Hi,
Here's the summary of the IRC meeting.
---
COMMUNITY MEETING
Place: #openvpn-meeting on irc.freenode.net
Date: Wed 24th March 2021
Time: 11:30 CET (10:30 UTC)
Planned meeting topics for this meeting were here:
<https://community.openvpn.net/openvpn/wiki/Topics-2021-03-24>
Your local meeting time is easy to check from services such as
<http://www.timeanddate.com/worldclock>
SUMMARY
cron2, dazo, d12fk, lev, mattock, ordex and plaisthos participated in
this meeting.
---
Noted that community.openvpn.in still does not support IPv6 (at
Cloudflare). The main blocker seems to be .net and .com split, which is
still work in progress.
---
Gave updates on OpenVPN 2.6. Cron2 is working his way through the open
patch sets and ordex and plaisthos are reviewing and revising patches. On
the OpenVPN Inc. side there's a clear focus on getting the OpenVPN 2.6
patches in.
Lev is about to announce dco-win and provide a link to an OpenVPN 2 +
openvpn-gui installer which has the driver bundled. The driver source will
be published on OpenVPN's GitHub. On the OpenVPN 3 side the dco-win
support is still work in progress.
Mattock will test Lev's installer on Windows ARM64.
---
Noted that OpenVPN 2.5.2 release will need a bit more time.
---
Talked about building OpenVPN for/on Windows with MSVC. Agreed that
going from our custom buildsystem (openvpn-build/msvc) to standard CMake
located in the OpenVPN 2 repository is the right way forward. It seems
necessary to build a vcpkg for libpkcs11-helper for this to work.
The CMake work would not replace autotools on non-Windows platforms. Nor
would it replace cross-compiling using openvpn-build/generic.
---
Talked about deprecating --secret mode in 2.6 and removing it in 2.7.
Nobody was opposed. Plus peer-fingerprint should be almost as easy to set up.
---
Talked about "Containerized buildmaster and mattock's buildslaves".
There's no progress, but mattock will officially leave the ops team on
15th April 2021, so after that he can finally focus on that task.
---
Talked about "Bridged Windows 10 Causes Sporadic Crashes":
<https://community.openvpn.net/openvpn/ticket/1385>
Hopefully we can get OpenVPN Inc. QA to replicate the environment and then
get the data to reproduce the issue and fix it. Mattock has detailed
information from the bug reporter (mpfrench) that can be used here.
---
Noted that FIPS support is now present in Git "master" branch. It can
finally be removed from the meeting agendas.
---
Talked about the option of having video calls every now and then. Nobody
was opposed to the idea. [Also agreed to have Jitsi call next week.]
---
Full chatlog attached.
(12:26:32) ordex: <o/
(12:26:35) ordex: \o>
(12:26:38) ordex: |o|
(12:26:42) ordex: /o\
(12:29:22) mattock: howdy!
(12:29:41) lev__: hello
(12:29:45) cron2: hullo
(12:29:58) ordex: hi
(12:30:33) d12fk: hi
(12:31:01) mode (+o d12fk) by ChanServ
(12:32:18) cron2: so, is plaisthos already awake?
(12:32:33) cron2: ordex: what did you torture him with, yesterday night?
(12:33:00) ordex: some more v6-mapped v4 addresses. but he survived
(12:33:34) ordex: found out that the UDP tunnelling in the linux kernel does
not work exactly as we have in userspace. but a patch was merged and since 5.12
we will have the same behaviour
(12:33:42) ordex: I spare you the details, unless you care :)
(12:33:59) cron2: I care, but maybe not in the meeting time
(12:34:34) ordex: okok
(12:34:49) ordex: plaisthos: dazo: ?
(12:35:02) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-03-24
(12:36:40) cron2: mattock: can we spend the time to hear about ipv6 on
community?
(12:37:01) mattock: sure, no news on that front
(12:37:16) ordex: that was a fast discussion
(12:37:27) ordex: I guess we are waiting for the .net vs .com split?
(12:37:56) cron2: can you (for some value of you) push this a bit?
