= Basic info =

* Time: Wednesday 26 July 2023 at 13:00 CET (12:00 UTC)
* Place: #openvpn-meeting channel on !LiberaChat IRC network

= Topics =

== Current topics ==

* **an issue was brought up on security list by Mathy**\\''this was discussed internally\\at the moment it is not yet clear if this really is a CVE reportable issue\\we do see that there are issues here that need to be addressed so we acknowledge it and commit to implementing mitigations''
* **security assessment topic that dazo wanted to bring up**\\''TOB-OVPN-14, NTLM issues in some buffer length checks\\an audit will be done on code fixes for software assessment and this is the most relevant one requiring code changes that is left\\conclusion is that we will document that if challenge is too short we will fill remaining bytes with zero bytes from buf2''
* **how to handle coverity scans/results by djpig**\\''the idea was to use the company coverity code scanner but there may be licensing issues\\also it turns out there is a free version (Travis CI) that we used in the past but stopped working\\we should instead focus on getting that free service working again.''
* **2.6.6 release plans**\\''moved from last week of July to tentatively first week of August\\there's not all that much new to release yet but we could do the cmake backport in this release''
* **Hackathon arrangements**\\''See https://community.openvpn.net/openvpn/wiki/Hackathon2023''
* **Teach someone other than djpig to do releases**\\''uddr and djpig will work together so they can share the responsibility/knowledge of openvpn2 releases.\\likewise dazo and djpig will share knowledge about copr/fedora releases.\\**update:** dazo sort of back from vacation''
* **License amendment for OpenVPN2 to solve openssl/mbedtls licensing issues**\\''we have a deadline on August 1st\\**update**: 2 additional people reached successfully\\others could not be reached.''
* **Static-key mini how-to is outdated.**\\''This page is badly outdated: https://openvpn.net/community-resources/static-key-mini-howto/ \\company will send this to tech writer to redo based on https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/example-fingerprint.rst info\\and also retain a link to that github doc.''
* **Website release process woes**\\''website team is working on migrating community downloads content to new cms system.''

== Topics on standby ==

* **OpenVPN 2.6 performance results.**\\''tests should cover: gre, ipsec, userland, dco\\linux, freebsd, windows\\requires time to be dedicated to doing this\\when time available will do it''
* **What's going on with new taskbar icons?**\\''matt provided icons in https://github.com/OpenVPN/openvpn-gui/issues/595\\**update:** will be picked up by selva when he has time''
* **security@openvpn.net mailing list**\\''company is trying to get to soc2 compliance.\\probably will need a simple nda to be signed by recipients of emails to security@openvpn.net\\company guy took standard nda we use for contractors, suggests to use that.\\novaflash thinks we should review that first to see if it's really suitable or not, community members are not contractors after all.''
* **Another key signing topic**\\''company switched EV code signing to cloudhsm, this is same cert type we use for driver signing, is also suitable for binary signing.\\in future we could possibly switch community to that same key. saves having to maintain 2 different keys.\\depends on how hard/easy it is to access company key signing thingee from community infrastructure.\\also no high priority at the moment, we have a working solution now.''
* **SBOM topic**\\''cron2 was asked if openvpn has a software bill of materials. answer was no.\\coincidentally, in openvpn inc a security requirement is to have an SBOM so this is on our list of things to do\\when we pick up this task we can coordinate on it.''
* **Forums machine on community infrastructure is only non-Linux system.**\\''mattock made a new forums system that runs on rocky linux 8 as agreed with ecrist.\\ecrist has looked at it but the current state of the migration is unknown.''
* **Management interface documentation on main website will be updated with info from doc/management-notes.txt**\\''novaflash will pick this up at some point''
* **https://openvpn.net/community-resources/openvpn-quickstart/ will be updated from /doc/man-sections/example-fingerprint.rst information.**\\''Static-key will be deprecated and contents updated with peer-fingerprint stuff.\\novaflash will pick this up again as time permits and other more important topics are done.''
* **Security assessment of OpenVPN2 codebase.**\\''company agreed to publish. novaflash to push this to marketing for a release on site.''