Re: cwm: xterm -e and ssh-to
On Tue, Feb 22, 2011 at 07:03:37PM -0700, Clint Pachl wrote:

I want my cwm to open an xterm window with tmux on CM-Return, so I write in my ~/.cwmrc:
command term uxterm +sb -bg #000 -fg #aaa -e tmux
That does the trick with tmux, but the ssh-to dialog fails to open. When I remove -e tmux from the command, ssh-to works fine, but I have to manually start tmux in new xterm windows, which isn't the desired behaviour. Sure, I can have in ~/.cwmrc:
bind CM-Return uxterm +sb -bg #000 -fg #aaa -e tmux
command term uxterm +sb -bg #000 -fg #aaa
But as I understand it, the term command was supposed to avoid setting that twice. Therefore, the question is: what would be the right way to do what I want it to do? Does there exist some syntax for nested commands? Or is there some way of concatenating commands? Or anything else I may be missing?

Whenever I have a complex command sequence like this in cwmrc (I usually run into problems too), I just break it out into a separate script in ~/bin/ then bind a key sequence to that script.

But there is no complex command sequence here! I do actually want to do 4 simple things:
1. Run uxterm with some custom options as the default terminal emulator in cwm;
2. Still have the possibility to run uxterm with default settings when run from the exec dialog;
3. Have uxterm started with tmux already running if no other task is bound to it by cwm;
4. Do 1-3 the right way.

-- Dmitrij D. Czarkoff
Re: /etc/hosts comments update
On 2011-02-22, Joachim Schipper joac...@joachimschipper.nl wrote:
I think your IPv4 text unwisely suggests that using e.g. 192.0.2.0/24 for your own stuff is okay. That's true only until you put a device with an appropriate list of unroutable IPs on your network, etc.

The same applies to the standard rfc1918 nets we already list.
Your web development opinions
Hi, what does the OpenBSD community think about new trends in web development: HTML5, javascript (jquery), AJAX? Do you block javascript? If so, do you mind turning it on sometimes? What browser do you use (lynx, firefox, chromium, ...)?

I am learning Django at the moment and I would like to know more about the nature of the common OpenBSD user and how I could contribute to the project with my webdev skills.
Re: Your web development opinions
On Wed, Feb 23, 2011 at 6:04 PM, Tomas Vavrys vav...@cleancode.cz wrote:
Hi, what does OpenBSD community think about new trends in web development HTML5, javascript (jquery), AJAX? Do you block javascript? If so, do

lots of code. lots of untested code. yes, i block javascript. my blood temp rises a bit when a site makes it a requirement.

you mind to turn it on sometimes? What browser do you use (lynx, firefox, chromium, ...)?

not much choice. firefox.

I am learning Django at the moment and I would like to know more about the nature of common OpenBSD user and how could I contribute to project with my webdev skills.

the common openbsd user is male, closet romantic, mildly aggressive, mildly masochistic, highly opinionated, loves to use the word 'fuck' and definitely does the act more than linux users.

Ana
-- http://nybl.info
Re: Your web development opinions
They're a fucking disaster security-wise.

+1

In general, blocking javascript won't get you too far, because most of the issues are not in the client, but rather in the use that's made of javascript. I basically block javascript to stop some advertising and keep some sites from crashing firefox. But many, many sites require javascript to even login (i.e. many bank websites!) - trying to do https and having to deal with corrupt certificate authorities that don't guarantee too much in the end.

CA's cannot be trusted to even pay attention to carefully securing your certificate. Here in the US, the government can simply ask for your certificate and get it (and possibly even use it to impersonate you).

I sign my own certificates, post a copy of the serial number and correct name and IP address on my websites using them. I explain to every customer that I do not trust external CA's and that I am only using https for encryption of passwords and paid content. No one has complained.

Some have told me that I am risking a man-in-the-middle attack. Perhaps. But I see little reason to trust the CA man-at-the-end!

Chris Bennett
Re: Your web development opinions
On Wed, 23 Feb 2011 11:04:58 +0100 Tomas Vavrys wrote:
Hi, what does OpenBSD community think about new trends in web development HTML5, javascript (jquery), AJAX? Do you block javascript? If so, do you mind to turn it on sometimes? What browser do you use (lynx, firefox, chromium, ...)?

I like html5 just because it allows videos that can be viewed universally and hopefully one day to demote flash to easy-to-do basic animation, as was originally intended before the apple vs microsoft format and patent wars, and regain the oodles of power wasted by flash, especially on Linux. Hopefully a video format that is as free as we can get will stop this kind of video war, with dire consequences in terms of owned boxes via flash ads etc., happening again. I am concerned about the data storage and other functions of html5 and privacy, though.

Javascript does annoy me a great deal, especially when they say it's required to click a link or download a pdf. I was shown a link the other day saying "install flash 8?!?! or greater to download this pdf" about a product. Have they not heard of w3c and audience maximisation? Generally I leave javascript off, it even annoys me on google searches, but I occasionally turn it on when it's not required to get functionality on sites I trust. I use noscript in firefox but also have a disable button.

Chromium availability has just come back, I think, on OpenBSD. I may use chromium and/or xxxterm at times or in the future. Almost forgot all the exploits in browsers related to javascript.

I am learning Django at the moment and I would like to know more about the nature of common OpenBSD user and how could I contribute to project with my webdev skills.
OT: Risks of CAs (Re: Your web development opinions)
Just some OT thoughts.

On Wed, Feb 23, 2011 at 07:35:19AM -0600, Chris Bennett wrote:
CA's cannot be trusted to even pay attention to carefully securing your certificate. Here in the US, the government can simply ask for your certificate and get it ( and possibly even use it to impersonate you)

The government would have the certificate, but not the private key, so I'm not sure how they can impersonate you with it. However, they can just get their own key to *any* shoddy CA included in browsers, and get a certificate linking that key to your services without much problem. The problem is not really whether there is a trust relationship between your CA provider and you, it's whether at least *one* CA is laxist enough that they give out certificates without thorough checking.

Even with your self-signed approach, somebody could get a CA to issue a certificate that their key is good for your website, and impersonate it to any of your new-coming customers who haven't been exposed to your official key yet.

I may also be wrong in my analysis, but as far as my understanding goes, it's correct.

-- Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655
Re: network bandwith with em(4)
On Tue, 22 Feb 2011 19:13:48 +0100, Manuel Guesdon ml+openbsd.m...@oxymium.net wrote:
Hello, We've got the same problems (on a router, not a firewall). Increasing MAX_INTS_PER_SEC to 24000 increased bandwidth and lowered packet loss. Our cards are Intel PRO/1000 (82576) and Intel PRO/1000 FP (82576). Did you try to increase the number of descriptors?
#define EM_MAX_TXD 256
#define EM_MAX_RXD 256

I've tried up to 2048 (and with MAX_INTS_PER_SEC = 16000) but it looks worse.

My configuration is two firewalls in master/backup mode. On the first one the two most busy links are on the first card (fiber). On the second, these two links are not on the same card: one is on the fiber card and the other on the copper card. I've noticed today that the input Ierr rate is far lower on the second firewall than on the first.

Is it possible to have a bottleneck on the ethernet card or on the bus?

I will make more tests tomorrow...

Thanks, regards.
Re: network bandwith with em(4)
On Tue, 22 Feb 2011 10:22:16 -0800 (PST), James A. Peltier jpelt...@sfu.ca wrote:
Those documents do not necessarily apply any more. Don't go tweaking knobs until you know what they do. We have machines here that transfer nearly a gigabit of traffic/s without tuning, in bridge mode nonetheless. Are you seeing any packet congestion markers (counter congestion) in systat pf? If so you might not have sufficient states available

I log the congestion counter (each 10s) and there are at max 3 or 4 congestions per day. I don't think the bottleneck is pf.

What about fragmentation?

None.

Interface errors?

Quite a lot.

There are many other non-tweakable issues that could cause this.

Sure, it's hard to know.

Thanks, regards.
Re: network bandwith with em(4)
On Wed, 23 Feb 2011 17:52:21 +0100 Patrick Lamaiziere patf...@davenulle.org wrote:
| On Tue, 22 Feb 2011 19:13:48 +0100,
| Manuel Guesdon ml+openbsd.m...@oxymium.net wrote:
|
| Hello,
|
| We've got the same problems (on a router, not a firewall). Increasing
| MAX_INTS_PER_SEC to 24000 increased bandwidth and lowered packet loss.
| Our cards are Intel PRO/1000 (82576) and Intel PRO/1000 FP
| (82576).
|
| Did you try to increase the number of descriptors?
| #define EM_MAX_TXD 256
| #define EM_MAX_RXD 256
|
| I've tried up to 2048 (and with MAX_INTS_PER_SEC = 16000) but it looks
| worse.

Thank you! I'll investigate this!

| My configuration is two firewalls in master/backup mode. On the first
| one the two most busy links are on the first card (fiber). On the
| second, these two links are not on the same card, one is on the fiber
| card and the other on the copper card. I've noticed today that the
| input Ierr rate is far lower on the second firewall than on the first.
|
| Is it possible to have a bottleneck on the ethernet card or on the bus?

Maybe (but I'm not an expert :-). In my case, the bus doesn't seem to be the problem (cards are on the PCI #1 64-bit PCI Express on a X8DTU http://www.supermicro.com/products/motherboard/QPI/5500/X8DTU.cfm).

Manuel
-- __ Manuel Guesdon - OXYMIUM
Re: Problems with USB on 4.9
Jacob Meuser jake...@sdf.lonestar.org wrote:
it does seem to be that the hub has disabled a port. that is done by the usb stack when the disabling port message appears. but that only happens when trying to attach a device, and I don't see any other code that's intentionally disabling ports. and afaics, the only times the usb stack does anything to ports is when a device is attached or detached.

Yes, I think you're right.

I wish I could at least give some ideas about how to debug this, but I'm basically without any ideas right now. sorry. I'll keep thinking about it.

Never mind, I was prepared that this would be difficult to debug. Thank you anyway.

-- Dennis den Brok
Re: Your web development opinions
On 02/23/2011 08:59 AM, Ana Zgombic wrote:
you mind to turn it on sometimes? What browser do you use (lynx, firefox, chromium, ...)?
not much choice. firefox.

Regrettably, it is. Firefox is now more about:
* users are too stupid to read
* let's not have any buttons so users don't click one they shouldn't
* features confuse users, it's better to remove them/hide them.

The only plus side is that standards-compliant browsers gain market share this way (a plus for web developers and standards compliance).

I remember firefox sync used to have an encryption passphrase for syncing data. Now that's gone, and users are motivated to PRINT an auto-generated one, because they can't remember the one that they set, and printing it is the safest way to make sure they don't lose it. Of course, if you CAN remember passphrases, you can't set your own any more.

This stuff is happening all the time with firefox, and I hope some OpenBSD-like developers branch firefox some day. "A browser for people who can read" would be a great slogan.

-- Hugo Osvaldo Barrera
Small fix to calendar.music
--- usr.bin/calendar/calendars/calendar.music.org Wed Feb 23 15:37:02 2011 +++ usr.bin/calendar/calendars/calendar.music Wed Feb 23 15:38:08 2011 @@ -89,7 +89,7 @@ 02/23 George Friedrich Handel is born in Halle on the Salle, Germany, 1685 02/23 Johnny Winter is born in Leland, Mississippi, 1944 02/23 Sir Edward William Elgar dies 1934 -02/24 Howard Hanson in Rochester, New York, 1981 +02/24 Howard Hanson dies in Rochester, New York, 1981 02/25 George Harrison born in Liverpool, England, 1943 02/27 Alexander Borodin dies, 1887 02/29 Jimmy Dorsey born, 1904
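Review bot: the added "dies" is the right fix; Howard Hanson died in Rochester, New York, on 24 February 1981, and the wording now matches the neighbouring "dies" entries in the hunk. While in this hunk, the unchanged context line "02/23 George Friedrich Handel is born in Halle on the Salle, Germany, 1685" misspells the river: it is the Saale, so a follow-up could make it "Halle on the Saale".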
Re: Your web development opinions
On 2/23/11 5:34 PM, Hugo Osvaldo Barrera wrote:
On 02/23/2011 08:59 AM, Ana Zgombic wrote:
you mind to turn it on sometimes? What browser do you use (lynx, firefox, chromium, ...)?
not much choice. firefox.
Regrettably, it is. Firefox is now more about:
* users are too stupid to read
* let's not have any buttons so user's don't click one they shouldn't
* features confuse user, it's better to remove them/hide them.
The only plus side, is that standard-complaint browsers with market share this way (a plus for web developers and standard-compliance). I remember firefox sync used to have an encryption passphrase for syncing data. Now that's gone, and users are motivated to PRINT an auto-generated one, because they can't remember the one that they set, and printing it is the safest way to make sure they don't loose it. Of course, if you CAN remember passphrases, you can't set your own any more. This stuff is happening all the time with firefox, and I hope some OpenBSD-like developers branch firefox some day. A browser for people who can read would be a great slogan.

You can always try xxxterm from Marco for a more secure browser. It really isn't bad at all! Very fast, small, and I would say more trusted than firefox or others, but sure, no question, definitely more trusted than IE. (;

Doesn't support flash, but that's not a loss, I HATE flash! YMMV.

I am not going to say it's full-featured and fully compliant, I never tested it, but as long as it does what you need, who cares! Maybe some journalist trying to write an article, but then what.

Just a thought. My son uses it and preaches it! Yeap!!! Haven't been able to compile it on mac yet, but when time allows, maybe in 20 years or so! (:
Re: OT: Risks of CAs (Re: Your web development opinions)
On Wed, Feb 23, 2011 at 9:21 AM, Olivier Mehani sht...@ssji.net wrote:
Just some OT thoughts. On Wed, Feb 23, 2011 at 07:35:19AM -0600, Chris Bennett wrote: CA's cannot be trusted to even pay attention to carefully securing your certificate. Here in the US, the government can simply ask for your certificate and get it ( and possibly even use it to impersonate you) The government would have the certificate, but not the private key, so I'm not sure how they can impersonate you with it.

it's a little more detailed than that

the gov could say revoke his cert on the crl, and assign the next iteration to me with my arbitrary req generated with my arbitrary key

at that point it would not matter if they don't have *his* private key

if he controls the ca, then the gov/whoever is forced to do true mitm

the big problem with the first is that chances are that your ca company is american/european (no bullet proof host), and they will give in like paypal wrt wikileaks

However, they can just get their own key to *any* shoddy CA included in browsers, and get a certificate linking that key to your services without much problem. The problem is not really whether there is a trust relationship between your CA provider and you, it's whether at least *one* CA is laxist enough that they give out certificates without thorough checking. Even with your self-signed approach, somebody could get a CA to issue a certificate that their key is good for your website, and impersonate it to any of your new-coming customers who haven't been exposed to your official key yet. I may also be wrong in my analysis, but as far as my understanding goes, it's correct. -- Olivier Mehani sht...@ssji.net PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655
ruby-thin: Errno::EPERM with QUIT Signal
I use Thin (ruby-thin) as the HTTP frontend for my web frameworks.

STARTING/STOPPING:
$ sudo -u #{USER} thin -C #{THIN_PRODUCTION_CONF} start
$ sudo -u #{USER} thin -C #{THIN_PRODUCTION_CONF} stop

THIN_PRODUCTION_CONF:
---
rackup: config/config.ru
address: localhost
port: 3020
servers: 4
max_conns: 1024
max_persistent_conns: 512
timeout: 30
environment: production
pid: tmp/thin-production.pid
log: log/thin-production.log
daemonize: true

When sending the thin stop command, I get the following error on STDOUT:

Stopping server on localhost:3020 ...
Sending QUIT signal to process 15182 ...
/usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:7:in `getpgid': Operation not permitted (Errno::EPERM)
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:7:in `running?'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:118:in `send_signal'
        from /usr/local/lib/ruby/1.8/timeout.rb:67:in `timeout'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:117:in `send_signal'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:103:in `kill'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:87:in `stop'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:128:in `tail_log'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:86:in `stop'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:177:in `send'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:177:in `run_command'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:143:in `run!'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/bin/thin:6
        from /usr/local/bin/thin:19:in `load'
        from /usr/local/bin/thin:19

Here's a snippet from daemonizing.rb:

 6:   def running?(pid)
 7:     Process.getpgid(pid) != -1
 8:   rescue Errno::ESRCH
 9:     false
10:   end

As you can see, the ESRCH error is rescued here, which is the other error that getpgid(2) can return. Can anyone explain this?

When the thin processes are daemonized, are they detached from the session and that's why it's complaining with an EPERM error? The daemonized processes all do quit, but not without a delay, which may be the reason for entering the timeout.rb code? So I'm not sure I need to worry. I've been running things like this for over 2 years now, but I'd just like to quiet it down as it doesn't seem normal.

Thanks,
Clint
Re: ruby-thin: Errno::EPERM with QUIT Signal
Thanks Jeremy. I also reported this on Thin's bug tracking system as well.

Jeremy Evans wrote:
On Wed, Feb 23, 2011 at 4:32 PM, Clint Pachl pa...@ecentryx.com wrote:
I use Thin (ruby-thin) as the HTTP frontend for my web frameworks.

STARTING/STOPPING:
$ sudo -u #{USER} thin -C #{THIN_PRODUCTION_CONF} start
$ sudo -u #{USER} thin -C #{THIN_PRODUCTION_CONF} stop

THIN_PRODUCTION_CONF:
---
rackup: config/config.ru
address: localhost
port: 3020
servers: 4
max_conns: 1024
max_persistent_conns: 512
timeout: 30
environment: production
pid: tmp/thin-production.pid
log: log/thin-production.log
daemonize: true

When sending the thin stop command, I get the following error on STDOUT:

Stopping server on localhost:3020 ...
Sending QUIT signal to process 15182 ...
/usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:7:in `getpgid': Operation not permitted (Errno::EPERM)
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:7:in `running?'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:118:in `send_signal'
        from /usr/local/lib/ruby/1.8/timeout.rb:67:in `timeout'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:117:in `send_signal'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:103:in `kill'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:87:in `stop'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:128:in `tail_log'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:86:in `stop'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:177:in `send'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:177:in `run_command'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:143:in `run!'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/bin/thin:6
        from /usr/local/bin/thin:19:in `load'
        from /usr/local/bin/thin:19

Here's a snippet from daemonizing.rb:

 6:   def running?(pid)
 7:     Process.getpgid(pid) != -1
 8:   rescue Errno::ESRCH
 9:     false
10:   end

As you can see, the ESRCH error is rescued here, which is the other error that getpgid(2) can return. Can anyone explain this?

Yes. The original author is not checking all of the errors he should be checking. He should be rescuing Errno::EPERM and returning true, I think. Looks like a patch for exactly that was committed in June of last year: https://github.com/macournoyer/thin/blob/master/lib/thin/daemonizing.rb#L8

So thin should probably be updated after ports unlocks. I'll take care of it.

Jeremy
Re: Your web development opinions
On 23/02/11 20:56, Andres Perera wrote:
On Wed, Feb 23, 2011 at 5:57 PM, Hugo Osvaldo Barrera h...@osvaldobarrera.com.ar wrote:
On 02/23/2011 10:35 AM, Chris Bennett wrote:
They're a fucking disaster security-wise.
+1
In general, blocking javascript won't get you too far, because most of the issues are not in the client, but rather in the use that's made of javascript. I basically block javascript to stop some advertising and keep some sites from crashing firefox. But many, many sites require javascript to even login (i.e. many bank websites!) - trying to do https and having to deal with corrupt certificate authorities that don't guarantee too much in the end. CA's cannot be trusted to even pay attention to carefully securing your certificate. Here in the US, the government can simply ask for your certificate and get it ( and possibly even use it to impersonate you) I sign my own certificates, post a copy of serial number and correct name and IP address on my websites using them. I explain to every customer that I do not trust external CA's and that I am only using https for encryption of passwords and paid content. No one has complained.

A simple man-in-the-middle of that site, and replacing its content, would open the door for every site you refer to. If it's an SSL website, you're in an endless loop without a CA or trusted third party.

Some have told me that I am risking a man-in-the-middle attack. Perhaps. But I see little reason to trust the CA man-at-the-end! Chris Bennett

Supposing that's the case, the government can just request a CA a certificate for your domain, and do a man-in-the-middle. Users won't get any prompt for an invalid cert, and the same vulnerability you described still exists.

that's flawed because you're assuming his users are trusting equifax, cacert.org, and the countless others that get bundled in certs packages for unix, or worse, his users are using a browser that comes bundled with its own set of certs and ssl library (firefox).

That means you'd have to physically give the certificate to every user; with no trusted authority, or trusted third party, you have no way of establishing a secure (authenticated) communication, except physically being with that person. How do you then pay your taxes? Check your bank account, etc? I don't like having to trust dozens of CAs and it's definitely not the best solution, but I don't see any alternative for this sort of thing.

when you download openssh, does it come bundled with a known hosts file? no, you go to the site and look at their public key. if they delegated their public keys to a central authority they exert no control over, they don't have the power to shutdown their site when it becomes compromised to display bogus public keys, or worse

similarly, i dont feed the cert bundle to sendmail, but instead feed it a *single* cert that i'm very wary of if it changes

ssl everywhere is a stupid concept because of this. you should only ssl select communications so that managing the certs is plausible

Additionally, you have to make users accept the cert manually the first time (checking it, of course). It may not be much of a fuss, but I don't see you actually fixing any security holes.

-- Hugo Osvaldo Barrera
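The two trust models argued over in this thread (Olivier's point that any bundled CA can issue a certificate for your name, and Andres's "feed it a *single* cert" approach) side by side, as an added example that is not code from any poster. Everything here is constructed offline: both keys and all three certificates are generated in the script, and the names "Shoddy CA" and "shop.example" are placeholders, not real sites.

```ruby
require 'openssl'

ONE_YEAR = 365 * 24 * 3600

# Make a certificate for +cn+. With no issuer it is self-signed (the scheme the
# thread's site owner uses); with an issuer it is signed by that CA's key.
# Keys are generated fresh here so the example runs offline; none is real.
def make_cert(cn, issuer: nil, issuer_key: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + ONE_YEAR
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# What the site owner publishes next to the serial number: the SHA-256
# fingerprint of the DER-encoded certificate.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Model 1, the CA bundle: the client accepts any certificate that chains to a
# CA it trusts, whoever asked that CA for it.
def bundle_accepts?(trusted_cas, presented)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  store.verify(presented)
end

# Model 2, pinning: exactly one fingerprint is trusted and the bundle is
# ignored. A fingerprint is public data, so a plain comparison is fine.
def pin_accepts?(pinned_hex, presented)
  fingerprint(presented) == pinned_hex
end

if $PROGRAM_NAME == __FILE__
  ca, ca_key = make_cert('Shoddy CA', ca: true)
  site, = make_cert('shop.example')                                  # the owner's self-signed cert
  lookalike, = make_cert('shop.example', issuer: ca, issuer_key: ca_key) # same name, issued by a bundled CA
  pin = fingerprint(site)
  puts "bundle accepts CA-issued lookalike: #{bundle_accepts?([ca], lookalike)}"
  puts "bundle accepts owner's self-signed: #{bundle_accepts?([ca], site)}"
  puts "pin accepts owner's self-signed:    #{pin_accepts?(pin, site)}"
  puts "pin accepts CA-issued lookalike:    #{pin_accepts?(pin, lookalike)}"
end
```

The trade-off Hugo raises remains visible in the code: pinning rejects the lookalike, but every client must obtain the pinned fingerprint by some channel other than the site itself.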
Re: ruby-thin: Errno::EPERM with QUIT Signal
On Wed, Feb 23, 2011 at 4:32 PM, Clint Pachl pa...@ecentryx.com wrote:
I use Thin (ruby-thin) as the HTTP frontend for my web frameworks.

STARTING/STOPPING:
$ sudo -u #{USER} thin -C #{THIN_PRODUCTION_CONF} start
$ sudo -u #{USER} thin -C #{THIN_PRODUCTION_CONF} stop

THIN_PRODUCTION_CONF:
---
rackup: config/config.ru
address: localhost
port: 3020
servers: 4
max_conns: 1024
max_persistent_conns: 512
timeout: 30
environment: production
pid: tmp/thin-production.pid
log: log/thin-production.log
daemonize: true

When sending the thin stop command, I get the following error on STDOUT:

Stopping server on localhost:3020 ...
Sending QUIT signal to process 15182 ...
/usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:7:in `getpgid': Operation not permitted (Errno::EPERM)
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:7:in `running?'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:118:in `send_signal'
        from /usr/local/lib/ruby/1.8/timeout.rb:67:in `timeout'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:117:in `send_signal'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:103:in `kill'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:87:in `stop'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:128:in `tail_log'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:86:in `stop'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:177:in `send'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:177:in `run_command'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:143:in `run!'
        from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/bin/thin:6
        from /usr/local/bin/thin:19:in `load'
        from /usr/local/bin/thin:19

Here's a snippet from daemonizing.rb:

 6:   def running?(pid)
 7:     Process.getpgid(pid) != -1
 8:   rescue Errno::ESRCH
 9:     false
10:   end

As you can see, the ESRCH error is rescued here, which is the other error that getpgid(2) can return. Can anyone explain this?

Yes. The original author is not checking all of the errors he should be checking. He should be rescuing Errno::EPERM and returning true, I think. Looks like a patch for exactly that was committed in June of last year: https://github.com/macournoyer/thin/blob/master/lib/thin/daemonizing.rb#L8

So thin should probably be updated after ports unlocks. I'll take care of it.

Jeremy
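The `running?` check from Clint's backtrace beside the EPERM-aware version Jeremy describes, as an added example rather than thin's own code. The `probe` and `kill` lambdas are stand-ins this example introduces so both getpgid(2) error paths can be exercised offline; `EPERM_PROBE` and `ESRCH_PROBE` are constructed fakes, and the `stop` helper only mirrors the signal-then-poll shape visible in the backtrace (`send_signal` inside `timeout`), not thin's actual implementation.

```ruby
require 'timeout'

module DaemonProbe
  # Constructed stand-ins for getpgid(2) so both error paths can be exercised
  # without a real daemon: a live process in another session (what a
  # daemonized thin looks like after setsid) raises EPERM, a dead pid raises
  # ESRCH. REAL_PROBE asks the kernel.
  EPERM_PROBE = ->(_pid) { raise Errno::EPERM }
  ESRCH_PROBE = ->(_pid) { raise Errno::ESRCH }
  REAL_PROBE  = ->(pid) { Process.getpgid(pid) }

  # The thin 1.2.7 logic quoted in the thread: only ESRCH is rescued, so an
  # EPERM from the kernel escapes and aborts `thin stop` inside Timeout.timeout.
  def self.running_buggy?(pid, probe = REAL_PROBE)
    probe.call(pid) != -1
  rescue Errno::ESRCH
    false
  end

  # The fix Jeremy describes: EPERM means a process with that pid exists but
  # may not be inspected from this session, which for a pidfile check means
  # "still running". Only ESRCH means the pid is free.
  def self.running?(pid, probe = REAL_PROBE)
    probe.call(pid) != -1
  rescue Errno::ESRCH
    false
  rescue Errno::EPERM
    true
  end

  # Signal a daemon and poll until it is gone or +wait+ seconds pass.
  # Returns :stopped or :timeout. +kill+ is injectable for the same reason
  # +probe+ is: tests pass stubs, real use keeps the Process.kill default.
  def self.stop(pid, sig: 'QUIT', wait: 2.0, probe: REAL_PROBE,
                kill: ->(s, target) { Process.kill(s, target) })
    kill.call(sig, pid)
    Timeout.timeout(wait) { sleep 0.05 while running?(pid, probe) }
    :stopped
  rescue Timeout::Error
    :timeout
  rescue Errno::ESRCH
    :stopped # gone before the signal could be delivered
  end
end

if $PROGRAM_NAME == __FILE__
  puts "own pid running?        #{DaemonProbe.running?(Process.pid)}"
  puts "fixed, EPERM from probe: #{DaemonProbe.running?(0, DaemonProbe::EPERM_PROBE)}"
  puts "fixed, ESRCH from probe: #{DaemonProbe.running?(0, DaemonProbe::ESRCH_PROBE)}"
  begin
    DaemonProbe.running_buggy?(0, DaemonProbe::EPERM_PROBE)
  rescue Errno::EPERM => e
    puts "buggy version raises:    #{e.class}"
  end
end
```

Note that `getpgid` still succeeds for a zombie, so a parent that has not yet `wait`ed on its child will see it as running; that does not apply to `thin stop`, which is not the daemon's parent.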
AHCI configuration delay
Hi Guys,

Today I installed a new machine with an AHCI SATA controller. When the machine is booting, during the configuration of the ahci driver, the kernel has a delay of approximately 30 seconds. During this time, the disk LED is constantly blinking. Then the driver prints two "PHY offline on port" messages and the machine boots normally. The snippet that matters:

ahci0 at pci0 dev 31 function 2 Intel 82801I AHCI rev 0x02: apic 2 int 19 (irq 10), AHCI 1.2
ahci0: PHY offline on port 1
ahci0: PHY offline on port 5
scsibus0 at ahci0: 32 targets

For the sake of completeness, I am also attaching the complete dmesg:

OpenBSD 4.9 (GENERIC.MP) #811: Tue Feb 22 12:04:57 MST 2011 t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 3714764800 (3542MB) avail mem = 3601858560 (3435MB) mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf70c0 (43 entries) bios0: vendor Dell Inc. version A00 date 01/06/2010 bios0: Dell Inc. Latitude 13 acpi0 at bios0: rev 2 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP HPET APIC ASF!
MCFG TCPA SLIC SSDT acpi0: wakeup devices PCI0(S5) PCIE(S4) USB1(S0) USB2(S0) USB3(S0) USB4(S0) USB5(S0) USB6(S0) EHC2(S0) EHCI(S0) AZAL(S3) RP01(S3) RP02(S1) RP03(S3) RP04(S3) RP05(S3) RP06(S5) LID_(S3) PBTN(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpihpet0 at acpi0: 14318179 Hz acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Genuine Intel(R) CPU U7300 @ 1.30GHz, 1297.09 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG cpu0: 3MB 64b/line 8-way L2 cache cpu0: apic clock running at 199MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: Genuine Intel(R) CPU U7300 @ 1.30GHz, 1296.89 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG cpu1: 3MB 64b/line 8-way L2 cache ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins ioapic0: misconfigured as apic 0, remapped to apid 2 acpimcfg0 at acpi0 addr 0xf800, bus 0-63 acpiprt0 at acpi0: bus 2 (PCIE) acpiprt1 at acpi0: bus 11 (RP01) acpiprt2 at acpi0: bus 12 (RP02) acpiprt3 at acpi0: bus -1 (RP03) acpiprt4 at acpi0: bus 13 (RP04) acpiprt5 at acpi0: bus -1 (RP05) acpiprt6 at acpi0: bus 9 (RP06) acpiprt7 at acpi0: bus 0 (PCI0) acpiec0 at acpi0 acpicpu0 at acpi0: C3, C2, C1, PSS acpicpu1 at acpi0: C3, C2, C1, PSS acpitz0 at acpi0: critical temperature 107 degC acpibtn0 at acpi0: LID_ acpibtn1 at acpi0: PBTN acpibtn2 at acpi0: SBTN acpiac0 at acpi0: AC unit offline acpibat0 at acpi0: BAT0 model DELL NTG4J0B serial 409 type LION oem SMP acpivideo0 at acpi0: VID_ acpivout0 at acpivideo0: CRT_ acpivout1 at acpivideo0: TV__ acpivout2 at acpivideo0: LCD_ acpivout3 at acpivideo0: DP__ acpivout4 at acpivideo0: DP2_ acpivout5 at acpivideo0: DVI_ acpivout6 at acpivideo0: DVI2 
acpivideo1 at acpi0: VID2 cpu0: Enhanced SpeedStep 1296 MHz: speeds: 1300, 1200, 800 MHz pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 Intel GM45 Host rev 0x07 vga1 at pci0 dev 2 function 0 Intel GM45 Video rev 0x07 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) intagp0 at vga1 agp0 at intagp0: aperture at 0xe000, size 0x1000 inteldrm0 at vga1: apic 2 int 16 (irq 11) drm0 at inteldrm0 Intel GM45 Video rev 0x07 at pci0 dev 2 function 1 not configured uhci0 at pci0 dev 26 function 0 Intel 82801I USB rev 0x02: apic 2 int 20 (irq 10) uhci1 at pci0 dev 26 function 1 Intel 82801I USB rev 0x02: apic 2 int 21 (irq 7) uhci2 at pci0 dev 26 function 2 Intel 82801I USB rev 0x02: apic 2 int 22 (irq 5) ehci0 at pci0 dev 26 function 7 Intel 82801I USB rev 0x02: apic 2 int 22 (irq 5) usb0 at ehci0: USB revision 2.0 uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1 azalia0 at pci0 dev 27 function 0 Intel 82801I HD Audio rev 0x02: apic 2 int 21 (irq 7) azalia0: codecs: Realtek ALC269 audio0 at azalia0 ppb0 at pci0 dev 28 function 0 Intel 82801I PCIE rev 0x02: apic 2 int 16 (irq 0) pci1 at ppb0 bus 11 ppb1 at pci0 dev 28 function 1 Intel 82801I PCIE rev 0x02: apic 2 int 17 (irq 0) pci2 at ppb1 bus 12 iwn0 at pci2 dev 0 function 0 Intel WiFi Link 5100 rev 0x00: apic 2 int 17 (irq 4), MIMO 1T2R, MoW, address 00:24:d6:ad:e7:a8 ppb2 at pci0 dev 28 function 3 Intel 82801I PCIE rev 0x02: apic 2 int 19 (irq 0) pci3 at ppb2 bus 13 ppb3 at pci0 dev 28 function 5 Intel 82801I PCIE rev 0x02: apic 2 int 17 (irq 0) pci4 at ppb3 bus 9 bge0 at pci4 dev 0 function 0 Broadcom BCM5761E rev 0x10, BCM5761 A1 (0x5761100): apic 2 int 17 (irq 4), address 00:26:b9:69:27:e6 brgphy0 at bge0 phy 1: BCM5761 10/100/1000baseT PHY, rev. 0 uhci3 at pci0 dev 29 function 0 Intel 82801I USB rev 0x02: apic 2 int 20 (irq 10) uhci4 at pci0 dev 29 function
Re: Your web development opinions
On Wed, Feb 23, 2011 at 9:20 PM, Hugo Osvaldo Barrera h...@osvaldobarrera.com.ar wrote:

On 23/02/11 20:56, Andres Perera wrote:

On Wed, Feb 23, 2011 at 5:57 PM, Hugo Osvaldo Barrera h...@osvaldobarrera.com.ar wrote:

On 02/23/2011 10:35 AM, Chris Bennett wrote:

They're a fucking disaster security-wise.

+1

In general, blocking javascript won't get you too far, because most of the issues are not in the client, but rather in the use that's made of javascript. I basically block javascript to stop some advertising and keep some sites from crashing firefox.

But many, many sites require javascript to even login (i.e. many bank websites!) - trying to do https and having to deal with corrupt certificate authorities that don't guarantee too much in the end. CA's cannot be trusted to even pay attention to carefully securing your certificate. Here in the US, the government can simply ask for your certificate and get it (and possibly even use it to impersonate you). I sign my own certificates, post a copy of serial number and correct name and IP address on my websites using them. I explain to every customer that I do not trust external CA's and that I am only using https for encryption of passwords and paid content. No one has complained.

A simple man-in-the-middle of that site, and replacing its content, would open the door for every site you refer to. If it's an SSL website, you're in an endless loop without a CA or trusted third party.

i hope that you realize that the loop applies to the initial distribution of the bundle as well and that the difference after that is one is centralized (bigger target) and the other one isn't

you're going to get their crl from them, right? like the millions of other people that trust them should?

Some have told me that I am risking a man-in-the-middle attack. Perhaps. But I see little reason to trust the CA man-at-the-end!

Chris Bennett

Supposing that's the case, the government can just request a CA a certificate for your domain, and do a man-in-the-middle. Users won't get any prompt for invalid cert, and the same vulnerability you described using still exists.

that's flawed because you're assuming his users are trusting equifax, cacert.org, and the countless others that get bundled in certs packages for unix, or worse, his users are using a browser that comes bundled with its own set of certs and ssl library (firefox).

That means you'd have to physically give the certificate to every user; with no trusted authority, or trusted third party, you have no way of establishing a secure (authenticated) communication, except physically being with that person. How do you then pay your taxes? Check your bank account, etc? I don't like having to trust dozens of CA and it's definitely not the best solution, but I don't see any alternative for this sort of thing.

my bank account and other items would never account for the plethora of bundled certs, nor with the inability of a client to associate cacerts with specific hosts. the latter is why your argument is flawed, and it has nothing to do with self-signing

a cert pool should have varying degrees of trust and reach. if firefox doesn't do this, the problem is firefox and not the server's cert distribution model

when you download openssh, does it come bundled with a known hosts file? no, you go to the site and look at their public key. if they delegated their public keys to a central authority they exert no control over, they don't have the power to shut down their site when it becomes compromised to display bogus public keys, or worse

similarly, i don't feed the cert bundle to sendmail, but instead feed it a *single* cert that i'm very wary of if it changes

ssl everywhere is a stupid concept because of this. you should only ssl select communications so that managing the certs is plausible

Additionally, you have to make users accept the cert manually the first time (checking it, of course). It may not be much of a fuss, but I don't see you actually fixing any security holes.

-- 
Hugo Osvaldo Barrera
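Added example, not code from anyone in this thread: a known_hosts-style pin store for TLS server certificates in Python, the "single cert" model described above for sendmail, written to show what the client actually checks once it stops consulting a CA bundle. The first contact records the SHA-256 fingerprint of the server's DER certificate (trust on first use, after the operator has verified it out of band, which is the manual acceptance step the thread mentions); every later contact is compared against that pin, and a changed certificate is refused no matter who signed it. PinStore, PinMismatch and fetch_peer_cert are names chosen here; CERT_A and CERT_B are constructed byte strings standing in for DER certificates, not real certificates, and fetch_peer_cert is the only part that touches the network.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, the value `openssl x509 -sha256 -fingerprint` prints (hex, no colons)."""
    return hashlib.sha256(der_cert).hexdigest()


class PinMismatch(Exception):
    """The host presented a certificate other than the one pinned for it."""


class PinStore:
    """known_hosts-style mapping "host:port" -> pinned SHA-256 fingerprint (hex)."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None   # None keeps the store in memory
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, port: int, der_cert: bytes, trust_first_use: bool = False) -> str:
        """Compare the presented certificate with the pin for host:port.

        "trusted": fingerprint matches the existing pin.
        "pinned":  no pin existed and trust_first_use recorded this one.
        "unknown": no pin exists and trust_first_use is off; caller must not proceed.
        Raises PinMismatch when a pin exists and the certificate differs.
        """
        key = f"{host}:{port}"
        seen = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            if not trust_first_use:
                return "unknown"
            self.pins[key] = seen
            self._save()
            return "pinned"
        if pinned != seen:
            raise PinMismatch(f"{key}: pinned {pinned[:16]}..., got {seen[:16]}...")
        return "trusted"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the server's leaf certificate in DER form.

    CA chain verification is off here because the pin, not a bundle, is what
    this client trusts; the caller must run PinStore.check on the result
    before sending anything sensitive over the connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificates: the pin logic only hashes the
# bytes, so two distinct byte strings are enough to show all three outcomes.
CERT_A = b"\x30\x82\x01\x00constructed-cert-for-example-a"
CERT_B = b"\x30\x82\x01\x00constructed-cert-for-example-b"


def demo():
    """Walk one host through first use, a matching reconnect, and a changed cert."""
    store = PinStore()                      # in-memory; pass a path to persist pins
    first = store.check("mail.example", 465, CERT_A, trust_first_use=True)
    again = store.check("mail.example", 465, CERT_A)
    try:
        store.check("mail.example", 465, CERT_B)
        changed = "accepted"
    except PinMismatch:
        changed = "refused"
    return first, again, changed


if __name__ == "__main__":
    print(demo())  # ('pinned', 'trusted', 'refused')
```

The design deliberately has no "accept the new certificate" path inside check: when a pinned host changes its certificate the operator has to update the store by hand, which is the point of pinning a single cert rather than trusting whatever a bundle would accept.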