[Openvpn-devel] Summary of the community meeting (Wed, 21st Mar 2018)

[Samuli Seppänen]

Hi,

Here's the summary of the IRC meeting.
---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wednesday 21st Mar 2018
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:

<https://community.openvpn.net/openvpn/wiki/Topics-2018-03-21>

The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

SUMMARY

cron2, dazo, janjust, mattock, ordex and syzzer participated in
this meeting.

--

Janjust initialized the meeting with virtual group hug.

--

Discussed the security issue in tap-windows6 reported to the security
mailing list. While the issue is not critical it needs to be fixed.
Mattock will produce an installer with the fix. Cron2 will compare
unfixed and fixed versions to verify that the problem is gone. Dazo will
get us a CVE for the problem. Once this is done we will release new
Windows installers for OpenVPN 2.4.5.

--

Discussed "multi-port/multi-ip listening support: config format". The
format agreed upon in the meeting was this:

  local IP [port] [proto]

Where IP can be an IPv4 address, and IPv6 address, or * which means
dual-stack IPv4/IPv6. Proto can be either udp or tcp; the udp6 and tcp6
variants are not needed as they can be deduced from the IP address.

Note that on OpenBSD "local *" will bind to IPv6 addresses only. This is
because v4-mapped v6 sockets are not available on that platform.

--

Discussed Viscosity's patches to OpenVPN and their tap-windows adapter.
According to janjust Viscosity's tap-windows6 adapter performs
significantly better than our tap-windows6 adapter. Agreed that we
should first verify that they're using tap-windows6 and not something
they wrote themselves. If yes, we should check if their source code is
available. And if not, we should ask them to publish it according
GPLv2's requirements.

Janjust will do more testing with Viscosity's driver and report the
results to mattock who will start bugging Viscosity as necessary.

--

Discussed the "netlink support: quick roadmap recap" topic. Previously
we have agreed on providing unit tests to check the output of netlink
with what is expected from using ip/route/ifconfig. Agreed that we
should have unit tests in place at merge time. Otherwise we fear the
unit tests will never arrive.

Also agreed that we should try to provide testing Debian/Ubuntu package
for this. While that is doable right now, it requires manual work. It
would thus make more sense to automate the package creation process.

--

Dazo informed that OpenVPN 3 developers will start using openvpn-devel
for their patches. We will need to figure out how to make patchwork
detech whether a patch belongs to openvpn2 or openvpn3.

