Re: Bind in FreeBSD, security advisories
On Wed, Jul 31, 2013 at 07:22:20AM -0500, Mark Felder wrote:

Let's take a moment and consider the state of the internet and DNS attacks. The RRL and RPZ2 patchsets[1] are newer developments that successfully add additional security and features to BIND. It was also recently announced that due to the success of this work the RRL[2] patch will be accepted by ISC into BIND mainline. How many users of BIND on FreeBSD are going to realize they need to run a copy of BIND from ports to get this extremely important protection? It certainly isn't going to get backported to 8-STABLE or 9-STABLE; I don't even know if it will show up in 10.0-RELEASE as a quick grep shows it's not there. To put some perspective on it, FreeBSD 8.x users are literally 6 years behind CURRENT...

3rd party, and especially those that are still being distributed as experimental, will not be part of the base BIND code. It will only contain a direct import from the vendor sources. After a -STABLE branch is branched into a -RELEASE branch, the latter will only get security updates, sometimes backported depending on the upstream life cycle. For feature updates, users have always been dependent on ports as the BIND versions included in -RELEASE are quickly falling behind.

On a side note, BIND 10 introduces a large number of 3rd party dependencies, none of which are very attractive to include in the FreeBSD base system by default. This means that we can use BIND9 so far, but for the long term, we'll have to look into a more viable alternative anyway.

Erwin

--
Erwin Lansing http://droso.dk
er...@freebsd.org http://www.FreeBSD.org

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
Re: pkg_add -r does not find packages FreeBSD 9.0 rc1
On Sat, Nov 12, 2011 at 06:13:59PM +0200, Luchesar V. ILIEV wrote:

On 12/11/2011 16:36, Kenneth Hatteland wrote:

I have installed RC1 and after getting confused with the new install routines, I have my system up. But when I try to install packages like nano and cvsup-without-gui to build my machine up from base the system reports no packages found. This has only rarely happened on my other systems and never on a fresh install. Any clues???

Could it be related to this PR? http://www.freebsd.org/cgi/query-pr.cgi?pr=162490

This is an unfortunate side effect of our current release process for major version releases where it's hard to synchronize the change needed to pkg_add and the package sets on the mirrors. There are some workarounds that may make this a bit less painful, but in general this is one of the reasons why we really should aim for making the src and ports releases independent from each other. For now, the best option for BETA and RCs is to override PACKAGESITE as Bane Ivosev suggested.

Erwin

--
Erwin Lansing http://droso.org
Prediction is very difficult especially about the future
er...@freebsd.org
Re: [HEADSUP]: ports feature freeze starts soon
On Fri, Oct 07, 2011 at 11:20:28AM +0200, Erwin Lansing wrote:

In preparation for 9.0 the ports tree will be in feature freeze after release candidate 2 (RC2) is released, currently planned for October 17.

Depending on your timezone, October 17 has come and gone and the ports tree has not frozen yet. As always, we'll follow the actual dates during the release cycle and not the estimated dates in the tentative schedule. A rough guess would be that RC2, and thus the ports feature freeze, will happen at the end of the month, so please take this as a reminder to get anything you want included in the release into the tree as soon as possible.

Erwin

--
Erwin Lansing http://droso.org
[HEADSUP]: ports feature freeze starts soon
In preparation for 9.0 the ports tree will be in feature freeze after release candidate 1 (RC2) is released, currently planned for October 17.

If you have any commits with high impact planned, get them in the tree before then and if they require an experimental build, have a request for one in portmgr hands within the next few days.

Note that this again will be a feature freeze and not a full freeze. Normal upgrade, new ports, and changes that only affect other branches will be allowed without prior approval but with the extra Feature safe: yes tag in the commit message. Any commit that is sweeping, i.e. touches a large number of ports, infrastructural changes, commits to ports with unusually high number of dependencies, and any other commit that requires the rebuilding of many packages will not be allowed without prior explicit approval from portmgr after that date.

