Re: Thanks for ksh
People have long said the worst things about perl, but that's one thing that scripting language definitely gets right... It has a -T switch you have to use for every security sensitive script that handles potentially untrusted outside data. That switch is very thorough about not letting you do anything with outside data before sanitizing first (through regexps what else ?) yes, that includes the PATH, environment, locales, stdin... *everything* that's been audited as being a source of outside data.
Re: Ordering OpenBSD 5.6 in the US?
https://https.openbsd.org/cgi-bin/order from this page; http://www.openbsd.org/orders.html#ca/cshop On Mon, Sep 29, 2014, at 10:21 PM, Andrew Lester wrote: Hey all, I notice the Softpro books seller, the only one for the US, indicates that they will no longer sell OpenBSD as distribution is moving to Europe. That being the case, what would the best place to order the disc set for OpenBSD 5.6 in the US be? Any word on when a preorder will be available? Warm regards, Andrew
Re: X dies after suspend to ram
On 09/28/14 09:11, Mike Larkin wrote: On Thu, Sep 25, 2014 at 12:12:55PM -0400, Ted W. wrote: I have really enjoyed the last few weeks of running OpenBSD on my Thinkpad. Almost everything I need works and or worked right out of the box. The only real issue I've noticed is that when the system returns from suspend and press ctrl-alt-del to restart X either X or SLiM (not sure which) will not come back up. To work around this issue, I switch to TTY2, log in as root and run `/etc/rc.d/slim restart`. I've tried suspending with and without using slock first and the behavior stays the same. Any input on the matter would be appreciated, -- Ted W. t...@xy0.org No dmesg, no help. Thank you for letting me know. I was not sure what would be helpful information to provide here. I have included the dmesg output below. I have also included Xorg.0.log in case that's helpful. I'm happy to provide any other information that would be useful. == # dmesg : bus 6 device 0 cacheline 0x0, lattimer 0xb0 pcmcia0 at cardslot0 pcib0 at pci0 dev 31 function 0 Intel 82801HEM LPC rev 0x03 pciide0 at pci0 dev 31 function 1 Intel 82801HBM IDE rev 0x03: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility pciide0: channel 0 disabled (no drives) pciide0: channel 1 ignored (disabled) ahci0 at pci0 dev 31 function 2 Intel 82801HBM AHCI rev 0x03: msi, AHCI 1.1 scsibus0 at ahci0: 32 targets sd0 at scsibus0 targ 0 lun 0: ATA, ST500LM000-1EJ16, DEM4 SCSI3 0/direct fixed naa.5000c5006a47abd7 sd0: 476940MB, 512 bytes/sector, 976773168 sectors ichiic0 at pci0 dev 31 function 3 Intel 82801H SMBus rev 0x03: apic 1 int 23 iic0 at ichiic0 usb2 at uhci0: USB revision 1.0 uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1 usb3 at uhci1: USB revision 1.0 uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1 usb4 at uhci2: USB revision 1.0 uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1 usb5 at uhci3: USB revision 1.0 uhub5 at usb5 Intel UHCI root hub rev 1.00/1.00 addr 1 isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pms0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pms0 mux 0 pcppi0 at isa0 port 0x61 spkr0 at pcppi0 aps0 at isa0 port 0x1600/31 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 ugen0 at uhub2 port 2 STMicroelectronics Biometric Coprocessor rev 1.00/0.01 addr 2 vscsi0 at root scsibus1 at vscsi0: 256 targets softraid0 at root scsibus2 at softraid0: 256 targets root on sd0a (5d6cdf996da41425.a) swap on sd0b dump on sd0b ugen0 detached ugen0 at uhub2 port 2 STMicroelectronics Biometric Coprocessor rev 1.00/0.01 addr 2 iwn0: fatal firmware error firmware error log: error type = NMI_INTERRUPT_WDG (0x0004) program counter = 0x046C source line = 0x00D0 error data = 0x00020263 branch link = 0x4B0C04C2 interrupt link = 0x06DE4B22 time= 2978746026 driver status: tx ring 0: qid=0 cur=187 queued=0 tx ring 1: qid=1 cur=0 queued=0 tx ring 2: qid=2 cur=0 queued=0 tx ring 3: qid=3 cur=0 queued=0 tx ring 4: qid=4 cur=26 queued=0 tx ring 5: qid=5 cur=0 queued=0 tx ring 6: qid=6 cur=0 queued=0 tx ring 7: qid=7 cur=0 queued=0 tx ring 8: qid=8 cur=0 queued=0 tx ring 9: qid=9 cur=0 queued=0 tx ring 10: qid=10 cur=0 queued=0 tx ring 11: qid=11 cur=0 