Hi,
Here's the summary of today's IRC meeting.
---
COMMUNITY MEETING
Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Monday 9th Nov 2015
Time: 20:00 CET (19:00 UTC)
Planned meeting topics for this meeting were here:
<https://community.openvpn.net/openvpn/wiki/Topics-2015-11-09>
The next meeting has not been scheduled yet, but will probably be
arranged two weeks from now.
Your local meeting time is easy to check from services such as
<http://www.timeanddate.com/worldclock>
SUMMARY
cron2, lev, mattock, valdikss and syzzer participated in this meeting.
---
Discussed setting up a Flattr account for receiving donations. It was
agreed that it makes sense, but it was not clear who would take care of
the money, and how exactly the money would be distributed. Cron2
suggested using the money to sponsor the developer hackathons, which
have proven quite useful. Mattock will discuss this internally at the
company to see if the company could hold the money.
--
Discussed PolarSSL end-of-life, which is due on 31st December 2015.
Because very few package-based Linux distributions provide "OpenVPN with
PolarSSL" packages, we'll simply drop PolarSSL 1.2 support from OpenVPN
when the time comes. Source-based distributions probably don't have an
issue with us dropping PolarSSL 1.2 support, as their users can link to
1.3 easily at compile time.
--
Discussed setting up Travis-CI and Coverity for OpenVPN. It was agreed
that this is a good idea. Syzzer will do some testing in his own GitHub
fork of OpenVPN and when it works, we'll migrate the configuration to
the official GitHub repository.
--
Discussed the OpenVPN 2.3.9 release. The Windows 10 DNS fix from
valdikss should be included. ValdikSS will provide a separate patch for
2.3 and Git "master". We will aim at releasing 2.3.9 with PolarSSL 1.2
at the end of this month, and 2.3.10 with PolarSSL 1.3 about two weeks
after that.
--
Discussed the "Use adapter index instead of name" patch:
<http://article.gmane.org/gmane.network.openvpn.devel/10361>
Lev will look into the correct syntax for the interface definition and
get back.
--
Discussed the "Support for disabled peer-id" patch:
<http://article.gmane.org/gmane.network.openvpn.devel/10216>
Syzzer promised to review this patch.
--
Discussed the "Notify clients about server's exit/restart" patch:
<http://thread.gmane.org/gmane.network.openvpn.devel/9496/focus=10278>
This has already been ACKed by Arne and will be merged soon.
--
Discussed the query username/password patches from dazo. Cron2 promised
to review them tomorrow evening.
--
Discussed the "When --disable is set for a client, the server never
replies to the client." ticket:
<https://community.openvpn.net/openvpn/ticket/521>
Mattock sent the reporter an email, asking him to test the patch dazo
had provided.
---
Full chatlog has been attached to this email.
--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
(21:06:09) mattock: hi guys!
(21:06:21) lev__: hi mattock1!
(21:07:49) mattock: everybody set?
(21:07:56) mattock: topics for today:
https://community.openvpn.net/openvpn/wiki/Topics-2015-11-09
(21:09:20) syzzer: yes, ready!
(21:09:53) ***cron2 remarks being impressed with our new windows strategy
(21:10:04) cron2: whatever we did, people are sending windows fixes now! woot!
(21:10:19) syzzer: yes, it is really working
(21:10:21) mattock: even without mattock doing the tasks he promised
(21:10:22) syzzer: very nice
(21:10:26) mattock: :P
(21:10:33) syzzer: yes, go fork!
(21:10:44) mattock: I will definitely need to setup the forum board, IRC
channel and fork openvpn-gui to GitHub
(21:10:59) mattock: I'll prioritize those and start work on them tomorrow
(21:11:00) cron2: syzzer: speaking about tasks :-) - do we have a trac ticket
or anything to remind you of the "warn if local cert is expired" wish?
(21:11:08) cron2: mattock1: tomorrow is always an option!
