Hi,

Here's the summary of the previous community meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thursday, 16th June 2011
Time: 18:00 UTC

Planned meeting topics for this meeting were on this page:

<https://community.openvpn.net/openvpn/wiki/Topics-2011-06-16>

Next meeting will be announced in advance, but will be on the same weekday and at the same time. Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

or with

$ date -u

SUMMARY

andj, cron2, dazo, ecrist, jamesyonan, krzee, mattock and psha were present in this meeting.

--

Discussed integration of Buildbot and cron2's connectivity tests (t_client.sh). Mattock said that the tests are now working, but for a number of reasons Buildbot integration is painfully complex. To reduce complexity mattock will check that the clients get an IP-address from the correct range (a.b.c.*), rather than any specific address (a.b.c.d).

Also discussed which platforms to run Buildslaves on. Mattock had cut down the number of buildslaves to 3 (Various Ubuntu/Debian i386/amd64 OSes), with Fedora 15, Scientific Linux 6.0 and FreeBSD 8.x coming up. The other Debian/Ubuntu buildslaves were deactivated to save mattock's server resources.

Agreed that testing for the NetBSD+Sparc64 combination, as well as ARM platforms would make sense. The former could possibly be emulated using qemu-sparc. These would catch more problems than the relatively homogeneous group of buildslaves based on Linux i386/amd64.

--

Discussed James' more active participation in the OSS project. James is at the moment migrating to Git, after which he'll move to OpenVPN 2.2 internally at OpenVPN Technologies. Decided to discuss his role in the OSS project in detail after the migration is finished.

--

Discussed OpenVPN 2.2.1 release. Agreed that it should be released next Friday (24th June). Mattock promised to fix the "Build CA is broken in Windows on version 2.2 release" bug:

<https://community.openvpn.net/openvpn/ticket/125>

The rest of the bugs for milestone 2.2.1 will be moved over to 2.2.2 to avoid delaying the release.

--

Discussed the state of Windows building. Apparently MinGW/Msys builds are broken in the "master" branch. Also, the state of Python / Visual Studio building is unclear. Mattock will test the latter after next week's 2.2.1 release, so that we can start pushing out Windows snapshots.

--

Discussed the openvpn.net website:

<http://openvpn.net>

Concerns have frequently been raised by our community members that OpenVPN (OSS) is buried under commercial content. Also, users are confused about the relation of the commercial products (e.g. Access Server / OpenVPN Connect) and the open source application (OpenVPN) they're based on. Agreed that the following changes would be adequate:

- Add OpenVPN news to the news feed ("Latest news: ...")
- Rename "Community (project)" tab to "Open source"
- Add a section for OpenVPN to the bottom of the page, next to
  - "Connecting to Internet securely"
  - "Deploying VPN Access solution"
  - "Using VPN Hosted Service"

Mattock will bring these up with company people.

--

Discussed andj's PolarSSL patchset. Andj said that he'll start porting it to 2.3 next week, and hopes to have it completed by the week after that. The patchset will also contain Doxygen patches.

--

Discussed commercial products offered by OpenVPN Technologies, Inc. Agreed that each product should have its own sticky topic in the "Providers" board on the forums. Mattock asked raidz (not present) to add those.

