42 +0100

freeswan (1.8-2) unstable; urgency=low

  * Added Oscar Delgado Mohatar's guide for interoperability between freeswan,
    Windows 2000 and PGPNet.

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Wed, 13 Dec 2000 11:33:18 +0100

freeswan (1.8-1) unstable; urgency=low

  * New upstream release.
  * The remove-gmp-dependency patch is no longer necessary, since the upstream
    uses the GMP library installed on the system now.
  * The kernel unpatching should now work better, since the upstream source now
    includes an "unpatch" target (update: not used by now because I could not get
    it to work).

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Tue,  5 Dec 2000 15:15:25 +0100

freeswan (1.7-4) unstable; urgency=low

  * Made sure that no RSA key will be distributed with the package. It should
    be created on demand and not during package creation.....

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Mon, 27 Nov 2000 13:13:24 +0100

freeswan (1.7-3) unstable; urgency=low

  * Updated the x509 patch to version 0.7.1.

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Wed, 22 Nov 2000 10:53:07 +0100

freeswan (1.7-2) unstable; urgency=low

  * Introduced x509 patch. Please refer to the file README.x509 for details.
    The _confread patch has also been applied so that the options 'leftcert'
    and 'rightcert' can be used in ipsec.conf.

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Wed,  8 Nov 2000 14:18:32 +0100

freeswan (1.7-1) unstable; urgency=low

  * New upstream release

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Tue,  7 Nov 2000 19:07:59 +0100

freeswan (1.6-1) unstable; urgency=low

  * New upstream release
  * Removed the patch for the glibc update in woody. It seems that this is
    not needed anymore with upstream version 1.6.

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Mon, 30 Oct 2000 09:47:42 +0100

freeswan (1.5-4) unstable; urgency=low

  * Fixed a dumb mistake in the kernel unpatching script. Hopefully it works
    now (at last).

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Wed, 18 Oct 2000 12:24:56 +0200

freeswan (1.5-3) unstable; urgency=low

  * Patched to use the new glibc, it did not even compile without patching.

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Fri, 13 Oct 2000 14:11:51 +0200

freeswan (1.5-2) unstable; urgency=low

  * Unpatching the kernel automatically should now work
  * Now the freeswan code uses the libgmp2 from Debian, not the gmp code
    that comes with the upstream package. This patch was written by
    Aaron Johnson and modified by me.

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Thu,  5 Oct 2000 11:58:49 +0200

freeswan (1.5-1) unstable; urgency=low

  * Initial Release.

 -- Rene Mayrhofer <rene.mayrhofer@vianova.at>  Thu, 10 Aug 2000 10:50:33 +0200

Local variables:
mode: debian-changelog
End:
