wiki:Topics-2023-09-06

Basic info

  • Time: Wednesday 6 September 2023 at 13:00 CEST (11:00 UTC)
  • Place: #openvpn-meeting channel on LiberaChat IRC network

Topics

Current topics

  • openvpn release process topics
    djpig explained release process to uddr. dazo explained copr release process to djpig. So progress on spreading release process knowledge around.
    when 2.6.7 goes out it will be done by uddr under supervision from djpig. that way we'll be sure we have a good backup.
    there was also the request in https://github.com/OpenVPN/openvpn/issues/397 to have releases on github as well. djpig seems to think it would be fairly doable to copy/paste that info to github as well.
  • Tunnelcrack published now https://tunnelcrack.mathyvanhoef.com
    we do see that there are issues here that need to be addressed, so we acknowledge it and commit to implementing mitigations
    we'll put together a draft here https://cryptpad.fr/pad/#/2/pad/edit/TWa9QJYxSQLjllhUfstlb13T/
    in the company there will also be discussions about possible mitigations. any mitigation plans can go into the draft, which will be published on the community side.
    company will then reference that document on main website and contribute/participate in making the mitigations happen.
  • security assessment review
    currently the fixes are being reviewed.
  • License amendment for OpenVPN2 to solve openssl/mbedtls licensing issues
    there are a total of 5 contributions that need to be reimplemented/removed to finalize the license change.
    1 item was reimplemented by plaisthos and merged already, so 4 remain
    one of them wanted
    one person asked if the old exception could be kept, for libressl; plaisthos asked for clarification. djpig volunteered to look at the original changes to describe them for people interested in reimplementing them. MaxF has volunteered to help with any mbedtls related required changes. dazo will speak to Pam to get her opinions on the contributions. plaisthos has volunteered to reimplement tls-export-cert.
  • how to handle coverity scans/results by djpig
    the idea was to use the company coverity code scanner but there may be licensing issues
    also it turns out there is a free version (Travis CI) that we used in the past but that stopped working
    we should instead focus on getting that free service working again.
    patch is available for GHA. Just needs to be merged to master.
  • Website release process woes
    website team is working on migrating community downloads content to new cms system.

Topics on standby

  • OpenVPN 2.6 performance results.
    tests should cover: gre, ipsec, userland, dco
    linux, freebsd, windows
    requires time to be dedicated to doing this
    when time available will do it
  • security@… mailing list
    company is trying to get to SOC 2 compliance.
    probably will need a simple NDA to be signed by recipients of emails to security@…
    company guy took the standard NDA we use for contractors, suggests using that.
    novaflash thinks we should review that first to see if it's really suitable or not; community members are not contractors after all.
  • Another key signing topic
    company switched EV code signing to cloudhsm, this is same cert type we use for driver signing, is also suitable for binary signing.
    in future we could possibly switch community to that same key. saves having to maintain 2 different keys.
    depends on how hard/easy it is to access company key signing thingee from community infrastructure.
    also not high priority at the moment, we have a working solution now.
  • SBOM topic
    cron2 was asked if openvpn has a software bill of materials. answer was no.
    coincidentally, in openvpn inc a security requirement is to have an SBOM so this is on our list of things to do
    when we pick up this task we can coordinate on it.
  • Forums machine on community infrastructure is the only non-Linux system.
    mattock made a new forums system that runs on rocky linux 8 as agreed with ecrist.
    ecrist has looked at it but the current state of the migration is unknown.
  • Management interface documentation on main website will be updated with info from doc/management-notes.txt
    novaflash will pick this up at some point
  • https://openvpn.net/community-resources/openvpn-quickstart/ will be updated from /doc/man-sections/example-fingerprint.rst information.
    Static-key will be deprecated and contents updated with peer-fingerprint stuff.
    novaflash will pick this up again as time permits and other more important topics are done.
  • Security assessment of OpenVPN2 codebase.
    company agreed to publish. novaflash to push this to marketing for a release on site.
Last modified on 09/06/23 10:31:04