---

Full chatlog attached.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

(12:31:27) dazo: hey!
(12:31:36) janjust: hi dazo
(12:31:50) dazo: nice that you could join, janjust :)
(12:32:23) ordex: hi!
(12:32:43) janjust: just don't get used to it, dazo ;)
(12:32:48) dazo: hehehe ;-)
(12:32:49) ordex: syzzer: here too?
(12:32:52) ordex: mattock: ?
(12:33:06) dazo: janjust: nah, that wouldn't make it so special!  We need to 
protect this special feeling ;-)
(12:33:14) janjust: lol
(12:33:14) mattock: good day
(12:33:20) ordex: we have some topics pending from last week that we did not 
really go through (nothing major I think): 
https://community.openvpn.net/openvpn/wiki/Topics-2018-03-14
(12:33:21) vpnHelper: Title: Topics-2018-03-14 – OpenVPN Community (at 
community.openvpn.net)
(12:33:22) cron2: grouphugs!
(12:33:26) ordex: :D
(12:33:30) ***janjust hugs cron2
(12:33:30) dazo: lol
(12:33:49) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2018-03-21
(12:33:51) vpnHelper: Title: Topics-2018-03-21 – OpenVPN Community (at 
community.openvpn.net)
(12:33:54) mattock: enough hugging already :D
(12:34:02) ***janjust hugs mattock 
(12:34:04) janjust: :P
(12:34:08) mattock: oh that was so nice :D
(12:34:10) ***dazo had to check which channel he joined
(12:34:13) cron2: ordex: can you just move over the agenda items from -14 to 
-21?
(12:34:22) ordex: yup
(12:34:26) cron2: (so we have *one* agenda to work, and put stuff to -28 then)
(12:35:12) ordex: done, refresh
(12:35:18) ***syzzer here now
(12:35:21) syzzer: sorry for the delay
(12:35:26) syzzer: reading backlog...
(12:35:30) dazo: btw ... There's one more topic regarding openvpn 3 development 
which needs to be added .... mostly FYI on what's happening
(12:35:30) cron2: pretty full agenda now :-)
(12:35:36) ordex: it's mostly about hugs, syzzer 
(12:35:37) ordex: :P
(12:35:41) cron2: syzzer: except lots of enjoyment, nothing missed :)
(12:35:44) mattock: dazo: sounds good
(12:35:48) janjust: yeah... I'm pretty interested in the tap-win part for today
(12:35:57) janjust: need a hug , syzzer ?
(12:36:08) syzzer: always :D
(12:36:28) cron2: *hugs*
(12:36:34) syzzer: \o/
(12:36:43) ordex: lol
(12:36:45) janjust: let's rename this channel to #openvpn-grouphug
(12:37:11) mattock: let's hug tap-windows6 for a while
(12:37:15) dazo: +1
(12:37:17) dazo: :-D
(12:37:38) mattock: so a problem was reported to security list
(12:37:46) janjust: good plan; I have a "tangent" question on it (later)
(12:37:48) mattock: not critical but needs to be fixed
(12:37:58) mattock: we have a patch from cron2, but afaik it has not gotten any 
review
(12:38:02) mattock: correct?
(12:38:17) cron2: mattock: correct.  You wanted to build a test installer with 
it :)
(12:38:30) cron2: I don't even know if it compiles, but it "looks reasonable"
(12:39:16) mattock: ah yes
(12:39:23) mattock: I was waiting for a formal review :)
(12:39:25) mattock: then build
(12:39:29) syzzer: hm, I should really fire up my tap-windows build env again 
too
(12:39:29) mattock: but we can reverse that
(12:39:47) cron2: is there documentation how to build tap-windows/tap-windows6?
(12:40:24) dazo: 1. Ask mattock
(12:40:25) dazo: 2. Profit
(12:40:56) mattock: cron2: yes, check the tap-windows6 repo in GitHub
(12:41:01) mattock: the instructions are fairly thorough
(12:41:11) cron2: the "how to build windows snapshots" installation is nice 
(just to mention it) :)
(12:42:09) mattock: cron2: you will need to play some tricks to use a pre-built 
tapinstall.exe (haven't been able to build it in years)
(12:42:09) cron2: well... the instructions are not dummy-level enough for me... 
"you need python 2.7, windows 7 wdk, windows code signing certificate, git".  
So, yes, and how do I get those? :)
(12:42:24) mattock: well you don't need the code signing certificate
(12:42:34) cron2: it says "required"... :)
(12:42:44) mattock: I suggest "python windows", "git windows" for starters :)
(12:42:51) mattock: those will lead you to correct page
(12:42:52) mattock: s
(12:43:17) ordex: mattock: does tap-windows need to be re-signed with some 
special key that is accepted by Windows everytime?
(12:43:20) cron2: yeah, but anyway, like "Win 7 WDK" - does that mean "it has 
to be a windows 7 machine" or "the WDK has a version number, 7.x", ...
(12:43:24) cron2: ordex: yes
(12:43:28) ordex: k
(12:43:40) mattock: cron2: I build on Windows 2012r2 so no
(12:43:43) cron2: (you can tell windows to ignore driver signing requirements, 
but that is not a generally good idea)
(12:44:02) mattock: lemme check the WDK verison
(12:44:03) mattock: version
(12:44:06) cron2: ((and it's a boot-time selection...))
(12:44:33) ordex: (I see, so it has to be signed every time - ok)
(12:44:43) mattock: WinDDK 7600 is supposed to work
(12:44:46) syzzer: cron2: you can build on newer windows
(12:44:47) cron2: while a major PITA, it's generally speaking a good idea
(12:44:54) mattock: how to get it: don't know
(12:45:10) syzzer: probably even with newer WDK - there is some compat version 
thingy defined somewhere iirc...
(12:45:16) mattock: download a version of WinDDK for your OS and hope it is not 
too recent
(12:45:17) cron2: I see me send a PR with "for dummies, click here, click 
there" :-)
(12:45:32) mattock: cron2: I will gladly merge that kind of PR
(12:45:37) cron2: anyway: next steps - test installer or review?
(12:45:38) janjust: 
https://www.microsoft.com/en-us/download/details.aspx?id=11800
(12:45:39) vpnHelper: Title: Download Windows Driver Kit Version 7.1.0 from 
Official Microsoft Download Center (at www.microsoft.com)
(12:46:09) janjust: https://tortoisegit.org/download/
(12:46:12) vpnHelper: Title: Download – TortoiseGit – Windows Shell Interface 
to Git (at tortoisegit.org)
(12:46:21) mattock: janjust: that WinDDK link looks promising
(12:46:27) mattock: 7600 in the ISO filename and all
(12:46:50) janjust: https://www.python.org/downloads/release/python-2714/
(12:46:52) vpnHelper: Title: Python Release Python 2.7.14 | Python.org (at 
www.python.org)
(12:46:55) cron2: 7.1.0 has 7600 in the filename.  Yay :)
(12:47:14) cron2: janjust: thanks - I'll do the searching and testing and send 
mattock a PR
(12:48:44) mattock: I can build a new tap-windows6 installer later today
(12:49:00) mattock: I happened to test the build system a few weeks ago and it 
was not horribly broken
(12:49:12) mattock: then we can do the code review
(12:49:26) mattock: then make an installer release for 2.4.5
(12:49:35) cron2: cool.  Then I can clone a VM and try to generate a "bad 
packet" and see if I can actually break the old tap driver, and see if that 
does not break anymore afterwards (and nothing else breaks)
(12:49:44) cron2: dazo: can you get us the CVE?
(12:50:13) dazo: cron2: sure! ... Now I might even be able to do it directly 
with MITRE as well
(12:50:24) cron2: good :)
(12:53:02) dazo: I might need some help to draft the contents of the 
vulnerability, but will let you know when I've prepared a draft
(12:53:11) cron2: ack
(12:53:55) syzzer: sounds good
(12:54:05) dazo: mattock: [off-topic] .... would it be possible and a good idea 
to get a openvpn community etherpad, restricted with LDAP auth from community 
LDAP?
(12:54:16) cron2: yes
(12:54:22) dazo: would be a better place to collaborate on such security notes
(12:54:29) mattock: dazo: definitely (next month, too busy this month)
(12:54:35) dazo: sure
(12:54:40) mattock: I will add a ticket for myself
(12:54:43) dazo: thx!
(12:55:17) dazo: next topic?
(12:55:23) mattock: +1
(12:55:33) mattock: "Security list GPG key expiry policies"
(12:55:40) cron2: mattock: reload :)
(12:55:40) mattock: something we touched briefly elsewhere
(12:55:56) mattock: oh some nasty person added stuff there :P
(12:55:57) mattock: ok
(12:55:59) ordex: :P
(12:56:01) mattock: topic #1
(12:56:09) ordex: but we can finish the gpg thing first if we want
(12:56:13) mattock: ​https://patchwork.openvpn.net/patch/263/
(12:56:14) cron2: we skip that one, I'd say, since it's plaisthos'
(12:56:15) vpnHelper: Title: [Openvpn-devel,v2] Rework OpenVPN auth-token 
support - Patchwork (at patchwork.openvpn.net)
(12:56:17) ordex: plaisthos: is not here apparently - he "owns" topic #1
(12:56:19) ordex: yeah
(12:56:22) mattock: next then
(12:56:28) cron2: ordex: yours
(12:56:31) mattock: multi-port/multi-ip listening support: config format 
(12:56:34) ordex: yeah
(12:56:49) ordex: I just wanted to quickly hear your opinion about how to 
re-arrange the config options once introducing the multiport feature
(12:57:01) ordex: basically a server will be able to listen on multiple ports
(12:57:13) ordex: so it will be possible to define "port xxx" multiple times 
with different xxx each time
(12:57:16) cron2: my thoughts on that: while apache generally stinks, the 
"Listen" directive from there ("Listen <port>" or "Listen <ip>:<port>") 
generally seems to be easy to understand
(12:57:35) ordex: mh yeah that's a good idea
(12:57:50) cron2: what we have now with "bind", "port", "lport" is confusing at 
best - but if you all tell me "multiple lport statements are good", fine with 
me :)
(12:58:22) ordex: well multiple lport is equivalent to multiple Listen <port> 
no ?
(12:58:30) cron2: ye
(12:58:31) cron2: s
(12:58:41) ordex: the problem is: if we have multiple IPs to listen to, and 2 
ports
(12:58:48) ordex: does the user need to list all the combinations ?
(12:59:02) ordex: Listen ip1:port1 Listen ip1:port2, etcc
(12:59:20) cron2: the socket API needs this explicitly
(12:59:37) ordex: sure, but the config does not need to be 1:1 with the API :P 
it's for people after all
(12:59:44) cron2: you can either bind *:port or *-v4:port or *-v6:port or "one 
fixed IP":port
(12:59:50) cron2: understood
(13:00:35) cron2: so you'd prose to do multiple "local" and "lport" statements, 
and then combine them?
(13:00:38) cron2: local 1.2.3.4
(13:00:44) cron2: local 2001:db8::5
(13:00:49) cron2: lport 80 udp
(13:00:51) cron2: lport 443 tcp
(13:00:52) cron2: ?
(13:00:54) ordex: right
(13:00:57) ordex: this is one way
(13:01:02) ordex: even though I am not fully convinced
(13:01:15) ordex: probably the listen ip:port is just simpler to understand and 
avoid ambiguity
(13:01:20) cron2: we need to expand "lport" in any case to add udp/tcp
(13:01:26) ordex: yap
(13:02:05) dazo: I'm wondering of "Listen" + "lport" will confuse users even 
more though .... as they essentially do almost the same .... the difference 
though, lport can also be used on client side as well
(13:02:31) dazo: but the "listen" semantic is simpler
(13:03:10) ordex: we can still support "lport" but document the clear mapping 
in behaviour. i.e. if you specify lport X, this is just an alias for "listen 
:X" check --listen in manpage
(13:03:13) cron2: if you want to do stuff like "listen on 1.2.3.4:80 and 
4.5.6.7:443", you cannot specify this with two individual options
(13:03:15) dazo: since we have --remote which can be used multiple times, and 
have support for ports and protocols ... wouldn't it be better to have the same 
syntax approach for 'local' instead?
(13:03:22) ordex: cron2: right
(13:03:35) cron2: I would not mind extending local into "local $ip:$port $proto"
(13:03:36) dazo: cron2: yeah
(13:03:41) cron2: does not have to be called "listen"
(13:03:56) ordex: listen is good because it does not exist for now :D and 
matches other server configs
(13:03:59) dazo: I think that's a better approach ... no new option, just a 
natural expansion
(13:04:03) cron2: lol
(13:04:12) ordex: ah "local"
(13:04:14) ordex: sorry I misread