(21:11:27) syzzer: cron2: uh, not sure
(21:11:38) mattock: cron2: yes, and I'm speaking of a static tomorrow (10th
Nov), not "tomorrow" that recurs every "today"
(21:11:38) syzzer: either way, I completely forgot about it
(21:11:58) cron2: mattock1: oh, the northern europe "tomorrow", not the
southern "manana" :)
(21:12:13) cron2: syzzer: feel yourself reminded (always at your service)
(21:12:21) cron2: shall we start?
(21:12:30) mattock: syzzer: one question before we start
(21:12:34) mattock: what is your personal email?
(21:12:42) mattock: feel free to PM me or whatever
(21:12:47) ***cron2 shows mattock1 "git log" :)
(21:12:47) mattock: if you don't want it published
(21:12:53) mattock: ic
(21:12:56) mattock: let's start then
(21:13:12) mattock: do we want to discuss "moneyz" first, or will that become
too much bikeshedding?
(21:13:18) cron2: half the patches are coming from the private address :)
(21:13:21) mattock: as a first topic I mean
(21:13:31) cron2: it's on position 1, and should be quick...
(21:13:49) mattock: syzzer: found it at HEAD^1 :)
(21:13:56) mattock: ok, fine, moneyz
(21:14:03) mattock: this came from ValdikSS, right?
(21:14:08) cron2: yep
(21:14:39) cron2: but I think it might make sense to have a way to receive
funds, and then use them in a way that helps the project
(21:14:52) syzzer: yes, the one from HEAD~1 is good ;)
(21:15:09) syzzer: yes, agreed
(21:15:10) cron2: now the actual decision how to spend it and who does the
*work* involved is not so easy
(21:15:20) valdikss: strongSwan project uses flattr. It's pretty convenient and
easy to use.
(21:15:20) cron2: and how to get tax authorities non-involved
(21:16:00) mattock: valdikss: I contribute to projects using Flattr, and it's
pretty nice
(21:16:12) mattock: I don't have to remember to donate, it's mostly automatic
(21:16:16) cron2: I think this is the easy part
(21:16:24) mattock: a monthly budget being divided between supported projects
(21:16:26) mattock: cron2: indeed
(21:16:35) mattock: what to do with the money is the tricky part
(21:16:48) cron2: and who handles the work involved
(21:17:36) mattock: and where does the money actually go
(21:17:59) cron2: money is complicated - if there is none, it is easy. If
there is, discussions about fairness and shares etc. *will* start
(21:18:23) mattock: yeah
(21:18:59) syzzer: we have quite a stable group now, so at least for now I
think we can handle that :)
(21:19:22) syzzer: but yeah, it does complicate things
(21:19:55) syzzer: maybe appoint a shepherd or something? /me goes look at
flattr pages of other projects to see how this works.
(21:20:11) cron2: my suggestion is "find a way to make it come in, and use it
for beer and food on the next hackathon" - if it ends up being more than we can
eat, start the bikeshedding
(21:20:47) syzzer: sounds like a plan to me. the meetings have been very much
contributing to openvpn development.
(21:21:23) cron2: mattock1: would you be willing to be the funds keeper?
(21:21:44) mattock: hmm
(21:21:53) mattock: I would have to consult Francis about that
(21:22:28) mattock: I can manage the Flattr account for sure, but where the
money goes is another thing
(21:22:33) cron2: yeah
(21:23:01) cron2: it needs to be a separate account of some sort, so
bookkeeping is clear
(21:24:35) mattock: anyways, I'll talk about this with Francis
(21:25:00) mattock: either the company holds the funds (if you trust it), or
some designated community member holds the funds (if you trust him/her)
(21:25:12) mattock: I'm not sure if "the company" has any opinion of this or not
(21:25:13) syzzer: ok, so the decision is 'we like the plan, need to figure out
how to implement it'?
(21:25:14) ***cron2 doesn't want to do this, as my tax account already finds it
hard to understand what I do and where the money comes and goes (all the IPv6
conferences and such)...
