Re: chroot browser

2009-03-26 Thread Tobias Weisserth
I guess you should take a look at Systrace:
http://en.wikipedia.org/wiki/Systrace

On Thu, Mar 26, 2009 at 11:28 AM, punoseva...@gmail.com wrote:

 Hi misc,

 I was wondering if you could give me some input about the following
 security
 matter. It seems to me that using a web-browser, an email client, and
 a chat client (if permitted at all) are the
 un-safest forms of interaction of a typical desktop user with his/her
 computer. Apart from standard protective techniques such as using a web-proxy,
 is there any benefit in running a web-browser in a chroot environment
 per user? It looks to me no, especially in light of the fact that
 the application must have access to the X server. Could anybody elaborate
 on what would be a typical desktop application, if any, which would be a
 good candidate for chroot?

 Thanks,
 Predrag



Re: Missing security announcements

2008-11-13 Thread Tobias Weisserth
Ted,

everybody knows that's not going to happen. Why not scrap the security
announcement list if it's not being used or just whenever someone feels like
it? The mere existence of this list implies to users that new errata are
being announced to that list which is not the case. Get rid of the list and
the problem is solved.

The website is updated with new errata. Everybody should be able to follow
the CVS. The list is flawed and obsolete.

Just my 2 cents, as I remember having asked the same question YEARS AGO and
nothing has changed since then.

cheers,

Tobias

On Thu, Nov 13, 2008 at 2:55 PM, Ted Unangst [EMAIL PROTECTED] wrote:

 So get on the developer's case when they don't send out notifications.
  All this chatter now isn't going to change anything when the next
 errata comes out.  You want security announcement? Do something to
 make it happen!



Re: Missing security announcements

2008-11-13 Thread Tobias Weisserth
Janne,

On Thu, Nov 13, 2008 at 4:14 PM, Janne Johansson [EMAIL PROTECTED] wrote:

  everybody knows that's not going to happen.
  I remember having asked the same question YEARS AGO and
  nothing has changed since then.

 Reading those two next to each other says everything.


Why ain't you a bit more explicit? Should /I/ have managed that list? Why
didn't you if you care to post messages in this thread? This kind of answer
is so redundant and hypocritical at the same time.



Bernstein puts qmail in public domain

2007-11-30 Thread Tobias Weisserth
Hi everybody,

I just wanted to point out that D.J. Bernstein has put qmail in public
domain. I'm not implying anything but wouldn't it be a perfect opportunity
to get rid of sendmail (GNU GPL) and have qmail as the standard MTA in
OpenBSD? qmail's security record is better and many OpenBSD users prefer it
to sendmail.

http://cr.yp.to/qmail/dist.html

I hereby place the qmail package (in particular, qmail-1.03.tar.gz, with
MD5 checksum 622f65f982e380dbe86e6574f3abcb7c) into the public domain. You
are free to modify the package, distribute modified versions, etc.

regards,

Tobias W.



Re: Kuro5hin: OpenBSD Founder Theo deRaadt Has Conflict of Interest With AMD

2007-08-05 Thread Tobias Weisserth

Hi there,

What a crappy article. Whoever gives a sh*t about what that guy  
wrote, I don't know.


But that's just me.

For example, notice how he starts the article.  The first paragraph  
is supposed to sound like a compliment but in fact it's an insult.


regards,
Tobias W.

On Aug 5, 2007, at 10:50 PM, chefren wrote:


OpenBSD Founder Theo deRaadt Has Conflict of Interest With AMD
  By David Marcus, 2007-08-05 03:41:29
  Section: Technology, Topic:

  I formerly had a great deal of respect, bordering on admiration, for
Theo deRaadt's refusals to compromise his open source principles, even in
the face of stiff opposition. Although he has occasionally gone
over-the-top, recommended some frankly very dubious changes to OpenBSD,
and is regularly arrogant (which is even more annoying because he's so
often right!), he's always remained consistent in his devotion to the
cause of GNU/Free Software.

http://www.kuro5hin.org/story/2007/8/2/15233/84896




carp and alias

2007-06-08 Thread Tobias Weisserth

Hi everybody,

I read the carp(4) manpage, the carp FAQ entry and
http://www.countersiege.com/doc/pfsync-carp/ yet I still have some questions.


Let's say I have an OpenBSD host like this:

#/etc/hostname.xl0
inet 10.0.0.1 255.255.255.0 NONE
inet alias 10.0.0.2  255.255.255.0
inet alias 10.0.0.3  255.255.255.0
inet alias 10.0.0.4  255.255.255.0

This might be the external interface.

Now I want to have one carp interface with the address 10.0.0.250:

#/etc/hostname.carp0
inet 10.0.0.250 255.255.255.0 10.0.0.255 vhid 1 pass foo

Is it possible to let carp0 have the alias definitions like this?

#/etc/hostname.carp0
inet 10.0.0.250 255.255.255.0 10.0.0.255 vhid 1 pass foo
inet alias 10.0.0.2  255.255.255.0
inet alias 10.0.0.3  255.255.255.0
inet alias 10.0.0.4  255.255.255.0

and remove those from /etc/hostname.xl0?

regards,
Tobias W.


*
God is real, unless declared integer.



Re: Webhosting Control Panel

2007-05-31 Thread Tobias Weisserth

Hi Karel,

On May 31, 2007, at 4:27 PM, Karel Galuka wrote:


Could you recommend me some Webhosting control panel for OpenBSD?


How about /bin/ksh?

:-)

I really don't know what you're expecting from a question like this.
At least name an example that might be familiar to some readers when
you expect alternatives.

regards,
Tobias



*
God is real, unless declared integer.



Re: SSHJail patch for OpenBSD

2007-04-27 Thread Tobias Weisserth

Hi,

On Apr 27, 2007, at 1:38 PM, Jeffrey 'jf' Lim wrote:


On 4/27/07, Chris Lawson [EMAIL PROTECTED] wrote:
Read the web page, it explains the reasoning right at the top.  If you
are instead being disingenuous (yes yes, I know you are) perhaps you
could explain to us why you think this isn't a good idea.


How about a solution involving systrace to lock a user's login shell  
within certain parameters? Such a scenario has been done, I've read  
about it on undeadly.


regards,
Tobias



Re: bcw(4) is gone

2007-04-09 Thread Tobias Weisserth

Hi there,

On Apr 9, 2007, at 7:29 PM, Jeroen Massar wrote:
...

GPL is good though if you want to force people to give back the code to
you so that you can use it in your own dual-licensed projects.

For people wanting true freedom of their code use: BSD or ISC it ;)


The problem is the word "free". BSD people tend to interpret "free"
as "I can do whatever I want with that code! Hell, I can even make it
unfree again by turning it into a proprietary product!". In my
opinion, /code/ that is labeled free should always remain free,  
no matter what the possible actions are. This ain't the case with BSD  
code. /You/ may do as you like with the code, but this doesn't make  
the code free, it just liberates your actions. BSD code is not  
free code as such. It just implies free actions. It's just a  
matter of perspective.


Tip for coders: Start a lousy little project that many people will like,
then release it as GPL, then if lucky people will use it and give you
patches, now you can sell it back to them ;) Okay, that stops at the
moment you have other people's code in there which you can't
dual-license though, and that is the fun of GPL: you cripple yourself.


You don't have to accept GPL contributions to your own codebase if  
you want to dual license. Their code contributions, your choice. As  
easy as that. It's all about respect. Respect their copyright or drop  
it. Easy, simple, fair. In fact, GPL projects offer more incentives
of contributing than BSD projects. Someone wanting to contribute to a
BSD project has to give up all control of their contribution. Not  
everybody is willing to follow down that road. The GPL at least makes  
sure that nobody can legally exploit a contribution without making it  
available to the users so that they can profit too. This is a much  
more valuable incentive to participate.


If you /really/ want to include GPL contributions in your codebase in  
dual licensing schemes, you'll have to ask for permission of the  
copyright owner of that contribution. This is the most natural thing  
in the world.


This whole bcw(4) discussion turned out to be a "Those GNU/Linux/GPL
fanatics don't allow us to be even more free than they claim to be!"
cryout. The funny thing is that it comes down to an OpenBSD
contributor who didn't respect the copyright of some other party by  
redistributing GPL code without the GPL license through a public CVS  
repository. It's amazing how a community that should actually take a  
defensive position in a matter like this switches into attack mode  
and makes the violated party the culprit. The majority of the posts  
in this discussion, be it on undeadly, some other mailing list or  
here on [misc], reflect the mental pattern of six-year olds who  
cannot argue reasonably. I really have to admit that if these people  
represent the majority of the OpenBSD community, I am disgusted and  
most of all disappointed. But of course, it just may be so that  
decent people choose not to take part in these threads at all.


regards,
Tobias



Re: bcw(4) is gone

2007-04-09 Thread Tobias Weisserth

Hi there,

On Apr 9, 2007, at 8:40 PM, Jessie D wrote:


 ericfurman at fastmail.net writes:


To ease his work, and to let others in our group to step in in his
efforts, he committed it to our work area which we call cvs.


A CVS is not by any stretch of the imagination a public repository
of code for anyone to use.


Exactly.


Exactly? How so?! If I take a look into the OpenBSD FAQ, using the  
public CVS repositories is a common and documented method of updating  
an OpenBSD system by end users.


So no code was released hence no license violation. It doesn't  
take a genius.


The amount of hypocrisy and denial among people on this list is
simply amazing. Many seem to have a twisted and shifted cognition  
when it comes to waving with the red GPL/Linux flag.


Simply unbelievable.

Tobias W.



Re: bcw(4) is gone

2007-04-09 Thread Tobias Weisserth

Hi there,

On Apr 9, 2007, at 8:43 PM, Robby Workman wrote:


It's not a matter of perspective - forced freedom is not freedom.


That statement also is a matter of perspective. ;-) If you mean by  
freedom, the liberty to do whatever you want, then BSD is freedom.  
If you mean by freedom, the security that users have the same  
rights with the code tomorrow they already have today, even if  
numerous people contribute to the code, the GPL is freedom. GPL is a  
license that ensures code stays free in the sense of open for users.  
It doesn't mean you can do with it whatever you want. It's not you  
that's free, it's the code. That's what I meant with matter of
perspective. You don't have to agree with this at all, but at least  
you have to understand and respect the idea and that other people  
contribute to this model. It's nothing that should be rejected like I  
have the impression it is done by many stubborn people on this list.



To ignore the possibility that it was an honest mistake is part of the
problem.  I won't claim to know what Marcus Glocker was thinking, but
it seems quite plausible that he had every intention of removing the
infringing code prior to making the bcw(4) work public, but in the
excitement of some initial positive results, he simply forgot.  Either
way, he admitted that a mistake had been made.
The reason (as I see it - again, I won't speak for anyone else) that
the OpenBSD community came down so hard on the bcm43xx dev is due to
the way he pursued the issue.  There was absolutely no good reason to
initially address the issue on a public mailing list and CC'd to a
bunch of other people.  If the initial mail had been sent privately to
Marcus, then he could/would have removed the infringing code (or
perhaps the entire driver temporarily).  He could have then issued a
public statement on *why* he did it (which would have satisfied the
need to have it out in public that some of the code wasn't actually
BSD licensed).  Had it happened that way, everybody wins, and we
don't have all of this fuss over it.


Yes, that's exactly what I have been talking about on undeadly when  
that stupid death of a driver article was published to promote the  
myth. The reason why I'm bothering to participate in this discussion  
at all, is that many people claiming to take the OpenBSD side in  
this argument are actually no better than the bcm43xx devs when they  
had the idea to go public. This whole issue has been escalated  
primarily by OpenBSD folks, not the other way around. I'd say it's  
time to simply drop it.


kind regards,
Tobias W.



Re: bcw(4) is gone

2007-04-09 Thread Tobias Weisserth

Hi there,

On Apr 9, 2007, at 8:49 PM, Adam wrote:


Tobias Weisserth [EMAIL PROTECTED] wrote:


The problem is the word "free". BSD people tend to interpret "free"
as "I can do whatever I want with that code! Hell, I can even make it
unfree again by turning it into a proprietary product!".


Don't believe RMS's FUD.  You can't turn code unfree, the BSD licensed
code is still there.  Just because some evil corporation uses my BSD
licensed code in a closed source product, doesn't make my code unfree.
It's still there, still just as free as it always was, for anyone and
everyone to use.  That is free.  The code they added to it is not free,
but the BSD licensed code is.  The GPL is not about releasing free code,
it's about trying to force other people into releasing their code under
the GPL.


Everything you said is true, fair and square. But does it really  
change anything? A copyright owner can decide whatever he wants when  
it comes to /his/ code. If he decides that other people may only use  
it if they offer it under the same restrictions it has been  
originally offered, then this is also fair and square. It's his code,  
his copyright. Take it as it is or leave it. As simple as that.


Regarding freedom: Take the Linksys routing devices. They ship with  
GPL software. Taking what you said as an example, it would be OK if  
Linksys made proprietary changes to the free software and deliver a  
closed software on the device. If for example the proprietary changes  
make the free software work on the device in the first place, the  
software is in effect not free anymore, as the free version of the  
software is useless in effect. If there is no other option than to  
buy these Linksys devices or similar devices in the future and the  
originally free software cannot be used on any other device anymore,  
then the proprietary changes to a free software have made this software
unfree for users. What's the freedom of BSD software worth when it  
can't be used in its free form anymore? That can't happen with GPL'ed  
software.


Think one step further. Take computers. Take computers that  
incorporate hardware that checks whether you run a signed binary from a
particular vendor only. What use is BSD free code then? None at  
all. You'll have to start reverse-engineering. That's not a myth,  
that's not propaganda, that's simply a fact and that's a danger the  
Free Software Foundation wants to ward off by offering the GPL.  
You'll say: hey, what does it matter? I have plenty of choices in  
computer devices. What happens, when that is going to change? The GPL  
FORCES people to respect users' rights to run free software on any
devices that have been delivered with software based on free software  
and that ain't a bad idea at all. In fact it's pretty clever.


There are many cases where a GPL license is the only sensible choice  
in my opinion. Of course, I don't reject the BSD license either. It  
all depends on what you want to bring about and secure. There is no  
one-and-only-free license.



opinion, /code/ that is labeled free should always remain free


And code that has seriously restrictive licenses like the GPL should not
be labeled free in the first place.


I simply can't follow this absolute rejection of the positive effect  
the GPL ensures. It's not that the BSD license and GPL license fight  
a battle for world domination. Not that it would be fair, given the  
viral character of the GPL... :-P


regards,
Tobias W.



Re: bcw(4) is gone

2007-04-09 Thread Tobias Weisserth

Hi there,

On Apr 10, 2007, at 3:20 AM, Marco Peereboom wrote:


It is because you do not understand the definition of free.


Who the hell do you think you are that you can impose a definition of  
free on me? Freedom is also a matter of perception and perspective. I  
have given you a practical example which you simply rejected without  
even considering it. Do you really think you can make a rude point by  
copying and pasting from a dictionary? This is ridiculous.


Tobias



Re: Installing Skype

2007-03-23 Thread Tobias Weisserth

Hi there,

On Mar 23, 2007, at 6:47 AM, Rafael Morales wrote:


I have OpenBSD 4.0 on a HP laptop and I need to
install Skype because it is for the communication in my
job and I have the freedom to install my lovely
OpenBSD.
This what I have done:

1. I installed the redhat_base-8.0p8.tgz for the
emulation.
2. Download the skype-0_90_0_1.rpm and installed it
with the /emul/linux/bin/rpm, all seemed good.
3. If I try to run it, I just see an error message
looking for the lib file libXss.so.1.

If someone has installed the skype could help me
please ???.


Skype is a buggy piece of sh*t. If you have to use it, then wrap it  
in a solid systrace policy if that's possible at all. I don't know  
about systrace and Linux emulation on OpenBSD.


I wouldn't use the rpm, I'd instead download the statically linked  
file that's available on the Skype site:


http://www.skype.org/go/getskype-linux-static

That should solve all library issues.

kind regards,
Tobias W.



Re: Installing Skype

2007-03-23 Thread Tobias Weisserth

Hi,

On Mar 23, 2007, at 6:24 PM, Rafael Morales wrote:


I need the shared library libasound.so.2, anybody
could send to me ???, I don't have a linux box here.


I need my box rooted, can anybody please send me a trojaned binary  
library I have to trust blindly?


If you really need binary libraries at least try to get them from a  
trustworthy source. Use any of the RPM search engines and search for  
an RPM package that contains that library. Use a RPM package from any  
of the official mirrors of major distributions. Download the RPM,  
verify its signature with GnuPG and extract its contents. The GnuPG  
key to verify against should be on the installation CDs of the  
distribution. Maybe packages even have MD5 sums, I don't know...


Good luck!

Tobias W.
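
An added example, not part of the original post: one way to script the "verify its signature, then extract" step, refusing packages whose checksums match but which carry no verified signature. It assumes `rpm`, `rpm2cpio` and `cpio` are on the PATH and that the key file was obtained out of band; the function names and the sample status lines in the comments are constructed.

```shell
#!/bin/sh
# `rpm -K` can report success for a package that is merely intact
# (digests only), so its status line is inspected instead of trusting
# the exit code alone.

# rpm_sig_status LINE -> prints signed-ok | digest-only | failed
# Constructed examples of LINE, modelled on rpm's checksig output:
#   example-lib-1.0-1.i386.rpm: digests signatures OK      (signed, key known)
#   example-lib-1.0-1.i386.rpm: sha1 md5 OK                (unsigned)
#   example-lib-1.0-1.i386.rpm: digests SIGNATURES NOT OK  (bad or unknown key)
rpm_sig_status() {
    line=$1
    case $line in
        *"NOT OK"*) echo failed; return 0 ;;  # bad digest, bad signature or missing key
        *" OK") ;;                            # looks good so far, inspect below
        *) echo failed; return 0 ;;           # unrecognised output: fail closed
    esac
    status=${line##*: }                       # drop the "filename: " prefix
    case " $status " in
        *" signatures "*|*" gpg "*|*" pgp "*|*" rsa "*|*" dsa "*)
            echo signed-ok ;;
        *)  echo digest-only ;;               # checksums match, nothing was signed
    esac
}

# verify_and_extract RPM KEYFILE DESTDIR
# KEYFILE is the distribution's public key (for example from its install CD).
verify_and_extract() {
    rpmfile=$1; keyfile=$2; dest=$3
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    [ -r "$rpmfile" ] && [ -r "$keyfile" ] || { echo "missing input" >&2; return 2; }
    db=$(mktemp -d) || return 2
    # Private, empty rpm database: only KEYFILE is trusted for this check.
    rpm --dbpath "$db" --initdb &&
        rpm --dbpath "$db" --import "$keyfile" || { rm -rf "$db"; return 2; }
    out=$(LC_ALL=C rpm --dbpath "$db" -K "$rpmfile" 2>/dev/null | tail -n 1)
    rm -rf "$db"
    state=$(rpm_sig_status "$out")
    if [ "$state" != signed-ok ]; then
        echo "refusing to extract ($state): $out" >&2
        return 1
    fi
    mkdir -p "$dest" || return 2
    # Unpack into DESTDIR without installing anything.
    rpm2cpio "$rpmfile" | (cd "$dest" && cpio -idm)
}
```

Typical use is `verify_and_extract package.rpm RPM-GPG-KEY ./unpacked`, after which the needed library is copied out of `./unpacked` by hand.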



Re: OpenBSD SECURITY FIX: Incorrect mbuf handling for ICMP6 packets, 2nd revision

2007-03-18 Thread Tobias Weisserth
Hi,

On Sunday, 18. March 2007 12:28, Henning Brauer wrote:
 * Tobias Weisserth [EMAIL PROTECTED] [2007-03-18 01:17]:
  Can I apply it if I already applied the first revision to 4.0 release +
  errata up to 010 first revision?

 you need to remove the first revision of the 010 patch first (patch -R).

Thanks, I just did as described on undeadly and copied back the original file.

 or just get the code from the cvs stable branch, I never understand why
 people bother with release code and hand patching in the first place :)

Easy. I don't have to download large quantities of source with CVS, I only 
have to compile those parts of the source that are affected by a patch.

  Or do I have to edit the latest patch to only add the if test?
  I also noticed the index is different in the two revisions of the patch.
  The first revision is using sys/kern/uipc_mbuf2.c as index, the second
  revision only uses uipc_mbuf2.c.

 this was an error on my side that has been fixed in the patches files
 since then. sorry for that.

No problem. Errors happen. Keep up the good work. I can't wait to get my hands 
on the 4.1 CDs I already ordered.

kind regards,
Tobias W.



Re: OpenBSD SECURITY FIX: Incorrect mbuf handling for ICMP6 packets, 2nd revision

2007-03-18 Thread Tobias Weisserth
Hi,

On Sunday, 18. March 2007 14:00, Henning Brauer wrote:
...
 Easy. I don't have to download large quantities of source with CVS, I
  only have to compile those parts of the source that are affected by a
  patch.

 err? assuming you have release code installed (which you need for
 patching too),
   cd /usr/src/sys; cvs -d [EMAIL PROTECTED]:/cvs up -rOPENBSD_4_0
 will not download large quantities of source

I guess you're right, but compared to the amount of bits an errata takes, 
anything else certainly is large by comparison ;-)

Also, I actually like the idea of the errata because I can grasp changes 
quickly without having to check CVS entries. I just open the patch file, take 
a quick look at the changes and most of the time I actually can grasp the 
differences. This doesn't take more than a couple of minutes normally. And 
since errata are more or less the exception I don't have to patch so often.

regards,
Tobias W.



Re: Seeking opinion about OpenBSD

2007-03-18 Thread Tobias Weisserth
Hi,

On Sunday, 18. March 2007 19:00, Thomas Leveille wrote:
 Am I the only one to find this stupid ? Why should you need a browser
 in a server ?

I sometimes depend on lynx to download stuff from sourceforge where no direct 
download link is supplied.

regards,
Tobias W.



OpenBSD SECURITY FIX: Incorrect mbuf handling for ICMP6 packets, 2nd revision

2007-03-17 Thread Tobias Weisserth
Hi everybody,

I just noticed Henning's addition to the latest patch.

Can I apply it if I already applied the first revision to 4.0 release + errata 
up to 010 first revision?

Or do I have to edit the latest patch to only add the if test?

I also noticed the index is different in the two revisions of the patch. The 
first revision is using sys/kern/uipc_mbuf2.c as index, the second revision 
only uses uipc_mbuf2.c. Will it apply without errors when called 
with cd /usr/src && patch -p0 < 010_m_dup1.patch?

thanks,
Tobias W.



Re: Contradictory statement on vulnerability

2007-03-16 Thread Tobias Weisserth
Hi,

On Friday, 16. March 2007 12:09, Karel Kulhavy wrote:
 I am not following anything - just installed OpenBSD 4.0 from a CD. What
 should I follow, then?

That's your choice.

If you just want a stable and reliable OpenBSD then install -release (that's 
what you did). If you want to keep it patched without tracking the 
development of OpenBSD, then follow -stable. Just apply the errata you can 
find on the OpenBSD website.

A nice newbie site explaining this with examples is www.openbsd101.com, if you 
don't understand the OpenBSD FAQ.

 In other operating systems the concept of upgrading is straightforward -
 Windows asks you and you press OK, in Gentoo Linux you type a magic sequence
 of magic commands and your system is up to date.  But in OpenBSD it seems
 that the versions are not a sequence, but a tree with a lot of one way
 streets and that's what confuses me.

OMG, you're comparing OpenBSD to Gentoo and you're still complaining?! You 
can't be serious. But let's put it this way: what you do in Gentoo is roughly 
the same you'd do when you follow -current. Or in other words: there's no way 
to just have a stable and reliable system that doesn't move, when you're 
using Gentoo. As a sidenote: I've been using Gentoo for almost two years and 
never have I wasted more time just to keep a computer running than with 
Gentoo...

And I certainly won't get started about the Windows comparison...

The concept of upgrading (an upgrade is something different actually than 
what you are obviously thinking about) is perfectly straightforward in 
OpenBSD - if you care to actually read the documentation that comes along 
with OpenBSD. I don't know any other operating system, that does 
documentation so well.

good luck,

Tobias W.



Re: Contradictory statement on vulnerability

2007-03-16 Thread Tobias Weisserth
Hi,

On Friday, 16. March 2007 21:04, Karel Kulhavy wrote:
...
 Thanks, this is a much better explanation than in FAQ sec. 5. The
 explanation in FAQ doesn't mention the fact that not only the -current, but
 also the -stable is a moving target, though a slowly moving one.

 Now I have 4.0-release and want to have a fixed kernel (4.0-stable). Which
 version of sources should I download then? 4.0-release or 4.0-stable?

You still haven't got it.

This is what the FAQ states:

-release: The version of OpenBSD shipped every six months on CD.
-stable: Release, plus patches considered critical to security and 
reliability.

-stable is not moving. It's just -release plus the errata from 
http://www.openbsd.org/errata40.html as stated in the FAQ.

Get the sources from your CDs or from the FTP servers. Then apply the errata 
and you'll have -stable. It's as easy as that.

If you're unable to grasp the concept you should buy a good book on OpenBSD 
and/or try a little harder to understand what you read in the FAQ. There's a 
book section on the OpenBSD website that names some good books on OpenBSD.

Did you check www.openbsd101.com? Seemingly you didn't, otherwise you wouldn't 
have asked this latest question of yours.

regards,
Tobias W.



Re: Slightly OT: i386 Sound Card Recommendation

2007-03-16 Thread Tobias Weisserth
Hi,

On Friday, 16. March 2007 21:26, JT Croteau wrote:
 This may seem like a simple question but it has been a long time since
 I've done any multimedia work on a *nix platform and never on OpenBSD.
  I need to add a sound card to my OpenBSD desktop box for basic audio
 playback from .mp3's and cd's and to do some basic recording.  What
 would be a good PCI based card to go with?  I am currently leaning
 towards a SoundBlaster 128 or 512.

Check there first:

http://www.openbsd.org/i386.html#hardware

Then figure out what products have a supported chipset. Choose the product 
that you like most.

Change the above URL if you have another architecture.

I chose a Terratec soundcard that way and I am quite happy with the outcome.

regards,
Tobias W.



Re: Contradictory statement on vulnerability

2007-03-16 Thread Tobias Weisserth
Hi,

On Friday, 16. March 2007 23:41, Jeremy Huiskamp wrote:
...
 Um, no.  If you apply the errata to -release you have -release + errata.
 There are things in stable that are not in the errata, albeit not much.
 Tracking -stable requires using cvs which, frankly is much easier than
 patching -release, unless you're worried about the time spent doing a
 cvs
 update and possible extra compilation time.

You're right of course. I was assuming he was looking for the easiest way to 
get a -release version with patches applied. That's what I wanted to explain 
and obviously I got it confused with -stable.

regards,
Tobias W.



Re: OpenBSD as Virtualbox guest

2007-02-27 Thread Tobias Weisserth
Hi there,

On Tuesday, 27. February 2007 20:17, Peter wrote:
 I'm looking for comments from people who have installed OpenBSD 4.0 as a
 Virtualbox guest.  I am currently running Virtualbox 1.3.6 on Gentoo
 Linux 2006.1.  The manual does not mention OBSD as guest even though
 their website states that it is possible.  My main question is how to
 create an OBSD image since it seems that I need an ISO image.

You can buy the OpenBSD CDs here:

http://www.openbsd.org/orders.html

You can also try to do a FTP installation inside your virtual box, it should 
have access to the Internet if you configured your host box correctly. 
There's a tiny ISO on the FTP servers that allows you to boot into the 
installation program.

Another option is to create a full ISO image yourself. Just use Google to 
lookup the details. It's not difficult at all.

regards,
Tobias W.



Re: Virtualisation on OpenBSD?

2007-01-24 Thread Tobias Weisserth

Hi there,

On Jan 24, 2007, at 1:49 PM, John Tate wrote:

Is there any software that supports OpenBSD that can do full  
virtualisation?

I don't think VMware would be supported on OpenBSD.


I don't think there is anything that really fits what you're looking  
for. The NetBSD project has neat Xen integration both for running  
NetBSD as host or guest system.


If you're looking for something like vmware then check out  
www.virtualbox.de. They GPL'ed the software recently and I've got it
running on openSUSE. It runs a lot of guest systems including OpenBSD  
and it's much faster than qemu. There's a Linux kernel module  
included. I guess it does the same as the closed-source qemu module,  
so maybe this is sufficient for you. Hope this helps somehow.


regards,
Tobias



SMP kernel on single CPU machines?

2007-01-07 Thread Tobias Weisserth
Hi everybody,

this may be a really stupid question but I'm going to ask it anyway since I 
didn't find anything using Google or in the archives.

I was looking at

http://www.openbsd.org/faq/faq8.html#SMP

I'm wondering if there are any disadvantages if I run a SMP kernel on a 
machine with only one CPU. Is there any harm running an SMP kernel on a 
machine with only one CPU?

thanks,
Tobias W.



Re: binpatch, was: moving kernels...

2007-01-06 Thread Tobias Weisserth
Hi there,

On Saturday, 6. January 2007 17:24, Ingo Schwarze wrote:
...
 So if you use it, you will probably need to do maintenance work
 yourself, first of all adapting it to OpenBSD 4.0.

Have a look here:

http://erdelynet.com/binpatch/

Mike has a Makefile for 4.0 stable that I'm using too. It's a good thing to 
start with and add whatever you need on top of it.

kind regards,
Tobias W.



Re: help! 855 chipset resolution

2006-12-13 Thread Tobias Weisserth

Hi there,

On Dec 13, 2006, at 3:09 PM, Vim Visual wrote:


yes... that's probably the solution...

gosh... this means that I have to re-install both things... anyway...


Nonsense! :-) You can make room on your harddrive by resizing some of  
your partitions so that OpenBSD fits on it too. All you need is  
Knoppix or some other Live CD of your choice with some decent  
partitioning tools on it.


regards,
Tobias



Re: ahem... skype on o'bsd

2006-12-11 Thread Tobias Weisserth

Hi,

On Dec 11, 2006, at 6:15 PM, Vim Visual wrote:


the proof ;)

http://www.aei.mpg.de/~pau/skype.png

I don't have any contacts under that nickname; therefore the list  
is empty...


I would be careful with Skype. My father's Mandriva Linux PC was  
trojaned using an outdated version of Skype as entry point.


Maybe you should post a systrace policy along with how to use Skype  
in OpenBSD ;-)


regards,
Tobias W.



Re: livecd error

2006-12-02 Thread Tobias Weisserth
Hi,

I hope this is not considered thread-hijacking but it sort of fits into this
thread, so here it goes:

I'm trying to follow these instructions to build a live CD based on 4.0 
stable:

http://www.onlamp.com/pub/a/bsd/2005/07/14/openbsd_live.html

I'm in trouble when building the RAMDISK kernel with the modified 
Makefile.inc:

cd /usr/src/distrib/i386/ramdisk_cd && make

make stops with an error because it tries to copy too much into a mounted 
device with too little space:

###make output###
...
rm -f bsd
ld -Ttext 0xD0200120 -e start -N -S -x -o bsd ${SYSTEM_OBJ} vers.o
text    data    bss     dec     hex
4730816 2163584 867984  7762384 7671d0
cp /usr/src/distrib/i386/ramdisk_cd/../../../sys/arch/i386/compile/RAMDISK_CD/bsd bsd
cc -DDEBUG -o rdsetroot /usr/src/distrib/i386/ramdisk_cd/../../common/elfrdsetroot.c
cp bsd bsd.rd
/usr/src/distrib/i386/ramdisk_cd/rdsetroot bsd.rd < mr.fs
segment 0 rd_root_size_off = 0x490740
rd_root_image_off = 0x490760
rd_root_size  val: 0x001DB000 (3800 blocks)
copying root image...
...copied 1945600 bytes
cp bsd.rd bsd.strip
strip -s -R .comment -K cngetc bsd.strip
gzip -c9 bsd.strip > bsd.gz
dd if=/dev/zero of=/var/tmp/image.27740 bs=10k count=288
288+0 records in
288+0 records out
2949120 bytes transferred in 0.271 secs (10881719 bytes/sec)
vnconfig -v -c svnd0 /var/tmp/image.27740
svnd0: 2949120 bytes on /var/tmp/image.27740
disklabel -w -r svnd0 floppy288
newfs -m 0 -o space -i 524288 -c 80 /dev/rsvnd0a
/dev/rsvnd0a:   5760 sectors in 80 cylinders of 2 tracks, 36 sectors
2.8MB in 1 cyl groups (80 c/g, 2.81MB/g, 32 i/g)
super-block backups (for fsck -b #) at:
 32,
mount /dev/svnd0a /mnt
cp /usr/mdec/boot /usr/src/distrib/i386/ramdisk_cd/boot
strip -s -R .comment -K cngetc /usr/src/distrib/i386/ramdisk_cd/boot
dd if=/usr/src/distrib/i386/ramdisk_cd/boot of=/mnt/boot bs=512
77+1 records in
77+1 records out
39572 bytes transferred in 0.016 secs (2371001 bytes/sec)
dd if=bsd.gz of=/mnt/bsd bs=512

/mnt: write failed, file system is full
dd: /mnt/bsd: No space left on device
5601+0 records in
5600+0 records out
2867200 bytes transferred in 1.233 secs (2324260 bytes/sec)
*** Error code 1

Stop in /usr/src/distrib/i386/ramdisk_cd (line 30 
of /usr/src/distrib/i386/ramdisk_cd/../common/Makefile.inc).

#

I haven't really understood what the 2.8MB device is for regarding the whole 
process. Can anybody explain and propose a solution? Can't I just copy the 
stuff to another device, that's bigger? If this is just for creating a floppy 
image that's bootable and is insignificant regarding my live CD, can I just 
delete these instructions from Makefile.inc?

The instructions by Kevin Lo say:
In the /usr/src/distrib/i386/ramdisk_cd directory, copy the two files bsd and 
cdrom36.fs to the /livecd directory.

The cdrom36.fs in my case would be cdrom40.fs and has a filesize bigger than 
2.8MB anyway? I'm not able to spot any reference to any cdrom{version}.fs 
file being created in the Makefile.inc. What's my problem?

Since I haven't been able to apply the patch 
to /usr/src/distrib/i386/common/Makefile.inc with patch I deleted the lines 
with a - in front of it in the patch file and added the lines with the + 
at the appropriate lines. Just to avoid simple mistakes, I'll include the 
whole Makefile.inc here. Sorry, if this is not appropriate.

Makefile.inc##

#   $OpenBSD: Makefile.inc,v 1.15 2004/11/25 22:02:08 deraadt Exp $

TOP=${.CURDIR}/..

.include ${TOP}/Makefile.inc
IMAGE=  mr.fs
CBIN?=  instbin
CRUNCHCONF?=${CBIN}.conf
LISTS?= ${.CURDIR}/../common/list
UTILS?= ${.CURDIR}/../../miniroot

MOUNT_POINT=/mnt
MTREE=  ${UTILS}/mtree.conf

XNAME?= floppy
FS?=${XNAME}${REV}.fs
VND?=   svnd0
VND_DEV=/dev/${VND}a
VND_RDEV=   /dev/r${VND}a
VND_CRDEV=  /dev/r${VND}c
PID!=   echo 
REALIMAGE!= echo /var/tmp/image.${PID}
BOOT=   ${DESTDIR}/usr/mdec/boot
FLOPPYSIZE?=144
FLOPPYTYPE?=floppy3

all:${FS}

${FS}:  bsd.gz
dd if=/dev/zero of=${REALIMAGE} bs=10k count=${FLOPPYSIZE}
vnconfig -v -c ${VND} ${REALIMAGE}
disklabel -w -r ${VND} ${FLOPPYTYPE}
newfs -m 0 -o space -i 524288 -c 80 ${VND_RDEV}
mount ${VND_DEV} ${MOUNT_POINT}
cp ${BOOT} ${.OBJDIR}/boot
strip -s -R .comment -K cngetc ${.OBJDIR}/boot
dd if=${.OBJDIR}/boot of=${MOUNT_POINT}/boot bs=512
dd if=bsd.gz of=${MOUNT_POINT}/bsd bs=512
/usr/mdec/installboot -v ${MOUNT_POINT}/boot \
${DESTDIR}/usr/mdec/biosboot ${VND_CRDEV}
@echo 
@df -i ${MOUNT_POINT}
@echo 
umount ${MOUNT_POINT}
vnconfig -u ${VND}
cp ${REALIMAGE} ${FS}
rm ${REALIMAGE}

DISKTYPE?=   rdroot
NBLKS?=  3800
# minfree, opt, b/i  trks, sects, cpg
NEWFSARGS= -m 0 -o space -c 16 -i 4096

bsd.gz: bsd.rd
cp bsd.rd 

Re: java on openbsd

2006-11-14 Thread Tobias Weisserth

Hi Marc,

On Nov 14, 2006, at 5:27 PM, [EMAIL PROTECTED] wrote:
...

I didn't try any linux 1.5/1.6 jdk, but perhaps you missed something
for your linux emulation? read man compat_linux, perhaps it helps.

the other options you have is having someone mail you the source on
cd, or use kaffe (don't know how useful it is for your purposes).

--knitti


Thanks for your response. Kaffe won't work for me as it is missing  
a few features that I need (most notable swing support is not up  
to snuff yet).


This is probably not what the poster meant. You really need to read  
the FAQ:


http://www.openbsd.org/faq/faq8.html#Programming

What you are looking for is Building the Sun JDK.

The JDK requires a working Java 2 compiler as a bootstrap to build.  
For this purpose, since OpenBSD 4.0, the port of JDK 1.5 uses kaffe,  
which allows JDK 1.5 to be used on both i386 and amd64 platforms, and  
reduces the build time considerably.


You only need kaffe to build SUN's JDK.

It's all in the FAQ (and probably in the archives).

@others: stop picking on SUN and Java. It's actually a nice language  
and going to be GPL software very soon, so I guess there will be an  
option for binary packages and other nice stuff soon.


regards,
Tobias



Re: java on openbsd

2006-11-14 Thread Tobias Weisserth
Hi list, hi Jacob,

On Tuesday, 14. November 2006 19:35, Jacob Yocom-Piatt wrote:

 Java is a shitshow, it isn't a nice language.  Stop defending Sun and
  their ridiculous licenses.  The day Sun shows up as a real player in the
  open source world this could be justified.  For now they are just another
  closed vendor.

There's no other just another closed source vendor on this planet that has 
freed so much closed source like SUN. Solaris is going to be Open Source in 
the end, as will Java. This is official so stop fudding around.

If you think the CDDL or the GPL are ridiculous licenses this is simply your 
problem. It works out fine for a majority of people, including me. Hey, if 
you can't comply with the GPL for personal reasons you wouldn't even be able 
to enjoy OpenBSD as it's still being built with a GNU toolchain.

And regarding the language: Java runs on millions if not billions of devices. 
There's a reason for this and it's not just marketing. Anybody denying this 
is just plain ignorant - or stupid.

Besides that, the language is easy to learn (and teach) and unlike most other 
languages, there's tons of high quality development tools that are 
user-friendly for non-UNIX-geeks and programming rookies.

 You don't get a cookie for trying or pretending.

Well, ignorance - or stupidity for that matter - won't earn you points 
either ;-)

 don't you know you're not licensed to circulate compiled opinions about Sun
 source code? you're supposed to let everyone else click through the stupid
 menus, download source packages that are about as big as the openbsd
 install sets, adjust their ulimits, spend a lot of time compiling something
 that should be available as a package and THEN they can form a properly
 licensed opinion.

Well Jake, that's luckily going to change soon, now that Java and its various 
components are going to be GPL software. You'll be able to redistribute in 
any form you like, given that you comply with the GPL terms and don't violate 
the Java trademark that SUN will still control.

kind regards,
Tobias W.



weird /etc/fstab problem

2006-10-29 Thread Tobias Weisserth

Hi everybody,

I have set up an old Pentium with OpenBSD 3.9 to do some basic  
filtering and NAT at my parents' place after a Smoothwall installation  
I did some two years ago got rooted recently.


Everything works just fine, except I have a problem with mounting  
partitions from /etc/fstab that I don't understand.


This is what my /etc/fstab looks like at the moment:

/dev/wd0a / ffs ro 1 1
/dev/wd0g /home ffs rw,nodev,noexec,nosuid 1 2
/dev/wd0f /tmp ffs rw,nodev,noexec,nosuid 1 2
/dev/wd0d /usr ffs rw,nodev 1 2
/dev/wd0e /var ffs rw,nodev,noexec,nosuid 1 2

After I boot the machine, mount -v outputs this:

/dev/wd0a on / type ffs (rw, local, ctime=Sun Oct 29 11:04:57 2006)
/dev/wd0g on /home type ffs (rw, local, nodev, noexec, nosuid,  
ctime=Sun Oct 29 11:04:57 2006)
/dev/wd0f on /tmp type ffs (rw, local, nodev, noexec, nosuid,  
ctime=Sun Oct 29 11:04:57 2006)
/dev/wd0d on /usr type ffs (rw, local, nodev, ctime=Sun Oct 29  
11:04:57 2006)
/dev/wd0e on /var type ffs (rw, local, nodev, noexec, nosuid,  
ctime=Sun Oct 29 11:04:57 2006)


Why is / not mounted read-only? Is it because the system needs it to  
be writable during system startup? Do I have to remount it ro after  
booting?


Thanks for your help,
Tobias W.



Re: weird /etc/fstab problem

2006-10-29 Thread Tobias Weisserth

Hi,

On Oct 29, 2006, at 12:27 PM, Stuart Henderson wrote:


vi +/uw /etc/rc


This is exactly what I was looking for. Thanks for the hint. I'll  
give it a try.


regards,
Tobias W.



Re: auditing when permissions are changed

2006-10-26 Thread Tobias Weisserth
Hi,

On Thursday, 26. October 2006 23:07, ropers wrote:
 Hi,

 This is a sorta n00bish question, but I've just discovered that unlike
 what I've always assumed to be the case, changing a file's permissions
 doesn't touch its last modified time/date stamp.

 Is there any way to find out when a file's permissions were last modified?

I'm using AIDE, it's in ports and there is a package. The newest version is 
0.11, which I think is not yet in ports.

kind regards,
Tobias W.
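
What an integrity checker compares in this situation, shown as an added example that is not part of the original reply and is not AIDE's own code: on POSIX systems a chmod leaves the modification time alone but updates the inode change time (ctime), so a baseline of file attributes reveals both that the mode changed and roughly when. The helper names and the temporary sample file are constructed for the illustration.

```python
import os
import stat
import tempfile
import time

# Attributes recorded in the baseline, in the order they are reported.
FIELDS = ("mode", "uid", "gid", "size", "mtime_ns", "ctime_ns")


def snapshot(path):
    """Record the attributes of `path` that a baseline would store."""
    st = os.lstat(path)
    return {
        "mode": stat.S_IMODE(st.st_mode),   # permission bits only
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,         # last content modification
        "ctime_ns": st.st_ctime_ns,         # last inode change (POSIX meaning)
    }


def changed_fields(old, new):
    """Return the names of the attributes that differ between two snapshots."""
    return [f for f in FIELDS if old[f] != new[f]]


def demo(delay=1.1):
    """Change only the permissions of a constructed sample file.

    The delay keeps the two ctime values apart even on file systems
    with one-second timestamp granularity.
    """
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"constructed sample file\n")
        os.close(fd)
        os.chmod(path, 0o644)
        baseline = snapshot(path)
        time.sleep(delay)
        os.chmod(path, 0o600)               # permissions change, content does not
        current = snapshot(path)
        return baseline, current, changed_fields(baseline, current)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after, diff = demo()
    print("changed:", diff)
    print("mode: %o -> %o" % (before["mode"], after["mode"]))
    print("inode changed at:", time.ctime(after["ctime_ns"] / 1e9))
```

The ctime only records the most recent inode change of any kind, so a stored baseline is still needed to tell a permission change from an ownership change or a rename.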



Re: new tool: openportd

2006-10-22 Thread Tobias Weisserth

Hi,

On Oct 22, 2006, at 4:41 PM, Steffen Wendzel wrote:


this isn't correct. Every service had some security problems in the
past. Imagine that your service X is vulnerable (only since a few h
by a zero day exploit or so) and someone tries to exploit it at 2:00 in
the morning.

but if you run some port knocking service (and your attacker does not
know the port combination/secret key or even does not know about a
running port knocking system, he can not attack your service.


This is security by obscurity.


if you only need the service for administration, you could do such a
hiding of the service. you only would need to open the port by the
portknocking service a few min while you use it to do some
administration.


The thing about running a port knocking service to protect or  
hide other services just adds another point of failure. Can you  
promise that this port knocking service which is running with root  
privileges, is not vulnerable to some overflow problem that could  
allow attackers to just send a knocking sequence that opens up the  
whole box?! No thanks. I'll stick with what I've got.


If you're so worried about 0-day exploits for OpenBSD services then  
just jail these services you're running with systrace. With Linux you  
can use SELinux or AppArmor.


The idea of port knocking is nice at first view but given the extra  
complexity it adds and the extra risk it's just not worth it, sorry.


just my thoughts about this,

Tobias W.



Re: How do I convert a man page to PS or PDF?

2006-10-20 Thread Tobias Weisserth

Hi,

On Oct 20, 2006, at 10:53 PM, Steve B wrote:

I'm leaving on vacation and wanted to have something to read on the
plane and at the beach. How can I convert a couple of man pages into
either PS or PDF so that I can print them?


If you're talking about manpages from any OpenBSD release you can use  
the OpenBSD website to open them in a browser and print from the  
browser. The easiest solution to your specific situation I guess ;-)


http://www.openbsd.org/cgi-bin/man.cgi

regards,
Tobias



Re: Cannot login into OpenSSH after applying patch 020_ssh2.patch to OpenBSD 3.8 stable

2006-10-16 Thread Tobias Weisserth

Hi everybody,

Darren has just become my hero of the day.

Rebuilding OpenSSH like Darren described earlier works on my OpenBSD  
3.8 box. No more problems. Happiness.


thanks a lot Darren!

regards,
Tobias W.



Cannot login into OpenSSH after applying patch 020_ssh2.patch to OpenBSD 3.8 stable

2006-10-13 Thread Tobias Weisserth

Hi everybody,

I just patched OpenSSH on OpenBSD 3.8 and restarted OpenSSH.

Now I can't login anymore using public/private key authentication.

I get this on the client side:

Enter passphrase for key '/Users/user/.ssh/id_dsa':
Connection to host.xy closed by remote host.
Connection to host.xy closed.

The key seems to be alright (there have not been any changes to it),  
/var/log/authlog on the server says that OpenSSH accepts the key.  
There's no other stuff in there or in /var/log/messages that  
indicates any trouble.


Any ideas? Right now, I have effectively locked myself out of my box.  
Luckily it's right in the next room...


regards,
Tobias W.



Re: /etc/motd SHA1 checksum keeps changing

2006-10-10 Thread Tobias Weisserth

Hi,

On Oct 10, 2006, at 1:56 AM, Mathieu Sauve-Frankel wrote:


did you read the man page ?

$ man motd
$ grep motd /etc/rc


The manpage would have solved my question. Thanks! :-) I guess I  
didn't realise that there even was a manpage for /etc/motd. I should  
check first in the future...


Thanks for your help.

regards,
Tobias



/etc/motd SHA1 checksum keeps changing

2006-10-09 Thread Tobias Weisserth

Hi everybody,

I have a weird problem on an i386 box with OpenBSD 3.8. I'm running the  
patch branch with the AIDE package installed.


AIDE keeps reporting a change in the SHA1 checksum of /etc/motd. Even  
after I run a aide --update and use the updated database for future  
checks the checksum keeps changing. I didn't notice such a behavior  
in the past. I protect my AIDE database by putting it into an  
encrypted filesystem, that I only mount writable when I update the  
database.


Any idea what is happening? The content of the file seems to be  
unchanged when I look at it.


I did a thorough check of the system and didn't notice any funny  
stuff. A portscan from the outside doesn't reveal any additional open  
ports. In fact, the machine is not running any service other than  
OpenSSH and doesn't allow root logins via SSH. It has a tight pf  
ruleset. It gets patched as soon as new patches are released, there  
are almost no packages installed (pico, aide and dependencies).


regards,
Tobias



Re: Do mp3 concatenation programs exist?

2006-07-15 Thread Tobias Weisserth
Hi,

On Saturday, 15. July 2006 21:24, z0mbix wrote:
 On 7/15/06, Peter Philipp [EMAIL PROTECTED] wrote:
  Hi misc@,
 
  I have an original setup at home.  I crontab logging on and off the
  Internet on a minutely basis, so that I acquire a new IP every minute.  I
  do this for personal reasons and I like it this way.

 This is just the most idiotic thing I've ever heard. You are creating
 a whole bunch of unnecessary problems for yourself.

It's pretty obvious he's trying to hide his true identity because of these mp3 
activities on the Internet. If he's that paranoid about his probably illegal 
activities I don't understand why he talks about them in detail on a public 
mailing list... :-)

  At the same time I also stream
  mp3's from a radio station in Toronto.  Since my IP changes every minute

cheers,
Tobias



Re: Voice-Chat Software (maybe even a Client wich works on openBSD? ;) ) ?

2006-07-13 Thread Tobias Weisserth
Hi,

On Thursday, 13. July 2006 04:16, Sebastian Rother wrote:
 Hello everybody,

 I`m looking for a Voice-Chat/VoIP Solution.

 Requirements: Peoples with different OSs should be able to talk to each
 other (maybe even some little meetings).
 The peoples I know use mainly: Linux, OpenBSD, rare FreeBSD and Windows.

I'd use open standards and Open Source software wherever possible. Don't go 
for Skype, Teamspeak...

Probably a good solution would be the use of the SIP protocol. There are many 
applications that support this. For OpenBSD I'd recommend KCall, which 
integrates with Kontact in KDE. I don't know if it's in the ports but it 
compiles fine on my i386 3.9 box if you compile it from source. Other SIP 
clients work fine also probably if you rather prefer something from the GNOME 
universe.

You also need some server setup to route calls from the Internet to ordinary 
landlines. Asterisk is the way to go these days, I guess.

If you don't want to setup your own server, you could investigate the use of 
the services of GMX, 11 and so on.

kind regards,
Tobias W.



Re: Partitions

2006-06-30 Thread Tobias Weisserth
Hi,

 So am I going overboard? or am I missing any good partitions.

I never understood why putting /tmp on its own partition is good when nobody 
notices /var/tmp. In addition to /tmp I always put /var/tmp on its own 
partition too, so that I can mount it with nodev,noexec,nosuid.

I also try to split things up in a way that I can mount many things with the 
ro option where there should be no changes to the filesystems unless you 
perform an update, patch something etc.

regards,
Tobias W.



Re: public_html and apache chroot

2006-06-24 Thread Tobias Weisserth

Hi,

On Jun 24, 2006, at 9:53 PM, n.v.t n.v.t wrote:


Hello,

I hope all of you are in best shape of health. I'm experiencing  
some problems with apache.

I'm trying to enable Userdirs and keep the chroot.

(root here)
1) mkdir /var/www/user/me
2) cd /var/www/user/me ; ln -s /var/www/user/me /home/me/
3) modified my httpd.conf in /var/www/conf/


If you want to benefit from Apache chroot, then you certainly don't  
want to escape it with a symlink! :-)


You have to put things into the chroot if Apache is supposed to read  
them. Apache can't follow symlinks out of the chroot if you run it  
within a chroot. That would


Just create your home directories inside the chroot and you're fine.

I suggest you read the FAQ:  
http://www.openbsd.org/faq/faq10.html#httpdchroot and  
http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&sektion=2 ;-)


kind regards,
Tobias W.
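
Why a symlink does not reach outside the chroot, as an added example that is not part of the original reply: after chroot(2) every absolute symlink target is looked up from the new root, and ".." cannot climb above it, so a link to a home directory on the host dangles. `resolve_in_chroot` is a hypothetical helper that simulates this lookup in a temporary directory tree constructed for the demonstration; it does not call chroot(2) and needs no root privileges.

```python
import os
import tempfile


def _parts(path):
    """Split a path into components, dropping empty and '.' entries."""
    return [p for p in path.split("/") if p not in ("", ".")]


def resolve_in_chroot(root, path, max_links=32):
    """Resolve `path` as a process chrooted to `root` would see it.

    Returns the host-side path of the object, or None if the lookup
    fails inside the jail.
    """
    root = os.path.realpath(root)
    pending = _parts(path)
    resolved = []                     # components below the jail root
    links = 0
    while pending:
        part = pending.pop(0)
        if part == "..":
            if resolved:
                resolved.pop()        # ".." at the jail root stays at the root
            continue
        host_path = os.path.join(root, *resolved, part)
        if os.path.islink(host_path):
            links += 1
            if links > max_links:     # symlink loop
                return None
            target = os.readlink(host_path)
            if target.startswith("/"):
                resolved = []         # absolute target restarts at the jail root
            pending = _parts(target) + pending
            continue
        if not os.path.lexists(host_path):
            return None
        resolved.append(part)
    return os.path.join(root, *resolved)


def demo():
    """Build a constructed layout: jail at <tmp>/var/www, home at <tmp>/home."""
    with tempfile.TemporaryDirectory() as host:
        host = os.path.realpath(host)
        jail = os.path.join(host, "var", "www")
        os.makedirs(os.path.join(jail, "user"))
        outside = os.path.join(host, "home", "me", "public_html")
        os.makedirs(outside)
        with open(os.path.join(outside, "index.html"), "w") as f:
            f.write("served from outside the jail\n")

        # Two attempts to point into the home directory from inside the jail.
        abs_link = os.path.join(jail, "user", "me")
        os.symlink("/home/me/public_html", abs_link)
        rel_link = os.path.join(jail, "user", "me2")
        os.symlink("../../../../home/me/public_html", rel_link)
        via_abs = resolve_in_chroot(jail, "/user/me/index.html")
        via_rel = resolve_in_chroot(jail, "/user/me2/index.html")

        # The fix from the reply: keep the content inside the chroot.
        os.remove(abs_link)
        os.makedirs(abs_link)
        with open(os.path.join(abs_link, "index.html"), "w") as f:
            f.write("served from inside the jail\n")
        inside = resolve_in_chroot(jail, "/user/me/index.html")
        return via_abs, via_rel, os.path.relpath(inside, jail)


if __name__ == "__main__":
    print(demo())
```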



Re: XF4 Patches (Again) :(

2006-06-21 Thread Tobias Weisserth

Hi,

I asked exactly the same question a couple of weeks ago, by the time  
the patch was released. You should be able to find the answers to  
your question in the archives ;-)


kind regards,
Tobias W.

On Jun 21, 2006, at 10:56 PM, Jack J. Woehr wrote:


Okay, I read the threads on misc@ and I'm still confused.

The XF4 patch (3_9.002) says:

Apply by doing:
cd /usr/src/XF4
patch -p0 < 002_xorg.patch

The website (http://openbsd.org/anoncvs.html) says:

 # cd /usr
 # tar xzf XF4.tar.gz

which puts XF4 in /usr/XF4

Should I make a link to X4 in /usr/src or just build in /usr/X4?

Thanks (before I screw up my system).




Re: cruxports for OpenBSD

2006-06-17 Thread Tobias Weisserth
Hi,

On Saturday, 17. June 2006 18:36, Deanna Phillips wrote:
...
 As I see it, this is an example of working _against_ a project
 instead of with and for it.  A personal NIH syndrome, if you
 will.  It's not just some Linux thing he put together that also
 works here.  Look at his quote: package-manger for OpenBSD.
 and the hidden subtext: With -MY- name on it!

I don't see any harm in what he does. Is he forcing you to use his software? 
No. So what's the harm? Why the hostility?

And concerning the hidden subtext: isn't that part of the reason OpenBSD 
exists after all? I guess we would be using NetBSD instead then.

I haven't taken a look at his software but in general I welcome any addition 
to the choices there already are. What I don't welcome is this hostile 
environment on this list. This is not the spirit I'm used to when getting 
involved with Open Source projects. It's his freedom to create things, it's 
his freedom to announce such stuff here. I can't understand the lack of 
respect.

regards,
Tobias W.



Re: they say openbsd is not as scalable as others

2006-05-28 Thread Tobias Weisserth
Hi,

On Sunday, 28. May 2006 19:06, Matthias Kilian wrote:
...
 Oh, but comparing general performance of Linux vs. OpenBSD on a
 typical desktop/development PC, I *can* tell you that OpenBSD
 performs much better, especially when the machine does lots of IO
 in the background.

A daring statement.

 On my office PC (running Gentoo Linux), an emerge-webrsync pushes
 the box into a nearly unusable state for 10 to 15 minutes.
 In comparison, when I rsync /usr/{XF4,ports,src} within my home
 network from one machine to another, or just run cvs up on those
 trees, the system is still usable. So much about Linux and performance
 (sometimes I've the impression that Linux is only fast when idling).

This statement is clearly ridiculous. This whole discussion is ridiculous and 
pointless.

There is no such thing as Linux and there CERTAINLY is no such thing as 
Gentoo. Matthias, if /your/ Gentoo box is nearly unusable when you 
emerge-webrsync then *you* certainly suck at maintaining a Gentoo 
installation! :-) You really should consider running something else, maybe 
something with sane default settings and a decently compiled kernel, since 
obviously you don't know how to. Consider Debian, Ubuntu, Fedora, SuSE and 
the like.

I'm running OpenBSD 3.9 release branch and OpenSuSE 10.1 in dualboot on the 
same 1400MHz Athlon, both with KDE 3.5.1. I haven't changed either kernel. 
Converting the same Audio CD into OGG/Vorbis coded files takes 80 seconds 
less running KAudioCreator in SuSE than it does running KAudioCreator in 
OpenBSD 3.9. And guess what: the drive SuSE has to write the finished files 
to is encrypted with AES256 which takes some additional CPU time. Both 
installations remain responsive while doing this.

I'm pretty confident that if I'd change the SuSE kernel with a somewhat more 
experimental kernel like one of the MM series, SuSE would still gain a little 
bit.

But anyway, who the f*ck cares about this? I didn't choose OpenBSD because I 
wanted the fastest, most performant system for desktop use! Then I'd probably 
installed FreeBSD instead of OpenBSD which comes with a better package/ports 
management, many more ports for desktop use and offers a great deal of what 
OpenBSD offers in other respects as well.

I chose OpenBSD because of its small installation footprint, good 
documentation, stability (because heck, it's certainly the most stable OS 
I've ever used!), security and the chance to learn something useful. Trying 
to get into Linux development is nearly impossible because there is no common 
direction, every major company is trying to get their stuff into it no matter 
what and interfaces change from kernel release to kernel release. There is no 
strong link between kernel and userland and documentation is weak.

And then there are the distributors. Ever compared a Mandriva kernel against 
the Vanilla one? Happy nightmares! It's hard to find a decent Linux 
distributor. Debian has always been a stable choice yet their release cycles 
are so darn f*cked up and they lack good people for a security response team 
(one person just isn't enough!).

OpenBSD is a sane choice if you need stability and quality in general. If you 
plan to use OpenBSD for a product or other solution, then these two count 
more than the nebulous term scalability IMHO.

well, these were my two cents, for what it's worth.

kind regards,
Tobias W.



Upgrading packages from ports question

2006-05-24 Thread Tobias Weisserth

Hi everybody,

I'm getting familiar with ports at the moment since I restricted  
myself to using packages exclusively in the past. I have been  
skimming through the FAQ and the manpages covering ports and the  
possible make targets. I have also read the chapter covering ports in  
Secure architectures with OpenBSD.


There are some questions that I couldn't find the answers to, however.

I have read about the out-of-date tool in  
/usr/ports/infrastructure/build/ yet I couldn't find a manpage on the  
OpenBSD website or any other reference to it.


What I'm after is something like this:

I'm using DarwinPorts on an Apple Mac OS X machine. When I want to  
sync the tree I simply do a port sync and maybe a port selfupdate  
to update the DarwinPorts system itself. This would correspond to  
doing a CVS checkout or update. So far no problem :-)


Now I'd do a port outdated to see what ports need upgrading. This  
corresponds to doing a ./infrastructure/build/out-of-date in  
/usr/src. Still no problem.


Now comes the tricky part. Using DarwinPorts I'd do a port upgrade  
installed to upgrade all installed ports. What would correspond to  
this in OpenBSD? Do I have to go after each individual port and its  
dependencies myself that gets mentioned by out-of-date like  
described in Secure architectures with OpenBSD? Brandon Palmer and  
Jose Nazario write that it would be easier to just upgrade an entire  
ports tree. How is this done? Let's say, out-of-date outputs a  
collection of 7 packages. How do I get rid of the 7 old installed  
packages, install the seven newer versions of those packages,  
including removing, rebuilding and installing all depending packages  
through ports in a convenient way like port upgrade installed?


kind regards,
Tobias W.



Re: basic questions regarding patching, errata and stable branch

2006-05-23 Thread Tobias Weisserth
Hi,

On Monday, 22. May 2006 19:55, Ted Unangst wrote:

  I have read that mixing up checked out subsystems from CVS like src,
  ports and XF4 cannot be done across different branches without breaking
  the system at some time. Let's assume I don't want to spend the extra
  compile time and bandwidth following stable and I'll stick with the
  release and apply the patches. How does that leave me with ports? Is it
  safe to use a release, apply the errata and checkout/use the ports from
  CVS stable? If not, what alternative do I have?

 that's ok.  you can't mix stable src and current ports, or other
 combos, but stable ports and errata patches are the same.

OK, I have found it in the FAQ, though I have to admit this is hidden pretty 
deep:

http://www.openbsd.org/faq/faq15.html#NoFun

Because no intrusive changes are made in -stable, it is possible to use a 
-stable ports tree on a -release system, and vice versa. There is no need to 
update all your installed packages after applying a few errata patches to 
your system.

This answers my question to the point! :-) Why is this hidden behind such a no 
giveaway question like I'm getting all kinds of crazy errors. I just can't 
seem to get this ports stuff working at all.?! This information should be 
sticked with information about the release branch, wouldn't you agree?

thanks everybody,
Tobias W.



basic questions regarding patching, errata and stable branch

2006-05-22 Thread Tobias Weisserth
Hi everybody,

I am still trying to sort out some of the information on the OpenBSD website 
about how to follow a specific branch and what are the benefits of each 
method.

I understood what STABLE, CURRENT and RELEASE are and how to follow them.

I still have some difficulties figuring out what the difference between stable 
and release+applied errata is:

Starting with 2.7, OpenBSD provides a source tree that contains important 
patches and fixes (i.e. those from the errata plus others which are obvious 
and simple, but do not deserve an errata entry) and makes it available via 
CVS in addition to the current source.

from http://www.openbsd.org/stable.html

So having a release and applying patches to it is not exactly the same as 
following the stable branch. How far are those methods apart?

I have read that mixing up checked out subsystems from CVS like src, ports and 
XF4 cannot be done across different branches without breaking the system at 
some time. Let's assume I don't want to spend the extra compile time and 
bandwidth following stable and I'll stick with the release and apply the 
patches. How does that leave me with ports? Is it safe to use a release, 
apply the errata and checkout/use the ports from CVS stable? If not, what 
alternative do I have?

Mixing and matching of patching solutions can be done if you understand how 
everything works, but new users should pick one method and stick with it.

from http://www.openbsd.org/faq/faq10.html#Patches

Is this what I was referring to?

I guess the best solution would be to follow stable but speaking honestly 
this seems like a lot of wasted bandwidth and CPU time for a few small 
changes at best?

kind regards and thanks,
Tobias W.



Re: XF4.tar.gz in /usr or /usr/src?

2006-05-21 Thread Tobias Weisserth
Hi,

On Saturday, 20. May 2006 12:06, Joachim Schipper wrote:

 Ultimately, it doesn't matter where you keep X. My tree lives under
 /usr/src/XF4, with a symlink from /usr/XF4 just to be sure.

 I'm fairly certain both things work; the canonical way, though, is to
 put XF4 under /usr.

I solved this out by reading the documentation on the OpenBSD website 
concerning rebuilding OpenBSD from source: 
http://www.openbsd.org/faq/faq5.html#Xbld

First, I extracted XF4.tar.gz in /usr (like the OpenBSD FAQ suggests) and made 
a symbolic link in /usr/src similar to like you suggested (since this can't 
be bad).

I then patched the source with the patch:

Apply by doing:
cd /usr/src/XF4
patch -p0 < 002_xorg.patch

And then rebuild and install X:
make build

But instead of following the patch instructions to rebuild and install X which 
in my opinion just suck, I reread the FAQ from above and followed those 
instructions and everything worked out fine.

* First I installed the tcl and tk packages.
* Then, I followed this:

# rm -rf /usr/Xbld
# mkdir -p /usr/Xbld
# cd /usr/Xbld 
# lndir ../XF4
   [...lots of output...]
# make build
   [...lots of output...]

This is what the patch should have been including, not the really mistakable 
instructions, which suggest that the source is located in /usr/src/XF4 
instead of /usr/XF4 (as described in the FAQ, which a user is probably going 
to follow) and that all that is required to build X is running make build.

I'm going to mistrust the instructions from the patches from now on. The FAQ 
is the most valuable source of information I have found so far.

kind regards,
Tobias Weisserth



XF4.tar.gz in /usr or /usr/src?

2006-05-19 Thread Tobias Weisserth

Hi everybody,

I hope this is the right place to post this.

I was just installing my 3.9 release from the CDs Wim sent me (Thanks  
Wim!!) and right now I'm in the process of applying the errata  
patches. I have spent the last three hours reading the online  
documentation from the website when I stumbled across something I  
cannot explain as I read the instructions for the second errata  
(ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/002_xorg.patch).


It reads:

Apply by doing:
cd /usr/src/XF4
patch -p0 < 002_xorg.patch

And then rebuild and install X:
make build

This conflicts with what I did according to  
http://www.openbsd.org/anoncvs.html:


To extract the source tree from the CD to /usr/src (assuming the CD  
is mounted on /mnt):


# cd /usr/src; tar xzf /mnt/src.tar.gz
# cd /usr; tar xzf /mnt/XF4.tar.gz
# tar xzf /mnt/ports.tar.gz

I unpacked XF4.tar.gz in /usr like the web page suggests, but the  
patch assumes the XF4 sources are located in /usr/src. So I have no  
/usr/src/XF4 directory.


I assume the patch instructions are correct and the web page is  
wrong? I just moved the XF4 directory into /usr/src and applied the  
instructions from the patch. It compiled for some time and just as  
I'm writing this it aborted with multiple error code 1 messages in  
the Makefile. I guess I misunderstood something here.


Can anybody help me out please? I'm a little confused about this.  
Thanks.


kind regards,
Tobias W.