queued=0 tx ring 12: qid=12 cur=0 queued=0 tx ring 13: qid=13 cur=0 queued=0 tx ring 14: qid=14 cur=0 queued=0 tx ring 15: qid=15 cur=0 queued=0 rx ring: cur=40 802.11 state 4 iwn0: fatal firmware error firmware error log: error type = NMI_INTERRUPT_WDG (0x0004) program counter = 0x046C source line = 0x00D0 error data = 0x00020263 branch link = 0x4B0C04C2 interrupt link = 0x06DE4B22 time= 2503288226 driver status: tx ring 0: qid=0 cur=127 queued=1 tx ring 1: qid=1 cur=0 queued=0 tx ring 2: qid=2 cur=0 queued=0 tx ring 3: qid=3 cur=0 queued=0 tx ring 4: qid=4 cur=225 queued=0 tx ring 5: qid=5 cur=0 queued=0 tx ring 6: qid=6 cur=0 queued=0 tx ring 7: qid=7 cur=0 queued=0 tx ring 8: qid=8 cur=0 queued=0 tx ring 9: qid=9 cur=0 queued=0 tx ring 10: qid=10 cur=0 queued=0 tx ring 11: qid=11 cur=0 queued=0 tx ring 12: qid=12 cur=0 queued=0 tx ring 13: qid=13 cur=0 queued=0 tx ring 14: qid=14 cur=0 queued=0 tx ring 15: qid=15 cur=0 queued=0 rx ring: cur=16 802.11 state 4 iwn0: fatal firmware error firmware error log: error type = NMI_INTERRUPT_WDG (0x0004) program counter = 0x046C source line = 0x00D0 error data = 0x00020703 branch link = 0x837004C2
Re: X dies after suspend to ram
On Tue, Sep 30, 2014 at 08:14:22AM -0400, Ted W. wrote: On 09/28/14 09:11, Mike Larkin wrote: On Thu, Sep 25, 2014 at 12:12:55PM -0400, Ted W. wrote: I have really enjoyed the last few weeks of running OpenBSD on my Thinkpad. Almost everything I need works and or worked right out of the box. The only real issue I've noticed is that when the system returns from suspend and press ctrl-alt-del to restart X either X or SLiM (not sure which) will not come back up. To work around this issue, I switch to TTY2, log in as root and run `/etc/rc.d/slim restart`. I've tried suspending with and without using slock first and the behavior stays the same. Any input on the matter would be appreciated, -- Ted W. t...@xy0.org No dmesg, no help. Thank you for letting me know. I was not sure what would be helpful information to provide here. I have included the dmesg output below. I have also included Xorg.0.log in case that's helpful. I'm happy to provide any other information that would be useful. That dmesg is no good. Please provide one from a clean boot. The idea is to look at what hardware is on the machine. -ml == # dmesg : bus 6 device 0 cacheline 0x0, lattimer 0xb0 pcmcia0 at cardslot0 pcib0 at pci0 dev 31 function 0 Intel 82801HEM LPC rev 0x03 pciide0 at pci0 dev 31 function 1 Intel 82801HBM IDE rev 0x03: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility pciide0: channel 0 disabled (no drives) pciide0: channel 1 ignored (disabled) ahci0 at pci0 dev 31 function 2 Intel 82801HBM AHCI rev 0x03: msi, AHCI 1.1 scsibus0 at ahci0: 32 targets sd0 at scsibus0 targ 0 lun 0: ATA, ST500LM000-1EJ16, DEM4 SCSI3 0/direct fixed naa.5000c5006a47abd7 sd0: 476940MB, 512 bytes/sector, 976773168 sectors ichiic0 at pci0 dev 31 function 3 Intel 82801H SMBus rev 0x03: apic 1 int 23 iic0 at ichiic0 usb2 at uhci0: USB revision 1.0 uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1 usb3 at uhci1: USB revision 1.0 uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1 usb4 at uhci2: USB revision 1.0 uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1 usb5 at uhci3: USB revision 1.0 uhub5 at usb5 Intel UHCI root hub rev 1.00/1.00 addr 1 isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pms0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pms0 mux 0 pcppi0 at isa0 port 0x61 spkr0 at pcppi0 aps0 at isa0 port 0x1600/31 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 ugen0 at uhub2 port 2 STMicroelectronics Biometric Coprocessor rev 1.00/0.01 addr 2 vscsi0 at root scsibus1 at vscsi0: 256 targets softraid0 at root scsibus2 at softraid0: 256 targets root on sd0a (5d6cdf996da41425.a) swap on sd0b dump on sd0b ugen0 detached ugen0 at uhub2 port 2 STMicroelectronics Biometric Coprocessor rev 1.00/0.01 addr 2 iwn0: fatal firmware error firmware error log: error type = NMI_INTERRUPT_WDG (0x0004) program counter = 0x046C source line = 0x00D0 error data = 0x00020263 branch link = 0x4B0C04C2 interrupt link = 0x06DE4B22 time= 2978746026 driver status: tx ring 0: qid=0 cur=187 queued=0 tx ring 1: qid=1 cur=0 queued=0 tx ring 2: qid=2 cur=0 queued=0 tx ring 3: qid=3 cur=0 queued=0 tx ring 4: qid=4 cur=26 queued=0 tx ring 5: qid=5 cur=0 queued=0 tx ring 6: qid=6 cur=0 queued=0 tx ring 7: qid=7 cur=0 queued=0 tx ring 8: qid=8 cur=0 queued=0 tx ring 9: qid=9 cur=0 queued=0 tx ring 10: qid=10 cur=0 queued=0 tx ring 11: qid=11 cur=0 queued=0 tx ring 12: qid=12 cur=0 queued=0 tx ring 13: qid=13 cur=0 queued=0 tx ring 14: qid=14 cur=0 queued=0 tx ring 15: qid=15 cur=0 queued=0 rx ring: cur=40 802.11 state 4 iwn0: fatal firmware error firmware error log: error type = NMI_INTERRUPT_WDG (0x0004) program counter = 0x046C source line = 0x00D0 error data = 0x00020263 branch link = 0x4B0C04C2 interrupt link = 0x06DE4B22 time= 2503288226 driver status: tx ring 0: qid=0 cur=127 queued=1 tx ring 1: qid=1 cur=0 queued=0 tx ring 2: qid=2 cur=0 queued=0 tx ring 3: qid=3 cur=0 queued=0 tx ring 4: qid=4 cur=225 queued=0 tx ring 5: qid=5 cur=0 queued=0 tx ring 6: qid=6 cur=0 queued=0 tx ring 7: qid=7 cur=0 queued=0 tx ring 8: qid=8 cur=0 queued=0 tx ring 9: qid=9 cur=0 queued=0 tx ring 10: qid=10 cur=0 queued=0 tx ring 11: qid=11 cur=0 queued=0 tx ring 12: qid=12 cur=0 queued=0 tx ring 13: qid=13 cur=0 queued=0 tx ring 14: qid=14 cur=0 queued=0 tx ring 15: qid=15 cur=0
Re: OpenBSD 5.6 pre-orders in Germany possible
On Sat, 2014-09-27 at 07:30 +0100, OpenBSD Europe wrote: Hi folks, I just noticed that in Germany Lehmanns (see OpenBSD's order-site) already accepts pre-orders for OpenBSD 5.6-release. Guess what I just did :-) My little contribution to the project along with a big THANK YOU to the devs! Cheers, STEFAN Please don't do this and cancel your order. Things will become obvious on Monday :) I might have missed something, but could you provide me with an update on this issue?
How to follow -stable and verify it with signify?
Hi folks, I've been googling for a couple of hours now and not coming up with much here. I see how to download the -release source and then verify it, but I cannot find any way to grab -stable from CVS and do the same. I guess the only way I do see is to start out with the -release code, verify it, and then download each patch and apply it after verifying. That looks to me like it would be a lot of jumping through hoops. Am I missing something somewhere? Or is there really no way to do this (directly)? thanks, -Alan -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: How to follow -stable and verify it with signify?
On Tue, Sep 30, 2014 at 10:27 AM, Stefan Olsson stefan.karl.ols...@gmail.com wrote: I don't do this myself, but stable=patch branch, i.e. release + patches. All info you need is really in these two pages: Yes, I have it working great already. But at no point during that process does it have me verify that the source code I have downloaded is safe and came from the place I was expecting to get it from. That's the part I'm asking about. thanks, -Alan -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Thanks for ksh
On 9/30/2014 at 1:06 AM Stuart Henderson wrote: | [snip] | |Some other vectors: | |dhclient script - the dhclient in base doesn't have scripts any more, |so no issue there. Other dhclient implementations still do, unlikely |to use bash *by default*, though who knows what people may change on |their systems. | | [snip] = Some *distributions* symlink /bin/sh to bash, so even though a script says #!/bin/sh, it gets bash.
Re: How to follow -stable and verify it with signify?
There are SSH fingerprints published for each of the CVS servers. Alternatively, you use the patch files which are signed. There aren't so many of them that's it hard to catch up. Tim. On Tue, Sep 30, 2014 at 10:37 AM, Alan McKay alan.mc...@gmail.com wrote: On Tue, Sep 30, 2014 at 10:27 AM, Stefan Olsson stefan.karl.ols...@gmail.com wrote: I don't do this myself, but stable=patch branch, i.e. release + patches. All info you need is really in these two pages: Yes, I have it working great already. But at no point during that process does it have me verify that the source code I have downloaded is safe and came from the place I was expecting to get it from. That's the part I'm asking about. thanks, -Alan -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: How to follow -stable and verify it with signify?
