
Bug#1033006: unblock: openvpn/2.6.1-1 (preapproval)


Bernhard Schmidt

Mar 15, 2023, 12:10:04 PM
Package: release.debian.org
Severity: normal
User: release.d...@packages.debian.org
Usertags: unblock

Please give permission to upload OpenVPN 2.6.1-1 to unstable and let
it migrate to testing (currently in experimental as 2.6.1-1~exp1).

[ Reason ]
Upstream has released the first minor release in the 2.6.x series.
It is primarily a bugfix release but has one new security feature.

https://github.com/OpenVPN/openvpn/blob/v2.6.1/Changes.rst

| Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically
| create a tls-crypt key that is used for renegotiation. This ensures that only
| the previously authenticated peer can trigger renegotiation and complete
| renegotiations.

I am afraid that this might be CVE material down the road and would
be more invasive to backport during a stable release than adding it now.

There is another release slated for next week that will overhaul the
kernel interface to the optional DCO (data channel offload) kernel
module. I have asked upstream to make 2.6.2 as small as possible
compared to 2.6.1, so we can review 2.6.2 and the new DCO module
in time.

There have been no changes in the debian/ packaging.

[ Impact ]
Missing out on this release would make us miss all the small bugfixes and
make reviewing the DCO change a lot harder.

[ Tests ]
Upstream has a very thorough patch review process and CI pipeline.
2.6.1-1~exp1 (but compiled on bullseye) has been running on my employer's
eduVPN server serving thousands of university students.

[ Risks ]
The code change is not trivial but manageable.

https://github.com/OpenVPN/openvpn/compare/v2.6.0...v2.6.1

About half of the changes affect only Windows or FreeBSD.

I'm not smart enough to understand anything about the one
new feature, but it has been extensively documented and
tested by upstream.

https://github.com/OpenVPN/openvpn/commit/202a934fc32673ef865b5cbcb23ad6057ceb2e0b

[ Checklist ]
[x] all changes are documented in the d/changelog
[ ] I reviewed all changes and I approve them
[ ] attach debdiff against the package in testing

I've omitted the debdiff because there have not been any changes
apart from the new upstream version, which is a lot more readable
as a list of commits on GitHub than with a plain debdiff.

If you want me to attach a debdiff feel free to tell me.

[ Other info ]
The upcoming DCO change will involve a new version of src:openvpn and a new version
of src:openvpn-dco-dkms. The list of changes on the kernel side is already visible
on https://github.com/OpenVPN/ovpn-dco/commits/master .

In the past we managed to break DCO on the above-mentioned really heavily loaded
OpenVPN server within a few hours. The new version is a major overhaul and more
in line with code upstreamable in Linux, and did survive torture tests.

I know this is kind of late, but I think it would be better to include it as well
as soon as it is released because

- we cannot support the old deprecated module
- openvpn uses DCO (of the right version) automatically and will transparently
fall-back to non-DCO mode if the module is not found (or the wrong version)
- it has not been in Bullseye previously, so if we see that DCO is too unstable
with the new version we can just drop it before the release

unblock openvpn/2.6.1-1

Bernhard Schmidt

Mar 24, 2023, 7:00:04 PM
On 15/03/23 04:57 PM, Bernhard Schmidt wrote:

Hi,

> The upcoming DCO change will involve a new version of src:openvpn and a new version
> of src:openvpn-dco-dkms. The list of changes on the kernel side is already visible
> on https://github.com/OpenVPN/ovpn-dco/commits/master .
>
> In the past we managed to break DCO on above mentioned really heavily loaded
> OpenVPN server within a few hours. The new version is a major overhaul and more
> in-line with code upstreamable in Linux, and did survive torture tests.
>
> I know this is kind of late, but I think it would be better to include it as well
> as soon as it is released because
>
> - we cannot support the old deprecated module
> - openvpn uses DCO (of the right version) automatically and will transparently
> fall-back to non-DCO mode if the module is not found (or the wrong version)
> - it has not been in Bullseye previously, so if we see that DCO is too unstable
> with the new version we can just drop it before the release

So, the release of 2.6.2 with the new DCO module has been done
yesterday, fixing a number of bugs already present in 2.6.0.

https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst

---
New control packets flow for data channel offloading on Linux. 2.6.2+
changes the way OpenVPN control packets are handled on Linux when DCO is
active, fixing the lockups observed with 2.6.0/2.6.1 under high client
connect/disconnect activity. This is an INCOMPATIBLE change and
therefore an ovpn-dco kernel module older than v0.2.20230323 (commit ID
726fdfe0fa21) will not work anymore and must be upgraded. The kernel
module was renamed to "ovpn-dco-v2.ko" in order to highlight this change
and ensure that users and userspace software could easily understand
which version is loaded. Attempting to use the old ovpn-dco with 2.6.2+
will lead to disabling DCO at runtime.
---

So I need some guidance from the release team how to proceed. I can
think of

- abandoning all of this, leading to a bookworm release using a buggy
OpenVPN version with a DCO kernel interface that no one else uses
- update experimental to 2.6.2 and the new DCO module, then ask for
approval for upload to unstable (2.6.1+2.6.2) in one go
- upload 2.6.2 and the new DCO module to unstable right away
- upload 2.6.1 from experimental to unstable, then stage 2.6.2 and the
new DCO in experimental for the second review round

I would prefer the last option.

Bernhard

Sebastian Ramacher

Mar 25, 2023, 5:30:03 PM
Control: tags -1 moreinfo
Let's go ahead with the last option. Please let us know once openvpn
2.6.1 is in unstable.

Cheers
--
Sebastian Ramacher

Bernhard Schmidt

Mar 26, 2023, 3:33:59 PM
On 25/03/23 10:17 PM, Sebastian Ramacher wrote:

> > - upload 2.6.1 from experimental to unstable, then stage 2.6.2 and the
> > new DCO in experimental for the second review round
> >
> > I would prefer the last option.
>
> Let's go ahead with the last option. Please let us know once openvpn
> 2.6.1 is in unstable.

src:openvpn 2.6.1-1 is in unstable. I have cherry-picked the three most
important fixes from 2.6.2 as well (one crash, one memory leak and one
stall due to a blocking socket).

I have also uploaded src:openvpn 2.6.2-1~exp1 and src:openvpn-dco-dkms
0.0+git20230324-1~exp1 to experimental. Those are the versions I'd like
to end up in bookworm.

I have filed an internal change to get 2.6.2+dcov2 installed on our eduVPN
node next week.

Bernhard