Re: possibility to disable relink in conf
On Thu, Sep 14, 2017 at 10:26 AM, sven falempin wrote:
>
>
> On Wed, Sep 13, 2017 at 9:07 PM, Theo de Raadt wrote:
>>
>> > +[[ $reorder != NO ]] && /usr/libexec/reorder_kernel &
>>
>> No. Kernels get relinked.
>>
>> if you don't like it, make your own personal changes and suffer
>> the consequences.
>>
>> We are not going to add buttons for 1 person.
>>
>> Stop suggesting changes which reduce safety. You provided no
>> justification. "Here have a diff" is a stupid process. Ever wonder
>> why you don't have an account? Hint: You don't discuss, you
>> don't read commit messages, you don't read our justifications,
>> you don't act in the same directions. D.
>>
>
>
> I completely missed the
>
> library_aslr
>
> and/but for kernel
>
> # Skip if /usr/share is on a nfs mounted filesystem.
>
> So yes, Kernels _often_ get relinked,
> instead of being smart and guessing the NFS
> is the only problem, being to explicitly in local conf

is the only problem, being ABLE to explicitly WRITE in local conf

> dropping the cool re-link would be more visible

THAT the cool re-link is being DROPPED ...

>
> and my diff is garbage.
>
> --
> --
> -
> The 1 %on

--
--
-
Knowing is not enough; we must apply. Willing is not enough; we must do
Re: possibility to disable relink in conf
On Wed, Sep 13, 2017 at 9:07 PM, Theo de Raadt wrote:
> > +[[ $reorder != NO ]] && /usr/libexec/reorder_kernel &
>
> No. Kernels get relinked.
>
> if you don't like it, make your own personal changes and suffer
> the consequences.
>
> We are not going to add buttons for 1 person.
>
> Stop suggesting changes which reduce safety. You provided no
> justification. "Here have a diff" is a stupid process. Ever wonder
> why you don't have an account? Hint: You don't discuss, you
> don't read commit messages, you don't read our justifications,
> you don't act in the same directions. D.
>

I completely missed the

library_aslr

and/but for kernel

# Skip if /usr/share is on a nfs mounted filesystem.

So yes, Kernels _often_ get relinked,
instead of being smart and guessing the NFS
is the only problem, being to explicitly in local conf
dropping the cool re-link would be more visible

and my diff is garbage.

--
--
-
The 1 %on
Re: possibility to disable relink in conf
> +[[ $reorder != NO ]] && /usr/libexec/reorder_kernel &

No. Kernels get relinked.

if you don't like it, make your own personal changes and suffer
the consequences.

We are not going to add buttons for 1 person.

Stop suggesting changes which reduce safety. You provided no
justification. "Here have a diff" is a stupid process. Ever wonder
why you don't have an account? Hint: You don't discuss, you
don't read commit messages, you don't read our justifications,
you don't act in the same directions. D.
Re: possibility to disable relink in conf
On Wed, Sep 13, 2017 at 11:58 AM, Theo de Raadt wrote: > Not going to do that. > >> Because sometimes you run not so good device, >> and you boot often. >> >> or you do not want to write on boot. >> >> ( attached file got the tabulation to apply ) >> >> Index: ./etc/rc.conf >> === >> RCS file: /cvs/src/etc/rc.conf,v >> retrieving revision 1.213 >> diff -u -p -r1.213 rc.conf >> --- ./etc/rc.conf 26 Feb 2017 16:51:18 - 1.213 >> +++ ./etc/rc.conf 13 Sep 2017 14:35:21 - >> @@ -51,6 +51,7 @@ rarpd_flags=NO >> rbootd_flags=NO >> relayd_flags=NO >> rebound_flags=NO >> +reorder= # NO to disable relink on boot >> ripd_flags=NO >> route6d_flags=NO # be sure to set net.inet6.ip6.forwarding=1 >> rtadvd_flags=NO # for normal use: list of interfaces >> Index: ./etc/rc >> === >> RCS file: /cvs/src/etc/rc,v >> retrieving revision 1.493 >> diff -u -p -r1.493 rc >> --- ./etc/rc 26 Feb 2017 16:51:18 - 1.493 >> +++ ./etc/rc 13 Sep 2017 14:35:21 - 
>> @@ -411,7 +411,7 @@ mount -s /var >/dev/null 2>&1 >> >> random_seed >> >> -reorder_libs >> +[[ $reorder != NO ]] && reorder_libs $reorder >> >> # Clean up left-over files. >> rm -f /etc/nologin /var/spool/lock/LCK.* >> >> -- >> -- >> - >> Knowing is not enough; we must apply. Willing is not enough; we must do >> >
Sorry, i did not know the stuff was sending text file like that. The diff, from HEAD this time. http
Re: possibility to disable relink in conf
Not going to do that. > Because sometimes you run not so good device, > and you boot often. > > or you do not want to write on boot. > > ( attached file got the tabulation to apply ) > > Index: ./etc/rc.conf > === > RCS file: /cvs/src/etc/rc.conf,v > retrieving revision 1.213 > diff -u -p -r1.213 rc.conf > --- ./etc/rc.conf 26 Feb 2017 16:51:18 - 1.213 > +++ ./etc/rc.conf 13 Sep 2017 14:35:21 - > @@ -51,6 +51,7 @@ rarpd_flags=NO > rbootd_flags=NO > relayd_flags=NO > rebound_flags=NO > +reorder= # NO to disable relink on boot > ripd_flags=NO > route6d_flags=NO # be sure to set net.inet6.ip6.forwarding=1 > rtadvd_flags=NO # for normal use: list of interfaces > Index: ./etc/rc > === > RCS file: /cvs/src/etc/rc,v > retrieving revision 1.493 > diff -u -p -r1.493 rc > --- ./etc/rc 26 Feb 2017 16:51:18 - 1.493 > +++ ./etc/rc 13 Sep 2017 14:35:21 - 
> @@ -411,7 +411,7 @@ mount -s /var >/dev/null 2>&1 > > random_seed > > -reorder_libs > +[[ $reorder != NO ]] && reorder_libs $reorder > > # Clean up left-over files. > rm -f /etc/nologin /var/spool/lock/LCK.* > > -- > -- > - > Knowing is not enough; we must apply. Willing is not enough; we must do >
Re: possibility to disable relink in conf
On 2017/09/13 14:39, sven falempin wrote:
> Because sometimes you run not so good device,
> and you boot often.
>
> or you do not want to write on boot.
>
> ( attached file got the tabulation to apply )

Please check -current before proposing diffs.

revision 1.216
date: 2017/05/30 12:04:26; author: tb; state: Exp; lines: +2 -1; commitid: 10TzgqVCDGumO7GM;
Introduce a scary rc.conf(8) knob library_aslr=(YES|NO) to turn off the
reordering of libraries by rc(8). This way machines with very slow disk I/O
have a chance of booting within reasonable time now that libcrypto is also
randomized.

Discussed with various; input & ok from deraadt ajacoutot
possibility to disable relink in conf
Because sometimes you run not so good device, and you boot often. or you do not want to write on boot. ( attached file got the tabulation to apply ) Index: ./etc/rc.conf === RCS file: /cvs/src/etc/rc.conf,v retrieving revision 1.213 diff -u -p -r1.213 rc.conf --- ./etc/rc.conf 26 Feb 2017 16:51:18 - 1.213 +++ ./etc/rc.conf 13 Sep 2017 14:35:21 - @@ -51,6 +51,7 @@ rarpd_flags=NO rbootd_flags=NO relayd_flags=NO rebound_flags=NO +reorder= # NO to disable relink on boot ripd_flags=NO route6d_flags=NO # be sure to set net.inet6.ip6.forwarding=1 rtadvd_flags=NO # for normal use: list of interfaces Index: ./etc/rc === RCS file: /cvs/src/etc/rc,v retrieving revision 1.493 diff -u -p -r1.493 rc --- ./etc/rc 26 Feb 2017 16:51:18 - 1.493 +++ ./etc/rc 13 Sep 2017 14:35:21 - @@ -411,7 +411,7 @@ mount -s /var >/dev/null 2>&1 random_seed -reorder_libs +[[ $reorder != NO ]] && reorder_libs $reorder # Clean up left-over files. rm -f /etc/nologin /var/spool/lock/LCK.* -- -- - Knowing is not enough; we must apply. Willing is not enough; we must do diff Description: Binary data diff.noflag Description: Binary data
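Review bot: The knob added at `+reorder=` in the rc.conf hunk is named and documented too loosely for a switch that turns off a boot-time hardening step. Every neighbouring entry in the context is a `<daemon>_flags` variable, the comment says "relink" while the rc hunk gates `reorder_libs`, and only the value NO is documented even though the rc hunk also forwards the value as an argument. The diff is also taken against r1.213, and the r1.216 log quoted in this thread already introduces `library_aslr=(YES|NO)` for the same purpose, so this should be rebased on -current and dropped in favour of that knob.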
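Review bot: In the rc hunk, `reorder_libs $reorder` passes the knob's value to a function that the removed line called with no arguments, and the expansion is unquoted, so any value other than NO is word-split into arguments whose meaning the diff never defines. Call `reorder_libs` with no arguments behind the test, and print a line when the knob is NO, since nothing in the hunk makes a skipped reorder visible at boot.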