Resending as the original one probably got blocked.



Here's the summary of the IRC meeting.



Place: #openvpn-meeting on
Date: Wednesday 3rd April 2019
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:


The next meeting is scheduled to Thursday 11th April 20:00 CEST.

Your local meeting time is easy to check from services such as



cron2, mattock, rozmansi and syzzer participated in this meeting.


Planned the tap-windows6 release. Mattock will produce a test
tap-windows6 driver which includes the following PRs from Jon and Selva:

In addition a fix to a security vulnerabily will be included. If/when
the tap-windows6 driver passes basic testing those PRs will be merged
and signed driver and installers (9.23.1) will be produced for the
following platforms:

- Windows 7/8/8.1/Server 2012r2
- Windows 10 (including arm64)

Windows Server 2016 will follow after that one. Mattock does have a
physical Windows Server 2016 box he can use as a HLK test client. But it
will take a few weeks before Stephen's patches can be reviewed, tested
and merged, and before a WHQL-certified tap-windows6 driver can be
released for that platform.

As Windows Server 2016 users will have to use to the old (9.22.1)
tap-windows6 driver a bit longer we will simply advise them to avoid
using it on machines with untrusted people.


Full chatlog attached.

(12:32:02) cron2: moin
(12:34:59) cron2: theory says we have a meeting today, for the last time (and 
then, thursday evening next week)
(12:35:24) mattock: hello!
(12:35:41) mattock: not only theory, but also the invitation
(12:35:58) mattock: now, who do we have here besides me and cron2?
(12:36:10) mattock2 ha abbandonato la stanza (quit: Quit: IRC for Sailfish 0.9).
(12:38:13) ***cron2 looks frustrated, but this reflects accurately on the 
general process
(12:39:30) mattock: yeah unfortunately
(12:39:40) cron2: so, as I have a lunch appointment at 12:15, maybe we should 
quickly cover the news?
(12:39:45) mattock: yep
(12:40:08) mattock: I now have a physical Windows Server 2016 box which can 
operate as a HLK test client
(12:40:16) cron2: cool :)
(12:40:37) mattock: that one has two VMs that can serve as the HLK openvpn 
server and as the "support machine"
(12:40:52) mattock: if that approach does not work, those two VMs can be moved 
over to EC2
(12:41:09) syzzer: oops, almost forgot the meeting
(12:41:10) cron2: I was about to wonder if that will work or fail in 
spectacular ways
(12:41:13) mattock: I'm told that we do have an EV dongle we can use for 
EV-signing tap-windows6
(12:41:13) syzzer: present now :)
(12:41:27) cron2: mattock1: cool.  syzzer: hello again ;-)
(12:41:29) mattock: yeah it could fail, but that would not be a catastrophe
(12:41:32) mattock: hi syzzer!
(12:41:39) mattock: now we have genuine meeting :)
(12:42:17) mattock: also, I am supposed to be on vacation next week 
(unfortunate timing this tap-windows6 issue)
(12:43:21) mattock: so it would probably make most sense to release for Windows 
7/8/8.1 and Windows 10 first, followed by Windows Server 2016
(12:43:26) mattock: thoughts?
(12:43:37) mattock: the first part would almost certainly be doable this week
(12:44:51) ***rozmansi here now
(12:45:29) mattock: hi rozmansi!
(12:45:40) cron2: I still think that we should do this - release a fixed+signed 
Win10-compatible driver, if we can do that, and document the shortcomings of 
the current driver (= do not use on machines with untrusted people on it)
(12:45:56) cron2: I'm sitting on the patch and could push it out any day :))
(12:46:15) mattock: now, should we release it as 9.21.2 + security fix for now?
(12:46:23) cron2: yes
(12:46:24) mattock: instead of trying to merge Stephen's work first
(12:46:35) mattock: so 9.21.3 it would be
(12:46:50) syzzer: +1 on not waiting anymore
(12:46:54) cron2: Stephen's work will definitely take a few weeks - I have seen 
some of the patches, all the code looks good, but to truly understand what is 
changed takes time
(12:47:12) cron2: mattock1: haven't we upped the version to 9.22.x already?
(12:47:26) mattock: yes that was the broken driver (9.22.1)
(12:47:35) cron2: so we do 9.22.2 then, not 9.21.3
(12:47:46) mattock: yeah you're correct
(12:48:26) cron2: or maybe 9.23.1 to really communicate "this is new!"
(12:48:30) rozmansi: will the 9.22.2 include ARM64 version too?
(12:48:45) mattock: rozmansi: hmm, good question
(12:49:00) mattock: we did receive tons of patches from Jon that enabled arm64 
(12:49:09) cron2: we should be able to...
(12:49:14) mattock: yeah
(12:49:18) rozmansi: but we haven't tested any ourself. :(
(12:49:33) mattock: that is correct :)
(12:49:43) cron2: rozmansi: no, but if you want an ARM laptop to test, just 
holler :-)
(12:49:43) mattock: we can probably outsource the arm64 testing to Jon
(12:49:44) mattock: for now
(12:49:48) cron2: as well
(12:50:14) rozmansi: mattock1: Can you compile ARM64 and sign it. I'd need it 
at least to start adding ARM64 support  to MSI.
(12:50:15) mattock: so, 9.23.1, with jon's arm64 patches, i386/amd64/arm64, no 
stephen stuff yet
(12:50:24) cron2: yes
(12:50:25) mattock: rozmansi: I shall
(12:50:38) mattock: and this would an interim release
(12:50:42) rozmansi: We don't need to advertise tap-windows6 ARM64 installer 
out loud yet.
(12:50:44) cron2: yes
(12:50:49) cron2: (and yes)
(12:50:54) mattock: we'd make another release when Stephen's stuff is merged 
and HLK tests pass
(12:51:30) mattock: hmm, I wonder how is NSIS ARM64 support...
(12:51:33) cron2: yes, which would then be 9.24.1 ("this is really lots of 
changes"), so we *could* go back and do a 9.23.2 if we discover some minor bug 
and 9.24.x isn't working good enough yet
(12:52:01) mattock: worst case with arm64 - we can just provide the driver 
files in a zip with instructions on how to install them
(12:52:09) mattock: though
(12:52:18) mattock: arm64 windows has i386 emulation layer...
(12:52:28) mattock: anyways, let's see how it goes
(12:52:32) cron2: yes, the userland should just work "if we can get it 
(12:52:34) rozmansi: NSIS installer must be i386 in the end.
(12:53:00) mattock: ok so this release will be my main priority for this week
(12:53:02) rozmansi: Jon added PR for NSIS installer too.
(12:53:21) mattock: have a link?
(12:53:31) cron2: mattock1: so I push the bugfix, and we go public?  or shall I 
wait until tomorrow-ish, etc?  Who bumps the version number?
(12:53:49) mattock: let's wait until I'm 100% sure I have everything I need to 
sign the builds
(12:53:52) rozmansi: mattock1:
(12:53:54) mattock: =tomorrow
(12:53:54) vpnHelper: Title: Add ARM64 files to installer by jkunkee · Pull 
Request #57 · OpenVPN/tap-windows6 · GitHub (at
(12:54:00) cron2: mattock1: ok
(12:54:27) cron2: just let me know.  tomorrow during daytime I have to be at a 
customer site (and won't check IRC), but tomorrow evening/friday is good
(12:54:49) mattock: oh, we still have Jon's PRs open
(12:54:53) rozmansi: mattock1: I'm fine even if you don't provide the NSIS 
installer, as long as I get signed INF+SYS+CAB files. :)
(12:55:00) cron2: mattock1: we do?
(12:55:02) mattock: rozmansi: noted
(12:55:07) mattock:
(12:55:08) vpnHelper: Title: Pull Requests · OpenVPN/tap-windows6 · GitHub (at
(12:55:23) mattock: also one easy one from selva
(12:55:37) mattock: 48, 55, 56, 57
(12:55:45) mattock: 65
(12:55:58) cron2: yep, looking at that right now.  Haven't we ACKed all of them?
(12:56:08) mattock: not sure, let's check
(12:56:12) cron2: selva's definitely needs to go in to avoid confusions
(12:56:31) mattock: yeah
(12:56:42) mattock: it seems I promised to test it but got blocked/distracted
(12:57:12) mattock: do we trust selva's code or should I still test it?
(12:57:24) cron2: we do trust Selva's code, but you should still test it
(12:57:49) mattock: maybe I'll merge all of that stuff into my own clone and 
test them as a whole
(12:58:23) cron2: I think that was the original plan, last year, and then you 
got distracted.  I think it might have been "family stuff" - that tends to 
cause such effects
(12:58:28) rozmansi: actually, #48 from selva is mandatory - INF version and 
SYS (resource) versions must match.
(12:58:38) rozmansi: there's a test in HKL that verifies this.
(12:58:40) mattock: family, work, holidays, etc.
(12:59:15) rozmansi: Thou, Windows will hapilly accept driver even on INF vs. 
SYS version mismatches
(12:59:17) ***cron2 needs to talk to people at OpenVPN inc regarding the 
"holiday" time-waster...
(12:59:23) mattock: lol
(12:59:44) mattock: so I will produce a test installer with all those PRs
(13:00:03) cron2: +1  (my patch should be in your mailbox, but I can just mail 
it again)
(13:00:17) mattock: please mail it again - it is probably hidden somewhere
(13:00:32) cron2: sent
(13:00:34) mattock: ok, anything else on tap-windows6?
(13:00:36) mattock: thanks!
(13:00:55) ***cron2 <- happy with the path forward
(13:01:59) mattock: and I'm looking forward to fighting with Authenticode 
signatures again :)
(13:02:13) mattock: anyways, other topics? we have a couple of mins
(13:02:37) cron2: syzzer: if you can find a bit of time, a review of my 
rate-limiting patches would be nice
(13:02:59) syzzer: cron2: yeah, they're on my list, haven't forgotten about them
(13:03:34) syzzer: but remembering me does increase the likelyhood of me 
picking it up :p
(13:03:39) cron2: thanks :) - so, how many hundred other things are further up 
on that list? ;-)
(13:04:10) cron2: (insert rant about "2 colleagues at $work quit, 3rd colleague 
is sick since 2.5 months now, and we get lots of EXTRA work to compensate...")
(13:05:08) cron2: so... my next appointment just called in a bit early... and 
I'm off *now* :-) - *wave*, will read up what you come up with
(13:05:09) syzzer: well, dayjob is kinda hectic, which mostly costs energy 
(rather than time), and $gf is complaining I should spend more time on 
arranging a wedding :p
(13:05:46) syzzer: ok, ttyl!
(13:06:33) mattock: ok let's conclude the meeting unless somebody else comes up 
with something
(13:07:13) rozmansi: Excellent
(13:07:13) ***rozmansi back to work now...
(13:07:17) syzzer: I don't have any other topics to discuss now - jjk started 
an off-list discussion with me and dazo about the keygen options, but we'll get 
some consensus between us before we bring it back to the meeting and claim 
everyones time
(13:09:17) mattock: ok sounds good
(13:09:27) mattock: good meeting, and a short one!
(13:09:47) syzzer: great, I'm off to lunch then :)
(13:09:50) syzzer: thanks all :)

Attachment: signature.asc
Description: OpenPGP digital signature

Openvpn-devel mailing list

Reply via email to