Re: [Openvpn-devel] OpenVPN project organization [WAS: Introducing OpenVPN Community Manager]
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 09/12/09 11:54, Samuli Seppänen wrote: > >> On Mon, Dec 07, 2009 at 12:25:09PM +0200, Samuli Seppänen wrote: >> >>> Hello everybody, >>> >>> I'm the newly appointed community manager for OpenVPN Technologies. I >>> will be acting as a liaison between OpenVPN community and OpenVPN >>> Technologies. I will help us (the company) make our development more >>> community-oriented, e.g. by providing the tools and making development >>> >> [snip] >> >> Hi Samuli, >> >> Welcome! I hope the communication with the community will improve with >> your help. In this regard, I'd like to know if it's in your duties to >> deal with bug reports/feature requests, since there's a bunch [1] of >> them reported in the Debian Bug Tracking System. >> >> Please don't hesitate to contact me if you need my help at any time. >> >> Thanks, >> >> Alberto >> >> [1] >> http://bugs.debian.org/cgi-bin/pkgreport.cgi?include=tags:upstream;dist=unstable;package=openvpn >> >> > Hi Gonzales, > > We're definitely committed to making OpenVPN as close to a true > community project as possible. This will require rethinking how OpenVPN > development is done. In theory it's easy: just delegate responsibility > to community members. The problem is how to keep the work organized so > that the new development process actually produces better (and faster) > results. This is something I've already discussed with some community > members. One option mentioned was the Linux kernel model. In our case, > James would be Linus who (mostly) reviews other people's patches and > applies them. I strongly encourages such a model. This might be not needed information what I'm providing here now, but I'll add it for those who are don't know or just are interested in one approach of how such a community can work. This is purely my own experiences with working with such communities. I believe James have received several patches in the past from people on the mailing list - or directly. At least I hope he keeps an eye on the mailing list and might have an idea who might be potential candidates to help out in his "inner circle". Anyhow, it is important that this circle includes people which he can trust 100%. Each of these persons (maybe they will concentrate on different parts of the OpenVPN code, but this they need to arrange between themselves) will then pay attention to patches which hits their segment/interest field and they can validate these patches. It don't need to be many persons, it can be one or it can be fifteen, the amount is not that important, especially not right now. The important part is that there are someone who reviews and keeps an open dialogue with the community and also have a good connection with James. They will either include patches into their own source trees, or kick them back to be reworked or cancelled completely. Patches which are accepted will then be sent to James for a final review and inclusion. If James don't like it, it must be discussed on the mailing list so that everyone can see and understand why it was rejected and how to make it more acceptable for inclusion. If James can take the time to bring this discussion on the mailing list directly himself in these cases, that would bring the needed transparency. Further, it should hopefully not happen too often, as James' "inner circle" should already have made sure it is suitable for inclusion. These "inner circle" people do not need to be "community members". I don't know how big the OpenVPN Technologies Inc. company is, but it can even be people from here. But it is important that 1) James trust these persons ultimately and will be willing to grant them more privileges, 2) that these people are active and visible in the community. Even patches these people write themselves should be posted to the openvpn-devel list (or other another more suitable one). That way, more eyes can pay attention and raise awareness if something seems to be wrong or needs to be discussed. This part is, IMHO, the most important part to get implemented first. The rest will basically come as a result of this. > I think we'd also need to build teams for various > purposes, e.g. for QA, packaging, different GUI's... this would enable > easy participation in OpenVPN development, whether you're a coder or > not. This is something Ubuntu has done pretty well. Agreed, but this will need to come a litter bit later on. IMHO, get the development cycle in shape then QA and packaging/release engineering must come immediately afterwords. QA can most probably be done in cooperation with the bigger Linux distributors as well. The Fedora community is working hard on a big testing framework called Beaker, which is aimed at automatic testing of software. (I even think Beaker might support Windows testing in the future as well, but I have not checked it out) Other distroes might have similar systems as well. The important thing is to
