Here's the summary of today's IRC meeting.



Place: #openvpn-meeting on irc.freenode.net
Date: Wednesday 22nd Oct 2017
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:


The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as



chipitsine, cron2, dazo, debbie10t, eworm, mattock and syzzer
participated in this meeting.


Discussed OpenVPN 2.4.1 release. Agreed that we should make the release
in about two weeks. The OpenSSL 1.1.x support patches will be included
if possible:


The patches should not affect OpenSSL 1.0.x support, so including the
patchset does not require us to bundle (Windows) installers with OpenSSL

Eworm has done testing with the full patchset, and syzzer has tested
each patch individually.

Syzzer reviewed and ACKed a few of these patches during the meeting.


Discussed what to do with patches that can't be attributed properly
(name + email), such as this one:


Agreed that we can take responsibility for the smaller patches if the
author can't be reached. Larger patches that can't be attributed will
simply be ignored.


Full chatlog has been attached to this email.

Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc.freenode.net: mattock

(21:01:55) syzzer: meeting time!
(21:01:57) mattock: hi
(21:01:59) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2017-02-22
(21:02:00) vpnHelper: Title: Topics-2017-02-22 – OpenVPN Community (at 
(21:03:00) mattock: I'll be back in ~5 mins, need to do something real quick
(21:03:08) cron2_: so... is there anything we can discuss without dazo?
(21:03:26) syzzer: the openssl patches?
(21:03:57) syzzer: I'm applying them to my local tree now, getting ready review
(21:04:10) cron2_: well, the two of us are in agreement anyway ("in 2.4 they 
go"), but I'd like to hear dazo's thoughts
(21:04:29) cron2_: but you can do a bit of reviewing and I do a bit of merging 
(21:15:23) mattock: back
(21:16:15) eworm: I applied the openssl 1.1.0 patches to my package. Builds 
fine and 'make test' succeeds.
(21:17:41) cron2_: which is definitely welcome testing.  Please run more tests, 
connecting to actual VPNs, various cert types, etc. :-)
(21:22:45) mattock: syzzer: are you reviewing the openssl-1.1.0 patches now or 
(21:23:07) syzzer: I'm doing it now, as long as we don't have anything else to 
(21:23:30) mattock: we have a discussion topic: "How to deal with (good) 
patches without proper attribution?"
(21:23:39) mattock: e.g. https://community.openvpn.net/openvpn/ticket/825
(21:23:41) vpnHelper: Title: #825 (Segfault with --tls-crypt on RHEL5/CentOS5) 
– OpenVPN Community (at community.openvpn.net)
(21:24:56) syzzer: yeah, but we need dazo...
(21:24:57) mattock: we do have a name and email address on file in LDAP, but 
the contributor might not want his full name / email published
(21:25:18) mattock: did dazo say he'd be here?
(21:25:41) syzzer: yeah, I was guessing that it would be in trac somewhere, but 
I didn't think it was a good plan to just decide to use those
(21:25:48) syzzer: yeah, but a bit later
(21:59:25) slypknot [~slypknot@unaffiliated/kettlecalling] entered the 
(22:05:13) mattock: from my PoV this is probably the most silent meeting ever
(22:05:47) chipitsine [~chipitsin@] entered the room.
(22:06:29) cron2_: definitely not a very heated discussion :)
(22:06:35) syzzer: you just /ignored everyone :p
(22:06:46) cron2_: so, what have you decided?
(22:10:00) ***dazo is here
(22:10:13) cron2_: dazo: welcome!  so let's start :)
(22:10:19) mattock: hi dazo!
(22:10:22) dazo: hey!
(22:11:27) ***dazo pokes at #825
(22:12:18) syzzer: yeah, so I actually think we all more-or-less agree
(22:12:29) syzzer: but we need to figure out what the exact policy is going to 
(22:12:34) cron2_: what was the question again?
(22:12:49) syzzer: "what to do with not properly attributed patches?"
(22:12:49) dazo: patch acceptance policy ... full name + email
(22:12:57) cron2_: ok
(22:13:54) slypknot: you manage to prize my name out of me .. so i think it 
should apply :)
(22:15:01) dazo: hehe :)  Yes, I do not want to deviate from this at all .... 
we are working on a security related product, so having proper channels to get 
in touch and to know who contributes is valuable for the project as well
(22:15:43) dazo: plus it makes it less interesting for those "drop'n'run" 
patches ... a contribution should have a reasonable owner, IMHO
(22:16:11) slypknot: +1
(22:16:12) cron2_: so how should we handle #825, which is a bugfix (and not 
like a "here's 5000 lines of new features, thanks, bye")?
(22:17:34) dazo: If simix doesn't respond within a reasonable time I think one 
of us core people could take the ownership
(22:17:41) chipitsine: what if we put trac number to commit message ?
(22:17:56) syzzer: chipitsine: it's already there :)
(22:17:59) dazo: that's still not a real reference to a contributor
(22:18:10) dazo: it's a reference to a contributION
(22:19:36) syzzer: so, we wait a few days, and otherwise I rewrite the commit 
message, stating "this patch is based on the patch from trac #825", and add my 
own signed-off-by line?
(22:19:45) dazo: (looking at the patch ... that may actually resolve another 
GCC optimization bug .... because  kt.cipher  is accessed *before* 'if 
(!kt.cipher)', the compiler may choose to optimize out the if() .... the kernel 
had a similar nasty security bug a few years ago)
(22:23:27) dazo: syzzer++
(22:23:27) cron2_: syzzer: sounds like it
(22:23:27) cron2_: dazo: well, it doesn't need to optimize out the check - if 
kt.cipher is null, it will crash before reaching the if()... :)
(22:24:28) slypknot: how about making requirements clear in this : 
(22:24:29) vpnHelper: Title: Contributing – OpenVPN Community (at 
(22:24:45) slypknot: or at least a little more clear ..
(22:25:40) slypknot: i can't even program but i have read that a couple of times
(22:27:28) dazo: cron2_: ahh right!  we assign something to that (lvalue).... 
in the kernel issue, the variable that caused this was an rvalue
(22:27:47) dazo: slypknot: agreed
(22:29:30) syzzer: ok, so we're clear on the 'patch-and-run'.  what about 
people that want to remain anonymous?
(22:29:51) syzzer: or do we tackle that once it becomes a real problem?   
that's maybe better
(22:29:52) chipitsine: I kinda expected that question ))
(22:32:58) slypknot: little patches can just be re-owned .. you all appear 
happy about the #825 patch .. but all the ssl-1.1 work ????
(22:33:18) slypknot: if that was anon .. what then ?
(22:33:19) cron2_: slypknot: huh?
(22:33:30) cron2_: well, if that was anon, we'd not take it - easy
(22:34:10) slypknot: openssl-1.1 patches from Emmanuel
(22:34:50) cron2_: they are not, so this is somewhat hypothetical - but if 
someone sends a large hit-and-run change, it's quite likely that we'll just 
ignore it
(22:35:02) slypknot: ok :)
(22:35:32) mattock: yeah, we probably don't want to maintain large hit-and-run 
patches ourselves
(22:36:03) mattock: it's getting quite late
(22:36:23) mattock: did we discuss 2.4.1 properly? 
(22:36:31) cron2_: very quietly :-)
(22:36:35) mattock: ok :)
(22:36:40) cron2_: the question is "when do we release, what is missing"
(22:36:44) mattock: exactly
(22:36:49) syzzer: openssl-1.1 would be nice
(22:37:05) mattock: there's nothing really urgent in the pipeline, so we could 
wait a bit, right?
(22:37:07) cron2_: as far as I understand Selva, a bugfix for the group 
