Regarding chocolatey.org repository

[mattock]

Hi,

We at the OpenVPN project are going to start distributing our Windows installers using Chocolatey. The goal is to allow easy upgrades for users, as well as for our CI systems. The details are not set yet, so I'm contacting you before moving forward. For Debian/Ubuntu we have a fairly wide range of repositories (source):

• stable: stable releases only - no alphas, betas or RCs
• testing: latest releases, including alphas/betas/RCs
• release/2.3: OpenvPN 2.3 releases
• release/2.4: OpenVPN 2.4 releases, including alphas/betas/RCs

For Windows we're planning on having two repositories initially:

• stable: stable releases only - no alphas, betas or RCs
• snapshots: packages based on latest Git "master" code

It looks like your release strategy on chocolatey.org is very close to stable, and I don't think it makes sense for the OpenVPN project to create its own repository where it would distribute an openvpn package which is essentially identical to what you distribute on chocolatey.org.

So, would you be willing to co-operate with us on the stable OpenVPN Windows releases? Besides working together on code in this repository, I would like to see new, stable OpenVPN versions getting into chocolatey.org on the release day (if possible).

Thoughts?

[wget]

Hi @mattock

Thanks for your interest. Of course I'm willing to collaborate. I have just given to you the commit rights to this repository and to the OpenVPN space on Chocolatey.

I haven't recovered the access to the deprecated package called openvpn-community initially submitted by @Okhoshi. @Okhoshi Now it's time to put me as a maintainer :) That way I can give right to @mattock as well.

The way I work:

• I'm not using AU to autoupdate my packages yet. Because: it's written in PowerShell and I don't want to put a Windows VM just to monitor things and because I'm quite a Linux guy. I have just a bunch of Python scripts running on my Raspberry that monitors your download page for changes. I apply the changes and push things manually.
• The PowerShell code I wrote has the ability to check the GPG signatures and to reset the OpenVPN service to the state it was before the Choco package is being upgraded.

The OpenVPN package has been trusted by the Chocolatey team. I haven't tested it yet since the trust happened after the 2.4 release, but it simply means if the server checks succeed the package is published without any manual intervention from the chocolatey admins.

[mattock]

Does you Raspberry PI scripts monitor this file? That file gets (semi)automatically updated when I make a new release.

I skimmed through the files in this repository, and noticed the service state restore code you mentioned. It would probably be best if the openvpn.nsi script could restore the state instead, so that even manual installs would get the benefit. I'll check if that is doable early next week.

Am I correct in assuming that during upgrades, Chocolatey installs OpenVPN on top of the old installation?

[wget]

@mattock Yes this is that file I'm monitoring. Each time a check is made, it checks in the small sqlite db I have the version previously stored. If it differs, I get a new mail and the new version is stored. Simple and stupid.

Yes, you're right. chocolatey does not remove the package during an update. It's installed on top.

Since you are at it, playing with the .NSI file. Could you renew the TrustedPublisher certificate for the TAP driver? The certificate is not longer valid (but, by default, Windows does not complain about it, although I'm not in a corporate environment).

[wget]

@mattock Also, I was wondering whether we should still use "Community" keyword in the nuspec title tag, since, any way, the other OpenVPN version (OpenVPN Access Server) have not been provided for Windows recently: couldn't find it on your website and the Windows VHD appliance does not resolve.

Btw, I added some pieces of information about the editions available on Wikipedia.

[Okhoshi]

@wget And it's finally done, I just added you as a maintainer of openvpn-community package.

Sorry it took so long, I'm quite busy these days :/

[mattock]

@Okhoshi thanks!

@wget afaics Access Server (AS) has never been available for Windows. It's our proprietary SMB server product which relies heavily on iptables for load balancing and such. AS is able to dynamically create client ("OpenVPN Connect") installers which include a client profile for connecting to that particular AS instance. Bundling OpenVPN Connect separately is not very useful, eve though it could be done. So yes, I think we can rename "OpenVPN Community" as "OpenVPN".

The TrustedPublisher certificate will need to be updated when I get to rebuilding tap-windows6 driver. We've had a new kernel-mode code signing certificate available for a while, but the actual tap-windows6 driver code changes quite rarely, so there has been no reason for a rebuild yet. The expired publisher certificate probably won't cause any issues as long as the drivers have timestamp signatures.

[mattock]

FYI: the GPG key used to sign the OpenVPN installers changed today.

[wget]

Need to fix this to make the openvpn package supported by the official core team packages.

[wget]

@mattock Hi there. Do you plan to make a new OpenVPN release before the end of the year (2017)? Just asking :)

[wget]

@mattock We are in 2021, do you still need testing builds with specific snapshots like you specified in your OP post? :)

If you are still intending to have this; don't hesitate to reopen. Closing for now :)