On 30-09-2014 11:56, trondd wrote: There are SSH fingerprints published for each of the CVS servers. They are published on a clear http page and there is no SSHFP on the dns. You need to access the anoncvs page from different places, using different connections/vpns/proxies, to be sure you are talking to the right anoncvs server. Alternatively, you use the patch files which are signed. There aren't so many of them that's it hard to catch up. I use the mtier openup tool and their binpatches. Yes, I'm trusting a third party on this. Have been using it for some time now, and it work great. Cheers, [demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
Re: How to follow -stable and verify it with signify?
On Tue, Sep 30, 2014 at 11:30 AM, Giancarlo Razzolini grazzol...@gmail.com wrote: On 30-09-2014 11:56, trondd wrote: There are SSH fingerprints published for each of the CVS servers. They are published on a clear http page and there is no SSHFP on the dns. You need to access the anoncvs page from different places, using different connections/vpns/proxies, to be sure you are talking to the right anoncvs server. Sure, you have to somehow verify that the fingerprint is good and check it against the fingerprint you get when first connecting to the CVS server. How can you verify that fingerprint is good? I don't know. Is it good enough to grab the signed source tarball, then checkout from CVS over it and make sure nothing changed in the process?
Re: How to follow -stable and verify it with signify?
Sounds like I'll need to go with the signed tarballs for the -release and then apply the signed patches to get -stable. Dangit, I already had my process down (building from CVS) and now I have to change it ...
Re: How to follow -stable and verify it with signify?
On 30-09-2014 12:46, trondd wrote: Sure, you have to somehow verify that the fingerprint is good and check it against the fingerprint you get when first connecting to the CVS server. How can you verify that fingerprint is good? I don't know. SSHFP. DNSSEC. And other ways. But these won't happen. And that's not necessarilly a bad thing. It makes you extra cautious. The downside is that it's up to the user to be able to check things securely. Not every user can or want to jump through all these hoops. Is it good enough to grab the signed source tarball, then checkout from CVS over it and make sure nothing changed in the process? No, this won't cut it. Unless you check every line changed, and understand completely what changed and the implications. Cheers, [demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
Re: How to follow -stable and verify it with signify?
On Tue, Sep 30, 2014 at 11:57 AM, Giancarlo Razzolini grazzol...@gmail.com wrote: Is it good enough to grab the signed source tarball, then checkout from CVS over it and make sure nothing changed in the process? No, this won't cut it. Unless you check every line changed, and understand completely what changed and the implications. CVS will tell you if anything changed. Get the signed release tarball, then checkout release over top. In conjunction with the SSH fingerprint, you can trust this CVS server. Checkout stable and go. ...Unless just the stable branch of this server has compromised code in it. Then you'll have to compare all the changes to the signed patch files. At that point, might as well just use the patch files, I guess.
Re: quotas grace period none right away
Hello Otto, Wednesday, September 24, 2014, 2:36:58 PM, you wrote: OM Try to come up with a reproducable test case, include all relevant OM info and then we can investigate. Here is what I could reproduce: root@mail1 ~ # quota test_spam Disk quotas for user test_spam (uid 1003): Filesystem KBytesquota limit gracefiles quota limit grace /var/mail 28 10 100 81 10 root@mail1 ~ # dd if=/dev/random of=w00 bs=1M count=150 150+0 records in 150+0 records out 157286400 bytes transferred in 2.679 secs (58707553 bytes/sec) root@mail1 ~ # mv w00 ~test_spam/ root@mail1 ~ # chown test_spam /var/mail/test_spam/w00 root@mail1 ~ # quota test_spam Disk quotas for user test_spam (uid 1003): Filesystem KBytesquota limit gracefiles quota limit grace /var/mail 153660* 10 100 18:10 91 10 root@mail1 ~ # edquota -t Time units may be: days, hours, minutes, or seconds Grace period before enforcing soft limits for users: /var/mail: block grace period: 30 days, file grace period: 30 days root@mail1 ~ # date Mon Sep 29 14:12:42 CDT 2014 root@mail1 ~ # rm /var/mail/test_spam/w00 root@mail1 ~ # quota test_spam Disk quotas for user test_spam (uid 1003): Filesystem KBytesquota limit gracefiles quota limit grace /var/mail 28 10 100 81 10 root@mail1 ~ # date Mon Sep 29 18:47:44 CDT 2014 root@mail1 ~ # quota test_spam Disk quotas for user test_spam (uid 1003): Filesystem KBytesquota limit gracefiles quota limit grace /var/mail 28 10 100 81 10 