(12:38:23) ordex: last time I did I was told there is a plan and we just have
to wait for $things to happen
(12:38:27) ordex: lots of $things
(12:38:31) ordex: but can try again
(12:39:25) plaisthos: Yeah, awake
(12:39:49) cron2: ordex: thanks
(12:40:21) ordex: I threw some message to see what the plan is
(12:40:23) cron2: (I *did* mention that none of this makes any sense... but
just feel the need to say it again)
(12:40:32) cron2: anyway... let's start
(12:40:44) ordex: cron2: I guess when tech needs hit business priorities
nothing makes sense anymore
(12:40:45) ordex: :D
(12:40:49) cron2: 2.6 news...
(12:40:55) ordex: yeah
(12:41:19) cron2: - I am working my way through the open patch sets (thanks to
ordex for all the reviews, thanks to plaisthos for sending new versions quickly
while the momentum is there)
(12:41:50) cron2: - found new "config not reset after SIGUSR1" bugs at it (now
that I have a testbed... testing is *BAD* because you always find stuff you
didn't want to hear about)
(12:41:56) ordex: internally (corp side) we are trying to dedicate more time on
reviewing openvpn2 patches and I made this my high prio too. so more review
will come
(12:42:04) lev__: I was planning to announce dco-win and provide link to
openvpn-gui installer which has driver bundled
(12:42:10) dazo: Oh, I'm here
(12:42:20) lev__: and publish driver code to openvpn github
(12:42:22) cron2: - patchwork is looking much better these days, so I think we
could dare to see the next big patchset "soonish"
(12:42:30) ordex: cron2: schhh
(12:43:15) ordex: cron2: regarding the SIGUSR1 bug - will you send a patch or a
mail explaining the issue?
(12:43:16) cron2: lev__: *like*. Which ovpn client has support for dco-win
today? 2 or 3?
(12:43:52) cron2: ordex: well, I did :-) - it's in my reply to 2/3 and 3/3.
That lists how to test it and what we found (compress and at least
route-gateway)
(12:44:06) lev__: nothing yet merged to master, but for 2 I have installer
built from plaisthos dco branch
(12:44:26) ordex: cron2: oh okok, thanks - didn't look that deep
(12:44:38) lev__: there is a good chance that latest installer will also work
on arm64
(12:44:58) cron2: ordex: if my replies are like 5x the length of the usual
"your patch has been applied to..." it's for good reason :-)
(12:45:24) ordex: hehe no doubt
(12:45:26) cron2: lev__: nice. I still have no device to test that, though...
(I have an ARM Mac, but that cannot run windows)
(12:45:48) plaisthos: I think you can get arm/windows to run on that thing
(12:45:52) plaisthos: in a vm
(12:45:55) cron2: (though I think we might see vmware-on-mac being able to run
windows-on-arm...)
(12:46:08) mattock: lev: I will test on windows arm64 today
(12:46:13) lev__: for 3 there is branch from d12fk which we'll likely review
today, but 3 has so-called "reference" client which is not super user friendly
(12:46:15) cron2: I'll hope so. Right now I wouldn't know which virtualizer is
ready
(12:46:37) cron2: lev__: isn't "Connect" on windows built on top of 3?
(12:46:54) plaisthos: parallels seems to have a tech preview
(12:47:13) cron2: fooosch
(12:47:21) lev__: right, but we're not yet ready for ovpn-dco for connect
(12:47:40) cron2: lev__: what's missing?
(12:48:17) ordex: ovpn3 integration is WIP AFAIR
(12:48:20) lev__: agent support (d12fk is working on it) and dco-win support in
Connect MSI installer
(12:48:54) dazo: Connect will need an updated OpenVPN 3 library update which
provides the win-dco support, which is scheduled for a later release
(12:48:59) cron2: yeah, the installers will be fun...
(12:49:01) lev__: it takes order of magnitude more work to get stuff done with
MSI comparison to NSIS
(12:49:32) d12fk: it really doesn't kick the llama's ass
(12:49:33) lev__: so I made NSIS installer for openvpn-gui
(12:50:50) lev__: with MSI you have hundreds/few thousand? lines of XML,
support C code and even some VBscript to make it work
(12:51:38) cron2: yeah, I merged the ton of msi-related patches to the openvpn
2 repo...
(12:52:16) lev__: honestly I am now sure what are advantages of MSI comparison
to NSIS, MSI requires much much more maintenance
(12:52:33) ordex: job security !!
