PF SMP
Does PF utilize multiple processors? One of my router/firewalls is a dual Pentium Pro 200. It also runs ftp-proxy, but that's it. Would a PII 400MHz be equivalent, better, or worse? Just curious. From what I understand, the network stack is not threaded, thus multiple processors would not be beneficial. - pachl
Re: Partitions
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Brahy Sent: Thursday, June 29, 2006 11:00 PM To: misc@openbsd.org Subject: [misc] Partitions

At first I didn't understand the reason for all the partitions ( http://archives.neohapsis.com/archives/openbsd/2001-01/1654.html) now I can't have enough partitions In my official OpenBSD CD sleeve it says to create these partitions: / swap /tmp /var /usr /home and over time I have learned to appreciate these, but lately I have been creating more partitions /usr/src /usr/obj are two of the ones that are suggested when rebuilding my system and I definitely like the speed of doing a newfs to /usr/obj I also have been putting mysql on its own partition and then I got a little crazier and added more partitions and my list has grown to this: / /home /tmp /var /var/mysql /usr /usr/local /usr/src /usr/obj /usr/Xbld /usr/XF4 /usr/local /virtualhosts So am I going overboard? or am I missing any good partitions. when I first posted Nick Holland replied with several reasons to have multiple partitions. Those being security, fragmentation, protecting the filesystem from overfilling, organization and space tracking. does increasing the amount of partitions increase access to the files on that partition? Any feedback would be appreciated. Thanks, John

well, from my point of view: if your setup or the things you load on the server needs it - have as many partitions as you want! you'll at latest will see if you went overboard, if it comes to upgrades, restores, etc... your environment has to fit your needs. i've seen machines with just / and swap, and i've seen machines where for example for the database itself have been more than 30 partitions as well. both setups were fine - for their respective needs. if it's manageable, secure and last but not least - FAST, it's fine ;-)
Re: PF SMP
I have the same understanding you have Pachl. I believe OpenBSD IP Stack is not multithreaded implemented. A core developer could deny/confirm such belief. /all the best. On 6/30/06, Clint Pachl [EMAIL PROTECTED] wrote: Does PF utilize multiple processors? One of my router/firewalls is a dual Pentium Pro 200. It also runs ftp-proxy, but that's it. Would a PII 400MHz be equivalent, better, or worse? Just curious. From what I understand, the network stack is not threaded, thus multiple processors would not be beneficial. - pachl
Re: PF SMP
OpenBSD SMP is based on BigLock, so only one processor at the time can execute kernel code, and IP Stack is kernel side only. As far as I remember. regards M.K. Gustavo Rios wrote: I have the same understanding you have Pachl. I believe OpenBSD IP Stack is not multithreaded implemented. A core developer could deny/confirm such belief. /all the best. On 6/30/06, Clint Pachl [EMAIL PROTECTED] wrote: Does PF utilize multiple processors? One of my router/firewalls is a dual Pentium Pro 200. It also runs ftp-proxy, but that's it. Would a PII 400MHz be equivalent, better, or worse? Just curious. From what I understand, the network stack is not threaded, thus multiple processors would not be beneficial. - pachl
Re: isakmpd: Phase 2 Cisco PIX fun
On 29 jun 2006, at 22.33, Stephen Bosch wrote: I'm trying to set up a tunnel to a Cisco PIX. It seems to make it past Phase 1, the trouble starts at Phase 2. I've provided some tcpdump output below: ... So, at this point it looks like Phase 1 was successful. Phase 2 begins: 14:21:47.235581 OpenBSD.500 Cisco_PIX.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 56fe089d len: 284 payload: HASH len: 20 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x3147c4bd payload: TRANSFORM len: 28 transform: 1 ID: 3DES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = TUNNEL attribute AUTHENTICATION_ALGORITHM = HMAC_MD5 attribute GROUP_DESCRIPTION = 2 payload: NONCE len: 20 payload: KEY_EXCH len: 132 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.49.10.0/255.255.255.0 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.50.0.0/255.255.254.0 [ttl 0] (id 1, len 312) First question -- does this look right? Yup, this is a normal first packet of a quick mode negotiation. isakmpd now expects the 2nd packet, but instead gets a new exchange ('TRANSACTION' type, or mode-config): 14:21:47.598650 Cisco_PIX.500 OpenBSD.500: [udp sum ok] isakmp v1.0 exchange TRANSACTION cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 49023a8f len: 76 payload: HASH len: 20 payload: ATTRIBUTE len: 20 type: CFG_REQUEST Id: 0 attribute INTERNAL_IP4_SUBNET = none attribute SUPPORTED_ATTRIBUTES = none attribute INTERNAL_IP6_SUBNET = none [ttl 0] (id 1, len 104) What does this mean? This response from the PIX doesn't make any sense to me. Is it asking for internal subnet info? Is it trying to provide it? Why would it be putting this in as an attribute? A guess would be the PIX regards the OpenBSD machine as (some kind of a Cisco-specific?) client and wants to know what configuration data it can accept. 
Typically that 'what are your SUPPORTED_ATTRIBUTES' part. 14:21:47.599642 OpenBSD.500 Cisco_PIX.500: [udp sum ok] isakmp v1.0 exchange TRANSACTION cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 49023a8f len: 123 payload: HASH len: 20 payload: ATTRIBUTE len: 75 type: CFG_REPLY Id: 0 attribute INTERNAL_IP6_SUBNET = ::/0 attribute SUPPORTED_ATTRIBUTES = 15 attributes RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED attribute INTERNAL_IP4_SUBNET = 0.0.0.0/0.0.0.0 [ttl 0] (id 1, len 151) OpenBSD responds -- I don't get this either. No, and it shouldn't send this response. It's a bug. isakmpd does not support the client-side of mode-config, only the server side. The skeleton for the client-side code is there, but it was never implemented fully. (There's a lot of things that need to work together here, such as having the privilege separated isakmpd process being able to add/change IP and netmask of an interface etc. The need for client-side support has not been requested much, so we've not done anything more here yet.) 14:21:47.874961 Cisco_PIX.500 OpenBSD.500: [udp sum ok] isakmp v1.0 exchange TRANSACTION cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 49023a8f len: 68 payload: HASH len: 20 payload: ATTRIBUTE len: 12 type: CFG_SET Id: 0 attribute unknown = none [ttl 0] (id 1, len 96) Strange reply... Yes. Seems the PIX did not handle isakmpd's (nonsensical) reply very well. :) Plus, isakmpd will not accept a CFG_SET here, as seen by the response: 14:21:47.876987 OpenBSD.500 Cisco_PIX.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 80603edb len: 60 payload: HASH len: 20 payload: NOTIFICATION len: 12 notification: PAYLOAD MALFORMED [ttl 0] (id 1, len 88) And this is where things grind to a halt.
OpenBSD gives a PAYLOAD MALFORMED notification, the PIX retries the previous packet a few more times, then gives up and ignores all further requests. Any ideas? See if you can convince the PIX to regard the OpenBSD box as another gateway and not a client? Or perhaps tell it that the other machine is not to be considered a Cisco-box? Or disable mode-config (if possible)? I don't recall all the ins-and-outs of the PIX configuration (it's a
Re: Where to start studying OpenBSD networking code
The second volume of TCP/IP Illustrated is very interesting, it describes the BSD implementation of the TCP stack, walking you through the code. Although dated, the code still bears a lot of similarities with what you'll find in /usr/src.
Re: Where to start studying OpenBSD networking code
Hi Joakinen, On 2006.06.28, at 11:24 PM, joakinen wrote: Is there any diagram of how every piece of code relates to the others? I don't know how relevant it is to OpenBSD, if at all, but I seem to remember getting a BSD TCP/IP network stack diagram poster with the boxed set of TCP/IP Illustrated (1-3). Shane
Patent jeopardizes IETF syslog standard
Patent jeopardizes IETF syslog standard. Read here http://trends.newsforge.com/article.pl?sid=06/06/28/2320232
Re: Partitions
Hi, So am I going overboard? or am I missing any good partitions. I never understood why putting /tmp on its own partition is good when nobody notices /var/tmp. In addition to /tmp I always put /var/tmp on its own partition too, so that I can mount it with nodev,noexec,nosuid. I also try to split things up in a way that I can mount many things with the ro option where there should be no changes to the filesystems unless you perform an update, patch something etc. regards, Tobias W.
Re: Mixing queues in pf
On Thu, Jun 29, 2006 at 05:26:30PM -0700, Lawrence Horvath wrote: Is it possible to mix queue types with pf, for instance all http traffic is sent to a hfsc queue while all ssh traffic is sent to a priq queue, or could you have a master priq queue and child cbq queues under it? thanks All queues but priq can have (arbitrary) child queues, as documented in pf.conf(5). Joachim
Re: Partitions
* Nick [EMAIL PROTECTED] [2006-06-30 03:33]: yes, I'd say you are going a bit overboard. very slightly, if at all. nor do I see any real-life benefit to a /usr/local partition. I do, a lot. prevent 3rd party crap shit from overflowing /usr. and, that way, you can even mount /usr RO unless you do upgrades. A long time ago, I had a nice little webserver set up, then my friend Henning said, Here, try this chroot'ed Apache patch...which absolutely hosed my grand plans, as my /var partition was too small, as all the web documents were served from /home/user directories. shalalalala... :) -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: gcc support to stack-smashing attacks protection
Thanks folks. On 6/29/06, Joachim Schipper [EMAIL PROTECTED] wrote: On Thu, Jun 29, 2006 at 04:48:24PM -0300, João Salvatti wrote: Hi all... I'd like to know if OpenBSD's gcc build binary files with built-in stack-smashing attacks protection. As Theo pointed out, yes. Be aware that there are still plenty of problems that can occur with less-than-perfectly written code; plus, in many cases only the program logic needs to be exploited (XSS and SQL injection are prime examples of this, as are most symlink attacks). Joachim -- João Salvatti Undergraduating in Computer Science Federal University of Para - UFPA web: http://www.openbsd-pa.org e-mail: [EMAIL PROTECTED]
Re: Partitions
On Fri, Jun 30, 2006 at 12:00:12PM +0200, Tobias Weisserth wrote: I never understood why putting /tmp on its own partition is good when nobody notices /var/tmp. In addition to /tmp I always put /var/tmp on its own partition too, so that I can mount it with nodev,noexec,nosuid. I always symlink /var/tmp to my /tmp partition and mount /tmp with: nodev,noexec,nosuid,noatime,async - as it gets wiped at boot anyway.
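The point raised in the two messages above (a hardened /tmp does nothing for /var/tmp unless that directory is covered too), as an added example that is not part of the thread: a Python check that maps each world-writable directory to the fstab entry that actually contains it and reports missing nodev, noexec or nosuid options. The fstab contents and device names are constructed, and a symlink such as /var/tmp pointing at /tmp is not visible to a check that only reads fstab.

```python
import posixpath

# Options both posters mount their temporary directories with.
REQUIRED = {"nodev", "noexec", "nosuid"}
WORLD_WRITABLE = ("/tmp", "/var/tmp")

# Constructed sample in OpenBSD fstab(5) layout: device, mount point,
# type, options, dump, pass. /tmp is hardened, /var/tmp has no entry.
SAMPLE_FSTAB = """\
/dev/wd0a /      ffs  rw                      1 1
/dev/wd0b none   swap sw                      0 0
/dev/wd0d /tmp   ffs  rw,nodev,noexec,nosuid  1 2
/dev/wd0e /var   ffs  rw,nodev,nosuid         1 2
/dev/wd0f /usr   ffs  ro,nodev                1 2
/dev/wd0g /home  ffs  rw,nodev,nosuid         1 2
"""


def parse_fstab(text):
    """Return {mount_point: set(options)} for entries with a real mount point."""
    mounts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # Skip malformed lines and entries such as swap ("none").
        if len(fields) < 4 or not fields[1].startswith("/"):
            continue
        mounts[posixpath.normpath(fields[1])] = set(fields[3].split(","))
    return mounts


def covering_mount(path, mounts):
    """Longest mount point that contains path, i.e. the filesystem it lives on."""
    path = posixpath.normpath(path)
    best = None
    for mp in mounts:
        if mp == "/" or path == mp or path.startswith(mp + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def audit(text, paths=WORLD_WRITABLE, required=REQUIRED):
    """Return {path: (covering_mount, [missing options])} for every gap found."""
    mounts = parse_fstab(text)
    findings = {}
    for path in paths:
        mp = covering_mount(path, mounts)
        if mp is None:
            findings[path] = (None, sorted(required))
            continue
        missing = sorted(required - mounts[mp])
        if missing:
            findings[path] = (mp, missing)
    return findings


if __name__ == "__main__":
    for path, (mp, missing) in audit(SAMPLE_FSTAB).items():
        print(f"{path}: on {mp}, missing {','.join(missing)}")
```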
Re: premature end of script headers
On Fri, Jun 30, 2006 at 11:49:26AM +0700, riwanlky wrote: Hi All, I am trying to run TWiki on my OBSD 3.9 box. Installed using pkg_add TWiiki-20040903p0.tgz Include the following in my httpd.conf: apachectl restart. Try this: # apachectl stop # httpd -u - TWiki won't run in chroot without a few minutes work. [Fri Jun 30 11:31:04 2006] [error] [client 192.168.3.55] script not found or unable to stat: /cgi-bin/twiki/testenv I tried to change the chmod 755 testenv and chgrp www:www testenv On my box using the package: $ ls -lh /var/www/cgi-bin/twiki/testenv -r-xr-xr-x 1 root bin 39.2K Nov 9 2005 testenv Also check that your /var/www partition is not mounted noexec for this to work. -- Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]
Re: Mixing queues in pf
Joachim Schipper wrote: On Thu, Jun 29, 2006 at 05:26:30PM -0700, Lawrence Horvath wrote: Is it possible to mix queue types with pf, for instance all http traffic is sent to a hfsc queue while all ssh traffic is sent to a priq queue, or could you have a master priq queue and child cbq queues under it? thanks All queues but priq can have (arbitrary) child queues, as documented in pf.conf(5). Joachim I think that what he meant was if you can have one type of queue mixed with another, for example, one cbq master queue, and some hfsc child queues. I've tried it, and pfctl complained that the queues had no parent. So I believe that it does not work the way you want. You can have any number of queues using cbq or hfsc, but, AFAIK, can't mix them. My 2 cents, -- Giancarlo Razzolini Linux User 172199 Moleque Sem Conteudo Numero #002 Slackware Current OpenBSD Stable Snike Tecnologia em Informatica 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: News From HiFn
Hi! On Thu, Jun 29, 2006 at 03:45:55PM -0700, J.C. Roberts wrote: [...] I just got a call this afternoon from Tom Moore to let me know they've set up an anon FTP site (no registration) with their documentation: ftp://ftp.hifn.com Kudos to you for your initiative and to HiFn for their decision. Kind regards, Hannah.
Re: isakmpd: Phase 2 Cisco PIX fun
Håkan Olsson wrote: On 29 jun 2006, at 22.33, Stephen Bosch wrote: I'm trying to set up a tunnel to a Cisco PIX. It seems to make it past Phase 1, the trouble starts at Phase 2. I've provided some tcpdump output below: ... So, at this point it looks like Phase 1 was successful. Phase 2 begins: 14:21:47.235581 OpenBSD.500 Cisco_PIX.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 56fe089d len: 284 payload: HASH len: 20 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x3147c4bd payload: TRANSFORM len: 28 transform: 1 ID: 3DES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = TUNNEL attribute AUTHENTICATION_ALGORITHM = HMAC_MD5 attribute GROUP_DESCRIPTION = 2 payload: NONCE len: 20 payload: KEY_EXCH len: 132 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.49.10.0/255.255.255.0 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.50.0.0/255.255.254.0 [ttl 0] (id 1, len 312) First question -- does this look right? Yup, this is a normal first packet of a quick mode negotiation. isakmpd now expects the 2nd packet, but instead gets a new exchange ('TRANSACTION' type, or mode-config): 14:21:47.598650 Cisco_PIX.500 OpenBSD.500: [udp sum ok] isakmp v1.0 exchange TRANSACTION cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 49023a8f len: 76 payload: HASH len: 20 payload: ATTRIBUTE len: 20 type: CFG_REQUEST Id: 0 attribute INTERNAL_IP4_SUBNET = none attribute SUPPORTED_ATTRIBUTES = none attribute INTERNAL_IP6_SUBNET = none [ttl 0] (id 1, len 104) What does this mean? This response from the PIX doesn't make any sense to me. Is it asking for internal subnet info? Is it trying to provide it? Why would it be putting this in as an attribute? A guess would be the PIX regards the OpenBSD machine as (some kind of a Cisco-specific?) client and wants to know what configuration data it can accept.
Typically that 'what are your SUPPORTED_ATTRIBUTES' part. 14:21:47.599642 OpenBSD.500 Cisco_PIX.500: [udp sum ok] isakmp v1.0 exchange TRANSACTION cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 49023a8f len: 123 payload: HASH len: 20 payload: ATTRIBUTE len: 75 type: CFG_REPLY Id: 0 attribute INTERNAL_IP6_SUBNET = ::/0 attribute SUPPORTED_ATTRIBUTES = 15 attributes RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED RESERVED attribute INTERNAL_IP4_SUBNET = 0.0.0.0/0.0.0.0 [ttl 0] (id 1, len 151) OpenBSD responds -- I don't get this either. No, and it shouldn't send this response. It's a bug. isakmpd does not support the client-side of mode-config, only the server side. The skeleton for the client-side code is there, but it was never implemented fully. (There's a lot of things that need to work together here, such as having the privilege separated isakmpd process being able to add/change IP and netmask of an interface etc. The need for client-side support has not been requested much, so we've not done anything more here yet.) Sure enough, Haakan; this turned out to be the problem. We reconfigured the PIX not to use mode configuration for this connection and the SA came up. This means that Hans-Jörg can spare himself the work of trying to sort it out :) Now, the next problem -- traffic isn't passing... but that's for another post :) -Stephen-
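The failure pattern diagnosed in this thread (quick mode left unanswered while the peer opens a mode-config TRANSACTION exchange), as an added example that is not part of the original posts: a Python pass over tcpdump isakmp lines that groups packets by msgid and reports that pattern. The sample lines are constructed from the capture quoted above, trimmed to one line per packet, and the local host name `OpenBSD` is the placeholder used in the thread.

```python
import re
from collections import OrderedDict

# Constructed sample: the five packets quoted in the thread, one per line and
# trimmed to the fields used here. The ">" between endpoints is tcpdump's
# direction marker (assumed lost in the archived copy); the parser accepts
# lines with or without it.
SAMPLE_CAPTURE = """\
14:21:47.235581 OpenBSD.500 > Cisco_PIX.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: bf4ecb71857072fa->d24bb58614615ab5 msgid: 56fe089d len: 284
14:21:47.598650 Cisco_PIX.500 > OpenBSD.500: [udp sum ok] isakmp v1.0 exchange TRANSACTION cookie: bf4ecb71857072fa->d24bb58614615ab5 msgid: 49023a8f len: 76 payload: ATTRIBUTE len: 20 type: CFG_REQUEST Id: 0
14:21:47.599642 OpenBSD.500 > Cisco_PIX.500: [udp sum ok] isakmp v1.0 exchange TRANSACTION cookie: bf4ecb71857072fa->d24bb58614615ab5 msgid: 49023a8f len: 123 payload: ATTRIBUTE len: 75 type: CFG_REPLY Id: 0
14:21:47.874961 Cisco_PIX.500 > OpenBSD.500: [udp sum ok] isakmp v1.0 exchange TRANSACTION cookie: bf4ecb71857072fa->d24bb58614615ab5 msgid: 49023a8f len: 68 payload: ATTRIBUTE len: 12 type: CFG_SET Id: 0
14:21:47.876987 OpenBSD.500 > Cisco_PIX.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: bf4ecb71857072fa->d24bb58614615ab5 msgid: 80603edb len: 60 payload: NOTIFICATION len: 12 notification: PAYLOAD MALFORMED [ttl 0]
"""

PACKET_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.\d+ (?:> )?(?P<dst>\S+)\.\d+: "
    r".*?exchange (?P<exch>\w+) .*?msgid: (?P<msgid>[0-9a-f]+)"
)
CFG_RE = re.compile(r"type: (CFG_\w+)")
NOTIFY_RE = re.compile(r"notification: ([A-Z][A-Z ]*[A-Z])")


def parse(capture):
    """Turn tcpdump isakmp lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in capture.splitlines():
        m = PACKET_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        cfg = CFG_RE.search(line)
        note = NOTIFY_RE.search(line)
        pkt["cfg"] = cfg.group(1) if cfg else None
        pkt["notify"] = note.group(1) if note else None
        packets.append(pkt)
    return packets


def analyse(packets, local):
    """Group packets per msgid and classify each exchange from local's view."""
    exchanges = OrderedDict()
    for pkt in packets:
        exchanges.setdefault(pkt["msgid"], []).append(pkt)
    report = {"unanswered_quick_mode": [], "peer_mode_config": [], "local_errors": []}
    for msgid, pkts in exchanges.items():
        first = pkts[0]
        if first["exch"] == "QUICK_MODE" and first["src"] == local:
            # Phase 2 we started: healthy only if the peer replied on this msgid.
            if all(p["src"] == local for p in pkts):
                report["unanswered_quick_mode"].append(msgid)
        elif first["exch"] == "TRANSACTION" and first["src"] != local:
            # Peer-initiated mode-config: record who sent which CFG_* message.
            steps = [("local" if p["src"] == local else "peer", p["cfg"]) for p in pkts]
            report["peer_mode_config"].append((msgid, steps))
        elif first["exch"] == "INFO" and first["src"] == local and first["notify"]:
            report["local_errors"].append(first["notify"])
    return report


def diagnose(report):
    """Translate the report into the findings discussed in the thread."""
    findings = []
    if report["unanswered_quick_mode"] and report["peer_mode_config"]:
        findings.append("peer opened mode-config instead of answering quick mode; "
                        "disable mode-config for this peer on the remote gateway")
    for msgid, steps in report["peer_mode_config"]:
        if ("local", "CFG_REPLY") in steps:
            findings.append(f"local side answered CFG_REQUEST in {msgid} although "
                            "client-side mode-config is not supported")
    for note in report["local_errors"]:
        findings.append(f"local side sent notification: {note}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(analyse(parse(SAMPLE_CAPTURE), "OpenBSD")):
        print(finding)
```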
Re: News From HiFn
J.C. Roberts wrote: This should take care of any of the long standing issues OpenBSD has had with the HiFn's procedures for releasing documentation. This is good news. Thanks for your contribution! To all the nay-sayers out there: this proves that sometimes companies do 'get' their customers' wishes. Consumer action does work - as long as the consumer actually gets involved. While you might not always be able to get the attention of companies through consumer action, apathetically accepting the status quo guarantees that you never will. Thanks to everyone who got involved - you proved that somewhat open is no more acceptable than not at all open by bringing Hifn on board. Breeno PS - Someone who participates in editing vendorwatch.org might want to update the Hifn status page.
routing through IPsec tunnel with NAT: add routes?
Hi, everybody: Okay -- the good news is that we've got the SA up between these two sites, the bad news is that traffic isn't passing. The situation is complicated by some NAT that I need through the encryption interface. We have the following: HostA_private_IP HostA_private_NAT_IP RemoteB_private_subnets In the NAT section of my pf.conf, I have the following command: binat on $enc_if from $HostA_private_IP to RemoteB_private_subnets - $HostA_private_NAT_IP In the FILTER section, I have: pass in on $enc_if from RemoteB_private_subnets to \ HostA_private_NAT_IP pass out on $enc_if from $HostA_private_NAT_IP to \ RemoteB_private_subnets Do I need to add routes to make this work? I thought that setting up SAs in isakmpd did this automatically, but when I traceroute from HostA_private_IP, it looks like the traffic is going out the public interface. Or is the problem with my NAT statement? -Stephen-
Re: routing through IPsec tunnel with NAT: add routes?
Stephen Bosch wrote: Hi, everybody: Okay -- the good news is that we've got the SA up between these two sites, the bad news is that traffic isn't passing. The situation is complicated by some NAT that I need through the encryption interface. We have the following: HostA_private_IP HostA_private_NAT_IP RemoteB_private_subnets In the NAT section of my pf.conf, I have the following command: binat on $enc_if from $HostA_private_IP to RemoteB_private_subnets - $HostA_private_NAT_IP In the FILTER section, I have: pass in on $enc_if from RemoteB_private_subnets to \ HostA_private_NAT_IP pass out on $enc_if from $HostA_private_NAT_IP to \ RemoteB_private_subnets Do I need to add routes to make this work? I thought that setting up SAs in isakmpd did this automatically, but when I traceroute from HostA_private_IP, it looks like the traffic is going out the public interface. Maybe I do need that alias that Roy was suggesting. Apart from that binat line in pf.conf, that network is not configured on any interface on the device. I wouldn't even be able to build a route, because I have no interface to send it to. Where should I configure the alias? -s
Re: routing through IPsec tunnel with NAT: add routes?
Stephen Bosch wrote: Hi, everybody: Okay -- the good news is that we've got the SA up between these two sites, the bad news is that traffic isn't passing. The situation is complicated by some NAT that I need through the encryption interface. We have the following: HostA_private_IP HostA_private_NAT_IP RemoteB_private_subnets In the NAT section of my pf.conf, I have the following command: binat on $enc_if from $HostA_private_IP to RemoteB_private_subnets - $HostA_private_NAT_IP Try binat pass ... In the FILTER section, I have: pass in on $enc_if from RemoteB_private_subnets to \ HostA_private_NAT_IP pass out on $enc_if from $HostA_private_NAT_IP to \ RemoteB_private_subnets Remove the pass out ... rule. Do I need to add routes to make this work? I thought that setting up SAs in isakmpd did this automatically, but when I traceroute from HostA_private_IP, it looks like the traffic is going out the public interface. Or is the problem with my NAT statement? -Stephen- Just a trial and error suggestion. -pachl
Re: routing through IPsec tunnel with NAT: add routes?
Clint Pachl wrote: Stephen Bosch wrote: In the NAT section of my pf.conf, I have the following command: binat on $enc_if from $HostA_private_IP to RemoteB_private_subnets - $HostA_private_NAT_IP Try binat pass ... Done. In the FILTER section, I have: pass in on $enc_if from RemoteB_private_subnets to \ HostA_private_NAT_IP pass out on $enc_if from $HostA_private_NAT_IP to \ RemoteB_private_subnets Remove the pass out ... rule. Done. Do I need to add routes to make this work? I thought that setting up SAs in isakmpd did this automatically, but when I traceroute from HostA_private_IP, it looks like the traffic is going out the public interface. Or is the problem with my NAT statement? -Stephen- Just a trial and error suggestion. Thanks. No joy yet. Traceroute traffic is still going out the public interface when I try to ping a host on RemoteB_private_subnets... -S
Re: routing through IPsec tunnel with NAT: add routes?
On 2006/06/30 10:51, Stephen Bosch wrote: Thanks. No joy yet. Traceroute traffic is still going out the public interface when I try to ping a host on RemoteB_private_subnets... If this traceroute is from the vpn gateway itself (rather than an endpoint) you'll need to either set the source address to an address in the vpn subnet (traceroute -s, ping -I), or add a static route pointing over the vpn.
Re: News From HiFn
On Thu, Jun 29, 2006 at 03:45:55PM -0700, J.C. Roberts wrote: I just got a call this afternoon from Tom Moore to let me know they've set up an anon FTP site (no registration) with their documentation: hi5. nicely done. Please check out the readme on the FTP. Basically it says if you wish to automatically get the HiFn updates/errata/notifications, you should probably sign up for the HiFn extranet thing. You don't have to but you can if you want. i am hoping this works out to be really exactly what was desired. in reading the software-api-tkip-applicationnote.pdf, it has a clause that says: === Hifn Confidential If you have signed a Hifn Confidential Disclosure Agreement that includes this document as part of its subject matter, please use this document in accordance with the terms of the agreement. If not, please destroy this document. === would it seem that this may just be the pdf contents being still out of synch with the spirit of open/anonymous documentation availability, or... maybe i should destroy it for now... ? -- jared [ openbsd 3.9-current GENERIC ( may 1 ) // i386 ]
Re: routing through IPsec tunnel with NAT: add routes?
Stuart Henderson wrote: On 2006/06/30 10:51, Stephen Bosch wrote: Thanks. No joy yet. Traceroute traffic is still going out the public interface when I try to ping a host on RemoteB_private_subnets... If this traceroute is from the vpn gateway itself (rather than an endpoint) you'll need to either set the source address to an address in the vpn subnet (traceroute -s, ping -I), or add a static route pointing over the vpn. Thanks. I should note also that this is a redundant configuration using carp. You can see this is getting pretty ugly. Assuming int_IPA: the real private IP of a host on my network nat_IPA: the IP I am translating int_IPA to before sending it to the remote endpoint remote_IPB: table of real private IP subnets on the remote network enc_if: the encryption interface 1. I have added nat_IPA as an alias to the internal carp interface on my gateway. 2. I have the following pertinent lines in my /etc/pf.conf: binat on $enc_if from $int_IPA to remote_IPB - $nat_IPA and later pass in on $enc_if from remote_IPB to $nat_IPA pass out on $enc_if from $nat_IPA to remote_IPB When I am on the gateway and I do: ping -i $nat_IPA to $remote_host_IPB I get replies. This is good. When I ping from the endpoint to $remote_host_IPB, I get nothing. So either there is something wrong with my filtering and natting, or I am not routing properly. Suggestions? -S
A little script to remove packages don't needed
I don't know how to explain it well (:P), the script finds which packages are not needed by others, so you can delete those you don't use. It's my first shell script, so feedback is appreciated, :) This is in public domain, blah blah blah blah.

#!/bin/ksh
# Walk the installed packages and offer to delete each one that
# no other package depends on.
function check_for_packages {
	for package in $(pkg_info | cut -f 1 -d ' '); do
		echo "Checking if any package depends on $package"
		# pkg_info -R prints a "Required by:" section when dependents exist
		if ! pkg_info -R "$package" | fgrep -q 'Required by:'; then
			tput up dl 0
			echo "No package depends on $package, would you like to delete it? YES/n"
			while :; do
				read answer
				tput up dl 0
				case $answer in
				YES )
					sudo pkg_delete "$package"
					break ;;
				n )
					break ;;
				* )
					echo 'YES/n' ;;
				esac
			done
		else
			tput up dl 0
		fi
	done
}
check_for_packages
Re: News From HiFn
On 6/30/06, Breen Ouellette [EMAIL PROTECTED] wrote: J.C. Roberts wrote: This should take care of any of the long standing issues OpenBSD has had with the HiFn's procedures for releasing documentation. This is good news. Thanks for your contribution! To all the nay-sayers out there: this proves that sometimes companies do 'get' their customers' wishes. Consumer action does work - as long as the consumer actually gets involved. While you might not always be able to get the attention of companies through consumer action, apathetically accepting the status quo guarantees that you never will. Thanks to everyone who got involved - you proved that somewhat open is no more acceptable than not at all open by bringing Hifn on board. Breeno PS - Someone who participates in editing vendorwatch.org might want to update the Hifn status page. Done, but I've left their ranking as unfriendly on the front page because they've given no apology and they still seem to be shady. If someone could add the links to the slashdot/newsforge/whereverelse stories that would be helpful though. -Nick
Ye Olde Binary Patching Question
I've got a handful of OpenBSD boxes, and instead of keeping src on all of them, I'd like one box to follow stable and build patched programs which I could then distribute to my other boxes. I poked around the archives of this list, and it looks like this is a recurring question. Has there been anything like a consensus on what's the best way to do this? I've tried make release, and it's OK, but it's a sledgehammer for killing a gnat. If sendmail has a bug, I'd like to be able to distribute just the patched sendmail. I'm also nervous about a system with that many dependencies as my response to a known security hole. If there's a hole in a program, I want something simple to help me distribute the fix. I also tried playing with setting DESTDIR, but that didn't work very well. After a lot of messing around, I got a useable tar file, but it sure wasn't elegant. (http://seattlecentral.edu/~dmartin/docs/binpatch.html for my notes on that experience). My next idea is to try building the patched program, touching some file, and then run find / -newer somefile | xargs tar -xvzf woot.tar. If there is a better or best way to do this, let me know! Thanks! -Dylan
Re: Ye Olde Binary Patching Question
From: [EMAIL PROTECTED] I also tried playing with setting DESTDIR, but that didn't work very well. After a lot of messing around, I got a useable tar file, but it sure wasn't elegant. (http://seattlecentral.edu/~dmartin/docs/binpatch.html for my notes on that experience). My next idea is to try building the patched program, touching some file, and then run find / -newer somefile | xargs tar -xvzf woot.tar. If there is a better or best way to do this, let me know! You could NFS export out the build directory from your build server and mount it on the clients that want to update. Then a 'make build' on them would grab the newest stuff, and you could be selective about portions of the tree and so forth. DS
Re: Ye Olde Binary Patching Question
On Fri, 30 Jun 2006, Dylan Martin wrote: If there is a better or best way to do this, let me know!

You could try something like :

#!/bin/sh
DESTDIR=/tmp/sendmail
# Create the standard directory hierarchy inside the fake root
mtree -qdef /etc/mtree/4.4BSD.dist -p ${DESTDIR}/ -u
# Anything installed after this point is newer than the timestamp file
touch ${DESTDIR}/timestamp
cd /path_to_sendmail_src
env DESTDIR=${DESTDIR} make -f Makefile.bsd-wrapper install
cd ${DESTDIR}
# List the freshly installed files (not the list itself) and archive them
find . \! -name plist -newer timestamp -type f > plist
cat plist | xargs tar czpf ${DESTDIR}/patch.tgz

-- Antoine
Re: A little script to remove packages don't needed
It's going to get deleted if you choose that. It's not a fully automated script. Thanks for the feedback :) On 6/30/06, Wade, Daniel [EMAIL PROTECTED] wrote: That all good and well, but what happens when my package that I use has zero depends? It's going to get deleted.
Re: Ye Olde Binary Patching Question
Dylan Martin wrote on Fri, Jun 30, 2006 at 11:38:45AM -0700: I've got a handful of OpenBSD boxes, and instead of keeping src on all of them, I'd like one box to follow stable and build patched programs which I could then distribute to my other boxes. Two ways are officially supported: - building on each machine - making release A consensus on unsupported alternatives would be an oxymoron. OpenBSD binpatch by Gerardo Santana Gomez Garrido http://openbsdbinpatch.sourceforge.net/ may or may not help you. Make sure you understand the Makefile(s) before using it. I do use it at times, and it works for me. Be aware that you probably won't get support from the list. My next idea is to try building the patched program, touching some file, and then run find / -newer somefile | xargs tar -xvzf woot.tar. That's the basic idea implemented in the above program, except that it's done inside a dedicated fake root, not in /. You neither want /var/log/messages nor woot.tar itself inside woot.tar.
Fw: NFSd problem - solved!
Don't respond to this mail. Problem got solved, a powercut and a toasted exports file. On Thu, 29 Jun 2006 22:44:51 +0200 Rico Secada [EMAIL PROTECTED] wrote: Hi I am having problems with one of our NFS servers at our datacenter. I have just set it up. I have edited /etc/rc.conf and changed the portmap and nfs_server to YES. I have created the /var/db/mountdtab file. I have made an entry to /etc/exports When I reboot the machine and take a look with rpcinfo, I only get portmapper running. # rpcinfo -p program vers proto port 102 tcp111 portmapper 102 udp111 portmapper If I try manually to start nfsd, it won't start. Looking at the log of daemon I get: # cat /var/log/daemon Jun 30 00:27:11 nfsserver savecore: no core dump What could be wrong here? Best and kind regards, Rico
usb ralink RT2571 problem
i tried 2 usb ralink RT2571F usb with openbsd 3.9 and -current. ural0 at uhub0 port 1 ural0: ASUS 802.11g WLAN Drive, rev 2.00/0.01, addr 2 ural0: MAC/BBP RT2570 (rev 0x05), RF RT2526, address 00:17:31:2e:ae:34 problem: this ifconfig works ifconfig ural0 192.168.2.2 netmask 255.255.255.0 nwid raltest mediaopt ibss but the throughput is very slow (90KB/s). if i use the options media ODFM54 or mode 11g the card becomes active, but i see only arp requests ... i saw that the firmware for this chip is not used. why ? when i use hostap mode with media or mode then i got on the client the mac from the hostap pc but only the same thing with no connection :-( i tried also the RT2561 miniPCI, that works great. has anyone an idea ? thanks Thomas
Re: Ye Olde Binary Patching Question
Spruell, Darren-Perot wrote: You could NFS export out the build directory from your build server and mount it on the clients that want to update. Then a 'make build' on them would grab the newest stuff, and you could be selective about portions of the tree and so forth. Good solution, but make sure the clocks run in sync. # Han
Re: News From HiFn
Nick Guenther [EMAIL PROTECTED] wrote: Done, but I've left their ranking as unfriendly on the front page because they've given no apology and they still seem to be shady. No worries, I just got word that they'll send a prostitute over to your house to fix that right up.
Re: Encryption and Compression with ipsecctl?
On Tuesday 20 June 2006 21:00, Clint Pachl wrote:

> Is IP compression/ipcomp flows implemented in ipsecctl(8)? I am trying to perform encryption (enc) and compression (ipcomp) between two OBSD3.9 hosts.

IPcomp is known broken for at least two years, perhaps longer. Do not use it.

> ipcomp(4) states, Currently, IPCA can be created using the ipsecadm(8) tool, with no mention of ipsecctl. Here is my simple setup:
>
> sysctl net.inet.ipcomp.enable=1
>
> # ipsec.conf
> flow esp from 192.168.2.2 to 192.168.2.1
> ipcomp from 192.168.2.2 to 192.168.2.1 spi 0x1000:0x1001 comp deflate
> esp from 192.168.2.2 to 192.168.2.1 spi 0x1000:0x1001 \
>     authkey 0x:0x \
>     enckey 0x:0x
>
> The IP addresses and spi values are swapped on the other host's ipsec.conf. I also tried using different spi values for ipcomp and esp. I performed many ftp and scp transfers, checking for ipcomp packets using tcpdump and netstat, but no ipcomp traffic. Encryption between the hosts is working properly.
>
> -pachl

--
Todd Fries
Free Daemon Consulting, LLC
http://FreeDaemonConsulting.com
http://todd.fries.net/pgp.txt
Re: News From HiFn
On Fri, 30 Jun 2006 14:27:53 -0400, Nick Guenther [EMAIL PROTECTED] wrote: On 6/30/06, Breen Ouellette [EMAIL PROTECTED] wrote: J.C. Roberts wrote: This should take care of any of the long standing issues OpenBSD has had with the HiFn's procedures for releasing documentation. This is good news. Thanks for your contribution! To all the nay-sayers out there: this proves that sometimes companies do 'get' their customers' wishes. Consumer action does work - as long as the consumer actually gets involved. While you might not always be able to get the attention of companies through consumer action, apathetically accepting the status quo guarantees that you never will. Thanks to everyone who got involved - you proved that somewhat open is no more acceptable than not at all open by bringing Hifn on board. Breeno PS - Someone who participates in editing vendorwatch.org might want to update the Hifn status page. Done, but I've left their ranking as unfriendly on the front page because they've given no apology and they still seem to be shady. If someone could add the links to the slashdot/newsforge/whereverelse stories that would be helpful though. -Nick Hi Nick, Sure, with the help of many people, we were able to get a policy change made to open documentation at HiFn. It was not a solo effort, so I should not get all the credit. I just happened to be the person the vendor contacted regarding their changes. I'd like to request that you change the HiFn status to at least Somewhat Friendly on the www.vendorwatch.org site. Yes, I have created an account on the site and may be able to make the change myself, but due to my involvement, I can't be considered unbiased and should not editing the status. I've also submitted stories about the change of policy at HiFn to both slashdot and undeadly, but obviously, I have no control over whether or not they ever get published. 
I'm sure many may wonder why I would try to help out HiFn but personally, I think it's just a matter of being fair. Just as a bad policy should be condemned, I think a change to a good policy should be celebrated. You may want to note that opinions differ around here and not everyone involved with the project agrees with the way I see it but personally, I'd rather let water under the bridge be past and move on to trying to solve the next problem. Kind Regards, JCR -- Free, Open Source CAD, CAM and EDA Tools http://www.DesignTools.org
Re: News From HiFn
On Fri, Jun 30, 2006 at 02:27:53PM -0400, Nick Guenther wrote: On 6/30/06, Breen Ouellette [EMAIL PROTECTED] wrote: PS - Someone who participates in editing vendorwatch.org might want to update the Hifn status page. Done, but I've left their ranking as unfriendly on the front page because they've given no apology and they still seem to be shady. If someone could add the links to the slashdot/newsforge/whereverelse stories that would be helpful though. It seems to me that if people are going to make a huge fuss about a company's documentation not being open enough or not available or what have you, and then following the fuss, they make their documentation available, they should at a minimum be considered somewhat friendly. Wasn't the whole point of all the back-and-forth about the documentation? Now that we can get the docs, who cares if they don't apologize? Do businesses now have to be careful not to hurt our feelings in order to be considered friendly? Do we want apologies and proof of non-shadiness, or do we want documentation to be made available? This is also not to mention that being pig-headed about the matter is a great way to prevent other companies from complying with requests for documentation - if a business thinks we're going to demand it kiss our collective ass before we give it credit for cooperating, they're simply not going to cooperate. P.S. - I just read J.C.'s reply along these lines, and this is intended to be in the same vein. bc -- Benjamin Collins [EMAIL PROTECTED]
Re: News From HiFn
J.C. Roberts wrote: On Fri, 30 Jun 2006 14:27:53 -0400, Nick Guenther [EMAIL PROTECTED] wrote: On 6/30/06, Breen Ouellette [EMAIL PROTECTED] wrote: J.C. Roberts wrote: This should take care of any of the long standing issues OpenBSD has had with the HiFn's procedures for releasing documentation. This is good news. Thanks for your contribution! To all the nay-sayers out there: this proves that sometimes companies do 'get' their customers' wishes. Consumer action does work - as long as the consumer actually gets involved. While you might not always be able to get the attention of companies through consumer action, apathetically accepting the status quo guarantees that you never will. Thanks to everyone who got involved - you proved that somewhat open is no more acceptable than not at all open by bringing Hifn on board. Breeno PS - Someone who participates in editing vendorwatch.org might want to update the Hifn status page. Done, but I've left their ranking as unfriendly on the front page because they've given no apology and they still seem to be shady. If someone could add the links to the slashdot/newsforge/whereverelse stories that would be helpful though. -Nick Hi Nick, Sure, with the help of many people, we were able to get a policy change made to open documentation at HiFn. It was not a solo effort, so I should not get all the credit. I just happened to be the person the vendor contacted regarding their changes. But you sure deserve good credit regardless how it was done. You finally make it possible. Many have express their point of view, I sure did too. To see the end results is a nice turn of event and does show that in the end, may be it took a long time, but HiFn finally got the point and does see the benefit for them as well as us. I'd like to request that you change the HiFn status to at least Somewhat Friendly on the www.vendorwatch.org site. 
Yes, I have created an account on the site and may be able to make the change myself, but due to my involvement, I can't be considered unbiased and should not editing the status. I've also submitted stories about the change of policy at HiFn to both slashdot and undeadly, but obviously, I have no control over whether or not they ever get published. I'm sure many may wonder why I would try to help out HiFn but personally, I think it's just a matter of being fair. Just as a bad policy should be condemned, I think a change to a good policy should be celebrated. Agreed as well. It's just fair to see them presented as it is. Somewhat Friendly is really where they are now, so would be fair to do that. You may want to note that opinions differ around here and not everyone involved with the project agrees with the way I see it but personally, I'd rather let water under the bridge be past and move on to trying to solve the next problem. I am sure there is many, but we all share the same goal I think. Getting good documentations is the end goal, however we get there. Kind Regards, JCR Thanks for your positive involvements! Daniel.
interrupt mapping
On a Toshiba Satellite a35-s1593, without a PC-card currently plugged in, I get a mapping error for the CardBus (cbb). I intend to purchase a wireless PC-Card (I haven't decided on model yet), and wish to ensure it will work with the cardbus before doing so. OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Celeron(R) CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID real mem = 770154496 (752104K) avail mem = 695263232 (678968K) using 4278 buffers containing 38608896 bytes (37704K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(ca) BIOS, date 10/31/03, BIOS32 rev. 0 @ 0xfd750 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 30102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xfd750/0x8b0 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries) pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00) pcibios0: PCI bus #2 is the last bus bios0: ROM list: 0xc/0xce00 0xcd000/0x1000 0xdf000/0x1000! 0xe/0x4000! 
cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel 82852GM Hub-PCI rev 0x02 Intel 82852GM Memory rev 0x02 at pci0 dev 0 function 1 not configured Intel 82852GM Configuration rev 0x02 at pci0 dev 0 function 3 not configured vga1 at pci0 dev 2 function 0 Intel 82852GM AGP rev 0x02: aperture at 0xe800, size 0x800 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) Intel 82852GM AGP rev 0x02 at pci0 dev 2 function 1 not configured uhci0 at pci0 dev 29 function 0 Intel 82801DB USB rev 0x03: irq 10 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 29 function 1 Intel 82801DB USB rev 0x03: irq 9 usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered uhci2 at pci0 dev 29 function 2 Intel 82801DB USB rev 0x03: irq 9 usb2 at uhci2: USB revision 1.0 uhub2 at usb2 uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub2: 2 ports with 2 removable, self powered ehci0 at pci0 dev 29 function 7 Intel 82801DB USB rev 0x03: irq 9 usb3 at ehci0: USB revision 2.0 uhub3 at usb3 uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1 uhub3: 6 ports with 6 removable, self powered ppb0 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x83 pci1 at ppb0 bus 1 rl0 at pci1 dev 1 function 0 Realtek 8139 rev 0x10: irq 9, address 00:02:3f:ce:8c:30 rlphy0 at rl0 phy 0: RTL internal PHY cbb0 at pci1 dev 4 function 0 ENE CB-1410 CardBus rev 0x01pci_intr_map: no mapping for pin A : couldn't map interrupt ichpcib0 at pci0 dev 31 function 0 Intel 82801DBM LPC rev 0x03: SpeedStep pciide0 at pci0 dev 31 function 1 Intel 82801DBM IDE rev 0x03: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: IC25N040ATMR04-0 wd0: 16-sector PIO, 
LBA48, 38154MB, 78140160 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: TOSHIBA, DVD-ROM SD-R2412, 1015 SCSI0 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 ichiic0 at pci0 dev 31 function 3 Intel 82801DB SMBus rev 0x03: irq 10 iic0 at ichiic0 unknown at iic0 addr 0x18 not configured auich0 at pci0 dev 31 function 5 Intel 82801DB AC97 rev 0x03: irq 10, ICH4 AC97 ac97: codec id 0x414c4740 (Avance Logic ALC202) ac97: codec features headphone, 20 bit DAC, 18 bit ADC, Realtek 3D audio0 at auich0 Intel 82801DB Modem rev 0x03 at pci0 dev 31 function 6 not configured isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pms0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pms0 mux 0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: PC speaker spkr0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 npx0 at isa0 port 0xf0/16: using exception 16 pcic0 at isa0 port 0x3e0/2 iomem 0xd/16384 pcic0 controller 0: Intel 82365SL rev 2 has socket A only pcmcia0 at pcic0 controller 0 socket 0 pcic0: irq 3, polling enabled biomask ef75 netmask ef75 ttymask pctr: user-level cycle counter enabled dkcsum: wd0 matches BIOS drive 0x80 root on wd0a rootdev=0x0 rrootdev=0x300 rawdev=0x302 -- D. E. Evans [EMAIL PROTECTED]
Re: interrupt mapping
D. E. Evans wrote: On a Toshiba Satellite a35-s1593, without a PC-card currently plugged in, I get a mapping error for the CardBus (cbb). I intend to purchase a wireless PC-Card (I haven't decided on model yet), and wish to ensure it will work with the cardbus before doing so. Try changing the BIOS for the CardBus slot to Controlled by OS or other option.
Re: News From HiFn
Daniel Ouellet wrote: [snipp'ed] Agreed as well. It's just fair to see them presented as it is. Somewhat Friendly is really where they are now, so would be fair to do that. Changed. Reference the hifn article as to why (which was updated by the time I got there) their status was upgraded. Kenny
Re: News From HiFn
It seems to me that if people are going to make a huge fuss about a company's documentation not being open enough or not available or what have you, and then following the fuss, they make their documentation available, they should at a minimum be considered somewhat friendly. I think you are right. If someone commits a crime, and then promises to never do it again, we should forgive them. I will ask this honestly: Why should we bleed our little hearts over a company who acted like assholes towards us for years, and only changed their policy due to public pressure? To make ourselves feel better? I think it is pointless. They still did not apologize.
Re: News From HiFn
On Fri, Jun 30, 2006 at 07:11:50PM -0600, Theo de Raadt wrote: I think you are right. If someone commits a crime, and then promises to never do it again, we should forgive them. I will ask this honestly: Why should we bleed our little hearts over a company who acted like assholes towards us for years, and only changed their policy due to public pressure? To make ourselves feel better? I think it is pointless. They still did not apologize. Ok, so there's no need to fawn over them for doing what they should have done before. I'd be nice to have an apology AND the docs. Given the choice of one or the other, it's better to have the docs. And who knows, maybe there will be real policy shift for now and the future with Hifn. I'm not holding my breath, but stranger things have happened. -- Darrin Chandler| Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
Re: News From HiFn
Ok, so there's no need to fawn over them for doing what they should have done before. I'd be nice to have an apology AND the docs. Given the choice of one or the other, it's better to have the docs. And who knows, maybe there will be real policy shift for now and the future with Hifn. I'm not holding my breath, but stranger things have happened. So they gave us docs. Now we need to say they are nice? No way. They have received money from hundreds of you. You are customers. They are a company. Now if you (like them) cannot figure out what that means, that they have a RESPONSIBILITY to their customers, and that they only responded once their CUSTOMERS complained, then I mean, come on -- please don't give us advice on rolling over and playing lame. 95% of the planet does nothing to complain when there is a serious problem with a company, and then when 5% of the people complain enough to force them fix it, you wish to congratulate the ... company? How American.
Re: News From HiFn
Theo de Raadt wrote: I will ask this honestly: Why should we bleed our little hearts over a company who acted like assholes towards us for years, and only changed their policy due to public pressure? To make ourselves feel better? I think it is pointless. They still did not apologize. I agree with Theo, and yet I agree with others who subscribe to the 'reward for good behaviour' line of thinking. I think the issue is one of perspective, and the scale for rating companies over at vendorwatch.org is too simple. Obviously for the developers it is frustrating that they have to push and push and push for years with no results, only to blow up and cause a community outcry which finally gets the vendor to open up. In the meantime, Theo has been painted (again) as abrasive, whiny, thick-headed, and who knows what else by the larger Open Source community, thanks in large part to outlets like Slashdot which present a snapshot which completely fails to report the scope of this ongoing problem. And now that the docs are open again, there will be pressure on the OpenBSD team to fix the errors in the Hifn code - for a product which has been a source of frustration for quite a while. When one thinks about it one should be able to sympathize with the developers a little more than the companies which jerk them around. For the users who jumped on the bandwagon less than four weeks ago it seems like a great victory. For the developers it's not so easy to set aside the hassle they've gone through and pound on that code. A primary motivation for the developers is, after all, to have fun working on code. And still, if companies that do respond favourably after a public outcry continue to get badmouthed after the fact, there won't be much incentive for companies to open up in the future. We do need a way to recognize that something positive came about after putting up with a lengthy negative period. What does 'Somewhat Friendly' mean, anyway? 
To turn the tables, if OpenBSD was rated on the same system, would it be 'Friendly', 'Somewhat Friendly', or 'Unfriendly'? And what relevance would that have? The developers may not be a bunch of hand holding saps, and could be rated as 'Hostile' on occasion, but that doesn't change the fact that OpenBSD is a kick ass system governed by some very strong goals and philosophies. I think we need a more objective rating system. Here's a five point system which is more useful: 'Supplies Hardware', 'Donates Money', 'Supplies Docs Freely', 'Works Well With Developers', and 'Listens To Customers'. This is not necessarily the rating system we should use, but it seems to me to be a step in the right direction. A major issue is ensuring that this process works with developers which working against them. Theo et al are busy working on OpenBSD and they don't likely want to spend all their time complaining about vendors on vendorwatch.org. However, their participation is necessary to ensure that vendorwatch.org meets its mandate. Hopefully the process can be improved. We turned around Hifn in under four weeks (I expected it to take at least four months!) with a heated mailing list discussion and some poorly organized free press. Think of what we could do if we had a smoothly working process which put everyone on the same page! Breeno
Re: News From HiFn
Theo de Raadt wrote: So they gave us docs. Now we need to say they are nice? No way. They have received money from hundreds of you. You are customers. They are a company. Now if you (like them) cannot figure out what that means, that they have a RESPONSIBILITY to their customers, and that they only responded once their CUSTOMERS complained, then I mean, come on -- please don't give us advice on rolling over and playing lame. 95% of the planet does nothing to complain when there is a serious problem with a company, and then when 5% of the people complain enough to force them fix it, you wish to congratulate the ... company? Theo, do you consider this a gain or a loss? Or is it merely regaining lost ground? As a developer your point of view is different than many of the ordinary users on this list. In what direction do you think this should go? What balance do you think should be struck between holding companies accountable for their past transgressions and rewarding them for moving in the direction we want them to go? And finally, do you really care about getting an apology from Hifn? It seems rather meaningless considering that a legal entity can't feel regret. What do you really want? Looking forward to your thoughts. Breeno
Re: News From HiFn
On Fri, Jun 30, 2006 at 08:09:50PM -0600, Theo de Raadt wrote: Ok, so there's no need to fawn over them for doing what they should have done before. I'd be nice to have an apology AND the docs. Given the choice of one or the other, it's better to have the docs. And who knows, maybe there will be real policy shift for now and the future with Hifn. I'm not holding my breath, but stranger things have happened. So they gave us docs. Now we need to say they are nice? Is this meant for me? I didn't say to be nice to them. I sent some kudos (privately) to JCR, but I haven't praised Hifn. No way. They have received money from hundreds of you. You are customers. They are a company. Now if you (like them) cannot figure out what that means, that they have a RESPONSIBILITY to their customers, and that they only responded once their CUSTOMERS complained, then I mean, come on -- please don't give us advice on rolling over and playing lame. 95% of the planet does nothing to complain when there is a serious problem with a company, and then when 5% of the people complain enough to force them fix it, you wish to congratulate the ... company? How American. Congratulate? Surely you didn't mean me, did you? I think adopting a wait and see attitude is the right thing here. Whether a real attitude adjustment has taken place will (or won't) be borne out by actions. Apologies without corresponding actions are meaningless. -- Darrin Chandler| Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
OT: large, wireframe Puffy stickers
While browsing through some pictures of one of the OpenBSD events (can't find the link again right this moment) there were a couple of attendees who had large wireframe Puffy stickers on the lid of their laptops. There was also a very large one on the top of a 1U chassis. These were larger, much larger, than what comes with an OpenBSD CD. Google could not tell me where to locate one so I am turning here to ask for a resource. Steve