(21:25:28) cron2: syzzer: +1
(21:25:31) mattock: +1
(21:25:39) cron2: (s/account/advisor/)
(21:26:40) cron2: next?
(21:26:48) mattock: yes
(21:26:59) syzzer: ah, I'm up!
(21:27:09) syzzer: so, polar 1.2 is going EOL by 31 dec
(21:27:09) mattock: 2. PolarSSL end-of-life on 31-12-2015 (syzzer)
(21:27:29) cron2: which means "no more security fixes", which is bad on this
SSL stuff
(21:27:40) syzzer: yep
(21:27:52) syzzer: so we will need to add support for 1.3
(21:28:05) syzzer: in the release/2.3 that is, because master already has that
(21:28:17) syzzer: the question is, do we want to keep supporting 1.2 too?
(21:28:46) cron2: this would really be for the benefit of distribution makers,
right?
(21:28:55) cron2: has anyone of them announced how they want to handle this?
(21:28:56) syzzer: I did a proof-of-concept path for dual-support, and it needs
a considerable amount of #ifdefs to work
(21:29:15) syzzer: cron2: yes, keeping 1.2 in there would be for distributions
(21:29:25) ***cron2 is not overly enthusiastic about "we add ifdefs to support
an old and possibly buggy SSL library"
(21:29:43) mattock: I say let distributions handle it
(21:29:47) syzzer: yes, me neither, but I wanted to try to see how many that
would need to be before I discarded the plan
(21:30:02) syzzer: I would be in favour of dropping 1.2-support too
(21:30:19) cron2: mattock1: well, distributions might state "we keep 1.2 around
and backport security fixes" - or "we drop 1.2 then, and go for 1.3"
(21:30:38) mattock: cron2: yes, some distros like RedHat and Debian would keep
1.2 around
(21:30:42) mattock: and backport security fixes
(21:30:43) syzzer: most distributions don't like to move to another version
(21:31:06) mattock: however, many of those same distros do periodic major
upgrades of packages
(21:31:06) valdikss: Are there distros which really build openvpn with polarssl?
(21:31:22) mattock: valdikss: not sure, I'll do a quick review
(21:31:52) syzzer: valdikss: barely
(21:32:02) cron2: what about: release 2.3.9 with polar 1.2 support, 2.3.10 with
polar 1.3, and if a distribution is shipping 1.2+security fixes, they can do
2.3.9+security fixes as well?
(21:32:04) valdikss: AFAIK PolarSSL is used in OpenWRT and some other distros,
but they also provide OpenVPN built with OpenSSL in the same repo
(21:32:37) syzzer: cron2: yes, that is what I was thinking of
(21:32:43) cron2: no
(21:32:49) cron2: no #ifdef please :)
(21:32:52) mattock: Fedora 21, Debian 8, Ubuntu 14.04: no openvpn-polarssl
(21:33:05) syzzer: ok, good
(21:33:30) syzzer: and since I'm migrating OpenVPN-NL to 1.3 too, I don't think
there's much reason to keep 1.2-support
(21:33:34) cron2: OpenWRT will be able to handle this :)
(21:34:00) syzzer: I'll cook up a patch in the coming weeks
(21:34:09) mattock: Debian "unstable" does not have PolarSSL version of OpenVPN
either
(21:34:37) cron2: cool
(21:34:43) valdikss: AFAIK all the major distros use OpenSSL for OpenVPN, but
some distros have both PolarSSL build and OpenSSL.
(21:35:13) valdikss: I didn't see a build with just PolarSSL, except, well,
mobile devices.
(21:35:19) mattock: latest development Ubuntu's don't have OpenVPN with
PolarSSL either
(21:35:22) mattock: so it's pretty rare
(21:35:33) mattock: source-based distros might have it, though
(21:35:42) syzzer: yes, I know those have
(21:35:43) mattock: but then again, those are not an issue
(21:35:54) syzzer: those are for people who love pain ;)
(21:36:08) mattock: yes, like cron2 with his Gentoo :P
(21:36:10) cron2: they can then just require 1.3 - and thank us for not
sticking to 1.2 any longer
(21:36:28) mattock: ok, topic covered?
