Hi,
Here's the summary of the IRC meeting.
---
COMMUNITY MEETING
Place: #openvpn-meeting on libera.chat
Date: Wed 14th September 2022
Time: 10:30 CEST (9:30 UTC)
Planned meeting topics for this meeting were here:
<https://community.openvpn.net/openvpn/wiki/Topics-2022-09-14>
Your local meeting time is easy to check from services such as
<http://www.timeanddate.com/worldclock>
SUMMARY
cron2, d12fk, dazo, djpig, lev, mattock, MaxF, ordex, plaisthos, rob0
participated in this meeting.
---
The hackathon date has been set. Status of Friday is still unclear. We
need to leave Fox-IT Premises by 19.00, but that's fine (pub time anyways).
---
Coordinated patches that are aimed at 2.6 and 2.7. Cron2 will start
going through them now that his vacation is over.
---
Noted that Lev has a new, signed tap-windows6 driver ready with fixes.
For unknown reasons building the arm64 version of tap-windows6 MSM
failed. Once that is fixed mattock can push out a new 2.5 Windows installer.
Also noted that HP has sent a PR to tap-windows6 which will need some
work and may even violate GPLv2.
---
Talked about data-channel offload. Lev is waiting on review + ack +
merge of two Windows DCO patches. The FreeBSD DCO needs two fixes. The
p2p mode needs to be fixed in both FreeBSD and Linux.
---
Talked about uncrustify. Noted that it is broken in some cases because
it is not a real C parser. One alternative is clang-format. The
challenge there is that clang-format may not be customizable enough to
be able to adapt to our current uncrustify rules. Also, according to
dazo, going the clang-format route is not trivial, either.
Agreed not to just use uncrustify as-is for now, in order to avoid
time-consuming bikeshedding discussions.
---
Talked about automated Windows testing. Mattock's
openvpn-windows-buildtest repository on GitHub should be a good starting
point:
<https://github.com/OpenVPN/openvpn-windows-test>
---
Talked about unacceptable, one could say "toxic", behavior of a certain
forum moderator. This issue will be brought up with him in person.
--
Full chatlog attached
(11:27:27) cron2__: good morning maxf :)
(11:27:39) MaxF: good morning!
(11:29:08) plaisthos: moin moin
(11:30:37) rob0: zzZZZzz
(11:30:59) ***cron2__ wakes up rob0
(11:31:18) cron2__ has set the topic to:
https://community.openvpn.net/openvpn/wiki/Topics-2022-09-14
(11:31:31) cron2__: not much there
(11:32:01) mattock: hi!
(11:33:04) ordex: ding dang
(11:33:17) ***ordex pokes everybody with a pointy stick
(11:33:22) ***cron2__ jumps
(11:33:28) cron2__: I'm awake! I'm awake!
(11:34:36) ordex: sooo
(11:35:06) ordex: any imminent aspect to discuss?
(11:35:08) MaxF: hackathon: Date is confirmed. I added some hotels to the wiki
page
(11:35:10) ordex: MaxF: u there?
(11:35:11) ordex: ah there!
(11:35:27) ordex: MaxF: thanks! did you get a response for friday as well?
(11:35:30) cron2__: cool. So what's the status of "Friday"?
(11:35:33) cron2__: hah
(11:35:42) ordex: <o/
(11:35:51) MaxF: Not sure about that yet
(11:36:38) ordex: ok - once we know that we could start booking tickets/hotel I
guess
(11:36:57) ordex: MaxF: regarding the time, do we have any specific constraint
about when to arrive/leave the office on sat/sun ?
(11:37:30) MaxF: We can't stay very late, we should be out by 7 pm
(11:37:50) cron2__: that is fine, I think... leave when the pubs open :)
(11:38:01) ordex: ay ay
(11:38:02) ordex: :D
(11:40:06) cron2__: so, 2.5?
(11:40:11) djpig: moin moin
(11:40:23) cron2__: hiya
(11:40:55) plaisthos: the 1/3 patch of my newest patch set might be 2.5
material but probably not since that S_GENERATED_KEYS might not yet exist in
2.5
(11:41:04) plaisthos: the rest of the patchset might be even 2.7 %)
(11:41:35) cron2__: I only skimmed that patchset and decided "this needs more
brain cycles to understand"
(11:43:16) plaisthos: short summary is, do renegotiations with a dynamic tls-crypt
key so neither replayed nor faked packets can interfere with renegotiations
(11:43:31) plaisthos: it is kind of the nuclear option to solve the problem :D
(11:43:31) cron2__: that is the 3/3 patch, but I already failed at 1/3
(11:44:10) plaisthos: 1/3 is just "only allow to start renegotiation" if the
previous session is fully completed and not just 80%
(11:44:11) cron2__: 3/3 might run into "the client *restarts* and is not let in
anymore, because the server thinks it's a renegotiation" issue
(11:44:41) plaisthos: cron2__: no, then you have a P_HARD_RESET instead of
SOFT_RESET and key_id == 0 and use TM_UNTRUSTED instead of TM_ACTIVE
(11:45:16) cron2__: ah. more brain cycles... (or more coffee)
(11:46:23) plaisthos: on more 2.6/2.7 news, I am currently working on a patch
to decouple auth-token lifetime from reneg-sec
(11:49:00) ordex: plaisthos: what if a client restarts in the middle of a
negotiation? so not complete at 100%, but has to allow a restart? will that
work?
(11:49:00) lev__: for 2.6, "dco on windows by default" and "persist-tun for
dco-win" are waiting for review
(11:49:00) cron2__: looking into 2.6 - there's some leftovers of the MTU and
HMAC/ACK patchsets still not merged... we should see that we regain traction on
that in the next (few) weeks
(11:49:00) d12fk: looking at those at the moment
(11:49:00) plaisthos: ordex: TM_ACTIVE and TM_UNTRUSTED can be both active
(11:49:00) cron2__: d12fk: cool
(11:49:00) ordex: ok
(11:49:01) plaisthos: once TM_UNTRUSTED reaches S_ACTIVE, it replaces TM_ACTIVE
and kicks out the old session
(11:49:01) ordex: plaisthos: I was commenting on your statement: 1/3 is just
"only allow to start renegotiation" if the previous session is fully completed and
not just 80%
(11:49:02) ordex: if session is at 80%, but we restart the peer
(11:49:11) ordex: it will try to start a new session
(11:49:14) plaisthos: ordex: same things.
(11:49:18) ordex: maybe that works because this is not a "renegotiation"
(11:49:23) plaisthos: yes
(11:49:25) ordex: ok
(11:49:26) ordex: cool
(11:51:19) cron2__: so, back to "2.5" - so we have that patch which might want
to go into 2.5
(11:51:27) cron2__: how did the TAP driver signing go?
(11:51:52) lev__: it is done
(11:52:24) cron2__: including "updating the download packages", "openvpn-build
URLs and version numbers", etc?
(11:52:50) lev__: I got a mail from a guy from Paderborn who experienced the
same issue with Windows Server which my fix has addressed and he was wondering
when we could provide signed driver
(11:52:52) cron2__: so we could ask mattock to build a new 2.5 package for
people to test the new installer...
(11:53:14) lev__: I did signing and he confirmed that problem is now fixed
(11:53:16) mattock: yep
(11:53:27) cron2__: nice
(11:53:31) lev__: apparently they use tap driver without openvpn
(11:53:33) cron2__: (on both accounts :) )
(11:53:56) plaisthos: guy from Paderborn = dSpace
(11:54:35) lev__: mattock: I think I still need to build MSM for arm64 - by
some reason scripts on signing machine didn't do that
(11:54:36) plaisthos: a company working mainly on development/test tools
(computer stuff) for automotive companies
(11:54:46) cron2__: nice
(11:55:17) lev__: and today we got a PR from HP to tap-windows6
(11:55:44) lev__: maybe it is time for tap-windows6-nx
(11:55:53) cron2__: that PR from HP was... not very good
(11:55:59) plaisthos: that PR probably violates the GPL
(11:56:06) ordex: :D
(11:56:10) plaisthos: I say probably only because I am not a lawyer
(11:56:10) ordex: be kind to clueless people
(11:56:19) cron2__: it definitely violates good manners
(11:56:45) ordex: when somebody has no clue about what they're doing, it can
hit all kind of corners. be gentle :D
(11:56:48) mattock: lev: hmm, ok, maybe I'd have better luck with it
(11:57:29) lev__: mattock: I haven't really looked into it, I was just
following orders and followed steps from readme
(11:57:33) cron2__: ordex: I was refraining myself :-)
(11:57:36) ordex: :p
(11:57:41) ordex: you Germans!!
(11:57:44) ordex: hehe
(11:58:04) cron2__: I could have asked novaflash for very direct dutch reply...
*that* will hurt
(11:58:13) ordex: haha
(11:58:39) dazo: lev__: where did that patch from HP arrive?
(11:58:47) plaisthos: dazo: github pr to tap repo
(11:59:06) lev__: https://github.com/OpenVPN/tap-windows6/pull/150
(11:59:45) MaxF: wow
(11:59:51) dazo: ahh, it was closed
(12:00:10) cron2__: I closed it because "this is not something which can be
amended"
(12:00:14) dazo: " Corrected the copyright info. " .... I mean .... wow ....
