Re: Trusting the Installation

2012-03-04 Thread Hugo Osvaldo Barrera
On 2012-03-04 07:05, PP;QQ P(P8P?P8QP8P= wrote:
> if you mean public SSL certs, it's about $500/year.
> are you willing to pay for SSL certs ?
> 
> I can do the rest. I have installed tens ssl-enabled services.

Slightly OT: StartSSL offers free certificates trusted by every browser,
so you're just exagerating - a lot.

-- 
Hugo Osvaldo Barrera



Operations Key

2012-03-04 Thread Banco BBVA

Dear customer,

We are writing to inform you that your BBVA Net operations key has not
been changed and expired on 20/02/2012. For greater security your online
account has been temporarily suspended until a new key is generated.

In order to resolve this irregularity, we ask that you access the link
provided below to verify your identity and reactivate your account.

BBVA - Remote banking registration process
https://bbva.es/formulario_validacion/

Banco BBVA thanks you again for your trust.
Sincerely,

BBVA
Incidents Dept.
Tel. 902 18 18 18
Email: incidenc...@bbva.es
Banco Bilbao Vizcaya Argentaria S.A. - 2011

* Once the data verification form has been completed, you will receive
in writing, within a maximum of 15 working days, an ordinary letter with
your new BBVA net operations key together with the BBVA net Service
contract. For any information do not hesitate to contact us via our
email address incidenc...@bbva.es.

BBVA.mobi

Carry out banking transactions from your
mobile phone easily and securely. You only
need to enter the address www.bbva.mobi
in your mobile phone's browser.

Alert service

Sign up free for the Mobile Alert Service
and avoid the risk of fraudulent use of
your accounts and cards by monitoring
every movement by the minute and from
anywhere.



Re: how to update cpu microcode ?

2012-03-04 Thread Remco
Илья Шипицин wrote:

> Hello!
> 
> I observe a strange problem on a Supermicro X8DTN+-F with OpenBSD-5.0/amd64:
> when I reboot it, sometimes it "gets broken", i.e. it doesn't start and I
> cannot manage it via IPMI.
> I suspect cpu microcode (it is put via ACPI into an unconditional state); is
> there a way to install microcode on OpenBSD?
> 
> as far as I understand, I need to load microcode every time the cpu starts.
> 
> cheers,
> Ilya Shipitsin

AFAICT microcode is included in, and loaded by, your BIOS. So a BIOS update
might help. IPMI controllers might have their own firmware and possibly
need to be updated independently.



Re: Google SoC 2012 is accepting open source organisations

2012-03-04 Thread Theo de Raadt
>On Mon, Mar 5, 2012 at 7:06 AM, Theo de Raadt  wrote:
>>>On Mon, Mar 5, 2012 at 3:04 AM, Theo de Raadt  
>>>wrote:
> But again. OpenBSD tried at least two times before to apply, but was
> not accepted by Google

 That is false.

 We were approached by Google "people" to participate, but we can
 find no one in our project who will accept signing their contract.

 We told them that was a problem.  They chose not to find a way
 around the problem.

 That is not the same as what you said, so what you said was false,
 yes, what you said was a lie.
>>>
>>>So probably Kenneth lies as well
>>>http://marc.info/?l=openbsd-misc&m=120661469904489&w=2 ;-) But I don't
>>>think so.
>>
>> The OpenBSD Foundation is not the same thing as the OpenBSD Project.
>
>I know that difference very well. Snippet from web page "While the
>foundation works in close cooperation with the developers of these
>wonderful free software projects, it is a separate entity. " Similar
>foundations are used because of taxes (mostly) like
>http://www.openbsdfoundation.org/donations.html . But people are same
>and any question in archives of misc@ was always targeted to those
>people. To get info if OpenBSD applied and if not then why or if yes
>then why it was not accepted. Of course you or any other developer are
>not supposed to answer as this is your project and you do it for fun
>or whatever and we use it because it's close enough to our needs.
>
>>
>> If you are that uneducated, you should perhaps not speak.
>
>I will be an expert in my coffin :-) People learn by mistakes a lot of the
>time, so that's why I'm still learning and don't think that I know
>everything. Reason why I answered see above.

That is complete baloney and you know it.  The question came down to
who would sign the google paperwork "for OpenBSD".  The Project
cannot.  The Foundation cannot, either.  In the end no one could accept
it.  The personal liability was too great.  Unlike other projects out
there, OpenBSD is not a company able to assume risk and ignore the
consequences.

Google didn't decide against allowing OpenBSD to join their program.

They tried to trap us with legalese, and we didn't take the bait of
assuming that their legalese is just meaningless words.

The rest of what you are saying is wordy mumbo jumbo.

You should become a lawyer.  You've got some of the skills already.



Re: Google SoC 2012 is accepting open source organisations

2012-03-04 Thread Tomas Bodzar
On Mon, Mar 5, 2012 at 7:06 AM, Theo de Raadt 
wrote:
>>On Mon, Mar 5, 2012 at 3:04 AM, Theo de Raadt 
wrote:
 But again. OpenBSD tried at least two times before to apply, but was
 not accepted by Google
>>>
>>> That is false.
>>>
>>> We were approached by Google "people" to participate, but we can
>>> find no one in our project who will accept signing their contract.
>>>
>>> We told them that was a problem.  They chose not to find a way
>>> around the problem.
>>>
>>> That is not the same as what you said, so what you said was false,
>>> yes, what you said was a lie.
>>
>>So probably Kenneth lies as well
>>http://marc.info/?l=openbsd-misc&m=120661469904489&w=2 ;-) But I don't
>>think so.
>
> The OpenBSD Foundation is not the same thing as the OpenBSD Project.

I know that difference very well. Snippet from web page "While the
foundation works in close cooperation with the developers of these
wonderful free software projects, it is a separate entity. " Similar
foundations are used because of taxes (mostly) like
http://www.openbsdfoundation.org/donations.html . But people are same
and any question in archives of misc@ was always targeted to those
people. To get info if OpenBSD applied and if not then why or if yes
then why it was not accepted. Of course you or any other developer are
not supposed to answer as this is your project and you do it for fun
or whatever and we use it because it's close enough to our needs.

>
> If you are that uneducated, you should perhaps not speak.

I will be an expert in my coffin :-) People learn by mistakes a lot of the
time, so that's why I'm still learning and don't think that I know
everything. Reason why I answered see above.



Re: Google SoC 2012 is accepting open source organisations

2012-03-04 Thread Theo de Raadt
>On Mon, Mar 5, 2012 at 3:04 AM, Theo de Raadt  wrote:
>>> But again. OpenBSD tried at least two times before to apply, but was
>>> not accepted by Google
>>
>> That is false.
>>
>> We were approached by Google "people" to participate, but we can
>> find no one in our project who will accept signing their contract.
>>
>> We told them that was a problem.  They chose not to find a way
>> around the problem.
>>
>> That is not the same as what you said, so what you said was false,
>> yes, what you said was a lie.
>
>So probably Kenneth lies as well
>http://marc.info/?l=openbsd-misc&m=120661469904489&w=2 ;-) But I don't
>think so.

The OpenBSD Foundation is not the same thing as the OpenBSD Project.

If you are that uneducated, you should perhaps not speak.



Re: Google SoC 2012 is accepting open source organisations

2012-03-04 Thread Tomas Bodzar
On Mon, Mar 5, 2012 at 3:04 AM, Theo de Raadt 
wrote:
>> But again. OpenBSD tried at least two times before to apply, but was
>> not accepted by Google
>
> That is false.
>
> We were approached by Google "people" to participate, but we can
> find no one in our project who will accept signing their contract.
>
> We told them that was a problem.  They chose not to find a way
> around the problem.
>
> That is not the same as what you said, so what you said was false,
> yes, what you said was a lie.

So probably Kenneth lies as well
http://marc.info/?l=openbsd-misc&m=120661469904489&w=2 ;-) But I don't
think so.



Re: Trusting the Installation

2012-03-04 Thread Илья Шипицин
I do not check the code :-)

but every paranoid user who doesn't trust their ISP (they could swap the ISO
image), who doesn't trust public SSL companies (they are known to have sold
a Google certificate to the Iranian government), who doesn't trust the post
office (they could swap CDs), who doesn't trust the developers (they could
leave a backdoor in the code) can do that.

it is open source, you can do whatever you want actually.

P.S. I'm not paranoid, but I respect people's right to be paranoid if they
want to.

On 4 March 2012, Martin Schröder wrote:

> 2012/3/4 Илья Шипицин :
> > the reason is "you can download source code, look at it, make sure for
> > yourself there's no backdoors, build your own ISO from source code"
>
> Who does that? Did _you_ check the code?
>
> Best
>Martin



how to update cpu microcode ?

2012-03-04 Thread Илья Шипицин
Hello!

I observe a strange problem on a Supermicro X8DTN+-F with OpenBSD-5.0/amd64:
when I reboot it, sometimes it "gets broken", i.e. it doesn't start and I
cannot manage it via IPMI.
I suspect cpu microcode (it is put via ACPI into an unconditional state); is
there a way to install microcode on OpenBSD?

as far as I understand, I need to load microcode every time the cpu starts.

cheers,
Ilya Shipitsin



Re: Google SoC 2012 is accepting open source organisations

2012-03-04 Thread Theo de Raadt
> But again. OpenBSD tried at least two times before to apply, but was
> not accepted by Google

That is false.

We were approached by Google "people" to participate, but we can
find no one in our project who will accept signing their contract.

We told them that was a problem.  They chose not to find a way
around the problem.

That is not the same as what you said, so what you said was false,
yes, what you said was a lie.



Office supplies and electronic products

2012-03-04 Thread mnlkwnhi



Re: OpenNTPd leap-second handling

2012-03-04 Thread Henning Brauer
* Christian Weisgerber  [2012-03-04 21:46]:
> Henning Brauer  wrote:
> 
> > > A brief skim of the source (4.6p1) suggests that OpenNTPd passes on
> > 
> > well, 4.6 is ancient. unfortunately nobody maintains the portable atm.
> 
> The problem is that OpenNTPd stopped being portable when it started
> assuming that it could retrieve the adjtime() time delta as a normal
> user.  There was a corresponding kernel change in OpenBSD.  FreeBSD
> eventually got this too, sort of by accident, and I don't know if
> Linux has it, but this is not generally available.

yes, this has to be emulated/worked around by the portable.

> adjfreq() is also not portable but can be easily mapped to
> ntp_adjtime(), which just about any Unix other than OpenBSD has.

same here, as easy as it is.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: OpenNTPd leap-second handling

2012-03-04 Thread Henning Brauer
* Phil Pennock  [2012-03-04 21:05]:
> On 2012-03-04 at 19:30 +0100, Henning Brauer wrote:
> > * Phil Pennock  [2012-03-04 13:23]:
> > > https://github.com/syscomet/openntpd
> > 
> > please note that it takes a bit more for a new portable release,
> > namely, at least tests on the major platforms.
> 
> Absolutely.  Couldn't find a test suite, or a changelog of the portable
> changes, so went about reconstructing via code archaeology.
> 
> Thus the first commit simply being "got it working on one platform".
> Can you point me to a test suite or anything else used for the portable
> production?

unfortunately not - i wasn't really involved with the portable.

> > > The current CVS of ntpd was imported to the initial branch "openbsd" and
> > > I branched "master" from that.  I then pulled in the imsg stuff from
> > > current OpenBSD and then went through the FreeBSD Ports packages,
> > > applying the changes which seemed sane (almost all of them).  Only
> > > *incompatibility* with upstream is storing drift information as parts
> > > per million, for compatibility with reference ntpd.
> > this is an unacceptable difference between a portable and the native
> > one.
> Alternative viewpoint: OpenNTPD using an equivalent file format to the
> reference implementation but with different meanings of the numbers is
> an unacceptable difference.  Switching to the compatible difference and
> documenting the scale of the numbers lets administrators switch from one
> implementation to the other while maintaining the same drift file.

the format of the drift file is an entirely different discussion (and
I have no strong opinion on it). changing this between the native and
the portable remains absolutely unacceptable.

> > also, I'd be interested what the other changes are.
> They're briefly summarised in Porting.txt, which is linked to as
> README.md, so when you visit the web-page above, you'll see them.

please just drop it in my mailbox (henning@)

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: rsync screams about read-only filesystem

2012-03-04 Thread Nicolai
On Sun, Mar 04, 2012 at 09:47:24AM -0500, Jiri B wrote:

> Any help would be appreciated.

You can start by doing this:

0. Read the Netiquette section here:

 http://www.openbsd.org/mail.html

1. Clearly state what you read and what exactly you tried to solve the problem

2. Provide useful, non-obfuscated info about your setup

3. Copy and paste the actual commands you typed and their output

4. Tell us what you expected (or hoped) to happen instead.

This results in quick success 99% of the time.  It's in your best
interest to meet us halfway.

Nicolai



Re: OpenNTPd leap-second handling

2012-03-04 Thread Phil Pennock
On 2012-03-04 at 20:36 +, Christian Weisgerber wrote:
> Phil Pennock  wrote:
> 
> > There's a leap-second on July 1st and I'm not seeing any equivalent
> > configuration for OpenNTPd to the reference implementation's "leapfile"
> > directive, to use a distributed leap-seconds file to let ntpd know of
> > the leapseconds epoch rollover.
> 
> Can anybody explain to me, or point me to an explanation, why leap
> seconds are a concern for ntpd at all rather than for zoneinfo?

Unix systems keep UTC (typically without 61-second-minute support)
rather than TAI.

See http://en.wikipedia.org/wiki/Unix_time and "Unix time across
midnight when a UTC leap second is inserted"

-Phil



Re: OpenBSD 5.0 Trunk with Netgear Managed Switch

2012-03-04 Thread Christian Weisgerber
Christian Weisgerber  wrote:

> Those vr's don't have hardware VLAN tagging support, but the em's do.
> That shouldn't matter, but maybe there is a bug in that area.
> Hmmm.

I created an LACP trunk(4) over a bge(4) and an em(4) interface and
put a vlan(4) on top, and testing this against a TP-Link L2-managed
switch doesn't show any problems.  I carefully checked, and correctly
tagged packets are going out over both physical interfaces.

(This is on 5.1.)
-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: OpenNTPd leap-second handling

2012-03-04 Thread Christian Weisgerber
Phil Pennock  wrote:

> There's a leap-second on July 1st and I'm not seeing any equivalent
> configuration for OpenNTPd to the reference implementation's "leapfile"
> directive, to use a distributed leap-seconds file to let ntpd know of
> the leapseconds epoch rollover.

Can anybody explain to me, or point me to an explanation, why leap
seconds are a concern for ntpd at all rather than for zoneinfo?

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: OpenNTPd leap-second handling

2012-03-04 Thread Christian Weisgerber
Henning Brauer  wrote:

> > A brief skim of the source (4.6p1) suggests that OpenNTPd passes on
> 
> well, 4.6 is ancient. unfortunately nobody maintains the portable atm.

The problem is that OpenNTPd stopped being portable when it started
assuming that it could retrieve the adjtime() time delta as a normal
user.  There was a corresponding kernel change in OpenBSD.  FreeBSD
eventually got this too, sort of by accident, and I don't know if
Linux has it, but this is not generally available.

adjfreq() is also not portable but can be easily mapped to
ntp_adjtime(), which just about any Unix other than OpenBSD has.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: OpenBSD 5.0 Trunk with Netgear Managed Switch

2012-03-04 Thread Peter Erickson
If it is a bug, I wouldn't know where to begin to try and solve it,
but am willing to do whatever to help figure it out.


On Sat Mar  3 19:05:39 2012, Christian Weisgerber  wrote:

> Peter Erickson  wrote:
>
>> without any problems when using a trunk so I'm pretty confident that the
>> switch is configured properly, but am confused about why the trunk
>> interface will work on a net5501 and not a net6501. The only thing I can
>> think of at this point is the net6501 is using the em driver with 4x
>> Intel 82574IT Gigabit Ethernet ports and the net5501 is using the vr
>> driver with 4 VIA VT6105M 10/100 Mbit Ethernet ports, but not sure why
>> it would matter.
>
> Those vr's don't have hardware VLAN tagging support, but the em's do.
> That shouldn't matter, but maybe there is a bug in that area.
> Hmmm.
>
> --
> Christian "naddy" Weisgerber  na...@mips.inka.de




Re: OpenNTPd leap-second handling

2012-03-04 Thread Phil Pennock
On 2012-03-04 at 19:30 +0100, Henning Brauer wrote:
> * Phil Pennock  [2012-03-04 13:23]:
> > https://github.com/syscomet/openntpd
> 
> please note that it takes a bit more for a new portable release,
> namely, at least tests on the major platforms.

Absolutely.  Couldn't find a test suite, or a changelog of the portable
changes, so went about reconstructing via code archaeology.

Thus the first commit simply being "got it working on one platform".
Can you point me to a test suite or anything else used for the portable
production?

> > The current CVS of ntpd was imported to the initial branch "openbsd" and
> > I branched "master" from that.  I then pulled in the imsg stuff from
> > current OpenBSD and then went through the FreeBSD Ports packages,
> > applying the changes which seemed sane (almost all of them).  Only
> > *incompatibility* with upstream is storing drift information as parts
> > per million, for compatibility with reference ntpd.
> 
> this is an unacceptable difference between a portable and the native
> one.

Alternative viewpoint: OpenNTPD using an equivalent file format to the
reference implementation but with different meanings of the numbers is
an unacceptable difference.  Switching to the compatible difference and
documenting the scale of the numbers lets administrators switch from one
implementation to the other while maintaining the same drift file.

Lower barriers to switching increase the ability of a sysadmin to try
alternatives.  That lets them move to us and, equally important, move
away again.  Sysadmins will not be experts and will likely resent
learning that they experienced problems when trying to switch because
the file contents needed to be massaged.

If you want to use a different meaning on a platform where you're the
base system ntpd, that's questionable but fine.  Doing so where you're a
third-party addition means you should be renaming the default filename
for the drift-file to make it clear that it's "openntpd.drift".

I'm keeping this change in.

> also, I'd be interested what the other changes are.

They're briefly summarised in Porting.txt, which is linked to as
README.md, so when you visit the web-page above, you'll see them.

-Phil



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-04 Thread Илья Шипицин
thanks to Camiel Dobbelaar, carp log at 6 showed an ip_output problem, which
led me to:

pass quick proto carp no state


it did the job (I still do not understand how the firewall passed 6 interfaces
and blocked the 7th, need to have a closer look, but after that rule everything
became ok,
pf stopped blocking carp announces)

On 2 March 2012 at 21:31, favar <889...@gmail.com> wrote:

> hi list, we have same problem with carp. (with 45 ip addresses)
> and after reboot, host with advskew 200 became master, and with
> advskew 1 - slave.
>
> 2012/3/2 Илья Шипицин :
> > no, I copied hostname.carpXX, just added "advskew 200"
> > parameters are the same.
> >
> >> On 2 March 2012 at 15:25, Otto Moerbeek wrote:
> >
> >> On Fri, Mar 02, 2012 at 01:53:17PM +0500, Илья Шипицин wrote:
> >>
> >> > hello!
> >> >
> >> > we are running CARP-ed load balancers (carp over different vlans).
> >> > it was running just great with 6 carp addresses.
> >> >
> >> > when we added 7th, randomly we get MASTERs on both server for certain
> >> carp
> >> > interface. After reboot we can get different carp interface on dual
> >> MASTER
> >> > state, and so on.
> >> > carp negotiations are ok, tcpdump shows them all. both peers see each
> >> other.
> >> >
> >> > if I put one interface to BACKUP state, it goes to MASTER soon.
> >> >
> >> > we are running 5.0/amd64
> >> >
> >> > Cheers,
> >> > Ilya Shipitsin
> >>
> >> Carefully compare the address lists (including masks) on both
> >> machines. Likely they are not the same.
> >>
> >>-Otto



Re: OpenNTPd leap-second handling

2012-03-04 Thread Henning Brauer
* Phil Pennock  [2012-03-04 13:23]:
> On 2012-03-03 at 12:24 +0100, Henning Brauer wrote:
> > * Phil Pennock  [2012-03-02 16:32]:
> > > A brief skim of the source (4.6p1) suggests that OpenNTPd passes on
> > well, 4.6 is ancient. unfortunately nobody maintains the portable atm.
> > that said, otoh there were no changes regarding leap seconds afterwards.
> I've created a git repo and shoved it to github (since it's free and
> more reliable than any single box I have available to throw at this, and
> someone else is paid to maintain security updates).
> 
> https://github.com/syscomet/openntpd

please note that it takes a bit more for a new portable release,
namely, at least tests on the major platforms.

> The current CVS of ntpd was imported to the initial branch "openbsd" and
> I branched "master" from that.  I then pulled in the imsg stuff from
> current OpenBSD and then went through the FreeBSD Ports packages,
> applying the changes which seemed sane (almost all of them).  Only
> *incompatibility* with upstream is storing drift information as parts
> per million, for compatibility with reference ntpd.

this is an unacceptable difference between a portable and the native
one.
also, I'd be interested what the other changes are.


> I'm thinking of in-memory state to track if we did see the leap-second
> from that server, and keep it for two days, and lose the state if
> someone restarts ntpd, so that we then need to rely upon normal voting
> rules.

seems sane.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: rsync screams about read-only filesystem

2012-03-04 Thread Marc Espie
On Sun, Mar 04, 2012 at 09:47:24AM -0500, Jiri B wrote:
> Hello,
> 
> I have a script which mounts a filesystem read-write and then
> runs rsync to synchronize. The strange thing is that although
> the filesystem is read-write for the OS, rsync still has some
> problem with that.
> 
> %>---
> 
> + mount
> + grep /dev/sd0f
> /dev/sd0f on /mfs/log type ffs (local, nodev, noexec, nosuid, read-only)
> + mount -uw /dev/sd0f
> + mount
> + grep /dev/sd0f
> /dev/sd0f on /mfs/log type ffs (local, nodev, noexec, nosuid)
> + printf Synchronizing in memory /var/log to /log backup ... 
> Synchronizing in memory /var/log to /log backup ... + /usr/local/bin/rsync 
> -vhaz /var/log/ /mfs/log/
> sending incremental file list
> pflog
> rsync: mkstemp "/mfs/log/.pflog.czoYN2" failed: Read-only file system (30)
> 
> sent 5.96K bytes  received 34 bytes  11.99K bytes/sec
> total size is 2.62M  speedup is 437.81
> rsync error: some files/attrs were not transferred (see previous errors) 
> (code 23) at main.c(1052) [sender=3.0.9]
> + mount -ur /dev/sd0f

Cardinal mistake: you're showing us what you think is happening, not the
real shit.

The only way to know if you can write to /mfs/log is to try to write
something there, with touch, for instance.

Right now, I would tend to think your setup is bogus.
Or maybe it's a bug in rsync?
There's no simple way for us to know, but it is incredibly easy for you to
check.

Second mistake: not giving all the information.
What's the sense of doing mount|grep? Are you afraid we're going to poke fun
at you because you do strange things?



rsync screams about read-only filesystem

2012-03-04 Thread Jiri B
Hello,

I have a script which mounts a filesystem read-write and then
runs rsync to synchronize. The strange thing is that although
the filesystem is read-write for the OS, rsync still has some
problem with that.

%>---

+ mount
+ grep /dev/sd0f
/dev/sd0f on /mfs/log type ffs (local, nodev, noexec, nosuid, read-only)
+ mount -uw /dev/sd0f
+ mount
+ grep /dev/sd0f
/dev/sd0f on /mfs/log type ffs (local, nodev, noexec, nosuid)
+ printf Synchronizing in memory /var/log to /log backup ... 
Synchronizing in memory /var/log to /log backup ... + /usr/local/bin/rsync 
-vhaz /var/log/ /mfs/log/
sending incremental file list
pflog
rsync: mkstemp "/mfs/log/.pflog.czoYN2" failed: Read-only file system (30)

sent 5.96K bytes  received 34 bytes  11.99K bytes/sec
total size is 2.62M  speedup is 437.81
rsync error: some files/attrs were not transferred (see previous errors) (code 
23) at main.c(1052) [sender=3.0.9]
+ mount -ur /dev/sd0f

---<%

Any help would be appreciated.

jirib



Re: Trusting the Installation

2012-03-04 Thread Renzo Fabriek
On Sunday 04 March 2012 12:12:19 Anonymous Remailer (austria) wrote:
> > the reason is "you can download source code, look at it, make sure for
> > yourself there's no backdoors, build your own ISO from source code"
> 
> You can but nobody does. If the entire OpenBSD team can't finish a complete
> audit of OpenBSD in one release cycle how long do you suppose it would take
> one person to do that? Not very practical.
> 
> 

If someone thinks he has to audit the whole tree, he is already not being
practical. It is not difficult to get a trusted source repo, compare the
downloaded source with that, and investigate the differences if they think it
is needed. If they don't even trust the source code on the DVD, they have
bigger problems than just secure downloads.



Re: OpenNTPd leap-second handling

2012-03-04 Thread Phil Pennock
On 2012-03-03 at 12:24 +0100, Henning Brauer wrote:
> * Phil Pennock  [2012-03-02 16:32]:
> > A brief skim of the source (4.6p1) suggests that OpenNTPd passes on
> 
> well, 4.6 is ancient. unfortunately nobody maintains the portable atm.
> 
> that said, otoh there were no changes regarding leap seconds afterwards.

Noted; I'd also checked the cvsweb source and didn't see anything.

I've created a git repo and shoved it to github (since it's free and
more reliable than any single box I have available to throw at this, and
someone else is paid to maintain security updates).

https://github.com/syscomet/openntpd

The current CVS of ntpd was imported to the initial branch "openbsd" and
I branched "master" from that.  I then pulled in the imsg stuff from
current OpenBSD and then went through the FreeBSD Ports packages,
applying the changes which seemed sane (almost all of them).  Only
*incompatibility* with upstream is storing drift information as parts
per million, for compatibility with reference ntpd.

I made the routing table support conditional upon a compat.h #define
which currently defaults undef, because my dev box is in need of a major
OS upgrade and I don't have multiple routing table support on my FreeBSD
box.

Seems to work for me.  Is a starting point for being able to hack other
stuff in.  I only care about leap-seconds.

I'm thinking leap-second support should come in two modes:

 * Pause system time for one second, per reference ntpd.
 * Smear time, for a little while before and after the leap-second, so
   that adjtime takes care of it; I know at least one large install does
   this, to avoid major issues

I do not see any need to support:

 * Standards compliant, non-monotonic time, repeat a second

For smearing, since adjtime stuff is a 10% variance and we need to
handle 1 second, 10 seconds at max frequency skew should do it.  Double
that, so we're not at max and can account for pre-existing need for
adjustment, and that's a 20 second window centered on the leap-second.

To deal with all the brokenness detailed at:
  http://members.iinet.net.au/~nathanael/ntpd/leap-second.html
I'm pondering options.

I suspect that for one day before the cut-over, if a server appears to
be a second off in the direction indicated by the leapsecond, and the
server hasn't set the leap flag, then auto-add/subtract the implicit
second to/from its time, to get the effective time for calculations.

*After* the cut-over is more awkward, as the leap flag is cleared after
the leap-second, so we can't implicitly tell if the server never knew of
the leap-second and is wrong, or if the server has adjusted but its time
is legitimately different.

I'm thinking of in-memory state to track if we did see the leap-second
from that server, and keep it for two days, and lose the state if
someone restarts ntpd, so that we then need to rely upon normal voting
rules.

Informed feedback very welcome.  For now, I'm going to be a slacker and
go to bed.
-Phil

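The two mechanisms proposed in the message above, worked through with the thread's own numbers, as an added example that is not OpenNTPD code and not Phil's repository: a linear smear sized from the 10% adjtime() slew rate (1 s at full rate takes 10 s, doubled to a 20 s window centred on the leap), and a per-peer in-memory record of who announced the leap, used to strip the implicit second from a peer that never set the leap indicator and sits about one second off in the leap direction. `LEAP_TIME` (2012-07-01 00:00:00 UTC as a Unix timestamp), `MAX_SLEW`, `TOLERANCE` and the two-day memory are assumptions; the peer names in the demo are constructed.

```python
"""Leap-second smear and leap-ignorant-peer correction (added example).

Not OpenNTPD code.  Constants below are assumptions taken from the thread.
"""

LEAP_TIME = 1341100800   # assumed: 2012-07-01 00:00:00 UTC, the leap in the thread
MAX_SLEW = 0.10          # assumed adjtime() slew rate (10%) quoted in the thread
TOLERANCE = 0.1          # assumed: how close to 1 s counts as "a second off"
DAY = 86400


def smear_window(step=1.0, max_slew=MAX_SLEW, safety=2.0):
    """Seconds over which to spread a clock step of `step` seconds.

    step / max_slew is the time adjtime() needs at full rate; the safety
    factor leaves headroom for the ordinary correction already in progress.
    """
    return step / max_slew * safety      # 1 / 0.1 * 2 = 20 s


def smear_offset(now, leap_time=LEAP_TIME, direction=+1, window=None):
    """Correction to add to a leap-ignorant clock at `now`.

    direction +1 is an inserted second (23:59:60), -1 a deleted one.  The
    result ramps linearly from 0 at the start of the window to -direction
    at its end, so Unix time never jumps or repeats; the smeared clock is
    never more than 1 s from UTC and the slew it demands is 1/window.
    """
    if window is None:
        window = smear_window()
    start = leap_time - window / 2.0
    frac = (now - start) / window
    frac = min(1.0, max(0.0, frac))
    return -direction * frac


def smear_rate(window=None):
    """Peak slew demanded by the smear; must stay below MAX_SLEW."""
    if window is None:
        window = smear_window()
    return 1.0 / window


class LeapTracker:
    """Remembers, per peer, whether it ever announced the coming leap.

    State is in-memory only: after an ntpd restart nothing is remembered
    and offsets go into the normal vote uncorrected, as the thread proposes.
    """

    def __init__(self, leap_time=LEAP_TIME, direction=+1,
                 tolerance=TOLERANCE, remember=2 * DAY):
        self.leap_time = leap_time
        self.direction = direction
        self.tolerance = tolerance
        self.remember = remember
        self.announced = set()

    def observe(self, peer, leap_indicator_set):
        """Record a reply; a peer that set the leap indicator knows about the leap."""
        if leap_indicator_set:
            self.announced.add(peer)

    def effective_offset(self, peer, offset, now):
        """Offset to feed into the vote for `peer`.

        `offset` is the peer's clock minus ours.  In the day before the leap
        and for `remember` seconds after it, a peer that never announced the
        leap and is about one second off in the leap direction is taken to
        be ignorant of it, and the implicit second is removed.
        """
        in_window = self.leap_time - DAY <= now < self.leap_time + self.remember
        if peer in self.announced or not in_window:
            return offset
        if abs(offset - self.direction) <= self.tolerance:
            return offset - self.direction
        return offset


if __name__ == "__main__":
    for t in (LEAP_TIME - 15, LEAP_TIME - 5, LEAP_TIME, LEAP_TIME + 5, LEAP_TIME + 15):
        print("t=%+d s from leap: smear %.3f s" % (t - LEAP_TIME, smear_offset(t)))
    print("peak slew %.3f, limit %.3f" % (smear_rate(), MAX_SLEW))
    tracker = LeapTracker()
    tracker.observe("ntp.good.example", True)    # constructed peer names
    tracker.observe("ntp.stale.example", False)
    for peer in ("ntp.good.example", "ntp.stale.example"):
        print(peer, tracker.effective_offset(peer, 1.01, LEAP_TIME + 60))
```

The smear keeps the peak slew at 0.05, half the assumed adjtime() limit, which is the headroom the message asks for. The after-leap correction only works while the tracker remembers which peers announced the leap; once that state is gone, a stale peer is simply outvoted.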


Re: Trusting the Installation

2012-03-04 Thread etechlist
On Sun, Mar 04, 2012 at 12:12:19PM +0100, Anonymous Remailer (austria) wrote:
> > the reason is "you can download source code, look at it, make sure for
> > yourself there's no backdoors, build your own ISO from source code"
> 
> You can but nobody does. If the entire OpenBSD team can't finish a complete
> audit of OpenBSD in one release cycle how long do you suppose it would take
> one person to do that? Not very practical.

He obviously is not providing any useful input but pretending to be a
pro. 



Re: Trusting the Installation

2012-03-04 Thread Martin Schröder
2012/3/4 PP;QQ P(P8P?P8QP8P= :
> the reason is "you can download source code, look at it, make sure for
> yourself there's no backdoors, build your own ISO from source code"

Who does that? Did _you_ check the code?

Best
   Martin



Re: Trusting the Installation

2012-03-04 Thread Anonymous Remailer (austria)
> the reason is "you can download source code, look at it, make sure for
> yourself there's no backdoors, build your own ISO from source code"

You can but nobody does. If the entire OpenBSD team can't finish a complete
audit of OpenBSD in one release cycle how long do you suppose it would take
one person to do that? Not very practical.



Re: Trusting the Installation

2012-03-04 Thread Илья Шипицин
On 29 February 2012 at 8:44, Nathan Stiles wrote:

> Hello,
> I've recently installed 5.0 and based upon my experience
> I expected a checksum to be posted for the ISO.
> Also I've noticed that HTTPS isn't implemented on openbsd.org.
> I was also expecting the checksum to be served over HTTPS.
>

if you mean public SSL certs, it's about $500/year.
are you willing to pay for SSL certs?

I can do the rest. I have installed tens of SSL-enabled services.



> I'm sure theres a good reason why this isn't necessary?
>

the reason is "you can download source code, look at it, make sure for
yourself there's no backdoors, build your own ISO from source code"

I wonder why you are not doing that with every ISO (which you prefer to
download via torrent).


> I want to check the files I've downloaded against something?
> Obviously I can check a few random mirrors to ensure
> that files are identical.  What are others doing?
>

others are doing what they want :-)
it's open source. you can also do what you want.


>
> Thanks,
> Nathan

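A worked version of the cross-mirror check Nathan asks about ("check a few random mirrors to ensure that files are identical"), added here as an example and not part of the thread or of OpenBSD's own tools. It assumes the `SHA256 (file) = hex` listing format and a checksum fetched separately from several mirrors; the image bytes, the mirror names and the `install50.iso` listings below are constructed stand-ins. The point it enforces is the one the thread circles around: a checksum is only as trustworthy as the independence of the places it came from, so the image is refused when the mirrors disagree, not only when the hash mismatches.

```python
"""Cross-mirror SHA256 check for a downloaded release image (added example).

Not OpenBSD tooling.  Mirror listings and the image are constructed samples.
"""
import hashlib
import hmac
import re
from collections import Counter

# Assumed listing format: "SHA256 (install50.iso) = <64 hex chars>"
CHECKSUM_LINE = re.compile(
    r"^SHA256 \((?P<name>[^()]+)\) = (?P<digest>[0-9A-Fa-f]{64})$")


def parse_sha256_file(text):
    """Parse a SHA256 listing into {filename: hex digest}; other lines are ignored."""
    digests = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            digests[m.group("name")] = m.group("digest").lower()
    return digests


def sha256_hex(data):
    """SHA-256 of an in-memory blob (a real image would be hashed in chunks)."""
    return hashlib.sha256(data).hexdigest()


def consensus_digest(mirror_listings, filename):
    """Compare the digest each mirror publishes for `filename`.

    Returns (digest, dissenters).  digest is set only when every mirror that
    lists the file agrees; otherwise it is None and dissenters names the
    mirrors that differ from the majority, so you know where to look.
    """
    votes = {}
    for mirror, text in mirror_listings.items():
        d = parse_sha256_file(text).get(filename)
        if d is not None:
            votes[mirror] = d
    if not votes:
        return None, []
    majority, _ = Counter(votes.values()).most_common(1)[0]
    dissenters = sorted(m for m, d in votes.items() if d != majority)
    return (majority if not dissenters else None), dissenters


def verify_image(data, filename, mirror_listings):
    """Check `data` against the mirrors' consensus digest.

    Returns (ok, reason).  Refuses the image when the mirrors disagree with
    each other, not only when the computed hash mismatches.
    """
    expected, dissenters = consensus_digest(mirror_listings, filename)
    if expected is None:
        if dissenters:
            return False, "mirrors disagree: " + ", ".join(dissenters)
        return False, "no mirror lists " + filename
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch: got %s, expected %s" % (actual, expected)
    return True, "digest matches every mirror that lists " + filename


# Constructed samples: a stand-in for the image and three mirror listings.
SAMPLE_IMAGE = b"constructed stand-in for install50.iso, not a real image\n"
GOOD_DIGEST = sha256_hex(SAMPLE_IMAGE)
MIRRORS = {
    "mirror-a": "SHA256 (install50.iso) = %s\nSHA256 (base50.tgz) = %s\n"
                % (GOOD_DIGEST, "0" * 64),
    "mirror-b": "SHA256 (install50.iso) = %s\n" % GOOD_DIGEST,
    # A swapped listing: the tampered mirror the thread worries about.
    "mirror-c": "SHA256 (install50.iso) = %s\n" % ("f" * 64),
}

if __name__ == "__main__":
    honest = {k: MIRRORS[k] for k in ("mirror-a", "mirror-b")}
    print(verify_image(SAMPLE_IMAGE, "install50.iso", honest))
    print(verify_image(SAMPLE_IMAGE, "install50.iso", MIRRORS))
    print(verify_image(b"tampered image", "install50.iso", honest))
```

With the three constructed listings the image passes against the two honest mirrors and is refused as soon as the swapped one is included, even though the computed hash is fine; that is the difference between checking a file and checking the source of its checksum.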


Re: Trusting the Installation

2012-03-04 Thread Hugo Osvaldo Barrera
On 2012-02-29 01:13, Nico Kadel-Garcia wrote:
> This just came up in the Scientific Linux mailing list. While checksums are
> useful, they're not helpful if both the checksum and the file itself are
> corrupted. Someone (namely me!) also pointed out the possibility of
> manipulating the FTP or HTTP transmission en route, and I pointed out the
> risk of a Trojan infested mirror, Bittorrent, or other popular network
> access source. It's why I'm happy to use Bittorrent to get ISO's in a
> speedy fashion, but *ALWAYS* check the checksums against the original
> source when download is complete.

I had never thought of this.  Using torrents for the file itself, and
HTTP for the checksum seems to be quite secure (at least compared to the
alternatives).  Especially if the torrent has hundreds of seeders.

-- 
Hugo Osvaldo Barrera