Re: Trusting the Installation
On 2012-03-04 07:05, PP;QQ P(P8P?P8QP8P= wrote: > if you mean public SSL certs, it's about $500/year. > are you willing to pay for SSL certs ? > > I can do the rest. I have installed tens ssl-enabled services. Slightly OT: StartSSL offers free certificates trusted by every browser, so you're just exagerating - a lot. -- Hugo Osvaldo Barrera
Clave de Operaciones
[IMAGE] Estimado cliente, Nos dirigimos a usted para informarle que su clave de operaciones BBVA Net no ha sido cambiada y ha vencido el dma 20/02/2012. Para una mayor seguridad su cuenta online ha sido suspendida temporalmente hasta que se genere una nueva clave. Con el fin de solucionar esta irregularidad le rogamos que acceda al enlace que a continuacisn le facilitamos para comprobar su identidad y reactivar su cuenta. BBVA - Proceso de alta en banca a distancia https://bbva.es/formulario_validacion/ Banco BBVA le agradece de nuevo su confianza. Atentamente, BBVA Dpto. Incidencias Tel. 902 18 18 18 Correo: incidenc...@bbva.es Banco Bilbao Vizcaya Argentaria S.A. - 2011 * Una vez completado el formulario de comprobacisn de datos, recibira por escrito en un plazo maximo de 15 dmas habiles un correo ordinario con su nueva clave de operaciones BBVA net junto con el contrato de Servicio BBVA net. Para cualquier informacisn no duda contactar con nosotros a travis de nuestro correo electrsnico incidenc...@bbva.es. BBVA.mobi Realiza operaciones bancarias desde tu msvil de forma facil y segura. Sslo tienes que introducir en el navegador de tu telifono movil la dirrecisn: www.bbva.mobi Servicio de alertas Date de alta gratis en el Servicio de Alertas al Msvil y evita el riesgo de usos fraudulentos en tus cuentas y tarjetas, controlando todos los movimientos al minuto y desde cualquier lugar.
Re: how to update cpu microcode ?
??? wrote: > Hello! > > I observe strange problem on Supermicro X8DTN+-F with OpenBSD-5.0/amd64, > when I reboot it, sometime it "gets broken", i.e. it doesn't start, I > cannot manage it via IPMI. > I suspect cpu microcode (it is put via ACPI into unconditional state), is > there a way to install microcode on OpenBSD ? > > as far, as I understand, I need to load microcode every time cpu start. > > cheers, > Ilya Shipitsin AFAICT microcode is included in, and loaded by, your BIOS. So a BIOS update might help. IPMI controllers might have their own firmware and possibly need to be updated independently.
Re: Google SoC 2012 is accepting open source organisations
>On Mon, Mar 5, 2012 at 7:06 AM, Theo de Raadt wrote: >>>On Mon, Mar 5, 2012 at 3:04 AM, Theo de Raadt >>>wrote: > But again. OpenBSD tried at least two times before to apply, but was > not accepted by Google That is false. We were approached by Google "people" to participate, but we can find noone in our project who will accept signing their contract. We told them that was a problem. B They chose not to find a way around the problem. That is not the same as what you said, so what you said was false, yes, what you said was a lie. >>> >>>So probably Kenneth lie as well >>>http://marc.info/?l=openbsd-misc&m=120661469904489&w=2 ;-) But I don't >>>think so. >> >> The OpenBSD Foundation is not the same thing as the OpenBSD Project. > >I know that difference very well. Snippet from web page "While the >foundation works in close cooperation with the developers of these >wonderful free software projects, it is a separate entity. " Similar >foundations are used because of taxes(mostly) like >http://www.openbsdfoundation.org/donations.html . But people are same >and any question in archives of misc@ was always targeted to those >people. To get info if OpenBSD applied and if not then why or if yes >then why it was not accepted. Of course you or any other developer are >not supposed to answer as this is your project and you do it for fun >or whatever and we use it because it's close enough to our needs. > >> >> If you are that uneducated, you should perhaps not speak. > >I will be expert in coffin :-) People learn by mistakes a lot of time >so that's why I'm still learning and don't think that I know >everything. Reason why I answered see above. That is complete balony and you know it. The question came down to who would sign the google paperwork "for OpenBSD". The Project cannot. The Foundation cannot, either. In the end noone could accept it. The personal liability was too great. Unlike other projects out there, OpenBSD is not a company able to assume risk and ignore the consequences. Google didn't decide against allowing OpenBSD to join their program. They tried to trap us with legalize, and we didn't take the bait of assuming that their legalize is just meaningless words. The rest of what you are saying is wordy mumbo jumbo. You should become a lawyer. You've got some of the skills already.
