OpenVPN/Developer documentation

From Secure Computing Wiki
Revision as of 10:52, 19 February 2010 by Dazo (Talk | contribs) (Testing (Git) repository: Some more leading hints on basic git commands)



Most of the content here is the result of the weekly IRC discussions.

Development processes

General workflow

The basic development process we follow is outlined in this diagram. So, in a nutshell:

  • All patches must be sent to "openvpn-devel" mailing list for review. The subject should preferably be prefixed with [PATCH]
  • All patches need to be reviewed and accepted (ACK) by at least two developers to make sure they meet our quality criteria
  • All accepted patches go to the OpenVPN "testing" tree (Git) first
  • Code is moved to the OpenVPN "stable" tree (SVN) after initial testing
  • All official releases are based on the "stable" (SVN) tree and go through a feature freeze and a Beta/RC process

If someone already maintains their modifications in a git tree, that tree can be pulled as long as it does not cause any conflicts against the master/SVN development branch. However, the author must send a pull request to the devel mailing list, including a description of the changes in plain English. This opens the changes up to public discussion and allows the ACK process to work. Changes in git trees need to be ACKed as well, just like patches. Pull requests to the mailing list should preferably be prefixed with [GIT PULL].

NOTE: Patches or "git pull requests" sent directly to a development tree ("stable" or "testing") maintainer will be rejected. All patches and contents of git pull requests must be public and must be discussed in public.

Feature deprecation

The feature deprecation process described here serves two purposes:

  • Maintain backwards compatibility and minimize the impact of feature removal (for users)
  • Keep the codebase clean and understandable (for developers)

The initial process was drafted in the IRC meeting on 18th Feb 2010. Currently the process looks like this:

  1. Ask users if they are depending on a feature considered for deprecation (e.g. using the openvpn-users mailing list)
    • If users complain, discuss the issue and possible solutions with them
    • If there are no complaints, proceed to 2
  2. Add logging code to deprecated pieces of code that are thought to affect a lot of users. For example, make it output a warning to the logs (e.g. "WARNING: this feature is being deprecated and will be removed soon"). Keep the code enabled by default.
    • If users complain now, discuss the issue and possible solutions with them
    • If there are no complaints, proceed to 3
  3. Make the feature disabled by default, but allow enabling it at compile-time (use #ifdef's).
    • If users complain now, discuss the issue and possible solutions with them
    • If there are no complaints, proceed to 4
  4. Remove the feature entirely from the code
    • If users complain now, discuss the issue and possible solutions with them
    • If there are no complaints, proceed to 5
  5. Finished. The feature was not really important to anyone and is not cluttering the code anymore.

Each feature could be kept around in "deprecated" mode in the first stable release, disabled but available in the second and removed in the third release. This will give users plenty of time to react, depending on the release cycle.

Each feature deprecation / removal also needs to be documented visibly in the release notes of each stable release.
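Steps 2 to 4 of the process above, sketched in C as an added example (this is not OpenVPN code; the ENABLE_LEGACY_FOO switch and the option names are hypothetical). The same build switch carries the feature from "enabled with a warning" to "disabled unless requested at compile time", and a compiled-out option fails with an explanation rather than as an unknown option:

```c
#include <stdio.h>
#include <string.h>

/* ENABLE_LEGACY_FOO is a hypothetical build switch, not an OpenVPN macro.
 * Step 2: default 1 (feature works, logs a warning).
 * Step 3: change the default to 0; builders opt in with -DENABLE_LEGACY_FOO=1.
 * Step 4: delete the #if blocks and the legacy code with them. */
#ifndef ENABLE_LEGACY_FOO
#define ENABLE_LEGACY_FOO 1
#endif

enum opt_result { OPT_ACCEPTED, OPT_ACCEPTED_DEPRECATED, OPT_REJECTED };

static int warn_count = 0;   /* number of deprecation warnings emitted */

/* Parse one option name (constructed names: "new-foo", "legacy-foo"). */
enum opt_result handle_option(const char *name)
{
    if (strcmp(name, "new-foo") == 0)
        return OPT_ACCEPTED;

    if (strcmp(name, "legacy-foo") == 0) {
#if ENABLE_LEGACY_FOO
        /* Warn once per process so the log is not flooded. */
        if (warn_count == 0) {
            fprintf(stderr, "WARNING: --legacy-foo is being deprecated "
                            "and will be removed soon\n");
            warn_count++;
        }
        return OPT_ACCEPTED_DEPRECATED;
#else
        /* Compiled out: say why instead of reporting an unknown option. */
        fprintf(stderr, "ERROR: --legacy-foo was disabled at compile time; "
                        "rebuild with -DENABLE_LEGACY_FOO=1\n");
        return OPT_REJECTED;
#endif
    }

    fprintf(stderr, "ERROR: unknown option --%s\n", name);
    return OPT_REJECTED;
}

int main(void)
{
    const char *argv_sample[] = { "new-foo", "legacy-foo", "legacy-foo", "bogus" };
    for (size_t i = 0; i < sizeof argv_sample / sizeof argv_sample[0]; i++)
        printf("%s -> %d\n", argv_sample[i], handle_option(argv_sample[i]));
    return 0;
}
```

Building with -DENABLE_LEGACY_FOO=0 shows the step 3 behaviour without editing the source.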

Code quality

All patches need to meet certain generic quality criteria before being accepted:

  • All patches should be useful and beneficial for several OpenVPN users. This way we avoid spoiling the code base with features that are only requested for very special conditions.
  • All patches must explain, in plain English, why the patch should be included and how it solves the issue.
  • Everyone who has contributed to this patch should be mentioned, with at least a valid e-mail address, preferably with full name in addition. This is to give credit to contributors.
  • All patches must be against the SVN development branch or git master branch, at least until a feature branch is created.
  • The patch should apply cleanly, without merge conflicts.
  • All initial patches must be sent as unified diff (diff -u)
  • New features need to make use of #ifdef's so that they can be disabled at compile-time. This is to enable better support for embedded systems and to track which code belongs to which feature.
  • Patches need to respect our coding conventions to keep the codebase understandable and maintainable.

Coding conventions

This is work in progress, but will include things like

  • Code indenting
  • Scratch memory handling with "gc"

Code repositories

Old CVS repository

There is an old CVS repository hosted in This is not used for any development.

Stable (SVN) repository

The OpenVPN project makes use of two code repositories. The Stable SVN repository is maintained by James Yonan and hosted at Instructions for using it can be found here. Currently (Feb 2010) only James has write access to this repository, but anonymous read-only access is available.

Code from this repository should be used if stability is important for you, but the official releases are missing some essential piece of functionality.

Testing (Git) repository

The Testing repository is maintained by David Sommerseth and uses Git. This repository is hosted by under the OpenVPN project. The master branch in the git tree is based on the openvpn/branches/BETA21 SVN branch.

There are several branches in the Git tree, each of which tracks the different patches/contributions separately. There's also one branch that contains all the available patches:

    master       -- Should be identical to James' stable SVN development branch
    bugfix2.1    -- Contains only bugfixes for OpenVPN 2.1
    {featureX}   -- Contains only patches for feature X
    {featureY}   -- Contains only patches for feature Y
    {featureZ}   -- Contains only patches for feature Z
    allmerged    -- All branches above merged

This gives James a possibility to only include/merge in the features and bugfixes which he wants to include into his "stable" development branch.

Each contributor who has received a feature branch is expected to make sure it merges cleanly against the development branch at all times. The same applies to maintainers of external development Git trees. Also, the development of the feature branch is the author's responsibility: the "testing" tree maintainer only collects the patches and makes sure all features and bugfixes play nicely together, to catch conflicts as early as possible (and, of course, does a sanity review of all patches).

Generic instructions for using Git in can be found here. Generic usage instructions for OpenVPN project's Git repository can be found here. To fetch the latest development code, use

git clone git://

This gives you an openvpn-testing directory. When you enter this directory, you will be on the 'master' branch by default. To check out the allmerged branch, use

git checkout -b allmerged origin/allmerged

To see all available branches, use

git branch -a

Use the code in the allmerged branch from this git tree if you want the latest and greatest features and you're willing to encounter problems. If you're unfamiliar with Git in general, take a look at these links: