-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pre-built binary for openvpn3 client for the new stable release of Debian (version 12 codename bookworm) #193
Comments
I contacted support about this and they told me it's planned for the v21 release. I would love to have a timeline for when this will be available if possible. |
This is not a promise. But I do hope I can manage to have a v21 release out by end of August/early September. This will definitely include Debian 12 builds. It is holiday season now, so not much will happen in July. |
Hey @dsommers do you have an update on the release timeline? This would be a lifesaver. |
The v21 release has been delayed due to work related to solve #171 as well as some issues reported in the Core library by our internal QA. Hopefully a v21 for stable distribution releases (aka LTS distros, Debian, Ubuntu LTS, RHEL/CentOS) will be ready for internal QA within 2 weeks. Since #171 has now been taken out of the v21 release, I'm already wrapping up the last outstanding issues to get a proper build and packaging done. Once QA has approved the release, it will be shipped. The v21 release will ship with an updated OpenVPN 3 Core library, which is currently going through QA now. Even though issues found by QA in this library has so far had a very small impact on OpenVPN 3 Linux (it is also used in OpenVPN Connect), there are a still a few potential issues which might affect this project as well. |
@dsommers any further work on v21? I can muddle through with old openvpn2 client, but the v3 would be great to be able to use. |
@Drizzt321 The v21 is going through QA these days. If all goes well, end of the month is the main goal for the final release. I'm pushing out fixes needed for this release in the releaseprep/v21 branch. |
@mschlachter @jim-barber-he @samiramer @Drizzt321 I've attached here the latest QA build for Debian 12. Feel free to test it if you want. Any feedback would be valuable. openvpn3_0-20230919git6361bd5-1+bookworm_amd64.deb.gz Since GitHub is picky about such attachments, you need to
|
@mleeman is also preparing a regular/official Debian package at: |
Dang, busted :-P I've added some comments in the ticket, the highlights are:
These should work for amd64/bookworm or newer; I have a compilation issue with bullseye that I need to figure out (not much of a C++ expert, got stuck at C/glib myself).
i386 compilation is also failing, didn't look into that one either. Just checkout Feel free to comment, review |
@mleeman That's really cool you're looking into this! In regards to i386 ... There are some issues on some of the C++ templates converting between C++ data types to D-Bus data types which is not really happy on 32-bit platforms. Since the wast majority of users are on 64-bit platforms, this has not been a high priority to resolve. The documentation need to be updated also, the minimum C++ standard now will be C++17; this is due to the OpenVPN 3 Core library moved to that a while back. Further, the glib2 refactoring for #171 will also require C++17. In regards to source code, we will always publish source code as tarballs as well; which includes everything needed to build with If you want, I can provide a similar development source tarball for the binary posted a bit earlier today. Please reach out to me if you see any changes on our end to make the packaging better and/or smoother. Ideally we should not need to ship our own builds as a third-party repos. And this goes both for potential packaging efforts of the OpenVPN 3 Core library as well as the OpenVPN 3 Linux project. In regards to packaging, lintian will complain about D-Bus policies being too broad. I discussed a missing feature with the upstream "dbus-daemon" developers some years ago, and got acceptance for the |
To me, it does not really matter; packaging follows (as much as possible) upstream. I have mirrored the packaging structure on the git repo; so if you tag your release in github, I can fetch the tarball from there.
If you prefer to have full/integrated tarballs that you release on your website, I can change the watch files to match. I have indeed added a number of lintian-overrides (needs to be reviewed over time), but we have a working solution atm. As for patches, I'll send the ones that are valuable to the mailing list once the dust settles. |
FYI, there is some low hanging fruit (spelling errors) that got picked up by the debian tooling https://mentors.debian.net/package/openvpn3-linux/
and
|
|
@mleeman Two quick patches fixing the openvpn3-linux typ0s ...
These are queued up for the coming v21 release. |
fine with me, I will adjust the client to use your published snapshots. Is there a page where the index can be queried of the releases, any other URL but the openvpn maintainers use this page:
But openvpn3 is not listed there.