(12:00:37) cron2__: *that* is the harmless patch of the two commits :)
(12:01:07) cron2__: it just changes some strings that the other one introduces
(12:01:22) dazo: yeah, I just saw the main patch summary ... and then that
commit
(12:01:25) dazo: so yeah
(12:03:03) lev__: also I don't like that we would have to maintain #ifdef
VENDOR_X code
(12:04:17) cron2__: the actual code change is nicely contained behind an
ioctl()-settable value (even if I don't understand what it is for, it looks...
like misunderstood ethernet or so)
(12:04:34) cron2__: but the "we want this to look like our product" changes can
never go in
(12:05:16) dazo: agreed
(12:05:43) mattock2 [~ya...@mobile-access-bcee7d-214.dhcp.inet.fi] has entered
the room.
(12:07:26) cron2__: anyway, we're detouring again
(12:07:40) cron2__: 2.5 -> so, MSM next, then openvpn-build updates, then new
release ;-)
(12:07:42) cron2__: 2.6?
(12:08:01) cron2__: - lev__ is waiting on review+ack+merge of two window-dco
patches
(12:08:11) mattock: so we need a new 2.5.x release, or just new installer?
(12:08:24) cron2__: mattock: new installer. Sorry for wrong wording.
(12:08:27) mattock: ok
(12:08:31) mattock: I'm relieved :)
(12:08:42) mattock: I'll create a ticket for myself, so that I do not forget
(12:09:41) cron2__: more 2.6 -> FreeBSD DCO has 2 kernel side bugs to fix, but
besides that, looks very good (= passes all my torture testing now). Well, p2p
renegotiation is broken the same way as Linux, so we'll see what ordex will come
up with :-)
(12:10:50) cron2__: I'm back from vacation and will try to make sense of all
open patches in patchwork "of this year, and some of last year", so I will come
and ask for reviews, new versions, etc...
(12:11:30) ordex: yeah, p2p/dco is wip
(12:12:39) lev__: when do we expect to get 2.6 RC ?
(12:12:46) plaisthos: cron2__: feel free to throw patch reviews for that in my
direction if you come across any
(12:13:04) ordex: lev__: when review of plaisthos's patches is done and p2p is
fixed
(12:13:04) plaisthos: lev__: when you, dazo and d12fk review my patches more ;P
(12:13:05) ordex: :p
(12:13:16) cron2__: plaisthos: most of the openpn patches have been authored by
you :-) - so you need to do the rebasing and explaining, I think ;-)
(12:13:39) cron2__: "open" patches, that is :-)
(12:13:57) cron2__: we need to decide what to do about uncrustify and clang...
(12:14:09) cron2__: who wanted to investigate clang config for "make openvpn
pretty"?
(12:15:16) ordex: (again)
(12:15:21) ordex: if it ever was
(12:16:10) cron2__: well, what we have right now seems to be some kind of
consensus, but uncrustify is unable to fix the remaining inconsistencies... so
I seem to remember you discussed using clang instead
(12:16:19) dazo: clang-format config instead of uncrustify?
(12:16:23) ordex: yes
(12:16:25) dazo: ouch
(12:16:36) ordex: maybe djpig volunteered? or I am recalling wrong?
(12:16:44) djpig: uncrustify is broken in some cases due to not being a real C
parser
(12:16:46) dazo: that will be messy .... our current style does not really fit
well into any of the possibilities of clang-format
(12:17:03) ordex: dazo: clang-format can be customised, no?
(12:17:15) dazo: yes, but not to the extent we've done with clang-format
(12:17:22) dazo: *uncrustify
(12:17:24) ordex: ok
(12:17:43) djpig: I certainly did not volunteer. My understanding was that this
would be a fools errand where you sink a lot of time in and then someone
doesn't like the color of the bikeshed and all that time is lost
(12:18:29) dazo: We can move to clang-format .... but that will be lots of
style changes, and probably even more bikeshedding
(12:18:53) djpig: this would only work if people here would agree on a base
format and basically waive any veto-power in advance
(12:19:11) dazo: yeah
(12:19:38) djpig: cron2__: I think you can either have a consistent format or
the format you want
(12:19:49) ***dazo has been involved in a task to reformat openvpn3 with
clang-format ... it's not trivial
(12:19:54) cron2__: I want a consistent format looking the way I want
(12:19:57) cron2__: :-)
(12:20:03) djpig: not possible, I think
(12:20:08) dazo: in that case, it's only uncrustify
(12:20:12) cron2__: (I hear what you are saying, and maybe I want too much
flexibility...)
(12:20:44) d12fk: one could change uncrustify to add the missing formatting
(12:21:05) dazo: cron2__: as a starting point .... try to run "clang-format
--style Microsoft" on options.c .... that's probably the closest base style to
our style
(12:21:07) djpig: d12fk: no, you would need to fix the uncrustify parser as well
(12:21:15) cron2__: OTOH I can live with "uncrustify enforces those bits that
work well *and* we have a clear agreement on" and we do have a soft agreement
on "the other bits"
(12:21:16) d12fk: sounds like a messy endeavour from far
(12:21:59) cron2__: the way we do it now - with pre-commit hooks - already goes
a long way
(12:22:22) ordex: djpig: ah ok :D
(12:22:49) cron2__: so if clang is not as flexible, and uncrustify is too
broken to move further, we could just leave it as it is now - we just need to
agree on that :-)
(12:23:12) djpig: okay, sounds to me like we will stick with the current
approach for now since we have no consensus on changing
(12:23:21) dazo: that will probably be the most peaceful alternative for now :D
(12:23:31) djpig: cron2__: so you could take a look at those uncrustify patches
from me :)
(12:23:40) djpig: except 3/3
(12:23:49) cron2__: last time we agreed on actually *changing* something, it
was at a hackathon and we had sufficient beer :-)
(12:24:28) cron2__: djpig: this was part of the reason why I brought this up
:-) - see what the state of discussion is, do we pursue these patches further
or drop them. I will have a look.
(12:24:32) djpig: so let's find out what we can accomplish with a hackathon and
weed cookies?
(12:25:00) cron2__: MaxF: what is the company policy on that? ;-)
(12:25:11) cron2__: this being the Netherlands, after all...
(12:25:18) cron2__: (where is novaflash??)
(12:25:45) dazo: cron2__: this is what we will add as the .clang-format for
OpenVPN 3 in the near future ... https://termbin.com/1969
(12:25:50) d12fk: what are the missing features of uncrustify?
(12:25:51) djpig: we pinged him in Signal, but no reaction
(12:26:14) djpig: d12fk: see my patch on the list that I NAKed myself for an
example for a broken feature
(12:26:20) cron2__: d12fk: I think the "add spaces around * operator" bit
explodes on macros or so
(12:26:27) ordex: yeah
(12:26:32) ordex: and also around &
(12:26:36) cron2__: SortIncludes: Never
(12:26:38) cron2__: huh
(12:26:51) ordex: it gets confused and does not know if it's a binary operator
or a unary operator
(12:27:20) djpig: cron2__: yeah, openvpn3 has required include order. Let's not
get started on that here
(12:27:21) d12fk: ah that
(12:27:46) dazo: djpig++
(12:28:49) cron2__: RequireLawAndOrder: true
(12:28:55) dazo: :D
(12:29:07) ordex: lol
(12:29:22) ordex: StickLength: 3m
(12:29:28) cron2__: so, some agenda items left...
(12:29:31) ordex: we're hitting 1h mark
(12:29:32) cron2__: IPv6 to community?
(12:29:56) cron2__: just asking...
(12:30:12) cron2__: but more importantly: network manager vs. DCO vs.
CAP_NET_ADMIN - dazo, any news?
(12:31:02) dazo: nope, unfortunately
(12:31:29) cron2__: okay...
(12:31:34) cron2__: so, "automated windows testing"
(12:31:48) cron2__: I've seen some discussion in last week's backlog, but no
plan how to move forward?
(12:32:35) cron2__: (I saw a question about running t_client against "other"
servers, and this should be discussed properly, but needs more than 1 minute)
(12:34:03) d12fk: was 10 minutes late, did we discuss hackathon friday?
(12:34:12) cron2__: d12fk: no statement on that yet
(12:34:16) rob0: It wasn't written in the agenda, but novaflash told me it
would be discussed: more forum complaints about TinCanTech a/k/a wiscii.
https://forums.openvpn.net/viewtopic.php?p=108520#p108520 is what I wrote about
it; novaflash wants to consider removing his forum moderator powers.
(12:34:17) vpnHelper: Title: How to prevent clients from accessing other
machines on the network. - OpenVPN Support Forum (at forums.openvpn.net)
(12:34:22) djpig: so try to discuss next week? I agree we're out of time
(12:34:46) djpig: (re: automated testing)
(12:34:50) ordex: right, what rob0 mentions is an important point actually
(12:35:00) cron2__: we're running a bit out of time wrt 2.6.0 release - so we
should not let another week go without windows testing improvements...
(12:35:00) ordex: not sure we have time though - I totally forgot to bring it
up earlier
(12:35:29) rob0: Well, it's out there to think about for next week.
(12:36:11) djpig: cron2__: so "windows testing" specifically means porting
t_client to Windows? Or something else?
(12:36:13) ***cron2__ defers wiscii moderation to dazo
(12:36:37) plaisthos: I am completely out of the loop with forum and what is
going on there
(12:37:00) cron2__: djpig: what I really *want* is "new commits get built and
tested on windows, including actual VPN setups, with all driver variants we
have"
(12:37:08) rob0: On one hand he does help keep the spam down (I sure don't have
time to babysit the forum.) But OTOH he is very often toxic and unhelpful.
(12:37:26) cron2__: djpig: t_client.sh might provide a viable vehicle to go
there, or "rewrite it in python and use the mgmt API and the iservice to talk
to openvpn.exe"
(12:37:30) rob0: Pippin_: ^^ if you have comments about this?
(12:39:34) djpig: so I certainly could integrate any testing we have into
buildbot. But implementing actual testing will require someone like lev__
(12:40:05) cron2__: mattock has also done some windows/python test drivers in
the past... not sure if that still works
(12:41:10) dazo: What I've seen on the forums lately with wiscii is not
acceptable .... and he has gotten enough chances to improve. I'm not giving
any further chances. And he knows last time I had a chat with him about
it, it was the last time that would be tolerated.
(12:41:52) mattock2: the windows PowerShell testing broke at some point
probably due to PowerShell version changes
(12:42:03) dazo: so rob0, feel free to remove moderator status. If stronger
actions are needed, you have my support doing what is needed.
(12:42:08) mattock2: but is certainly fixable
(12:42:54) cron2__: so could you have a look if this is a good starting point
for more windows testing?
(12:43:41) ***ordex has to detach
(12:43:55) mattock2: it probably is a good start, it exercises OpenVPN.exe
command line, openvpn-gui and openvpnserv2
(12:44:14) cron2__: *like*
(12:44:50) mattock2: what is mainly missing is the CI glue
(12:44:50) djpig: which repo does that live in?
(12:44:50) mattock2: plus updating the PowerShell vode
(12:44:50) mattock2: code
(12:44:50) cron2__: (and with that, I need to go as well... 15 minutes to next
meeting, about corp/tax issues and decisions)
(12:44:50) dazo: so rob0, in regards to forum spam .... in many cases that is
better than "toxic help" for the community, as spam is easily understood and
accepted as spam - just annoying everyone. Toxic attitude can push people out
of the community; which is way worse. And we rather should look at how to
automatically detect and kill spam better
(12:44:52) djpig: I certainly could try to stand up a buildbot client based on
the packer stuff we have
(12:45:08) mattock2: openvpn-windows-test (mattock or OpenVPN, can't recall)
(12:46:01) djpig: https://github.com/OpenVPN/openvpn-windows-test
(12:46:08) djpig: so both, as usual ;)
(12:46:09) mattock2: +1
(12:48:24) d12fk: re forum, was looking at the thread and responses like that
do not earn a "Forum team" title in my book
(12:48:49) d12fk: seems the offending comment was removed, or where's the okie
dokie comment?
(12:49:14) rob0: oh, let me check
(12:49:38) d12fk: in any ways my 2¢: if you handle repeating issues with thread
starters like this instead of a canned response, maybe this support thing is
not for you
(12:49:40) dazo: d12fk: might be you need to be logged in with admin/moderator
status to see deleted posts
(12:51:09) rob0: did someone just delete it? I still see it, Sunday at 12:45 AM
(whatever TZ that is, not sure)
(12:51:54) djpig: okay, off as well
(12:52:40) d12fk: rob0: ah there got it
(12:53:01) d12fk: yeah, "jokes" on the internet no workee
(12:59:15) d12fk: is this new, that moderators get moderated? or why so
reluctant?
(13:08:49) rob0: My main reason to hesitate is that I/we are not ready to fill
in for what he does re: forum spam. But indeed looking through his posts (
https://forums.openvpn.net/search.php?author_id=37053&sr=posts ) "toxic" is the
best description.
(13:08:50) vpnHelper: Title: OpenVPN Support Forum - Information (at
forums.openvpn.net)
(13:09:15) rob0: I do also want to hear from Pippin_ about it.
(13:10:15) d12fk: yeah, I wouldn't consider myself to have any say here, since
it is forum related and I am not. just giving my thoughts as a spectator
(13:13:10) ***d12fk leaves as well now