(13:04:15) dazo: yeah
(13:04:22) cron2: you do agree beforehand on who agrees and who disagrees, 
simultaneously, do you?
(13:04:26) ordex: hmmm but we have to keep it backward compatible
(13:04:28) dazo: :-P
(13:04:36) dazo: IRC latency is tricky some times :-P
(13:04:49) dazo: ordex: yeah
(13:05:07) ordex: so if somebody specifies "local ip:port proto" and *also* 
lport we trigger an error?
(13:05:08) dazo: ordex: but lets aim for the same argument order as --remote
(13:05:21) dazo:        --remote host [port] [proto]
(13:05:31) cron2: works for me
(13:05:40) ordex: the error or the order?
(13:05:40) dazo: so for --local, it would be   --local IP [port] [proto]
(13:06:02) ordex: --local IP [port] [proto] << sounds good
(13:06:21) cron2: dazo: how to specify "I do not care about the IP address 
(=ANY) but I want 1194/udp + 443/tcp"?
(13:06:27) cron2: local * 1194 udp
(13:06:31) cron2: local * 443 tcp
(13:06:31) cron2: ?
(13:06:33) dazo: I was just pondering on that ..... 0.0.0.0 as IP?
(13:06:40) dazo: oh ipv5
(13:06:42) dazo: ipv6*
(13:06:45) ordex: yeah
(13:06:46) cron2: that is legacy IP only, which you might want, or not
(13:06:47) dazo: yeah *
(13:06:51) ordex: * is better
(13:06:54) dazo: agreed
(13:07:08) cron2: so 0.0.0.0 is "any v4", :: is "any v6", * is "do a dual-stack 
v6 socket"
(13:07:09) dazo: * or ANY ... I don't care :)
(13:07:20) dazo: agreed
(13:07:25) ordex: cron2: waitttttt don't let new features sneak in :P
(13:07:26) mattock: that sounds reasonable
(13:07:33) dazo: :-P
(13:07:38) ***cron2 sees an incoming patch from ordex with "we do DNS 
resolution on this" with a special case for "ANY" :)
(13:07:44) ordex: LOL
(13:07:45) cron2: ordex: mmmh?
(13:07:45) mattock: many daemons do 0.0.0.0 / :: / * thingy
(13:08:06) ordex: cron2: the dual socket thing is currently not addressed by 
all this
(13:08:20) ordex: this reminds me: protocol udp6/4 are not required anymore 
then ?
(13:08:30) ordex: because 0.0.0.0 will imply udp/tcp4 ?
(13:08:31) cron2: ordex: it actually is - if you throw 0.0.0.0 or :: at 
getaddrinfo(), you get back "v4" or "v6" ANY chunks
(13:08:39) ordex: yeah true
(13:09:07) ordex: it's the * case that is not well defined (unless you meant 
that openvpn will open two sockets)
(13:09:12) cron2: ordex: indeed, if you do multi-socket, the old "proto" thing 
is not generic enough - so it would still be there for single-socket, and maybe 
lport/proto should trigger an error if multiple "local" are there
(13:09:33) ordex: ok
(13:09:37) dazo: yeah, that makes sense ... multiple local with lport/proto 
should bail out
(13:09:39) cron2: ordex: well, "*" could mean what "bind !ipv6only" does today: 
do a v6-socket with dual-stacking enabled
(13:09:40) ordex: so if proto exist -> allow only 1 local
(13:09:52) ordex: cron2: that works on every platform?
(13:09:54) dazo: yeah
(13:10:15) cron2: ot works on everything but OpenBSD (who removed v4-mapped v6 
sockets)
(13:10:24) dazo: hmmm .... server side, that should be how it is today .... 
client side ... might be different
(13:10:36) cron2: but "just do two binds with v6only=1" might be more explicit 
plus also OpenBSD-portable
(13:11:02) ordex: yap
(13:11:13) cron2: dazo: client side *if you do not bind* is basically "we do 
not need to care".  If the client wants to bind to multiple addresses, things 
will be interesting, but we can just disallow it
(13:11:32) ***cron2 tends to "show me a good use case for a multi-bind client"
(13:11:34) dazo: yeah, agreed ... I think that makes sense, at least for now
(13:11:42) ordex: client and multiple addresses? guys please, no smoking :D
(13:11:46) ordex: hehe
(13:11:47) ordex: yeah
(13:11:55) dazo: We just need to tackle users doing that without exploding ;-)
(13:12:04) mattock: :P
(13:12:16) ordex: < cron2> but "just do two binds with v6only=1" might be more 
