The chatlog was missing, and here it is.

Hi,

Here's the summary of today's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Monday 22nd August 2016
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:

<https://community.openvpn.net/openvpn/wiki/Topics-2016-08-22>

The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

SUMMARY

cron3, dazo, jamesyonan, mattock, OSTIF-Derek, syzzer, Thermi and
valdikss participated in this meeting.

---

Discussed the Mozilla SOS grant which OSTIF.org wishes to apply for on
behalf of the OpenVPN project. The goal is to have an external party
(of Mozilla's choosing) do an audit of the OpenVPN codebase. It was
agreed that this plan makes sense, and that the audit should focus on
late OpenVPN 2.4 beta or RC version, instead of current stable versions
(e.g. 2.3.12). If the grant application is rejected, then OSTIF.org will
resort to their backup plan, which is to raise money from VPN providers
using OpenVPN.

A secure channel for discussing any found zero-day exploits is required,
and several alternatives were proposed.

---

Discussed an issue with .ovpn file associations in Windows. It would be
best if clicking on a .ovpn file would bring up a gui that asks "do you
want to import this, or start it right away". Valdikss has planned on
doing a GUI such as that, and will hopefully provide a patch soon.

---

Discussed OpenVPN 2.3.12 release. It was agreed that the release/2.3
branch contains enough "stuff" for a release. It was decided to make the
release tomorrow (Tue) afternoon.

---

Discussed [PATCH v2]: Drop recursively routed packets from Lev:

<https://sourceforge.net/p/openvpn/mailman/message/34737757/>

Cron3 gave the patch an ACK. It was agreed to merge it to "release/2.3"
and "master" branches, so that it can go to 2.3.12, and to optimize and
refactor the patch later in "master" branch. Cron3 volunteered to do the
refactoring.

---

Discussed the "Do not pass env for system commands on Linux/Windows/OS X"
patchset from valdikss:

<https://sourceforge.net/p/openvpn/mailman/message/35265481>

Cron3 had given the current implementation a NACK earlier, and dazo gave
his during the meeting. An alternative implementation was also
suggested. The pre-meeting discussion is also available in the attached
chatlog.

---

Discussed "block-outside-dns and multiple tunnels":

<https://sourceforge.net/p/openvpn/mailman/message/35263770/>
<https://community.openvpn.net/openvpn/ticket/718>

It was agreed to move this forward by looking into the approaches
suggested by Selva, and by giving him feedback.

---

Discussed testing on Windows. There is one particular patch which needs
careful testing:

<https://sourceforge.net/p/openvpn/mailman/message/35180749/>

While this one can be tested manually, we should automate testing
Windows-specific features such as "--ip-win32", netsh, api, service
later. Test automation was not seen as a blocker for 2.4.0.

Mattock will create a Wiki page for Windows testing, and content will be
added there by others as needed. The Windows testing project will be
announced in a separate email to openvpn-devel mailing list.

---

Discussed various ways to archive our emails now that Gmane is gone.
Dazo has added our mailing lists to mail-archive.com. Mattock will see
if he could export some of the emails from SF.net archives and import
them to mail-archive.com. Meanwhile ecrist is looking into self-hosting
our email archives using pipermail.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

First a pre-meeting discussion regarding the "Do not pass env for system
commands on Linux/Windows/OS X" patchset from valdikss:

(15:04:10) mattock: btw. at the request of valdikss I added some topics, should we 
have time: https://community.openvpn.net/openvpn/wiki/Topics-2016-08-22
(15:04:11) vpnHelper: Title: Topics-2016-08-22 – OpenVPN Community (at 
community.openvpn.net)
(15:04:37) mattock: patches from the mailing list which may have been forgotten 
about
(15:04:42) cron2: he already got a NAK for those from Dazo, if I remember that 
correctly
(15:04:50) cron2: but I'm happy to add another NAK
(15:05:45) cron2: (I'm not sure about the feature part of the ACK/NAK, but the 
code part definitely is not right - for a trivial change we do not want *three* 
commits, which then leaves out all the other platforms)
(15:07:04) valdikss: cron2: did you get my reply on that?
(15:07:07) cron2: even if we accept these changes, his setup pushing 10.000s of 
routes would still break --up scripts (because "environment to big")
(15:07:31) cron2: valdikss: not sure, but I have no time right now to check
(15:07:50) valdikss: cron2: I have DMARC with p=reject on my domain and when 
sourceforge mailing list sends everyone email from my address in FROM field the 
message might get into SPAM
(15:08:27) valdikss: cron2: that's fine, I'm happy as long as it works without 
up script.
(15:08:28) cron2: valdikss: ah.  I do not filter on DMARC, because i consider 
this a most idiotic idea invented by people that consider "yahoo groups" all 
anyone could want for a mailing list
(15:08:41) cron2: valdikss: yes, but that makes the patch unsuitable for our 
code base
(15:08:42) valdikss: cron2: right now it's completely broken in OS X and 
low-end Linux.
(15:09:18) cron2: either it's done in a generic way that makes sense across all 
features and platforms, or you need to maintain a local branch
(15:09:38) valdikss: cron2: why? I mean, it's fine for me if we would skip 
environment only for route/iproute2 but not --up scripts
(15:09:45) cron2: what I could see as making sense here is a flag 
"--route-no-env" or the like which will stop putting routes into the environment
(15:09:57) valdikss: cron2: It won't break --up scripts and I don't care about 
them, so it's fine for me.
(15:10:14) cron2: valdikss: "fine for me" is not good enough for the main repo
(15:10:24) cron2: and "I don't care" doubly so
(15:11:22) valdikss: cron2: sorry, I meant that if we would not pass route env 
for route/ip route commands, would it be fine? It won't break --up scripts but 
would work for me.
(15:11:55) valdikss: cron2: I meant that I don't use --up scripts and my users 
also don't use them. That approach would fix the issue for me yet won't break 
--up scripts
(15:12:48) cron2: valdikss: I heard what you said, but your patch introduces an 
asymmetry into the code, and might break other people's usage (someone might 
call an "ip" binary that is a script that *wants* these environment variables)
(15:13:24) cron2: see above for a suggestion how to handle this in a way that 
doesn't change user-visible behaviour, will also not break --up scripts if one 
of your users *wants* to use it, and works on all platforms at once
(15:16:29) valdikss: cron2: >someone might call an "ip" binary that is a script 
that *wants* these environment variables
(15:16:32) valdikss: cron2: Is it really the case? ip binary is called in a 
loop and routes are passed as arguments.
(15:17:00) cron2: Every time we change user-visible behaviour, *someone* comes 
up with a use case that we've not considered, and which is now broken
(15:17:19) cron2: so, "just leave off the environment on *three* platforms, 
while keeping it everywhere else" is definitely a no-go
(15:18:18) cron2: we might consider verifying which environment variables are 
truly needed across all platforms, and call route/iproute/ifconfig with a 
limited subset only - but that would go along with actually *asking* people on 
the -devel and -users list
(15:19:50) valdikss: cron2: all right, I understood you

This discussion continued in the actual meeting at 22:10:22.

Then the actual meeting transcript from #openvpn-meeting:

(21:01:25) OSTIF-Derek: hello! This channel is too quiet! This is the right 
place for the meeting, correct?
(21:02:51) syzzer: hi OSTIF-Derek 
(21:02:57) syzzer: yes, you're at the right place :)
(21:03:12) OSTIF-Derek: excellent!
(21:03:23) syzzer: cron3/cron2 announced he would be a bit late
(21:03:48) OSTIF-Derek: ahh alright
(21:04:07) mattock: hi derek and syzzer!
(21:04:09) syzzer: but I guess mattock is around
(21:04:16) mattock: sorry I'm a bit late, got distracted
(21:04:20) syzzer: and dazo?
(21:04:49) syzzer: hi mattock  :)
(21:05:24) mattock: I emailed jamesyonan earlier, but he has not responded
(21:05:33) ***dazo is here
(21:05:36) mattock: hi dazo!
(21:06:06) mattock: maybe derek could start by giving us an update on recent 
developments on the OSTIF side?
(21:06:38) syzzer: yes, please do :)
(21:06:39) ***cron3 is in italy
(21:06:50) cron3: (and here, now)
(21:07:17) mattock: hi cron3!
(21:07:34) OSTIF-Derek: sure, we raised enough money to do an audit of 
VeraCrypt. It was cheaper than normal because we opted to do a "change" audit 
that focuses on the changes that came after TrueCrypt 7.1a, namely patches and 
new features.
(21:07:51) OSTIF-Derek: that audit is going on right now, ran by QuarksLab in 
Paris.
(21:08:43) syzzer: very nice that you made that happen
(21:08:57) cron3: +1
(21:09:54) OSTIF-Derek: We have been working with Mozilla SOS (their 
open-source public audit program) and it looks like OpenVPN 2.3.x would qualify 
for them to fully fund the audit. They, (and we) want to get permission to 
apply for an audit from Mozilla SOS
(21:10:13) jamesyonan [~jamesy...@c-73-243-160-156.hsd1.co.comcast.net] has 
entered the room.
(21:10:16) OSTIF-Derek: on behalf of the OpenVPN project
(21:10:51) mattock: hi jamesyonan!
(21:10:57) dazo: Sounds like a sweet deal ... what's expected from OpenVPN Tech 
and the community side?
(21:11:03) jamesyonan: hi mattock
(21:11:08) OSTIF-Derek: i wanted to get any input you might have on special 
needs of your project, such as how findings should be reported and how quickly 
the project can respond to 0-days if they are found
(21:12:30) mattock: I think we can get trivial fixes merged pretty quickly
(21:12:33) dazo: well, we sure have some work to do to be more responsive - but 
we're probably not the worst ones ... but we have security@openvpn ... which is 
a closed list with trusted developers
(21:12:42) OSTIF-Derek: we have had problems with "someone" trying to intercept 
our PGP emails with the VeraCrypt audit, so the timetable from finding a 
problem to response would need to be fast
(21:13:31) dazo: I think that we have potential to improve and I can sure step 
in much more actively these days - to at least coordinate things if I don't see 
the solution code wise
(21:14:19) mattock: if the fix is trivial and non-intrusive, then "a day or 
two" should be reasonable, right?
(21:14:28) dazo: absolutely
(21:14:40) cron3: yeah, this makes sense - now you (dazo) have more time for 
OpenVPN, and you can poke James for "complicated stuff" (and/or me and syzzer, 
but our time scales wrt work/other stuff are different)
(21:14:58) OSTIF-Derek: so the primary contact for the auditors to report 
findings to would be via email directly to security@openvpn dot net?
(21:15:08) syzzer: yes
(21:15:09) cron3: what we need to agree on is what "response" means in this 
context - "new release" or "acknowledge, and prepare release"?
(21:15:27) syzzer: though we still need to setup pgp for that...
(21:15:28) dazo: OSTIF-Derek: jamesyonan, mattock and I work for OpenVPN Tech 
... the rest here are (afaik) community members
(21:15:35) cron3: our current patch review/public documentation process is 
complicated wrt "security patches that should not be public right away"
(21:15:57) mattock: dazo: dan- might be also the Dan that works for OpenVPN Tech
(21:16:05) dazo: ahh!  cool!
(21:16:42) mattock: OSTIF-Derek: so you said that there have been eavesdropping 
attempts on your email exchange?
(21:16:52) dazo: just thinking aloud now ... should we consider Mattermost 
(selfhosted) or Slack for security stuff?
(21:17:06) OSTIF-Derek: as long as something can be ironed out quickly i think 
exposure would be rather small
(21:17:28) mattock: email is definitely not very secure, and using GnuPG/PGP 
for group conversations is a bit tricky afaik
(21:17:31) OSTIF-Derek: mattock - we believe so, yes.
(21:18:19) OSTIF-Derek: I can't really comment other than some emails that we 
have sent have disappeared from multiple separate email services, for multiple 
people, including in our sent boxes.
(21:18:33) cron3: dazo: if another channel, then only on-demand ("please meet 
<here>, important")
(21:18:45) OSTIF-Derek: other than that, Google and ANNSI are currently 
investigating and we are awaiting results
(21:18:52) ***cron3 cannot monitor yet-another channel for "oh, I might be 
needed there"
(21:18:54) dazo: cron3: At least slack provides e-mail alerts automatically
