Hi, Here's the summary of today's IRC meeting.
---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wednesday 22nd Oct 2017
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:

<https://community.openvpn.net/openvpn/wiki/Topics-2017-02-22>

The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

SUMMARY

chipitsine, cron2, dazo, debbie10t, eworm, mattock and syzzer participated in this meeting

--

Discussed OpenVPN 2.4.1 release. Agreed that we should make the release in about two weeks. The OpenSSL 1.1.x support patches will be included if possible:

<https://github.com/emmanuel-deloget/openvpn/commits/openvpn-1.1>

The patches should not affect OpenSSL 1.0.x support, so including the patchset does not require us to bundle (Windows) installers with OpenSSL 1.1.x. Eworm has done testing with the full patchset, and syzzer has tested each patch individually. Syzzer reviewed and ACKed a few of these patches during the meeting.

--

Discussed what to do with patches that can't be attributed properly (name + email), such as this one:

<https://community.openvpn.net/openvpn/ticket/825>

Agreed that we can take responsibility of the smaller patches if the author can't be reached. Larger patches that can't be attributed will be simply ignored.

---

Full chatlog has been attached to this email.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock

(21:01:55) syzzer: meeting time!
(21:01:57) mattock: hi
(21:01:59) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2017-02-22
(21:02:00) vpnHelper: Title: Topics-2017-02-22 – OpenVPN Community (at community.openvpn.net)
(21:03:00) mattock: I'll be back in ~5 mins, need to do something real quick
(21:03:08) cron2_: so... is there anything we can discuss without dazo?
(21:03:26) syzzer: the openssl patches?
(21:03:57) syzzer: I'm applying them to my local tree now, getting ready review
(21:04:10) cron2_: well, the two of us are in agreement anyway ("in 2.4 they go"), but I'd like to hear dazo's thoughts
(21:04:29) cron2_: but you can do a bit of reviewing and I do a bit of merging :)
(21:15:23) mattock: back
(21:16:15) eworm: I applied the openssl 1.1.0 patches to my package. Builds fine and 'make test' succeeds.
(21:17:41) cron2_: which is definitely welcome testing. Please run more tests, connecting to actual VPNs, various cert types, etc. :-)
(21:22:45) mattock: syzzer: are you reviewing the openssl-1.1.0 patches now or later?
(21:23:07) syzzer: I'm doing it now, as long as we don't have anything else to discuss
(21:23:30) mattock: we have a discussion topic: "How to deal with (good) patches without proper attribution?"
(21:23:39) mattock: e.g. https://community.openvpn.net/openvpn/ticket/825
(21:23:41) vpnHelper: Title: #825 (Segfault with --tls-crypt on RHEL5/CentOS5) – OpenVPN Community (at community.openvpn.net)
(21:24:56) syzzer: yeah, but we need dazo...
(21:24:57) mattock: we do have a name and email address on file in LDAP, but the contributor might not want his full name / email published
(21:25:18) mattock: did dazo say he'd be here?
(21:25:41) syzzer: yeah, I was guessing that it would be in trac somewhere, but I didn't think it was a good plan to just decide to use those
(21:25:48) syzzer: yeah, but a bit later
(21:59:25) slypknot [~slypknot@unaffiliated/kettlecalling] è entrato nella stanza.
(22:05:13) mattock: from my PoV this is probably the most silent meeting ever
(22:05:47) chipitsine [~email@example.com] è entrato nella stanza.
(22:06:29) cron2_: definitely not a very heated discussion :)
(22:06:35) syzzer: you just /ignored everyone :p
(22:06:46) cron2_: so, what have you decided?
(22:10:00) ***dazo is here
(22:10:13) cron2_: dazo: welcome! so let's start :)
(22:10:19) mattock: hi dazo!
(22:10:22) dazo: hey!
(22:11:27) ***dazo pokes at #825
