Re: confused about updating -current
If you use a snapshot you'll be very close to current and
--- On Thu, 29/4/10, Jacob Meuser jake...@sdf.lonestar.org wrote: From: Jacob Meuser jake...@sdf.lonestar.org Subject: Re: confused about updating -current To: misc@openbsd.org Date: Thursday, 29 April, 2010, 2:59 On Wed, Apr 28, 2010 at 05:05:06PM -0500, Chris Bennett wrote:
A while back on some thread, someone said that they ran -current versions for a long while, updating the ports tree for that snapshot, and could run with that particular -current as long as they liked by adding packages as needed by building with that ports snapshot, rather than using a later ports tree or packages. This seems like it could be a good way to jump forward but not need to constantly update even if a new package is needed, since the ports tree holds proper builds for that snapshot at that time.
If you run current you will likely have very few problems running any packages you like, apart from temporary problems due to being in the middle of ongoing changes, but may have to be prepared to resync and try again. If you run a snapshot or current without keeping up then you may be able to get it to work with a particular package for a few months, years or just a few days/hours, but you may be able to add libraries etc. to buy time. This is not supported because the consequences would be complicated, cannot be checked and are possibly only known to a particular developer, but it may work for you. If you run stable, everything in the stable ports tree should work fine and more of it is being kept up to date. I heard 4.7 will likely keep firefox up to date :-). Server packages such as postgresql are more likely to be kept up to date. If you jump from stable to current/snapshot and the upgrade guide isn't out yet, you may find your pf.conf needs updating, or other problems etc. www.openbsd.org/plus47.html may help you here but will never be as clear as the upgrade guide. It is easy to see what versions packages are at in cvs web or snapshot folders etc.
I'm not sure if you can in stable aside from by building the port?
Re: confused about updating -current
I've written setup scripts (took a while though) for my different systems which will never be as quick as the upgrade process, but I've got it reasonably quick and it means I can keep moving forward like the OpenBSD project does, switch between current, stable and snapshots without a sudden need to spend time on an unexpected install, whilst keeping clean systems and reducing cross contamination (though more likely a concern in a firefox profile etc.). It also means I can run tests easily and set up remote servers with less upload time; the sysmerge code helped me, thanks go to ajacoutot.
p.s. I did some speed comparisons using apachebench and apache on i386 and amd64. I only have one fairly old amd64 system at the mo and plan on more testing later on the server hardware when I have more demand on my server. I found i386 way outperformed amd64 and was going to publish the results, but i386 won on every aspect so there's not much point, and I will try other newer hardware to confirm at some point. I also found whilst the requests per second stayed the same from 4.6 to 4.7 (web page) the throughput doubled (cpu bottlenecked). KeV
Re: confused about updating -current
--- On Wed, 28/4/10, trustlevel-...@yahoo.co.uk trustlevel-...@yahoo.co.uk wrote: I also found whilst the requests per second stayed the same from 4.6 to 4.7 (web page) the throughput doubled (cpu bottlenecked).
Sorry, mistyped that: it was the requests that bottlenecked the cpu, not the throughput, so 4.7 may be faster there too? My old radeon laptop which wouldn't auto configure on X (4.5 I think) now seems to be autoconfiguring too. :-) KeV
How secure is bsdauth with skey one time passwords, by itself.
Google turned up races and dictionary attacks if the skey file is readable. I imagine dictionary attacks via bsd auth would be the only possible known attack on a properly set up system. I am intending to use it as a secondary line of defense, but how secure would skey be as a primary defense? Are the hash algorithms perfectly adequate? Would sha1 or rmd160 be your choice? If a user had a shell via login or exploit and was able to raise privileges to a different user via skey, and so could use all commands including su to use skey, any idea how long it would likely take to brute force at the default settings? Would it be the same time as a standard login (not including the difference, if any, between local and remote script time) and so almost as secure, aside from environment pollution? KeV
Re: OpenBSD culture?
Now I'm seeing new PCs with:
1) Primary partition for the M$ equivalent of /boot
2) Primary partition with the main M$ install
3) Primary partition with the recovery bits.
Install Linux and that 4th primary partition becomes the extended partition. No place for OpenBSD.
You can actually have MANY more than 4 OSes on one drive, but it does get rather complicated and is not worth the effort, which certainly wouldn't help here.
= Your analogy doesn't go far enough. Better: guests in a home being asked for contributions and also being insulted, both by the hosts.
Guess it depends on your recent culture; I can recall many times when me and my mates would insult each other and put money on the table for pizza, though I've never asked them to pay for something I've cooked. But if I had a house full of strangers who could cook what they wanted, I wouldn't last long footing the bill by myself, and you wouldn't blame a chef for the unruly customers, but you could always come back later, ignore them or go to another room. Of course if a stranger insulted me without cause, I'd probably try to make him hit me, so I could hit him back ;-) I guess you saw an opportunity to get something off your chest, but I know you know OpenBSD is more secure, stable and has a lower cost of ownership than Slackware (if you knew how to get it to do what you need with your database) and certainly deserves your support. I doubt you would have used it in the first place if you didn't realise these things.
Re: OpenBSD culture?
If you define freedom by the number of restrictions, then the only free license would be no license at all. Public domain. No copyright. Thus no restrictions. No ALL CAPS notices. Not even crediting the original developers.
So you think that giving people the freedom to know where the code has come from, to allow them to not get conned and not use old, possibly insecure code, and giving them the ability to contribute to the original source of the code and possibly benefit themselves too, is a restriction of freedom? No one will benefit from that. You've said how you think no license is the only free license; how is the GPL more free, because you have to give back the code, which can be good and bad (code contributed and product released v product not released etc.)? You flame but don't offer why you feel that way. Filling this list with stuff that is arguably inappropriate to OpenBSD is one thing, but to say others are not providing reasons when they are probably tired of doing so, and then not giving your own reasons, should be obviously insulting, especially when stating your case so strongly without any case given. Was your intent simply to annoy, or did I miss some mails?
Apache on amd64 or i386 and bsd.mp or bsd.sp
I'm unsure about using i386 or amd64 for an apache/php ssl webserver with relayd and pf running. I may test both as it shouldn't take too long, but I'd certainly like to know what people think. This isn't for a system with a large amount of memory. I imagine I'll need more systems and interfaces before needing 4G, and I can switch quite easily and also move relayd to its own system(s) to scale up. There are external firewalls but they have to be quite liberal on what they allow.
What I'm thinking:
- i386 has more bug searching time under its belt and probably more active users.
- i386 is said to filter packets more quickly according to Henning, though that is based on tests a while back and only for a pure firewall system.
- Attacks may be more likely to target i386.
- i386 has a few more packages, none of which I need to use.
- The compiler may be configured to optimise apache for i386.
- amd64 cpu stack is reversed and so possibly more secure, so if speed is comparable I may as well use amd64.
- If I ever have a need for lots of memory, amd64 will handle it.
What I'd like to know:
1./ Are security related port upgrades such as php and sql almost as prompt on amd64 as i386?
2./ Would you choose bsd.mp or bsd.sp with amd64 or i386?
I realise there's no substitute for real world tests and config checking, but I would appreciate any input. KeV
Best Mail Archive
I noticed the mailing list archives seem to have different levels of content or maybe search mechanism (more found in gmane than monkey.org). What do people think is the best one, the danger being that one could possibly get overloaded if mentioned here? KeV
Re: -current or -stable [was: Not another Browser Question]
I had read the faq many times before asking the question, I admit not just beforehand. I wasn't specific enough about my thought processes and asked too many questions at once, but thanks for all the insights. I've decided to use release when available and switch to current as needed. Out of interest, how many members of the OpenBSD crew constantly track current? Do you mainly do that on testing and development machines? Do you watch for commits and merge those changes into /etc, or keep userland close to current and occasionally sync /etc, or update everything every few days, weeks or months and have a per system tailored update script that maybe uses sysmerge? The faq mentions flag days. I realise that snapshots would avoid this problem, but if I wanted to build a kernel, how would I check if today is a flag day? Thanks KeV
Re: -current or -stable [was: Not another Browser Question]
--- On Thu, 4/3/10, Tomas Bodzar tomas.bod...@gmail.com wrote: From: Tomas Bodzar tomas.bod...@gmail.com Subject: Re: -current or -stable [was: Not another Browser Question] To: trustlevel-...@yahoo.co.uk Cc: misc@openbsd.org Date: Thursday, 4 March, 2010, 14:37 On Thu, Mar 4, 2010 at 12:52 PM, trustlevel-...@yahoo.co.uk wrote:
I had read the faq many times before asking the question, I admit not just beforehand. I wasn't specific enough about my thought processes and asked too many questions at once, but thanks for all the insights. I've decided to use release when available and switch to current as needed.
Why not use the even more trusted and tested code from the cd at release time until one of the few packages I need or one of its dependencies breaks?
Out of interest, how many members of the OpenBSD crew constantly track current?
I meant how often do they sync (every day on i386? I guess it would depend on what they were working on at the time and who with). Do you (anyone) manage /etc separately, watching source commits/changes, or just apply their changes each time it's replaced via script etc., or simply leave it to be updated less frequently than the rest of the system?
The faq mentions flag days. I realise that snapshots would avoid this problem, but if I wanted to build a kernel, how would I check if today is a flag day?
If you are using snapshots then you don't need to build a kernel as you can do binary upgrades from snapshot to snapshot.
I know, I did say snapshots would avoid that problem, but if I want to use an unsupported kernel configuration, how would I tell if it's a flag day, because the source simply won't fetch? Would it just mean a secondary mirror would stay a day or two old etc.? p.s. I always keep a GENERIC around anyway. Thanks KeV
Not another Browser Question
Hey all. Please don't dismiss me because what I have been doing is unsupported until you've read a little; I do realise you do far too much for too little as it is, and when I make enough money I'll hopefully become a donator and regular merchandise/cd buyer. Whilst the subject of firefox on current is covered, and I understand to a reasonable degree why firefox only has the bugfixes in current when the tree is open, and don't have the time right now to look into backporting (which I imagine will be rather difficult for such a large port, especially in meeting ports standards), I feel the info currently in the mailing list archives could be more complete to enable me and others to make more educated decisions. I've been running stable and have had the current firefox running seemingly without problems (maybe for months at a time, and then obviously it will break at some point and you upgrade, and then it may be days, weeks or, if you're lucky, months before the build breaks and dependencies go too far out of sync). I imagine the answer is to install stable, keep going for as long as possible until firefox breaks, get a snapshot and test it, upgrade to that snapshot when needed and install the latest firefox port. Or just sync with current every month and make a backup before upgrading.
=== I do have a few questions however.
How much security would you lose by using, say, the opera linux browser or linux firefox and installing the linux libs, keeping an eye on libc6 vulns and others, compared to the openbsd firefox with pro police patches etc.? How often might these patches protect you from current vulnerabilities in firefox, usually in javascript, so I imagine not often, but then you can just turn jscript off? I currently disable linux support when I don't intend to use it. It's quite a good feeling, reading the latest vulnerability measures or stability problems, knowing you avoided it through a necessity policy. ipv6 + pf springs to mind, of many.
(happens far less on OpenBSD of course, but just using OpenBSD gives that feeling when reading about Linux :)
Does anyone have any info about the Miros mirzilla firetapir port which is said to build for openbsd and be kept up to date??? Searching shows up nothing but a few Miros pages and it's not installed on their livecd, which wouldn't boot anyway. I also tried to find what the dispute between Theo and the Miros project leader was but couldn't find much.
What browser (perhaps a simple open source one) would you use for important stuff full stop, or whilst firefox has vulns? I know this question has been asked before, so have there been any new ones come on the block? Dillo, w3m and lynx seemed popular on the lists. I'm sure I installed a graphical w3m but haven't really tried it yet.
What's the most secure way of running java support occasionally within a browser on openbsd and making sure it is disabled for the rest of the time?
Does anyone have any tips on getting good rendering speed in browsers on graphic laden sites? I read on this list that now the ati driver has been open sourced it is quite decent on openbsd. I'm guessing that doesn't include older ati graphics chips in old laptops?
I think that's more than enough questions now. Thanks for your time, KeV
Re: Not another Browser Question
On Tue, 2 Mar 2010 10:28:39 -0800 J.C. Roberts list-...@designtools.org wrote: On Tue, 2 Mar 2010 10:44:38 + (GMT) trustlevel-...@yahoo.co.uk wrote:
The short answer is painfully simple; if you're running OpenBSD as your desktop/laptop and you have a clue, then run just -current.
You're right, I must follow the crowd and appreciate how well the current packages are kept up to date. It was just a let down after managing to apply updates for nearly a year to have it break just after my new image was installed. That was a while back. I've been busy. I've already downloaded a snapshot for my desktop, but it shows how much development goes on: I struggled to get the same checksums from more than one server.
These days, the -stable branch still exists primarily due to historical precedence for people unwilling to update their thinking.
I'm still going to stick to stable for my servers, especially now with port updates for the more maintainable and server oriented packages like php. I've read a few times you should buy the cd because theo and close friends do a level of code audit before release. I imagine with many people running stable they are also more likely to spot activity due to a trojan, and it would be harder to get one onto any server or easier to spot, however unlikely.
Support for running binaries from other systems exists because it can be very useful when you don't have any other choice. Though it was much more of a problem a long time ago, there are still rare situations where running alien binaries can still be useful. In general, it is extremely rare to find the required Darn Good Reason (DGR) to enable compatibility with binaries from other systems, and you should avoid it if at all possible. The only viable reason/excuse to turn on binary compatibility is when you cannot find a suitable replacement for a closed source, proprietary application that you absolutely *must* have. Sorry. A web browser doesn't meet the requirement of having a DGR.
Although Opera is a nice browser, there is no compelling reason to run an unknown, untrusted and unaudited binary from them.
To be honest I totally agree; this was more out of interest about people's views on the patches' effectiveness against browser vulns, and possibly what was best as a stop gap until upgrade of current or stable.
Does anyone have any info about the Miros mirzilla firetapir port which is said to build for openbsd and be kept up to date??? Searching shows up nothing but a few Miros pages and it's not installed on their livecd, which wouldn't boot anyway.
Never heard of it.
Neither had I. I thought it was an official project, but there's nothing to be found aside from on the miros site. All I found was something about making it easier to port, but I got the feeling it may be antiquated; of course that might be a good thing (simpler), aside from lacking ogg theora (if you use it, but flash is almost always insecure), but I still have no idea about mirzilla tapir (weird name).
I also tried to find what the dispute between Theo and the Miros project leader was but couldn't find much.
Why drag it into a public discussion? --If you really must know, ask them directly and privately, but realize it's probably none of your business so you'll probably be ignored.
Fair enough, no need to know. The motivation was to stop me investigating miros and save me time because of what theo had disagreed with, expecting I would also disagree. I wouldn't waste his time; if he thinks it's worth me knowing he could mail me, but I guess, if it was worth knowing, it would be on the net already.
http://www.openbsd.org/faq/faq8.html#Browsers Try things out to find what *you* like. As for new browsers, you might want to check the new xxxterm. http://marc.info/?t=12670728733r=1w=2 I haven't had a chance to look at it yet, but considering the source, it's probably a winner.
I'll check it out, nice one.
What's the most secure way of running java support occasionally within a browser on openbsd and making sure it is disabled for the rest of the time?
The most secure way to run java from the web in a browser is to uninstall java completely. Similar is true for javascript, but it's much more difficult to get rid of it. For those who want to regurgitate the typical lies about supposed security being provided by sandboxes or virtual machines, you've got your head up your ass. They can be broken. Worse yet, you don't even need to break out of them to do a whole lot of malicious things. There is really only a single rule in computer security; If someone can run their code on your system, then it's not your system.
I couldn't agree more. You may have noticed I'm using yahoo classic because I don't want to use javascript and want to make sure my non aliased email address is not printed on the internet (yahoo seems to only allow my alias out in webmail?). I've ranted about javascript being used for
Apache Firefox and Ogg Theora (Byte-range requests)
Hi,
The Question first (may save time): I've seen examples of earlier versions than Apache 1.3.29 said to be working with byte-range requests. Has anyone got byte-range requests to work with openbsd without using php code, or know how this can be done, or whether it works by default?
The Story: I've had some problems with my web host, or rather they have had problems (ssl key stuck and ssh has been disabled for over a month now???), and so I have been creating an image for a dedicated web server with the default apache 1.3 to give me more control and security. Everything was going well and I was about to move onto performance testing and pf optimisation. I then found that my .ogv video files were causing a connection loop even when loaded via a direct url. This doesn't happen in firefox 3.1b3 but does in firefox 3.5 alphas. In firefox 3.1b3 the seeking didn't work but the video played. The mimetype is being provided by apache. Ogg video also works in Opera 10.50 beta, probably because it's not fully implemented as per the w3c recommendations yet, as I would guess for firefox 3.1b3. I've since learned via sniffing, curl and the http headers that byte-range requests are being ignored (hence no seeking) and the whole file is delivered via a 200 response rather than the portion requested via a 206 response, as works with the same httpd.conf configuration on Linux Apache 1.3. After investigating if any packets being dropped were the cause, due to wireshark indicating dropped packets (just wireshark I think, with looped connections (1000s of packets in seconds)) and giving the message "tcp segment of a reassembled pdu", I tried running curl on the loopback of the openbsd box and reviewing the apache config and the source code (a little) and also network settings, but without any luck in getting byte-range requests to work. It looks like I may have to drop support of native firefox video, something I have great support for with the security nightmare of flash.
I could also try apache2, which I would rather not, as I have read the openbsd apache is heavily modified and audited and ports well tested and ready to go.
The Question (Again): I've seen examples of earlier versions than Apache 1.3.29 said to be working with byte-range requests. Has anyone got byte-range requests to work with openbsd without using php code, or know how this can be done, or whether it works by default?
Byte-range support can be tested with the following, if you have curl installed and apache enabled, or know of openbsd served websites:
/usr/local/bin/curl --range 3-5 http://www.openbsd1.3server.org/filelargethan5bytes > /dev/null
Output = received 3 bytes
/usr/local/bin/curl --range 5-800 http://www.openbsd1.3server.org/filelargethan800bytes > /dev/null
Output = received 796 bytes
Thanks for any help, KeV
== After an exploit in smoothwall and a mountain of LiveCDs and pdfs, an install of netbsd and trustix, I was finally stunned by OpenBSD (a real element) and rarely look back.
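The curl test above only shows the byte count. An added example (not from the post, and not OpenBSD's or Apache's code) that makes the same check programmatically: it sends one Range request and reports whether the reply was a 206 with a Content-Range header and exactly the requested number of bytes, or a 200 with the whole file, which is the "range ignored, no seeking" case described in the post. So it runs offline, it also includes a small local HTTP handler that can be switched between honouring and ignoring Range; the 2048-byte body, the host/port/path and the handler are all constructed for the demo, and a practitioner would point check_range() at a real server instead.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the .ogv file in the post: 2048 bytes, byte value = offset mod 256.
SAMPLE_BODY = bytes(range(256)) * 8


class RangeHandler(BaseHTTPRequestHandler):
    """Tiny demo origin. honour_ranges=True answers a single 'bytes=a-b' Range
    with 206 + Content-Range (what seeking needs); honour_ranges=False ignores
    the header and ships the whole file with 200, mimicking what the post saw."""
    honour_ranges = True

    def do_GET(self):
        body = SAMPLE_BODY
        rng = self.headers.get("Range", "")
        if self.honour_ranges and rng.startswith("bytes="):
            first, last = rng[len("bytes="):].split("-", 1)
            start = int(first)
            end = min(int(last), len(body) - 1) if last else len(body) - 1
            if start >= len(body) or start > end:
                self.send_response(416)  # Range Not Satisfiable
                self.send_header("Content-Range", "bytes */%d" % len(body))
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            chunk = body[start:end + 1]
            self.send_response(206)
            self.send_header("Content-Range", "bytes %d-%d/%d" % (start, end, len(body)))
        else:
            chunk = body
            self.send_response(200)
        self.send_header("Accept-Ranges", "bytes")
        self.send_header("Content-Type", "video/ogg")
        self.send_header("Content-Length", str(len(chunk)))
        self.end_headers()
        self.wfile.write(chunk)

    def log_message(self, *args):
        pass  # keep the demo quiet


def check_range(host, port, path, start, end):
    """Send one Range request and report whether the server honoured it.
    'honoured' means 206 status, a Content-Range header and exactly
    end - start + 1 bytes; a 200 with the full body means Range was ignored."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"Range": "bytes=%d-%d" % (start, end)})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    expected = end - start + 1
    return {
        "status": resp.status,
        "received": len(data),
        "content_range": resp.getheader("Content-Range"),
        "honoured": resp.status == 206
        and resp.getheader("Content-Range") is not None
        and len(data) == expected,
    }


def _serve(honour):
    handler = type("Handler", (RangeHandler,), {"honour_ranges": honour})
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo(start=5, end=800):
    """Run the same check against a range-aware and a range-ignoring server."""
    results = {}
    for label, honour in (("range-aware", True), ("range-ignoring", False)):
        srv = _serve(honour)
        try:
            results[label] = check_range("127.0.0.1", srv.server_address[1],
                                         "/clip.ogv", start, end)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

With the post's range of 5-800 the range-aware server returns 206 and 796 bytes (the same count the curl test expects), while the range-ignoring one returns 200 and the full 2048 bytes; a browser that relies on seeking will keep re-requesting against the latter, which is the connection loop the post describes.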