explicit plus also OpenBSD-portable << cron2 so this means 2 sockets, one bound 
to 0.0.0.0 and one to :: ?
(13:12:17) cron2: ordex: someone, somewhere will have a setup that would 
benefit from it :-) - and then do load-sharing between both sockets
(13:12:19) dazo: and failing with a M_FATAL when users try to do that is very 
fine for me
(13:12:21) mattock: if it explodes we will get email to openvpn-devel list 
sooner or later
(13:12:21) ordex: (or with v6only)
(13:12:59) cron2: ordex: wrt "one or two sockets", I do not care much either 
way - both works everywhere but OpenBSD, and on OpenBSD one could always do 
"local 0.0.0.0 1194" + "local :: 1194"
(13:13:19) ordex: cron2: right
(13:13:26) dazo: mattock: uncontrolled explosions are bad - they might trigger 
security issues ... failing controlled (like M_FATAL) is a controlled behaviour 
with not risks
(13:13:43) dazo: s/not /no /
(13:13:47) mattock: I was not implying that we should blow up thing in 
uncontrolled fashion :)
(13:13:53) dazo: :)
(13:14:06) mattock: just that somebody _will_ complain if we break a highly 
esoteric use-case
(13:14:14) cron2: always
(13:14:24) ordex: do we agree that "local" will support only udp/tcp (without 
any 6 or 4 at the end)
(13:14:26) ordex: ?
(13:14:28) dazo: as long as it is documented, we can do the RTFM
(13:14:34) cron2: 5 years later, in CAPITAL LETTERS, in trac :)
(13:14:39) ordex: lol
(13:14:51) cron2: ordex: yes, because 4/6 is explicit from the address
(13:14:55) dazo: ordex: yeah, that makes sense to me .... IPv4/IPv6 is given by 
the IP address
(13:15:01) cron2: first!
(13:15:10) dazo: heh :-D
(13:16:03) ordex: good
(13:16:08) ordex: :)
(13:16:34) ordex: i think this closes the topic. it seems we pretty much 
covered all the cases for the next 10 years
(13:16:46) cron2: .oO(what about sctp...)
(13:16:51) ***cron2 hides
(13:16:54) dazo: heh
(13:16:58) cron2: and no, it does not make sense
(13:17:08) janjust: you forget openvpn-over-icmp ;)
(13:17:11) ordex: we might have other protocols coming from plugin
(13:17:18) ordex: but those might need to be "registered" somehow
(13:17:18) ordex: :P
(13:17:25) dazo: but that's tackled by the plugins ;-)
(13:17:29) ordex: yeah
(13:17:56) janjust: before this meeting is closed I have a question on 
tap-windows and the windows version of Viscosity
(13:18:31) cron2: go ahead :)
(13:19:04) janjust: I've got access to the win version of viscosity; it seems 
those guys patched openvpn itself and even provide their own tap adapter
(13:19:18) janjust: that adapter performs *BETTER* than the tap-win adapter
(13:19:28) mattock: hmm
(13:19:31) dazo: hmmmm
(13:19:36) janjust: question is: has anyone else seen this?  question 2:  
should we go "after them" to release their patches?
(13:19:41) mattock: we need to check if they version's code is available 
somewhere
(13:19:46) mattock: no and yes
(13:20:07) mattock: what is the performance difference?
(13:20:10) dazo: first we need to dissect it, to see if it is plausible it 
contains tap-windows code
(13:20:31) ordex: but they should definitely publish the openvpn changes, I 
think
(13:20:36) dazo: they could have written something from scratch ... "white 
reverse engineered" or something like that
(13:20:41) mattock: yes, and also tap-windows6 changes as both are GPLv2
(13:20:46) cron2: janjust: is that adapter compatible with us?  So, if 
viscosity is installed, and you fire up openvpn.exe, what does it see?
(13:21:09) cron2: (and of course, publish changes to GPLed code)
(13:21:11) janjust: hmm I haven't tested that, cron2, will do so after this 
meeting (I need to reboot into win7)
(13:21:58) janjust:  but AFAICT viscosity uses a patched version of openvpn.exe 
so I wouldn't be surprised if you can mix&match
(13:23:11) mattock: I can start bugging them for their changes once we have 
more info
