-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi,
Here's the summary of the previous IRC meeting. - --- COMMUNITY MEETING Place: #openvpn-devel on irc.freenode.net List-Post: openvpn-devel@lists.sourceforge.net Date: Monday 24th Oct 2014 Time: 20:00 CET (19:00 UTC) Planned meeting topics for this meeting were on this page: <https://community.openvpn.net/openvpn/wiki/Topics-2014-11-24> Next meeting has not been scheduled but will be on the same weekday and time. Your local meeting time is easy to check from services such as <http://www.timeanddate.com/worldclock> SUMMARY andj, cron2, dazo, lev, mattock, plaisthos and syzzer participated in this meeting. - --- Discussed the "--enable-password-save" option. Decided to enable the feature by default and remove the associated #ifdef. - -- Discussed the the peer-id patch (v7): <http://thread.gmane.org/gmane.network.openvpn.devel/9270> The patch has received a fair share of review. However, as the patch is fairly invasive it was decided to give James a chance to comment on the latest incarnation. If he has no complaints in a few days the patch will go in. As discussed earlier the full patch will go into 2.4. The client-side part of the patch will also go into 2.3 releases for compatibility reasons. - --- Discussed OpenVPN 2.4 release. Some small pieces are still missing: <http://thread.gmane.org/gmane.network.openvpn.devel/9232> <http://article.gmane.org/gmane.network.openvpn.devel/9238> <http://sourceforge.net/p/openvpn/mailman/message/32945354> <http://article.gmane.org/gmane.network.openvpn.devel/9222> <https://community.openvpn.net/openvpn/wiki/MunichHackathon2014> + stuff in Trac aimed at milestones 2.3.6 and 2.4 + OpenVPN-GUI NSI installer The biggest piece of code still missing from 2.4 is the Windows interactive service: <http://sourceforge.net/p/openvpn-gui/openvpn/ci/interactive_service/tree> The IPv4 part of the service has been in production for some time, but some IPv6 bits may be broken. In Munich we agreed that even if d12fk (the author) does not have time to fix IPv6, somebody else will do it. Samuli can help with testing the patch. Samuli will also make experimental Windows builds with the Interactive Service so that the patch gets the testing coverage it needs before the 2.4 release. - --- Discussed scrapping ENABLE_SSL as a separate option. We had asked about this on openvpn-users and openvpn-devel and received no response/objections. It seems that nobody cares, so out it goes. - --- Full chatlog is attached. - -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlRzlRsACgkQwp2X7RmNIqPkJACgwQxOmhUGc0W1VzNatpd1Gdnp 0u8AoKrm/sx6itVm11gSvkWfW+0qZOko =cW70 -----END PGP SIGNATURE-----
(21.01.48) mattock: ready for the meeting? (21.01.56) ***dazo is ready (21.01.59) ***syzzer too (21.02.00) dazo: james? (21.02.04) ***andj too (21.02.16) syzzer: just to get things started: http://blog.halon.org.uk/2014/11/barbie-the-debian-developer/ (21.02.18) vpnHelper: Title: Barbie the Debian Developer - Liberal Murmurs (at blog.halon.org.uk) (21.04.11) mattock: indeed (21.04.25) ***dazo wonders if syzzer tries to block his systemd patches ..... (21.04.45) mattock: you'll become friends again in about 2 years :P (21.04.51) dazo: hehe (21.04.53) syzzer: hahaha (21.04.56) mattock: ok, so (21.05.00) mattock: "--enable-password-save - drop #ifdef, make always on? change default? Patch from Yegor Yefremov " (21.06.28) andj: haha (21.06.37) syzzer: I don't like the feature, but pragmatically "always on" seems to make sense... (21.06.46) mattock: yeah (21.06.47) dazo: I've been pondering if there has been some misunderstanding from Yegor's mails ... I might have missed that he pointed out that the --help screen said it was enabled by default, while it was disabled in reality ... and he tried to fix this confusion (21.07.09) dazo: but instead of fixing --help, he actually flipped the switch (21.07.31) plaisthos: I was the one suggestion that we also could drop the #ifdef and always enable the feature (21.07.31) dazo: And that would again be NACK from me ... as then --enable needs to be changed to --disable (21.07.54) syzzer: plaisthos: yes, if we enable it by default let's get rid of the #ifdef's too (21.08.06) syzzer: I'll just throw it out hard in OpenVPN-NL ;) (21.08.25) dazo: I'd like to hear what james has to say about this, tbh (21.08.40) plaisthos: do we actually make sure that password are removed/overwritten after using them? (21.08.41) dazo: as it's something which has been configurable since the very beginning (21.08.59) syzzer: someone else must have disliked the feature ;) (21.09.15) dazo: plaisthos: we can't do that ... it's the user which does --auth-user-pass /path/to/my/username+passwrd_file.txt (21.10.10) mattock: isn't having a key/cert without a password as bad as having a password file, provided both have strict permissions? (21.10.41) andj: the key tends to be longer, and isn't sent over the line (21.10.41) dazo: --enable-password-save is only affecting --auth-user-pass (21.11.06) dazo: and what andj said (21.11.35) mattock: andj: ok, fair point (21.11.50) syzzer: andj: this can also be used to provide the private key password (21.11.54) dazo: but keys themselves are used for the encryption ... certificates are used for authentication, just as username/passwords ... and certs are by def. public (21.12.08) andj: but indeed, the option means something else :) (21.13.01) dazo: (however, you can't use a cert with openvpn with the wrong key, so they are coupled) (21.14.20) andj: we're talking about two different types of key here, I think (21.14.37) andj: there's the static key, and the private key (21.15.00) dazo: right ... and neither of them are related to --enable-password-save (21.15.37) andj: learnt somthing today, thought it was also used for private keys (21.15.41) plaisthos: btw. auth-user-pass caches password by default unless you also specify auth-nocache (21.16.07) andj: and static keys (21.16.32) plaisthos: enable-password-save only affects the ability to specify a file-name after auth-user-pass (21.17.31) syzzer: yeah, which is actually different from what ./configure --help claims: "--enable-password-save allow --askpass and --auth-user-pass passwords to be path to systemd-ask-password utility" (21.18.35) andj: in that case, I agree with syzzer, just get rid of the option, and enable it (21.18.38) dazo: btw ... if we decide to remove any #ifdefs ... only one single #ifdef ENABLE_PASSWORD_SAVE exists in the code (21.19.08) mattock: so no major code cleanups then :P (21.19.22) dazo: nope :) (21.19.29) mattock: I was getting hopeful (21.19.34) andj: one down, couple'o'thousand to go (21.19.46) mattock: ok, so enable it by default, remove #ifdef (21.19.50) mattock: next topic? (21.20.00) cron2: mattock: you want to finish by 20:30 today? (21.20.08) mattock: if I can, yes :) (21.20.11) plaisthos: We could do more useless ifdefs :D (21.20.13) cron2: well, the next topic is "peer-id patch" (21.20.15) mattock: #2 "peer-id v7 / peer-id client-only v2 " (21.20.37) mattock: two parts: anyone else wants to review before commiting? (21.20.44) cron2: i put it on the agenda because I want to be sure that "we all" agree that it goes in now - syzzer has reviewed, but I'd like to hear James opinion (21.21.09) cron2: (it has been tested, it has been reviewed, we agree on the principle, so we're nearly there - but it is *big* and should be done right) (21.21.15) plaisthos: I looked at both patches, did not find anything wrong, but haven't done a proper enough look to say "ACK" (21.21.19) plaisthos: so go from me :0 (21.21.34) dazo: So the patch from cron2 complements the patch from lev__? (21.21.40) plaisthos: yes (21.21.42) lev__: both - second one is client only ? (21.21.49) cron2: dazo: my patch is "client side only" (21.21.50) plaisthos: what lev__ said (21.21.52) dazo: and the first is server only? (21.22.01) cron2: no, lev__'s is "all of it" (21.22.19) cron2: my patch is about 1/3 of the changes from lev__ for 2.3, while lev__'s is the full thing for 2.4 (21.22.31) dazo: ehm ... why do we need the second patch if the first patch has everything? (21.22.33) cron2: so a 2.3 client can float, while a 2.3 *server* will not get that (21.22.41) dazo: aaahh (21.22.43) cron2: because the patch is far too intrusive to go into 2.3 :) (21.22.50) dazo: :) (21.23.06) mattock: no words from james (mailed him 10 mins ago) (21.23.08) plaisthos: and since we probably will have another 2.3 release ... (21.23.16) dazo: so the cron2's patch goes into release/2.3 ... while lev__'s goes into master ... right? (21.23.24) cron2: client-side stuff is fairly contained - a new option here, a new IV_ value there, and "in the critical path", it only has very few lines of easy code (21.23.27) cron2: yes (21.23.35) dazo: ACK to the approach! (21.23.48) cron2: server-side touches all the hardcore multi stuff :-) (congrats to lev__ for this, anyway) (21.23.58) cron2: mattock: any word from James? (21.25.09) mattock: no (see ^^^) (21.25.19) dazo: As the patch has been reviewed by cron2 and syzzer, and james was involved in the discussions ... I think we can pull it in unless james disagrees within a few days (21.25.28) mattock: agreed (21.25.58) andj: nice! good news for mobile users :) (21.25.59) cron2: yeah, I'll just mail james a reminder "we think this is good, do you want to wait for us and review?" (21.26.17) mattock: cron2: thanks! (21.26.28) lev__: so, is it going to master now? (21.26.56) andj: yes, unless James gives a nack in the next few days (21.27.03) dazo: lev__: version 6 is golden :) (21.27.09) cron2: lev__: I'd like to give James the chance to comment (21.27.14) dazo: you can do another dance, lev__ ;-) (21.27.15) cron2: dazo: we're at v7 :) (21.27.19) dazo: oh, sorry! (21.27.25) andj: haha (21.28.28) cron2: mailed james (21.28.33) lev__: v7 is basically v6 with minor code reorganizing (21.29.33) dazo: lev__: anyhow, v7 is what counts for us :) (21.29.41) andj: next topic? (21.29.54) cron2: mattock's (21.30.14) mattock: not really mine, but "OpenVPN 2.4" (21.30.33) mattock: basically I put that on the agenda so that we can discuss what's missing (21.30.38) mattock: _still_ missing (21.31.02) andj: haven't had much time to look at the CRL patch (21.31.02) dazo: do we have a summary of the blockers for 2.4 from hackathon? (21.31.09) mattock: dazo: possibly (21.31.14) cron2: dazo: in the hackathon page on the wiki (21.31.22) dazo: duh! (21.31.35) syzzer: an easy one (I think): http://sourceforge.net/p/openvpn/mailman/message/32945354/ (21.31.37) vpnHelper: Title: OpenVPN / Mailing Lists (at sourceforge.net) (21.31.54) mattock: https://community.openvpn.net/openvpn/wiki/MunichHackathon2014 (21.31.56) vpnHelper: Title: MunichHackathon2014 – OpenVPN Community (at community.openvpn.net) (21.32.20) dazo: syzzer: for normal people, anything SSL/TLS usually isn't defined as "easy" ;-) (21.32.23) cron2: syzzer: amazing that you can always remember your old stuff :) (21.33.13) mattock: maybe syzzer uses some advanced system, like Post-It notes? :P (21.33.16) syzzer: cron2: git log ;) (21.34.01) lev__: about 2.4, I think we agreed that someone will ask Fabian to resend async-connect patch with fixed whitespaces (21.34.13) mattock: I think we did decide that (21.34.49) cron2: syzzer: I'm not sure if anyone of us understands the intricacies of not calling tls_ctx_load_dh_params()... (21.35.04) dazo: lev__: I probably have misunderstood, but I thought you would ask/check with Fabian ... but I don't mean to dump things unto you, but feel free to do so :) (21.35.13) lev__: ok I can do that (21.35.17) mattock: nice! (21.35.57) cron2: mattock: I'm not letting you go before netbsd51 stops erroring on me! (21.36.22) plaisthos: syzzer: does OpenSSL fallback to non PFS or does it throw an error if you don't add DH paramters? (21.36.44) plaisthos: (error as in no common cipher) (21.36.47) dazo: syzzer: how will this patch work on a non-EC --server setup where we need --dh today .... but the user forgets to include --dh? (21.37.16) cron2: if it's not included, it will not change the code (21.37.21) syzzer: plaisthos: no. it needs other stuff to do non-PFS, and I already got rid of that stuff in master (21.37.22) cron2: it still checks for "--dh set" (21.37.40) cron2: the only new case is "--dh none", with explicitely calling it "none" (21.37.49) syzzer: dazo: the code will still complain if you don't set --dh, you have to specify '--dh none' to not use DH (21.38.29) dazo: right, and if --dh none is given then ... as the user tries to ignore the dhparam file? (21.38.43) dazo: (that's the first thing newbies on #openvpn will do) (21.39.20) cron2: that is about the same thing I asked - what will "not calling tls_ctx_load_dh_params()" actually *do*, behind the scenes? (21.39.55) cron2: (all the rest of the patch is good for me) (21.39.56) dazo: sorry ... didn't see that (21.40.04) dazo: agreed (21.40.39) syzzer: cron2, dazo: I will dive in again (too long ago, I don't dare to state anything without looking at it again) (21.41.19) mattock: cron2: re: netbsd51: yeah, life got in the way today (21.41.56) mattock: the netbsd builldslave is fairly trivial, so I can finish it after the meeting (21.43.24) mattock: has anyone had time to review d12fk's interactive service code? (21.43.52) plaisthos: is it already in a reviewable state? (21.44.22) mattock: good question (21.44.37) mattock: I think so, but could be wrong (21.45.07) dazo: he has pushed out his tree ... it's one large commit, which he said would be crazy to try to split up into smaller chunks (21.45.23) cron2: he mentioned something about "not compiling" - the thing sophos is shipping is ipv4-only, but he hacked ipv6 into it and that might be unfinished (21.45.35) mattock: ah (21.45.46) syzzer: I did not yet look at it (21.45.49) dazo: git://git.code.sf.net/p/openvpn-gui/openvpn ... in the interactive_service branch (21.45.54) plaisthos: so the v4 code is actually already in producttion? (21.46.21) cron2: yes (21.46.37) cron2: in the astaro/sophos UTM client (21.47.04) dazo: Anyone got some time to look at my query-user patches? http://thread.gmane.org/gmane.network.openvpn.devel/9232 (21.47.07) vpnHelper: Title: Gmane Loom (at thread.gmane.org) (21.47.29) dazo: Or my down-root plug-in patches? http://article.gmane.org/gmane.network.openvpn.devel/9238 http://article.gmane.org/gmane.network.openvpn.devel/9247 (21.47.31) vpnHelper: Title: Gmane -- PATCH down root plugin: Replaced system calls with execve (at article.gmane.org) (21.48.56) mattock: did d12fk say when he'd have the IPv6 bits in place? (21.49.11) syzzer: dazo: no, lev__ kept be busy recently ;) (21.49.15) cron2: d12fk gave us what he has, because we claimed "someone will make it work" (21.49.22) mattock: ah (21.49.30) mattock: who is this mythical "someone", then? :P (21.49.36) dazo: syzzer: fair enough ... his stuff is more important anyhow :) (21.49.38) mattock: hmm, IPv6... I wonder (21.49.44) cron2: (and that was mostly because we didn't have anything before - d12fk was way too busy...) (21.49.53) cron2: mattock: I've heard you're into windows (21.49.58) mattock: lol (21.50.22) mattock: well, I can do testing of course (21.50.56) mattock: just let me know what I should test for (21.51.34) cron2: well... all in good order :) - peer-id, that other patch, release 2.3.6, ... (21.52.13) cron2: as far as releasing 2.3.6 goes: I'll do a tarball on friday/saturday and send syzzer and mattock the locations, and then official push on monday 20:00? (21.52.38) dazo: cron2: I'd like to get the updated systemd unit files into 2.3.6 ... (yet another patch) (21.53.14) plaisthos: cron2: with peer-id client stuff (21.53.15) dazo: http://article.gmane.org/gmane.network.openvpn.devel/9222 (21.53.16) plaisthos: ? (21.53.16) cron2: dazo: are they on the list? (21.53.17) vpnHelper: Title: Gmane -- PATCH systemd: Reworked the systemd unit file to handle server and client configs better (at article.gmane.org) (21.53.25) syzzer: cron2: could you send me the output of git format-patch v2.3.5 perhaps? (21.53.29) cron2: plaisthos: yes! (21.53.33) plaisthos: great! (21.53.34) dazo: yes, all my stuff has been pushed out (21.53.40) cron2: syzzer: ok (21.53.45) dazo: mailed to the ML, that is (21.53.57) cron2: ah, there it is (21.54.41) mattock: cron2: re: 2.3.6 schedule sounds good (21.55.00) dazo: cron2: The client side stuff has been tested, quite successfully even (21.56.00) dazo: (server side part should be functional too, but not so much tested as the client side) (21.56.56) mattock: regarding interactive service (21.57.18) mattock: perhaps we should consider making special OpenVPN builds for it (21.57.37) mattock: I think we could get a fair amount of testers that way, given how useful it is to many people (21.57.41) dazo: mattock: that sounds like a good idea ... at least have it as an experimental download (21.57.47) mattock: exactly (21.57.48) dazo: on the community pages (21.57.57) mattock: and advertise it like hell (21.58.05) cron2: "master" windows builds will have it, "2.3" might get it if it turns out to be stable and way cool (21.58.37) mattock: it's already way cool compared to what we have :P (21.58.38) vpnHelper: RSS Update - gitrepo: systemd: Reworked the systemd unit file to handle server and client configs better <https://github.com/OpenVPN/openvpn/commit/3341a98c2852d1d0c1eafdc70a3bdb218ec29049> (21.58.42) dazo: I'd say we should aim this for 2.4+ ... as I think the patch set is a bit too big, tbh (21.58.50) dazo: (for a 2.3 backport that is) (21.59.05) cron2: right, forgot that it's much more than "just the service side" (22.00.27) mattock: Trac's view of what's missing from 2.3.6 and 2.4: (22.00.27) mattock: https://community.openvpn.net/openvpn/query?status=accepted&status=assigned&status=new&status=reopened&milestone=release+2.3.6&col=id&col=summary&col=milestone&col=status&col=type&col=priority&col=component&order=priority (22.00.27) mattock: https://community.openvpn.net/openvpn/query?status=accepted&status=assigned&status=new&status=reopened&milestone=release+2.4&col=id&col=summary&col=milestone&col=status&col=type&col=priority&col=component&order=priority (22.00.29) vpnHelper: Title: Custom Query – OpenVPN Community (at community.openvpn.net) (22.00.30) vpnHelper: Title: Custom Query – OpenVPN Community (at community.openvpn.net) (22.00.40) mattock: the 2.4 part probably needs a bit cleaning (22.01.56) cron2: I'll look into the 2.3 stuff (22.02.12) mattock: cron2: I squashed a few trivial documentation bugs already (22.02.20) mattock: there are a couple more (22.02.44) cron2: yep, merged one of them :) (22.02.46) mattock: oh, just for the record, the NSI stuff for 2.4 is still wip (22.02.58) mattock: I'll note that in the summary (22.03.49) mattock: are we covered for now? (22.04.31) cron2: I think that's good enough, I'm not really very much awake today... let's redo a short and focused meeting in two weeks or so (22.04.39) mattock: agreed (22.04.58) mattock: Monday 8th Dec it is (22.05.02) mattock: any objections? (22.05.05) lev__: so to be sure: peer-id will go to master in few days if James won't say NACK (22.05.05) syzzer: yeah, sounds ok (22.05.10) andj: sounds good (22.05.12) dazo: lev__: yes (22.05.19) cron2: lev__: yes (22.05.28) dazo: lev__: I said you could do your dance ;-) (22.05.28) cron2: mattock: go for it :) (22.05.33) syzzer: one more question: did we wait long enough to remove ENABLE_SSL ? (22.05.46) cron2: syzzer: did you get *any* response? (22.05.51) syzzer: no, none at all (22.06.00) mattock: then people don't care probably (22.06.00) cron2: out with it (22.06.11) syzzer: good, I'll send a patch soon :) (22.06.12) dazo: syzzer: there was one from #openvpn .... /me digs it up (22.06.14) mattock: they will scream when it's gone, but that should be fairly limited (22.07.03) plaisthos: and then provide no valid use case (22.07.10) mattock: :) (22.07.22) plaisthos: (like people requesting that they really need binding to port < 1024 on Android) (22.07.32) dazo: <dazo> <Eugene> I can't imagine anybody seriously missing that one, except maybe the Debianites (22.07.32) dazo: <dazo> <Eugene> Or that one Gentoo lunatic(there's always one...) (22.07.34) dazo: syzzer: ^^^ (22.07.46) dazo: ;-) (22.08.01) mattock: ok, so a "lunatic" might object (22.08.05) mattock: I think we can live with that :P (22.08.08) dazo: :) (22.08.29) plaisthos: IT RUNS FASTA without SSL which I DO NOT NEED! FIX It You M0R0NS! (22.08.36) mattock: just to make sure: syzzer asked about this on ml? (22.08.47) cron2: mattock: both on -users and -devel lists (22.08.49) syzzer: yes, mailed to -users, BCC'ed -devel (22.08.51) mattock: ok, good (22.09.28) plaisthos: I sucks at bash script (22.09.36) dazo: syzzer: kick it out :) (22.09.39) plaisthos: I cannot get an if (IV_PROTO >= 2) right (22.09.41) dazo: plaisthos: who doesn't? (22.10.16) syzzer: dazo: more than happy to! (22.10.20) dazo: plaisthos: try -ge instead of >= (22.10.26) cron2: plaisthos: if [ -n "$IV_PROTO" -a "$IV_PROTO" -gt 1 ] ; then ... (22.10.28) cron2: suchish (22.10.52) plaisthos: cron2: thanks (22.11.36) mattock: are we done? (22.11.44) mattock: I have a netbsd buildslave to fix (22.11.45) mattock: :) (22.11.46) cron2: mattock: good night :) (22.11.58) mattock: cron2: not that fast (22.12.06) syzzer: yep, done (22.12.29) mattock: ok, see you guys in two weeks (22.12.39) andj: see you
openvpn_irc_meeting_chatlog_2014-11-24.txt.sig
Description: PGP signature