(21:36:35) ***cron2 just had to repair a colleague's debian last weekend... :-)
(21:36:41) syzzer: yep, as far as I'm concerned
(21:36:47) cron2: good
(21:36:50) cron2: 3. is still you
(21:37:04) syzzer: yes, so I've been toying around with coverity last week
(21:37:07) syzzer: and it seems useful
(21:37:23) cron2: +1
(21:37:25) syzzer: so I'd like to integrate the whole thing into automatic
analysis
(21:37:41) cron2: +1
(21:37:54) syzzer: the preferred framework for that seems to be github +
travis-ci + coverity
(21:38:08) ***cron2 has no idea and no opinion
(21:38:55) syzzer: but since I don't have the rights to integrate this myself,
I was considering to link the whole thing to my personal openvpn 'fork' on
github for now, figure out how to do it properly and then move towards
integrating with the real github project
(21:39:25) syzzer: but, that would mean linking the 'official' coverity project
to my personal github fork
(21:39:36) cron2: what rights do you need?
(21:40:04) syzzer: not sure, but I can't connect it to OpenVPN/openvpn.git
(21:40:21) cron2: shouldn't that be read-only?
(21:40:22) syzzer: I can connect to my personal and fox-it projects
(21:40:44) cron2: strange
(21:41:01) syzzer: but since I need to be able to commit to test the whole
thing, I don't think it makes sense to use the official one right away
(21:41:27) syzzer: or can you give me (temporary) commit rights for a specific
branch?
(21:41:34) syzzer: e.g. a
(21:41:42) syzzer: 'cov_build' branch
(21:41:45) ***cron2 is fine with that, but mattock1 would have to do that, I
think
(21:42:06) cron2: no idea whether I can grant rights, he's project owner :)
(21:42:21) syzzer: either is fine with me, but didn't want to link it to my
personal project without consulting you :)
(21:42:40) cron2: cov_build, and when that all works, we figure out what rights
you need
(21:42:59) mattock: ok so no rights required quite yet?
(21:43:03) cron2: (and whether you want to just keep commit rights, in case
dazo and I both get hit by a truck...)
(21:43:16) cron2: mattock1: yes, commit rights
(21:43:21) mattock: or get eaten by a pack of wolves on two unrelated incidents
(21:43:31) syzzer: for a 'cov_build' branch I would need commit rights for such
a branch in the github project
(21:43:33) mattock: (from Git documentation regarding SHA-1 hash collisions)
(21:43:46) mattock: ok so commit rights to the OpenVPN GitHub project
(21:43:49) mattock: just a sec
(21:43:51) cron2: yep
(21:44:56) syzzer: ok, cool :)
(21:45:21) syzzer: will toy around with it more next week and let you know :)
(21:45:22) mattock: syzzer: syzzer is your GitHub account also?
(21:45:28) syzzer: mattock1: yes
(21:46:44) syzzer: ok, so from now on I need to be more careful when I start
typing 'push' :')
(21:46:59) mattock: syzzer: you should have received an invite
(21:47:01) mattock: next topic?
(21:47:05) syzzer: yes, got it
(21:47:08) syzzer: next!
(21:47:23) cron2: syzzer: please :-) it would be slightly annoying to have to
clean up that
(21:47:28) ***cron2 invokes xkcd...
(21:47:29) mattock: 3. 2.3.9 release
(21:47:53) cron2: yep, mine. There is quite some amount of goodness in 2.3 by
now which wants out - anything else?
(21:48:18) syzzer: the two 'on hold' patches ofc
(21:48:20) cron2: like, the win10 dns fix - which needs to go in, but it will
break winxp
(21:49:00) syzzer: win10 would be nice indeed
(21:49:16) syzzer: any word on whether those are possible to do it without
breaking xp?
