Re: Why isn't OpenBSD in Google Summer of Code 2017?...

2017-04-05 Thread Luke Small
Bring on the Flaming Theo! On Wed, Apr 5, 2017 at 3:55 PM Flipchan <flipc...@riseup.net> wrote: > Ping Theo, couldn't someone create a needs improvements list n put it on > like OpenBSD.org? > > Luke Small <lukensm...@gmail.com> wrote: (2 April 2017 16:54:39 CEST) >

Re: Why isn't OpenBSD in Google Summer of Code 2017?...

2017-04-05 Thread Luke Small
org <owner-m...@openbsd.org> on behalf of Bob > Beck > > <b...@obtuse.com> > > Sent: April 2, 2017 10:16:21 PM > > To: Luke Small > > Cc: openbsd-misc > > Subject: Re: Why isn't OpenBSD in Google Summer of Code 2017?... > > > > We tried it fo

I can't connect to openbsd.org in most cases.

2017-04-04 Thread Luke Small
I have an openbsd vm on a windows 7 host, windows 7 asus, iPhone, and Android phone. Only the iPhone 7+ seems to be able to connect to openbsd.org correctly without getting a https validation error. They are all going through the same wifi router. I am running Firefox on everything. Safari also

Re: Why isn't OpenBSD in Google Summer of Code 2017?...

2017-04-02 Thread Luke Small
p especially if it > was a group effort/friendly competition. > > > From: owner-m...@openbsd.org <owner-m...@openbsd.org> on behalf of Bob > Beck <b...@obtuse.com> > Sent: April 2, 2017 10:16:21 PM > To: Luke Small > Cc: openbsd

Re: Topics for revised PF and networking tutorial

2017-04-02 Thread Luke Small
It might be a fun idea to share what a really locked down desktop system pf.conf would look like if you are running a chain of DNS services (or something that would be good to tightly control) like local ntpd, unbound, and dnscrypt_proxy where you have local traffic locked down as well so

Why isn't OpenBSD in Google Summer of Code 2017?...

2017-04-02 Thread Luke Small

Is there something to replace zaurus?

2017-03-29 Thread Luke Small
I thought I read that there is an arm7 based mobile device, but I can't find anything about it.

Re: For the super paranoid

2017-03-11 Thread Luke Small
are.intel.com/en-us/blogs/2016/02/26/memory-encryption-an-intel-sgx-underpinning-technology > > The Intel SGX Memory Encryption Engine: > > > You just have to ask yourself, Intel, who has the keys to the Intel ME... > Paranoia^2 > There is no perfect security, especially when on

For the super paranoid

2017-03-11 Thread Luke Small
Is there a way to encrypt memory and keep the key on the CPU like a transparent partition so that if the ram cards are physically accessed, they can't be read? Is it reasonable?

make pf allow out on lo per user

2017-01-24 Thread Luke Small
if I have: "pass out quick on lo0 from self port 6379 to \ any user luke block out quick on lo0 from self port 6379 to any pass quick on lo0 from any to any" a local connection to port 6379 will go to the last rule... isn't this a useful feature to allow one of the first two rules to take

Re: Pf on lo0

2017-01-18 Thread Luke Small
ut quick on lo0 inet proto udp from 127.0.0.1 port = 6380 to any label "Rule 1h" [ Evaluations: 0 Packets: 0 Bytes: 0States: 0 ] [ Inserted: uid 0 pid 89214 State Creations: 0 ] @28 block drop out quick on lo0 inet proto udp from 10.0.2.15 port = 638

Re: Pf on lo0

2017-01-17 Thread Luke Small
It doesn't. The "pass in quick on lo0 proto {tcp,udp}from any port 6379 to self port 6379 user luke" works. On Mon, Jan 16, 2017, 23:48 Sebastien Marie <sema...@online.fr> wrote: > On Mon, Jan 16, 2017 at 11:04:48PM +, Luke Small wrote: > > I'm trying to have pf

