Hi,

Here's the summary of today's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wednesday 15th Mar 2017
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:

<https://community.openvpn.net/openvpn/wiki/Topics-2017-03-15>

The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

SUMMARY

cron2, mattock and syzzer participated in this meeting.

--

Discussed the OpenVPN 2.4.1 release. Agreed to make the release the upcoming Monday (20th March). The OpenSSL support patches will have to be postponed to 2.4.2.

--

Discussed the VLAN patchset:

<https://github.com/OpenVPN/openvpn/pull/76>

Agreed that it is too big a chunk to tackle right now.

---

Full chatlog has been attached to this email.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock

(21:05:12) mattock: hello all
(21:05:17) syzzer: hi mattock
(21:05:26) cron2: ullo
(21:05:48) syzzer: what language is that? :p
(21:06:46) mattock: :)
(21:07:16) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2017-03-15
(21:07:17) vpnHelper: Title: Topics-2017-03-15 – OpenVPN Community (at community.openvpn.net)
(21:07:27) mattock: start from the top?
(21:07:29) mattock: 2.4.1
(21:07:40) cron2: right
(21:08:21) cron2: 3 weeks ago, we planned for a release "in about two weeks", then mattock went hiding :)
(21:08:43) mattock: well you could say so, yes
(21:08:46) mattock: but not because of 2.4.1 :P
(21:08:54) cron2: I would say "we agree whether we want the --ns-cert-type deprecation patch in, and then release" - anything else missing?
(21:08:57) mattock: it was vacation to which I was forced to :D
(21:09:03) cron2: poor guy :)
(21:09:47) syzzer: yeah, it kind of depends on the --ns-cert-type
(21:10:14) cron2: syzzer: how's the "we make --remote-cert-tls work with funky CAs" patch coming along?
(21:10:26) syzzer: cron2: sort-of ready, but not well tested yet
(21:12:11) cron2: does it make sense to release 2.4.1 with just one of them? I know that my users will then try the other option, and fail...
(21:14:49) syzzer: so, what I think we should do wrt --ns-cert-type / --remote-cert-tls is:
(21:14:49) syzzer: 1) Change --remote-cert-tls to require a specific EKU, but only *some* KU in the certificate, and let the crypto library check KU on its own (which both mbed TLS and OpenSSL do, but only if the extension is present)
(21:14:49) syzzer: 2) Deprecate --ns-cert-type
(21:14:50) syzzer: 3) release 2.4.1
(21:14:50) syzzer: 3) in 2.4.2+, change --ns-cert-type to just do what --remote-cert-tls does
(21:15:27) syzzer: where the last 3 should of course be a 4
(21:15:45) cron2: I guessed so :-) - so with 1), my funky CA would work again?
(21:15:52) syzzer: indeed
(21:16:11) cron2: works for me... do you have an estimate how long 1) will take?
(21:16:23) syzzer: it basically makes --remote-cert-tls less picky (it is now way more strict than it should be)
(21:16:44) syzzer: if we don't quarrel too much, I can get the patch out tonight
(21:17:35) cron2: sounds good :-) - mattock: any time that would be particularly convenient/inconvenient for you for a release?
(21:18:33) mattock: not in particular
(21:18:44) mattock: except weekends :)
(21:19:08) mattock: better do it on Monday, just in case
(21:19:17) mattock: rather than Friday
(21:19:47) cron2: shall we aim for "next monday", then? And I'll go over the bug list until then to see whether I've missed something important
(21:19:56) cron2: AFAIK all stuff from Selva got in
(21:19:59) mattock: fine by me
(21:20:23) syzzer: yeah, for me too
(21:20:43) cron2: (and we should send a reminder to the -devel list "if you are aware of anything bugfixy that should go in, remind gert!")
(21:20:55) cron2: so - openssl 1.1 support patches
(21:21:33) cron2: about half the stuff is in, 05 has started a discussion syzzer/dazo which got stuck
(21:23:20) mattock: dazo will be more or less absent for the next two weeks (his own words)
(21:24:02) syzzer: yeah, this basically got stuck on the --ns-cert-type stuff
(21:24:33) syzzer: and I got side tracked by our current --remote-cert-tls implementation
(21:25:20) cron2: ok, so we just postpone until that is settled, and then maybe we can discuss with more technical arguments about the (new) impact...
(21:25:55) syzzer: indeed :)
(21:26:06) syzzer: I'll continue with other patches if possible
(21:26:21) ***cron2 stands ready to test & merge :)
(21:26:37) cron2: that concludes 2., I think...
(21:26:58) syzzer: yep, think so too
(21:27:04) mattock: so do we postpone 2.4.1, or postpone the OpenSSL 1.1 patches to 2.4.2?
(21:27:11) syzzer: the latter
(21:27:12) cron2: mattock: the latter
(21:27:13) mattock: ok
(21:27:46) cron2: the way they are coded and merged mean they can go on one by one, with no negative impact on 1.0 builds - and when they are all in, we magically are 1.1 compatible
(21:27:50) mattock: 2.4.2 might get some patches related to the security audit, then
(21:28:16) cron2: indeed, so maybe 2.4.2 will follow quickly after 2.4.1 - and openssl 1.1 will be in 2.4.3 - we'll see :-)
(21:28:21) mattock: yeah
(21:28:31) ***cron2 is VERY curious what they have found
(21:28:32) mattock: so then we only have the long-term topic of VLAN patchset
(21:28:36) mattock: yeah, me too
(21:28:54) syzzer: uhuh
(21:29:13) cron2: I have nothing new to contribute to that :-( - no time to work on such a big chunk
(21:29:22) mattock: yeah, it's a hanful
(21:29:24) mattock: handful
(21:29:46) mattock: plus, as cron2 so nicely said once, "all features have their merits, and then it blows up"
(21:29:50) mattock: or something along those lines :P
(21:30:19) cron2: it has blown up years ago, and then James ran away screaming :-)
(21:30:46) mattock: well put
(21:30:47) cron2: "wouldn't it be much nicer to have a small and compact openvpn client library with just the important options?" ;-)
(21:30:58) mattock: indeed
(21:31:09) mattock: until enough features are added, and then it's a garbage dump again
(21:31:19) cron2: it's not completely true, though... but we indeed inherited quite a list of features :)
(21:31:50) mattock: well OpenVPN 2.x is extremely stable all things considered
(21:32:20) mattock: anyways, any other topics for today?
(21:32:30) mattock: or was this really a 27 minute meeting?
(21:32:47) cron2: true... no other topics from me (there's the --auth-nocache patch, but all we can do today is "remind people that it needs review and testing!")
(21:33:05) syzzer: nothing from my side either
(21:33:09) mattock: ok, great!
(21:33:19) cron2: so, let's conclude the meeting and go work on the patches :-)
(21:33:23) mattock: +1
(21:33:32) cron2: $wife is out anyway, kids are sleeping...
(21:33:52) mattock: good hacking!
(21:33:59) cron2: good night!
(21:34:15) mattock: and good night!
(21:34:27) syzzer: good night!
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel