[patch] sioctl_open.3 - sioctl_onval return type
sioctl_onval(3) returns int not void 138 int 139 sioctl_onval(struct sioctl_hdl *hdl, 140 void (*cb)(void *, unsigned int, unsigned int), void *arg) 141 { 142 hdl->ctl_cb = cb; 143 hdl->ctl_arg = arg; 144 return hdl->ops->onctl(hdl); 145 } diff --git a/lib/libsndio/sioctl_open.3 b/lib/libsndio/sioctl_open.3 index b234e291200..7b6869b1d79 100644 --- a/lib/libsndio/sioctl_open.3 +++ b/lib/libsndio/sioctl_open.3 @@ -45,7 +45,7 @@ .Fa "void (*cb)(void *arg, struct sioctl_desc *desc, int val)" .Fa "void *arg" .Fc -.Ft void +.Ft int .Fo sioctl_onval .Fa "struct sioctl_hdl *hdl" .Fa "void (*cb)(void *arg, unsigned int addr, unsigned int val)"
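Review bot: With `.Ft int` in the sioctl_onval synopsis (hunk at line 45), the page advertises a return value, but only the type line is touched, so a reader still cannot tell what the int means. The quoted source shows it is whatever `hdl->ops->onctl(hdl)` returns; please check that the manual's text for sioctl_onval states the success and failure values, and add that sentence in the same commit if it is missing.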
Re: Opensmtpd auth in 6.4
On Sat, Jan 12, 2019 at 05:36:11PM +0100, Flipchan wrote:
> Hey, am trying to upgrade my opensmtpd
> email server running on openbsd 6.3 towards a new one on 6.4,
> i have used a simple config with the new syntax:
> cat /etc/mail/smtpd.conf
>
> table aliases file:/etc/mail/aliases
>
> #table other-relays file:/etc/mail/other-relays
>
> pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
> pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
>
> listen on lo0
> listen on vio0 port 587 hostname example.com tls-require pki mail.example.com
> auth mask-source

mask-source was changed to mask-src

I think because mask-source is no longer a valid keyword it's being
interpreted as a parameter to auth.

--
Carlin
Re: Segmentation fault when opening a particular PDF file in mupdf
On 16/02/2018 4:28 a.m., Xianwen Chen wrote:
> Dear OpenBSD users,
>
> mupdf crashes and reports segmentation fault when I try to open a
> particular PDF file:
>
> https://brage.bibsys.no/xmlui/bitstream/handle/11250/2440173/SoL-Rapport-2014-06.pdf?sequence=1&isAllowed=y
>
> If you use mupdf too, could you try to open the file and see whether
> mupdf crashes on your computer too? In that way, you can help me
> understand whether the problem is reproducible.
>
> Sincerely,
> Xianwen

Are you using 6.2 with mupdf-1.11p1?

There was a crash that's fixed on -current:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/textproc/mupdf/patches/patch-source_fitz_load-jpx_c?rev=1.5&content-type=text/x-cvsweb-markup

--
Carlin
Re: bug tracking system for OpenBSD
On Mon, Jun 19, 2017 at 06:51:24PM +0200, Harald Dunkel wrote:
> Hi folks,
>
> would it be possible to establish a real bug tracking system for
> OpenBSD? Something with bug owner, severity, attachments, assignee,
> and (very important) some reliable response time and a database
> to search for known problems?
>

There was a GSOC project proposed for this in 2014 but it apparently
didn't get any takers.

It had fairly clear requirements:

"A bug tracking system that integrates with sendbug(1) and doesn't suck
dead bunnies through bent straws."

https://web.archive.org/web/20140303013316/http://www.openbsdfoundation.org/gsoc2014.html#bug-tracking

--
Carlin
git clone failing in vmm
I'm having an issue with git clone failing in a vmm vm.

Happens consistently for any large trees, example:

$ git clone https://github.com/openbsd/src.git
Cloning into 'src'...
remote: Counting objects: 1672334, done.
remote: Compressing objects: 100% (867/867), done.
fatal: pack has bad object at offset 2242336: inflate returned -5
fatal: index-pack failed

This doesn't happen outside the vm.

Syslog on the host says this:

Mar 4 12:12:40 vorpal vmd[99431]: vionet queue notify - no space, dropping packet

Other downloads (eg. downloading the sets) work fine, it's just git
that fails.

Anyone know what the problem might be or how to prevent it?

The network on the host looks like this:

vether0: flags=8943 mtu 1500
        lladdr fe:e1:ba:d1:a5:21
        index 8 priority 0 llprio 3
        groups: vether
        media: Ethernet autoselect
        status: active
        inet 10.1.1.1 netmask 0xff00 broadcast 10.1.1.255
bridge0: flags=41
        index 9 llprio 3
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        vether0 flags=3
                port 8 ifpriority 0 ifcost 0
        tap0 flags=3
                port 10 ifpriority 0 ifcost 0
tap0: flags=8942 mtu 1500
        lladdr fe:e1:ba:d2:bb:43
        description: vm2-if0-tmpvm
        index 10 priority 0 llprio 3
        groups: tap
        status: active

--
Carlin
Re: openbsd -current: can't find firefox
On Tue, Nov 29, 2016 at 07:30:42AM -0800, jungle boogie wrote:
> You mean like this:
> $ cat /etc/doas.conf
> permit persist :wheel
> permit persist keepenv jungle as root
>
> $ doas pkg_add base64
> doas (jungle@host) password:
> quirks-2.270 signed on 2016-11-26T13:32:57Z
> base64-1.5: ok
>

Ah, sorry. The problem is that there's no package for standard firefox
there. What's there is firefox-esr and the i18n packages.

--
Carlin
Re: openbsd -current: can't find firefox
On Mon, Nov 28, 2016 at 11:50:25PM -0800, jungle boogie wrote:
> Hi All,
>
> I'm running the latest i386 snapshot:
>
> [...]
>
> I'd like to install firefox:
> $ doas pkg_add firefox
> quirks-2.270 signed on 2016-11-26T13:32:57Z
> Can't find firefox
>
> $ echo $PKG_PATH
> http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/
>
> At the link above, I can clearly see dozens of firefox versions.
>
> Can I not install it because pkg_add knows my system is newer than packages
> listed?

doas doesn't preserve the PKG_PATH variable by default. You need to use
keepenv in doas.conf or set the path in pkg.conf instead.

--
Carlin
Re: OpenBSD 5.9/amd64 (2-Jun-2016), httpd(40862): [syscall 5 "wpath"] error when attempting to start httpd with ssl
On Thu, Jun 09, 2016 at 01:19:50PM -0500, Troy Frericks wrote:
> On the latest OpenBSD (5.9/amd64 at digitalocean.com), I'm able to start
> httpd without
> SSL using a simple httpd.conf file (below), but when I add SSL, I get error
> in the messages log.
>
> I've focused on this error: [/bsd: httpd(40862): syscall 5 "wpath"]
>

You need to remove the password from your TLS private key.

httpd is breaking its pledge when it tries to prompt for the password,
but even if it could prompt it doesn't support it anyway (it would give
a slightly more helpful error though).

--
Carlin

> I've spent hours googling, and found only one mention that this may be a
> kernel bug.
> I've checked the OpenBSD 5.9 patch list, the OpenBSD 5.9 -current changes
> log.
>
> I've struck out, seeking assistance... which is greatly appreciated!
>
> I've also requested assistance here. Had some helpful suggestions, but it's
> still not working.
> https://stackoverflow.com/questions/37681532/httpd-with-ssl-will-not-start-on-openbsd-5-9-amd64
>
> Here is my httpd.conf file for the non-ssl configuration. The ssl
> configuration is accomplished by
> uncommenting out all the current comments, and I did then comment out the
> 'root' for the port 80 section.
>
> # cat /etc/httpd.conf
> interface="egress"
> domain="infmgr.com"
> prefork 3
> types { include "/usr/share/misc/mime.types" }
> #server $domain {
> #listen on $interface tls port 443
> #tls {
> #certificate "/etc/ssl/server.crt"
> #key "/etc/ssl/private/server.key"
> #}
> #hsts
> #root "/htdocs/infmgr.com" # chrooted at /var/www/
> #}
> server $domain {
> listen on $interface port 80
> root "/htdocs/infmgr.com" # chrooted at /var/www/
> #block return 301 "https://$SERVER_NAME$REQUEST_URI";
> }
>
> Troy.
> #
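A pre-flight check for the situation described in this reply, as an added example that is not part of the thread or of httpd itself: it lists the `key` paths in an httpd.conf and reports any PEM private key that is passphrase-protected. The function names and the line-based parsing of `key "..."` directives are assumptions made here; macros and includes are not expanded.

```sh
#!/bin/sh
# Added example (not from the thread): find passphrase-protected TLS keys
# referenced by an httpd.conf before starting httpd.

# conf_key_paths CONF
# Print the path of every uncommented `key "path"` or `tls key "path"` line.
# Assumption: one directive per line; macros and includes are not expanded.
conf_key_paths() {
    sed -n 's/^[[:space:]]*\(tls[[:space:]]\{1,\}\)\{0,1\}key[[:space:]]\{1,\}"\([^"]*\)".*/\2/p' "$1"
}

# key_is_encrypted FILE
# Exit status: 0 = encrypted private key, 1 = unencrypted private key,
# 2 = unreadable file or no PEM private key found.
key_is_encrypted() {
    [ -r "$1" ] || return 2
    # PKCS#8 encrypted keys say so in the BEGIN line.
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        return 0
    fi
    # Traditional PEM keys (RSA, EC) mark encryption with a Proc-Type header.
    if grep -q -e '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
            return 0
        fi
        return 1
    fi
    return 2
}

# check_httpd_keys CONF
# Print one status line per key; return 1 if any key is encrypted or unusable.
check_httpd_keys() {
    bad=0
    paths=$(conf_key_paths "$1")
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if key_is_encrypted "$path"; then
            echo "ENCRYPTED $path"
            bad=1
        else
            case $? in
                1) echo "ok        $path" ;;
                *) echo "UNUSABLE  $path"; bad=1 ;;
            esac
        fi
    done <<EOF
$paths
EOF
    return "$bad"
}

# Check the configuration files named on the command line, if any.
if [ "$#" -gt 0 ]; then
    status=0
    for conf in "$@"; do
        check_httpd_keys "$conf" || status=1
    done
    exit "$status"
fi
```

Run it as `sh script.sh /etc/httpd.conf`; any key reported as ENCRYPTED needs its passphrase removed before httpd can load it.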
Re: ntpd tries to connect via ipv6
On Tue, May 31, 2016 at 01:45:23PM -0400, Ted Unangst wrote:
> Jeremie Courreges-Anglas wrote:
> > ntpd(8) doesn't use getaddrinfo+AI_ADDRCONFIG, which is supposed to skip
> > DNS requests for IPv6 if the machine doesn't have IPv6 addresses
> > configured.
>
> reyk added a comment to that effect, but I don't know why.
>
> /* ntpd MUST NOT use AI_ADDRCONFIG here */
> error = getaddrinfo(s, NULL, &hints, &res0);
>

ipv6 might become available after startup:

https://marc.info/?l=openbsd-tech&m=142370671523470&w=2

--
Carlin
Re: ntpd: How to make TLS connection via IPv4?
On Mon, May 23, 2016 at 03:30:35PM +0200, Stefan Wollny wrote:
> Hi there!
>
> I have 2 i386- and 2 amd64-machines, all running ~current. All report in
> /var/log/messages lines like the following:
>
> May 23 15:01:57 idefix ntpd[19978]: tls connect failed:
> 2a00:1450:4005:803::2004 (www.google.com): connect: No route to host
>
> Obviously this is from
> constraints from "https://www.google.com";
> in /etc/ntpd.conf.
>
> On every machine I have the following line in pf.conf:
> block quick inet6 all
>
> I think it is a valid guess that this prevents ntpd to make the
> connection. My question is: Is it possible to persuade ntpd to make that
> connection via IPv4? 'man ntpd.conf' does not mention this. Any other
> hint on how to achieve this other than remove the "block"-line in pf.conf?
>

In /etc/resolv.conf, add:

family inet4

--
Carlin
[patch] tls_init(3) return types
It looks like the return types for tls_error() and tls_config_new() were mixed up. -- Carlin Index: lib/libtls/tls_init.3 === RCS file: /cvs/src/lib/libtls/tls_init.3,v retrieving revision 1.59 diff -u -p -u -r1.59 tls_init.3 --- lib/libtls/tls_init.3 28 Apr 2016 18:27:51 - 1.59 +++ lib/libtls/tls_init.3 8 May 2016 20:37:02 - @@ -79,9 +79,9 @@ .Fn tls_init "void" .Ft "const char *" .Fn tls_config_error "struct tls *config" -.Ft "struct tls_config *" -.Fn tls_error "struct tls *ctx" .Ft "const char *" +.Fn tls_error "struct tls *ctx" +.Ft "struct tls_config *" .Fn tls_config_new "void" .Ft "void" .Fn tls_config_free "struct tls_config *config"
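Review bot: The context line `.Fn tls_config_error "struct tls *config"` directly above the swapped pair (hunk at line 79) looks like part of the same mix-up: the parameter is named config, and the neighbouring `.Fn tls_config_free "struct tls_config *config"` takes a `struct tls_config *`. Please confirm the prototype against the header and, if it does take `struct tls_config *`, fix it in this diff as well. The `.Ft` swap itself reads correctly, with `const char *` for tls_error and `struct tls_config *` for tls_config_new.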
pledge(2) proc and id syscall changes
`proc' lists a few syscalls that it doesn't provide now and misses a few that it does, and `id' is missing a couple. Index: lib/libc/sys/pledge.2 === RCS file: /cvs/src/lib/libc/sys/pledge.2,v retrieving revision 1.23 diff -u -p -u -r1.23 pledge.2 --- lib/libc/sys/pledge.2 9 Jan 2016 06:13:43 - 1.23 +++ lib/libc/sys/pledge.2 18 Jan 2016 21:33:13 - @@ -426,9 +426,11 @@ Allows the following process relationshi .Xr fork 2 , .Xr vfork 2 , .Xr kill 2 , -.Xr setgroups 2 , -.Xr setresgid 2 , -.Xr setresuid 2 . +.Xr getpriority 2 , +.Xr setpriority 2 , +.Xr setrlimit 2 , +.Xr setpgid 2 , +.Xr setsid 2 . .It Va "exec" Allows a process to call .Xr execve 2 . @@ -472,9 +474,11 @@ process: .Pp .Xr setuid 2 , .Xr seteuid 2 , +.Xr setreuid 2 , .Xr setresuid 2 , .Xr setgid 2 , .Xr setegid 2 , +.Xr setregid 2 , .Xr setresgid 2 , .Xr setgroups 2 , .Xr setlogin 2 , -- Carlin
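Review bot: For the `proc` list (hunk at line 426), the message says the old entries are no longer provided and the new ones are, but gives nothing to check that against; please name the kernel source the list was compared with so the five additions (`getpriority`, `setpriority`, `setrlimit`, `setpgid`, `setsid`) can be verified. The three removals lose nothing for readers, since `setgroups`, `setresgid` and `setresuid` all still appear in the `id` list shown in the second hunk.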
Re: CD's arrived
On Thu, 8 Oct 2015, at 03:51 AM, M Wheeler wrote:
> CD's arrived today UK. Thanks again.
>

CDs arrived in New Zealand today, and the poster arrived a few days ago.

--
Carlin
Re: HSTS configuration in httpd.conf
On Fri, 2 Oct 2015, at 04:27 AM, Pablo Méndez Hernández wrote:
> Thanks!
>
> As suggested by you, if I add this:
>
> server "www.mydomain.org" {
> listen on $ext_addr port 80
>
> block return 301 "https://$SERVER_NAME";
> }
>
> it works, but in that case I don't see the point of configuring HSTS if we
> are forcing the redirect... :/
>

That redirect will only be used the first time a browser (that supports
HSTS) accesses the domain. Once they've been redirected to your https
host the HSTS flag will be set in their browser and from then on the
browser will immediately use https for your domain without going through
the redirect.

--
Carlin

>
> Kind regards.
>
>
>
> --
> Pablo Méndez Hernández
Re: HSTS configuration in httpd.conf
On Fri, 2 Oct 2015, at 03:37 AM, Pablo Méndez Hernández wrote:
> Hi misc@,
>
> I'm trying to configure HSTS for my personal domain to no avail.
>
> According to my understanding of httpd.conf, you'd only need to include the
> 'hsts' keyword in the tls part of the configuration with no need to
> redirect to https in the http case, but my configuration doesn't seem to
> work.

No, you still need to create a virtual host that listens on port 80 and
does a redirect to https.

--
Carlin

>
> My configuration is as follows:
>
> $ cat /etc/httpd.conf
> #
> # Macros
> #
> ext_addr="egress"
>
> #
> # Servers
> #
>
> # A name-based "virtual" server
> server "www.mydomain.org" {
> listen on $ext_addr tls port 443
>
> hsts {
> subdomains
> }
>
> tls {
> ciphers "secure"
> }
>
> root "/htdocs/www.mydomain.org"
> }
>
> With this configuration, whenever I try to connect using http://, Chrome
> fails with ERR_CONNECTION_REFUSED
>
>
> Thanks in advance.
>
> --
>
> Pablo Méndez Hernández
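The two replies in this thread (the port 80 redirect, and the HSTS header served by the TLS host) can be verified together from saved response headers. This is an added example, not part of the thread: the function names are chosen here, and the header dumps used to exercise it are constructed; capture real ones with any HTTP client that can print response headers.

```sh
#!/bin/sh
# Added example (not from the thread): verify the redirect + HSTS pair from
# saved response headers, one dump for http:// and one for https://.

# header_value FILE NAME
# Print the value of the first header NAME (case-insensitive match).
header_value() {
    tr -d '\r' < "$1" | awk -v want="$2" '
        BEGIN { want = tolower(want) }
        {
            i = index($0, ":")
            if (i > 1 && tolower(substr($0, 1, i - 1)) == want) {
                v = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }'
}

# redirects_to_https FILE
# Succeeds if the response is a 301 whose Location is an https:// URL.
redirects_to_https() {
    code=$(tr -d '\r' < "$1" | awk 'NR == 1 { print $2 }')
    [ "$code" = "301" ] || return 1
    case $(header_value "$1" Location) in
        https://*) return 0 ;;
    esac
    return 1
}

# hsts_max_age FILE
# Print the max-age (seconds) from Strict-Transport-Security; fail if absent.
hsts_max_age() {
    sts=$(header_value "$1" Strict-Transport-Security)
    [ -n "$sts" ] || return 1
    age=$(printf '%s\n' "$sts" | tr ';' '\n' |
        sed -n 's/^[[:space:]]*[Mm][Aa][Xx]-[Aa][Gg][Ee][[:space:]]*=[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*$/\1/p' |
        head -n 1)
    [ -n "$age" ] || return 1
    echo "$age"
}

# hsts_covers_subdomains FILE
# Succeeds if the header carries the includeSubDomains directive.
hsts_covers_subdomains() {
    header_value "$1" Strict-Transport-Security |
        tr ';' '\n' | grep -qi '^[[:space:]]*includeSubDomains[[:space:]]*$'
}

# check_hsts_setup HTTP_HEADERS HTTPS_HEADERS
# The plain-HTTP response must redirect and the HTTPS response must carry
# the header: browsers ignore Strict-Transport-Security received over HTTP.
check_hsts_setup() {
    redirects_to_https "$1" || { echo "port 80 does not redirect to https"; return 1; }
    age=$(hsts_max_age "$2") || { echo "no usable HSTS header over https"; return 1; }
    [ "$age" -gt 0 ] || { echo "max-age=0 clears the HSTS entry"; return 1; }
    echo "ok: redirect in place, HSTS max-age=$age"
}
```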
Re: httpd, SlowCGI, POST_MAX and 413 Payload Too Large
On Tue, 25 Aug 2015, at 12:48 AM, Torsten wrote:
> Hi!
>
> OpenBSD 5.7, httpd, slowcgi
>
> upload.pl CGI:
>
> # [...]
> $CGI::POST_MAX = 1024 * 1024 * 20; #20MB
> # [...]
>
> But when I try to upload a file I get "413 Payload Too Large" if the
> file is larger than 1MB.
>
> Help will be appreciated!
>
> T.
>

Check the httpd.conf(5) man page for "max request body", which defaults
to 1M.

--
Carlin
Re: What bad things could happen if we don't use sudoedit?
On Tue, 28 Apr 2015, at 04:46 AM, whynot sudo wrote:
> Hello list,
>
> We know it's safer* to use sudoedit, but what bad things can happen if we
> have the following in sudoers?
>
> Cmnd_Alias FOO = /bin/ed, /usr/bin/ed, /usr/bin/vi
> foouser LOCALHOST = NOPASSWD: NOEXEC: FOO
>
> Can the "foouser" escape to root prompt? - of course besides that he
> could now edit the /etc/shadow file to put a custom pwd hash to the root
> user to become root in about 3 seconds..
>
> Maybe some magic in .vimrc?
>
> *=sudo vi would run as root. but sudoedit would run as the given user,
> the edited file will be copied before/after editing it.
>
> Thanks.
>

$ sudo vi /bin/ksh
:w! /bin/ed
:q
$ sudo ed
#

--
Carlin
Re: httpd cgi (5.6-stable)
On Fri, 27 Mar 2015, at 05:41 AM, Alexei Malinin wrote:
> On 03/26/15 18:33, Carlin Bingham wrote:
> > On Fri, 27 Mar 2015, at 01:50 AM, Alexei Malinin wrote:
> >> Hello.
> >>
> >> I'm trying to get working cgi programs with OpenBSD-5.6 stable httpd on
> >> default /var/www but without success:
> >>
> >> [...]
> >>
> >>
> >> Please tell me what I'm doing wrong?
> >>
> >> [...]
> >>
> >> ./cgi-bin:
> >> total 1
> >> drwxr-xr-x 2 root daemon 512 Aug 8 2014 .
> >> drwxr-xr-x 9 root daemon 512 Mar 23 14:08 ..
> >> -- 1 root bin 144592 Aug 8 2014 bgplg
> >
> >
> > Check the man page for bgplg(8); you need to set the permissions to make
> > it executable.
>
> I set the permissions to 0555 - result was the same as before.
>
>

Have you started slowcgi(8)?

--
Carlin
Re: httpd cgi (5.6-stable)
On Fri, 27 Mar 2015, at 01:50 AM, Alexei Malinin wrote:
> Hello.
>
> I'm trying to get working cgi programs with OpenBSD-5.6 stable httpd on
> default /var/www but without success:
>
> [...]
>
>
> Please tell me what I'm doing wrong?
>
> [...]
>
> ./cgi-bin:
> total 1
> drwxr-xr-x 2 root daemon 512 Aug 8 2014 .
> drwxr-xr-x 9 root daemon 512 Mar 23 14:08 ..
> -- 1 root bin 144592 Aug 8 2014 bgplg

Check the man page for bgplg(8); you need to set the permissions to make
it executable.

--
Carlin

>
> [...]
>
>
> --
> Alexei Malinin
Re: Does LibreSSL support RSA export-grade keys? - FREAK Attack
On Thu, 5 Mar 2015, at 07:37 AM, someone wrote:
> "interoperable" - you mean there are still softwares that really count
> and
> still cannot use/support HIGH ciphers? wow. What a world we live in.. :\
>
> On Wed, Mar 4, 2015 at 7:27 PM, Miod Vallat wrote:
>
> > > "Sometimes you have to break things to make it better"
> >
> > Yes, and getting people to stop using LibreSSL because it suddenly is
> > not interoperable with anything would surely help a lot.
> >
> > Instead, we are trying to get developers to try and use LibreSSL
> > provided libtls, which defaults to sane, strong crypto choices.
> >
> > Miod
>

Disable RC4 and non-PFS ciphers in Firefox (there are extensions, eg.
SSleuth, that can help with doing this) and see how many sites stop
working. Better yet, see how many banks' sites stop working.

--
Carlin
Re: typo in strip(1) man page
On Tue, 3 Mar 2015, at 05:11 AM, Naim, Halim. wrote:
> Hi, there is a typo in the manpage for strip. In section
> --only-keep-debug, In the first point, It says:
>
> 1.
> That should be: that it is called
>

grep -sr ' is is ' /usr/src/gnu

A common typo in the GNU-verse.

--
Carlin
Re: index.php not loading on obsd 5.6
On Mon, 2 Feb 2015, at 10:41 AM, Joel Carnat wrote:
> Hi,
>
> I just installed 5.6 amd64 on a virtual machine.
> I installed php-fpm-5.5.14 and launched the daemon.
> I configured httpd as such :
> # egrep -v '^$|^#' /etc/httpd.conf
> ext_addr="egress"
> server "default" {
> listen on $ext_addr port 80
> directory { no index, index "index.html", index "index.php" }
>
> location "*.php" {
> fastcgi socket "/run/php-fpm.sock"
> }
> }
> Then I started httpd.
>
> When I browse to http://host/index.php, the file is interpreted and
> displayed.
> When I browse to http://host/, the file is downloaded.
>
> What am I missing to display php files automatically ?
>
> TIA,
> Jo
>

This problem is fixed in the httpd errata jumbo patch.

http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/009_httpd.patch.sig

--
Carlin
Re: [Tor-BSD] Recognizing Randomness Exhaustion
On Thu, 1 Jan 2015, at 11:49 AM, Libertas wrote:
> I also completely forgot to mention the below warning, which Tor
> 0.2.5.10 (the current release) gives when run on OpenBSD 5.6-stable
> amd64:
>
> > We were built to run on a 64-bit CPU, with OpenSSL 1.0.1 or later,
> > but with a version of OpenSSL that apparently lacks accelerated
> > support for the NIST P-224 and P-256 groups. Building openssl with
> > such support (using the enable-ec_nistp_64_gcc_128 option when
> > configuring it) would make ECDH much faster.
>
> Were the mentioned SSL features removed from LibreSSL, or have they not
> yet been introduced? Could this be the culprit?
>

It appears the code is still there, just isn't enabled by default. Some
searching suggests that OpenSSL doesn't enable it by default either as
the config script can't automatically work out if the platform supports
it.

As a test I edited /usr/include/openssl/opensslfeatures.h to remove the
OPENSSL_NO_EC_NISTP_64_GCC_128 define, and rebuilt libcrypto.

running `openssl speed ecdhp224 ecdhp256`

without acceleration:

                              op      op/s
 224 bit ecdh (nistp224)   0.0003s   3113.0
 256 bit ecdh (nistp256)   0.0004s   2779.1

with acceleration:

                              op      op/s
 224 bit ecdh (nistp224)   0.0001s  10556.8
 256 bit ecdh (nistp256)   0.0002s   4232.4

--
Carlin
Re: sys_socket() protection fault on -current
On Tue, 2 Dec 2014, at 07:47 AM, Philip Guenther wrote: > On Tue, 2 Dec 2014, Carlin Bingham wrote: > > On -current, running apachebench with a large number of concurrent > > requests is causing a protection fault. > > > > eg. the command: ab -n 1000 -c 1000 http://my.host/ > > > > Reproduced on two different machines. > > CNR on 5.6-release. > > > > > > kernel: protection fault trap, code=0 > > Stopped at sys_socket+0x6a:orb$0x1,0(%rax) > > ddb{1}> trace > > sys_socket() at sys_socket+0x6a > > syscall() at syscall+0x297 > > --- syscall (number 97) --- > > end of kernel > > end trace frames: 0x182f8a7adde8, count: -2 > > 0x182fbc0e1cba: > > ddb{1}> > > Gah, this is almost certainly my fault, trying to set the close-on-exec > flag even when the fd allocation failed. Can you reproduce it with this > diff applied? > > > Philip Guenther > > Index: uipc_syscalls.c > === > RCS file: /cvs/src/sys/kern/uipc_syscalls.c,v > retrieving revision 1.93 > diff -u -p -r1.93 uipc_syscalls.c > --- uipc_syscalls.c 9 Sep 2014 02:07:17 - 1.93 > +++ uipc_syscalls.c 1 Dec 2014 18:44:13 - > @@ -83,7 +83,7 @@ sys_socket(struct proc *p, void *v, regi > > fdplock(fdp); > error = falloc(p, &fp, &fd); > - if (type & SOCK_CLOEXEC) > + if (error == 0 && (type & SOCK_CLOEXEC)) > fdp->fd_ofileflags[fd] |= UF_EXCLOSE; > fdpunlock(fdp); > if (error != 0) > @@ -240,7 +240,7 @@ redo: > > fdplock(fdp); > error = falloc(p, &fp, &tmpfd); > - if (flags & SOCK_CLOEXEC) > + if (error == 0 && (flags & SOCK_CLOEXEC)) > fdp->fd_ofileflags[tmpfd] |= UF_EXCLOSE; > fdpunlock(fdp); > if (error != 0) { > Yes this seems to work, can not reproduce it with this applied. Thanks -- Carlin
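Review bot: In the sys_socket hunk (line 83), a one-line comment above the new `error == 0 &&` guard would help: `fd` is not a valid index into `fd_ofileflags` when `falloc` fails, and without that explanation the test looks redundant next to the unchanged `if (error != 0)` that follows `fdpunlock(fdp)`.

Review bot: The hunk at line 240 repairs the same pattern with `tmpfd` and `flags`, so the mistake was made twice in this file; please confirm that no other `falloc` caller sets `UF_EXCLOSE` before checking `error`, and say so in the commit message.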
sys_socket() protection fault on -current
On -current, running apachebench with a large number of concurrent
requests is causing a protection fault.

eg. the command: ab -n 1000 -c 1000 http://my.host/

Reproduced on two different machines.
CNR on 5.6-release.


kernel: protection fault trap, code=0
Stopped at sys_socket+0x6a:orb$0x1,0(%rax)
ddb{1}> trace
sys_socket() at sys_socket+0x6a
syscall() at syscall+0x297
--- syscall (number 97) ---
end of kernel
end trace frames: 0x182f8a7adde8, count: -2
0x182fbc0e1cba:
ddb{1}>


OpenBSD 5.6-current (GENERIC.MP) #623: Fri Nov 28 22:09:45 MST 2014
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 16835846144 (16055MB)
avail mem = 16383827968 (15624MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xacd3d000 (66 entries)
bios0: vendor LENOVO version "GLET70WW (2.24 )" date 05/21/2014
bios0: LENOVO 20ANCTO1WW
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP DBGP ECDT HPET APIC MCFG SSDT SSDT SSDT SSDT SSDT SSDT SSDT PCCT SSDT TCPA UEFI MSDM ASF!
Re: Smartmatch is experimental at
On Sat, 8 Nov 2014, at 04:25 AM, sven falempin wrote:
> Dear misc,
>
> In openbsd 5.5 ~~ was not experimental.
>
> Insight ?
>
> --
> -
> () ascii ribbon campaign - against html e-mail
> /\
>

Smartmatch was made experimental in perl 5.18[0]. OpenBSD 5.5 includes
perl 5.16.3, OpenBSD 5.6 includes perl 5.18.2.

[0] http://perldoc.perl.org/perl5180delta.html#The-smartmatch-family-of-features-are-now-experimental

--
Carlin
Re: 5.6 arrived
On Thu, 30 Oct 2014, at 10:32 AM, Richard Toohey wrote:
> On 10/30/14 07:26, Zé Loff wrote:
> > Sighted on my mailbox today, in Lisbon, Portugal.
> Arrived today in Tauranga, New Zealand.
>

Arrived today in the other half of New Zealand (Christchurch).

--
Carlin
Re: current snapshot installer not recognising USB devices
On Tue, 14 Oct 2014, at 10:24 AM, Carlin Bingham wrote:
> On Tue, 14 Oct 2014, at 09:05 AM, Martin Pieuchot wrote:
> > On 14/10/14(Tue) 06:40, Carlin Bingham wrote:
> > > I have booted the latest (11/10/14) snapshot install56.fs from a USB
> > > drive and want to install it to an external USB drive but the drive (and
> > > other USB devices) are not being recognised. No kernel messages are
> > > being displayed when USB devices are added/removed, and if I run `sh
> > > MAKEDEV sd2` it gives "device not configured" when trying to mount it.
> > >
> > > In the installer with 5.5 release, it just works and kernel messages are
> > > displayed as expected.
> > >
> > > Has something changed that would cause this? Or is there something I
> > > need to do now to bring USB up?
> > >
> > >
> > > This is on a Lenovo T440p.
> > >
> > > dmesg for 5.5 and the snapshot (both from the install shell):
> >
> > [...]
> >
> > > OpenBSD 5.6-current (RAMDISK_CD) #380: Sat Oct 11 16:04:03 MDT 2014
> > > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
> > > [...]
> > > uhub2 at uhub0 port 1 "vendor 0x8087 product 0x8008" rev 2.00/0.04 addr
> > > 2
> > > uhub3 at uhub1 port 1 "vendor 0x8087 product 0x8000" rev 2.00
> > > SIZE 0.04 addr 2
> >
> > This is really weird. Is it really what you're seeing? Apparently
> > you don't get any interrupt from your rate-matching hub. That would
> > explain why you don't see any new "blue lines" when connecting a
> > device.
> >
> > Do you have an option in your BIOS to toggle USB3 support? Does it make
> > any difference?
>
> In BIOS, USB 3.0 Mode was set to [AUTO], changing that to [DISABLED]
> fixed it and, as expected, changing it to [ENABLED] breaks it.
>
> Thanks for your help.
>

Just out of curiosity, what would have changed that would cause USB 3.0
Mode being set to [AUTO] to no longer work when it did work fine in 5.5?

--
Carlin
Re: current snapshot installer not recognising USB devices
On Tue, 14 Oct 2014, at 09:05 AM, Martin Pieuchot wrote:
> On 14/10/14(Tue) 06:40, Carlin Bingham wrote:
> > I have booted the latest (11/10/14) snapshot install56.fs from a USB
> > drive and want to install it to an external USB drive but the drive (and
> > other USB devices) are not being recognised. No kernel messages are
> > being displayed when USB devices are added/removed, and if I run `sh
> > MAKEDEV sd2` it gives "device not configured" when trying to mount it.
> >
> > In the installer with 5.5 release, it just works and kernel messages are
> > displayed as expected.
> >
> > Has something changed that would cause this? Or is there something I
> > need to do now to bring USB up?
> >
> >
> > This is on a Lenovo T440p.
> >
> > dmesg for 5.5 and the snapshot (both from the install shell):
>
> [...]
>
> > OpenBSD 5.6-current (RAMDISK_CD) #380: Sat Oct 11 16:04:03 MDT 2014
> > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
> > [...]
> > uhub2 at uhub0 port 1 "vendor 0x8087 product 0x8008" rev 2.00/0.04 addr
> > 2
> > uhub3 at uhub1 port 1 "vendor 0x8087 product 0x8000" rev 2.00
> > SIZE 0.04 addr 2
>
> This is really weird. Is it really what you're seeing? Apparently
> you don't get any interrupt from your rate-matching hub. That would
> explain why you don't see any new "blue lines" when connecting a
> device.
>
> Do you have an option in your BIOS to toggle USB3 support? Does it make
> any difference?

In BIOS, USB 3.0 Mode was set to [AUTO], changing that to [DISABLED]
fixed it and, as expected, changing it to [ENABLED] breaks it.

Thanks for your help.

--
Carlin
current snapshot installer not recognising USB devices
I have booted the latest (11/10/14) snapshot install56.fs from a USB
drive and want to install it to an external USB drive but the drive (and
other USB devices) are not being recognised. No kernel messages are
being displayed when USB devices are added/removed, and if I run `sh
MAKEDEV sd2` it gives "device not configured" when trying to mount it.

In the installer with 5.5 release, it just works and kernel messages are
displayed as expected.

Has something changed that would cause this? Or is there something I
need to do now to bring USB up?


This is on a Lenovo T440p.

dmesg for 5.5 and the snapshot (both from the install shell):

OpenBSD 5.5 (RAMDISK_CD) #237: Wed Mar 5 09:43:42 MST 2014
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 16835846144 (16055MB)
avail mem = 16382713856 (15623MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xacd3d000 (66 entries)
bios0: vendor LENOVO version "GLET70WW (2.24 )" date 05/21/2014
bios0: LENOVO 20ANCTO1WW
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP DBGP ECDT HPET APIC MCFG SSDT SSDT SSDT SSDT SSDT SSDT SSDT PCCT SSDT TCPA UEFI MSDM ASF!
Re: How to follow -stable and verify it with signify?
On Wed, 1 Oct 2014, at 04:46 AM, trondd wrote:
> On Tue, Sep 30, 2014 at 11:30 AM, Giancarlo Razzolini wrote:
>
> > On 30-09-2014 11:56, trondd wrote:
> >
> >> There are SSH fingerprints published for each of the CVS servers.
> >>
> > They are published on a clear http page and there is no SSHFP on the dns.
> > You need to access the anoncvs page from different places, using different
> > connections/vpns/proxies, to be sure you are talking to the right anoncvs
> > server.
>
> Sure, you have to somehow verify that the fingerprint is good and check it
> against the fingerprint you get when first connecting to the CVS server.
> How can you verify that fingerprint is good? I don't know.
>
> Is it good enough to grab the signed source tarball, then checkout from CVS
> over it and make sure nothing changed in the process?

Some of the servers have been up for years and the fingerprints are cached and mirrored all around the web. Compare what you're seeing with a few of the caches and mirrors to see if they match.

--
Carlin
Re: provide public gpg key(s) by the install-isos
On Tue, 9 Sep 2014, at 12:46 AM, Joel Rees wrote:
> On Mon, Sep 8, 2014 at 4:12 AM, Elmar Stellnberger wrote:
> > [...]
> > P.S.: URL about NSA regularly intercepting laptop shipments:
> > http://www.extremetech.com/computing/173721-the-nsa-regularly-intercepts-laptop-shipments-to-implant-malware-report-says
>
> Consider this -- How much is the NSA or some other similar
> organization going to pay to run a man-in-the-middle on you? How much
> would it cost them to intercept, not just the CD being shipped, but
> also your queries on random mirrors?
>
> [...]

The keys have also been posted to the mailing list at least once (look for a post by Theo in the thread "a half-baked analysis of the verification chicken-and-egg problem, and request"). The mailing list is mirrored by many different services (such as marc), so also comparing the keys against the various mailing list mirrors would create additional complexity for any organisation trying to MITM the keys you receive.

--
Carlin
Re: [patch] www/faq/faq6.html: add otus(4), rsu(4), urtwn(4) to wireless networking list
Did this get missed or am I just too impatient? On Sun, 24 Aug 2014, at 02:33 AM, Carlin Bingham wrote: > Just noticed that these drivers are not listed > > > > Index: faq6.html > === > RCS file: /cvs/www/faq/faq6.html,v > retrieving revision 1.318 > diff -u -r1.318 faq6.html > --- faq6.html7 Aug 2014 01:51:34 -1.318 > +++ faq6.html23 Aug 2014 14:20:42 - > @@ -2053,6 +2053,8 @@ > Intel WiFi Link 4965/5100/5300 802.11a/b/g/Draft-N wireless. >href="http://www.openbsd.org/cgi-bin/man.cgi?query=malo&sektion=4";>malo(4) > Marvell Libertas 802.11b/g > + href="http://www.openbsd.org/cgi-bin/man.cgi?query=otus&sektion=4";>otus(4) > +Atheros USB 802.11a/g/n >href="http://www.openbsd.org/cgi-bin/man.cgi?query=pgt&sektion=4";>pgt(4) > Conexant/Intersil Prism GT Full-MAC 802.11a/b/g >href="http://www.openbsd.org/cgi-bin/man.cgi?query=ral&sektion=4";>ral(4) > @@ -2060,6 +2062,8 @@ > Ralink Technology RT25x0 802.11a/b/g. (AP) >href="http://www.openbsd.org/cgi-bin/man.cgi?query=ray&sektion=4";>ray(4) > Raytheon Raylink/WebGear Aviator 802.11FH > + href="http://www.openbsd.org/cgi-bin/man.cgi?query=rsu&sektion=4";>rsu(4) > +Realtek RTL8188SU/RTL8192SU USB 802.11b/g/n >href="http://www.openbsd.org/cgi-bin/man.cgi?query=rtw&sektion=4";>rtw(4) > Realtek 8180 802.11b. (AP) >href="http://www.openbsd.org/cgi-bin/man.cgi?query=rum&sektion=4";>rum(4) > @@ -2072,6 +2076,8 @@ > Conexant/Intersil PrismGT SoftMAC USB 802.11b/g >href="http://www.openbsd.org/cgi-bin/man.cgi?query=urtw&sektion=4";>urtw(4) > Realtek RTL8187L USB 802.11b/g > + href="http://www.openbsd.org/cgi-bin/man.cgi?query=urtwn&sektion=4";>urtwn(4) > +Realtek RTL8188CU/RTL8192CU USB 802.11b/g/n >href="http://www.openbsd.org/cgi-bin/man.cgi?query=wi&sektion=4";>wi(4) > Prism2/2.5/3. (AP) >href="http://www.openbsd.org/cgi-bin/man.cgi?query=wpi&sektion=4";>wpi(4)
[patch] www/faq/faq6.html: add otus(4), rsu(4), urtwn(4) to wireless networking list
Just noticed that these drivers are not listed Index: faq6.html === RCS file: /cvs/www/faq/faq6.html,v retrieving revision 1.318 diff -u -r1.318 faq6.html --- faq6.html7 Aug 2014 01:51:34 -1.318 +++ faq6.html23 Aug 2014 14:20:42 - @@ -2053,6 +2053,8 @@ Intel WiFi Link 4965/5100/5300 802.11a/b/g/Draft-N wireless. href="http://www.openbsd.org/cgi-bin/man.cgi?query=malo&sektion=4";>malo(4) Marvell Libertas 802.11b/g +href="http://www.openbsd.org/cgi-bin/man.cgi?query=otus&sektion=4";>otus(4) +Atheros USB 802.11a/g/n href="http://www.openbsd.org/cgi-bin/man.cgi?query=pgt&sektion=4";>pgt(4) Conexant/Intersil Prism GT Full-MAC 802.11a/b/g href="http://www.openbsd.org/cgi-bin/man.cgi?query=ral&sektion=4";>ral(4) @@ -2060,6 +2062,8 @@ Ralink Technology RT25x0 802.11a/b/g. (AP) href="http://www.openbsd.org/cgi-bin/man.cgi?query=ray&sektion=4";>ray(4) Raytheon Raylink/WebGear Aviator 802.11FH +href="http://www.openbsd.org/cgi-bin/man.cgi?query=rsu&sektion=4";>rsu(4) +Realtek RTL8188SU/RTL8192SU USB 802.11b/g/n href="http://www.openbsd.org/cgi-bin/man.cgi?query=rtw&sektion=4";>rtw(4) Realtek 8180 802.11b. (AP) href="http://www.openbsd.org/cgi-bin/man.cgi?query=rum&sektion=4";>rum(4) @@ -2072,6 +2076,8 @@ Conexant/Intersil PrismGT SoftMAC USB 802.11b/g href="http://www.openbsd.org/cgi-bin/man.cgi?query=urtw&sektion=4";>urtw(4) Realtek RTL8187L USB 802.11b/g +href="http://www.openbsd.org/cgi-bin/man.cgi?query=urtwn&sektion=4";>urtwn(4) +Realtek RTL8188CU/RTL8192CU USB 802.11b/g/n href="http://www.openbsd.org/cgi-bin/man.cgi?query=wi&sektion=4";>wi(4) Prism2/2.5/3. (AP) href="http://www.openbsd.org/cgi-bin/man.cgi?query=wpi&sektion=4";>wpi(4)
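Review bot: In the first hunk (@@ -2053,6 +2053,8 @@) the new otus(4) description, "Atheros USB 802.11a/g/n", names no chipset, while the other two additions and several neighbouring entries do (for example "Realtek RTL8188SU/RTL8192SU USB 802.11b/g/n" and "Ralink Technology RT25x0 802.11a/b/g"). Consider naming the supported chipset family as the otus(4) manual page gives it, so the entry reads like the rest of the list.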
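Review bot: In the second hunk (@@ -2060,6 +2062,8 @@) the rsu(4) entry carries no "(AP)" marker although the entries around it, ral(4) and rtw(4), do, and the same holds for urtwn(4) next to wi(4) in the third hunk. Please state in the submission that the omission is deliberate, that is, that these drivers do not support access-point mode, so the committer does not have to check each manual page.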
Re: a half-baked analysis of the verification chicken-and-egg problem, and request
On Thu, 14 Aug 2014, at 12:38 AM, Giancarlo Razzolini wrote:
> On 13-08-2014 09:04, Carlin Bingham wrote:
> > Are there plans to get openbsd.org serving over SSL? That would help a
> > bit in trusting the keys posted to the website.
>
> No, it wouldn't. If we go down that path, DNSSEC, with all its problems
> is better than SSL for this. You can get free ssl certificates these
> days, so the cost isn't the issue here. I do many things that the OP
> said, such as downloading the sigs from different mirrors, using
> different internet connections at different times. And even now that
> there are the pub keys for the next release on the install, I'll keep
> doing this, just to be sure.
>
> Cheers,
>
> --
> Giancarlo Razzolini
> GPG: 4096R/77B981BC

Of course, but doing all that in addition to getting the keys over SSL is better than doing all that and not getting the keys over SSL.
Re: a half-baked analysis of the verification chicken-and-egg problem, and request
On Wed, 13 Aug 2014, at 11:38 AM, Theo de Raadt wrote:
> >One suggestion/request, to make it even harder for the man-in-the-middle
> >attack to be successfully employed, could the current checksums be posted in
> >the announcement of the new version?
>
> http://www.openbsd.org/55.html
>
> signify(1) pubkeys for this release:
> base: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
> fw: RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO
> pkg: RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5
>
> For the upcoming 5.6 release (few months yet), the keys are already
> included in your 5.5 install, or you can find them in your /etc/signify
> directory. Or, check http://www.openbsd.org/56.html (warning:
> incomplete)
>
> signify(1) pubkeys for this release:
> base: RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV
> fw: RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw
> pkg: RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb
>
> In fact the snapshots available since about a month ago already include
> the public keys for the 5.7 release next May

Are there plans to get openbsd.org serving over SSL? That would help a bit in trusting the keys posted to the website.
Re: a half-baked analysis of the verification chicken-and-egg problem, and request
On Wed, 13 Aug 2014, at 11:38 AM, Theo de Raadt wrote:
> >One suggestion/request, to make it even harder for the man-in-the-middle
> >attack to be successfully employed, could the current checksums be posted in
> >the announcement of the new version?
>
> http://www.openbsd.org/55.html
>
> signify(1) pubkeys for this release:
> base: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
> fw: RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO
> pkg: RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5
>
> For the upcoming 5.6 release (few months yet), the keys are already
> included in your 5.5 install, or you can find them in your /etc/signify
> directory. Or, check http://www.openbsd.org/56.html (warning:
> incomplete)
>
> signify(1) pubkeys for this release:
> base: RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV
> fw: RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw
> pkg: RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb
>
> In fact the snapshots available since about a month ago already include
> the public keys for the 5.7 release next May

Now check out the keys in /src/etc/signify/ from cvs over ssh, check that the fingerprint of the cvs server matches what is on the website (and/or in the various caches), and compare that the keys match what was posted. And as mailing list posts are mirrored on many archive sites, compare that the various archives agree with what keys were posted.

And once you have a 5.5 that you're confident is legitimate, every subsequent release can be verified using the keys from it, and you will have a chain of trust.
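The cross-check described in the reply above (the same key gathered from the website, a CVS checkout and several list archives), as an added example that is not part of the original post or of OpenBSD's own tooling: it parses signify(1) public keys and accepts them only when every copy is identical. The source labels, the comment header and the altered copy are constructed sample data; the key is the 5.5 base key as quoted in the post.

```python
import base64

# 5.5 base key exactly as quoted in the post above.
POSTED_55_BASE = "RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h"

def parse_pubkey(text):
    """Return (keynum_hex, key_bytes) for a signify(1) public key.

    Accepts the bare base64 line or a whole .pub file, whose first line
    is an "untrusted comment:" header.
    """
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    body = [l for l in lines if not l.startswith("untrusted comment:")]
    if len(body) != 1:
        raise ValueError("expected exactly one base64 line")
    raw = base64.b64decode(body[0], validate=True)
    # Layout: 2-byte algorithm "Ed", 8-byte key number, 32-byte Ed25519 key.
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a signify Ed25519 public key")
    return raw[2:10].hex(), raw[10:]

def cross_check(copies):
    """copies: {source label: key text}. Returns (agreed, groups, rejected)."""
    groups, rejected = {}, []
    for source in sorted(copies):
        try:
            groups.setdefault(parse_pubkey(copies[source]), []).append(source)
        except ValueError:
            rejected.append(source)
    # Trust nothing unless every copy parsed and all copies are identical.
    agreed = len(groups) == 1 and not rejected
    return agreed, groups, rejected

# Constructed sample: labels and the altered copy are made up for the demo.
SAMPLE = {
    "website": POSTED_55_BASE,
    "list archive 1": POSTED_55_BASE + "\n",
    "cvs checkout": "untrusted comment: constructed header\n" + POSTED_55_BASE + "\n",
    "list archive 2": POSTED_55_BASE[:-1] + "g",  # one character altered
}

if __name__ == "__main__":
    agreed, groups, rejected = cross_check(SAMPLE)
    for (keynum, _), sources in groups.items():
        print(f"keynum {keynum}: {', '.join(sources)}")
    print("all copies agree" if agreed else "MISMATCH: do not trust any copy yet")
```

A single altered character still decodes as a well-formed key, so only the comparison between independently fetched copies exposes it.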
Re: I have several questions
On 12/08/14 18:27, Long Wind wrote:
> I raise the question again.
> During installation, I am asked:
>
> Directory does not contain SHA256.sig. Continue without verification? [no]
>
> I have to enter yes to let it proceed:
>
> Installing bsd
> Installing bsd.rd
> Installing base55.tgz
> ...
>
> I have downloaded CD image for i386 and burned it and booted it
> I think I shall not encounter such a question
> Why SHA256.sig isn't on CD?
>
> Thanks to all those who reply (replied)!!

If someone was able to modify the ISO to tamper with the sets, they could also alter the keys included, and change the checksums and .sig file. In this case, you would be told everything was fine and it would continue installing. That is why you should verify the install ISO itself before booting/installing.