---

Full chatlog as an attachment

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock

mattock 21:01:48 meeting time ... everybody set? 21:02:09
dazo is 21:02
jamesyonan 21:02:18 hi guys
dazo 21:02:24 hey
cron2 sits 21:02
krzee 21:02:39 im here kinda, lil busy at work
dazo 21:03:34 krzee: you got it wrong ... you are busy at work, because you want to join this meeting ... just look very busy to the people around you ... we won't say anything, I promise!
mattock 21:03:45 ok, topic list here: https://community.openvpn.net/openvpn/wiki/Topics-2011-06-16
vpnHelper 21:03:47 Title: Topics-2011-06-16 – OpenVPN Community (at community.openvpn.net)
mattock 21:05:31 cron2: I added something about t_client.sh mind if I share that now? 21:05:42
cron2 21:05:53 no
mattock 21:05:55 ok so, in a nutshell, everything works, but I need to tidy things up 21:06:10
cron2 21:06:16 cool!
mattock 21:06:24 I had to increase the timeout to 20 secs, probably will increase it to 30 or the "waiting for connection to be established" delay 21:06:42 second, more problematic part is how EXCEPT_* stuff is handled 21:06:55
cron2 21:07:02 EXPECT
mattock 21:07:07 yes in buildbot's parallel test context expecting specific IPs is very problematic 21:07:26
cron2 21:07:42 well, leave it empty then, but you miss test coverage
mattock 21:08:04 would checking for, say, 10.100.50.* defeat the purpose of the whole test?
cron2 21:08:10 yes well 21:08:12 this depends on what you want to see 21:08:17
mattock 21:08:55 it makes my configuration painfully complex for various reasons, so a more relaxed check would be better and less prone to breakage 21:09:00
dazo 21:09:07 I've not looked into this script for a very long time ... but I'd probably say that would be enough ... as it is a pushed address, if I'm not mistaken
cron2 21:09:08 you can just put 10.100.50 in there it basically does 21:09:17 if get_ifconfig_route | fgrep "$expect" >/dev/null 21:09:20
mattock 21:09:22 cron2: yes, I tried that, it works probably needs a little cleaning up, though, as 10.50.100.* is all over the get_ifconfig_route output (or what was it) 21:09:49
cron2 21:10:02 it really depends on "what do you want to test for?" - if you want to make sure you don't get "just any" address but "what you expect" - be specific. If you just want to make sure that "something from the right network is there", that's fine
mattock 21:10:32 well, I think "getting something" is enough for buildbot... given the savings in complexity I won't go into details unless you want to get bored 21:10:40 anyways, I implement the simplified test variant in buildbot 21:11:28
cron2 21:11:30 if you just match for 10.50.100, you'll also match the route - so that's not perfect, but *if* you have the route, at least "something" is working combine that with "ping works now!" and it's pretty good already 21:11:50
mattock 21:11:57 yeah, my thoughts exactly I also cut down the number of buildslaves to 3, with 2 more (scientific linux 6.0, freebsd 8.0) coming up 21:12:29 to save my server, basically 21:12:45 also, I'm not sure how beneficial it is to run every possible flavour of Ubuntu/Debian, when they're almost the same OpenVPN-vise anyways 21:13:24 rather test against platforms that are very different from them 21:13:53 what do you think? 21:13:56
dazo 21:14:41 agreed ... tbh, I think just compiling on Debian or Ubuntu would cover these two pretty well too ... as I believe they are pretty close to each other debian is stable and long-life basically ... while ubuntu is much faster moving target 21:15:26
cron2 21:15:30 I think we need to cover linux/ipconfig and Linux/iproute2, and at least one of the BSDs...
mattock 21:16:03 maybe having a selection of "stable" platforms (e.g. Debian 6, Ubuntu 10.04, RedHat/SL 6.0) and a few faster-moving ones would be useful latest Ubuntu, for example 21:16:10 and of course FreeBSD 21:16:14
dazo 21:16:50 Ubuntu, Fedora, openSuSE ... all of them are more fast moving targets
jamesyonan 21:16:55 I used to have access to an ancient solaris box that was great because it was big endian and had so many weird quirks that it would find bugs that no other platform would show
mattock 21:17:04 oh yes, Fedora, that's coming up once it install on kvm cron2: do you have any ancient, weird boxes lying around? you had one at some point 21:17:33
cron2 21:17:34 yeah, NetBSD/Sparc64 is great for that "it finds *all* the bugs"
dazo 21:17:49 jamesyonan: you still have that box? or is it gone?
mattock 21:17:52 cron2: would it be possible to build one?
jamesyonan 21:18:23 no not any more -- it wasn't mine -- I just had remote access to it
dazo 21:18:30 ah, okay cron2: is it NetBSD or Sparc64 which made it greatest? 21:18:50
cron2 21:18:53 mattock: I have the Solaris/Sparc64 and NetBSD/Sparc64 boxes, but these are production stuff, so I can't give other people access to it Sparc64 is the hairy thing - 64 bit and big-endian 21:19:01 and if you do unaligned word access -> boom, SIGSEGV 21:19:10
dazo 21:19:14 ahh
mattock 21:19:18 cron2: could setup a buildslave to run there? you could run it with limited privileges
L'utente raidzx si è disconnesso (Quit: Leaving) 21:19
mattock 21:19:39 I won't guarantee it will be easy, though
dazo 21:20:19 or of cron2 would just have a cron script which pulls the code, compiles and pastes the result somewhere public, that would be a good alternative
jamesyonan 21:20:32 testing on ARM might be worthwhile as well
cron2 21:20:32 mattock: it won't be able to test the t_client tests (needs root), and I'm currently reinstalling these boxes, so "yes, in theory, but it will take a bit longer"
dazo 21:20:46 could run every 2-4 week
mattock 21:21:08 jamesyonan: where could we get a ARM server?
cron2 21:21:09 first I actually need to move the Solaris box to FreeBSD 8, because Solaris sucks too much for production use...
dazo 21:21:13 ARM is an interesting platform, due to the cell phone market
cron2 21:21:20 sheevaplug debian runs on it... 21:21:32
jamesyonan 21:21:38 aren't those OpenWRT routers also ARM?
mattock 21:21:44 cron2: yep, would be straightforward to setup I think so, yes 21:21:51
dazo 21:21:55 some of them, but often MIPS as well
cron2 21:21:55 jamesyonan: some of them, some others are MIPSel what he said 21:22:02
dazo 21:22:05
mattock 21:22:46 jamesyonan: could you (or somebody in the company) provide an ARM server I could configure for buildbot? or some ARM box where I can install Debian/something 21:23:00
cron2 won't go into details on OpenWRT and DD-WRT and TomatoWRT and MIPS vs. ARM vs. generic bitrot on *WRT 21:23
jamesyonan 21:23:10 I can look into that
mattock 21:23:17 ok, great! so, whenever cron2 has time and energy, he'll provide us with the "funkiest platform ever" 21:23:38
cron2 21:23:49 mattock: anyway, regarding Sparc64: if you're bored, try installing NetBSD in qemu-sparc, it actually works - and keep pinging me regarding weird stuff my Alphas are all broken or have been given away 21:24:06
L'utente psha è entrato nella stanza 21:24
mattock 21:24:20 meanwhile, I'll focus on a select set of buildslaves (Fedora 15, SL 6.0, FreeBSD 8.0) + finally finishing the t_client.sh integration in buildbot 21:24:33 which needs tidying up, but all pieces are in place and working 21:24:47 cron2: I'll check that out 21:24:55 ok, next topic? 21:25:03
dazo 21:25:12 yes, please 2.2.1? 21:25:15 (should be quick) 21:25:18
mattock 21:25:22 that'd be "James more active participation in the project" jamesyonan: any thoughts? 21:25:27 how much time could you allocate, in what role you'd like to see yourself, etc. 21:25:41
jamesyonan 21:27:01 well the first thing I'm focusing on, in the near term, is migrating to git that should be finished within a couple weeks 21:27:26
dazo 21:28:21 great! Would you like me to have a time slot available for you where you can hit me with different git challenges?
jamesyonan 21:28:22 next step is to move OpenVPN tech to 2.2 branch
mattock 21:28:47 I can be around, too and cron2 can probably share his painful experiences with svn->git transition 21:29:04
jamesyonan 21:29:20 that would be great -- I will start the process and if I hit any snags I'll let you know
cron2 21:29:21 not really, as I never really got into liking svn
jamesyonan 21:30:04 is it harder than cvs to svn?
mattock 21:30:36 I would guess so
cron2 21:30:37 it needs unlearning of established way of "a VCS would do things *this way*"
ecrist still hates git 21:30
cron2 still doesn't understand git, but likes it very much 21:30
mattock 21:30:57 I did have some issues with Git, but not too many
dazo 21:31:06 hmmm .... cvs -> git is fairly easy ..... svn -> git is a bit more challenging .... but the working methods are very different
mattock 21:31:08 as cron2 said, changing the mindset is the challenge
dazo 21:31:14 yeah
jamesyonan 21:31:23 what are the criticisms of git?
psha 21:31:29 you may still use git like svn - one central repo and pull/push then slowly migrate to native git workflow 21:31:56
mattock 21:32:00 I would say that Git is probably a bit complex for simple scenarios
dazo 21:32:20 Some of the git commands can really be confusing in the beginning
mattock 21:32:27 a cheat sheet will help
cron2 21:32:48 git is too powerful, so "finding the subset that is needed for my own processes" was a bit tricky
jamesyonan 21:32:53 isn't the idea with git that everyone replicates their own repository and then various repository branch/merge functions are provided?
dazo 21:33:00 exactly
mattock 21:33:10 makes scrapping the repository very easy
dazo 21:33:11 and that's the approach we're using now in openvpn.git and openvpn-testing.git
cron2 21:33:30 the idea is "everybody does it in a way that's easiest for them"... and *that* brings necessary decisions "how do I know what's best for me?" but we all have dazo to ask what's best for us 21:34:32
dazo 21:34:32 the most important thing in git, in my experiences ... is to understand the difference between rebasing and merge ... and when to use which which all narrows down to: "Who is upstream and downstream from where I am?" 21:35:20
mattock 21:37:17 so rebase against upstream, and merge from downstream?
dazo 21:37:26 mattock: correct
mattock 21:37:32 then I did it correctly with my puppet configuration 21:37:41 huraa 21:37:44
dazo 21:38:05 we don't need to go much more into such details here now ... it's probably better to look at this in detail when there is a situation in front of you
mattock 21:38:15 jamesyonan: keep us posted on your progress
jamesyonan 21:38:22 sure
mattock 21:38:55 do you have any ideas what role you could take in the project? one that would not eat up too much of your own resources?
jamesyonan 21:42:22 I'd like to play more of a role, but obviously it's difficult for me to scale efficiently because of the huge amount of stuff going on at OpenVPN Tech and here in the community as well
mattock 21:43:03 could you manage patch review? I feel that's very important also for QA purposes 21:43:39 to make sure the basis of what our products are built on are in good shape 21:43:54
jamesyonan 21:43:54 But I think that the two issues of (a) migrating to git and (b) getting onto 2.2 will make it a lot easier for me to play more of an active role in the community releases, including patch review, etc.
dazo 21:43:58 right now, it is not too much patches flowing in ... but we would need help to review the PolarSSL patches which is on the way ... which modularises the SSL implementation
mattock 21:44:23 jamesyonan: ok, let's do those first and worry about the rest later
dazo 21:44:26 that makes sense ... get migrated, then move AS to 2.2
krzee 21:44:37 sounds like a nice step towards 3.0!
dazo 21:44:56 krzee: it's a big step forward, but still just one of many
mattock 21:44:58 dazo, andj: any news on PolarSSL patchset?
dazo 21:45:25 I just know he said he would post something very soon ... I forgot if it was this or next week
mattock 21:45:41 ok next topic? 21:45:51
dazo 21:45:56 sure!
mattock 21:46:02 2.2.1 release date there are a few patches missing, one from me 21:46:11
dazo 21:46:19 I wonder if we should have a look at what's left ... http://www.fpaste.org/bwwy/ 21:46:20 this is what we do have ready for 2.2.1 21:46:32 https://community.openvpn.net/openvpn/ticket/128 and https://community.openvpn.net/openvpn/ticket/143 should be reviewed properly, and most likely be fixed 21:47:02
vpnHelper 21:47:04 Title: #128 (Connection errors) – OpenVPN Community (at community.openvpn.net)
dazo 21:47:29 I'm not sure about ticket #143 ... if that is really a bug, or just different behaviour than expected and then there is this fix from mattock which we do need 21:47:42
mattock 21:48:23 https://community.openvpn.net/openvpn/report/3
vpnHelper 21:48:25 Title: {3} Active Tickets by Milestone – OpenVPN Community (at community.openvpn.net)
mattock 21:48:26 milestone 2.2.1
dazo 21:48:28 ticket #127 is also targeted for 2.2.1, but that is by no means critical ... that can go in any later release
mattock 21:49:20 dazo: release next Friday? I can sure get my bug fixed, it's trivial 21:49:33 I assume there are no TAP-driver changes? 21:49:44
dazo 21:49:46 I doubt we can manage to have #128 and #143 fixed by that time not heard about any need for a new WinTAP driver 21:49:59 #128 is pretty hefty to fix by the way 21:50:25
cron2 21:50:56 mattock: haven't heard anything regarding the new TAP driver (and this is good news)
dazo 21:51:03 (it's been discussed a few times, and I haven't had time to look into it, as it requires a lot) (#128, that is) 21:51:14
mattock 21:51:30 is it necessary for 2.2.1? or, is it worth to postpone 2.2.1 because of it? 21:51:53 especially if "This is a well known and long-term bug in OpenVPN" 21:52:13
dazo 21:52:15 well, it might not be 2.2.1 critical ... but when I look at what we have fixed, and the last outstanding issues ... it's kind of just small stuff we're fixing which of course is good ... its just, should we try to put a little bit more into the 2.2.1 release? 21:52:51
mattock 21:52:53 the build-ca broken is kind of big, even if it's trivial ...to fix 21:52:58
dazo 21:53:09 yeah, build-ca is the most critical one of all
mattock 21:53:43 I think we should push out 2.2.1 a.s.a.p... we can always make more point releases
cron2 21:54:00 +1
krzee 21:54:01 i see nothing wrong with releasing earlier with trivial bugfixes and waiting for 2.2.2 for more +1 21:54:04
mattock 21:54:14 ok, that's settled then next Friday? 21:54:17
dazo 21:54:31 okay, then I'll just await mattock patch and move the other things to a next release that's definitely doable then 21:54:44
mattock 21:54:46 jamesyonan: could you have signatures for 2.2.1 packages by next Friday?
cron2 won't be here next week, but isn't needed anyway 21:54
dazo 21:54:55 if I get the patch tomorrow or so
krzee 21:55:05 damn i only have 1 more hour at work, and my internet at home is out, gunna put work on hold and try to test that patch
jamesyonan 21:55:12 sure
krzee 21:55:23 (dont tell my boss!)
mattock 21:55:31 dazo: ok, I can send it to the list tomorrow morning
dazo 21:55:33 krzee: that's the spirit!
mattock 21:55:39 krzee: you mean the build-ca patch?
dazo 21:55:39 mattock: perfect!
mattock 21:55:58 next topic? "tmp/winbuildfix branch - how to move forward, what's blocking?" 21:56:16
krzee 21:56:20 mattock, no, patch for trac tik #73
mattock 21:56:23 I haven't tried it lately krzee: ok 21:56:25
dazo 21:56:58 mattock: I tried to do a cross build on Linux ... which is closer to MinGW/msys builds in Windows .... and that's pretty nasty now
cron2 21:57:28 mattock: what's nasty?
dazo 21:57:41 -#include <NtDDNdis.h> +#include <ntddnsdis.h> 21:57:41 such kind of stuff ... it struggles with some other include files as well, for IPv6 structs 21:57:57
krzee 21:57:58 oh that reminds me... what would you guys think of us offering openwrt-style openvpn binary on downloads page?
cron2 21:58:16 dazo: I think that should be the only one - everything else worked on mingw before
krzee 21:58:18 since those linux router users are *always* on old versions based on availability
dazo 21:58:42 cron2: yeah, it's JJO's patches which kind of makes it tricky
cron2 21:58:43 krzee: there is openvpn-devel in openwrt packages
dazo 21:59:12 krzee: well, the tricky stuff is also that openwrt is on pretty many architectures ... so that's another challenge
krzee 21:59:32 ahh i see
cron2 21:59:57 and indeed, we do not want to go into building 50+ different packages
mattock 22:00:06 cron2: +1
dazo 22:00:12 I think keeping an eye on the openwrt repositories, and make sure openvpn-devel and openvpn is a safe path to walk is *in*, is 22:00:23
krzee 22:00:23 yep i agree
cron2 22:00:49 I'll go and push for an update to 2.2.1 and "-current" after 2.2.1 release
dazo 22:01:10 thx!
mattock 22:01:12 anyways, regarding wintmpbuild (or whatever it is)... I'll try it again after 2.2.1 release
cron2 22:01:19 ok
dazo 22:01:23 sounds good!
mattock 22:01:26 so that we can start releasing Windows snapshot builds can we do something about the MinGW build issues? 22:01:51
dazo 22:02:34 I'd love to help ... but I begin to have too much on my plate now, so I know I do need to start focusing on the platforms I have handy
mattock 22:03:15 dazo: good idea cron2: anybody else got a MinGW build environment handy? 22:03:43 I probably won't have time to play with it, either 22:03:54 my plate is getting full, too 22:03:58
cron2 has enough diapers to keep him busy 22:04
mattock 22:04:16 lol maybe let MinGW slip, and see when somebody complains? 22:04:37 and if nobody does, then nobody misses it? 22:04:45
dazo 22:04:58 I'm pretty sure Alon will complain rather quickly
mattock 22:05:06 doesn't he cross-compile on *NIX? or is that affected, too? 22:05:19
dazo 22:05:23 yes, he does ... but I'd expect the same issues there as well
mattock 22:05:28 ok
cron2 builds win+ipv6 on mingw 22:05
mattock 22:05:52 cron2: caught!
dazo 22:05:59 native windows mingw, or cross build?
cron2 22:06:02 (but needs to bootup a different server plus VM on that, so it takes time and I can only do it when I'm at home) native 22:06:05
mattock 22:06:23 good that somebody has the environment ready let's try to find a fix that pleases both MinGW and Visual Studio 22:06:41 ...eventually 22:06:46 final topic? 22:06:56
cron2 22:06:59 doesn't the patch work that jjo sent in?
dazo 22:07:34 It solves something ... but when I try to build how he describes it, it explodes in my tree
cron2 22:07:45 oh
dazo 22:07:54 and using mingw32-configure instead of ./configure also explodes ... but this is cross building and since it is cross building, I don't trust it as much currently 22:08:14
mattock 22:08:52 maybe continue this discussion later? I don't think we can reach any conclusion without testing it thoroughly 22:09:09
dazo 22:09:17 agreed
mattock 22:09:28 last topic would be "OpenVPN site"
cron2 22:09:29 indeed, all this windows stuff is mattock's problem to solve anyway *duck**hide*
mattock 22:09:45 cron2: I have my own little silo, MinGW is outside it
cron2 22:10:16 but it's those fixes for your large dump that are breaking poor little MinGW!!
dazo 22:10:31 hehe
mattock 22:10:43 cron2: +1
cron2 22:10:53 anyway, let's indeed go ahead
mattock 22:11:16 "How do we make openvpn.net better for the project"? any layout suggestions? 22:11:38 a few ideas: news about new openvpn releases on the front page 22:12:32
dazo 22:12:50 A kind of box somewhere saying something about OpenVPN Open Source project ... and a clear pointer to where the differences between the AS/Cloud/Shield* stuff and OpenVPN F/OSS project are
mattock 22:13:15 a section for OpenVPN (similarly to the 3 others at the bottom of the page) what about "Open source" tab? 22:13:27
dazo 22:13:29 yeah, that's a good step I think renaming "Community" to "Open Source" would be clever as well 22:13:47
mattock 22:13:53 I agree I think that'd solve a lot of confusion 22:14:14
andj 22:14:42 mattock, in reply to your earlier question: I should be starting on the port of PolarSSL to 2.3 next week, hope to have it completed end of the week after that
krzee 22:14:48 +2 from me hehe 22:14:54
mattock 22:14:59 andj: nice! leaves some time for review before 2.3 22:15:15
andj 22:15:52 I'll send patches out earlier though, while I'm working on the port I can see two major milestones: doxygen and polarssl 22:16:06
jamesyonan 22:16:18 what's the motivation for using something like PolarSSL instead of OpenSSL. Code size?
andj 22:16:37 code size, easier to evaluate by government auditors
dazo 22:16:41 andj: that sounds great! I can take care of looking at doxygen stuff, as that should be fairly easy to review
andj 22:16:52 OpenSSL is a little tough on the eyes
krzee 22:17:29 at first i didnt think i cared about the polarssl addition... but then i see that it means making the encrypting modular... and thats a step towards 3.0, so i LOVE IT!
jamesyonan 22:17:38 does PolarSSL easily support RSA offloading?
mattock 22:17:43 anyways, so a summary of proposed changes: - add OpenVPN news to the news feed - "Community (project)" tab renamed to "Open source" - a section for OpenVPN besides "Connecting to Internet security", "Deploying VPN Access solution" etc. - describe the differences with OpenVPN and the commercial products somewhere
andj 22:18:12 oops, sorry, did I bump into the middle of a meeting... /blush
krzee 22:18:30 andj, good timing actually =]
dazo 22:18:33 mattock: those two last ones can be "combined", and it can even be located as a box to the very right of the screen .... doesn't really matter ... but visibility matters
mattock 22:18:45 dazo: yep ok, I think we've run out of topics 22:19:47 pretty quickly, I might add 22:19:53
krzee 22:19:58 ohhh i have a question for corp
mattock 22:20:03 krzee: shoot
krzee 22:20:38 i see you have offsite openvpn server hosting avail, any thoughts of also doing a service where you run the server and they use your as vpn provider? use you* 22:20:47
mattock 22:21:18 krzee: just a sec
andj 22:21:31 jamesyonan: pkcs#11 through Polar was added through pkcs#11-helper, in a similar way as the OpenSSL library
krzee 22:21:34 occasionally we get people asking who they provider we recommend is... now i have no answer but point to forums... would answer with openvpn.net if its an option
andj 22:21:37 or did you mean HSM offloading?
dazo 22:22:07 andj: I think he meant like RSA accelerator cards, and the AES-NI instruction set in newer Intel CPUs
jamesyonan 22:22:36 andj: pkcs#11 pretty much answers my question
andj 22:23:13 dazo: it has some support for the via padlock stuff I think
mattock 22:23:15 krzee: I'm asking about that atm
dazo 22:23:18 (on my Intel Core i5 laptop, I can add --engine aesni in OpenVPN .... and get much of the encryption stuff offloaded from software to the CPU)
mattock 22:23:20 from people who know
krzee 22:23:27 mattock, cool =] mattock, if you guys do offer it, an announcement in the forums providers section should be made sticky 22:23:48 in fact, the hosted server offering should be there as well imo 22:23:58
mattock 22:24:06 krzee: I think our ShieldExchange offering is what they're looking for: shieldexchange.com
jamesyonan 22:24:07 what I mean specifically is that OpenSSL has an RSA struct with overloadable members for RSA encrypt, decrypt, etc. -- so it makes it easy if you need to interact with a private key that isn't available locally
krzee 22:24:40 (the forum is good advertisement, and since its the official forum theres no reason for you guys to not advertise on it (its pretty on-topic for the providers section after all) ) 22:24:43
mattock 22:25:00 krzee: I'll ask the guys to add topics to the forums
jamesyonan 22:25:46 krzee: regarding hosted services, OpenVPN tech currently offers ShieldExchange which is more or less a zero-configuration VPN solution that's based on OpenVPN
dazo 22:27:06 cron2: would you mind having a quick look on this patch, and have your say? http://www.fpaste.org/rGQL/raw/ ... krzee is testing it out now
mattock 22:27:25 jamesyonan: I asked Andrew to post sticky topics about AS, hosted service and shieldexchange to the forums
krzee 22:27:28 so no plans on more of a standard openvpn service like people are used to? or maybe im mis-understanding something mattock, tell him those go in the providers section pls 22:27:50
mattock 22:27:56 krzee: I did
krzee 22:28:02 nice =]
cron2 22:28:35 mmmh
mattock 22:29:00 if there's nothing else, I'll take my cat out
andj 22:29:03 jamesyonan: unfortunately, it's not quite as pretty as that in PolarSSL yet.
mattock 22:29:08 and call this a day
krzee 22:29:13 it broke 2.2.0 from building on freebsd, im installing git right now so i can test against -testing
jamesyonan 22:29:34 krzee: we're contemplating more of a standard OpenVPN service as well where you could lease a VPS that has everything preinstalled on it
cron2 22:29:35 dazo: in general, I agree. Some of the coding style is not "the way it's done elsewhere", like: ret |= ( access(...) != 0 ); 22:29:42 that's nearing obfuscation 22:29:49
mattock 22:30:01 jamesyonan: before you do that, talk to me
cron2 22:30:09 what's so bad about "if (access() < 0 ) { err++; errcode=errno; }
mattock 22:30:14 I can setup thousands of VPSes in a snap with pupept puppet 22:30:16
dazo 22:30:34 cron2: heh ... yeah, I can agree to that ... I'm just used to read such code, so didn't think about it
mattock 22:30:36 of course, the initial install needs to be automated and I've already puppetized OpenVPN configuration 100% 22:30:51
dazo 22:31:06 cron2: I'll clean up the check_file_access() function then
cron2 22:31:12 I *can* read it, but I find it harder than "making it obvious" - and for folks with less C coding experience, it might be more difficult
jamesyonan 22:31:12 krzee: we also have an Amazon EC2 AMI for Access Server
krzee 22:31:22 mattock = the master of puppets!
cron2 22:31:35 dazo: ack for the idea
jamesyonan 22:31:38 mattock: that sounds great -- we should discuss
mattock 22:32:12 jamesyonan: just let me know when but really, combining automated installation and puppet makes that kind of things trivial 22:32:33
cron2 22:32:36 dazo: and in general, ack for the implementation, and "minor nack" for the coding style
mattock 22:32:37 as well as managing the configuration but I got to go now 22:32:50
dazo 22:32:58 cron2: not sure I'm willing to change all the check_file_access() calls later on .... those errs |= check_file_access(...); lines ... as I find switching to if() would make that part less readable
krzee 22:33:05 later mattack, good meeting =]
mattock 22:33:09 krzee: +1 later! 22:33:11 I'll write the summary tomorrow, and provide the patch for dazo 22:33:21