Pf on lo0

2017-01-16 Thread Luke Small
I'm trying to have pf limit sending TCP packets over lo0 from a specific user. I made some rules, but they seem to be ignored when I check on pfctl -vvvs rules it goes to the default lo0 pass rule: "pass out quick on lo0 proto { tcp, udp } from self port 6379 to any port 6379 user luke" and "block

Re: Why can I waitpid() but can't EVFILT_PROC under pledge("proc")

2017-01-05 Thread Luke Small
You could possibly make a separate "event" or "wait" pledge to register new events or NOTE_EXIT calls, but I suspect that that would complicate things, making the large presumption that that could be desired. On Thu, Jan 5, 2017, 15:42 Theo de Raadt wrote: > > I imagine

Re: Why can I waitpid() but can't EVFILT_PROC under pledge("proc")

2017-01-05 Thread Luke Small
Registering a EVFILT_PROC, NOTE_EXIT kevent requires proc On Thu, Jan 5, 2017, 15:25 Ted Unangst <t...@tedunangst.com> wrote: > Theo de Raadt wrote: > > > Luke Small wrote: > > > > What if I want to prevent a process from forking while I want to > create ne

Re: Why can I waitpid() but can't EVFILT_PROC under pledge("proc")

2017-01-05 Thread Luke Small
ose it may be difficult to turn back now after pledging so much in a certain way. On Thu, Jan 5, 2017, 14:41 Ted Unangst <t...@tedunangst.com> wrote: Luke Small wrote: > What if I want to prevent a process from forking while I want to create new > EVFILT_PROC events? Say, to accept the pid

Why can I waitpid() but can't EVFILT_PROC under pledge("proc")

2017-01-05 Thread Luke Small
What if I want to prevent a process from forking while I want to create new EVFILT_PROC events? Say, to accept the pid of a sibling fork from a pipe and load it into a kqueue. Is there a reason why waitpid() isn't beholden to this, or is there a reason that EVFILT_PROC is?

fresh install to i386 kde4 only has UTC on clock...

2016-10-08 Thread Luke Small

odd microsoft mouse mappings

2016-10-08 Thread Luke Small
Can I change usbhidctrl to change how it is mapped? The middle scroll moves the mouse up. The left-right movement on the mouse works, but the up and down seems to right click. I don't know what the rest does.

Re: might it be better to have three paths lists

2016-09-03 Thread Luke Small
, 04:41 ludovic coues <cou...@gmail.com> wrote: > 2016-09-03 11:04 GMT+02:00 Luke Small <lukensm...@gmail.com>: > > > > > > Sorry I was in the middle of something, but pledge can be a broad brush, > > unless you are dealing with one file, whether it is execut

Re: might it be better to have three paths lists

2016-09-03 Thread Luke Small
wrote: > What is the use case ? > > 2016-09-03 4:15 GMT+02:00 Luke Small <lukensm...@gmail.com>: > > wouldn't it be more secure to have a write, read, and execute capable > paths > > lists in pledge() > > > > > > -- > > Cordialement, Coues Ludovic > +336 148 743 42

might it be better to have three paths lists

2016-09-02 Thread Luke Small
wouldn't it be more secure to have a write, read, and execute capable paths lists in pledge()

Server compatibility list oracle x86?...

2016-08-06 Thread Luke Small

Best way to hardware AES.

2016-08-05 Thread Luke Small
I'm thinking about getting some intel or sparc system with AES hardware. What would be the cleanest way to access the Open Cryptographic Framework to access the hardware. I'm writing in C. I'd like to do 256 bit aes-ctr or preferably aes-gcm and use ultrasparc T2 and above, i7 or older Xeons. I'm

Best way to hardware AES.

2016-08-04 Thread Luke Small
I'm thinking about getting some intel or sparc system with AES hardware. What would be the cleanest way to access the Open Cryptographic Framework to access the hardware. I'm writing in C. I'd like to do 256 bit aes-ctr or preferably aes-gcm and use ultrasparc T2 and above, slightly older Xeons or

Re: fork w/o execv

2016-07-31 Thread Luke Small
, 05:58 Peter J. Philipp <p...@centroid.eu> wrote: > On Sun, Jul 31, 2016 at 09:05:52AM +0000, Luke Small wrote: > > I'm trying to do some operations in which I fork and the child closes and > > simplifies socketpair listings and sends the simpler list of malloced &

fork w/o execv

2016-07-31 Thread Luke Small
I'm trying to do some operations in which I fork and the child closes and simplifies socketpair listings and sends the simpler list of malloced file descriptors to a function and sends ioctl data after it opens a socket. The parent sends a short greeting to the child to show that it is ready. The

Re: Is it possible and not unadvisable to make /src with the -O3 option?...

2016-06-16 Thread Luke Small
Would it make it slower, more buggy or make the kernel not fit in the root partition? On Thu, Jun 16, 2016 at 9:07 AM Mike Burns <mike+open...@mike-burns.com> wrote: > On 2016-06-16 13.42.44 +0000, Luke Small wrote: > > Is it possible and not unadvisable to make /src with the

Re: Is it possible and not unadvisable to make /src with the -O3 option?...

2016-06-16 Thread Luke Small
break your system, you get to keep all the pieces. > > Short version: "if you had to ask, then the answer was no". > > > 2016-06-16 15:42 GMT+02:00 Luke Small <lukensm...@gmail.com>: > >> > > > -- > May the most significant bit of your life be positive.

Is it possible and not unadvisable to make /src with the -O3 option?...

2016-06-16 Thread Luke Small

pledge and code profiling

2016-05-27 Thread Luke Small
Pledge does something odd, that I don't understand by reading the man page. It trips the system-call: SYS_PROFIL (44) when it ends its run in codeblocks IDE when profiling is enabled. Can I enable a pledge setting that enables this to complete? Is there a security reason that pledge is disabling

Re: ntpd commandline expansion

2016-05-07 Thread Luke Small
I used to be able to run ntpd -s in 5.8. Now I can't. Apparently sometimes security causes incompatibilities. I ran sendbug with my complaint. -Luke On Sat, May 7, 2016 at 7:06 PM, Philip Guenther <guent...@gmail.com> wrote: > On Sat, May 7, 2016 at 4:27 PM, Luke Small <lukensm.

Re: ntpd commandline expansion

2016-05-07 Thread Luke Small
:56 PM, Luke Small <lukensm...@gmail.com> wrote: > It is because I am saving the state in virtualbox, which is like putting > it in hibernate, except instead of refreshing the time, the time remains > the same as when it last ran, which can be some time ago. > > -Luke > >

Re: ntpd commandline expansion

2016-05-07 Thread Luke Small
> On Sat, May 7, 2016 at 9:06 AM, Luke Small <lukensm...@gmail.com> wrote: > > I often use virtualbox to run openbsd-amd64 and lately I haven't been > able > > to "ntpd -s" and make it update the clock, which may have been after > > several days. > >

ntpd commandline expansion

2016-05-07 Thread Luke Small
I often use virtualbox to run openbsd-amd64 and lately I haven't been able to "ntpd -s" and make it update the clock, which may have been after several days. It often adversely affects my use of google products, as they update their keys often and if the clock is wrong, it says there is a security

I'm curious, why is queue() in style()

2016-02-10 Thread Luke Small
It seems to complicate things. Is there a security reason to use those functions?

