On 1/6/23, Xin Li wrote:
> Security team has discussed this a decade ago. See
> https://www.miknet.net/security/skey-dungeon-attack/
> for technical details.
That would mean that FreeBSD knowingly left users exploitable without
doing even the "easy fix" in that article to the opie code for over
On 1/5/23, Graham Perrin wrote:
> I recall the original email
Orthogonal as it, and some notes since neither consider any
potential gap issue or/of any perhaps whimful removal process,
nor moves forward on any of potential better alternatives to that
which were hint (port) a bit in posts even bef
>> looks like the "make delete-old-libs" has deleted that lib pam_opie.so.6
>> and now I cannot pass the login prompt
>> says the error "pam_opie.so: not found
>> how can I get it back? I tried everything and nothing brought it back
> commit 0aa2700123e22c2b0a977375e087dc2759b8e980
> Differential
Again, FreeBSD should not be including the bundle in base, if users
choose to, they can get it from ports or packages or wherever else.
Including such bundles exposes users worldwide to massive risks.
You need to do more gpg attestation, pubkey pinning [1], tofu, and
cert management starting from e
> What is the current state of support for Alder Lake CPUs
Some opensource support and tools for managing certain
aspects of Alder Lake should be appearing before long...
https://www.tomshardware.com/news/intel-confirms-6gb-alder-lake-bios-source-code-leak-new-details-emerge
On 9/15/22, Dag-Erling Smørgrav wrote:
> Neither HOTP nor TOTP require dedicated devices.
> HOTP codes are sequential and can be pre-generated...
Those aren't really their intended or advertised usage models,
nor do common implementations support those modes.
Is FreeBSD contributing and supplying
On 9/15/22, Dag-Erling Smørgrav wrote:
> I will be removing OPIE from the main branch within the next few days.
> It has long outlived its usefulness. Anyone still using it should look
> into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator).
> https://reviews.freebsd.org/D36592
A
On 8/nn/22, yet top-posted:
> [snip]
https://www.idallen.com/topposting.html
> https://github.com/freebsd/freebsd-doc/blob/main/documentation/content/en/books/handbook/eresources/_index.adoc
>
> FreeBSD Handbook: Appendix C: updates and corrections
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264754
>
> I'm glad that HTML is supported.
No, people should not be sendi
>> the “> ;†and leave empty lines between your text and the original
> Seems there is a charset mismatch.
> MUA displaying nonsense
> Oh the joy of UTF-8... ;-)
https://unicode-table.com/en/sets/quotation-marks/
The pages ...
https://docs.freebsd.org/en/books/handbook/eresources/#eresource
Around 6/2x/22, Many rammed their horribly formed
msgs upon others to parse:
> [Subject: MCE: Does this look possibly like a slot issue?]
> [snip]
Attention all list users...
Stop top-posting and bulk-quoting.
Just stop.
Go search and learn about and use the email post formatting netiquette.
For
Yes, some USB hw is very flaky,
but ZFS can work great on these...
https://www.youtube.com/watch?v=7z526m1jvls
https://www.youtube.com/watch?v=dougISKs2vQ
https://vimeo.com/13758987
https://www.youtube.com/watch?v=1zIoK_9UzHk
> Feb 6 11:56:43 alice kernel: (da0:umass-sim1:1:0:0): READ(10). CDB: 28
> 00 36 69 02 6e 00 00 80 00
> Feb 6 11:56:43 alice kernel: (da0:umass-sim1:1:0:0): CAM status: CCB
> request completed with an error
> Feb 6 11:56:43 alice kernel: (da0:umass-sim1:1:0:0): Retrying command,
> 2 more tries r
Replace FTP with IPFS.
Adopt distributed cryptosystems today :)
> Maybe you missed something - you cannot change flags when your system
> has security level (kern.securelevel) raised above 0.
Nobody missed that since anyone can
easily install default freebsd and observe...
$ sysctl kern.securelevel
kern.securelevel: -1
SECURITY(7) - introduction to security
Flags are not security since root will bypass everything.
While some may beg for anti-footshooting,
where might that cry end up... chflags -Rhx schg / .
Nor should freebsd fill that role when local admins
know best for and given their own individual environments.
If local tendency is to run aro
> No. The system shell is supposed to make the system usable
> by the users. Actually, the real problem is that the easiest way
> to shoot one's own foot is by changing the language (say, the
> shell) spoken by default by FreeBSD.
Well, the FreeBSD system speaks sh for its own use, this is clearly
The system shell really only needs to support the
language of the shipped scripts of the base tooling
such as rc subsystem.
If those were someday written in Greek, then the shell
serves alone, the most common expectation of any "unix"
to have there seems to be an "sh", from which users can
further c
> propose to make it the default shell for root starting FreeBSD 14.0-RELEASE
Make it so.
The whole rest of rc, pkg, base scripts and subsystems use a lot of sh, not csh.
So this is a good compatibility, consistency, and gotcha-removing update,
needed for decades.
Even "bash" is a majority spoke
On 4/17/20, Ryan Moeller wrote:
>
>> On Apr 17, 2020, at 4:56 PM, Pete Wright wrote:
>>
>> On 4/17/20 11:35 AM, Ryan Moeller wrote:
>>> OpenZFS brings many exciting features to FreeBSD, including:
>>> * native encryption
>> Is there a good doc reference on available for using this? I believe th
There is also this useful and efficient form of archive/mirror to include
in the update so that it does not remain broken for too long...
https://lists.freebsd.org/pipermail/freebsd-questions/2021-June/294104.html
https://lists.freebsd.org/archives/freebsd-hubs/2021-June/00.html
[cc'd for fyi, trim replies to arm]
>> https://www.pine64.org/pinephone
>> https://en.wikipedia.org/wiki/Librem_5
>> NXP i.MX 8M Quad core Cortex-A53, 64bit ARM
>>
>> https://puri.sm/products/librem-5/
>> https://en.wikipedia.org/wiki/PinePhone
>> Allwinner A64 ARM Quad core Cortex-A53
>>
>> https
FreeBSD Phones...
https://en.wikipedia.org/wiki/Librem_5
NXP i.MX 8M Quad core Cortex-A53, 64bit ARM
https://en.wikipedia.org/wiki/PinePhone
Allwinner A64 ARM Quad core Cortex-A53
https://www.youtube.com/watch?v=c32-QOrI4cw
https://www.youtube.com/watch?v=fCKMxzz9cjs
https://www.youtube.com/watc
> is in true GBs
"true" is not a modifier of any prefix or unit in any standard,
though false GB are what's reported by USB firmware in
cheapo USB drives from some sketchy vendors ;)
> 4.5 GigaBytes means 4.5 GiB.
45 does not equal or "mean" 4831838208.
International Standards IEC (re I
> Why is it that the project can't continue to operate the SVN server in
> addition to Git, gatewaying with -current as is being done with 12-stable?
> As a developer, I definitely need monotonic revision numbers and reliable
> dates when I'm trying to troubleshoot a regression. I understand tha
>> Though it can help attribute that to a source,
Meaning to source 'account', vs say weak old CVSROOT
that any could text edit on 200 account box, claim bitrot, etc.
Whether inspiration came from the pet dog's bug report
is moot, more secure systems narrow into accounts that
would then be examine
> No amount of cryptography can or will protect against that.
Though it can help attribute that to a source,
else ignore rainbow books and go back to telnet,
root password 'root', CVS, no backups, logs, etc.
> As interesting as this thread has been (not!)
Contrare.
Equally as interesting as thre
> There is already HTTPS to protect the "authenticity" of the magnet
> link.
No. FreeBSD fails to publish signed fingerprints of their TLS pubkeys,
therefore users can't pin them down, therefore any MITM can bypass
CA game and MITM attack users at will, feed them bogus infohash,
isos, git repo tof
>> SHA-256 arrives, if you look at the git history.
> git's SHA-256 [...] requiring a super new git version to even test it out.
It's "in" current release 2.30.0 and before, duly caveated as experimental
and not fully featured yet...
git-init(1)
--object-format=
Specify the giv
> We do have most of the keys in docs/share/pgpkeys/ plus history.
https://git.kernel.org/pub/scm/docs/kernel/ksmap
https://git.kernel.org/pub/scm/docs/kernel/pgpkeys
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo
> loss of continuously increasing revision numbers
git rev-list --count HEAD
git describe --tags / parent
Plus a bunch of similar ways to do it,
from different points, in different formats,
search internet for them all... git revision version numbering...
Some deploy structured metadata in tag s
>> I mainly asked because GitLab seems to offer a richer toolset IMHO.
>
> The project is publishing many places, and will use features of the places
> it publishes as it refines the future workflow. The different
> mirroring/hosting services offer different features and it's not yet clear
> how we
>> A full comparison would also want to note and point to
> My ipf work is documented at https://wiki.freebsd.org/IPFilter.
So links to works / pages like that from the bsd's could
also be included in the comparison wiki.
> in reaction to the license
Yes, license matters, and woe the history.
> It's hardly deprecated in NetBSD. Christos Zoulas and I have exchanged a
> fair bit of code.
>
> Darren Reed released and maintained IPF through the Australian National
> University. NetBSD imported it, like we do here at F
>>> What's the "best" [1] choice for firewalling these days
>>> There's pf, ipf and ipfw.
>>
>> This question comes up over years.
>>
>> Consider starting and joining with people to create
>> a comparison page on the FreeBSD Wiki,
>> both a feature / capability comparison table,
>> and contextual paragr
> What's the "best" [1] choice for firewalling these days, in the list's
> opinion?
> There's pf, ipf and ipfw.
This question comes up over years.
Consider starting and joining with people to create
a comparison page on the FreeBSD Wiki,
both a feature / capability comparison table,
and contextu
Possibly check ForwardX11Timeout .
On 9/6/20, Kevin Oberman wrote:
> On Sat, Sep 5, 2020 at 8:04 PM Yoshihiro Ota wrote:
>> Is "403 Forbidden" an intended response for a browser access to
>> http://pkg.freebsd.org/FreeBSD:12:i386/ nowadays?
>>
>> I used to see available packages with a browser and decided which one to
>> use.
Some m
> The underlying initializing 'git init' commit hash must be
> signed by security officer key having sufficient human PGP-WoT.
>
> Git also supports sha-256 soon now, adoption should
> be researched from various online article series and
> work product before committing plans...
> https://lwn.net/A
On 9/1/20, Shawn Webb wrote:
> I'm curious if there's any plans for read-only access over ssh.
> Trusting FreeBSD's ssh key material is likely easier than trusting
> HTTPS in certain regions.
A bit moot when such key materials of all services, and repos,
and ticketing, and reviews, and builds, an
The underlying initializing 'git init' commit hash must be
signed by security officer key having sufficient human PGP-WoT.
Git also supports sha-256 soon now, adoption should
be researched from various online article series and
work product before committing plans...
https://lwn.net/Articles/82335
Thanks go to all the ongoing teams working the
things like gpgpu / compute, and graphics,
whether on-cpu-die or on-pci-card.
And even some things like BSD on Pinephone too.
https://www.pine64.org/pinephone
List users please adhere to email formatting netiquette
and *stop* blockquoting massive amounts of reply text,
it is not necessary, trim it out leaving only the few lines
of what you are replying to directly above your reply.
People appear to be talking about using and
"authenticating / verifying" TLS certs now with at least
perhaps this NFS, and certainly with other apps.
If so, it's required critical thing for the admins and users to have
the option to pin the certificate pubkey fingerprints in four ways...
- Ignore
>> would be really nice also to get UEFI BOOT compatible with SECURE BOOT
>> :-)
>
> Unless you are using your own BIOS, the above means getting Microsoft
> to sign boot1.efi or similar. Shims that simply work around lack of
> acceptable signature don't help.
As before in this thread, some motherb
On 10/4/19, Igor Mozolevsky wrote:
> On Fri, 20 Sep 2019 at 22:01, grarpamp wrote:
>>
>> For consideration...
>> https://lists.freebsd.org/pipermail/freebsd-security/2019-September/010099.html
>>
>> SVN really may not offer much in the way of native
>>
Although somewhat different from the virtualization part of the subject, both...
- AMD (Secure Memory Encryption, and Memory Guard) on
both EPYC and Ryzen Pro today
and
- Intel (Multi Key Total Memory Encryption) likely on Xeon
in the near future
... also do seem to have some OS dependent bits
>> Just whose secure keys do you suggest? I go to a lot of trouble to disable
>> secure boot so I can load any operating system I want.
Some motherboards have BIOS that allows you to both
- Upload your own keys
- Delete all the spooky Microsoft keys
Read the UEFI Secure Boot specification documen
https://developer.amd.com/sev/
https://github.com/AMDESE/AMDSEV
https://arstechnica.com/gadgets/2019/08/a-detailed-look-at-amds-new-epyc-rome-7nm-server-cpus/
http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf
https://libvirt.org/kbase/laun
On Thu, Oct 12, 2017 at 11:15 AM, John Baldwin wrote:
> In this case the panic is separate from the LOR, and
> for a panic we really
> need the panic message in addition to the stack trace.
With release kernels stack trace appears with this
message, then it sits in ddb, forget how to print panic
On Wed, Oct 11, 2017 at 5:18 PM, grarpamp wrote:
> Let 12.0-current r324306 amd64 efi boot from usb to installer screen,
Another way to trigger this one is
boot snapshot install media single user verbose
mdmfs -s 10m md /mnt
umount -v /mnt
[LOR stack backtrace, remains usa
Let 12.0-current r324306 amd64 efi boot from usb to installer screen,
try to write zeroes to an unallocated part of ada0, mount -uw a
separate part of ada0 ...
1st 0xc5ce5f0 ufs kern/vfs_mount.c:1274
2nd 0xc565b78 devfs ufs/ffs/ffs_vfsops.c:1414
db_trace_self_wrapper
vpanic
kassert_panic+0x126
g_
FYI two repeatable LOR's...
Let 12.0-current r324306 amd64 efi boot from usb to installer screen,
do nothing but hit ctrl-alt-del...
1st 0x7f028e0 filedesc structure kern/sys_generic.c:1490
2nd 0x7da8068 devfs kern/vfs_vnops.c:1524
Let 12.0-current r324306 amd64 efi boot from usb to installer sc
I looked through these pages and did not see
an option to bind the resolver query from a specific
IP address (as in the case where you have multiple
interfaces and/or alias addresses and wish to pick
one instead of the default route).
resolver(3)
gethostbyname(3)
resolver(5) [resolv.conf]
You cou
> https://lists.freebsd.org/pipermail/freebsd-security/2013-October/007226.html
http://www.freebsd.org/news/status/report-2013-07-2013-09.html#AES-NI-Improvements-for-GELI
http://www.freebsd.org/news/status/report-2013-07-2013-09.html#Reworking-random(4)
>> sgk
>> So, I decided to test FreeBSD-10 under a user desktop condition. In
>> so doing, I upgraded the circa August 2012 FreeBSD-current that ran
>> on my Dell Latitude D530 (which ran rock-solid) to top-of-tree. This
>> included re-installing all ports under the pkgng paradigm.
> phk
> First
> When was the last time anybody tried that with a FreeBSD release ?
Routinely :) Often archiving piles of floppies as images too.
Imagine the legacy gaming crowd does this as well to use, while preventing loss.
Also, fdformat(1), fdcontrol(8), fdread(1), and fdwrite(1) are important
complementary
I commonly use mfs for /var and /tmp.
Sometimes even symlinking /var/tmp -> /tmp to save ram.
Mostly because I want nothing leftover in them on boot, and it's fast.
rc/mtree/etc takes care of populating them.
/, /boot, /usr and /usr/local are read-only.
[nsswitch host.conf still needs fixed to d
In the past, I've used the ftp cdrtools pkg (made from the
port of course) and it failed to work. It's a popular tool so my
machine was probably out of sync. Same with burncd. However,
compiling the current cdrtools source worked fine. So I'd try
that first, compare, and send up a bug if need be.
Hi. I have many dependencies on CVS that I 'need' 'out of the box'.
Yet at the same time, I would not mind at all if it went to ports.
In fact, and from a general position regarding all third party apps,
I encourage it.
Mostly because they are not authored or maintained by FreeBSD. Yet
they are in
> Why on earth would you want this?
Hi. Since your quote of my note was not to the original,
I'll repost it here. Kurt Lidl also posted useful situations
on these lists. Also, being able to have time tick backwards
in jails could be interesting fuzzing too :-) Enjoy.
Would be nice to be able to
> possibly achievable in libc?
I don't know. Where else would it be done?
stat, utimes, gettimeofday, clock_gettime,
adjtime, etc and their variations.
I've not checked what currently happens, but I
don't think root in a jail should be able to set
any kernel time parameters, absent a syscall
that
Sysinstall is fine, as I'm sure any replacement will be. So I'll
just note a few things I'd like to see in any such replacement...
1 - I used install.cfg's on floppies to clone systems, a lot. Hands
on the box were needed with that. Operators skills were in question,
so having them use the dialog
Wanted to say thank you for those working on keeping ZFS up to date :-)
Are all the non-FreeBSD specific fixes being made by the FreeBSD team
being punted back up to the [Open]Solaris folks so that they may include
them in their native ZFS... and thus trickle back down to FreeBSD, thereby
minimizi