[MIR] network-manager-openconnect

Bug #1986592 reported by Luís Infante da Câmara
This bug affects 2 people
Affects: network-manager-openconnect (Ubuntu)
Status: Won't Fix
Importance: Low
Assigned to: Unassigned

Bug Description

I want this source package and all binary packages built from it in the main component for Ubuntu 20.04, 22.04 and Kinetic and to be preinstalled in all Ubuntu flavors (including Desktop) for those Ubuntu releases, because it adds support for several types of enterprise VPNs in wide use (see the [Rationale] section below).

---
[Availability]
The package network-manager-openconnect is already in Ubuntu universe.
The package network-manager-openconnect builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 arm64 armhf ppc64el s390x
Link to package: https://launchpad.net/ubuntu/+source/network-manager-openconnect

[Rationale]
- The package network-manager-openconnect is required in Ubuntu main for managing connections with Cisco's AnyConnect SSL VPNs, Pulse Connect Secure VPNs (formerly known as Juniper Network Connect or Junos Pulse), Palo Alto Networks GlobalProtect SSL VPNs, F5 Big-IP SSL VPNs, Fortinet Fortigate SSL VPNs and Array Networks AG SSL VPNs.
- The package network-manager-openconnect will generally be useful for a large part of our user base
- It would be great and useful to community/processes to have the
  package network-manager-openconnect in Ubuntu main, but there is no definitive deadline.

[Security]
- No CVEs/security issues in this software in the past

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does install services, timers or recurring jobs
  There is a D-Bus service with prefix org.freedesktop.NetworkManager.openconnect.
  Those have the following security features: Only root and nm-openconnect can connect to them.
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software (NetworkManager plugin)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has not too many
  and long term critical bugs open
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/network-manager-openconnect/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=network-manager-openconnect
- The package has important open bugs, listing them:
  https://bugs.launchpad.net/ubuntu/+source/network-manager-openconnect/+bug/1969734 (fatal bug in 22.04)
  https://bugs.launchpad.net/ubuntu/+source/network-manager-openconnect/+bug/1502847
  https://bugs.launchpad.net/ubuntu/+source/network-manager-openconnect/+bug/1096326
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966404
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977842

- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package does not run a test at build time because upstream did not add one.

- The package does not run an autopkgtest because there are no tests.

- The package does not have failing autopkgtests right now

- The package can not be tested at build or autopkgtest time because the package does not provide tests.
  To make up for that here (https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1986592/comments/3) is a test plan/automation and example
TODO: test TBD (logs/scripts)

[Quality assurance - packaging]
- debian/watch is present and works

- debian/control defines a correct Maintainer field

- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpad.net/ubuntu/+source/network-manager-openconnect/1.2.8-3/+build/23772712/+files/buildlog_ubuntu-kinetic-amd64.network-manager-openconnect_1.2.8-3_BUILDING.txt.gz
- Please attach the full output you have got from
  `lintian --pedantic` as an extra post to this bug.
  - Lintian overrides are present, but ok because NetworkManager searches for its plugins in /usr/lib/NetworkManager.

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf questions
  higher than medium.

- Packaging and build is easy, link to d/rules:
  https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/network-manager-openconnect/1.2.8-3/network-manager-openconnect_1.2.8-3.debian.tar.xz (file debian/rules)
  https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/network-manager-openconnect/1.2.6-4/network-manager-openconnect_1.2.6-4.debian.tar.xz (file debian/rules)

[UI standards]
- Application is end-user facing, translation is present, via standard
  intltool/gettext or similar build and runtime internationalization
  system see directory po in the upstream tarball.

- End-user applications without desktop file, not needed because this is a
  NetworkManager plugin and its GNOME counterpart.

[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
  is handled as part of bug #1987446.

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Owning Team will be https://launchpad.net/~desktop-packages or https://launchpad.net/~desktop-bugs
- Team is not yet, but will subscribe to the package before promotion
- I have subscribed to all changes and comments for bugs in this package.

- This does not use static builds

- This does not use vendored code, except for m4 files only used by Autoconf

- This package is not rust based

- The package successfully built during the most recent test rebuild

[Background information]
The Package description explains the package well
Upstream Name is NetworkManager-openconnect
Link to upstream project https://gitlab.gnome.org/GNOME/NetworkManager-openconnect

Changed in network-manager-openconnect (Ubuntu):
status: New → Incomplete
Changed in openconnect (Ubuntu):
status: New → Incomplete
description: updated
Lukas Märdian (slyon) wrote :

Assigning the bug report to @luis220413 while still Incomplete.

It can be moved to "New" if/when the MIR template is filled.

Changed in network-manager-openconnect (Ubuntu):
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Changed in openconnect (Ubuntu):
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Seth Arnold (seth-arnold) wrote :

Hello Luís, part of the role of Ubuntu main is to have an opinion on 'good' packages that provide a feature. We already have StrongSwan, WireGuard, OpenVPN, in main, and all these are for very open VPN protocols and implementations.

OpenConnect may be vastly nicer than the proprietary products it aims to interoperate with, but the interop comes at a strong cost, as apparently peer products can be a decade or more behind the times. See https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834 for an example.

I'm not saying that we can't have OpenConnect in main but you'll need to have a very strong case to get a team to step up and commit to support it.

Thanks

Luís Infante da Câmara (luis220413) wrote :

Test plan for network-manager-openconnect:

1. Create a VM with Ubuntu 20.04, 22.04 or Kinetic and an official flavor of Ubuntu (including Desktop). All combinations of those releases with the official Ubuntu desktop flavors must be tested.
2. If the flavor is neither Kubuntu nor Ubuntu Studio, run:
  $ sudo apt install network-manager-openconnect-gnome
3. For each VPN type supported by the package:
  a. Using the Settings application, configure and connect to a VPN of that type.
  b. Check that the VPN is connected and that the type and other information are correct.
  c. Open the default browser and load https://ubuntu.com/ and https://www.debian.org/.
  d. Load https://ipv6-test.com/ and check that the available IP types are those that are made available under the VPN.
  e. Disconnect from the VPN and check that it is successful.
  f. Remove the VPN configuration and check that it is successful.
4. Reboot.
5. Repeat step 3.

Luís Infante da Câmara (luis220413) wrote :

For the changes file for a clean build of the version in Ubuntu 22.04, Lintian produces the following output:

W: network-manager-openconnect: changelog-distribution-does-not-match-changes-file (unstable != jammy)
W: network-manager-openconnect: dbus-policy-without-send-destination etc/dbus-1/system.d/nm-openconnect-service.conf (rule 5) <policy user="nm-openconnect"><allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>
W: network-manager-openconnect: debian-news-entry-has-unknown-version 0.9.8.4-1
W: network-manager-openconnect changes: distribution-and-changes-mismatch jammy unstable
W: network-manager-openconnect-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/9e/0ba64d1fba5c4337b62a31b6f66a5b419ab3d5.debug]
W: network-manager-openconnect-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/ca/6c20f6addaf3105513db58bfd3c39fc49a477b.debug]
W: network-manager-openconnect-gnome-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/04/42d21a6cc7bb6b56ac35f4a306e0c45686a2eb.debug]

The elf-error warnings are due to bug #1977883.

Luís Infante da Câmara (luis220413) wrote :

For the changes file for a clean build of the version in Ubuntu Kinetic, Lintian produces the following output:

W: network-manager-openconnect: changelog-distribution-does-not-match-changes-file (unstable != kinetic)
W: network-manager-openconnect: dbus-policy-without-send-destination etc/dbus-1/system.d/nm-openconnect-service.conf (rule 5) <policy user="nm-openconnect"><allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>
W: network-manager-openconnect: debian-news-entry-has-unknown-version 0.9.8.4-1
W: network-manager-openconnect changes: distribution-and-changes-mismatch kinetic unstable
W: network-manager-openconnect-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/1f/31b62a73d8d41a12474aa3feb021ade50bd4dc.debug]
W: network-manager-openconnect-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/ae/2abbe81f232246c51e57b8ad8e32ec0f8784d5.debug]
W: network-manager-openconnect-gnome-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/c9/bd9745e48908ac82afd156ee2bda8a212445ab.debug]

The elf-error warnings are due to bug #1977883.

description: updated
Changed in network-manager-openconnect (Ubuntu):
status: Incomplete → New
assignee: Luís Cunha dos Reis Infante da Câmara (luis220413) → nobody
description: updated
Changed in python-mechanize (Ubuntu):
status: New → Incomplete
status: Incomplete → New
summary: - [MIR] network-manager-openconnect, openconnect
+ [MIR] network-manager-openconnect, openconnect, python-mechanize, stoken
description: updated
Jeremy Bícha (jbicha) wrote : Re: [MIR] network-manager-openconnect, openconnect, python-mechanize, stoken

Please see Seth's comment above if you haven't.

We generally need separate MIRs for separate source packages.

no longer affects: openconnect (Ubuntu)
no longer affects: python-mechanize (Ubuntu)
no longer affects: stoken (Ubuntu)
description: updated
Luís Infante da Câmara (luis220413) wrote :

OK, I split this MIR into 4, and the other necessary MIRs will be filed tomorrow (UTC).

summary: - [MIR] network-manager-openconnect, openconnect, python-mechanize, stoken
+ [MIR] network-manager-openconnect
description: updated
summary: - [MIR] network-manager-openconnect
+ [FFe] [MIR] network-manager-openconnect
summary: - [FFe] [MIR] network-manager-openconnect
+ [MIR] network-manager-openconnect
Jeremy Bícha (jbicha)
Changed in network-manager-openconnect (Ubuntu):
importance: Undecided → Low
Jeremy Bícha (jbicha) wrote :

I'm setting this as Incomplete. One of the requirements for a package to be in main is that it have an Owning Team. Although you wrote down Desktop in this bug report, I don't believe that Desktop has agreed to own this package yet.

Until that's resolved, I believe it doesn't make sense for other people to do the work to process this application.

Changed in network-manager-openconnect (Ubuntu):
status: New → Incomplete
Luís Infante da Câmara (luis220413) wrote :

For the .dsc file and the changes file for a clean build of the version in Ubuntu 20.04, Lintian produces the following output:

N: 1 tag overridden (1 info)

W: network-manager-openconnect: changelog-distribution-does-not-match-changes-file (unstable != focal)
W: network-manager-openconnect: dbus-policy-without-send-destination etc/dbus-1/system.d/nm-openconnect-service.conf <policy user="nm-openconnect"><allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>
W: network-manager-openconnect: debian-news-entry-has-unknown-version 0.9.8.4-1
W: network-manager-openconnect changes: distribution-and-changes-mismatch focal unstable
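
The dbus-policy-without-send-destination warning in the Lintian output in this thread concerns a rule that matches messages by interface only, so the named user may send messages on that interface to any service on the bus. The added example below is not code from the package or from Lintian: the sample policy is constructed, and the bus name is assumed from the D-Bus prefix given in the bug description. It finds such rules and shows a scoped form that passes the check.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy. Only the nm-openconnect send_interface rule is
# quoted from the Lintian output; the bus name and other rules are assumed.
BUS_NAME = "org.freedesktop.NetworkManager.openconnect"
IFACE = "org.freedesktop.NetworkManager.VPN.Plugin"
SAMPLE_POLICY = f"""\
<busconfig>
  <policy user="root">
    <allow own_prefix="{BUS_NAME}"/>
    <allow send_destination="{BUS_NAME}"/>
  </policy>
  <policy user="nm-openconnect">
    <allow own_prefix="{BUS_NAME}"/>
    <allow send_destination="{BUS_NAME}"/>
    <allow send_interface="{IFACE}"/>
  </policy>
  <policy context="default">
    <deny own_prefix="{BUS_NAME}"/>
    <deny send_destination="{BUS_NAME}"/>
  </policy>
</busconfig>
"""
# Same policy with the flagged rule tied to one destination.
SCOPED_POLICY = SAMPLE_POLICY.replace(
    f'<allow send_interface="{IFACE}"/>',
    f'<allow send_destination="{BUS_NAME}" send_interface="{IFACE}"/>',
)

# Attributes that match outgoing messages but do not name the receiver.
SEND_MATCH_ATTRS = {"send_interface", "send_member", "send_path", "send_type", "send_error"}

def unscoped_send_rules(policy_xml):
    """Return (policy subject, action, attributes) for every allow/deny rule
    that matches on send_* attributes without a send_destination."""
    findings = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        subject = ", ".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            if rule.attrib.keys() & SEND_MATCH_ATTRS and "send_destination" not in rule.attrib:
                findings.append((subject, rule.tag, dict(rule.attrib)))
    return findings

if __name__ == "__main__":
    for subject, action, attrs in unscoped_send_rules(SAMPLE_POLICY):
        print(f"policy [{subject}]: <{action}> without send_destination: {attrs}")
    print("scoped policy findings:", unscoped_send_rules(SCOPED_POLICY))
```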

description: updated
Launchpad Janitor (janitor) wrote :

[Expired for network-manager-openconnect (Ubuntu) because there has been no activity for 60 days.]

Changed in network-manager-openconnect (Ubuntu):
status: Incomplete → Expired
Luís Infante da Câmara (luis220413) wrote :

In response to comment #8, you said that "Until [the owning team issue] is resolved, I believe it doesn't make sense for other people to do the work to process this application." However, having an owning team is only a requirement for the actual promotion. From https://github.com/canonical/ubuntu-mir/blob/main/README.md:

RULE: - All packages must have a designated "owning" team, regardless of
RULE: complexity, which is set as a package bug contact. This is not a
RULE: requirement for the MIR team ACK, but for the package to be promoted
RULE: by an archive admin. Still, it is strongly suggested to subscribe,
RULE: as the owning team will get a preview of the to-be-expected incoming
RULE: bugs later on.

Therefore, I am reopening this bug.

Changed in network-manager-openconnect (Ubuntu):
status: Expired → New
description: updated
Jeremy Bícha (jbicha) wrote :

The wording in that section is confusing and you're welcome to open an issue or pull request at https://github.com/canonical/ubuntu-mir/ about it. There must be an owning team before a MIR will be accepted; however, the MIR team does not require the owning team to subscribe to bugs for the package until immediately before the package is promoted to main.

I am setting this bug status back to Incomplete because I believe the lack of an appropriate owning team is a hard blocker.

Changed in network-manager-openconnect (Ubuntu):
status: New → Incomplete
Sebastien Bacher (seb128) wrote :

I'm sorry but the desktop team doesn't have the capacity to take on maintaining officially openconnect and doing the work requested by the MIR process at this point so I'm going to wontfix the request. Feel free to bring that topic at the roadmap planning if you think it should make it to the team backlog or to reopen if you find another team wanting to own those components.

Changed in network-manager-openconnect (Ubuntu):
status: Incomplete → Won't Fix