(13:23:22) janjust: alright, I will send feedback to you mattock 
(13:23:26) mattock: thanks!
(13:23:58) mattock: next topic?
(13:24:04) mattock: 54 minutes in
(13:24:15) ordex: quickie about netlink?
(13:24:16) cron2: netlink: quick recap, 5 minutes?
(13:24:19) cron2: :)
(13:24:20) ordex: yeah
(13:24:20) mattock: sounds good
(13:24:21) dazo: https://www.sparklabs.com/blog/ ... They definitely use 
openvpn 2.x
(13:24:23) vpnHelper: Title: Blog - SparkLabs (at www.sparklabs.com)
(13:24:30) mattock: yeah they do
(13:24:38) mattock: and they did use tap-windows6 in the past at least
(13:24:52) mattock: they actually reported a bug in it, maybe even provided a 
patch early on
(13:24:55) ordex: we should definitely ask to publish the patches
(13:25:18) mattock: yep, I've done that in the past with them and they've been 
responsive
(13:25:37) mattock: anyhow, netlink
(13:25:41) ordex: ok
(13:25:48) ordex: so the code has been used by a couple of users so far for 
quite some time
(13:25:54) ordex: and it seems to work[tm]
(13:26:15) ordex: we agreed on providing unit tests to check the output of 
netlink with what is expected from using ip/route/ifconfig
(13:26:24) ordex: now, the unit tests are not there yet and may require quite 
some time
(13:26:39) ordex: however, how about we move on and try to review/merge the 
netlink code already?
(13:26:43) ordex: so people testing master can get it ?
(13:26:51) dazo: I'll create a Fedora Copr repo for Fedora/RHEL environments 
... I'll use that for testing in my servers at least
(13:26:52) ordex: unit-tests are expected to come before the release
(13:27:07) cron2: unit-tests are expected to come together with merging
(13:27:12) ordex: :D
(13:27:18) ordex: I tried!
(13:27:19) cron2: (otherwise unit-tests will never arrive...)
(13:27:20) mattock: cron2: +1
(13:27:32) ordex: yeah, I have to say you're right :P
(13:27:34) cron2: I've done too much software development :-)
(13:27:37) dazo: :)
(13:27:44) ordex: ok, so I'll publish the patches to the ml
(13:27:55) cron2: but looking at the stuff for a first round of feedback is 
certainly a good idea
(13:27:56) ordex: and hopefully I'll run them through buildbot, now that 
mattock has pointed it to the other repo
(13:28:17) ordex: ok. then work on the unit tests
(13:28:19) ordex: good!
(13:28:25) dazo: cool, and I'll use them for the Copr repo .... mattock, can we 
have a separate openvpn-netlink repo for testing for Deb/Ubu?
(13:28:25) ordex: I'll send them soon then
(13:28:39) cron2: we need to work on the patch queue already out there :-( - 
because the more patches are pending, the more merge clashes we end up with
(13:28:40) mattock: hmm
(13:28:46) ordex: yeah :/
(13:28:47) mattock: technically yes
(13:28:56) ***ordex will work on tls-crypt-v2
(13:29:19) dazo: mattock: perhaps we should try to make something automated 
.... would benefit openvpn3 too
(13:29:34) mattock: dazo: I fully agree, but time is a scarse resource
(13:29:39) dazo: yeah, I know
(13:29:49) mattock: I would like to just take a commit and push out various 
"things" built from that commit
(13:29:49) syzzer: whee, my build bot claims to have built both tap-windows and 
tap-windows6 :)
(13:29:50) ordex: mattock: dazo: we could create a new openvpn-testing repo and 
have packages in there built from different branches? (only some)
(13:30:03) dazo: yeah, that's my thought
(13:30:04) cron2: mattock: so to be sure I understand the setup - the 
buildslaves are fetching from your new repo on "build" now, and "we" can all 
push to branches there?
(13:30:13) mattock: cron2: that is correct
(13:30:14) syzzer: ordex: oh, I should do that too...
(13:30:16) cron2: ("we" being "people that have mailed you their ssh key and 
are trusted")
(13:30:24) mattock: and have VPN access
(13:30:27) mattock: so double trusted
(13:30:32) cron2: build is not in vpn
(13:30:35) dazo: btw ... openvpn3 development ... quick words here .... we're 
going to start pushing openvpn3 patches to the public mailing list in not too 
far future
(13:30:40) mattock: oh yes, it is also accessible without VPN
(13:30:45) mattock: I can definitely fix that though :P
(13:30:50) cron2: ah, "click on buildmaster", that needs VPN
(13:30:51) ordex: (even via ipv6!)
(13:30:53) cron2: no, the other part is good
(13:31:10) mattock: ok
(13:31:15) dazo: We will have done internal review on those patches coming from 
@openvpn.net addresses .... so they should all carry a "Approved-by:" line in 
the commit messages
(13:31:41) cron2: dazo: I'm curious how that is going to work out with 
patchwork :-)
(13:32:05) dazo: so they will be pushed to the git repo directly .... but 
copies patches to the ML for distributed archive purpose
(13:32:35) dazo: cron2: that's going to be interesting as well ... we might 
need to "tag" openvpn3 patches differently, as patchwork has this "project" 
reference
(13:32:53) ordex: i think one project = one mailing list ?
(13:32:54) cron2: something like that would be good, otherwise the "openvpn2" 
view would be confusing
(13:33:10) dazo: but I'd like to see these patches arrive in patchwork too ... 
but under a different project
(13:33:40) dazo: it might be a little bit noise in the beginning as we figure 
out these details ... the intention is not to make things worse than it is :)
(13:33:40) cron2: +1
(13:33:41) mattock: yeah, definitely have 1:1 mapping between a project and a 
mailing list
(13:33:54) mattock: patchwork can filter the emails, but I think that gets 
tricky
(13:34:12) cron2: I need to leave this discussion now, as $wife is biting other 
people already - time for lunch
(13:34:14) dazo: mattock: lets see how we can tackle this filtering
(13:34:15) mattock: it needs to have a clue as to where a patch belongs to
(13:34:25) mattock: let's stop here
(13:34:28) mattock: I need to eat also
(13:34:28) ordex: oky
(13:34:32) ***ordex too
(13:34:39) ordex: and the laptop does not taste good today
(13:34:46) ***syzzer too, before the canteen closes (which is about now :p )
(13:34:50) ordex: :D
(13:34:52) dazo: we discussed briefly earlier to have separate mailing lists 
for openvpn2 and openvpn3 ... but consensus was to have a unified one .... 
okay, lets eat :)
(13:34:52) ordex: run!
(13:35:05) mattock: ok bye guys!
(13:35:07) ordex: bye!
(13:35:11) syzzer: bye! :)
(13:35:15) mattock: let me know if this is accurate:
(13:35:16) janjust: hehe , bye everyone
(13:35:18) mattock: iscussed "multi-port/multi-ip listening support: config 
format". The format agreed upon in the meeting was this:
(13:35:18) mattock:   local IP [port] [proto]
(13:35:18) mattock: Where IP can be an IPv4 address, and IPv6 address, or * 
which means dual-stack IPv6. Proto can be either udp or tcp; the udp6 and tcp6 
variants are not needed as they can be deduced from the IP address.
(13:35:46) dazo: " which means dual-stack IPv6" --> " which means dual-stack 
IPv4/IPv6"
(13:35:55) mattock: ah yes
(13:36:18) ordex: yap
(13:36:25) dazo: yeah, that's a good summary
(13:36:27) mattock: will openbsd just break if "local *" is defined?
(13:36:36) mattock: that would worthy of mention
(13:36:43) ordex: nope, it will do the same as today with udp6
(13:36:47) ordex: which is not really dual-stack
(13:36:47) mattock: ok
(13:36:53) mattock: so IPv6 only
(13:36:59) ordex: yap
(13:37:01) mattock: ok
(13:37:14) ordex: we can have some define in the code to error out and suggest 
to use 2 local statements
(13:37:20) dazo: that could be improved later on though, to actually do dual 
sockets on OpenBSD ... but that's for later
(13:37:27) ordex: right
(13:38:41) janjust ha abbandonato la stanza (quit: Quit: Leaving).

0x40864578.asc
Description: application/pgp-keys

signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel