Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 30th March 2022
Time: 10:30 CEST (8:30 UTC)

Planned meeting topics for this meeting were here:

<https://community.openvpn.net/openvpn/wiki/Topics-2022-03-30>

Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

SUMMARY

cron2, dazo, d12fk, mattock, MaxF, novaflash, ordex and plaisthos participated in this meeting.

---

Cron2 noted that the hackathon T-shirts have not yet been sent to novaflash for further distribution.

--

Novaflash presented a workaround to the "no IPv6 on community servers" dilemma. The proposal is to create subdomains in Cloudflare for each community server and turn on IPv6 there without affecting the whole openvpn.net domain. This seems to be the only reasonable way forward that can be done relatively quickly.

--

Talked about OpenVPN 2.6.

Plaisthos has an HMAC-based (syn cookies) three-way handshake working for none/tls-auth/tls-crypt. Cron2 is fighting DCO and iroutes right now, but he has a path forward. Besides that, the patch queue looks fairly decent. The big ones are done, and there are a few small ones that want to be looked at (and old stuff that needs to be revived or closed). Some patches in the queue require more careful review before being merged.

--

Talked about community server upgrade. Mattock plans to migrate the current (somewhat outdated) community servers to the new VPC, then upgrade them one by one.

--

Talked about new production buildbot. It is now email notification capable. It was agreed to make it send build failures and other notifications to the openvpn-builds mailing list.

Potentially it could be configured to notify "project owners" as well if we wanted that.

--

Full chatlog attached
(11.24.21) mattock: meeting time almost here
(11.26.59) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] has joined the room.
(11.30.46) novaflash [~novafl...@185-227-75-241.dsl.cambrium.nl] has joined the room.
(11.32.45) mattock: anyone here?
(11.32.57) dazo: yupp!
(11.32.58) novaflash: no
(11.33.02) cron2: meow
(11.33.05) MaxF: not me!
(11.33.34) novaflash: hey cron2 - did i neglect to send you my address in 
regards to distribution of t-shirts?
(11.34.26) d12fk: also here mattock
(11.34.37) cron2: no, but after it took weeks to get the addresses, I got too 
busy otherwise... so sorry, t-shirts still sitting here.
(11.34.43) ***cron2 feeling embarrassed
(11.35.01) novaflash: ah okay. so it's not my fault.
(11.35.15) novaflash: we still didn't get ipv6
(11.35.16) cron2: *this* is all my fault.  Everything else can be your fault 
today :-)
(11.35.18) ***novaflash feeling embarrassed
(11.35.38) d12fk: btw, closed the --dns PR on github manually, didn't autoclose 
b/c of the formatting changes by cron2
(11.36.01) novaflash: okay, i already managed to deflect some blame onto dazo 
yesterday, so i'm ready to take on more today.
(11.36.08) cron2: github autodetects merged patches, even if no reference to 
the PR in the commit message?
(11.36.34) d12fk: git can do that
(11.36.55) d12fk: iff the sha is the same
(11.37.29) d12fk: this time it just showed conflicts with master waaaay on the 
bottom
(11.37.48) cron2: well, yeah, that's the uncrustification
(11.38.01) cron2: d12fk: but that's good to know
(11.40.17) mattock: maybe novaflash can mention the potential workaround/fix to 
the IPv6 dilemma?
(11.40.28) novaflash: oh yeah
(11.40.37) novaflash: you can set a different nameserver per subdomain
(11.40.56) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2022-03-30
(11.41.03) novaflash: so we can run another nameserver for community stuff and 
assign the subdomains to that nameserver so it can do ipv4 and ipv6 without 
affecting the rest of the openvpn.net domain's dns settings
(11.41.15) cron2 has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2022-03-30
(11.41.23) novaflash: which, if i understand the situation correctly, can be a 
workaround/solution, at least until the time the company does ipv6 on the whole 
domain.
(11.41.56) cron2: that sounds like a way forward for community :-) - and way 
backward for corp ("we have solved what Gert is complaining about, so we do not 
need to fix the actual thing")
(11.42.01) mattock: "until the time" could be years from now, so I think this 
is a reasonable hack
(11.42.39) cron2: I'm fine if I have IPv6 on everything I want to access 
regularly...
(11.43.06) novaflash: does your fridge have ipv6?
(11.43.31) cron2: it has no network connection
(11.43.42) novaflash: but then how will you access it..
(11.43.46) mattock: I will get worried when they start selling axes that have 
IPv6
(11.44.12) mattock: anyhow
(11.44.22) mattock: novaflash: did you do a PoC about this subdomain thing?
(11.44.28) novaflash: no
(11.44.33) novaflash: but it's trivial to try one
(11.44.42) cron2: novaflash: I walk into the kitchen and open the door :-)
(11.45.00) novaflash: but you said you want ipv6 on everything you access 
regularly..:-P
(11.45.23) novaflash: so let's do a poc and see what happens
(11.45.34) plaisthos: probably nothing happens and it just works
(11.45.39) novaflash: ya
(11.46.25) plaisthos: As for the 2.6 syncup. I already have HMAC based (syn 
cookies) three way handshake working for none/tls-auth/tls-crypt. 
(11.46.44) cron2: very very nice
(11.46.52) plaisthos: tls-cryptv2 stateless 3way handshake requires client 
support, protocol changes 
(11.48.22) plaisthos: so tls-cryptv2 will default to allow creating a session 
with just a normal packet (so you are vulnerable to replay attacks) 
(11.49.07) plaisthos: but probably tls-crypt-v2 version will get an optional 
parameter that controls if old clients are allowed, whose default will be changed 
somewhere in the future
(11.50.18) cron2: this is what you designed & agreed on at the hackathon, right?
(11.52.46) mattock_ [~ya...@mobile-access-bcee59-221.dhcp.inet.fi] has joined the room.
(11.53.00) mattock: wow, I was able to join from mobile as well...
(11.56.22) plaisthos: cron2: yeah
(11.56.35) novaflash: mattock - perhaps you can inform community about plans 
for community stuff in april/may or so? if time permits
(12.01.48) mattock_: Yep. So I plan to migrate the current (somewhat outdated) 
community servers to the new VPC.
(12.02.05) mattock_: Then upgrade them one by one
(12.02.22) cron2: great
(12.05.00) mattock_: Another thing: new buildbot is now notification capable
(12.05.13) novaflash: and didn't you also fix trac email sending?
(12.05.30) mattock_: Do we just send the emails to the builds list?
(12.05.41) mattock_: novaflash: yea
(12.05.55) cron2: yes, please
(12.06.50) mattock_: I could potentially send email to "project owners" as well
(12.07.44) mattock_: Also VPN client configs for all interested parties
(12.08.27) cron2: ewww, new VPN client configs... yes, please distribute
(12.08.34) mattock_: +1
(12.11.53) mattock_: Anything else?
(12.12.05) cron2: I'm fighting DCO and iroutes right now
(12.12.35) cron2: I think I have a path forward (two clients, one with /32s on 
its loopback, networks iroute'd to that client - and a second one doing 
t_client pings on those iroute IPs)
(12.14.52) cron2: besides this, our patch queue looks fairly decent.  The big 
ones are done, there are a few small ones that want to be looked at (and old 
stuff that needs to be revived or closed)
(12.25.40) mattock_: Discussion came to an end? :)
(12.26.18) plaisthos: I have a number of patches that are sitting on the 
mailing list and are ignored
(12.26.49) plaisthos: especially: Implement --client-crresponse script options 
and plugin interface
(12.26.50) ordex: hi!
(12.26.56) novaflash: just in time ordex
(12.27.04) ordex: for the blaming?
(12.27.08) plaisthos: somehow that patch got ignored from the auth pending 
patchset for some reason
(12.27.43) cron2: plaisthos: yes, these are the ones I wanted to go through.  
Some I saw and just did not understand, some need more clueful eyes (lev's 
M_ERRNO patch)
(12.53.25) novaflash has left the room (quit: Quit: let he who is 
innocent cast the first /quit message).
(13.01.36) mattock: writing the summary