Re: contributing

2014-11-16 Thread Ingo Schwarze
Hi Eric,

Eric Furman wrote on Sun, Nov 16, 2014 at 11:40:49PM -0500:

> OpenBSD's man pages are fantastic, but one area I have
> noticed that could be improved is that some entries could
> benefit from having more and/or better examples of use.

That is true.  Not all manual pages are short of examples, but many
are, and some examples can be improved.  People knowing areas well
such that they can distinguish good usage from cumbersome idioms
and such that they know what is important are welcome to submit
patches.

If somebody with less experience has problems understanding some
particular aspect of some particular manual and thinks that an
example might help, saying so on this list can also be helpful
because people knowing an area well often overlook problems that
less experienced users may face.

Yours,
  Ingo



contributing

2014-11-16 Thread Eric Furman
OpenBSD's man pages are fantastic, but one area I have
noticed that could be improved is that some entries could
benefit from having more and/or better examples of use.



Re: Postfix SASL auth problem in OpenBSD 5.6

2014-11-16 Thread Philip Guenther
On Sat, Nov 15, 2014 at 7:00 AM, giacomo  wrote:
> Recently I have upgraded my system from OpenBSD 5.4 to 5.5 and 5.6.
> In the old system I installed the port of Postfix with SASL and MySQL support.
> In 5.4 the program worked fine. After the two upgrades with the same
> configuration I have a problem with authentication.

What crypt(3) format was used for the passwords?

In OpenBSD 5.6, support for MD5-style passwords where the hashed
password starts with $1$ has been removed.


Philip Guenther
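
A check for the $1$ case described in the reply above, as an added example that is not part of the original message or of OpenBSD: it reads an export of stored password hashes and lists the accounts still using the MD5 format. The "user:hash" input format, the function names and the sample values are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: find accounts whose stored crypt(3) hash uses the
# MD5 "$1$" format. Assumption: the hashes were exported one per line
# as "user:hash" (for instance from the table the SASL lookup reads).

# Map a crypt(3) string to the scheme named by its "$id$" prefix.
classify_hash() {
    case "$1" in
        '$1$'*)           echo md5crypt ;;
        '$2'[abxy]'$'*)   echo bcrypt ;;
        '$5$'*)           echo sha256crypt ;;
        '$6$'*)           echo sha512crypt ;;
        '$'*)             echo unknown ;;
        '')               echo empty ;;
        *)                echo no-prefix ;;  # no $id$ prefix, e.g. traditional DES crypt
    esac
}

# Read "user:hash" lines on stdin; print the users whose hash is md5crypt.
# Blank lines and lines starting with '#' are skipped.
md5crypt_users() {
    while IFS=: read -r user hash; do
        case "$user" in ''|'#'*) continue ;; esac
        if [ "$(classify_hash "$hash")" = md5crypt ]; then
            printf '%s\n' "$user"
        fi
    done
    return 0
}

# Constructed sample export; the hash bodies are placeholders, not real hashes.
sample_export() {
    cat <<'EOF'
# user:hash
alice:$1$SALTSALT$PLACEHOLDERPLACEHOLDER
bob:$2a$08$PLACEHOLDERPLACEHOLDERPLACEHOLDER
carol:$1$OTHERSALT$PLACEHOLDERPLACEHOLDER
dave:$6$SALT$PLACEHOLDER
EOF
}

# Example run: lists the accounts that need their password re-hashed.
sample_export | md5crypt_users
```

Accounts it lists cannot be converted in place, because the stored value is a one-way hash; they need a new password set in a supported format.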



Re: bridge + vlan broke after 5.5 > 5.6 upgrade

2014-11-16 Thread James A. Peltier
- Original Message -
| > On 4 Nov 2014, at 06:41, Pieter Verberne  wrote:
| > 
| >> On 2014-11-02 13:51, Jorge Schrauwen wrote:
| >>> Hey All,
| >>> TL;DR: traffic leaving a bridge over a vlan does
| >>> not get tagged but leaves untagged after upgrade.
| >>> Is this by design?
| >> Looks exactly like my problem. Running 5.6 release.
| 
| bridge(4) puts frames on the wire by calling the outgoing interfaces start
| routine, which in this case is vlan_start() because you're bridging vlan(4)
| interfaces.
| 
| mpi@ and weerd@ correctly identified the diff where henning@ changed
| vlan_start(). he assumed that ether_output is always called before
| vlan_start, and moved the tagging code into ether_output to make injecting
| the vlan tag more streamlined.
| 
| bridge obviously breaks this assumption cos it just shoves the packet into
| vlan_start() which then just shoves the packet onto the parent interface.
| 
| i have a massive headache and sleep deficit right now so im not going to
| suggest a way to fix this.
| 
| dlg
| 
| 

Was a fix for this applied to current or -STABLE?

-- 
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
Twitter : @sfu_rcg
Powering Engagement Through Technology



Re: patch for FAQ14

2014-11-16 Thread Nick Holland
On 11/16/14 16:09, Stuart Henderson wrote:
> On 2014-11-16, Daniel Jakots  wrote:
>> Hi,
>>
>> I wanted to add some content to FAQ14 but I saw some errors there, so
>> first I corrected them.
>>
>> The problems are 
>> - No 14.13
>> - No 20.2
> 
> That's intentional, we don't generally do a bulk renumbering if a section
> is removed.

yes...for a number of reasons...not just that I'm a lazy bum.  A lot of
sections I think of by number, not just by name...and sometimes it is
nice to be able to insert a new section near where other sections are
already in place without renumbering everything else.

I do not want the renumber at this time...when I do, you will know
(because I'll have done it. :)

>> - 14.5.*, 14.17.* and 14.20.* are not linked in the "Table of Contents"
> 
> It's probably worth splitting that out to a separate diff, I'm not
> sure what Nick@ will think but that seems reasonable to me.
>
>> Also what's the policy about giving numbers (like 14.5.1)? Because they
>> are assigned to "h3" heading tags, but not all "h3" are numbered.
> 
> I'm not sure about that.

For both the TOC and section numbers, no firm rule...the question is
mostly one of "stand-alone-ability" -- If someone might be interested in
the subsection without recognizing it as part of the parent section,
then yes, it should definitely be broken out. If subsections are
entirely dependent upon the parent section, probably not.  And the TOC
at the top of the page shouldn't be overly large, but should be useful.

However, look at this kind of work just like coders look at KNF
(style(9)) work.  Coders do KNF as part of READING THE CODE looking for
problems...and they find formatting errors and fix them to make the code
easier to read.  KNF for the sake of KNF does nothing for anyone...and
in fact, may discourage the constructive reading/auditing of code.
Adjusting the TOC and section numbers will generally not improve the FAQ
experience for readers; if while looking for bigger issues the worst you
can find is missing section numbers, great.  But in this case, if that's
even the biggest /formatting/ issue you have found, you need glasses. :)

Nick.



Re: Contributing

2014-11-16 Thread Ingo Schwarze
Hi Eric,

Eric Furman wrote on Sun, Nov 16, 2014 at 09:18:06PM -0500:
> On Sun, Nov 16, 2014, at 12:50 AM, Ingo Schwarze wrote:
>> andrew fabbro wrote on Sat, Nov 15, 2014 at 04:34:35PM -0800:

>>> What about writing tutorials/articles?

>> That is most definitely *not* a job for beginners.
>> Writing good tutorials requires much more expertise and
>> experience than writing reference documentation or
>> hunting for bugs.

>>> There's www.openbsdsupport.org which I believe is officially blessed

>> Not at all.  It is completely unofficial, i didn't even know about it,
>> and a brief look gives me the impression that most of the content is
>> probably completely outdated.  Besides, i haven't ever heard of most
>> of the authors, so i doubt the content could be trusted in the first
>> place.
>> 
>> I'd strongly advise against using that site for anything.

> You could submit something to undeadly.org.

Sure, but note that it's a news portal, not a documentation repository.
It organizes content chronologically, not by topic, and it never
updates published content that gets outdated, so searching it for
documentation is relatively hard and likely to return outdated
stuff, in particular since it mostly reports on brand new things,
often before they have fully stabilized.

We strongly believe in the principle "all documentation should be
in one place" - to make it easy to find for users, easy to maintain
for developers, and easy to use by following a consistent style.
For reference documentation, that place is the manual pages.
For all other documentation that doesn't fit into manuals, that
place is the FAQ on the OpenBSD web site.

So, to improve documentation, submit patches to manual and FAQ
pages.  Don't put up your own documentation snippets, neither on
Undeadly nor elsewhere on the web.

> BTW, is undeadly.org an official OBSD site?

It is not a part of the OpenBSD project, but run by an independent
group of Undeadly Editors who review submissions and post them,
following a four-eye-principle for quality control.  Some of the
editors are also OpenBSD developers and many OpenBSD developers
submit content to Undeadly now and then.  Not all articles are
perfect, but neither are all commits.

In any case, the OpenBSD project encourages using Undeadly.
In particular, developers are encouraged to post hackathon
reports on Undeadly.

Yours,
  Ingo



Re: Contributing

2014-11-16 Thread Eric Furman
On Sun, Nov 16, 2014, at 12:50 AM, Ingo Schwarze wrote:
> Hi Andrew,
> 
> andrew fabbro wrote on Sat, Nov 15, 2014 at 04:34:35PM -0800:
> 
> > What about writing tutorials/articles?
> 
> That is most definitely *not* a job for beginners.
> Writing good tutorials requires much more expertise and
> experience than writing reference documentation or
> hunting for bugs.
> 
> > There's www.openbsdsupport.org which I believe is officially blessed
> 
> Not at all.  It is completely unofficial, i didn't even know about it,
> and a brief look gives me the impression that most of the content is
> probably completely outdated.  Besides, i haven't ever heard of most
> of the authors, so i doubt the content could be trusted in the first
> place.
> 
> I'd strongly advise against using that site for anything.

You could submit something to undeadly.org.
BTW, is undeadly.org an official OBSD site?



Re: making firefox less insecure

2014-11-16 Thread Jorge Gabriel Lopez Paramount
I use bookmarks, but I have them in my Drupal portal so no need to remember 
links, that by the way is restricted using apache authentication. The basic 
idea is this: any time I need to set something in Firefox I have to restart the 
VM as read-write, and while on it do not open any site. The first days I did 
that frequently, but last time I set something in Firefox was months ago.

Best regards,
Jorge.

Worik Stanton  wrote:

>On 17/11/14 10:55, Jorge Gabriel Lopez Paramount wrote:
>[snip]
>> I restart every week that server as read-write to patch it and that's
>> all,
>
>[snip]
>
>> I have been using that VM more than half a year and invested like 4
>> hours setting it up. Is it not worth 4 hours a software that you use
>> every day for things as important as banking?
>
>So you do not have bookmarks?
>
>For banking that is a risk.  If you mistype your URL you may end up on
>a phishing page.
>
>I always load my banking URL from a bookmark.
>
>Worik
>
>
>--
>Why is the legal status of chardonnay different to that of cannabis?
>   worik.stan...@gmail.com 021-1680650, (03) 4821804
>  Aotearoa (New Zealand)
> I voted for love
>



Re: making firefox less insecure

2014-11-16 Thread Worik Stanton
On 17/11/14 10:55, Jorge Gabriel Lopez Paramount wrote:
[snip]
> I restart every week that server as read-write to patch it and that's
> all,

[snip]

> I have been using that VM more than half a year and invested like 4
> hours setting it up. Is it not worth 4 hours a software that you use
> every day for things as important as banking?

So you do not have bookmarks?

For banking that is a risk.  If you mistype your URL you may end up on
a phishing page.

I always load my banking URL from a bookmark.

Worik


--
Why is the legal status of chardonnay different to that of cannabis?
   worik.stan...@gmail.com 021-1680650, (03) 4821804
  Aotearoa (New Zealand)
 I voted for love




Re: making firefox less insecure

2014-11-16 Thread Duncan Patton a Campbell
Altho' I'm currently just using a) and don't do things like banking,
(rather go check out the tellers if I've got to do banking...
eases the aggravation) I think that c would be reasonable if
you had an automated setup that had already identified the
dependencies firefox has.  This would allow reinstancing
the setup much like the VM method described.

Dhu

On Sun, 16 Nov 2014 14:08:39 -0500
Jonathan Thornburg  wrote:

> Web browsers scare me: they're huge pieces of code, un-audited, they
> have embedded Turing-complete interpreters, they live in a horribly
> insecure environment,
>   [I have to put in a plug here for James Mickens' classic
>   rant "To Wash It All Away" (Usenix ;login, March 2014, p.2-8):
>   https://www.usenix.org/system/files/1403_02-08_mickens.pdf
>   ]
> they pass untrusted data to image/audio/video plugins which are also
> huge/unaudited/buggy, etc etc.
> 
> So, I'm thinking about how to exploit-mitigate a web browser (I'll use
> firefox here for purposes of illustration, but this is basically generic
> to any other web browser).  This is in the context of a single-user
> OpenBSD desktop (say a laptop).
> 
> My threat model is basically:
> * I run firefox
> * by default, the firefox process (and any plugins) all run under
>   my id, with the same privileges I have
> * I browse to a (unknown-to-me) hostile website
> * hostile website exploits a vulnerability in firefox or plugin to
>   run malicious code on my computer (with all the privileges of the
>   firefox process)
> * malicious code can then
>   - read and/or write my $HOME/.ssh/
>   - create a transparent X window over the entire screen to act as
>     a keylogger to watch for the next time I type a credit card number
>     or login to a banking site
>   - write to my login scripts to make that keylogger persistent
>   - try to exploit vulnerabilities in my X server
>   - if I'm in group wsrc, try to install a backdoor in /usr/src/*
>   - if I'm in group wheel, try to sudo to root to install a rootkit
>   - etc etc
> 
> I can see several possible forms of exploit-mitigation:
> (a) use the noscript firefox extension to block javascript
> (b) use capsicum to sandbox firefox and any plugin processes
> (c) run firefox in a chroot jail
> (d) have firefox talk to an Xephyr(1) instance
>     so it's semi-isolated from the main X server
> (e) maybe have firefox go through an ssh tunnel to localhost
> (f) run firefox as an unprivileged user _firefox, group _firefox, and
>     use Unix file permissions to deny that user access to $HOME/
> 
> (a) works and offers a fair bit of protection until some site that
> I whitelist has a drive-by exploit. :(  And noscript requires considerable
> handholding in practice.
> 
> (b) and (c) could offer a lot of protection... but they would be a lot
> of work to port/setup, probably more work than I can afford right now.
> 
> (d) seems promising; I don't know what it would do to the ability
> to cut-and-paste between firefox and the outside world
> 
> I'm not sure if (e) is needed in combination with (d) in order to
> block firefox from connecting to the main X server.
> 
> (f) seems pretty easy, and offers some (modest) protection.
> I have some technical questions about doing that, which I'll save
> for a separate thread.
> 
> Some useful past discussions on this mailing list include
>   http://marc.info/?l=openbsd-misc&m=126116965209030&w=1
>   http://marc.info/?l=openbsd-misc&m=135442405732373&w=1
>   http://marc.info/?l=openbsd-misc&m=135569662813122&w=1
>   http://marc.info/?l=openbsd-misc&m=135767126712239&w=1
>   http://marc.info/?l=openbsd-misc&m=135767705914968&w=1
>   http://marc.info/?l=openbsd-misc&m=135771549729476&w=1
>   http://marc.info/?l=openbsd-misc&m=135771660029742&w=1
> 
> So.
> 
> Are there other practical ways of securing an OpenBSD web browser?
> [I'm afraid "just say no" fails the "practical" test. :( ]
> 
> What unobvious gotchas are there in (d), (e), and (f)?
> Other tips-and-tricks?
> 
> ciao,
> 
> -- 
> -- "Jonathan Thornburg [remove -animal to reply]" 
> 
>Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
>"There was of course no way of knowing whether you were being watched
> at any given moment.  How often, or on what system, the Thought Police
> plugged in on any individual wire was guesswork.  It was even conceivable
> that they watched everybody all the time."  -- George Orwell, "1984"
> 
> 


-- 
Ne obliviscaris, vix ea nostra voco.



Re: unbound auto-trust the root.key file

2014-11-16 Thread Quentin Rameau
Hi Kevin,

> can we not make unbound not try to write to it at all

it seems that you are using auto-trust-anchor-file, but what you
search for is trust-anchor-file.

> and have a cronjob that runs to update it every so often to make sure it is 
> the correct key?

Then you can use unbound-anchor to update it.
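
The setup described in the reply above, as an added example that is not part of the thread or of the unbound project: a check of which anchor directive a config uses, and a cron-side refresh with unbound-anchor. The config path, key path, group name, root ownership and function names are assumptions; adjust them to the local install.

```sh
#!/bin/sh
# Added example. Assumed paths and names (not taken from the thread):
CONF=${CONF:-/var/unbound/etc/unbound.conf}
KEY=${KEY:-/var/unbound/db/root.key}
DAEMON_GROUP=${DAEMON_GROUP:-_unbound}

# Report which trust-anchor directive is active in a config file:
#   auto   - auto-trust-anchor-file: (unbound rewrites the file itself)
#   static - trust-anchor-file:      (unbound only reads the file)
#   none   - neither directive is present
# Commented-out lines are ignored. "auto" wins if both are present,
# because that is the case in which the daemon wants write access.
anchor_mode() {
    awk '
        { sub(/#.*/, "") }                                      # strip comments
        /^[ \t]*auto-trust-anchor-file[ \t]*:/ { has_auto = 1 }
        /^[ \t]*trust-anchor-file[ \t]*:/      { has_static = 1 }
        END { print (has_auto ? "auto" : (has_static ? "static" : "none")) }
    ' "$1"
}

# Cron-side refresh, run as root: update the key with unbound-anchor,
# then leave it readable but not writable for the daemon's group.
refresh_anchor() {
    # unbound-anchor exits 1 when it replaced the anchor, so a non-zero
    # status is not treated as a failure here.
    unbound-anchor -a "$KEY" || true
    chown "root:$DAEMON_GROUP" "$KEY" && chmod 0640 "$KEY"
}

# Refresh only when the config really uses the read-only directive;
# with auto-trust-anchor-file the daemon would still try to write.
main() {
    mode=$(anchor_mode "$CONF") || return 1
    if [ "$mode" = static ]; then
        refresh_anchor
    else
        echo "anchor mode is '$mode'; expected trust-anchor-file:" >&2
        return 1
    fi
}

# Run main only when invoked as "script run", so the file can be sourced.
if [ "${1:-}" = run ]; then
    main
fi
```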



Re: xombrero crashes with "ReferenceError: Can't find variable: iom"

2014-11-16 Thread Luiz Roberto dos Santos
At 16 Nov 2014 16:45:46 + (UTC) from trondd :
On Sat, Nov 15, 2014 at 11:21 PM

>I like to use a browser that is keyboard-centric (vi-like, ideally)
Yep.
>that supports modern web functionality
Well, there is a lot of support for unnecessary "features". Many scripts are 
insecure, and we just don't use on nowadays. 
Some support for Html 4.1, maybe just some support for html5, CSS and 
javascript (meh) is good enough.
>Yea, Webkit is bulky and can be problematic, but what's the alternative?
Webkit is very bloated, has many bugs and, as you say, the developers seem to 
think that it is more important to add more features than to make clean, 
bug-free code.
There are many other alternatives. As I say, Abaco seems good, well done, 
minimalist. Xombrero has some features intended for security, blocks some 
scripts, and so on, but is not very effective. On this point, firefox has some 
really good "addons", like Noscript, Adblock and some cookie controls.
>Maybe it's specific sites?
Not really. When I do some research and open many tabs, Xombrero seems to 
consume all memory.



Re: making firefox less insecure

2014-11-16 Thread Jorge Gabriel Lopez Paramount

Quoting Jason Adams :

> On 11/16/2014 12:15 PM, Jorge Gabriel Lopez Paramount wrote:
>> I have other approach that has worked for me so far: I created a
>> virtual machine with Debian GNU/kFreeBSD (sorry but I'm new here),
>> and installed Firefox there and other software I would need like
>> image and PDF viewers. After installing Firefox I configured things
>> like proxy and after browsing no page at all shutdown my virtual
>> machine.
>
> Seems heavy, and probably harder to set up and maintain than (e) and (f).

Sure it's harder to set up, but believe me, after setting up the
maintenance is almost zero. I restart every week that server as
read-write to patch it and that's all, and have to do that way because
Debian publish a lot of patches frequently. If OpenBSD is as good as I
have seen and there is a patch like once a month then you will have to
care about it once a month.

I have been using that VM more than half a year and invested like 4
hours setting it up. Is it not worth 4 hours a software that you use
every day for things as important as banking?


Best regards,
Jorge.


This message was sent using IMP, the Internet Messaging Program.



Re: Smokeping issues on 5.6

2014-11-16 Thread Stuart Henderson
On 2014-11-13, Mxher  wrote:
> Hi all,
>
> I'm not able to start Smokeping on my (recently installed) OpenBSD 5.6.

A similar problem was reported by Lars Hecking a couple of weeks
ago, please try updating your ports tree to OPENBSD_5_6_STABLE and
rebuild the package.



Re: patch for FAQ14

2014-11-16 Thread Stuart Henderson
On 2014-11-16, Daniel Jakots  wrote:
> Hi,
>
> I wanted to add some content to FAQ14 but I saw some errors there, so
> first I corrected them.
>
> The problems are 
> - No 14.13
> - No 20.2

That's intentional, we don't generally do a bulk renumbering if a section
is removed.

> - 14.5.*, 14.17.* and 14.20.* are not linked in the "Table of Contents"

It's probably worth splitting that out to a separate diff, I'm not
sure what Nick@ will think but that seems reasonable to me.

> Also what's the policy about giving numbers (like 14.5.1)? Because they
> are assigned to "h3" heading tags, but not all "h3" are numbered.

I'm not sure about that.



Re: making firefox less insecure

2014-11-16 Thread Jason Adams
On 11/16/2014 12:15 PM, Jorge Gabriel Lopez Paramount wrote:
> I have other approach that has worked for me so far: I created a virtual
> machine with Debian GNU/kFreeBSD (sorry but I'm new here), and installed
> Firefox there and other software I would need like image and PDF viewers.
> After installing Firefox I configured things like proxy and after
> browsing no page at all shutdown my virtual machine.

Seems heavy, and probably harder to set up and maintain than (e) and (f).

But I'll admit I've used a similar approach for quick and dirty short term
solutions.
I was thinking JT was suggesting something that could be easy to set up and
maintain, requiring only setting gid/uid on the browser executable, and some
light scripting.



-- 
Those who do not understand Unix are condemned to reinvent it, poorly.



Re: making firefox less insecure

2014-11-16 Thread Jason Adams
On 11/16/2014 11:08 AM, Jonathan Thornburg wrote:
> (e) maybe have firefox go through an ssh tunnel to localhost
> (f) run firefox as an unprivileged user _firefox, group _firefox, and
>     use Unix file permissions to deny that user access to $HOME/

I think these two in conjunction would be sufficient to block a large majority
of the possible attacks.

(f) is going to require some segregated file structure as a substitute for
user's home, for cache, downloads, etc. probably that structure needs to
be owned by user with a group _firefox.

I've often worried about browsers, even the open source ones.


-- 
Those who do not understand Unix are condemned to reinvent it, poorly.
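
An added check for option (f), not code from the thread: before relying on Unix file permissions to keep a separate _firefox account out of $HOME, list what an account that is neither the owner nor in the owner's group can already read. The function names and the sample directory tree are constructed for illustration.

```sh
#!/bin/sh
# Added example for option (f). A process running as a different user
# and group (such as the proposed _firefox account) is granted the
# "other" permission bits. This lists everything under a directory that
# such a process could read.

# Print paths under $1 that are readable by "other" and whose parent
# directories, from $1 down, are all searchable by "other".
# Assumption: the directories above $1 (e.g. /home) are world-searchable.
# Not reported: a directory with o+r but no o+x, which still leaks the
# names of its entries.
reachable_by_other() {
    # Directories without o+x are pruned: nothing below them can be
    # opened by "other", whatever the modes of the files inside.
    find "$1" -type d ! -perm -001 -prune -o -perm -004 -print
}

# Build a constructed sample home directory to demonstrate the check.
make_sample_home() {
    h=$1
    mkdir -p "$h/.ssh" "$h/pub"
    : > "$h/.ssh/id_key"
    : > "$h/notes.txt"
    : > "$h/private.txt"
    : > "$h/pub/index.html"
    chmod 0755 "$h" "$h/pub"
    chmod 0700 "$h/.ssh"
    # id_key is deliberately world-readable: the 0700 directory above it
    # is what keeps it out of reach.
    chmod 0644 "$h/.ssh/id_key" "$h/notes.txt" "$h/pub/index.html"
    chmod 0600 "$h/private.txt"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_home "$tmp/home"
    echo "with mode 0755 on the home directory:"
    reachable_by_other "$tmp/home" | sort
    chmod 0700 "$tmp/home"
    echo "with mode 0700 on the home directory:"
    reachable_by_other "$tmp/home" | sort
    rm -rf "$tmp"
}

demo
```

An empty listing for the real home directory means the permission half of (f) holds; the browser's own cache and download directory then has to live outside that tree.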



Re: making firefox less insecure

2014-11-16 Thread Jorge Gabriel Lopez Paramount

Quoting Daniel Dickman :

> On Sun, Nov 16, 2014 at 2:08 PM, Jonathan Thornburg wrote:
>> Are there other practical ways of securing an OpenBSD web browser?
>> [I'm afraid "just say no" fails the "practical" test. :( ]
>
> one practical thing I'd love to see is for someone to port the Quark
> web browser:
> http://goto.ucsd.edu/quark/
>
> I've no idea if it's good enough for practical use, but it seems like
> an interesting piece of work.

I have other approach that has worked for me so far: I created a
virtual machine with Debian GNU/kFreeBSD (sorry but I'm new here), and
installed Firefox there and other software I would need like image and
PDF viewers. After installing Firefox I configured things like proxy
and after browsing no page at all shutdown my virtual machine.

Then I start it as read-only, I mean, you can use the virtual machine
as read-write but everything is gone after shutting it down and goes
back to the initial state. I restart it at midnight every day so I
have a newly-installed browser every morning, and I use the browser by
ssh.

So far the biggest drawback to me is not being able to have sound, but
even videos play good enough through the network. If that VM becomes
compromised it will go back to its initial state at midnight, and it's
isolated and with no personal data so a compromise would be very
likely harmless.


Best regards,
Jorge.





Re: making firefox less insecure

2014-11-16 Thread Daniel Dickman
On Sun, Nov 16, 2014 at 2:08 PM, Jonathan Thornburg
 wrote:
> Web browsers scare me: they're huge pieces of code, un-audited, they
> have embedded Turing-complete interpreters, they live in a horribly
> insecure environment,

[...snip...]

>
> Are there other practical ways of securing an OpenBSD web browser?
> [I'm afraid "just say no" fails the "practical" test. :( ]
>

one practical thing I'd love to see is for someone to port the Quark
web browser:
http://goto.ucsd.edu/quark/

I've no idea if it's good enough for practical use, but it seems like
an interesting piece of work.



making firefox less insecure

2014-11-16 Thread Jonathan Thornburg
Web browsers scare me: they're huge pieces of code, un-audited, they
have embedded Turing-complete interpreters, they live in a horribly
insecure environment,
  [I have to put in a plug here for James Mickens' classic
  rant "To Wash It All Away" (Usenix ;login, March 2014, p.2-8):
  https://www.usenix.org/system/files/1403_02-08_mickens.pdf
  ]
they pass untrusted data to image/audio/video plugins which are also
huge/unaudited/buggy, etc etc.

So, I'm thinking about how to exploit-mitigate a web browser (I'll use
firefox here for purposes of illustration, but this is basically generic
to any other web browser).  This is in the context of a single-user
OpenBSD desktop (say a laptop).

My threat model is basically:
* I run firefox
* by default, the firefox process (and any plugins) all run under
  my id, with the same privileges I have
* I browse to a (unknown-to-me) hostile website
* hostile website exploits a vulnerability in firefox or plugin to
  run malicious code on my computer (with all the privileges of the
  firefox process)
* malicious code can then
  - read and/or write my $HOME/.ssh/
  - create a transparent X window over the entire screen to act as
    a keylogger to watch for the next time I type a credit card number
    or login to a banking site
  - write to my login scripts to make that keylogger persistent
  - try to exploit vulnerabilities in my X server
  - if I'm in group wsrc, try to install a backdoor in /usr/src/*
  - if I'm in group wheel, try to sudo to root to install a rootkit
  - etc etc

I can see several possible forms of exploit-mitigation:
(a) use the noscript firefox extension to block javascript
(b) use capsicum to sandbox firefox and any plugin processes
(c) run firefox in a chroot jail
(d) have firefox talk to an Xephyr(1) instance
    so it's semi-isolated from the main X server
(e) maybe have firefox go through an ssh tunnel to localhost
(f) run firefox as an unprivileged user _firefox, group _firefox, and
    use Unix file permissions to deny that user access to $HOME/

(a) works and offers a fair bit of protection until some site that
I whitelist has a drive-by exploit. :(  And noscript requires considerable
handholding in practice.

(b) and (c) could offer a lot of protection... but they would be a lot
of work to port/setup, probably more work than I can afford right now.

(d) seems promising; I don't know what it would do to the ability
to cut-and-paste between firefox and the outside world

I'm not sure if (e) is needed in combination with (d) in order to
block firefox from connecting to the main X server.

(f) seems pretty easy, and offers some (modest) protection.
I have some technical questions about doing that, which I'll save
for a separate thread.

Some useful past discussions on this mailing list include
  http://marc.info/?l=openbsd-misc&m=126116965209030&w=1
  http://marc.info/?l=openbsd-misc&m=135442405732373&w=1
  http://marc.info/?l=openbsd-misc&m=135569662813122&w=1
  http://marc.info/?l=openbsd-misc&m=135767126712239&w=1
  http://marc.info/?l=openbsd-misc&m=135767705914968&w=1
  http://marc.info/?l=openbsd-misc&m=135771549729476&w=1
  http://marc.info/?l=openbsd-misc&m=135771660029742&w=1

So.

Are there other practical ways of securing an OpenBSD web browser?
[I'm afraid "just say no" fails the "practical" test. :( ]

What unobvious gotchas are there in (d), (e), and (f)?
Other tips-and-tricks?

ciao,

-- 
-- "Jonathan Thornburg [remove -animal to reply]" 

   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"



patch for FAQ14

2014-11-16 Thread Daniel Jakots
Hi,

I wanted to add some content to FAQ14 but I saw some errors there, so
first I corrected them.

The problems are 
- No 14.13
- No 20.2
- 14.5.*, 14.17.* and 14.20.* are not linked in the "Table of Contents"

Also what's the policy about giving numbers (like 14.5.1)? Because they
are assigned to "h3" heading tags, but not all "h3" are numbered.

If patches between the different problems are needed, I can give them.

Cheers,
Daniel

Index: faq14.html
===
RCS file: /cvs/www/faq/faq14.html,v
retrieving revision 1.246
diff -u -p -u -p -r1.246 faq14.html
--- faq14.html  8 Nov 2014 20:15:58 -   1.246
+++ faq14.html  16 Nov 2014 17:29:33 -
@@ -29,6 +29,11 @@
 14.3 - Using OpenBSD's disklabel(8)
 14.4 - Adding extra disks in OpenBSD
 14.5 - How is swap handled?
+  
+  14.5.1 - About swap
+  14.5.2 - Swapping to a partition
+  14.5.3 - Swapping to a file
+  
 14.6 - Soft Updates
 14.7 - How do OpenBSD/i386 and OpenBSD/amd64 
boot?
 14.8 - What are the issues regarding large
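Review bot: the 14.7 context line in this hunk is split in two ("OpenBSD/amd64" followed by "boot?" on its own line), and the 14.16 and 14.17 entries in the next hunk are split the same way, so the mailer has wrapped the diff and it will not apply as sent. Resend it unwrapped or as an attachment. The 14.5.1 to 14.5.3 entries added here do not depend on the renumbering and would be easier to review as their own diff.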
@@ -38,27 +43,37 @@
 Restoring from tape.
 14.11 - Mounting disk images in OpenBSD
 14.12 - Help! I'm getting errors with IDE DMA!
-14.14 - Why does df(1) tell me I
+14.13 - Why does df(1) tell me I
 have over 100% of my disk used?
-14.15 - Recovering partitions after deleting
+14.14 - Recovering partitions after deleting
 the disklabel
-14.16 - Can I access data on filesystems other than 
FFS?
+14.15 - Can I access data on filesystems other than 
FFS?
 
-  14.16.1 - The partitions are not in my
+  14.15.1 - The partitions are not in my
   disklabel! What should I do?
 
-14.17 - Can I use a flash memory device with 
OpenBSD?
+14.16 - Can I use a flash memory device with 
OpenBSD?
   
-  14.17.1 - Flash memory as a portable storage
+  14.16.1 - Flash memory as a portable storage
 device 
-  14.17.2 - Flash memory as bootable storage
-  14.17.3 - How can I make a "Live" bootable USB
+  14.16.2 - Flash memory as bootable storage
+  14.16.3 - How can I make a "Live" bootable USB
 device?
   
-14.18 - Optimizing disk performance
-14.19 - Why aren't we using async mounts?
-14.20 - Duplicating your root partition: altroot
-14.21 - How do I use softraid(4)?
+14.17 - Optimizing disk performance
+  
+  14.17.1 - Soft updates
+  14.17.2 - Size of the namei() cache
+  
+14.18 - Why aren't we using async mounts?
+14.19 - Duplicating your root partition: altroot
+14.20 - How do I use softraid(4)?
+  
+  14.20.1 - Doing the install
+  14.20.2 - Softraid notes
+  14.20.3 - Disaster recovery
+  14.20.4 - Softraid Crypto
+  
 
 
 
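Review bot: the renumbering reassigns numbers that are already in use. "-  14.17.1 - Flash memory as a portable storage" becomes 14.16.1 while "+  14.17.1 - Soft updates" takes over 14.17.1, so anyone who cites 14.17.1 by number now lands on a different topic. Keep the existing numbers and leave the 14.13 gap; the new sub-entries for "Optimizing disk performance" and softraid(4) can be added under the numbers those sections have today (14.18.x and 14.21.x).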
@@ -740,10 +755,9 @@ create an empty directory /usr/local. Th
 the files are there!
 
 
-
 
 14.5 - How is swap handled?
-
+
 14.5.1 - About swap
 Historically, all kinds of rules have been tossed about to guide
 administrators on how much swap to configure on their machines.
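Review bot: the three changed lines in this hunk (two removed, one added, around the 14.5 and 14.5.1 headings) show no text as rendered here, so it is not possible to tell what they change; the same holds for the single removed and added lines in the next two hunks. Say in the submission what these edits are for, and drop them if they are whitespace only.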
@@ -784,7 +798,7 @@ In OpenBSD, swap is managed with the
 program, which adds, removes, lists and prioritizes swap devices and
 files.
 
-
+
 14.5.2 - Swapping to a partition
 
 On OpenBSD, the 'b' partition of the boot drive is used by default and
@@ -801,7 +815,7 @@ something like:
 /dev/sd3d none swap sw 0 0
 
 
-
+
 14.5.3 - Swapping to a file
 
 (Note: if you are looking to swap to a file because you are getting
@@ -1801,7 +1815,7 @@ device.
 
 
 
-14.14 - Why does df(1) tell me I have over 100% of my disk
+14.13 - Why does df(1) tell me I have over 100% of my disk
 used?
 People are sometimes surprised to find they have negative
 available disk space, or more than 100% of a filesystem in use, as shown
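Review bot: only the number in the heading text changes here (14.14 to 14.13), and nothing in the hunk shows whether the section's link target was renamed along with it. State which it is: if the target keeps the old number the heading and the link disagree, and if it changes, existing links to the df(1) section break. The same question applies to every renumbered heading in the hunks that follow.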
@@ -1825,7 +1839,7 @@ command.
 
 
 
-14.15 - Recovering partitions after deleting the disklabel
+14.14 - Recovering partitions after deleting the disklabel
 
 
 If you have a damaged partition table, there are various things
@@ -1877,7 +1891,7 @@ it until the next reboot.
 
 
 
-14.16 - Can I access data on filesystems other than FFS?
+14.15 - Can I access data on filesystems other than FFS?
 
 
@@ -2031,7 +2045,7 @@ operating system associated with the fil
 
 
 
-14.16.1 - The partitions are not in my disklabel! What should I do?
+14.15.1 - The partitions are not in my disklabel! What should I do?
 
 If you install foreign filesystems on your system (often the result of
 adding a new operating system) after you have already installed OpenBSD,
@@ -2106,9 +2120,9 @@ You can follow a very similar procedure 
 
 
 
-14.17 - Can I use a flash memory device with OpenBSD?
+14.16 - Can I use a flash memory device with OpenBSD?
 
-14.17.1 - Flash memory as a portable storage device
+14.16.1 - Flash memory as a portable storage device
 
 
@@ -2244,7 +2258,7 @@ umass0 detached
 
 
 
-14.17.2 - Flash memory as bootable storage
+14.16.2 - Flash memory as bootable storage
 
 One can also use flash memory in various forms as bootable disk with
@@ -2363,7 +2377,7 @@ which could be played when they booted f
 
 
 
-14.17.3 - How do I create a bootable "Live" USB device?
+14.16.

unbound auto-trust the root.key file

2014-11-16 Thread Kevin Gerrard
I have been unable to find a fix or good solution for this. Since it is bad
for the unbound daemon to have privileges to write to the root.key file, can
we not make unbound not try to write to it at all and have a cronjob that
runs to update it every so often to make sure it is the correct key? It is
not a big deal since it just writes a line in the /var/log/daemon log every
so often. I was just wondering if we could turn that option to write to
root.key in unbound off and then do it with a script that would then change
the owner and permissions of the file to read only and owned by unbound.

 

Again I couldn't find anything on this to stop the error in the
/var/log/daemon log that didn't give the daemon writeable access to a file
it doesn't need to really have writable access to. 

 

Kevin Gerrard
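
The arrangement proposed above, as an added example (not part of the original post, and not OpenBSD's or unbound's own tooling): unbound.conf is assumed to use "trust-anchor-file:" instead of "auto-trust-anchor-file:", so the daemon only reads the key, and root's crontab runs this script. The path, the _unbound group and the function names are assumptions.

```sh
#!/bin/sh
# Refresh the DNSSEC root trust anchor from root's crontab so that unbound
# itself never needs write access to it.
# Assumptions (not from the thread): the path and group below, and an
# unbound.conf that uses "trust-anchor-file:" (daemon only reads it) instead
# of "auto-trust-anchor-file:" (daemon rewrites it).
ANCHOR=${ANCHOR:-/var/unbound/db/root.key}
GROUP=${GROUP:-_unbound}

# valid_anchor FILE: succeed only if FILE has a root-zone DNSKEY or DS record.
valid_anchor() {
	[ -s "$1" ] && grep -Eq \
	    '^\.[[:space:]]+([0-9]+[[:space:]]+)?(IN[[:space:]]+)?(DNSKEY|DS)[[:space:]]' "$1"
}

# install_anchor NEW DEST: validate NEW, then atomically replace DEST with a
# read-only copy. The owner is set to root (not the daemon) when run as root;
# the directory holding DEST must not be writable by the daemon either.
install_anchor() {
	new=$1 dest=$2
	valid_anchor "$new" || { echo "refusing invalid anchor: $new" >&2; return 1; }
	tmp=$(mktemp "$dest.XXXXXX") || return 1
	cat "$new" > "$tmp" && chmod 0444 "$tmp" || { rm -f "$tmp"; return 1; }
	if [ "$(id -u)" -eq 0 ]; then
		chown "root:$GROUP" "$tmp" || { rm -f "$tmp"; return 1; }
	fi
	mv -f "$tmp" "$dest"
}

# refresh_anchor: let unbound-anchor(8) update a scratch copy, then install it.
refresh_anchor() {
	work=$(mktemp -d) || return 1
	[ -f "$ANCHOR" ] && cp "$ANCHOR" "$work/root.key"
	# unbound-anchor's exit status does not signal errors; validate instead.
	unbound-anchor -a "$work/root.key"
	install_anchor "$work/root.key" "$ANCHOR"; rc=$?
	rm -rf "$work"
	return "$rc"
}

# Only act when invoked as "<script> run" (e.g. from cron); unbound must be
# reloaded afterwards to pick up a changed key.
if [ "${1:-}" = run ]; then
	refresh_anchor
fi
```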



Re: xombrero crashes with "ReferenceError: Can't find variable: iom"

2014-11-16 Thread trondd
On Sun, Nov 16, 2014 at 1:10 PM, Kevin Chadwick 
wrote:

> On Sun, 16 Nov 2014 11:45:46 -0500
> trondd wrote:
>
> > I installed xombrero, but my snapshot is old and I need to update.  No
> > issues so far.  Maybe it's specific sites?
>
> There are definitely bugs beyond memory leaks in webkit and libs and a
> simple hunch tells me the webkit devs are more interested in new
> features than bug hunting.
>
>
To be clear, by "no issues" I mean, I can't reproduce what the OP is
seeing.  Except for the symbol size mismatch which has existed for a while
and seems to be ignorable and the JQMIGRATE logging message which I haven't
seen in the paste, but didn't crash xombrero.

Tim.



Re: xombrero crashes with "ReferenceError: Can't find variable: iom"

2014-11-16 Thread Kevin Chadwick
On Sun, 16 Nov 2014 11:45:46 -0500
trondd wrote:

> I installed xombrero, but my snapshot is old and I need to update.  No
> issues so far.  Maybe it's specific sites?

There are definitely bugs beyond memory leaks in webkit and libs and a
simple hunch tells me the webkit devs are more interested in new
features than bug hunting.

Having said that it does support modern html5 21st century features and
I still prefer it to the other browsers though I keep them around for
the occasional sites that crash it every time. Also you can very easily
load up multiple instances of xombrero to minimise the chances of a
crash for a specific task such as logging into something or running
out of memory taking out all your tabs.

I guess as webkit is a dependency then building it without stripping
symbols for currents official packages may be a thorny issue and the
build time prevents users from investigating bugs beyond guess work?



Re: xombrero crashes with "ReferenceError: Can't find variable: iom"

2014-11-16 Thread trondd
On Sat, Nov 15, 2014 at 11:21 PM, Luiz Roberto dos Santos <
arrowscr...@mail.com> wrote:

> Seems to happen not just on OpenBSD, but also on 3.2 linux-libre kernel.
> Why not remove Xombrero from -current? Any thoughts? I mean, it's good,
> but is based on webkit, and have some bugs... maybe port Abaco will be
> better, I don't know.
>
>
I switched from xombrero to dwb only to find out dwb is no longer
developed.  I was going to switch back to xombrero but that hasn't had much
action for a while either.

I like to use a browser that is keyboard-centric (vi-like, ideally), with a
minimal UI and that supports modern web functionality.  There are many
light-weight browsers but they don't support anything created for the web
since the mid 90's.  Yea, Webkit is bulky and can be problematic, but
what's the alternative?

I installed xombrero, but my snapshot is old and I need to update.  No
issues so far.  Maybe it's specific sites?

Tim.



Re: RISC-V ?

2014-11-16 Thread Tobias Ulmer
On Sun, Nov 16, 2014 at 04:15:15AM +, Luiz Roberto dos Santos wrote:
> Hi,
> Is there any effort yet to initiate a port for RISC-V?

No

> 
> Regards,
> L.



Re: Contributing

2014-11-16 Thread Daniel Ouellet
On 11/16/14 12:50 AM, Ingo Schwarze wrote:
> Hi Andrew,
> 
> andrew fabbro wrote on Sat, Nov 15, 2014 at 04:34:35PM -0800:
> 
>> What about writing tutorials/articles?

It's been a recurring talk before and it just does not work.

> That is most definitely *not* a job for beginners.
> Writing good tutorials requires much more expertise and
> experience than writing reference documentation or
> hunting for bugs.
> 
>> There's www.openbsdsupport.org which I believe is officially blessed
> 
> Not at all.  It is completely unofficial, i didn't even know about it,
> and a brief look gives me the impression that most of the content is
> probably completely outdated.  Besides, i haven't ever heard of most
> of the authors, so i doubt the content could be trusted in the first
> place.
> 
> I'd strongly advise against using that site for anything.

Yes it is there as a proof of concept that is now going into its 10th
year anniversary!

If you want to know why it was created look at the archive 10 years ago.
It's all there.

And the goal is clear on the site that it is supposed to be for people
like this that want to do documentation, but it NEVER goes anywhere at all!

I did this to prove the point for the recurring talk here. It is not
working! Lots of talk and none lasts more than a few weeks at best and
the site proves it too!

And no again it is DEFINITELY NOT OFFICIAL like it said on it too!

>> though it doesn't look too active.  Probably for lack of people
>> submitting articles :-)

Nope.

>> Of course if you have a blog or web site you can write OpenBSD
>> stuff for it.

Not any different, but be my guest and prove me wrong. (:>

> Please don't.  Beginners spreading misinformation across the web are
> not helping anybody.  If you think something could be added to the
> FAQ, submit it for inclusion and have it checked.  Don't publish
> random, unchecked stuff in random locations.

True, man pages are the reference to use, period. This site is more like a
social experiment to show how talk is cheap and actual work never goes
anywhere. (:>

>> I know I've sometimes struggled with putting the pieces together where a
>> step-by-step "how to accomplish X" with OpenBSD would have helped.  Just
>> last week, Ted Unangst's "what I wish I known before setting up OpenBSD on
>> my Beagle Bone Black" on his blog saved me a lot of time and frustration.
> 
> Yes.  That is different.  If people who really know what they are doing
> prepare writeups, that can indeed be helpful.

Yes but I must say, they are very rare.

Daniel



Re: Contributing

2014-11-16 Thread Daniel Ouellet
> I'm not sure how I formed the opinion openbsdsupport.org was blessed
> (probably someone's forum post somewhere) so thanks for the correction.

It has never been blessed, it is a social experiment to prove a recurring
point that it doesn't work.

Many talked about it, none actually do the work.

Daniel



Re: Sun/Cassini Quad Gigabit Card Not Detected

2014-11-16 Thread Jeff
Brad,

Thanks!  I made the one line change and it had no effect. Do I
need other changes from current?

Thanks again,
Jeff

On Sun, Nov 16, 2014 at 12:53:13AM -0500, Brad Smith wrote:
> On Mon, Nov 10, 2014 at 01:41:10PM -0500, Jeff wrote:
> > # arp -a
> > # arp -a
> > firewall-x.usedmoviefinder.com (172.16.103.1) at 00:00:00:00:00:00 on cas0 
> > static
> > 
> > # netstat -in  
> > Name    Mtu   Network     Address            Ipkts Ierrs Opkts Oerrs Colls
> > lo0     32768                                    0     0     0     0     0
> > lo0     32768 ::1/128     ::1                    0     0     0     0     0
> > lo0     32768 fe80::%lo0/ fe80::1%lo0            0     0     0     0     0
> > lo0     32768 127/8       127.0.0.1              0     0     0     0     0
> > bge0    1500              00:0c:76:4e:5d:6e 104457     0  1546     0     0
> > bge0    1500  172.16/16   172.16.157.192    104457     0  1546     0     0
> > cas0    1500              00:00:00:00:00:00 106705     0   148     0     0
> > cas0    1500  172.16/16   172.16.103.1      106705     0   148     0     0
> > cas1*   1500              00:00:00:00:00:00      0     0     0     0     0
> > cas2*   1500              00:00:00:00:00:00      0     0     0     0     0
> > cas3*   1500              00:00:00:00:00:00      0     0     0     0     0
> > enc0*   0                                        0     0     0     0     0
> > pflog0  33192                                    0     0  2566     0     0
> 
> Hi Jeff,
> 
> Can you please try updating the sys/dev/pci/if_cas.c file to
> the -current code I just committed and apply the following
> diff to see if the MAC address is retrieved properly and
> the MAC address is adjusted as appropriate for the multi
> port board?
> 
> 
> Index: if_cas.c
> ===
> RCS file: /cvs/src/sys/dev/pci/if_cas.c,v
> retrieving revision 1.34
> diff -u -p -u -p -r1.34 if_cas.c
> --- if_cas.c  16 Nov 2014 05:46:20 -  1.34
> +++ if_cas.c  16 Nov 2014 05:50:15 -
> @@ -280,6 +280,7 @@ next:
>   desc += strlen("local-mac-address") + 1;
>   
>   bcopy(desc, sc->sc_arpcom.ac_enaddr, ETHER_ADDR_LEN);
> + sc->sc_arpcom.ac_enaddr[5] += pa->pa_device;
>   rv = 0;
>   }
>   break;
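
Review bot: the added line sc->sc_arpcom.ac_enaddr[5] += pa->pa_device; does byte arithmetic on the last octet only, so a base address whose last octet is near 0xff wraps around with no carry into ac_enaddr[4], and it assumes pa->pa_device is a small per-port index, which nothing in the hunk establishes. Consider computing the port offset explicitly, carrying into the higher octets on overflow, and adding a comment that says why the per-port adjustment is needed on the multi-port board. The adjustment also sits only in the "local-mac-address" branch visible here, so a card whose address is not found that way is unaffected by this line.
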
> 



Re: recent and64 shapshots: USB device timeouts, xhci: NULL xfer pointer

2014-11-16 Thread Martin Pieuchot
Hello Peter,

On 15/11/14(Sat) 15:29, Peter N. M. Hansteen wrote:
> and I just noticed that the supplied dmesg did not in fact capture the NULL 
> xfer pointer messages,
> but here's one that does, from a few minutes later running the same snapshot.
> 
> The failure pattern isn't entirely consistent - the urtwn device will 
> maintain link for some minutes,
> then timeout, sometimes with the NULL xfer pointer message, but not always. 
> Also, about 50% of the time
> it's possible to get the link back just by rerunning netstart for urtwn0, at 
> other times detaching, 
> reattaching and re-running netstart urtwn0 is needed in order to get back on 
> line. Also, when the device
> does work, its throughput is significantly worse than earlier (guesstimate 
> 10% of previous throughput
> although pinging the gateway yields wildly fluctuating round trip times).

Various people reported a similar problem with an xHCI 1.0 controller
and urtwn(4).  I am unable to reproduce the problem with the various
controllers I have at my disposal here.  I'll try to get access to
more hardware in order to track that down, unless somebody else finds
the issue before me.



Re: Contributing

2014-11-16 Thread andrew fabbro
On Sat, Nov 15, 2014 at 9:50 PM, Ingo Schwarze  wrote:

> > What about writing tutorials/articles?
>
> That is most definitely *not* a job for beginners.
>

The thread starter did not describe himself as a "beginner," just a
non-programmer.  Since he was referring to old content on the web site,
perhaps I'd erroneously assumed he was an experienced user.

There are some people who don't speak C who've contributed excellent
material.  For example, Michael Lucas self-describes himself as a
non-C-programmer in his talks, yet Absolute OpenBSD is a great resource
for users.  I was not advocating the "here is a spellbook of magical
incantations you can type into your terminal" style of website that is
popular in other communities nor that the blind lead the blind :-)

I'm not sure how I formed the opinion openbsdsupport.org was blessed
(probably someone's forum post somewhere) so thanks for the correction.