[Openvpn-devel] Summary of the IRC meeting (15th Jul 2010)

2010-07-16 Thread Samuli Seppänen
Hi,

Here's the summary of the previous community meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thursday, 15th Jul 2010
Time: 18:00 UTC

Planned meeting topics for this meeting were on this page:



Next meeting next week, same place, same time. Your local meeting time
is easy to check from services such as



or with

$ date -u


SUMMARY

Discussed handling of security vulnerabilities. Historically security
issues have been reported by security researchers directly to James
Yonan and fixed within days. Decided to

- use a closed security mailinglist for receiving and discussing
undisclosed security vulnerabilities
- encrypt communications on the security ml using PGP
- include key OpenVPN community members in the mailinglist
- include key package maintainers / distributors in the mailinglist (to
give them time to prepare for repackaging)

Also discussed fixing and disclosing of security vulnerabilities. Agreed
that we should disclose security issues in 3 weeks - or less, if a fix
is ready. If a fix is not ready in 3 weeks we should disclose the issue,
provide workarounds (if any) and then fix the issue a.s.a.p.

Agreed that all security issues - whether they're theoretical or being
exploited - should be fixed. Also agreed that our users should be
informed about vulnerabilities in external software OpenVPN depends on
(e.g. OpenSSL). This will be done after developers of the external
software have already disclosed the vulnerability.

Discussed various mechanisms to make security vulnerability discussions
secure. Sending of security vulnerability reports to us could be done
securely with a simple HTTPS webapp. Alternatively, we could make an
official PGP public key available for sending in reports. There are two
options for securing discussions on the security mailinglist:

- everybody uses the same PGP public/private keypair which expires, say,
after one year
- everybody uses personal PGP keys for communication: all need to have
the public keys of everyone else and each mail has to be encrypted once
for every recipient

Agreed that the second option is better, if mail clients can be
configured to do multiple encryption automatically. Samuli promised to
check if Thunderbird + Enigmail supports this. Samuli also promised to
check if SF.net mailinglists could be used for the -security ml.

--

Discussed the "Build failure on OpenBSD 4.7 IFF_MULTICAST" bug:



Cron2 is still awaiting test reports from krzee and fkr.

--

Discussed our buildbot install briefly. It already does the continuous
integration stuff by automatically building OpenVPN "allmerged" branch
and reporting of build problems. By the end of this month we should have
buildbot-created Debian/Ubuntu packages available. Agreed that we should
provide packages for both "beta2.2" and "allmerged" branches.

--

Discussed promises made in these meetings. Agreed that they're easy to
forget and hard to track. Decided to try using Trac for tracking the
promises:



Samuli promised to review latest meeting summaries and create Trac
tickets as required.

--

Discussed the broken bridge scripts. Waldner has now written the
bridging HOWTO, as promised:



---

Full chatlog as an attachment

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



(21:04:31) mattock: hi james!
(21:04:43) mattock: let's start the meeting!
(21:04:47) krzee: i wont have time to even look at servers for a bit, migration 
craziness
(21:04:58) krzee: (also wont be in the meeting, later guys!)
(21:05:13) mattock: krzee: later
(21:05:27) mattock: ok, so what about this: "How do we tackle security issues?  
(f.ex. CVE's)  How are they announced?"
(21:05:34) mattock: full topic list here: 
https://community.openvpn.net/openvpn/wiki/Topics-2010-07-15
(21:05:35) vpnHelper: Title: Topics-2010-07-15 – OpenVPN (at 
community.openvpn.net)
(21:06:47) mattock: dazo: is the CVE topic from you?
(21:07:08) dazo: A guy on #openvpn wondered about how we announce security 
issues and fixes
(21:07:14) mattock: dazo: ok
(21:07:33) mattock: jamesyonan: do we (=company) have a policy for CVE's? 
(21:07:38) jamesyonan: in the past, security issues that have been found are 
communicated to me confidentially
(21:07:59) dazo: and I can't say I remember having seen much of such 
announcement, especially of fixes ... I've seen one CVE, which was tackled in 
2.1_rc9
(21:08:11) jamesyonan: the security issue is then publicly announced at the 
same time a fix is released
(21:08:35) dazo: Yeah, that's the normal procedure
(21:08:48) dazo: Maybe it would make sense to have a "inner circle" of some 
people who will receive such issues?
(21:08:

Re: [Openvpn-devel] Summary of the IRC meeting (15th Jul 2010)

2010-07-16 Thread Samuli Seppänen

> Discussed various mechanisms to make security vulnerability discussions
> secure. Sending of security vulnerability reports to us could be done
> securely with a simple HTTPS webapp. Alternatively, we could make an
> official PGP public key available for sending in reports. There are two
> options for securing discussions on the security mailinglist:
>
> - everybody uses the same PGP public/private keypair which expires, say,
> after one year
> - everybody uses personal PGP keys for communication: all need to have
> the public keys of everyone else and each mail has to be encrypted once
> for every recipient
>
> Agreed that the second option is better, if mail clients can be
> configured to do multiple encryption automatically. Samuli promised to
> check if Thunderbird + Enigmail supports this. Samuli also promised to
> check if SF.net mailinglists could be used for the -security ml.
>   
As promised, I did some digging... Thunderbird + Enigmail _should_ be
able to encrypt messages using several public keys based on the target
address (e.g. openvpn-secur...@lists.sourceforge.net):



I currently only have David's public PGP/GnuPG key - if somebody else
cares to share his key, we could test if this works in practice.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
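What "encrypted once for every recipient" looks like in practice, as an added example that is not code from this thread or from the OpenVPN project: one OpenPGP message addressed to two list members, checked from three separate keyrings. OpenPGP encrypts the body once under a random session key and wraps that key separately for each recipient's encryption subkey, so the client only needs the public keys of all members (the per-address rule Thunderbird + Enigmail is being checked for above). The script assumes GnuPG 2.2+ on PATH; the people, addresses, report text and the helper names (`g`, `setup_keys`, `encrypt_report`, `recipient_packets`, `read_as`) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the OpenVPN thread. Encrypts one message to
# two list members with GnuPG, then checks that each member can read the
# single ciphertext and that a third party holding only public keys cannot.
# Assumes GnuPG 2.2+ on PATH; the people and addresses are constructed.
set -u

WORK=$(mktemp -d)
ALICE="alice@example.org"    # constructed list member 1
BOB="bob@example.org"        # constructed list member 2
REPORT="Constructed test report, not a real vulnerability."

# Run gpg inside a per-person keyring under $WORK, so the parties are really
# separate: each holds only its own secret key plus the others' public keys.
g() {
    who=$1; shift
    if [ ! -d "$WORK/$who" ]; then
        mkdir -p "$WORK/$who" && chmod 700 "$WORK/$who"
    fi
    GNUPGHOME="$WORK/$who" gpg --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Stop the per-keyring gpg-agents and delete the scratch directory on exit.
cleanup() {
    for who in alice bob carol; do
        if [ -d "$WORK/$who" ]; then
            GNUPGHOME="$WORK/$who" gpgconf --kill gpg-agent 2>/dev/null || true
        fi
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Each member generates a passphrase-less test key (certifying primary plus
# an encryption subkey) and exports only the public part. Carol gets the two
# public keys alone, standing in for an outsider who can see list traffic.
setup_keys() {
    if [ -f "$WORK/bob.pub" ]; then
        return 0                      # already done in this run
    fi
    g alice --quick-generate-key "Alice <$ALICE>" default default never
    g bob   --quick-generate-key "Bob <$BOB>"     default default never
    g alice --export "$ALICE" > "$WORK/alice.pub"
    g bob   --export "$BOB"   > "$WORK/bob.pub"
    g alice --import "$WORK/bob.pub"
    g bob   --import "$WORK/alice.pub"
    g carol --import "$WORK/alice.pub" "$WORK/bob.pub"
}

# Alice encrypts the report once, addressed to both members: one -r per
# member is exactly what a client-side rule for the list address expands to.
# --trust-model always: the imported keys carry no web-of-trust signatures,
# and in batch mode gpg would otherwise refuse them as "unusable".
encrypt_report() {
    printf '%s\n' "$REPORT" > "$WORK/report.txt"
    g alice --trust-model always --yes -r "$ALICE" -r "$BOB" \
        --encrypt -o "$WORK/report.gpg" "$WORK/report.txt"
}

# Count the public-key-encrypted session-key packets that precede the single
# encrypted data packet: one per recipient. Listed from Carol's keyring,
# which holds no secret key, so nothing is decrypted here.
recipient_packets() {
    g carol --list-packets "$WORK/report.gpg" 2>&1 | grep -c '^:pubkey enc packet:'
}

# Print the plaintext if keyring $1 can decrypt the message, else DENIED.
read_as() {
    g "$1" --decrypt "$WORK/report.gpg" 2>/dev/null || echo DENIED
}

main() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found on PATH" >&2; return 1; }
    setup_keys
    encrypt_report
    echo "session-key packets: $(recipient_packets)"
    for who in alice bob carol; do
        echo "$who reads: $(read_as "$who")"
    done
}

main
```

`gpg --list-packets` on the ciphertext shows one `:pubkey enc packet:` line per recipient followed by a single `:encrypted data packet:`; the body is not encrypted twice, only the session key is wrapped twice. The operational cost of the personal-keys option is in the key distribution, not the encryption: every member must hold every other member's public key, a new member means everyone updates their rule for the list address, and a message sent before someone joined stays unreadable to them.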




Re: [Openvpn-devel] Summary of the IRC meeting (15th Jul 2010)

2010-07-16 Thread Samuli Seppänen
Samuli Seppänen wrote:
>> Discussed various mechanisms to make security vulnerability discussions
>> secure. Sending of security vulnerability reports to us could be done
>> securely with a simple HTTPS webapp. Alternatively, we could make an
>> official PGP public key available for sending in reports. There are two
>> options for securing discussions on the security mailinglist:
>>
>> - everybody uses the same PGP public/private keypair which expires, say,
>> after one year
>> - everybody uses personal PGP keys for communication: all need to have
>> the public keys of everyone else and each mail has to be encrypted once
>> for every recipient
>>
>> Agreed that the second option is better, if mail clients can be
>> configured to do multiple encryption automatically. Samuli promised to
>> check if Thunderbird + Enigmail supports this. Samuli also promised to
>> check if SF.net mailinglists could be used for the -security ml.
>>   
>> 
> As promised, I did some digging... Thunderbird + Enigmail _should_ be
> able to encrypt messages using several public keys based on the target
> address (e.g. openvpn-secur...@lists.sourceforge.net):
>
> 
>
> I currently only have David's public PGP/GnuPG key - if somebody else
> cares to share his key, we could test if this works in practice.
>   

Did some digging in the wonderful world of SF.net mailinglists...
Snippets from the GNU mailman admin interface:

"Require approval - require list administrator approval for subscriptions"

"*private_roster* (privacy): Who can view subscription list? When set,
the list of subscribers is protected by member or admin password
authentication."

"*generic_nonmember_action* (privacy): Action to take for postings from
non-members for which no explicit action is defined. When a post from a
non-member is received, the message's sender is matched against the list
of explicitly accepted, held, rejected (bounced), and discarded addresses.
If no match is found, then this action is taken."

So it is possible to lock the list down pretty tightly, if required.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
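The three options quoted above, together with the archive and moderation settings that go with them, in the file format Mailman 2.1's bin/config_list reads and writes. This is an added example, not the configuration of any OpenVPN list: the list name openvpn-security is assumed, the values are the ones a closed security list would use, and on a hosted service such as SF.net the same options are set through the web admin pages rather than from this file.

```python
# Mailman 2.1 config_list fragment for a closed security list (added example;
# assumed list name openvpn-security). Apply on a self-hosted Mailman with:
#   bin/config_list -i security-list.cfg openvpn-security
# Each value is the integer Mailman stores for the corresponding radio button
# in the web admin interface.

# Subscription policy: 1 = confirm, 2 = require approval, 3 = confirm and approve.
subscribe_policy = 2

# Who can view the subscription list: 0 = anyone, 1 = list members,
# 2 = list admin only. Members of a security list are not public information.
private_roster = 2

# Postings from non-members with no explicit accept/hold/reject/discard rule:
# 0 = accept, 1 = hold, 2 = reject, 3 = discard. Hold rather than discard, so
# an outside researcher's first report is reviewed instead of silently lost.
generic_nonmember_action = 1

# Do not list the list in the public listinfo index.
advertised = 0

# Archives: either switch them off (archive = 0) or keep them private.
# Even PGP-encrypted bodies still expose sender, subject and timing.
archive = 1
archive_private = 1

# Moderation: new members' posts are held until an admin clears them
# (member_moderation_action: 0 = hold, 1 = reject, 2 = discard).
default_member_moderation = 1
member_moderation_action = 0
```

Two things this cannot do: Mailman sees and archives the mail as delivered, so confidentiality still depends on every post being PGP-encrypted end to end, and "require approval" only controls who receives future mail; removing a member does not recall what they already have.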




Re: [Openvpn-devel] Compiler warnings when using openssl-1.0.0 - beta4

2010-07-16 Thread chantra

> 
> If nobody responds, I'll try to find some time looking into this in the
> near future.
> 

I did in https://community.openvpn.net/openvpn/ticket/5#comment:3

chantra