Re: I have a program I wish to submit for the base

2016-01-31 Thread Luke Small
the program overwrites ONLY the installpath variable(s) in /etc/pkg.conf. The rest of the variables will remain. PKG_PATH environment variable takes precedence over any installpath initializations. I'm running 5.8. I don't know how to pledge it. I will make sure to, past the 5.9 release. I'm

Re: I have a program I wish to submit for the base

2016-01-31 Thread Luke Small
even more sloppy. The only problem is that the program is potentially subject to a man-in-the-middle attack from a non secured webpage. Manually setting the package mirror has the same problem too though. On Jan 30, 2016 06:50, <li...@wrant.com> wrote: > Fri, 29 Jan 2016 16:35:12 -0600

Re: I have a program I wish to submit for the base

2016-01-29 Thread Luke Small
I wanted to use kqueue. Name another script or programming language that offers it from the base install. NONE! Why should I write it in another language. I already did it in C. Is there another way other than kqueue that you can wait for the ftp call to quit, while being able to kill it if it

Re: bandwidth usage limits with pf, etc.

2016-01-25 Thread Luke Small
man pf.conf set limit

Re: if I were to make a pkg-add diff

2016-01-20 Thread Luke Small
even a big enough transfer to get TCP out of slow start. SHA256 is over 600 KB. -Luke On Wed, Jan 20, 2016 at 1:14 AM, Luke Small <thinkitdoitd...@gmail.com> wrote: > not knowing better... > > I always wanted to know the fastest mirrors for me, and at times it > cha

Re: if I were to make a pkg-add diff

2016-01-19 Thread Luke Small
here you go! Enjoy! -Luke On Tue, Jan 19, 2016 at 2:57 AM, Erling Westenvik < erling.westen...@gmail.com> wrote: > On Tue, Jan 19, 2016 at 01:26:15AM -0600, Luke Small wrote: > > I made a small 500 line program I call pkg_ping that calls uname -rm, > > ftp, sed, on

Re: if I were to make a pkg-add diff

2016-01-19 Thread Luke Small
Go to: *I have a mirror testing program for you.* in the tech mailing list. It copied there. -Luke On Tue, Jan 19, 2016 at 11:18 PM, Luke Small <thinkitdoitd...@gmail.com> wrote: > here you go! Enjoy! > > -Luke > > On Tue, Jan 19, 2016 at 2:57 AM, Erling Westen

Re: if I were to make a pkg-add diff

2016-01-19 Thread Luke Small
wrote: > On Tue, Jan 19, 2016 at 01:26:15AM -0600, Luke Small wrote: > > I made a small 500 line program I call pkg_ping that calls uname -rm, > > ftp, sed, on openbsd.org/ftp.html. > > A "program"? In what language? Is your code available somewhere? > >

Re: if I were to make a pkg-add diff

2016-01-18 Thread Luke Small
I made a small 500 line program I call pkg_ping that calls uname -rm, ftp, sed, on openbsd.org/ftp.html. then it changes all the parsed http and ftp mirrors into http and ftp downloads and changes them to non redundant http mirrors (it has to to easily call ftp on it). It takes them and downloads

Re: if I were to make a pkg-add diff

2016-01-04 Thread Luke Small
I am realistically thinking more along the lines of less than once a release cycle. More like whenever it comes upon a user that their mirror of choice chooses to no longer be a mirror. I had that happen to me. It would be convenient to have a program that can easily compare mirror latencies and

Re: if I were to make a pkg-add diff

2016-01-04 Thread Luke Small
> wrote: > All of the functionality you are requesting is already provided. > > look at finish_up() in src/distrib/miniroot/install.sub. > > There is no reason at all to modify pkg_add. Just setup /etc/pkg.conf. > > > On 2016 Jan 04 (Mon) at 04:02:07 -0600 (-0600), Luke Small wr

Re: if I were to make a pkg-add diff

2016-01-03 Thread Luke Small
that on a specific file, whether the results may be skewed by inconsistent squid or similar program caching often downloaded files on mirrors. On Dec 27, 2015 18:17, "Luke Small" <lukensm...@gmail.com> wrote: > Even though I don't have an internet connection for my laptop I >