root@mail1 ~ # dd if=/dev/random of=~test_spam/w00 bs=1M count=150 150+0 records in 150+0 records out 157286400 bytes transferred in 2.059 secs (76367302 bytes/sec) root@mail1 ~ # chown test_spam /var/mail/test_spam/w00 root@mail1 ~ # quota test_spam Disk quotas for user test_spam (uid 1003): Filesystem KBytesquota limit gracefiles quota limit grace /var/mail 153660* 10 100 13:31 91 10 root@mail1 ~ # rm /var/mail/test_spam/w00 root@mail1 ~ # quota test_spam Disk quotas for user test_spam (uid 1003): Filesystem KBytesquota limit gracefiles quota limit grace /var/mail 28 10 100 81 10 root@mail1 ~ # date Tue Sep 30 08:38:03 CDT 2014 root@mail1 ~ # quota test_spam Disk quotas for user test_spam (uid 1003): Filesystem KBytesquota limit gracefiles quota limit grace /var/mail 28 10 100 81 10 root@mail1 ~ # dd if=/dev/random of=~test_spam/w00 bs=1M count=150 150+0 records in 150+0 records out 157286400 bytes transferred in 2.074 secs (75822855 bytes/sec) root@mail1 ~ # chown test_spam /var/mail/test_spam/w00 root@mail1 ~ # quota test_spam Disk quotas for user test_spam (uid 1003): Filesystem KBytesquota limit gracefiles quota limit grace /var/mail 153660* 10 100none 91 10 root@mail1 ~ # rm /var/mail/test_spam/w00 root@mail1 ~ # quota test_spam Disk quotas for user test_spam (uid 1003): Filesystem KBytesquota limit gracefiles quota limit grace /var/mail 28 10 100 81 10 root@mail1 ~ # dmesg | head OpenBSD 5.4-stable (GENERIC.MP) #3: Wed Apr 2 16:44:04 CDT 2014 r...@build32.twopoint.com:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: Intel(R) Xeon(R) CPU 3060 @ 2.40GHz (GenuineIntel 686-class) 2.41 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,LAHF,PERF real mem = 3621744640 (3453MB) avail mem = 3551121408 (3386MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xee000 (47 entries) bios0: vendor HP version W04 date 04/06/2007 bios0: HP ProLiant DL320 G5 I've also started the test case on another computer (turned on user quotas and created a new user) - everything starts unfolding the same way: # quota test Disk quotas for user test (uid 1002): Filesystem KBytesquota limit gracefiles quota limit grace /wrk 4 10 100 11 10 # dd if=/dev/random of=/wrk/test/w00 bs=1M count=150 150+0 records in 150+0 records out 157286400 bytes transferred in 14.572 secs (10793030 bytes/sec) # chown test /wrk/test/w00 # quota test Disk quotas for user test (uid 1002): Filesystem KBytesquota limit gracefiles quota limit grace /wrk 153636* 10 100 7days 21 10 # rm /wrk/test/w00 # quota test Disk quotas for user test (uid 1002): Filesystem KBytesquota limit gracefiles quota limit grace /wrk 4 10
Re: How to follow -stable and verify it with signify?
On Wed, 1 Oct 2014, at 04:46 AM, trondd wrote: On Tue, Sep 30, 2014 at 11:30 AM, Giancarlo Razzolini grazzol...@gmail.com wrote: On 30-09-2014 11:56, trondd wrote: There are SSH fingerprints published for each of the CVS servers. They are published on a clear http page and there is no SSHFP on the dns. You need to access the anoncvs page from different places, using different connections/vpns/proxies, to be sure you are talking to the right anoncvs server. Sure, you have to somehow verify that the fingerprint is good and check it against the fingerprint you get when first connecting to the CVS server. How can you verify that fingerprint is good? I don't know. Is it good enough to grab the signed source tarball, then checkout from CVS over it and make sure nothing changed in the process? Some of the servers have been up for years and the fingerprints are cached and mirrored all around the web. Compare what you're seeing with a few of the caches and mirrors to see if they match. -- Carlin
Re: quotas grace period none right away
On Tue, Sep 30, 2014 at 11:20:23AM -0500, Boris Goldberg wrote: Hello Otto, Wednesday, September 24, 2014, 2:36:58 PM, you wrote: OM Try to come up with a reproducable test case, include all relevant OM info and then we can investigate. I indeed see strange things on sparc64 more or less -current. Not exactly what you are seeing, but for starters, edquota -t is giving me what looks like unitialized mem. I hope to find some time to investigate further... -Otto
Re: OpenBSD 5.6 pre-orders in Germany possible
Am 09/30/14 um 14:42 schrieb Martijn van Duren: On Sat, 2014-09-27 at 07:30 +0100, OpenBSD Europe wrote: Hi folks, I just noticed that in Germany Lehmanns (see OpenBSD's order-site) already accepts pre-orders for OpenBSD 5.6-release. Guess what I just did :-) My little contribution to the project along with a big THANK YOU to the devs! Cheers, STEFAN Please don't do this and cancel your order. Things will become obvious on Monday :) I might have missed something, but could you provide me with an update on this issue? The openbsdstore.com has opend. Guess what I just did? ;-) Cheers, STEFAN
Re: How to follow -stable and verify it with signify?