(22:12:18) syzzer: yeah, so I actually think we all more-or-less agree
(22:12:29) syzzer: but we need to figure out what the exact policy is going to be
(22:12:34) cron2_: what was the question again?
(22:12:49) syzzer: "what to do with not properly attributed patches?"
(22:12:49) dazo: patch acceptance policy ... full name + email
(22:12:57) cron2_: ok
(22:13:54) slypknot: you manage to prize my name out of me .. so i think it should apply :)
(22:15:01) dazo: hehe :) Yes, I do not want to deviate from this at all .... we are working on a security related product, so having proper channels to get in touch and to know whom contributes is valuable for the project as well
(22:15:43) dazo: plus it makes it less interesting for those "drop'n'run" patches ... a contribution should have a reasonable owner, IMHO
(22:16:11) slypknot: +1
(22:16:12) cron2_: so how should we handle #825, which is a bugfix (and not like a "here's 5000 lines of new features, thanks, bye")?
(22:17:34) dazo: If simix doesn't respond within a reasonable time I think one of us core people could take the ownership
(22:17:41) chipitsine: what if we put trac number to commit message ?
(22:17:56) syzzer: chipitsine: it's already there :)
(22:17:59) dazo: that's still not a real reference to a contributor
(22:18:10) dazo: it's a reference to a contributION
(22:19:36) syzzer: so, we wait a few days, and otherwise I rewrite the commit message, stating 'this patch is based on the patch from trac #825", and add my own signed-off-by line?
(22:19:45) dazo: (looking at the patch ... that may actually resolve another GCC optimization bug .... because kt.cipher is accessed *before* 'if (!kt.cipher)', the compiler may choose to optimize out the if() .... the kernel had a similar nasty security bug a few years ago)
(22:23:27) dazo: syzzer++
(22:23:27) cron2_: syzzer: sounds like it
(22:23:27) cron2_: dazo: well, it doesn't need to optimize out the check - if kt.cipher is null, it will crash before reaching the if()... :)
(22:24:28) slypknot: how about making requirements clear in this : https://community.openvpn.net/openvpn/wiki/Contributing#Makingfeaturerequests
(22:24:29) vpnHelper: Title: Contributing – OpenVPN Community (at community.openvpn.net)
(22:24:45) slypknot: or at least a little more clear ..
(22:25:40) slypknot: i can't even program but i have read that a couple of times
(22:27:28) dazo: cron2_: ahh right! we assign something to that (lvalue).... in the kernel issue, the variable caused this was a rvalue
(22:27:47) dazo: slypknot: agreed
(22:29:30) syzzer: ok, so we're clear on the 'patch-and-run'. what about people that want to remain anonymous?
(22:29:51) syzzer: or do we tackle that once it becomes a real problem? that's maybe better
(22:29:52) chipitsine: I kinda expected that question ))
(22:32:58) slypknot: little patches can just be re-owned .. you all appear happy about the #825 patch .. but all the ssl-1.1 work ????
(22:33:18) slypknot: if that was anon .. what then ?
(22:33:19) cron2_: slypknot: huh?
(22:33:30) cron2_: well, if that was anon, we'd not take it - easy
(22:34:10) slypknot: openssl-1.1 patches from Emmanuel
(22:34:50) cron2_: they are not, so this is somewhat hypothetical - but if someone sends a large hit-and-run change, it's quite likely that we'll just ignore it
(22:35:02) slypknot: ok :)
(22:35:32) mattock: yeah, we probably don't want to maintain large hit-and-run patches ourselves
(22:36:03) mattock: it's getting quite late
(22:36:23) mattock: did we discuss 2.4.1 properly?
(22:36:31) cron2_: very quietly :-)
(22:36:35) mattock: ok :)
(22:36:40) cron2_: the question is "when do we release, what is missing"
(22:36:44) mattock: exactly
(22:36:49) syzzer: openssl-1.1 would be nice