(21:19:05) dazo: cron3: I believe Mattermost is up-to-par there too
(21:19:14) mattock: yeah, that is pretty convenient occasionally, plus the XMPP 
integration
(21:19:28) Thermi: why not a server with ssh pubkey access and then wall?
(21:19:46) mattock: that would be quite nerdy
(21:19:57) OSTIF-Derek: we have been using a combination of PGP and OTR over 
XMPP, and signal private messenger for Android/iOS
(21:19:58) mattock: also quite secure I would think
(21:20:03) dazo: Thermi: you lose scrollback when you're not online
(21:20:12) Thermi: dazo: tmux/screen
(21:20:18) dazo: fair enough
(21:20:46) syzzer: I think there's plenty of options, and we can find one that 
works :)
(21:21:06) mattock: yeah, I'm sure we can figure out something, and we do not 
need to do it now :)
(21:21:12) syzzer: but for reporting from the outside, we really need something 
like an email with PGP
(21:21:25) OSTIF-Derek: and you guys are close to releasing 2.3.12? If so, I 
can wait for that to make the application
(21:21:26) syzzer: something that everyone can reach out to
(21:21:45) mattock: syzzer: +1
(21:21:57) OSTIF-Derek: yeah, if you guys just generated a key with GnuPG for 
the security@openvpn email, then those direct emails could be secure
(21:21:58) dazo: yeah, I'm thinking so too ... we should discuss this more 
extensively a bit later .... and perhaps move on further with this meeting now
(21:22:18) syzzer: yes, this :)
(21:22:30) cron3: I know other forums that have pgp-signed mailing lists
(21:22:37) syzzer: OSTIF-Derek: and yes, 2.3.12 is expected soon
(21:22:44) cron3: (where the list server decrypts and re-encrypts incoming 
mails that are encrypted)
(21:22:51) mattock: cron3: any pointers would be appreciated
(21:23:18) syzzer: key signing party in Helsinki!
(21:23:23) mattock: yeah
(21:23:30) dazo: Regarding the 2.3.12 release ... yes, we do have something in 
the pipe ... we're not quite yet settled on a date, but very soon hopefully
(21:23:37) OSTIF-Derek: Well, the go-ahead from you guys was the big step that 
we needed to take for this meeting. Other than working out a secure reporting 
method, I believe Samuli will be able to guide me with any information that I 
might need for the application process
(21:24:00) cron3: OSTIF-Derek: do you want to get 2.3.12 or git master reviewed?
(21:24:01) mattock: OSTIF-Derek: any idea what they will be asking?
(21:24:07) dazo: great!
(21:24:47) mattock: I don't have any business information, but I guess that's 
not relevant, right?
(21:24:48) cron3: the thing with 2.3.12 is - it's "the current stable release" 
but the code in git master has been rewritten in a number of places, and we 
expect 2.4_alpha "soonish"
(21:24:52) dazo: Getting an audit on 2.3.12 would be great ... but what about 
the 2.4 release once that comes?
(21:24:55) syzzer: cron3: that is a very good point.  reviewing master probably 
has more value
(21:25:01) mattock: agreed
(21:25:07) OSTIF-Derek: the location of the source, who the primary developers 
are, what license it is under, how many current users of the software, has it 
been audited before, secure contact for reporting, etc
(21:25:25) mattock: OSTIF-Derek: ok, that stuff is easy
(21:25:39) ***cron3 wonders about "who the primary developers are" :)
(21:25:41) syzzer: mattock: yeah?  you know how many users we have? :p
(21:25:43) mattock: syzzer: have you done any audits at your end?
(21:25:47) OSTIF-Derek: yeah, if 2.4 is inbound we should definitely be working 
with that
(21:26:01) mattock: syzzer: 500,000? :P
(21:26:07) OSTIF-Derek: i think openvpn is recognizable enough that it is easy 
to say it is well into the millions
(21:26:11) syzzer: mattock: of openvpn? or generally speaking?
(21:26:37) mattock: well, no idea, but OSTIF-Derek is probably more correct, if 
we count all the commercial VPN users etc.
(21:26:42) OSTIF-Derek: veracrypt has 200,000 and it's not built into any Linux 
distros like OVPN is :P
(21:26:59) dazo: OSTIF-Derek: just so I understand better ... this audit will 
be covered by Mozilla SOS and coordinated by you?  So no additional costs?  
(membership, payment to see the report, etc)
(21:27:23) OSTIF-Derek: right, it will be an open audit and free, all i'm doing 
is the paperwork and helping get things set up
(21:27:38) valdikss: ssh chat.shazow.net
(21:27:42) valdikss: https://github.com/shazow/ssh-chat
(21:27:43) vpnHelper: Title: GitHub - shazow/ssh-chat: Chat over SSH. (at 
github.com)
(21:27:50) valdikss: (in case anyone really wanted SSH chat)
(21:28:01) cron3: google play store says "openvpn for android: 1000000-5000000 
installations"
(21:28:16) mattock: cron3: wow
(21:28:23) mattock: valdikss: that is worth a shot definitely
(21:28:24) OSTIF-Derek: yeah, and that doesn't include all of the custom apps
(21:28:25) cron3: ... and that is git master code :)
(21:28:30) OSTIF-Derek: from the commercial providers
(21:28:59) jamesyonan: actually if you consider all of the commercial VPN 
providers that use OpenVPN, it's well into the 100 millions
(21:29:06) dazo: Yeah
(21:29:30) dazo: PIA (Private Internet Access) talks about 700k users, iirc
(21:29:41) OSTIF-Derek: also if you guys could make it so that 
block-outside-dns doesn't crash all non-windows clients instead of doing 
nothing, that would be terrific ;)
(21:29:52) valdikss: Sorry guys, I'm a bit sick so I'll go sleep. Will read 
your conversation later.
(21:29:59) valdikss: OSTIF-Derek: there's an update to the man, read it
(21:30:00) mattock: valdikss: take care and get well!
(21:30:08) valdikss: OSTIF-Derek: setenv opt block-outside-dns
(21:30:10) cron3: valdikss: all the best, good night
(21:30:13) mattock: somebody stuck it to the man
(21:30:26) OSTIF-Derek: oh ill look into that valdikss, thanks!
(21:30:48) valdikss: OSTIF-Derek: and if you push block-outside-dns from server 
it would be just ignored on other platforms
(21:31:51) mattock: OSTIF-Derek: do you have the funding for auditing OpenVPN, 
or is this dependent on the Mozilla SOS grant application going through?
(21:32:19) OSTIF-Derek: It is dependent on Mozilla SOS, if they do not fund it 
we have a contingency plan to raise money through the commercial providers
(21:32:31) mattock: ok, let's hope for the best, then!
(21:32:41) mattock: and the rest of us should get 2.4 out of the door
(21:32:47) dazo: +1
(21:32:48) mattock: so that we have something to audit
(21:33:20) syzzer: so, I think we all agree that git-master should be audited?
(21:33:29) OSTIF-Derek: i think so, yes
(21:33:29) mattock: +1
(21:33:33) syzzer: or aim for 2.4_alpha1 specifically?
(21:33:58) mattock: I would vote for a relatively stable version of 
2.4-something 
(21:34:01) cron3: that depends a bit on how fast they would start
(21:34:07) mattock: as in: code does not change a lot before 2.4.x
(21:34:08) dazo: I think we should aim for 2.4 ... we will reach a branching 
point, and that's a good timing for an audit
(21:34:17) valdikss: Oh, another Q: Windows configuration import tool. Just a 
very very simple tool which is associated with .ovpn files and just asks "Going 
to import this.ovpn. Are you sure? Yes/no"
(21:34:22) cron3: if 2.4.0 has hit the shelves, and master has been branched 
off, 2.4.0 is it..
(21:34:27) valdikss: I think it's needed very much
(21:34:28) OSTIF-Derek: i would imagine you have 20-30 days before the audit 
would begin, this stuff moves slow, especially the money
(21:34:32) cron3: valdikss: doesn't the GUI do that today?
(21:34:41) valdikss: cron3: it does?
(21:34:51) mattock: valdikss: doesn't the latest openvpn-gui support that?
(21:34:54) dazo: cron3: it doesn't import and copy files to the config directory
(21:34:57) valdikss: cron3: .ovpn files are always associated with notepad for 
me
(21:34:59) cron3: what happens if you click on a .ovpn file?  it shows the 
logo...
(21:35:16) valdikss: cron3: didn't try git master, anything has changed?
(21:35:18) cron3: notepad is only if you have "edit with..." before
(21:35:33) mattock: valdikss: notepad.exe can be changed to something else 
using file associations
(21:35:39) cron3: selva has changed and improved TONs of stuff
(21:35:47) OSTIF-Derek: yeah, Windows auto checks the "always use this app" box 
when you edit for the first time
(21:36:00) mattock: yeah, you should look at the latest snapshots: 
http://build.openvpn.net/downloads/snapshots/
(21:36:01) vpnHelper: Title: Index of /downloads/snapshots/ (at 
build.openvpn.net)
(21:36:10) valdikss: Cool, I'll check them
(21:36:24) mattock: valdikss: which of your topics are still valid, btw?
(21:36:32) OSTIF-Derek: oh also, is there a changelog for the master build that 
is public?
(21:36:36) mattock: I recall you and cron3 discussing some of them already?
(21:36:50) mattock: OSTIF-Derek: the snapshots?
(21:36:52) OSTIF-Derek: changelogs help the auditors hunt down bugs in less 
mature code
(21:36:53) dazo: OSTIF-Derek: regarding 20-30 days ... that's not too bad from 
our point of view, I'd say
(21:36:53) OSTIF-Derek: yeah
(21:37:07) mattock: nothing except Git logs
(21:37:33) mattock: however, the snapshots I linked to have Git commit ID 
attached to them, so getting the changelog is easy
(21:37:39) cron3: OSTIF-Derek: well, git log, and Changes.rst
(21:37:42) valdikss: mattock: Drop recursively routed packets and 
block-outside-dns
(21:37:46) OSTIF-Derek: we can also schedule the audit and have them wait for 
you guys to have the 2.4 master in the state you want
(21:37:58) mattock: +1
(21:38:02) dazo: OSTIF-Derek: the changelog is mostly derived from the git log 
... we have added a Changes.rst files recently, where we try to add user 
visible changes ... but the git log (or shortlog) gives the best overview
(21:38:18) OSTIF-Derek: alright
(21:38:36) valdikss has set the topic to: Meeting 2016-08-22 1900 UTC: 
Agenda at https://community.openvpn.net/openvpn/wiki/Topics-2016-08-22
(21:38:56) dazo: that sounds great, if audit can wait for our "go!" ... that 
"go!" will come for sure
(21:39:25) OSTIF-Derek: i'll talk to Mozilla again today and see what works for 
them.
(21:39:52) valdikss: Oh and what do you think about kill-switch? It's not 
directly related to the VPN but it's what a lot of people wants.
(21:40:10) dazo: I personally would be very comfortable starting an audit with 
an RC release, or a late beta release (if we see the need for that after alpha)
(21:41:25) mattock: me too
(21:41:49) mattock: anything else we should discuss regarding Mozilla SOS / 
OSTIF?
(21:41:50) syzzer: I would even be comfortable with an alpha release - the git 
master code is used in the field a lot
(21:42:12) mattock: as long as the code does not change dramatically before 
2.4.0
(21:42:17) OSTIF-Derek: i think i have all of the information i need to move 
forward
(21:42:26) syzzer: well, I would at least like to have a heads-up when the 
bugreports that flowing my way ;)
(21:42:30) OSTIF-Derek: unless you guys have any other questions
(21:43:04) mattock: OSTIF-Derek: let me know when you need info about the 
project
(21:43:20) OSTIF-Derek: I will. thanks!
(21:43:27) mattock: great!
(21:43:34) mattock: feel free to hang around if you like
(21:43:36) dazo: mattock: if there are dramatic changes from late beta/RC 
to 2.4.0, then we've done a very bad job
(21:43:43) syzzer: OSTIF-Derek: your efforts are much appreciated!
(21:43:46) dazo: +1
(21:43:47) mattock: +1
(21:44:38) mattock: dazo: yeah, I was thinking about 2.4-alphas
(21:44:44) mattock: beta/rc should be ok
(21:44:51) mattock: anyways, to the next topic?
(21:44:52) cron3: syzzer: talking about git master quality :-) - what do you 
think about my suggested patches in #715?
(21:44:55) OSTIF-Derek: thank you guys! A lot of people care about the cause a 
lot, we are hoping as we do more work we will get the attention of the media 
and really start to get the ball rolling.
(21:45:05) valdikss: No, there's no import tool in the latest snapshot. .ovpn 
files are still associated with the notepad, but there's "Run OpenVPN with this 
configuration" menu option.
(21:45:20) syzzer: cron3: 
https://community.openvpn.net/openvpn/ticket/715#comment:4
(21:45:21) vpnHelper: Title: #715 (ncp patch set breaks --inetd) – OpenVPN 
Community (at community.openvpn.net)
(21:45:22) valdikss: It seems that OpenVPN itself associates .ovpn with notepad
(21:45:23) cron3: well, it's not "imported", but "run in place"
(21:45:25) cron3: oh
(21:45:41) cron3: syzzer: oops :)
(21:45:50) valdikss: cron3: yes, and that's pretty useless for most people as 
OpenVPN won't be able to set routes etc.
(21:45:55) mattock: OSTIF-Derek: it will take a few successful 
fundraises/grants/audits to build reputation, but it should get easier in time
(21:46:13) OSTIF-Derek: oh i also forgot to mention, if Mozilla SOS pays for 
the audit, they will select the auditor. It will likely be Cure53 in Germany. 
https://cure53.de/ They've done a lot of work for Mozilla so far.
(21:46:14) vpnHelper: Title: Cure53 – Fine penetration tests for fine websites 
(at cure53.de)
(21:46:17) cron3: valdikss: why are you saying this?  Run a current snapshot 
with iservice in place :)
(21:46:44) cron3: OSTIF-Derek: as long as the auditor has a clue what they are 
doing, I think this is good enough
(21:47:07) ***cron3 doesn't want tons of "hey, the compiler warns about 
signed/unsigned char here!" reports...
(21:47:14) valdikss: cron3: well, imagine you have an .ovpn file which was sent 
to you by mail. I expect that clicking it in the mail client would run you a 
VPN connection or at least ask you what to do, but not open a notepad.
(21:47:49) cron3: valdikss: it opens a notepad on YOUR computer, because YOU 
have opened .ovpn with notepad once, and [X] checked the "use this forever 
after" box
(21:47:57) valdikss: cron3: If anybody thinks the same, I'll make a small 
utility or add import functionality to existing gui
(21:47:58) cron3: .ovpn is not associated with notepad
(21:48:01) valdikss: cron3: no!
(21:48:16) syzzer: hehe, Cure53 calls C++ 'exotic'
(21:48:20) valdikss: cron3: well, I need to check this twice but I'm pretty 
sure this is done by the installed.
(21:48:23) valdikss: installer*
(21:48:26) syzzer: they'll be up for a treat :')
(21:48:56) cron3: valdikss: try on a fresh machine that does not have 
associations changed before
(21:49:51) mattock: I think notepad.exe is only the default editor for 
openvpn-gui ("Edit config" / "View log" in the menu), nothing else
(21:50:47) ***valdikss away
(21:50:47) cron3: mmmmh
(21:50:57) mattock: ok, so 
https://community.openvpn.net/openvpn/wiki/Topics-2016-08-22
(21:50:58) vpnHelper: Title: Topics-2016-08-22 – OpenVPN Community (at 
community.openvpn.net)
(21:51:03) mattock: 2.3.12?
(21:51:07) cron3: I take this back, I think it might be different depending on 
windows version or phases of the moon
(21:51:24) cron3: I was sure I've seen the openvpn logo on .ovpn files (which 
is a strong indication for "this is the program to use!")
(21:51:32) cron3: but the win7 VM I have with me does not do that
(21:51:43) mattock: open the .ovpn file in notepad.exe?
(21:51:57) cron3: no, show the openvpn logo for .ovpn files, and open with the 
openvpn-gui
(21:52:13) valdikss: cron3: yes, it was always just the icon
(21:52:30) mattock: cron3: what does "open with openvpn-gui" mean?
(21:53:14) cron3: mattock: "open the gui, have the gui run openvpn with this 
config via the iservice"
(21:53:50) cron3: what everyone else does when you click on a config file - 
"run the program associated with that config, and start it with that config"
(21:55:15) mattock: cron3: "open the gui, have the gui run openvpn with this 
config via the iservice" is what it does now, or what it should do?
(21:55:24) mattock: (I have not tested this, ever)
(21:55:29) cron3: mattock: no, it doesn't :-)
(21:56:15) cron3: well, it's what I thought it would do, but it does not seem to
(21:56:17) cron3: anyway
(21:56:26) dazo: 2.3.12?
(21:56:39) mattock: +1
(21:56:40) cron3: I think that "clicking on a .ovpn file" should indeed bring 
up a gui that asks "do you want to import this, or start it right away"
(21:56:46) cron3: feature wish :)
(21:56:53) cron3: 2.3.12, yes
(21:56:56) mattock: valdikss almost promised to create such a wrapper
(21:57:02) mattock: it would be nice indeed
(21:58:32) dazo: cron3: Trac ticket 660 ... going to 2.3.13?
(21:58:54) cron3: y
(21:58:58) cron3: "yes", that is
(21:59:17) cron3: I'd see that we do 2.3.12 right away, and then add more bug 
fixes as time permits
(21:59:33) cron3: (there are already a number of fixes in 2.3.12)
(21:59:42) cron3: I would merge Lev's patch, though
(21:59:48) cron3: (lets come back to that one later)
(22:00:59) mattock: +1
(22:01:17) mattock: release tomorrow or wednesday?
(22:03:00) dazo: I've not heard back from the ACM CCS guys if they have an 
embargo date ... but unless I hear something by tomorrow morning, I'd say we 
push it out ... and start our machinery
(22:03:19) cron3: +1
(22:03:24) dazo: I need to coordinate a bit with RH as well
(22:03:40) mattock: so tomorrow afternoon it is
(22:04:14) dazo: yeah, I'd say so
(22:04:15) mattock: cron3: "PATCH v2: Drop recursively routed packets (Lev) " 
is the one you're talking about?
(22:04:22) cron3: yes
(22:04:42) mattock: let's discuss that next then?
(22:04:55) mattock: once we're done with the rest of 2.3.12 stuff (if any)
(22:05:04) cron3: I think the patch is important, and can ACK it.  Dazo has 
reservations because it has (some) performance implications - and he's right, 
because our code is... not good there.
(22:05:49) cron3: My suggestion here is: I ACK it, we merge it as it is in 2.3 
and master (because it works, changes a "openvpn hangs with 100% CPU" to "it 
will tell you what is broken" situation)
(22:06:01) dazo: Yeah, but lets not that be the killer in this time ... the 
power consumption is far worse
(22:06:04) cron3: and then we improve performance in master - which would go 
with quite a bit of refactoring
(22:06:14) dazo: +1
(22:06:57) cron3: basically, kill is_ipv4() and is_ipv6() for good, because the 
approach right now is "in both places where these are used, all the code is 
called twice, and it's not an inline"
(22:07:29) cron3: (replace with "get_ipv4_version()" which would return "4" or 
"6" and then all the comparison logic would be much easier and still readable)
(22:07:38) cron3: get_ip_version() of course
(22:08:32) cron3: (and I volunteer to do that :) - half the mess is my doing 
anyway, I think)
(22:08:54) dazo: sounds good to me
(22:09:38) ***cron3 goes re-read the code once more :)
(22:09:53) mattock: ok, next topic?
(22:10:11) cron3: yes
(22:10:21) dazo: I've looked through the other Trac tickets tagged 2.3.12, and 
wouldn't say any of them are worthy of holding 2.3.12 back
(22:10:22) mattock: we have the three patches from ValdikSS, starting with this:
(22:10:22) mattock: PATCH 1/3: Do not pass env for system commands on Linux
(22:10:33) cron3: these got a NAK this afternoon already
(22:10:38) mattock: ah, those were the ones
(22:10:47) dazo: I fully support that NAK, btw
(22:11:07) cron3: so you could just include the discussion from #openvpn-devel 
in the published log, so nobody needs to wonder
(22:11:18) mattock: cron3: I recall you suggested an alternative approach
(22:11:28) mattock: I can add that to the chatlog
(22:11:30) dazo: I think cron2's suggestion of adding a --route-no-setenv (or 
something similar) is a more sane way to go without potentially breaking 
anyone's configs
(22:12:06) cron3: either that, or have a sanitized env for the route/ifconfig 
invocations - they do not really need all the "full-blown" stuff that we pass 
to --up & friends
(22:12:12) cron3: like, 10.000 routes
(22:13:08) dazo: agreed, but that is quite a job to iron out what users expect 
... but we can start on that process, and kill a few variables each time to see 
whom we annoy
(22:13:24) dazo: (each time => in each release)
(22:13:55) cron3: dazo: well, do we *really* think people run "route" or 
"ifconfig" in a context where all these openvpn environment variables are 
relevant?
(22:14:12) cron3: our scripts need them, of course (--up, etc.)
(22:14:26) cron3: right now, everything we fork/exec gets "all!"
(22:17:16) dazo: cron3: Yes, I have seen people using route and ifconfig info 
to do their own weird stuff ... mostly when involving containers, bridges and 
automated vm configs and such
(22:17:36) dazo: It's not main stream common ... but not that infrequent either
