Hi,
Here's the summary of the IRC meeting.
---
COMMUNITY MEETING
Place: #openvpn-meeting on libera.chat
Date: Wed 18th May 2022
Time: 10:30 CEST (9:30 UTC)
Planned meeting topics for this meeting were here:
<https://community.openvpn.net/openvpn/wiki/Topics-2022-05-18>
Your local meeting time is easy to check from services such as
<http://www.timeanddate.com/worldclock>
SUMMARY
cron2, dazo, d12fk, mattock, MaxF, ordex and plaisthos participated in
this meeting.
---
Mattock has completed rebuild and modernization of build.openvpn.net,
but the switch (old -> new) still needs to be done.
Mattock is almost done with rebuild and modernization of Patchwork in
Vagrant. Once that is done deploying Patchwork in AWS EC2 will be fairly
trivial.
After that mattock shall move to upgrading ldap, pwm and trac.
Cron2 will test the community VPN and set up new buildslaves, hopefully
next week.
---
Talked about the private Git repository currently hosted on
build.openvpn.net. It is mainly used for testing feature branches with
buildbot and also for hosting sensitive code not yet releasable for the
general public (i.e. fixes to vulnerabilities).
Agreed that having such a local repository is preferable to having a
private repo on a public cloud-based Git host (e.g. github.com or
gitlab.com).
Mattock will see how such a repo could be integrated with the new buildbot.
---
Talked about the next hackathon. Agreed that it would be nice to have it
in Delft. MaxF will ask around at Fox-IT if doing that would be feasible.
---
Noted that 2.5.6 + ossl3 does not work well. Therefore 2.5.7-to-be has
the ossl3 backports, so we need a 2.5.7 release "soonish". Agreed that
next Tuesday is doable.
Also noted that upstream (e.g. Ubuntu) needs to be notified of the
issues so that they can backport the fixes.
--
Full chatlog attached
(11.23.34) mattock: almost meeting time
(11.23.44) ordex: lunch time you mean ?
(11.28.32) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] è entrato nella
stanza.
(11.29.29) mattock: yes, also lunch time!
(11.30.02) MaxF: what, already? time zones are weird
(11.30.09) ordex: not i's just mattock
(11.30.12) ordex: *it
(11.30.42) MaxF: hello, anyway!
(11.31.06) mattock2 [~ya...@mobile-access-bcee3c-243.dhcp.inet.fi] è entrato
nella stanza.
(11.31.57) d12fk: .fi is +3, right?
(11.32.13) mattock: yes, now it is
(11.32.36) d12fk: makes you early lunch explanation
(11.32.52) d12fk: it's LATE actually ;-)
(11.33.10) ***cron2 is here and is not here
(11.34.33) d12fk: omg cron2 is Heisenberg
(11.34.39) cron2: heisencron2
(11.35.12) mattock: let me give an update before I leave for lunch (faster
typing than on mobile)
(11.35.29) mattock: I've completed rebuild and modernization of
build.openvpn.net, but the switch needs to be done
(11.35.59) mattock: I'm almost done with rebuild and modernization of patchwork
- still working in Vagrant, but once that's done deploying it in AWS EC2 will
be almost trivial
(11.36.18) mattock: from there I shall move to ldap, pwm and trac
(11.36.24) cron2: yeah, now it's my time to do something... test the community
VPN, set up new buildslave. I hope I can get stuff done next week.
(11.36.31) ***plaisthos is here
(11.36.41) mattock: trac will be most effort, pwm and ldap should be easier
(less moving parts)
(11.36.50) mattock: cron2: +1
(11.37.28) mattock: there's one topic related to build.openvpn.net we should
discuss: there's a local Git repo there which is used to do feature branch
tests against buildbot
(11.37.41) ***dazo is here
(11.37.56) mattock: could we replace that with a public repository (e.g.
GitHub, GitLab)?