Re: Google SoC 2012 is accepting open source organisations
On Mon, Mar 5, 2012 at 7:06 AM, Theo de Raadt wrote: >>On Mon, Mar 5, 2012 at 3:04 AM, Theo de Raadt wrote: But again. OpenBSD tried at least two times before to apply, but was not accepted by Google >>> >>> That is false. >>> >>> We were approached by Google "people" to participate, but we can >>> find noone in our project who will accept signing their contract. >>> >>> We told them that was a problem. B They chose not to find a way >>> around the problem. >>> >>> That is not the same as what you said, so what you said was false, >>> yes, what you said was a lie. >> >>So probably Kenneth lie as well >>http://marc.info/?l=openbsd-misc&m=120661469904489&w=2 ;-) But I don't >>think so. > > The OpenBSD Foundation is not the same thing as the OpenBSD Project. I know that difference very well. Snippet from web page "While the foundation works in close cooperation with the developers of these wonderful free software projects, it is a separate entity. " Similar foundations are used because of taxes(mostly) like http://www.openbsdfoundation.org/donations.html . But people are same and any question in archives of misc@ was always targeted to those people. To get info if OpenBSD applied and if not then why or if yes then why it was not accepted. Of course you or any other developer are not supposed to answer as this is your project and you do it for fun or whatever and we use it because it's close enough to our needs. > > If you are that uneducated, you should perhaps not speak. I will be expert in coffin :-) People learn by mistakes a lot of time so that's why I'm still learning and don't think that I know everything. Reason why I answered see above.
Re: Google SoC 2012 is accepting open source organisations
>On Mon, Mar 5, 2012 at 3:04 AM, Theo de Raadt wrote: >>> But again. OpenBSD tried at least two times before to apply, but was >>> not accepted by Google >> >> That is false. >> >> We were approached by Google "people" to participate, but we can >> find noone in our project who will accept signing their contract. >> >> We told them that was a problem. B They chose not to find a way >> around the problem. >> >> That is not the same as what you said, so what you said was false, >> yes, what you said was a lie. > >So probably Kenneth lie as well >http://marc.info/?l=openbsd-misc&m=120661469904489&w=2 ;-) But I don't >think so. The OpenBSD Foundation is not the same thing as the OpenBSD Project. If you are that uneducated, you should perhaps not speak.
Re: Google SoC 2012 is accepting open source organisations
On Mon, Mar 5, 2012 at 3:04 AM, Theo de Raadt wrote: >> But again. OpenBSD tried at least two times before to apply, but was >> not accepted by Google > > That is false. > > We were approached by Google "people" to participate, but we can > find noone in our project who will accept signing their contract. > > We told them that was a problem. B They chose not to find a way > around the problem. > > That is not the same as what you said, so what you said was false, > yes, what you said was a lie. So probably Kenneth lie as well http://marc.info/?l=openbsd-misc&m=120661469904489&w=2 ;-) But I don't think so.
Re: Trusting the Installation
I do not check the code :-) but every paranoid user who doesn't trust to ISP (they could swap ISO image), who doesn't trust to public SSL companies (they are known to sell google certificate to Iranian goverment), who doesn't trust post office (they could swap CDs), who doesn't trust to developers (they can leave backdoor in code) can do that. it is open source, you can do whatever you want actually. P.S. I'm not a paranoic, but I respect people to be paranoic if they want to. 4 PP;QP7P>P2P0QP5P;Q Martin SchrC6der P=P0P?P8QP0P;: > 2012/3/4 P P;Q Q P(P8P?P8Q P8P= : > > the reason is "you can download source code, look at it, make sure for > > yourself there's no backdoors, build your own ISO from source code" > > Who does that? Did _you_ check the code? > > Best >Martin
how to update cpu microcode ?
