Hi,

Here's the summary of the previous IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thursday 18th Apr 2013
Time: 18:00 UTC

Planned meeting topics for this meeting were on this page:

<https://community.openvpn.net/openvpn/wiki/Topics-2013-04-18>

Next meeting is scheduled for Thursday 2nd May at 18:00 UTC. Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

or with

$ date -u

SUMMARY

andj, cron2, jamesyonan, jamxNL, mattock, m-a and syzzer participated in this meeting.

--

Discussed how to handle security vulnerabilities in the future. Mattock has already created a secur...@openvpn.net mail alias which forwards any security-related notices to a handful of key developers. The list is also advertised on openvpn.net.

It was agreed that in the future, when a security issue is reported, it will be handled as follows:

- Discuss the issue on secur...@openvpn.net
- Assess severity (threat, impact, etc.)
- Notify OpenVPN package maintainers (e.g. *BSD, Linux) in advance
- Prepare a fix
- Get a CVE entry
- Make a security announcement
- Make a release with the fix

---

Discussed OpenVPN 3.0, which was released by jamesyonan under the AGPLv3 license at FOSDEM in February:

<http://staging.openvpn.net/openvpn3>

Agreed that the latest code (on the above page) should be pushed to GitHub/SF.net. Jamesyonan did not want to preserve SVN logs, so the initial commit would be created from the tarball.

Also agreed that a plan on how to move from 2.x to 3.x is needed at some point, although there's no hurry at the moment.

---

Discussed the OpenVPN 2.4 release:

<https://community.openvpn.net/openvpn/wiki/OpenVPN2.4>

Agreed that with the socket.c changes from plaisthos we already have enough new features to warrant a new major release.

The 2.4 release would probably include the following patchsets:

- Android patchsets
- Dual stack client patches
- utun on Mac OS X
  - native tun, no need for extra tun.kext
  - Supported for all OS X >= 10.6.8 (latest PPC version)
  - Unfortunately requires root
  - Real question: Drop tun.kext support and support only utun or "try utun first, fall back to tun.kext if it fails"
- svn 2.1 patchset (snappy support, push-peer-info changes, see trac#268-273)
- management interface changes (status 2/3)
- Formatting and whitespace fixes (just before 2.4 release)
- --version to include git commit id and branch?
- OpenVPN-GUI installer from mattock

---

Discussed the 2.3.2 release briefly. Cron2 promised to tag the tree soon so that mattock can make the release.

---

Full chatlog as an attachment

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

(21:00:55) andj: evening
(21:01:55) syzzer: hi :)
(21:02:11) andj: :)
(21:03:17) syzzer: busy cooking dinner in the meanwhile, but that should work ;)
(21:03:38) andj: right, who's leading the meeting? :)
(21:04:15) cron2: mattock is da boss
(21:04:30) andj: I thought as much
(21:04:32) mattock: ha
(21:04:38) cron2: where's dazo?
(21:04:48) mattock: jamesyonan should get here, too
(21:04:52) mattock: talked to him a few mins ago
(21:05:20) mattock: meanwhile, here's the topic list: https://community.openvpn.net/openvpn/wiki/Topics-2013-04-18
(21:05:26) vpnHelper: Title: Topics-2013-04-18 – OpenVPN Community (at community.openvpn.net)
(21:08:17) andj: so, security first?
(21:10:03) mattock: yes
(21:10:14) mattock: ok, so a brief update first
(21:10:35) mattock: we now have a security mailinglist... or rather, a mail alias (secur...@openvpn.net) which goes to several people
(21:10:45) mattock: currently james, dazo, cron2 and I are on it
(21:11:12) mattock: I heard Steffan should be added, too
(21:11:35) andj: I wouldn't mind if you could add open...@fox-it.com, that just ends up at the contact people
(21:11:36) syzzer: I'd appreciate that, yes
(21:11:51) mattock: also, we now advertise that address here: http://openvpn.net/index.php/contact-us.html
(21:11:53) vpnHelper: Title: Contact Us (at openvpn.net)
(21:12:05) mattock: andj, syzzer: I'll add both
(21:12:19) mattock: or is open...@fox-it.com enough?
(21:12:24) andj: thanks, openvpn@fox should reach syzzer
(21:12:27) andj: :)
(21:12:28) mattock: ok
(21:12:42) mattock: the rackspace alias has a silly limitation, only 4 "external" email addresses allowed
(21:12:51) jamesyonan [~jamesy...@c-24-9-78-222.hsd1.co.comcast.net] entered the room.
(21:12:51) mode (+o jamesyonan) by ChanServ
(21:12:54) andj: weird
(21:12:54) mattock: hi jamesyonan!
(21:13:01) andj: evening, james
(21:13:01) jamesyonan: hi!
(21:13:03) mattock: yes, it's weird
(21:13:08) mattock: jamesyonan: https://community.openvpn.net/openvpn/wiki/Topics-2013-04-18
(21:13:10) vpnHelper: Title: Topics-2013-04-18 – OpenVPN Community (at community.openvpn.net)
(21:13:11) andj: or morning :)
(21:13:22) mattock: almost lunch time I guess?
(21:13:47) mattock: so we started discussing topic 1, handling security issues
(21:14:01) mattock: I think we can agree on that we should do better next time
(21:14:02) mattock: :P
(21:14:03) m-a: good evening
(21:14:07) mattock: hi m-a
(21:14:25) andj: I think the list of points on the wiki should cover the basics
(21:14:41) m-a: I contacted our FreeBSD guys about security-for-packages so as to have a definitive answer about the contacts
(21:14:42) cron2: +1
(21:14:55) mattock: there was some disagreement regarding CVEs, from dazo I think
(21:15:02) mattock: whether one is always needed
(21:15:15) mattock: andj, syzzer: do you have experience on creating CVEs?
(21:15:26) mattock: I'm wondering if it's a heavy-weight process...
(21:15:54) andj: Not much, but I think it's pretty open. Paul Bakker has done it in the past
(21:16:11) m-a: basically you contact one of the numbering authorities to have the CVE assigned, then write a free-form document about the issue, and send it either to the CVE publishers and security contacts, or you just publish it in public.
(21:16:13) mattock: ok, I'll have a look... if it's fairly easy, creating one might make sense
(21:16:31) m-a: I've done that several times for fetchmail; http://www.fetchmail.info/security.html
(21:16:33) vpnHelper: Title: Fetchmail (at www.fetchmail.info)
(21:16:35) mattock: m-a: ok, I'll do some research
(21:16:46) mattock: ok, it can't be too painful, then
(21:16:49) mattock: so many notices :D
(21:17:05) m-a: there is also a public list where the CVE gurus lurk, which is good for requesting CVE Ids.
(21:17:08) andj: Most important thing is to do a good analysis, and determine the impact
(21:17:25) mattock: ok, that'll be handled on the secur...@openvpn.net "list" then
(21:17:41) mattock: anything else on this subject?
(21:18:09) andj: how are we going to handle downstream communications?
(21:18:39) m-a: as to the FreeBSD contacts, that would be mandree at FreeBSD.org, ecrist at secure-computing.net as the maintainers of the stable and developmental packages, and security at FreeBSD.org (but those should only be contacted by persons - they should not be added to mailing lists)