-erwin

--
Erwin Lansing http://droso.org
Ports and Packages for Supported Releases
Portmgr published a new page on their website which describes the current support and EoL policies for the ports tree and released packages. The main take-home messages are:

- Support of FreeBSD releases by ports and the ports infrastructure matches the policies set out by the FreeBSD Security Officer.
- Package builds will use the oldest supported minor release within each major branch to ensure ABI and KBI backwards compatibility within each major branch, and support all minor versions of each major branch, including -RELEASE and -STABLE.

See the full policy on the portmgr webpage: http://www.freebsd.org/portmgr/policies_eol.html

On behalf of portmgr,

-erwin

--
Erwin Lansing http://droso.org
[HEADSUP]: Ports feature freeze for 8.1 now in effect
In preparation for 8.1-RELEASE, the ports tree is now in feature freeze.

Normal upgrade, new ports, and changes that only affect other branches are allowed without prior approval but with the extra Feature safe: yes tag in the commit message. Any commit that is sweeping, i.e. touches a large number of ports, infrastructural changes, commits to ports with unusually high number of dependent ports, and any other commit that requires the rebuilding of many packages is not allowed without prior explicit approval from portmgr after that date.

When in doubt, please do not hesitate to contact portmgr.

--
Erwin Lansing http://droso.org
Re: [HEADS UP] Ports feature freeze coming soon
On Tue, Jun 08, 2010 at 02:20:53PM -0400, FreeBSD portmgr secretary wrote:

In preparation for 8.1-RELEASE, the ports tree will be in feature freeze after release candidate 1 (RC1) is released, currently planned for June 11.

As you may have noticed, RC1 has not been released as yet, but the delay is not expected to be more than a few days. The ports feature freeze will therefore be postponed until this Friday, June 18, 12pm UTC. We do still ask you to be conservative with your changes until then.

-erwin

If you have any commits with high impact planned, get them in the tree before then and if they require an experimental build, have a request for one in portmgr@ hands within the next few days.

Note that this again will be a feature freeze and not a full freeze. Normal upgrade, new ports, and changes that only affect other branches will be allowed without prior approval but with the extra Feature safe: yes tag in the commit message. Any commit that is sweeping, i.e. touches a large number of ports, infrastructural changes, commits to ports with unusually high number of dependencies, and any other commit that requires the rebuilding of many packages will not be allowed without prior explicit approval from portmgr@ after that date.

Thomas
with portmgr-secretary@ hat on

--
Thomas Abthorpe | FreeBSD Ports Management Team Secretary
tabtho...@freebsd.org | portmgr-secret...@freebsd.org

--
Erwin Lansing http://droso.org
[HEADSUP]: ports feature freeze now in effect
In preparation for 7.3-RELEASE, the ports tree is now in feature freeze.

Normal upgrade, new ports, and changes that only affect other branches are allowed without prior approval but with the extra Feature safe: yes tag in the commit message. Any commit that is sweeping, i.e. touches a large number of ports, infrastructural changes, commits to ports with unusually high number of dependent ports, and any other commit that requires the rebuilding of many packages is not allowed without prior explicit approval from portmgr after that date.

When in doubt, please do not hesitate to contact portmgr.

-erwin

--
Erwin Lansing http://droso.org
[HEADSUP]: ports feature freeze starts in one week
In preparation for 7.3-RELEASE, the ports tree will be in feature freeze after release candidate 1 (RC1) is released, currently planned for February 8.

If you have any commits with high impact planned, get them in the tree before then and if they require an experimental build, have a request for one in portmgr hands within the next few days.

Note that this again will be a feature freeze and not a full freeze. Normal upgrade, new ports, and changes that only affect other branches will be allowed without prior approval but with the extra Feature safe: yes tag in the commit message. Any commit that is sweeping, i.e. touches a large number of ports, infrastructural changes, commits to ports with unusually high number of dependencies, and any other commit that requires the rebuilding of many packages will not be allowed without prior explicit approval from portmgr after that date.