Re: if I were to make a pkg-add diff

2016-01-03 Thread Luke Small
What I meant is, if a program sends a handful of pings to each mirror, would it think it is being spammed and shutdown any further connections. I didn't mean to say that I want to connect the pkg_ping program to a of anchor. I tried an initial localhost pinging, pkg_ping program in virtualbox

Re: if I were to make a pkg-add diff

2015-12-27 Thread Luke Small
I guess I didn't really answer your question. It wouldn't rely upon the ramdisk. It is meant to run after install. So it would presumably have all the firmware. I was thinking about running it similarly to the install output though. I setup a local mirror once and it crapped out after a while and

Re: if I were to make a pkg-add diff

2015-12-27 Thread Luke Small
You could do that if you want to have noobs connect to one of the mirrors into perpetuity that brings down the server like a ddos every release! > I think the best that can be done relatively easily would be to have >pkg_add fetch ftplist.cgi and pick the first result as a default if neither

Re: if I were to make a pkg-add diff

2015-12-27 Thread Luke Small
Even though I don't have an internet connection for my laptop I started the C program that pipes an execl call from ftp, to sed, (like the suggestions offered earlier in the thread, and back to the parent and it will use kqueue to test the pipe buffer capacities to a local buffer (I love

Re: if I were to make a pkg-add diff

2015-12-26 Thread Luke Small
Come to think about it, it might be good to do a tiny standalone program called pkg_ping and then I could make it in C like I'd prefer. I'd hope to make a port maybe, but then it would functionally defeat the intent. On 12/26/15, Luke Small <lukensm...@gmail.com> wrote: > I ju

Re: if I were to make a pkg-add diff

2015-12-26 Thread Luke Small
I just figure that adding a little complexity that doesn't adversely affect security, to ease initial entry into the system for new users could be good. pkg_add initialization and mirror selection can be automated in a way to not discourage someone from picking up a fresh install and running with

Re: if I were to make a pkg-add diff

2015-12-25 Thread Luke Small
I suspect that if you did, it wouldn't check whether there was an astronaut ready to control the on-board computer and would sit there continuously trying to rev the rocket engines with no jet fuel. That is the way pkg-add acts right now. I felt pretty ridiculous wondering why pkg-add wasn't

Re: if I were to make a pkg-add diff

2015-12-25 Thread Luke Small
of messages delivered by pkg-add itself to rm folder contents at the end of a run. On 12/25/15, Luke Small <lukensm...@gmail.com> wrote: > I suspect that if you did, it wouldn't check whether there was an > astronaut ready to control the on-board computer and would sit there > continuousl

if I were to make a pkg-add diff

2015-12-24 Thread Luke Small
I can't type underscore on this device. Assuming I could do it: If I were to make a sloppy perl-based pkg-add program that used c and the installer code to (re)set the PKG-PATH environment variable using the "http" settings that are available for installing the modules from mirrors, if I made

Re: if I were to make a pkg-add diff

2015-12-24 Thread Luke Small
I wanna make a c program that checks for a PKG_PATH that exists and connects to a workable link for pkg_add(). If you ever upgraded using http mirrors on the install disk, it offers list# which links directly to numbered mirrors. It would likely ease the initial startup for whomever uses it while

Re: text-mode gui

2015-12-22 Thread Luke Small
Ha Ha. I got Theo to call me a whiny prick! I'm getting the t-shirt. >You play absolutely no part in the decisions that got OpenBSD to where it is. At least somebody is listening, even if they are ignoring everything. What point is there to having an automated machine, when you have to do

Re: text-mode gui

2015-12-21 Thread Luke Small
You are a normal user and have full disk encryption. You must have read the man page on how to do that? Found the installer option did you. I have read several books on openbsd and all the man pages I could find and didn't find out how to do it anywhere else other than how-to webpages. On Dec 21,

