Re: GPG memory is not secure.
On Tue, 19 Aug 2014 21:49, pentako...@openmailbox.org said:

> In the installation I have this message and fail:
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information

Well, read the FAQ - although I am not sure that our new FAQ still has an answer. If not, please complain and it will be re-added.

The reason for that warning is that the mlock() call failed to mark a couple of memory pages as non-swappable. On older Linux kernels you had to install gpg suid(root) to allow mlock() to work (gpg will drop the permissions right after allocating and locking the memory). Recent Linux kernels grant each process a certain amount of mlock()-able memory without root permissions.

I am not sure about the current status on BSD kernels and frankly I tend to ignore the warning or use no-secmem-warning in my gpg.conf. Encrypted swap is anyway a better protection.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

--
To UNSUBSCRIBE, email to debian-bsd-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87vbpo6ttp@vigenere.g10code.de
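Added example, not part of the original message and not GnuPG's code: the condition behind the warning described above, as a small C program for Linux/glibc that maps a few pages, tries to mlock() them and records a failure instead of aborting. The names secpool, secpool_init, secpool_release and memlock_soft_limit are made up for this example.

```c
/* Added example, not GnuPG's code. All secpool names are hypothetical. */
#define _DEFAULT_SOURCE 1   /* MAP_ANONYMOUS on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

struct secpool { void *base; size_t len; int locked; int lock_errno; };

/* Soft RLIMIT_MEMLOCK: bytes a process may lock without privileges (0 if unknown). */
rlim_t memlock_soft_limit(void)
{
    struct rlimit rl;
    return getrlimit(RLIMIT_MEMLOCK, &rl) == 0 ? rl.rlim_cur : 0;
}

/* Map npages and try to pin them; a failed mlock() is recorded, not fatal. */
int secpool_init(struct secpool *p, size_t npages)
{
    memset(p, 0, sizeof *p);
    p->len = npages * (size_t)sysconf(_SC_PAGESIZE);
    p->base = mmap(NULL, p->len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p->base == MAP_FAILED) { p->base = NULL; return -1; }
    p->locked = (mlock(p->base, p->len) == 0);
    if (!p->locked) p->lock_errno = errno;
    return 0;
}

/* Wipe through a volatile pointer so the stores are kept, then unmap. */
void secpool_release(struct secpool *p)
{
    volatile unsigned char *v = p->base;
    for (size_t i = 0; v && i < p->len; i++) v[i] = 0;
    if (p->base) munmap(p->base, p->len);   /* unmapping also drops the lock */
    p->base = NULL; p->locked = 0;
}

int main(void)
{
    struct secpool p;
    if (secpool_init(&p, 4) != 0) { perror("mmap"); return 1; }
    if (!p.locked)  /* the case gpg reports as "using insecure memory" */
        fprintf(stderr, "pool not locked: %s (soft limit %llu bytes)\n",
                strerror(p.lock_errno), (unsigned long long)memlock_soft_limit());
    secpool_release(&p);
    return 0;
}
```

Comparing the reported soft limit with the pool size shows whether the failure is a resource limit or a missing privilege on the running kernel.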
Re: [Pkg-gnupg-maint] Bug#598471: using insecure memory on GNU/kFreeBSD
On Sat, 13 Nov 2010 21:38, r...@debian.org said:

> Yeah, that is a problem.

Last weekend I tried to port it but I have a lack of understanding how the Debian packages are supposed to work together; in particular the kernel headers and the various system libraries like libgeom etc.

> For that we're missing a port of geli utility, figuring out some init.d

I'd really like to help here because of the g13 tool of GnuPG which I would like to have support for geli as backend. I even pondered with the idea of rewriting geli and to integrate it closely into g13. The lack of documentation in this area makes it not very easy.

> I don't have time to work on this myself. Unless someone else does, I'd
> still recommend adding the SUID bit as a temporary solution.

Might be the easiest way until we have proper disk encryption support.

> P.S. I suggest you update that FAQ ;-)

Will do that. It is easier now because I converted the FAQ to orgmode and it will not be distributed with GnuPG anymore.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

Archive: http://lists.debian.org/87eianu4jb@vigenere.g10code.de
Re: [Pkg-gnupg-maint] Bug#598471: using insecure memory on GNU/kFreeBSD
On Sat, 13 Nov 2010 14:58, r...@debian.org said:

> I disagree. This puts an additional burden on the user. Adding SUID

I can't see why encrypting the swap puts an additional burden on the user or on the machine. If you need to swap/page something you are in either of these situations:

 - The process is idle for a long time. Thus there should be no burden to the user regarding the extra time it takes for the system to swap it out. The system is anyway under some stress.

 - There is a severe memory resource shortage and due to the ongoing swap operations in many processes, the system performance is I/O bounded and the CPU has enough time to do that little symmetric encryption.

Even without having done any benchmarks I'd enable swap encryption by default.

> bit doesn't seem like a security problem. Gnupg drops privileges as soon
> as it's not needed anymore, and upstream recommends this in their FAQ.

Ahemm, the FAQ. Well that beast is old and hopefully the only unmaintained part of GnuPG. The background for the SUID stuff is that back in 1998 encrypted swap partitions were not widely available and disk encryption on GNU/Linux was not available at all (due to US export restrictions). The manual even states (at least I hope) that you should set the SUID bit only if you see the warning, on modern Linux kernels there is no need for it because any process may mlock a few pages which is sufficient.

With an encrypted swap partition all stuff could be much much easier.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

Archive: http://lists.debian.org/87r5ept57v@vigenere.g10code.de
Re: Releasability of the kFreeBSD ports
On Thu, 5 Aug 2010 12:30, a...@debian.org said: This is worse. It's even locally and I either never noticed that because I use kfreebsd remotely most time (despite having that screen on my desk) or it's an regression. Emacs 22 works fine though. I had the same problem for a long time. Now with Emacs 23.2.1 this stupid hack helped me: --- src/xterm.c~2010-04-28 07:01:29.0 +0200 +++ src/xterm.c 2010-04-28 07:35:52.0 +0200 @@ -9310,7 +9310,7 @@ x_make_frame_visible (f) to be read. We used to raise a real alarm, but it seems that the handler isn't always enabled here. This is probably a bug. */ - if (input_polling_used ()) + if (input_polling_used () || 1) { /* It could be confusing if a real alarm arrives while processing the fake one. Turn it off and let the Probably not how it should be but I am finally able to run Emacs 23 with Gnus on my laptop without running into mule/UTF-8 problems in ~/.newsrc.eld. And org-mode is also more recent. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -- To UNSUBSCRIBE, email to debian-bsd-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87iq3izhnm@vigenere.g10code.de
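Review bot: the "|| 1" appended to "if (input_polling_used ())" in x_make_frame_visible makes the condition always true, so the test is dead code and the fake-alarm branch now runs whether or not input polling is in use. If the branch really has to run unconditionally on this platform, remove the test or put the override behind a platform #ifdef, and extend the comment above it (which already says "This is probably a bug") to record why; as posted, the next reader cannot tell the override is deliberate.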
Re: PPPoE support status update
On Mon, 10 May 2010 01:50, anar...@koumbit.org said:

> Ah! I didn't see those packages, they're not part of the official
> archive!

Maybe not anymore - I didn't check.

> PS: it seems you were able to compile PPP with a lot more features than
> I did. Did you patch the source or did it magically work?

IIRC it was part of the first installation; autumn 2009 or so. The binary is dated Dec 18, 2006.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

Archive: http://lists.debian.org/87pr14qj2h@vigenere.g10code.de
Re: PPPoE support status update
On Sun, 9 May 2010 00:27, anar...@koumbit.org said:

> That I just don't understand at all... Are you using userland PPP? From
> what I can tell here, there's no ppp binary bundled with any kFreeBSD
> package I know of, I don't see how creating the lock directory changes

I am using this:

  freebsd-hackedutils 6.1-3

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

Archive: http://lists.debian.org/87tyqhqflj@vigenere.g10code.de
Re: porting userland ppp to kfreebsd
On Sun, 21 Mar 2010 20:22, anar...@koumbit.org said:

> Could you clarify this? Are you saying I duplicated existing work and
> that you already had userland ppp working? Is it with upstream's
> usr.sbin/ppp?

Yeah, I have userland ppp working as a client. It was a mere

  mkdir /var/spool/lock

> How about PPPoE? Anybody managed to do some of that?

I have not tested it. From my experience with OpenBSD I suggest to use kernel ppp to connect to a fast DSL line. On a slow box the userland ppp is a severe bottleneck. I have no idea whether this works on kfreebsd.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

Archive: http://lists.debian.org/87wrx3osai@vigenere.g10code.de
Re: porting userland ppp to kfreebsd
On Sun, 21 Mar 2010 01:28, anar...@koumbit.org said:

> As far as I know, there's currently no possibility of doing PPP or PPPoE
> in Debian GNU/kFreeBSD. I'd like to see that fixed.

I am using PPP for quite some time now with my UMTS stick. The gotcha is that the lock directory is a different one and thus you need to create it first.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

Archive: http://lists.debian.org/87634pyamd@vigenere.g10code.de
Re: Some questions about the port
On Mon, 1 Mar 2010 18:53, t...@mirbsd.de said:

> with a bunch of GNU packages. The FSF likes to do Vendor lock-in,

That is somewhat unfair. For one you can't speak of vendor lock-in in a FS project, second and more important is that glibc is the core of GNU (the OS) and third glibc is very much POSIX compliant. POSIX is actually the rule for all GNU hackers.

Agreed, too many hackers know only GNU/Linux and have no clue that there are other POSIX OS in our world. Worse, some seem even not to know what POSIX is and neglect to use a well defined POSIX API and favor something Linux specific.

Ask the Hurd hackers how much trouble they had way back when they ported most of the Debian packages to GNU - and that was with glibc.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

Archive: http://lists.debian.org/87bpf7zxuf@vigenere.g10code.de
[patch] devd and acpiconf
Hi!

I prepared a patch against the Debian source to include devd and acpiconf. I am not a DD and thus I have no experience creating packages; in particular the conf files are missing. What needs to be included are these files:

  /etc/devd.conf
  /etc/devd/asus.conf
  /etc/rc.suspend
  /etc/rc.resume

and the /etc/init.d/devd needs to be written. You need the latest libbsd and the build dependencies should be changed to include g++.

I put acpiconf into /usr/sbin as in FreeBSD; it is only required to make suspend work and thus not a basic requirement.

I tested this with the standard BSD files. rc.{suspend,resume} work nicely. (Unfortunately it does not solve my problem with the backlight :-().

If you have suggestions on how to do better than with handcrafted patch files, let me know. However, I hesitate to read all the DD docs ;-)

BTW, I noticed mismatching format strings in swapon.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

freebsd-utils-8.0-wk0.patch.gz
Description: Binary data
Re: [patch] devd and acpiconf
On Thu, 17 Dec 2009 12:23:23 +0100, Robert Millan wrote:

> Just a quick tip: you don't need to include all upstream files in your
> patch, as those end up in the orig tarball. Modifying the get-orig-source
> routine in debian/rules should be enough.

Okay. I have not looked too closely at the rules file and falsely assumed that this target is used manually.

I hope the diffs are still okay, as I used head and not stable.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: devd, acpiconf and such
On Tue, 15 Dec 2009 23:10:07 +0100, Aurelien Jarno wrote:

> As far as I know, no one is working on that. Ideally this should be
> integrated to the freebsd-utils source package (possibly producing new
> binary packages), but this is probably a detail, the most important job
> being to port it to glibc.

I am working on it now.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
devd now running on my box
Hi!

I worked on devd and now I am able to run the rc.suspend and rc.resume scripts on my X31. To make that really useful I also ported acpiconf.

I added new functions pidfile_* to libbsd and would like to know how to proceed: Create a Debian patch or talk to upstream and get it into their repo first?

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
[patch] pidfile_open (was: devd now running on my box)
On Wed, 16 Dec 2009 16:09:19 +0100, Guillem Jover wrote:

> I was in the process to release a new upstream release for libbsd, and
> can include those functions. I'll then proceed with an upload to Debian.

Find below a patch against the debian source.

	* debian/control (Description): Update.
	* Makefile (LIB_SRCS): Add pidfile.c
	* Versions (LIBBSD_0.2): New.
	* include/libutil.h (struct pidfh): New.
	(pidfile_open, pidfile_write, pidfile_close, pidfile_remove): New.
	* src/pidfile.c: New. Taken from
	http://svn.freebsd.org/base/head/lib/libutil, rev 200601.
	(flopen): Merge using flopen.c from the same repo.

I am not sure how you handle the versioning. I added the new functions under a new symbol versioning branch; it seems that is the policy for libbsd.

I did not include flopen.c because it is not needed and may conflict with other code which uses the same symbol.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

libbsd-0.1.6-wk0.patch
Description: Binary data
devd, acpiconf and such
Hi!

Looking at the freebsd kernel event system I obviously came across the devd. Are there any plans to include it or is the plan to port the Linux udev system to kfreebsd?

Looking at devd.conf and its usage I have to say that I really like it; in contrast to udev (or whatever the current hotplug system on GNU/Linux is) it is easy to understand and thus I assume also easy to debug. It is much like pf.conf in contrast to iptables.

The devd code does not look too complex and it should be straightforward to port it to glibc. To support acpi suspend we also need the acpiconf tool, which is even more trivial.

Anyone working on it? Shall I take it up?

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
chvt for kfreebsd
Hi,

On my X31 I have problems switching the consoles via Alt-Fn. This is annoying because there is no way to get back to the X server. Thus I wrote a small replacement for chvt to do this job. Needs to be installed suid(root).

The FreeBSD docs say something about /dev/ttys - is that all used in kfreebsd?

On a different topic: The FreeBSD /etc/rc.suspend and /etc/rc.resume scripts seem not to be supported. Is there any other way to run a command before/after suspend/resume? In particular I need to switch off the backlight to make an S3 suspend fully working.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

/* chvt.c - change virtual terminal for [k]freebsd
   Copyright (C) 2009 Werner Koch

   This file is free software; as a special exception the author gives
   unlimited permission to copy and/or distribute it, with or without
   modifications, as long as this notice is preserved.

   This file is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY, to the extent permitted by law; without even
   the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
   PURPOSE.  */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/consio.h>
#include <errno.h>

int
main (int argc, char **argv)
{
  int fd, screen;

  if (argc < 1 || argc > 2)
    {
      fputs ("Usage: chvt [VTNO]\n", stderr);
      return 1;
    }
  if (argc == 2)
    {
      /* Only accept a terminal number in the range 1..11.  */
      screen = atoi (argv[1]);
      if (screen < 1 || screen > 11)
        {
          fprintf (stderr, "chvt: invalid screen number %d\n", screen);
          return 1;
        }
    }

  fd = open ("/dev/ttyv0", O_RDWR, 0);
  if (fd == -1)
    {
      fprintf (stderr, "chvt: error opening terminal: %s\n",
               strerror (errno));
      return 1;
    }

  if (argc == 2)
    {
      /* VT_ACTIVATE takes the terminal number by value.  */
      if (ioctl (fd, VT_ACTIVATE, screen))
        {
          fprintf (stderr, "chvt: VT_ACTIVATE failed: %s\n",
                   strerror (errno));
          return 1;
        }
    }
  else
    {
      /* VT_GETACTIVE stores the active terminal number through a pointer.  */
      if (ioctl (fd, VT_GETACTIVE, &screen))
        {
          fprintf (stderr, "chvt: VT_GETACTIVE failed: %s\n",
                   strerror (errno));
          return 1;
        }
      printf ("%d\n", screen);
    }

  return 0;
}