(22:37:05) mattock: there's nothing really urgent in the pipeline, so we could wait a bit, right?
(22:37:07) cron2_: as far as I understand Selva, a bugfix for the group handling in the GUI needs to be merged
(22:37:10) syzzer: but I know on whom that's blocking...
(22:37:38) cron2_: there's a number of bugfixes in release/2.4 already, among them the syzzer-broke-option-hashing bugfix
(22:38:07) syzzer: yeah, quite some 'enterprise users' seem to be running into the domain group thing
(22:38:10) cron2_: I think we should do a 2.4.1 fairly soon ("two weeks"-ish)
(22:38:19) slypknot: personally .. openssl-1.1 sounds more like openvpn-2.5 to me ..
(22:38:27) cron2_: slypknot: different topic
(22:38:46) dazo: actually we need openssl-1.1 into 2.4 ... can't wait for 2.5 unless that is released in a few months
(22:38:51) mattock: we don't need to bundle OpenVPN 2.4 with OpenSSL 1.1.x
(22:38:57) cron2_: dazo: different topic :)
(22:39:10) dazo: what we want in 2.4.1 release?
(22:39:17) mattock: but we can have support for OpenSSL 1.1.x in OpenVPN 2.4.x
(22:39:28) cron2_: (but actually that statement from dazo was in solving the openssl-1.1 topic at hand "do we want this in release/2.4 or not?" nicely :-) )
(22:39:30) dazo: I say we should have openssl 1.1 into v2.4.1
(22:39:31) mattock: (assuming the patch does not break OpenSSL 1.0.0 support :) )
(22:39:48) mattock: sorry 1.0.1
(22:39:49) ***dazo brb
(22:39:50) syzzer: mattock: no, it shouldn't
(22:39:56) cron2_: dazo: I'd put that in 2.4.2, because otherwise 2.4.1 will be delayed too much
(22:39:59) syzzer: I tested against 0.9.8-1.0.2 already :)
(22:40:56) syzzer: let's see how much time I need to ACK the patch set, and then you and dazo can decide if you want to include it
(22:41:05) cron2_: well, to clarify my stance on the 1.1 patch set
(22:41:25) cron2_: I think we should just merge it into release/2.4, as each individual patch stands on its own, is nicely testable
(22:41:44) cron2_: but I would not want to hold up 2.4.1 release until the 1.1 patch set is complete, that is "we do support openssl 1.1"
(22:41:52) syzzer: fully agree
(22:42:17) slypknot: ok
(22:42:56) slypknot: no no .. changed my mind .. sorry
(22:43:19) slypknot: er .. maybe
(22:43:55) cron2_: syzzer: I assume you have tests that cover "almost all" of the SSL code paths?
(22:44:17) cron2_: (well, s/assume/seem to remember/)
(22:44:55) syzzer: cron2_: yeah, though mostly manually for openssl
(22:45:04) syzzer: I have automated tests for mbedtls
(22:45:21) syzzer: since the behaviour is slightly different, I can't just use those
(22:45:50) syzzer: but because this patch set is so nicely split up, I just manually exercise the relevant code paths per patch
(22:46:05) cron2_: even better :)
(22:46:55) cron2_: so I have a lot of trust in these ACKs (plus eworm already tests the full builds)
(22:48:45) cron2_: dazo: if you could just say "I agree, and let's do 2.4.1 in about two weeks" we're done for today... *bait*
(22:52:43) dazo: cron2_: okay, 2.4.2 is okay
(22:52:57) dazo: oh!
(22:53:05) dazo: "I agree, and let's do 2.4.1 in about two weeks"
(22:53:12) cron2_: *g*
(22:53:15) mattock: +1
(22:53:40) cron2_: I'll go and see that I can review Selva's GUI-related patches, and with #825 we have something useful to ship
(22:55:28) dazo: there is another patch which needs to be looked at again ... the auth-nocache + auth-token ... ordex is quite close, but there are some corner cases I'm discovering when testing it
(22:55:36) dazo: but that is 2.4.2 material
(22:55:48) cron2_: let's see what you two can achieve in two weeks :)
(22:55:53) dazo: heh :)
(22:56:20) mattock: mkay, end of meeting I'd say
(22:56:38) mattock: I'll send the summary and then hit the sack
(22:56:41) mattock: gg
(22:56:45) cron2_: good night!
(22:56:47) dazo: :)