-erwin

--
Erwin Lansing http://droso.org
Re: ZFS performance degradation over time
On Wed, Jan 20, 2010 at 11:47:30AM +0100, Alexander Leidinger wrote:

Quoting Jeremy Chadwick <free...@jdc.parodius.com> (from Tue, 19 Jan 2010 09:01:01 -0800):

I've two recommendations:

1) Have you considered upgrading to RELENG_8 (e.g. 8.0-STABLE) instead of sticking with 8.0-RELEASE? There's been a recent MFC to RELENG_8 which pertains to ARC drainage. I'm referring to the commit labelled revision 1.22.2.2 (RELENG_8):

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/arc.c

This patch can be merged stand-alone if necessary, no need to go to RELENG_8 if there are reservations.

The commit you refer to above is just doing this: limiting the arc more to the arc_max than it was the case before. This patch is in 7-stable too (in case someone is interested).

Two weeks ago, we started experiencing similar symptoms on the pointyhat package cluster. This was on 9.0-CURRENT from last September. Upgrading to last week's HEAD has solved the problem for us. The system is heavily loaded both on CPU, memory and disk, and since the original patch was committed back in October, my guess is that it was this specific commit that solved the issue.

I'd recommend people still experiencing this issue to upgrade to a system that includes this change, be it 8.0-STABLE or 7.2-STABLE after January 8, or manually merging it.

Cheers,
-erwin

--
Erwin Lansing http://droso.org
Re: FREEBSD_4_EOL tag, last known index file?
On Sun, Jul 15, 2007 at 03:05:30PM -0700, Jon Dama wrote:

Is there a port index file that corresponds to the FREEBSD_4_EOL tag? I am unable to rebuild the index from the tagged checkout.

The official INDEX file is no longer available nor supported. You should be able to build it by 'cd /usr/ports; make index'. If that doesn't work for you, I'm afraid the only supported configuration is to upgrade to 6.2-RELEASE, which you probably want to do anyway, if not just because security fixes are not applied to earlier versions.

Cheers,
-erwin

--
Erwin Lansing http://droso.org
Security is like an onion.
It's made up of several layers
And it makes you cry.
Re: truss missing some files or directories
On Wed, Dec 20, 2006 at 01:08:54PM -0500, Ilya Vishnyakov wrote:

Problem with truss, won't start. Please advise me what to do.

    truss /bin/echo hello
    truss: truss: cannot open /proc/42520/mem cannot open /proc/curproc/mem: : No such file or directory No such file or directory

Do you have /proc mounted?

    # mount -t procfs proc /proc/

-erwin

--
Erwin Lansing http://droso.org
Kernel not installed from CD
I haven't seen a report on this before, although I heard other people being hit by the same problem before.

Doing a fresh install from a BETA2 cd forgets to install the kernel and modules to disk. Everything else is installed just fine, so a simple copy of /dist/kernel/ to the installed disk easily fixes the problem. A wild guess would be that this has something to do with the SMP detection, although the first machine was SMP and the second UP.

If this already is reported and fixed, I'll just shut up and get a newer BETA :-)

-erwin

--
Erwin Lansing http://droso.org
Re: Kernel not installed from CD
On Sun, Oct 22, 2006 at 01:27:16PM +0200, Erwin Lansing wrote:

I haven't seen a report on this before, although I heard other people being hit by the same problem before.

Doing a fresh install from a BETA2 cd forgets to install the kernel and modules to disk. Everything else is installed just fine, so a simple copy of /dist/kernel/ to the installed disk easily fixes the problem. A wild guess would be that this has something to do with the SMP detection, although the first machine was SMP and the second UP.

If this already is reported and fixed, I'll just shut up and get a newer BETA :-)

This seems to be related to choosing a distribution in sysinstall (developer, X-developer, User, ...). Without choosing one, no kernel is installed. I guess implicitly installing the smallest distribution when no distribution is chosen from the menu would solve this problem.

Thanks to [EMAIL PROTECTED] for the suggestion.

-erwin

--
Erwin Lansing http://droso.org
Re: em network issues
On Thu, Oct 19, 2006 at 11:40:16AM -0700, Jack Vogel wrote:

On 10/19/06, Remko Lodder [EMAIL PROTECTED] wrote:

Kip Macy wrote:

On Wed, 18 Oct 2006, Jack Vogel wrote:

I'm a bit confused from the way you worded this, do you have watchdogs with em, or you use em to avoid them?

I have watchdogs with the current (post vendor update) em driver, but not with an older (pre vendor update) version of it.

Same here! Didn't have the problem prior to the update, after the update it started doing watchdog timeouts, occasionally the interface goes up/down after the watchdog error. I did not spot this on my other servers yet, but the traffic passing the if_em interface is not that much (just normal webtraffic, mail traffic etc).

cheers,
remko

LOL, you aren't helping, I need to know WHAT CVS deltas work vs don't, in other words, which delta in the REL_ENG_6 stream broke things?? If you quantify what 'the update' means that might help me, was this the 6.2 BETA or what?

A bit more helpful, but unfortunately not much is a datapoint saying no problems April 3rd and watchdog timeouts after September 28 RELENG_6. I know, probably too vague to be of any use, but there it is. Intel(R) PRO/1000 Network Connection Version - 6.1.4 on a workstation with next to no traffic.

-erwin

--
Erwin Lansing http://droso.org
Re: em network issues
On Thu, Oct 19, 2006 at 12:13:33PM -0700, Jack Vogel wrote:

On 10/19/06, Erwin Lansing [EMAIL PROTECTED] wrote:

On Thu, Oct 19, 2006 at 11:40:16AM -0700, Jack Vogel wrote:

On 10/19/06, Remko Lodder [EMAIL PROTECTED] wrote:

Kip Macy wrote:

On Wed, 18 Oct 2006, Jack Vogel wrote:

I'm a bit confused from the way you worded this, do you have watchdogs with em, or you use em to avoid them?

I have watchdogs with the current (post vendor update) em driver, but not with an older (pre vendor update) version of it.

Same here! Didn't have the problem prior to the update, after the update it started doing watchdog timeouts, occasionally the interface goes up/down after the watchdog error. I did not spot this on my other servers yet, but the traffic passing the if_em interface is not that much (just normal webtraffic, mail traffic etc).

cheers,
remko

LOL, you aren't helping, I need to know WHAT CVS deltas work vs don't, in other words, which delta in the REL_ENG_6 stream broke things?? If you quantify what 'the update' means that might help me, was this the 6.2 BETA or what?

A bit more helpful, but unfortunately not much is a datapoint saying no problems April 3rd and watchdog timeouts after September 28 RELENG_6. I know, probably too vague to be of any use, but there it is. Intel(R) PRO/1000 Network Connection Version - 6.1.4 on a workstation with next to no traffic.

So, you mean you did a cvsup on 9/28, and one was done on April 3?

Yup, precisely.

-erwin

--
Erwin Lansing http://droso.org
SW_WATCHDOG panic
While trying to debug why I couldn't use powerd(8) with two batteries in my IBM T41 (which seems related to kern/97383), I turned on SW_WATCHDOG only to get an almost immediate panic after turning it on with watchdog(8). Sources are from July 10 RELENG_6.

Backtrace: http://people.freebsd.org/~erwin/rabbit.txt

If anyone wants to have a look, let me know if you need more information.

Cheers,
-erwin

--
Erwin Lansing http://droso.org
Re: Fwd: Problem with modern Postfix on 4.7
On Tue, May 23, 2006 at 11:02:38AM +0200, Matthias Andree wrote:

Scott Harrison [EMAIL PROTECTED] writes:

There was a suggestion on the web indicating that binutils is the problem and that that should be updated. However, I do not know the proper way to go about updating binutils. Can someone please tell me how to do it or point me to a resource that does?

NOTE I haven't tried to understand all of your two posts.