Re: text-mode gui

2015-12-21 Thread Luke Small
they want to run a two nic gateway, let them read the man-pages. -Luke On Sun, Dec 20, 2015 at 7:45 PM, Dmitrij D. Czarkoff <czark...@gmail.com> wrote: > Luke Small said: > > There are other features that inexperienced users could benefit from, > like > > selecting

Re: text-mode gui

2015-12-21 Thread Luke Small
I suspect that there could be a number of minor implementation tweaks that could be addressed that would be convenient to avoid presumably to streamline the install process for folks that would prefer to avoid an incessant procession of questions. There are other features that inexperienced users

Re: text-mode gui

2015-12-21 Thread Luke Small
the user and doesn't self-destruct any time it needs to fsck: By Default. On 12/21/15, li...@wrant.com <li...@wrant.com> wrote: >> Luke Small <lukensm...@gmail.com> >> >[...] It would be very easy to write a C >> >program to parse and edit fstab to mak

Re: text-mode gui

2015-12-20 Thread Luke Small
> On 2015-12-20 17.25.14 -0600, Luke Small wrote: > >It would be very easy to write a C > >program to parse and edit fstab to make all the partitions softdep. > > Can we see your patch?

Re: text-mode gui

2015-12-20 Thread Luke Small
to fix the problem, when it can merely be an install option. -Luke On Sun, Dec 20, 2015 at 3:33 PM, <li...@wrant.com> wrote: > On Sun, 20 Dec 2015 14:03:18 -0600 Luke Small <lukensm...@gmail.com> > wrote: > > > I don't know the best way, but I like how there are "

Re: text-mode gui

2015-12-20 Thread Luke Small
00, li...@wrant.com wrote: > >> On Sun, 20 Dec 2015 10:51:20 + Tati Chevron <chev...@swabsit.com> >> wrote: >> >> On Sat, Dec 19, 2015 at 05:34:59PM -0600, Luke Small >>> <lukensm...@gmail.com> wrote: >>> > >>> >If installer

text-mode gui

2015-12-19 Thread Luke Small
If installer GUIs are bad, maybe features like full-disk encryption could be accomplished via lynx-like text -based HTML and/or JavaScript that could write to cookies that the installer could parse into commands? -Luke

Xscreensaver gets interrupted with no inputs

2015-12-05 Thread Luke Small
I am not on the web with my 5.8 virtualbox guest and it never blanks unless it is set to 1 minute and when it is locked, it is interrupted. Is it a bug, or is it possibly a virus? My windows host goes into the screensaver and stays just fine.

Re: "# systrace -c1000:1000 kate" for privilege escalated editing?

2015-12-04 Thread Luke Small
>I can't quite figure out what you're trying to do, but running big GUI >programs and libraries with root privileges (whether that's from systrace or >doas or sudo or su or whatever) is usually not a good idea. Thinking about it now, I guess if you add root write privileges to writing files, you

Re: "# systrace -c1000:1000 kate" for privilege escalated editing?

2015-12-03 Thread Luke Small
that doesn't suid but can open a privileged socket under systrace -c 1000:1000 ./server On Dec 2, 2015 19:44, "Vadim Zhukov" <persg...@gmail.com> wrote: > On 03 Dec. 2015 at 4:27, user "Luke Small" <lukensm...@gmail.com> > wrote: >

"# systrace -c1000:1000 kate" for privilege escalated editing?

2015-12-02 Thread Luke Small
I want to be able to use systrace for privilege escalation for kompare for sysmerge diffs and kate. Why isn't systrace able to do this? -Luke

Fwd: Re: pledge() enhancement

2015-11-15 Thread Luke Small
-- Forwarded message -- From: "Ingo Schwarze" <schwa...@usta.de> Date: Nov 13, 2015 7:32 PM Subject: Re: pledge() enhancement To: "Luke Small" <lukensm...@gmail.com> Cc: <b...@openbsd.org> Hi Luke, Luke Small wrote on Fri, Nov 13, 2015 at