(21:49:46) cron2: the functionality and library is not there, so you need
#ifdef in win32.c and "something in the build system"
(21:50:07) mattock: there are also rumours about MS fixing the DNS issue, but
those are just that: rumours
(21:50:15) mattock: so we can't really depend on those
(21:50:31) mattock: we can backpedal if MS indeed delivers
(21:52:03) cron2: given that the C code can be #ifdef'ed on WINNT_VERSION (or
whatever it is called), it sort of falls onto mattock1's lap, I think... the
build system would need to build two binaries with different WINNT options
(21:52:39) mattock: the buildsystem part could get a bit tricky, but I have not
dared look at it quite yet
(21:53:21) cron2: Changes.rst needs to be done for 2.3 as well
(21:53:34) mattock: that is also on my todo, just have not prioritized it
sufficiently yet
(21:53:48) mattock: but it's fairly quick thing to do, based on the release
announcements
(21:54:12) lev__: did anybody test it except valdikss and me? for me it works
but adds 10sec delay to dns request when using ethernet adapter
(21:54:29) mattock: lev__: I have not tested it
(21:54:37) valdikss: lev__: I have one of my clients tested it, works fine for
him.
(21:54:46) ***cron2 still has no win10 machine :(
(21:55:18) mattock: I have one VM, but I'm not sure if it's still alive
(21:55:25) lev__: I would love to use it instead dirty register hack, but on
only machine with reproducible leak it has this nasty side effect
(21:55:39) lev__: .. instead of ..
(21:56:03) syzzer: lev__: is that just the first dns request, or *each* request?
(21:56:03) lev__: /register/registry/
(21:56:15) cron2: looking at the patch right now - it has a change to
Makefile.am, which would break 2.3 on XP
(21:56:28) cron2: so I could merge it as is for master, and leave off that
chunk for 2.3
(21:56:54) mattock: once it's in "master", we get Windows snapshot builds which
we can announce
(21:57:01) mattock: and hopefully we'd get more people to test it
(21:57:03) lev__: each dns request to a new domain, then it got cached into
local resolver
(22:01:33) cron2: hrmph... and we don't really want the #if _WIN32_WINNT check
in master
(22:02:34) cron2: valdikss: are fwmpu.h and fwpmtypes.h available on XP builds?
(22:02:36) valdikss: Well, I can do 2 patches then
(22:03:12) valdikss: cron2: I'm not sure. They may be available in mingw, but
not the libraries itself.
(22:03:34) valdikss: cron2: in general, they should not be available.
(22:04:01) cron2: valdikss: I think we should cover those in the #ifdef as well
- but yes, a split patch for master (no #ifdef) and 2.3 (#ifdef, no change to
Makefile.am and vcproj) would be good
(22:04:27) cron2: so someone who wants to build 2.3 with that patch would need
to ensure that his build environment sets VISTA and links the right stuff
(22:05:37) cron2: otherwise I need to trust you and lev__ regarding
functionality (maybe mattock1 can find someone at openvpn tech to test?), as I
can't test
(22:06:48) mattock: cron2: I can ask about this on our internal mailing list
(22:08:25) mattock: ok, so two patches, mattock will ask if somebody at openvpn
tech could also test the patch
(22:08:38) mattock: do we have a link to an installer with the patch?
(22:08:48) cron2: yes, and maybe we should aim for 2.3.9 release "end of the
month" or so (I'll be travelling next week)
(22:09:04) mattock: end of the month sounds reasonable
(22:09:40) mattock: anything else missing from 2.3.9?
(22:10:11) syzzer: hmm, sorry, getting back to the polar 1.3 thing
(22:10:24) syzzer: do we want a release with 1.3 before 1.2 goes EOL?