The easiest solution is probably to update FreeBSD 4.X using the official ways described in the handbook, I'd suggest using 4.11, as 4.10 is about to be discontinued, and kernel and base system security fixes are only provided for 4.10 and 4.11 at this time. The ports tree has been requiring FreeBSD 4.8 at a minimum for a very long time now, and I'd expect that even that it requires 4.11 soon enough.

Or even better, upgrade to 6.x which is the current supported system. For those still on 4.x, please see http://www.freebsd.org/portmgr/policies_releng_4.html

-erwin

--
Erwin Lansing http://droso.org
Re: Alright you primitive screwheads, LISTEN UP!!
On Mon, May 16, 2005 at 04:45:13PM -0500, Will Andrews wrote:

On Mon, May 16, 2005 at 11:25:21PM +0200, Wilko Bulte wrote:

It's not officially William is it? You have my sympathy, no-one ever gets Wilko right. And it is dead simple derivative of Willem Coenraad.

Wilko. Not Wilco. Right? I do not respond to the names Bill or Andrew, so don't ever call me that either. ;)

Just never, ever, call me Edwin!

--
Erwin Lansing
DISCLAIMER: No electrons were harmed while sending this message.
Re: ftp.freebsd.org
On Sun, Oct 24, 2004 at 01:55:10AM +0200, Simon L. Nielsen wrote:

On 2004.10.23 15:57:37 -0700, Brandon Fosdick wrote:

Jack Raats wrote:

At this moment I can't connect with ftp.freebsd.org.

I've had the same problem all day.

The Danish part of ftp.freebsd.org (ftp.beastie.tdk.net) does not seem to respond, I have poked one of the admins, but since it's late night here in Denmark, it will probably be some hours before anyone can look at the problem.

beastie panicked at about 3 am CEST and was rebooted. I don't know what caused the panic, but I see quite a lot of:

    Oct 23 04:51:29 ftp /kernel: swap_pager: indefinite wait buffer: device: #da/0x2 0001, blkno: 544, size: 4096
    Oct 23 04:52:07 ftp /kernel: swap_pager: indefinite wait buffer: device: #da/0x2 0001, blkno: 544, size: 4096

-erwin

--
Erwin Lansing http://droso.org
Re: ftp.freebsd.org
On Sun, Oct 24, 2004 at 06:58:21PM +0100, Robert Watson wrote:

On Sun, 24 Oct 2004, Erwin Lansing wrote:

The Danish part of ftp.freebsd.org (ftp.beastie.tdk.net) does not seem to respond, I have poked one of the admins, but since it's late night here in Denmark, it will probably be some hours before anyone can look at the problem.

beastie panicked at about 3 am CEST and was rebooted. I don't know what caused the panic, but I see quite a lot of:

    Oct 23 04:51:29 ftp /kernel: swap_pager: indefinite wait buffer: device: #da/0x2 0001, blkno: 544, size: 4096
    Oct 23 04:52:07 ftp /kernel: swap_pager: indefinite wait buffer: device: #da/0x2 0001, blkno: 544, size: 4096

The swap pager will wait hz*20 (20 seconds) for pages to be read back in from the swap space -- if it doesn't hear back in that time, it generates the above warning and then continues waiting. Typically, that kind of wait might occur because of a hardware problem. Did you see any related console output from the controller/device driver? Typically having swap space disappear out from under the system is not good for the health of the system...

Also my thoughts that a disk is dying, but the controller is reporting everything as optimal. There should also be enough memory, so it's not really using swap space. I'll keep a close look with it, but this is really bad timing :(

--
Erwin Lansing http://droso.org
Re: World broken - pkgwrap.c missing
On Mon, Aug 11, 2003 at 11:12:18AM +0100, Neil Long wrote:

Hi

Just double cvsup'd RELENG_4 and buildworld exits in usr.sbin/pkg_install/lib

pkgwrap.c is not present but is required in the Makefile.

Kris already committed a fix. Just wait for it to spread out to the cvsup mirrors.

Cheers,
-erwin

--
Erwin Lansing http://droso.org