Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread lists
Thu, 26 May 2016 04:37:04 +0200 arrowscr...@mail.com > I don't really understand the crypto theory behind it all, but I > didn't read any elaborated argument besides a big "NO" from openbsd The topic of the debate is incorrect, mostly the result of ignorance. signify - cryptographically sign and

Re: syslogd on 6.0-beta

2016-05-25 Thread Philip Guenther
On Wed, May 25, 2016 at 9:16 PM, Amit Kulkarni wrote: > On Wed, May 25, 2016 at 10:31 PM, Ted Unangst wrote: > >> Jeff Ross wrote: >> > jross@fw:/home/jross $ tail -10 /var/log/messages >> > May 21 04:00:01 fw syslogd: restart >> > May 25 15:53:58 fw

Re: syslogd on 6.0-beta

2016-05-25 Thread Amit Kulkarni
On Wed, May 25, 2016 at 10:31 PM, Ted Unangst wrote: > Jeff Ross wrote: > > jross@fw:/home/jross $ tail -10 /var/log/messages > > May 21 04:00:01 fw syslogd: restart > > May 25 15:53:58 fw syslogd: exiting on signal 15 > > May 25 15:53:58 fw syslogd: start > > May 25

Re: syslogd on 6.0-beta

2016-05-25 Thread Ted Unangst
Jeff Ross wrote: > jross@fw:/home/jross $ tail -10 /var/log/messages > May 21 04:00:01 fw syslogd: restart > May 25 15:53:58 fw syslogd: exiting on signal 15 > May 25 15:53:58 fw syslogd: start > May 25 15:53:58 fw syslogd: recvfrom unix: Connection reset by peer > May 25 15:56:00 fw syslogd:

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread arrowscript
>Anything else, that has PGP keys and such. Good luck! It's curious you say this Theo, since OpenSSH already uses PGP to sign the releases... no? Web of Trust wouldn't minimize the probability of corrupted packages? What makes you think that the main server (openbsd.org) cannot not be pwned?

Mirror downage: openbsd.cs.toronto.edu, obsdacvs.cs.toronto.edu, man.openbsd.org, cvsweb.openbsd.org

2016-05-25 Thread Nick Holland
Hi. Due to an infrastructure upgrade, power to the mirror and other systems at University of Toronto will be interrupted sometime Thursday, after 9:30pm Toronto time (EDT -- UTC-4), and should be restored Friday by 7:30am EDT. This will impact: * openbsd.cs.toronto.edu * obsdacvs.cs.toronto.edu

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread ropers
On 25 May 2016 at 23:59, Rubén Llorente wrote: > Many people is just uding the TOFU model with the keys. > Because I didn't get it at first and had to google it: For the archives: is -> are (grammar) uding -> using (typo) TOFU -> Trust On First Use

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Ivan Markin
Eduard - Gabriel Munteanu: > Well, you could certainly put the key and signify sources on the > main website. As Theo said they're at the corresponding pages [s/http/https/g]: > You mean like here? > > http://www.openbsd.org/59.html > > and > > http://www.openbsd.org/58.html > > and > >

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Eduard - Gabriel Munteanu
On Wed, 2016-05-25 at 17:22 -0600, Theo de Raadt wrote: > > Well, you could certainly put the key and signify sources on the main > > website. The CVS thing doesn't seem to be HTTPS-enabled. > > You mean like here? [...] Oops, I completely missed those. I was looking at the download page and

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Theo de Raadt
> By the same reasoning, you don't really need security fixes and > countermeasures either. So much for the security-oriented OS. I am glad we hit the point where you go run something else. Anything else, that has PGP keys and such. Good luck!

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Theo de Raadt
> Well, you could certainly put the key and signify sources on the main > website. The CVS thing doesn't seem to be HTTPS-enabled. You mean like here? http://www.openbsd.org/59.html and http://www.openbsd.org/58.html and http://www.openbsd.org/57.html and http://www.openbsd.org/56.html

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Eduard - Gabriel Munteanu
On Wed, 2016-05-25 at 17:02 -0500, Chris Bennett wrote: > Get the SHA256.sig from a different server than the install files, after > all, using just one server could be a problem if it is compromised. > > And face the reality of things: > > 1. The small bad guys. They can put up compromised

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Eduard - Gabriel Munteanu
On Wed, 2016-05-25 at 16:18 -0600, Theo de Raadt wrote: > > It currently seems impossible to verify downloads from a computer > > without OpenBSD, for a few reasons: > > > > 1. No securely-distributed public key > > 2. Lack of signify packages in e.g. Linux distros, or > > securely-distributed

Re: syslogd on 6.0-beta

2016-05-25 Thread Jeff Ross
Hi Tim, I await with bated breath to see where the problem is--can't be because the version of OpenBSD is too old. Jeff On 5/25/16 4:54 PM, trondd wrote: On Wed, May 25, 2016 6:39 pm, Jeff Ross wrote: Hello again, syslogd doesn't actually work for me on 6.0-beta either. OpenBSD 6.0-beta

Re: syslogd on 6.0-beta

2016-05-25 Thread trondd
On Wed, May 25, 2016 6:39 pm, Jeff Ross wrote: > Hello again, > > syslogd doesn't actually work for me on 6.0-beta either. > > OpenBSD 6.0-beta (GENERIC.MP) #1768: Wed May 18 12:01:43 MDT 2016 > dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP I had been running a May 16th

syslogd on 6.0-beta

2016-05-25 Thread Jeff Ross
Hello again, syslogd doesn't actually work for me on 6.0-beta either. jross@fw:/home/jross $ uname -a OpenBSD fw.openvistas.net 6.0 GENERIC.MP#1768 i386 jross@fw:/home/jross $ cat /etc/syslog.conf # $OpenBSD: syslog.conf,v 1.19 2015/11/26 15:25:14 deraadt Exp $ #

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Rubén Llorente
Eduard - Gabriel Munteanu wrote: > Hi, > > It currently seems impossible to verify downloads from a computer > without OpenBSD, for a few reasons: > > 1. No securely-distributed public key > 2. Lack of signify packages in e.g. Linux distros, or > securely-distributed sources

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Chris Bennett
On Wed, May 25, 2016 at 11:08:44PM +0300, Eduard - Gabriel Munteanu wrote: > Hi, > > It currently seems impossible to verify downloads from a computer > without OpenBSD, for a few reasons: > > 1. No securely-distributed public key > 2. Lack of signify packages in e.g. Linux distros, or >

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Theo de Raadt
> It currently seems impossible to verify downloads from a computer > without OpenBSD, for a few reasons: > > 1. No securely-distributed public key > 2. Lack of signify packages in e.g. Linux distros, or > securely-distributed sources > > To keep things simple, I propose mirroring SHA256SUM

Impossibility of cryptographic verification of downloads

2016-05-25 Thread Eduard - Gabriel Munteanu
Hi, It currently seems impossible to verify downloads from a computer without OpenBSD, for a few reasons: 1. No securely-distributed public key 2. Lack of signify packages in e.g. Linux distros, or securely-distributed sources To keep things simple, I propose mirroring SHA256SUM files onto the

Re: syslog on 5.6

2016-05-25 Thread Stefan Johnson
When you're this far behind, it might make more sense to grab a backup of all of your relevant config files, a list of third party packages you need, and such, and do a fresh install of the new version, then install missing packages and bring in your backed up config files for comparison and

Re: syslog on 5.6

2016-05-25 Thread Eric Furman
On Wed, May 25, 2016, at 03:47 PM, Jeff Ross wrote: > Thank you, Theo. > > I know this is true. I was tempted to jump right to 5.9 but decided to > heed the directions on > > http://www.openbsd.org/faq/upgrade56.html > > " > > *Note: Upgrades are only supported from one release to the release

FYI - ftp5.usa.openbsd.org down tonight and tomorrow night

2016-05-25 Thread Kurt Mosiejczuk
ftp5 is hosted here at RIT and they are doing work on the substation that supplies our electricity tonight (May 25th) and tomorrow night (May 26th). The power goes out at 5pm EDT so I'm shutting everything down starting at 4pm. Power comes back at 7am EDT tomorrow and Friday so it will be back up

Re: syslog on 5.6

2016-05-25 Thread Jeff Ross
Thank you, Theo. I know this is true. I was tempted to jump right to 5.9 but decided to heed the directions on http://www.openbsd.org/faq/upgrade56.html " *Note: Upgrades are only supported from one release to the release immediately following it. Do not skip releases. If you got lucky

isc-dhcp-server-4.3.4 - Can't create new lease file: Permission denied

2016-05-25 Thread Christer Solskogen
Hi! I'm using isc-dhcp-server-4.3.4 (not /usr/sbin/dhcp) on OpenBSD-current, and I see that error in /var/log/daemon. But I think the warning is wrong. $ ls -l /var/db/dhcpd.leases -rw-r--r-- 1 _isc-dhcp _isc-dhcp 177444 May 25 21:38 /var/db/dhcpd.leases $ ps auxw | grep dhcp _isc-dhc 43337

Re: syslog on 5.6

2016-05-25 Thread Theo de Raadt
We only "support" the last release, and we only make errata available for the last two releases. We don't maintain old code because none of us run it. 5.6 is end-of-life, so you are on your own. > So far I haven't been able to get syslog to log anything other than its > startup message. > >

syslog on 5.6

2016-05-25 Thread Jeff Ross
So far I haven't been able to get syslog to log anything other than its startup message. I'm using the stock syslog.conf file. logger test message does nothing so I ktraced it. The interesting part is: 22461 logger RET sigprocmask ~0x10100 22461 logger CALL

Seeking working Xorg configurations for MacBook 5,1 under 5.9 -release

2016-05-25 Thread m
Hello, I'm new to OpenBSD. I've recently installed 5.9 -release on a MacBook 5,1. The default configuration of Xorg doesn't work for me: when I call startx, my screen goes black and the computer seems entirely unresponsive to keyboard input; I'm obliged to restart the computer by holding down

Re: Why overwrite first megabyte of encrypted disk?

2016-05-25 Thread Raul Miller
On Wed, May 25, 2016 at 2:12 PM, Theo Buehler wrote: > From http://man.openbsd.org/bioctl.4: I think you meant http://man.openbsd.org/bioctl.8 Thanks, -- Raul

Re: Print-to-file crashes firefox and xombrero

2016-05-25 Thread Alessandro DE LAURENZIS
Hi Stefan, On Wed 25/05/2016 18:24, Stefan Wollny wrote: > Hi there! > > Running the latest available amd64-snapshot I noticed that when trying > to print from a web-page to a local file (PDF) firefox (and xombrero) > reliably crash. > > This is the source: >

Re: Why overwrite first megabyte of encrypted disk?

2016-05-25 Thread Theo Buehler
On Wed, May 25, 2016 at 07:35:04PM +0200, Robert Campbell wrote: > https://www.openbsd.org/faq/faq14.html#softraid > > In the FAQ > Disk Setup > Full Disk Encryption section there are these > lines after the encrypted drive has been set up: > > > As in the previous example, we'll overwrite the

Why overwrite first megabyte of encrypted disk?

2016-05-25 Thread Robert Campbell
https://www.openbsd.org/faq/faq14.html#softraid In the FAQ > Disk Setup > Full Disk Encryption section there are these lines after the encrypted drive has been set up: > As in the previous example, we'll overwrite the first megabyte of our new pseudo-device. > > # dd if=/dev/zero

Errors in HylaFax package OpenBSD 5.9

2016-05-25 Thread Peter Fraser
I was installing HylaFax for a local charity. They are still required to use faxes to communicate with a government agency. /usr/local/sbin/faxsetup and /usr/local/sbin/faxaddmodem do not have execute permission and none of the files under /usr/local/libdata/hylafax/bin have execute

Print-to-file crashes firefox and xombrero

2016-05-25 Thread Stefan Wollny
Hi there! Running the latest available amd64-snapshot I noticed that when trying to print from a web-page to a local file (PDF) firefox (and xombrero) reliably crash. This is the source:

Re: pf sanity check

2016-05-25 Thread Daniel Gillen
On 25.05.2016 15:01, Jeff Ross wrote: > Hi all, > > I am incrementally bringing my server up to date. I was on 5.5-current so > following the instructions I upgraded to 5.6 stable. > > I re-wrote my pf.conf to remove the oldqueue rules and to simplify the > rule set. > > Checks okay for

Re: pf sanity check

2016-05-25 Thread trondd
On Wed, May 25, 2016 9:01 am, Jeff Ross wrote: > Hi all, > > I am incrementally bringing my server up to date. I was on 5.5-current so > following the instructions I upgraded to 5.6 stable. > > I re-wrote my pf.conf to remove the oldqueue rules and to simplify the > rule set. > > Checks okay for

Re: BL460c G1 issues

2016-05-25 Thread Steve Shockley
On 2016-05-24 16:02, Steve Shockley wrote: RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC! IF RUNNING SMP, USE 'mach ddbcpu <#>' AND 'trace' ON OTHER PROCESSORS, TOO. DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION! Sorry, I need more practice

pf sanity check

2016-05-25 Thread Jeff Ross
Hi all, I am incrementally bringing my server up to date. I was on 5.5-current so following the instructions I upgraded to 5.6 stable. I re-wrote my pf.conf to remove the oldqueue rules and to simplify the rule set. Checks okay for syntax but it doesn't seem to be redirecting mail to spamd.