Re: Install on compact flash

2015-10-18 Thread Josh Grosse
On Mon, Oct 19, 2015 at 04:34:31AM +0200, Einfach Jemand wrote:
>  No. As far as I understand it:
> The type (char or block), the major and minor number of the device
> special file and its name are means to activate the corresponding device
> handler ("driver") in the kernel and the bytes are sent to the device
> specified by the file. 

Ok.  I can at least tell you that the last time I tested an r/o
/dev was at OpenBSD 3.8 or so, and the filesystem was CD9660 rather
than FFS.  

It failed.  So from that point, until I stopped making live media
images at 5.0, I never tested again. /dev was merely one of a half
dozen r/w filesystems I used with MFS.



Re: Install on compact flash

2015-10-18 Thread Einfach Jemand
On 18.10.2015 at 15:50, Josh Grosse wrote:
> On Sun, Oct 18, 2015 at 01:08:48PM +0200, Paolo Aglialoro wrote:
> 
>> ...Still cannot understand why some of you have advised to put /dev on
>> ramdisk: isn't MAKEDEV just run at install time and then only manually?
>> From what emerged in the discussion it looks like, besides /home, /var is
>> the only place where the system makes its usual writes.
> 
> The "some of you" was me, if I recall the complete discussion thread.  :)
> 
> While it's true MAKEDEV needs to create the device special files, the
> device special files that are stored there need to be writeable.  
> 
> Here's one key example:
> 
> You mount(8) a device special file when you mount a filesystem.  
> All write operations to that mounted filesystem are directed through 
> the device special file.
>

No. As far as I understand it:
The type (char or block), the major and minor number of the device
special file and its name are means to activate the corresponding device
handler ("driver") in the kernel and the bytes are sent to the device
specified by the file. A simple test: If your /dev filesystem resides on
wd0a and you write from the network to a mounted filesystem on a second
disc, e.g. /dev/wd1a on /mnt and you watch this with iostat you will see
almost no activity on wd0.

To quote from "D.M. Ritchie and K. Thompson: ``The UNIX Time-Sharing
System'' Communications of the ACM, Vol. 17, No. 7, July 1974.":

"Special files constitute the most unusual feature of the UNIX
filesystem. Each supported I/O device is associated with at least one
such file. Special files are read and written just like ordinary disk
files, but requests to read or write result in activation of the
associated device. An entry for each special file resides in directory
/dev, although a link may be made to one of these files just as it may
to an ordinary file. Thus, for example, to write on a magnetic tape one
may write on the file /dev/mt. Special files exist for each
communication line, each disk, each tape drive, and for physical main
memory. Of course, the active disks and the memory special files are
protected from indiscriminate access. There is a threefold advantage in
treating I/O devices this way: file and device I/O are as similar as
possible; file and device names have the same syntax and meaning, so
that a program expecting a file name as a parameter can be passed a
device name; finally, special files are subject to the same protection
mechanism as regular files."

So I see no harm in /dev residing on the flash device.

> 
> 
> While you won't run MAKEDEV while the system is up and running,
> take a look at the MAKEDEV(8) man page.  You'll see a lot of device
> special files that will need to be writeable.
> 

Yes, but this is an _attribute_ of the device file that is used by the
kernel and the device handler. Nothing gets written to a device file in
the sense that bytes are written to an ordinary file in a filesystem (e.g.,
/tmp/test).

HTH
rru
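
As an added check (not code from the thread) of the point made above: bytes written through a device special file go to the driver and do not accumulate in the node, whereas the same write grows an ordinary file. It assumes /dev/null exists and is writable, as on any OpenBSD or Linux system; the scratch file it compares against is created and removed by the script.

```python
import os
import stat
import tempfile


def describe_node(path):
    """Report the attributes the kernel uses to route I/O on a special file:
    its type (char/block) and its major/minor device numbers. For an
    ordinary file the major/minor pair carries no meaning."""
    st = os.stat(path)
    if stat.S_ISCHR(st.st_mode):
        kind = "char"
    elif stat.S_ISBLK(st.st_mode):
        kind = "block"
    else:
        kind = "other"
    return {
        "kind": kind,
        "major": os.major(st.st_rdev),
        "minor": os.minor(st.st_rdev),
        "size": st.st_size,
    }


def size_before_after_write(path, payload):
    """Append payload to path and return (st_size before, st_size after).
    For a special file the bytes go to the driver, so the node does not grow."""
    before = os.stat(path).st_size
    with open(path, "ab") as f:
        f.write(payload)
    after = os.stat(path).st_size
    return before, after


def compare_device_and_regular_file(device="/dev/null", payload=b"x" * 4096):
    """Run the same write against a device node and a freshly created
    ordinary file and return both (before, after) size pairs."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp_path = tmp.name  # constructed scratch file, removed below
    try:
        return {
            "device": size_before_after_write(device, payload),
            "regular": size_before_after_write(tmp_path, payload),
        }
    finally:
        os.unlink(tmp_path)


if __name__ == "__main__":
    print(describe_node("/dev/null"))
    print(compare_device_and_regular_file())
```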



Re: It was twenty years ago you see...

2015-10-18 Thread lists
One happy user wishing everyone many more cycles! Heart warming stories
of the 20 years of OpenBSD development.

Theo de Raadt  wrote:
> The project is now at:
> 
> ~322,000 commits
> ~44 commits/day average
> ~356 hackers through the years

Thank you, Theo and friends for proving it's possible to set the right
goals and work up to them, and share to become the example, and standard.

Singing along, best regards!



httpd on 5.8

2015-10-18 Thread urulab
Hi, is it feasible to do URL rewriting via the new patterns feature in the httpd daemon?
I need to rewrite to a PHP front controller. My nginx rule is: location /
{ try_files $uri $uri/ /index.php?$args; }



Re: syslogd: Syscall 28 (SYS_sendmsg) in 18 October (i386) snapshot

2015-10-18 Thread Doug Hogan
On Sun, Oct 18, 2015 at 03:42:07PM -0400, Sonic wrote:
> No clue if my bug is related. Attempting to upgrade -current today and I get:
> Oct 18 14:29:39 stargate /bsd: ksh(4880): syscall 131
> Oct 18 14:29:46 stargate /bsd: ksh(30776): syscall 131
> etc.

I don't think it's related since it's complaining about different
syscalls.  You ran into this situation:

Old kernel: accepts "flock" pledge but doesn't require it
Old ksh: no "flock" pledge
New kernel: accepts "flock" and requires it for the syscall
New ksh: added "flock" pledge

You went from old kernel + old ksh to new kernel + old ksh.  It killed
ksh because old ksh didn't request "flock" pledge before calling it.

The solution for me was to rebuild the userland programs that require
"flock" with the old kernel and then reboot with the new kernel.
However, that was yesterday and I did it shortly after that commit.
It's a fast moving target.  You may be better off upgrading from a
snapshot and then rebuilding -current.



Re: syslogd: Syscall 28 (SYS_sendmsg) in 18 October (i386) snapshot

2015-10-18 Thread Theo de Raadt
> On Sun, Oct 18, 2015 at 03:42:07PM -0400, Sonic wrote:
> > No clue if my bug is related. Attempting to upgrade -current today and I 
> > get:
> > Oct 18 14:29:39 stargate /bsd: ksh(4880): syscall 131
> > Oct 18 14:29:46 stargate /bsd: ksh(30776): syscall 131
> > etc.
> 
> I don't think it's related since it's complaining about different
> syscalls.  You ran into this situation:
> 
> Old kernel: accepts "flock" pledge but doesn't require it
> Old ksh: no "flock" pledge
> New kernel: accepts "flock" and requires it for the syscall
> New ksh: added "flock" pledge
> 
> You went from old kernel + old ksh to new kernel + old ksh.  It killed
> ksh because old ksh didn't request "flock" pledge before calling it.
> 
> The solution for me was to rebuild the userland programs that require
> "flock" with the old kernel and then reboot with the new kernel.
> However, that was yesterday and I did it shortly after that commit.
> It's a fast moving target.

> You may be better off upgrading from a snapshot and then rebuilding -current.

^



Re: syslogd: Syscall 28 (SYS_sendmsg) in 18 October (i386) snapshot

2015-10-18 Thread Sonic
On Sun, Oct 18, 2015 at 3:22 PM, Scott Vanderbilt  wrote:
> Another pledge(2) related issue, this time in syslogd.

No clue if my bug is related. Attempting to upgrade -current today and I get:
Oct 18 14:29:39 stargate /bsd: ksh(4880): syscall 131
Oct 18 14:29:46 stargate /bsd: ksh(30776): syscall 131
etc.

This is after installing the new kernel and rebooting to build
userland (it may just be an out of sync issue).
However after the reboot, I cannot login as root, I can login as a
user, but cannot "su -", although I can "su" (no dash). Also cannot
run tmux, it crashes.
I've reinstalled the old kernel to get back in sync with the userland.

Chris



syslogd: Syscall 28 (SYS_sendmsg) in 18 October (i386) snapshot

2015-10-18 Thread Scott Vanderbilt

Another pledge(2) related issue, this time in syslogd.

Unfortunately, this occurs on an ancient Soekris box where rebuilding
the syslogd executable will be a non-trivial task. Hopefully I am
providing enough details here to give someone more knowledgeable
the information necessary to make a fix:


# dmesg
OpenBSD 5.8-current (GENERIC) #1270: Sun Oct 18 08:03:38 MDT 2015
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
real mem  = 267927552 (255MB)
avail mem = 250290176 (238MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 20/50/29, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0x9000
cpu0 at mainbus0: (uniprocessor)
cpu0: TSC disabled
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Cyrix GXm PCI" rev 0x00
sis0 at pci0 dev 6 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 10, address 00:00:24:c7:a7:d0
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 7 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 10, address 00:00:24:c7:a7:d1
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 8 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 10, address 00:00:24:c7:a7:d2
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
gscpcib0 at pci0 dev 18 function 0 "NS SC1100 ISA" rev 0x00
gpio0 at gscpcib0: 64 pins
"NS SC1100 SMI" rev 0x00 at pci0 dev 18 function 1 not configured
pciide0 at pci0 dev 18 function 2 "NS SCx200 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 1-sector PIO, LBA48, 15247MB, 31227840 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
geodesc0 at pci0 dev 18 function 5 "NS SC1100 X-Bus" rev 0x00: iid 6 revision 3 wdstatus 0
ohci0 at pci0 dev 19 function 0 "Compaq USB OpenHost" rev 0x08: irq 11, version 1.0, legacy support
isa0 at gscpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
gscsio0 at isa0 port 0x15c/2: SC1100 SIO rev 1:
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 "Compaq OHCI root hub" rev 1.00/1.00 addr 1
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (4a7ad08651285594.a) swap on wd0b dump on wd0b
syslogd(27308): syscall 28
syslogd(25829): syscall 28
#
#
# grep 28 /usr/include/sys/syscall.h
#define SYS_sendmsg 28
[...]
#
# ktrace -di /usr/sbin/syslogd
syslogd: receive_fd: recvmsg: expected received 1 got 0
syslogd: receive_fd: no message header
syslogd: /dev/console
#
# kdump
[...]
 27711 syslogd  CALL  stat(0x39c4fbc0,0x39c4ffc0)
 27711 syslogd  NAMI  "/etc/syslog.conf"
 27711 syslogd  STRU  struct stat { dev=0, ino=291, mode=-rw-r--r-- , nlink=1, uid=0<"root">, gid=0<"wheel">, rdev=11582, atime=1445195141<"Oct 18 12:05:41 2015">.153570775, mtime=1438904602<"Aug  6 16:43:22 2015">.829126996, ctime=1438904602<"Aug  6 16:43:22 2015">.829126996, size=1472, blocks=4, blksize=16384, flags=0x0, gen=0x53936b06 }
 27711 syslogd  RET   stat 0
 27711 syslogd  CALL  open(0x39c4fbc0,0x4)
 27711 syslogd  NAMI  "/etc/syslog.conf"
 27711 syslogd  RET   open 3
 27711 syslogd  CALL  kbind(0xcf7e63c8,0xc,0xc335e692,0x5423a109)
 27711 syslogd  RET   kbind 0
 27711 syslogd  CALL  sendmsg(8,0xcf7e6450,0)
 27711 syslogd  STRU  struct msghdr { name=0x0, namelen=0, iov=0xcf7e647c, iovlen=1, control=0xcf7e646c, controllen=16, flags=0 }
 27711 syslogd  STRU  struct iovec { base=0xcf7e6484, len=4 }
 27711 syslogd  STRU  struct cmsghdr { len=16, level=SOL_SOCKET, type=SCM_RIGHTS, data=3 }
 27711 syslogd  GIO   fd 8 wrote 4 bytes
   "\0\0\0\0"
 27711 syslogd  RET   sendmsg 4
 27711 syslogd  CALL  close(3)
 27711 syslogd  RET   close 0
 27711 syslogd  CALL  read(8,0xcf7e66ec,0x4)
  1360 syslogd  CALL  kbind(0xcf7e6888,0xc,0xc335e692,0x5423a109)
  1360 syslogd  RET   kbind 0
  1360 syslogd  CALL  recvmsg(11,0xcf7e6920,0)
  1360 syslogd  GIO   fd 11 read 4 bytes
   "\0\0\0\0"
  1360 syslogd  STRU  struct cmsghdr { len=16, level=SOL_SOCKET, type=SCM_RIGHTS, data=12 }
  1360 syslogd  STRU  struct msghdr { name=0x0, namelen=0, iov=0xcf7e694c, iovlen=1, control=0xcf7e693c, controllen=16, flags=0 }
  1360 syslogd  STRU  struct iovec { base=0xcf7e6958, len=0 }
  1360 sysl
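
To resolve these kernel messages the way Scott does by hand above with grep on /usr/include/sys/syscall.h, and to see at a glance which programs are out of step with the running kernel in the way Doug describes (old userland binary, new kernel that now requires a pledge promise), here is an added Python helper; it is not code from the thread. The syscall.h excerpt and dmesg lines are constructed for the example: the 28/sendmsg and 131/flock pairs come from the thread, the other numbers are assumed.

```python
import re

# Constructed excerpt in the layout of <sys/syscall.h>. 28 and 131 are the
# numbers from the thread; the other numbers here are assumed for the example.
SYSCALL_H = """\
/* syscall: "read" ret: "ssize_t" args: "int" "void *" "size_t" */
#define SYS_read 3
#define SYS_sendmsg 28
#define SYS_kbind 86
#define SYS_pledge 108
#define SYS_flock 131
#define SYS_MAXSYSCALL 300
"""

# Constructed dmesg lines in the format quoted in the thread, plus one
# unrelated line to show it is ignored.
DMESG = """\
Oct 18 14:29:39 stargate /bsd: ksh(4880): syscall 131
Oct 18 14:29:46 stargate /bsd: ksh(30776): syscall 131
syslogd(27308): syscall 28
syslogd(25829): syscall 28
wd0: 1-sector PIO, LBA48, 15247MB, 31227840 sectors
"""

# Anchored at both ends, so a lookup of 28 cannot also hit 128 or 281 the
# way a plain `grep 28 /usr/include/sys/syscall.h` does.
DEFINE_RE = re.compile(r"^#define\s+SYS_(\w+)\s+(\d+)\s*$")
# "<program>(<pid>): syscall <number>", as the kernel logs it when a pledged
# process makes a call its promises do not cover.
VIOLATION_RE = re.compile(r"([\w.-]+)\((\d+)\): syscall (\d+)$")


def parse_syscall_table(text):
    """Map syscall number -> name from syscall.h text, skipping SYS_MAXSYSCALL."""
    table = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m and m.group(1) != "MAXSYSCALL":
            table[int(m.group(2))] = m.group(1)
    return table


def parse_violations(text):
    """Return (program, pid, syscall number) for each pledge kill message."""
    found = []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            found.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return found


def summarize(dmesg, syscall_h):
    """Count kills per (program, syscall number, syscall name). A program that
    shows up here right after a kernel upgrade is usually a userland binary
    built before the kernel started requiring the matching pledge promise,
    as with ksh and flock in this thread."""
    names = parse_syscall_table(syscall_h)
    counts = {}
    for prog, _pid, nr in parse_violations(dmesg):
        key = (prog, nr, names.get(nr, "unknown"))
        counts[key] = counts.get(key, 0) + 1
    return counts


def report(dmesg=DMESG, syscall_h=SYSCALL_H):
    """Human-readable lines, sorted, e.g. 'ksh: syscall 131 (flock) x2'."""
    return [
        f"{prog}: syscall {nr} ({name}) x{n}"
        for (prog, nr, name), n in sorted(summarize(dmesg, syscall_h).items())
    ]


if __name__ == "__main__":
    print("\n".join(report()))
```

On a live system, feed it the real header and `dmesg` output instead of the constructed strings.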

Re: CD's arrived

2015-10-18 Thread Patrick Dohman
CD+Case && Coffee Mug arrived here in Saint Paul, MN

> On Oct 7, 2015, at 9:51 AM, M Wheeler <6f84c...@refn.co.uk> wrote:
> 
> CD's arrived today UK. Thanks again.



Re: Because Theo and various users told them that the projects GnoBSD and Comixwall were worthless and that they weren't contributing to OpenBSD?

2015-10-18 Thread Denis Fondras
> Both, however, ended up shutting down after Theo and various users told them
> that their projects were worthless and that they weren't contributing to
> OpenBSD.
> 

I guess they didn't strongly believe in their added value if they cancelled the
project after someone told them it was not worth it.

BTW, if you are looking for a fw GUI, you can ask Esdenera
(https://www.esdenera.com).



Re: Because Theo and various users told them that the projects GnoBSD and Comixwall were worthless and that they weren't contributing to OpenBSD?

2015-10-18 Thread Delan Azabani
You only need a great deal of memory if you wish to use deduplication,
which is an optional ZFS feature that some people consider worth the
cost. While the complexity and licensing of ZFS make it inappropriate
for inclusion in OpenBSD, at least in the near future, let's not throw
around insults as if OpenBSD is the only useful OS out there.



Re: Because Theo and various users told them that the projects GnoBSD and Comixwall were worthless and that they weren't contributing to OpenBSD?

2015-10-18 Thread patric conant
On Sun, Oct 18, 2015 at 10:41 AM, Kevin Gerrard  wrote:

> > I'm going to chime in here a second, even though it probably is not my
> > place.
> >
> > I am not a network guru, or computer wizard. I have made a living for
> > the last 5 years by networking. We use nothing but OpenBSD routers for
> this.
> > With the help of the community I have been able to learn and market a
> > superb firewall/router for clients. Some versions are many years old
> > and still out there running for that client. Try doing that with
> > Cisco (lol) we will not go into the differences there
> > Kudos to this community for the help they provide...You show up in a
> > forum or community and complain, whine and bitch about things that
> > have to do with the community or project. Why do you waste your time
> > here and the leaders of this forum. NOBODY is making you use OpenBSD
> > and NOBODY wants to hear the bashing of their community within the
> > city limits.
> > This might sound harsh but people that go into a community or group
> > and start whining should be shot. This is the problem with America
> > today. One person is moving into a city and trying to make that city
> > conform to that one person's ways and beliefs Seems to me the city
> > should be able to shoot that person.
> > What you are doing is just like if I was to go into Cisco Forums or
> > Communities and start bashing and beating on the company and leaders
> > in the forum. Winks. Do you think they would really care
> > Humor in this is what I see, not a valid user with a valid complaint
> > about anything that is worth listening to 
> >
> > My two cents worth, I will not respond again to this thread.
> >
> > Written by a cowboy wannabe that couldn’t make money doing it, now a
> > half assed networking tech making money
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> Peter N. M. Hansteen
> Sent: Sunday, October 18, 2015 6:51 AM
> To: misc@openbsd.org
> Subject: Re: Because Theo and various users told them that the projects
> GnoBSD and Comixwall were worthless and that they weren't contributing to
> OpenBSD?
>
> On 10/17/15 15:59, français wrote:
> > I always find it amusing how OpenBSD is "audited", yet there's not one
> > audit report on the OpenBSD website. The closest answer I've been able
> > to find on the mailing list is to review all of the CVS commit logs.
> > Yeah, that's not opaque in the slightest...
>
> I was going to let this just pass because my day is a bit overfull already,
> but I guess I'm a glutton for punishment. Note that I don't have any formal
> attachment to the OpenBSD project, so what follows is my opinion only,
> formed by some years of interacting with the OpenBSD project as well as
> other parts of the open source world.
>
> Your choice of words is a bit curious - 'opaque' is certainly not what I
> would have called providing full access to the source code with close to
> real-time access to commits as they happen, in almost all cases with
> informative comments for each step. A potentially valid criticism at some
> level would have been to say that this provides too much detail and making
> sense of the overall picture is too hard for a newcomer.
>
> But keep in mind that OpenBSD is developed and maintained primarily for and
> by its developers, who are most certainly capable of making sense of source
> code and commit logs. We all get to use the system and enjoy the benefits,
> but if you're looking for a high-level executive summary style document,
> that's simply not something that's useful to the project itself. (Then
> again, I wouldn't be terribly surprised to find that such documents have
> been produced for their own internal use by organizations that were
> considering implementing OpenBSD in their systems.) You will find quite a
> few summaries of work done and planned at various stages in the papers and
> presentations collection http://www.openbsd.org/papers/, some of them may
> even be high level enough to give the less tech minded some idea of the
> overall work.
>
> And of course, by now we're looking back at a full 20 years of work, so
> even
> a very high level executive summary would either need to be quite a few
> pages or be essentially useless handwaving.
>
> That said, if reading commit logs and source code (even via the friendly
> cvsweb interface http://cvsweb.openbsd.org/cgi-bin/cvsweb/) is too much
> work, start with the papers and presentations at
> http://www.openbsd.org/papers/.
>
> > The bigger problem with OpenBSD is its community. In the FreeBSD
> > world, you have PC-BSD and pfsense, both of which are generally
> > welcomed by the community. With OpenBSD, there were two sister
> > projects that tried to target a similar audience: GnoBSD and
> > Comixwall. Comixwall was the equivalent of pfsense for easy
> > router/firewall management and GnoBSD was an attempt to make an
> > easy-to-use desktop. Both, h

Re: It was twenty years ago you see...

2015-10-18 Thread bofh
On Sun, Oct 18, 2015 at 2:36 AM, Theo de Raadt  wrote:

> OpenBSD's source tree just turned 20 years old.
>

I discovered OpenBSD a couple of years later, and have been a fan since
then.  Thank you and the other developers very very much for the quality of
work, and the passion you put in to make the world a better place.



Re: It was twenty years ago you see...

2015-10-18 Thread ilyes aiouaz

Happy Birthday. And thanks to Theo and all the developers for OpenBSD !
A great OS. Congratulations.


On 10/18/15 07:36, Theo de Raadt wrote:

OpenBSD's source tree just turned 20 years old.

I recall the import taking about 3 hours on an EISA-bus 486 with two
ESDI drives.  There was an import attempt a few days earlier, but it
failed due to insufficient space.  It took some time to repartition
the machine.

It wasn't terribly long before David Miller, Chuck Cranor and Niklas
Hallqvist were committing... then more people showed up.

The first developments were improvements to 32-bit sparc.

Chuck and I also worked on setting up the first 'anoncvs' to make sure
no one was ever cut out from 'the language of diffs' again.  I guess
that was the precursor for the github concept these days :-).  People
forget, but even FSF was a walled garden at the time -- throwing tar
files with vague logs over the wall every couple months.

I was lucky to have one of the few 64Kbit ISDN links in town,
otherwise this would not have happened.  My desktop was a Sparcstation
10; the third machine I had was a very slow 386.

The project is now at:

~322,000 commits
~44 commits/day average
~356 hackers through the years

--

On this day, it is my pleasure to give you a song written for the
release by Todd Miller.

http://www.openbsd.org/lyrics.html#58a

It was twenty years ago you see
Theo opened a cvs tree
Made commits to many a file
Joined by others in a very short while

Take a moment to view
The source of all this code
The openbsd cvs repo...

We're the openssh repository
We hope you will enjoy the code
The openntpd repository
But that's not all that's here oh no...
The mandoc 'pository, smtpd 'tory
The libressl repo too

It's wonderful to see the code
Re-used far and wide
The license is so liberal
We'd love for you to code with us
We'd love for you to code...

I don't really want to have to go
But it's hackathon time and so
The coder will commit the code
That he wants all of you to load

So let me introduce to you the one and only Puffy Fish
And the openbsd cvs repo...

B... S... D...

--

(The 5.8 release will be announced and released in a few hours.)




Re: Because Theo and various users told them that the projects GnoBSD and Comixwall were worthless and that they weren't contributing to OpenBSD?

2015-10-18 Thread Kevin Gerrard
> I'm going to chime in here a second, even though it probably is not my
> place.
>
> I am not a network guru, or computer wizard. I have made a living for
> the last 5 years by networking. We use nothing but OpenBSD routers for
this.
> With the help of the community I have been able to learn and market a
> superb firewall/router for clients. Some versions are many years old
> and still out there running for that client. Try doing that with
> Cisco (lol) we will not go into the differences there
> Kudos to this community for the help they provide...You show up in a
> forum or community and complain, whine and bitch about things that
> have to do with the community or project. Why do you waste your time
> here and the leaders of this forum. NOBODY is making you use OpenBSD
> and NOBODY wants to hear the bashing of their community within the
> city limits.
> This might sound harsh but people that go into a community or group
> and start whining should be shot. This is the problem with America
> today. One person is moving into a city and trying to make that city
> conform to that one person's ways and beliefs Seems to me the city
> should be able to shoot that person.
> What you are doing is just like if I was to go into Cisco Forums or
> Communities and start bashing and beating on the company and leaders
> in the forum. Winks. Do you think they would really care
> Humor in this is what I see, not a valid user with a valid complaint
> about anything that is worth listening to 
>
> My two cents worth, I will not respond again to this thread.
>
> Written by a cowboy wannabe that couldn’t make money doing it, now a
> half assed networking tech making money

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Peter N. M. Hansteen
Sent: Sunday, October 18, 2015 6:51 AM
To: misc@openbsd.org
Subject: Re: Because Theo and various users told them that the projects
GnoBSD and Comixwall were worthless and that they weren't contributing to
OpenBSD?

On 10/17/15 15:59, français wrote:
> I always find it amusing how OpenBSD is "audited", yet there's not one
> audit report on the OpenBSD website. The closest answer I've been able
> to find on the mailing list is to review all of the CVS commit logs.
> Yeah, that's not opaque in the slightest...

I was going to let this just pass because my day is a bit overfull already,
but I guess I'm a glutton for punishment. Note that I don't have any formal
attachment to the OpenBSD project, so what follows is my opinion only,
formed by some years of interacting with the OpenBSD project as well as
other parts of the open source world.

Your choice of words is a bit curious - 'opaque' is certainly not what I
would have called providing full access to the source code with close to
real-time access to commits as they happen, in almost all cases with
informative comments for each step. A potentially valid criticism at some
level would have been to say that this provides too much detail and making
sense of the overall picture is too hard for a newcomer.

But keep in mind that OpenBSD is developed and maintained primarily for and
by its developers, who are most certainly capable of making sense of source
code and commit logs. We all get to use the system and enjoy the benefits,
but if you're looking for a high-level executive summary style document,
that's simply not something that's useful to the project itself. (Then
again, I wouldn't be terribly surprised to find that such documents have
been produced for their own internal use by organizations that were
considering implementing OpenBSD in their systems.) You will find quite a
few summaries of work done and planned at various stages in the papers and
presentations collection http://www.openbsd.org/papers/, some of them may
even be high level enough to give the less tech minded some idea of the
overall work.

And of course, by now we're looking back at a full 20 years of work, so even
a very high level executive summary would either need to be quite a few
pages or be essentially useless handwaving.

That said, if reading commit logs and source code (even via the friendly
cvsweb interface http://cvsweb.openbsd.org/cgi-bin/cvsweb/) is too much
work, start with the papers and presentations at
http://www.openbsd.org/papers/.

> The bigger problem with OpenBSD is its community. In the FreeBSD
> world, you have PC-BSD and pfsense, both of which are generally
> welcomed by the community. With OpenBSD, there were two sister
> projects that tried to target a similar audience: GnoBSD and
> Comixwall. Comixwall was the equivalent of pfsense for easy
> router/firewall management and GnoBSD was an attempt to make an
> easy-to-use desktop. Both, however, ended up shutting down after Theo
> and various users told them that their projects were worthless and that
they weren't contributing to OpenBSD.
>
> Because Theo and various users told them that their projects were
> worthl

Re: It was twenty years ago you see...

2015-10-18 Thread Jay Patel
Happy Birthday. And congratulations. :)

On Sun, Oct 18, 2015 at 12:06 PM, Theo de Raadt  wrote:

> OpenBSD's source tree just turned 20 years old.
>
> I recall the import taking about 3 hours on an EISA-bus 486 with two
> ESDI drives.  There was an import attempt a few days earlier, but it
> failed due to insufficient space.  It took some time to repartition
> the machine.
>
> It wasn't terribly long before David Miller, Chuck Cranor and Niklas
> Hallqvist were committing... then more people showed up.
>
> The first developments were improvements to 32-bit sparc.
>
> Chuck and I also worked on setting up the first 'anoncvs' to make sure
> no one was ever cut out from 'the language of diffs' again.  I guess
> that was the precursor for the github concept these days :-).  People
> forget, but even FSF was a walled garden at the time -- throwing tar
> files with vague logs over the wall every couple months.
>
> I was lucky to have one of the few 64Kbit ISDN links in town,
> otherwise this would not have happened.  My desktop was a Sparcstation
> 10; the third machine I had was a very slow 386.
>
> The project is now at:
>
> ~322,000 commits
> ~44 commits/day average
> ~356 hackers through the years
>
> --
>
> On this day, it is my pleasure to give you a song written for the
> release by Todd Miller.
>
> http://www.openbsd.org/lyrics.html#58a
>
> It was twenty years ago you see
> Theo opened a cvs tree
> Made commits to many a file
> Joined by others in a very short while
>
> Take a moment to view
> The source of all this code
> The openbsd cvs repo...
>
> We're the openssh repository
> We hope you will enjoy the code
> The openntpd repository
> But that's not all that's here oh no...
> The mandoc 'pository, smtpd 'tory
> The libressl repo too
>
> It's wonderful to see the code
> Re-used far and wide
> The license is so liberal
> We'd love for you to code with us
> We'd love for you to code...
>
> I don't really want to have to go
> But it's hackathon time and so
> The coder will commit the code
> That he wants all of you to load
>
> So let me introduce to you the one and only Puffy Fish
> And the openbsd cvs repo...
>
> B... S... D...
>
> --
>
> (The 5.8 release will be announced and released in a few hours.)



OpenBSD 5.8 released

2015-10-18 Thread Theo de Raadt
OpenBSD 5.8 arrives on the 20th birthday of the OpenBSD project.


October 18, 2015.

We are pleased to announce the official release of OpenBSD 5.8.
This is our 38th release on CD-ROM (and 39th via FTP/HTTP).  We remain
proud of OpenBSD's record of twenty years with only two remote holes in
the default install.

As in our previous releases, 5.8 provides significant improvements,
including new features, in nearly all areas of the system:

 - Improved hardware support, including:
o New rtwn(4) driver for Realtek RTL8188CE wifi cards.
o New hpb(4) driver for HyperTransport bridges as found in the IBM
  CPC945.
o The ugold(4) driver now supports TEMPerHUMV1.x temperature and
  humidity sensors.
o Improved sensor support for the upd(4) driver for USB Power
  Devices (UPS).
o Support for jumbo frames on re(4) devices using RTL8168C/D/E/F/G
  and RTL8411, including PC Engines APU.
o re(4) now works with newer devices e.g. RTL8111GU.
o Partial support has been added for full-speed isochronous devices
  in ehci(4), allowing USB 1.1 audio devices to be used on
  EHCI-only systems in some cases.
o Improved macppc stability and G5 performance with MP kernels.
o acpicpu(4) uses ACPI C-state information to reduce power
  consumption of idle CPUs.
o Kernel supports x86 AVX instructions on CPUs that have them.
o Avoid assigning low address to PCI BARs, fixing various issues on
  machines whose BIOSes neglect to claim low memory.
o wscons(4) works with even more odd trackpads.
o Added pvbus(4) paravirtual device tree root on virtual machines
  that are running on hypervisors.
o New octdwctwo(4) driver for USB support on OpenBSD/octeon.
o New amdcf(4) driver for embedded flash on OpenBSD/octeon.
o Support for RTL8188EU devices was added to the urtwn(4) driver.

 - Removed hardware support:
o The lmc(4) driver for Lan Media Corporation SSI/T1/DS1/HSSI/DS3
  devices has been removed.
o The san(4) driver for Sangoma Technologies AFT T1/E1 devices has
  been removed.

 - Generic network stack improvements:
o MTU of vlan(4) devices can now be set independently from the
  parent interface's MTU.
o The same network range can now be assigned to multiple
  interfaces, using interface priorities to choose between them.
o New MPLS pseudowire driver mpw(4).
o Much preparatory work for MP unlocking of the network stack.

 - Installer improvements:
o The logic of the 'Allow root ssh login?' question has been
  changed.
   - The default answer is now 'no'.
   - 'prohibit-password' has been added to the list of possible
 answers.
o autoinstall(8) has been extended to allow
   - hostname-mode.conf response file names.
   - response files to be placed in a subdir of the webserver's
 document root.
   - passing a template file to disklabel(8) to automatically
 partition the disk.
o ntpd(8) is now enabled by default at install time.
o DUID support has improved enough that new installs now use them
  unconditionally.
o Installing sets from CD-ROM has been fixed if more than one
  CD-ROM drive is present.
o The 'Which CD-ROM contains the install media?' question has been
  removed. Available cdrom devices are now shown directly in the
  'Location of sets?' prompt.

 - Routing daemons and other userland network improvements:
o Many improvements and simplifications in ldpd(8), including
  configuration reload and support for mpw(4) pseudowire interfaces.
o bgpd(8) now allows rules to match on the peer AS number.
o For terminated BGP sessions, bgpctl(8) now displays the number of
  prefixes received on the last session.
o ospfd(8) now correctly handles carp(4) interfaces in "backup" mode
  at startup.
o Log messages in bgpd(8) and ospfd(8) have been made more specific.
o The default Diffie-Hellman group for VPNs configured by
  ipsec.conf(5) has been changed to modp3072.
o New radiusd(8), Remote Authentication Dial In User Service
  (RADIUS) daemon.

 - Security improvements:
o sudo in base has been replaced with doas(1), sudo is available as
  a package.
o file(1) has been replaced with a new modern implementation,
  including sandbox and privilege separation.
o pax(1) (and tar(1) and cpio(1)) now prevent archive extraction
  from escaping the current directory via symlinks; tar(1) without
  -P option now strips up through any ".." path components.
o Static PIE support for sparc.
o Alpha switched to secure PLT.
o Improved kernel checks of ELF headers.
o Support for the NX (No-eXecute) bit on i386, resulting in much
  better W^X enforcement in userland for hardware that has this
  feature.
o Enforcement of W^X in the kernel address space on i386 when using
  processors with the NX bit.
o Work started on a new pro

Re: It was twenty years ago you see...

2015-10-18 Thread Siju George
It has been 15 years or so
I had no degree, so no job
One kind soul called me to be
An apprentice without salary

Windows 2000 & Zonealarm
Was the firewall where I was
Once in 3 months required a reinstall
Because it became the cracker's ball

An apprentice not knowing too much
About networking far less securing
Began to google for a Linux firewall
But came across PF firewall

Went around asking for help
To install OpenBSD in firm
All I got from the Linux Gurus
Was discouragement, said it 's tough

Started reading the Install doc
Took a month to understand 'slice'
Partitions inside partition
Slowly things began to click

I learned things on 3.4
Had a firewall by 3.5 :-) ( http://undeadly.org/cgi?action=article&sid=20041013190823 )
Then there was no newbies list
misc@ that time was a little tough ;-)

The book would cost my 2 salaries
So there was no hope but misc@
Seeing my misery to comprehend
Two books J C Roberts sent

Soon I had a secure desktop in hand( https://goo.gl/142mRd )
And I loved it with all of my heart
Made my firm purchase CDs
Soon our backups were too in it. ( http://goo.gl/ig2cRc, http://goo.gl/jExnCY )

Now there is no looking back
Even EU said that they too back ( http://goo.gl/pNohhq )
Twenty years is no small thing
But Theo should not be relaxing ;-)

Thank you very much Theo and all developers. I learned a lot about security
just by reading through the misc mails and googling things I didn't
understand. And got kicked out from many free software mailinglists for
advocating OpenBSD and the BSD licence ;-)

On Sun, Oct 18, 2015 at 12:06 PM, Theo de Raadt  wrote:

> OpenBSD's source tree just turned 20 years old.
>
> I recall the import taking about 3 hours on an EISA-bus 486 with two
> ESDI drives.  There was an import attempt a few days earlier, but it
> failed due to insufficient space.  It took some time to repartition
> the machine.
>
> It wasn't terribly long before David Miller, Chuck Cranor and Niklas
> Hallqvist were committing... then more people showed up.
>
> The first developments were improvements to 32-bit sparc.
>
> Chuck and I also worked on setting up the first 'anoncvs' to make sure
> no one was ever cut out from 'the language of diffs' again.  I guess
> that was the precursor for the github concept these days :-).  People
> forget, but even FSF was a walled garden at the time -- throwing tar
> files with vague logs over the wall every couple months.
>
> I was lucky to have one of the few 64Kbit ISDN links in town,
> otherwise this would not have happened.  My desktop was a Sparcstation
> 10; the third machine I had was a very slow 386.
>
> The project is now at:
>
> ~322,000 commits
> ~44 commits/day average
> ~356 hackers through the years
>
> --
>
> On this day, it is my pleasure to give you a song written for the
> release by Todd Miller.
>
> http://www.openbsd.org/lyrics.html#58a
>
> It was twenty years ago you see
> Theo opened a cvs tree
> Made commits to many a file
> Joined by others in a very short while
>
> Take a moment to view
> The source of all this code
> The openbsd cvs repo...
>
> We're the openssh repository
> We hope you will enjoy the code
> The openntpd repository
> But that's not all that's here oh no...
> The mandoc 'pository, smtpd 'tory
> The libressl repo too
>
> It's wonderful to see the code
> Re-used far and wide
> The license is so liberal
> We'd love for you to code with us
> We'd love for you to code...
>
> I don't really want to have to go
> But it's hackathon time and so
> The coder will commit the code
> That he wants all of you to load
>
> So let me introduce to you the one and only Puffy Fish
> And the openbsd cvs repo...
>
> B... S... D...
>
> --
>
> (The 5.8 release will be announced and released in a few hours.)



Re: Install on compact flash

2015-10-18 Thread Josh Grosse
On Sun, Oct 18, 2015 at 01:08:48PM +0200, Paolo Aglialoro wrote:

> ...Still cannot understand why some of you have advised to put /dev on
> ramdisk: isn't MAKEDEV just run at install time and then only manually?
> From what emerged in the discussion it looks that, besides /home, /var is
> the only place where system makes its usual writes.

The "some of you" was me, if I recall the complete discussion thread.  :)

While it's true MAKEDEV needs to create the device special files, the
device special files that are stored there need to be writeable.  

Here's one key example:

You mount(8) a device special file when you mount a filesystem.  
All write operations to that mounted filesystem are directed through 
the device special file.



While you won't run MAKEDEV while the system is up and running,
take a look at the MAKEDEV(8) man page.  You'll see a lot of device
special files that will need to be writeable.



Re: Because Theo and various users told them that the projects GnoBSD and Comixwall were worthless and that they weren't contributing to OpenBSD?

2015-10-18 Thread Peter N. M. Hansteen

On 10/17/15 15:59, français wrote:

> I always find it amusing how OpenBSD is "audited", yet there's not one audit
> report on the OpenBSD website. The closest answer I've been able to find on
> the mailing list is to review all of the CVS commit logs. Yeah, that's not
> opaque in the slightest...


I was going to let this just pass because my day is a bit overfull 
already, but I guess I'm a glutton for punishment. Note that I don't 
have any formal attachment to the OpenBSD project, so what follows is my 
opinion only, formed by some years of interacting with the OpenBSD 
project as well as other parts of the open source world.


Your choice of words is a bit curious - 'opaque' is certainly not what I 
would have called providing full access to the source code with close to 
real-time access to commits as they happen, in almost all cases with 
informative comments for each step. A potentially valid criticism at 
some level would have been to say that this provides too much detail and 
making sense of the overall picture is too hard for a newcomer.


But keep in mind that OpenBSD is developed and maintained primarily for 
and by its developers, who are most certainly capable of making sense of 
source code and commit logs. We all get to use the system and enjoy the 
benefits, but if you're looking for a high-level executive summary style 
document, that's simply not something that's useful to the project 
itself. (Then again, I wouldn't be terribly surprised to find that such 
documents have been produced for their own internal use by organizations 
that were considering implementing OpenBSD in their systems.) You will 
find quite a few summaries of work done and planned at various stages in 
the papers and presentations collection http://www.openbsd.org/papers/, 
some of them may even be high level enough to give the less tech minded 
some idea of the overall work.


And of course, by now we're looking back at a full 20 years of work, so 
even a very high level executive summary would either need to be quite a 
few pages or be essentially useless handwaving.


That said, if reading commit logs and source code (even via the friendly 
cvsweb interface http://cvsweb.openbsd.org/cgi-bin/cvsweb/) is too much 
work, start with the papers and presentations at 
http://www.openbsd.org/papers/.



> The bigger problem with OpenBSD is its community. In the FreeBSD world, you
> have PC-BSD and pfsense, both of which are generally welcomed by the
> community. With OpenBSD, there were two sister projects that tried to target
> a similar audience: GnoBSD and Comixwall. Comixwall was the equivalent of
> pfsense for easy router/firewall management and GnoBSD was an attempt to
> make an easy-to-use desktop. Both, however, ended up shutting down after
> Theo and various users told them that their projects were worthless and that
> they weren't contributing to OpenBSD.

Because Theo and various users told them that their projects were worthless
and that they weren't contributing to OpenBSD?


If OpenBSD users and developers said that these projects were useless 
and that the people behind them were not contributing back to OpenBSD, 
maybe that was the (possibly unpleasant to some) truth?


It's been a while since both and I can't be bothered right now to look 
things up, but I can say this: I have yet to find a web interface to 
firewalls administration that I personally found useful, and barring 
exotic hardware trouble, I can get a useful desktop with OpenBSD up and 
running within 20 minutes from bare metal, and it's a reasonable 
assumption that most misc@ posters know enough pkg_add and package names 
to do the same.


So essentially the projects were packaging of something that was either 
trivial or not needed (or actively harmful, depending on who you ask), 
and if the people marketing these trivial efforts were seen to be 
unlikely to maintain a healthy relationship to their upstream project, I 
would call them useless too.


If you're doing a derivative of an open source project, keeping a sane 
relationship to your upstream is an essential part of your self 
preservation. If those derivative projects were run by people who didn't 
see that fairly basic fact, that's their loss, not ours.


--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Install on compact flash

2015-10-18 Thread Paolo Aglialoro
Hi folks,

first of all thanks for all your interesting answers! I didn't expect this
topic to be so popular and I am quite satisfied to have received a broader
perspective than I had in mind.

My fault was not specifying exactly what jobs the machine would perform,
that could have narrowed down the possible answers. This machine is a
special project as, in itself is both a mod and a low power box. Its
purpose will be to be a "near-TV-set" server/client, doing stuff like
torrent, sftp, ftp, dlna, web surfing, media playing, gns3, etc. It should
use E17 as X desktop environment.

The original idea was that it had to be at the same time:
- small enough to fit a living room without being noticed
- not power hungry (very likely to be often 24h on)
- kinda stylish

The stylish hull came from a dead SparcClassic which has been completely
overhauled internally to fit a miniITX board and externally (painted in
lucid black, original leds, metal plates with "Sun" and "SparcClassic"
preserved), instead of a floppy drive it now features a CF reader which
gives you the ability of "taking away the OS with you" whenever you want
like the keys of a car.

The box is sleek enough to fit any living room being woman-scream proof and
at the same time capable of potentially hosting two HD, one 5" 1/4 and one
3" 1/2.

After having read all the answers, I have excluded options which are read
only or modify the system so much that render it unsupported in a major
way, making also upgrades like gambling. This machine will be running
-release.

What I had more or less in mind, which buys the ticket, is what Marko and
Kenneth have suggested, so using mfs_mount with -P and rsyncing at shutdown
or even at regular intervals. I see this as the best compromise between a
totally ro system with unsupported upgrades and a bare CF install without
being certain of timings for media wear-off. I would also like to minimise
the CF-upgrade process through time: it is time consuming and, with a
consistent policy to reduce CF writes, likely unnecessary.

The solution will look like the following:

- CF for / with mfs_mount -P for all /var
- 5" 1/4 HD for /home and swap
- 3" 1/2 HD somewhere under /mnt for write intensive jobs, like for
instance torrent
- an extra rpm-regulated case side fan to exhaust extra heat if present

Still cannot understand why some of you have advised to put /dev on
ramdisk: isn't MAKEDEV just run at install time and then only manually?
From what emerged in the discussion it looks that, besides /home, /var is
the only place where system makes its usual writes.

Btw, thanks for the suggestions about reconciling syslog with security
checks!

Looks like I have the instruments to proceed now, pictures of the
SparcClassic mod are available in private for the curious ones.

Thanks!!!



Re: Diffie-Helman issue?

2015-10-18 Thread ropers
Also see: http://www.openbsd.org/58.html

Search that page for 1024 (two occurrences).

On 17 October 2015 at 14:03, Stuart Henderson  wrote:

> On 2015-10-17, <22xtrv+f800c4addk...@guerrillamail.com> <
> 22xtrv+f800c4addk...@guerrillamail.com> wrote:
> > According to
> >
> > https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/
> >
> > "Since a handful of primes are so widely reused, the payoff, in
> > terms of connections they could decrypt, would be enormous. Breaking a
> > single, common 1024-bit prime would allow NSA to passively decrypt
> > connections to two-thirds of VPNs and a quarter of all SSH servers
> > globally. Breaking a second 1024-bit prime would allow passive
> > eavesdropping on connections to nearly 20% of the top million HTTPS
> > websites. In other words, a one-time investment in massive computation
> > would make it possible to eavesdrop on trillions of encrypted
> > connections."
> >
> > How is the prime set up for DH in
> > OpenSSH and is that something a user can change?
>
> See moduli(5), 'MODULI GENERATION' in ssh-keygen(1) and the script/Makefile
> in /usr/src/usr.bin/ssh/moduli-gen. You can build your own.
>
> The distributed file is updated from time to time (recently it's been at
> least once per release, sometimes more often). It's included in baseXX.tgz
> so local changes get overwritten when you update.
>
> These are used for 'diffie-hellman-group-exchange-sha1' and ...-sha256
> (RFC4419), there are also options with fixed moduli
> (diffie-hellman-group1-sha1
> and ...-group14-sha1). In recent code, the -group1 one is now disabled by
> default both client- and server-side. Also the fixed-group ones are
> blacklisted on the server for clients known to support RFC4419. And the
> shorter moduli have been removed from the distributed file.
>
> See also
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-May/thread.html#33892
> - but that's 5 months old, the code has moved on.
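As an added illustration, not OpenSSH's code and not from anyone in this thread, the following script parses moduli(5)-style lines like those Stuart points to and audits them against the concern raised above: it checks that each entry is a Miller-Rabin tested safe prime, that its recorded size is consistent with the modulus, and that it meets a minimum group size. The size-field convention (bit length minus one) and the tiny sample lines are assumptions made here so the checks can be followed by hand.

```python
import random
from collections import namedtuple

Modulus = namedtuple("Modulus", "time type tests trials size generator modulus")
SAFE_PRIME, MR_TEST = 2, 0x04  # moduli(5) type "safe prime"; tests bit "Miller-Rabin passed"
SMALL = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def parse_moduli(text):
    # Seven whitespace-separated fields per line; the modulus is hexadecimal.
    entries = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if len(f) != 7:
            raise ValueError(f"expected 7 fields: {line!r}")
        entries.append(Modulus(f[0], int(f[1]), int(f[2]), int(f[3]),
                               int(f[4]), int(f[5]), int(f[6], 16)))
    return entries

def is_probable_prime(n, rounds=32):
    # Miller-Rabin with fixed small bases plus random bases for large n.
    if n < 2 or any(n % p == 0 for p in SMALL):
        return n in SMALL
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL + [random.randrange(2, n - 1) for _ in range(rounds)]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def audit(m, min_bits=2048):
    # Returns the reasons an entry should not be offered for DH group exchange.
    bits, problems = m.modulus.bit_length(), []
    # Assumption: size is recorded as bit length minus one (2047 for 2048-bit primes).
    if m.size != bits - 1:
        problems.append(f"size field {m.size} does not match {bits}-bit modulus")
    if bits < min_bits:
        problems.append(f"{bits}-bit modulus below policy minimum of {min_bits}")
    if m.type != SAFE_PRIME or not m.tests & MR_TEST or m.trials < 1:
        problems.append("not marked as a Miller-Rabin tested safe prime")
    if not (is_probable_prime(m.modulus) and is_probable_prime((m.modulus - 1) // 2)):
        problems.append("modulus is not a safe prime")
    return problems

# Constructed sample with tiny primes: 0x773 = 1907 = 2*953+1 is a safe prime of
# 11 bits (size field 10); 0x1D = 29 is prime but 14 is not; last line misstates size.
SAMPLE = """\
20151018000000 2 6 100 10 2 773
20151018000000 2 6 100 4 2 1D
20151018000000 2 6 100 11 2 773
"""
```

Run against a real /etc/moduli with the default min_bits, any entry that survives audit() is a group the server could keep; in practice you would regenerate with ssh-keygen rather than edit the shipped file, since updates overwrite it.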



Re: It was twenty years ago you see...

2015-10-18 Thread Fred

On 10/18/15 07:36, Theo de Raadt wrote:

> OpenBSD's source tree just turned 20 years old.
>
> I recall the import taking about 3 hours on an EISA-bus 486 with two
> ESDI drives.  There was an import attempt a few days earlier, but it
> failed due to insufficient space.  It took some time to repartition
> the machine.
>
> It wasn't terribly long before David Miller, Chuck Cranor and Niklas
> Hallqvist were committing... then more people showed up.
>
> The first developments were improvements to 32-bit sparc.
>
> Chuck and I also worked on setting up the first 'anoncvs' to make sure
> no one was ever cut out from 'the language of diffs' again.  I guess
> that was the precursor for the github concept these days :-).  People
> forget, but even FSF was a walled garden at the time -- throwing tar
> files with vague logs over the wall every couple months.
>
> I was lucky to have one of the few 64Kbit ISDN links in town,
> otherwise this would not have happened.  My desktop was a Sparcstation
> 10; the third machine I had was a very slow 386.
>
> The project is now at:
>
> ~322,000 commits
> ~44 commits/day average
> ~356 hackers through the years



Looking forward to the next 20 years!

Thanks to all the developers for such a great OS!

Cheers

Fred