wiki:Topics-2024-01-24

Basic info

  • Time: Wednesday 24 January 2024 at 13:00 CEST (11:00 UTC)
  • Place: #openvpn-meeting channel on LiberaChat IRC network

Topics

Current topics

  • Closed: License amendment for OpenVPN2 to solve openssl/mbedtls licensing issues
    All work on this is now completed.
  • New: security mailing list procedure can stand improvement
    To be discussed in more detail later.
  • Updated: tasks related to build processes (Mattock)
    • Buildbot can now skip builds for changes that touch only irrelevant files (https://github.com/OpenVPN/openvpn-buildbot/pull/31)
      • Which file and/or directory changes should trigger the buildbot builds?
      • Do we want the skipped builds to show up on the build state page? Or to be (almost) completely invisible to buildbot?
      • We do not have answers right now to these questions but the fact that we can now skip irrelevant things is great.
    • Extending the above: Have different Builders and build steps for different types of files
      • We can have more than one Scheduler per project (e.g. openvpn)
      • Each Scheduler can have different Change Filters, selecting the changes that are relevant for that type of build
      • Each Scheduler links to a set of Builders
      • Each Builder runs different commands on the Worker (e.g. "autoreconf -vi && ./configure ..." or "do-something-else")
      • Example Schedulers:
        • openvpn-default Scheduler (=what we have now) would:
          • Trigger normal builds on all builders
          • No build would be triggered on documentation changes
        • openvpn-rst Scheduler would:
          • Trigger RST sanity check on one builder when .rst file changes

  • Updated: OpenVPN 2.6.9 release
    A small security issue has been reported in the OpenVPN for Windows installer.
    Once this is resolved we can make the 2.6.9 release.
    lev, selva, and d12fk are looking into this at the moment.
    dazo will work with lev to arrange a CVE report.
  • Updated: forums topics
    There has been a lot of spam. An antispam module had expired. We fixed that, but there is still the occasional bit of spam.
    ecrist looked into setting up a new forum and discovered that migrating data is not possible.
    The suggested approach is to run old and new side by side and let people finish discussions on the old forums while the new one is up. Then, after some time, make the old forum read-only.
    Regarding Cloudflare: it is currently not enabled on the forums, but we will enable it at some point on the new VM.
  • packet header order
    plaisthos wanted to get consensus/decision on whether we do that as part of the rekeying improvements.
    Generally in favor of adding a new negotiable packet format, so long as plaisthos and syzzer are in agreement.
    Currently this is still in progress/discussion.

  • status of trac/wiki
    ordex wanted to discuss state of trac/wiki. Do we move to something else? Do we update existing?
    mattock has been volunteered to look into alternatives.
    It must be open source. Self-hosted or hosted open-source both fine.
    There is no hard requirement for LDAP capability.
    Should have access controls so only approved members can edit.
  • status of community LDAP sign-in solution
    We use it currently for forums, wiki, gerrit, patchwork. We are seriously considering getting rid of it.
    The reality is that 99.99% of forums users do not interact with the other tools.
    And that the small group of contributors to wiki and gerrit does not justify the need for an LDAP sign-in solution.
    So we're inclined to disconnect from LDAP. For the forums we already intend to do that now.
    No final decision reached at this time. Considering our options.
  • TLS 1.0 PRF problem
    Patches for this have been created and are in review, but have not made it in yet.
  • community funding
    ordex has an initiative he wants to bring up regarding dev resources to be added to community.
    This may tie into the donations topic.
    In short ordex convinced OTF (Open Tech Fund) to provide a "test FOSS funding scheme" to OpenVPN.
    This would, for example, make it possible to pay for allocated hours for mattock and cron2 to work on OpenVPN community tasks.
    This is to be worked out more and in collaboration between OpenVPN Community, OpenVPN Inc., and OTF.
  • Donations for OpenVPN community
    There is currently no place to donate money to the community, and we do want to allow that.
    We need to figure out how to deal with that legally, and what payment methods to accept and how.
    Plastic money is probably a must. Maybe PayPal as well. Bitcoin seems to encounter some resistance in the discussions.
    We definitely do not want the donation thing to be forced - have a mechanism to do it, but keep it out of the way.
    Random things yelled out (to investigate): legal entity? stripe? paypal? plastic-money? open collective? github sponsors? linux foundation? sf conservancy?
    ordex suggested that he will take a look in January to figure out what legalities etc. are involved in getting a legal entity for the OpenVPN community.
  • Website release process woes
    Website team continues to report that they are on the verge of launching the new stuff.
    But there is a release freeze planned for the last weeks of December, so we may not actually get it this year.
  • OpenVPN community meetup 2024
    Naming: We decided to rename from 'Hackathon' to 'OpenVPN community meetup'. This has a more open spirit to it, as we want to encourage developers and those interested in contributing to feel welcome.
    Where: Karlsruhe, Germany. It is a relatively central location in Europe and is fairly easily reachable by train. A meeting location is yet to be arranged.
    When: At the moment tentatively set to 20-22 September 2024.
    Who: We'll do an open invitation to openvpn-devel mailing list, but also CC: specifically past attendees and people of interest.
    Shirts: There is plenty of time still to prepare a shirt design.
  • OpenVPN 2.6 performance results.
    Tests should cover: GRE, IPsec, userland, DCO
    Linux, FreeBSD, Windows
    Requires time to be dedicated to doing this.
    Will be done when time is available.
  • security@… mailing list
    Company is trying to get to SOC 2 compliance.
    Recipients of emails to security@… will probably need to sign a simple NDA.
    Company guy took the standard NDA we use for contractors and suggests using that.
    novaflash thinks we should review that first to see if it's really suitable or not; community members are not contractors after all.
  • Another key signing topic
    Company switched EV code signing to CloudHSM. This is the same cert type we use for driver signing and is also suitable for binary signing.
    In future we could possibly switch community to that same key. That saves having to maintain 2 different keys.
    Depends on how hard/easy it is to access the company key signing thingee from community infrastructure.
    Also not a high priority at the moment; we have a working solution now.
  • SBOM topic
    cron2 was asked if OpenVPN has a software bill of materials. The answer was no.
    Coincidentally, at OpenVPN Inc. a security requirement is to have an SBOM, so this is on our list of things to do.
    When we pick up this task we can coordinate on it.
  • Management interface documentation on main website will be updated with info from doc/management-notes.txt
    novaflash will pick this up at some point
Last modified on 01/24/24 12:28:00