(22:10:33) mattock: yeah
(22:10:37) syzzer: because then the 1.3 upgrade should go into 2.39
(22:10:38) mattock: so that people can upgrade
(22:10:59) cron2: I was thinking about releasing 2.3.10 fairly shortly after
2.3.9, with not much more than the polar change in it
(22:11:01) syzzer: since I'm guessing there will be no 2.3.10 before jan 1
(22:11:07) mattock: before they have a steaming pile of security holes at their
hands :)
(22:11:09) syzzer: ah, that would be fine too
(22:11:32) cron2: keep reminding me that this is my plan :)
(22:12:29) mattock: 2.3.9 with polarssl 1.2 and 2.3.10 soon after with polarssl
1.3 is very doable
(22:13:12) mattock: cron2: what does "fairly shortly after" mean?
(22:13:15) mattock: before end of the year?
(22:13:18) cron2: yes
(22:13:32) cron2: two weeks, dunno
(22:13:37) mattock: ok
(22:13:45) mattock: I'm fine with that
(22:13:54) mattock: so that's our plan I guess
(22:14:10) syzzer: perfect
(22:15:00) cron2: patch review...?
(22:15:18) mattock: yes
(22:15:29) cron2: adapter index - I
(22:15:45) mattock: lev__: finally we get to your patches :)
(22:15:57) lev__: so, I guess I should use index in other places for consistency
(22:16:11) cron2: I've sent a comment to the list. Basically I'm fine, but
there's two things - I want to use this consistently for address and route, and
wonder about the right syntac
(22:16:14) cron2: syntax
(22:16:15) cron2: 42
(22:16:16) cron2: IF 42
(22:16:19) cron2: interface=42
(22:16:23) cron2: or "all of them are valid"
(22:16:51) lev__: I will check
(22:17:16) cron2: but that is ongoing, I'd say :)
(22:17:42) lev__: yeah I won't send a new version now
(22:17:58) cron2: * notify client about server exit -> plaisthos has ACKed, I
lost track, will merge
(22:18:10) cron2: * support for disabled peer-id -> needs review
(22:20:40) ***cron2 does not see anything obvious ("looks good to me") but does
not understand the surrounding code well enough to give it an ACK "just so"
(22:22:18) syzzer: ah, yes, the disabled peer id one
(22:23:27) lev__: this is described in "OpenVPN protocol extensions update"
document
(22:25:17) syzzer: I remember looking at the patch and thinking it looked good
(22:25:25) syzzer: but didn't look good enough
(22:25:28) syzzer: yet
(22:25:48) syzzer: one thing I was wondering, shouldn't we make the server also
send P_DATA_V2?
(22:25:49) mattock: so you did not have a good enough look, or the patch was
not good enough yet? :P
(22:26:11) syzzer: that way we can start moving away from the old packet format
(22:26:35) syzzer: mattock1: I didn't look good enough to convince myself I
actually understand what's happening
(22:26:52) lev__: syzzer: good question, I think we planned it when we were
discussing peer-id about a year ago
(22:27:46) cron2: syzzer: compression v2 needs P_DATA_V2 as well, right?
(22:28:03) syzzer: cron2: no, I don't think so
(22:28:39) syzzer: compression works on the crypto payload only, it doesn't
really care about the whole opcode and crypto stuff
(22:29:03) cron2: good argument. but AEAD needs P_DATA_V2?
(22:29:04) syzzer: but openvpn 3 has this 'all or nothing' approach
(22:29:21) cron2: ah
(22:29:36) syzzer: nope, AEAD works without too. But, in V2 the opcode is
authenticated too, so it does improve AEAD mode.
(22:30:05) ***cron2 can see why v3 does all-or-nothing :)
(22:30:46) valdikss: Since we had a talk about patches for Windows, should we
set 'run as administrator' flag for a shortcut by default from the installer?
It works without admin privileges only without ipv6, and with ipv6 it never
works.