handling in the GUI needs to be merged
(22:37:10) syzzer: but I know on whom that's blocking...
(22:37:38) cron2_: there's a number of bugfixes in release/2.4 already, among 
them the syzzer-broke-option-hashing bugfix
(22:38:07) syzzer: yeah, quite some 'enterprise users' seem to be running into 
the domain group thing
(22:38:10) cron2_: I think we should do a 2.4.1 fairly soon ("two weeks"-ish)
(22:38:19) slypknot: personally .. openssl-1.1 sounds more like openvpn-2.5 to 
me ..
(22:38:27) cron2_: slypknot: different topic
(22:38:46) dazo: actually we need openssl-1.1 into 2.4 ... can't wait for 2.5 
unless that is released in a few months
(22:38:51) mattock: we don't need to bundle OpenVPN 2.4 with OpenSSL 1.1.x
(22:38:57) cron2_: dazo: different topic :)
(22:39:10) dazo: what we want in 2.4.1 release?
(22:39:17) mattock: but we can have support for OpenSSL 1.1.x in OpenVPN 2.4.x
(22:39:28) cron2_: (but actually that statement from dazo was in solving the 
openssl-1.1 topic at hand "do we want this in release/2.4 or not?" nicely :-) )
(22:39:30) dazo: I say we should have openssl 1.1 into v2.4.1
(22:39:31) mattock: (assuming the patch does not break OpenSSL 1.0.0 support :) 
(22:39:48) mattock: sorry 1.0.1
(22:39:49) ***dazo brb
(22:39:50) syzzer: mattock: no, it shouldn't
(22:39:56) cron2_: dazo: I'd put that in 2.4.2, because otherwise 2.4.1 will be 
delayed too much
(22:39:59) syzzer: I tested against 0.9.8-1.0.2 already :)
(22:40:56) syzzer: let's see how much time I need to ACK the patch set, and 
then you and dazo can decide if you want to include it
(22:41:05) cron2_: well, to clarify my stance on the 1.1 patch set
(22:41:25) cron2_: I think we should just merge it into release/2.4, as each 
individual patch stands on its own, is nicely testable
(22:41:44) cron2_: but I would not want to hold up 2.4.1 release until the 1.1 
patch set is complete, that is "we do support openssl 1.1"
(22:41:52) syzzer: fully agree
(22:42:17) slypknot: ok
(22:42:56) slypknot: no no .. changed my mind .. sorry
(22:43:19) slypknot: er .. maybe
(22:43:55) cron2_: syzzer: I assume you have tests that cover "almost all" of 
the SSL code paths?
(22:44:17) cron2_: (well, s/assume/seem to remember/)
(22:44:55) syzzer: cron2_: yeah, though mostly manually for openssl
(22:45:04) syzzer: I have automated tests for mbedtls
(22:45:21) syzzer: since the behaviour is slightly different, I can't just use 
(22:45:50) syzzer: but because this patch set is so nicely split up, I just 
manually exercise the relevant code paths per patch
(22:46:05) cron2_: even better :)
(22:46:55) cron2_: so I have a lot of trust in these ACKs  (plus eworm already 
tests the full builds)
(22:48:45) cron2_: dazo: if you could just say "I agree, and let's do 2.4.1 in 
about two weeks" we're done for today... *bait*
(22:52:43) dazo: cron2_: okay, 2.4.2 is okay
(22:52:57) dazo: oh!
(22:53:05) dazo: "I agree, and let's do 2.4.1 in about two weeks"
(22:53:12) cron2_: *g*
(22:53:15) mattock: +1
(22:53:40) cron2_: I'll go and see that I can review Selva's GUI-related 
patches, and with #825 we have something useful to ship
(22:55:28) dazo: there is another patch which needs to be looked at again ... 
the auth-nocache + auth-token ... ordex is quite close, but there are some 
corner cases I'm discovering when testing it
(22:55:36) dazo: but that is 2.4.2 material
(22:55:48) cron2_: let's see what you two can achieve in two weeks :)
(22:55:53) dazo: heh :)
(22:56:20) mattock: mkay, end of meeting I'd say
(22:56:38) mattock: I'll send the summary and then hit the sack
(22:56:41) mattock: gg
(22:56:45) cron2_: good night!
(22:56:47) dazo: :)
