Merge branch 'debian/experimental-2.5'

9 files changed, 34 insertions, 136 deletions

diff --git a/debian/changelog b/debian/changelog
index ca70c2b..2f7724f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,25 @@
+openvpn (2.5~beta1-3) experimental; urgency=medium
+
+  * Disable iproute2 support in favour of the new netlink based default.
+    Thanks to Fabio Pedretti
+
+ -- Bernhard Schmidt <berni@debian.org>  Sun, 16 Aug 2020 14:04:11 +0200
+
+openvpn (2.5~beta1-2) experimental; urgency=medium
+
+  * Set Build-Conflicts: systemctl, see Bug#959828
+
+ -- Bernhard Schmidt <berni@debian.org>  Sun, 16 Aug 2020 10:33:47 +0200
+
+openvpn (2.5~beta1-1) experimental; urgency=medium
+
+  * d/gbp.conf for experimental 2.5 branch
+  * New upstream version 2.5~beta1
+  * Adjust patches for new major upstream version
+  * Add python3-docutils to build-depends for manpage generation
+
+ -- Bernhard Schmidt <berni@debian.org>  Sat, 15 Aug 2020 21:32:49 +0200
+
 openvpn (2.4.9-3) unstable; urgency=medium
 
   [ Jörg Frings-Fürst ]
diff --git a/debian/control b/debian/control
index 43f6a50..3526094 100644
--- a/debian/control
+++ b/debian/control
@@ -6,7 +6,7 @@ Uploaders: Jörg Frings-Fürst <debian@jff.email>
 Build-Depends:
  debhelper-compat (= 13),
  dpkg-dev (>= 1.16.1),
- iproute2 [linux-any],
+# iproute2 [linux-any],
  liblz4-dev,
  liblzo2-dev,
  libp11-kit-dev,
@@ -16,7 +16,12 @@ Build-Depends:
  libsystemd-dev [linux-any],
  net-tools [!linux-any],
  pkg-config,
+ python3-docutils,
  systemd [linux-any]
+# systemctl from src:docker-systemctl-replacement declaring Provides: systemd
+# only necessary for experimental with the apscud resolver
+# See Bug#959828
+Build-Conflicts: systemctl
 Standards-Version: 4.5.0
 Rules-Requires-Root: no
 Homepage: https://openvpn.net/
diff --git a/debian/gbp.conf b/debian/gbp.conf
index cec628c..1526270 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,2 +1,5 @@
 [DEFAULT]
 pristine-tar = True
+
+debian-branch = debian/experimental-2.5
+upstream-branch = upstream-2.5
diff --git a/debian/patches/auth-pam_libpam_so_filename.patch b/debian/patches/auth-pam_libpam_so_filename.patch
index 2e7e5c4..336ccd4 100644
--- a/debian/patches/auth-pam_libpam_so_filename.patch
+++ b/debian/patches/auth-pam_libpam_so_filename.patch
@@ -6,7 +6,7 @@ Index: trunk/src/plugins/auth-pam/auth-pam.c
 --- trunk.orig/src/plugins/auth-pam/auth-pam.c
 +++ trunk/src/plugins/auth-pam/auth-pam.c
 @@ -716,7 +716,7 @@ pam_server(int fd, const char *service,
-     struct user_pass up;
+     char ac_file_name[PATH_MAX];
      int command;
  #ifdef USE_PAM_DLOPEN
 -    static const char pam_so[] = "libpam.so";
diff --git a/debian/patches/debian_nogroup_for_sample_files.patch b/debian/patches/debian_nogroup_for_sample_files.patch
index f7dcaaa..3660453 100644
--- a/debian/patches/debian_nogroup_for_sample_files.patch
+++ b/debian/patches/debian_nogroup_for_sample_files.patch
@@ -27,32 +27,6 @@ Index: openvpn/sample/sample-config-files/tls-home.conf
  
  # If you built OpenVPN with
  # LZO compression, uncomment
-Index: openvpn/sample/sample-config-files/static-home.conf
-===================================================================
---- openvpn.orig/sample/sample-config-files/static-home.conf	2016-11-21 09:53:43.608863207 +0100
-+++ openvpn/sample/sample-config-files/static-home.conf	2016-11-21 09:53:43.608863207 +0100
-@@ -43,7 +43,7 @@
- # "nobody" after initialization
- # for extra security.
- ; user nobody
--; group nobody
-+; group nogroup
- 
- # If you built OpenVPN with
- # LZO compression, uncomment
-Index: openvpn/sample/sample-config-files/static-office.conf
-===================================================================
---- openvpn.orig/sample/sample-config-files/static-office.conf	2016-11-21 09:53:43.608863207 +0100
-+++ openvpn/sample/sample-config-files/static-office.conf	2016-11-21 09:53:43.608863207 +0100
-@@ -40,7 +40,7 @@
- # "nobody" after initialization
- # for extra security.
- ; user nobody
--; group nobody
-+; group nogroup
- 
- # If you built OpenVPN with
- # LZO compression, uncomment
 Index: openvpn/sample/sample-config-files/client.conf
 ===================================================================
 --- openvpn.orig/sample/sample-config-files/client.conf	2016-11-21 09:53:43.608863207 +0100
diff --git a/debian/patches/fix-openssl-error.patch b/debian/patches/fix-openssl-error.patch
deleted file mode 100644
index 566d7e6..0000000
--- a/debian/patches/fix-openssl-error.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-In the corner case that the global OpenSSL has an invalid command like
-
-	MinProtocol = TLSv1.0
-
-(Due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct)
-
-the SSL_ctx_new function leaves the errors for parsing the config file
-on the stack.
-
-OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value
-
-Since the later functions, especially the one of loading the
-certificates expected a clean error this error got reported at the
-wrong place.
-
-Print the warnings with crypto_msg when we detect that we are in this
-situation (this also clears the stack).
----
- src/openvpn/ssl_openssl.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index 5955c6bd..555cbbdf 100644
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -115,6 +115,11 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
-     {
-         crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method");
-     }
-+    if (ERR_peek_error() != 0)
-+    {
-+        crypto_msg(M_WARN, "Warning: TLS server context initialisation "
-+                   "has warnings.");
-+    }
- }
- 
- void
-@@ -128,6 +133,11 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
-     {
-         crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method");
-     }
-+    if (ERR_peek_error() != 0)
-+    {
-+        crypto_msg(M_WARN, "Warning: TLS client context initialisation "
-+                   "has warnings.");
-+    }
- }
- 
- void
--- 
-2.26.0
diff --git a/debian/patches/series b/debian/patches/series
index 6ef394c..55bae8e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,8 +2,6 @@ move_log_dir.patch
 auth-pam_libpam_so_filename.patch
 debian_nogroup_for_sample_files.patch
 openvpn-pkcs11warn.patch
-kfreebsd_support.patch
+#kfreebsd_support.patch
 match-manpage-and-command-help.patch
-spelling_errors.patch
 systemd.patch
-fix-openssl-error.patch
diff --git a/debian/patches/spelling_errors.patch b/debian/patches/spelling_errors.patch
deleted file mode 100644
index cac36d3..0000000
--- a/debian/patches/spelling_errors.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-Description: correct tspelling errors
-Author: Jörg Frings-Fürst <debian@jff.email>
-Last-Update: 2018-07-29
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
-Index: trunk/src/openvpn/buffer.c
-===================================================================
---- trunk.orig/src/openvpn/buffer.c
-+++ trunk/src/openvpn/buffer.c
-@@ -44,7 +44,7 @@ array_mult_safe(const size_t m1, const s
-     unsigned long long res = (unsigned long long)m1 * (unsigned long long)m2 + (unsigned long long)extra;
-     if (unlikely(m1 > limit) || unlikely(m2 > limit) || unlikely(extra > limit) || unlikely(res > (unsigned long long)limit))
-     {
--        msg(M_FATAL, "attemped allocation of excessively large array");
-+        msg(M_FATAL, "attempted allocation of excessively large array");
-     }
-     return (size_t) res;
- }
-Index: trunk/src/openvpn/options.c
-===================================================================
---- trunk.orig/src/openvpn/options.c
-+++ trunk/src/openvpn/options.c
-@@ -448,7 +448,7 @@ static const char usage_message[] =
-     "                  user/pass via environment, if method='via-file', pass\n"
-     "                  user/pass via temporary file.\n"
-     "--auth-gen-token  [lifetime] Generate a random authentication token which is pushed\n"
--    "                  to each client, replacing the password.  Usefull when\n"
-+    "                  to each client, replacing the password.  Useful when\n"
-     "                  OTP based two-factor auth mechanisms are in use and\n"
-     "                  --reneg-* options are enabled. Optionally a lifetime in seconds\n"
-     "                  for generated tokens can be set.\n"
-Index: trunk/doc/openvpn.8
-===================================================================
---- trunk.orig/doc/openvpn.8
-+++ trunk/doc/openvpn.8
-@@ -2181,7 +2181,7 @@ that
- is parsed on the command line even though
- the daemonization point occurs later.  If one of the
- .B \-\-log
--options is present, it will supercede syslog
-+options is present, it will supersede syslog
- redirection.
- 
- The optional
-@@ -2292,7 +2292,7 @@ If
- already exists it will be truncated.
- This option takes effect
- immediately when it is parsed in the command line
--and will supercede syslog output if
-+and will supersede syslog output if
- .B \-\-daemon
- or
- .B \-\-inetd
diff --git a/debian/rules b/debian/rules
index f7c3377..a49ff29 100755
--- a/debian/rules
+++ b/debian/rules
@@ -6,7 +6,7 @@ ENV_VARS	:= IFCONFIG=/sbin/ifconfig ROUTE=/lib/freebsd/route
 EXTRA_ARGS	:=
 else
 ENV_VARS	:= SYSTEMD_ASK_PASSWORD=/bin/systemd-ask-password IFCONFIG=/sbin/ifconfig ROUTE=/sbin/route IPROUTE=/sbin/ip SYSTEMD_UNIT_DIR=/lib/systemd/system TMPFILES_DIR=/usr/lib/tmpfiles.d
-EXTRA_ARGS	:= --enable-systemd --enable-iproute2
+EXTRA_ARGS	:= --enable-systemd
 endif
 
 #export DH_VERBOSE=1