(22:31:26) valdikss: Or maybe have to think on another way to get admin
privileges if needed
(22:31:59) mattock: valdikss: we have discussed this in the past, d12fk, who
has written the Interactive service thing had the opinion that we should rather
add interactive service to openvpn and not require admin rights
(22:32:04) cron2: that is the iservice can of worms... we want iservice (and
this is why d12fk always opposed setting the admin flag), but for 2.3, the flag
might just be the right thing to do...
(22:32:07) mattock: however, interactive service is still not in openvpn
(22:32:18) mattock: yeah, for 2.3 definitely
(22:32:20) cron2: what mattock says
(22:32:42) cron2: just make sure that when we merge iservice, we remove that
flag again
(22:33:48) mattock: valdikss: couldn't we do the RequestExecutionLevel thing in
the actual binary?
(22:33:53) mattock: instead of the shortcut
(22:34:08) valdikss: mattock1: I'm not definitely sure, but from what I read,
you can't do that.
(22:34:26) mattock: ah, so just a command-line switch to the shortcut file
(22:34:33) valdikss: mattock1: BUT I suppose you can semi-control this in the
runtime using .manifest file
(22:34:48) mattock: so openvpn.exe + openvpn.manifest, right?
(22:34:58) valdikss: openvpn.exe.manifest AFAIK
(22:35:00) mattock: ok
(22:35:14) valdikss: I'm not truly sure tho
(22:35:17) mattock: I can
(22:35:24) mattock: 't recall the details, either
(22:35:48) mattock: but if RequestExecutionLevel is set to Admin, then Vista+
should give a UAC prompt
(22:35:52) mattock: asking for admin rights
(22:35:55) mattock: afaik
(22:36:16) mattock: or not authorizing the user if he/she does not have admin
rights
(22:36:34) mattock: anyways, I can definitely do this after some testing
(22:36:39) cron2: but that would not be the right thing - we want this to work,
not ask for admin rights
(22:37:16) cron2: (ask for "is this ok?" fine, but not ask for credentials)
(22:37:25) mattock: the authorization part is handled by UAC, so I suspect
there's nothing we can do about it
(22:37:32) mattock: it probably does not ask for credentials
(22:37:47) cron2: testing :)
(22:37:49) syzzer: it will ask for credentials if you're not local admin
(22:37:54) mattock: I've never seen Windows 7 or later ask for credentials if
the user has admin rights
(22:37:59) syzzer: (or domain admin, ofc)
(22:38:07) mattock: syzzer: ah, I see
(22:38:21) cron2: well, if the user has admin rights, we don't need this anyway
(22:39:20) mattock: so, I'll do some testing and we include this in 2.3
(22:39:23) syzzer: no, you do, so people don't have to do 'run as admin' by hand
(22:39:48) mattock: yeah, and get an openvpn connection which has no routes set
(22:40:06) mattock: so we need this, but what Windows does to grant admin
rights is beyond our control afaik
(22:40:13) cron2: I understand the problem with "not enough rights", but I
wonder if "set a flag and windows will ask for admin credentials every time" is
a useful way forward
(22:40:16) mattock: it may or may not ask for credentials
(22:40:34) cron2: if you set the "run as admin" compat flag, you need the
credentials *once* and then it will just ask "is it ok to run?"...
(22:40:37) mattock: I suspect Windows will ask for credentials even if user
does "run as admin"
(22:40:44) mattock: ok
(22:41:03) cron2: but maybe I'm totally misunderstanding what can be done and
what can not be done
(22:41:14) syzzer: yeah, well, same here...
(22:41:36) syzzer: I'm not used to not having admin rights :p
(22:41:37) mattock: I'd think Windows would cache the credentials once they're
entered once to some place
(22:41:50) mattock: but I can do the manifest trick and we can do some testing
afterwards
(22:42:12) mattock: no need to discuss this because none of us knows how it
works exactly :P
(22:42:20) cron2: right
(22:42:45) mattock: also, this is a good task for the Windows team guys, after
I setup the IRC channel (tomorrow)
(22:42:52) cron2: +1
(22:42:53) mattock: the testing part in particular
(22:43:12) mattock: next topic?
(22:44:47) syzzer: sure :)
(22:45:09) cron2: dazo's patches, and trac tickets
(22:45:11) mattock: oh, and regarding "disabled peer-id": somebody needs to
review it more properly, right?
(22:45:15) cron2: yes
(22:45:18) mattock: ok
(22:45:38) mattock: so dazo was asking about his Query username/password
patches
(22:45:57) mattock: he was on the fringe of applying lazy ack to get them in
(22:46:09) mattock: anything blocking them from being merged?
(22:46:25) syzzer: just review and testing, afaik
(22:46:30) cron2: "lack of review"...
(22:47:14) cron2: I'll look into them tomorrow evening
(22:47:26) mattock: ok, great, dazo will appreciate that!
(22:47:49) syzzer: then I'll commit myself to looking at the disabled peer-id
patch
(22:47:57) cron2: cool
(22:48:14) lev__: syzzer: thanks!
(22:48:49) mattock: so then we have Trac tickets left
(22:48:56) mattock: anything particularly important?
(22:49:03) mattock: "more important than others"
(22:49:08) ***cron2 is tired
(22:49:25) mattock: good point, so am I
(22:50:00) mattock: I'll check the ticket dazo asked us to cover
(22:50:20) mattock: https://community.openvpn.net/openvpn/ticket/521
(22:50:24) cron2: I've seen that he has added analysis and proposed patches,
but not looked more detailed
(22:50:35) mattock: so dazo provided a patch that might have fixed the issue,
and asked for testers
(22:50:58) valdikss: Oh, that patch is very similar to my issue
(22:51:01) valdikss: https://community.openvpn.net/openvpn/ticket/180
(22:51:12) valdikss: I mean, I have exactly the same thing
(22:51:20) cron2: didn't I link them?
(22:51:30) valdikss: Read dazo's last answer
(22:51:38) mattock: ticket #521 was posted by ecrist, so maybe we should throw
the ball to him?
(22:51:44) mattock: posted=reported
(22:51:53) valdikss: also
https://community.openvpn.net/openvpn/ticket/521#comment:8
(22:52:44) valdikss: and
https://community.openvpn.net/openvpn/ticket/180#comment:10
(22:54:23) mattock: I'll email ecrist about dazo's patch to #521
(22:56:59) mattock: sent
(22:57:19) mattock: it seems things are slowing down a bit
(22:57:26) mattock: maybe we should just call it a day?
(22:57:30) cron2: +1
(22:57:35) cron2: (barely enough energy left :) )
(22:58:15) mattock: you know things are really bad when you're too tired to go
to bed :)
(22:58:17) syzzer: yeah, not much brains left here either
(22:58:29) mattock: we got lots of stuff done
(22:58:47) mattock: maybe we should Flattr the patch review you guys will be
doing tomorrow :P
(22:58:56) cron2: haha :)
(22:59:09) mattock: sponsor a beer or two, so that you get the endurance to get
through it
(22:59:36) cron2: (if we have *that* much money coming in that we can actually
pay normal hourly fees for coding and review, then I'm impressed :) )
(22:59:49) mattock: we might actually get a fair amount
(23:00:08) mattock: after a while at least, once the word gets out
(23:00:23) mattock: many people want to contribute money, but doing so is too
much of a hassle
(23:00:31) syzzer: would be cool, let's see :)
(23:00:48) mattock: Flattr seems one of the most sane and useful approaches imho
(23:00:53) mattock: anyways, good meeting!
(23:00:58) syzzer: indeed
(23:01:02) syzzer: and good night! :)
(23:01:05) mattock: again in two weeks at latest
(23:01:08) mattock: good night!
(23:01:18) lev__: good night!
(23:01:19) cron2: 2 weeks, yes
(23:01:24) cron2: next week I'm in bucharest