[Openvpn-devel] OpenVPN project organization [WAS: Introducing OpenVPN Community Manager]
> On Mon, Dec 07, 2009 at 12:25:09PM +0200, Samuli Seppänen wrote: > >> Hello everybody, >> >> I'm the newly appointed community manager for OpenVPN Technologies. I >> will be acting as a liaison between OpenVPN community and OpenVPN >> Technologies. I will help us (the company) make our development more >> community-oriented, e.g. by providing the tools and making development >> > [snip] > > Hi Samuli, > > Welcome! I hope the communication with the community will improve with > your help. In this regard, I'd like to know if it's in your duties to > deal with bug reports/feature requests, since there's a bunch [1] of > them reported in the Debian Bug Tracking System. > > Please don't hesitate to contact me if you need my help at any time. > > Thanks, > > Alberto > > [1] > http://bugs.debian.org/cgi-bin/pkgreport.cgi?include=tags:upstream;dist=unstable;package=openvpn > > Hi Gonzales, We're definitely committed to making OpenVPN as close to a true community project as possible. This will require rethinking how OpenVPN development is done. In theory it's easy: just delegate responsibility to community members. The problem is how to keep the work organized so that the new development process actually produces better (and faster) results. This is something I've already discussed with some community members. One option mentioned was the Linux kernel model. In our case, James would be Linus who (mostly) reviews other people's patches and applies them. I think we'd also need to build teams for various purposes, e.g. for QA, packaging, different GUI's... this would enable easy participation in OpenVPN development, whether you're a coder or not. This is something Ubuntu has done pretty well. Currently we're lacking basic community services (e.g. forums, trackers, wiki, [sub]project hosting), but we're working on that. However I think the basic development model should be agreed upon before building any services. Anyways, I'm very interested in any ideas on how to organize the project in a more community-oriented fashion. So please let me know of any ideas / insights you might have. -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc
[Openvpn-devel] [PATCH] Hardened down-root.so plug-in with more context pointer checks
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Make sure that the context is pointing somewhere before continuing. Signed-off-by: David Sommerseth - --- plugin/down-root/down-root.c |8 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/plugin/down-root/down-root.c b/plugin/down-root/down-root.c index 77497ad..000ac40 100644 - --- a/plugin/down-root/down-root.c +++ b/plugin/down-root/down-root.c @@ -274,6 +274,8 @@ openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char * Allocate our context */ context = (struct down_root_context *) calloc (1, sizeof (struct down_root_context)); + if (!context) +goto exit; context->foreground_fd = -1; /* @@ -317,6 +319,9 @@ openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const ch { struct down_root_context *context = (struct down_root_context *) handle; + if (!context) +return OPENVPN_PLUGIN_FUNC_ERROR; + if (type == OPENVPN_PLUGIN_UP && context->foreground_fd == -1) /* fork off a process to hold onto root */ { pid_t pid; @@ -409,6 +414,9 @@ openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle) { struct down_root_context *context = (struct down_root_context *) handle; + if (!context) +return; + if (DEBUG (context->verb)) fprintf (stderr, "DOWN-ROOT: close\n"); - -- 1.6.2.5 (patch attached for convenience) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAksfdq4ACgkQDC186MBRfro7jgCgm3WM29OaAjIN1rnLbiFfEUm6 2pYAn3FVWu9++5Cl2lsT9FFJzvmop1T4 =Ywbn -END PGP SIGNATURE- >From c67bb0fb0afb3045b2b07873583086d6dfbad8e9 Mon Sep 17 00:00:00 2001 From: David Sommerseth List-Post: openvpn-devel@lists.sourceforge.net Date: Wed, 9 Dec 2009 10:44:31 +0100 Subject: [PATCH] Hardened down-root.so plug-in with more context pointer checks Make sure that the context is pointing somewhere before continuing. Signed-off-by: David Sommerseth --- plugin/down-root/down-root.c |8 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/plugin/down-root/down-root.c b/plugin/down-root/down-root.c index 77497ad..000ac40 100644 --- a/plugin/down-root/down-root.c +++ b/plugin/down-root/down-root.c @@ -274,6 +274,8 @@ openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char * Allocate our context */ context = (struct down_root_context *) calloc (1, sizeof (struct down_root_context)); + if (!context) +goto exit; context->foreground_fd = -1; /* @@ -317,6 +319,9 @@ openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const ch { struct down_root_context *context = (struct down_root_context *) handle; + if (!context) +return OPENVPN_PLUGIN_FUNC_ERROR; + if (type == OPENVPN_PLUGIN_UP && context->foreground_fd == -1) /* fork off a process to hold onto root */ { pid_t pid; @@ -409,6 +414,9 @@ openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle) { struct down_root_context *context = (struct down_root_context *) handle; + if (!context) +return; + if (DEBUG (context->verb)) fprintf (stderr, "DOWN-ROOT: close\n"); -- 1.6.2.5 0002-Hardened-down-root.so-plug-in-with-more-context-poin.patch.sig Description: PGP signature