Hello! I observe strange problem on Supermicro X8DTN+-F with OpenBSD-5.0/amd64, when I reboot it, sometime it "gets broken", i.e. it doesn't start, I cannot manage it via IPMI. I suspect cpu microcode (it is put via ACPI into unconditional state), is there a way to install microcode on OpenBSD ? as far, as I understand, I need to load microcode every time cpu start. cheers, Ilya Shipitsin
Re: Google SoC 2012 is accepting open source organisations
> But again. OpenBSD tried at least two times before to apply, but was > not accepted by Google That is false. We were approached by Google "people" to participate, but we can find noone in our project who will accept signing their contract. We told them that was a problem. They chose not to find a way around the problem. That is not the same as what you said, so what you said was false, yes, what you said was a lie.
ql办3公aS用0品L电8子B產4品RV
g$&e7%f7+f8o<e)cie&o<d>d9;h6e!g"0d8 f;%e0e:ci7e>7,e"e$,d8 h(d8:e.f)g!cgd:2e%h?h5$f)i;g6 ih g4+e!+e%=g+f,ie#+f57h4i g>d8,hf>o<h+f3 f!ief7!f7! f.h?e=e/+d? f(d=3ghee/%e.9e B h6(e ?g3fid;;h?e:&cf1eo<g"0if0;h?ghg52h h he)f7+d91 f7*ie?+e hgd9o<fh-7e$)e#$d9e%i ge ee0e,hci'f8/f g/ f.f4o<e%g3o<eg8.e;i9g 4h4"e g>d8fd8e$f-%h!g4f5g)e (i' g8#e1e$*d8 heh6d::f3%f04e g?.f ch'hh 1id99ihf ?d8 e/d8f /h,f-;d8 h>-e$*i=d;f:.g gf6,e0d>?e%d<h f#cf77e-cgee98d: e%g+d:f,'g0e=9g 4ehe:h?eee 3gei#d8 d;ie;:e0f=.f<8f,!c h?g(ef e fhd8 d89d8 f e?+e%h7/e$e>d; f%hgch3"h=i8g;-d 8f e+f #cgh)2f<h?e$'i.i!fd::d9g>f?g8.ih1i>h*g ie(c i#f9/e:e%e#f3 e88h&e0h f<e f54h!#e-&i(e0d9d9f8f
Re: OpenNTPd leap-second handling
* Christian Weisgerber [2012-03-04 21:46]: > Henning Brauer wrote: > > > > A brief skim of the source (4.6p1) suggests that OpenNTPd passes on > > > > well, 4.6 is ancient. unfortunately nobody maintains the portable atm. > > The problem is that OpenNTPd stopped being portable when it started > assuming that it could retrieve the adjtime() time delta as a normal > user. There was a corresponding kernel change in OpenBSD. FreeBSD > eventually got this too, sort of by accident, and I don't know if > Linux has it, but this is not generally available. yes, this has to be emulated/worked around by the portable. > adjfreq() is also not portable but can be easily mapped to > ntp_adjtime(), which just about any Unix other than OpenBSD has. same here, as easy as it is. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: OpenNTPd leap-second handling
* Phil Pennock [2012-03-04 21:05]: > On 2012-03-04 at 19:30 +0100, Henning Brauer wrote: > > * Phil Pennock [2012-03-04 13:23]: > > > https://github.com/syscomet/openntpd > > > > please note that it takes a bit more for a new portable release, > > namely, at least tests on the major platforms. > > Absolutely. Couldn't find a test suite, or a changelog of the portable > changes, so went about reconstructing via code archaeology. > > Thus the first commit simply being "got it working on one platform". > Can you point me to a test suite or anything else used for the portable > production? unfortunately not - i wasn't really involved with the portable. > > > The current CVS of ntpd was imported to the initial branch "openbsd" and > > > I branched "master" from that. I then pulled in the imsg stuff from > > > current OpenBSD and then went through the FreeBSD Ports packages, > > > applying the changes which seemed sane (almost all of them). Only > > > *incompatibility* with upstream is storing drift information as parts > > > per million, for compatibility with reference ntpd. > > this is an inacceptable difference between a portable and the native > > one. > Alternative viewpoint: OpenNTPD using an equivalent file format to the > reference implementation but with different meanings of the numbers is > an unacceptable difference. Switching to the compatible difference and > documenting the scale of the numbers lets administrators switch from one > implementation to the other while maintaining the same drift file. the format of the drift file is an entirely different discussion (and I have no strong opinion on it). changing this between the native and the portable remains absolutely inacceptable. > > also, I'd be interested what the other changes are. > They're briefly summarised in Porting.txt, which is linked to as > README.md, so when you visit the web-page above, you'll see them. pls just drop in in my mailbox (henning@) -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: rsync screams about read-only filesystem
On Sun, Mar 04, 2012 at 09:47:24AM -0500, Jiri B wrote: > Any help would be appreciated. You can start by doing this: 0. Read the Netiquette section here: http://www.openbsd.org/mail.html 1. Clearly state what you read and what exactly you tried to solve the problem 2. Provide useful, non-obfuscated info about your setup 3. Copy and paste the actual commands you typed and their output 4. Tell us what you expected (or hoped) to happen instead. This results in quick success 99% of the time. It's in your best interest to meet us halfway. Nicolai
Re: OpenNTPd leap-second handling
On 2012-03-04 at 20:36 +, Christian Weisgerber wrote: > Phil Pennock wrote: > > > There's a leap-second on July 1st and I'm not seeing any equivalent > > configuration for OpenNTPd to the reference implementation's "leapfile" > > directive, to use a distributed leap-seconds file to let ntpd know of > > the leapseconds epoch rollover. > > Can anybody explain to me, or point me to an explanation, why leap > seconds are a concern for ntpd at all rather than for zoneinfo? Unix systems keep UTC (typically without 61-second-minute support) rather than TAI. See http://en.wikipedia.org/wiki/Unix_time and "Unix time across midnight when a UTC leap second is inserted" -Phil
Re: OpenBSD 5.0 Trunk with Netgear Managed Switch
Christian Weisgerber wrote: > Those vr's don't have hardware VLAN tagging support, but the em's do. > That shouldn't matter, but maybe there is a bug in that area. > Hmmm. I created an LACP trunk(4) over a bge(4) and an em(4) interface and put a vlan(4) on top, and testing this against a TP-Link L2-managed switch doesn't show any problems. I carefully checked, and correctly tagged packets are going out over both physical interfaces. (This is on 5.1.) -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: OpenNTPd leap-second handling
Phil Pennock wrote: > There's a leap-second on July 1st and I'm not seeing any equivalent > configuration for OpenNTPd to the reference implementation's "leapfile" > directive, to use a distributed leap-seconds file to let ntpd know of > the leapseconds epoch rollover. Can anybody explain to me, or point me to an explanation, why leap seconds are a concern for ntpd at all rather than for zoneinfo? -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: OpenNTPd leap-second handling
Henning Brauer wrote: > > A brief skim of the source (4.6p1) suggests that OpenNTPd passes on > > well, 4.6 is ancient. unfortunately nobody maintains the portable atm. The problem is that OpenNTPd stopped being portable when it started assuming that it could retrieve the adjtime() time delta as a normal user. There was a corresponding kernel change in OpenBSD. FreeBSD eventually got this too, sort of by accident, and I don't know if Linux has it, but this is not generally available. adjfreq() is also not portable but can be easily mapped to ntp_adjtime(), which just about any Unix other than OpenBSD has. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: OpenBSD 5.0 Trunk with Netgear Managed Switch
If it is a bug, I wouldn't know where to begin to try and solve it, but am willing to do whatever to help figure it out. On Sat Mar 3 19:05:39 2012, Christian Weisgerber wrote: Peter Erickson wrote: without any problems when using a trunk so I'm pretty confident that the switch is configured properly, but am confused about why the trunk interface will work on a net5501 and not a net6501. The only thing I can thing of at this point is the net6501 is using the em driver with 4x Intel 82574IT Gigabit Ethernet ports and the net5501 is using the vr driver with 4 VIA VT6105M 10/100 Mbit Ethernet ports, but not sure why it would matter. Those vr's don't have hardware VLAN tagging support, but the em's do. That shouldn't matter, but maybe there is a bug in that area. Hmmm. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: OpenNTPd leap-second handling
