
Bug#1033006: unblock: openvpn/2.6.1-1 (preapproval)



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please give permission to upload OpenVPN 2.6.1-1 to unstable and let
it migrate to testing (currently in experimental as 2.6.1-1~exp1).

[ Reason ]
Upstream has released the first minor release in the 2.6.x series.
It is primarily a bugfix release but has one new security feature.

https://github.com/OpenVPN/openvpn/blob/v2.6.1/Changes.rst

| Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically
| create a tls-crypt key that is used for renegotiation. This ensures that only
| the previously authenticated peer can trigger renegotiation and complete
| renegotiations.

I am afraid that this might be CVE material down the road and would
be more invasive to backport during a stable release than adding it now.

There is another release slated for next week that will overhaul the
kernel interface to the optional DCO (data channel offload) kernel
module. I have asked upstream to make 2.6.2 as small as possible
compared to 2.6.1, so we can review 2.6.2 and the new DCO module
in time.

There have been no changes in the debian/ packaging.

[ Impact ]
Missing out on this release would make us miss all the small bugfixes and
make reviewing the DCO change a lot harder.

[ Tests ]
Upstream has a very thorough patch review process and CI pipeline.
2.6.1-1~exp1 (but compiled on bullseye) has been running on my employer's
eduVPN server serving thousands of university students.

[ Risks ]
The code change is not trivial but manageable.

https://github.com/OpenVPN/openvpn/compare/v2.6.0...v2.6.1

About half of the changes affect only Windows or FreeBSD.

I'm not smart enough to understand anything about the one
new feature, but it has been extensively documented and
tested by upstream.

https://github.com/OpenVPN/openvpn/commit/202a934fc32673ef865b5cbcb23ad6057ceb2e0b

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [ ] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in testing

I've omitted the debdiff because there have not been any changes
apart from the new upstream version, which is a lot more readable
as a list of commits on github than with a plain debdiff.

If you want me to attach a debdiff feel free to tell me.

[ Other info ]
The upcoming DCO change will involve a new version of src:openvpn and a new version
of src:openvpn-dco-dkms. The list of changes on the kernel side is already visible
on https://github.com/OpenVPN/ovpn-dco/commits/master .

In the past we managed to break DCO on the above-mentioned really heavily loaded
OpenVPN server within a few hours. The new version is a major overhaul and more
in line with code upstreamable in Linux, and did survive torture tests.

I know this is kind of late, but I think it would be better to include it as well
as soon as it is released because

- we cannot support the old deprecated module
- openvpn uses DCO (of the right version) automatically and will transparently
  fall back to non-DCO mode if the module is not found (or the wrong version)
- it has not been in Bullseye previously, so if we see that DCO is too unstable
  with the new version we can just drop it before the release

unblock openvpn/2.6.1-1
