Re: portsnap and the imminent demise of svn->cvs ports tree export
On 21 January 2013 01:01, John Marshall wrote:
> We are on notice that the current ports tree will be soon no longer
> available via CVSup and friends. General consumers of the FreeBSD ports
> tree are being encouraged to switch to portsnap.
>
> http://lists.freebsd.org/pipermail/freebsd-ports-announce/2013-January/49.html
>
> The presence of the file LASTCOMMIT.txt, and the content of the
> $FreeBSD$ lines, in a portsnap-generated ports tree indicate that
> portsnap sources its data from a CVS export of the tree. Are there

That is correct.

> plans to migrate the portsnap source to the subversion tree before the
> end of February?

Colin is working right now at migrating it. As it is a somewhat larger task (it also includes some cleanup of the portsnap codebase) it hasn't been done yet. I can guarantee that we will not make portsnap stop working by killing svn2cvs for ports before portsnap is migrated, but I don't think it should be a problem.

While portsnap hasn't run as reliably as we want over the last two months due to high churn of changes on the FreeBSD.org sites (as we have basically been redoing all infrastructure from scratch) it is fully supported by clusteradm/security-officer. (Lack of monitoring after the security incident has also really hurt us, but that's coming back these days).

PS. I consider it a very fair question.

PPS. portsnap build recently moved to a new server which decreased the portsnap build time so changes should now show up even faster in portsnap.

--
Simon L. B. Nielsen
Hat: FreeBSD.org clusteradm and FreeBSD Security Officer
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: Ports cvs deprecation warning
On 10 January 2013 16:50, Warren Block wrote: > Index: ports/UPDATING > === > --- ports/UPDATING (revision 310189) > +++ ports/UPDATING (working copy) > @@ -5,6 +5,16 @@ > You should get into the habit of checking this file for changes each time > you update your ports collection, before attempting any port upgrades. > > +20130110: > + AFFECTS: everyone using csup(1) or net/cvsup to update the ports tree > + AUTHOR: wbl...@freebsd.org > + > + The CVSup service is being phased out as of February 28, 2013. Please > + switch to one of the alternate update methods of portsnap(8) or > + devel/subversion before that time. See the Handbook for more > + information: > + > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports-using.html

The note should also talk about CVS IMO - I have frequently heard people use that (not many, but some).

--
Simon L. B. Nielsen

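Review bot: in the body of the new 20130110 entry, "is being phased out as of February 28, 2013" does not tell a reader whether csup(1) and net/cvsup stop working on that date or only begin to be wound down, although the next sentence ("before that time") treats it as a deadline. State the cutoff outright, for example "will be shut down on February 28, 2013", so that anyone reading UPDATING knows the date by which they must have switched to portsnap(8) or devel/subversion.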
Re: FreeBSD wiki offline for a bit
On 6 January 2013 20:40, Simon L. B. Nielsen wrote:
> Hey,
>
> tl;dr Wiki is back, and everybody with an account needs to reset their password.

Small followup. The wiki's surge protection (yet again) got confused and blocked the frontend proxy. I think it should be fixed now.

If you see any 'varnish guru meditation' please let me know, and include the XID number so I can trace it in the logs.

--
Simon L. B. Nielsen
Hat: clusteradm

Re: FreeBSD wiki offline for a bit
Hey,

tl;dr Wiki is back, and everybody with an account needs to reset their password.

On 4 January 2013 22:38, Simon L. B. Nielsen wrote:
> Due to a security issue in the moinmoin wiki software, the FreeBSD
> wiki will be offline for a bit. I do not yet know if the issue
> actually has been exploited in the FreeBSD wiki (haven't had the time
> yet to examine it), but I took the wiki down just in case.
>
> Note that even if the software was compromised, it was considered
> untrusted from the start and as such heavily sandboxed (including
> jailed) to keep it away from any sensitive FreeBSD.org parts, so there
> is absolutely no reason to believe a compromise would go any further
> than the wiki itself.
>
> I hope to have the wiki back within 24 hours, assuming not too much
> gets in the way.
>
> For further reference see: http://moinmo.in/SecurityFixes and
> http://permalink.gmane.org/gmane.linux.debian.devel.announce/1754 .
>
> PS. this is entirely unrelated to the 2012 November FreeBSD.org compromise.

The wiki is back now.

Looking at logs, there were people attempting to exploit this back in July but I do not think they actually succeeded. It seemed to be mostly an automated bot and not a targeted attempt.

The wiki has been reinstalled from scratch and users and pages were copied. As I did a very selective copy it's entirely possible I made the wiki unhappy, so let me know if you see issues.

Just to be extra safe I have reset all passwords, so everybody will need to use the standard account recovery process to set a new password.

On a side note we have ~23000 user accounts and had 26000 empty pages mostly caused by spammers, so someone(tm) will likely need to find a way to change how we handle wiki user accounts to fix this.

PS. only reason I could see that they tried back in July was that I found out I had forgotten to set up log rotation, so the wiki logfile was over 3GB :-). (It was the internal log file which doesn't contain user IPs so privacy part isn't really an issue.)

--
Simon L. B. Nielsen
Hat: clusteradm

Re: Using http mirrors
On 5 January 2013 11:14, Chris Rees wrote:
> Hi all,
>
> The submitter of ports/174427 tells me that using http for mirrors is
> faster, due to the lack of authentication etc.
>
> I'm not convinced that the speed difference is huge, but can anyone
> think of any reasons not to apply this patch? It will affect large
> numbers of ports.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=174427

Please apply this. HTTP is a generally saner protocol, especially for people behind firewalls.

--
Simon L. B. Nielsen

FreeBSD wiki offline for a bit
Hey,

Due to a security issue in the moinmoin wiki software, the FreeBSD wiki will be offline for a bit. I do not yet know if the issue actually has been exploited in the FreeBSD wiki (haven't had the time yet to examine it), but I took the wiki down just in case.

Note that even if the software was compromised, it was considered untrusted from the start and as such heavily sandboxed (including jailed) to keep it away from any sensitive FreeBSD.org parts, so there is absolutely no reason to believe a compromise would go any further than the wiki itself.

I hope to have the wiki back within 24 hours, assuming not too much gets in the way.

For further reference see: http://moinmo.in/SecurityFixes and http://permalink.gmane.org/gmane.linux.debian.devel.announce/1754 .

PS. this is entirely unrelated to the 2012 November FreeBSD.org compromise.

--
Simon L. B. Nielsen
Hat: FreeBSD clusteradm / FreeBSD Security Officer

Re: Ports "make fetchindex" still getting outdated INDEX-9
On 14 December 2012 13:08, Jim Pingle wrote:
>>> On 13 Dec 2012 16:57, "Jim Pingle" wrote:
>>> I saw a thread last month about the servers that build INDEX files being
>>> down since the security incident - is that still the case?
>>
>> On 12/13/2012 6:35 PM, Simon L. B. Nielsen wrote:
>> I had forgotten about it again. I will try to get it fixed within
>> the next couple of days.
>
> Fantastic! I (and I'm sure many others) appreciate the effort.

I managed to get a system set up based on portsnap a few days later, only to realize it was on the wrong server which in fact doesn't serve www.freebsd.org... doh.

Anyway, it's fixed as of today fully based on portmgr based INDEX build. It's also now not served off www.FreeBSD.org which was a bit ugly IMO, but an HTTP redirect makes 'make fetchindex' work.

PS. should people be so inclined, you can now also get it via rsync from rsync://bit0.us-west.freebsd.org/FreeBSD-bit/ports-index/ .

--
Simon L. B. Nielsen

GNATS now available via rsync
Hey,

The GNATS database can now be mirrored using rsync from:

rsync://bit0.us-west.freebsd.org/FreeBSD-bit/gnats/

I expect that URL to be permanent, at least while GNATS is still alive. At a later point there will be more mirrors (a us-east will be the first) and I will find a place to publish the mirror list.

On a side note, GNATS changes aren't mirrored to the old CVSup system right now, as cvsupd broke on FreeBSD 10.0, which the host running GNATS is running. There are no current plans from clusteradm@'s side to fix this now that an alternative way to get GNATS exists and cvsup is deprecated long term anyway.

--
Simon L. B. Nielsen
Hat: clusteradm@

Re: Ports "make fetchindex" still getting outdated INDEX-9
I had forgotten about it again. I will try to get it fixed within the next couple of days.

--
Simon L. B. Nielsen
Via mobile
Sorry about the top posting

On 13 Dec 2012 16:57, "Jim Pingle" wrote:
> I saw a thread last month about the servers that build INDEX files being
> down since the security incident - is that still the case?
>
> The files obtained via make fetchindex are still out of date, so I
> assume they're still off, but a while back they were just missed after
> some maintenance as well so part of me hoped that it may be the case yet
> again.
>
> Any ETA on when that service might return? I can always build the index
> manually or use portsnap, but fetchindex is really convenient and I'd
> love to see it brought back to life.
>
> Perhaps the fetchindex target could be altered to print a brief message
> in the interim so people know that it's not currently being updated?
>
> Jim

GNATS web and cvsweb fixed
Hey,

FYI, GNATS web and cvsweb are now fixed. Do note that cvsweb is now running off a mirror so changes do not show up right away.

--
Simon L. B. Nielsen

Re: svn: E175002: REPORT of '/ports/!svn/me': Could not send request: Operation not permitted (http://svn.freebsd.org)
On Wed, Oct 10, 2012 at 5:20 PM, O. Hartmann wrote:
> I receive since two days on my FreeBSD 10 boxes this message when
> updating the /usr/ports tree. What is this supposed to mean?
>
> The error is occurring from the university's net as well as from my
> private provider, so I think it is something more sophisticated than
> simply network issues ...
>
> [/usr/ports]: make update
> --
> >>> Updating /usr/ports using Subversion
> --
> cd /usr/ports; /usr/local/bin/svn update
> Updating '.':
> svn: E175002: REPORT of '/ports/!svn/me': Could not send request:
> Operation not permitted (http://svn.freebsd.org)
> *** [update] Error code 1

I'm not sure what that error means... something is denying your.. but I'm not sure if it's local file permissions, local firewall remote rest of connection etc.

Also note that you shouldn't use http://svn.freebsd.org as that means you are being redirected to svn0.us-west.freebsd.org using netcat... This at least increases the risk of something going wrong.

See: http://www.freebsd.org/doc/en/books/handbook/mirrors-svn.html for current list of mirrors.

--
Simon L. B. Nielsen

Re: [HEADSUP] current switched by default to pkgng
On Wed, Oct 10, 2012 at 2:44 PM, Baptiste Daroussin wrote:
> Hi all,
>
> If you are using the ports tree on a FreeBSD current setup, then you are
> concerned by the announce.
>
> As nvidia-drivers has been fixed and is now properly working with pkgng, the
> ports tree has been switched by default to use pkgng on FreeBSD Current based on
> version >= 117 which was the version when we tested the switch code.
>
> Make sure to read UPDATING (from ports) to correctly migrate your system or find
> instruction to make your system still running with legacy pkg_install tools.

I read UPDATING, but I'm still not sure what this means when I use ports and not packages. Does it mean that I should install pkg to have /var/db/pkg managed, but otherwise ports keeps working the same way, or?

--
Simon L. B. Nielsen

Re: [Full-disclosure] nvidia linux binary driver priv escalation exploit
On Wed, Aug 8, 2012 at 1:38 PM, Wesley Shields wrote:
> On Wed, Aug 08, 2012 at 10:34:06AM +, Alexey Dokuchaev wrote:
>> On Mon, Aug 06, 2012 at 01:49:50PM +0200, Rainer Hurling wrote:
>> > On 06.08.2012 10:03 (UTC+1), Doug Barton wrote:
>> > >On 08/01/2012 05:09, Oliver Pinter wrote:
>> > >>I found this today on FD:
>> > >>
>> > >>http://seclists.org/fulldisclosure/2012/Aug/4
>> > >
>> > >Apparently this affects us as well. Any news?
>> >
>> > Thanks for the info. I had been not aware of it before.
>> >
>> > NVidia has released a driver version 304.32 for FreeBSD i386 and amd64,
>> > which should remedy these security issues.
>>
>> Luckily, they've released version 295.71 which is on Long Lived Branch. I
>> will update the port shortly.
>
> Thank you!
>
>> VuXML entry will have to follow separately, as it is unclear whether new CVE
>> number will be assigned or not.
>
> You can do the VuXML without a CVE for now and update it when/if one is
> assigned.

Eh, why wouldn't a CVE name not be assigned? If none is we should ask MITRE to assign one, but it would surprise me if NVIDIA or a Linux vendor hasn't done this already.

--
Simon L. B. Nielsen

Re: Svn mirror seed has UUID wrong
On 21 Jul 2012, at 21:25, Simon L. B. Nielsen wrote:
> If you don't have a local doc or ports svn mirror you can stop reading now.
>
> When creating the doc and ports svn mirrors, which the seeds on
> http://ftp.freebsd.org/pub/FreeBSD/development/subversion/ are created from,
> I forgot to set the repository UUID to the same as the one on the master
> repositories. This may e.g. cause problems for people using a mirror and
> switching to directly access svn.freebsd.org later.
>
> To fix this I have created new seeds for doc and ports. If you have a local
> mirror you can either download the new seed files and use that, or just
> change the uuid on your mirror using svnadmin.
>
> [doc]
> Master repo UUID: c2e8774f-c49f-e111-b436-862b2bbc8956
> Fixed seed tar: http://ftp.freebsd.org/pub/FreeBSD/development/subversion/svnmirror-doc-r39237.tar.xz
> Command to fix a mirror: svnadmin setuuid /home/svn/doc c2e8774f-c49f-e111-b436-862b2bbc8956
>
> [ports]
> Master repo UUID: 35697150-7ecd-e111-bb59-0022644237b5
> Fixed seed tar: http://ftp.freebsd.org/pub/FreeBSD/development/subversion/svnmirror-ports-r301235.tar.xz
> Command to fix a mirror: svnadmin setuuid /home/svn/ports 35697150-7ecd-e111-bb59-0022644237b5

Hey,

Sorry, I forgot to mention that any svn checkout from a repository with the incorrect UUID will not work with the repository after the UUID has been changed. It's possible svn can be convinced to work with a 'new' repository, sorry - I have no idea.

--
Simon L. B. Nielsen

Svn mirror seed has UUID wrong
Hey,

If you don't have a local doc or ports svn mirror you can stop reading now.

When creating the doc and ports svn mirrors, which the seeds on http://ftp.freebsd.org/pub/FreeBSD/development/subversion/ are created from, I forgot to set the repository UUID to the same as the one on the master repositories. This may e.g. cause problems for people using a mirror and switching to directly access svn.freebsd.org later.

To fix this I have created new seeds for doc and ports. If you have a local mirror you can either download the new seed files and use that, or just change the uuid on your mirror using svnadmin.

[doc]
Master repo UUID: c2e8774f-c49f-e111-b436-862b2bbc8956
Fixed seed tar: http://ftp.freebsd.org/pub/FreeBSD/development/subversion/svnmirror-doc-r39237.tar.xz
Command to fix a mirror: svnadmin setuuid /home/svn/doc c2e8774f-c49f-e111-b436-862b2bbc8956

[ports]
Master repo UUID: 35697150-7ecd-e111-bb59-0022644237b5
Fixed seed tar: http://ftp.freebsd.org/pub/FreeBSD/development/subversion/svnmirror-ports-r301235.tar.xz
Command to fix a mirror: svnadmin setuuid /home/svn/ports 35697150-7ecd-e111-bb59-0022644237b5

Thanks to John Marshall for reporting the issue.

PS. no, the base seed does not have this problem.

--
Simon L. B. Nielsen
Hat: FreeBSD.org admins team

Upgrade port audit now!
Hey,

If you have portaudit installed, you should upgrade sooner rather than later!

Begin forwarded message:

> From: "Simon L. Nielsen"
> Subject: cvs commit: ports/ports-mgmt/portaudit Makefile pkg-plist ports/ports-mgmt/portaudit/files portaudit-cmd.sh
> Date: 11 March 2012 21:32:58 GMT
> To: ports-committ...@freebsd.org, cvs-po...@freebsd.org, cvs-...@freebsd.org
>
> simon 2012-03-11 21:32:58 UTC
>
> FreeBSD ports repository
>
> Modified files:
>   ports-mgmt/portaudit Makefile pkg-plist
>   ports-mgmt/portaudit/files portaudit-cmd.sh
> Log:
> Portaudit 0.6.0:
>
> Fix remote code execution which can occur with a specially crafted
> audit file. The attacker would need to get the portaudit(1) to
> download the bad audit database, e.g. by performing a man in the
> middle attack.
>
> Add signature verification of the portaudit database. The public key
> for the database generated for portaudit.FreeBSD.org is included
> in the distribution.
>
> Submitted by: Michael Gmelin
> Reported by: Michael Gmelin, Joerg Scheinert
> Security: Remote code execution
> Security: http://vuxml.FreeBSD.org/6d329b64-6bbb-11e1-9166-001e4f0fb9b1.html
> Feature safe: yes
> With hat: so

--
Simon L. B. Nielsen
FreeBSD Deputy Security Officer

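The fix named in the forwarded commit message, checking the database signature before anything parses the file, as an added example that is not portaudit's own code. The detached-signature layout, the file names and the `install_audit_db` function are assumptions, and the key pair is a throwaway one generated for the demonstration.

```shell
#!/bin/sh
# Added example, not portaudit's own code. Assumptions: the database comes
# with a detached SHA-256 signature file and the client already holds the
# publisher's public key in PEM form; all file names are hypothetical.

# install_audit_db DB SIG PUBKEY DEST
# Returns 0 if DB verified and replaced DEST, 1 if the signature check
# failed (DEST untouched), 2 on usage or I/O errors.
install_audit_db() {
    [ "$#" -eq 4 ] || return 2
    db=$1 sig=$2 pub=$3 dest=$4
    { [ -r "$db" ] && [ -r "$sig" ] && [ -r "$pub" ]; } || return 2

    # Take a private copy first, so the bytes that are verified are the
    # bytes that get installed even if DB changes underneath us.
    tmp="$dest.new.$$"
    cp "$db" "$tmp" || { rm -f "$tmp"; return 2; }

    # Fail closed: no parser or extractor touches the file before this.
    if ! openssl dgst -sha256 -verify "$pub" -signature "$sig" "$tmp" \
            >/dev/null 2>&1; then
        rm -f "$tmp"
        return 1
    fi

    # Rename within the same directory so readers never see a partial file.
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
}

# Demonstration on constructed data: a throwaway key signs a sample
# database, then a copy of it is altered as it might be in transit.
demo() {
    work=$(mktemp -d) || return 2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/priv.pem" 2>/dev/null
    openssl pkey -in "$work/priv.pem" -pubout -out "$work/pub.pem"
    printf 'constructed sample entry\n' > "$work/auditfile"
    openssl dgst -sha256 -sign "$work/priv.pem" \
        -out "$work/auditfile.sig" "$work/auditfile"
    printf 'previous database\n' > "$work/installed"

    cp "$work/auditfile" "$work/tampered"
    printf 'injected line\n' >> "$work/tampered"

    rc=0
    install_audit_db "$work/tampered" "$work/auditfile.sig" \
        "$work/pub.pem" "$work/installed" || rc=$?
    echo "tampered: rc=$rc, installed: $(cat "$work/installed")"

    rc=0
    install_audit_db "$work/auditfile" "$work/auditfile.sig" \
        "$work/pub.pem" "$work/installed" || rc=$?
    echo "genuine:  rc=$rc, installed: $(cat "$work/installed")"
    rm -rf "$work"
}

demo
```

A valid signature does not by itself stop replay of an older signed database; comparing a signed creation date with the installed copy covers that case.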
Portaudit database build fixed
Hey,

Just FYI, I accidentally stopped the jail which built the portaudit database a few days ago and didn't notice since I had forgotten the portaudit database was actually built there.

It has been fixed now.

--
Simon L. B. Nielsen

Re: packages compressed with xz
On 30 Nov 2010, at 03:16, jhell wrote:
> Agreed. Soon can be quantified by actual need and of which there is not
> much need except for larger packages but adding this would just add
> unneeded complication to the system that is already in place.

We are running out of disk space on even the FTP master site - currently we are at ~1TB. The xz compression gives a significant space saving - so there is already a need.

PS. anyone saying a 1 TB etc. disk is cheap will be ignored.

--
Simon L. B. Nielsen