(11.38.24) cron2: I like the private repository, because it gives me the
opportunity to share quarantined stuff with you
(11.38.28) mattock: so basically have a public place where you (developers) can
push branches and then point buildbot at them
(11.38.38) mattock: how about a private public repository?
(11.38.47) cron2: like, prepare a release with CVE stuff, push to build, you
can test stuff on it
(11.38.48) mattock: where we (developers) have access
(11.39.04) ***cron2 is not trusting github or gitlub to keep anything private
(11.39.11) mattock: I see where this is going :D
(11.39.19) cron2: so what is your reasoning for wanting to go away from build?
(11.39.20) dazo: yeah, I think we should have the internal git repo ... it's
good to be able to test some builds "internally only" some times
(11.39.29) cron2: (I can do the quarantine stuff on my machine, we've done
this before)
(11.39.37) mattock: cron2: nothing except to keep the complexity of the setup a
bit lower
(11.40.32) ordex: +1 for keeping a really private repo - whether this is on
build.o.n or somewhere else is not important, as long as we don't use gh or gl
for that
(11.40.34) mattock: but I believe the setup of the private git repository on
build.openvpn.in has been codified, so reimplementing it is doable as well
(11.40.43) cron2: I'd keep that complexity (but it's not me doing that work,
and maybe I am misjudging the amount of work needed - I think it's "one-time
setup, done", isn't it?)
(11.40.55) mattock: yeah, it is not a horrible amount of work
(11.41.12) mattock: a few hours probably, assuming we can grant buildbot access
to it
(11.41.13) mattock: easily
(11.41.45) mattock: anyhow, let's go with the approach we have, I will figure
out if there are any major issues with that
(11.41.57) mattock: -> lunch
(11.42.19) ordex: quick distraction: do we want to start *thinking* or
*planning* the next hackathon?
(11.42.40) cron2: I like hackathons :-)
(11.42.43) ordex: :-)
(11.43.24) cron2: (was wearing my t-shirt yesterday, talking to a guy from .ua,
showing him lviv on the back :-) - he liked that)
(11.43.27) plaisthos: we need time and location
(11.43.33) MaxF: Should I ask if Fox-IT would sponsor another one?
(11.43.35) ordex: :D
(11.43.43) cron2: Delft is nice
(11.43.44) ordex: MaxF: anything is welcome at this stage
(11.43.51) ordex: and what cron2 says :)
(11.44.18) plaisthos: Yeah, I would exclude .ua at the moment personally
(11.44.26) cron2: yes :(
(11.44.32) ordex: yeah, not the best place to travel to at the moment,
unfortunately
(11.44.57) plaisthos: or easy to travel to since commercial flights are still
suspended
(11.45.13) ordex: yap yap
(11.45.22) ordex: but Delft would surely be an option
(11.46.01) MaxF: are hackathons usually late in the year, or was last time an
exception?
(11.46.45) d12fk: think we pushed it out a bit because of covid
(11.46.46) cron2: we've usually stuck to "some time after the summer holidays",
so september-november, depending on who has time when
(11.47.17) ordex: yeah
(11.47.45) ordex: ideally who organizes should possibly poll some dates
(compatible with the host) and come up with a decision
(11.47.51) MaxF: ok, I hope I can get them to sponsor it :)
(11.47.59) cron2: last delft hackathon was early october
(11.48.14) cron2: helsinki hackathon was sep 20
(11.50.20) plaisthos: and locals were dressed for at least 5C warmer than it was
(11.50.36) dazo: FOSDEM ones was january/february .... and too cold meeting
spots :-P
(11.51.50) d12fk: a chance for scarfs to play their strengths
(11.52.20) dazo: gloves hacking is challenging ....
(11.52.52) ordex: :D
(11.53.12) ordex: ok, so MaxF we will wait for you to let us know about a
response from foxit?
(11.53.35) dazo: +1
(11.54.06) MaxF: yes, I'll let you know next week
(11.55.00) ordex: thanks!
(11.55.04) MaxF: can you give me some ballpark figure for how much money is
expected from them?
(11.55.13) MaxF: would be good to know before I ask ;)
(11.55.21) d12fk: yes thanks indeed, missed the last one in Delft, so would be
nice personally for me
(11.55.55) d12fk: MaxF: it's about location mainly
(11.56.13) ordex: MaxF: the point is more about providing a location and
finding accommodation
(11.56.14) d12fk: usually also coffee but that is optional already
(11.56.33) plaisthos: MaxF: yeah, OpenVPN inc will probably sponsor dinners as
there are so many from openvpn inc now.
(11.56.50) ordex: if foxit could provide the location (i.e. some meeting room)
that would be already "sponsoring"
(11.57.17) ordex: for the number of people, I think we can say we normally are
in the range of 15-20 people at most
(11.57.32) ordex: (just to have a higher bound, we may be less)
(11.58.03) cron2: MaxF: when we did Munich on SpaceNet facilities, SpaceNet
provided "meeting room and Internet" (and since this was weekend only, both did
not really cost "actual money"). I paid for Snacks and soft drinks, because I
was happy I hadn't to pay for a flight ticket :-)
(11.58.33) ordex: MaxF: unless we got it wrong, when you said "foxit can
sponsor it" we were imagining "MaxF can organize it and host at foxit" :D
(11.58.37) dazo: I recall an IKEA hotel "next door" to the Fox-IT site ....
(11.58.44) cron2: yep
(11.59.16) plaisthos: the "we are not a ikea hotel but there is an IKEA
philosophy guide instead of a bible in the room"
(11.59.25) cron2: last meeting (with the host actually sponsoring food and
softdrinks and everything for a full week) was an exception
(11.59.36) ordex: do you get to mount your bed before you actually sleep?
(12.00.01) MaxF: I said I'll ask ;) But if Fox hasn't become too paranoid
since last time, I'll organize it
(12.00.08) ordex: :)
(12.00.15) dazo: MaxF: I believe Adriaan and Steffan were the persons involved
last time ... the concept hasn't changed that much since then (except there's a
much larger group from OpenVPN Inc these days)
(12.01.03) ordex: MaxF: actually each of the participants is expected to care
about himself...so not much work to do, except providing a framework (take this
as an example of when I organized one:
https://community.openvpn.net/openvpn/wiki/TrentoHackathon2019)
(12.04.50) ordex: so we all went sun bathing?
(12.05.10) cron2: I remember dark rooms and too much coffee
(12.05.13) d12fk: i'm still pale
(12.05.20) ordex: :-D try harder!
(12.05.57) d12fk: anything on the agenda left?
(12.06.35) d12fk: pushed update to pre-commit hook for a problem ordex found
(12.06.47) ordex: I have seen the patch - will give it a go today
(12.07.25) d12fk: the produced patch will not apply if the changes in the
working dir conflict with the patch obv
(12.07.43) ordex: <o>
(12.08.00) d12fk: tried around a bit but found no easy solution to determine if
it should only be applied to the staging area
(12.08.30) d12fk: but then devs will get it
(12.09.35) cron2: 2.5.7
(12.13.44) cron2: so, I put it into the agenda - 2.5.6 + ossl3 does not work
well. 2.5.7-to-be has the ossl3 backports, so we need a 2.5.7 release "soonish"
(12.14.05) cron2: and *then* we need volunteers to discuss this with fc36 and
ubuntu22 openvpn maintainers, if that version can be bumped
(12.14.34) ordex: dazo: maybe you can poke the fedora guys?
(12.14.39) ordex: but first we need 2.5.7 to be out
(12.14.51) ordex: I guess we need mattock for that?
(12.15.07) cron2: I can do 2.5.7 release next week ("tag, changes.rst, push")
but need mattock for the rest of the machinery
(12.15.07) dazo: For fc36, that's no problem .... *I* am the Fedora OpenVPN
package maintainer ... and it's already on 2.5. A 2.5.7 release is a no-brainer
(12.15.20) plaisthos: we probably need to file bugs against openvpn in ubuntu
22 and point out why they need to be fixed
(12.15.23) cron2: dazo: oh? that is easy, then :-)
(12.15.51) cron2: (why did the fc36 maintainer not say anything about issues
with ossl3, then? ;-) )
(12.15.55) plaisthos: Knowing their philosophy they don't want a new OpenVPN
2.5.7 release but will probably cherry-pick all the commits
(12.16.16) dazo: cron2: it hit the streets last week; I've been too busy
elsewhere
(12.16.19) cron2: plaisthos: yes, this...
(12.16.20) mattock2: 2.5.7 next week is doable
(12.16.27) cron2: dazo: haha, an ambush release
(12.16.48) cron2: mattock2: great
(12.16.55) plaisthos: But I can open a bug on the Ubuntu 22 openvpn package
explaining the issue and pointing at the commits on github
(12.17.31) cron2: plaisthos: that would be good. Do you want for 2.5.7, or
just point at the commits?
(12.18.08) plaisthos: I want to say, it is best to use 2.5.7 but here are the
individual commits that you need to pick up if you don't want 2.5.7
(12.18.19) ordex: yap yap, sounds good
(12.18.20) cron2: yep
(12.18.23) becm: if I interpret correctly, smartcard support with OSSL3 will
also need at least pkcs11-helper 1.29
(12.18.41) dazo: Normally the Fedora releases goes quite smooth ... but I see
one getting reported yesterday
https://bugzilla.redhat.com/show_bug.cgi?id=2087181 .... not heard anything
from anyone else on Fedora 36 (including beta testing phase) prior to this
(12.18.41) plaisthos: that will be like 5 of 8 commits that are the diff
between 2.5.6 and 2.5.7
(12.18.42) vpnHelper`: Title: 2087181 – OpenVPN Connection stopped working
after upgrade to F36 (at bugzilla.redhat.com)
(12.19.48) cron2: oh, that's an interesting one, .p12 files not loading
(12.19.56) plaisthos: p12 files is "normal"
(12.19.58) cron2: (I think the default crypto there is also "legacy provider",
no?)
(12.20.11) plaisthos: openssl <= 1.1 sign them by default with rc2 which
requires legacy provider
(12.20.22) plaisthos: s/sign/encrypts/
(12.20.45) dazo: yeah, that sounds quite plausible
(12.20.59) plaisthos: but the same should happen with openssl binary
(12.21.00) plaisthos: so no idea
(12.24.10) cron2: the actual openvpn log (not ltrace, and not nm log) might
have a more useful error message...
(12.25.15) plaisthos: I remember adding a patch during OpenSSL 3 development to
actually print PKCS12 error messages
(12.25.19) plaisthos: not sure if that got also into 2.5
(12.26.37) cron2: I can't remember any specific patches related to error
message printing...
(12.26.41) plaisthos: cron2: git cherry-pick 6ac4e63c57
(12.26.56) cron2: ah!
(12.27.18) plaisthos: also a candidate for 2.5.7 :)
(12.27.21) cron2: yes, in :-)
(12.27.24) cron2: applies nicely
(12.30.55) cron2: mattock2: specific preference for next week?
(12.31.56) mattock2: No
(12.32.06) cron2: Tuesday, then?
(12.35.52) mattock2: +1
(12.36.01) cron2: cool
(12.43.13) dazo: I presume the meeting has been wrapped up
(12.44.25) plaisthos: so Ubuntu already picked up the patch for
tls-cert-profile insecure:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1968629
(12.44.26) vpnHelper`: Title: Bug #1968629 “OpenVPN fails to start/connect:
OpenSSL: error:0A0...” : Bugs : openvpn package : Ubuntu (at bugs.launchpad.net)