(22:18:27) cron3: ok, good.  I had the gut feeling someone would do this...
(22:18:53) cron3: ACK sent
(22:19:24) dazo: thx!  I'll get it applied to my branches today ... and we'll 
push it out tomorrow, where I already have syzzer's bf warning patches ready
(22:19:33) cron3: thanks
(22:20:04) ***cron3 will be around noonish (14-15:00) in case questions show up
(22:20:43) dazo: btw ... I slightly did an on-the-fly update to syzzer's 
patches ... https://paste.fedoraproject.org/412409/18580731/ ... fixing the 
C89/C99 issues as it wouldn't build on my SL7.2 (RHEL 7.2 clone) without adding 
-std=gnu99 
(22:21:02) cron3: what compiler is that?
(22:21:03) syzzer: -std=c99, I hope ;)
(22:21:17) dazo: -std=c99 would work too
(22:21:25) dazo: gcc-4.8.5-4.el7.x86_64
(22:22:03) dazo: it complained that variable declarations inside for-loops were 
not permitted in c89  (which is the default in gcc-4.8)
(22:22:11) dazo: and then it bailed out
(22:22:27) cron3: interesting, gcc being stricter than gnu :)
(22:23:15) dazo: hehe ... yeah, I wonder if I have done something without 
catching it ... or if RH have added/changed some default options to gcc
(22:23:28) syzzer: I think the gcc default used to be gnu89
(22:23:43) syzzer: maybe RH changed that to c89?
(22:23:46) dazo: yeah, until some gcc-5.x release
(22:24:05) mattock: shall we move on?
(22:24:20) mattock: there is one more bug report on the topic list
(22:24:26) mattock: https://sourceforge.net/p/openvpn/mailman/message/35263770/
(22:24:27) vpnHelper: Title: OpenVPN / Mailing Lists (at sourceforge.net)
(22:24:35) mattock: "block-outside-dns and multiple tunnels"
(22:24:52) mattock: valdikss was not sure what to do with this issue
(22:24:56) dazo: do we have any patches?
(22:25:01) mattock: not afaict
(22:25:05) dazo: or any ideas how to fix it?
(22:25:08) cron3: selva had ideas how to tackle it, but not coded anything yet
(22:25:23) dazo: then I say this goes into 2.3.13
(22:25:35) cron3: right, not 2.3.12
(22:25:51) dazo: unless a very trivial patch appears by tomorrow :)
(22:26:05) cron3: it won't be trivial
(22:26:50) mattock: yeah
(22:27:03) mattock: I agree it is a problem, but probably not a critical one
(22:27:12) mattock: should be fixed, if possible
(22:27:47) cron3: Selva's approach sounds like it should work (= he understands 
the issue AND microsoft WFP it seems :) )
(22:28:04) ***cron3 has no idea how that WFP stuff works
(22:28:52) mattock: I think we just need to tell Selva which approach seems the 
most sane to us
(22:29:08) mattock: so that he can implement the fix
(22:29:50) mattock: this would leave us with the mega-topic of the day, #5 or 
"windows testing"
(22:30:05) mattock: shall we move on to that one?
(22:30:52) cron3: that's that topic that always shows up when everyone is tired
(22:31:08) mattock: yeah :)
(22:31:30) mattock: I think we should create a Wiki page which outlines what 
tests we need
(22:31:37) mattock: start with something simple and build from there
(22:31:40) dazo: does anyone "own" that task?
(22:31:46) mattock: I don't think so
(22:32:02) cron3: what mattock suggests makes sense
(22:32:27) mattock: and let's not let (extensive) Windows testing automation 
block 2.4 release for too long 
(22:32:36) cron3: I was thinking along the lines of "make t_client work" (to be 
able to easily auto-test new versions) but the wiki page would have information 
on *what* to test
(22:32:41) cron3: mattock: it is a blocker
(22:32:48) mattock: what is "it"?
(22:32:55) cron3: windows testing
(22:32:55) mattock: that is what we need to discuss
(22:32:57) cron3: let me explain
(22:33:09) dazo: Okay, let's try to fix that first ... then that person can 
look into alternatives and we can start discussing the best solution for us.  
But until somebody takes ownership, it will be the last topic on the agenda in 
coming meetings and not moving much forward
(22:33:19) cron3: d12fk's change looks like "it only fixes one small corner 
case", but under the hood, it *normalizes* the windows code
(22:33:47) cron3: windows has always been sort of "weird order of things", 
different from all other platforms - so that change would make future 
maintenance much easier
(22:34:15) cron3: but there has to be a reason why windows is the way it is, 
and either that reason is no longer relevant with XP and earlier gone, or 
testing needs to uncover that
(22:34:29) dazo: +1
(22:34:35) cron3: and we should not release a 2.4_alpha that is "funny on 
windows", because that would kill our testing user base
(22:34:50) mattock: are we speaking of one particular change here?
(22:35:09) dazo: We can go ahead with alpha and probably beta releases .... but 
we should really have something in place before the RC releases
(22:35:16) cron3: Message-ID: 
<1466784101-20655-1-git-send-email-heiko.h...@sophos.com>
(22:35:19) cron3: this one
(22:35:26) cron3: From: Heiko Hund <heiko.h...@sophos.com>
(22:35:32) cron3: Subject: [Openvpn-devel] [PATCH] Windows: do_ifconfig() after 
open_tun()
(22:35:57) cron3: so, let's attack this from two angles:
(22:36:04) cron3: - do a list of things we WANT tested