On Tue, Sep 30, 2014 at 09:44, Alan McKay wrote: Hi folks, I've been googling for a couple of hours now and not coming up with much here. I see how to download the -release source and then verify it, but I cannot find any way to grab -stable from CVS and do the same. I guess the only way I do see is to start out with the -release code, verify it, and then download each patch and apply it after verifying. That looks to me like it would be a lot of jumping through hoops. Am I missing something somewhere? Or is there really no way to do this (directly)? I think you've already gotten the answer, which is to trust the ssh fingerprints. (actually, after you've connected once, you're trusting the key, not just the fingerprint, which is even better.) In theory, we could sign the ssh fingerprint page, but I don't think that's a good idea at the current time. There are some issues with expiring old data. You do have to trust the mirror, so it's not completely end to end, but that's how things stand. Or switch to using patches. Secure and convenient do not always go hand in hand.
Re: thinkpad wifi/dhclient issue
the last part of this saga is, that i have moved to a new place, and the issue went away. so it seems it was router related. just another strange story from the home router front. -f -- i have nothing to say, but i can say it loudly.
Re: OpenBSD 5.6 pre-orders in Germany possible
Am 09/30/14 um 14:42 schrieb Martijn van Duren: The openbsdstore.com has opend. Guess what I just did? ;-) Cheers, STEFAN Yep. We had a some issues to start with. *Please*, if you order and hit a problem, email it to ord...@openbsdstore.com and not on these lists. It's *much* easier for us to deal with. They seem to have settled now.
Re: OpenBSD 5.6 pre-orders in Germany possible
On 2014-09-30, Stefan Wollny stefan.wol...@web.de wrote: I might have missed something, but could you provide me with an update on this issue? The openbsdstore.com has opend. So what does this mean with regard to Lehmanns? -- Christian naddy Weisgerber na...@mips.inka.de
Re: OpenBSD 5.6 pre-orders in Germany possible
On Tue, Sep 30, 2014 at 09:02:56PM +0200, Stefan Wollny wrote: Am 09/30/14 um 14:42 schrieb Martijn van Duren: On Sat, 2014-09-27 at 07:30 +0100, OpenBSD Europe wrote: Hi folks, I just noticed that in Germany Lehmanns (see OpenBSD's order-site) already accepts pre-orders for OpenBSD 5.6-release. Guess what I just did :-) My little contribution to the project along with a big THANK YOU to the devs! Cheers, STEFAN Please don't do this and cancel your order. Things will become obvious on Monday :) I might have missed something, but could you provide me with an update on this issue? The openbsdstore.com has opend. Guess what I just did? ;-) Cheers, STEFAN Beat me to it - I've just pre-order my 5.6 release :~)
Re: OpenBSD 5.6 pre-orders in Germany possible
Am 09/30/14 um 21:45 schrieb Christian Weisgerber: So what does this mean with regard to Lehmanns? Guess ... ;-)
Re: OpenBSD 5.6 pre-orders in Germany possible
On 9/30/14, OpenBSD Europe m...@openbsdeurope.com wrote: Am 09/30/14 um 14:42 schrieb Martijn van Duren: The openbsdstore.com has opend. Guess what I just did? ;-) Cheers, STEFAN Yep. We had a some issues to start with. *Please*, if you order and hit a problem, email it to ord...@openbsdstore.com and not on these lists. It's *much* easier for us to deal with. They seem to have settled now. I'm not sure where exactly to send these questions, so i'm simply replying to all. Two questions: 1. Is there no option for guest checkout? Must I be forced to create an account? 2. Is the system smart enough so to understand, if I were to purchase say, 10 CDs, but only wish to have 1 shipped, to properly calculate the shipping costs for the single CD being shipped to me? --patrick
Re: Question re dhclient.conf
On 2014-09-30, sven falempin sven.falem...@gmail.com wrote: I also parse and do custom action with the lease file, so i forgot all concern about the absence of script hook. I also regurlarly monitor the lease, so i did not use http://entrproject.org/ , looks good stuff It is. This isn't quite what it was designed for, but it's normal for a proper unix utility to be able to do that ;) (I believe may be wrong ) is there a working INotify for bsd in perl ? There's a (fairly early) libinotify port using a kqueue backend, no idea if there's anything that can use it in Perl. But, for BSDs, IO::KQueue is probably a better idea.
Re: OpenBSD 5.6 pre-orders in Germany possible
Am 09/30/14 um 22:08 schrieb patrick keshishian: I'm not sure where exactly to send these questions, so i'm simply replying to all. Two questions: 1. Is there no option for guest checkout? Must I be forced to create an account? Nope - just order via email to od...@openbsdstore.com. 2. Is the system smart enough so to understand, if I were to purchase say, 10 CDs, but only wish to have 1 shipped, to properly calculate the shipping costs for the single CD being shipped to me? I have no idea if any other order site has been able to handle such requirements. Again: Drop the guys 'n gals at ord...@openbsdstore.com a note with what you need. From experience I can tell you they will handle your requests - friendly - fast - professional Anything else? Cheers, STEFAN
Re: OpenBSD 5.6 pre-orders in Germany possible
On 9/30/14, OpenBSD Europe m...@openbsdeurope.com wrote: Am 09/30/14 um 14:42 schrieb Martijn van Duren: The openbsdstore.com has opend. Guess what I just did? ;-) Cheers, STEFAN Yep. We had a some issues to start with. *Please*, if you order and hit a problem, email it to ord...@openbsdstore.com and not on these lists. It's *much* easier for us to deal with. They seem to have settled now. I'm not sure where exactly to send these questions, so i'm simply replying to all. Two questions: 1. Is there no option for guest checkout? Must I be forced to create an account? No, just email us the order. You can pay via PayPal or over the phone with your CC. 2. Is the system smart enough so to understand, if I were to purchase say, 10 CDs, but only wish to have 1 shipped, to properly calculate the shipping costs for the single CD being shipped to me? Do you mean buy 10CDs but only ship one? and the rest being a donation? In that case, just buy one CD and donate the other 9 directly. The project does much better that way.
Re: How to follow -stable and verify it with signify?
On 2014-09-30, Alan McKay alan.mc...@gmail.com wrote: Sounds like I'll need to go with the signed tarballs for the -release and then apply the signed patches to get -stable. binpatchng can help you with this process. But note that -stable sometimes has extra commits that don't have errata; release+patches is not quite the same thing as -stable.
Re: OpenBSD 5.6 pre-orders in Germany possible
On 9/30/14, OpenBSD Europe m...@openbsdeurope.com wrote: On 9/30/14, OpenBSD Europe m...@openbsdeurope.com wrote: Am 09/30/14 um 14:42 schrieb Martijn van Duren: The openbsdstore.com has opend. Guess what I just did? ;-) Cheers, STEFAN Yep. We had a some issues to start with. *Please*, if you order and hit a problem, email it to ord...@openbsdstore.com and not on these lists. It's *much* easier for us to deal with. They seem to have settled now. I'm not sure where exactly to send these questions, so i'm simply replying to all. Two questions: 1. Is there no option for guest checkout? Must I be forced to create an account? No, just email us the order. You can pay via PayPal or over the phone with your CC. Excellent! 2. Is the system smart enough so to understand, if I were to purchase say, 10 CDs, but only wish to have 1 shipped, to properly calculate the shipping costs for the single CD being shipped to me? Do you mean buy 10CDs but only ship one? and the rest being a donation? In that case, just buy one CD and donate the other 9 directly. The project does much better that way. Yes. I've been doing that in the past with the old ordering system. My understanding is that CD sales help Theo directly; I believe that is still the case. Cheers, --patrick
Re: How to follow -stable and verify it with signify?
On Tue, Sep 30, 2014 at 4:21 PM, Stuart Henderson s...@spacehopper.org wrote: binpatchng can help you with this process. I will have to look into that But note that -stable sometimes has extra commits that don't have errata; release+patches is not quite the same thing as -stable. Can you give 1 or 2 examples? I've been digging into this and it actually looks like release+patches will be easier for me to build than -stable -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: How to follow -stable and verify it with signify?
On Tue, Sep 30, 2014 at 04:33:35PM -0400, Alan McKay wrote: On Tue, Sep 30, 2014 at 4:21 PM, Stuart Henderson s...@spacehopper.org wrote: binpatchng can help you with this process. I will have to look into that But note that -stable sometimes has extra commits that don't have errata; release+patches is not quite the same thing as -stable. Can you give 1 or 2 examples? They happen whenever a fix is backported but not deemed critical enough or in wide enough use for errata. Here's the first two I found in 5.5-stable, there may be others but I stopped looking, since you just wanted a couple of examples. --- CVSROOT:/cvs Module name:src Changes by: s...@cvs.openbsd.org2014/09/07 13:41:51 Modified files: sys/dev/pci: Tag: OPENBSD_5_5 virtio.c virtiovar.h Log message: Fix hang with virtio event_idx feature backported from current virtio.c 1.6 / virtiovar.h 1.5: date: 2014/06/15 11:18:39; author: sf; commitid: 8b7wbadq7EgTO3mO; When using the RING_EVENT_IDX feature, we must first call publish_avail_idx() and then read VQ_AVAIL_EVENT(vq), or there is a race condition that may cause us to miss that the host needs to be notified. This resulted in an occasional hang of network in vio(4). --- VSROOT: /cvs Module name:src Changes by: d...@cvs.openbsd.org2014/04/20 18:30:48 Modified files: usr.bin/ssh: Tag: OPENBSD_5_5 bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h Log message: MFC: reliability fix for OpenSSH using curve25519-sha...@libssh.org key exchange method. ---
Re: How to follow -stable and verify it with signify?
On 30-09-2014 16:03, Ted Unangst wrote: In theory, we could sign the ssh fingerprint page, but I don't think that's a good idea at the current time. There are some issues with expiring old data. This would be a significant improvement. If you are 99,99% certain you got the release right, them you could quickly verify every other peace of the OpenBSD infrastructure. And it would render other solutions irrelevant (DNSSEC+SSHFP for example). Could you elaborate on the expiring issue? Cheers [demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
Re: How to follow -stable and verify it with signify?
On 2014-09-30, Giancarlo Razzolini grazzol...@gmail.com wrote: On 30-09-2014 16:03, Ted Unangst wrote: In theory, we could sign the ssh fingerprint page, but I don't think that's a good idea at the current time. There are some issues with expiring old data. This would be a significant improvement. If you are 99,99% certain you got the release right, them you could quickly verify every other peace of the OpenBSD infrastructure. And it would render other solutions irrelevant (DNSSEC+SSHFP for example). Could you elaborate on the expiring issue? There is no expiry time on a signify signature. If an anoncvs server were to be compromised such that you could no longer trust its key, there is no way we could revoke that signed web page. If an attacker was able to cause you to keep seeing an old version of the page, you'd have no way to know that this server's key was no longer to be trusted. This is actually something that dnssec can handle to some extent (you can set expiry times when signing a zone). But even then, signing a page with the host fingerprints...well, all it lets you do is verify that the server you're connecting to has a matching ssh host key and maybe that nobody has noticed and reported any problems with the code it's handing out within a certain window. It gives no guarantees that the program code handed out by that server is correct. In fact, verifying the host like this could be seen as giving a bit of a false sense of security.
Re: How to follow -stable and verify it with signify?
On 30-09-2014 20:24, Stuart Henderson wrote: There is no expiry time on a signify signature. If an anoncvs server were to be compromised such that you could no longer trust its key, there is no way we could revoke that signed web page. If an attacker was able to cause you to keep seeing an old version of the page, you'd have no way to know that this server's key was no longer to be trusted. Yes. I went on reading the signify man page, again, and found that to be the issue. This is actually something that dnssec can handle to some extent (you can set expiry times when signing a zone). But even then, signing a page with the host fingerprints...well, all it lets you do is verify that the server you're connecting to has a matching ssh host key and maybe that nobody has noticed and reported any problems with the code it's handing out within a certain window. It gives no guarantees that the program code handed out by that server is correct. In fact, verifying the host like this could be seen as giving a bit of a false sense of security. I didn't mentioned this attack, it's a form of trusting trust attack. But, I believe it would be better to have this than not to. OpenBSD do not have any secure way to get things. It's all up to the user. Not every user of OpenBSD can afford or even know how, to do what is necessary to at least have some confidence that you got things right. signify is a huge deal, but the project's infrastructure could be more secure in this sense. SSL? DNSSEC? signify signing of the site? I don't know what the project is willing to do, but I'm sure that something could be done. Cheers [demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
Re: How to follow -stable and verify it with signify?
On Tue, Sep 30, 2014, at 09:02 PM, Giancarlo Razzolini wrote: On 30-09-2014 20:24, Stuart Henderson wrote: There is no expiry time on a signify signature. If an anoncvs server were to be compromised such that you could no longer trust its key, there is no way we could revoke that signed web page. If an attacker was able to cause you to keep seeing an old version of the page, you'd have no way to know that this server's key was no longer to be trusted. Yes. I went on reading the signify man page, again, and found that to be the issue. This is actually something that dnssec can handle to some extent (you can set expiry times when signing a zone). But even then, signing a page with the host fingerprints...well, all it lets you do is verify that the server you're connecting to has a matching ssh host key and maybe that nobody has noticed and reported any problems with the code it's handing out within a certain window. It gives no guarantees that the program code handed out by that server is correct. In fact, verifying the host like this could be seen as giving a bit of a false sense of security. I didn't mentioned this attack, it's a form of trusting trust attack. But, I believe it would be better to have this than not to. OpenBSD do not have any secure way to get things. It's all up to the user. Not every user of OpenBSD can afford or even know how, to do what is necessary to at least have some confidence that you got things right. signify is a huge deal, but the project's infrastructure could be more secure in this sense. SSL? DNSSEC? signify signing of the site? I don't know what the project is willing to do, but I'm sure that something could be done. If you don't realize the the OpenBSD team hasn't thought about, talked about and argued about these issues to an extremely large extent then you are very new here. You won't see it on these lists, but if users are making suggestions you can be rest assured it has already been extensively discussed privately with the team. They are way ahead of us.