Problems applying 002_ssl.patch to 4.0 upgraded system
Anyone else seeing this? This was a 3.9 system upgraded to 4.0. I'm wondering if I missed something when clearing out the old source code?

/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c: In function `RSA_X931_hash_id':
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:165: error: `NID_sha256' undeclared (first use in this function)
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:165: error: (Each undeclared identifier is reported only once
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:165: error: for each function it appears in.)
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:168: error: `NID_sha384' undeclared (first use in this function)
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:171: error: `NID_sha512' undeclared (first use in this function)
*** Error code 1
Stop in /usr/src/lib/libssl/crypto.
*** Error code 1
Stop in /usr/src/lib/libssl.
Re: Python wrapper for PF ? is that usefull ?
Gary B. wrote:
On 9/26/06, fv <[EMAIL PROTECTED]> wrote:
Hello, I'm studying the idea of writing a Python library for controlling pf internals. Would you find it useful to write some simple scripts for controlling PF? Does anyone think it's useful? Cheers, François
What sort of control scripts were you thinking of? It would be nice if there was a front-end to PF that is similar to that of ipchains/iptables.

Pfctl?
Re: OpenBSD Order and austin@ encrypted block
Chris Zakelj wrote:
Got my pre-order entered a couple days ago, but I still haven't been able to find what keyserver is being used, and thus, I have no idea what austin's PGP message block says. Google turned up nothing about austin@ except a message two years ago about a totally different issue. Is there an oBSD specific keyserver, or am I missing something else?

Original Message

hEwDrSNaAuoqDVkBAgCeqJQORcw6my6yFazgGyyTdHWmT7Rk67BW/t2XbTigq2u3
QLsMezjHQJu2C9lOnLtgKp+JNuOfjLtGRDcc+lqppgAAAWrDWEmE4f9LPMVZorkE
5a/72Av7vn0K3d7+bLuP4MhIvxt3AWdYmvXJ8ayNUWbMFczfSiEC/5PRRkVsvRVg
ajImub3K01rERV7u5x0KS9eTYE9/eiXqjuFe+napu7rlEjgyCANwCmuM7do6PJ7R
LHkRqy+mv++5XSdoBgmVGlaWR8d5wKP5e2/jL+mVcUwVp6KvtWT0uH2eb67opekO
OiJWBGhMppaj6B4cQBRjI0MtXstjucVhdNu2YrM4P36o7TiVmcrJtmSqYdlFybaO
F4Xs6IhQwC9/vBHzm9fFI6Qj+JmfirTX/tk9WtQ8STbzbgO1FYbxHV56y8ZOEuQd
wlSWw9B8UY0Yxx7BEl84awAGXp//+JL/03RptWpRnsbArRlVOC7nenbAIGoKT+VN
pjxm+MgBKqP1AJ5gnCDMua2D21LEQoEFxXGLkOuBUtDbmiIehoaxzGtH4V5KCPSK
fjpUHwhdVroTaLkurQ==
=8kgO
-----END PGP MESSAGE-----

I asked Austin the same question once and was told they have a shipping FAQ and was sent this:

(14) BTW, the encrypted section at the end of the order confirmation mystifies some people. It's a copy of your order with the credit card info built in, and can only be decrypted by us. It also can serve as a proof of order, should that ever be necessary.
Re: Rotate many Apache logfiles
Mackan wrote: Hi! What is the preferred way of rotating Apache's logfiles? I have many virtual domains, each with its own access and error logfile. I'm using CustomLog, not TransferLog. Apache is chrooted. Adding every logfile to /etc/newsyslog.conf is one way, but hard to maintain. Is Apache's own rotatelogs program the way to go? Mackan Savelogs, if it's available, is a nice method, at least on FreeBSD. It's not in the ports or packages list for i386 on OpenBSD 3.9, but it's a perl script, so I would think it's doable.
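As an added example (not from the original thread, and not OpenBSD's or Apache's own code), this script generates the newsyslog.conf(5) entries for every per-vhost log under the chroot's log directory, so the file can be regenerated when a virtual host is added instead of being edited by hand. The column layout, the pid file path /var/www/logs/httpd.pid and the use of signal 30 (SIGUSR1 on OpenBSD, which makes Apache 1.3 restart gracefully and reopen its logs) are assumptions to check against newsyslog.conf(5) on your release; the sample log directory is constructed.

```shell
#!/bin/sh
# Generate one newsyslog.conf(5) line per Apache log under the chroot's log
# directory.  Added example, not from the original thread.
#
# Assumptions (check newsyslog.conf(5) on your release before relying on them):
#   - an entry is:  logfile owner:group mode count size when flags [pidfile] [signal]
#   - the chrooted httpd writes its pid file to /var/www/logs/httpd.pid and
#     signal 30 (SIGUSR1 on OpenBSD) makes Apache 1.3 reopen its logs;
#     both paths are as seen from outside the chroot, where newsyslog runs.

# Print newsyslog entries for every *access_log and *error_log in $1.
# $2 is the httpd pid file, $3 the number of rotated copies to keep.
newsyslog_entries() {
    logdir=$1
    pidfile=$2
    keep=${3:-4}
    for f in "$logdir"/*access_log "$logdir"/*error_log; do
        [ -f "$f" ] || continue
        # size '*' = no size limit, when '$W0D4' = Sunday 04:00, Z = gzip the
        # rotated copy, then send signal 30 to the pid found in $pidfile
        printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
            "$f" root:wheel 644 "$keep" '*' '$W0D4' Z "$pidfile" 30
    done
}

# Constructed log directory for a dry run: two vhosts, the default logs,
# and the pid file (which must not get an entry).
make_sample_logdir() {
    d=$(mktemp -d)
    for v in example.org example.net; do
        : > "$d/$v-access_log"
        : > "$d/$v-error_log"
    done
    : > "$d/access_log"
    : > "$d/error_log"
    : > "$d/httpd.pid"
    echo "$d"
}

# Number of entries that would be generated for a directory.
count_entries() {
    newsyslog_entries "$1" "$1/httpd.pid" | wc -l | tr -d ' '
}

d=$(make_sample_logdir)
newsyslog_entries "$d" /var/www/logs/httpd.pid
rm -rf "$d"
```

Run it against the real log directory (`newsyslog_entries /var/www/logs /var/www/logs/httpd.pid > /etc/newsyslog.d-apache`, or append to /etc/newsyslog.conf) and then `newsyslog -nv -f <file>` shows what would be rotated without touching anything, which is the check to do before the first real rotation of a chrooted server.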
Re: UTC vs UCT timezone
Mark Zimmerman wrote:
On Tue, Sep 05, 2006 at 04:27:42PM -0400, Scott Plumlee wrote:
The FAQ seems to reference UTC (at least in section 8), which would translate as Universal Time, Coordinated, from what I understand. Are these two the same?
Yes, UTC is Coordinated Universal Time. The acronym is a compromise between English and French.

I appreciate all the answers, both on and off list. Wikipedia was the first place I looked, so I understand that UTC is the official US abbreviation of Universal Coordinated Time. But I still don't see a reason why, if UTC==UCT, there are two files when it would seem that a link would remove the need for two separate files.

# pwd
/usr/share/zoneinfo/Etc
# ls -lai UCT
87585 -r--r--r--  2 root  bin  56 Mar  2  2006 UCT
# ls -lai UTC
87589 -r--r--r--  6 root  bin  56 Mar  2  2006 UTC

So one has 6 links, one has 2 links. My guess is that somewhere in the system, there are other files that need both of these, perhaps for historical reasons. That's what I'm trying to figure out, but I don't know if there is a simple method for finding the files that reference a particular inode. Anyway, back to the original question: if UTC==UCT, what is the reason that a symbolic link from UCT to UTC would not work? Please pardon the stupidity if the answer is blatantly obvious. Clue stick received with a smile, at least the first hundred times.
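As an added example (not from the original thread), this script does the two checks the post is asking about: it lists every path in a tree that shares a file's inode, i.e. all of its hard links, and it compares two files byte for byte, since two zoneinfo files of the same size can still carry different abbreviation strings, which ls -l cannot show. The sample tree is constructed to mimic /usr/share/zoneinfo; the inode numbers and file contents are not the real ones.

```shell
#!/bin/sh
# Find every hard link to a file by inode number, and compare two files by
# content.  Added example, not from the original thread; the sample tree
# below is constructed.

# Print every regular file under $1 that shares $2's inode (all its hard
# links).  Inode numbers are only unique within one filesystem, so the search
# stays on the filesystem it started on (-xdev).
hardlinks_of() {
    tree=$1
    file=$2
    ino=$(ls -id "$file" | awk '{print $1}')   # first column of ls -i is the inode
    find "$tree" -xdev -type f -inum "$ino"
}

# Hard-link count of a file, the second column of ls -l.
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# "same" if the two files are byte-identical, "differ" otherwise.
same_content() {
    if cmp -s "$1" "$2"; then echo same; else echo differ; fi
}

# Constructed tree: Etc/UTC with three hard links, Etc/UCT as a separate
# file of the same size but different bytes, and one symlink (which is not
# a hard link and shares no inode).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/Etc"
    printf 'TZif UTC\n' > "$d/Etc/UTC"     # constructed, not a real TZif file
    ln "$d/Etc/UTC" "$d/UTC"
    ln "$d/Etc/UTC" "$d/Zulu"
    printf 'TZif UCT\n' > "$d/Etc/UCT"     # same size, different content
    ln -s "$d/Etc/UTC" "$d/GMT-sym"
    echo "$d"
}

demo() {
    d=$(make_sample_tree)
    echo "links to Etc/UTC ($(link_count "$d/Etc/UTC") in total):"
    hardlinks_of "$d" "$d/Etc/UTC" | sort
    echo "Etc/UTC vs Etc/UCT: $(same_content "$d/Etc/UTC" "$d/Etc/UCT")"
    rm -rf "$d"
}

demo
```

On a real system the same two calls are `hardlinks_of /usr/share/zoneinfo /usr/share/zoneinfo/Etc/UTC` (or directly `find /usr/share/zoneinfo -xdev -inum 87589`) and `cmp /usr/share/zoneinfo/Etc/UTC /usr/share/zoneinfo/Etc/UCT`; if cmp reports a difference, the two files are not interchangeable and a symlink from one to the other would silently change the zone abbreviation.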
UTC vs UCT timezone
The FAQ seems to reference UTC (at least in section 8), which would translate as Universal Time, Coordinated, from what I understand. Are these two the same?
Re: Why no compiler on prod system [Was: Re: How to update httpd without a compiller]
NetNeanderthal wrote:
On 8/24/06, Anton Karpov <[EMAIL PROTECTED]> wrote:
Removing the compiler doesn't bring much more security to your system, but it can make it a little bit safer. Very little bit, but safer. I mean, if your system has a local root hole, for example, in this case the cracker should compile his sploit somewhere outside your box, and transfer the binary file onto it; thus, it takes more time than "cat > /tmp/.slp01t.c && gcc /tmp/.spl01t.c && ./a.out". And usually, crackers are limited in time resources.
This patently futile measure contributes zero security to the system and it does not make the system even 'a little bit safer'. Please substantiate your claim based on the security record of a large Redmond-based OS that is distributed sans compiler.

Disclaimer - I manage only a few, non-critical machines, and am at best a journeyman OpenBSD user. I like the point that Bruce Schneier often makes: security is about risk versus cost (or benefit versus cost). For different companies and different admins, these two choices have a different benefit and cost: having a compiler on a production machine or having to maintain another machine for performing make release (or whatever other method you prefer to use to upgrade - copy binaries, etc). If you don't have a second machine upon which to make release, then having the compiler on the production machine is acceptable because being able to patch the machine outweighs not having the compiler in terms of security benefit. As Nick said, if not having the compiler means you don't upgrade, then that's a pretty heavy risk for whatever benefit you do realize. I realize that this is a simplified way of looking at it, and there are other considerations (physical access to upgrade versus remote access, downtime needed, etc) but in the end any good business decision is risk/benefit versus cost.
I don't think any of the methods that have been discussed are wrong or right; each is correct according to the decisions that the admins have made for their own machines. Personally, I like to use make release, as I was pointed towards that method here once and it's worked for me. To each their own.
Re: Kernel panic ... Unknown source ...
o?= wrote:
Hello, My OpenBSD 3.9-stable box is quite unstable. I don't have physical access to my box so I can't debug it directly. I've recompiled a GENERIC kernel with DEBUG support and set ddb.panic to 0 in sysctl.conf so that it's rebooting automatically. But no kernel dump is made after a kernel panic. I searched on the web without finding a solution. Every time the kernel panic is different. I tried -current (and also 3.8). The result is nearly the same: no more kernel panics, but the system freezes while still responding to ping. As I said before in another mail, this is NOT due to a hardware failure. Many of the SAME machines work perfectly. The only difference is the revision of the BIOS (vcore updated and Pstate disabled). I want to find the source of the bug to correct it if I can.

I'm still awfully new to *nix, but isn't saying that "it's not hardware just because other boxes like this don't fail" the same as "my car can't be out of gas because other cars of the same model are still driving by me"? I can understand if you mean that it's not due to an unsupported piece of hardware, in which case I would think the kernel panic would be the same, but how do you know it's not a bad disk, cables, processor, heatsink, fan, etc. etc.? But again, I'm awfully new so I'll just follow the thread and see what happens.
Developers: you just ruined my night
Here I was, planning on spending an hour or two after work upgrading a 3.8-release system to -stable. Started the process from a release I built earlier in the day, and 8 minutes later I'm done. What am I supposed to do now, go home and have a beer? Thanks again for a superb product. This was my first time trying out making my own release (for upgrading a firewall with no compiler), and it was as simple and clean as the original install. Can't believe I've spent all that time applying patches by hand up till now.
Patching question - when patches require a rebuild of the kernel
Trying to do the 'right thing' and not keep the compiler installed on the firewall. I've been copying binaries over from another system after it's been patched, by running make -n install to see what files would be updated, and then copying those files by hand. In the case of patches that require a kernel rebuild, is copying the actual bsd file, after rebuilding it in /usr/src/sys/arch/i386/compile/GENERIC, to the firewall all that is needed? Great piece of software, thanks again to the developer team.
Re: Has anyone had Fogbugz on Openbsd working?
Bill wrote: Has anyone had Fogbugz (from fogcreek) running on openbsd? They list a bunch of O/S's including OSX and FreeBSD, but to find out if it works I need to buy it. Which means a bunch of paperwork and approvals to get it. Then more, if I have to return it and get something different. If they had a free download trial I would try that, but they only have online. I've not found anything on google or their forums on it. Thanks PS. Sorry if the waiting for approval one gets through also - i sent from the wrong acct (again). I spoke to a support rep about it before I bought it for our use on a FreeBSD machine. Wanted to get it running on OpenBSD, but they don't have anyone (as of several months ago) running it on OpenBSD that they could find in their knowledge base. They use a particular module that they don't release the source for (fogbugz.so, if I remember right), so it only works on particular platforms. I spent a few minutes the other day messing around with it to see what would happen if I did FreeBSD binary emulation, but I didn't have time to correct all the installation parameters to locate the various files in the right places. I had selected FreeBSD as the install OS, and it kept expecting things to be in different places. But it might work, and you can get a 30 day trial period when you can get a refund for any reason. We just run a single copy, and I think it's only about $130 total for one copy. If there is anyone else that's wanting to do this, I'll add our name to any push to have them make an OpenBSD release.
Re: How to patch a physically weak system & recommended use of sudo?
Nick Holland wrote:
Tim wrote:
Hello 1. I have an old computer that is slow and has little memory. But I want to keep it updated with patches. I can't compile these patches on the system but I could do it on another faster system. But how can I later apply the compiled patches to the weak system?
In addition to the previously mentioned release(8) process (also documented here: http://www.openbsd.org/faq/faq5.html#Release), there is another thing you could do: run snapshots. They will have all the security and reliability updates (before they are in -stable, in fact), but also feature updates.
2. A lot of you seem to use sudo instead of su - when you want to do something that requires privileges. Why is this? What settings are you using for sudo?
Took me a while to get interested in sudo, which is unfortunate. Way cool program. When I set up an OpenBSD system, one of the first things I do is create a personal user for myself, put myself in the wheel group, configure sudo to let wheel users do anything, log in as that user, and disable root logins. Completely disable. This does a few things...

Is your preferred method for doing so to remove the root user, or set the shell to nologin, or something else? I like the idea, but I'd rather not shoot myself in the foot doing it.
upgrading from 3.5 -> 3.6 -> 3.7 worked perfectly
Pardon the noise, but I just finished my first ever upgrade of an OpenBSD machine. I'd like to thank the OpenBSD team for providing the clearest and easiest upgrade path I've ever experienced. Upgraded to 3.6 and then right to 3.7 without any problems at all, and then reinstalled all the packages and everything just worked without needing an extra keystroke at all. Thanks again for the best computing environment around.
Re: clamav package upgrade
FBN wrote:
Hi, I had installed the "clamav-0.83.tgz" package in my OpenBSD 3.7, but it displays:

LibClamAV Warning:
LibClamAV Warning: *** This version of ClamAV engine is outdated. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning:

Do I have to uninstall the clamav package and install it again from source? Thanks

The current version of clamav is up to 0.86. Read the docs at clamav.net and you'll see that this warning is generated to let you know that you are running an older version, which may not catch all the variants the newest version does due to differences in the scanning engine. Depends on how up to date you want to be.
3.7.tar.gz patch file missing
The 3.7 patch tar file referenced on the errata page (http://openbsd.org/errata.html) doesn't exist on the ftp server.

drwxr-xr-x   7 1114 1114      512 Jan 07 12:30 2.2
-r--r--r--   1 1114 1114  2866468 Jun 03 04:08 2.2.tar.gz
drwxr-xr-x  13 1114 1114      512 Jan 07 12:28 2.3
-r--r--r--   1 1114 1114 10217228 Jun 03 04:08 2.3.tar.gz
drwxr-xr-x  13 1114 1114      512 Jan 07 12:28 2.4
-r--r--r--   1 1114 1114  1300636 Jun 03 04:08 2.4.tar.gz
drwxr-xr-x  14 1114 1114      512 Jan 07 12:28 2.5
-r--r--r--   1 1114 1114     9736 Jun 03 04:08 2.5.tar.gz
drwxr-xr-x  10 1114 1114      512 Jan 07 12:19 2.6
-r--r--r--   1 1114 1114   537507 Jun 03 04:08 2.6.tar.gz
drwxr-xr-x  11 1114 1114      512 Jan 07 12:19 2.7
-r--r--r--   1 1114 1114    47836 Jun 03 04:08 2.7.tar.gz
drwxr-xr-x  16 1114 1114      512 Jan 07 12:19 2.8
-r--r--r--   1 1114 1114  3121346 Jun 03 04:08 2.8.tar.gz
drwxr-xr-x  16 1114 1114      512 Jan 07 12:19 2.9
-r--r--r--   1 1114 1114   315811 Jun 03 04:08 2.9.tar.gz
drwxr-xr-x  15 1114 1114      512 Jan 07 12:19 3.0
-r--r--r--   1 1114 1114   263914 Jun 03 04:08 3.0.tar.gz
drwxr-xr-x  15 1114 1114      512 Jan 07 12:19 3.1
-r--r--r--   1 1114 1114    33259 Jun 03 04:08 3.1.tar.gz
drwxr-xr-x  15 1114 1114      512 Jan 07 12:19 3.2
-r--r--r--   1 1114 1114    29096 Jun 03 04:08 3.2.tar.gz
drwxr-xr-x  15 1114 1114      512 Jan 07 12:19 3.3
-r--r--r--   1 1114 1114    29204 Jun 03 04:08 3.3.tar.gz
drwxr-xr-x  16 1114 1114      512 Jan 07 12:19 3.4
-r--r--r--   1 1114 1114    54398 Jun 03 04:08 3.4.tar.gz
drwxr-xr-x  17 1114 1114      512 Mar 16 18:03 3.5
-r--r--r--   1 1114 1114    44364 Jun 03 04:08 3.5.tar.gz
drwxr-xr-x  18 1114 1114      512 Mar 16 18:03 3.6
-r--r--r--   1 1114 1114    16562 Jun 03 04:08 3.6.tar.gz
drwxr-xr-x  18 1114 1114      512 Jun 07 08:03 3.7

Temporary problem?
Re: openbsd list fckery
Look at the motherfucking installer for one tiny example. One keyfumble or one return too many and you are FUCKED, have to start over. Haven't you fucking ASSHOLES heard of "go back"? How far up your own ass do you have to be to code such a DEEPLY SHITTY INSTALLER that it won't even allow the user to go back and change that important N to a Y? You don't even have to keep state just store important choices as variables and allow us to change variables at each prompt. About a week ago, I was trying to upgrade my dual boot laptop to 3.7. I had to run the installer about 20 times to figure out my problem and correct it. In the process, I learned more about fdisk and disklabel than I had ever needed to before, and I count that as a good thing. It took no more than about 5 minutes each time to run the installer from scratch to completion in each case. Typing Ctrl-C and then "install" when you make a mistake isn't that difficult. -- Scott Plumlee PGP Public key: http://plumlee.org/pgp/