Re: Mail delivery from Postfix to remote IMAP
Greg A. Woods wrote in :
 |At Tue, 23 Apr 2024 01:41:11 +0200, Steffen Nurpmeso wrote:
 |Subject: Re: Mail delivery from Postfix to remote IMAP
 |>
 |> SPF should never have been introduced
 |
 |I agree _VERY_ much!  It still does absolutely nothing to reduce SMTP
 |abuse or increase trust in any way whatsoever.

Well -- there are people who disagree; and they seem to matter.

I personally think the RFC as such is a true masterpiece, in my eyes (fwiw). A lot of thought and energy were used to think the concept "to the last leaf" that no one normally uses.

And if you have (a) fixed IP(s), and all that, then SPF can secure one hop. And if you are an organizational unit like some *bsd.org, or a university, or cpan.org, or any such, you can set up SRS or create permanent pseudo addresses the way dmarc.ietf.org does it, and rewrite the emails. Likewise any DKIM-will-be-broken thing can do the same "(temporary) shadow address" when receiver DNS entries notify that this will cause trouble (aka DMARC etc).

But i always say that all for one has to be done, increases the complexity massively, and that is surely one reason why so many little ones just give up. I say email should be easy. Reality is that most infrastructure does not do any of the above, and so basic concepts of email, like "simple forwarding by alias", or "mailing lists", "fail badly".

Anyhow i used SPF from 2015 to 2024, i had "-all" and that seemed to be a good thing, until last year suddenly an email reply to an address behind FreeBSD.org caused a bounce, and their postmaster just said it "works as designed", i think were his words. So i changed it to "~all" due to that, but what is an SPF record with "~all" worth? i said. So i said i write a DKIM signed, and have a cryptographically verifiable host-specific signature, and i give a shit how many hops or which mystic ways the emails take, as long as they end up where they should, and throw away the SPF DNS entry.

Unfortunately the entire ecosystem is at least "from bug to fix", but sometimes all the time, crazy, and penalizes messages without the glorified SPF, or with a message ID which contains the sender address plain, or which contains a Received: header with an "invalid IP" (even though that was inside a VPN and a follow-up Received: had the same domain name with one sub- lesser), and all that.

I personally always (now) say that i do not understand any of that, i would go for only DKIM, and slightly redesign it (as already mentioned). You know, a TLS connection does not even establish, likewise SSH, why should email be any different given that the tool is there. And throw away all the others. The only thing is that the host key could be stolen, but effectively that has the same risk as any web- or mail- or etc server that uses server certificates; at times where most servers live in virtual boxes (somewhere in the clowd) total trust to the virtual (clowd) providers is anyway necessary, already.

This still breaks mailing-lists then, at least those which modify the (covered) message (parts). There is no way out of that (i totally reject ARC), but if the mailing-list verifies DKIM, and creates a DKIM signature itself, i imagine, that is, email programs could offer the possibility to "trust this". Effectively the mailing-list creates a new message, then. It will produce the ugly "x via y" From:, or go the IETF "dmarc".ietf.org "pseudo subscriber address" way.

Anyway that is my opinion. Throw away all this tremendously bloated infrastructure and keep only DKIM. SPF with the "~all" that a normal person needs who could possibly contact an alias that will then fail is a mess, that much is plain.

By the way in practice most of the email spam i receive comes via Google, and these have all the weapons in place.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Re: Mail delivery from Postfix to remote IMAP
Greg A. Woods wrote in :
 |First off let me second what Steffen says!

SPF should never have been introduced as it breaks any mail forwarder; just spring last year i contacted postmaster@ of FreeBSD because i got bounces when i replied to some @freebsd.org that forwarded to @gmail. I mean, that is practically any university or project which offers permanent addresses to their (former) members as they live on. And it is so funny given how SMTP started hopping.

Ditto DMARC that breaks any mailing-list. Well in fact the DKIM key breaks, of course, if a ML footer or subject tag is added. (If it were me DMARC would be dropped and a minimally updated DKIM would take its part and signal the necessity of the presence of a DKIM signature through the existence of a "new" DNS entry. Ie, that *always* fails then.) (There is a possibility that is used for eg IETF lists: if you look up the DMARC policy, and it announces that a modified email would cause failure, you can set up a permanent alias, here one of a well-known person who does 5322: From: Pete Re...ck ie real-address@dmarc. etc, so From: checks go for other DMARC entries etc. Well.

 |At Mon, 22 Apr 2024 21:15:08 +0200, Rhialto wrote:
 |Subject: Re: Mail delivery from Postfix to remote IMAP
 |>
 |> and neither can you change the
 |> envelope FROM address because bounces (as far as they happen) won't work.
 |
 |I haven't verified this works right with Postfix, but if you're doing
 |forwarding with ~/.forward files then this should happen automatically.
 |
 |It does of course mean bounces do end up going to the account on the
 |forwarding host, not the original sender, but this is (in theory) what
 |people using ~/.forward files want -- the forwarding itself caused the
 |bounce, not the initial delivery to the forwarded account, so sending
 |the message back to the original sender is arguably wrong.
 |
 |Maybe you can increase your storage capacity and simply run local IMAP
 |service for all your domains and users?  Every modern IMAP client (MUA)
 |I've encountered has been able to easily handle multiple IMAP accounts,
 |and many of them have simple ways to aggregate all INBOXes, for example,
 |into one meta INBOX.

If there really is no other way, the MUA i maintain speaks IMAP a bit; even though the new version is still not ready (and will change configuration), and v14.9.24 is very old (and has quite some bugs, and i have forgotten anything about it), it *could* be that scripting it to move all mails forward to another box on another server could be the solution. With v14.10 (that is still not what i long for) as of hopefully summer one could place your desire in a pipe even:
Re: Mail delivery from Postfix to remote IMAP
Rhialto wrote in :
 |On Mon 22 Apr 2024 at 11:20:59 -0700, Greg A. Woods wrote:
 |> Just keep doing what you're doing.  Anything else _is_ more roundabout.
 |> Why complicate things?  SMTP forwarding is the way to keep it working!
 |
 |I agree with you in spirit. Plain forwarding is a basic feature of SMTP.
 |
 |BUT.
 |
 |The trouble with plain forwarding is that my mail server's domain name
 |doesn't match the domain name in the From: header, and doesn't match the
 |envelope FROM domain, and it doesn't match the SPF policy of the sender
 |domain etc etc. Those are things that are checked by DKIM/DMARC/SPF.
 |
 |And you can't change the From: header because that is changing the mail
 |(and invalidates the DKIM signature), and neither can you change the
 |envelope FROM address because bounces (as far as they happen) won't work.
 |
 |> Of course fixing your mail server to do proper DKIM, or even just
 |> futzing with SPF (and PTR) records enough to get normal SMTP port#25
 |> through, i.e. without heavier AUTH and use of the submission service,
 |> would be even simpler.  I've done the latter, and hope to do more with
 |> DKIM soon (but _NOT_ with the milter mess!).
 |
 |Unfortunately DKIM is designed to break forwarding... I can't think of a

That is SPF, which does not survive more than one hop.

 |way to change an email message to make it DKIM-compliant. Mailing lists

That is DMARC. (DKIM default is to ignore failures.)

 |can get away with changing the From: header to something like
 |"l...@example.org (Rhialto via Example-List)" (and that's already an
 |ugly thing to do) but that's not an option for individual mails.

For forwarding what you (UNFORTUNATELY) need is SRS aka https://github.com/roehling/postsrsd.

--steffen
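The two points made across this thread (SPF checks only the IP of the hop that connects to you, so a forwarder's hop can never match the original sender's record, and SRS fixes that by rewriting the envelope sender into the forwarder's own domain) as an added, runnable illustration. This is example code written for this page, not postsrsd or any poster's code: the SPF evaluator covers only the `ip4` and `all` mechanisms, the SRS0 layout uses a shortened base32 keyed hash and a two-character day stamp as a deliberate simplification of the real scheme, and every domain, IP and secret is constructed.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed zone data for the example: none of these are real domains.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.10 -all",
    "softer.example": "v=spf1 ip4:192.0.2.10 ~all",
    "forwarder.example": "v=spf1 ip4:198.51.100.7 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(mail_from_domain, client_ip):
    """Evaluate the ip4/all subset of an SPF record for one SMTP hop.
    The receiver only knows the IP that connected to *it*; after a
    forwarding hop that IP is the forwarder's, while MAIL FROM still
    names the original domain, so the original record cannot match."""
    record = SPF_RECORDS.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, include, ... are not modelled here
        if matched:
            return RESULTS[qualifier]
    return "neutral"


SRS_SECRET = b"constructed-secret-for-the-example"  # hypothetical key
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _srs_hash(payload):
    # Short keyed hash so the forwarder can later tell its own rewrites
    # from forged ones (4 base32 characters, a simplification of real SRS).
    mac = hmac.new(SRS_SECRET, payload.lower().encode(), hashlib.sha1).digest()
    return "".join(_B32[b & 31] for b in mac[:4])


def srs_forward(envelope_from, forwarder_domain, day=None):
    """Rewrite MAIL FROM into the forwarder's own domain (SRS0 layout) so
    the next hop's SPF check runs against the forwarder's record. The
    original sender is kept in the local part behind a day stamp and a
    keyed hash, so bounces can still be routed back."""
    local, _, domain = envelope_from.rpartition("@")
    if day is None:
        day = int(time.time() // 86400)
    stamp = _B32[(day >> 5) & 31] + _B32[day & 31]  # day number mod 1024
    payload = f"{stamp}={domain}={local}"
    return f"SRS0={_srs_hash(payload)}={payload}@{forwarder_domain}"


def srs_reverse(address, today=None, max_age_days=10):
    """Undo srs_forward for a bounce that arrives at the forwarder. Returns
    the original envelope sender, or None when the hash does not verify
    or the stamp is too old (both keep the forwarder from relaying
    arbitrary bounces to third parties)."""
    parts = address.rpartition("@")[0].split("=", 4)
    if len(parts) != 5 or parts[0] != "SRS0":
        return None
    _, digest, stamp, domain, orig_local = parts
    if not hmac.compare_digest(digest, _srs_hash(f"{stamp}={domain}={orig_local}")):
        return None
    if len(stamp) != 2 or any(c not in _B32 for c in stamp):
        return None
    if today is None:
        today = int(time.time() // 86400)
    stamp_day = _B32.index(stamp[0]) * 32 + _B32.index(stamp[1])
    if (today - stamp_day) % 1024 > max_age_days:
        return None
    return f"{orig_local}@{domain}"


def forwarding_demo():
    """Both hops of the scenario the thread discusses."""
    direct = spf_check("sender.example", "192.0.2.10")       # sender's own MX connects
    forwarded = spf_check("sender.example", "198.51.100.7")  # same MAIL FROM, forwarder's IP
    rewritten = srs_forward("alice@sender.example", "forwarder.example", day=500)
    with_srs = spf_check(rewritten.rpartition("@")[2], "198.51.100.7")
    return {"direct": direct, "forwarded": forwarded, "with_srs": with_srs,
            "rewritten": rewritten}


if __name__ == "__main__":
    for k, v in forwarding_demo().items():
        print(f"{k:>10}: {v}")
```

The demo prints `pass` for the direct hop, `fail` for the forwarded hop with an unchanged envelope sender, and `pass` again once the forwarder has rewritten it. Note what SRS does not do: the message body and the From: header are untouched, so a DKIM signature still verifies, and a DMARC check on the From: domain is unaffected by the envelope rewrite.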
Re: IRC
pms-...@outlook.com wrote in :
 |Justin Parrott wrote:
 |> Anybody want to talk about an IRC client?
 |
 |Which one?
 |Most people use web-based interface nowadays AFIK.

irssi. On the server it runs as a "boxed" proxy (for libera.chat via TLS and "SASL"), to which i connect via VPN.
In my .irssi/startup i have

  LOAD perl
  SCRIPT LOAD adv_windowlist

(only script in ~/.irssi/scripts) which is a great thing i could not live without. (Or, better, it should be part of the program as such.)

--End of

--steffen
Re: IRC
Steffen Nurpmeso wrote in <20240410190923.scQRM5JN@steffen%sdaoden.eu>:
 |pms-...@outlook.com wrote in
 | :
 ||Justin Parrott wrote:
 ||> Anybody want to talk about an IRC client?
 ||
 ||Which one?
 ||Most people use web-based interface nowadays AFIK.
 |
 |irssi. On the server it runs as a "boxed" proxy (for libera.chat
 |via TLS and "SASL"), to which i connect via VPN.
 |In my .irssi/startup i have
 |
 |  LOAD perl
 |  SCRIPT LOAD adv_windowlist
 |
 |(only script in ~/.irssi/scripts) which is a great thing i could
 |not live without. (Or, better, it should be part of the program
 |as such.)

Ie: on the laptop. On the server it is "LOAD proxy", and

  3153 root  0:00 /usr/bin/unshare --ipc --uts --pid --fork --mount --mount-proc /usr/sbin/chroot /tmp/.boxircp-steffen/root /init

and with init being (all that built during service startup and dependent on the used unshare/(su(do)|doas|..) infrastructure):

  #!/bin/sh -
  [ -n "y" ] && /bin/mount -n -t proc -o nosuid,nodev,noexec proc /proc
  if [ -n "" ]; then
    arg1="-u steffen"
    arg2=
  else
    arg1='-p -c'
    arg2=steffen
  fi
  exec /usr/bin/su ${arg1} sh -c '
    dtach -n /tmp/.steffen-irssi /usr/bin/irssi
    read x < /linger_control
    pkill -TERM /usr/bin/irssi
    sleep 1
    pgrep /usr/bin/irssi && pkill -KILL /usr/bin/irssi
    echo done > /linger_control
  ' ${arg2}

Yes it is hacky (but portable to busybox-only once i did it) and so, but i can even enter irssi on the server when i am there via ssh (but only windowlist, then). Works for four years i think.

--steffen
just a 10.0 installation comment
Hello.

Thanks and congratulations for 10.0 (again). I installed it last week (VM) and it occurred to me that at one time it asked for a network mechanism, without any help or comment around. I ^D or ^Z, and tried to figure out in the manual (also online, thanks to VM-only), i could simply invoke dhcpcd and the interface was up and running, but after ^D and back at the install thing all bets were off. I have forgotten how i made that great, in the end the "mechanism" was just somehow, magically, "". Any hint for red flag waving idiots like myself would be very much appreciated (for 11.0, then).

(I mean, sure, "Stander Z" aka red flag is forgotten German speaking for what females have to go through monthly. Bitter. And bloody.)

Thank you.

--steffen
Re: TOTP apps, and WebAuthn recommended devices?
Martin Neitzel wrote in <20230323215020.d73d124...@marshlabs-mx.gaertner.de>:
 ...
 |# and if it's the last thing we ever do...

The Cure fan?

 |# 2FA -- 2 Factor Audio, here's the 2nd factor:
 |# https://www.youtube.com/watch?v=lsuQO77n9SE

I hope i do not have to "say hello" to all this.

--End of <20230323215020.d73d124...@marshlabs-mx.gaertner.de>

--steffen
Re: Used HDs
Aaron B. wrote in <2022215247.7526ed9a6e53fc72890d1...@zadzmo.org>:
 ...
 |I always thought of spinning-rust drives like cars: they don't last an
 |amount of time, they wear with use. Like cars lifespan has increased
 |over the years.[.]

I do not follow this statement, at all. You maybe mean American cars still hand-built in Detroit by the poor who came in still drunk from the weekend, or already longing for the weekend, where Wednesday cars were reserved for those with connections (and/or bribe). (Compare Arthur Hailey, "Wheels".) Otherwise except for rust (unless it was avoided already forty and more years ago): no.

--steffen
Re: btrsf
Benny Siegert wrote in :
 |On Wed, Oct 19, 2022 at 1:55 PM Todd Gruhn wrote:

Man did i get spam mails after sending the message.

 |> IS BTRFS in pkgsrc? Where?
 |
 |It's a Linux thing. On NetBSD, there is ZFS, which does the same thing
 |except it doesn't lose your data :)

ZFS is much superior and much bigger. I think in FreeBSD they could end up with only one program for mounting, sharing, creating, etc., filesystems. Booting. It is not at all like this with BTRFS.

(But you better adhere.

. "i have found a ML message from 2013 https://www.spinics.net/lists/linux-btrfs/msg25940.html and i will use cache=writeback for my qemu instances as long as i live on BTRFS. Thanks."
  ^ I also set do-not-copy-on-write on VM directories. So except one VM image that had a messed up last block because of this caching issue, which they should document prominently i think, but do not, i have not lost any data yet.

. receiving snapshots that do not fit the device might be tracked as successful:

    < multicore> stenur: "btrfs sub list -R" check for the received uuid, if it's there then the send should've completed
    < multicore> stenur: if you don't see received uuid then the snap wasn't received successfully
    < stenur> multicore: ..ok.. hm; what is shown for non-successfully received snapshots? For "non-received" aka "local" snapshots it seems to be -
    < darkling> stenur: Then the received_uuid field will be empty.

  ^ I do not know whether they fixed _that_. (That is, their source code said it _cannot_ be empty, it is set to "-" then, and then you cannot differentiate in between a normal local snapshot and a bogus failed received one.)

. Actually shrinking required many rounds regardless of defrag and whatever else i tried, until i ended where it should have ended at first. Some stale metadata seemed to be in the way.
)

--steffen
Re: Backing up "stuff"
Robert Elz wrote in <27074.1666095...@jacaranda.noi.kre.to>:
 |    Date:        Tue, 18 Oct 2022 07:03:08 -0400
 |    From:        Todd Gruhn
 |    Message-ID:
 |
 |  | DVD+DL? I have not heard this name.
 |  | What is DVD-DL?
 |
 |Dual Layer.   Capacity about twice as much as a regular DVD (BluRay discs
 |hold much more however).
 |
 |Needs dual layer blank discs, and a dual layer capable writer.

I used a (dump then BTRFS snapshot) ball splitter for years, in order to save backups to VFAT; the last incarnation was

  echo '== '$mydir': '$i' to '$target
  act mkdir -p "$target"
  act btrfs send $parent "$this" '|' \
    zstd -zc -T0 $ZSTD_LEVEL '|' \
    '('cd "$target" '&&' \
      echo "$this" '>' .stamp '&&' \
      split -a 4 -b 20 -d -')'

  echo '=== '$mydir': receiving snapshot of '$snaps' files'
  act cat "$ball"/"$mydir"/* '|' zstd -dc '|' btrfs receive .
  act btrfs filesystem sync .

Worked just fine.

--steffen
Re: Growing sshd process count
Michael van Elst wrote in :
 |mayur...@acm.org (Mayuresh) writes:
 |
 |>On NetBSD 9.2 amd64 VPS I noticed system slowness and top showed too many
 |>ssh processes - 49 to be precise.
 |
 |>I have blacklistd enabled and approximately in every 2 to 3 minutes a new
 |>IP address is getting blocked.
 |
 |>Using console access I stopped ssh service, killed sshd processes and
 |>restarted. As of writing this the count of sshd processes is 10 again,
 |>when only 2 ssh sessions are shown in `who'.
 |
 |>What explains the count of these processes and what precautions shall I be
 |>taking?
 |
 |Someone is brute-forcing your account passwords.
 |
 |Easiest counter-measure is to use a different port for ssh. So far these
 |attacks go to the standard port (22).

Yes. It will be found someday, but i found it will take time.

 |You can also restrict access to known IPs, either by configuring sshd
 |(for example using /etc/hosts.allow, /etc/hosts.deny) or by adding a
 |permanent IP filter to block access and cloud providers world-wide.

I have a firewall rule

  change_chain i_sshorvpn # {{{
    add_rule -m recent --name sshorvpn --rcheck --seconds XXX --reap \
      --hitcount "${FWCORE_SSH_AND_VPN_CLIENT_HITCOUNT}" \
      -m recent --name alien_super --set \
      -j DROP
    add_rule -m limit --limit 1/m --limit-burst 3 -j LOG --log-prefix "SSH/VPN "
    add_rule -m recent --name sshorvpn --set -j f_m1

where FWCORE_SSH_AND_VPN_CLIENT_HITCOUNT=10, but that is now, it was 3 in the past. alien_super entries are denied further access for many hours. But mind you, there _are_ smart attackers which really find out the --seconds over months!!

I have a port knocker

  # port_knock: input only server
  if [ -n "${SERVER}" ] && fwcore_has_i port_knock; then
    : ${FWCORE_PORT_KNOCK:?\
  port_knock in FWCORE_IPROTOS needs FWCORE_PORT_KNOCK}
    if ipaddr_split ap "${FWCORE_PORT_KNOCK}"; then
      add_rule -p udp --dport ${port} \
        -m recent --name port_knock --set \
        -m recent --name port_knock --rcheck --seconds 60 --reap \
          --hitcount 2 \
        -m recent --name alien_super --set -j DROP
      add_rule -p udp --dport ${port} -j f_m1
    fi
  fi

It performs a white-listing (ie red, yellow, allow) operation. Just in case i bang the above, which i somewhat regularly did with ssh, even though i was using ControlMaster.

I am now using a WireGuard VPN regardless of its developer :-)), and ssh only sits in the VPN on its regular port. WireGuard now solely uses the above sshorvpn rule, but since it bypasses the firewall once a connection stands, i never locked myself out. (Yes i did, but only because i was too quick.) I have only 22 alien_super entries at the moment, whereas in earlier times we were always at the maximum of 250. (WG listens on strange ports.)

--steffen
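The i_sshorvpn chain above relies on the semantics of the iptables `recent` match: `--set` records a timestamp per source, and `--rcheck --seconds S --reap --hitcount N` fires once a source has N recorded hits inside the last S seconds, forgetting older ones. The replay below is an added example written for this page (not the poster's firewall script and not the kernel module) that models those semantics over a constructed connection log, so the effect of `--hitcount` and `--seconds` can be seen, including the case the post warns about: a client that has learnt the window and paces itself just above it. The window value is constructed (the page shows it as XXX), the hitcount of 3 is the older value the post mentions, the LOG rule is omitted, and the rule that enforces alien_super is not on the page, so the model only records membership.

```python
from collections import defaultdict

# Constructed connection log: (seconds since start, source IP).
# 203.0.113.5 hammers every 60 s, 198.51.100.20 logs in a few times a day,
# 192.0.2.77 has worked out the window and spaces its attempts beyond it.
EVENTS = sorted([
    *[(t, "203.0.113.5") for t in range(0, 361, 60)],
    (0, "198.51.100.20"), (1000, "198.51.100.20"), (2000, "198.51.100.20"),
    *[(t, "192.0.2.77") for t in range(0, 2101, 700)],
])


class RecentList:
    """Model of one xt_recent list (the page's 'sshorvpn' / 'alien_super'):
    per source address, the times at which a --set rule saw it."""

    def __init__(self):
        self.seen = defaultdict(list)

    def set(self, src, now):  # -m recent --name X --set
        self.seen[src].append(now)

    def rcheck(self, src, now, seconds, hitcount, reap=True):
        # -m recent --name X --rcheck --seconds S [--reap] --hitcount N
        # Unlike --update, --rcheck does not refresh the entry itself.
        if src not in self.seen:
            return False
        if reap:  # --reap: forget hits that fell out of the window
            self.seen[src] = [t for t in self.seen[src] if now - t <= seconds]
            if not self.seen[src]:
                del self.seen[src]
                return False
        return sum(1 for t in self.seen[src] if now - t <= seconds) >= hitcount


def i_sshorvpn(sshorvpn, alien_super, src, now, window, hitcount):
    """One packet through the page's i_sshorvpn chain (LOG rule left out).
    f_m1 stands for the chain that lets the connection continue."""
    if sshorvpn.rcheck(src, now, window, hitcount):
        alien_super.set(src, now)  # ban list; its enforcing rule is not on the page
        return "DROP"
    sshorvpn.set(src, now)
    return "f_m1"


def replay(events=EVENTS, window=600, hitcount=3):
    """Run every event through the chain; return the per-packet verdicts and
    the sources that ended up in alien_super."""
    sshorvpn, alien_super = RecentList(), RecentList()
    verdicts = [(now, src, i_sshorvpn(sshorvpn, alien_super, src, now, window, hitcount))
                for now, src in events]
    return verdicts, sorted(alien_super.seen)


def verdicts_for(src, verdicts):
    return [v for _, s, v in verdicts if s == src]


if __name__ == "__main__":
    verdicts, banned = replay()
    for now, src, verdict in verdicts:
        print(f"t={now:5d} {src:15s} {verdict}")
    print("alien_super:", banned)
```

With a 600-second window and hitcount 3 the 60-second brute-forcer is dropped from its fourth attempt on, the occasional human never accumulates three hits inside one window, and the paced client at 700-second intervals is reaped every time and never trips the rule; raising the hitcount to 10, the post's current value, lets even the fast client through in this short log, which is the trade-off between false positives on legitimate reconnects and time-to-block.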
Re: Expanding email aliases
Steffen Nurpmeso wrote in <20220726221641.9swt-%stef...@sdaoden.eu>:
 |Steffen Nurpmeso wrote in
 | <20220726174554.l93yh%stef...@sdaoden.eu>:
 ||Martin Neitzel wrote in
 || <20220726172558.1760b34...@marshlabs-mx.gaertner.de>:
 |||SB> Is there a simple way of expanding an email alias, [...]
 ...
 | Unfortunately, while implementing it, i found a dictionary
 | iterator bug that makes `mtaalias' as released flaky as it will
 | potentially store the pointer to a wrong alias name in its
 | name<->expansion map (it stores the pointer into dict[*][0], not
 | to the actual node which is not necessarily [0] but could also
 | be [1..X-1]), which is why the test did not catch the bug.

P.S.: the error is only in the visual output of `mtaalias', not when expanding MTA aliases when sending mails.

 ...

--steffen
Re: Expanding email aliases
Steffen Nurpmeso wrote in <20220726174554.l93yh%stef...@sdaoden.eu>:
 |Martin Neitzel wrote in
 | <20220726172558.1760b34...@marshlabs-mx.gaertner.de>:
 ||SB> Is there a simple way of expanding an email alias, [...]
 ...
 |I was short of suggesting s-nail (the MUA i maintain), but for one
 |the package was not updated to the long current v14.9.24, then we
 |only support a subset of postfix aliases(5)
 ...
 |and then this mail made me realize that we support the desired
 |functionality for Mail aliases, but not for MTA aliases; the
 ...
 |I was in implementing it in the other window.

So i did that (recursive resolve of a given MTA alias) for s-nail v14.10 and gave you credit with above name and email, i hope this is ok, please scream if not.

Unfortunately, while implementing it, i found a dictionary iterator bug that makes `mtaalias' as released flaky as it will potentially store the pointer to a wrong alias name in its name<->expansion map (it stores the pointer into dict[*][0], not to the actual node which is not necessarily [0] but could also be [1..X-1]), which is why the test did not catch the bug.

 |(It is not _so_ trivial to implement postfix aliases(5).)

That too.

--steffen
Re: Expanding email aliases
Martin Neitzel wrote in <20220726172558.1760b34...@marshlabs-mx.gaertner.de>:
 |SB> Is there a simple way of expanding an email alias, [...]
 |
 |The command
 |
 |    sendmail -bv some_alias
 |
 |should help you. With the original sendmail(8) you get the result
 |on stdout while with Postfix' sendmail-compatibility-shim sends you
 |an email with a pseudo delivery report, listing all alias expansions
 |as "Final-Recipients".

I was short of suggesting s-nail (the MUA i maintain), but for one the package was not updated to the long current v14.9.24, then we only support a subset of postfix aliases(5)

  mta-aliases
    [Option] If set to a path pointing to a text file in valid MTA (Postfix) aliases(5)[729] format, the file is loaded and cached (manageable with mtaaliases[236]), and henceforth plain ‘name’ (see expandaddr[417]) message receiver names are recursively expanded as a last expansion step, after the distribution lists which can be created with alias[144]. Constraints on aliases(5)[730] content support: only local addresses (names) which are valid usernames (‘[a-z_][a-z0-9_-]*[$]?’) are treated as expandable aliases, and [v15 behaviour may differ] ‘:include:/file/name’ directives are not supported. By including ‘-name’ in expandaddr[417] it can be asserted that only expanded names (mail addresses) are passed through to the MTA.

and then this mail made me realize that we support the desired functionality for Mail aliases, but not for MTA aliases; the mtaaliases command only offers show aka list mode

  $ s-nail -RS mta-aliases=/tmp/test -X 'mtaa;x'
  root: steffen
  mltest: "|\"/usr/local/lib/s-ml/urunml send.sh testml /tmp\""
  mailer-daemon: postmaster
  postmaster: root
  bin: root
  daemon: root
  ...

and the output is wrapped to fit on the terminal. But what he wants is this:

  $ s-nail -# -X 'alias ich;x'
  alias ich 'Steffen Nurpmeso '

I was in implementing it in the other window. (It is not _so_ trivial to implement postfix aliases(5).)

--steffen
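The recursive MTA alias resolution discussed in this thread (the `mta-aliases` description above, and the `mtaalias` expansion the follow-up messages describe) as an added, runnable example. This is example code written for this page, not s-nail's implementation: it parses a constructed aliases(5) sample whose `mltest` line only mirrors the shape of the output shown above, follows only names that satisfy the page's username constraint, treats addresses, `|command` and `/file` targets as leaves, does not model `:include:` or continuation lines, and reports a loop instead of recursing forever, which is the case a naive expander gets wrong.

```python
import re

# Constructed aliases(5) sample for the example; not any real host's table.
ALIASES_TEXT = """\
# comments and blank lines are skipped
root:          steffen
postmaster:    root
mailer-daemon: postmaster
mltest:        "|/usr/local/lib/s-ml/urunml send.sh testml /tmp"
staff:         steffen, bob, ops
ops:           bob, root
loop-a:        loop-b
loop-b:        loop-a
"""

# The page's constraint on which local names count as expandable aliases.
USERNAME = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")


class AliasLoop(Exception):
    """Raised when an alias reappears on its own expansion path."""


def _split_targets(rhs):
    """Split an alias right-hand side on commas, but not inside double
    quotes, and strip the quotes (so `|command` targets survive intact)."""
    out, cur, quoted = [], [], False
    for ch in rhs:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return [t.strip() for t in out if t.strip()]


def parse_aliases(text):
    """name -> list of targets; names are compared case-insensitively."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rhs = line.partition(":")
        if not sep:
            continue  # not an alias line (continuation lines are not modelled)
        table[name.strip().lower()] = _split_targets(rhs)
    return table


def expand(table, name, _path=()):
    """Recursively resolve `name` to its final recipients, in first-seen
    order without duplicates. Only names that look like local usernames
    and exist in the table are followed; an address, a `|command`, a
    `/file` or an unknown local name is a leaf."""
    key = name.lower()
    if not USERNAME.match(key) or key not in table:
        return [name]
    if key in _path:
        raise AliasLoop(" -> ".join(_path + (key,)))
    result = []
    for target in table[key]:
        for recipient in expand(table, target, _path + (key,)):
            if recipient not in result:
                result.append(recipient)
    return result


if __name__ == "__main__":
    table = parse_aliases(ALIASES_TEXT)
    for alias in ("mailer-daemon", "staff", "mltest", "loop-a"):
        try:
            print(f"{alias}: {expand(table, alias)}")
        except AliasLoop as e:
            print(f"{alias}: loop {e}")
```

The path-based loop check (rather than a global "already visited" set) matters: `staff` reaches `steffen` twice, via its own list and via `ops -> root`, and that is legitimate fan-in that must be deduplicated, not a loop; only a name that recurs on the chain leading to itself is one.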
Re: TrueType fonts not showing up
Martin Neitzel wrote in <20220523172301.59dd734...@marshlabs-mx.gaertner.de>:
 |Steve Blinkhorn:
 |> I would be grateful for a pointer to a description of how to ensure
 |> TrueType fonts in /usr/X11R7/lib/X11/fonts/TTF are available for use.
 |> I have some, but they don't show up with xlsfonts, so I imagine
 |> there's some misconfiguration or lack of configuration.  I last
 |> tangled with X11 fonts a looong time ago.
 |
 |Scalable fonts get managed with "font-config", for example:
 |
 |    fc-list
 |    fc-list :scalable=true:spacing=mono: family
 |
 |    xterm -fa 'Luxi Mono' -fs 24

I use

  $ cat /x/src/ttf-fonts/update.sh
  #!/bin/sh -

  # subshell body: the cd into one directory does not leak into the next
  doone() (
    echo "$1.."
    cd "$1" || exit 21
    # xset +fp `pwd`
    mkfontscale
    mkfontdir
    rm -f .uuid
    fc-cache -f .
  )

  while [ $# -gt 0 ]; do
    doone "$1" || exit $?
    shift
  done

  #xset fp rehash
  #fc-cache -r

And in /etc/fonts/fonts.conf (i did nothing) it says (among a lot of other things i do not understand -- i mean, XML, really)

  /usr/share/fonts
  /usr/local/share/fonts

And basically i only have some fonts in /usr/share/fonts/X11/TTF/. That works (it is a Linux though, i hope that does not matter).

 | HTH, Martin Neitzel

--End of <20220523172301.59dd734...@marshlabs-mx.gaertner.de>

--steffen
Re: Option -p in apropos(1)
Rocky Hotas wrote in <20220517075839.k77w2qykeibhvrhc@delpotro>:
 |On mag 16 21:05, Steffen Nurpmeso wrote:
 |>
 |> I have no idea but does the program combo honour $LESS
 |
 |Sorry, I can understand what you are meaning. Variable $LESS in my shell
 |appears to be empty.

Well it seems there are deeper issues than that.

 |> does it contain use of alternate screen and quit-at-eof?
 |
 |I don't know how to verify this.

  #?0|kent:$ alias v
  alias v='LESS= less -RIFe'
  #?0|kent:$ echo $LESS
  -IFe

 |> What does "LESS= apropos X" do?
 |
 |It prints the apropos(1) results in the default appearance, without a
 |pager, as `apropos X' would do.

Well it is fixed now, is it.

--steffen
Re: Option -p in apropos(1)
David H. Gutteridge wrote in :
 |On Mon, 16 May 2022 at 21:05:59 +0200, Steffen Nurpmeso wrote:
 |>Rocky Hotas wrote in
 |> <20220516180129.gwvmvesgw4dxeage@delpotro>:
 |>|On mag 16 18:11, Rocky Hotas wrote:
 |>|>
 |>|> Am I doing something wrong?
 |> ...
 |>|perl5320delta (1) what is new for perl v5.32.0
 |>|...Configure 4 For clang++, add "#include " to Configure's
 |>|probes for "futimes", "strtoll", "strtoul", "strtoull", "strtouq",
 |>|otherwise the probes would fail to compile. 4 Use a compile and run
 |>|test for "lchown" to satisfy clang++ which should more...
 |>|
 |>|--More--(byte 3792)myhostname$
 |>|
 |>|Where `myhostname$' is my bash prompt. So, more(1) tries to start, but
 |>|it immediately exits.
 |> ...
 |>I have no idea but does the program combo honour $LESS and if so
 |>does it contain use of alternate screen and quit-at-eof?
 |>What does "LESS= apropos X" do?
 |>And are there terminal controls somewhere in the one page.
 |>Other than that it gets more complicated.
 |
 |It does accept $PAGER as a definition of what tool to use for the
 |purpose, though that wasn't documented in the apropos(1) man page. I
 |just added it.
 |
 |Due to evidently historical reasons (as I understand it), interestingly
 |the man(1) code handles this rather differently than apropos(1) does,
 |with more considerations (about checking and sanitizing input), and a
 |different call to run the pager.

It was quite heavily broken, far beyond what i thought, it seems.

--steffen
Re: Option -p in apropos(1)
Rocky Hotas wrote in <20220516180129.gwvmvesgw4dxeage@delpotro>:
 |On mag 16 18:11, Rocky Hotas wrote:
 |>
 |> Am I doing something wrong?
 ...
 |perl5320delta (1) what is new for perl v5.32.0
 |...Configure 4 For clang++, add "#include " to Configure's
 |probes for "futimes", "strtoll", "strtoul", "strtoull", "strtouq",
 |otherwise the probes would fail to compile. 4 Use a compile and run
 |test for "lchown" to satisfy clang++ which should more...
 |
 |--More--(byte 3792)myhostname$
 |
 |Where `myhostname$' is my bash prompt. So, more(1) tries to start, but
 |it immediately exits.
 ...

I have no idea but does the program combo honour $LESS and if so does it contain use of alternate screen and quit-at-eof? What does "LESS= apropos X" do? And are there terminal controls somewhere in the one page. Other than that it gets more complicated.

--steffen
Re: Release
Greg A. Woods wrote in :
 |At Sun, 19 Dec 2021 20:23:20 -0500, Greg Troxel wrote:
 |Subject: Re: Release
 |>
 |> What's messy is the idea that when replying to the list one should send
 |> to *only* the list.  That has some merit, but the standards are murkier
 |> (Mail-Followup-To:) and implementation of them somewhat sparse.
 |
 |Well, no, there's nothing murky about it _in_the_standards_, even going
 |all of the way back to RFC-822.  It's called "Reply-To":
 |
 |     4.4.3.  REPLY-TO / RESENT-REPLY-TO
 |
 |        This field provides a general mechanism for indicating any
 |        mailbox(es) to which responses are to be sent.
 ...
 |(To be even more pedantic, "Mail-Followup-To", and the even more bogus
 |"mail-reply-to" are stupid inventions by people who didn't understand
 |RFC 822 clearly enough, and were, in some part, clueless attempts to

We now even have a standardized Author: field (RFC 9057).

I like M-F-T: very much, unfortunately it never became a standard. M-F-T: is not the same as R-T:, unfortunately i used them as being equivalent and that is wrong. Still in the wild.

RFC 9057

   *  Mediators might create a Reply-To: field with the original From:
      field email address.  This facilitates getting replies back to the
      original author, but it does nothing to aid other processing or
      presentation done by the recipient's Mail User Agent (MUA) based on
      what it believes is the author's address or original display name.
      This Reply-To action represents another knock-on effect (e.g.,
      collateral damage) by distorting the meaning of that header field,
      as well as creating an issue if the field already exists.

 |abuse Usenet headers that were somewhat over-specified again by people
 |who apparently didn't understand RFC 822 clearly enough.  Of course some
 |of the problem was exacerbated by software that had been designed and
 |implemented by people who didn't understand (or maybe appreciate) RFC
 |822 clearly enough, which sadly included BSD mail and some mailing list
 |software.)

--steffen
Re: Custom CD mixes
Todd Gruhn wrote in :
 |On Sat, Jul 10, 2021 at 6:42 AM Benny Siegert wrote:
 |>> On 09.07.2021 at 21:45, Todd Gruhn wrote:
 |>>
 |>> If I wanna pull the music off CDs and make a custom album, is there \
 |>> a package
 |>> that would allow me to choose the songs, and play order?
 |>
 |> Rhythmbox is a good software for organizing your music collection \
 |> and creating playlists.
 |>
 |> If you want to burn an audio CD, the way I used to do it is:
 |>
 |> 1. Convert to wav (not sure that rhythmbox can do it)
 |> 2. Write a cue file and burn the CD with cdrdao. The cue file format \
 |> is easy enough to do by hand, and it allows you to control gaps and such.
 |>
 |> There are CD writing GUIs in pkgsrc if you prefer that.
 |Thanks Benny. I was hoping I would not have to write my own

Hm, hmmm, well. I also have written some small tools.

An info / audio extractor which works on all BSDs (DragonFly, Free, Net and Open tested) as well as Linux. It was not tested with mixed-mode CDs, but other than that it never left me in the lurch with the CDs i threw at it (with the drive i have). The extracted info can easily be grasped by shell scripts. s-cdda(1)[1] ball is ~18KB.

Much earlier (~Y2K) i have written a script that rips CDs (now solely through s-cdda(1)), converts the extracted audio to several different formats (Opus support untested, but Ogg Vorbis (via oggenc(1)), flac, mp4 (via faac(1)), and mp3 (via lame) is; ogg and mp4 i use myself), by default after normalizing the volume across the tracks if applicable (via sox(1)), and stores them in per-CD directories under an umbrella path. Together with a music.db UTF-8 text file which describes the data (most of that also stored in the songs itself, but that needs extractor tools say). This (quite easily parsable) plain text format can deal with ("represent") classical music ("artist layout") much better than any other tool i know.

It is easy to create symlink farms or whatever else is desired from the music.db as well as the songs, no shell quoting issues, for example. I have added MusicBrainz support last year, after the CDDB was turned off (but for the copy that GNU offers), so normally the fields are (somewhat) filled in automatically. Anyhow, it is a simple terminal program that asks for the tracks that should be ripped, and "guides" through the process. [2] is ~33KB.

Caveats: it should be used with the perl(1) -C command line flag, a ~twenty years old habit of mine that was just recently changed after i had the according discussion in an OpenSSL ticket; i adjusted the code (of quite some scripts) to use setlocale(3) instead, but no release with that yet; [3] has it (server supports on-the-fly compression).

Burning not from here.

  [1] https://ftp.sdaoden.eu/s-cdda-0.8.5.tar.gz
  [2] https://ftp.sdaoden.eu/s-cdda-to-db-0.7.0.tar.gz
  [3] https://git.sdaoden.eu/browse?p=s-toolbox.git;a=blob_plain;f=s-cdda-to-db.pl

--steffen
Re: XDG_RUNTIME_DIR
RVP wrote in :
 |On Mon, 26 Apr 2021, Steffen Nurpmeso wrote:
 |
 |> RVP wrote in
 |> :
 |> ...
 |>|There should be a removal of the dirs. on the user's final session
 |>|logout, I think.
 |>
 |> This is impossible to do with pam that i never liked (nor
 |> understood, in FreeBSD ~twenty years ago),
 |>
 |
 |Use POSIX shm_open+sem_open? That should let you do proper reference
 |counting w/o a server. You'll have to pull in -lrt on Linux & NetBSD
 |for this though...

Well, that module had (file-locked file-based) reference counting. It will not work with programs backgrounding away, like tmux. Unless you PAMify them all. Even then. Any shell script can background away.

You thus need a global authority collecting all per-user programs that execve(2) away from a (child of a) program who enabled a session, which was what i (who never looked into this, being a fan of runit or just nothing but SysV init or say OpenBSD, and who never touched FreeBSD PAM stuff but just used what shipped) would have expected .. it seems. Because i was surprised to find out that was not what was happening (and shouldn't it be nothing but a single bit and some kind of notification). I dislike all the people liking systemd for allowing exactly this.

--steffen
Re: XDG_RUNTIME_DIR
RVP wrote in :
 |On Sat, 24 Apr 2021, Steffen Nurpmeso wrote:
 |
 |> If you run Linux you could also use the pam_xdg module i have
 |> written. For example my /etc/pam.d/common-session is
 |>
 |>   session optional pam_xdg.so notroot
 |>   session required pam_unix.so quiet
 |>
 |> and the stuff is as attached. It handles the other directories of
 |> the standard as well.
 |>
 |
 |This is, I presume, for Linux systems without systemd and pam_env.so?

systemd yes, pam_env no. pam_env is pretty fat and does a lot of things which are not needed here. And of course it does not create directories.

 ...
 |There should be a removal of the dirs. on the user's final session
 |logout, I think.

This is impossible to do with pam that i never liked (nor understood, in FreeBSD ~twenty years ago), but CRUX gained it with 3.6, and i was right when looking from the code side. 'Thing is, while doing this, i looked at code from login (of shadow) and all that, and it is a pity if you see all the construction sites .. the possibilities that have been buried there .. because of pam .. because of systemd. You rather look to some BSD with steady iterations and improvements on login.conf or another mechanism. I mean there is "finit", but that is a complicated mess also it seems.

Yeah i mean, all this started because someone here was using a server (written in R or another new/strange language that came in as a dependency) that was doing pam to do only the RUNDIR part of the game. But it is bitter, only the real unshare(1) with a new PID 1 can do real book keeping, from user space. I would have expected actual support for this, yes. Like it is, PAM sessions are a gracy thing (imho).

I personally use my /run/user/UID only for unshare(1) box roots. I do not have graphical programs but st(1) and firefox-bin (with audacity still in the line to come). But the thing does it and is used.

--steffen
Re: XDG_RUNTIME_DIR
RVP wrote in :
 |On Sat, 24 Apr 2021, RVP wrote:
 |
 |> 3. ~/.xinitrc
 |>   if [ -x /usr/local/bin/dbus-launch -a -z "${DBUS_SESSION_BUS_ADDRESS}" ]; then
 |>       eval $(dbus-launch --sh-syntax --exit-with-session)
 |>   fi
 |>
 |
 |Correction: On NetBSD that would be:

If you run Linux you could also use the pam_xdg module i have written. For example my /etc/pam.d/common-session is

  session optional pam_xdg.so notroot
  session required pam_unix.so quiet

and the stuff is as attached. It handles the other directories of the standard as well. (Unfortunately i could not subscribe to the RedHat hosted PAM list for inclusion upstream, i gave up after trying several times.) Could be ported to NetBSD with little effort (unfortunately PAM is not really portable).

--steffen

Attachment pam_xdg.c (the archived copy ends mid-function; the header names inside the #include lines did not survive the archive and are restored to the ones the visible code needs):

/*@ pam_xdg - manage XDG Base Directories (runtime dir life time, environment).
 *@ Create /run/user/`id -u` when the first session is opened.
 *@ It also creates according XDG_RUNTIME_DIR etc. environment variables in the
 *@ user sessions, except when given the "runtime" option, in which case it
 *@ only creates XDG_RUNTIME_DIR and not the others.
 *@ Place for example in /etc/pam.d/common-session one of the following:
 *@   session options pam_xdg.so [runtime] [notroot]
 *@ Notes: - according to XDG Base Directory Specification, v0.7.
 *@        - Linux-only (i think).
 *
 * Copyright (c) 2021 Steffen Nurpmeso .
 * SPDX-License-Identifier: ISC
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/* For these a leading \1 is replaced with struct passwd::pw_dir.
 * Be aware we use a stack buffer for storage */
#define a_XDG_DATA_HOME_DEF "\1/.local/share"
#define a_XDG_CONFIG_HOME_DEF "\1/.config"
#define a_XDG_DATA_DIRS_DEF "/usr/local/share:/usr/share"
#define a_XDG_CONFIG_DIRS_DEF "/etc/xdg/"
#define a_XDG_CACHE_HOME_DEF "\1/.cache"

/* */
#define a_XDG "pam_xdg"

#define a_RUNTIME_DIR_OUTER "/run" /* This must exist already */
#define a_RUNTIME_DIR_BASE "user" /* We create this as necessary, thus. */
#define a_RUNTIME_DIR_BASE_MODE 0755 /* 0711? */

/* >8 -- 8< */

/*
#define _POSIX_C_SOURCE 200809L
#define _ATFILE_SOURCE
*/
#define _GNU_SOURCE /* Always the same mess */

/* Header names lost in the archive; these are what the code below uses
 * (struct stat, errno/EINVAL, PATH_MAX, getpwnam, strcmp, the PAM API) */
#include <sys/stat.h>
#include <errno.h>
#include <limits.h>
#include <pwd.h>
#include <string.h>
#include <security/pam_modules.h>

/* _XOPEN_PATH_MAX POSIX 2008/Cor 1-2013 */
#ifndef PATH_MAX
# define PATH_MAX 1024
#endif

static int a_xdg(int isopen, pam_handle_t *pamh, int flags, int argc, const char **argv);

static int
a_xdg(int isopen, pam_handle_t *pamh, int flags, int argc, const char **argv){
   /* wbuf is sized for the larger of the two environment strings built here */
   char uidbuf[sizeof "18446744073709551615"],
      wbuf[((sizeof("XDG_RUNTIME_DIR=") + sizeof(a_RUNTIME_DIR_OUTER) +
            sizeof(a_RUNTIME_DIR_BASE) + sizeof("18446744073709551615")) |
         (sizeof("XDG_CONFIG_DIRS=") + PATH_MAX)) +1];
   struct stat st;
   struct passwd *pwp;
   char const *emsg;
   int cwdfd, only_runtime, notroot, res, uidbuflen;
   char const *user;
   (void)flags;

   user = "";
   cwdfd = -1;
   only_runtime = notroot = 0;

   /* Command line */
   if(isopen){
      for(; argc > 0; ++argv, --argc){
         if(!strcmp(argv[0], "runtime"))
            only_runtime = 1;
         else if(!strcmp(argv[0], "notroot"))
            notroot = 1;
         else if(!(flags & PAM_SILENT)){
            emsg = "command line";
            errno = EINVAL;
            goto jerr;
         }
      }
   }else
      goto jok; /* No longer used, session counting does not work */

   /* We need the user we go for */
   /* (the "&user" argument was dropped by the archive and is restored here) */
   if((res = pam_get_item(pamh, PAM_USER, (void const**)&user)) != PAM_SUCCESS){
      user = "";
      emsg = "cannot query PAM_USER name";
      goto jepam;
   }

   if((pwp = getpwnam(user)) == NULL){
      emsg = "host machine does not know about user";
      errno = EINVAL;
      goto jerr;
   }

   if(notr
Re: blocklistd: How to keep my dynamic IP from getting blocked
Mayuresh wrote in <20210331170102.GA1969@localhost>:
 |On Wed, Mar 31, 2021 at 09:42:45AM -0700, Greg A. Woods wrote:
 ...
 |> That becomes more complicated if it's the remote (client) side that has
 |> the changing address and you don't already have a pre-determined way to
 |> do these updates and actions based on a remote trigger or some other
 |> kind of locally initiated monitoring.
 |
 |I can arrange for a client side device to 'inform' the server when the IP
 |changes. When this happens, the server may whitelist it at npf level. But
 |if later, blocklistd tries to block it, what exactly happens. Is it
 |something like I have to put the whitelisting at the end of the filter
 |list or something so that it will have higher precedence than blocklistd?

Btw i now use WireGuard VPN and use the same strict rules as for OpenSSH on the port. This works nice since once handshakes are done those ListenPort's are no longer beaten at.

Despite having a port-knocker at hand to whitelist my IP for another try (i sometimes have _very_ bad internet connection and then a SSH handshake did not complete, causing me (the dynamic IP that is "me" for the server) to become blacklisted, so i searched for a way out while keeping the strict rules), i have implemented a WireGuard specific watchdog which runs via cron every quarter of an hour i think. It looks at the "Endpoint", and whitelists it in an "i_good" chain that is inspected after RELATED,ESTABLISHED but before i_alien, i_tcp_new aka i_udp and i_rejector. Like this the worst that can happen is that i am blacklisted for i think 15 minutes, after that we get through again.

One bad effect is that i have multiple VPNs for different purposes, and so IP addresses may be whitelisted to beat at WireGuard ports (only!) which are long used by someone else.

--steffen
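The watchdog described above, as an added shell example that is not Steffen's script: it reads the Endpoint list of a WireGuard interface and emits the iptables commands that rebuild the i_good chain, limited to udp/ListenPort as the post insists. The interface name wg0, the port 51820 and the `apply` argument are assumptions; the chain names come from the post, and the endpoint listing is a constructed sample.

```shell
#!/bin/sh
# Added example, not the watchdog from the post. Assumed: WireGuard interface
# wg0 listening on udp/51820; chain names i_good, i_alien, i_tcp_new,
# i_rejector as described in the post. Cron line (assumed path):
#   */15 * * * *  /usr/local/sbin/wg-watchdog apply >/dev/null 2>&1
WG_IFACE="${WG_IFACE:-wg0}"
WG_PORT="${WG_PORT:-51820}"
GOOD_CHAIN="${GOOD_CHAIN:-i_good}"

# Constructed sample of `wg show wg0 endpoints` output (public-key TAB
# endpoint); the keys are fake placeholders, the addresses are documentation
# ranges. Peer 2 never completed a handshake, peer 3 is IPv6, peer 4 shares
# an address with peer 1 behind NAT.
SAMPLE_ENDPOINTS="$(printf '%s\t%s\n' \
  'PEERKEY1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=' '198.51.100.23:51820' \
  'PEERKEY2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=' '(none)' \
  'PEERKEY3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=' '[2001:db8::5]:51820' \
  'PEERKEY4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=' '198.51.100.23:40001')"

# endpoint_ips: read `wg show <if> endpoints` lines on stdin and print each
# peer's current IPv4 address once. "(none)" means no handshake yet, so
# nothing to whitelist; bracketed IPv6 endpoints belong to ip6tables and
# are skipped here.
endpoint_ips() {
  awk -F'\t' '
    $2 == "(none)" || $2 ~ /^\[/ { next }
    { sub(/:[0-9]+$/, "", $2); if (!seen[$2]++) print $2 }'
}

# good_chain_rules: print the iptables commands that rebuild i_good so it
# accepts only WireGuard datagrams (udp/ListenPort) from the current
# endpoints. Flushing first drops addresses a peer has since moved away
# from, so the "someone else now owns that IP" window the post mentions is
# bounded by one cron period.
good_chain_rules() {
  printf 'iptables -F %s\n' "$GOOD_CHAIN"
  endpoint_ips | while read -r ip; do
    printf 'iptables -A %s -s %s -p udp --dport %s -j ACCEPT\n' \
      "$GOOD_CHAIN" "$ip" "$WG_PORT"
  done
}

# input_chain_order: the one-time INPUT layout the post describes; i_good is
# consulted after RELATED,ESTABLISHED and before the stricter chains, so a
# whitelisted endpoint gets through even while the rejector would block it.
input_chain_order() {
  printf '%s\n' \
    'iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
    "iptables -A INPUT -j $GOOD_CHAIN" \
    'iptables -A INPUT -j i_alien' \
    'iptables -A INPUT -j i_tcp_new' \
    'iptables -A INPUT -j i_rejector'
}

# apply_watchdog: feed the live endpoint list through and execute the rules.
apply_watchdog() {
  wg show "$WG_IFACE" endpoints | good_chain_rules | sh -e
}

if [ "${1:-}" = apply ]; then
  apply_watchdog
else
  printf '%s\n' "$SAMPLE_ENDPOINTS" | good_chain_rules
fi
```

Without `apply` the script only prints the rules it would run for the constructed sample.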
Re: cvs better than git?
Greg A. Woods wrote in :
 |At Mon, 22 Jun 2020 09:37:30 +0200, a l3x wrote:
 |Subject: Re: cvs better than git?
 |> git follows a snapshot like approach to version control. but this view of
 |> history bites you as can be seen in "merge commits". requiring "rebasing"
 |> things and actually "rewriting history". this is what i dislike about the design
 |> of git. it is just a hash based object store. maybe that's the reason
 |> why the cli is cluttered with lots of details. merge commits call for trouble and for
 |> rebase, this is why i consider the design of git as VCS broken at best.
 |
 |I wouldn't call it broken, not by a long shot -- it's just an outgrowth
 |of our history of using lesser tools which provide a per-file snapshot.

And i do not understand the reasoning given that people, including myself, directly hacked in CVS aka RCS backing store. You do not need to merge, or even are required to rebase, or whatever in git. Just do "git rm -rf '*'" and then dump whatever you wanna (for example "git archive NAME-OF-BRANCH|tar -xzf -", if that is how you configured it), then "git add .", "git commit -m happy", and it'll gobble up.

Also, except for submodule stuff, you just cannot wreck git so that you have to reclone it, as has been said in this thread several times insistingly. You do not spend a day with three people to figure out what is wrong. You have local and external references (aka "git help remote"), and a commit history leading to those "heads", to use Mercurial speech (iirc). I never used the reflog, and i for myself have to deal with only one project which uses submodules, however. But noone said you have to use that.

--steffen
Re: "hg clone https://anonhg.netbsd.org/src/" still aborts, but...
Chavdar Ivanov wrote in : |I've been watching the discussion with interest, as I am not |particularly verse in these topics; perhaps I've done something not |correctly, but on my 6 years old laptop (4c8t, 20GB memory, core-i7 |3820-qm) the full ' hg clone https://anonhg.netbsd.org/src/' (on a ZFS |placed on an mSATA device) took some 45-50 minutes; the resulting repo |takes about 5GB. I am cloning xsrc right now and will go through a More of that stuff please. This is for you who make their money with managing/creating internet infrastructure! And for all the bored black, white, yellow and red teenagers, their first world internet connection, consuming also while in their Upper East Side apartment. |full build. --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Re: "hg clone https://anonhg.netbsd.org/src/" still aborts, but...
Greg A. Woods wrote in :
 |At Fri, 12 Jun 2020 00:26:26 -0700, "Greg A. Woods" wrote:
 |Subject: Re: "hg clone https://anonhg.netbsd.org/src/; still aborts, but...
 |>
 |> I'll now fire up a new "git clone" next for a more up-to-date
 |> comparison. There will be another rsync && cvs start during this, just
 |> to be fair. :-)
 |
 |And it's done. The whole "git clone" completed far faster than just the
 |last "hg checkout trunk" step (i.e. in just under 1.5hrs, 36mins faster
 |than the HG checkout alone, and 3.5hrs faster than the whole "hg clone"):
 |
 |00:01 [685] $ time git clone https://github.com/NetBSD/src g-NetBSD-src-test
 |Cloning into 'g-NetBSD-src-test'...
 |remote: Enumerating objects: 1274, done.
 |remote: Counting objects: 100% (1274/1274), done.
 |remote: Compressing objects: 100% (875/875), done.
 |remote: Total 5117234 (delta 642), reused 675 (delta 396), pack-reused 5115960
 |Receiving objects: 100% (5117234/5117234), 1.87 GiB | 2.42 MiB/s, done.
 |Resolving deltas: 100% (3876350/3876350), done.
 |Checking out files: 100% (171999/171999), done.
 |     5061.00s real   510.15s user   409.84s system
 |01:26 [686] $
 |
 |The last step, the checkout, took most of the time, at least an hour, so
 |on a local fast disk that wasn't otherwise being bombarded by background
 |activity, it would have been decently fast and arguably "usable", all
 |things considered.

Fwiw, i also cloned NetBSD git from github again, just yesterday! I edited config (added netbsd-8 and netbsd-9 which i had not yet, in the old config i carried along):

  -rw-r----- 1 steffen code 322 Jun 11 16:40 config

then cloned:

  #?0|kent:net-src.git$ git fetch
  remote: Enumerating objects: 1586, done.
  remote: Counting objects: 100% (1586/1586), done.
  remote: Compressing objects: 100% (1090/1090), done.
  remote: Total 3139135 (delta 730), reused 717 (delta 494), pack-reused 3137549
  Receiving objects: 100% (3139135/3139135), 1.27 GiB | 1.31 MiB/s, done.
  Resolving deltas: 100% (2458013/2458013), done.
  From https://github.com/NetBSD/src
   * [new branch]      trunk      -> origin/trunk
   * [new branch]      netbsd-8   -> origin/netbsd-8
   * [new branch]      netbsd-9   -> origin/netbsd-9
  #?0|kent:net-src.git$ ll .git/objects/pack/
  total 1426248K
  drwxr-s--T 1 steffen code         16 Apr 27  2019 ../
  -r--r----- 1 steffen code 1372573771 Jun 11 16:58 pack-70bb3164693bdcc104ac5f8e57d93e28c63fd187.pack
  -r--r----- 1 steffen code   87896852 Jun 11 16:58 pack-70bb3164693bdcc104ac5f8e57d93e28c63fd187.idx
  drwxr-s--T 1 steffen code        198 Jun 11 16:58 ./

(Had it all the time, but not cloned, restricted internet bandwidth, etc. etc. Old box could not handle such large repos at all. Now i am complete again.) (But 9front is missing, it uses Mercurial that everybody drops support for, i.e., even bitbucket.)

Sometimes 2 Mbit/s, really good connection i had. 18 Minutes!!

  #?0|kent:net-src.git$ git gcap
  Enumerating objects: 3139135, done.
  Counting objects: 100% (3139135/3139135), done.
  Delta compression using up to 4 threads
  Compressing objects: 100% (3105124/3105124), done.
  Writing objects: 100% (3139135/3139135), done.
  Total 3139135 (delta 2501467), reused 610835 (delta 0), pack-reused 0
  Expanding reachable commits in commit graph: 280837, done.
  #?0|kent:net-src.git$ ll .git/objects/pack/
  total 1188348K
  drwxr-s--T 1 steffen code         16 Apr 27  2019 ../
  -r--r----- 1 steffen code 1128965592 Jun 11 17:19 pack-4dba9b43ee8e134c8a884eed2356916d7f3aabdd.pack
  -r--r----- 1 steffen code   87896852 Jun 11 17:19 pack-4dba9b43ee8e134c8a884eed2356916d7f3aabdd.idx
  drwxr-s--T 1 steffen code        198 Jun 11 17:19 ./

Hell i am *so* happy to have this new (well, a 14 months) box with four processors and one of these unbelievable NVME SSDs which scrubes at 1.2 GB/s!! <20 Minutes to fully garbage collect and prune a repository of over three millions objects and over a Gigabyte of data, that is sheer grazy. In the past i had git dying after six and more hours, because it could not make its way through on the old 2 GB RAM machine.

And it is always astonishing to see that only FreeBSD manages to create a garbage collected repository that is larger than the Linux kernel (of which i have linux-4.19.y and linux-5.4.y only). I have not used it yet, but git now offers partial checkouts, so with a shallow clone and a partial one-directory checkout the last point of criticism i had has finally vanished.

I for one am so happy to have this version control system, it cannot be said. Really. About ten years now, and the feeling stays, and even gets better. Yes.

--steffen
Re: Securing DNS traffic
Sad Clouds wrote in <20200525152338.beed20b18e42642ec3403...@gmail.com>:
 |On Fri, 22 May 2020 22:38:19 +0100
 |Sad Clouds wrote:
 |
 |> It seems there are two main security enhancements for DNS:
 |>
 |> 1. DNSSEC - digital signatures for DNS records to verify they haven't
 |> been tampered with.
 |>
 |> 2. DNS over TLS - encryption of DNS traffic for privacy. This goes via
 |> port 853 and could be over TCP or UDP (DTLS), although it's not clear
 |> to me if both TCP and UDP are always supported, or if it's mainly TCP.
 |
 |I've been doing some more research and came across this article on DNS
 |hijacking
 |
 |https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
 |
 |Some of the techniques they describe seem to follow these steps:
 |
 |1. DNS account is compromised and either A or NS records are changed to
 |   point to a bogus server.
 |2. User connects to "email.mydomain.com" which is sent to a bogus
 |   server that acts as a "man in the middle", collecting credentials
 |   and then forwarding everything to the real "email.mydomain.com"
 |
 |I think TLS was designed to avoid "man in the middle" attacks, but it
 |seems in this case a bogus server is using its own "valid" TLS
 |certificate and then proxying connections to the real server.
 |
 |I don't quite understand how this works. Is it the case of somebody
 |creating a second valid TLS certificate for "email.mydomain.com" in
 |order to masquerade as a genuine email server? So if different CAs can
 |issue such certificates, how do you mitigate such attacks? Isn't this a
 |flaw in the PKI design to have different CAs that can vouch for the same
 |domain?

First TLS works with a local pool of trusted certificates. Any remote party who has a certificate that has been signed by one of the certificates in your local CA pool is automatically trusted.

Then DNS is a decentralized datastore with some root servers (though in fact there are multiple "roots" as some countries do not like that most of those root servers are in fact USA). Then there are (local) stub resolvers (like in the C library, some of them fully caching answers, some reissuing each and every request), then recursive resolvers, which can fully handle DNS with redirects and data collection etc. unless a query (of a stub resolver or what) can be truly answered (or not, of course). Data is organized in zones, and servers/recursive resolvers can transfer entire zones, iirc most RFCs regarding DNS dealt with zone transfers (by then). This localizes data and effectively avoids lots of internet traffic. Iirc correctly you get authoritative results from recursive resolvers (servers) which got their data via zone transfer. And you simply trusted the "authoritative" bit in the response.

DNSSEC extends this by offering zone administrators the possibility to sign their data, in theory these signatures are duplicated down and even arrive in stub resolvers, these can then verify that the actual data is correct. There is a tree/chain of trust among the DNS up to the root servers, so . signs .ORG signs ME.ORG. signs *.ME.ORG. Never did that, but think that is the thing. You can resolve that tree downwards, verifying data you get.

The certificates and the mechanism is totally distinct from the CA pool of TLS. Which i personally totally dislike. But especially i dislike that CMS aka maybe x509 aka the certificates of TLS could be used for much more, their use is artificially restricted. I do not like that this crypto mess is torn apart and lots of different standards are involved, and have to be audited, where one would be sufficient. (Then you could for example just make a TLS handshake with root servers to get the necessary info to verify that your .ORG signature is correct, and ditto...)

Also DNS/TLS and DNS/DTLS have been standardized twenty years too late, it should all have been designed as a unity, imho. The same is true for UTF-8 for hostnames instead of IDNA. All imho.

You need to trust your DNS provider, twenty years ago just as well as today. It is just that for one no man-in-the-middle can look at the communication (TLS), and that you can cryptographically verify that the data is really correct ("DNSSEC"). The latter only if any parties that your DNS provider contacts ship the signatures down along with responses, of course. And there was EDNS ~20 years ago already, TCP should not be necessary for neither of DNSSEC nor TLS (regarding packet size).

 |Under the "Prevention Tactics" the article talks about "revoking
 |malicious certificates", but what tools/methods are there to tell you
 |which certificates are malicious?

--End of <20200525152338.beed20b18e42642ec3403...@gmail.com>

--steffen
Re: 9.0 amd64 install assertion
Martin Husemann wrote in <20200403174943.gj7...@mail.duskware.de>:
 |On Fri, Apr 03, 2020 at 07:37:40PM +0200, Steffen Nurpmeso wrote:
 |> Available disks
 |>
 |> │>a: wd0 (8.0G)                                       │
 |> │ b: 6161d776-d99d-48fc-8c4f-f1534c64ffda (dk0@wd0)   │
 |> │ c: 4a12784d-6024-42a7-8f15-c50a4236933c (dk1@wd0)   │
 |
 |So you do have some GPT partitions on wd0 already - were they present
 |before, when you ran into the assertion?

Just do it Martin, it will assert. I guess b and c above should not be part of this menu? It is just the waved through default.

 |To reproduce the issue I need full details of the disk, e.g. dmesg
 |fragment of wd0 attaching, plus (if the disk was not empty before) the
 |output of gpt show wd0 (not dk0).

Ah, sorry, wd0.

  #?0|n-0900:steffen$ gpt show wd0
       start      size  index  contents
           0         1         PMBR
           1         1         Pri GPT header
           2        32         Pri GPT table
          34        30         Unused
          64  12713917      1  GPT part - NetBSD FFSv1/FFSv2
    12713981         3         Unused
    12713984   4063199      2  GPT part - NetBSD swap
    16777183        32         Sec GPT table
    16777215         1         Sec GPT header

--steffen
Re: 9.0 amd64 install assertion
Hello Martin. Sorry for the late response.

Martin Husemann wrote in <20200402060344.ga2...@mail.duskware.de>:
 |Please describe the state of the disk before you started (empty, an old
 |installation with disklabel/MBR, ) and how exactly you got to the
 |point of failure (i.e. all menu selections).

Just like i said, everything default nothing special. qemu with 8 GB disk, looked in custom partitioning but choose the NetBSD provided defaults, used default sizes etc. This means two partitions, one for / one for swap i think. So but then i just quit instead of installing. After four reboots, two from harddisk which booted but stopped because getty could not attach to /dev/console (one ISO boot in between to run MAKEDEV all which did not help) i gave up and headed towards installation via HTTP. So sure, let's repeat it.

  │>a: Installation messages in English
  keyboard: >a: unchanged
  >a: Install NetBSD to hard disk
  continue: >b: Yes

  Available disks
  │>a: wd0 (8.0G)                                       │
  │ b: 6161d776-d99d-48fc-8c4f-f1534c64ffda (dk0@wd0)   │
  │ c: 4a12784d-6024-42a7-8f15-c50a4236933c (dk1@wd0)   │
  │ d: Extended partitioning                             │
  │ x: Exit                                              │

  - Choose b:
  >b: Use default partition sizes
  assertion

I mean, i do not want that (b). That is, i wanted to install the sets to (b), yes. b and c are of course the result of the initial install that i aborted in the HTTP menu. Apropos menu. The yes/no switches are often very far below the actual question.

  >c: Re-install sets or install additional sets

 |Also helpful would be the output of fdisk, disklabel and "gpt show"
 |for that disk (though it now will show the "after" state, not the one
 |that made you run into this issue).

  # gpt show /dev/dk0
  GPT not found, displaying data from MBR.
     start      size  index  contents
         0         1         MBR
         1  12713916         Unused

All others give ioctl errors.

Works nice otherwise, though would be nicer if (tar -cpf - | tar -xpf -) would save some download and count as installed.

I also struggled because the e1000 was enabled=0 and unusable, dmesg however said "are you an emulator?" and so we are now virtio-net-pci based, which works very good. However, with qemu 4.2.0 i need to ping the VM before the network works. I had this with archlinux 2019.12, even worse, but there a kernel update fixed the behaviour. (That was qemu 4.0.0 by then i think.) I do not see the behaviour with other BSDs nor Linux, so i thought i mention it.

--steffen
9.0 amd64 install assertion
Hello.

  ┌───────────────────────────────────────┐
  │ What would you like to do?            │
  │                                       │
  │ a: Set sizes of NetBSD partitions     │
  │
  assertion "info->nat_type != NULL" failed: file "/usr/src/usr.sbin/sysinst/arch/amd64/../../mbr.c", line 2156, function "mbr_add_part"
  [1]   Abort trap              ${cmd}
  To return to the installer, quit this shell by typing 'exit' or ^D.

But say, i came there after i tried a different thing. I have that one

  62906398 Mar 24 15:33 nbsd-9.0-amd64.iso.zst -> 225648640 Apr  2 00:39 nbsd-9.0-amd64.iso

and could not find any sets on it, even though it seems rather complete (except that usr/share/man* stuff is mysteriously populated), so i did

  tar -cpf - all the stuff but targetroot/ | (cd targetroot && tar -xpf -)

and the thing boots but then hangs saying that getty comes back too fast while opening /dev/console or the like. So i reentered installation program and restarted everything,

  ┌───────────────────────────────────────────────────────┐
  │ Available disks                                       │
  │                                                       │
  │ a: wd0 (8.0G)                                         │
  │>b: 6161d776-d99d-48fc-8c4f-f1534c64ffda (dk0@wd0)     │
  ...

and here i choose b not a, then "use default sizes", resulting in the above. Then, the terminal state is messed up and i need "stty echo" and "stty icanon" to get it more or less right. If i choose a then the crash does not happen.

It would be nice if the mask would accept a once chosen nameserver the same as it does for hostname, address etc.

--steffen
Re: How do you set $PS1 on /bin/ksh
Ottavio Caruso wrote in :
 |Hi,
 |
 |[hoping my post doesn't arrive duplicated or triplicated]
 |
 |How do you set the prompt in ksh? The man page doesn't seem to help.
 |OpenBSD ksh has a different manpage. Compare:
 |https://man.openbsd.org/ksh.1#PS1
 |and
 |https://netbsd.gw.com/cgi-bin/man-cgi?ksh
 |
 |For example:
 |PS1="\u@\h:\w\$ "
 |
 |is not expanded.

These things are totally non-portable. I setup a shell environment with some basics via ~/.profile (that is made to be found by all shells), and then interactive ~/.shrc (symlinked so to be found the way the shell(s) want it). And that uses the basic environment, for example $OSTYPE, $HOSTNAME etc., to create a shell prompt via variables. Somewhat heavily stripped (and embedded in a .profile environment)

  eval "___isinc=\$___SHRC$$"
  [ -z "${___isinc}" ] && {
     eval "___SHRC${$}=YES"
     export ___SHRC${$}

     case ${-} in
     *i*|*m*)
        ...
        # Determine shell type; aux while there
        ps1s= ps1S= ps1e= ps1W=
        case "${0}" in
        *ksh*)
           unset BASH_VERSION ___MKSH
           ___SHTYPE=ksh
           if [ "${KSH_VERSION}" != "${KSH_VERSION%%MIRBSD*}" ]; then
              export ___MKSH=YES
              eval "ps1s=\$'\e[31m' ps1S=\$'\e[38;5;203m' ps1e=\$'\e[0m'"
              # There were some problems in between..
              if [ "${KSH_VERSION}" != "${KSH_VERSION%%R4[0-6]*}" ]; then
                 trap 'echo; echo INTERRUPT' INT
                 ___do_exit() {
                    trap ___on_exit EXIT
                    unalias exit
                    exit
                 }
                 trap -- EXIT
                 set -o ignoreeof
                 alias exit=___do_exit
              fi
              bind ^O=delete-word-forward
           else
              ps1s="" ps1S="" ps1e=""
              # XXX \e <> OpenBSD?  I think newer OpenBSD has support for
              # XXX \[..\], but i may be mistaken.  This code is very (, very) old.
           fi
           ;;
        *bash*)
           unset KSH_VERSION ___MKSH
           ___SHTYPE=bash
           ps1s="\[\e[31m\]" ps1S="\[\e[38;5;203m\]" ps1e="\[\e[0m\]"
           shopt login_shell >/dev/null 2>&1 && trap -- EXIT
           ;;
        *yash*)
           unset BASH_VERSION KSH_VERSION ___MKSH
           ___SHTYPE=yash
           ps1s="\[\e[31m\]" ps1S="\[\e[38;5;203m\]" ps1e="\[\e[0m\]"
           set -o emacs
           ;;
        *)
           unset KSH_VERSION ___MKSH BASH_VERSION
           ___SHTYPE=
           # /bin/sh may be some BSD ash(1)
           if [ "${OSTYPE}" = freebsd ] || [ "${OSTYPE}" = dragonfly ]; then
              ps1W='\W'
           fi
           ;;
        esac
        export ___SHTYPE
        ...
        # Prompts are very complicated to get
        case "${TERM}" in
        *dumb*) ps1s= ps1S= ps1e=;;
        *256color*) ps1s=$ps1S;;
        *)
           if command -v tput >/dev/null 2>&1 && ( [ "`tput colors`" -ge 256 ] ); then
              ps1s=$ps1S
           fi
           ;;
        esac
        [ "${UID}" -eq 0 ] && PS1='#' || PS1='$'
        if ( [ "${HISTSIZE##84}" = 42 ] ) > /dev/null 2>&1 ; then
           # bash(1)/*ksh(1)?
           if [ -n "${___SHTYPE}" ]; then
              PS1="${ps1s}#?\$?|${HOSTNAME%%.*}:\${PWD##*/}${PS1}${ps1e} "
           else
              PS1="${ps1s}#${HOSTNAME%%.*}:${ps1W}${PS1}${ps1e} "
           fi
        else
           PS1="${ps1s}#${HOSTNAME}${PS1}${ps1e} "
        fi
        PS2='> '
        export PS1 PS2
        ...

 |Thanks

What a mess.

 |--
 |Ottavio Caruso

--End of

--steffen
Re: Letsencrypt certificates
Steve Blinkhorn wrote in <20191022172649.d5d52b36...@viking.prd.co.uk>: |Isn't it a strange idea to have packages named first for the language |they're written in and only second by a name that suggests their |function? Is Python a cult, I begin to wonder, forcing people to read |through lists of unwanted names in the hope of finding what they want. |Come back, L. Ron Hubbard, all is forgiven. | |Thanks, may give it a try if current approach fails. I use dehydrated from the very start (when it was named let's encrypt still). It just works ever since, with two short interrupts, because i use an old version which is <40KB. One patch to update to the new protocol that came in a few years back, and one bugfix related to HTTP/2 usage of curl (which then uses lowercase HTTP headers). It only needs bash, openssl, and curl. If you want the version i use, just send a mail. --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Re: mailcap and Microsoft OOXML
Greg Troxel wrote in :
|st...@prd.co.uk (Steve Blinkhorn) writes:
|> Can a mailcap entry make an attachment with these headers:
|>
|> Content-Type: application/octet-stream
|> Content-Transfer-Encoding: base64
|> Content-Description: Microsoft OOXML
|> Content-Disposition: attachment; filename="acctkey.xlsx"
|>
|> be read with scalc? More generally, is there a way of parsing the
|> Content-Description header along with the Content-Type to cope with
|> application/octet-stream attachments? I get a lot of spreadsheet
|> attachments, some of which start up scalc and some don't and have to
|> be manually saved and opened outside the mail reader.
|
|My impression is that
|
| it's common but technically buggy of the sender to use octet-stream
| instead of the actual content type

..which must be known, of course. And it depends on the type itself, whether it is text/ or application/ or image/ etc.

| it is highly normal for MUAs to look at the filename and intuit a
| replacement content-type and use that

When preparing the message, yes. When looking at the message i think the *mime-counter-evidence* is unique to the mailer i maintain, but i may be mistaken.

| I am unaware of the use of the content-description field for automated
| processing by MUAs.
|
| Just looking at ~/.mailcap, it's about content-types, so presumably
| the extension->content-type mapping is not part of mailcap
|
|You didn't mention which ancient mailreader you are using, but the
|solution for you probably lies in MUA-specific configuration, or perhaps
|a few lines of code.
|
|Either that or you can get everyone you know to send you .ods instead
|with the right mime-type :-)

RFC 1524 mentions

  [.]Finally, named parameters from the Content-type field may be placed in
  the command execution line using "%{" followed by the parameter name and
  a closing "}" character. The entire parameter should appear as a single
  command line argument, regardless of embedded spaces. Thus, if the
  message has a Content-type line of:

      Content-type: multipart/mixed; boundary=42

  and the mailcap file has a line of:

      multipart/*; /usr/local/bin/showmulti \
        %t %{boundary}

  then the equivalent of the following command should be executed:

      /usr/local/bin/showmulti multipart/mixed 42

So this could get you going.

--End of

--steffen
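The RFC 1524 behaviour quoted above, as an added example that is not code from the thread or from any mailer it mentions: a small mailcap lookup that expands %t, %s and %{param} exactly the way the RFC describes, keeping each parameter value a single argument (so a boundary with spaces or a ";" inside never gets re-split by a shell), and that also shows why an application/octet-stream .xlsx never reaches the scalc entry. The mailcap text and the Content-Type values are constructed sample input.

```python
"""Building a mailcap command per RFC 1524 (%t, %s and %{param} expansion).

Added example, not code from the thread; the mailcap text and the
Content-Type header values below are constructed sample input.
"""
import re
import shlex

# Constructed sample mailcap.  The multipart/* entry is the RFC 1524 one
# quoted in the thread, including its backslash line continuation.
SAMPLE_MAILCAP = r"""
multipart/*; /usr/local/bin/showmulti \
  %t %{boundary}
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet; scalc %s
application/octet-stream; xdg-open %s
"""

_PLACEHOLDER = re.compile(r"%(t|s|\{([^}]+)\})")


def parse_content_type(header):
    """Split 'type/subtype; k=v; k2="v 2"' into (type/subtype, {k: v}).

    Quoted values may contain ';' and spaces, so the parameter list is
    scanned character by character instead of being split on ';'.
    """
    ctype, _, rest = header.partition(";")
    params, i, n = {}, 0, len(rest)
    while i < n:
        while i < n and rest[i] in " \t;":
            i += 1
        eq = rest.find("=", i)
        if eq < 0:
            break
        name = rest[i:eq].strip().lower()
        i = eq + 1
        if i < n and rest[i] == '"':
            i, buf = i + 1, []
            while i < n and rest[i] != '"':
                if rest[i] == "\\" and i + 1 < n:
                    i += 1                      # backslash escape
                buf.append(rest[i])
                i += 1
            i += 1                              # closing quote
            value = "".join(buf)
        else:
            j = rest.find(";", i)
            j = n if j < 0 else j
            value, i = rest[i:j].strip(), j
        params[name] = value
    return ctype.strip().lower(), params


def parse_mailcap(text):
    """Yield (type pattern, command template); any flag fields after the
    command are ignored in this example."""
    text = text.replace("\\\n", " ")            # join continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) >= 2:
            yield fields[0].lower(), fields[1]


def type_matches(pattern, ctype):
    """mailcap wildcard: 'multipart/*' (or bare 'multipart') matches any
    subtype; anything else must match exactly."""
    main = pattern[:-2] if pattern.endswith("/*") else pattern
    if "/" in main:
        return main == ctype
    return ctype.split("/", 1)[0] == main


def build_argv(template, ctype, params, filename):
    """Expand %t, %s and %{name} into an argv list.

    The template is word-split once, before substitution, so a parameter
    value with spaces or shell metacharacters stays a single argument and
    is never re-parsed by a shell.  An unknown %{name} becomes "".
    """
    def repl(m):
        if m.group(1) == "t":
            return ctype
        if m.group(1) == "s":
            return filename
        return params.get(m.group(2).lower(), "")
    return [_PLACEHOLDER.sub(repl, word) for word in shlex.split(template)]


def command_for(mailcap_text, content_type_header, filename):
    """First matching mailcap entry as argv, or None if nothing matches."""
    ctype, params = parse_content_type(content_type_header)
    for pattern, template in parse_mailcap(mailcap_text):
        if type_matches(pattern, ctype):
            return build_argv(template, ctype, params, filename)
    return None
```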
Fwd: Re: mutt wants sasl
I hit the false button.

--- Forwarded from Steffen Nurpmeso ---

Date: Tue, 05 Mar 2019 02:11:08 +0100
From: Steffen Nurpmeso
To: Jeff_W
Subject: Re: mutt wants sasl
Message-ID: <20190305011108.rqqe1%stef...@sdaoden.eu>
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt

Jeff_W wrote in <5c7da7cf.88gaajgh4cwfk60k%...@sdf.org>:
|Bob Bernstein wrote:
|> ..
|> No authenticators
|> mutt needs sasl
|>
|> Well, I'm stumped. I don't know anything about sasl. I
|> have the following packages installed:
|> ..
|
|Can't help with mutt but thought I'd point out that you can use
|the native postfix to do the interacting with your provider's
|SMTP server:
|
|Postfix MTA on NetBSD 6.x:
|https://sdf.org/?tutorials/smtpauth#postfix-netbsd6
|
|It uses a native sasl library so perhaps you can figure out how
|to build mutt against that instead of using postfix.

Funnily, last week i read -- i was peeking around because i haven't heard anything of msmtp for a long time, to find out the ML is no longer used, and i think it was he who wrote it -- that today, with that crypto everywhere, plain authentication is good enough, and therefore sasl is not really needed any more. (I for one have no idea, i never had to connect to a Microsoft server for example (is that .. "ntlm"), i have never used anything else but X/TLS and thus plain. Except for testing purposes against a self-setup (sic) dovecot instance.)

--steffen

-- End forward <20190305011108.rqqe1%stef...@sdaoden.eu>

--steffen
Re: choosing a lightweight database
r...@reedmedia.net wrote in :
|Any recommendations on a lightweight database (no extra server process)
|to use with dynamic website?

I have written an LMDB backend for bogofilter, and have been using it since about mid July 2018. (It is not yet released, but done.) It took a week to learn LMDB and to implement that backend (actually two in one, choosable by preprocessor). It could have been shorter if i had accepted that one error was on LMDB's side (it resulted in the second, optional implementation, which i do not use, actually, because the other one is nice, especially compared to how postfix does it). It is very fast, and very small. If Berkeley DB is enough for you, LMDB could be a good option! As it comes from the OpenLDAP project, it should be enterprisable:

  #?0|essex:nail.git$ apk info lmdb|grep -A1 size
  lmdb-0.9.23-r0 installed size:
  94208
  #?0|essex:nail.git$ apk info db|grep -A1 size
  db-5.3.28-r1 installed size:
  1572864
  #?0|essex:nail.git$ ll /usr/lib/liblmdb.so.0.0.0
  -rwxr-xr-x 1 root root 79576 Nov 29 11:36 /usr/lib/liblmdb.so.0.0.0*
  #?0|essex:nail.git$ ll /usr/lib/libdb-5.3.so
  -rwxr-xr-x 1 root root 1558496 Nov 21 17:45 /usr/lib/libdb-5.3.so*

It has one "problem" which may be none for you: it grows as it touches pages; i usually dump my DB once a month, and reload it thereafter, which saves ~50% or something like that:

  #?0|essex:.bogofilter$ ll
  ...
  -rw-r- 1 steffen steffen 136531968 Jan 16 21:18 wordlist.lmdb
  ...
  #?0|essex:.bogofilter$ zstd -l ...spam.db.zst
  Frames  Skips  Compressed  Uncompressed  Ratio  Check  Filename
       1      0    15.64 MB      53.05 MB  3.391  XXH64  ...spam.db.zst

|Any thoughts on lightweight no database server ideas? I may just use
|sqlite. Minimal dependencies would be great.

None thereof.

|Thanks

Well, i can send you the implementation (or look at the bogofilter file at sourceforge [1]): as i learned while i did it, you will find comments which get you going.

[1] https://sourceforge.net/p/bogofilter/code/HEAD/tree/trunk/bogofilter/src/datastore_lmdb.c

Ciao,

--steffen
Re: Mailing list manager on NetBSD
Julian H. Stacey wrote in <201901101322.x0adlrgi006...@fire.js.berklix.net>:
|Steffen Nurpmeso wrote:
|> Mayuresh wrote in <20190109131516.GA25962@localhost>:
|>|On Wed, Jan 09, 2019 at 12:03:46PM +0100, Julian H. Stacey wrote:
 ...
|>|Thanks for a comprehensive reply. I am currently tending towards mlmmj due
|>|to the claims of smaller footprint as I'll be using a VPS to host this.
|>
|> It cannot do MIME out of the box, and it also had some problems
 ...
|Back when BSD users were on my only mail list using 7 bit, it was easy.
|
|Then I added lists for sports & social locals. they mostly used
|Microsoft, then their client software `enhanced' so they could
|excrete font & size of the day, in colour, with national character
|set extensions beyond Ascii, using MIME, then MS MUA providers left
|MIME on by default & users didn't know to turn it off for lists, or
|how to turn off, or to what advantages.

HTML there is, too. But it is not that easy i would say, i have seen people using emoji and such Unicode characters on lists of established Unix people. And even more people use native language in the "xy wrote" quotation reference, which requires MIME even for premium first-world languages. (It depends however.)

|Majordomo was not MIME aware, & MIME obscured the How To Unsubscribe
|etc list footers majordomo appended (& of course users were too
|dumb to look in list headers) so more admin time was wasted, so

Yes. That was true for ml-something-mlmmj, too.

|majordomo was abandoned. Mailman supports MIME. If there's a
|possibility a mail list server might have to later support non tech
|users, avoid server software that don't support MIME.
|
|Cheers,
|Julian
|--
|Julian Stacey, Computer Consultant Sys.Eng. BSD Linux Unix, Munich Aachen Kent

Mind you, down there in Weißwurscht Land, but here i would insist that it is München. Or at least Muenchen. Because the Föhn blows so hot.

--steffen
Re: Mailing list manager on NetBSD
Niels Dettenbach wrote in <2942379.yeRLTPdYb4@gongo>:
|On Thursday, 10 January 2019, 04:21:38 CET, Mayuresh wrote:
 ...
|> - I do need a web archiver with thread view etc. (and ability to write
|just enable "list archive" by click in mailman admin gui.
|
|> text pattern searches of my own on the mail texts), for which there
|> might be alternatives that do just that - archiving. (E.g. HyperKitty
|> which mailman uses, which can be used standalone also.)
|You may use grep or similar on the archive files, but these are just raw.

That is surprisingly complicated if you want the correct order, however (due to the way date-based names are used). That is, i could donate a simple AWK/Unix-tools (thus line) based CGI script which searches in the text archives of Mailman, in case of interest. I call it brutesearch.sh. It works pretty fine, especially for Unix people who are used to linewise searching. One thing i really dislike here is that you need to manually adjust the HTML templates each and every time to include the search form. (Again there may be a mechanism which avoids that.)

|There are many types of existing setups with some search / indexer software
|to advance mailmans archive with search functionality.
|
|or just (if it's a public archive):
|https://wiki.list.org/DOC/How%20do%20I%20make%20the%20archives%20searchable

Well, i am just saving MBOX in addition to the normal Mailman "pipermail" text dump for archiving purposes (for hopefully a better future), and use this simple shell script i have mentioned for searching. It works pretty well. Just ask if you want it. It has no dependencies but awk, printf, find, sort and xargs. It can surely be improved too, but well.

--steffen
Re: Mailing list manager on NetBSD
Mayuresh wrote in <20190110020002.GB10716@localhost>:
|On Wed, Jan 09, 2019 at 05:54:49PM +0100, Steffen Nurpmeso wrote:
|> when i used it. (There should be posts on their ML on that,
|> a couple of years back.) If your users use MIME you have to hook
|> in scripts, and then it becomes more expensive... Having said
|> that, AlpineLinux seems to use it for their MLs, and it seems to
|> work. But there all people use 7-bit clean text mails only.
|
|Plain text restriction is suitable (in fact better from storage point of
|view) for my purpose but can't "fix" everybody's mail client. Most people
|won't do that. So, yes, if I have to process (such as throw away MIME and
|retain only text) it will add up.

And/or do not use footer or such injections, otherwise it will render the message invalid. (Therefore i have only injected header fields, because i definitely did not want to add some MIME wrapper. "Retain only text" means there are only natively American speaking people, i will assume.)

|BTW I am not too sure whether mlmmj's mailing list is active. 2018 is
|conspicuously absent in the archives[1]. (At least archives are not being
|produced, but how can it remain in that state.)

I see. Ah, i was posting in February 2016. Ah, yes, do not set memorymailsize but to 0 if you want identical behaviour for messages which fit it and those which do not. Do set moderators, otherwise it crashes. I seem to recall that my moderator did not get some messages somehow, which was the final reason why i have switched to mailman (later on). These (but the last, which definitely could have been postfix misconfiguration also, but i do not think so) are all corner cases, however.

|I enquired about this on their list and hardly drew any response - except
|from 1 user who echoed similar concern. I have to assume their ML to be
|deeply dormant if not dead.

Maybe your message simply was not "meaningful" enough. Mr. Schmitt seems to make fine differentiations (citing his last response to the other thread in February 2016), maybe not only for me, but also for you! You could start your messages with "i am _not_ a friend of .." to get yourself started. ;) It could help! Other than that, on my VM i see GNU mailman processing messages to list members in intervals of two seconds (two seconds/one message), which is possibly also a misconfiguration however (as it is hard to believe other lists could be driven with it like that).

A nice day i wish,

--steffen
Re: Mailing list manager on NetBSD
Mayuresh wrote in <20190109131516.GA25962@localhost>:
|On Wed, Jan 09, 2019 at 12:03:46PM +0100, Julian H. Stacey wrote:
|> But I gradually ran more public lists for non techs, including some
|> self admitted completely clueless & some other immeasurably lazy
|> users, many of whom can't think or refuse to think, love to argue,
|> & freak at command line etc, so the support load on unpaid volunteer
|> admin time became intolerable, & I was desperate for a list manager
|> with graphical clickey support to separate myself from user support.
|> (Though mailman can be CLI driven too I recall)
|
|Thanks for a comprehensive reply. I am currently tending towards mlmmj due
|to the claims of smaller footprint as I'll be using a VPS to host this.

It cannot do MIME out of the box, and it also had some problems when i used it. (There should be posts on their ML on that, a couple of years back.) If your users use MIME you have to hook in scripts, and then it becomes more expensive... Having said that, AlpineLinux seems to use it for their MLs, and it seems to work. But there all people use 7-bit clean text mails only.

--steffen
Re: Recommended desktop environment?
Benny Siegert wrote in :
|On Mon, Sep 10, 2018 at 5:17 PM Steffen Nurpmeso wrote:
|>
|> Nothing to continue in my eyes; you can always have more and
|> iterate over the code of course. No drag'n drop, of course. But
|> copy, that is enough for me. It used to use GNU autoconf;
|> i have patches and last i compiled it (a few months ago) it
|> compiled smoothly (with default CC flags). I can give you the
|> patch if you want, just ask.
|
|Might be worth throwing the code with your patches onto github and
|become the new upstream. Then we can also add it to pkgsrc.

Well, Alex Hioreanu is himself on github now (hioreanu), and offers ahwm in a slightly adjusted version. He offered me maintainership once i wanted to create an OpenBSD package for ahwm (must have been 2011, then), but i am in no way classified for being the "upstream" of an X11 window manager. Nonetheless i have spent some time to get the thing done with -W -Wall -pedantic -O2 with gcc(1) 6.4.0, and applied some more fixes that i seem to have applied manually whenever i compiled it in the last six years, which did not happen all too often. It is browsable [1] and cloneable [2] at my VM (for) now. It would benefit from some love, as can be seen from looking at the code, but luckily i have never done that for real. So if you want to test it, a snapshot of the master branch [3] should be usable.

[1] https://git.sdaoden.eu/cgit/ahwm.git
[2] https://git.sdaoden.eu/scm/ahwm.git
[3] https://git.sdaoden.eu/cgit/ahwm.git/snapshot/ahwm-master.tar.xz

I can even append a shortened version of my ~/.ahwmrc to make it even easier. Ciao.

  # ~/.ahwmrc
  # ...
  # CapsLock, ScrollLock, etc. are ignored when reading keystrokes.
  BindKey "Control | Alt | Shift | t" Launch("$_TSMALL");
  BindKey "Control | Alt | Shift | b" Launch("HOME=$HOME/traffic; opera /dev/null 2>&1");
  BindKey "Control | Alt | Escape" KillNicely();

  # While moving or resizing, you can use the arrow keys and the keys w,
  # a, s, d.  Use Shift with one of those keys to move to an edge or
  # resize in larger increments.  Hit Enter to accept the move/resize,
  # hit Escape to cancel it, hit Control to toggle between a move and a
  # resize, and hit Space during a resize to constrain the direction.
  BindKey "Control | Alt | Shift | m" MoveInteractively();
  BindKey "Control | Alt | Shift | r" ResizeInteractively();

  # Sun X server doesn't grok this key combination, throws me off
  BindKey "Control | Alt | BackSpace" Quit();
  BindKey "Control | Alt | Shift | q" Quit();
  BindKey "Control | Alt | Shift | r" Restart();

  BindKey "Alt | Tab" CycleNext();
  BindKey "Alt | Shift | Tab" CyclePrevious();

  BindKey "Shift | Alt | F4" SendToWorkspace(4);
  BindKey "Shift | Alt | F3" SendToWorkspace(3);
  BindKey "Shift | Alt | F2" SendToWorkspace(2);
  BindKey "Shift | Alt | F1" SendToWorkspace(1);

  # Binding to button clicks is similar to binding to keys, but you have
  # to specify the location for the click.  The location is one of
  # "Titlebar" or "Frame".  You can use the same modifiers as
  # with BindKey and the buttons are Button1 through Button5:
  # Button1 = left button, Button2 = middle button, Button3 = right
  # button, Button4 = wheel up, Button5 = wheel down
  BindButton Titlebar "Button3" Maximize();
  BindDrag Frame "Alt | Button1" MoveInteractively();
  BindDrag Titlebar "Alt | Button1" MoveInteractively();
  BindDrag Frame "Alt | Button3" ResizeInteractively();
  BindDrag Titlebar "Alt | Button3" ResizeInteractively();

  # Sometimes you may want to bind more than one function
  # to the same action.  To do this, you need to define
  # your own function and use the "Invoke()" function.
  # Here's an example:
  Define "Focus-and-Move" {
      Focus();
      MoveInteractively();
  }
  BindDrag Titlebar "Button1" Invoke("Focus-and-Move");

  Define "f1" { GotoWorkspace(1); }
  BindKey "Alt | F1" Invoke("f1");
  Define "f2" { GotoWorkspace(2); }
  BindKey "Alt | F2" Invoke("f2");
  Define "f3" { GotoWorkspace(3); }
  BindKey "Alt | F3" Invoke("f3");
  Define "f4" { GotoWorkspace(4); }
  BindKey "Alt | F4" Invoke("f4");

  DisplayTitlebar = True;
  FocusPolicy = ClickToFocus; #SloppyFocus;
  RaiseDelay = 750;
  PassFocusClick = True;
  TitlePosition = DisplayLeft;
  KeepTransientsOnTop = True;
  TitlebarFont = "-*-helvetica-*-r-*-*-9-*-*-*-*-*-*-*";
  NumberOfWorkspaces = 4;
  ColorTitlebarText = "#D8D8D8";
  ColorTitlebarTextFocused = "#E0E0E0";
  InWorkspace 1 {
      ColorTitlebar = "#282828";
      ColorTitlebarFocused = "#404040";
  }
  InWorkspace 2 {
      ColorTitlebar = "#193939"
Re: Recommended desktop environment?
Thomas Mueller wrote in <20180909071938.644bfa7...@mail.duskware.de>:
 ..
|I didn't know about i3-gaps but now see it in FreeBSD ports but not pkgsrc.

Thing is also, you seem to have super-duper boxes, whereas i am happy to have tinyc in order to develop my little MUA and not more than that until now, unfortunately. I cannot quickly generate a new XY port for port system YZ and get it going, with all the ML stuff that is involved there.

--steffen
Re: Recommended desktop environment?
Thomas Mueller wrote in <20180908132956.6a9dea7...@mail.duskware.de>:
|from Pedro Pinho:
|
|> Here's a complete list of WM's for *nix systems
|> https://www.gilesorr.com/wm/table.html
|
|> What exactly do you mean with " I tried awesome some years ago, but the
|> "awesome" decoration/artwork just got in the way and confused me"?
|> Don't take me wrong, I would just like to know what was so confusing.
|> Awesome user here ;-)
|
|I looked through that list of WMs web page, found i3 but not i3w.
|
|Steffen Nurpmeso's preferred ahwm was listed as discontinued; is also
|not in FreeBSD ports (category x11-wm). So I might not be able to
|try it even if I wanted.

Nothing to continue in my eyes; you can always have more and iterate over the code of course. No drag'n drop, of course. But copy, that is enough for me. It used to use GNU autoconf; i have patches and last i compiled it (a few months ago) it compiled smoothly (with default CC flags). I can give you the patch if you want, just ask.

--steffen
Re: Recommended desktop environment?
Pedro Pinho wrote in :
|Here's a complete list of WM's for *nix systems [1]https://www.gilesorr.com/wm/table.html[/1]
|
| [1] https://www.gilesorr.com/wm/table.html

ahwm, only ahwm, since 2002. The original v0.9.0 ball with some compiler fixes on top, not the github stuff. The "as close to perfect" i can agree with, totally! icewm only as last resort unless i find time to set myself up.

--steffen
Re: combining /var/mail files
Rhialto wrote in <20180824224701.gj5...@falu.nl>:
|On Fri 24 Aug 2018 at 19:11:56 +0200, Steffen Nurpmeso wrote:
|> But for now we unfortunately only use the most basic and only
|> truly portable form of the traditional "From " quoting mechanism,
|> and prepend a ">" to any "^From " that happens to exist inside
|> a message body.
|
|I've seen MIME mail that has the F from /^From / replaced with =46 in
|quoted-printable encoding. A neat trick. (Although it seemed it was
|applied a bit more often than strictly necessary.)

This is indeed the common way MIME-aware mailers do it. (Though we, in the sense of the MLs i am subscribed to/track, had a trend to encode anything in base64 some time ago.) About strictly necessary, well, the POSIX standard and many simple tools, including "all" traditional BSD Mail / Unix mail, go for the plain "^From " sequence, and even though RFC 4155 is much more specific about the "From_" line content, and all MTAs i have seen honour this, i think it is for the better to create message entries which the old tools and simple shell and awk scripts cannot get wrong, and this is what we do. (I can only speak for my little thing here.)

--steffen
Re: Reading older disks
John Nemeth wrote in <201808241936.w7OJa3Oa008396@server.cornerstoneservice.ca>:
|On Aug 24, 8:40am, Steve Blinkhorn wrote:
|} You [D'Arcy J.M. Cain] wrote:
|}> On 2018-08-23 09:03 PM, John Nemeth wrote:
|}>> On Aug 23, 5:36pm, st...@prd.co.uk wrote:
|}>>} I cheated - I found a memory module that fitted and got the system to
|}>>} boot. Did we really once find 356MBytes adequate?
|}>>
|}>> 365MB?!? My first hard drive was 40MB and that was considered
|}>> fairly large for the day.
|}>
|}> My first HD was 5MB. Later the systems came with 11MB. Then one day I
|}> scored a brand new 20MB drive. I had to patch the CP/M binary in order
|}> to access it.
|}
|} This could rapidly become the "Four Yorkshiremen" sketch from Monty
|} Python. I had an early IBM PC with *two* floppy drives, but the
|} first Unix box I ran rather than just used was an NCR Tower which
|} started off with 512KBytes of RAM, later upgraded to a whole MByte,
|} with a 40MByte drive. Eventually I ran twelve dumb terminals off it,
|} and it worked, but that was 35 years ago. But then I go back to the
|} time when dropping your deck of punch cards was tantamount to a "short
|} sharp shock" jail sentence.
|
| When I was in Grade 10, I did a "work experience" thing (only
|a week or two). One of the places I "worked" at was ComputerLand.
|At that time, the IBM PC was brand new. One of my tasks was to
|unbox IBM PCs and install floppy drives. For those that have never
|seen an original IBM PC, or forgotten the details of them, there
|were two five-pin DIN plugs on the back. One was for the keyboard
|(not something you wanted to drop on your toes -- it was heavy)
|and the other was for connecting to an ordinary portable audio
|cassette recorder (not exactly the most reliable storage medium).
|Yes, IBM actually put out a business computer with the idea that
|people would store data on audio cassettes. It was a rather absurd
|idea. Even most people using the Apple ][+ (at home or work),
|which was four years old at the time, used floppy drives.

I had a Datasette for the C64 for backups and such. Sometimes it was fun to listen to the sounds. (But only sometimes.) I do not remember any problems besides speed! But that was 36 years ago, and i can proudly state that my floppies for the 1541 worked on both sides, which saved a lot of real hard money. Of course these were good German tapes from BASF; not too far in the south of where i live, and when you have to deal with the stink, you wanna get something out of it. (Though Merck is right in town and stank very, very much.)

|}-- End of excerpt from Steve Blinkhorn

--End of <201808241936.w7oja3oa008...@server.cornerstoneservice.ca>

--steffen
Re: combining /var/mail files
Izaac wrote in <20180824T144830Z@localhost>:
|On Fri, Aug 24, 2018 at 01:43:58AM +0200, Steffen Nurpmeso wrote:
|> Yes. This may of course add an empty line to a message which did not
|> have one, but it is unlikely anyone would really care for that.
|
|Indeed. And a particularly pedantic mail client may bark about
|Content-Length: and/or Lines: being incorrect. Again, easily remedied
|by removing that extra newline character.

That is true; it still holds that "I'm not saying that the BSD Mailbox format is good. Just that the Content-Length variant of that format is worse."[1]

[1] https://www.jwz.org/doc/content-length.html

|But given the choice between potentially "losing" one piece of mail or
|potentially having another issue a warning, I'd throw down the printf.

Unfortunately my MUA still mangles the "From " lines instead of performing a full MIME reencode, so i would follow you here :).

--steffen
Re: combining /var/mail files
Izaac wrote in <20180823T201131Z@localhost>:
|On Thu, Aug 23, 2018 at 05:41:37PM +, st...@prd.co.uk wrote:
|> During a change of ISPs this week, I had to run mail service on a
|> remote VPS, and access emails there. There must be gotchas if I
|> simply append the mail files from the VPS to the existing
|> corresponding files on our usual mail machine now it's got its Internet
|> connection restored. There are always gotchas. Can someone identify
|> them for me?
|
|The mbox format is pretty forgiving. The record separator is literally
|'\n\nFrom '. So if you're going to do something like:
|
| cat /var/mail/foo /var/mail/bar > /var/mail/foobar
|
|Make sure that there's at least two newlines at the end of /var/mail/foo
|so that the first email of /var/mail/bar doesn't get absorbed by the
|last email of /var/mail/foo.
|
|Easily accomplished by:
|
| cp /var/mail/foo /var/mail/foobar
| printf '\n' >> /var/mail/foobar
| cat /var/mail/bar >> /var/mail/foobar

Yes. This may of course add an empty line to a message which did not have one, but it is unlikely anyone would really care for that.

--steffen
Re: combining /var/mail files
st...@prd.co.uk wrote in <20180823174137.6b0ef46...@monroe.prd.co.uk>:
|During a change of ISPs this week, I had to run mail service on a
|remote VPS, and access emails there. There must be gotchas if I
|simply append the mail files from the VPS to the existing
|corresponding files on our usual mail machine now it's got its Internet
|connection restored. There are always gotchas. Can someone identify
|them for me?

If MBOX files are used it could happen that "From " lines are messed up, or that the mailbox does not end with a newline. For example, DMA (DragonFly Mail Agent) (can) generate(s) mailboxes with an invalid (according to RFC 4155 etc.) last message. So, if the former is not an issue, "(cat f1 && echo && cat f2) > newfile" may be sufficient. Otherwise you could use my BSD Mail clone, which also tries to get the former right -- the POSIX standard and Unix tradition only use "From xy", whereas the standard RFC 4155 is more strict, and that can cause misinterpretations by some software. Long story short, if we see such lines we complain, and for these cases i have a macro

  define mboxfix {
    \localopts yes; \wysh set mbox-rfc4155;\
    \wysh File "${1}"; \copy * "${2}"
  }

(which is devel sauce for

  define mboxfix {
    localopts yes
    set mbox-rfc4155
    wysh File "${1}"  # or eval File ${1}
    copy * "${2}"
  }

) to be used like "call mboxfix oldfile newfile". This works with v14.9.11; before, you had to say eval copy * "$2".

--steffen
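Both gotchas from this thread, the missing trailing newline that Izaac's printf step papers over and the unquoted "From " body lines discussed above, as one added example (not code from the thread or from any of the mailers it names): a Python helper that pads each mailbox before joining, splits with the traditional "^From " rule, flags "From " lines that do not look like an RFC 4155 envelope line, and applies the ">From " quoting. The two sample mailboxes are constructed inline.

```python
"""Joining mbox files without losing a message, plus "From " line checks.

Added example, not code from the thread or from any mailer named in it;
both sample mailboxes are constructed inline.
"""
import re

# Envelope line as RFC 4155 describes it: "From ", sender, whitespace and an
# asctime-style date.  Traditional Unix tools only ever look for "^From ".
_RFC4155_FROM = re.compile(
    r"^From \S+ +[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}\r?$"
)

# Constructed sample mailboxes.  MBOX_A lacks the final newline, as the
# thread reports DMA may leave it; MBOX_B has an unquoted "From " body line.
MBOX_A = (
    "From alice@example.org Thu Aug 23 17:41:37 2018\n"
    "From: alice@example.org\n"
    "Subject: one\n"
    "\n"
    "hello"
)
MBOX_B = (
    "From bob@example.org Fri Aug 24 01:43:58 2018\n"
    "From: bob@example.org\n"
    "Subject: two\n"
    "\n"
    "From here on things look fine.\n"
)


def split_messages(data):
    """Split mbox text with the traditional rule: a "From " line that starts
    the file or follows a blank line begins a new message."""
    messages, cur, prev_blank = [], [], True
    for line in data.splitlines(keepends=True):
        if line.startswith("From ") and prev_blank:
            if cur:
                messages.append("".join(cur))
            cur = [line]
        else:
            cur.append(line)
        prev_blank = line in ("\n", "\r\n")
    if cur:
        messages.append("".join(cur))
    return messages


def join_mboxes(*mboxes):
    """Concatenate mbox texts so the first message of each file is not
    absorbed into the last message of the previous one.

    Each input is padded to end in a blank line, which is what the
    blank-line-plus-"From " separator needs; this is the printf step from
    the thread, applied only when the blank line is actually missing.
    """
    out = []
    for mbox in mboxes:
        if not mbox:
            continue
        if not mbox.endswith("\n"):
            mbox += "\n"
        if not mbox.endswith("\n\n"):
            mbox += "\n"
        out.append(mbox)
    return "".join(out)


def suspicious_from_lines(data):
    """Lines beginning with "From " that are not RFC 4155 envelope lines.

    These are what a strict reader rejects and what a "^From " splitter
    may break a message on; they should have been quoted as ">From ".
    """
    return [l for l in data.splitlines()
            if l.startswith("From ") and not _RFC4155_FROM.match(l)]


def quote_from_lines(message):
    """Apply the ">From " quoting the thread describes to one message's
    body, leaving the envelope line (the first line) untouched."""
    lines = message.splitlines(keepends=True)
    if not lines:
        return message
    body = "".join(">" + l if l.startswith("From ") else l
                   for l in lines[1:])
    return lines[0] + body
```

Note that with MBOX_B unquoted, the padded join still splits into three messages, because the body line "From here on ..." follows the blank line after the headers; only after quote_from_lines does the split come out as two.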
Re: FQDNs for netbooted hosts via DHCP?
Roy Marples wrote in <932e6a45-c917-666c-bd70-b52fb0d92...@marples.name>:
|On 15/07/2018 11:18, Roy Marples wrote:
|> On 15/07/2018 03:37, Robert Elz wrote:
 ..
|>> Lastly, for this, I wonder[...]
 ...
|> The actual change required is a bit more invasive than that line change
|> though, but it suffices for this discussion.
|
|Patch here:
|http://www.netbsd.org/~roy/dhcpcd-hostname-promotion.diff
|
|Please test and let me know if it works for you!

I seem to recall a conversation of yours and Robert Elz where he stated that reverse solidus at line endings is not necessary to continue open and-or lists after && ||, after keywords etc. I guessed this is why the patch contains them.

--steffen
I'm unable to install NetBSD-6.1.4-amd64-install.img
Hello,

trying to dig into an error i had with S-nail that failed on several versions of NetBSD (6.0.?, 6.99.24 amd64, 6.99.40 i386) i wanted to install the most current shipout version for testing purposes and downloaded the mentioned image. It was an error anyway (i always use ISOs for saving them on bootable CD, too), but now it turns out i'm too stupid to make that image work in QEMU! I've tried -fda, -hdc, and whatever, but at best i get "NetBSD MBR found" (or similar), but that happy message then ends up with "no operating system found", which is both surprising and frustrating for an operating system.

..thankful for any hint,

Ciao,
--steffen
Re: tmux messes up my backspace character
Rhialto rhia...@falu.nl wrote:

 | Can't you simply `bind-key' over that?
 |
 |I don't think so. bind-key looks to be for commands only, not a general
 |translation mechanism.

I now see tmux also has a terminal-overrides.. oops, but mind you, i was still registered to tmux-users@ when the thread you have been pointed to was current, so i'm sorry i didn't remember that. But i have e.g. `bind a eval copy stuff \002' in my .screenrc -- `stuff' is a very powerful tool, too.

 | But i'm out of ideas if not; i switched back to screen(1) due to
 | its charset conversion capabilities (i'm still using ISO-8859-x
 | on all BSD VMs),
 |
 |Yes, so do I, and I noticed that if I happen to access my systems from
 |Linux, then tmux won't translate characters for use in utf8 terminals.

So with screen i can stay in a single session, with tmux i couldn't: simply setting a UTF-8 flag on some window doesn't help to deal with different character sets. Though most is English, German umlauts can well be transformed, even round-trip. I _really_ was surprised once i saw that this feature was missing; my guess is that administrators still live in a heterogeneous environment: all English.

 | requires significantly less CPU time and after
 |
 |I am also surprised by the high cpu time usage of tmux. I wonder what it
 |is doing in all that time? The FAQ mentions something about automatic
 |window renaming or somesuch - I'm going to try turning that off and see
 |if that helps.

Worse, for 1.6 to compile on Snow Leopard i even had to adjust its usage of `struct bsdinfo', if i recall correctly, so i even had to blame myself? Ok, sometimes i wish screen would always display a status line with all currently open windows, or at least had an option to always display the current one, so that there would be no need for ^A-w (windows) or ^A-W (windowlist), but having one more line is a great thing.

 | And i guess your problem could be easily fixed with its `term*' commands.
 |
 |I used screen before, and there the problem doesn't exist at all. It
 |took a while to discover it in tmux because many programs can use
 |whatever is set for the erase character, including bash. I noticed it in
 |mutt, where ^H scrolls back a single line in a mail message.
 |
 |I have also mailed to the tmux-users mailing list, and I have discovered
 |which code seems to be responsible for the translation:
 |
 |	/*
 |	 * Check for backspace key using termios VERASE - the terminfo
 |	 * kbs entry is extremely unreliable, so cannot be safely
 |	 * used. termios should have a better idea.
 |	 */
 |	bspace = tty->tio.c_cc[VERASE];
 |	if (bspace != _POSIX_VDISABLE && key == bspace)
 |		key = KEYC_BSPACE;
 |
 |in cvs/src/external/bsd/tmux/dist/tty-keys.c. Note that KEYC_BSPACE is
 |'\177' or ASCII DEL, not backspace.

So i hope for you that tmux(1) gets fixed (you wrote which shows to my mind a misunderstanding); back in February the thread ended with "anyway try running stty verase ^? in tmux", at least from the developer side. Now that i know it but am back to screen, all i miss is `bind-key set-window-option force-width 80' (and ditto ` 0'), which was very nice to have when reviewing code, but i can still use `wc -L'.

--steffen
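The translation Rhialto located above is small enough to model stand-alone. The program below is an added example, not code from tmux or from anyone in this thread: it mirrors the VERASE check from tty-keys.c (KEYC_BSPACE taken as 0177, DEL, as the thread states), runs it against the two terminal setups discussed (stty erase ^H versus the developers' stty verase ^? workaround), and, when stdin is a terminal, also reads the live VERASE with tcgetattr(3). The helper names translate_key, read_verase, caret and show are our own.

```c
/*
 * Added example, not code from tmux or from anyone in this thread: a
 * stand-alone model of the VERASE check quoted from tmux's tty-keys.c,
 * so the two terminal setups discussed here can be compared directly.
 * KEYC_BSPACE is set to 0177 (DEL) as the thread states; the helper
 * names are our own.
 */
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

#define KEYC_BSPACE 0177	/* tmux's internal backspace key: ASCII DEL */

/*
 * Mirror of the tmux logic: when the terminal's erase character (termios
 * VERASE) is enabled and the incoming byte equals it, tmux reports its own
 * backspace key; every other byte passes through unchanged.
 */
int translate_key(int verase, int key)
{
	if (verase != _POSIX_VDISABLE && key == verase)
		return KEYC_BSPACE;
	return key;
}

/*
 * Read VERASE from the terminal behind fd. Returns -1 when fd is not a
 * tty (e.g. the program is run from a pipe), so callers can fall back.
 */
int read_verase(int fd)
{
	struct termios tio;

	if (tcgetattr(fd, &tio) != 0)
		return -1;
	return (unsigned char)tio.c_cc[VERASE];
}

/* Caret notation for a byte, e.g. 010 -> "^H", 0177 -> "^?". */
const char *caret(int c, char buf[4])
{
	if (c == 0177) {
		buf[0] = '^'; buf[1] = '?'; buf[2] = '\0';
	} else if (c < 040) {
		buf[0] = '^'; buf[1] = (char)(c + 0100); buf[2] = '\0';
	} else {
		buf[0] = (char)c; buf[1] = '\0';
	}
	return buf;
}

/* Print what tmux would see for a typed ^H and ^? under a given VERASE. */
static void show(const char *label, int verase)
{
	int keys[] = { 010, 0177 };
	char v[4], in[4], out[4];
	size_t i;

	printf("%s (VERASE=%s):\n", label, caret(verase, v));
	for (i = 0; i < sizeof keys / sizeof keys[0]; i++)
		printf("  typed %-2s -> tmux sees %s\n",
		    caret(keys[i], in), caret(translate_key(verase, keys[i]), out));
}

int main(void)
{
	int verase;

	/* Rhialto's setup: "stty erase ^H" outside tmux. ^H is folded into
	 * DEL, so a literal ^H can no longer be typed through tmux. */
	show("stty erase ^H", 010);

	/* The workaround from the thread: "stty verase ^?". The mapping is
	 * now the identity, and ^H reaches mutt and vim unchanged. */
	show("stty verase ^?", 0177);

	/* Whatever the terminal this is actually running on has configured. */
	verase = read_verase(STDIN_FILENO);
	if (verase >= 0)
		show("current terminal", verase);
	else
		printf("stdin is not a tty; skipping the live check\n");
	return 0;
}
```

Run it once with the erase character set to ^H and once with ^? (stty erase ^H / stty erase '^?' before starting it) to see the live section change; the first two sections are fixed and show the asymmetry the thread complains about: with VERASE=^H both keys collapse to DEL, with VERASE=^? nothing is rewritten.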
Re: tmux messes up my backspace character
Rhialto rhia...@falu.nl wrote:

 |It seems that tmux translates the erase character, but it should not do
 |that.
 |
 |In my xterms I have set the option "Backarrow key" which causes the key
 |labeled backspace to generate an actual backspace (control-H)
 |character. Correspondingly, I have set "stty erase ^H".
 |
 |Inside tmux, if I hit Backspace, I get a DEL character (^?). And somehow
 |it has set "stty erase ^?" as well. So apparently it translates the
 |external erase character to an internal one.
 |
 |All is good and well, but this means I can't type ^H any more! And there
 |are several programs where I would want that, such as mutt and vim.
 |
 |The manual doesn't contain the word "erase"... is there any less obvious
 |way to stop tmux doing this annoying thing? I simply want my internal
 |erase character the same as the external one, and no messing about with
 |translating backspace.

Can't you simply `bind-key' over that?

But i'm out of ideas if not; i switched back to screen(1) due to its charset conversion capabilities (i'm still using ISO-8859-x on all BSD VMs), it requires significantly less CPU time, and after a week of work with full history (42000) it's ~50 MB, which is about 40% of tmux. All that matters to me. And i guess your problem could be easily fixed with its `term*' commands.

--steffen
