Bug#1033006: unblock: openvpn/2.6.1-1 (preapproval)

On 25/03/23 10:17 PM, Sebastian Ramacher wrote:

> > - upload 2.6.1 from experimental to unstable, then stage 2.6.2 and the
> >   new DCO in experimental for the second review round
> >
> > I would prefer the last option.
>
> Let's go ahead with the last option. Please let us know once openvpn
> 2.6.1 is in unstable.

src:openvpn 2.6.1-1 is in unstable. I have cherry-picked the three most
important fixes from 2.6.2 as well (one crash, one memory leak and one
stall due to a blocking socket).

I have also uploaded src:openvpn 2.6.2-1~exp1 and src:openvpn-dco-dkms
0.0+git20230324-1~exp1 to experimental. Those are the versions I'd like to
end up in bookworm.

I have filed an internal change to get 2.6.2+dcov2 installed on our eduVPN
node next week.

Bernhard
Bug#1033006: unblock: openvpn/2.6.1-1 (preapproval)

Control: tags -1 moreinfo

On 2023-03-24 23:46:56 +0100, Bernhard Schmidt wrote:
> On 15/03/23 04:57 PM, Bernhard Schmidt wrote:
> > Hi,
> >
> > The upcoming DCO change will involve a new version of src:openvpn and a new
> > version of src:openvpn-dco-dkms. The list of changes on the kernel side is
> > already visible on https://github.com/OpenVPN/ovpn-dco/commits/master .
> >
> > In the past we managed to break DCO on the above mentioned really heavily
> > loaded OpenVPN server within a few hours. The new version is a major
> > overhaul and more in line with code upstreamable in Linux, and did survive
> > torture tests.
> >
> > I know this is kind of late, but I think it would be better to include it
> > as well as soon as it is released because
> >
> > - we cannot support the old deprecated module
> > - openvpn uses DCO (of the right version) automatically and will
> >   transparently fall back to non-DCO mode if the module is not found (or
> >   the wrong version)
> > - it has not been in Bullseye previously, so if we see that DCO is too
> >   unstable with the new version we can just drop it before the release
>
> So, the release of 2.6.2 with the new DCO module has been done
> yesterday, fixing a number of bugs already present in 2.6.0.
>
> https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst
>
> ---
> New control packets flow for data channel offloading on Linux. 2.6.2+
> changes the way OpenVPN control packets are handled on Linux when DCO is
> active, fixing the lockups observed with 2.6.0/2.6.1 under high client
> connect/disconnect activity. This is an INCOMPATIBLE change and
> therefore an ovpn-dco kernel module older than v0.2.20230323 (commit ID
> 726fdfe0fa21) will not work anymore and must be upgraded. The kernel
> module was renamed to "ovpn-dco-v2.ko" in order to highlight this change
> and ensure that users and userspace software could easily understand
> which version is loaded. Attempting to use the old ovpn-dco with 2.6.2+
> will lead to disabling DCO at runtime.
> ---
>
> So I need some guidance from the release team on how to proceed. I can
> think of
>
> - abandoning all of this, leading to a bookworm release using a buggy
>   OpenVPN version with a DCO kernel interface that no one else uses
> - update experimental to 2.6.2 and the new DCO module, then ask for
>   approval for upload to unstable (2.6.1+2.6.2) in one go
> - upload 2.6.2 and the new DCO module to unstable right away
> - upload 2.6.1 from experimental to unstable, then stage 2.6.2 and the
>   new DCO in experimental for the second review round
>
> I would prefer the last option.

Let's go ahead with the last option. Please let us know once openvpn
2.6.1 is in unstable.

Cheers
-- 
Sebastian Ramacher
Bug#1033006: unblock: openvpn/2.6.1-1 (preapproval)

On 15/03/23 04:57 PM, Bernhard Schmidt wrote:

Hi,

> The upcoming DCO change will involve a new version of src:openvpn and a new
> version of src:openvpn-dco-dkms. The list of changes on the kernel side is
> already visible on https://github.com/OpenVPN/ovpn-dco/commits/master .
>
> In the past we managed to break DCO on the above mentioned really heavily
> loaded OpenVPN server within a few hours. The new version is a major overhaul
> and more in line with code upstreamable in Linux, and did survive torture
> tests.
>
> I know this is kind of late, but I think it would be better to include it as
> well as soon as it is released because
>
> - we cannot support the old deprecated module
> - openvpn uses DCO (of the right version) automatically and will transparently
>   fall back to non-DCO mode if the module is not found (or the wrong version)
> - it has not been in Bullseye previously, so if we see that DCO is too
>   unstable with the new version we can just drop it before the release

So, the release of 2.6.2 with the new DCO module has been done yesterday,
fixing a number of bugs already present in 2.6.0.

https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst

---
New control packets flow for data channel offloading on Linux. 2.6.2+
changes the way OpenVPN control packets are handled on Linux when DCO is
active, fixing the lockups observed with 2.6.0/2.6.1 under high client
connect/disconnect activity. This is an INCOMPATIBLE change and therefore
an ovpn-dco kernel module older than v0.2.20230323 (commit ID 726fdfe0fa21)
will not work anymore and must be upgraded. The kernel module was renamed
to "ovpn-dco-v2.ko" in order to highlight this change and ensure that users
and userspace software could easily understand which version is loaded.
Attempting to use the old ovpn-dco with 2.6.2+ will lead to disabling DCO
at runtime.
---

So I need some guidance from the release team on how to proceed. I can
think of

- abandoning all of this, leading to a bookworm release using a buggy
  OpenVPN version with a DCO kernel interface that no one else uses
- update experimental to 2.6.2 and the new DCO module, then ask for
  approval for upload to unstable (2.6.1+2.6.2) in one go
- upload 2.6.2 and the new DCO module to unstable right away
- upload 2.6.1 from experimental to unstable, then stage 2.6.2 and the
  new DCO in experimental for the second review round

I would prefer the last option.

Bernhard
Bug#1033006: unblock: openvpn/2.6.1-1 (preapproval)

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please give permission to upload OpenVPN 2.6.1-1 to unstable and let it
migrate to testing (currently in experimental as 2.6.1-1~exp1).

[ Reason ]
Upstream has released the first minor release in the 2.6.x series. It is
primarily a bugfix release but has one new security feature.

https://github.com/OpenVPN/openvpn/blob/v2.6.1/Changes.rst

| Dynamic TLS Crypt
|   When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically create a
|   tls-crypt key that is used for renegotiation. This ensures that only
|   the previously authenticated peer can trigger renegotiation and
|   complete renegotiations.

I am afraid that this might be CVE material down the road and would be
more invasive to backport during a stable release than adding it now.

There is another release slated for next week that will overhaul the
kernel interface to the optional DCO (data channel offload) kernel module.
I have asked upstream to make 2.6.2 as small as possible compared to
2.6.1, so we can review 2.6.2 and the new DCO module in time.

There have been no changes in the debian/ packaging.

[ Impact ]
Missing out on this release would make us miss all the small bugfixes and
make reviewing the DCO change a lot harder.

[ Tests ]
Upstream has a very thorough patch review process and CI pipeline.

2.6.1-1~exp1 (but compiled on bullseye) has been running on my employer's
eduVPN server serving thousands of university students.

[ Risks ]
The code change is not trivial but manageable

https://github.com/OpenVPN/openvpn/compare/v2.6.0...v2.6.1

About half of the changes affect only Windows or FreeBSD.

I'm not smart enough to understand anything about the one new feature,
but it has been extensively documented and tested by upstream

https://github.com/OpenVPN/openvpn/commit/202a934fc32673ef865b5cbcb23ad6057ceb2e0b

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [ ] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in testing

I've omitted the debdiff because there have not been any changes apart
from the new upstream version, which is a lot more readable as a list of
commits on github than with a plain debdiff. If you want me to attach a
debdiff feel free to tell me.

[ Other info ]
The upcoming DCO change will involve a new version of src:openvpn and a new
version of src:openvpn-dco-dkms. The list of changes on the kernel side is
already visible on https://github.com/OpenVPN/ovpn-dco/commits/master .

In the past we managed to break DCO on the above mentioned really heavily
loaded OpenVPN server within a few hours. The new version is a major
overhaul and more in line with code upstreamable in Linux, and did survive
torture tests.

I know this is kind of late, but I think it would be better to include it
as well as soon as it is released because

- we cannot support the old deprecated module
- openvpn uses DCO (of the right version) automatically and will
  transparently fall back to non-DCO mode if the module is not found (or
  the wrong version)
- it has not been in Bullseye previously, so if we see that DCO is too
  unstable with the new version we can just drop it before the release

unblock openvpn/2.6.1-1