[Openvpn-devel] [PATCH] openvpn-down-root.so causes a segfault on premature exits
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 If openvpn is interrupted before openvpn_plugin_open_v1() is called, there is no context allocated which openvpn_plugin_abort_v1() can use. Signed-off-by: David Sommerseth - --- plugin/down-root/down-root.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/plugin/down-root/down-root.c b/plugin/down-root/down-root.c index 5e0c002..77497ad 100644 - --- a/plugin/down-root/down-root.c +++ b/plugin/down-root/down-root.c @@ -434,7 +434,7 @@ openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle) { struct down_root_context *context = (struct down_root_context *) handle; - - if (context->foreground_fd >= 0) + if (context && context->foreground_fd >= 0) { /* tell background process to exit */ send_control (context->foreground_fd, COMMAND_EXIT); - -- 1.6.2.5 (patch attached in addition for convenience) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAksfbOUACgkQDC186MBRfrqSgwCeOZPg+70ryTCCyoW8D9QtLmeF pwwAn2pWo9529hvBzlMgj8izabtG9Ioc =o0Ym -END PGP SIGNATURE- >From e7e12e33025e7b83a8a97121433b46045144ded9 Mon Sep 17 00:00:00 2001 From: David Sommerseth List-Post: openvpn-devel@lists.sourceforge.net Date: Wed, 9 Dec 2009 10:18:55 +0100 Subject: [PATCH] openvpn-down-root.so causes a segfault on premature exits If openvpn is interrupted before openvpn_plugin_open_v1() is called, there is no context allocated which openvpn_plugin_abort_v1() can use. Signed-off-by: David Sommerseth --- plugin/down-root/down-root.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/plugin/down-root/down-root.c b/plugin/down-root/down-root.c index 5e0c002..77497ad 100644 --- a/plugin/down-root/down-root.c +++ b/plugin/down-root/down-root.c @@ -434,7 +434,7 @@ openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle) { struct down_root_context *context = (struct down_root_context *) handle; - if (context->foreground_fd >= 0) + if (context && context->foreground_fd >= 0) { /* tell background process to exit */ send_control (context->foreground_fd, COMMAND_EXIT); -- 1.6.2.5 0001-openvpn-down-root.so-causes-a-segfault-on-premature.patch.sig Description: PGP signature
Re: [Openvpn-devel] [Openvpn-users] Introducing OpenVPN Community Manager
Nick Owen ha scritto: > 2009/12/7 Samuli Seppänen : > >> Hello everybody, >> >> I'm the newly appointed community manager for OpenVPN Technologies. I >> will be acting as a liaison between OpenVPN community and OpenVPN >> Technologies. I will help us (the company) make our development more >> community-oriented, e.g. by providing the tools and making development >> more transparent, so that both the community and the company benefit. To >> accomplish these goals I need to work with you. I'll keep my own work as >> transparent as possible so that you can constantly provide feedback >> (positive or negative). Also, if you have any suggestions let me know - >> preferably using the OpenVPN mailinglists. You can also talk to me >> ("mattock") in the OpenVPN IRC channel during daytime (in EET/EEST >> timezone). >> >> Now onto more concrete topics... I'm currently looking into community >> projects around OpenVPN. I've so far found 14 different OpenVPN GUI >> projects and two forum/wiki projects. I've listed them here: >> >> http://users.utu.fi/sjsepp/openvpn_community_projects.html >> >> Do you know of other OpenVPN-related projects? >> > > Samuli: > > I see you have WiKID Systems listed. Thanks! > > Here's a link for a WiKID/OpenVPN tutorial: > http://www.wikidsystems.net/support/wikid-support-center/how-to/using-wikid-strong-authentication-with-openvpn/ > > We also have a how-to for ssl-explorer back from before the > Adito/OpenVPN-ALS fork. > http://www.wikidsystems.net/support/wikid-support-center/how-to/how-to-secure-an-ssl-vpn-with-one-time-passcodes-and-mutual-authentication/. > I haven't had time to update that, though it is on the to-do. This > setup takes advantage of WiKID's mutual https authentication to > validate the SSL cert for the user, providing protection against > network-based MITM attacks. > > In the long run, I'd be interested in a direct WiKID/OpenVPN-ALS > plugin and to perhaps a combined WiKID token/openvpn client. > > Great work! > > Nick > Hi Nick, Just drop a mail to openvpn-als-devel if you want to start developing an OpenVPN ALS WikID plugin: https://lists.sourceforge.net/mailman/listinfo/openvpn-als-devel You can also visit our IRC channel (#adito) at freenode.net. As ALS has RADIUS support (like SSL-E), binding WikiD and ALS should be no problem. -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc