IrcMeetings: irclog_2024-02-21.txt

 
 <lev__> hello
 <lev__> I suggest to have a video call do discuss vulnerability report
 <cron2> *burp* sorry for being lagte
 <MaxF> hello
 <mattock2> hi
 <uddr35> aloha
 <MaxF> I saw the report on signal, we can do a video call but it sounds like you have a conclusion already
 <djpig> hello
 <Giaan> hi
 <cron2> I have a conclusion, Arne disagrees, and not sure what Lev is thinking :-)
 <lev__> this plugin issue is not Windows specific
 <MaxF> wait there's also something about tap-windows6 in the pdf?
 <lev__> so I don't think it requires a Windows-specific solution
 <lev__> yes
 <lev__> interestingly it is marked as "important" but plugin issues are "critical"
 <ordex> hi!
 <djpig> so I would say if you don't want to discuss it here, don't discuss it here
 <djpig> Anyone has any topics for this meeting?
 * djpig has changed the topic to: https://community.openvpn.net/openvpn/wiki/Topics-2024-02-21
 <cron2> lev__: the plugin issue effectively is, since on linux, openvpn2 needs to be started with root privs, so you're f*cked anyway
 <cron2> "be aware what you are doing as root", unlike windows where we tell users "this runs with no privileges, nothing bad will happen"...
 <lev__> I have this vulnerability report as a topic but I dont want to discuss it here
 <cron2> so, where do we meet?
 <lev__> sent link to signal
 <cron2> okay
 <cron2> when?  right after irc meeting?
 <plaisthos> I need 3-4 minutes to join if it is right now
 <djpig> Okay, let's go through the topics of last week whether any need updates
 <djpig> Pending Buildbot PRs: License change and Smoketest mechanism were merged
 <lev__> okay lets do IRC first
 <djpig> only pending one is now https://github.com/OpenVPN/openvpn-buildbot/pull/31, i.e. filter builds by files changed
 <djpig> mattock2: any questions we should discuss about #31?
 <djpig> okay, mattock2 doesn't react
 <djpig> my understanding of the state is that we he and I can agree on a regex now, need to test whether this works correctly with Gerrit, and need to decide whether this is a changeFilter or fileIsImportant filter
 <cron2> sounds good to me...
 <djpig> I think mattock2 said he wanted to try to set up a gerrit test instance. If that turns out too much work we might need to test in production...
 <djpig> the changeFilter vs fileIsImportant is mostly a display difference, so I think we can just go with whatever mattock2 proposes and change it later if we feel the need
 <mattock2> hmm
 <cron2> and there he comes :-)
 <cron2> is this a gerrit thing or a buildbot thing?
 <djpig> uddr35 proposed to do additional filters for gerrit but I would say that should happen in a separate PR afterwards
 <mattock2> +1 to change it later if needed 
 <uddr35> @djpig @mattock2 it also possible to test this on production gerrit with fake-ovpn repo there and staging builbot
 <uddr35> and sure I dont mind to have them in a separate PR
 <djpig> mattock2: anything more to add for this topic?
 <mattock2> I would like to avoid setting up additional gerrits just for this purpoae
 <djpig> mattock2: okay, that is fine with me. I didn't think it realistic to be honest
 <djpig> mattock2: so if you could do the additional changes to the regex I requested we could roll out your branch on staging and start testing it
 <mattock2> I have other stuff in the works, but maybe after that a personal (or staging) gerrit would make sense
 <mattock2> e.g. to test notifactions etc
 <djpig> okay
 <djpig> Other topic: Server-side testing: cron2 proposed to do the meeting next Tuesday at 14:00
 <djpig> mattock2: would that work for you?
 <djpig> ordex and I already said it would work for us
 <ordex> yeah
 <mattock2> I did an aptly poc and it was quite straightforward (related to publishing deb snapshots)
 <mattock2> that time should be fine, yes 
 <mattock2> CET 14:00?
 <ordex> yap
 <cron2> urope/Berlin, whatever that is in 3-letters today
 <djpig> Okay, next topic: Easy-RSA
 <djpig> no feedback on Forum but I hear there was ample feedback on -user mailing list?
 <ordex> more than one person already reported using easy-rsa on windows
 <cron2> 3 replies, 2 of them using easy-rsa on windows for production rollouts
 <ordex> but most usage is "we use easy-rsa on windows for admin purposes, regardless of openvpn"
 <cron2> integrated in their workflows
 <ordex> that ^
 <ordex> so providing an alternative way to install easy-rsa will work for them
 <djpig> okay, so one way or another we will should prepare a replacement for the 10 year old executables we bundle with it right now...