(22:36:08) mattock: https://sourceforge.net/p/openvpn/mailman/message/35180749/
(22:36:09) vpnHelper: Title: OpenVPN / Mailing Lists (at sourceforge.net)
(22:36:27) cron3: - with that list, test "master without d12fk's patch" and 
"master *with* d12fk's patch" - manually, if needed
(22:36:52) mattock: +1 for "manually", unless automation is fairly trivial
(22:37:17) mattock: but also plan for automating Windows testing more 
extensively
(22:37:18) dazo: +1
(22:37:25) cron3: - second angle: figure out how to get this automated, so we 
can run the full set of test configs on each commit
(22:37:31) mattock: +1
(22:37:33) dazo: fully automated is secondary, manual is mandatory
(22:37:38) mattock: +1
(22:37:42) cron3: we MUST have automated windows testing
(22:37:49) cron3: (but that is not a blocker for 2.4)
(22:37:56) dazo: that's what I'm trying to say
(22:37:58) mattock: yeah, then we are in agreement
(22:38:25) mattock: I only wanted to avoid an ill-defined task such as "Windows 
testing automation" from blocking the 2.4 release
(22:38:38) cron3: that list needs to contain variations of --ip-win32 - netsh, 
api, service - because those are particular code branches that cannot be tested 
elsewhere
(22:38:43) mattock: as a long-run goal it makes sense, but we still need to 
define the scope of the testing well
(22:38:49) dazo: jamesyonan: do you know of any resources who could help out 
ironing out windows testing?
(22:39:37) mattock: also: who knows how to compile the "what to test" wiki page?
(22:39:45) cron3: mattock: see above - I'm thinking about the windows 
particulars, dhcp options and --ip-win32 variants
(22:40:00) ***cron3 suggests mattock starts the page, and the rest of us adds 
to it
(22:40:05) dazo: +1
(22:40:06) mattock: ok
(22:40:12) cron3: (get jjk involved... and ecrist...)
(22:40:23) dazo: yeah
(22:40:47) mattock: let's send a separate email to openvpn-devel when the Wiki 
page is up
(22:40:52) cron3: +1
(22:40:58) dazo: +1
(22:41:05) cron3: <openvpn-devel@lists.sourceforge.net>... Sent (OK 
id=1bbv5U-0002Bc-Vk)
(22:41:23) cron3: (that is trac#715 related)
(22:42:23) ***syzzer wakes up
(22:42:32) cron3: n3> (that is trac#715 related)
(22:42:37) cron3: argh
(22:42:44) cron3: this laptop's touch pad is... special
(22:43:04) cron3: mattock: how do you do the message-id <-> sourceforge URL 
mapping?
(22:43:27) dazo: cron3: I've subscribed our ML to mail-archive.com .... 
(22:43:38) mattock: I do not, I just search for the subject line
(22:43:39) dazo: cron3: I got an updated git-ack script too
(22:43:50) cron3: dazo: please mail over :)
(22:44:26) dazo: will do!  Just realised this evening I have two versions of 
that script, so need to just realign them first and you'll get a good one
(22:45:02) mattock: maybe create a GitHub project?
(22:45:13) dazo: mattock: could we look into getting at least the last 2-3 
years of -devel lists exported from sourceforge and imported to 
mail-archive.com?
(22:45:15) cron3: mattock: trac #723 is a consequence of these funny windows 
exceptions
(22:45:29) dazo: mattock: yeah, I should do that :)
(22:45:36) cron3: (just saying why d12fk's change is really big)
(22:46:00) mattock: cron3: ok
(22:46:48) mattock: dazo: yes - is there a built-in mechanism for the 
export-import, or would it require extensive, nasty scripting?
(22:47:40) dazo: mattock: mail-archive.com can import mbox, iirc ... so it just 
needs to be exported somehow ... not sure how easily that can be done via the 
mailman admin pages?
(22:47:51) mattock: I'll check if that's doable
(22:48:16) dazo: (hadn't sourceforge replaced the default mailman archive index 
by their crappy front-end, I would have done it already)
(22:49:23) dazo: and if someone can think of other mail archives we should join 
(I've also requested for marc.info, but haven't heard anything yet) ... I'd say 
we should do that
(22:49:30) mattock: https://community.openvpn.net/openvpn/ticket/724
(22:49:32) vpnHelper: Title: #724 (Try to export SF.net mail archives to 
mail-archive.com) – OpenVPN Community (at community.openvpn.net)
(22:49:38) dazo: mattock: https://www.mail-archive.com/faq.html#import
(22:49:40) vpnHelper: Title: The Mail Archive: FAQ (at www.mail-archive.com)
(22:49:41) ***cron3 still hopes for gmane.org to come back - it looks like this 
*might* happen...
(22:50:05) mattock: oh, and ecrist is looking into pipermail (for 
self-archiving)
(22:50:11) dazo: cron3: the NNTP part of it is back, afaik ... but there is not 
much efforts on the web side though
(22:50:25) dazo: self-archiving with a Message-ID lookup would be ideal though
(22:51:10) cron3: that would also be good, yes
(22:52:23) ***cron3 is out for tonight - need to read goodnight stories for the 
kids now
(22:52:32) mattock: yeah, I'm done too
(22:52:32) cron3: *wave* - good meeting, though
(22:52:37) mattock: we did very good work today!
(22:52:39) dazo: yeah
(22:52:44) dazo: g'night all :)
(22:52:55) syzzer: good night!
(22:53:46) mattock: good night!
(23:00:55) mattock: summary away
------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel