hello
I suggest to have a video call to discuss vulnerability report
*burp*
sorry for being late
hello
hi
aloha
I saw the report on signal, we can do a video call but it sounds like you have a conclusion already
hello
hi
I have a conclusion, Arne disagrees, and not sure what Lev is thinking :-)
this plugin issue is not Windows specific
wait there's also something about tap-windows6 in the pdf?
so I don't think it requires a Windows-specific solution
yes
interestingly it is marked as "important" but plugin issues are "critical"
hi!
so I would say if you don't want to discuss it here, don't discuss it here
Anyone has any topics for this meeting?
* djpig has changed the topic to: https://community.openvpn.net/openvpn/wiki/Topics-2024-02-21
lev__: the plugin issue effectively is, since on linux, openvpn2 needs to be started with root privs, so you're f*cked anyway
"be aware what you are doing as root", unlike windows where we tell users "this runs with no privileges, nothing bad will happen"...
I have this vulnerability report as a topic but I don't want to discuss it here
so, where do we meet?
sent link to signal
okay
when? right after irc meeting?
I need 3-4 minutes to join if it is right now
Okay, let's go through the topics of last week whether any need updates
Pending Buildbot PRs: License change and Smoketest mechanism were merged
okay let's do IRC first
only pending one is now https://github.com/OpenVPN/openvpn-buildbot/pull/31, i.e. filter builds by files changed
mattock2: any questions we should discuss about #31?
okay, mattock2 doesn't react
my understanding of the state is that he and I can agree on a regex now, need to test whether this works correctly with Gerrit, and need to decide whether this is a changeFilter or fileIsImportant filter
sounds good to me...
I think mattock2 said he wanted to try to set up a gerrit test instance. If that turns out too much work we might need to test in production...
the changeFilter vs fileIsImportant is mostly a display difference, so I think we can just go with whatever mattock2 proposes and change it later if we feel the need
hmm
and there he comes :-)
is this a gerrit thing or a buildbot thing?
uddr35 proposed to do additional filters for gerrit but I would say that should happen in a separate PR afterwards
+1 to change it later if needed
@djpig @mattock2 it is also possible to test this on production gerrit with fake-ovpn repo there and staging buildbot
and sure I don't mind to have them in a separate PR
mattock2: anything more to add for this topic?
I would like to avoid setting up additional gerrits just for this purpose
mattock2: okay, that is fine with me. I didn't think it realistic to be honest
mattock2: so if you could do the additional changes to the regex I requested we could roll out your branch on staging and start testing it
I have other stuff in the works, but maybe after that a personal (or staging) gerrit would make sense
e.g. to test notifications etc
okay
Other topic: Server-side testing: cron2 proposed to do the meeting next Tuesday at 14:00
mattock2: would that work for you? ordex and I already said it would work for us
yeah
I did an aptly poc and it was quite straightforward (related to publishing deb snapshots)
that time should be fine, yes
CET 14:00?
yap
Europe/Berlin, whatever that is in 3-letters today
Okay, next topic: Easy-RSA
no feedback on Forum but I hear there was ample feedback on -user mailing list?
more than one person already reported using easy-rsa on windows
3 replies, 2 of them using easy-rsa on windows for production rollouts
but most usage is "we use easy-rsa on windows for admin purposes, regardless of openvpn"
integrated in their workflows
that ^
so providing an alternative way to install easy-rsa will work for them
okay, so one way or another we should prepare a replacement for the 10 year old executables we bundle with it right now...
+1
seems so
so... who?
whose responsibility will it be to provide busybox.exe?
Are we taking the binary from a trusted source or integrate the building into our machinery
can't we just depend on something else that the user needs to install?
isn't WSL something that can be installed on its own?
we could just drop windows part and tell users to use WSL
if you guys say WSL you mean WSL 1 or 2?
both work for easyrsa
not sure it is the experience the average Windows user is looking for
yeah, but that would mean a significant change for those users, not "just run windows things" but "make sure your automatization works in WSL"
but average windows user won't use easyrsa
still you force windows users to become linux users
sure, but those who say "we have integrated this in our deployment workflows" do, and they will be hit if you change it to WSL now
true
and have them find out where the files are and such
hmm, either way I would say any big changes to the Windows installer will be more a 2.7 thing I would say.
if we don't want to break their workflow we have to go with busybox way
what is the sh.exe used for in the first place?
* becm has quit (Quit: becm)
easy-rsa is just a big shell script basically
so you need a shell to run it
something ecrist committed several years ago
ah, so shortcut for windows support
d12fk: yes
* becm (~Thunderbi@rtr.astos.de) has joined
there are many executables but all could be replaced with a single busybox.exe
so we could take it from https://frippery.org/busybox/ for example
Title: busybox-w32 (at frippery.org)
this won't require major changes to the installer
right. If someone (e.g. wiscii) does the verification that it works I'm happy to do the changes to windows installer build to integrate the change
and for 2.7 we could consider having easyrsa on windows as a separate package
yeah, agreed. unbundling seems like a good idea. But requires much more work
is that a trusted source? or are we opening to supply chain attacks?
otherwise we could build it ourselves with mingw?
"This version of BusyBox implements well over a hundred Unix-style commands." we need a very few
by compiling it by ourselves we can probably select what we need
is that much of a hassle?
do we really care about that?
I don't think we care, no
it is only 600kB anyway
reconfiguring your busybox is something for small routers, not Windows PCs
it's more a question "how many symlinks do you create"
right. And we have a list for that with the current executables
or you use busybox commands x y z iirc
plaisthos: but that would require patching the whole script.
ok
still we need to be sure about the source
if the guy decides to sneak in a rootkit we're in trouble
(unless this flippery thing is trusted enough - I have no clue)
right, we will look into it
webpage looks trustworthy :)
lol
definitely will take a look at the source code and try to build for myself
let's see where go from there
we*
k
anyway, I think the topic is discussed enough for today. Any other topics ?
we had the "donation" topic pending
we can postpone to next week though - nothing exciting to say for now
or you want to here where we are?
*hear
still no money? :D
okay, then I think this went long enough. Probably better to get started with the security discussion
yap
sounds good to me
I will try to write meeting minutes and send out the summary
I'll add the donation thing to the next agenda
k
I
I'm in jitsi, waiting for the moderator...
lev__: you wanted this, now join!
d12fk silenced me!
... but that is all I see?!
leave, join, hooray