|
@mleeman Good point on the publicity aspects of new releases. We will look into how to do that better. Perhaps a quick solution for now would be to have use this file I just now pushed out: https://swupdate.openvpn.net/community/releases/openvpn3-linux.latest If you want a different layout here, we can probably script that a bit better. The version scheme is also fairly simple. I'm going to use three "release categories":
Stable releases will be the only releases which might have a minor version, like
This In a Debian and Ubuntu LTS context, I think it would be best stay on the Let me know what you think about this. |
Let me know what you prefer and I'll reset my salsa branches to your to the release tarball instead of the one generated from github. |
Regarding 1), that sounds like the best approach to me too; I generally would like package maintainers to add as few additional patches as possible - get them upstream first. (I'm also a Fedora package maintainer, so I have some packaging experience as well) We are aligned on the "stable" versions in Debian, so nothing more to discuss there. Packaging names ... okay, so this is "complicated". But it is related to some project names:
Currently the
The intension behind these package names is that
If we would package the OpenVPN 3 Core library, that should be named The reason the Debian packaging does not have such splits as the Fedora is that I heard from a Debian maintainer many years ago that Debian generally prefers to avoid sub-packages and only use them when strictly needed. In the Fedora land, sub-packages are more often used to split out functionality which does not need to be installed to have something working. The But you are of course free to do package this project in Debian as you see fit best with the Debian packaging guidelines. |
Debian packaging (in general) does tend to use smaller sub packages. What I would propose is to:
This way, the packaging names match to some extent the ones you defined for rpm packaging. As the need arises and if it is useful, I can split off components into different packages. At the moment, I would focus on getting How does this sound? |
That sounds great! Currently the packages (and docs) in our provided releases uses the Perhaps we should move our (OpenVPN Inc provided) packaging to also use the |
In openvpn2 we use the official Debian/Ubuntu packages as base and update from that as needed for the Community releases. Once there is official Debian packaging for openvpn3 we should probably go to a similar model. |
I have an initial version, most of the code could be re-used
One lintian error popped up that will probably require me to re-package the code:
Another one I need to look into, seems to be some data that is used during a test
|
We need to come up with a solution for that license issue in the OpenVPN 3 Core library. It's essentially a public domain license, which shouldn't really be a problem - but legalese is always annoying. that Both of these issues are coming from the OpenVPN 3 Core library. |
I am searching a bit and have found e.g.
it seems to be the same source and llvm is in
while the header file says (copy):
The file in
Maybe there has been an update since the 2001-2004 version that is in the core lib? Another reference: |
Good find! Thanks a lot for your research! Will dig into this and find a better licensed version. This is anyhow something needed to be tackled in the openvpn3 repository and will need to come in the next OpenVPN 3 Core release before pulling it into this (openvpn3-linux) project. |
A bit unrelated: |
took some time to get feedback on Debian, I am now processing it. |
I have to remove the unicode-impl.hpp because of the copyright, by pulling and adjusting the one from llvm this seem tackled. That one has a more recent copyright and should not be a problem for DFSG |
@mleeman May I know the status of the package? It seems to me the original upstream tarball contains the non-DFSG code and you provided a DFSG-free replacement as a Debian package patch. So that it's still blocks your package to upload into Debian. Please correct me if I'm wrong. |
As far as I know, the package can be uploaded to Debian, I don't think anything should block the upload. The DFSG patch was from another package that is free (in essence, a newer licence header). The only thing I need, is a sponsor; I have some ppl I could ask, but I preferred 'to follow the process' over calling in some favour. There was someone from OpenVPN that said he'd sponsor, but haven't heard from him after I asked. I've uploaded it twice already to mentors, but it gets stuck there. |
The package will be reject directly from NEW if the original upstream tarball contains any non DFSG code. Please upstream your DFSG-free patch instead. And then roll a git release tarball or wait for a new upstream release for the Debian package upload.
I am surely can find you sponsor once you solved all the issues in the package. The upstream tarball should no contains any non-DFSG license. And fixed all the issue that lintian detected on mentors:
And I also highly recommend to use the source package name matches with upstream tarball unless it has been taken by another package in Debian. This helps you to keep your |
It's been a couple months since I worked on it, but AFAIK
It's true, I decided to keep on referencing the single and validated source release of upstream and leave the bundling to them. This is also the reason why I have not split it off at the moment: the library is only used by a single application (i.e.. openvpn3-client). Picking openvpn3-client as a package is IMHO future proof and avoids creating transitional packages and reflects the reality better: contrary to openvpn2, openvpn3 only has a client component at the moment. |
Just beware that this is a bit "complicated". Upstream projects:
Package names used in the OpenVPN Inc provided packages:
In the future, when efforts to provide an OpenVPN 3 based server implementation happens, that is expected to end up in an This was discussed with @mleeman a while back, and he decided to put most of this into the I won't object to to the Debian packaging policies, I'm sure they have valid reasons for their decisions and if Debian wants more into each package, sure, that's fine. But documentation wise, it would be good if the "client functionality" would be placed in the |
Good to know.
Please temporary provide a lintian-override with the reason for
Please update your patches in DEP-3 format with proper tags and address the reason to have these patches and link with open issue addressed in upstream. [skip..]
Thank you for explain this. Now I understood why it's named BTW, does any reason that the package sets Architecture: Please fix or override lintian errors that detected in your latest upload on mentors and provide |
Yes, there has been some challenges compiling it successfully on 32-bit CPU architectures. There are some challenges with the C++ templates ending up with the wrong and conflicting data types; iirc it was related to 32-bit vs 64-bit This might change with the v22_dev work, where there is a brand new D-Bus integration where some if this code is changed and done a bit differently. But I'm not ready yet to lift the 32-bit exclusion. It needs to be thoroughly tested. |
In that case, we can specific more 64-bit architectures that Debian 13 will supported, eg:
|
I did a test build locally with arm64 and that one seems to compile, we just assume that that the architectures above work too and let the debian builders veirfy them (takes me the better part of an hour to verify a architecture with muti-arch/pdebuild)/cowbuilder. |
The Fedora Copr builds we already do a similar set of architectures as @alee-ntap suggests. They all build fine, but I don't know if anyone uses it on those. We do have reports though that the arm64 works on the 64-bit capable RPi. |
I already tested it works in an arm64 VM. Let's get all the lintian error fixed and upload into Debian. Would you prefer to use mentors or just your package git repo on salsa for reviews? |
I don't mind where the reviews are as long I as I pick them up, but a detailed Debian specific review might be better off on salsa. I uploaded a new copy, the watch warning is still there (even with the |
I would recommend to keep |
I either based my work on openvpn2 packaging or used work from @dsommers , I don't remember. In any case, I'll enable the unit testing (2 tests I see) and remove the unused variable.
The test-progs we leave out? |
It's better to have the review on your git repo on salsa then. :D
I think so. Unless it would be useful to provide in separate binary package eg: |
There might be one or two programs here which might be handy in really low level debugging. But if you need this kind of debugging, then you most likely are already deep into the code itself - so you have these tools easily available in a local build. Most of these programs are more to test various internal APIs and was more useful in the early days of the implementation before all the APIs had settled. If any of these tests programs are useful for general testing, I tend to convert them into a unit-tests instead. I would just leave them aside for now. In regards to the unit-test being disabled; yeah, we might have disabled that in the OpenVPN Inc packaging, as some of these tests depends on D-Bus and some systemd capabilities being available and functional. We do these builds inside docker containers where that is not the case, so the unit test would fail due to infrastructure issues. These tests are run elsewhere in our build infrastructure, as well as I'm running them regularly during development. |
@mleeman Great! You have mostly fixed all the issue that lintien detects. \o/ I found more than one Authors in the Here are an example package that also And I highly recommend to use |
I think this can be drop as Debhelper compatibility level 13 already handles that. |
Thanks for the review @alee-ntap , very much appreciated. The licence is something that I need to get a hang of, the debian/* part was removed because someone else suggested me that it was not needed if I kept the debian/* directory under the same licence as upstream.
The only thing that would warrant a difference here is the dates because the upstream code was released in 2023, while we are still working on the rest. In I am certain a lot of ppl have worked on the openvpn3 code itself; but shouldn't that be covered by the over arching copyright when released by upstream: if they state AGPL and covered with their company; does packaging need to provide more information, by extracting the authors from git? The licensecheck is a nice tool, and I see indeed that some copyrights are missing in debian/copyright (.e.g autotools/generated files). Again, do we need to provide the licence information that is part of upstream (and in this case, generated files)? I cannot imagine that this package is the only one that would sin against this. |
Right, so keep it as same as the example package will helps. :)
Correct, as the ftp-master will check to ensure the copyright is completely listed and without any non-DFSG code and binary file. Or your package will get rejected. That will takes more time to get another sponsor upload.
All the packages in Debian are required to list complete copyright due to Debian policy. And I found file in the I can easily find some examples on
Hope that helpful. |
Back to the drawing board, some more work:
|
Why is AGPL not suitable for non-network code? Sure the difference between AGPL and GPL only affects code that uses network but that does not make AGPL3 unsuitable for other code. |
@schwabe TBH, I do not know. One thing I've learnt when packaging this package; every different DD will give you different answers, especially for this software that has so many contribution from different corners. I think, in this particular case, is to change the licence of the debian directory. I have had a quick look and some other remarks are more technical so I can start working on those. |
It might be quiet about the topic of getting it in Debian, but sometimes I have to find some time to make the changes (or understand them) and getting things moving within Debian is another matter too; it just takes more time than anticipated. I cannot remember that this was the case years ago... |
@mleeman to be honest that debian directory cannot be AGPL3 if the whole project is AGPL3 sounds ridicioulous and probalby been said by someone with little experience/knowledge in liceses. That would like saying, you have to put man pages under a different license in GPL projects since GPL has section about code and libraries and man pages are only text. |
FYI: There are some minor spelling errors that lintian picked up: |
The latest Debian stable release came out on the 10th of June 2023.
Currently there is no pre-built openvpn3 Debian package built for the
bookworm
distribution.This is a request for adding a new package to support this since the other .deb packages have dependencies on packages that are too old.
The text was updated successfully, but these errors were encountered: