Re: Defending OpenBSD Performance
On 14.09-20:43, Nick Holland wrote:
[ ... ] Speed matters. Almost as much as some things, and nowhere near as much as others.

beautifully specific and vague; i'd challenge anyone to sum up benchmarking better. if that's not a quote, it is now; i'm writing it down and sticking it to my wall.

[ ... ] Practically speaking, the people who need the performance at the edge of what OpenBSD can deliver usually are too busy to argue benchmarks.

careful, that could be seen as an admission ;-)
Re: Samsung HD License Issue
On 04.05-08:17, Jochem Kossen wrote:
[ ... ] today i bought a Samsung Laptop Drive, 160GB, Model Number is HM160HC. It came in an anti-static plastic bag together with a little leaflet. Usually i don't read those, but today i did, and came across the following paragraph:

Hybrid Disk Drive products are licensed for use only on devices that deploy the Windows VISTA Operating System as their principal operating System. If you or any other party install(s) an operating system on the computing device that is not Windows Vista, the use of this Hybrid Disk Drive may require an additional license from Microsoft. For further information, please contact Microsoft.

[ ... ] It appeared more people were confused by the text, and both Microsoft and Samsung have explained that the terms mean that if you use a different operating system than Windows with this drive, you need to get the appropriate license to use said different operating system. If you want to use an operating system owned by Microsoft with it, you have to get a license from them; if the operating system is not owned by Microsoft, you don't need to get a license from Microsoft.

this is a legal two-step and i recommend that you refuse to be satisfied with the clarification by Samsung and Microsoft and contact the appropriate consumer bodies within your jurisdictions to have this matter lodged with them (assuming the drive is sold under those terms within your country).
Re: Donations (was, sadly, European orders)
On 02.04-09:49, Alf Schlichting wrote:
[ ... ] as far as i am concerned (and most likely the majority of OpenBSD users) there is no need for you to justify yourself (or any other developer) in public. The product (OpenBSD) speaks for itself.

+1
Re: ssh tunneling
On 01.04-17:21, Jay Jesus Amorin wrote:
[ ... ] I have a firewall rule that allows ssh from computer-1 to computer-2 and denies ssh from computer-2 to computer-1. is it possible to a tunnel ssh myu...@computer-2 myu...@computer-2 'svn update svn+ssh://u...@computer-1/svn/data /home/myuser' and use the same tunnel when svn update svn+ssh://u...@computer-1/svn/data /home/myuser is invoked going to computer-1 from computer-2 through ssh, when ssh is not allowed from computer-2 to computer-1.

not sure i understand precisely what you're intending here but you can open a remote tunnel via the connection 'computer-1' to 'computer-2', which would allow 'computer-2' to connect through a localhost connection, via the tunnel, back to 'computer-1'. look up '-R' instead of '-L' in the man page.
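The reverse-tunnel arrangement described in that reply, written out as an added example (this is not code from the original thread). Hostnames computer-1/computer-2, the user names, port 2222 and the ssh_config alias c1-tunnel are placeholders. It relies only on two documented behaviours: `ssh -R port:host:hostport` makes sshd on the remote side listen on that port (bound to its loopback unless GatewayPorts is enabled) and forward connections back through the existing session, and svn+ssh:// URLs carry no port, so the port has to come from an ssh_config Host alias rather than the URL.

```sh
#!/bin/sh
# Added example: reach sshd on computer-1 from computer-2 when the firewall
# only allows ssh computer-1 -> computer-2, by carrying a reverse tunnel (-R)
# inside the permitted direction.  Names, port and alias are placeholders.

TUNNEL_PORT=${TUNNEL_PORT:-2222}   # listener on computer-2's loopback
DRY_RUN=${DRY_RUN:-0}              # 1: print the command instead of running it

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1, run ON computer-1: open the session to computer-2 and ask the far
# sshd to listen on 127.0.0.1:$TUNNEL_PORT, forwarding to our own port 22.
# -N: no remote command, -f: drop to the background once authenticated.
open_reverse_tunnel() {
    # $1 = computer-2
    run ssh -N -f -R "${TUNNEL_PORT}:localhost:22" "myuser@$1"
}

# Step 2, ON computer-2: an ssh_config stanza (~/.ssh/config) that names the
# forwarded port, because svn+ssh URLs cannot express a port themselves.
ssh_config_stanza() {
    # $1 = alias, $2 = login name on computer-1
    printf 'Host %s\n    HostName 127.0.0.1\n    Port %s\n    User %s\n' \
        "$1" "$TUNNEL_PORT" "$2"
}

# Rewrite svn+ssh://[user@]host/path so that host becomes the alias; any
# user in the URL and the path are preserved.  Pure POSIX sh, no sed.
tunnel_url() {
    # $1 = original URL, $2 = alias
    rest=${1#svn+ssh://}            # [user@]host/path
    hostpart=${rest%%/*}            # [user@]host
    path=${rest#"$hostpart"}        # /path
    case $hostpart in
        *@*) user=${hostpart%%@*}@ ;;
        *)   user= ;;
    esac
    printf '%s\n' "svn+ssh://${user}$2${path}"
}

# Step 3, ON computer-2: the original svn command, pointed at the alias.
# ssh resolves c1-tunnel to 127.0.0.1:2222, which sshd on computer-2 hands
# back through the tunnel to port 22 on computer-1.
svn_update_via_tunnel() {
    # $1 = original URL, $2 = alias, $3 = working copy
    run svn update "$(tunnel_url "$1" "$2")" "$3"
}
```

Two caveats worth stating before doing this. First, it deliberately defeats the intent of the firewall rule; if that rule exists because computer-2 is the less trusted host, whoever owns the policy should agree to the tunnel. Second, the -R listener on computer-2 is reachable by every local user there, not just the one who will run svn, so keep the tunnel up only while it is needed (or restrict the account on computer-1 to what svn needs, e.g. a forced command or a restricted key).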
Re: pppoe server
On 08.03-11:13, LÓVAI Dániel wrote:
[ ... ] I wish to experiment setting up a PPPoE server (AC) on OpenBSD 4.4. Although I've read the pppoe(8) man page and googled around, it is not clear for me how to set up such configuration.

man sppp
Re: Limit number of login sessions
On 24.09-09:48, Maximo Pech wrote:
Well I guess I will have to resolve this by coding something. What do you think about this: [ ... ]

would you not be better to use ALTQ to limit the bandwidth available to each user? then if they share their password they're only sharing their own use. if not then i'd suggest you create a BSD auth module for processing the login sessions and add a 'login-max' capability.
Re: UPDATE: mozilla-firefox-3.0
On 17.07-10:26, Jason Dixon wrote:
[ ... ] I don't have any customers that use Java for client-side image rendering, so I can't speak as to how it would compare. I suspect that Java wouldn't be as efficient as flash for passing instructions to the client, but that's just a hunch.

performance of image rendering ??? passing instructions ??? that's as meaningful as the banana flavoured lube. ;-) java is a language, flash is a solution. many would like to see an open alternative to flash but since flash is not microsoft i think it's below most radars. it's also, as many here have noted, 99.9% meaningless junk; and i'm 100% confident that any flash application could be re-implemented in Java, should needs must. personally, i avoid flash as a retard filter; remove it and lots of sh1t suddenly disappears.

p.s: java's image rendering is perfectly performant (assuming you accept java as an overhead in the first place ... of course, flashplayer is just as bad)
Re: timezone issue
On 10.04-11:06, Jordi Espasa Clofent wrote:
[ ... ] [EMAIL PROTECTED] [~] [10:59:59] $ date -u
Thu Apr 10 09:00:01 UTC 2008

presumably the prompt is showing local time which is UTC+2 (+1 for CET and +1 for summer time). so all is well. as for the sysmon output you'll probably find (but i don't know) that it's deliberately working in UTC.
cvs comparisons [ot]
been setting up a repository of various development stuff and finding subversion to be horrifically slow and very hard on resources. struggling to find actual comparisons with CVS (lots of opinions and statements about SVN tagging and branching being better) but hoping someone here could help with links or experiences. currently switching back to CVS but hopeful of something quantitative for future reference.
Re: IPSec tunnel problem
On 01.03-00:39, Alexey Vatchenko wrote:
[ ... ] No, i don't use same network address for two networks.

then you need to alter your settings to specify the actual networks that you're using. for example, you could define the remote network to be 192.168.123.123/32 and then route everything for 192.168.0.0/16 through the tunnel. if you define a home network (like 192.168.123.0/24) then you'll need the bypass rule to avoid routing that through the tunnel. the fact that the tunnel end point moves is irrelevant but you will need to define a local network alias within the home network (i.e. 192.168.123.123 or something) so that the system knows to route that traffic through the tunnel. for routing you only need to define a route to the office gw system (e.g. 192.168.111.111) for the entire 192.168/16 space. note, if your networks don't overlap (i.e. 192.168.123/24 and 192.168.111/24) then you won't need the bypass rule.
Re: 4.2 patchset for PR#5563/#5704
On 17.01-22:14, [EMAIL PROTECTED] wrote:
need an education here. created a patchset for this problem and i'm about to test that against 4.2 GENERIC and have a couple of questions

1. are the results generally interesting? should i post them somewhere (assuming tests go right)

assuming above is yes

2. had to manually add the line from r1.94 to 'mbuf.h' to skip the other changes in r1.93. is there a cvs way to do that or should it be manual? and i assume there's nothing for me relevant to branching etc as that is only relevant to the repository/committer, right?

3. m_gethdr duplicates the new m_inithdr code which seems ... not great ... would it be better to (a) call the m_inithdr function from m_gethdr (b) change it to a macro (c) change the m_inithdr to inline and call it from m_gethdr (no idea whether the function would get inlined anyway).

i guess the answer to '1' is no but i'm posting this for anyone who may find it useful. it's working nicely for me. comments welcome. nb: this should patch against 4.2

Index: sys/sys/mbuf.h === RCS file: /cvs/src/sys/sys/mbuf.h,v retrieving revision 1.92 diff -r1.92 mbuf.h 220a221,254 * mbuf initialisation macros: * *MINITDATA(struct mbuf *m, int type, u_short flags, caddr_t data) * initialize mbuf internal data (pulled in by MINIT and MINITHDR) * *MINIT(struct mbuf *m, int type) * initialize an mbuf * *MINITHDR(struct mbuf *m, int type) * initialize mbuf with packet header */ #define MINITDATA(m, type, flags, data) \ (m)-m_type = (type); \ (m)-m_flags = (flags); \ (m)-m_data = (data); \ (m)-m_next = (struct mbuf *)NULL; \ (m)-m_nextpkt = (struct mbuf *)NULL #define MINIT(m, type) \ MINITDATA((m), (type), 0, (m)-m_dat); #define MINITHDR(m, type) \ MINITDATA((m), (type), M_PKTHDR, (m)-m_pktdat); \ (m)-m_pkthdr.rcvif = NULL; \ SLIST_INIT((m)-m_pkthdr.tags); \ (m)-m_pkthdr.csum_flags = 0; \ (m)-m_pkthdr.pf.hdr = NULL; \ (m)-m_pkthdr.pf.rtableid = 0; \ (m)-m_pkthdr.pf.qid = 0; \ (m)-m_pkthdr.pf.tag = 0; \ (m)-m_pkthdr.pf.flags = 0; \
(m)-m_pkthdr.pf.routed = 0 /* Index: sys/kern/uipc_mbuf.c === RCS file: /cvs/src/sys/kern/uipc_mbuf.c,v retrieving revision 1.85 diff -r1.85 uipc_mbuf.c 167d166 m-m_type = type; 169,172c168 m-m_next = (struct mbuf *)NULL; m-m_nextpkt = (struct mbuf *)NULL; m-m_data = m-m_dat; m-m_flags = 0; --- MINIT(m, type); 187d182 m-m_type = type; 189,201c184 m-m_next = (struct mbuf *)NULL; m-m_nextpkt = (struct mbuf *)NULL; m-m_data = m-m_pktdat; m-m_flags = M_PKTHDR; m-m_pkthdr.rcvif = NULL; SLIST_INIT(m-m_pkthdr.tags); m-m_pkthdr.csum_flags = 0; m-m_pkthdr.pf.hdr = NULL; m-m_pkthdr.pf.rtableid = 0; m-m_pkthdr.pf.qid = 0; m-m_pkthdr.pf.tag = 0; m-m_pkthdr.pf.flags = 0; m-m_pkthdr.pf.routed = 0; --- MINITHDR(m, type); Index: sys/dev/ic/elink3.c === RCS file: /cvs/src/sys/dev/ic/elink3.c,v retrieving revision 1.69 diff -r1.69 elink3.c 1390c1390 /* Convert one of our saved mbuf's. */ --- /* Convert one of our saved mbuf's ... */ 1392,1395c1392,1393 m-m_data = m-m_pktdat; m-m_flags = M_PKTHDR; m_tag_init(m); m-m_pkthdr.csum_flags = 0; --- /* ... and reset the buffer info */ MINITHDR(m, m-m_type);
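Review bot: in the mbuf.h hunk (220a221,254) MINIT and MINITHDR expand to several statements but are not wrapped in do { ... } while (0), so a use such as `if (cond) MINITHDR(m, type); else ...` compiles to something other than intended, and MINIT's own definition ends in a semicolon (`MINITDATA((m), (type), 0, (m)-m_dat);`) which leaves a stray empty statement at every call site. Wrap each macro body in do { ... } while (0) and drop the trailing semicolons from the definitions. Separately, every member access in the posted text reads `(m)-m_type` rather than `(m)->m_type`; if that is how the file reads and not just mail mangling, it will not compile, so please confirm against the actual file.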
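Review bot: the uipc_mbuf.c hunks (167d166/169,172c168 and 187d182/189,201c184) fold m_get and m_gethdr onto MINIT/MINITHDR, but the message itself says m_inithdr from r1.94 still carries its own copy of the same header-field list. Make m_inithdr use MINITHDR as well (or have m_gethdr call m_inithdr) so there is exactly one definition of a fully initialised packet header; otherwise the next field added to m_pkthdr.pf gets zeroed on one path and not the other, which is the class of bug the PR is about. Also regenerate the patch with `cvs diff -u`: these ed-style hunks carry no context lines, so they can neither be applied with fuzz against 4.2-stable nor reviewed without opening the files.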
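Review bot: the elink3.c hunk (1392,1395c1392,1393) changes behaviour rather than just factoring it: the four lines removed reset only m_data, m_flags, the tag list and csum_flags, whereas MINITHDR(m, m-m_type) additionally sets m_next and m_nextpkt to NULL and clears rcvif and all the pf fields. If the saved mbuf can be linked into a chain at that point, clearing m_next silently drops the rest of the chain. Either confirm that the driver's saved mbufs are always single, unlinked mbufs here and say so in the commit message, or keep the original four assignments in this driver and use MINITHDR only where a freshly allocated header is wanted.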
4.2 patchset for PR#5563
need an education here. created a patchset for this problem and i'm about to test that against 4.2 GENERIC and have a couple of questions

1. are the results generally interesting? should i post them somewhere (assuming tests go right)

assuming above is yes

2. had to manually add the line from r1.94 to 'mbuf.h' to skip the other changes in r1.93. is there a cvs way to do that or should it be manual? and i assume there's nothing for me relevant to branching etc as that is only relevant to the repository/committer, right?

3. m_gethdr duplicates the new m_inithdr code which seems ... not great ... would it be better to (a) call the m_inithdr function from m_gethdr (b) change it to a macro (c) change the m_inithdr to inline and call it from m_gethdr (no idea whether the function would get inlined anyway).

and finally, how do i create a patchset? is it simply a concat of the individual file patches?
Re: no 4.2-stable package updates??
On 12.12-16:25, [EMAIL PROTECTED] wrote:
I tried using pkgsrc-2007Q3 but it sucks. Updating userland in production environment with pkgsrc on a non-NetBSD platform is a nightmare.

i'm working on this. will post when significant progress has been made. in my opinion having a working pkgsrc tree is better for everyone; doesn't mean we can't have an openbsd branch (so to speak) but unifying our efforts with others in this field will have benefits.
Re: HUAWEI not recognized properly (3 modem)
On 11.12-16:11, Stuart Henderson wrote:
On 2007/12/11 16:13, Markus Bergkvist wrote:
I borrowed a HUAWEI modem just to see how it is recognized. With umass enabled it is recognized as a CD. Disabling umass and it is found as ugen. From this thread http://marc.info/?l=openbsd-misc&m=118468178731619&w=2 I figured it should have been recognized as ubsa. Any suggestions?

I was wrong with ubsa, it looks like it should actually be umsm, but the device needs poking with a USB command before it switches off the umass-based Windows driver CD, and turns on the other interfaces (the AT-compatible modem-like interface, and the control interface). I'm not aware of it being supported yet.

with my version of this device it *appears* to timeout to the modem interface if it is inserted during boot. i won't go into the reasons as to why i believe that, suffice to say they're thin in evidence, but it'd suggest you try forcing a rescan of the device after a couple of minutes (assuming the umass interface hasn't been tickled, activating it).
pf max-src-conn states
two questions relating to the above

1. trying to use 'max-src-conn 1' to limit service to one connection per host (with overload table) but when i disconnect and reconnect i get blocked. should this state expire when correctly closed, allowing a second connection, or is the timeout needed?

2. is source-track required for the above? i can't decipher the relationship. current confusion is: does source-track turn 'max' into a per-IP match or simply allow the per-IP functions to operate?

nb: not sure the service is closing the connection correctly, which may be causing the timeout issue.
Re: PPD vs printer driver question
On 10.11-17:01, Predrag Punosevac wrote:
[ ... ] PPD files are post script description files that act as drivers for post script printers. This seems clear to me.

no. they simply describe the functions available on the printer. this allows the interface to display those printer options to you. for PS compatible printers this is enough; you select the options and the document, with the selected options, is passed along to the printer. for non-PS printers the options are passed to the backend processor which produces the relevant commands for that printer. with CUPS you'll (most likely) have ghostscript as a backend processor. this comes with support for a good range of printer backends (e.g. PCL) as well as being easily extensible with vendor processors (like the hpijs processor from HP). with lpd and apsfilter you process the incoming text or latex file into postscript. this works fine if the printer supports PS. if not then you'll pipe that postscript onto ghostscript which will then process the PS into the native printer language (e.g. PCL).
Re: Printing with apsfilter
On 11.11-06:51, Girish Venkatachalam wrote:
[ ... ] Now I only know what you people seem to be saying about PPD files and drivers. I have never used CUPS either. However long ago I have read that postscript is a PCL - printer command language. And most printers these days support printing using postscript and the LPD daemon which listens at TCP port 515.

PCL is a printer control language. PS is a stack based programming language with graphics primitives for drawing. it may also be classed as a PDL (page description language). i would guess that you are assuming that most printers can process PS because most unix print services use ghostscript to process these files into a native printer language. in fact most printers cannot process PS because implementing a PS processor is quite expensive (requires significant processing and memory) compared to control protocols (like PCL), although PS has other advantages. this pre-processing is supported by cups and lpr but installation is generally simpler with cups (due to greater vendor attention). cups also has better integration with the new ghostscript processing structure, which allows more feedback from the print processor. this is particularly useful when using control languages (or host based raster processing) instead of PDLs. the lpr protocol also has some fundamental issues in its design (much like FTP does). in short, i'd suggest you use cups unless you have a specific reason not to.
Re: OpenBSD kernel janitors
On 31.10-08:40, Theo de Raadt wrote:
[ ... ] Yeah, right.

[ ... ] I don't understand. Is newbies learning new things a waste to you? Do you think they won't really learn anything unless the patch is approved? Or will the patches not be subject to peer review? Or are you worried at who would pass for peer review getting overwhelmed by a huge volume of poor quality patches?

and i would suggest that the severe and prevalent attitude toward the possibility of poor patches or under-educated actions is the most significant barrier to encouraging new/young developers.
Re: OpenBSD kernel janitors
On 31.10-08:20, Theo de Raadt wrote:
[ ... ] They don't need a list. They could already have started coding. Yet we see how few people actually do start coding. Instead, they choose to write in english...

on the counter-side we appear to have people who can code but are unable to communicate productively otherwise. surely there must be _some_ merit to creating a list of lower level development tasks (as dictated by those with experience to judge) to encourage people to enter the development cycle. of course, there will be a large attrition rate; most people like the idea but can't stick the learning curve. others may be intelligent and able but less confident and just need pointing in the right direction. obviously the intention should be to try and capture the latter without losing energy on the former.
Re: To whom can I direct email for artwork use permission pls?
On 02.10-09:56, Marcus Andree wrote:
Theo is the copyright holder of the CD directory structure used by the install CDs. If someone wanna sell a CD (or DVD) legally, s/he will have to: - get a written permission from Theo or - code an entirely new installation procedure

i find this all rather sad and misguided; the software is freely available to those who wish to use it. we should also endeavour to make it as widely available as possible. the artwork is another question for theo (assuming he's the owner of that), i mean, openbsd is his brand and what he does there is his business. it is also not possible to limit use of the directory structure with copyright. you would need to alter the license to include a clause around installation media and distribution or release the install scripts and programs under a different license; of course such a clause would be almost directly contradictory to the current license. i.e. some stupid trick around CD directory structure is directly contradictory to the principles encapsulated in our licensing. paying for it requires a choice, no matter what tricks we put in place around CDs. surely we can simply trust and encourage contributions, particularly when people intend to profit. and if the original poster reads this you may read that as: whatever the actual outcome, if you make a profit please ensure you give something back. and oh, yeah, try to encourage the users to do the same once they get the CD home (though i have to confess, i haven't made a donation since i upgraded my gateway to 4.1 ... i have an excuse !!! and it was only last week. and i will)
Re: OpenBSD sticker considered cool by a layman
On 02.10-15:43, Åke Nordin wrote:
[ ... ] http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565

Cool link... Information about an article about privacy, and for downloading it you need javascript and whatever more... (I didn't manage to get the full text). Not to mention no download unless registration.

just for the record i managed without any trouble. and i don't think it required javascript either.
Re: To whom can I direct email for artwork use permission pls?
On 02.10-11:46, Bob Beck wrote:
(though i have to confess, i haven't made a donation since i upgraded my gateway to 4.1 ... i have an excuse !!! and it was only last week. and i will)

And this is exactly the problem. Look, you guys can quibble all you want about awww, we should be able to make our own distros. Yes, you can.

no, this is a problem. and there's no question that it's important but the relevant discussion was above your cut. even less to the point, i contribute more than the cost of a CD set without the overhead (but then its value is greater to me than it may be to others). encouraging people to purchase CD sets is great (bit like a suggested donation at a museum) but more important is iterating to people the value of the software and that it is their *responsibility* to reflect that value in their contributions; whatever form that contribution takes.
Re: OpenBSD sticker considered cool by a layman
On 30.09-10:03, Anton Karpov wrote:
[ ... ] The same here. I have wireframe puffy on the back of my car. VERY attractive:

of course, if you were _really_ security conscious you would have cropped the license plate number ;-)
Re: Loading PF after pppoe
On 27.09-08:59, Amit Finkler wrote:
I now use the in-kernel pppoe and pf, but on boot pf loads itself before the networking is up. How does one cause the networking to be up before the pf rules?

i tend to load a basic ruleset during boot and then either overwrite it or update it with alternative configurations / anchors as part of '/etc/hostname.if' configurations.
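The arrangement that reply describes, as an added example (these are not the poster's or the replier's files): a boot-time pf.conf that needs nothing from pppoe0 and keeps the pppoe-specific rules in an anchor, plus a hostname.pppoe0 whose trailing '!' line fills that anchor once netstart has configured the interface. The interface names (pppoe0 over em0, em1 inside), the account details, the anchor name and the path /etc/pf.pppoe.conf are all assumptions.

```conf
# /etc/pf.conf -- loaded by rc before any interface is configured, so it
# must not need pppoe0 to exist or to have an address.  The pppoe rules go
# into an anchor that is still empty at this point; pf happily accepts a
# rule "on pppoe0" for an interface that appears later.
ext_if = "pppoe0"
int_if = "em1"
set skip on lo
block all
pass on $int_if
anchor "pppoe" on $ext_if

# /etc/pf.pppoe.conf -- the anchor's contents, loaded from hostname.pppoe0.
# Note the parentheses: ($ext_if) is resolved by pf at packet time, so this
# file loads even before PPPoE has negotiated an address.  Written as
# "from $ext_if" instead, pfctl expands the name to the interface's address
# at load time and fails with "no IP address found" while the link is down,
# which is what bites when such a rule sits in pf.conf at boot.
ext_if = "pppoe0"
pass out on $ext_if from ($ext_if) to any
pass in on $ext_if proto tcp from any to ($ext_if) port ssh

# /etc/hostname.pppoe0 -- in-kernel pppoe(4) over em0, which needs its own
# /etc/hostname.em0 containing just "up".  Lines beginning with '!' are run
# by /etc/netstart right after the interface is configured (hostname.if(5));
# the last one replaces whatever is in the anchor with the file above and
# leaves the main ruleset untouched.  Credentials are placeholders.
inet 0.0.0.0 255.255.255.255 NONE \
    pppoedev em0 authproto pap authname 'user' authkey 'secret' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/pfctl -a pppoe -f /etc/pf.pppoe.conf
```

The split buys two things: the base ruleset can be as strict as you like (block all, pass only inside) from the first moment pf is enabled, with no window where the link is up and unfiltered, and the link-specific rules can be reloaded on their own with `pfctl -a pppoe -f /etc/pf.pppoe.conf` after an edit without touching the rest. Anything that genuinely needs the negotiated address at load time (hostnames resolved over the link, tables filled from DNS) still has to wait until the link is actually up, for which a ppp-up style hook rather than hostname.if is the right place.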
Re: The Atheros story in much fewer words
but it allows some users to not have the freedoms you claim to defend.

think you'll struggle to find people here who claim to defend freedom. personally, i'm a believer and practitioner; i leave the defending to the misguided and the hypocrites.
Re: OBSD's perspective on SELinux
On 24.09-10:25, Jason Dixon wrote:
[ ... ] What I'm trying to say is that all the services I listed before make their own little SELinux layer with appropriate policy built into them. Better than SELinux though is that the monitor is enabled by default and generally can't be turned off. Even more interesting is that this policy enforcement is portable to other unix like operating systems, it's not restricted to the OpenBSD kernel. What makes this so effective is that it's built-in by the people who understand it best, the developers. Not some Jr. Sysadmin tasked with standing up a new Linux server and trying to write his own SELinux policy from scratch.

little sad to see such slating of extended security feature sets by such a security conscious group. policy cannot be defined or implemented in the application. it must be enforced by the kernel to be meaningful. this, of course, does not preclude privilege separation within an application but that is good application programming, not secure policy. SELinux's policy features are a superset of standard Unix. i was unaware of 'systrace' in openbsd but have found these poor and cumbersome previously; i will certainly review it. i agree completely with the general tack of opinion here: there is very little that cannot be done with conscious administration and intelligent use of available features. it's a little like ACLs: it's definitely a security feature but getting real value add from it is rare (particularly when you take into account the overhead of these features) and whether it increases or decreases overall security is a serious question too. in many instances (on various trusted operating systems and policy systems, not just selinux) i have seen the most appalling policies simply because administrators became so frustrated that they simply opened stuff until the application worked.
Re: OBSD's perspective on SELinux
On 24.09-11:49, Can E. Acar wrote:
[ ... ] The guy can be some stupid binary software with an if(uid!=root) bail(); People running arbitrary binary software requiring root on their systems deserve what they get. You can not work around this stupidity by ANY policy.

that is not the case and is, in fact, the entire point of defining policy: to define what the applications on the system can and cannot do, irrespective of how stupid they (or their programmer) are, or how malicious they (or their programmer) are / were.
Re: OBSD's perspective on SELinux
On 24.09-13:48, Darren Spruell wrote:
[ ... ] Oh, that sounds like a recipe for success. - Run _arbitrary_ _binary_ application on system. Intend to use policy wrapper to restrict to allowed operations.

exactly; if the application cannot run within the defined policies it will not be allowed to run. this is precisely the assurance that some businesses look for. it is, in fact, a process that helps identify poor applications. whether the system is opened up or not depends on the business.

The intentions are great and look good on paper. The reality is a bit different, as others have pointed out.

indeed, i am one of them. and probably as painfully aware of it as any. that is not the point; writing them off wholesale is folly, and suggesting the same can be achieved with current toolsets available is just plain wrong.
Re: OBSD's perspective on SELinux
On 24.09-14:28, Luke Bakken wrote:
[ ... ] Intelligent sysadmins know every setuid binary on their system. Unintelligent ones get owned.

you'll forgive me if this does not sound intelligent to me. a conscientious sysadmin looks at the requirements and picks the best tools to match. in the vast majority of cases best results can be achieved with simplicity and an intelligent use of basic tools. complex policy systems have diminishing returns but there is no question that they bring additional tools to the toolkit.
Re: OpenBSD firewalls as virtual machine ?
On 22.09-02:06, Luca Corti wrote:
[ ... ] We are talking about OpenBSD here, and support for VRF is not there.

That may change faster than you expect

This is great news. If the implementation will allow to assign interfaces to different VRFs it would solve the virtual router/firewall setup without the need for OS virtualization.

i have a feeling that the funds currently available for your virtualisation project would improve the quality and delivery of these requirements.
Re: OBSD's perspective on SELinux
On 22.09-16:21, Douglas A. Tutty wrote:
[ ... ] exercise for the reader: find somebody using SELinux. ask them to describe their policy over the phone. then repeat it back to them. did you get it right?

[ ... ] In other words, since debian packages, by policy, must just work on install (come with a reasonable default setup), (except for a few things like the Shorewall firewall builder that installs to a disabled state that prints a warning), once Debian decides on a SELinux policy, all the thousands of packages have to be set up to detect the SELinux policy on the box at the time and integrate themselves into it.

i would be willing to bet this will never happen, particularly in a community like debian's. if, by some miracle, it does i'd make a further bet that they'll have to roll back the decision because their users will be crippled. basically, good programming practices get you a lot more for a lot less than wide ethos changes. having said that, the extended feature set of selinux can solve issues that unix systems are not able to. in short, stick to openbsd. if you need selinux you'll know it ... then you'll go find another product that's not such a nightmare ... actually, nearly all of them are but that's another story.