(12:52:40) ordex: :)
(12:52:47) cron2: "The Parallels software can run Windows using Microsoft's
Arm-based version that's available through the Windows Insider program, but
there's no publicly available version of Arm Windows that can be purchased"
(12:52:51) d12fk: AD rollout is the only one I'm aware of
(12:52:51) cron2: okay...
(12:53:20) plaisthos: cron2: that doesn't sound very user friendly
(12:53:38) cron2: not sure. I've seen more and more packages go to .msi over
the years, so it seems MS to be at least encouraging that way...
(12:54:07) cron2: plaisthos: yes, MS strategy is somewhat unclear...
(12:54:18) dazo: lev__: NSIS has quite a few security challenges
(12:54:56) ordex: [btw i have to leave the helm soon (lunch time here). But I
just wanted to say that I will take a look at
https://patchwork.openvpn.net/patch/636/]
(12:54:57) vpnHelper: Title: [Openvpn-devel,v3] Stop state-exhaustion attacks
from a single source address. - Patchwork (at patchwork.openvpn.net)
(12:55:19) dazo: lev__: And many centralized deployment tools can do that more
smoothly via MSI installers, if I've understood things right
(12:55:25) cron2: ordex: thanks. It is not production ready but could use a
general "is this the right approach?" review
(12:55:33) ordex: ok
(12:55:40) mattock: I'll go boot my arm64 laptop now...
(12:56:44) lev__: not suggesting to drop MSI, just expressing my frustration
(12:57:14) cron2: lev__: from what I had to review and merge, I share that :)
(12:57:24) cron2: or better "I sympathize with you"
(12:58:02) cron2: so... 2.5.2 next?
(12:58:34) dazo: maybe plaisthos can give a quick update
(12:59:15) plaisthos: Having a bad cold. Concentration is not that good, so not
making the progress on the complex thing that I hoped I would
(12:59:24) plaisthos: sorry :(
(13:00:09) dazo: that's fine .... sickness is sickness .... and what we want to
put into 2.5.2 requires a sharp mind; and you have the best overview over the
related challenges
(13:02:26) cron2: ok. good enough.
(13:02:34) dazo: We just need to take the time needed to solve this properly
across all versions. On the plus side, it requires quite some efforts and good
timing to trigger these bugs, so not something most users hit easily
(13:03:05) dazo: plus it involves features not used by most users
(13:03:26) cron2: yeah. More details can be found on the security@ list
(13:03:30) dazo: yupp
(13:04:08) cron2: so... #3, "windows building with MSVC"
(13:04:17) cron2: lev__: your bullet point...
(13:05:33) lev__: idea is to make openvpn buildable on windows without
openvpn-build
(13:06:33) lev__: that would require cmake file (which plaisthos already has)
and fetching dependencies via vcpkg and, if needed, create vcpkg ports for
missing dependencies
(13:08:57) dazo: My take on this is that if CMake replaces openvpn-build,
that's a good move in the right direction. The CMake approach is more
standardized than openvpn-build - and we end up anyhow maintaining two build
systems. Moving towards standardized build systems is good.
(13:09:27) cron2: my take is "the end result needs to be an easy-to-follow
recipe on our wiki"
(13:09:31) cron2: - install this
(13:09:35) cron2: - then do that
(13:09:41) cron2: - run this command
(13:09:49) cron2: - out falls an .exe that does...
(13:10:01) lev__: this change would lower the threshold for new windows
developers, you just checkout openvpn and start coding, no more custom build
scripts which download/build openssl etc
(13:10:37) cron2: I'm all for it :-) - but what I stress is that this
information should be easy to find and easy to follow
(13:10:44) dazo: I'm reluctant to swap out autotools with CMake, but might
change my view on that later on .... both autotools and CMake have good and
nasty sides, it's more kind of pick-your-poison. I would be interested in
seeing other alternatives on the table which would also cover CMake on Windows
in a standardized way could pan out, though.
(13:10:55) cron2: I'm not a windows developer, and have no idea how to do
windows developing - so, "recipe"
(13:11:11) dazo: but isolated for Windows building .... moving towards CMake
makes sense to me
(13:11:13) cron2: dazo: we're not suggesting to change from auto* to cmake on
non-windows today
(13:11:31) cron2: (and I would have strong reservations there... cmake seems to
bring in quite a bit of pain)
(13:12:05) cron2: lev__: am I making sense to you? short form "yeah, go for
it" :-)
(13:12:39) lev__: yes sure, me and plaisthos can take care of it
(13:13:06) plaisthos: the cmake build file will also work for non-Windows files
but that is more "developer only" for that
(13:13:22) cron2: I'll be happy to ACK and merge the patch to openvpn-build to
rip out windows and replace it with a link to the new documentation :-)
(13:13:43) plaisthos: biggest problem with cmake as of now is the pkcs11-helper
(13:13:59) plaisthos: that doesn't exist in vcpkg
(13:14:47) lev__: echo Build pkcs11-helper
(13:14:47) lev__: cd build.tmp\pkcs11-helper*
(13:14:47) lev__: cd lib
(13:14:47) lev__: nmake -f Makefile.w32-vc OPENSSL=1 OPENSSL_HOME="%TARGET%" all
(13:15:03) lev__: this can be wrapped into vcpkg custom port
(13:16:22) plaisthos: yeah then we should do that
(13:17:47) mattock: I'm all for scrapping openvpn-build/msvc, I've always hated
it and never used it :D
(13:17:58) mattock: topic #4?
(13:18:04) mattock: deprecate --secret mode in 2.6, remove in 2.7?
(13:18:18) cron2: "fine with me"
(13:18:23) plaisthos: Yeah, the code diverges more and more
(13:19:29) mattock: nobody opposed?
(13:19:32) plaisthos: and peer-fingerprint should make an almost as easy setup
(13:19:38) mattock: +1
(13:20:45) dazo: agreed, peer-fingerprint is a much saner and more secure
approach to --secret
(13:21:13) dazo: The --secret era has served its purpose and now we need better
solutions
(13:21:50) dazo: (and for those arguing for --secret serving a purpose for
traffic obfuscation, stunnel can do the same)
(13:22:24) cron2: +1
(13:23:19) cron2: seems we're all in agreement, and hungry
(13:23:20) Pippin_ has left the room (quit: Remote host closed the
connection).
(13:23:35) Pippin_ [Pippin_@gateway/vpn/protonvpn/pippin/x-75792076] has entered
the room.
(13:23:37) cron2: so, quick round on #5? or #6? (build*things and windows
bridge crash)
(13:24:17) mattock: "Containerized buildmaster and mattock's buildslaves": no
progress on that front, but I will officially leave the ops team on 15th April
2021, so after that I can finally focus on that task
(13:24:27) dazo: \o/
(13:24:59) mattock: "Bridged Windows 10 Causes Sporadic Crashes": we had an
internal discussion about that, and will talk to our internal QA guys
(13:25:20) mattock: hopefully we can get them to replicate the environment and
then we can get the data to reproduce the issue and fix it
(13:25:37) mattock: I have all the info that should be needed from the bug
reporter (mpfrench)
(13:25:53) cron2: good :-) +2
(13:25:53) mattock: I'll just need to know who to assign the task to, plus
compile all the info somewhere
(13:26:02) mattock: that's all about that
(13:26:52) cron2: I'd skip #7 and just touch on #8... I think we can remove
that from our long-standing agenda now.
(13:27:13) dazo: +1
(13:28:18) cron2: it's only master, but since we're aiming for a "quick" 2.6,
that should be good enough (the FIPS stuff has been pending for years, and
nobody really showed "much interest" in it, over all the time)
(13:28:25) mattock: +1
(13:29:01) cron2: lunch time?
(13:29:06) mattock: I had lunch, but yes
(13:30:29) cron2: I wonder if you are interested to do a video meeting once in
a while...
(13:30:43) cron2: I had a jitsi chat with plaisthos last week and it was nice
to actually *see* each other again
(13:30:43) plaisthos: I will reply to the patch and ask if they still need it
(13:30:56) cron2: but then, most likely you're doing that for corp meetings all
week anyway?
(13:31:02) cron2: plaisthos: ah, thanks
(13:31:31) plaisthos: the problem with sparklabs is that they were always very
coy *why* they wanted a change
(13:31:48) mattock: video meetings every now and then would be good
(13:32:34) mattock: wrapping up the summary now
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel