Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please give permission to upload OpenVPN 2.6.1-1 to unstable and let it migrate to testing (currently in experimental as 2.6.1-1~exp1).

[ Reason ]
Upstream has released the first minor release in the 2.6.x series. It is primarily a bugfix release but has one new security feature.
https://github.com/OpenVPN/openvpn/blob/v2.6.1/Changes.rst

| Dynamic TLS Crypt
|     When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically
|     create a tls-crypt key that is used for renegotiation. This ensures that only
|     the previously authenticated peer can trigger renegotiation and complete
|     renegotiations.

I am afraid that this might be CVE material down the road and would be more invasive to backport during a stable release than adding it now.

There is another release slated for next week that will overhaul the kernel interface to the optional DCO (data channel offload) kernel module. I have asked upstream to make 2.6.2 as small as possible compared to 2.6.1, so we can review 2.6.2 and the new DCO module in time.

There have been no changes in the debian/ packaging.

[ Impact ]
Missing out on this release would make us miss all the small bugfixes and make reviewing the DCO change a lot harder.

[ Tests ]
Upstream has a very thorough patch review process and CI pipeline.
2.6.1-1~exp1 (but compiled on bullseye) has been running on my employer's eduVPN server serving thousands of university students.

[ Risks ]
The code change is not trivial but manageable:
https://github.com/OpenVPN/openvpn/compare/v2.6.0...v2.6.1
About half of the changes affect only Windows or FreeBSD.
I'm not smart enough to understand anything about the one new feature, but it has been extensively documented and tested by upstream:
https://github.com/OpenVPN/openvpn/commit/202a934fc32673ef865b5cbcb23ad6057ceb2e0b

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [ ] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in testing

I've omitted the debdiff because there have not been any changes apart from the new upstream version, which is a lot more readable as a list of commits on GitHub than with a plain debdiff. If you want me to attach a debdiff, feel free to tell me.

[ Other info ]
The upcoming DCO change will involve a new version of src:openvpn and a new version of src:openvpn-dco-dkms. The list of changes on the kernel side is already visible on https://github.com/OpenVPN/ovpn-dco/commits/master .

In the past we managed to break DCO on the above-mentioned really heavily loaded OpenVPN server within a few hours. The new version is a major overhaul and more in line with code upstreamable in Linux, and did survive torture tests.

I know this is kind of late, but I think it would be better to include it as well as soon as it is released because
 - we cannot support the old deprecated module
 - openvpn uses DCO (of the right version) automatically and will transparently fall back to non-DCO mode if the module is not found (or is the wrong version)
 - it has not been in Bullseye previously, so if we see that DCO is too unstable with the new version we can just drop it before the release

unblock openvpn/2.6.1-1