Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-22 Thread David Sommerseth

On 22/02/12 17:46, David Sommerseth wrote:
> On 22/02/12 17:13, Alon Bar-Lev wrote:
>> Dear project managers. I need a decision regarding the minimum 
>> supported openssl.
> 
> I'd say we support these libraries and tools as the oldest supported:
> 
>> =autoconf-2.59 =automake-1.9 =libtool-1.5.22 =lzo-2.02
>> =openssl-0.9.8 =pkcs11-helper-1.07

(Thank you Thunderbird for screwing up my mail!)

Hopefully this passes through without any issues

 * >=autoconf-2.59
 * >=automake-1.9
 * >=libtool-1.5.22
 * >=lzo-2.02
 * >=openssl-0.9.8
 * >=pkcs11-helper-1.07

> This covers RHEL5 environments easily.
> 
> James: RHEL4 support officially ends in 6 days from Red Hat.  I'm
> here proposing to kill RHEL4 support, and have RHEL5 support as the
> minimum. If people want to be stuck on RHEL4, they're stuck with
> OpenVPN 2.2 and older.
> 
> I would even say that if nobody rejects this idea within the next 72 
> hours, then it is decided.  If James can reply and give it an ACK, it 
> will be valid instantly.
> 
> Is that fine with everyone?


kind regards,

David Sommerseth



Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-22 Thread David Sommerseth

On 22/02/12 17:13, Alon Bar-Lev wrote:
> Dear project managers. I need a decision regarding the minimum
> supported openssl.

I'd say we support these libraries and tools as the oldest supported:

> =autoconf-2.59 =automake-1.9 =libtool-1.5.22 =lzo-2.02 =openssl-0.9.8 
> =pkcs11-helper-1.07

This covers RHEL5 environments easily.

James: RHEL4 support officially ends in 6 days from Red Hat.  I'm here
proposing to kill RHEL4 support, and have RHEL5 support as the minimum.
If people want to be stuck on RHEL4, they're stuck with OpenVPN 2.2 and
older.

I would even say that if nobody rejects this idea within the next 72
hours, then it is decided.  If James can reply and give it an ACK, it
will be valid instantly.

Is that fine with everyone?


kind regards,

David Sommerseth



Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-22 Thread Alon Bar-Lev
Dear project managers.
I need a decision regarding the minimum supported openssl.



Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-21 Thread Gert Doering
Hi,

On Tue, Feb 21, 2012 at 09:20:50PM +0200, Samuli Seppänen wrote:
> Also, ecrist publishes source tarballs every couple of weeks already...
> couldn't these old autotools users use those and still get fairly
> recent OpenVPN versions on their boxes?

Exactly.

You need autotools if you want to build "directly from git", and the
group of people that a) use git versions, b) use ancient operating 
systems (that *do* have tun/tap), and c) can't find a more recent
system to run "autoreconf" for them should be really small...

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-21 Thread Gert Doering
Hi,

On Tue, Feb 21, 2012 at 04:56:37PM +0100, David Sommerseth wrote:
> There might be similar restrictions related to autoconf/automake tools
> too.  As James has some automation for the Access Server builds for those
> supported platforms, we must be sure we don't break that for him.  From
> what I see, on a recent 5.7 box ...
[..]
> Otherwise, I presume most of the *BSD versions have more recent versions.

As Alon has already pointed out, to compile the tarball, you don't
need to have the autotools installed - and "configure" will work even on
older systems.

On the *BSD buildslaves, we can install whatever we need (and their
autotools versions are coming from ports/pkgsrc, and that's up-to-date 
anyway :-) ).

Now we just need to see whether this causes problems for James' build
environment.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-21 Thread Gert Doering
Hi,

On Tue, Feb 21, 2012 at 05:15:22PM +0200, Alon Bar-Lev wrote:
> OpenVPN supports minimum openssl version of 0.9.6, while this version
> is unsupported by upstream and probably a security risk.
> 
> What would be a suitable minimum version to support?
> 
> I think that 0.9.8 is the one.

FreeBSD 7.3 has 0.9.8e, and that's the oldest version supported by
the FreeBSD security team.  So if anyone wants to run OpenVPN on an
older version of FreeBSD, they need to use the ports version of 
openssl - but that's their decision to not upgrade.

I'm not exactly sure at which point NetBSD and OpenBSD moved to 0.9.8,
but I'm fairly sure that dropping support for anything older than
that is OK for these platforms as well (and if needed, the pkgsrc
version of openssl can be used).

So "+1" on that one.

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-21 Thread Alon Bar-Lev
2012/2/21 Samuli Seppänen :
> I would be inclined to focus on cutting down complexity as much as
> possible. I think the best way to gauge real need for old autotools is
> to scrap support for it. We can always fix things afterwards, if
> necessary. I can ask James' opinion if he does not step in soonish.

Never mind.
I've updated build to support >=autoconf-2.59, >=automake-1.9, >=libtool-1.5.22
I hope it won't get more complex than this.
Please try it[1] out.

But you must promise me that formal tarballs will be released using
>=autoconf-2.65, >=automake-1.11, >=libtool-2.4.

Why? So people won't be required to autoreconf if they like to do cross compile.

Alon.

[1] https://github.com/alonbl/openvpn/downloads



Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-21 Thread Samuli Seppänen

> On Tue, Feb 21, 2012 at 7:51 PM, David Sommerseth
>  wrote:
>>> No there is none. Unlike other dependencies autotools dependencies are
>>> of development machine. You should create tarball on newer machine
>>> then compile it on the target platform. Target platform may not have
>>> autotools installed at all.
>>>
>>> The new build system will support >=autoconf-2.60, automake>=1.10,
>>> libtool>=2.2
>> That is not how James does his builds, from what I've understood.  He
>> does builds in his own compile farm straight from source repositories.
>> James might just as well pop up NACKing things if these changes break
>> his tool chain.  To put it simply: We are not allowed to break his
>> environments.
>>> Again, from experience generating tarball using these versions tends
>>> to work well on very old platforms.
>> That's good, which can solve RHEL4 issues in a nice way.  But I expect
>> James to do plenty of RHEL5 builds in the future, so there is no way we
>> are allowed to break this.
> I guess we should ask James.
> Adding him (at least his old address).
>
> Hello James,
>
> Can you please share your build environment so I know the impact?
> In all my build environments I check out the source at central build station,
> autoreconf, configure, make dist and then ssh the tarballs to targets
> for building.
> What exactly is your process?
>
> Supporting old autotools results in ugly hard to maintain implementations.
> More productive is to help fixing the build environment.
>
I don't think build farmers like Alon, James or me will suffer much from
having to split the build into two parts like this. The real impact will
be felt by casual builders using old operating systems. I think the
questions are:

- How often do people build OpenVPN themselves? [1]
- How old is new enough?
- Do other projects also require fairly recent autotools, i.e. how
  likely is it to see new autotools installed on old operating systems?
- How much simpler will the buildsystem be by not having to support old
  autotools versions?

I would be inclined to focus on cutting down complexity as much as
possible. I think the best way to gauge real need for old autotools is
to scrap support for it. We can always fix things afterwards, if
necessary. I can ask James' opinion if he does not step in soonish.

Also, ecrist publishes source tarballs every couple of weeks already...
couldn't these old autotools users use those and still get fairly
recent OpenVPN versions on their boxes?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


[1] Last time I checked the ratio of source downloads to Windows
installer downloads was around 1:10.



Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-21 Thread Alon Bar-Lev
On Tue, Feb 21, 2012 at 7:51 PM, David Sommerseth
 wrote:
>> No there is none. Unlike other dependencies autotools dependencies are
>> of development machine. You should create tarball on newer machine
>> then compile it on the target platform. Target platform may not have
>> autotools installed at all.
>>
>> The new build system will support >=autoconf-2.60, automake>=1.10,
>> libtool>=2.2
>
> That is not how James does his builds, from what I've understood.  He
> does builds in his own compile farm straight from source repositories.
> James might just as well pop up NACKing things if these changes break
> his tool chain.  To put it simply: We are not allowed to break his
> environments.

>
>> Again, from experience generating tarball using these versions tends
>> to work well on very old platforms.
>
> That's good, which can solve RHEL4 issues in a nice way.  But I expect
> James to do plenty of RHEL5 builds in the future, so there is no way we
> are allowed to break this.

I guess we should ask James.
Adding him (at least his old address).

Hello James,

Can you please share your build environment so I know the impact?
In all my build environments I check out the source at central build station,
autoreconf, configure, make dist and then ssh the tarballs to targets
for building.
What exactly is your process?

Supporting old autotools results in ugly hard to maintain implementations.
More productive is to help fixing the build environment.

>
> On the RHEL5.7 base, libtool-1.5.22 is the base version.

This is supported but none for Windows... I think it is sufficient.

Alon.



Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-21 Thread David Sommerseth

On 21/02/12 17:12, Alon Bar-Lev wrote:
> On Tue, Feb 21, 2012 at 5:56 PM, David Sommerseth 
>  wrote:
>> There might be similar restrictions related to autoconf/automake
>> tools too.  As James has some automation for the Access Server
>> builds for those supported platforms, we must be sure we don't break
>> that for him.  From what I see, on a recent 5.7 box ...
> 
> No there is none. Unlike other dependencies autotools dependencies are
> of development machine. You should create tarball on newer machine
> then compile it on the target platform. Target platform may not have
> autotools installed at all.
> 
> The new build system will support >=autoconf-2.60, automake>=1.10,
> libtool>=2.2

That is not how James does his builds, from what I've understood.  He
does builds in his own compile farm straight from source repositories.
James might just as well pop up NACKing things if these changes break
his tool chain.  To put it simply: We are not allowed to break his
environments.

On the RHEL5.7 base, libtool-1.5.22 is the base version.

> Again, from experience generating tarball using these versions tends 
> to work well on very old platforms.

That's good, which can solve RHEL4 issues in a nice way.  But I expect
James to do plenty of RHEL5 builds in the future, so there is no way we
are allowed to break this.


kind regards,

David Sommerseth



Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-21 Thread Alon Bar-Lev
On Tue, Feb 21, 2012 at 5:56 PM, David Sommerseth
 wrote:
> There might be similar restrictions related to autoconf/automake tools
> too.  As James has some automation for the Access Server builds for those
> supported platforms, we must be sure we don't break that for him.  From
> what I see, on a recent 5.7 box ...

No there is none.
Unlike other dependencies autotools dependencies are of development machine.
You should create tarball on newer machine then compile it on the
target platform.
Target platform may not have autotools installed at all.

The new build system will support >=autoconf-2.60, automake>=1.10, libtool>=2.2

Again, from experience generating tarball using these versions tends
to work well
on very old platforms.

Alon.



Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-21 Thread David Sommerseth

On 21/02/12 16:15, Alon Bar-Lev wrote:
> Hello,
> 
> OpenVPN supports minimum openssl version of 0.9.6, while this version 
> is unsupported by upstream and probably a security risk.
> 
> What would be a suitable minimum version to support?
> 
> I think that 0.9.8 is the one.
> 

Agreed.

The oldest Linux release James has been concerned about has been RHEL4.
That version ships an openssl based on 0.9.7a.  However, RHEL4 is
reaching EOL by the end of this month [1].  So I'd say RHEL5 should be
the natural oldest release to care about, which ships 0.9.8e.

Beware that even though those version numbers are looking old, there are
a lot of backports from newer versions.  The version number provided here
is the "base version" where fixes are applied on-top.

There might be similar restrictions related to autoconf/automake tools
too.  As James has some automation for the Access Server builds for those
supported platforms, we must be sure we don't break that for him.  From
what I see, on a recent 5.7 box ...

automake-1.9.6-2.3.el5
autoconf-2.59-12

We should probably try to get some RHEL5 based build slaves running too.
 We have CentOS6 which should be good enough for the RHEL6 base.

Otherwise, I presume most of the *BSD versions have more recent versions.


kind regards,

David Sommerseth



[1] 

(Side note:  RHEL4 does have an extended life cycle for customers who
really cannot upgrade yet.  In my point of view, this makes no sense to
support for OpenVPN, as those users will most likely never touch OpenVPN
related stuff which is not shipped by Red Hat.  Thus, if some customers
want a newer OpenVPN and are willing to pay for it, Red Hat will have to
solve this issue for RHEL4 explicitly.  This is an add-on mostly for
bigger enterprises which are willing to pay for such support ... and if
not, there's always the possibility to do a 'make dist' from the git tree on
a supported box and copy the tarball to the RHEL4 box)



Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-21 Thread g . esp


- Original Message -
> From: "Alon Bar-Lev" 
> To: "openvpn-devel@lists.sourceforge.net" 
> Sent: Tuesday 21 February 2012 16:15:22
> Subject: [Openvpn-devel] [RFC] openssl minimum supported version
>
> Hello,
>
> OpenVPN supports minimum openssl version of 0.9.6, while this version
> is unsupported by upstream and probably a security risk.
>
> What would be a suitable minimum version to support?
>
> I think that 0.9.8 is the one.
>
> Regards,
> Alon.
>

I confirm that openssl no longer maintains the 0.9.7 version.
RHEL-4 will reach end-of-life support at the end of February and uses 0.9.7.
So supporting 0.9.8 as the last version makes sense.

Gilles



Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-21 Thread Jan Just Keijser
Alon Bar-Lev wrote:
> Hello,
>
> OpenVPN supports minimum openssl version of 0.9.6, while this version
> is unsupported by upstream and probably a security risk.
>
> What would be a suitable minimum version to support?
>
> I think that 0.9.8 is the one.
>   

EL5 and most SuSE distros still use 0.9.8, so I think that is probably
the right minimum version.

JJK
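
The 0.9.8 floor discussed in this thread, written as a check on the pre-3.0 `OPENSSL_VERSION_NUMBER` encoding. This is an added example, not code from OpenVPN or from any poster; the helper names (`ossl_decode`, `ossl_format`, `ossl_meets_minimum`) are hypothetical and the sample values are constructed encodings of the versions named above.

```c
#include <stdio.h>

/* Pre-3.0 OpenSSL packs its version into one number, 0xMNNFFPPS:
 * M major, NN minor, FF fix, PP patch letter (a = 1), S status (0xf = release). */
#define MIN_OPENSSL 0x00908000UL /* the 0.9.8 floor proposed in the thread */

struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Render e.g. "0.9.8e". Only patch letters a..z are rendered; patch 0
 * (or anything above 26) is printed without a letter. */
static const char *ossl_format(unsigned long v, char *buf, size_t len)
{
    struct ossl_ver r = ossl_decode(v);
    if (r.patch >= 1 && r.patch <= 26)
        snprintf(buf, len, "%u.%u.%u%c", r.major, r.minor, r.fix,
                 (char)('a' + r.patch - 1));
    else
        snprintf(buf, len, "%u.%u.%u", r.major, r.minor, r.fix);
    return buf;
}

/* Gate on the base version only. As the thread notes, a distribution's
 * 0.9.8e may carry backported fixes, so this says which API generation is
 * present, not which security fixes are. The compile-time form is
 * "#if OPENSSL_VERSION_NUMBER < 0x00908000L" followed by "#error". */
static int ossl_meets_minimum(unsigned long v)
{
    return (v & ~0xfUL) >= (MIN_OPENSSL & ~0xfUL);
}

int main(void)
{
    /* Constructed sample values: encodings of versions named in the thread. */
    unsigned long samples[] = { 0x0090600fUL, 0x0090701fUL, 0x0090805fUL };
    char buf[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %s\n", ossl_format(samples[i], buf, sizeof buf),
               ossl_meets_minimum(samples[i]) ? "ok" : "below minimum");
    return 0;
}
```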