Re: Libressl verify failure with 3.9.0
> On Apr 8, 2024, at 5:44 AM, Theo Buehler wrote:
>
> On Sun, Apr 07, 2024 at 04:57:24PM -0500, Ted Wynnychenko wrote:
>> Hello,
>>
>> I recently updated to -current (about a week ago).
>>
>> I see that Libressl is at 3.9.1 just now, but I hope that won't be an issue
>> (I did not see anything in the release notes that would impact my question).
>> ---
>> $ openssl version
>> LibreSSL 3.9.0
>> ---
>>
>> Over the years, I have made certificates for personal servers/resources on
>> my home network. This is just for me, so I do some things that would be
>> frowned on (although, technically, there is nothing "wrong" with them).
>>
>> In this case, since I have Apple iOS devices that I want to connect to
>> https, I backdate any certificates I create to 1/2/2019. Apple has imposed
>> a 300 or 800 day time limit on the validity for certificates created after
>> (about) 7/1/2019. Since I don't want to constantly make new certificates
>> for my personal/home network, I have just been setting the certificates'
>> "not before" date to early 2019.
>>
>> Anyway, this had worked fine.
>> In fact, earlier this year (Jan 2024), I created a new certificate, and all
>> is good.
>>
>> A few weeks ago, I added a new thing to the network - a raspberry pi (I got
>> as a gift about 2013 and installed a linux image from 2019 on it) that is
>> connected to the home alarm system.
>>
>> Since I was annoyed that my browser was constantly giving me self-signed
>> certificate warnings, I decided to make a certificate for the nginx running
>> on this appliance.
>>
>> I created a key, made a csr, and then signed it with:
>> openssl ca -startdate 2019010200Z -in pi.csr -out pi.pem -config
>> /etc/ssl/openssl.cnf

Did you create this certificate on OpenBSD with Libressl openssl? Or on linux or something else with an OpenSSL openssl?

>
> As a workaround, try using '-startdate 19010200Z' instead. I think
> this is fallout from this commit:
>
> https://github.com/openbsd/src/commit/3feee4c53fbd67a4a480080d8ef5ae835d3fbf82
>
> ASN1_TIME_set_string_X509() is documented as
>
> In LibreSSL, ASN1_TIME_set_string() and ASN1_TIME_set_string_X509()
> behave identically and always set the time object to a valid value to use
> in an X.509 certificate.
>
> It seems to me that this is just wrong (it is true that both behave
> identically because RFC5280 is defined to 0), but they do not set the
> time object to "a valid value to use in an X.509 certificate".
>
> Confusingly, ASN1_TIME_adj_internal() actually honours its RFC5280
> parameter by behaving the expected way whereas its meaning in
> ASN1_TIME_set_string_internal() is different.
>
> I am unsure if the bug is in my commit above or in our version of
> ASN1_TIME_set_string_X509() (or both).
>
>>
>> This all works fine, and a certificate is created
>>
>> When I check with:
>> openssl x509 -text -noout -in pi.pem
>>
>> everything seems as expected, including the not before/after dates:
>>
>> Validity
>> Not Before: Jan 2 00:00:00 2019 GMT
>> Not After : Apr 7 15:39:59 2054 GMT
>>
>> (yes, it is valid for 35 years - as I said before, if someone breaks into my
>> house to secretly do things, I have way bigger problems)
>>
>> But, if I try to verify this on the openbsd system, I get:
>>
>> # openssl verify pi.pem
>> C = US, ST = Illinois, L = ***, O = ***, OU = ***, CN = ***
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>> pi.pem: verification failed: 20 (unable to get local issuer certificate)
>> ---
>>
>> But, if I install this on the raspberry pi, which has a much older version
>> of openssl on it:
>> $ openssl version
>> OpenSSL 1.1.1c 28 May 2019
>>
>> The certificate verifies without an issue:
>> $ openssl verify pi.pem
>> pi.pem: OK
>>
>> The last time I created a certificate was in January of this year
>> (1/22/2024).
>> I am thinking the openbsd system was using Libressl 3.8.2 at that point.
>>
>> I created that certificate in the exact same way, backdating the start date:
>> openssl ca -startdate 2019010200Z -in 54.csr -out 54.pem -config
>> /etc/ssl/openssl.cnf
>>
>> This previously created certificate also has the same backdated and very
>> long valid period:
>>
>> Validity
>> Not Before: Jan 2 00:00:00 2019 GMT
>> Not After : Jan 21 23:49:22 2054 GMT
>>
>> (Notice the not after date is a little different)
>> Today, with the new libressl, this certificate verifies OK.
>>
>> $ openssl verify 54.pem
>> 54.pem: OK
>>
>> Finally, if I create the new certificate WITHOUT backdating it
>> e.g.: openssl ca -in pi.csr -out pi.pem -config /etc/ssl/openssl.cnf
>>
>> The certificate is created and verifies OK.
>>
>> So, it seems, there is some sort of issue with backdating the certificate,
>> but not an issue with the crazy long validity window, that was not present
>> in January of this year.
>>
>> However, as I said, if I
Re: ssl/libssl certificate validation broken?
On 20 Oct 21:01, Uwe Werler wrote:
> Hi folks,
>
> before opening a bug report I'll ask here because I want to make sure that I
> have not missed something.

You should probably submit a real bug report instead of jumping to conclusions on misc@

>
> With the upgrade to 6.8 my cert validation seems to be broken because the
> hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our
> L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl certhash".
> That worked for all my machines until 6.7 but broke with 6.8. Adding the ca
> certs to /etc/ssl/cert.pem works.
>
> Did I miss something? I guess something changed during k2k20 in "certificate
> chain validation in libcrypto"?
>
> Thanks and with kind regards.
>
> Uwe
> ...
>Mmh, it seems to me that libssl is broken. After the upgrade to 6.8 my
>openldap proxies were screwed too. I configured explicitly
>
>olcTLSCACertificatePath: /etc/ssl/certs
>
>But that broke so I had to change to:

"Broke".. how?

>olcTLSCACertificateFile: /etc/ssl/cert.pem
>
>... and I had to change also /etc/openldap/ldap.conf from:
>
>TLS_CACERTDIR /etc/ssl/certs
>
>to
>
>TLS_CACERT /etc/ssl/cert.pem
>
>to keep syncrepl running.

You are a little bit thin on details here. The changes in the validator should not affect the loading of your certificates. Are you using openldap from packages or something else?

So please pass on some details and perhaps a succinct way to reproduce and include the error messages you see. Probably as a real bug report instead of misc discussions.
Re: TOFU/cert pinning in libtls
On Sat, May 09, 2020 at 06:18:50PM +, Lucas wrote:
> Hello Stephen,
>
> > My basic idea for the client is:
> >
> > - load a db of self-signed certs.
> > - connect to host
> > - if host cert is self signed
> > - if not in db, prompt user and add to db
> > - if in db, check fingerprint and warn user if they don't match.
> >
> > Browsing the manuals/source code, there doesn't seem to be an easy way
> > to configure this. I don't want to have to use the OpenSSL API for this
> > :(.
>
> I experimented with cert FP pinning in the past, too. tls_peer_cert_hash
> is probably what you're looking for. Found it looking at
> /usr/include/tls.h. Then tried to find it referenced in other manpages,
>
> oolong$ man -k Xr=tls_peer_cert_hash
> nc(1) - arbitrary TCP and UDP connections and listens
>
> That's far from ideal IMO, but I don't know where, of the many tls_*
> manpages, would I reference it.

man tls_peer_cert_hash happily brings up the man page on my machines.
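The trust-on-first-use decision outlined in the quoted list, as an added example that is not code from this thread or from libtls: a pin store with its three outcomes, keyed on the "SHA256:<hex>" string that tls_peer_cert_hash(3) returns once the handshake has completed. The pin-file format (one "host hash" pair per line), the function names and the sample hosts and hashes are assumptions constructed for illustration.

```c
/* Added example: TOFU pin store for a libtls client (not libtls code).
 * In a real client `hash` is tls_peer_cert_hash(ctx) after tls_handshake(ctx);
 * if certificate verification is disabled with
 * tls_config_insecure_noverifycert(), this pin is the only check left. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PINS 64
#define HASH_LEN (7 + 64)               /* "SHA256:" + 64 hex digits */

/* Constructed sample values, not real certificate hashes. */
#define HASH_A "SHA256:" "0123456789abcdef" "0123456789abcdef" \
               "0123456789abcdef" "0123456789abcdef"
#define HASH_B "SHA256:" "fedcba9876543210" "fedcba9876543210" \
               "fedcba9876543210" "fedcba9876543210"
static const char SAMPLE_DB[] =
    "# constructed sample pin file (format is an assumption)\n"
    "alarm.home.example " HASH_A "\n"
    "broken.home.example SHA256:nothex\n";

enum tofu_result { TOFU_NEW, TOFU_MATCH, TOFU_MISMATCH, TOFU_BADHASH };

struct pin { char host[256]; char hash[HASH_LEN + 1]; };
struct pin_db { struct pin pins[MAX_PINS]; size_t n; };

/* Accept only "SHA256:" followed by exactly 64 hex digits. */
static int valid_hash(const char *h)
{
    if (h == NULL || strlen(h) != HASH_LEN || strncmp(h, "SHA256:", 7) != 0)
        return 0;
    for (const char *p = h + 7; *p != '\0'; p++)
        if (!isxdigit((unsigned char)*p))
            return 0;
    return 1;
}

/* Case-insensitive equality: host names and hex digits ignore case. */
static int ieq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static struct pin *pin_find(struct pin_db *db, const char *host)
{
    for (size_t i = 0; i < db->n; i++)
        if (ieq(db->pins[i].host, host))
            return &db->pins[i];
    return NULL;
}

/* Compare the presented hash with the stored pin for this host. */
enum tofu_result tofu_check(struct pin_db *db, const char *host, const char *hash)
{
    struct pin *p;

    if (!valid_hash(hash))
        return TOFU_BADHASH;
    if ((p = pin_find(db, host)) == NULL)
        return TOFU_NEW;                /* caller prompts the user */
    return ieq(p->hash + 7, hash + 7) ? TOFU_MATCH : TOFU_MISMATCH;
}

/* Record a pin after the user accepted it. Never overwrites an existing
 * pin: a mismatch has to be resolved by the user, not silently replaced. */
int tofu_trust(struct pin_db *db, const char *host, const char *hash)
{
    if (tofu_check(db, host, hash) != TOFU_NEW || db->n == MAX_PINS ||
        strlen(host) >= sizeof(db->pins[0].host))
        return -1;
    strcpy(db->pins[db->n].host, host);
    strcpy(db->pins[db->n].hash, hash);
    db->n++;
    return 0;
}

/* Load "host hash" lines, skipping blanks, '#' comments, malformed hashes
 * and duplicate hosts (first entry wins). Returns the number of pins. */
size_t pin_db_parse(struct pin_db *db, const char *text)
{
    char line[512], host[256], hash[128];

    db->n = 0;
    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        if (len > 0 && len < sizeof(line) && text[0] != '#') {
            memcpy(line, text, len);
            line[len] = '\0';
            if (sscanf(line, "%255s %127s", host, hash) == 2)
                (void)tofu_trust(db, host, hash);
        }
        text += len;
        if (*text == '\n')
            text++;
    }
    return db->n;
}

int main(void)
{
    static const char *names[] = { "new", "match", "MISMATCH", "bad hash" };
    struct pin_db db;

    pin_db_parse(&db, SAMPLE_DB);
    printf("alarm, same cert:  %s\n", names[tofu_check(&db, "alarm.home.example", HASH_A)]);
    printf("alarm, other cert: %s\n", names[tofu_check(&db, "alarm.home.example", HASH_B)]);
    printf("pi, first visit:   %s\n", names[tofu_check(&db, "pi.home.example", HASH_B)]);
    return 0;
}
```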
Re: Suggestion: Replace Perl with Lua in the OpenBSD Base System
read fucking code. change fucking things. send some fucking diffs. get fucking yelled at. learn from your fucking mistakes. show some fucking passion. filter fucking misc@ and all this useless bleating into the toilet. none of us have time to spoon feed you in some “boot camp” there are two types of programmers. the self taught, and the hopeless. it is your job to turn yourself from the hopeless to the self taught. shut up and fucking hack.

On Tue, Dec 31, 2019 at 23:50 Frank Beuth wrote:

> On Wed, Jan 01, 2020 at 04:00:37AM +, e...@isdaq.com wrote:
> >rather than the programmer being responsible for
> >writing unsafe
> >code we need to regulate what the programmer can do just like we need to
> >regulate what the community can say, do, see, and think.
>
> where do I sign up for OpenBSD write-perfect-C-code programmer training
> bootcamp?
Re: bug tracking system for OpenBSD
Christoph, your conversation is distracting. Nobody gives a damn about the tool. Everyone gives a damn about the triage.

I hate to break it to you, but you are not the first person to broach this discussion. The only way this would work is with a dedicated team of people to triage each area and clean it up constantly. No such team exists. the tool used is irrelevant

On Sun, Apr 1, 2018 at 9:44 AM, Christoph R. Murauer wrote:
> My question was serious. I am not the enemy but I think this thing
> will only work if the people who use it accept / like to use it and so
> on.
>
>> bug tracking software is 1% of the solution. At least 80% of the
>> work is triage, and no one on this thread is serious about doing
>> that.
Re: Meltdown workaround enabled?
On Wed, Mar 14, 2018 at 05:38 Robert Paschedag <robert.pasche...@web.de> wrote:

> > Sent: Wednesday, 14 March 2018 at 06:13
> > From: "Bob Beck" <b...@obtuse.com>
> > To: "Brian Camp" <br...@thecamps.org>
> > Cc: "Theo de Raadt" <dera...@openbsd.org>, misc@openbsd.org
> > Subject: Re: Meltdown workaround enabled?
> >
> > Intel make kitty scared... What a fuckmess.
>
> Err... do I get it right, that a possibly vulnerable CPU
> (from 2016) is still vulnerable to MELTDOWN but a newer
> BIOS *fakes* the CPU flags so the MELTDOWN "detection code"
> says, "this CPU is NOT vulnerable"
>
> Is that right?
>
> Robert

Just consume the broken crap like a good citizen. Intel is too big to fail so thinking about these things is bad for society. Right?

> > On Tue, Mar 13, 2018 at 22:57 Brian Camp <br...@thecamps.org> wrote:
> >
> > > On Tue, Mar 13, 2018 at 10:39 PM, Theo de Raadt <dera...@openbsd.org>
> > > wrote:
> > > >> According to some sources, Intel and a handful of others have known about the
> > > >> issue since February 2017(!), so perhaps it has already been patched in the
> > > >> 08Jan2018 BIOS. I too have doubts that to date any processor has been
> > > >> redesigned to avoid the flaws entirely, but then again...
> > > >
> > > > Sure. A BIOS can change the flag bits.
> > > >
> > > > Be nice to know. Did a BIOS change them?
> > >
> > > I downgraded the bios to try and figure this out. Going back just one
> > > revision (1/8/2018 to 12/18/2017) causes it to lose the flag and
> > > -current's MELTDOWN workaround to activate.
> > >
> > > Previous BIOS revision (12/18/2017):
> > > bcamp@nuc6cayh:~ (OpenBSD 6.3)
> > > $ cpuid 0x7
> > > eax = 0x00000000 0 ""
> > > ebx = 0x2294e283 580182659 "???""
> > > ecx = 0x00000000 0 ""
> > > edx = 0x00000000 0 ""
> > >
> > > Newest BIOS revision (1/8/2018):
> > > bcamp@nuc6cayh:~ (OpenBSD 6.3)
> > > $ cpuid 0x7
> > > eax = 0x00000000 0 ""
> > > ebx = 0x2294e283 580182659 "???""
> > > ecx = 0x00000000 0 ""
> > > edx = 0x2c000000 738197504 "???,"
Re: Meltdown workaround enabled?
Intel make kitty scared... What a fuckmess.

On Tue, Mar 13, 2018 at 22:57 Brian Camp wrote:

> On Tue, Mar 13, 2018 at 10:39 PM, Theo de Raadt
> wrote:
> >> According to some sources, Intel and a handful of others have known about the
> >> issue since February 2017(!), so perhaps it has already been patched in the
> >> 08Jan2018 BIOS. I too have doubts that to date any processor has been
> >> redesigned to avoid the flaws entirely, but then again...
> >
> > Sure. A BIOS can change the flag bits.
> >
> > Be nice to know. Did a BIOS change them?
>
> I downgraded the bios to try and figure this out. Going back just one
> revision (1/8/2018 to 12/18/2017) causes it to lose the flag and
> -current's MELTDOWN workaround to activate.
>
> Previous BIOS revision (12/18/2017):
> bcamp@nuc6cayh:~ (OpenBSD 6.3)
> $ cpuid 0x7
> eax = 0x00000000 0 ""
> ebx = 0x2294e283 580182659 "???""
> ecx = 0x00000000 0 ""
> edx = 0x00000000 0 ""
>
> Newest BIOS revision (1/8/2018):
> bcamp@nuc6cayh:~ (OpenBSD 6.3)
> $ cpuid 0x7
> eax = 0x00000000 0 ""
> ebx = 0x2294e283 580182659 "???""
> ecx = 0x00000000 0 ""
> edx = 0x2c000000 738197504 "???,"
Official OpenBSD 6.2 CD set up for auction on Ebay
So, the only 6.2 set to be produced is up for auction, featuring hand-drawn artwork by Theo. Artisanally Made in Canada! All proceeds of the sale to fund OpenBSD development. Go have a look at http://www.ebay.ca/itm/Official-OpenBSD-6-2-CD-Set/253265944606
Official OpenBSD 6.1 CD !
So. There *Is* an official OpenBSD 6.1 CD Just One. If you are interested, please bid on ebay : http://www.ebay.com/itm/The-only-Official-OpenBSD-6-1-CD-set-to-be-made-For-auction-for-the-project-/252910718452?hash=item3ae2a74df4:g:SJQAAOSwrhBZBqkd (It's a pretty cool little CD set!)
Re: Why isn't OpenBSD in Google Summer of Code 2017?...
We tried it for two years, it was too much effort on the part of the foundation organizers mentors to deal with the bureaucracy involved, and we didn't really see enough return in terms of new developers to the project, which, frankly being selfish on OpenBSD's part is the only reason for us to do it.

Both Ken Westerback and I organized our end of it and dealt with the google paperwork the two years we did it, Neither of us is willing to do it again, and while I won't directly speak for Ken, I would not support us spending effort on this when there are lots of other things to do.. It just doesn't have the benefit for OpenBSD, especially in light of the effort of the volunteers necessary to participate.

On Sun, Apr 2, 2017 at 8:54 AM, Luke Small wrote:
Re: white noise about broken manpage (web) links
You need to complain at reyk - since these web pages are not in the openbsd www/ tree they didn't get fixed when we converted to man.openbsd.org

On Tue, May 10, 2016 at 10:52 PM, Vivek Vinod wrote:
> Dear Misc,
>
> I could not find a separate mailing list for openiked. Hence posting here.
>
> web manpage links appear to be broken on:
> 1) http://www.openiked.org/
> 2) http://www.openiked.org/manual.html
>
> The referenced links are
> 1A) http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd
>
> 2A) http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/iked.8
> 2B) http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/iked.conf.5
> 2C) http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ikectl.8
>
> I get a "500 Internal server error... OpenBSD httpd"
>
> Unrelated - I have gotten the same error when clicking links on 3rd
> party websites like daemonforums.org
>
> I promise to submit diffs when I am more confident of submitting them.
>
> Please ignore if trivial.
>
> Vivek
Re: ftp/www.openbsd.org will be down for an upgrade today.
it has been back for quite some time

On Mon, May 9, 2016 at 1:02 PM, Markus Rosjat <ros...@ghweb.de> wrote:
> Hi there,
>
> just a short question about the site coming up again.
> Since our spamd-setup tries to get some blacklists from the site I was
> wondering if there is any info about the time schedule for the
> maintenance?
>
> Regards
>
> Markus
>
>
> On 08.05.2016 at 23:44, Stefan Wollny wrote:
>>
>> On 05/08/16 at 20:03, Bob Beck wrote:
>>>
>>> There will be an extended downtime of the main ftp and www sites for
>>> an upgrade today starting in approximately one hour's time from now.
>>>
>>> The mirror sites should be unaffected - so use a mirror if you
>>> discover the main site is unavailable today.
>>>
>> Anyone know of an up2date mirror of 'current.html'?
>> (Google just found one with the latest entries from 2005...)
>> :-(
>>
>> TIA.
>>
>> STEFAN
>>
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220 fax: +49 351 8107227
>
> Please consider whether this mail really needs to be printed! Before you
> print it, think about your responsibility and commitment to the ENVIRONMENT
Re: TLS now supported on openbsd.org?
>It's great to see OpenBSD Project supporting Let's Encrypt.

I am absolutely not supporting Let's Encrypt. The client scares the shit out of me, and shows me how low the bar has become. Considering all I need is put something on a web site that I can convince a DNS server is the one they'll check, well, that's pretty darn bad - you'd all probably be a lot better off pinning self-signed certs.

> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https?

And statements like this - and people that think this is a good idea, are why I spoof DNS answers in bars and coffee shops, and why I don't read misc@. This is never a good idea, unless you want the connections intercepted and MITM'ed.
ftp/www.openbsd.org will be down for an upgrade today.
There will be an extended downtime of the main ftp and www sites for an upgrade today starting in approximately one hour's time from now. The mirror sites should be unaffected - so use a mirror if you discover the main site is unavailable today. Thanks -Bob
Re: WAPBL?
I would hazard a guess that if you are running a random diff, the problem is with the diff you are running - not those other things.

On Fri, Apr 1, 2016 at 9:30 AM, Amit Kulkarni <amitk...@gmail.com> wrote:
> I see the writes are not being done to disk in case of a simple cvs update,
> and the machine locks up for a solid couple of minutes afterwards also. This
> happens in a dual CPU config with plenty of free memory, even with stefan,
> mpi and kettenis recent diffs. For a curious kernel reader, where could the
> bug(s) be? in amap, uvm/buffer cache, rthreads???
>
> Thanks in advance
>
>
> On Fri, Apr 1, 2016 at 9:06 AM, Bob Beck <b...@obtuse.com> wrote:
>>
>> I have more up to date versions of these patches around here.
>>
>> The problem with them is that fundamentally, the WAPBL implementation
>> as it is assumes that it may infinitely steal
>> buffers from the buffer cache and hold onto them indefinitely - and it
>> assumes it can always get buffers from it. While the patch as it sits
>> may "work" in the "happy case" on many people's machines, as it sits
>> today it is dangerous and can lock up your machine and corrupt things
>> in low memory situations.
>>
>> Basically in order to progress WAPBL (renamed "FFS Journalling" here)
>> needs to have a mechanism added to allow
>> it be told "no it can't have a buffer" and let it deal with it
>> correctly. The first part is done, the latter part is complex.
>>
>>
>> On Sat, Mar 26, 2016 at 1:27 PM, Martijn Rijkeboer <mart...@bunix.org>
>> wrote:
>> > Hi,
>> >
>> > Just out of curiosity, what has happened with WAPBL? There were some
>> > patches
>> > floating around on tech@ in the last months of 2015, but then it became
>> > quiet. I'm not complaining just curious.
>> >
>> > Kind regards,
>> >
>> >
>> > Martijn Rijkeboer
Re: WAPBL?
I have more up to date versions of these patches around here.

The problem with them is that fundamentally, the WAPBL implementation as it is assumes that it may infinitely steal buffers from the buffer cache and hold onto them indefinitely - and it assumes it can always get buffers from it. While the patch as it sits may "work" in the "happy case" on many people's machines, as it sits today it is dangerous and can lock up your machine and corrupt things in low memory situations.

Basically in order to progress WAPBL (renamed "FFS Journalling" here) needs to have a mechanism added to allow it be told "no it can't have a buffer" and let it deal with it correctly. The first part is done, the latter part is complex.

On Sat, Mar 26, 2016 at 1:27 PM, Martijn Rijkeboer wrote:
> Hi,
>
> Just out of curiosity, what has happened with WAPBL? There were some patches
> floating around on tech@ in the last months of 2015, but then it became
> quiet. I'm not complaining just curious.
>
> Kind regards,
>
>
> Martijn Rijkeboer
But wait, there's more.. another 5.8 song!
Coming soon to http://www.openbsd.org/lyrics.html is the next 5.8 release song "A Year In The Life". I seem to have this bad habit of talking to Theo about release themes when drinking alcohol, and it brings out the poet (My inner Weird Al) in me. Then I get cajoled into finishing the Opus before release time. We've done stuff about LibreSSL before, but this particular song just fit with the release theme. While the lyrics can speak for themselves, "A Year In The Life" is representative of more than just LibreSSL. The pattern of LibreSSL development is a pattern that has repeated itself many times in OpenBSD -- a decision is made by a few people to do something, followed by action, and letting the world share it if they like it (such as with OpenSSH). To the developers actually doing the work, reactions to such efforts can often seem surreal, or irrelevant. The juxtaposition of working on the very real with the surreal going on around you can often make working on such projects feel like you're in a bit of an altered reality.. Sort of like the song. A number of us have had many years like this in the last 20. Anyhow, please enjoy -Bob
BitCoin donations to the OpenBSD Foundation.
We've recently noticed a few attempts at larger Bitcoin donations to the OpenBSD Foundation. Due to the nature of these, we don't actually know who is attempting to donate, so I'm posting here. Due to changing laws, our provider (BitPay) had to limit transactions to $1000/day causing these donations to fail (according to what we received from BitPay the potential donor would have been told this). As of a few hours ago, we have managed to get the limit raised to $1/day - and a note of this is now reflected at http://www.openbsdfoundation.org/donations.html If you are attempting to donate a sizable amount of BitCoin, please bear the limit in mind when donating.. Donations of more than $1 in value would need to be made over multiple days. Sorry for any inconvenience, this is just how these things work. -Bob
Re: OpenSSL vulnerabilities coming on the 19th
And while I will reiterate, stop mailing us privately and asking, I can confirm that the situation has changed, and core LibreSSL developers have now had disclosure from OpenSSL. We will be keeping discussion of all details strictly to that group until such time as OpenSSL releases publicly.

-Bob

On Mon, Mar 16, 2015 at 2:52 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:

Please people stop mailing me privately and asking. (Probably bugging other people in the group as well).

The OpenSSL group do not tell the LibreSSL group about vulnerabilities that they are fixing in upcoming releases. Why? Well, they just don't. That's the whole story.

Hopefully the LibreSSL team has been aggressive enough at cleaning house, and the issue is already resolved in LibreSSL. Wait and see.
Re: a thankyou to OpenBSD
Wave.. Thanks Diana. I still owe you a beer or thirteen.

On Tue, Feb 10, 2015 at 5:26 PM, Diana Eichert deich...@wrench.com wrote:

I don't post much any more, my OpenBSD systems just work. Just wanted to post a thank you to OpenBSD because it does just work.

My day job entails a lot of Linux support, lately I've been dealing with the big screwup associated with network interface naming. WHY can't Linux follow BSD's straightforward NIC naming? It's positively bizarre all the crappy little files and utilities they have come up with so you can munge NIC names to something more useful than p3p2!!!.

In appreciation I just sent in a donation via the OpenBSD donation page.

g.day

fade to black

diana

Past hissy-fits are not a predictor of future hissy-fits. Nick Holland(06 Dec 2005)
Re: new OpenSSL flaws
We are not on a linux distros mailing list, because we are not a linux distribution. And this private mailing list is not really an acknowledged conduit for vulnerability release.

I was asked by someone privately if *I* would be on that mailing list on June 2nd. I said I would consider it, but as I felt the list was not being used for advanced disclosure in a practical means, I didn't see the reason for it. - but I would be open to it if it was being used for advanced disclosure.. my words on june 2 ended with:

In a nutshell, I suppose I'm asking you - does this help if the list only gets notification at the same time, basically, as public release? Or are there some rules for participants?

The reply I got said they couldn't give any details because there were not any - so obviously as of June 2, someone who was on and maintained that list did not feel that there was any need to be on the list for advance disclosure of bugs.

For the record, we didn't get advance notice of Heartbleed either, so this is nothing new.

On Thu, Jun 5, 2014 at 2:43 PM, Martin, Matthew phy1...@utdallas.edu wrote:

That's exactly my thought. Specially, because FreeBSD and NetBSD were warned, but not OpenBSD. If this was only a rant or any childish behavior from them, it's something stupid and, of course, not the right thing to do. But hey, we're all human. My real concern is if this something else, a hidden agenda, in that this stupid disclosure was indeed, carefully planned. One can never have too many conspiracy theories. Specially after what has been happening the last year. Thanks for the clarification.

Mark Cox claims that the reason OpenBSD was not told is because OpenBSD is not on the distros mailing list and if we were then they'd be able to work with other distros on issues in advance. It's at http://oss-security.openwall.org/wiki/mailing-lists/distros . Not saying I believe or disbelieve him, but it can't hurt to join even if it is only until 5.6 comes out.

- Matthew Martin
Re: new OpenSSL flaws
I may also remind people that those lists are acknowledged right at the top as experimental. They also do not allow for non personal subscriptions, so they aren't very practical for this. What if I was away for a day or three.. Or more..

Essentially this is a nice experiment, but not really a practical means of early disclosure. Nor were we informed it was anything beyond experimental.

On 5 Jun 2014 17:39, Stuart Henderson s...@spacehopper.org wrote:

On 2014/06/05 20:43, Martin, Matthew wrote:

That's exactly my thought. Specially, because FreeBSD and NetBSD were warned, but not OpenBSD. If this was only a rant or any childish behavior from them, it's something stupid and, of course, not the right thing to do. But hey, we're all human. My real concern is if this something else, a hidden agenda, in that this stupid disclosure was indeed, carefully planned. One can never have too many conspiracy theories. Specially after what has been happening the last year. Thanks for the clarification.

Mark Cox claims that the reason OpenBSD was not told is because OpenBSD is not on the distros mailing list and if we were then they'd be able to work with other distros on issues in advance.

The distros and linux-distros lists are a good way to contact *some* OS distributions and Amazon. http://oss-security.openwall.org/wiki/mailing-lists/distros

But there are clearly a number of others for whom an OpenSSL bug would have big impact who are not on that list (OS such as OpenBSD and Apple, large scale hosting providers, etc). Many of these are listed on the security contacts page on the wiki, and actually, the page with information about sending to the distros list (which submitters cannot ignore as it has the required pgp key) says:

Please notify upstream projects/developers of the affected software, other affected distro vendors link to http://oss-security.openwall.org/wiki/vendors, and/or affected Open Source projects before notifying one of these mailing lists in order to ensure that these other parties are OK with the maximum embargo period that would apply.
Re: panic: softdep_deallocate_dependencies
I'll be taking a peek based on what I see in his traceback. Travelling at the moment.

On 9 May 2014 06:44, Philip Guenther guent...@gmail.com wrote:

On Thu, May 8, 2014 at 8:14 PM, STeve Andre' and...@msu.edu wrote: On 05/08/14 22:43, Philip Guenther wrote: On Thu, May 8, 2014 at 2:59 PM, STeve Andre' and...@msu.edu wrote: Twice now in three or so weeks, I've gotten a panic on my -current_amd64 W500 laptop. I've updated my tree several times during this time, and have not seen other problems besides the known acpi heat problem. Uh, what was the date of the cvs update of your kernel build when they started? What was the cvs update date of your kernel before *that*? (I.e, what's your best estimate of the window in which the change to the kernel which triggered the panic occurred? (What, you don't keep a log of the timestamps of your kernel updates+builds? Doesn't everyone?) Actually, I do keep past kernels so I have the build date for them. I *thought* I had some notes on when this started but I am ashamed to see that I didn't put them in a safe place. Well, make your best, but conservative estimate of the window in which it started. (Certainly after _that_ kernel; not sure if before _this_ kernel but certainly before this+1...) I have both firefox and chrome running but I'm getting the feeling that things get more weird as I use lots of tabs in chrome. You're pushing the vm subsystem enough to page. Since you have 8GB, I wonder if you've raised your kern.bufcachepercent, thus pushing on it harder. Nope, I try to avoid the knobs when possible. It's been at 20% ever since (bob?) raised it to 20%. Ok. I guess it's just memory pressure from chrome. I don't think I'm swapping? At least I haven't seen top tell me that. ...In the past (like a year+) ago, there were times when chrome went crazy with memory and I did swap. But chrome has gotten better--I don't think I've seen it do that for some time now. Heh, the backtrace starts from uvm_pageout so yes, it decided to page something out. :-) I'm not sure how well I can pin this down. If I go too far back with an older kernel I'll be out of sync with userland. Any suggestions on how to test this more? I don't recall any kernel ABI changes in the window, but hold off for now. Eyes more familiar with the involved subsystem may consider the backtrace you gave (thanks!) enough.

Philip Guenther
Re: OpenBSD Foundation 2014 Fundraising Campaign.
On the web site at www.openbsdfoundation.org.

On Fri, Apr 11, 2014 at 10:15 AM, trifle menot trifleme...@gmail.com wrote:

On 4/10/14, Bob Beck b...@openbsdfoundation.org wrote:

The Foundation will continue to strive to improve its financial resources, and hopes to be able to provide further support to the projects in the future. Please continue to contribute!

Where can I read your financial reports?
OpenBSD Foundation 2014 Fundraising Campaign.
The OpenBSD Foundation is happy to report that the $150,000 goal of the 2014 fundraising campaign has been reached. We wish to thank our contributors large and small. We will continue our fundraising efforts both in the current year and next year. The success of this year's effort has allowed the Foundation to reverse the recent decline in the support we were able to offer the OpenBSD project. The Foundation has been able to assume responsibility for funding more aspects of the project infrastructure, such as the server electricity bill. The Foundation is now able to support efforts underway to rebuild a significant part of the project server infrastructure. This included a few things that were, literally, rotting. 2014's slate of hackathons has been solidified, ensuring these critical events will continue to provide a stream of improvements to the OpenBSD and related projects. We would like to especially thank the contributors who have made commitments for continuing donations to the Foundation. Every recurring regular donation allows us to budget and plan more effectively. The Foundation will continue to strive to improve its financial resources, and hopes to be able to provide further support to the projects in the future. Please continue to contribute!
Re: OpenBSD Website, multilanguage faq
Well if you're going to have your thousand hands, perhaps they could just do one word at a time, in one language, and pretty soon we'll morph into something that isn't english and you'll all be a happy little umama ofebayo I'll even start, as I looked in the kernel for a phrase to change, and the only place it appeared happened to be in a file I commit to regularly, so therefore I'll submit the following kernel change to start your noble new effort: Index: kern/vfs_bio.c === RCS file: /cvs/src/sys/kern/vfs_bio.c,v retrieving revision 1.154 diff -u -p -u -p -r1.154 vfs_bio.c --- kern/vfs_bio.c 25 Jan 2014 04:23:31 - 1.154 +++ kern/vfs_bio.c 4 Apr 2014 00:53:55 - @@ -856,7 +856,7 @@ incore(struct vnode *vp, daddr_t blkno) /* * Get a block of requested size that is associated with - * a given vnode and block offset. If it is found in the + * a given vnode and block offset. If it butholakala in the * block cache, mark it as having been found, make it busy * and return it. Otherwise, return an empty block of the * correct size. It is up to the caller to ensure that the
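Review bot: the changed line in the comment under the `@@ -856,7 +856,7 @@` header swaps "is found" for a word that is not English, while the rest of the sentence ("block cache, mark it as having been found, make it busy and return it") stays in English, so the comment no longer states the condition under which the cached block is returned. The hunk touches only a comment and changes no code, so I would keep the original wording "If it is found in the" and drop the change.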
Google Summer Of Code 2014.
The OpenBSD Foundation is pleased to announce that we have been accepted as a mentoring organization for Google Summer of Code 2014. As such if you are a student who qualifies to apply for GSOC, you will be able to find us in Google's Summer of Code Application process. We have an ideas page which is located at http://www.openbsdfoundation.org/gsoc2014.html I will repeat my usual disclaimer here on behalf of the foundation - doing anything with GSOC does *not* guarantee the result will end up in OpenBSD or any related project. That having been said we hope to be able to put some mentors together with students to accomplish things that may become useful to the community at large. This will be our first year doing this, so we hope to learn from the experience and see if it will work out in future years. -Bob Beck - The OpenBSD Foundation.
OpenBSD Foundation Fundraising for 2014
Greetings All, About a week ago I warned you all that the OpenBSD project did not have the funds to cover our bills for the past year (especially the ability to handle the electricity) and that our funding sources were not sustainable. As most of you know the news of our predicament has been widely distributed over the last week, and the response from the community as well as corporate donors has been significant - some of this response has been hitting the internet media already. To all of you who have donated, please allow me to give you a huge Thank You. In a nutshell, we have in one week gone from being in a dire situation to having a commitment of approximately $100,000 in donations to the foundation. From a developer's perspective let me assure you that this reaffirms the worth of what we are supporting and makes us want to work on it that much more. We would like to continue to build on your groundswell of support, and have set a target for $150,000 this year in fundraising. Please see http://www.openbsdfoundation.org/campaign2104.html If you have contributed already - Thank you. If you can help us by contributing - Please do. If you know or work for someone who can help us reach our goals, please contact us. Sincerely, -Bob
Re: Request for Funding our Electricity
On Thu, Jan 16, 2014 at 10:58 AM, Daniel Cegiełka daniel.cegie...@gmail.com wrote: Another example: Google will pay even more than $3000 for finding an error in OpenSSH (Core infrastructure network services) - do they know about your problems? http://googleonlinesecurity.blogspot.com/2013/10/going-beyond-vulnerability-rewards.html Daniel Yes, we're aware of that program. However it still comes down to a bounty for bugfixes or change of some sort, so it's not a source of sustainable funding, unless we were to do something like introduce an annual quota of bugs and convincing looking churn for the sake of finding them every year. Would you want to depend upon software in your infrastructure that we were doing that to?
Re: Request for Funding our Electricity
Yes, I believe so - and we'll be ramping that up shortly, but realistically the need is for donations in general - electricity is one thing that the funding can be applied to. On Wed, Jan 15, 2014 at 3:27 AM, Luca Ferrari fluca1...@infinito.it wrote: On Tue, Jan 14, 2014 at 9:18 PM, Bob Beck b...@openbsdfoundation.org wrote: And actually, if you're reading this, you can help by passing this on to people you know *off these lists*. Is it worth to post a call for support on the official website front-page (and the foundation one too)? Just to emphasize the need for electricity now. Luca
Re: Request for Funding our Electricity
Just to bring this issue back to the forefront. In light of shrinking funding, we do need to look for a source to cover project expenses. If need be the OpenBSD Foundation can be involved in receiving donations to cover project electrical costs. But the fact is right now, OpenBSD will shut down if we do not have the funding to keep the lights on. If you or a company you know are able to assist us, it would be greatly appreciated, but right now we are looking at a significant funding shortfall for the upcoming year - Meaning the project won't be able to cover 20 thousand dollars in electrical expenses before being able to use money for other things. That sort of situation is not sustainable. On Fri, Dec 20, 2013 at 5:08 PM, Theo de Raadt dera...@cvs.openbsd.org wrote: I am resending this request for funding our electricity bills because it is not yet resolved. We really need even more funding beyond that, because otherwise all of this is simply unsustainable. This request is the smallest we can make. --- Hi everyone. The OpenBSD project uses a lot of electricity for running the development and build machines. A number of logistical reasons prevents us from moving the machines to another location which might offer space/power for free, so let's not allow the conversation to go that way. We are looking for a Canadian company who will take on our electrical expenses -- on their books, rather than on our books. We would be happiest to find someone who will do this on an annual recurring basis. That way the various OpenBSD efforts can be supported, yet written off as an off-site operations cost by such a company. If we reduce this cost, it will leave more money for other parts of the project. We think that a Canadian company is the best choice for accounting reasons. If a company in some other jurisdiction feels they can also do this successfully, we'd be very happy to hear from them as well. I am not going to disclose the actual numbers here. 
Please contact me for details if serious. Thanks.
Re: Request for Funding our Electricity
And actually, if you're reading this, you can help by passing this on to people you know *off these lists*. When we post to these mailing lists saying these things we are asking for your help to get the word out to people who support open source projects. Those people are not necessarily here, and often, you (the people who use it and work with it) need to make the case to them that their support is important - far better that explanation comes from you rather than someone they don't know. -Bob On Tue, Jan 14, 2014 at 1:03 PM, Bob Beck b...@openbsdfoundation.org wrote: Just to bring this issue back to the forefront. In light of shrinking funding, we do need to look for a source to cover project expenses. If need be the OpenBSD Foundation can be involved in receiving donations to cover project electrical costs. But the fact is right now, OpenBSD will shut down if we do not have the funding to keep the lights on. If you or a company you know are able to assist us, it would be greatly appreciated, but right now we are looking at a significant funding shortfall for the upcoming year - Meaning the project won't be able to cover 20 thousand dollars in electrical expenses before being able to use money for other things. That sort of situation is not sustainable. On Fri, Dec 20, 2013 at 5:08 PM, Theo de Raadt dera...@cvs.openbsd.org wrote: I am resending this request for funding our electricity bills because it is not yet resolved. We really need even more funding beyond that, because otherwise all of this is simply unsustainable. This request is the smallest we can make. --- Hi everyone. The OpenBSD project uses a lot of electricity for running the development and build machines. A number of logistical reasons prevents us from moving the machines to another location which might offer space/power for free, so let's not allow the conversation to go that way. 
We are looking for a Canadian company who will take on our electrical expenses -- on their books, rather than on our books. We would be happiest to find someone who will do this on an annual recurring basis. That way the various OpenBSD efforts can be supported, yet written off as an off-site operations cost by such a company. If we reduce this cost, it will leave more money for other parts of the project. We think that a Canadian company is the best choice for accounting reasons. If a company in some other jurisdiction feels they can also do this successfully, we'd be very happy to hear from them as well. I am not going to disclose the actual numbers here. Please contact me for details if serious. Thanks.
Re: Request for Funding our Electricity
Kirill, a dedicated one purpose bank account or officially directed donations are somewhat problematic to a Canadian not for profit - Normally for expenses the foundation supports we simply reimburse the individuals for their costs from our funds. As far as the suggested donation meter that's an idea we'd probably like to put up - as it gets that crowdsourcing type interest going. But in this case it would likely not be 20K, more like a 150K yearly goal would be best. On Tue, Jan 14, 2014 at 2:16 PM, Kirill Bychkov ki...@linklevel.net wrote: On Wed, January 15, 2014 00:03, Bob Beck wrote: Just to bring this issue back to the forefront. In light of shrinking funding, we do need to look for a source to cover project expenses. If need be the OpenBSD Foundation can be involved in receiving donations to cover project electrical costs. But the fact is right now, OpenBSD will shut down if we do not have the funding to keep the lights on. If you or a company you know are able to assist us, it would be greatly appreciated, but right now we are looking at a significant funding shortfall for the upcoming year - Meaning the project won't be able to cover 20 thousand dollars in electrical expenses before being able to use money for other things. That sort of situation is not sustainable. Hi. Could we collect this sum on special bank account, to gather correct sum for covering electricity expenses? Or OpenBSD Foundation will pay a bill from its funds? Simpler - should I send money to Foundation right now or should I wait info about direct-electricity-expenses-account? Unfortunately I can't send $20k, but if 200 community members send $100 each... I hope this will help to have another year for searching a company Theo was mentioning in his first letter. On Fri, Dec 20, 2013 at 5:08 PM, Theo de Raadt dera...@cvs.openbsd.org wrote: I am resending this request for funding our electricity bills because it is not yet resolved.
We really need even more funding beyond that, because otherwise all of this is simply unsustainable. This request is the smallest we can make. --- Hi everyone. The OpenBSD project uses a lot of electricity for running the development and build machines. A number of logistical reasons prevents us from moving the machines to another location which might offer space/power for free, so let's not allow the conversation to go that way. We are looking for a Canadian company who will take on our electrical expenses -- on their books, rather than on our books. We would be happiest to find someone who will do this on an annual recurring basis. That way the various OpenBSD efforts can be supported, yet written off as an off-site operations cost by such a company. If we reduce this cost, it will leave more money for other parts of the project. We think that a Canadian company is the best choice for accounting reasons. If a company in some other jurisdiction feels they can also do this successfully, we'd be very happy to hear from them as well. I am not going to disclose the actual numbers here. Please contact me for details if serious. Thanks.
The OpenBSD Foundation now accepts BitCoin donations...
I'm happy to announce the OpenBSD foundation can now accept donations to assist in funding project activities in BTC. We are using BitPay.com to host our BitCoin donations, which are converted to CAD for use by the project. If you have been interested in making donations in BitCoin, please visit http://www.openbsdfoundation.org/donations.html, and visit the BitCoin donation link at the bottom of the page. Thanks, -Bob
Re: softdep issue in 5.3-current ?
Update to something that has version 1.27 of sys/kern/vfs_biomem.c and tell me if you still have the issue. On Wed, Jun 26, 2013 at 4:35 AM, Tori Mus torimus...@gmail.com wrote: Hi, I'm running current snapshot of OpenBSD on amd64 architecture, MP kernel (Lenovo Thinkpad to be concrete). Based on the official docs tried to tune disk performance by adding `softdep' mounting option for ffs slices. After updating of /etc/fstab and clean reboot, checked all particular slices like /home, /usr etc. are really mounted with softdep. The issue is about much worse performance than with the default nosoftdep. Now, for example, when extracting ports.tar.gz snapshot in /usr, other process can't open even small files without very long delays like vi $HOME/.profile takes about 2 minutes whereas cpu usage shown with top is about 5% only ! Turning off softdep redeems the access time of the previous example to about 4 seconds. I've searched mailing lists and read about softdep regression on OpenBSD 4.8 that was later fixed. Is this regression back? Does anybody else experience similar behaviour ?
Still looking for 1U servers in western canada.
I'm still looking for 1U servers in western canada. we have an opportunity to build a better build infrastructure for ports but need the gear to do it with. I would be keenly interested in 1) Workable semi-modern amd64 capable intel hardware, 1U - 4 GB of ram or more is nice, One disk drive. (more is nice too). needs a working serial port for serial console, Would be very nice to get 10 or so of these for parallel dpb infrastructure 2) Sparc64 based 1U machines such as sun V210 or V215.. similar to above needs. If they have rails for rack mounting that's even better. They're needed in Edmonton, Alberta - where we have a nice place to host them.
Call for support to continue Radeon KMS work...
Some of you may be aware of the recent developments in current that have brought us Intel KMS Support. With this we get proper accelerated X on current and future Intel graphics hardware. There are a few other nice side benefits to this work: - We gain the ability to use the kernel debugger and get debugging information when the system panics when you are in X windows. - This also provides support for modern graphics outputs like HDMI and DisplayPort. Work on this was largely done by Jonathan Gray (jsg@), and was supported by a generous sponsorship from M:Tier (http://www.mtier.org), and by funds from the OpenBSD Foundation. We would especially like to thank M:Tier at this time for that support. We would like to extend this work to support the ATI/AMD Radeon graphics hardware. To this end the Foundation as well as M:Tier have committed to support Jonathan to continue the work done for Intel and extend it to the Radeon platform. Jonathan has started this work and basic KMS support is already working - however there is still a lot to do. As of this time the Foundation lacks sufficient funds to follow this work through to completion. To that end, we are actively looking for a company or companies that could commit to supporting these efforts so that Radeon KMS support may be completed. We are looking for a total sponsorship goal of approximately $40,000. If you or your company can help with these efforts, please contact the OpenBSD Foundation (http://www.openbsdfoundation.org). We can either accept your donations directly or make other arrangements. Thank you, -Bob
Need for modern i386/amd64 machines in Edmonton AB.
The project is looking for some modern i386/amd64 machines in edmonton, AB. They need to be relatively recent, and rack mountable. Ideally they should have rails, or the ability to find rack mount rails for them. 1U is best, ideally something that runs OpenBSD well. We're trying to use this to expand and beef up our ports building infrastructure, to reduce port build latencies and reduce associated costs to the project. If you have something that could be gotten to us in Edmonton, or nearby, please let me know the details. Thanks -Bob
CD ordering problems in the last day or so fixed.
The https.openbsd.org machines were under a denial of service attack originating from LeaseWeb USA and LeaseWeb Netherlands: Their nets have now been filtered and you should be able to order again. Thank you to those who dropped me a note. -Bob If you know anyone here you could tell them if they care. attack originated from multiple IP's on both their USA and Netherlands networks.
OpenBSD 5.2 Released
. Those who did not support us financially have still helped us with our goal of improving the quality of the software. Our developers are: Aaron Bieber, Alexander Bluhm, Alexander Hall, Alexander Schrijver, Alexander Yurchenko, Alexandr Shadchin, Alexandre Ratchov, Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot, Austin Hook, Benoit Lecocq, Bob Beck, Brandon Mercer, Bret Lambert, Brett Mahar, Bryan Steele, Camiel Dobbelaar, Can Erkin Acar, Charles Longeau, Christian Weisgerber, Christiano F. Haesbaert, Claudio Jeker, Damien Bergamini, Damien Miller, Darren Tucker, David Coppa, David Gwynne, David Krause, Edd Barrett, Eric Faurot, Federico G. Schwindt, Felix Kronlage, Gilles Chehade, Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze, Jakob Schlyter, Janne Johansson, Jason George, Jason McIntyre, Jasper Lievisse Adriaanse, Jeremy Evans, Jim Razmus II, Joel Knight, Joel Sing, Joerg Zinke, Jolan Luff, Jonathan Armani, Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Joshua Elsasser, Joshua Stein, Kenji Aoyama, Kenneth R Westerback, Kirill Bychkov, Kurt Miller, Landry Breuil, Laurent Fanis, Lawrence Teo, Luke Tymowski, Marc Espie, Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden, Markus Friedl, Martin Pieuchot, Martynas Venckus, Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Erdely, Mike Belopuhov, Mike Larkin, Miod Vallat, Nayden Markatchev, Nicholas Marriott, Nick Holland, Nigel Taylor, Okan Demirmen, Otto Moerbeek, Pascal Stumpf, Paul de Weerd, Paul Irofti, Peter Hessler, Peter Valchev, Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard, Remi Pointel, Robert Nagy, Ryan Freeman, Ryan Thomas McBride, Sasano, Sebastian Benoit, Sebastian Reitenbach, Simon Perreault, Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Takuya Asada, Ted Unangst, Theo de Raadt, Tobias Stoeckmann, Tobias Weingartner, Todd C. 
Miller, Todd Fries, Will Maier, William Yodlowsky, Yasuoka Masahiko, Yojiro Uo
ftp/www.openbsd.org downtime today. don't panic
Hi Folks, The main web, ftp, and anoncvs servers are going to be down for a short period today while they move from data center to data center at the University of Alberta. The University has been so kind as to offer the project space in two racks in their new state of the art data centre in a new building, and we are moving equipment into the new place. We will minimize the downtime as much as possible, but it will be for a short while (likely an hour or so) as we pick up the gear and move it. Please don't panic. Thanks, -Bob
Re: quick query.
It is for me #export PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64 # pkg_add tor tor-0.2.2.39: ok The following new rcscripts were installed: /etc/rc.d/tor See rc.d(8) for details. # pkg_info tor Information for inst:tor-0.2.2.39 Comment: anonymity service using onion routing Description: Tor is a connection-based low-latency anonymous communication system that protects TCP streams: web browsing, instant messaging, irc, ssh, etc. Maintainer: Pascal Stumpf pascal.stu...@cubes.de WWW: http://www.torproject.org/ Looks like PEBKAC. On Wed, Oct 10, 2012 at 4:48 PM, sharon dvir bpmcont...@gmail.com wrote: it looks like Tor just isn't there. which means that in order to go from 2.2.35 to 2.2.39 i'll have to compile it manually. which is no problem, but hence a need for the tool i originally asked about. or am i missing something? BTW, 2.2.39 fixes some remote exploits for Tor, in case anyone is running it. thanks everyone. On 10 October 2012 18:09, Peter N. M. Hansteen pe...@bsdly.net wrote: Martin Pelikan martin.peli...@gmail.com writes: as sthen@ kindly corrected me the some time ago, we now have pkg.conf(5) and installpath. You're right of course -- pkg.conf has been with us for a while (first appearance in 4.8 it seems). This way it'll work even if you don't invoke package updates from your shell, but using some kind of remote administration software for example. Yes. That functionality would be relevant to the OP. I'd managed to forget all about it, probably because the old .profile trick works so well in other contexts. - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
OpenBSD 5.2 song - and pre-orders for 5.2!
We have made available the song that will come out with the 5.2 release. The song and details of it are linked from: http://openbsd.org/lyrics.html Go have a look and a listen! The details for the upcoming 5.2 release are available at http://www.openbsd.org/52.html A reminder to you all that Pre-orders for 5.2 can be made by starting from: http://openbsd.org/orders.html Please consider buying a CD or three. Sales of CD's and merchandise are vital to OpenBSD's continued existence. It is only this revenue stream that keeps the power and air conditioning on, and keeps us all hacking. Thanks!
Re: OpenBSD - UEFI Secure Boot
On Sat, Jul 7, 2012 at 11:25 AM, Tomas Bodzar tomas.bod...@gmail.com wrote: World is trying much worse stuff than UEFI http://extratorrent.com/article/2263/uk+prime+minister+calls+for+online+porn+ban.html What? they're going to ban porn? That's it, I'm quitting the internets.
OpenBSD 5.1 released May 1, 2012
. The 5.1 ports collection, including many of the distribution files, is included on the 3-CD set. Please see the PORTS file for more information. Note: some of the most popular ports, e.g., the Apache web server and several X applications, come standard with OpenBSD. Also, many popular ports have been pre-compiled for those who do not desire to build their own binaries (see BINARY PACKAGES, below). A large number of binary packages are provided. Please see the PACKAGES file (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.1/PACKAGES) for more details. The CD-ROMs contain source code for all the subsystems explained above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.1/README) file explains how to deal with these source files. For those who are doing an FTP install, the source code for all four subsystems can be found in the pub/OpenBSD/5.1/ directory: xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz Ports tree and package building by Jasper Lievisse Adriaanse, Landry Breuil, Michael Erdely, Stuart Henderson, Peter Hessler, Paul Irofti, Antoine Jacoutot, Robert Nagy, and Christian Weisgerber. System builds by Theo de Raadt, Mark Kettenis, and Miod Vallat. X11 builds by Todd Fries and Miod Vallat. ISO-9660 filesystem layout by Theo de Raadt. We would like to thank all of the people who sent in bug reports, bug fixes, donation cheques, and hardware that we use. We would also like to thank those who pre-ordered the 5.1 CD-ROM or bought our previous CD-ROMs. Those who did not support us financially have still helped us with our goal of improving the quality of the software. Our developers are: Alexander Bluhm, Alexander Hall, Alexander Schrijver, Alexander Yurchenko, Alexandr Shadchin, Alexandre Ratchov, Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot, Ariane van der Steldt, Austin Hook, Benoit Lecocq, Bernd Ahlers, Bob Beck, Bret Lambert, Bryan Steele, Camiel Dobbelaar, Can Erkin Acar, Charles Longeau, Chris Kuethe, Christian Weisgerber, Christiano F. 
Haesbaert, Claudio Jeker, Dale Rahn, Damien Bergamini, Damien Miller, Darren Tucker, David Coppa, David Gwynne, David Hill, David Krause, Edd Barrett, Eric Faurot, Federico G. Schwindt, Felix Kronlage, Gilles Chehade, Giovanni Bechis, Gleydson Soares, Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze, Jacek Masiulaniec, Jakob Schlyter, Janne Johansson, Jason George, Jason McIntyre, Jason Meltzer, Jasper Lievisse Adriaanse, Jeremy Evans, Jim Razmus II, Joel Knight, Joel Sing, Joerg Zinke, Jolan Luff, Jonathan Armani, Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Joshua Elsasser, Joshua Stein, Kenji Aoyama, Kenneth R Westerback, Kevin Lo, Kevin Steves, Kurt Miller, Landry Breuil, Laurent Fanis, Luke Tymowski, Marc Espie, Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden, Mark Uemura, Markus Friedl, Martin Pieuchot, Martynas Venckus, Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Erdely, Mike Belopuhov, Mike Larkin, Miod Vallat, Nayden Markatchev, Nicholas Marriott, Nick Holland, Nigel Taylor, Nikolay Sturm, Okan Demirmen, Otto Moerbeek, Owain Ainsworth, Pascal Stumpf, Paul de Weerd, Paul Irofti, Peter Hessler, Peter Valchev, Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard, Remi Pointel, Reyk Floeter, Robert Nagy, Ryan Freeman, Ryan Thomas McBride, Sasano, Sebastian Benoit, Sebastian Reitenbach, Simon Bertrang, Simon Perreault, Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Takuya Asada, Ted Unangst, Theo de Raadt, Thordur I Bjornsson, Tobias Stoeckmann, Tobias Weingartner, Todd C. Miller, Todd Fries, Uwe Stuehler, Will Maier, William Yodlowsky, Yasuoka Masahiko, Yojiro Uo
Re: Google SoC 2012 is accepting open source organisations
Actually, there are a couple of organisations that are willing to act as a proxy for the payments to organisations that are unable to deal with the legalities imposed by the US IRS - it is not just foreigners that have issues some projects inside the US just don't have the ability to deal with the tax monster. I cannot recall which ones they are at the moment, if asked they will take the money from google and hand it on. Just ask on the GSoC mentors mailing list. I know of no such mailing list, and certainly Google didn't put me on to it when I had problems with their contract. If you guys want this so freaking badly wake up.. I'm right here. I'm willing to write the project proposals working with the other developers, and I'm willing to supervise and mentor a worthy few students. I'm not willing to put myself, or the OpenBSD foundation, in a nasty legal situation over this. If some proxy organization will deal with the damn google contract, then they need to talk to me. You guys want it, put people in touch with me.
Re: Google SoC 2012 is accepting open source organisations
I have done GSoC as a mentor before though I have not been the admin for a project Have you dealt with the google contract then?
Re: Google SoC 2012 is accepting open source organisations
1) The OpenBSD Foundation is NOT OpenBSD. 2) That application never elicited a reply from Google, so no contract to read or sign was presented or known of. 3) At some later point the required contract was obtained and, as Theo has said, nobody in the OpenBSD project or at the OpenBSD Foundation was interested in signing it after reading it. In a nutshell, I'm the guy who is willing to take on some personal responsibility in order to have this happen. However when the contract is put in front of me and I (as a non USA person) ask questions about it, basically the people at Google stop answering. I don't personally blame them, they are techies, they are trying to do the right thing. However they don't end up in a position where they are able to talk to anyone at the company about the pitfalls of someone foreign signing something with USA tax consequences. Heck as the supervisor they want to give me money - an Honorarium. I don't *want* the money because it causes me problems personally to accept it from them (and when signing something as a director of a Canadian not for profit I actually can't legally take it!) and while they seem able to say they will not give me the money, they can't remove all the parts of the contract about me taking the money that give me problems. I would just like to get the interested student the money. However it has always bogged down around issues like this. Unfortunately this all gets turned into we don't want to participate in SOC. this isn't true for all of us. I would be willing to try, and have. it just has not been workable for an entity that does not have a legal presence in the United States. I'm always willing to try again if this message is read by someone at Google who can untangle the bureaucracy...
Re: Google SoC 2012 is accepting open source organisations
they didn't say that Theo refused to sign any paper. Just wonder, what kind of responsibility that paper was about? Accepting student's code to OpenBSD code base or something? No, it's actually about personal liability for the mentor (i.e. me) for taxes and other such nonsense. Google SOC actually does *not* require that the code be accepted into the project at the end. Fundamentally, I have no objections to the principle of summer of code, it's the byzantine paperwork and scary contract I have to sign as a mentor to do this for you. I'm more than willing to hang my personal ass out there a little bit for this, working at a university I can sort of blah blah blah a lot of the legal crap when it comes to students, but I do have my limits.. sorry... and as soon as I delete objectionable bits in the contract, the dialogue with the Googlers stops, I suspect because they can't get any traction with their internal legal people.
Re: Google SoC 2012 is accepting open source organisations
at first, I'd notice, 3) != 4), right? May not be the same, however they do want mentorship from somewhere associated to the projects. at second, taxes are rather government thing, not googlish? why should I sign something with Google about taxes? It doesn't make any sense. Because companies in the USA just do this.. whether it is to avoid paying taxes or to keep the governmental tax-gestapo at bay.. I don't pretend for it to make sense.
Anyone got a 48 port gigabit switch, small and lower power? looking for a good home?
OpenBSD's building infrastructure has a need for such things. if you are in the process of rewhacking your network, I would love to hear from you if you have such beasts that might be sent our way. We are looking to get these things in Calgary, Canada.
Re: locate weirdness
So, you're advocating incomplete information? Is that not a bigger problem? No, we don't support old releases. 4.3 is very old. You should update your OS to something supported, and likely your problem will go away.
Openbsd 4.9 released May 1, 2011
and macppc. During installation, you can install X.Org quite easily. Be sure to try out xdm(1) and see how we have customized it for OpenBSD. The OpenBSD ports tree contains automated instructions for building third party software. The software has been verified to build and run on the various OpenBSD architectures. The 4.9 ports collection, including many of the distribution files, is included on the 3-CD set. Please see the PORTS file for more information. Note: some of the most popular ports, e.g., the Apache web server and several X applications, come standard with OpenBSD. Also, many popular ports have been pre-compiled for those who do not desire to build their own binaries (see BINARY PACKAGES, below). A large number of binary packages are provided. Please see the PACKAGES file (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.9/PACKAGES) for more details. The CD-ROMs contain source code for all the subsystems explained above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.9/README) file explains how to deal with these source files. For those who are doing an FTP install, the source code for all four subsystems can be found in the pub/OpenBSD/4.9/ directory: xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz Ports tree and package building by Jasper Lievisse Adriaanse, Landry Breuil, Michael Erdely, Stuart Henderson, Peter Hessler, Paul Irofti, Antoine Jacoutot, Robert Nagy, and Christian Weisgerber. System builds by Theo de Raadt, Mark Kettenis, and Miod Vallat. X11 builds by Todd Fries and Miod Vallat. ISO-9660 filesystem layout by Theo de Raadt. We would like to thank all of the people who sent in bug reports, bug fixes, donation cheques, and hardware that we use. We would also like to thank those who pre-ordered the 4.9 CD-ROM or bought our previous CD-ROMs. Those who did not support us financially have still helped us with our goal of improving the quality of the software. 
Our developers are: Aleksander Piotrowski, Alexander Bluhm, Alexander Hall, Alexander Yurchenko, Alexandr Shadchin, Alexandre Ratchov, Antoine Jacoutot, Ariane van der Steldt, Artur Grabowski, Austin Hook, Benoit Lecocq, Bernd Ahlers, Bob Beck, Bret Lambert, Camiel Dobbelaar, Can Erkin Acar, Charles Longeau, Chris Kuethe, Christian Weisgerber, Claudio Jeker, Dale Rahn, Damien Bergamini, Damien Miller, Darren Tucker, David Coppa, David Gwynne, David Hill, David Krause, Edd Barrett, Eric Faurot, Federico G. Schwindt, Felix Kronlage, Gilles Chehade, Giovanni Bechis, Henning Brauer, Hikaru Abe, Ian Darwin, Igor Sobrado, Ingo Schwarze, Jacek Masiulaniec, Jacob Meuser, Jakob Schlyter, James Wright, Janne Johansson, Jason George, Jason McIntyre, Jason Meltzer, Jasper Lievisse Adriaanse, Jeremy Evans, Jim Razmus II, Joel Sing, Johan Mson Suorra, Jolan Luff, Jonathan Armani, Jonathan Gray, Jordan Hargrave, Joshua Elsasser, Joshua Stein, Kenneth R Westerback, Kevin Lo, Kevin Steves, Kjell Wooding, Kurt Miller, Landry Breuil, Laurent Fanis, Marc Espie, Marco Peereboom, Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden, Mark Uemura, Markus Friedl, Martin Hedenfalk, Martynas Venckus, Mathieu Sauve-Frankel, Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Erdely, Michael Knudsen, Michele Marchetto, Mike Belopuhov, Mike Larkin, Miod Vallat, Nicholas Marriott, Nick Holland, Nikolay Sturm, Okan Demirmen, Oleg Safiullin, Otto Moerbeek, Owain Ainsworth, Ozawa Tsuyoshi, Paul de Weerd, Paul Irofti, Peter Hessler, Peter Valchev, Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard, Ray Lai, Remi Pointel, Reyk Floeter, Robert Nagy, Ryan Thomas McBride, Ryo Shimizu, Sasano, Sebastian Reitenbach, Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Suenaga Hiroki, Takuya Asada, Ted Unangst, Theo de Raadt, Thordur I Bjornsson, Tobias Stoeckmann, Tobias Weingartner, Todd C. 
Miller, Todd Fries, Will Maier, William Yodlowsky, Xavier Santolaria, Yasuoka Masahiko, Yojiro Uo
Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)
Hi all, A number of you may have noticed the recent flurry of activity, leading to stuff like bigmem being turned on.. Some more good stuff is coming soon (my amd64 at my house is using 7 gigabytes of memory for buffer cache, and I'm doing builds without touching disks..). Some really cool stuff is being worked on and is coming to a source tree near you soon. However, I'd like to take the opportunity to remind you all, that the project does depend on CD and shirt sales to keep it alive. Yes you may not use a CD all the time, but the latest one is pretty cool. So, short answer? Go buy a CD. Pre-orders are a little slow this release, and we need to see some more activity in that area. Then maybe I'll stop worrying about it and commit that thing that will make your amd64 use even more buttloads of memory too! So - yes we like donations, but we also like CD sales.. now is the time to help out. Thanks -Bob
Re: OpenBSD 4.8 freezes on certain activities
Are you able to try the following? see if it solves your problem. Index: sys/kern/vfs_bio.c === RCS file: /cvs/src/sys/kern/vfs_bio.c,v retrieving revision 1.126 diff -u -r1.126 vfs_bio.c --- sys/kern/vfs_bio.c 3 Aug 2010 06:30:19 - 1.126 +++ sys/kern/vfs_bio.c 5 Nov 2010 17:32:44 - @@ -672,21 +672,10 @@ */ if (!ISSET(bp-b_flags, B_DELWRI)) { SET(bp-b_flags, B_DELWRI); - bp-b_synctime = time_uptime + 35; s = splbio(); reassignbuf(bp); splx(s); curproc-p_stats-p_ru.ru_oublock++;/* XXX */ - } else { - /* -* see if this buffer has slacked through the syncer -* and enforce an async write upon it. -*/ - if (bp-b_synctime time_uptime) { - bawrite(bp); - return; - } - } /* If this is a tape block, write the block now. */ if (major(bp-b_dev) nblkdev 
@@ -727,7 +716,6 @@ if (ISSET(bp-b_flags, B_DELWRI) == 0) { SET(bp-b_flags, B_DELWRI); - bp-b_synctime = time_uptime + 35; reassignbuf(bp); } } On 3 November 2010 05:17, Michay Koc m...@prime.pl wrote: Hi All, I've just upgraded two of my OpenBSD machines to 4.8: hw.machine=i386 hw.model=Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz (GenuineIntel 686-class) hw.product=DG31PR and hw.machine=i386 hw.model=Intel(R) Atom(TM) CPU D510 @ 1.66GHz (GenuineIntel 686-class) hw.product=D510MO Dmesgs are below. The problem is that they freeze every time I try to: - rsync two local filesystems on different physical disks - high disk IO - about 30GB - run nagios with about 900 probes - hight network IO and ndcpy like 3000 in systat, lots of forks, load average raising to 5 and above High disk IO freeze occurs about 30 seconds after rsync start and is permanent. High network IO freeze occurs several minutes after nagios start and sometimes machines are responsive for limited time. Pkill nagios resolves the problem, machine becomes responsive. In both cases machines behind nat still have internet connectivity. Local services like ssh or console are unavailable. Snapshot from 2010-11-02 22:51:00 does not resolve the issue. The Atom machine freezes much faster than Core2Duo. any help appreciated best regards M.K. Core2Duo dmesg: OpenBSD 4.8 (GENERIC.MP) #359: Mon Aug 16 09:16:26 MDT 2010 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz (GenuineIntel 686-class) 3.01 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,S SSE3,CX16,xTPR,PDCM,SSE4.1 real mem = 3476889600 (3315MB) avail mem = 3410038784 (3252MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 02/27/08, SMBIOS rev. 2.4 @ 0xe8170 (42 entries) bios0: vendor Intel Corp. 
version PRG3110H.86A.0047.2008.0227.1745 date 02/27/2008 bios0: Intel Corporation DG31PR acpi0 at bios0: rev 2 acpi0: sleep states S0 S1 S3 S4 S5 acpi0: tables DSDT FACP APIC HPET MCFG acpi0: wakeup devices P0P1(S3) PS2K(S3) PS2M(S3) UAR1(S3) P0P2(S4) USB0(S3) USB1(S3) USB2(S3) USB3(S3) EUSB(S3) MC97(S4) PEX0(S4) PEX1(S4) PEX2(S4) PEX3(S4) SLPB(S4) PWRB(S3) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 333MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz (GenuineIntel 686-class) 3 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,S SSE3,CX16,xTPR,PDCM,SSE4.1 ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 4 (P0P2) acpiprt2 at acpi0: bus 2 (PEX0) acpiprt3 at acpi0: bus 3 (PEX1) acpiprt4 at acpi0: bus -1 (PEX2) acpiprt5 at acpi0: bus -1 (PEX3) acpicpu0 at acpi0:, C3, C2, C1, PSS acpicpu1 at acpi0:, C3, C2, C1, PSS acpibtn0 at acpi0: SLPB acpibtn1 at acpi0: PWRB bios0: ROM list: 0xc/0xb400! cpu0: Enhanced SpeedStep 3000 MHz: speeds: 2997, 1998 MHz pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 Intel 82G33 Host rev 0x10 ppb0 at pci0 dev 1 function 0 Intel 82G33 PCIE rev 0x10: apic 0 int 16 (irq 11) pci1 at ppb0 bus 1 vga1 at pci0 dev 2 function 0 Intel 82G33 Video rev 0x10 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) intagp0 at vga1 agp0 at intagp0: aperture at 0xd000, size
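Review bot: in the first hunk of the vfs_bio.c patch above (@@ -672,21 +672,10 @@), deleting the else branch removes the only path visible here that pushed an already-B_DELWRI buffer out with bawrite() once it had outlived its sync time, so such a buffer now simply falls through to the tape-block check; the change should state, in a comment at that spot or in the commit message, what now bounds how long a repeatedly rewritten buffer can stay dirty. Both hunks also delete every assignment to b_synctime shown in the patch, so if nothing else sets that field, the field and any remaining readers of it should be removed in the same change rather than left comparing against a value that is never updated.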
Re: Same shit all over again
Well, tinyurl redirects to my box which redirects to trollaxer. Here is the culprit log for falling for such a silly trick. 83.101.24.229 - - [15/Aug/2010:19:13:12 -0400] GET /why.html HTTP/1.1 200 136 - Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.0.11) Gecko/2009070118 Firefox/3.0.11 # host kd85.com kd85.com has address 83.101.24.229 # cat why.html html head meta http-equiv=refresh content=0;url=http://www.trollaxor.com/2010/06/why-i-left-openbsd.html; / /head /html Nicely done David - I'm very impressed - as you know I mentioned before this on hackers that this sounded very kd85 like - and you confirmed my suspicions very effectively. Any time I see someone talking about commit bits I think of this and laugh - as this is someone who has never done a commit to OpenBSD. The lies in the message that was sent are pretty good too - Were we in the middle of a release cycle - were people cranky? Yes, absolutely - you know what - sane people have disagreements - all the time. however. Machines were not turned off. Everyone still had access to what they were doing Was the tree locked? yes - as problems have been found in test and need to be fixed. It's still locked - but we'll ship a good release for that. The priceless one is how the wim calls for a vote - yeah - that works real well for netbsd. and is also signing his messages H and R to deceive people as to the real identity and to foster suspicion within the community I find that particularly reprehensible - but not surprising. Nothing could surprise me from this source anymore. I get the impression that this sort of behaviour is normal from Wim - it seems to make the same amount of sense as kd85's normal business practices - Sorry I can't go along with that. I pay my taxes, and I pay for my own house with my own money. I encourage Wim to fork his own project that will be run and funded fully, and openly, and accountable to all involved. I'm sure it will be a resounding success.
Re: Same shit all over again
Theo has been back for a day already. and like the rest of a lot of us, is trying to get a test and release cycle out the door to ship a release - that means we have better things to do than entertain misc@ by responding to Wim's idiotic bullshit. Wanna help? go install snapshots on as many different things as you can and tell us if you see any problems. That's a much more useful activity than watching misc@ for trolls. Pop popcorn with the waste heat of all the machines you are spinning up. On 16 August 2010 10:46, Bryan Irvine sparcta...@gmail.com wrote: Will someone warn me 2 minutes before Theo gets back? I'd like to have some popcorn ready. :-) On Mon, Aug 16, 2010 at 9:27 AM, Bob Beck b...@ualberta.ca wrote: Well, tinyurl redirects to my box which redirects to trollaxer. Here is the culprit log for falling for such a silly trick. 83.101.24.229 - - [15/Aug/2010:19:13:12 -0400] GET /why.html HTTP/1.1 200 136 - Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.0.11) Gecko/2009070118 Firefox/3.0.11 # host kd85.com kd85.com has address 83.101.24.229 # cat why.html html head meta http-equiv=refresh content=0;url=http://www.trollaxor.com/2010/06/why-i-left-openbsd.html; / /head /html Nicely done David - I'm very impressed - as you know I mentioned before this on hackers that this sounded very kd85 like - and you confirmed my suspicions very effectively. Any time I see someone talking about commit bits I think of this and laugh - as this is someone who has never done a commit to OpenBSD. The lies in the message that was sent are pretty good too - Were we in the middle of a release cycle - were people cranky? Yes, absolutely - you know what - sane people have disagreements - all the time. however. Machines were not turned off. Everyone still had access to what they were doing Was the tree locked? yes - as problems have been found in test and need to be fixed. It's still locked - but we'll ship a good release for that. 
The priceless one is how the wim calls for a vote - yeah - that works real well for netbsd. and is also signing his messages H and R to deceive people as to the real identity and to foster suspicion within the community I find that particularly reprehensible - but not surprising. Nothing could surprise me from this source anymore. I get the impression that this sort of behaviour is normal from Wim - it seems to make the same amount of sense as kd85's normal business practices - Sorry I can't go along with that. I pay my taxes, and I pay for my own house with my own money. I encourage Wim to fork his own project that will be run and funded fully, and openly, and accountable to all involved. I'm sure it will be a resounding success.
Re: libc/glob(3) DoS PoC for ftp.openbsd.org and ftp.netbsd.org
It's rather astonishing what attempts to pass for a credible security advisory today. oh, I made a lot of connections to the site and they blocked me. Thank you, Maksymilian, for showing us all that you can execute a denial of service attack from 90.156.82.13. I wonder how many connections his site supports to his services. perhaps some similar security expert can test his connection rate and let us all know. # traceroute -n 90.156.82.13 traceroute to 90.156.82.13 (90.156.82.13), 64 hops max, 40 byte packets 1 129.128.5.2 6.906 ms 0.818 ms 1.444 ms 2 129.128.3.194 0.306 ms 0.303 ms 0.306 ms 3 129.128.3.130 0.345 ms 0.502 ms 0.656 ms 4 129.128.3.170 0.502 ms 0.726 ms 1.443 ms 5 64.42.209.114 5.628 ms 5.562 ms 5.272 ms 6 216.18.32.13 6.337 ms 5.676 ms 5.752 ms 7 66.59.190.198 18.936 ms 19.18 ms 18.523 ms 8 66.59.190.18 18.384 ms 18.659 ms 18.426 ms 9 67.69.199.105 17.797 ms 17.785 ms 18.111 ms 10 64.86.115.13 17.369 ms 17.651 ms 17.175 ms 11 216.6.98.29 68.828 ms 69.162 ms 69.146 ms 12 216.6.57.9 87.943 ms 87.828 ms 87.879 ms 13 195.219.69.29 175.930 ms 176.47 ms 175.804 ms 14 195.219.69.2 189.366 ms 176.757 ms 179.460 ms 15 195.219.180.6 193.562 ms 197.755 ms 197.880 ms 16 195.219.246.2 181.461 ms 201.536 ms 179.635 ms 17 83.238.251.56 177.432 ms 177.971 ms 177.115 ms 18 83.238.250.38 189.741 ms 190.70 ms 189.646 ms 19 83.238.250.12 191.123 ms 193.99 ms 192.135 ms 20 83.238.251.41 189.843 ms 189.805 ms 189.245 ms 21 87.204.248.202 188.981 ms 189.167 ms 459.987 ms 22 87.99.33.90 190.739 ms 190.637 ms 190.955 ms 23 87.99.32.202 190.180 ms 190.271 ms 190.160 ms 24 90.156.82.13 289.39 ms 331.276 ms 319.419 ms ^C # host 90.156.82.13 13.82.156.90.in-addr.arpa domain name pointer 90-156-82-13.magma-net.pl. # On 2 July 2010 15:47, Theo de Raadt dera...@cvs.openbsd.org wrote: OK, I am letting the maintainer of the site know, at the University Campus that you have just executed a denial of service against. 
I am surprised that you would go out of your way to declare so freely that you have purposely participated in a denial of service. Return-Path: c...@securityreason.com Delivery-Date: Fri Jul 2 15:38:24 2010 Received: from shear.ucar.edu (lists.openbsd.org [192.43.244.163]) by cvs.openbsd.org (8.14.3/8.12.1) with ESMTP id o62LcNgR016472 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=FAIL) for dera...@cvs.openbsd.org; Fri, 2 Jul 2010 15:38:24 -0600 (MDT) Received: from v117864.home.net.pl (v117864.home.net.pl [89.161.252.8]) by shear.ucar.edu (8.14.3/8.14.3) with SMTP id o62LcG20025931 for dera...@openbsd.org; Fri, 2 Jul 2010 15:38:17 -0600 (MDT) Received: from 90-156-82-13.magma-net.pl [90.156.82.13] (HELO [127.0.0.1]) by securityreason.home.pl [89.161.252.8] with SMTP (IdeaSmtpServer v0.70) id a6e20078b871f388; Fri, 2 Jul 2010 22:38:15 +0200 Message-ID: 4c2e4e40.4080...@securityreason.com Date: Fri, 02 Jul 2010 22:38:24 +0200 From: Maksymilian Arciemowicz c...@securityreason.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5 MIME-Version: 1.0 To: dera...@openbsd.org, secur...@openbsd.org Subject: libc/glob(3) DoS PoC for ftp.openbsd.org and ftp.netbsd.org X-Enigmail-Version: 1.0.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ?php /* Libc/glob(3) denial-of-service Maksymilian Arciemowicz from SecurityReason.com This script has been used to attack ftp.openbsd.org and ftp.netbsd.org Result (ftp.openbsd.org): - - Connection refused and in the end # telnet ftp.openbsd.org 21 Trying 129.128.5.191... Connected to ftp.openbsd.org. Escape character is '^]'. 421- If you are seeing this message you have been blocked from using 421- this ftp server - most likely for mirroring content without paying 421- attention to what you were mirroring or where you should be mirroring 421- it from, or for excessive connection rates. 
421- OpenBSD should *NOT* be mirrored from here, you should use 421- a second level mirror as described in http://www.openbsd.org/ftp.html 421 Connection closed by foreign host. # ;] Result (ftp.netbsd.org): - - no more access for anonymous On 02.07.2010 20:29 CET, ftp.netbsd.org has return: 530 User ftp access denied, connection limit of 160 reached. Affter attack from one host */ $conf['host']= $argv[1] ? $argv[1] : HOST; $conf['user'] =$argv[2] ? $argv[2] : anonymous; $conf['pass'] =$argv[3] ? $argv[3] : m...@cxib.net; $conf['port']= $argv[4] ? $argv[4] : 21; $dirnames=array('A', 'B', 'C', 'D', 'E','F','G','H','I','J','K','M','N','O','P'); $pathsent={..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{ ..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*c x; // fts_levelsumary $fts_level=2;
OpenBSD 4.7 Released, May 19 2010
. During installation, you can install X.Org quite easily. Be sure to try out xdm(1) and see how we have customized it for OpenBSD. The OpenBSD ports tree contains automated instructions for building third party software. The software has been verified to build and run on the various OpenBSD architectures. The 4.7 ports collection, including many of the distribution files, is included on the 3-CD set. Please see the PORTS file for more information. Note: some of the most popular ports, e.g., the Apache web server and several X applications, come standard with OpenBSD. Also, many popular ports have been pre-compiled for those who do not desire to build their own binaries (see BINARY PACKAGES, below). A large number of binary packages are provided. Please see the PACKAGES file (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.7/PACKAGES) for more details. The CD-ROMs contain source code for all the subsystems explained above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.7/README) file explains how to deal with these source files. For those who are doing an FTP install, the source code for all four subsystems can be found in the pub/OpenBSD/4.7/ directory: xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz Ports tree and package building by Jasper Lievisse Adriaanse, Michael Erdely, Simon Bertrang, Stuart Henderson, Antoine Jacoutot, Robert Nagy, Nikolay Sturm, and Christian Weisgerber. System builds by Theo de Raadt, Mark Kettenis, and Miod Vallat. X11 builds by Todd Fries and Miod Vallat. ISO-9660 filesystem layout by Theo de Raadt. We would like to thank all of the people who sent in bug reports, bug fixes, donation cheques, and hardware that we use. We would also like to thank those who pre-ordered the 4.7 CD-ROM or bought our previous CD-ROMs. Those who did not support us financially have still helped us with our goal of improving the quality of the software. 
Our developers are: Alexander Bluhm, Alexander Hall, Alexander von Gernler, Alexander Yurchenko, Alexandre Ratchov, Alexey Vatchenko, Anders Magnusson, Andreas Gunnarsson, Anil Madhavapeddy, Antoine Jacoutot, Ariane van der Steldt, Artur Grabowski, Austin Hook, Benoit Lecocq, Bernd Ahlers, Bob Beck, Bret Lambert, Can Erkin Acar, Chad Loder, Charles Longeau, Chris Kuethe, Christian Weisgerber, Claudio Jeker, Dale Rahn, Damien Bergamini, Damien Miller, Dariusz Swiderski, Darren Tucker, David Gwynne, David Hill, David Krause, Edd Barrett, Eric Faurot, Esben Norby, Fabien Romano, Federico G. Schwindt, Felix Kronlage, Gilles Chehade, Giovanni Bechis, Gordon Willem Klok, Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze, Jacek Masiulaniec, Jacob Meuser, Jakob Schlyter, Janne Johansson, Jared Yanovich, Jason Dixon, Jason George, Jason McIntyre, Jason Meltzer, Jasper Lievisse Adriaanse, Jim Razmus II, Joel Sing, Joerg Goltermann, Johan Mson Lindman, Jolan Luff, Jonathan Armani, Jonathan Gray, Jordan Hargrave, Joshua Stein, Kenneth R Westerback, Kevin Lo, Kevin Steves, Kjell Wooding, Kurt Miller, Landry Breuil, Laurent Fanis, Marc Espie, Marco Peereboom, Marco Pfatschbacher, Marco S Hyman, Marcus Glocker, Marek Vasut, Mark Kettenis, Mark Uemura, Markus Friedl, Martin Reindl, Martynas Venckus, Mathieu Sauve-Frankel, Mats O Jansson, Matthias Kilian, Matthieu Herrb, Michael Erdely, Michael Knudsen, Michele Marchetto, Mike Larkin, Miod Vallat, Moritz Grimm, Moritz Jodeit, Nicholas Marriott, Nick Holland, Nikolay Sturm, Okan Demirmen, Oleg Safiullin, Otto Moerbeek, Owain Ainsworth, Paul de Weerd, Paul Irofti, Peter Hessler, Peter Stromberg, Peter Valchev, Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard, Rainer Giedat, Reyk Floeter, Robert Nagy, Rui Reis, Ryan Thomas McBride, Simon Bertrang, Simon Perreault, Stefan Kempf, Stefan Sperling, Stephan A. 
Rickauer, Steven Mestdagh, Stuart Henderson, Takuya Asada, Ted Unangst, Theo de Raadt, Thordur I Bjornsson, Tobias Stoeckmann, Tobias Weingartner, Todd C. Miller, Todd Fries, Will Maier, William Yodlowsky, Xavier Santolaria, Yasuoka Masahiko, Yojiro Uo
Re: OpenBSD 4.7 Released, May 19 2010
Congratulations but I can't find a mirror with the release Did you read the entire message, in that was: ---8-- 1) Read either of the following two files for a list of ftp mirrors which provide OpenBSD, then choose one near you: http://www.OpenBSD.org/ftp.html ftp://ftp.OpenBSD.org/pub/OpenBSD/4.7/ftplist As of May 19, 2010, the following ftp mirror sites have the 4.7 release: ftp://ftp.eu.openbsd.org/pub/OpenBSD/4.7/ Stockholm, Sweden ftp://ftp.bytemine.net/pub/OpenBSD/4.7/ Oldenburg, Germany ftp://mirror.aarnet.edu.au/pub/OpenBSD/4.7/ Brisbane, Australia ftp://ftp.wu-wien.ac.at/pub/OpenBSD/4.7/Vienna, Austria ftp://ftp.usa.openbsd.org/pub/OpenBSD/4.7/ CO, USA ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.7/ CA, USA ftp://obsd.cec.mtu.edu/pub/OpenBSD/4.7/ Michigan, USA The release is also available at the master site: ftp://ftp.openbsd.org/pub/OpenBSD/4.7/ Alberta, Canada However it is strongly suggested you use a mirror. Other mirror sites may take a day or two to update. ---8-- so I find it somewhat difficult to believe you could not find a mirror. Perhaps OpenBSD is not for you.
Re: OpenBSD 4.7 Released, May 19 2010
well, that looks a bit screwed, since it lists ftp.openbsd.org as not having everything :) On 19 May 2010 12:19, Stuart Henderson s...@spacehopper.org wrote: On 2010-05-19, Jorge Medina jo...@bsdchile.cl wrote: Congratulations but I can't find a mirror with the release http://spacehopper.org/up2date.html
www.openbsd.org/ftp.openbsd.org downtime - Sunday Mar 21, 0800-1530 MDT
Hey gang The University of Alberta is having a large scale electrician party in our data center on Sunday Mar 21 to bring more power into it. As a result we'll be without cooling for the duration. Expect ftp/www.openbsd.org along with anoncvs1.ca.openbsd.org and the web/ftp fanout machines to be unavailable for this period. Don't be surprised when we drop off the world for a little while on Sunday. If all goes well we should be back by 15:30 MDT (likely before) -Bob
Re: observed spamd behavior
2010/1/7 open...@noid.net: In the absence of any feedback, I would say that I have two feature requests for spamd (Bob, are you out there?): 1) Detect '500 5.5.1 Command unrecognized' loops, and when found, start to gap response times with an increasing delay. 2) When a client does not wait for spamd's 220 opening message to complete before sending, greytrap that client. I'll take a look at both. -Bob Thanks for your consideration. - Tor On Sat, Jan 02, 2010 at 03:15:03PM -0800, open...@noid.net wrote: Hello, I've got spamd working well (it's very cool!)... Sometimes I see in pftop a state entry that shows spamd has a very old connection that is actively still passing traffic (lasts for hours)... I was able to capture one of these as it began (using tcpdump). Here's what the trace shows (in distilled SMTP): send: 220 my recv: EHLO bogon.domain.com\r\n send: host.domain.net ESMTP MTA; Mon Dec 28 07:55:59 2009\r\n send: 250 Hello, spam sender. Pleased to be wasting your time.\r\n recv: HELO bogon.domain.com\r\n send: 500 5.5.1 Command unrecognized\r\n recv: \r\n send: 500 5.5.1 Command unrecognized\r\n recv: \r\n send: 500 5.5.1 Command unrecognized\r\n recv: \r\n ... etc, approximately two 5.5.1 errors per second This client sends its EHLO before waiting for spamd to complete sending its 220 opening message. I try to show that above using an indentation on the third line (the second send line). In fact, spamd is doing its normal trick of stuttering out the 220 opening message one char per packet... I think spamd's state table is correct in not allowing the SMTP session to reset upon receiving the subsequent HELO. My questions are as follows: Should spamd start to reduce bandwidth for a session by extending reply times after some trigger like too many errors sent or too much time spent...? When a client sends its EHLO (or anything at all) before waiting for the server's 220 opening message to complete, is that not grounds for immediate greytrapping? 
I do not think spamd enforces that at the moment. This would be similar to sendmail's FEATURE(`greet_pause') in that there would be a penalty for such misbehavior... Thanks for your consideration. - Tor
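The two checks requested in the thread above, applied to a session trace shaped like the one in the report; this is an added example, not spamd code and not part of the original messages. The trace is constructed, and the function name, the threshold of 3 errors and the doubling delay capped at 60 seconds are assumptions chosen for illustration.

```python
# Model of the two requested checks over a list of (direction, data) events:
#   1) early talker: the client sends anything before the 220 banner line is complete
#   2) error loop: consecutive "500 5.5.1" replies trigger an increasing reply delay
# Thresholds and the delay schedule are assumptions, not spamd behaviour.

ERROR_PREFIX = "500 5.5.1"


def audit_session(events, loop_threshold=3, base_delay=1.0, max_delay=60.0):
    """Return early-talker status, longest error run and the delay per error reply."""
    banner = ""            # banner bytes sent so far (spamd stutters it out in pieces)
    banner_done = False
    early_talker = False
    streak = 0             # current run of consecutive 500 5.5.1 replies
    longest = 0
    delays = []            # seconds to wait before each 500 5.5.1 reply

    for direction, data in events:
        if direction == "send":
            if not banner_done:
                banner += data
                banner_done = banner.startswith("220") and "\r\n" in banner
                continue
            if data.startswith(ERROR_PREFIX):
                streak += 1
                longest = max(longest, streak)
                over = streak - loop_threshold
                # No delay until the run reaches the threshold, then double each time.
                delays.append(0.0 if over < 0 else min(base_delay * 2 ** over, max_delay))
            else:
                streak = 0
        elif not banner_done:
            # Client data arrived while the greeting was still being sent.
            early_talker = True

    return {"early_talker": early_talker, "longest_error_run": longest, "delays": delays}


def constructed_trace(error_replies=6):
    """Constructed sample shaped like the distilled SMTP trace in the report."""
    trace = [
        ("send", "220 my"),
        ("recv", "EHLO bogon.domain.com\r\n"),
        ("send", "host.domain.net ESMTP MTA; Mon Dec 28 07:55:59 2009\r\n"),
        ("send", "250 Hello, spam sender. Pleased to be wasting your time.\r\n"),
        ("recv", "HELO bogon.domain.com\r\n"),
    ]
    for _ in range(error_replies):
        trace.append(("send", "500 5.5.1 Command unrecognized\r\n"))
        trace.append(("recv", "\r\n"))
    return trace


# Constructed well-behaved session for comparison.
POLITE_TRACE = [
    ("send", "220 host.domain.net ESMTP MTA\r\n"),
    ("recv", "EHLO mail.example.org\r\n"),
    ("send", "250 Hello\r\n"),
    ("recv", "QUIT\r\n"),
    ("send", "221 Bye\r\n"),
]

if __name__ == "__main__":
    print(audit_session(constructed_trace()))
    print(audit_session(POLITE_TRACE))
```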
Re: spamd.conf format
2009/12/21 Nick Berg nickb...@gmail.com: From the spamd.conf manual: The format of the list of addresses is expected to consist of one network block or address per line (optionally followed by a space and text that is ignored). Comment lines beginning with # are ignored. Network blocks may be specified in any of the formats as in the following example: # CIDR format 192.168.20.0/24 # A start - end range 192.168.21.0 - 192.168.21.255 # As a single IP address 192.168.23.1 Given the condition that an entry followed by a space has the remaining text ignored, would that not invalidate the start - end range entry? Should that not get interpreted as: no. because a range entry is still an entry. 192.168.21.0 #comment starts here On that note, if a space after an entry denotes the start of ignored text, will Spamhaus' DROP list http://www.spamhaus.org/drop/drop.lasso get parsed correctly, or should that get run through sed to strip out everything after a semicolon? Its format: ; Spamhaus DROP List 12/22/09 - (c) 2009 The Spamhaus Project 110.44.0.0/20 ; SBL74731 116.199.128.0/19 ; SBL56563 119.42.144.0/21 ; SBL70035 120.143.128.0/21 ; SBL67396 121.46.64.0/18 ; SBL72673 128.168.0.0/16 ; SBL51908 that first line with the semicolon list will not parse.
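A small model of the address-list format quoted from the spamd.conf manual in the message above, run over the manual's example and the DROP excerpt from the post; this is an added example, not spamd's own parser and not part of the original messages. The function names are hypothetical, and treating a failed address parse as "will not parse" is an assumption based on the reply in the thread.

```python
import ipaddress
import re

# "start - end" range as shown in the manual excerpt quoted in the thread.
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
RANGE_RE = re.compile(rf"^({_IP})\s*-\s*({_IP})(?:\s|$)")


def parse_line(line):
    """Return the networks named by one list line ([] for blank/# comment lines).

    Raises ValueError when the line is not a CIDR block, a range or an address.
    Text after the entry and a space is ignored, as the manual describes.
    """
    text = line.strip()
    if not text or text.startswith("#"):
        return []
    m = RANGE_RE.match(text)
    if m:
        start = ipaddress.IPv4Address(m.group(1))
        end = ipaddress.IPv4Address(m.group(2))
        if start > end:
            raise ValueError(f"range start after end: {text!r}")
        # A range is still one entry; express it as the covering CIDR blocks.
        return list(ipaddress.summarize_address_range(start, end))
    entry = text.split()[0]          # everything after the first space is ignored
    return [ipaddress.ip_network(entry, strict=False)]


def parse_list(lines):
    """Parse a whole list; return (networks, rejected) with rejected as (lineno, text)."""
    networks, rejected = [], []
    for lineno, line in enumerate(lines, start=1):
        try:
            networks.extend(parse_line(line))
        except ValueError:
            rejected.append((lineno, line.strip()))
    return networks, rejected


def to_spamd_comments(lines):
    """Rewrite lines that start with ';' as '#' comments; leave entries untouched."""
    return ["# " + l.lstrip()[1:].strip() if l.lstrip().startswith(";") else l for l in lines]


# The example from the manual, as quoted in the post.
MANUAL_EXAMPLE = [
    "# CIDR format",
    "192.168.20.0/24",
    "# A start - end range",
    "192.168.21.0 - 192.168.21.255",
    "# As a single IP address",
    "192.168.23.1",
]

# The first lines of the DROP excerpt quoted in the post.
DROP_EXCERPT = [
    "; Spamhaus DROP List 12/22/09 - (c) 2009 The Spamhaus Project",
    "110.44.0.0/20 ; SBL74731",
    "116.199.128.0/19 ; SBL56563",
    "119.42.144.0/21 ; SBL70035",
]

if __name__ == "__main__":
    print(parse_list(MANUAL_EXAMPLE))
    print(parse_list(DROP_EXCERPT))
    print(parse_list(to_spamd_comments(DROP_EXCERPT)))
```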
Re: Web Browsers
2009/12/18 nixlists nixmli...@gmail.com: On Fri, Dec 18, 2009 at 9:07 PM, Marco Peereboom sl...@peereboom.us wrote: firefox + adsuck What is your opinion on Chrome, OpenBSD gurus? Okay we all know about its privacy and identity leakage concerns. It's designed by Google with this built-in - they want to know everything about you and don't care about your privacy, yada yada. But what about its supposedly more secure multi-process design. Is it really better than Firefox and others in this regard? Well, in theory, if they can stick to it, a privsep design is more secure from the point of view of the application. When done right. Now, is it a small and secure program? I dunno: You decide: # uname -a OpenBSD cthulhu.cns.ualberta.ca 4.6 GENERIC.MP#27 amd64 # pwd /usr/local/chrome # ldd chrome chrome: StartEnd Type Open Ref GrpRef Name 0040 02c9f000 exe 10 0 chrome 000209b99000 00020a0cc000 rlib 014 0 /usr/X11R6/lib/libX11.so.12.0 000210dbf000 0002111c8000 rlib 07 0 /usr/X11R6/lib/libXrender.so.5.0 0002069ca000 000206ddb000 rlib 07 0 /usr/X11R6/lib/libXext.so.10.0 000212468000 000212877000 rlib 01 0 /usr/local/lib/libexecinfo.so.0.0 00021037f000 000210bab000 rlib 01 0 /usr/local/lib/libgtk-x11-2.0.so.1402.0 0002111f4000 0002116aa000 rlib 02 0 /usr/local/lib/libgdk-x11-2.0.so.1402.0 000214671000 000214a8c000 rlib 03 0 /usr/local/lib/libgdk_pixbuf-2.0.so.1402.0 00020449 00020489d000 rlib 03 0 /usr/local/lib/libpangocairo-1.0.so.1801.0 00020a66 00020aa62000 rlib 03 0 /usr/X11R6/lib/libXinerama.so.5.0 00020ff75000 00021037f000 rlib 03 0 /usr/X11R6/lib/libXi.so.10.1 0002058fc000 000205d04000 rlib 03 0 /usr/X11R6/lib/libXrandr.so.6.1 00020db06000 00020df1 rlib 03 0 /usr/X11R6/lib/libXcursor.so.4.0 0002029e5000 000202de8000 rlib 03 0 /usr/X11R6/lib/libXcomposite.so.3.0 000202e4d000 00020325 rlib 03 0 /usr/X11R6/lib/libXdamage.so.3.1 0002065c 0002069c5000 rlib 06 0 /usr/X11R6/lib/libXfixes.so.5.0 000211fc2000 0002123e rlib 02 0 /usr/local/lib/libatk-1.0.so.2800.0 00020ce25000 
00020d2b rlib 04 0 /usr/local/lib/libcairo.so.9.2 000213dfc000 000214236000 rlib 05 0 /usr/X11R6/lib/libpixman-1.so.15.8 00020976e000 000209b99000 rlib 05 0 /usr/local/lib/libglitz.so.2.0 00020df1 00020e338000 rlib 01 0 /usr/local/lib/libpng.so.9.0 00020efb6000 00020f3d2000 rlib 015 0 /usr/X11R6/lib/libxcb.so.2.0 000205d04000 000206105000 rlib 016 0 /usr/X11R6/lib/libpthread-stubs.so.0.0 00020d532000 00020d935000 rlib 016 0 /usr/X11R6/lib/libXau.so.9.0 0002130c2000 0002134c7000 rlib 016 0 /usr/X11R6/lib/libXdmcp.so.10.0 000207434000 0002078e1000 rlib 04 0 /usr/local/lib/libgio-2.0.so.1802.0 0002156c4000 000215af4000 rlib 04 0 /usr/local/lib/libpangoft2-1.0.so.1801.0 000204a99000 000204ee3000 rlib 05 0 /usr/local/lib/libpango-1.0.so.1801.0 00020610a000 00020654a000 rlib 012 0 /usr/local/lib/libgobject-2.0.so.1802.0 00020c7da000 00020cbdd000 rlib 010 0 /usr/local/lib/libgmodule-2.0.so.1802.0 00020eb7a000 00020efb1000 rlib 06 0 /usr/X11R6/lib/libfontconfig.so.6.0 000204ee3000 000205307000 rlib 07 0 /usr/lib/libexpat.so.9.0 000209038000 0002094ba000 rlib 07 0 /usr/X11R6/lib/libfreetype.so.17.0 000214a8c000 000214ea rlib 08 0 /usr/lib/libz.so.4.1 0002079f7000 000207dfb000 rlib 03 0 /usr/local/lib/libgthread-2.0.so.1802.0 00020fa0e000 00020fed7000 rlib 015 0 /usr/local/lib/libglib-2.0.so.1802.0 000203e02000 00020420d000 rlib 016 0 /usr/local/lib/libintl.so.4.0 00020326b000 000203764000 rlib 017 0 /usr/local/lib/libiconv.so.6.0 00020b96a000 00020bea5000 rlib 03 0 /usr/local/lib/libnss3.so.24.0 000212c95000 0002130c2000 rlib 01 0 /usr/local/lib/libsmime3.so.24.0 0002116aa000 000211af rlib 01 0 /usr/local/lib/libsoftokn3.so.24.0 00020e73c000 00020eb75000 rlib 01 0 /usr/local/lib/libssl3.so.24.0 0002152c1000 0002156c4000 rlib 06 0 /usr/local/lib/libplds4.so.21.0 00020e338000 00020e73c000 rlib 06 0 /usr/local/lib/libplc4.so.21.0 000206de 000207219000 rlib 08 0
Re: OT: Have you hugged your local OpenBSD dev lately?
From past experience, I would expect much waving of hands over a two-week period, with lots of experts telling you It's a complicated problem, running around in circles finding even MORE complicated problems to solve, and then things going back to its general state of apathy with respect to security issues.

I don't believe it's apathy, as much as a realization that in general, the focus of the developers will always be on speed and eye candy to the expense of all else, including stability and security. As such we concentrate on looking at things that can mitigate somewhat, at least in the saner cases, such as when it is not an accelerated driver with full access to the machine. Then we at least have some more secure by default options. The fact is though, monstrously accelerated X with full access to the machine hardware bypasses much of the security protection openbsd provides. Do some people want/need it? Sure. But they should do so understanding that they are incurring a greater risk by using it in this manner.
Re: OT: Have you hugged your local OpenBSD dev lately?
The Journal Of Child Psychology And Psychiatry has concluded that an estimated 98 percent of children under the age of 10 are remorseless sociopaths with little regard for anything other than their own egocentric interests and pleasures. http://www.theonion.com/content/news/new_study_reveals_most_children I just don't think in this case here that it is limited to Children only. (; The people who publish such research, and those that read it and find it novel have obviously never been parents themselves, or even someone's boss. People are at the core motivated by their own self-interest. Anyone who says they aren't is selling something.
Re: OT: Have you hugged your local OpenBSD dev lately?
| People are at the core motivated by their own self-interest. Anyone | who says they aren't is selling something. Yes, they're selling hilarity. It's The Onion, after all. Yes, but it's funny because it's true. Even OpenBSD developers are motivated by self interest...Ever wonder why the answers on misc@ are so taunting or dismissive for people who whine without producing code?
Re: malloc: out of space in kmem_map
2009/12/14 Jeff Ross jr...@openvistas.net:
> Hi all, While doing some pgbench runs on a new server before I put it on-line, I triggered a malloc: out of space in kmem_map panic. trace and ps (long) below, dmesg below that. I have adjusted sysctl values like so for postgres:
>
> # For PostgreSQL Port
> kern.seminfo.semmni=1024
> kern.seminfo.semmns=9082
> kern.shminfo.shmall=128000
> kern.shminfo.shmmax=202800
>
> I see softdep mentioned in the trace below, so here's /etc/fstab

Doctor doctor.. It hurts when I do this.. Well.. Don't do that! Your problem is that the kernel has run out of kernel memory. Those knobs you all cranked up to eleventy billion consume kvm. The reason they are set to lower limits is to prevent the sort of situation you have encountered. When you crank them to eleventy billion, and then start eleventy billion processes that consume such resources, expect the possibility of issues.
Re: running openbsd 4.6 under qemu
Current qemu releases (more recent than in the ports tree) do not run on OpenBSD (have not been able to solve this yet *sigh*) so the above person has Linux running natively and OpenBSD inside a newer qemu. Originally it was kvm that had this bug but looks like qemu is now bug-for-bug compatible with this in recent versions of qemu. Whee. arch=qemu, arch=vmware anyone? it's not like it's an actual PC :)
Re: Why is getaddrinfo breaking POSIX?
2009/12/11 Theo de Raadt dera...@cvs.openbsd.org: I did a quick perusal of the source (and compared it against the NetBSD tree) and it looks like the easiest way to make getaddrinfo() thread safe is to TURN OFF Yellow Pages (pee). NetBSD changes the only variable globals to local (in the yp code by removing the caching optimization) and puts a mutex in the yp code to protect its global variables. I would do the work but I can't test it (I have refused to use YP for the last 17.5 years). If someone volunteers to test, I'll rework the code. It would be silly to turn off YP to solve this. It's much like saying that the simplest way to avoid children being hurt in car accidents during their teens is to abort them at birth. YP is good stuff. It is going to get us LDAP for nearly free.

Indeed. far more sane to just make YP thread safe... Then we wouldn't have to abort anything. (Won't someone think of the children!)
Re: ComixWall terminated [WAS: ComixWall 4.6 released, December 8, 2009]
COMIXWALL isn't a fork, it's just a preinstalled configuration panel for OpenBSD and a collection of nice utilities. And considering (and no offence here) the COMIXWALL developers are enthusiasts not paid professional developers. So where's the harm asking some advice? After all let's face it some of the brightest minds in computer security lurk on this list and code for OpenBSD/OpenSSL.

So it belongs as a port then. Not as a distribution - and not sending release announcements to OpenBSD lists. Do we see release announcements here for other new ports? Do we see release announcements on our lists for Firefox? The point is not whether comixwall is a good thing. While I'll debate the wisdom of advertising yourself as a separate distribution when really you are a set of configuration tools, the point is simple:

* Release Announcements For things that are not OpenBSD do not belong on OpenBSD lists *

- We don't tell people who have other ported applications that run on openbsd to spew every release announcement over our lists - why should ComixWall be any different? This should not be difficult to understand.
Re: Free Gorillas
2009/12/8 Paige Thompson erra...@devel.ws: ftp.openbsd.org got rid of the free gorillas, whats up with that? According to eminent authority, it's because OpenBSD Developers are Masturbating Monkeys - not gorillas.
Re: spamd greylisting and 2nd MX question
I certainly do not see this behaviour. Sounds to me very likely that your primary is not reachable for some reason and they are trying the secondary.

2009/12/5 inet_use...@samerica.com: Hi, I am using the -M option of spamd and I am seeing a lot of good servers being trapped because they tried the secondary MX first. What I am assuming is that they tried the primary MX, which created a greylist entry. But this entry expired, and after that, they tried to connect to the 2nd MX. If I increase the greyexp value of the -G option (which is the default of 4 hours), I suppose the greylist entry for these servers will last longer. Is there a chance that by doing so I will see less traps for this reason? Thanks in advance. Regards, Jose
Re: asynchronous I/O
2009/12/4 Ted Unangst ted.unan...@gmail.com: On Fri, Dec 4, 2009 at 10:20 AM, Luis Useche use...@gmail.com wrote: Exactly, I am more interested more in something close to aio_read aio_write. I was hoping there was some api I can use. Is there any reason why POSIX aio does not exist in OBSD? Nobody wrote it. And: APPLICATION USAGE The aio_read() function is part of the Asynchronous Input and Output option and need not be available on all implementations.
Re: TiVo + ATT/squid + web caching issue.
Here's a nickel kid - Get a better ISP. Fuck people, if you don't vote with your feet when they do this shit eventually you'll be able to do nothing.

2009/12/1 Christopher Hilton ch...@vindaloo.com: I'm having a problem running a TiVo for my mother-in-law. To save some money she changed her ISP to ATT. The issue is that ATT is running some sort of transparent web cache proxy at the base of their network and the TiVo will not load its daily guide data through the cache. ATT also charges for this kind of Tech support so getting the caching issue fixed is not an option. I'm running my firewall on OpenBSD and my in-laws have a similar firewall setup. I have already setup an IPSEC VPN between their house and mine. The setup looks like this:

Tivo [ In laws fw ] --- ( Internet ) --- [ my fw ] --- my net

The firewall setup is partially for my convenience. I want to seamlessly get to my servers when I'm over there for a bit of time. Their default gateway sends them to the internet through their ATT connection but can also get to things on my network. If the tunnel goes down the internet works fine but they cannot see things in my house. What I would like to do is arrange for their TiVo to pass all of its traffic through the tunnel and out through my firewall since my ISP is a bit easier to deal with. -- Chris There will be an answer, Let it be. e: chris -at- vindaloo -dot- com
Re: Security via the NSA?
Like everyone verifies SSL.. right? 2009/11/21 Samuel Baldwin recursive.for...@gmail.com: 2009/11/21 AG computing.acco...@googlemail.com: Depends on whether one trusts the NSA or not. That's the nice thing about open source software; we don't have to, because we can verify their code or mathematics ourselves. -- Samuel Baldwin - logik.li
Re: Spamd china and korea lists
We're having issues with them periodically blocking our access to the site - which has happened since we have a failure. I have a version of the lists there now, but I think it may actually be time to retire that example from spamd.conf - those lists just aren't as useful as they were in past years.

2009/11/24 Rod Whitworth glis...@witworx.com:
On Tue, 24 Nov 2009 18:55:49 -0800, Jason LaRiviere wrote:

Hello all, Willing to suffer scorn if I've missed a commit message or previous post on the matter, but I've been getting a 404 for these two lists since approximately the `unplanned maintenance' www event of a few weeks ago. Shall I comment them out of spamd.conf, or will they make their return? Regards, Jason.

A long long time ago we had a similar problem. My solution has stayed in place ever since. Cobbled up QD but it works.

script = okean:

    #!/bin/sh
    ftp -o /var/db/china.txt http://www.okean.com/chinacidr.txt
    ftp -o /var/db/korea.txt http://www.okean.com/koreacidr.txt

crontab entry for okean:

    26 14 * * * /root/bin/okean

part of spamd.conf:

8< snip --

    # Mirrored from http://www.okean.com/chinacidr.txt
    china:\
        :black:\
        :msg="SPAM. Your address %A appears to be from China\n\
        See http://www.okean.com/asianspamblocks.html for more details":\
        :method=file:\
        :file=/var/db/china.txt:

    # Mirrored from http://www.okean.com/koreacidr.txt
    korea:\
        :black:\
        :msg="SPAM. Your address %A appears to be from Korea\n\
        See http://www.okean.com/asianspamblocks.html for more details":\
        :method=file:\
        :file=/var/db/korea.txt:

8< end snip --

No more problems since. Hints: pick some oddball time for the cronjob, once a day is fine as changes are rare. I use a similar technique for nixspam too. Good enough for you? You're welcome! I think that the people running that site don't realise that it is better for OpenBSD to mirror it than to have us all hitting it daily but you just can't get through to some people.

*** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you. Rod/

--- This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
Re: Authpf and more than 992 users
2009/11/18 Janusz Gumkowski janusz.gumkow...@am.torun.pl:
> Is it at all possible to have more than 992 simultaneous authpf users ?

Yes, use more than one machine.

> Digging out an old post of mine, still not having any real solution but a couple of ugly hacks instead, trying to get rid of them finally. To the point: is allocating a pty for authpf logins really necessary ?

Yes.

> What side-effects can I expect if I disable it ?

Probably bad things.
Re: OpenBSD platform of choice?
i386/amd64. Nothing else is realistic these days. Sparc64 is wonderful but is basically legacy - it's great for finding bugs and I use it for hacking but is not something I run in production. All my production gear is i386 or amd64 - with a few exceptions. Yes, the hardware sucks and the biosen were written by monkeys and have their fingers in everything making the machine even more stupid. There are no realistic alternatives. There might have been if Sun hadn't been so determined to turn itself from a good hardware company into a company trying to compete in Microsoft's product space (selling bad bloated software) where they had no hope of doing as well except in crowds that would buy it because at least it's not Microsoft.

2009/11/9 Daniel Gracia Garallar danie...@electronicagracia.com: Hi there! Now that I have to change my little server farm and I'm able to choose a new platform, I would like to choose wisely. It's a matter of fact that Intel x86 is bogus-prone, and after experimenting a lot with OpenBSD and listening about the different archs since several years ago, I tend to think that most of the developers have a taste for Sparc derived machines as being more... predictable. But of course, no machine is bug free. So thinking about security and stability, what would be your OpenBSD platform of choice? Keep in mind that in this question price is not a factor. I'm just curious about preferences based on CPU features and their implementation on OpenBSD. Regards! Dani
Re: OpenBSD platform of choice?
2009/11/12 Lars Nooden lars.cura...@gmail.com: Stupid business decisions aside, you can get if you try Sparc from Sun or Fujitsu for server work

Kind of, but I don't really think it's got a future. It's kind of like advocating necrophilia with a fresh corpse.. or maybe just doing it with a really hot coma patient. It might be really good for a short time but you know there isn't much potential there for a long term relationship.
Re: OpenBSD platform of choice?
2009/11/12 Bob Beck b...@ualberta.ca: Kind of, but I don't really think it's got a future. It's kind of like advocating necrophilia with a fresh corpse.. or maybe just doing it with a really hot coma patient. It might be really good for a short time but you know there isn't much potential there for a long term relationship.

Or at least that is, unless you're into the old, messy, and unnatural. We have people like that..
Re: Truncation Data Loss
2009/11/10 Jussi Peltola pe...@pelzi.net: On Tue, Nov 10, 2009 at 11:18:57AM -0700, Theo de Raadt wrote: If you want to never lose data, you have an option. Make the filesystem synchronous, using the -o sync option. If you can't accept the performance hit from that, then please accept that all the work done over the ages is only on ensuring metadata-safety for a low performance penalty. It has never been about trying to promise file data consistency when that could only be achieved by synchronous file data writing. And the more or less correct solution to improve the performance is battery backed RAID write cache, but it's no silver bullet.

Other than it will still blow goats because it will be bashing all that data synchronously over the bus. The best silver bullets are the bullets that just shoot the users that care either about this, and/or performance. Once you shoot enough of them performance improves to an acceptable level.
Re: kern.bufcachepercent
I don't know what version of plus46.html you are looking at - but that text doesn't appear in any version I look at. Of course it is in the cvs commit log, but that's not the same thing. That same commit was backed out before 4.6 - and has since gone back into current.

2009/11/4 Luis Useche use...@gmail.com: On Tue, Nov 3, 2009 at 11:44 PM, Bob Beck b...@ualberta.ca wrote: 2009/11/3 Luis Useche use...@gmail.com: I read in the 4.6 changelog that this was part of the release. Am I missing something? Do I have to recompile? Or this is just a bug? Yeah you are missing something. Listen to the *whole* presentation and read the *whole* changelog. This is *not* in 4.6 It is in current. OK. Sorry for the noise. In any case, this change is in the 4.6 changelog (twice, http://www.openbsd.org/plus46.html):
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
2009/11/3 Gilles Chehade gil...@openbsd.org: On Tue, Nov 03, 2009 at 04:58:25PM -0700, Theo de Raadt wrote: [bcc'd to Dan Goodin @ theregister] If anyone wants a choice quote from me about the recent Linux holes, this is what I have to say: Linus is too busy thinking about masturbating monkeys, he doesn't have time to care about Linux security. I was considering offering him this: http://www.wellcoolstuff.com/Merchant2/graphics/0001/20-Apr-07-05.jpg But couldn't get my hands on one yet ;-)

God damn Gilles.. And you didn't find one to bring to us at a hackathon! Linus doesn't *deserve* one of those - I thought because I work on OpenBSD only I do! I will be deeply offended if Linus gets one of those before OpenBSD developers do.. Well, the hell with the rest of you.. *I* at least want one first.. Proudly! Linus doesn't deserve one 'till he has a commit in our tree. ;) -Bob
Re: kern.bufcachepercent
2009/11/3 Luis Useche use...@gmail.com: I read in the 4.6 changelog that this was part of the release. Am I missing something? Do I have to recompile? Or this is just a bug?

Yeah you are missing something. Listen to the *whole* presentation and read the *whole* changelog. This is *not* in 4.6 It is in current.
Re: Secure way to delete data in hard disc
2009/10/28 Noah Pugsley noa...@bendtel.com: Can I interest you in a pair of steganograpanties? Or for cooler weather, steganograpantaloons?

The problem with steganograpanties is that residual images of my ass are present *underneath* the panties - therefore if the offending Germans were to use high technology panty-removing chemicals (like ethanol) they could actually view the residual data present underneath the panties! As assuredly every German who is after my ass will possess this technology it behooves me to take adequate precautions to obscure the data... I'm thinking kind of along the lines of the full-ass Kat-Von-D stenographic ass-stealthing tattoo...
Re: 200g harddisk after newfs = Available 174g?
There are many stupid ideas in other operating systems, I don't see why we should be required to implement them.

Yeah, and the discussion of my ass is a more productive discussion than talking about making df display marketing gigabytes. That'll happen in openbsd right after we switch the default filesystem to apple hfs, and while we're at it replace the yp code with netinfo because it's so much better.
Re: privileged instruction fault trap
2009/10/29 Roger Schreiter ro...@planinternet.de: Today, the system crashed, . kernel: privileged instruction fault trap, code=0 Stopped at ip_output +0xb8: ddb _ . Any helpful hints?

http://www.openbsd.org/cgi-bin/man.cgi?query=crash&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
apache or other reverse proxy.

2009/10/29 Matthew Young myoung24...@gmail.com: Hello, I am looking for a way to have an allowed list of SSL enabled sites that an end user can browse, but this entirely done on a server level with _zero_ configuration on the pc. In a dream world, squid would be able to transparently proxy https and thus I would create an allowed list of ssl sites specific to each LAN user (based on private IP or MAC) that he/she can access. As we know this isn't the case because this breaks SSL. Does anybody know a way I can actually accomplish this? My Thoughts: I thought of a way to then take my list of SSL enabled sites (gmail.com for example) and resolve the domain to an IP and then add it in a firewall so that X user has access to port 443 for only those specific IPs. However the downside to this is that if gmail (or any other site I do this) changes the IP (which they will) the firewall rule which is static would need an update. Besides gmail's https hostname resolves to the same IP of google.com A records so I would be fiddling with those at the same time and thus basically be allowing or disallowing the entire google domain when I truly really wanted just an access list of gmail.com. Would there be a way to make then some type of sniffer which would capture when users try to enter a https site and then somehow create a dynamic rule of some kind to let traffic out based on an allowed list? There must be a practical way, right guys? Thanks --Matt
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
Yep. That's why https encrypts the url transmission. The point is you aren't *supposed* to be able to do that securely. Your reverse proxy which does this will look like the standard hotel room silliness.

2009/10/29 Matthew Young myoung24...@gmail.com: Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. I am not mistaken. -- Matt

On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote: apache or other reverse proxy.

2009/10/29 Matthew Young myoung24...@gmail.com: Hello, I am looking for a way to have an allowed list of SSL enabled sites that an end user can browse, but this entirely done on a server level with _zero_ configuration on the pc. In a dream world, squid would be able to transparently proxy https and thus I would create an allowed list of ssl sites specific to each LAN user (based on private IP or MAC) that he/she can access. As we know this isn't the case because this breaks SSL. Does anybody know a way I can actually accomplish this? My Thoughts: I thought of a way to then take my list of SSL enabled sites (gmail.com for example) and resolve the domain to an IP and then add it in a firewall so that X user has access to port 443 for only those specific IPs. However the downside to this is that if gmail (or any other site I do this) changes the IP (which they will) the firewall rule which is static would need an update. Besides gmail's https hostname resolves to the same IP of google.com A records so I would be fiddling with those at the same time and thus basically be allowing or disallowing the entire google domain when I truly really wanted just an access list of gmail.com. Would there be a way to make then some type of sniffer which would capture when users try to enter a https site and then somehow create a dynamic rule of some kind to let traffic out based on an allowed list? There must be a practical way, right guys? Thanks --Matt
Re: openbsd ca tutorial
http://lmgtfy.com/?q=OpenSSL+set+up+own+Certificate+Authority

2009/10/29 Abdullah Sendul coffeesm...@gmail.com: Hi, I am trying to create my own CA on openbsd. but unfortunately couldn't find any tutorial on this, there are some on freebsd, linux, but they are giving some errors. can you please point me correct place if there is one. thanks \sendul
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
Not unless you know the ip addresses of everything you're hitting. No amount of magic will make relayd intercept an https session and get the url out without sending a bogus certificate to the user. If you have a limited set of places to go, sure, it'll work, but so will just a plain old pf rule restricting outbound 443 connections to the same set of addresses. Trying to do this for akamai type moving targets will be an exercise in frustration though. You could always just ensure all your users are using internet explorer or firefox with all the whining turned off, and intercept the ssl cookies anyway. Most of the users probably won't notice or will click ok and simply blather along after clicking ok enough times to make it accept the forgery.

2009/10/29 James Records james.reco...@gmail.com: may be able to do something with relayd, though i'm not sure. J

On Thu, Oct 29, 2009 at 12:57 PM, Matthew Young myoung24...@gmail.com wrote: Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. I am not mistaken. -- Matt

On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote: apache or other reverse proxy.

2009/10/29 Matthew Young myoung24...@gmail.com: Hello, I am looking for a way to have an allowed list of SSL enabled sites that an end user can browse, but this entirely done on a server level with _zero_ configuration on the pc. In a dream world, squid would be able to transparently proxy https and thus I would create an allowed list of ssl sites specific to each LAN user (based on private IP or MAC) that he/she can access. As we know this isn't the case because this breaks SSL. Does anybody know a way I can actually accomplish this? My Thoughts: I thought of a way to then take my list of SSL enabled sites (gmail.com for example) and resolve the domain to an IP and then add it in a firewall so that X user has access to port 443 for only those specific IPs. However the downside to this is that if gmail (or any other site I do this) changes the IP (which they will) the firewall rule which is static would need an update. Besides gmail's https hostname resolves to the same IP of google.com A records so I would be fiddling with those at the same time and thus basically be allowing or disallowing the entire google domain when I truly really wanted just an access list of gmail.com. Would there be a way to make then some type of sniffer which would capture when users try to enter a https site and then somehow create a dynamic rule of some kind to let traffic out based on an allowed list? There must be a practical way, right guys? Thanks --Matt
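The "plain old pf rule" approach from the reply above, as an added example that is not code from the thread: it turns a hostname allowlist into a pf table and reports the two weaknesses the thread raises, names that share an allowed address and addresses that change. The DNS answers are constructed (documentation address ranges), and the `$int_if` and `$lan_net` macros and the `https_ok` table name are assumptions, not anything from the posters' configurations.

```python
import ipaddress

# Constructed resolver answers, so the example runs offline. mail.example and
# www.example sit behind the same front ends, like the gmail.com / google.com
# case described in the thread.
DNS_MONDAY = {
    "mail.example":  ["192.0.2.10", "192.0.2.11"],
    "www.example":   ["192.0.2.10", "192.0.2.11"],
    "video.example": ["192.0.2.10"],
    "bank.example":  ["198.51.100.7"],
}
# The same zone later in the week: mail.example has moved one address.
DNS_FRIDAY = dict(DNS_MONDAY, **{"mail.example": ["192.0.2.11", "192.0.2.12"]})


def _key(addr):
    # Sort IPv4 before IPv6 so mixed tables never raise TypeError.
    return (addr.version, int(addr))


def resolve(name, dns):
    return [ipaddress.ip_address(a) for a in dns.get(name, [])]


def build_table(allowed_names, dns):
    """Return (sorted table addresses, names that did not resolve)."""
    addrs, unresolved = set(), []
    for name in allowed_names:
        found = resolve(name, dns)
        if not found:
            unresolved.append(name)
        addrs.update(found)
    return sorted(addrs, key=_key), unresolved


def collateral_names(allowed_names, dns):
    """Names that are NOT allowed but share an address with one that is.

    pf only sees addresses, so these become reachable on 443 as well.
    """
    table = set(build_table(allowed_names, dns)[0])
    leaked = {}
    for name in sorted(dns):
        if name in allowed_names:
            continue
        shared = sorted((a for a in resolve(name, dns) if a in table), key=_key)
        if shared:
            leaked[name] = [str(a) for a in shared]
    return leaked


def table_drift(old_table, new_table):
    """Return (addresses to add, addresses to remove) between two resolutions."""
    old, new = set(old_table), set(new_table)
    return sorted(new - old, key=_key), sorted(old - new, key=_key)


def render_pf(table, table_name="https_ok"):
    """Emit pf.conf lines; $int_if and $lan_net are assumed to be defined."""
    # Filtering inbound on the inside interface avoids depending on NAT order.
    lines = ["block return in on $int_if proto tcp from $lan_net to any port 443"]
    if table:  # with nothing resolved, fail closed: keep only the block rule
        members = ", ".join(str(a) for a in table)
        lines.insert(0, f"table <{table_name}> const {{ {members} }}")
        lines.append(
            f"pass in on $int_if proto tcp from $lan_net to <{table_name}> port 443"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    allowed = ["mail.example", "bank.example"]
    monday, missing = build_table(allowed, DNS_MONDAY)
    print(render_pf(monday))
    print("unresolved:", missing)
    print("also reachable:", collateral_names(allowed, DNS_MONDAY))
    friday, _ = build_table(allowed, DNS_FRIDAY)
    print("drift (add, remove):", table_drift(monday, friday))
```

Re-running the resolution from cron and reloading the table covers drift only between runs; the shared-address overlap cannot be removed at the address level at all.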
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
browsing ssl by IP addresses will also result in certificate conflicts - because the ssl cert is for the name not the IP address. So if they were willing to do that, they're willing to have your stupid reverse proxy mitm all your certificates since they'll also fail. Perhaps between my extremely subtle taunting, I should give up and just ask you *why* the hell do you want to do this?

2009/10/29 Matthew Young myoung24...@gmail.com: This is great, however our LAN users are all technical. they would know and the next thing I have is people browsing the internet through IPs. It was good, but not applicable here.

On Thu, Oct 29, 2009 at 3:11 PM, Chris Kuethe chris.kue...@gmail.com wrote: So run your own dns and only resolve good domains. Then the proxy can only find the things you want it to.

On Oct 29, 2009 1:03 PM, Matthew Young myoung24...@gmail.com wrote: Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. I am not mistaken. -- Matt

On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote: apache or other reverse proxy...
Re: Secure way to delete data in hard disc
I would rather my family photos Yeah, but I hike with bastards who take pictures of my ass and put it up on the internet for all to see.. So how can I delete the data from his web server? Is there some kind of remote bioctl --de-assify I could run?
Re: Secure way to delete data in hard disc
What, you have pictures of my ass too? Obviously I must make something to write a random pattern over my entire ass so that It won't be recognized if some germans steal it.
Re: Secure way to delete data in hard disc
2009/10/28 Henning Brauer lists-open...@bsws.de: * Bob Beck b...@openbsd.org [2009-10-28 20:57]: I would rather my family photos Yeah, but I hike with bastards who take pictures of my ass and put it up on the internet for all to see.. So how can I delete the data from his web server? Is there some kind of remote bioctl --de-assify I could run? yes: echo delete this pic of my ass: http:///; | mail -s asspic henning What, you have pictures of my ass too? :)
Re: CVSync problems?
ahhh. Nick, you should not be depending on mirrors to run cvsync to do that. Every time you pull the repository from me you should afterwards run a cvscan.. cvscan -c /etc/cvsyncd.conf which recreates the file correctly every time. -Bob 2009/10/19 Nick Holland n...@holland-consulting.net: naddy@ told me the solution... cvsync keeps what it calls a scanfile, apparently tracking what versions it has of what files. The file is specified in the cvsync config file you use when you run cvsync. In my case, it was about 14M in size. Rename that file, and re-run cvsync, it will recreate the file. This run will probably take a little longer, but it fixed my problem nicely. Naddy@ indicated that you may need to delete the gnu/gcc directory as well, but I don't seem to have needed to do that. It is POSSIBLE some mirrors might have this problem, in which case the mirror operator will need to do that, but my mirror (obsd.cec.mtu.edu) seems to have no cvsync problems itself, just my local copy was messed up. Nick. Nick Holland wrote: Emilio Perea wrote: There seems to be a problem with CVSync updates (at least anoncvs1.usa.openbsd.org and anoncvs3.usa.openbsd.org). I believe this started about the time a large number of changes to gcc were made. After updating the tree with csup, run cvsync: I'm seeing a problem, too, starting evening of Oct 15: ... Create src/gnu/gcc/fixincludes/tests/base/time.h,v Create src/gnu/gcc/fixincludes/tests/base/tinfo.h,v Mkdir src/gnu/gcc/fixincludes/tests/base/types Failed (and failures ever since) However, my upstream mirror (which I help manage :) is not showing an error, and has been happily cvsyncing before and after. I'm still investigating what is going on...I'm guessing something got partly synced, and may need to be fixed somewhere, but not sure where yet. I'm doing some testing, but it will take a while to give me any clues... Nick. 
- Forwarded message from Cron Daemon r...@hermes.walkereng.com - Date: 18 Oct 2009 13:30:01 - From: Cron Daemon r...@hermes.walkereng.com To: epe...@hermes.walkereng.com Subject: Cron epe...@hermes /home/eperea/Bin/cvsupdate Starting /home/eperea/Bin/cvsupdate: Sun Oct 18 08:30:01 CDT 2009 Connecting to anoncvs3.usa.openbsd.org port Connected to 192.43.244.161 port Running... Updating (collection openbsd/rcs) /open/anoncvs/cvs/ports/databases/py-storm/patches/patch-test,v: No such file or directory Socket Error: send: Broken pipe Mux(SEND) Error: send FileScan(RCS): UPDATE /open/anoncvs/cvs/ports/devel/gconf-editor/Makefile,v FileScan: RCS Error Socket Error: recv: Connection reset by peer Receiver Error: recv Mux(RECV) Error: not running: 1 Updater: RCS Error Mux(SEND) Error: not running: 0 DirScan: RCS Error Failed Finished updating cvs: Sun Oct 18 08:30:33 CDT 2009 - End forwarded message - Csup still runs without errors: - Forwarded message from Cron Daemon r...@hermes.walkereng.net - Date: 18 Oct 2009 13:45:01 - From: Cron Daemon r...@hermes.walkereng.net To: epe...@hermes.walkereng.net Subject: Cron epe...@hermes /home/eperea/Bin/old.cvsupdate Starting /home/eperea/Bin/cvsupdate: Sun Oct 18 08:45:01 CDT 2009 Connected to 194.45.27.107 Updating collection OpenBSD-all/cvs Append to CVSROOT/ChangeLog Append to CVSROOT/ChangeLog.37 Append to CVSROOT/val-tags Edit ports/infrastructure/build/libtool,v Finished successfully Finished updating cvs: Sun Oct 18 08:47:56 CDT 2009 - End forwarded message -
Re: Forum engine
... how inexperienced web developers default to using MySQL because it has a lower barrier to entry, without considering if it's the right tool for the job or how to configure and secure it appropriately for production use. s/MySQL/php/g s/MySQL/asp/g s/MySQL/JavaScript/g s/inexperienced//g --- If there are *experienced* web developers - they don't write the code. Now you see.. the problem isn't the tools.. it's the Tools that are using them. No all web developers aren't tools, but there's a vast majority, so much so it's hard to find one that doesn't suck that hasn't been assimilated into the Google collective or something similar.