(21:19:06) m-a: security at FreeBSD.org should be the last resort usually, meaning that neither I nor ecrist are responding.
(21:19:27) mattock: I'll contact the maintainers of OpenVPN packages of various Linux/BSD distros and gather a list of email addresses
(21:20:42) mattock: afaik the idea was to first discuss the issue on secur...@openvpn.net, then before releasing a fix and making the announcement give the distributors a heads-up that "a security fix is coming"
(21:20:52) mattock: so that they can prepare to make a new build
(21:20:56) andj: sounds good
(21:21:28) m-a: sensible
(21:21:33) mattock: ok, I think we're in agreement on this subject
(21:21:51) mattock: next topic would be OpenVPN 3.0
(21:22:03) mattock: jamesyonan: is the page you linked to in FOSDEM still available?
(21:22:13) jamesyonan: yes, should be
(21:22:16) andj: I'd love a preview of the code
(21:22:21) mattock: can you send us a link?
(21:23:18) jamesyonan: sure, let me just update the site first with latest code base
(21:23:24) mattock: ok, sounds good
(21:23:50) mattock: regarding latest code base... I'm thinking we should put the latest code to Git (SF.net/GitHub) right away
(21:24:37) andj: Question from my side: how are we going to transition?
(21:24:58) cron2: "not any time soon"
(21:25:06) mattock: yes, my words exactly
(21:25:46) mattock: there are a few issues with 3.0... first, it's an entirely new codebase... second, due to iOS store policies it requires some form of contributor agreement from committers
(21:26:08) mattock: also, it's missing server-side functionality... so making 3.0 completely replace 2.x will be challenging
(21:26:26) mattock: and will take time, obviously
(21:26:42) andj: True, but to prevent a Python 3/Samba 4-esque situation, a planned migration isn't a bad plan
(21:26:59) mattock: yes, agreed
(21:27:25) mattock: however, I would first like to see the beginning of a migration before thinking about that too much :P
(21:27:59) mattock: getting the code to GitHub/SF.net repos would help gauge interest in 3.0
(21:28:00) jamxNL: if the code is on github, we can create a roadmap
(21:28:43) mattock: jamxNL: what do you mean exactly?
(21:28:51) andj: ok, so mostly: we want a look at the code, for now it's 2.4 business as usual
(21:29:13) mattock: yep, let's get the code (and James :P) to Git first
(21:29:26) ***cron2 just found a bug in the 3.0 code :)
(21:29:32) ecrist: heh
(21:29:38) jamxNL: see what is missing and set priorities
(21:30:11) mattock: jamesyonan: is 3.0 code on the web-page updated?
(21:30:47) jamesyonan: yes, I just updated http://staging.openvpn.net/openvpn3/
(21:30:49) vpnHelper: Title: OpenVPN 3 (at staging.openvpn.net)
(21:31:18) mattock: added the link to the agenda page for the posterity
(21:31:37) mattock: jamesyonan: do you mind if we push this codebase to GitHub?
(21:31:52) mattock: or rather, if it's just a tarball, we might want to preserve history from SVN
(21:31:52) jamesyonan: no prob
(21:32:13) mattock: dazo probably knows the magic to convert an SVN repo into a Git repo
(21:32:21) syzzer: https://community.openvpn.net/openvpn/wiki/Topics-2013-04-18
(21:32:22) vpnHelper: Title: Topics-2013-04-18 – OpenVPN Community (at community.openvpn.net)
(21:32:55) mattock: jamesyonan: is there anything in 3.0 SVN history you'd like to get rid of?
(21:33:08) mattock: or could we "export" the SVN repo with full history to Git?
(21:33:43) jamesyonan: I'd rather not include svn history for now, because it's wrapped up in a lot of other stuff that I'd have to go through and edit
(21:33:56) mattock: ok, so we'd start from the tarball
(21:34:06) jamesyonan: yes
(21:34:07) mattock: I think that's ok
(21:34:32) mattock: regarding the API documentation... should we find a better place for it?
(21:34:55) mattock: ah, it's in the tarball
(21:35:01) mattock: disregard my comment
(21:35:21) mattock: anything else on OpenVPN 3.0?
(21:35:45) andj: not from my side
(21:36:09) mattock: next topic would be OpenVPN 2.4... mostly "what do we want to include in it?"
(21:36:18) ecrist: bug fixes
(21:36:27) ecrist: fewer security vulnerabilities, mostly
(21:36:29) ecrist: ;)
(21:36:31) andj: And what do we want to postpone for 2.4
(21:37:21) syzzer: maybe update the options string?
(21:37:22) mattock: andj: for 2.5 you mean?
(21:37:40) andj: yeah, 2.5
(21:38:10) andj: options string fixes are a good idea, management API comes to mind as well
(21:38:17) mattock: there are some patchsets listed on the agenda page... is it missing something else?
(21:38:47) mattock: there are some "papercuts" that were found when SVN patches were forward-ported to master
(21:38:52) cron2: I have a bunch of IPv6 enhancements I want to see in 2.4 (mostly related to "redirect-gateway ipv6")
(21:39:07) cron2: mattock: USE_SSL already got fixed :)
(21:39:11) mattock: papercuts = partially implemented functionality
(21:39:21) mattock: cron2: yes, that was fairly minor
(21:39:22) andj: whitespace and code formatting fixes
(21:40:11) cron2: andj: we could do that "just before releasing 2.4", because any sort of patch merging / cherrypicking is huge pains when the code *looks* all different
(21:40:33) cron2: merging 2.1 changes to lzo.h into 2.3 with all your documentation changes to that header was... not-automatic
(21:40:38) andj: true, but we forgot just before 2.3 :)
(21:40:44) cron2: andj: true
(21:40:57) mattock: oh, one more topic after this one... 2.3.2
(21:41:02) cron2: (and I'm happy about that, because otherwise those remaining svn changes would have been a nightmare).
(21:41:06) mattock: but let's not deviate quite yet
(21:41:14) cron2: andj: but otherwise I agree, someone should watch out that we do not forget before 2.4
(21:41:29) mattock: formatting and white-space fixes?
(21:41:45) cron2: yep
(21:42:11) mattock: I can file a ticket to Trac... we all know how actively we check those, so that's fairly foolproof way to ensure we don't forget :P
(21:43:18) cron2: totally
(21:43:55) mattock: added note to the topic page
(21:44:01) mattock: when is 2.4 due?
(21:44:09) mattock: do we have enough stuff for a new major release?
(21:44:14) andj: depends on what needs to go into it
(21:44:29) mattock: I would personally aim at fairly small, incremental releases
(21:44:37) mattock: release soon, release often
(21:44:48) mattock: as long as there's some motive for people to upgrade
(21:45:06) mattock: thoughts?
(21:45:08) cron2: if plaisthos' socket refactoring goes in, 2.4 will be fairly big
(21:45:29) cron2: but in general I'm all for having frequent releases :)
(21:45:44) mattock: plaisthos here atm?
(21:45:55) cron2: no, he said he couldn't make it today at this time
(21:45:57) mattock: ah
(21:46:29) mattock: I've heard tales of socket.c... that's probably enough to warrant a new major release then
(21:46:39) mattock: anything else on 2.4?
(21:47:07) mattock: if not, we have 2.3.2 which is not on topic list
(21:47:33) mattock: I'd like to know when to release and what to include
(21:47:33) cron2: not specific... I think we have quite a bit of work to do for 2.4, mostly in the "networking" and "os support" side of things (so not so much work for the crypto geeks :-) unless you want to add elliptic curves and stuff...)
(21:47:34) m-a: mattock: if there is anything substantial on the table, 2.4 might be OK, but I haven't been paying attention, so unless there's some killer feature I'd say 2.3.2 with minor touch-ups would be fine. What's the story about socket.c, URL to tickets, mailing list or anything?
(21:47:35) andj: Mattock, is there a 2.4 todo list somewhere?
(21:48:17) mattock: andj: no, afaik
(21:48:21) cron2: m-a: Arne sent a big patchset to the list on Nov 30
(21:48:41) mattock: cron2: was there something blocking inclusion of those patches to master?
(21:48:46) m-a: cron2: OK, would have to dig that out, needs to be done offline by yours truly, not during the IRC conference
(21:48:59) cron2: mattock: "lack of brains" - large and complex changes
(21:49:15) mattock: ah :)
(21:49:32) cron2: seems nobody but plaisthos and me wants to touch the deep innards, and I had too much other things to keep me busy
(21:49:38) andj: I think the plan for 2.4 was mostly a cleanup release
(21:49:59) cron2: cleanup-and-refactoring-stuff
(21:50:25) mattock: let's add a page for 2.4 to the wiki...
(21:50:41) mattock: no need to go heavyweight and start creating <n> tickets to trac
(21:51:07) mattock: ah, we have page already: https://community.openvpn.net/openvpn/wiki/OpenVPN2.4
(21:51:08) cron2: regarding 2.3.2, we have the tls-cipher translation bugfix and the USE_SSL bugfix in that branch right now
(21:51:09) vpnHelper: Title: OpenVPN2.4 – OpenVPN Community (at community.openvpn.net)
(21:51:13) andj: Are there any urgent trac tickets for 2.4
(21:51:40) m-a: anything pending with respect to PolarSSL 1.2.x support, given that this was quite new?
(21:51:54) cron2: m-a: have not heard back anything
(21:51:55) m-a: FreeBSD builds with it, but I haven't tested it beyond "make check"
(21:52:03) andj: syzzer?
(21:52:08) m-a: (so that's progress from 2.3.0 already :-))
(21:52:20) cron2: I tried to get the openwrt people to update their build, but the maintainer is too busy
(21:52:20) mattock: good question, I've skimmed through 1/3 of the tickets and they've been 90% bug reports
(21:52:43) syzzer: i haven't heard anything on polar 1.2 either
(21:54:32) mattock: I'll update the 2.4 wiki page
(21:55:10) mattock: ok, page updated: https://community.openvpn.net/openvpn/wiki/OpenVPN2.4
(21:55:12) vpnHelper: Title: OpenVPN2.4 – OpenVPN Community (at community.openvpn.net)
(21:56:30) mattock: cleaned up formatting
(21:56:57) mattock: so 2.3.2... is the release imminent?
(21:57:53) mattock: I recall it was due a few weeks ago :)
(21:58:13) cron2: I could do tagging and version.m4 etc. this weekend...
(21:58:21) mattock: ok, if all the pieces are in place
(21:58:52) cron2: well, there's a couple of open trac tickets :-) but nothing that screams "MUST BE FIXED YESTERDAY!" to me
(21:59:00) mattock: cron2: which ones?
(21:59:11) cron2: there are many open tickets
(21:59:19) mattock: oh, actually, I'd like to have the openvpn-gui installer included in openvpn 2.4 release
(21:59:21) cron2: (I have no particular ones in mind)
(21:59:31) mattock: not really related to 2.4 code, but still relevant
(21:59:33) mattock: ok
(22:00:22) mattock: anything else on any of the topics?
(22:00:29) mattock: or any topics we've missed?
(22:01:10) cron2: there's "openvpn --version" which right now only says 2.3_master for master. Dazo and I discussed having a commit ID in there as well...
(22:01:36) mattock: ah, that'd be nice
(22:01:55) mattock: wasn't there such an ID earlier?
(22:02:00) ***cron2 is waiting for dazo to send a patch, tbh :-) - I just brought it up to gather feedback
(22:02:04) mattock: did it blow during Alon's refactoring?
(22:02:19) cron2: it's currently printing the git id in a separate line because Alon said "we don't want it in the version!!"
(22:02:38) cron2: OpenVPN 2.3_master ...
(22:02:41) cron2: git revision: refs/heads/as_work/45f43a41caf14692
(22:02:46) mattock: I assume he gave no reason for his opinion?
(22:02:57) cron2: Because This Is The Only True Way
(22:03:52) mattock: ok, so now it gives stuff like this:
(22:03:52) mattock: OpenVPN 2.3.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Mar 28 2013
(22:04:05) mattock: it's full of stuff not really related to the version number
(22:04:17) mattock: I wonder why adding a Git commit ID would be such a Bad Thing(tm)
(22:04:20) mattock: go for it :D
(22:04:26) cron2: haha :-)
(22:04:30) ***cron2 will poke dazo tomorrow
(22:04:44) mattock: ok
(22:04:50) mattock: anything else we'd like to discuss?
(22:04:53) mattock: we've been quick today
(22:06:01) mattock: oh, jamesyonan: how's your Git-fu improving?
(22:06:13) mattock: feel adventurous enough to use it for OpenVPN 3.0?
(22:06:27) jamesyonan: possibly
(22:07:10) mattock: ok, we'll put the code to Git and move on from there
(22:07:40) mattock: if there's nothing else, I'd call it a day
(22:08:46) mattock: it seems everyone has dispersed already :P
(22:08:55) syzzer: nothing else from my side
(22:08:58) m-a: not entirely
(22:09:05) ***cron2 is still here
(22:09:15) andj: nothing else from my side
(22:09:22) mattock: ok, sounds good
(22:09:30) mattock: I'll write the usual summary tomorrow
(22:09:35) andj: still here though
(22:09:46) mattock: do we want to have a meeting next week?
(22:10:04) mattock: we could aim for weekly or maybe biweekly meetings maybe
(22:10:18) mattock: "meeting when needed" seems to end up in a 6 month pause :)
(22:10:47) mattock: I think regular meetings have been fairly useful
(22:10:51) mattock: opinions?
(22:10:51) andj: sounds good
(22:11:19) cron2: biweekly
(22:11:31) mattock: biweekly, but more often _if_ needed
(22:11:53) mattock: to keep the routine but not overly stress people
(22:12:43) syzzer: yup, sounds good
(22:12:48) mattock: ok, meeting next week if needed, otherwise the week after that
(22:13:16) mattock: ok, I'll take the cat out and then hit the sack :P
(22:13:22) mattock: talk to you later!
(22:13:33) andj: k, nice speaking to you!
(22:13:39) mattock: bye all!
(22:13:53) cron2: *wave*
(22:14:00) mattock: \o/