Re: How to run Microsoft Internet Explorer on NetBSD?

[Jose Luis Rodriguez Garcia]

> If you're content with VirtualBox, Microsoft themselves provide images
> of various versions of Windows with various versions of IE already
> installed.
>
> https://dev.windows.com/en-us/microsoft-edge/tools/vms/windows/

On Fri, Jan 29, 2016 at 2:08 PM, Marina Brown  wrote:

> They have a portal that requires windows. I think you can even get
> windows 10 for free under some circumstances. Not sure about this i had
> a windows license owned by my company.
>
> --- Marina Brown

Thank Marina, Coypu

I have opted by this way.

I have downloaded the image for virtual box for ie6_winxp. It has
worked with the qemu emulator.

I have done:

tar xf file.ovf
It has uncompressed a vmdk file. I have converted it to qcow2 with qemu-img:
qemu-img -c -O qcow2 "IE6 - WinXP-disk1.vmdk" "IE6 - WinXP-disk1.qcow2"

qemu-system-i386 -m 256 -net nic,model=ne2k_pci  -net user -hda "IE6 -
WinXP-disk1.qcow2"

and it worked ok.

It is slow..., but it works and it is easy if you think on wine.

kerTeX: latest D.E. Knuth's sources and mf with X11

[tlaronde]

KerTeX has been updated to the latest D.E. Knuth's sources (tex, mf and
some auxiliaries). AMS fonts 3.04 are also here.

The most visible change is the X11 online graphics output for METAFONT,
allowing to see on screen what one is drawing. This has two main
purposes:

1) To allow people to have totally what is described in the
METAFONTbook;

2) To give hints that METAFONT, generally ignored against TeX, is not
only a compiler/interpreter for a drawing language (for font design),
but is also a... rasterizer engine...

The instructions for compilation/installation are in the LISEZ.MOI / 
README files and a get_mk_install.sh POSIX.2 script does the job almost
automatically. See:

http://www.kergis.com/en/kertex.html /* english or sort of */

http://www.kergis.com/kertex.html /* french */

In a nutshell:

KerTeX is a distribution of D. E. Knuth's Computer and Typesetting
programs. It includes all D.E.K.'s programs and fonts, plus AMS fonts,
T1 versions of the CMR, dvips(1), Adobe AFM for PostScript standard
fonts, NTS e-TeX (TeX bidirectional), John Hobby's MetaPost, Oren
Patashnik's BibTeX and D.E. Knuth and Silvio Levy' cweb (and cwebmerge).

It is intended to be an universal kerTeX distribution since:

1) It uses only C89;

2) The tools to compile or to administrate are a small subset of POSIX.2
utilities. For POSIX compliant systems, it depends on strictly nothing
external;

3) It provides the kernel: for example, LaTeX is not a program but a seti
of macros to be interpreted by TeX (latex is just argv[0] for a version
of virtex(1) instructing TeX to load the precompiled set of macros).
LaTeX can be installed on kerTeX as a package (there are already a
good number of packages for kerTeX), but it runs on the "kernel";

4) For the building framework, it has been organized and simplified and
it is under a BSD like licence, allowing, too, the use in a commercial
offer (it has already happened)---D.E.K.'s programs and others have 
their own licence;

5) Once the "kernel" is installed (hosted), supplementary packages can 
be added and this is the same package on whatever system since it is 
then kerTeX problem and not the hosting system one.

KerTeX is small: the default install (it could be restricted to just
D.E.K.'s work and it would be far less) requests the download of a 10MB
tgz file; needs less than 40MB to compile; uses less than 50MB to
install, the majority of space being occupied by the fonts (generated
at installation time with the programs compiled when the METAFONT
sources are given, or when TFM files are generated from alien
fonts).

For the moment, kerTeX has been, at least at one time, compiled and used
on *BSD, Linuces, MacOSX, Plan9 and Windows (via Interix but a
native built will come soon).

Best,
-- 
Thierry Laronde 
 http://www.kergis.com/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89  250D 52B1 AE95 6006 F40C

Re: How to run Microsoft Internet Explorer on NetBSD?

[Jose Luis Rodriguez Garcia]

>The so-called "Citrix Receiver" ? I've tried it using both Wine and Linux 
>emulation. The Linux version was a huge pain. It segfaulted, whined about SSL 
>/ x509 certificates (so tired of seeing this lately in apps), and had the 
>usual way-too-many-dependencies on a zillion worthless GUI libraries and 
>abstraction layers. Honestly, the Wine version looked like it was going to 
>work up until the last moment when ... it didn't. With Windows apps you can't 
>do much but just shrug when they fail.

I had always the same problem. I have read that the https problem is
resolved installing the crypt32 package (winetricks). But I have been
unable to test it. Explorer 7 and Explorer 8 fails to install.

Explorer 6 installs sucessfully (with crypt32) but crashes with the
SSL problem that you mention.

I  have read some report that may be for Explorer 8 it can help wine
mono/wine gecko native. May be I can try to compile them.

> It seems like the previous ICA client didn't have nearly as much kruft and 
> actually worked. I know I've used it at some point on NetBSD. Of course, that 
> version is probably no longer around. It's too bad, though. IIRC, you could 
> often use older clients with newer Citrix servers.

It is still in pkgsrc : net/citrix_ica version 10.6.115659.

It worked until my company changed the certificates to godaddy. I have
been unable to configure the SSL certificates. I am thinking that it
can be the SSL client doesn't understand the new certificates. Can it
be?

-Swift

On Fri, Jan 29, 2016 at 11:31 AM, Jose Luis Rodriguez Garcia
 wrote:
> I need to use Internet Explorer for access a web from my company:
> Siebel software.
>
> It uses Active X and it only works with Internet Explorer. (They
> haven't activated the mode of Siebel Software for non Microsoft
> browsers).
>
> .It is a application that I must use, very few times.
>
> It is the option that I have used (tested some of them). What option
> do you suggest?
>
> 1- Wine (I have tried it years ago with bad results with Explorer.
> 2- I can access with Citrix, but the citrix client from pkgsrc is very
> old ,and it has problems with certificates of our Citrix Server. I
> have tried to add the certificates without success. I don't know if I
> am doing the right thing, or the citrix client has some problem for
> understand the new certificates.
> 3- VMware.
> 4- Other emulator?

Re: How to run Microsoft Internet Explorer on NetBSD?

[Hal Murray]

swiftgri...@gmail.com said:
> hat 99% of folks who use SSL care about is  _transport_ encryption, NOT the
> chain-of-trust, which I consider to be  fundamentally flawed and broken at
> it's very core.

Without something like a chain-of-trust you don't know that your encrypted 
connection is going to the right site.

A man-in-the-middle can claim to be your bank.  How do you propose verify 
that?

-- 
These are my opinions.  I hate spam.

SSL makes me crazy (was Re: How to run Microsoft Internet Explorer on NetBSD?)

[Swift Griggs]

On Mon, 1 Feb 2016, Hal Murray wrote:

Without something like a chain-of-trust you don't know that your encrypted
connection is going to the right site.


I understand it's design purpose, but I disagree with where the design 
puts that trust. When it comes down to brass-tacks, do you trust Verisign 
is doing what they say they do to verify that the cert holder is the party 
you want to have an encrypted conversation with ? My answer to that 
question is "hell no". I don't trust Verisign or any other corporation 
that would be a CA under our current system. Thus, I think the system is 
flawed.


A man-in-the-middle can claim to be your bank.  How do you propose 
verify that?


Well, the way I understand it, (and I'm probably wrong) but a 
man-in-the-middle would have to be able to break Diffie Hellman unless you 
can force a key update. It doesn't have much to do with the cert being 
presented.  So, I'm not sure that's true (not trying to be difficult or 
troll, just saying). However, I do take your point. Ie.. how do you verify 
the remote party's identity without a trusted 3rd party saying "Yeah, 
that's him" ?  My preferred answer would involve removing the trust from 
the dirtbag corporation and giving it to another entity. Some 
possibilities include:


* A non-profit organization with fewer motives to get in bed with the NSA
  or other corporations.

* A pool or group of trusted users who rate / rank trustability. People
  with a vested interest in getting it right and difficult to pay off or
  bribe.

* Get rid of the trust idea altogether and use some kind of
  physical or manual challenge-response. The genius would be in coming up
  with one simple enough to work, yet maintain security. Do you really
  think folks are clicking on the cert and following the chain of trust
  anyway ? Most users don't even understand it's happening (not good).

I'm not saying that the same issue (authentication of a remote party's 
identity) wouldn't come up in any system you created. However, I am saying 
that SSL has done an exceptionally poor job at...  well... it's job. It's 
over-complicated, apparently quite insecure. So insecure in fact that it's 
been nearly completely broken twice. Each time the fixes have been 
increasingly painful and disruptive enough to warrant asking the question: 
Is SSL really a good system? My experience as a user and admin would 
prompt me to answer "No way, Jose. Start again without the committee."


As an example, PGP was designed well before SSL. PGP has survived all this 
time without any exposures on the order of what we've seen with SSL (it's 
had plenty of coding issues, but no completely-busted algorithm issues). 
It's also quite a bit more simple (and that's kind of my point). 
Complexity is the enemy of security since it only provides more attack 
surface. I would submit that to "secure" is most of the time to simplify.


It's nothing personal against you, Hal, or anyone else. Hopefully, nobody 
here used to work for Netscape or other folks involved with designing SSL. 
I just think SSL was badly designed from the start and I believe the facts 
(the security issues) back me up.


-Swift

Re: How to run Microsoft Internet Explorer on NetBSD?

[Swift Griggs]

On Mon, 1 Feb 2016, Jose Luis Rodriguez Garcia wrote:

It is still in pkgsrc : net/citrix_ica version 10.6.115659.


Ugh. I forgot about that. I need to go back to i386. It fails for AMD64, 
but yeah, it's still a certificate trust-nightmare.


 I used to mildly dislike SSL before it was completely broken by the 
NSA and others. Now, I consider it WAY too complicated to believe in and I 
really hate it. This whole idiocy with "trust" has gone down some road 
where I'm supposed to trust that one dirty corporation (like Verisign) 
believes that another slimey corporation is legit, (and their verification 
steps are easily defrauded/circumvented). What if I fundamentally despise 
both of them and don't trust either one? Then all I am left with is a 
turd-hunt for the latest certificate bundle that XYZ crapware needs to run 
and a bad attitude. What 99% of folks who use SSL care about is 
_transport_ encryption, NOT the chain-of-trust, which I consider to be 
fundamentally flawed and broken at it's very core. However, it's the 
chain-of-trust features that drag down SSL the most. Encryption is hard 
enough to understand & manage without adding in a double-batch of 
committee-based stupidity. Okay, now I'll be over here crying "KISS!" in 
the wilderness if anyone needs me...  :-P 


Also, IIRC, even on i386 (from memory, because I fiddled with it about 6-8 
months ago) it had major issues. The main thing I ran into was that 
without the browser plugin you just get prompted for what to do with an 
".ICA" file when the Citrix portal throws that at you. The package 
compiled & installed, but once I actually tried to use it, I noticed it 
had some other major issues (and it seems like they were more than just 
certificate issues). In fact, IIRC, I think the 'wfica' binary was missing 
some libraries it was linked to, and that was my biggest problem. Check 
your output from: ldd `which wfica`


Thanks,
  Swift

Re: kerTeX: latest D.E. Knuth's sources and mf with X11

[Greg Troxel]

  KerTeX has been updated to the latest D.E. Knuth's sources (tex, mf and
  some auxiliaries). AMS fonts 3.04 are also here.

That all sounds cool, and was a trip down memory lane; I adjusted
metafont input paramaters back in 1990 or so to make fonts look better
on a write-white printer (LN03?).

Is KerTex in pkgsrc?   I realize we have texlive, but it would be nice
to have kertex too.



signature.asc
Description: PGP signature

Re: SSL makes me crazy (was Re: How to run Microsoft Internet Explorer on NetBSD?)

[Hal Murray]

swiftgri...@gmail.com said:
> Well, the way I understand it, (and I'm probably wrong) but a
> man-in-the-middle would have to be able to break Diffie Hellman

How did you get your banks public key?  Without a chain-of-trust you have to 
get it on your own and the man in the middle has a good chance of subverting 
that process.

You aren't the only one who dislikes the current system, but nobody has come up 
with a better plan.  Yet.


> When it comes down to brass-tacks, do you trust Verisign is doing what they
> say they do to verify that the cert holder is the party  you want to have an
> encrypted conversation with ?

Verisign has serious incentives to do the right thing.  If they screwup they 
are likely to go out of business.  The NSA may be able to twist their arm, but 
Verizon or Comcast probably can't.

I think the major certificate issuing companies have various degrees of 
checking.  I don't know the details.  Checking costs money.  I think some of 
the options are serious enough to be appropriate for banks.

If I was going to put serious effort into this area, I'd look into a UI to 
display the chain so I could get convenient reminders about who was signing 
things I used.  Maybe a nightly summary.  Maybe a confirm step if the top level 
signer was strange where I get to maintain a white-list of sites that are 
non-strange for me.


-- 
These are my opinions.  I hate spam.

which dma mode?

[Darren]

Drive states 'using dma'  Which one?And how to I toggle it?
I tried numerous man pages and google before writing here.  

wd0(ahcisata0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 6 (Ultra/133) 
(using DMA)

Re: SSL makes me crazy (was Re: How to run Microsoft Internet Explorer on NetBSD?)

[Miguel C]

On Mon, Feb 1, 2016 at 11:16 PM, Swift Griggs  wrote:

> On Mon, 1 Feb 2016, Hal Murray wrote:
>
>> Without something like a chain-of-trust you don't know that your encrypted
>> connection is going to the right site.
>>
>
> I understand it's design purpose, but I disagree with where the design
> puts that trust. When it comes down to brass-tacks, do you trust Verisign
> is doing what they say they do to verify that the cert holder is the party
> you want to have an encrypted conversation with ? My answer to that
> question is "hell no". I don't trust Verisign or any other corporation that
> would be a CA under our current system. Thus, I think the system is flawed.
>
> A man-in-the-middle can claim to be your bank.  How do you propose verify
>> that?
>>
>
> Well, the way I understand it, (and I'm probably wrong) but a
> man-in-the-middle would have to be able to break Diffie Hellman unless you
> can force a key update. It doesn't have much to do with the cert being
> presented.  So, I'm not sure that's true (not trying to be difficult or
> troll, just saying). However, I do take your point. Ie.. how do you verify
> the remote party's identity without a trusted 3rd party saying "Yeah,
> that's him" ?  My preferred answer would involve removing the trust from
> the dirtbag corporation and giving it to another entity. Some possibilities
> include:
>
> * A non-profit organization with fewer motives to get in bed with the NSA
>   or other corporations.
>
> * A pool or group of trusted users who rate / rank trustability. People
>   with a vested interest in getting it right and difficult to pay off or
>   bribe.
>
> * Get rid of the trust idea altogether and use some kind of
>   physical or manual challenge-response. The genius would be in coming up
>   with one simple enough to work, yet maintain security. Do you really
>   think folks are clicking on the cert and following the chain of trust
>   anyway ? Most users don't even understand it's happening (not good).
>
> I'm not saying that the same issue (authentication of a remote party's
> identity) wouldn't come up in any system you created. However, I am saying
> that SSL has done an exceptionally poor job at...  well... it's job. It's
> over-complicated, apparently quite insecure. So insecure in fact that it's
> been nearly completely broken twice. Each time the fixes have been
> increasingly painful and disruptive enough to warrant asking the question:
> Is SSL really a good system? My experience as a user and admin would prompt
> me to answer "No way, Jose. Start again without the committee."
>
> As an example, PGP was designed well before SSL. PGP has survived all this
> time without any exposures on the order of what we've seen with SSL (it's
> had plenty of coding issues, but no completely-busted algorithm issues).
> It's also quite a bit more simple (and that's kind of my point). Complexity
> is the enemy of security since it only provides more attack surface. I
> would submit that to "secure" is most of the time to simplify.
>
> It's nothing personal against you, Hal, or anyone else. Hopefully, nobody
> here used to work for Netscape or other folks involved with designing SSL.
> I just think SSL was badly designed from the start and I believe the facts
> (the security issues) back me up.
>
> -Swift
>

Sorry to bum in, but are you aware of --> https://letsencrypt.org/ !?

Re: How to run Microsoft Internet Explorer on NetBSD?

[Eric Haszlakiewicz]

On 2/1/2016 3:51 PM, Jose Luis Rodriguez Garcia wrote:
It is still in pkgsrc : net/citrix_ica version 10.6.115659. It worked 
until my company changed the certificates to godaddy. I have been 
unable to configure the SSL certificates. I am thinking that it can be 
the SSL client doesn't understand the new certificates. Can it be? 
Sure, I supposed it's possible.  That is a 9 year old package and lots 
could have changed in the meanwhile.
Were you able to get the new certificate in the right format? (looks 
like the files in /usr/pkg/lib/ICAClient/keystore/cacerts are in DER format)
Do you happen to know what's different about your company's old and new 
certs?  If you look at the details of the cert (e.g. with "openssl x509 
-inform DER -in foo.crt -text") does anything jump out at you as being 
different?


Have you tried downloading a newer version of the client from Citrix's 
site?  I just tried running it, and after the following steps it at 
least seems to start:

  pkgin install suse_locale suse_motif suse_x11
  pkgin install suse_openmotif-10.0nb2
  pkgin install suse_gtk2
  mkdir citrix-ica
  cd citrix-ica
  ar x icaclient_13.1.0.285639_i386.deb
  tar xzf data.tar.gz
  cd opt/Citrix/ICAClient
  export ICAROOT=`pwd`
  ./wfica

I expect that once I get an X server up and running on this machine 
it'll complain about not being able to find the .../etc files, but I 
suspect that might not be too hard to fix (i.e. drop them in 
/emul/linux/etc)


Eric

Re: How to run Microsoft Internet Explorer on NetBSD?

[David Brownlee]

On 30 January 2016 at 20:26, Jose Luis Rodriguez Garcia
 wrote:
> I have tried this other time. (I tried it in the past also without success).
>
> The package is broken, and one file that tries to download from
> Microsoft is not longer available. (mfc42.cab)
>
> After of downloading manually the missing package from web archiv,
> fixing the scripts of ies4linux, it installs Internet Explorer 6.
>
> As always (as mi previous attempts) it fails at the few seconds of
> start the explorer.
>
> Have you tried with some older version of wine that worked better than
> the actual versions?

A few years back I ran up three XP VMs under qemu for occasional use
of IE 6, 7 & 8, and still have them, though I've been fortunate enough
not to need them very much recently. Its not as nice as being able to
have a free floating browser window, and not as performant as a
VirtualBox or xen solution, but its reliable and good enough for my
needs

Re: How to run Microsoft Internet Explorer on NetBSD?

[Swift Griggs]

On Sat, 30 Jan 2016, Jose Luis Rodriguez Garcia wrote:
Does anyone tried a new version of citrix (not the one from pkgsrc) 
client in NetBSD?


The so-called "Citrix Receiver" ? I've tried it using both Wine and Linux 
emulation. The Linux version was a huge pain. It segfaulted, whined about 
SSL / x509 certificates (so tired of seeing this lately in apps), and had 
the usual way-too-many-dependencies on a zillion worthless GUI libraries 
and abstraction layers. Honestly, the Wine version looked like it was 
going to work up until the last moment when ... it didn't. With Windows 
apps you can't do much but just shrug when they fail.


It seems like the previous ICA client didn't have nearly as much kruft and 
actually worked. I know I've used it at some point on NetBSD. Of course, 
that version is probably no longer around. It's too bad, though. IIRC, you 
could often use older clients with newer Citrix servers.


-Swift