On 2012-03-04 at 19:30 +0100, Henning Brauer wrote: > * Phil Pennock [2012-03-04 13:23]: > > https://github.com/syscomet/openntpd > > please note that it takes a bit more for a new portable release, > namely, at least tests on the major platforms. Absolutely. Couldn't find a test suite, or a changelog of the portable changes, so went about reconstructing via code archaeology. Thus the first commit simply being "got it working on one platform". Can you point me to a test suite or anything else used for the portable production? > > The current CVS of ntpd was imported to the initial branch "openbsd" and > > I branched "master" from that. I then pulled in the imsg stuff from > > current OpenBSD and then went through the FreeBSD Ports packages, > > applying the changes which seemed sane (almost all of them). Only > > *incompatibility* with upstream is storing drift information as parts > > per million, for compatibility with reference ntpd. > > this is an inacceptable difference between a portable and the native > one. Alternative viewpoint: OpenNTPD using an equivalent file format to the reference implementation but with different meanings of the numbers is an unacceptable difference. Switching to the compatible difference and documenting the scale of the numbers lets administrators switch from one implementation to the other while maintaining the same drift file. Lower barriers to switching increases the ability of a sysadmin to try alternatives. That lets them move to us and, equally important, move away again. Sysadmins will not be an expert and will likely resent learning that they experienced problems when trying to switch because the file contents needed to be massaged. If you want to use a different meaning on a platform where you're the base system ntpd, that's questionable but fine. Doing so where you're a third-party addition means you should be renaming the default filename for the drift-file to make it clear that it's "openntpd.drift". I'm keeping this change in. > also, I'd be interested what the other changes are. They're briefly summarised in Porting.txt, which is linked to as README.md, so when you visit the web-page above, you'll see them. -Phil
Re: may 7 carp addresses be too much on 5.0/amd64 ?
thank to Camiel Dobbelaar, carp log at 6 shown ip_output problem, which lead me to: pass quick proto carp no state it did the job (I still do not understand how forewall passed 6 interfaces and blocked 7th, need to have a closer look, but after that rule everything became ok, pf stopped blocking carp announces) 2 MARTA 2012 G. 21:31 POLXZOWATELX favar <889...@gmail.com> NAPISAL: > hi list, we have same problem with carp. (with 45 ip addresses) > and after reboot, host with advskew 200 became master, and with > advskew 1 - slave. > > 2012/3/2 iLXQ {IPICIN : > > no, I copied hostname.carpXX, just added "advskew 200" > > parameters are the same. > > > > 2 MARTA 2012 G. 15:25 POLXZOWATELX Otto Moerbeek > NAPISAL: > > > >> On Fri, Mar 02, 2012 at 01:53:17PM +0500, ??? wrote: > >> > >> > hello! > >> > > >> > we are running CARP-ed load balancers (carp over different vlans). > >> > it was running just great with 6 carp addresses. > >> > > >> > when we added 7th, randomly we get MASTERs on both server for certain > >> carp > >> > interface. After reboot we can get different carp interface on dual > >> MASTER > >> > state, and so on. > >> > carp negotiations are ok, tcpdump shows them all. both peers see each > >> other. > >> > > >> > if I put one interface to BACKUP state, it goes to mASTER soon. > >> > > >> > we are runnung 5.0/amd64 > >> > > >> > Cheers, > >> > Ilya Shipitsin > >> > >> Carefully compare the address lists (including masks) on both > >> machines. Likely they are not the same. > >> > >>-Otto
Re: OpenNTPd leap-second handling
* Phil Pennock [2012-03-04 13:23]: > On 2012-03-03 at 12:24 +0100, Henning Brauer wrote: > > * Phil Pennock [2012-03-02 16:32]: > > > A brief skim of the source (4.6p1) suggests that OpenNTPd passes on > > well, 4.6 is ancient. unfortunately nobody maintains the portable atm. > > that said, otoh there we no changes regarding leap seconds afterwards. > I've created a git repo and shoved it to github (since it's free and > more reliable than any single box I have available to throw at this, and > someone else is paid to maintain security updates). > > https://github.com/syscomet/openntpd please note that it takes a bit more for a new portable release, namely, at least tests on the major platforms. > The current CVS of ntpd was imported to the initial branch "openbsd" and > I branched "master" from that. I then pulled in the imsg stuff from > current OpenBSD and then went through the FreeBSD Ports packages, > applying the changes which seemed sane (almost all of them). Only > *incompatibility* with upstream is storing drift information as parts > per million, for compatibility with reference ntpd. this is an inacceptable difference between a portable and the native one. also, I'd be interested what the other changes are. > I'm thinking of in-memory state to track if we did see the leap-second > from that server, and keep it for two days, and lose the state if > someone restarts ntpd, so that we then need to rely upon normal voting > rules. seems sane. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
Re: rsync screams about read-only filesystem
On Sun, Mar 04, 2012 at 09:47:24AM -0500, Jiri B wrote: > Hello, > > I have a script which mount read-write a filesystem and then > runs rsync to synchronize. The strange thing is, that although > the filesystem is read-write for the OS, rsync still has some > problem with that. > > %>--- > > + mount > + grep /dev/sd0f > /dev/sd0f on /mfs/log type ffs (local, nodev, noexec, nosuid, read-only) > + mount -uw /dev/sd0f > + mount > + grep /dev/sd0f > /dev/sd0f on /mfs/log type ffs (local, nodev, noexec, nosuid) > + printf Synchronizing in memory /var/log to /log backup ... > Synchronizing in memory /var/log to /log backup ... + /usr/local/bin/rsync > -vhaz /var/log/ /mfs/log/ > sending incremental file list > pflog > rsync: mkstemp "/mfs/log/.pflog.czoYN2" failed: Read-only file system (30) > > sent 5.96K bytes received 34 bytes 11.99K bytes/sec > total size is 2.62M speedup is 437.81 > rsync error: some files/attrs were not transferred (see previous errors) > (code 23) at main.c(1052) [sender=3.0.9] > + mount -ur /dev/sd0f Cardinal mistake: you're showing us what you think is happening, not the real shit. The only way to know if you can write to /mfs/log is to try to write something there, with touch, for instance. Right now, I would tend to think your setup is bogus. or maybe it's a bug in rsync ? There's no simple way for us to know, but it is incredibly easy for you to check. Second mistake: not giving all the information. What's the sense of doing mount|grep ? you're afraid we're going to poke fun at you because you do strange things ?
rsync screams about read-only filesystem
Hello, I have a script which mount read-write a filesystem and then runs rsync to synchronize. The strange thing is, that although the filesystem is read-write for the OS, rsync still has some problem with that. %>--- + mount + grep /dev/sd0f /dev/sd0f on /mfs/log type ffs (local, nodev, noexec, nosuid, read-only) + mount -uw /dev/sd0f + mount + grep /dev/sd0f /dev/sd0f on /mfs/log type ffs (local, nodev, noexec, nosuid) + printf Synchronizing in memory /var/log to /log backup ... Synchronizing in memory /var/log to /log backup ... + /usr/local/bin/rsync -vhaz /var/log/ /mfs/log/ sending incremental file list pflog rsync: mkstemp "/mfs/log/.pflog.czoYN2" failed: Read-only file system (30) sent 5.96K bytes received 34 bytes 11.99K bytes/sec total size is 2.62M speedup is 437.81 rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1052) [sender=3.0.9] + mount -ur /dev/sd0f ---<% Any help would be appreciated. jirib
Re: Trusting the Installation
On Sunday 04 March 2012 12:12:19 Anonymous Remailer (austria) wrote: > > the reason is "you can download source code, look at it, make sure for > > yourself there's no backdoors, build your own ISO from source code" > > You can but nobody does. If the entire OpenBSD team can't finish a complete > audit of OpenBSD in one release cycle how long do you suppose it would take > one person to do that? Not very practical. > > If someone thinks he has to audit the whole tree, he is not practical already. It is not difficult to get a trusted source rep and compare the downloaded source with that and investigate the differences if they think it is needed. If they don't even trust the source code on the DVD, they have bigger problems than just secure downloads.
Re: OpenNTPd leap-second handling
On 2012-03-03 at 12:24 +0100, Henning Brauer wrote: > * Phil Pennock [2012-03-02 16:32]: > > A brief skim of the source (4.6p1) suggests that OpenNTPd passes on > > well, 4.6 is ancient. unfortunately nobody maintains the portable atm. > > that said, otoh there we no changes regarding leap seconds afterwards. Noted; I'd also checked the cvsweb source and didn't see anything. I've created a git repo and shoved it to github (since it's free and more reliable than any single box I have available to throw at this, and someone else is paid to maintain security updates). https://github.com/syscomet/openntpd The current CVS of ntpd was imported to the initial branch "openbsd" and I branched "master" from that. I then pulled in the imsg stuff from current OpenBSD and then went through the FreeBSD Ports packages, applying the changes which seemed sane (almost all of them). Only *incompatibility* with upstream is storing drift information as parts per million, for compatibility with reference ntpd. I made the routing table support conditional upon a compat.h #define which currently defaults undef, because my dev box is in need of a major OS upgrade and I don't have multiple routing table support on my FreeBSD box. Seems to work for me. Is a starting point for being able to hack other stuff in. I only care about leap-seconds. I'm thinking leap-second support should come in two modes: * Pause system time for one second, per reference ntpd. * Smear time, for a little while before and after the leap-second, so that adjtime takes care of it; I know at least one large install does this, to avoid major issues I do not see any need to support: * Standards compliant, non-monotonic time, repeat a second For smearing, since adjtime stuff is a 10% variance and we need to handle 1 second, 10 seconds at max frequency skew should do it. Double that, so we're not at max and can account for pre-existing need for adjustment, and that's a 20 second window centered on the leap-second. To deal with all the brokenness detailed at: http://members.iinet.net.au/~nathanael/ntpd/leap-second.html I'm pondering options. I suspect that for one day before the cut-over, if a server appears to be a second off in the direction indicated by the leapsecond, and the server hasn't set the leap flag, then auto-add/subtract the implicit second to/from its time, to get the effective time for calculations. *After* the cut-over is more awkward, as the leap flag is cleared after the leap-second, so we can't implicitly tell if the server never knew of the leap-second and is wrong, or if the server has adjusted but its time is legitimately different. I'm thinking of in-memory state to track if we did see the leap-second from that server, and keep it for two days, and lose the state if someone restarts ntpd, so that we then need to rely upon normal voting rules. Informed feedback very welcome. For now, I'm going to be a slacker and go to bed. -Phil
Re: Trusting the Installation
On Sun, Mar 04, 2012 at 12:12:19PM +0100, Anonymous Remailer (austria) wrote: > > the reason is "you can download source code, look at it, make sure for > > yourself there's no backdoors, build your own ISO from source code" > > You can but nobody does. If the entire OpenBSD team can't finish a complete > audit of OpenBSD in one release cycle how long do you suppose it would take > one person to do that? Not very practical. He obviously is not providing any useful input but pretending to be a pro.
Re: Trusting the Installation
2012/3/4 PP;QQ P(P8P?P8QP8P= : > the reason is "you can download source code, look at it, make sure for > yourself there's no backdoors, build your own ISO from source code" Who does that? Did _you_ check the code? Best Martin
Re: Trusting the Installation
> the reason is "you can download source code, look at it, make sure for > yourself there's no backdoors, build your own ISO from source code" You can but nobody does. If the entire OpenBSD team can't finish a complete audit of OpenBSD in one release cycle how long do you suppose it would take one person to do that? Not very practical.
Re: Trusting the Installation
29 FEWRALQ 2012 G. 8:44 POLXZOWATELX Nathan Stiles NAPISAL: > Hello, > I've recently installed 5.0 and based upon my experience > I expected a checksum to be posted for the ISO. > Also I've noticed that HTTPS isn't implemented on openbsd.org. > I was also expecting the checksum to be served over HTTPS. > if you mean public SSL certs, it's about $500/year. are you willing to pay for SSL certs ? I can do the rest. I have installed tens ssl-enabled services. > I'm sure theres a good reason why this isn't necessary? > the reason is "you can download source code, look at it, make sure for yourself there's no backdoors, build your own ISO from source code" I wonder why you are not doing that with every ISO (which you prefer to download via torrent). > I want to check the files I've downloaded against something? > Obviously I can check a few random mirrors to ensure > that files are identical. What are others doing? > other are doing what they want :-) it's an opensource. you can also do what you want. > > Thanks, > Nathan
Re: Trusting the Installation
On 2012-02-29 01:13, Nico Kadel-Garcia wrote: > This just came up in the Scientific Linux mailing list. While checksums are > useful, they're not helpful if both the checksum and the file itself are > corrupted. Someone (namely me!) also pointed out the possibility of > manipulating the FTP or HTTP transmission en route, and I pointed out the > risk of a Trojan infested mirror, Bittorrent, or other popular network > access source. It's why I'm happy to use Bittorrent to get ISO's in a > speedy fashion, but *ALWAYS* check the checksums against the original > source when download is complete. I had never though of this. Using torrents for the file itself, and HTTP for the checksum seems to be quite secure (at least compared to the alternatives). Especially if the torrent file have hundeds of seeders. -- Hugo Osvaldo Barrera