2 | <lev__> hello |
---|
3 | <lev__> I suggest to have a video call to discuss vulnerability report |
---|
4 | <cron2> *burp* sorry for being late |
---|
5 | <MaxF> hello |
---|
6 | <mattock2> hi |
---|
7 | <uddr35> aloha |
---|
8 | <MaxF> I saw the report on signal, we can do a video call but it sounds like you have a conclusion already |
---|
9 | <djpig> hello |
---|
10 | <Giaan> hi |
---|
11 | <cron2> I have a conclusion, Arne disagrees, and not sure what Lev is thinking :-) |
---|
12 | <lev__> this plugin issue is not Windows specific |
---|
13 | <MaxF> wait there's also something about tap-windows6 in the pdf? |
---|
14 | <lev__> so I don't think it requires a Windows-specific solution |
---|
15 | <lev__> yes |
---|
16 | <lev__> interestingly it is marked as "important" but plugin issues are "critical" |
---|
17 | <ordex> hi! |
---|
18 | <djpig> so I would say if you don't want to discuss it here, don't discuss it here |
---|
19 | <djpig> Anyone has any topics for this meeting? |
---|
20 | * djpig has changed the topic to: https://community.openvpn.net/openvpn/wiki/Topics-2024-02-21 |
---|
21 | <cron2> lev__: the plugin issue effectively is, since on linux, openvpn2 needs to be started with root privs, so you're f*cked anyway |
---|
22 | <cron2> "be aware what you are doing as root", unlike windows where we tell users "this runs with no privileges, nothing bad will happen"... |
---|
23 | <lev__> I have this vulnerability report as a topic but I don't want to discuss it here |
---|
24 | <cron2> so, where do we meet? |
---|
25 | <lev__> sent link to signal |
---|
26 | <cron2> okay |
---|
27 | <cron2> when? right after irc meeting? |
---|
28 | <plaisthos> I need 3-4 minutes to join if it is right now |
---|
29 | <djpig> Okay, let's go through the topics of last week whether any need updates |
---|
30 | <djpig> Pending Buildbot PRs: License change and Smoketest mechanism were merged |
---|
31 | <lev__> okay let's do IRC first |
---|
32 | <djpig> only pending one is now https://github.com/OpenVPN/openvpn-buildbot/pull/31, i.e. filter builds by files changed |
---|
33 | <djpig> mattock2: any questions we should discuss about #31? |
---|
34 | <djpig> okay, mattock2 doesn't react |
---|
35 | <djpig> my understanding of the state is that he and I can agree on a regex now, need to test whether this works correctly with Gerrit, and need to decide whether this is a changeFilter or fileIsImportant filter |
---|
36 | <cron2> sounds good to me... |
---|
37 | <djpig> I think mattock2 said he wanted to try to set up a gerrit test instance. If that turns out too much work we might need to test in production... |
---|
38 | <djpig> the changeFilter vs fileIsImportant is mostly a display difference, so I think we can just go with whatever mattock2 proposes and change it later if we feel the need |
---|
39 | <mattock2> hmm |
---|
40 | <cron2> and there he comes :-) |
---|
41 | <cron2> is this a gerrit thing or a buildbot thing? |
---|
42 | <djpig> uddr35 proposed to do additional filters for gerrit but I would say that should happen in a separate PR afterwards |
---|
43 | <mattock2> +1 to change it later if needed |
---|
44 | <uddr35> @djpig @mattock2 it is also possible to test this on production gerrit with fake-ovpn repo there and staging buildbot |
---|
45 | <uddr35> and sure I don't mind to have them in a separate PR |
---|
46 | <djpig> mattock2: anything more to add for this topic? |
---|
47 | <mattock2> I would like to avoid setting up additional gerrits just for this purpose |
---|
48 | <djpig> mattock2: okay, that is fine with me. I didn't think it realistic to be honest |
---|
49 | <djpig> mattock2: so if you could do the additional changes to the regex I requested we could roll out your branch on staging and start testing it |
---|
50 | <mattock2> I have other stuff in the works, but maybe after that a personal (or staging) gerrit would make sense |
---|
51 | <mattock2> e.g. to test notifications etc |
---|
52 | <djpig> okay |
---|
53 | <djpig> Other topic: Server-side testing: cron2 proposed to do the meeting next Tuesday at 14:00 |
---|
54 | <djpig> mattock2: would that work for you? |
---|
55 | <djpig> ordex and I already said it would work for us |
---|
56 | <ordex> yeah |
---|
57 | <mattock2> I did an aptly poc and it was quite straightforward (related to publishing deb snapshots) |
---|
58 | <mattock2> that time should be fine, yes |
---|
59 | <mattock2> CET 14:00? |
---|
60 | <ordex> yap |
---|
61 | <cron2> Europe/Berlin, whatever that is in 3-letters today |
---|
62 | <djpig> Okay, next topic: Easy-RSA |
---|
63 | <djpig> no feedback on Forum but I hear there was ample feedback on -user mailing list? |
---|
64 | <ordex> more than one person already reported using easy-rsa on windows |
---|
65 | <cron2> 3 replies, 2 of them using easy-rsa on windows for production rollouts |
---|
66 | <ordex> but most usage is "we use easy-rsa on windows for admin purposes, regardless of openvpn" |
---|
67 | <cron2> integrated in their workflows |
---|
68 | <ordex> that ^ |
---|
69 | <ordex> so providing an alternative way to install easy-rsa will work for them |
---|
70 | <djpig> okay, so one way or another we will should prepare a replacement for the 10 year old executables we bundle with it right now... |
---|
71 | <cron2> +1 |
---|
72 | <ordex> seems so |
---|
73 | <cron2> so... who? |
---|
74 | <lev__> whose responsibility will be to provide busybox.exe? Are we taking the binary from a trusted source or integrate the building into our machinery |
---|
75 | <ordex> can't we just depend on something else that the user needs to install? |
---|
76 | <ordex> isn't WSL something that can be installed on its own? |
---|
77 | <lev__> we could just drop windows part and tell users to use WSL |
---|
78 | <djpig> if you guys say WSL you mean WSL 1 or 2? |
---|
79 | <lev__> both work for easyrsa |
---|
80 | <d12fk> not sure it is the experience the average Windows user is looking for |
---|
81 | <cron2> yeah, but that would mean a significant change for those users, not "just run windows things" but "make sure your automatization works in WSL" |
---|
82 | <lev__> but average windows user won't use easyrsa |
---|
83 | <d12fk> still you force windows users to become linux users |
---|
84 | <cron2> sure, but those who say "we have integrated this in our deployment workflows" do, and they will be hit if you change it to WSL now |
---|
85 | <lev__> true |
---|
86 | <d12fk> and have them find out where the files are and such |
---|
87 | <djpig> hmm, either way I would say any big changes to the Windows installer will be more a 2.7 thing I would say. |
---|
88 | <lev__> if we don't want to break their workflow we have to go with busybox way |
---|
89 | <d12fk> what is the sh.exe used for in the first place? |
---|
90 | * becm has quit (Quit: becm) |
---|
91 | <djpig> easy-rsa is just a big shell script basically |
---|
92 | <djpig> so you need a shell to run it |
---|
93 | <lev__> something ecrist committed several years ago |
---|
94 | <d12fk> ah, so shortcut for windows support |
---|
95 | <djpig> d12fk: yes |
---|
96 | * becm (~Thunderbi@rtr.astos.de) has joined |
---|
97 | <lev__> there are many executables |
---|
98 | <lev__> but all could be replaced with a single busybox.exe |
---|
99 | <lev__> so we could take it from https://frippery.org/busybox/ for example |
---|
100 | <vpnHelper> Title: busybox-w32 (at frippery.org) |
---|
101 | <lev__> this won't require major changes to the installer |
---|
102 | <djpig> right. If someone (e.g. wiscii) does the verification that it works I'm happy to do the changes to windows installer build to integrate the change |
---|
103 | <lev__> and for 2.7 we could consider having easyrsa on windows as a separate package |
---|
104 | <djpig> yeah, agreed. unbundling seems like a good idea. But requires much more work |
---|
105 | <ordex> is that a trusted source? or are we opening to supply chain attacks? |
---|
106 | <ordex> otherwise we could build it ourselves with mingw? |
---|
107 | <lev__> "This version of BusyBox implements well over a hundred Unix-style commands." we need a very few |
---|
108 | <ordex> by compiling it by ourselves we can probably select what we need |
---|
109 | <ordex> is that much of a hassle? |
---|
110 | <plaisthos> do we really care about that? |
---|
111 | <djpig> I don't think we care, no |
---|
112 | <plaisthos> it is only 600kB anyway |
---|
113 | <djpig> reconfiguring your busybox is something for small routers, not Windows PCs |
---|
114 | <cron2> it's more a question "how many symlinks do you create" |
---|
115 | <djpig> right. And we have a list for that with the current executables |
---|
116 | <plaisthos> or you use busybox commands x y z iirc |
---|
117 | <djpig> plaisthos: but that would require patching the whole script. |
---|
118 | <ordex> ok |
---|
119 | <ordex> still we need to be sure about the source |
---|
120 | <ordex> if the guy decides to sneak in a rootkit we're in trouble |
---|
121 | <ordex> (unless this frippery thing is trusted enough - I have no clue) |
---|
122 | <djpig> right, we will look into it |
---|
123 | <lev__> webpage looks trustworthy :) |
---|
124 | <djpig> lol |
---|
125 | <djpig> definitely will take a look at the source code and try to build for myself |
---|
126 | <djpig> let's see where go from there |
---|
127 | <djpig> we* |
---|
128 | <ordex> k |
---|
129 | <djpig> anyway, I think the topic is discussed enough for today. Any other topics |
---|
130 | <djpig> ? |
---|
131 | <ordex> we had the "donation" topic pending |
---|
132 | <ordex> we can postpone to next week though - nothing exciting to say for now |
---|
133 | <ordex> or you want to here where we are? |
---|
134 | <ordex> *hear |
---|
135 | <lev__> still no money? |
---|
136 | <ordex> :D |
---|
137 | <djpig> okay, then I think this went long enough. Probably better to get started with the security discussion |
---|
138 | <ordex> yap |
---|
139 | <ordex> sounds good to me |
---|
140 | <djpig> I will try to write meeting minutes and send out the summary |
---|
141 | <ordex> I'll add the donation thing to the next agenda |
---|
142 | <djpig> k |
---|
143 | <cron2> I |
---|
144 | <cron2> I'm in jitsi, waiting for the moderator... |
---|
145 | <plaisthos> lev__: you wanted this, now join! |
---|
146 | <cron2> d12fk silenced me! |
---|
147 | <cron2> ... but that is all I see?! |
---|
148 | <cron2> leave, join, hooray |
---|