 <cron2> +1
 <ordex> seems so
 <cron2> so... who?
 <lev__> who's responsibility will be to provide busybox.exe? Are we taking the binary from a trusted source our integrate  the building into our machinery
 <ordex> can't we just depend on something else that the user needs to install?
 <ordex> isn't WSL something that can be installed on its own?
 <lev__> we could just drop windows part and tell users to use WSL
 <djpig> if you guys say WSL you mean WSL 1 or 2?
 <lev__> both work for easyrsa
 <d12fk> not sure it is the experience the average Windows user is looking for
 <cron2> yeah, but that would mean a significant change for those users, not "just run windows things" but "make sure your automatization works in WSL"
 <lev__> but average windows user won't use easyrsa
 <d12fk> still you force windows users to become linux users
 <cron2> sure, but those who say "we have integrated this in our deployment workflows" do, and they will be hit if you change it to WSL now
 <lev__> true
 <d12fk> and have them find out where the files are and such
 <djpig> hmm, either way I would say any big changes to the Windows installer will be more a 2.7 thing I would say.
 <lev__> if we dont want to break their workflow we have to go with busybox way
 <d12fk> what is the sh.exe used for in the first place?
 * becm has quit (Quit: becm)
 <djpig> easy-rsa is just a big shell script basically
 <djpig> so you need a shell to run it
 <lev__> something ecrist committed several years ago
 <d12fk> ah, so shortcut for windows support
 <djpig> d12fk: yes
 * becm (~Thunderbi@rtr.astos.de) has joined
 <lev__> there are many executables
 <lev__> but all could be replaced with a single busybox.exe
 <lev__> so we could take it from https://frippery.org/busybox/ for example
 <vpnHelper> Title: busybox-w32 (at frippery.org)
 <lev__> this won't require major changes to the installer
 <djpig> right. If someone (e.g. wiscii) does the verification that it works I'm happy to do the changes to windows installer build to integrate the change
 <lev__> and for 2.7 we could consider having easyrsa on windows as a separate package
 <djpig> yeah, agreed. unbundling seems like a good idea. But requires much more work
 <ordex> is that a trusted source? or are we opening to supply chain attacks?
 <ordex> otherwise we could build it ourselves with mingw?
 <lev__> "This version of BusyBox implements well over a hundred Unix-style commands." we need a very few  
 <ordex> by compiling it by ourselves we can probably select what we need
 <ordex> is that much of a hassle?
 <plaisthos> do we really care about that?
 <djpig> I don't think we care, no
 <plaisthos> it is only 600kB anyway
 <djpig> reconfiguring your busybox is something for small routers, not Windows PCs
 <cron2> it's more a question "how many symlinks do you create"
 <djpig> right. And we have a list for that with the current executables
 <plaisthos> or you use busybox commands x y z iirc
 <djpig> plaisthos: but that would require patching the whole script.
 <ordex> ok
 <ordex> still we need to be sure about the source
 <ordex> if the guy decides to sneak in a rootkit we're in trouble
 <ordex> (unless this flippery thing is trusted enough - I have no clue)
 <djpig> right, we will look into it
 <lev__> webpage looks trustworthy :)
 <djpig> lol
 <djpig> definitely will take a look at the source code and try to build for myself
 <djpig> let's see where go from there
 <djpig> we*
 <ordex> k
 <djpig> anyway, I think the topic is discussed enough for today. Any other topics
 <djpig> ?
 <ordex> we had the "donation" topic pending
 <ordex> we can postpone to next week though - nothing exciting to say for now
 <ordex> or you want to here where we are?
 <ordex> *hear
 <lev__> still no money?
 <ordex> :D
 <djpig> okay, then I think this went long enough. Probably better to get started with the security discussion
 <ordex> yap
 <ordex> sounds good to me
 <djpig> I will try to write meeting minutes and send out the summary
 <ordex> I'll add the donation thing to the next agenda
 <djpig> k
 <cron2> I
 <cron2> I'm in jitsi, waiting for the moderator...
 <plaisthos> lev__: you wanted this, now join!
 <cron2> d12fk silenced me!
 <cron2> ... but that is all I see?!
 <cron2> leave, join, hooray