i think, the squid access log doesnt go to the log/messages.
And sorry, i wasnt accurate. this is the issue: access log is in var/log/squid3/ directory not in var/log/squid/.
two file is affected: https://github.com/vyos/vyatta-webproxy/blob/current/templates-op/show/webproxy/log/node.def and https://github.com/vyos/vyatta-webproxy/blob/current/templates-op/monitor/webproxy/access-log/node.def

For _stable_ release build, you need a fixed point in every vyos/vyatta package (vyos-1x=1.3.1, vyos-netplug=1.2.9.2-3, vyos-opennhrp=0.14.1-1, etc), so you have to release every package, something like 'Oh, this package is in this point stable enought for a stable release', and the stable iso contains this stable packages. But the development doesnt stop, some packages receive new fetaures. Until stable packages are waiting for each other, need a versioning for daily snapshot. for that, the commit count based versioning is good.

i would leave the items in changelog, just every changelog items have git tag. if there is a new release (=new _stable_ release iso), make a new changelog item + git tag.
and for the development packages use your versioning: 1.3.0-17+dev<commitcountfromtag>-git<commit-id>
anyway, there is a "gbp dch" command can generate entries from Git commit messages. you you can fill the "dev" changelog entries with real commit messages. you can set the versionstring too.

you can use '+' and '~' chars in versions. plus gives newer version (1.2.3-4-5+foo32 > 1.2.3-4-5 ) but less than the new upstream (1.2.3-4-6 > 1.2.3-4-5+foo32), tilde gives older version (1.2.3-4-5~foo-2 < 1.2.3-4-5 )
i always use + for my own builds, thats gives me newer package version than ubuntu/debian version.

Just call the multiple options other name (like 'option'), and admin can modify they config if they want. no need a IM migrate script.
And leave the openvpn-option for raw option, if someone want to make a magic things in openvpn.
(like, in dhcp server, static mapping has option tagnode for "Host-specific settings" and static-mapping-parameters for raw hacking :)

sould rewrite to multioption:

sorry, i'm not a hacker, so i dont know any attach vector. :( But it does not mean that it does not exist.

@jjakob detect_if_systemipv6_is_disabled just an idea, but looking to interfaces-openvpn.py, it's easy:

This code doesnt break if ipv6 is disabled by system wide:

The new conntract package depend in newer libnetfilter. but you dont need to rebuild the package, just download the debs.

it's enabled by default.

https://github.com/vyos/vyos-1x/pull/263
https://github.com/vyos/vyatta-cfg-system/pull/121

just note. our fw is using own dns forwarder for resolv, because the internal ip reverse addresses are redirected to local dns server.
so plase handle this situation too.

https://salsa.debian.org/pkg-netfilter-team/pkg-conntrack-tools/-/merge_requests/1
if he merge the PR, we can use it!

from https://www.zabbix.com/documentation/current/manual/appendix/config/zabbix_agentd

Here is a solution (based from https://github.com/jansegre/dhcplib/blob/master/dhcplib/rfc.py#L225-L232):

For 1.3, i use this: https://github.com/Elbandi/vyos-1x/commit/f364770fdb5ea8b61d42cb22ca428604d9c6b1df

That's bad, because debian stable (=buster) is fixing security bugs only. They will not fix/add this patches to conntrack package, they leave conntrack buggy. So you sould build an own conntrack-tools package for 1.3 too :( If not, vyos will be less good software.

i think, you sould use crux branch for 1.2 build, current branch is 1.3

It's an upstream bug as @xrobau said. vyos dev sould upgrade https://github.com/vyos/conntrack-tools repo, and apply this patch:
https://git.netfilter.org/conntrack-tools/commit/?id=c12fa8df76752b0a011430f069677b52e4dad164

Yepp, the issue is the quotes in dhcp server config (like the sample line i wrote).
i think, duplicates functionality doesnt matter, there are already such duplications: global-parameters, subnet-parameters, etc. That are for raw settings, if someone want a magic things in dhcp. But adding normal options to static-mapping-parameters are just a workaround.