Re: ffs and utf8

2014-12-03 Thread Dmitrij D. Czarkoff
Joel Rees said:
> Maybe it would be better just to not make those directories until they
> are needed by an application, and then ask the user to name them
> instead of providing standard names.

Actually, it is still workable if you carry your ~/.config/user-dirs.dir
around, so that you could install it before you first log into GNOME.  I
used this approach to sanitize structure of my home directory when I
needed a working GNOME desktop.

-- 
Dmitrij D. Czarkoff



Re: ffs and utf8

2014-12-03 Thread Theo de Raadt
>Joel Rees writes:
>> 2014/12/03 22:23 "Dmitrij D. Czarkoff" :
>> >
>> > First of all, I really don't believe that preservation of non-canonical
>> > form should be a consideration for any software.
>> 
>> There is no particular canonical form for some kinds of software.
>> 
>> Unix, in particular, happens to have file name limitations that are
>> compatible with all versions of Unicode past 2.0, at least, in UTF-8, but
>> it has no native encoding.
>
>To me, the current state of affairs--where filenames can contain
>anything and the same filename can and does get interpreted differently
>by different programs--feels extremely dangerous. Moving to a single,
>well-defined encoding for filenames would make things simpler and
>safer. Well, it might. That's why we're discussing this carefully, to
>figure out if something like this is actually workable.
>
>There are two kinds of features being discussed:
>
>1) Unicode normalization. This is analogous to case insensitivity:
>   multiple filenames map to the same (normalized) filename.
>
>2) Disallowing particular characters. 1-31 and invalid UTF-8 sequences
>   are popular examples.
>
>Maybe one is workable. Maybe both are, or neither.
>
>Say I have a hypothetical machine with the above two features
>(normalizing to NFC, disallowing 1-31/invalid UTF-8). Now I log into a
>typical Unix "anything but \0 or /" machine, via SFTP or whatever. What
>are the failure modes?
>
>The first kind is that I could type "get x" followed by "get y",
>where x and y are canonically the same in Unicode but represented
>differently because they're not normalized on the remote host. I would
>expect this to work smoothly: first I download x to NFC(x), and then
>b overwrites it.
>
>The second kind is that I could type "get z", where z contains an invalid
>character. How should my system handle this? Error as if I had asked for
>a filename that's too long? Come up with a new errno? I don't know, but
>in this hypothetical machine it should fail somehow.
>
>But creating new files is only part of the problem. If we still allow
>them in existing files, we lose all the security/robustness benefits
>and just annoy ourselves by adding restrictions with no point.
>
>So say I mount a filesystem containing the same files a, b, and c. What
>happens?
>
> - Fail to mount? (Simultaneously simplest, safest, and least useful)
> - Hide the files? (Seems potentially unsafe)
> - Try to escape the filenames? (Seems crazy)
>
>Is it currently possible to take a hex editor and add "/" to a filename
>(as opposed to a pathname) inside a disk image? If that's possible, how
>do systems currently deal with it? Because it's the same problem.
>
>FAT32 has both case insensitivity and disallowed characters. How well
>does OpenBSD handle those restrictions? If not optimally, then how can
>they be made better? If it already handles them with aplomb, then is
>it applicable to the above scenarios?

http://en.wikipedia.org/wiki/Where%27s_the_beef%3F

I mean, where's the diffs for all these issues?

Oh.  There is no beef.

This is idle chatter hoping someone supplies some secret sauce that
makes a disparate audience with different demands all happy.


Why don't you guys go write some code and prove your points?
Maybe this is simply a very hard problem, and not going to be satisfied
by people who simply talk about it?



Re: OT:Password strength

2014-12-03 Thread Theo de Raadt
>From: Eric Furman 
>To: Brad Smith 
>Cc: Ted Unangst , OpenBSD Misc 
>Subject: Re: OT:Password strength
>Date: Wed, 03 Dec 2014 22:36:17 -0500
>
>On Wed, Dec 3, 2014, at 08:27 AM, Brad Smith wrote:
>> On 11/30/14 15:20, Ted Unangst wrote:
>> > Examples:
>> >
>> > treetykaveprethicooputhedu
>> > soonataviceenoopatecoge
>> > gootrozapiceelytrithunula
>> > preezypeendothanundipeesooka
>> 
>> That defeats the purpose of the second example in the OP's question.
>
>I think I like Schneier's scheme:
>So if you want your password to be hard to guess, you should choose
>something that this process will miss. My advice is to take a sentence
>and turn it into a password. Something like "This little piggy went to
>market" might become "tlpWENT2m". That nine-character password won't be
>in anyone's dictionary. Of course, don't use this one, because I've
>written about it. Choose your own sentence -- something personal.
>https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
>
>This scheme generates long hard passwords that are fairly easy to
>remember.
>And if I had read this article first I never would have asked my
>original question.
>Thanks to all who contributed, but I think we can kill this thread now.



Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Vivek Vinod
Sorry for speaking out of turn and adding a bit of noise. A non-techie mind 
like mine would like to think, "why not have a router which can work both as a 
home router and work router?"

We have been using Mikrotik routerboards for 7 years and have been very 
happy with those. Wouldn't it be good to take a look at similar boards with 
multiple NICs? Costing ranges from 100 to 200 $

  Original Message  
From: Gene
Sent: Wednesday 3 December 2014 23:39
To: Alan McKay
Cc: misc@openbsd.org
Subject: Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

On Wed, Dec 3, 2014 at 9:49 AM, Alan McKay  wrote:

> This is very interesting - I've been looking at various small boxes
> like this to use as a home firewall.
> The only problem is that not many of them have 2 NICs, and the ones
> that do are very expensive (higher end Zotac)
>
> Does anyone know of a similar device with 2 NICs that might be
> suitable as a home firewall?
>

Look into the PC Engines ALIX and APU system boards. You can get kits for
under $200, or sometimes for less on eBay.

http://www.pcengines.ch

Great hardware. I have a couple of the ALIX boards. The APU series has
gigabit NICs and a lot more horse power. If you search the mailing list
you'll see several mentions for it.


> What about one of the Open Firmware firewalls like ASUS? Is there an
> OpenBSD load for those? Instead of Tomato or the likes ...
>

-Gene
(p.s. I'm bad at mailing lists and didn't reply all last time, I apologise
for emailing you twice, Alan).



Re: ffs and utf8

2014-12-03 Thread Anthony J. Bentley
Joel Rees writes:
> 2014/12/03 22:23 "Dmitrij D. Czarkoff" :
> >
> > First of all, I really don't believe that preservation of non-canonical
> > form should be a consideration for any software.
> 
> There is no particular canonical form for some kinds of software.
> 
> Unix, in particular, happens to have file name limitations that are
> compatible with all versions of Unicode past 2.0, at least, in UTF-8, but
> it has no native encoding.

To me, the current state of affairs--where filenames can contain
anything and the same filename can and does get interpreted differently
by different programs--feels extremely dangerous. Moving to a single,
well-defined encoding for filenames would make things simpler and
safer. Well, it might. That's why we're discussing this carefully, to
figure out if something like this is actually workable.

There are two kinds of features being discussed:

1) Unicode normalization. This is analogous to case insensitivity:
   multiple filenames map to the same (normalized) filename.

2) Disallowing particular characters. 1-31 and invalid UTF-8 sequences
   are popular examples.

Maybe one is workable. Maybe both are, or neither.

Say I have a hypothetical machine with the above two features
(normalizing to NFC, disallowing 1-31/invalid UTF-8). Now I log into a
typical Unix "anything but \0 or /" machine, via SFTP or whatever. What
are the failure modes?

The first kind is that I could type "get x" followed by "get y",
where x and y are canonically the same in Unicode but represented
differently because they're not normalized on the remote host. I would
expect this to work smoothly: first I download x to NFC(x), and then
b overwrites it.

The second kind is that I could type "get z", where z contains an invalid
character. How should my system handle this? Error as if I had asked for
a filename that's too long? Come up with a new errno? I don't know, but
in this hypothetical machine it should fail somehow.

But creating new files is only part of the problem. If we still allow
them in existing files, we lose all the security/robustness benefits
and just annoy ourselves by adding restrictions with no point.

So say I mount a filesystem containing the same files a, b, and c. What
happens?

 - Fail to mount? (Simultaneously simplest, safest, and least useful)
 - Hide the files? (Seems potentially unsafe)
 - Try to escape the filenames? (Seems crazy)

Is it currently possible to take a hex editor and add "/" to a filename
(as opposed to a pathname) inside a disk image? If that's possible, how
do systems currently deal with it? Because it's the same problem.

FAT32 has both case insensitivity and disallowed characters. How well
does OpenBSD handle those restrictions? If not optimally, then how can
they be made better? If it already handles them with aplomb, then is
it applicable to the above scenarios?

-- 
Anthony J. Bentley
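
The two policies discussed in the message above (normalize to NFC; refuse bytes 1-31 and invalid UTF-8), as an added example that is not part of the original post and not OpenBSD code. It audits raw filenames as a remote listing might return them and reports which would be refused and which would land on the same name after normalization; the function names `classify` and `audit` and the sample names are constructed for illustration.

```python
"""Audit raw filenames against the two policies from the thread:
(1) normalize to NFC, (2) refuse bytes 1-31 and invalid UTF-8."""
import unicodedata
from collections import defaultdict


def classify(raw: bytes):
    """Return (True, nfc_name) if the name is acceptable, else (False, reason)."""
    if raw == b"":
        return False, "empty name"
    # The usual Unix rule: anything but NUL or '/'.
    if b"\0" in raw or b"/" in raw:
        return False, "contains NUL or '/'"
    if any(1 <= byte <= 31 for byte in raw):
        return False, "contains control byte in 1-31"
    try:
        # Strict decoding also rejects overlong forms and surrogates.
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return False, f"invalid UTF-8 at byte {exc.start}"
    return True, unicodedata.normalize("NFC", text)


def audit(raw_names):
    """Group acceptable names by their NFC form and collect the refused ones."""
    rejected = []
    by_nfc = defaultdict(list)
    for raw in raw_names:
        ok, value = classify(raw)
        if ok:
            by_nfc[value].append(raw)
        else:
            rejected.append((raw, value))
    # Two different byte strings with one NFC form: the second "get"
    # would silently overwrite the first on a normalizing file system.
    collisions = {name: raws for name, raws in by_nfc.items() if len(raws) > 1}
    return {
        "accepted": sorted(by_nfc),
        "rejected": rejected,
        "collisions": collisions,
    }


# Constructed sample listing (not taken from any real system).
SAMPLE = [
    b"caf\xc3\xa9.txt",    # precomposed U+00E9 (already NFC)
    b"cafe\xcc\x81.txt",   # 'e' + combining acute U+0301 (NFD form)
    b"report\n.txt",       # embedded newline, a byte in 1-31
    b"latin1-\xe9.txt",    # ISO 8859-1 byte, not valid UTF-8
    b"\xc0\xafetc",        # overlong encoding of '/', not valid UTF-8
    b"plain.txt",
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    for raw, reason in report["rejected"]:
        print(f"refuse  {raw!r}: {reason}")
    for name, raws in report["collisions"].items():
        print(f"collide {name!r} <- {raws!r}")
    for name in report["accepted"]:
        print(f"accept  {name!r}")
```

Because collisions are reported separately, a client could refuse the second transfer instead of overwriting the first download.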



Re: missing packages for SPARC

2014-12-03 Thread Theo de Raadt
>dev wrote:
>> It would be a waste of effort to look at anything previous to a
>> Sun Fire V890 or any UltraSPARC IV based server.  There are very
>> few out there running Solaris any more and only hobby types have
>> SPARC anywhere else.
>The first thing you forget is the fun factor. People devote time in 
>open-source also because of fun and  other "profit" from it. If 
>everything was for profit, a lot wouldn't exist.
>Otherwise just use Windows or RedHat on intel... and suffer with their bugs!
>
>You might find fun in driving your 1976 car and even learn how to steer, 
>how to drive without traction control. Perhaps you won't use it for 
>daily commuting, but to go to the lake in the weekends?
>
>Also, we are not speaking here of Solaris, but of OpenBSD. It can run on 
>slower stuff even.
>
>Last point, I have developed (= code) open source software for many years. 
>Not only do I take pride that it runs on lesser known architectures and 
>operating systems, but doing so helped me find so many bugs that make my 
>software more robust and reliable than the average program coded for 
>"Linux and x86".
>Buffer overflows, uninitialized variables.. especially structure members 
>are very sensitive on SPARC.
>
>My stuff is more desktop oriented, so perhaps of less use for some 
>people here, but still !
>
>Right below my SS20 there is a Fire, so don't worry, I'm working to get 
>my stuff working on Solaris and UltraSPARC too. If it runs on both, it 
>is a gain for the free software world.

Sorry Riccardo, but Dennis is a businessman.

He does not care if you love doing this.  He would prefer that you
work on what HE NEEDS.

If you want to find out more, you can reach him at:


Not that you need to reach out to him.  People like him are very
common.  You could walk down the street and find a person with his
simplistic attitude.

They simply don't believe that good things are built by people who
love building good things.  After all, they are people of business.

They will never understand the magic that creates the effects that
have paid for their houses.  They think it is all built on modern
foundations, and that building on the stones of the past provides
no benefit.  Future, ho.  The past is just rubble, right.

But do say hi if you call him.  Again, I think there is no point in
bothering.  He is common.  You can find people with his simplistic
attitude by stepping outside.  (Except those people on your street
rarely arrive on a mailing list and preach that people should stop
loving what they love).  Of course I have far more reactionary private
mails from him exposing his character.  The waste of my time stops
here, so should the waste of your time -- work on the wonderful things
you want to.  We never know the fruits until we try.



Re: missing packages for SPARC

2014-12-03 Thread Theo de Raadt
>> > > You are speaking out of turn, basically insulting people who want
>> > > to make sure that older architectures do work.  The Sun Fire V890
>> > > and Niagara machines are not sparc architecture.  They are
>> > > sparc64.
>> > > 
>> > 
>> > Not sure where the anger is coming from. Regardless, there may be
>> > people that are interested in running OpenBSD on a DEC alphaserver
>> > or even a Sun SparcStation 20 from 1996 and that may just be
>> > entertainment.  I would hope that there was an interest in more
>> > modern architectures where OpenBSD may run very very well.
>> 
>> Oh just shut up.
>> 
>> I would hope you can keep your mouth shut when people talk about the
>> things they love to hack on.
>> 
>> Because otherwise, you know, you might come off looking like you are
>> a self-entitled prick who only wants them to work on things you want,
>> you know?
>
>
>Actually I was closely following the discussion on utf8 issues and found
>it interesting. OpenBSD is generally looked at as a serious and secure
>UNIX implementation and I was giving consideration to getting GCC 4.9.2
>built and tested on it.  I don't see results[1] in the GCC project for
>recent GCC and felt it would be of value to try.  With a recent GCC it
>may have been possible to then build Apache 2.4.x and some other things
>that would allow an up to date set of tools to exist.  These would allow
>a web site to run with great security and stability. Really that was my
>entire interest in OpenBSD.  Oh, that and the LibreSSL work and OpenSSH
>of course.
>
>You, however, seem to feel a need to crash into a room like a mad man
>off his meds.
>
>Not sure what your intent is.  What is it?  Really?



Let's be quite honest about this Dennis.

You aren't going to do shit because you don't have any skills.  You
are just a business person, not a programmer.


Thank you for adding the value of your words.



Re: Is there something seriously wrong ?

2014-12-03 Thread Theo de Raadt
Bye Dennis.

Not going to be influenced by you.  This is one of those rare
situations when I post a rebuke towards me from the "public".

This group does what it does.  We provide benefit to you.

You have no right to try to turn it around on us, on me.

The money and business you talk to is a complete lie, or I would have
heard of you before.


>Date: Wed, 3 Dec 2014 19:06:16 -0500 (EST)
>From: dev 
>Reply-To: dev 
>To: Theo de Raadt 
>Subject: Re: Is there something seriously wrong ?
>
>> On December 3, 2014 at 6:59 PM Theo de Raadt 
>> wrote:
>> 
>> 
>> Oh thanks for the advice mr businessman!
>> 
>> Let's be honest.  You aren't going to do anything at the
>> source code level which affects anyone.  You won't contribute
>> anything except for words.
>> 
>> Get lost.  I don't have time for your type, and you don't have
>> time for my type.
>
>Actually I generally invest and then support in various ways. Money and
>marketing go a long way to getting valid work done. Someone who can
>invest for three years with a project plan that leads to a viable
>product tends to know what he is doing. Did it before. Am doing it now
>with other projects. However, for some obscure reason that only you
>know, you lash out in anger and hatred at the drop of a hat. Any hat.
> That kills interest and drives people away. Interested people.
>
>At great risk of telling you something that may not be fully understood
>by you, source code is not the product or the project. Everything around
>the source code is the product and the project also. You seem to have a
>problem.  I don't think you fully know the damage that you are doing to
>yourself, to others and to your project.
>
>
>Dennis Clarke



intermittent problems compiling kdrive in xenocara

2014-12-03 Thread STeve Andre'

So, I am dumb.  Problem is, I don't know what it is that I don't know.

Every once in a while compiling xenocara, I get a fatal error when
dealing with kdrive.  I've looked for emails talking about this and
haven't found anything.  I've gone over release(8) and think I'm
OK.

What's frustrating is that this error comes and goes.  Sometimes
for months at a time things are OK.  I've resorted to getting a new
copy of xenocara when this happens, which is dumb.

I'm using the anoncvs server at spacehopper.org.

Since others aren't complaining about this it must be me.  So then,
how am I shooting myself (this time) ?  Clue sticks?  Error below.

tnx,  STeve Andre'

===> kdrive
cd /usr/xenocara/kdrive && exec make  -f Makefile.bsd-wrapper cleandir
cd /usr/xenocara/kdrive && exec make  -f Makefile.bsd-wrapper depend
no dependencies here yet
cd /usr/xenocara/kdrive && exec make  -f Makefile.bsd-wrapper all
PKG_CONFIG_LIBDIR="/usr/lib/pkgconfig:/usr/X11R6/lib/pkgconfig" 
CONFIG_SITE=/usr/xenocara/etc/config.site  CFLAGS="-O2 -pipe" 
MAKE="make" PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin  exec sh 
/usr/xenocara/kdrive/../xserver/configure --prefix=/usr/X11R6 
--sysconfdir=/etc  --mandir=/usr/X11R6/man 
--cache-file=/usr/xobj/xorg-config.cache.amd64  --localstatedir=/var 
--sysconfdir=/etc/X11  --with-xkb-path=/usr/X11R6/share/X11/xkb 
--with-xkb-output=/var/db/xkb  --with-default-xkb-rules=base 
--disable-xorg  --enable-xcsecurity  --enable-kdrive  --disable-dmx 
--disable-xnest  --disable-xvfb  --without-fop --without-xmlto 
--without-xsltproc --disable-silent-rules

configure: loading site script /usr/xenocara/etc/config.site
configure: creating cache /usr/xobj/xorg-config.cache.amd64
/usr/xenocara/kdrive/../xserver/configure[3569]: cannot create 
/usr/xobj/xorg-config.cache.amd64: No such file or directory

checking for a BSD-compatible install... (cached) /usr/bin/install -p
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... (cached) /bin/mkdir -p
checking for gawk... (cached) awk
checking whether make sets $(MAKE)... (cached) yes
configure: error: source directory already configured; run "make 
distclean" there first

*** Error 1 in kdrive (/usr/X11R6/share/mk/bsd.xorg.mk:179 'config.status')
*** Error 1 in kdrive (/usr/X11R6/share/mk/bsd.xorg.mk:211 'build')
*** Error 1 in . (:48 'realbuild')
*** Error 1 in /usr/xenocara (Makefile:36 'build')



Re: OT:Password strength

2014-12-03 Thread Eric Furman
On Wed, Dec 3, 2014, at 08:27 AM, Brad Smith wrote:
> On 11/30/14 15:20, Ted Unangst wrote:
> > Examples:
> >
> > treetykaveprethicooputhedu
> > soonataviceenoopatecoge
> > gootrozapiceelytrithunula
> > preezypeendothanundipeesooka
> 
> That defeats the purpose of the second example in the OP's question.

I think I like Schneier's scheme:
So if you want your password to be hard to guess, you should choose
something that this process will miss. My advice is to take a sentence
and turn it into a password. Something like "This little piggy went to
market" might become "tlpWENT2m". That nine-character password won't be
in anyone's dictionary. Of course, don't use this one, because I've
written about it. Choose your own sentence -- something personal.
https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

This scheme generates long hard passwords that are fairly easy to
remember.
And if I had read this article first I never would have asked my
original question.
Thanks to all who contributed, but I think we can kill this thread now.



Re: Staying -current with cvsup or cvsync

2014-12-03 Thread Stuart Henderson
On 2014-12-02, Jungle Boogie  wrote:
> Dear Stuart,
> 
> From: Stuart Henderson 
> Sent:  Tue, 2 Dec 2014 10:40:22 + (UTC)
> To: misc@openbsd.org
> Subject: Re: Staying -current with cvsup or cvsync
> >
>> On 2014-11-28, Jungle Boogie  wrote:
>>> Hello All,
>>>
>>> For the last several updates I've applied to my system, I've used plain CVS:
>>> cvs -q up -Pd
>>>
>>> This is pretty slow for some reason, but I understand that's just how CVS 
>>> works.
>>
>> I just timed an update of /usr/ports on my laptop at 63 seconds. That's 
>> fetching
>> from a good anoncvs server, with /usr/ports on SSD and mounted like this
>>
>> /dev/sd1j on /usr/ports type ffs (local, noatime, nodev, nosuid, softdep)
>
> 63 seconds is quite impressive! I've got a pata drive with only:
> (local,  nodev)

softdep can help a lot with big cvs updates, especially on disks which are
slower to access. Lots of files involved in a ports or src cvs tree (especially
ports) so there are a large number of inode changes that need to be written
to disk.

> How often do you fetch/rebuild?

It varies, I probably update the entire ports tree on my laptop once or
twice a week, and smaller parts if I'm working on them or if I see an
update I want in the commit log. For base, the last full update I did
was about 10 days ago, but again I've updated smaller parts more often
and I often update the kernel every few days. There will be lots of
differences between people (and at different times depending on what
they're working on).



Re: OT:Password strength

2014-12-03 Thread Brad Smith

On 12/03/14 15:04, Ted Unangst wrote:
> On Wed, Dec 03, 2014 at 08:27, Brad Smith wrote:
>> On 11/30/14 15:20, Ted Unangst wrote:
>>> Examples:
>>>
>>> treetykaveprethicooputhedu
>>> soonataviceenoopatecoge
>>> gootrozapiceelytrithunula
>>> preezypeendothanundipeesooka
>>
>> That defeats the purpose of the second example in the OP's question.
>
> If you want strong, short passwords that look ridiculous:
>
> dd if=/dev/random bs=1 count=9 | b64encode password

Still not getting it.




Re: missing packages for SPARC

2014-12-03 Thread Hugo Villeneuve
On Wed, Dec 03, 2014 at 09:46:04PM +0100, Christian Weisgerber wrote:
> patrick keshishian:
> 
> > how do you guys deal with disk space with sparc machines?
> > NFS?
> 
> Distfiles and packages on NFS, obj on local disk.

That works well. But I got tired of that, especially since I was down
to a 1G drive and I had to have /usr/{src,ports,obj,xenocara,xobj}
on NFS.

I put a new Seagate 73GB SCA drive in my SparcStation 20 (150MHz/224MB).
It works but I can only use part of it. 

After I got a few kmem_map out of space panics inside ufs_readdir,
I reduced my biggest partition from 25GB to 12GB and that seems to
have made them go away.

Although now, under heavy disk load, it cannot keep the clock
in time. I lose about 1 hour over a make build. (better than the
defunct mac68k port, annoying still.)


You may get different results with other SCA compatible Sparcs or
slower systems.


OpenBSD 5.6-stable (GENERIC) #2: Mon Dec  1 16:20:42 EST 2014
r...@ss20.eintr.net:/usr/src/sys/arch/sparc/compile/GENERIC
real mem = 234319872 (223MB)
avail mem = 225472512 (215MB)
mainbus0 at root: SUNW,SPARCstation-20
cpu0 at mainbus0: RT620/625 @ 150 MHz, on-chip FPU
cpu0: 512K byte write-back, 32 bytes/line, sw flush cache enabled
obio0 at mainbus0
clock0 at obio0 addr 0xf120: mk48t08 (eeprom)
timer0 at obio0 addr 0xf130: delay constant 48, frequency 200 Hz
zs0 at obio0 addr 0xf110 pri 12, softpri 6
zstty0 at zs0 channel 0: console
zstty1 at zs0 channel 1
zs1 at obio0 addr 0xf100 pri 12, softpri 6
zskbd0 at zs1 channel 0: no keyboard
zsms0 at zs1 channel 1
wsmouse0 at zsms0 mux 0
fdc0 at obio0 addr 0xf170 pri 11, softpri 4: chip 82077
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
auxreg0 at obio0 addr 0xf180
power0 at obio0 addr 0xf1a01000
cgfourteen0 at obio0 addr 0x9c00 pri 8: 8MB, rev 3.0, 1152x900
wsdisplay0 at cgfourteen0 mux 1
wsdisplay0: screen 0 added (std, sun emulation)
iommu0 at mainbus0 ioaddr 0xe000: version 0x1/0x1, page-size 4096, range 64MB
sbus0 at iommu0: 25 MHz
dma0 at sbus0 slot 15 offset 0x40: rev 2
esp0 at dma0 offset 0x80 pri 4: ESP200, 40MHz
scsibus0 at esp0: 8 targets, initiator 7
sd0 at scsibus0 targ 3 lun 0:  SCSI3 0/direct fixed naa.5000
sd0: 70007MB, 512 bytes/sector, 143374744 sectors
cd0 at scsibus0 targ 6 lun 0:  SCSI2 5/cdrom removable
ledma0 at sbus0 slot 15 offset 0x400010: rev 2
le0 at ledma0 offset 0xc0 pri 6: address 08:00:20:23:6b:8e
le0: 16 receive buffers, 4 transmit buffers
bpp0 at sbus0 slot 15 offset 0x480: DMA2
"SUNW,DBRIe" at sbus0 slot 14 offset 0x1 not configured
cgsix0 at sbus0 slot 2 offset 0x0 pri 9: SUNW,501-2325, 1152x900, rev 11
wsdisplay1 at cgsix0 mux 1
wsdisplay1: screen 0 added (std, sun emulation)
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
bootpath: /iommu@f,e000/sbus@f,e0001000/espdma@f,40/esp@f,80/sd@3,0
root on sd0a (9794594d03d23d76.a) swap on sd0b dump on sd0b



Re: missing packages for SPARC

2014-12-03 Thread Hugo Villeneuve
On Wed, Dec 03, 2014 at 04:42:52PM +0100, Tobias Ulmer wrote:
> On Tue, Dec 02, 2014 at 10:35:43PM +0100, Riccardo Mottola wrote:
> > Hi,
> > 
> > I was pkg_add'ing some essential packages on a freshly installed SPARC
> > machine. I noticed that several packages are missing. I thought it was the
> > mirror, but they are missing on the master ftp too.
> > I know that some packages might not build on sparc or do not make sense on
> > that platform, however I was looking for pretty general stuff: libxmsl,
> > libxslt or subversion.
> 
> It looks like sparc 5.6 packages were built without the modf fix :(
> 
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/sparc/gen/modf.S
> 
> There isn't much that doesn't require python as a build-depends
> somewhere...

Ok, that fix made me able to build mutt, python 2.7.

> 
> You're welcome to help out. There is an open issue with bash and
> setjmp/longjmp (guessing) that breaks dbus (iirc). I've lost countless
> hours and gave up on that.

Yeah, I got blocked with "bash" dependent ports (ruby-2.0 for subversion). 


For a limited time, my small untrustworthy local sparc 5.6-stable
package collection:

http://vent.eintr.net:8040/pub/OpenBSD/5.6/packages/sparc/



Re: missing packages for SPARC

2014-12-03 Thread Riccardo Mottola

Hi,

dev wrote:

> It would be a waste of effort to look at anything previous to a
> Sun Fire V890 or any UltraSPARC IV based server.  There are very
> few out there running Solaris any more and only hobby types have
> SPARC anywhere else.

The first thing you forget is the fun factor. People devote time in 
open-source also because of fun and other "profit" from it. If 
everything was for profit, a lot wouldn't exist.

Otherwise just use Windows or RedHat on intel... and suffer with their bugs!

You might find fun in driving your 1976 car and even learn how to steer, 
how to drive without traction control. Perhaps you won't use it for 
daily commuting, but to go to the lake in the weekends?


Also, we are not speaking here of Solaris, but of OpenBSD. It can run on 
slower stuff even.


Last point, I have developed (= code) open source software for many years. 
Not only do I take pride that it runs on lesser known architectures and 
operating systems, but doing so helped me find so many bugs that make my 
software more robust and reliable than the average program coded for 
"Linux and x86".
Buffer overflows, uninitialized variables.. especially structure members 
are very sensitive on SPARC.


My stuff is more desktop oriented, so perhaps of less use for some 
people here, but still !


Right below my SS20 there is a Fire, so don't worry, I'm working to get 
my stuff working on Solaris and UltraSPARC too. If it runs on both, it 
is a gain for the free software world.



Riccardo



Re: missing packages for SPARC

2014-12-03 Thread System Administrator
On 3 Dec 2014 at 18:36, dev wrote:

> > > > You are speaking out of turn, basically insulting people who want
> > > > to make sure that older architectures do work.  The Sun Fire V890
> > > > and Niagara machines are not sparc architecture.  They are
> > > > sparc64.
> > > > 
> > > 
> > > Not sure where the anger is coming from. Regardless, there may be
> > > people that are interested in running OpenBSD on a DEC alphaserver
> > > or even a Sun SparcStation 20 from 1996 and that may just be
> > > entertainment.  I would hope that there was an interest in more
> > > modern architectures where OpenBSD may run very very well.
> > 
> > Oh just shut up.
> > 
> > I would hope you can keep your mouth shut when people talk about the
> > things they love to hack on.
> > 
> > Because otherwise, you know, you might come off looking like you are
> > a self-entitled prick who only wants them to work on things you want,
> > you know?
> 
> 
> Actually I was closely following the discussion on utf8 issues and found
> it interesting. OpenBSD is generally looked at as a serious and secure
> UNIX implementation and I was giving consideration to getting GCC 4.9.2
> built and tested on it.  I don't see results[1] in the GCC project for
> recent GCC and felt it would be of value to try.  With a recent GCC it
> may have been possible to then build Apache 2.4.x and some other things
> that would allow an up to date set of tools to exist.  These would allow
> a web site to run with great security and stability. Really that was my
> entire interest in OpenBSD.  Oh, that and the LibreSSL work and OpenSSH
> of course.
> 
> You, however, seem to feel a need to crash into a room like a mad man
> off his meds.
> 
> Not sure what your intent is.  What is it?  Really?

Pot meet kettle. Of course the big difference is that kettle has been 
running the show (and very successfully too) for the past two decades.

Now, let this thread die! All entertainment value has long evaporated.

> Dennis
> 
> 
> [1] https://gcc.gnu.org/gcc-4.9/buildstat.html



Re: missing packages for SPARC

2014-12-03 Thread dev
> > 
> > > I will dust off my ss20 this weekend see if it powers up.
> > > 
> > 
> > A SparcStation 20 is a relic for historical reference only. A cool
> > item and if it powers up I would be surprised. However it won't
> > make any more sense than to have a 1976 Ford truck as a daily
> > driver.
> > 
> > It would be a waste of effort to look at anything previous to a
> > Sun Fire V890 or any UltraSPARC IV based server.  There are very
> > few out there running Solaris any more and only hobby types have
> > SPARC anywhere else.
> > 
> > I ran OpenBSD 5.4 briefly on a small UltraSPARC Netra and it ran
> > very well. However I ran into issues trying to compile things.  I
> > may look at OpenBSD again but really anything less than a modern
> > Niagara class UltraSparc would be wasted efforts I think.
> 
> You are speaking out of turn, basically insulting people who want
> to make sure that older architectures do work.  The Sun Fire V890
> and Niagara machines are not sparc architecture.  They are sparc64.
> 

Not sure where the anger is coming from. Regardless, there may be people
that are interested in running OpenBSD on a DEC alphaserver or even a
Sun SparcStation 20 from 1996 and that may just be entertainment.  I
would hope that there was an interest in more modern architectures where
OpenBSD may run very very well.

Dennis



OT but reasonable

2014-12-03 Thread dev
I noticed this never was delivered to the list.

For what it's worth .. this was really what I was thinking.

Dennis


> -- Original Message --
> From: dev 
> To: Theo de Raadt 
> Cc: patrick keshishian ,
> Christian Weisgerber 
> Date: December 3, 2014 at 6:36 PM
> Subject: Re: missing packages for SPARC
> 
> 
> > > > You are speaking out of turn, basically insulting people who want
> > > > to make sure that older architectures do work.  The Sun Fire V890
> > > > and Niagara machines are not sparc architecture.  They are sparc64.
> > > >
> > >
> > > Not sure where the anger is coming from. Regardless, there may be people
> > > that are interested in running OpenBSD on a DEC alphaserver or even a
> > > Sun SparcStation 20 from 1996 and that may just be entertainment.  I
> > > would hope that there was an interest in more modern architectures where
> > > OpenBSD may run very very well.
> >
> > Oh just shut up.
> >
> > I would hope you can keep your mouth shut when people talk about the
> > things they love to hack on.
> >
> > Because otherwise, you know, you might come off looking like you are
> > a self-entitled prick who only wants them to work on things you want,
> > you know?
>
>
> Actually I was closely following the discussion on utf8 issues and found
> it interesting. OpenBSD is generally looked at as a serious and secure
> UNIX implementation and I was giving consideration to getting GCC 4.9.2
> built and tested on it.  I don't see results[1] in the GCC project for
> recent GCC and felt it would be of value to try.  With a recent GCC it
> may have been possible to then build Apache 2.4.x and some other things
> that would allow an up to date set of tools to exist.  These would allow
> a web site to run with great security and stability. Really that was my
> entire interest in OpenBSD.  Oh, that and the LibreSSL work and OpenSSH
> of course.
>
> You, however, seem to feel a need to crash into a room like a mad man
> off his meds.
>
> Not sure what your intent is.  What is it?  Really?
> 
> Dennis
> 
> 
> [1] https://gcc.gnu.org/gcc-4.9/buildstat.html



Re: missing packages for SPARC

2014-12-03 Thread dev
> > > You are speaking out of turn, basically insulting people who want
> > > to make sure that older architectures do work.  The Sun Fire V890
> > > and Niagara machines are not sparc architecture.  They are sparc64.
> > >
> >
> > Not sure where the anger is coming from. Regardless, there may be people
> > that are interested in running OpenBSD on a DEC alphaserver or even a
> > Sun SparcStation 20 from 1996 and that may just be entertainment.  I
> > would hope that there was an interest in more modern architectures where
> > OpenBSD may run very very well.
> 
> Oh just shut up.
> 
> I would hope you can keep your mouth shut when people talk about the
> things they love to hack on.
> 
> Because otherwise, you know, you might come off looking like you are
> a self-entitled prick who only wants them to work on things you want,
> you know?


Actually I was closely following the discussion on utf8 issues and found
it interesting. OpenBSD is generally looked at as a serious and secure
UNIX implementation and I was giving consideration to getting GCC 4.9.2
built and tested on it.  I don't see results[1] in the GCC project for
recent GCC and felt it would be of value to try.  With a recent GCC it
may have been possible to then build Apache 2.4.x and some other things
that would allow an up to date set of tools to exist.  These would allow
a web site to run with great security and stability. Really that was my
entire interest in OpenBSD.  Oh, that and the LibreSSL work and OpenSSH
of course.

You, however, seem to feel a need to crash into a room like a mad man
off his meds.

Not sure what your intent is.  What is it?  Really?

Dennis


[1] https://gcc.gnu.org/gcc-4.9/buildstat.html



Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Alan McKay
I see one of these on my local kijiji but can't tell whether or not
it has a PCI slot.  It is not on the hardware list of that parkytowers
site

http://h10010.www1.hp.com/wwpc/us/en/sm/WF06a/12454-12454-321959-338927-5112717-5295294.html?dnr=2



Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Mikkel C. Simonsen

Alan McKay wrote:

> This is very interesting - I've been looking at various small boxes
> like this to use as a home firewall.
> The only problem is that not many of them have 2 NICs, and the ones
> that do are very expensive (higher end Zotac)
>
> Does anyone know of a similar device with 2 NICs that might be
> suitable as a home firewall?


As I have written many times - used thin clients are available in huge 
numbers as scrap. Many of them have a PCI or PCIe slot, so adding a 
second NIC is easy. I often use thin clients with a Compaq 2- or 4-port 
NIC. Total cost about 15-20 euros.


Best regards,

Mikkel C. Simonsen



Re: missing packages for SPARC

2014-12-03 Thread Theo de Raadt
> On Wed, Dec 03, 2014 at 05:54:14PM -0500, dev wrote:
> > > > We keep having this tail of zombie architectures.  Long obsolete
> > > > hardware, run by few people, with pitiful "best effort" package
> > > > builds happening each release and with luck once between.  They
> > > > slowly sink under the accumulating bitrot that nobody cares to fix,
> > > > but at the same time people can't bring themselves to completely
> > > > abandon those archs.  *shrug*
> > > 
> > 
> > > I will dust off my ss20 this weekend see if it powers up.
> > > 
> > 
> > A SparcStation 20 is a relic for historical reference only. A cool
> > item and if it powers up I would be surprised. However it won't
> > make any more sense than to have a 1976 Ford truck as a daily
> > driver.
> 
> What you miss is that running on these architectures exposes bugs that
> would otherwise not be found. Endianness issues, timing differences
> due to slower CPUs, alignment bugs, etc... And those bugs sometimes
> turn out to be MI bugs that affect all architectures.

Mike, you are talking way over his head...



Re: missing packages for SPARC

2014-12-03 Thread Mike Larkin
On Wed, Dec 03, 2014 at 05:54:14PM -0500, dev wrote:
> > > We keep having this tail of zombie architectures.  Long obsolete
> > > hardware, run by few people, with pitiful "best effort" package
> > > builds happening each release and with luck once between.  They
> > > slowly sink under the accumulating bitrot that nobody cares to fix,
> > > but at the same time people can't bring themselves to completely
> > > abandon those archs.  *shrug*
> > 
> 
> > I will dust off my ss20 this weekend see if it powers up.
> > 
> 
> A SparcStation 20 is a relic for historical reference only. A cool
> item and if it powers up I would be surprised. However it won't
> make any more sense than to have a 1976 Ford truck as a daily
> driver.

What you miss is that running on these architectures exposes bugs that
would otherwise not be found. Endianness issues, timing differences
due to slower CPUs, alignment bugs, etc... And those bugs sometimes
turn out to be MI bugs that affect all architectures.

> 
> It would be a waste of effort to look at anything previous to a
> Sun Fire V890 or any UltraSPARC IV based server.  There are very
> few out there running Solaris any more and only hobby types have
> SPARC anywhere else.
> 
> I ran OpenBSD 5.4 briefly on a small UltraSPARC Netra and it ran
> very well. However I ran into issues trying to compile things.  I
> may look at OpenBSD again but really anything less than a modern
> Niagara class UltraSparc would be wasted efforts I think.
> 
> Dennis



Re: missing packages for SPARC

2014-12-03 Thread Theo de Raadt
> > > > I will dust off my ss20 this weekend see if it powers up.
> > > > 
> > > 
> > > A SparcStation 20 is a relic for historical reference only. A cool
> > > item and if it powers up I would be surprised. However it won't
> > > make any more sense than to have a 1976 Ford truck as a daily
> > > driver.
> > > 
> > > It would be a waste of effort to look at anything previous to a
> > > Sun Fire V890 or any UltraSPARC IV based server.  There are very
> > > few out there running Solaris any more and only hobby types have
> > > SPARC anywhere else.
> > > 
> > > I ran OpenBSD 5.4 briefly on a small UltraSPARC Netra and it ran
> > > very well. However I ran into issues trying to compile things.  I
> > > may look at OpenBSD again but really anything less than a modern
> > > Niagara class UltraSparc would be wasted efforts I think.
> > 
> > You are speaking out of turn, basically insulting people who want
> > to make sure that older architectures do work.  The Sun Fire V890
> > and Niagara machines are not sparc architecture.  They are sparc64.
> > 
> 
> Not sure where the anger is coming from. Regardless, there may be people
> that are interested in running OpenBSD on a DEC alphaserver or even a
> Sun SparcStation 20 from 1996 and that may just be entertainment.  I
> would hope that there was an interest in more modern architectures where
> OpenBSD may run very very well.

Oh just shut up.

I would hope you can keep your mouth shut when people talk about the
things they love to hack on.

Because otherwise, you know, you might come off looking like you are
a self-entitled prick who only wants them to work on things you want,
you know?



Re: missing packages for SPARC

2014-12-03 Thread Theo de Raadt
> > > We keep having this tail of zombie architectures.  Long obsolete
> > > hardware, run by few people, with pitiful "best effort" package
> > > builds happening each release and with luck once between.  They
> > > slowly sink under the accumulating bitrot that nobody cares to fix,
> > > but at the same time people can't bring themselves to completely
> > > abandon those archs.  *shrug*
> > 
> 
> > I will dust off my ss20 this weekend see if it powers up.
> > 
> 
> A SparcStation 20 is a relic for historical reference only. A cool
> item and if it powers up I would be surprised. However it won't
> make any more sense than to have a 1976 Ford truck as a daily
> driver.
> 
> It would be a waste of effort to look at anything previous to a
> Sun Fire V890 or any UltraSPARC IV based server.  There are very
> few out there running Solaris any more and only hobby types have
> SPARC anywhere else.
> 
> I ran OpenBSD 5.4 briefly on a small UltraSPARC Netra and it ran
> very well. However I ran into issues trying to compile things.  I
> may look at OpenBSD again but really anything less than a modern
> Niagara class UltraSparc would be wasted efforts I think.

You are speaking out of turn, basically insulting people who want
to make sure that older architectures do work.  The Sun Fire V890
and Niagara machines are not sparc architecture.  They are sparc64.



Re: missing packages for SPARC

2014-12-03 Thread dev
> > We keep having this tail of zombie architectures.  Long obsolete
> > hardware, run by few people, with pitiful "best effort" package
> > builds happening each release and with luck once between.  They
> > slowly sink under the accumulating bitrot that nobody cares to fix,
> > but at the same time people can't bring themselves to completely
> > abandon those archs.  *shrug*
> 

> I will dust off my ss20 this weekend see if it powers up.
> 

A SparcStation 20 is a relic for historical reference only. A cool
item and if it powers up I would be surprised. However it won't
make any more sense than to have a 1976 Ford truck as a daily
driver.

It would be a waste of effort to look at anything previous to a
Sun Fire V890 or any UltraSPARC IV based server.  There are very
few out there running Solaris any more and only hobby types have
SPARC anywhere else.

I ran OpenBSD 5.4 briefly on a small UltraSPARC Netra and it ran
very well. However I ran into issues trying to compile things.  I
may look at OpenBSD again but really anything less than a modern
Niagara class UltraSparc would be wasted efforts I think.

Dennis



Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Martin Schröder
2014-12-03 18:49 GMT+01:00 Alan McKay :
> Does anyone know of a similar device with 2 NICs that might be
> suitable as a home firewall?

Yes. There are archives of this list.



ftp-proxy "pf operation failed: Device busy"

2014-12-03 Thread Stuart Henderson
Solved problem, but I'm mentioning it here for anyone searching the
list archives. If you use ftp-proxy and are having a failure to add
rules for the data-channel connections, with accompanying verbose
mode log entries like "pf operation failed: Device busy", check
the ftp-proxy command line and look for queues that no longer exist.

(Thanks phessler for a clue on this one :)



Re: [Bulk] Re: OT:Password strength

2014-12-03 Thread Kevin Chadwick
On Wed, 03 Dec 2014 22:53:22 +0100
Alexander Hall wrote:

> >> If you want strong, short passwords that look ridiculous:
> >>
> >> dd if=/dev/random bs=1 count=9 | b64encode password
> >>  
> >
> >And then try to remember that mess, or type it, especially into
> >a smartphone. Gaak! 8-O  
> 
> base64 ain't that bad, but might lack those special symbols which we all know 
> makes all the difference between a bad and a good password...

This is what I came up with

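#!/bin/sh
# Requested length; defaults to 12 when no argument is given.
n="$1"
max=500
# Random start offset (1..max) into the filtered character stream.
rn=$(($RANDOM %max + 1 ))
[[ -n "$n" ]] || n=12
if [[ $n -lt 8 ]]; then
echo "Using 12 as the password length, a length of $n would be too weak"
n=12
fi
rn2=$rn
let rn2=$rn2+$n-1
# Keep only the allowed characters from 2000 random bytes, then cut out n of them.
p=$( /bin/dd if=/dev/urandom bs=2000 count=1 2>/dev/null | tr -cd "a-zA-Z0-9?.,!\"-()@/:_;+&%*=<>$[]{}/\~^#|" | cut -c "$rn"-"$rn2" )
echo "${p}"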
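
An added example, not code from anyone in this thread: a POSIX sh generator that keeps reading /dev/urandom until enough characters survive the tr filter, and that puts a number on the entropy of the two approaches discussed above. CHARSET and the function names genpw, set_size and entropy_bits are this example's own.

```shell
#!/bin/sh
# Added example. CHARSET, genpw, set_size and entropy_bits are names made up
# for this example; they are not from the thread.

# Letters, digits and 16 symbols. '-' comes last so tr reads it literally.
CHARSET='A-Za-z0-9?.,!@/:_;+&%*=#-'

# genpw [LENGTH]: print LENGTH characters drawn uniformly from CHARSET.
genpw() {
    want=${1:-12}
    if [ "$want" -lt 8 ]; then
        echo "length $want is too weak, using 12" >&2
        want=12
    fi
    pw=
    # tr -dc drops every byte outside CHARSET. Each surviving byte is still
    # uniform over the set, so there is no modulo bias. Loop until enough
    # characters survive instead of trusting one fixed-size read.
    while [ "${#pw}" -lt "$want" ]; do
        chunk=$(dd if=/dev/urandom bs=256 count=1 2>/dev/null |
            LC_ALL=C tr -dc "$CHARSET")
        pw=$pw$chunk
    done
    printf '%s\n' "$pw" | cut -c "1-$want"
}

# set_size SET: how many printable ASCII characters a tr set matches.
set_size() {
    LC_ALL=C awk 'BEGIN { for (i = 33; i < 127; i++) printf "%c", i }' |
        LC_ALL=C tr -dc "$1" | wc -c | tr -d ' '
}

# entropy_bits SYMBOLS LENGTH: bits in LENGTH uniform picks from SYMBOLS.
entropy_bits() {
    LC_ALL=C awk -v s="$1" -v n="$2" \
        'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}

size=$(set_size "$CHARSET")
echo "password:                   $(genpw 12)"
echo "12 chars from $size symbols:   $(entropy_bits "$size" 12) bits"
echo "9 random bytes (12 base64): $(entropy_bits 256 9) bits"
```

At the same 12-character length the symbol set adds only a few bits over base64; length contributes far more than the alphabet does.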



Re: Disk /dev/X is user root, group wheel, permissions brw-r-----.

2014-12-03 Thread Mike Burns
On 2014-12-03 22.28.50 +, Ezequiel Garzon wrote:
> > It must be root.operator and the mode must NOT include user-readable,
> > user-writable, or group-readable.
> 
> Maybe I don't know what "operator" means in this context.

chgrp operator /dev/X

-Mike



Re: Disk /dev/X is user root, group wheel, permissions brw-r-----.

2014-12-03 Thread Ezequiel Garzon
> It must be root.operator and the mode must NOT include user-readable,
> user-writable, or group-readable.

Thanks, Mike, but isn't that achieved by chmod 600? And yet I get

Disk /dev/X is user root, group wheel, permissions brw-------.

in the next daily insecurity output. Maybe I don't know what "operator" 
means in this context. Does it mean root user?

Thanks and cheers,

Ezequiel



Re: [Bulk] Generic Question: Floating point, MMU

2014-12-03 Thread Kevin Chadwick
On Thu, 04 Dec 2014 08:35:11 +1300
worik wrote:

> > For ones that lack MMU or floating-point, Linux is it.
> > 
> > Other ones that have MMU and FP can run OpenBSD, although significant
> > porting effort is required. And they have 8MB to 16MB flash, which means
> > you are running a ramdisk kernel and that's about it.  
> 
> Why is OpenBSD the choice only if you have a floating point?
> 
> And I would have thought Linux would not do well without a MMU.  I know
> people have ported Linux to all sorts of things, but no MMU?

Check out uclinux

They have come up with special memory handling to avoid memory
fragmentation but it's probably still far wide of the mark for reliable
or for that matter secure porting without great care.



Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Alan McKay
On Wed, Dec 3, 2014 at 4:54 PM, Mikkel C. Simonsen  wrote:
> As I have written many times - used thin clients are available in huge
> numbers as scrap. Many of them have a PCI or PCIe slot, so adding a second
> NIC is easy. I often use thin clients with a Compaq 2- or 4-port NIC. Total
> cost about 15-20 euros.

That's interesting - what sort of brand name or product name would I search for?
I'm not really familiar with any thin clients


-- 
"Don't eat anything you've ever seen advertised on TV"
 - Michael Pollan, author of "In Defense of Food"



Re: Disk /dev/X is user root, group wheel, permissions brw-r-----.

2014-12-03 Thread Mike Burns
On 2014-12-03 21.23.13 +, Ezequiel Garzon wrote:
> Disk /dev/X is user root, group wheel, permissions brw-r-----.

It must be root.operator and the mode must NOT include user-readable,
user-writable, or group-readable.

-Mike



Re: OT:Password strength

2014-12-03 Thread Alexander Hall
On December 3, 2014 9:10:42 PM CET, Jason Adams  wrote:
>On 12/03/2014 12:04 PM, Ted Unangst wrote:
>> On Wed, Dec 03, 2014 at 08:27, Brad Smith wrote:
>>> On 11/30/14 15:20, Ted Unangst wrote:
>>>> Examples:
>>>>
>>>> treetykaveprethicooputhedu
>>>> soonataviceenoopatecoge
>>>> gootrozapiceelytrithunula
>>>> preezypeendothanundipeesooka
>>> That defeats the purpose of the second example in the OPs question.
>>>
>> If you want strong, short passwords that look ridiculous:
>>
>> dd if=/dev/random bs=1 count=9 | b64encode password
>>
>
>And then try to remember that mess, or type it, especially into
>a smartphone. Gaak! 8-O

base64 ain't that bad, but might lack those special symbols which we all know 
makes all the difference between a bad and a good password...



Re: Squid configuration

2014-12-03 Thread sven falempin
On Wed, Dec 3, 2014 at 4:11 PM, Einfach Jemand  wrote:
> On 03.12.2014 12:59, sven falempin wrote:
>> On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley
>>  wrote:
>>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>>
>>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>>>
>>>> _squid
>>>> ^! Note the underline.
>>>>
>>>> as account for this package, so you probably want
>>>
>>>
>>> According to the package README:
>>>
>>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
>>> "${RCDIR}/squid start") the appropriately-named login class is used
>>> automatically.
>>>
>>> So, the underline shouldn't be necessary.
>>>
>>
>>  The login would be apply in a rc script ? I looked into that :
>>
>> is that why the _ goes away ?
>>
>> _name=$(basename $0)
>> [.. so name of the rc script is sed to get compiled login.conf info..]
>> getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
>> [ but this only print stuff according to man page ]
>>
>>  There is a rcexec  that force the usage of the login class
>>
>> grep rcexec /etc/rc.d/*
>> unbound use it, but not squid.
>>
>> I guess my perl script would have to do a strlimit after dropping
>> privilege to open 4096 files.
>>
>>
>> On the other hand, the class is supposed to be in master.passwd or be
>> to default:
>>
>>
>> name User's login name.
>> password User's encrypted password.
>> uid User's login user ID.
>> gid User's login group ID.
>> class User's general classification (see login.conf(5)).
>> change Password change time.
>> expire Account expiration time.
>> gecos General information about the user.
>> home_dir User's home directory.
>> shell User's login shell.
>>
>>
>> _squid:*:515:515:daemon:0:0:Squid Account:
>> _bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin
>>
>>
>> bgpd class is blank, squid is set to daemon.
>>
>> Is bgpd correctly configured ?
>
> Yes. It has an entry in /etc/login.conf
>
> man rc.subr explains it:
>
> -- quote --
> daemon_class  Login class to run the daemon with, using su(1).  This is
>   a read only variable that gets set by rc.subr itself.  It
>   searches login.conf(5) for a login class that has the
>   same name as the rc.d script itself and uses that.  If no
>   such login class exists then ``daemon'' will be used.
> -- end quote --
>
>> is squid using the daemon class ?
>
> Yes unless you have a stanza for squid in /etc/login.conf .
> (And the README for the package advises you to create one)
>
> A test _without_ a stanza for squid in /etc/login.conf and the first
> line of /etc/rc.d/squid set to
>
> #!/bin/sh -x
>
> results in
>
> root:/etc/rc.d:28# /etc/rc.d/squid start
> + daemon=/usr/local/sbin/squid
> + daemon_timeout=35
> + . /etc/rc.d/rc.subr
> + [ -n  ]
> + [ -n /usr/local/sbin/squid ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + basename /etc/rc.d/squid
> + _name=squid
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/squid
> + _rc_do _rc_parse_conf
> + eval _rcflags=${squid_flags}
> + _rcflags=
> + eval _rcuser=${squid_user}
> + _rcuser=
> + eval _rctimeout=${squid_timeout}
> + _rctimeout=
> + getcap -f /etc/login.conf squid
> + > /dev/null
> + 2>&1
> + [ -z  ]
> + daemon_class=daemon
> + [ -z  ]
> + daemon_user=root
> + [ -z 35 ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + readonly daemon_class
> + unset _rcflags _rcuser _rctimeout
> + pexp=/usr/local/sbin/squid
> + rcexec=su -l -c daemon -s /bin/sh root -c
> + rc_cmd start
> squid(ok)
>
> The same _with_ a stanza for squid in /etc/login.conf gives
>
> root:/etc/rc.d:34# /etc/rc.d/squid start
>
> + daemon=/usr/local/sbin/squid
> + daemon_timeout=35
> + . /etc/rc.d/rc.subr
> + [ -n  ]
> + [ -n /usr/local/sbin/squid ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + basename /etc/rc.d/squid
> + _name=squid
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/squid
> + _rc_do _rc_parse_conf
> + eval _rcflags=${squid_flags}
> + _rcflags=
> + eval _rcuser=${squid_user}
> + _rcuser=
> + eval _rctimeout=${squid_timeout}
> + _rctimeout=
> + getcap -f /etc/login.conf squid
> + > /dev/null
> + 2>&1
> + daemon_class=squid
> + [ -z squid ]
> + [ -z  ]
> + daemon_user=root
> + [ -z 35 ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + readonly daemon_class
> + unset _rcflags _rcuser _rctimeout
> + pexp=/usr/local/sbin/squid
> + rcexec=su -l -c squid -s /bin/sh root -c
> + rc_cmd start
> squid(ok)
>
>> am I forced to use BSD::resources to strlimit in the perl script to
>> validate this ?
>> is getcap doing something else than printing ?
>
> Yes, it returns $? which is used in rc.subr to set the login-class to
> daemon when there is no service-specific stanza in /etc/login.conf
>
> HTH
> rru
>

I understand now

the answer to the BSD::resources is yes apparently

# su -l -c squid -s  /bin/sh root -c "perl /root/fds.pl"
uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 2

Disk /dev/X is user root, group wheel, permissions brw-r-----.

2014-12-03 Thread Ezequiel Garzon
Greetings! I'm trying to take care of the warnings I get in my daily 
insecurity output, and the one persisting is:

Disk /dev/X is user root, group wheel, permissions brw-r-----.

where X is basically all of fd[0-9]*, rd*, sd*, vnd* and wd*. I tried 
chmod 600, as suggested somewhere on the Internet, but I simply got

Disk /dev/X is user root, group wheel, permissions brw-------.

Any suggestions as to what this message is telling me? More 
generally, is it normal to get these warnings from a fresh install? I'm 
on 5.6-release, having simply enabled the nsd, httpd and spamd flags 
under /etc/rc.local.config. I ran

chown root:kmem /dev/mem
chown root:kmem /dev/kmem

to comply with the warnings

Checking special files and directories.
Output format is:
filename:
criteria (shouldbe, reallyis)
dev/kmem: 
gid (2, 0)
dev/mem: 
gid (2, 0)
mtree special: exit code 2

I'm using an i386 virtual machine with KVM. Below is my dmesg output. 
Thanks in advance for any pointers.

Best regards,

Ezequiel


Re: Squid configuration

2014-12-03 Thread Einfach Jemand
On 03.12.2014 12:59, sven falempin wrote:
> On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley
>  wrote:
>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>
>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>>
>>> _squid
>>> ^! Note the underline.
>>>
>>> as account for this package, so you probably want
>>
>>
>> According to the package README:
>>
>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
>> "${RCDIR}/squid start") the appropriately-named login class is used
>> automatically.
>>
>> So, the underline shouldn't be necessary.
>>
> 
>  The login would be apply in a rc script ? I looked into that :
> 
> is that why the _ goes away ?
> 
> _name=$(basename $0)
> [.. so name of the rc script is sed to get compiled login.conf info..]
> getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
> [ but this only print stuff according to man page ]
> 
>  There is a rcexec  that force the usage of the login class
> 
> grep rcexec /etc/rc.d/*
> unbound use it, but not squid.
> 
> I guess my perl script would have to do a strlimit after dropping
> privilege to open 4096 files.
> 
> 
> On the other hand, the class is supposed to be in master.passwd or be
> to default:
> 
> 
> name User's login name.
> password User's encrypted password.
> uid User's login user ID.
> gid User's login group ID.
> class User's general classification (see login.conf(5)).
> change Password change time.
> expire Account expiration time.
> gecos General information about the user.
> home_dir User's home directory.
> shell User's login shell.
> 
> 
> _squid:*:515:515:daemon:0:0:Squid Account:
> _bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin
> 
> 
> bgpd class is blank, squid is set to daemon.
> 
> Is bgpd correctly configured ? 

Yes. It has an entry in /etc/login.conf

man rc.subr explains it:

-- quote --
daemon_class  Login class to run the daemon with, using su(1).  This is
  a read only variable that gets set by rc.subr itself.  It
  searches login.conf(5) for a login class that has the
  same name as the rc.d script itself and uses that.  If no
  such login class exists then ``daemon'' will be used.
-- end quote --

> is squid using the daemon class ?

Yes unless you have a stanza for squid in /etc/login.conf .
(And the README for the package advises you to create one)

A test _without_ a stanza for squid in /etc/login.conf and the first
line of /etc/rc.d/squid set to

#!/bin/sh -x

results in

root:/etc/rc.d:28# /etc/rc.d/squid start
+ daemon=/usr/local/sbin/squid
+ daemon_timeout=35
+ . /etc/rc.d/rc.subr
+ [ -n  ]
+ [ -n /usr/local/sbin/squid ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ basename /etc/rc.d/squid
+ _name=squid
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/squid
+ _rc_do _rc_parse_conf
+ eval _rcflags=${squid_flags}
+ _rcflags=
+ eval _rcuser=${squid_user}
+ _rcuser=
+ eval _rctimeout=${squid_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf squid
+ > /dev/null
+ 2>&1
+ [ -z  ]
+ daemon_class=daemon
+ [ -z  ]
+ daemon_user=root
+ [ -z 35 ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ readonly daemon_class
+ unset _rcflags _rcuser _rctimeout
+ pexp=/usr/local/sbin/squid
+ rcexec=su -l -c daemon -s /bin/sh root -c
+ rc_cmd start
squid(ok)

The same _with_ a stanza for squid in /etc/login.conf gives

root:/etc/rc.d:34# /etc/rc.d/squid start

+ daemon=/usr/local/sbin/squid
+ daemon_timeout=35
+ . /etc/rc.d/rc.subr
+ [ -n  ]
+ [ -n /usr/local/sbin/squid ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ basename /etc/rc.d/squid
+ _name=squid
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/squid
+ _rc_do _rc_parse_conf
+ eval _rcflags=${squid_flags}
+ _rcflags=
+ eval _rcuser=${squid_user}
+ _rcuser=
+ eval _rctimeout=${squid_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf squid
+ > /dev/null
+ 2>&1
+ daemon_class=squid
+ [ -z squid ]
+ [ -z  ]
+ daemon_user=root
+ [ -z 35 ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ readonly daemon_class
+ unset _rcflags _rcuser _rctimeout
+ pexp=/usr/local/sbin/squid
+ rcexec=su -l -c squid -s /bin/sh root -c
+ rc_cmd start
squid(ok)

> am I forced to use BSD::resources to strlimit in the perl script to
> validate this ?
> is getcap doing something else than printing ?

Yes, it returns $? which is used in rc.subr to set the login-class to
daemon when there is no service-specific stanza in /etc/login.conf

HTH
rru



Re: missing packages for SPARC

2014-12-03 Thread Christian Weisgerber
patrick keshishian:

> how do you guys deal with disk space with sparc machines?
> NFS?

Distfiles and packages on NFS, obj on local disk.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: OT:Password strength

2014-12-03 Thread Jason Adams
On 12/03/2014 12:04 PM, Ted Unangst wrote:
> On Wed, Dec 03, 2014 at 08:27, Brad Smith wrote:
>> On 11/30/14 15:20, Ted Unangst wrote:
>>> Examples:
>>>
>>> treetykaveprethicooputhedu
>>> soonataviceenoopatecoge
>>> gootrozapiceelytrithunula
>>> preezypeendothanundipeesooka
>> That defeats the purpose of the second example in the OPs question.
>>
> If you want strong, short passwords that look ridiculous:
>
> dd if=/dev/random bs=1 count=9 | b64encode password
>

And then try to remember that mess, or type it, especially into
a smartphone. Gaak! 8-O



-- 
Those who do not understand Unix are condemned to reinvent it, poorly.



Re: OT:Password strength

2014-12-03 Thread Ted Unangst
On Wed, Dec 03, 2014 at 08:27, Brad Smith wrote:
> On 11/30/14 15:20, Ted Unangst wrote:
>> Examples:
>>
>> treetykaveprethicooputhedu
>> soonataviceenoopatecoge
>> gootrozapiceelytrithunula
>> preezypeendothanundipeesooka
> 
> That defeats the purpose of the second example in the OPs question.
> 

If you want strong, short passwords that look ridiculous:

dd if=/dev/random bs=1 count=9 | b64encode password



Re: missing packages for SPARC

2014-12-03 Thread patrick keshishian
On 12/3/14, Christian Weisgerber  wrote:
> On 2014-12-02, Riccardo Mottola  wrote:
>
>> I was pkg_add'ing some essential packages on a freshly installed SPARC
>> machine. I noticed that several packages are missing. I thought it was
>> the mirror, but they are missing on the master ftp too.
>> I know that some packages might not build on sparc or do not have sense
>> on that platform, however I was looking for pretty general stuff:
>> libxmsl, libxslt or subversion.
>
> They didn't build.  I can't tell whether that's due to the package
> building process (the sparc build machines are very unstable) or
> problems with the ports themselves.  Peter Hessler may be able to
> comment.
>
> Unfortunately, that's the usual course when an architecture becomes
> less and less common.  Build failures pile up, compounded by slowness
> and general reliability problems, and the set of available packages
> keeps shrinking.
>
> Somebody needs to care.
>
> There is no magic bullet.  If, say, two hundred ports fail to build
> and take out thousands more for which they serve as dependencies,
> then the only way to fix this is for somebody to sit down and examine
> and fix the failing ports.  One by one.
>
> If nobody steps up to do this, then it won't happen.
>
> We keep having this tail of zombie architectures.  Long obsolete
> hardware, run by few people, with pitiful "best effort" package
> builds happening each release and with luck once between.  They
> slowly sink under the accumulating bitrot that nobody cares to fix,
> but at the same time people can't bring themselves to completely
> abandon those archs.  *shrug*

how do you guys deal with disk space with sparc machines?
NFS?

I will dust off my ss20 this weekend see if it powers up.

--patrick



Re: Generic Question: Floating point, MMU

2014-12-03 Thread Simon Mages
Maybe this helps, http://www.uclinux.org
Am 03.12.2014 20:36 schrieb "worik" :

> On the thread: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS
> Chromebox)
>
> ch...@nmedia.net commented:
>
> > For ones that lack MMU or floating-point, Linux is it.
> >
> > Other ones that have MMU and FP can run OpenBSD, although significant
> > porting effort is required. And they have 8MB to 16MB flash, which means
> > you are running a ramdisk kernel and that's about it.
>
> Why is OpenBSD the choice only if you have a floating point?
>
> And I would have thought Linux would not do well without a MMU.  I know
> people have ported Linux to all sorts of things, but no MMU?
>
> cheers
> Worik
> --
> Why is the legal status of chardonnay different to that of cannabis?
>worik.stan...@gmail.com 021-1680650, (03) 4821804
>   Aotearoa (New Zealand)
>  I voted for love



Re: isakmpd quits out after running ipsec on CURRENT

2014-12-03 Thread Christian Weisgerber
On 2014-12-03, Josh Grosse  wrote:

>> This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
>> Check your system logs for "isakmpd: backwards memcpy".
>
> It may not be that change, since it was only committed two days ago.  I've
> seen the same symptoms in i386 snapshots from Nov 26 and 30.

Exactly, that change _fixes_ it.  In recent snapshots, memcpy()
checks for overlap and aborts.

For some background, see
http://www.tedunangst.com/flak/post/memcpy-vs-memmove

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
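
An overlap check of the kind described above, as an added example (not OpenBSD's libc code and not the isakmpd fix). The names regions_overlap and checked_memcpy and the line-buffer scenario are hypothetical, and the wrapper returns an error where the message says the real memcpy() aborts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper: returns 1 when [dst, dst+len) and [src, src+len)
 * share at least one byte. A zero-length copy, or a copy of a region onto
 * itself, is treated as harmless (a choice made for this example).
 */
static int regions_overlap(const void *dst, const void *src, size_t len)
{
    uintptr_t d = (uintptr_t)dst;
    uintptr_t s = (uintptr_t)src;

    if (len == 0 || d == s)
        return 0;
    /* The regions overlap when the distance between them is below len. */
    return (d < s) ? (s - d < len) : (d - s < len);
}

/*
 * memcpy wrapper that refuses an overlapping copy instead of running into
 * undefined behaviour. Returns 0 on success, -1 when the copy was refused.
 */
static int checked_memcpy(void *dst, const void *src, size_t len)
{
    if (regions_overlap(dst, src, len)) {
        fprintf(stderr, "checked_memcpy: overlapping copy refused, len=%zu\n",
            len);
        return -1;
    }
    memcpy(dst, src, len);
    return 0;
}

/*
 * Constructed scenario: drop the first `consumed` bytes of a line buffer by
 * shifting the rest to the front. Source and destination live in the same
 * array, so they overlap whenever the remainder is longer than `consumed`.
 */
static int shift_with_memcpy(char *buf, size_t used, size_t consumed)
{
    return checked_memcpy(buf, buf + consumed, used - consumed);
}

/* The same shift done with memmove, which is defined for overlapping regions. */
static void shift_with_memmove(char *buf, size_t used, size_t consumed)
{
    memmove(buf, buf + consumed, used - consumed);
}

int main(void)
{
    char buf[32] = "first\nsecond line\n";  /* constructed sample input */
    size_t used = strlen(buf) + 1;          /* include the terminating NUL */
    size_t consumed = 6;                    /* length of "first\n" */

    if (shift_with_memcpy(buf, used, consumed) != 0)
        puts("memcpy path refused, using memmove instead");
    shift_with_memmove(buf, used, consumed);
    printf("buffer now: %s", buf);
    return 0;
}
```
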



Generic Question: Floating point, MMU

2014-12-03 Thread worik
On the thread: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS
Chromebox)

ch...@nmedia.net commented:

> For ones that lack MMU or floating-point, Linux is it.
> 
> Other ones that have MMU and FP can run OpenBSD, although significant
> porting effort is required. And they have 8MB to 16MB flash, which means
> you are running a ramdisk kernel and that's about it.

Why is OpenBSD the choice only if you have a floating point?

And I would have thought Linux would not do well without a MMU.  I know
people have ported Linux to all sorts of things, but no MMU?

cheers
Worik
-- 
Why is the legal status of chardonnay different to that of cannabis?
   worik.stan...@gmail.com 021-1680650, (03) 4821804
  Aotearoa (New Zealand)
 I voted for love



Re: isakmpd quits out after running ipsec on CURRENT

2014-12-03 Thread Josh Grosse

On 2014-12-03 13:59, Josh Grosse wrote:

On 2014-12-03 12:47, Christian Weisgerber wrote:

...

This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
Check your system logs for "isakmpd: backwards memcpy".


It may not be that change, since it was only committed two days ago.  I've
seen the same symptoms in i386 snapshots from Nov 26 and 30. I had planned
to spend a few hours this next weekend trying to isolate the regression, and
to date have not done any more than reproduce the problem with older kernels.


Ack.  Never mind.  This could be the *fix*.  Sorry for the noise.  My
apologies.

I seem to have way too much blood in my caffeine system.



Re: isakmpd quits out after running ipsec on CURRENT

2014-12-03 Thread Josh Grosse

On 2014-12-03 12:47, Christian Weisgerber wrote:

On 2014-12-03, Zé Loff  wrote:

for some reason, this seems to have been for a while now; isakmpd will
simply quit running after initiating: ipsecctl -f /etc/ipsec.conf


I am seeing the same behaviour (apparently a clean exit, no message
whatsoever nor core file) on -current, with an ipsec.conf as simple as
this:


This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
Check your system logs for "isakmpd: backwards memcpy".


It may not be that change, since it was only committed two days ago.  I've
seen the same symptoms in i386 snapshots from Nov 26 and 30. I had planned
to spend a few hours this next weekend trying to isolate the regression, and
to date have not done any more than reproduce the problem with older kernels.




Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Jason Adams
On 12/03/2014 09:49 AM, Alan McKay wrote:
> This is very interesting - I've been looking at various small boxes
> like this to use as a home firewall.
> The only problem is that not many of them have 2 NICs, and the ones
> that do are very expensive (higher end Zotac)
>
> Does anyone know of a similar device with 2 NICs that might be
> suitable as a home firewall?
>
> What about one of the Open Firmware firewalls like ASUS?  Is there an
> OpenBSD load for those?  Instead of Tomato or the likes ...
>

I've been looking at this one http://amzn.com/B00M8MNF4G
It's overkill, because I want it to handle other tasks (email) as well as a
firewall.

I've not purchased or installed it yet.


-- 
Those who do not understand Unix are condemned to reinvent it, poorly.



Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Chris Cappuccio
Alan McKay [alan.mc...@gmail.com] wrote:
> This is very interesting - I've been looking at various small boxes
> like this to use as a home firewall.
> The only problem is that not many of them have 2 NICs, and the ones
> that do are very expensive (higher end Zotac)
> 
> Does anyone know of a similar device with 2 NICs that might be
> suitable as a home firewall?
> 
> What about one of the Open Firmware firewalls like ASUS?  Is there an
> OpenBSD load for those?  Instead of Tomato or the likes ...

A lot of these $40 routers are based on some kind of MIPS CPU.

For ones that lack MMU or floating-point, Linux is it.

Other ones that have MMU and FP can run OpenBSD, although significant
porting effort is required. And they have 8MB to 16MB flash, which means
you are running a ramdisk kernel and that's about it.

The Octeon port supports the Ubiquiti $99 USD model but you don't get
local storage until USB is finished. That is a more ideal platform
for a complete OpenBSD environment.

Chris



Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Gene
I have one of those.  Ran pfSense on it for 9 months and worked great,
until one of the built-in NICs died.

I've since repurposed the system as a Xen host, the last NIC hasn't died
yet, but I can't really recommend it.

-Gene

On Wed, Dec 3, 2014 at 10:30 AM, Chester T. Field <
chester.t.fi...@hushmail.com> wrote:

> The lovable scamp Ted Unangst posted about a box with dual broadcoms, Atom
> CPU, DDR3 RAM, etc for $129 on his blog:
>
> http://www.tedunangst.com/flak/post/new-home-router
>
> -Chester
>
> "Enjoy those tacos now, for in a thousand years they will be illegal! Ha
> ha ha ha-I think we all know why."  - Benjamin Franklin
>
> On 12/3/2014 at 11:09 AM, "Gene"  wrote:
> >
> >On Wed, Dec 3, 2014 at 9:49 AM, Alan McKay 
> >wrote:
> >
> >> This is very interesting - I've been looking at various small
> >boxes
> >> like this to use as a home firewall.
> >> The only problem is that not many of them have 2 NICs, and the
> >ones
> >> that do are very expensive (higher end Zotac)
> >>
> >> Does anyone know of a similar device with 2 NICs that might be
> >> suitable as a home firewall?
> >>
> >
> >Look into the PC Engines ALIX and APU system boards. You can get
> >kits for
> >under $200, or sometimes for less on eBay.
> >
> >http://www.pcengines.ch
> >
> >Great hardware.  I have a couple of the ALIX boards.  The APU
> >series has
> >gigabit NICs and a lot more horse power.  If you search the
> >mailing list
> >you'll see several mentions for it.
> >
> >
> >> What about one of the Open Firmware firewalls like ASUS?  Is
> >there an
> >> OpenBSD load for those?  Instead of Tomato or the likes ...
> >>
> >
> >-Gene
> >(p.s. I'm bad at mailing lists and didn't reply all last time, I
> >apologise
> >for emailing you twice, Alan).



Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Chester T. Field
The lovable scamp Ted Unangst posted about a box with dual broadcoms, Atom CPU, 
DDR3 RAM, etc for $129 on his blog:

http://www.tedunangst.com/flak/post/new-home-router

-Chester 

"Enjoy those tacos now, for in a thousand years they will be illegal! Ha ha ha 
ha-I think we all know why."  - Benjamin Franklin

On 12/3/2014 at 11:09 AM, "Gene"  wrote:
>
>On Wed, Dec 3, 2014 at 9:49 AM, Alan McKay  
>wrote:
>
>> This is very interesting - I've been looking at various small 
>boxes
>> like this to use as a home firewall.
>> The only problem is that not many of them have 2 NICs, and the 
>ones
>> that do are very expensive (higher end Zotac)
>>
>> Does anyone know of a similar device with 2 NICs that might be
>> suitable as a home firewall?
>>
>
>Look into the PC Engines ALIX and APU system boards. You can get 
>kits for
>under $200, or sometimes for less on eBay.
>
>http://www.pcengines.ch
>
>Great hardware.  I have a couple of the ALIX boards.  The APU 
>series has
>gigabit NICs and a lot more horse power.  If you search the 
>mailing list
>you'll see several mentions for it.
>
>
>> What about one of the Open Firmware firewalls like ASUS?  Is 
>there an
>> OpenBSD load for those?  Instead of Tomato or the likes ...
>>
>
>-Gene
>(p.s. I'm bad at mailing lists and didn't reply all last time, I 
>apologise
>for emailing you twice, Alan).



Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Gene
On Wed, Dec 3, 2014 at 9:49 AM, Alan McKay  wrote:

> This is very interesting - I've been looking at various small boxes
> like this to use as a home firewall.
> The only problem is that not many of them have 2 NICs, and the ones
> that do are very expensive (higher end Zotac)
>
> Does anyone know of a similar device with 2 NICs that might be
> suitable as a home firewall?
>

Look into the PC Engines ALIX and APU system boards. You can get kits for
under $200, or sometimes for less on eBay.

http://www.pcengines.ch

Great hardware.  I have a couple of the ALIX boards.  The APU series has
gigabit NICs and a lot more horse power.  If you search the mailing list
you'll see several mentions for it.


> What about one of the Open Firmware firewalls like ASUS?  Is there an
> OpenBSD load for those?  Instead of Tomato or the likes ...
>

-Gene
(p.s. I'm bad at mailing lists and didn't reply all last time, I apologise
for emailing you twice, Alan).



OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Alan McKay
This is very interesting - I've been looking at various small boxes
like this to use as a home firewall.
The only problem is that not many of them have 2 NICs, and the ones
that do are very expensive (higher end Zotac)

Does anyone know of a similar device with 2 NICs that might be
suitable as a home firewall?

What about one of the Open Firmware firewalls like ASUS?  Is there an
OpenBSD load for those?  Instead of Tomato or the likes ...



Re: isakmpd quits out after running ipsec on CURRENT

2014-12-03 Thread Christian Weisgerber
On 2014-12-03, Zé Loff  wrote:

>> for some reason, this seems to have been for a while now; isakmpd will 
>> simply quit running after initiating: ipsecctl -f /etc/ipsec.conf
>
> I am seeing the same behaviour (apparently a clean exit, no message
> whatsoever nor core file) on -current, with an ipsec.conf as simple as
> this:

This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
Check your system logs for "isakmpd: backwards memcpy".

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



OpenBSD 5.6-current on ASUS Chromebox

2014-12-03 Thread Gene
I'm a fan of the ASUS Chromebox hardware, specifically the M004U with the
Celeron 2955U processor.  Comes with 2 GB of RAM, and 16GB SSD.  It
typically retails for $160 USD.  I have a couple running Linux (HTPC and a
desktop for my kids).

I picked up a third one on black friday for $110 just to play with, was
specifically interested in loading OpenBSD on it.  5.6-stable doesn't work
because of the lack of USB 3.0 (xhci) support, but 5.6-current installed
without issue.  The wireless adapter wasn't detected, but the Realtek
ethernet device works.  I have it driving a 1920x1200 display over HDMI.

It's been a long time since I've used OpenBSD as a desktop so I've got a
bit to figure out, but thus far this little system is running very nicely.


Just in case anyone else is interested in it I'm including dmesg output.
Also, if you do try just be aware that the Chromebox has to be put into
developer mode and the default BIOS will need to be replaced with
coreboot.  The Kodi (XBMC) wiki has a good document on doing that.

http://kodi.wiki/view/ASUS_Chromebox

dmesg output:

OpenBSD 5.6-current (RAMDISK_CD) #584: Mon Dec  1 00:41:23 MST 2014
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 4215820288 (4020MB)
avail mem = 4102762496 (3912MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7f69f020 (7 entries)
bios0: vendor coreboot version "4.0-7445-ge0d42b6-dirty" date 12/02/2014
bios0: Google Panther
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT MCFG APIC HPET SSDT
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) 2955U @ 1.40GHz, 1397.00 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,XSAVE,
RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,ERMS,INVPCID
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 99MHz
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiprt5 at acpi0: bus -1 (RP05)
acpiprt6 at acpi0: bus -1 (RP06)
acpiprt7 at acpi0: bus -1 (RP07)
acpiprt8 at acpi0: bus -1 (RP08)
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 4G Host" rev 0x09
vga1 at pci0 dev 2 function 0 "Intel HD Graphics" rev 0x09
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
"Intel Core 4G HD Audio" rev 0x09 at pci0 dev 3 function 0 not configured
xhci0 at pci0 dev 20 function 0 "Intel 8 Series xHCI" rev 0x04: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
"Intel 8 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
"Intel 8 Series HD Audio" rev 0x04 at pci0 dev 27 function 0 not configured
ppb0 at pci0 dev 28 function 0 "Intel 8 Series PCIE" rev 0xe4
pci1 at ppb0 bus 1
re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x0c: RTL8168G/8111G
(0x4c00), msi, address c4:54:44:4d:be:ab
rgephy0 at re0 phy 7: RTL8251 PHY, rev. 0
ppb1 at pci0 dev 28 function 1 "Intel 8 Series PCIE" rev 0xe4
pci2 at ppb1 bus 2
"Atheros AR9462" rev 0x01 at pci2 dev 0 function 0 not configured
ppb2 at pci0 dev 28 function 2 "Intel 8 Series PCIE" rev 0xe4
pci3 at ppb2 bus 3
"Intel 8 Series LPC" rev 0x04 at pci0 dev 31 function 0 not configured
ahci0 at pci0 dev 31 function 2 "Intel 8 Series AHCI" rev 0x04: msi, AHCI
1.3
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct
fixed naa.5001b44bed91e41e
sd0: 15272MB, 512 bytes/sector, 31277232 sectors, thin
"Intel 8 Series SMBus" rev 0x04 at pci0 dev 31 function 3 not configured
vendor "Intel", unknown product 0x9c24 (class DASP subclass miscellaneous,
rev 0x04) at pci0 dev 31 function 6 not configured
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
uhidev0 at uhub0 port 2 configuration 1 interface 0 "Logitech USB Receiver"
rev 2.00/29.00 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0
wskbd0 at ukbd0: console keyboard, using wsdisplay0
uhidev1 at uhub0 port 2 configuration 1 interface 1 "Logitech USB Receiver"
rev 2.00/29.00 addr 2
uhidev1: iclass 3/1, 17 report ids
uhid at uhidev1 reportid 2 not configured
uhid at uhidev1 reportid 3 not configured
uhid at uhidev1 reportid 4 not configured
uhid at uhidev1 reportid 16 not configured
uhid at uhidev1 reportid 17 not configured
"\M-1???\^D??\^A??\^P??@\^A?? \M-1???\^D??\^A??\^P??@\^A??"
rev 1.10/0.01 addr 3 at uhub0 port 4 not configured
umass0 at uhub0 port 7 configuration 1 interface 0 "Generic USB Storage"
rev 2.00/2.60 addr 4
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets, initiator 0
sd1 at scsibus1 targ 1 lun 0:  SCSI0
0/direct removable serial.05e30727000

Re: -current hangs during boot from xhci controller on MacbookAir6,1

2014-12-03 Thread Scott Bonds
Sorry, I compiled that custom kernel based on stable instead of current.
I have now compiled a version based on current @ 2014-12-03. I get the
same panic when booting in xhci mode using the kernel based on current
as I did with the kernel based on stable. Same behavior with ehci mode
as well--it boots fine and I can get a dmesg. Here is the dmesg from my
boot to the custom kernel based on *current* using *ehci* mode:

OpenBSD 5.6-current (SCOTT.MP) #1: Wed Dec  3 08:23:40 PST 2014
root@foo.localdomain:/usr/src/sys/arch/amd64/compile/SCOTT.MP
RTC BIOS diagnostic error 
ff
real mem = 8511332352 (8117MB)
avail mem = 8280907776 (7897MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe (42 entries)
bios0: vendor Apple Inc. version "MBA61.88Z.0099.B16.1408291503" date 08/29/2014
bios0: Apple Inc. MacBookAir6,1
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP HPET APIC SBST ECDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT 
SSDT MCFG DMAR
acpi0: wakeup devices P0P2(S3) EC__(S3) HDEF(S3) RP01(S3) RP02(S3) RP03(S3) 
ARPT(S4) RP05(S3) RP06(S3) SPIT(S3) XHC1(S3) ADP1(S3) LID0(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, 1600.27 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, 1600.01 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, 1600.01 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, 1600.01 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
acpiec0 at acpi0
acpimcfg0 at acpi0 addr 0xe000, bus 0-155
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P2)
acpiprt2 at acpi0: bus 1 (RP01)
acpiprt3 at acpi0: bus 2 (RP02)
acpiprt4 at acpi0: bus 3 (RP03)
acpiprt5 at acpi0: bus 5 (RP05)
acpiprt6 at acpi0: bus 4 (RP06)
acpicpu0 at acpi0: C3, C1, PSS
acpicpu1 at acpi0: C3, C1, PSS
acpicpu2 at acpi0: C3, C1, PSS
acpicpu3 at acpi0: C3, C1, PSS
acpibat0 at acpi0: BAT0 model "3545797981023400290" type 3545797981528607052 
oem "3545797981528608836"
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: LID0
acpibtn1 at acpi0: PWRB
acpibtn2 at acpi0: SLPB
acpivideo0 at acpi0: IGPU
acpivout0 at acpivideo0: DD01
cpu0: Enhanced SpeedStep 1600 MHz: speeds: 2301, 2300, 2200, 2100, 2000, 1900, 
1800, 1700, 1600, 1500, 1400, 1300, 1200, 1100, 1000, 900, 800, 759 MHz
memory map conflict 0xe00f8000/0x1000
memory map conflict 0xfed1c000/0x4000
memory map conflict 0xffe1/0x3
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 4G Host" rev 0x09
vga1 at pci0 dev 2 function 0 "Intel HD Graphics 5000" rev 0x09
intagp at vga1 not configured
inteldrm0 at vga1
drm0 at inteldrm0
drm: Memory usable by graphics device = 2048M
error: [drm:pid0:i915_write32] *ERROR* Unknown unclaimed register before 
writing to 10
error: [drm:pid0:intel_dp_set_link_train] *ERROR* Timed out waiting for DP idle 
patterns
error: [drm:pid0:i915_w

Re: segmentation fault during package build

2014-12-03 Thread Christian Weisgerber
On 2014-12-03, Riccardo Mottola  wrote:

> install -c -o root -g bin -m 555 bzgrep bzmore bzdiff 
> /usr/ports/pobj/bzip2-1.0.6/fake-sparc/usr/local/bin
> install -c -o root -g bin -m 444 bzip2.1 bzgrep.1 bzmore.1 bzdiff.1 
> /usr/ports/pobj/bzip2-1.0.6/fake-sparc/usr/local/man/man1
> Segmentation fault (core dumped)
> *** Error 139 in /usr/ports/pobj/bzip2-1.0.6/bzip2-1.0.6 (Makefile:105 
> 'install': @cd /usr/ports/pobj/bzip2-1.0.6/fake-sparc/usr/local/man/m...)
>
> I wanted to look for the core file, but can't find it. Where could it be?

Somewhere under the work directory.

$ find /usr/ports/pobj/bzip2-1.0.6 -name \*.core

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: missing packages for SPARC

2014-12-03 Thread Christian Weisgerber
On 2014-12-02, Riccardo Mottola  wrote:

> I was pkg_add'ing some essential packages on a freshly installed SPARC 
> machine. I noticed that several packages are missing. I thought it was 
> the mirror, but they are missing on the master ftp too.
> I know that some packages might not build on sparc or do not have sense 
> on that platform, however I was looking for pretty general stuff: 
> libxmsl, libxslt or subversion.

They didn't build.  I can't tell whether that's due to the package
building process (the sparc build machines are very unstable) or
problems with the ports themselves.  Peter Hessler may be able to
comment.

Unfortunately, that's the usual course when an architecture becomes
less and less common.  Build failures pile up, compounded by slowness
and general reliability problems, and the set of available packages
keeps shrinking.

Somebody needs to care.

There is no magic bullet.  If, say, two hundred ports fail to build
and take out thousands more for which they serve as dependencies,
then the only way to fix this is for somebody to sit down and examine
and fix the failing ports.  One by one.

If nobody steps up to do this, then it won't happen.

We keep having this tail of zombie architectures.  Long obsolete
hardware, run by few people, with pitiful "best effort" package
builds happening each release and with luck once between.  They
slowly sink under the accumulating bitrot that nobody cares to fix,
but at the same time people can't bring themselves to completely
abandon those archs.  *shrug*

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



dialog (probably OT)

2014-12-03 Thread Gregory Edigarov

Hello,

I need a little bit of help with 'dialog'.
I am working on the script to add a developer to our system:

shell=""
groups=""
user=""
home=""

exec 3>&1

# Store data to $VALUES variable
VALUES=$(dialog --ok-label "Add" \
  --backtitle "Add a developer" \
  --title "Useradd" \
  --form "Create a new developer" \
  15 70 0 \
  "Username:"    1 1 "login name"            1 10 20 0 \
  "Realname:"    2 1 "real name"             2 10 30 100 \
  "E-Mail:"      3 1 "e-mail"                3 10 30 100 \
  "Project:"     4 1 "project"               4 10 30 100 \
  "GIT Url:"     5 1 "url of git repository" 5 10 30 100 \
  "DB dump:"     6 1 "url of database dump"  6 10 40 100 \
  "Ssh privkey:" 7 1 "ssh private key"       7 10 40 2048 \
  "Ssh pubkey:"  8 1 "ssh public key"        8 10 40 2048 \
  2>&1 1>&3)

# close fd
exec 3>&-

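# display values just entered
printf '%s\n' "$VALUES"
# dialog --form prints one field per line, in form order; select each field
# by line number so values that contain spaces stay intact
user=$(printf '%s\n' "$VALUES" | sed -n 1p)
rname=$(printf '%s\n' "$VALUES" | sed -n 2p)
email=$(printf '%s\n' "$VALUES" | sed -n 3p)
project=$(printf '%s\n' "$VALUES" | sed -n 4p)
git=$(printf '%s\n' "$VALUES" | sed -n 5p)
dburl=$(printf '%s\n' "$VALUES" | sed -n 6p)
privkey=$(printf '%s\n' "$VALUES" | sed -n 7p)
pubkey=$(printf '%s\n' "$VALUES" | sed -n 8p)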

(it's a test to look at the possibilities offered).

now, I want some of the fields (for example the latter 2) to be of a
different type from just the plain inputfield, for example, inputbox.
from what I see, I have to split the form into three steps, like: ask
the first 5 fields at once, store values, then have two separate forms
for keys.

but that is not the way I want it to be like.
I know that zenity can easily do what I want, but it is an X
application, and I need it to be terminal/(n)curses application.

do I have any more options rather than split dialogue into two or more
steps?


--
With best regards,
Gregory Edigarov



Re: segmentation fault during package build

2014-12-03 Thread Tobias Ulmer
On Wed, Dec 03, 2014 at 09:38:17AM +0100, Riccardo Mottola wrote:
> Hi,
> 
> I am running OpenBSD 5.6 on Sparc [1]
> 
> Since I did not find several packages available, I got ports (5.6 tar.gz
> version), unpacked it and started building.
> 
> 
> While I attempt to install libxml I get, while installing bzip2 dependency:
> 
> install -c -o root -g bin -m 555 bzgrep bzmore bzdiff
> /usr/ports/pobj/bzip2-1.0.6/fake-sparc/usr/local/bin
> install -c -o root -g bin -m 444 bzip2.1 bzgrep.1 bzmore.1 bzdiff.1
> /usr/ports/pobj/bzip2-1.0.6/fake-sparc/usr/local/man/man1
> Segmentation fault (core dumped)
> *** Error 139 in /usr/ports/pobj/bzip2-1.0.6/bzip2-1.0.6 (Makefile:105
> 'install': @cd /usr/ports/pobj/bzip2-1.0.6/fake-sparc/usr/local/man/m...)
> *** Error 1 in /usr/ports/archivers/bzip2
> (/usr/ports/infrastructure/mk/bsd.port.mk:2807
> '/usr/ports/pobj/bzip2-1.0.6/fake-sparc/.fake_done')
> 
> 
> If I just type "make install" again, it happens again, thus I would exclude
> a memory issue which makes things more random, but it repeats in the same
> place. Perhaps a bad generated binary or a function call causing problems?
> 
> I wanted to look for the core file, but can't find it. Where could it be?
> 
> Cheers,
> Riccardo
> 
> [1] OpenBSD 5.6 (GENERIC) #94: Wed Aug 13 13:54:32 GMT 2014
> m...@credogne.gentiane.org:/usr/src/sys/arch/sparc/compile/GENERIC
> 

full dmesg please



Re: missing packages for SPARC

2014-12-03 Thread Tobias Ulmer
On Tue, Dec 02, 2014 at 10:35:43PM +0100, Riccardo Mottola wrote:
> Hi,
> 
> I was pkg_add'ing some essential packages on a freshly installed SPARC
> machine. I noticed that several packages are missing. I thought it was the
> mirror, but they are missing on the master ftp too.
> I know that some packages might not build on sparc or do not make sense on
> that platform, however I was looking for pretty general stuff: libxmsl,
> libxslt or subversion.

It looks like sparc 5.6 packages were built without the modf fix :(

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/sparc/gen/modf.S

There isn't much that doesn't require python as a build-depends
somewhere...

You're welcome to help out. There is an open issue with bash and
setjmp/longjmp (guessing) that breaks dbus (iirc). I've lost countless
hours and gave up on that.

> 
> Is this a problem? or is it deliberate? Sebastian, I know you used to stress
> your SPARCs :)
> 
> Thank you,
> Riccardo



Re: isakmpd quits out after running ipsec on CURRENT

2014-12-03 Thread Zé Loff
On Wed, Dec 03, 2014 at 03:24:06PM +, Zé Loff wrote:
> On Wed, Dec 03, 2014 at 04:09:02PM +0100, Sebastian Reitenbach wrote:
> > I run this kernel from beginning of November:
> > 
> > OpenBSD 5.6-current (GENERIC) #492: Fri Nov  7 10:21:36 MST 2014
> > dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> > cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 
> > 586-class) 267 MHz
> > cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
> > 
> > on my soekris box. Isakmpd is just started with: "-4 -K"
> > my ipsec.conf looks similar to this one (only IP addresses changed):
> > 
> > localip="1.1.1.1"
> > peerip="2.2.2.2"
> > ike esp from 3.3.3.0/24 to 4.4.0.0/16 \
> > local $localip peer $peerip \
> > main auth hmac-sha1 enc aes-128 group modp1024 \
> > quick auth hmac-sha1 enc aes-128 group modp1024 \
> > psk "top secret"
> >  
> > 
> > and it "just works".
> > 
> > does a higher debug level i.e. -D A=90 show something, or logging the 
> > packets isakmpd sees with -L give more hints?
> 
> No packets are transferred, AFAICT.
> 
> Running isakmpd -Kdv -D A=90 yields a single line after ipsecctl is run:
> 
> uiconfig: "C set [General]:Check-interval=30 force"
> 
> isakmpd then quits with exit code 0.

Actually, A=99 yields an extra line:

Misc 95 conf_set_now: [General]:Check-interval->30

> 
> > 
> > cheers,
> > Sebastian
> > 
> > On Wednesday, December 3, 2014 15:53 CET, Zé Loff  
> > wrote: 
> >  
> > > On Wed, Dec 03, 2014 at 02:00:59PM +, Kaya Saman wrote:
> > > > Hi,
> > > > 
> > > > for some reason, this seems to have been for a while now; isakmpd will 
> > > > simply quit running after initiating: ipsecctl -f /etc/ipsec.conf
> > > > 
> > > > Starting isakmpd manually with flags -Kdv doesn't give any indication 
> > > > as 
> > > > to what might be causing the service to crash or segfault and nothing 
> > > > is 
> > > > reported in the logs - I checked both daemon and messages.
> > > > 
> > > > ipsec.conf consists of standard config:
> > > > 
> > > > ike passive esp transport \
> > > >  proto udp from 212.159.80.17 to any port 1701 \
> > > >  main auth "hmac-sha" enc "aes" group modp1024 \
> > > >  quick auth "hmac-sha" enc "aes" \
> > > >  psk "Sclr11XP99"
> > > > 
> > > > ike passive esp transport \
> > > >  proto udp from  to any port 1701 \
> > > >  main auth "hmac-sha" enc "aes" group modp1024 \
> > > >  quick auth "hmac-sha" enc "aes" \
> > > >  psk ""
> > > > 
> > > > Basically the setup used to work fine a few upgrades ago while I was on 
> > > > 5.5 but then something seems to have changed and it stopped.
> > > > 
> > > > Along with the above I'm running npppd for ipsec/l2tp so I can run the 
> > > > native Android VPN client. I do run OpenVPN in addition but there seems 
> > > > to be some issue with routing on some apps so to get round that the 
> > > > choice is either: add default route manually when using OpenVPN / or 
> > > > use 
> > > > native client.
> > > > 
> > > > 
> > > > I managed to find this thread from the list:
> > > > 
> > > > http://comments.gmane.org/gmane.os.openbsd.misc/209636
> > > > 
> > > > and managed to pretty much validate my config in comparison but for 
> > > > some 
> > > > reason I cannot work this one out.
> > > > 
> > > > System is up to date as per last night and build is:
> > > > 
> > > > 5.6 GENERIC.MP#633 amd64
> > > > 
> > > > 5.6 GENERIC.MP#633 amd64
> > > > 
> > > > 
> > > > Would anyone be able to suggest anything?
> > > > 
> > > > 
> > > > Thanks.
> > > > 
> > > > 
> > > > Kaya
> > > > 
> > > 
> > > 
> > > I am seeing the same behaviour (apparently a clean exit, no message
> > > whatsoever nor core file) on -current, with an ipsec.conf as simple as
> > > this:
> > > 
> > > ike dynamic esp from 10.17.19.3 (egress) to 10.17.16.0/22 \
> > > peer vpn.foo.bar \
> > >   srcid peer1.foo.bar dstid vpn.foo.bar
> > > 
> > > 
> > > I have upgraded -current several times since I last used IPSec, so I
> > > can't tell for sure when it started...
> > > 
> > > 
> > > 
> > > OpenBSD 5.6-current (GENERIC.MP) #634: Mon Dec  1 10:11:11 MST 2014
> > > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Re: ffs and utf8

2014-12-03 Thread Joel Rees
2014/12/03 22:23 "Dmitrij D. Czarkoff" :
>
> First of all, I really don't believe that preservation of non-canonical
> form should be a consideration for any software.

There is no particular canonical form for some kinds of software.

Unix, in particular, happens to have file name limitations that are
compatible with all versions of Unicode past 2.0, at least, in UTF-8, but
it has no native encoding. Most of the tools support ASCII, many now
support Unicode. But there is no native encoding. That's one of the
strengths of Unix.

> There is no single
> reason to allow non-canonical forms to exist at all,

non-canonical forms in what context?

> while there are
> several reasons to avoid them.

Which non-canonical forms?

> More so for foreign encodings in
> filenames -

Define foreign encoding, too. Make sure your definition works for my
context.

Now, if you don't mind keeping my data away from your machine, maybe it's
okay if your definition doesn't work for my context. For some 7 billion
definitions of "me".

> if you are trying to store UTF-16 names on a system with
> UTF-8 locale, you should be converting, not escaping.

Not much argument with that. Many things that can be done should not
necessarily be done.

Most of the time, anyway. There may be some special cases, but you are
talking about file names, and I don't think of any, right off the bat.

> Doing otherwise
> is just asking for trouble.

Oh, I just thought of a couple of exceptions. Theoretical at this point,
but definitely exceptions.

There's no rule that an OS has to use byte-string file names. (And you
don't have to do the stupid things a certain well-known OS does, that uses
UCS-16 as its native transform and Unicode as its native encoding.) But you
know that.

> Next, I assume that ability to enter filenames trumps ability to
> preserve original filename on Unix-like systems.

Entering file names is a function of the tools, not of the OS. And if you
want tools that are limited to NFD, you are free to build and use them.

> In most cases right
> now these two values don't clash, because user input is normalized from
> the very beginning in IME.

Choice, function, and construction of the input stack (and output stack) is
nearly completely independent of the OS (for any decent OS).

> That said, there may be exceptions.  E.g.
> several mail clients won't normalize filename if input encoding matches
> encoding of attachment.

Mail clients are also pretty independent of the OS.

> Thus, having received a file with non-ASCII
> filename from Mac, you'll end up being unable to address it from shell
> even if it was typed using exactly the same keyboard layout you use.

Keyboard layout is independent of the OS. And it is actually possible to
set up an openbsd keyboard and input method that closely mimics a Macintosh.

> I
> don't see how this situation may be justified.

Doesn't need to be. Only needs to be worked around.

> The rare cases when
> original filenames must be preserved byte to byte warrant some special
> handling (eg. storing filenames elsewhere separately or preserving the
> whole files with names and attributes in some archive or other form of
> special database).

Actually, the contexts in which data handling should be orthogonal to
filename encodings are the more common contexts. The OS has to do a lot
that the user never sees, and those internal functions just start fighting
each other when they start making assumptions like encodings.

> Finally, provided that both ends of network communication use canonical
> forms for Unicode, the matter of storing file remotely and then
> receiving it back with filename intact is simply a matter of
> normalization on receiver's side.

As long as you don't drop bytes somehow on the way from here to there.

> That is: if you prefer your local
> files in NFD, and your NAS uses NFC, you should simply normalize
> filenames when you receive files back.

Not OS issues. Application issues. Maybe tool issues, for a limited subset
of tools.

> The only potential problem here
> is "compatibility" normalizations, but these are already problematic
> enough to be avoided in all cases where NFD or NFC do the job.

Broken compatibility normalizations get invented precisely because OS
architects think an OS needs a native encoding.

Remember, the Universal TransForms were invented independently of Unicode.
They were adopted by the Unicode Consortium about the time the Consortium
finally became convinced that there really are more than 65,536
character-like objects that need a code point in a modern information
encoding scheme.

UTF-8 and Unicode are not equivalent.

Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.



Re: isakmpd quits out after running ipsec on CURRENT

2014-12-03 Thread Zé Loff
On Wed, Dec 03, 2014 at 04:09:02PM +0100, Sebastian Reitenbach wrote:
> I run this kernel from beginning of November:
> 
> OpenBSD 5.6-current (GENERIC) #492: Fri Nov  7 10:21:36 MST 2014
> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 
> 586-class) 267 MHz
> cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
> 
> on my soekris box. Isakmpd is just started with: "-4 -K"
> my ipsec.conf looks similar to this one (only IP addresses changed):
> 
> localip="1.1.1.1"
> peerip="2.2.2.2"
> ike esp from 3.3.3.0/24 to 4.4.0.0/16 \
> local $localip peer $peerip \
> main auth hmac-sha1 enc aes-128 group modp1024 \
> quick auth hmac-sha1 enc aes-128 group modp1024 \
> psk "top secret"
>  
> 
> and it "just works".
> 
> does a higher debug level i.e. -D A=90 show something, or logging the 
> packets isakmpd sees with -L give more hints?

No packets are transferred, AFAICT.

Running isakmpd -Kdv -D A=90 yields a single line after ipsecctl is run:

uiconfig: "C set [General]:Check-interval=30 force"

isakmpd then quits with exit code 0.

> 
> cheers,
> Sebastian
> 
> On Wednesday, December 3, 2014 15:53 CET, Zé Loff  wrote: 
>  
> > On Wed, Dec 03, 2014 at 02:00:59PM +, Kaya Saman wrote:
> > > Hi,
> > > 
> > > for some reason, this seems to have been for a while now; isakmpd will 
> > > simply quit running after initiating: ipsecctl -f /etc/ipsec.conf
> > > 
> > > Starting isakmpd manually with flags -Kdv doesn't give any indication as 
> > > to what might be causing the service to crash or segfault and nothing is 
> > > reported in the logs - I checked both daemon and messages.
> > > 
> > > ipsec.conf consists of standard config:
> > > 
> > > ike passive esp transport \
> > >  proto udp from 212.159.80.17 to any port 1701 \
> > >  main auth "hmac-sha" enc "aes" group modp1024 \
> > >  quick auth "hmac-sha" enc "aes" \
> > >  psk "Sclr11XP99"
> > > 
> > > ike passive esp transport \
> > >  proto udp from  to any port 1701 \
> > >  main auth "hmac-sha" enc "aes" group modp1024 \
> > >  quick auth "hmac-sha" enc "aes" \
> > >  psk ""
> > > 
> > > Basically the setup used to work fine a few upgrades ago while I was on 
> > > 5.5 but then something seems to have changed and it stopped.
> > > 
> > > Along with the above I'm running npppd for ipsec/l2tp so I can run the 
> > > native Android VPN client. I do run OpenVPN in addition but there seems 
> > > to be some issue with routing on some apps so to get round that the 
> > > choice is either: add default route manually when using OpenVPN / or use 
> > > native client.
> > > 
> > > 
> > > I managed to find this thread from the list:
> > > 
> > > http://comments.gmane.org/gmane.os.openbsd.misc/209636
> > > 
> > > and managed to pretty much validate my config in comparison but for some 
> > > reason I cannot work this one out.
> > > 
> > > System is up to date as per last night and build is:
> > > 
> > > 5.6 GENERIC.MP#633 amd64
> > > 
> > > 5.6 GENERIC.MP#633 amd64
> > > 
> > > 
> > > Would anyone be able to suggest anything?
> > > 
> > > 
> > > Thanks.
> > > 
> > > 
> > > Kaya
> > > 
> > 
> > 
> > I am seeing the same behaviour (apparently a clean exit, no message
> > whatsoever nor core file) on -current, with an ipsec.conf as simple as
> > this:
> > 
> > ike dynamic esp from 10.17.19.3 (egress) to 10.17.16.0/22 \
> > peer vpn.foo.bar \
> > srcid peer1.foo.bar dstid vpn.foo.bar
> > 
> > 
> > I have upgraded -current several times since I last used IPSec, so I
> > can't tell for sure when it started...
> > 
> > 
> > 
> > OpenBSD 5.6-current (GENERIC.MP) #634: Mon Dec  1 10:11:11 MST 2014
> > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Re: isakmpd quits out after running ipsec on CURRENT

2014-12-03 Thread Sebastian Reitenbach
I run this kernel from beginning of November:

OpenBSD 5.6-current (GENERIC) #492: Fri Nov  7 10:21:36 MST 2014
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 
586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX

on my soekris box. Isakmpd is just started with: "-4 -K"
my ipsec.conf looks similar to this one (only IP addresses changed):

localip="1.1.1.1"
peerip="2.2.2.2"
ike esp from 3.3.3.0/24 to 4.4.0.0/16 \
local $localip peer $peerip \
main auth hmac-sha1 enc aes-128 group modp1024 \
quick auth hmac-sha1 enc aes-128 group modp1024 \
psk "top secret"
 

and it "just works".

does a higher debug level i.e. -D A=90 show something, or logging the 
packets isakmpd sees with -L give more hints?

cheers,
Sebastian

On Wednesday, December 3, 2014 15:53 CET, Zé Loff  wrote: 
 
> On Wed, Dec 03, 2014 at 02:00:59PM +, Kaya Saman wrote:
> > Hi,
> > 
> > for some reason, this seems to have been for a while now; isakmpd will 
> > simply quit running after initiating: ipsecctl -f /etc/ipsec.conf
> > 
> > Starting isakmpd manually with flags -Kdv doesn't give any indication as 
> > to what might be causing the service to crash or segfault and nothing is 
> > reported in the logs - I checked both daemon and messages.
> > 
> > ipsec.conf consists of standard config:
> > 
> > ike passive esp transport \
> >  proto udp from 212.159.80.17 to any port 1701 \
> >  main auth "hmac-sha" enc "aes" group modp1024 \
> >  quick auth "hmac-sha" enc "aes" \
> >  psk "Sclr11XP99"
> > 
> > ike passive esp transport \
> >  proto udp from  to any port 1701 \
> >  main auth "hmac-sha" enc "aes" group modp1024 \
> >  quick auth "hmac-sha" enc "aes" \
> >  psk ""
> > 
> > Basically the setup used to work fine a few upgrades ago while I was on 
> > 5.5 but then something seems to have changed and it stopped.
> > 
> > Along with the above I'm running npppd for ipsec/l2tp so I can run the 
> > native Android VPN client. I do run OpenVPN in addition but there seems 
> > to be some issue with routing on some apps so to get round that the 
> > choice is either: add default route manually when using OpenVPN / or use 
> > native client.
> > 
> > 
> > I managed to find this thread from the list:
> > 
> > http://comments.gmane.org/gmane.os.openbsd.misc/209636
> > 
> > and managed to pretty much validate my config in comparison but for some 
> > reason I cannot work this one out.
> > 
> > System is up to date as per last night and build is:
> > 
> > 5.6 GENERIC.MP#633 amd64
> > 
> > 5.6 GENERIC.MP#633 amd64
> > 
> > 
> > Would anyone be able to suggest anything?
> > 
> > 
> > Thanks.
> > 
> > 
> > Kaya
> > 
> 
> 
> I am seeing the same behaviour (apparently a clean exit, no message
> whatsoever nor core file) on -current, with an ipsec.conf as simple as
> this:
> 
> ike dynamic esp from 10.17.19.3 (egress) to 10.17.16.0/22 \
> peer vpn.foo.bar \
>   srcid peer1.foo.bar dstid vpn.foo.bar
> 
> 
> I have upgraded -current several times since I last used IPSec, so I
> can't tell for sure when it started...
> 
> 
> 
> OpenBSD 5.6-current (GENERIC.MP) #634: Mon Dec  1 10:11:11 MST 2014
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Re: isakmpd quits out after running ipsec on CURRENT

2014-12-03 Thread Zé Loff
On Wed, Dec 03, 2014 at 02:00:59PM +, Kaya Saman wrote:
> Hi,
> 
> for some reason, this seems to have been for a while now; isakmpd will 
> simply quit running after initiating: ipsecctl -f /etc/ipsec.conf
> 
> Starting isakmpd manually with flags -Kdv doesn't give any indication as 
> to what might be causing the service to crash or segfault and nothing is 
> reported in the logs - I checked both daemon and messages.
> 
> ipsec.conf consists of standard config:
> 
> ike passive esp transport \
>  proto udp from 212.159.80.17 to any port 1701 \
>  main auth "hmac-sha" enc "aes" group modp1024 \
>  quick auth "hmac-sha" enc "aes" \
>  psk "Sclr11XP99"
> 
> ike passive esp transport \
>  proto udp from  to any port 1701 \
>  main auth "hmac-sha" enc "aes" group modp1024 \
>  quick auth "hmac-sha" enc "aes" \
>  psk ""
> 
> Basically the setup used to work fine a few upgrades ago while I was on 
> 5.5 but then something seems to have changed and it stopped.
> 
> Along with the above I'm running npppd for ipsec/l2tp so I can run the 
> native Android VPN client. I do run OpenVPN in addition but there seems 
> to be some issue with routing on some apps so to get round that the 
> choice is either: add default route manually when using OpenVPN / or use 
> native client.
> 
> 
> I managed to find this thread from the list:
> 
> http://comments.gmane.org/gmane.os.openbsd.misc/209636
> 
> and managed to pretty much validate my config in comparison but for some 
> reason I cannot work this one out.
> 
> System is up to date as per last night and build is:
> 
> 5.6 GENERIC.MP#633 amd64
> 
> 5.6 GENERIC.MP#633 amd64
> 
> 
> Would anyone be able to suggest anything?
> 
> 
> Thanks.
> 
> 
> Kaya
> 


I am seeing the same behaviour (apparently a clean exit, no message
whatsoever nor core file) on -current, with an ipsec.conf as simple as
this:

ike dynamic esp from 10.17.19.3 (egress) to 10.17.16.0/22 \
peer vpn.foo.bar \
srcid peer1.foo.bar dstid vpn.foo.bar


I have upgraded -current several times since I last used IPSec, so I
can't tell for sure when it started...



OpenBSD 5.6-current (GENERIC.MP) #634: Mon Dec  1 10:11:11 MST 2014
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8357658624 (7970MB)
avail mem = 8131330048 (7754MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xe0010 (78 entries)
bios0: vendor LENOVO version "6QET70WW (1.40 )" date 10/11/2012
bios0: LENOVO 3680WE9
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT ECDT APIC MCFG HPET ASF! BOOT SSDT TCPA DMAR SSDT 
SSDT SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) IGBE(S4) EXP1(S4) EXP2(S4) EXP3(S4) 
EXP4(S4) EXP5(S4) EHC1(S3) EHC2(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz, 2660.43 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG,LAHF,PERF,ITSC
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz, 2660.01 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG,LAHF,PERF,ITSC
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz, 2660.01 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG,LAHF,PERF,ITSC
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 5 (application processor)
cpu3: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz, 2660.01 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG,LAHF,PERF,ITSC
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 2, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 2, remapped to apid 1
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG_)
acpi

isakmpd quits out after running ipsec on CURRENT

2014-12-03 Thread Kaya Saman
Hi,

for some reason, this seems to have been for a while now; isakmpd will 
simply quit running after initiating: ipsecctl -f /etc/ipsec.conf

Starting isakmpd manually with flags -Kdv doesn't give any indication as 
to what might be causing the service to crash or segfault and nothing is 
reported in the logs - I checked both daemon and messages.

ipsec.conf consists of standard config:

ike passive esp transport \
 proto udp from 212.159.80.17 to any port 1701 \
 main auth "hmac-sha" enc "aes" group modp1024 \
 quick auth "hmac-sha" enc "aes" \
 psk "Sclr11XP99"

ike passive esp transport \
 proto udp from  to any port 1701 \
 main auth "hmac-sha" enc "aes" group modp1024 \
 quick auth "hmac-sha" enc "aes" \
 psk ""

Basically the setup used to work fine a few upgrades ago while I was on 
5.5 but then something seems to have changed and it stopped.

Along with the above I'm running npppd for ipsec/l2tp so I can run the 
native Android VPN client. I do run OpenVPN in addition but there seems 
to be some issue with routing on some apps so to get round that the 
choice is either: add default route manually when using OpenVPN / or use 
native client.


I managed to find this thread from the list:

http://comments.gmane.org/gmane.os.openbsd.misc/209636

and managed to pretty much validate my config in comparison but for some 
reason I cannot work this one out.

System is up to date as per last night and build is:

5.6 GENERIC.MP#633 amd64

5.6 GENERIC.MP#633 amd64


Would anyone be able to suggest anything?


Thanks.


Kaya



Re: OT:Password strength

2014-12-03 Thread Brad Smith

On 11/30/14 15:20, Ted Unangst wrote:

Examples:

treetykaveprethicooputhedu
soonataviceenoopatecoge
gootrozapiceelytrithunula
preezypeendothanundipeesooka


That defeats the purpose of the second example in the OPs question.




Re: ffs and utf8

2014-12-03 Thread Dmitrij D. Czarkoff
First of all, I really don't believe that preservation of non-canonical
form should be a consideration for any software.  There is no single
reason to allow non-canonical forms to exist at all, while there are
several reasons to avoid them.  More so for foreign encodings in
filenames - if you are trying to store UTF-16 names on a system with
UTF-8 locale, you should be converting, not escaping.  Doing otherwise
is just asking for trouble.

Next, I assume that ability to enter filenames trumps ability to
preserve original filename on Unix-like systems.  In most cases right
now these two values don't clash, because user input is normalized from
the very beginning in IME.  That said, there may be exceptions.  E.g.
several mail clients won't normalize filename if input encoding matches
encoding of attachment.  Thus, having received a file with non-ASCII
filename from Mac, you'll end up being unable to address it from shell
even if it was typed using exactly the same keyboard layout you use.  I
don't see how this situation may be justified.  The rare cases when
original filenames must be preserved byte to byte warrant some special
handling (eg. storing filenames elsewhere separately or preserving the
whole files with names and attributes in some archive or other form of
special database).

Finally, provided that both ends of network communication use canonical
forms for Unicode, the matter of storing file remotely and then
receiving it back with filename intact is simply a matter of
normalization on receiver's side.  That is: if you prefer your local
files in NFD, and your NAS uses NFC, you should simply normalize
filenames when you receive files back.  The only potential problem here
is "compatibility" normalizations, but these are already problematic
enough to be avoided in all cases where NFD or NFC do the job.

-- 
Dmitrij D. Czarkoff
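
The NFC/NFD mismatch discussed in the message above, as an added example that is not part of the original post: it shows that the two forms of one visible name are different byte strings to a byte-oriented filesystem, finds such look-alike pairs in a listing, and plans receiver-side normalization without overwriting anything. All function names and sample filenames are constructed for illustration.

```python
import os
import unicodedata
from collections import defaultdict

# Constructed sample names (not from the thread), as raw bytes the way a
# byte-oriented Unix filesystem stores them.
NFC_NAME = b"caf\xc3\xa9.txt"         # U+00E9, precomposed
NFD_NAME = b"cafe\xcc\x81.txt"        # 'e' + U+0301, decomposed
LIGATURE_NAME = b"\xef\xac\x81le.txt" # U+FB01 'fi' ligature + "le.txt"
LATIN1_NAME = b"r\xe9sum\xe9.doc"     # ISO-8859-1 bytes, invalid as UTF-8
SAMPLE = [NFC_NAME, NFD_NAME, LIGATURE_NAME, LATIN1_NAME, b"plain.txt"]


def to_text(raw):
    """Decode a directory entry as strict UTF-8; None if it is not UTF-8."""
    try:
        return raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None


def normalize_name(raw, form="NFC"):
    """Return the name in the requested canonical form.

    Names that are not valid UTF-8 are returned byte for byte: guessing an
    encoding here would silently change which file a name refers to.
    """
    text = to_text(raw)
    if text is None:
        return raw
    return unicodedata.normalize(form, text).encode("utf-8")


def find_collisions(names, form="NFC"):
    """Group names that are distinct on disk but equal after normalization."""
    groups = defaultdict(list)
    for raw in names:
        groups[normalize_name(raw, form)].append(raw)
    return {key: members for key, members in groups.items() if len(members) > 1}


def compat_changes(raw):
    """True if compatibility normalization (NFKC) alters the name beyond NFC.

    This is the lossy case the message warns about: the original spelling
    cannot be recovered afterwards.
    """
    text = to_text(raw)
    if text is None:
        return False
    return unicodedata.normalize("NFKC", text) != unicodedata.normalize("NFC", text)


def plan_renames(names, form="NFC"):
    """Plan receiver-side normalization without clobbering existing files.

    Returns (renames, conflicts); each is a list of (old, new) byte pairs.
    A conflict means the normalized name is already taken, so renaming
    would overwrite another file.
    """
    present = set(names)
    claimed = set()
    renames, conflicts = [], []
    for raw in names:
        target = normalize_name(raw, form)
        if target == raw:
            continue
        if target in present or target in claimed:
            conflicts.append((raw, target))
        else:
            claimed.add(target)
            renames.append((raw, target))
    return renames, conflicts


def scan_dir(path, form="NFC"):
    """Run the rename plan over a real directory, reading names as bytes."""
    return plan_renames(os.listdir(os.fsencode(path)), form)


if __name__ == "__main__":
    print("same bytes on disk?", NFC_NAME == NFD_NAME)
    for key, members in find_collisions(SAMPLE).items():
        print("look-alike group:", members)
    print("NFKC would rewrite the ligature name:", compat_changes(LIGATURE_NAME))
    print("plan:", plan_renames(SAMPLE))
```
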



Re: OT:Password strength

2014-12-03 Thread Tor Houghton
On Sun, Nov 30, 2014 at 04:21:50PM -0500, Ted Unangst wrote:
> On Sun, Nov 30, 2014 at 15:37, thornton.rich...@gmail.com wrote:
> > Where do you store these passwords? On a napkin?
> 
> Wherever you like. A shorter password with all the o's turned into 0's
> is hardly more secure.
> 

I'd say "on a napkin" until you remember it; which doesn't take long if you
use it several times a day.

Tor



Re: ffs and utf8

2014-12-03 Thread Joel Rees
On Wed, Dec 3, 2014 at 9:09 PM, Dmitrij D. Czarkoff  wrote:
> Anthony J. Bentley said:
>> > I haven't used Apple OSses since around 10.4, but Mac OS X was doing a
>> > thing where certain well-known directory names were aliased according to
>> > the current locale. For instance, the user's  "music" directory was shown
>> > as 「音楽」 when the locale was set to ja_JP.UTF-8.
>>
>> IMO this is totally crazy behavior and unrelated to the Unicode issue.
>
> GNOME does this too.  It goes even further - proposes to rename XDG
> directories if locale changes.  Most amusingly, if you happen to run GNOME
> and Firefox with English locale and then switch to non-English locale,
> your GNOME will rename XDG directories to new locale defaults, and
> Firefox will re-create "~/Desktop".  I rarely have to deal with systems
> with non-English locales, but each and every time I have to, I get
> terrified with the changes since the last time.

8-/

One of the reasons I quit using gnome.

If there were a way of specifying the initial locale when you create a
new login id, that locale could specify the language to create these
directory names in, and then they should never change. My memory is
that you have to log in once to do that, however.

Maybe it would be better just to not make those directories until they
are needed by an application, and then ask the user to name them
instead of providing standard names.

-- 
Joel Rees

Be careful when you look at conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself, as well.



Re: ffs and utf8

2014-12-03 Thread Dmitrij D. Czarkoff
Anthony J. Bentley said:
> > I haven't used Apple OSses since around 10.4, but Mac OS X was doing a
> > thing where certain well-known directory names were aliased according to
> > the current locale. For instance, the user's  "music" directory was shown
> > as 「音楽」 when the locale was set to ja_JP.UTF-8.
> 
> IMO this is totally crazy behavior and unrelated to the Unicode issue.

GNOME does this too.  It goes even further - proposes to rename XDG
directories if locale changes.  Most amusingly, if you happen to run GNOME
and Firefox with English locale and then switch to non-English locale,
your GNOME will rename XDG directories to new locale defaults, and
Firefox will re-create "~/Desktop".  I rarely have to deal with systems
with non-English locales, but each and every time I have to, I get
terrified with the changes since the last time.

-- 
Dmitrij D. Czarkoff



Re: USB printer not working with CUPS 2.0.1 (in -current)

2014-12-03 Thread Aurélien DESBRIÈRES
Alessandro DE LAURENZIS  writes:

> Dear @misc reader,
>
> my HP Deskjet F4280 USB printer is (again!) not working after CUPS
> update to v2.0.1 in current.
>
> ulpt* is of course disabled, devices' permissions seem ok and the
> printer is correctly recognized:
>
> Console log for poseidon.atlantide.net
> ugen1 at uhub8 port 4 "HP Deskjet F4200 series" rev 2.00/1.00 addr 7
>
> just22@poseidon:[~]> ls -la /dev/ugen1.*
> crw-rw  1 _cups  _saned   63,  16 Nov 28 22:22 /dev/ugen1.00
> crw-rw  1 _cups  _saned   63,  17 Nov 28 22:22 /dev/ugen1.01
> crw-rw  1 _cups  _saned   63,  18 Nov 28 22:22 /dev/ugen1.02
> crw-rw  1 _cups  _saned   63,  19 Nov 28 22:22 /dev/ugen1.03
> crw-rw  1 _cups  _saned   63,  20 Nov 28 22:22 /dev/ugen1.04
> crw-rw  1 _cups  _saned   63,  21 Nov 28 22:22 /dev/ugen1.05
> crw-rw  1 _cups  _saned   63,  22 Nov 28 22:22 /dev/ugen1.06
> crw-rw  1 _cups  _saned   63,  23 Nov 28 22:22 /dev/ugen1.07
> crw-rw  1 _cups  _saned   63,  24 Nov 28 22:22 /dev/ugen1.08
> crw-rw  1 _cups  _saned   63,  25 Nov 28 22:22 /dev/ugen1.09
> crw-rw  1 _cups  _saned   63,  26 Nov 28 22:22 /dev/ugen1.10
> crw-rw  1 _cups  _saned   63,  27 Nov 28 22:22 /dev/ugen1.11
> crw-rw  1 _cups  _saned   63,  28 Nov 28 22:22 /dev/ugen1.12
> crw-rw  1 _cups  _saned   63,  29 Nov 28 22:22 /dev/ugen1.13
> crw-rw  1 _cups  _saned   63,  30 Nov 28 22:22 /dev/ugen1.14
> crw-rw  1 _cups  _saned   63,  31 Nov 28 22:22 /dev/ugen1.15
>
> just22@poseidon:[~]> ls -la /dev/usb*
> crw-rw  1 root   wheel61,   0 Nov 28 22:22 /dev/usb0
> crw-rw  1 _cups  _saned   61,   1 Nov 28 22:22 /dev/usb1
> crw-rw  1 root   wheel61,   2 Nov 28 22:22 /dev/usb2
> crw-rw  1 root   wheel61,   3 Nov 28 22:22 /dev/usb3
> crw-rw  1 root   wheel61,   4 Nov 28 22:22 /dev/usb4
> crw-rw  1 root   wheel61,   5 Nov 28 22:22 /dev/usb5
> crw-rw  1 root   wheel61,   6 Nov 28 22:22 /dev/usb6
> crw-rw  1 root   wheel61,   7 Nov 28 22:22 /dev/usb7
>
> just22@poseidon:[~]> lsusb
> Bus 000 Device 001: ID 8086: Intel Corp. 
> Bus 001 Device 001: ID 8086: Intel Corp. 
> Bus 001 Device 002: ID 05e3:0608 Genesys Logic, Inc. USB-2.0 4-Port HUB
> Bus 001 Device 003: ID 05e3:0608 Genesys Logic, Inc. USB-2.0 4-Port HUB
> Bus 001 Device 004: ID 03f0:0024 Hewlett-Packard KU-0316 Keyboard
> Bus 001 Device 005: ID 046d:c050 Logitech, Inc. RX 250 Optical Mouse
> Bus 001 Device 006: ID 046d:089d Logitech, Inc. QuickCam E2500 series
> Bus 001 Device 007: ID 03f0:2504 Hewlett-Packard DeskJet F4200 series
> Bus 002 Device 001: ID 8086: Intel Corp. 
> Bus 003 Device 001: ID 8086: Intel Corp. 
> Bus 004 Device 001: ID 8086: Intel Corp. 
> Bus 004 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
> Bus 005 Device 001: ID 8086: Intel Corp. 
> Bus 006 Device 001: ID 8086: Intel Corp. 
>
> just22@poseidon:[~]> sudo /usr/local/libexec/cups/backend/usb
> DEBUG: Loading USB quirks from "/usr/local/share/cups/usb".
> DEBUG: Loaded 71 quirks.
> DEBUG: list_devices
> DEBUG: libusb_get_device_list=14
> DEBUG2: Printer found with device ID: MFG:HP;MDL:Deskjet F4200
> series;CMD:MLC,PCL,PML,DW-PCL,DESKJET,DYN;1284.4DL:4d,4e,1;CLS:PRINTER;DES:CB656B;SN:CN8C54F12J05BR;S:038000C486001021002c1f0002ac000;J:
> ;Z:0102,0503b60800,0600,0c0,0e,0f,100202,12000,147,150;
> Device URI:
> usb://HP/Deskjet%20F4200%20series?serial=CN8C54F12J05BR&interface=1
> direct
> usb://HP/Deskjet%20F4200%20series?serial=CN8C54F12J05BR&interface=1 "HP
> Deskjet F4200 series" "HP Deskjet F4200 series" "MFG:HP;MDL:Deskjet
> F4200
> series;CMD:MLC,PCL,PML,DW-PCL,DESKJET,DYN;1284.4DL:4d,4e,1;CLS:PRINTER;DES:CB656B;SN:CN8C54F12J05BR;S:038000C486001021002c1f0002ac000;J:
> ;Z:0102,0503b60800,0600,0c0,0e,0f,100202,12000,147,150;"
> ""
>
> Since I was not able to print, I tried to delete and reinstall the
> printer from the CUPS web interface (and from HPLIP GUI too), but, even
> if the operation seems to complete flawlessly and the
> /etc/cups/printer.conf is written correctly, the printer isn't listed
> among the available devices in CUPS.
>
> After enabling "Save debugging information for troubleshooting" in CUPS,
> this is the relevant content of /var/log/cups/error_log
>
>
> D [03/Dec/2014:08:57:49 +0100] CUPS-Add-Modify-Printer
> ipp://localhost/printers/HP_Deskjet_F4280
> D [03/Dec/2014:08:57:49 +0100] cupsdIsAuthorized: username=""
> D [03/Dec/2014:08:57:49 +0100] [Client 84] Returning HTTP Unauthorized
> for CUPS-Add-Modify-Printer
> (ipp://localhost/printers/HP_Deskjet_F4280) from localhost
> D [03/Dec/2014:08:57:49 +0100] [Client 84] cupsdSendHeader: code=401,
> type="text/html", auth_type=1
> D [03/Dec/2014:08:57:49 +0100] [Client 84] WWW-Authenticate: Basic 
> realm="CUPS", trc="y"
> D [03/Dec/2014:08:57:49 +0100] [Client 85] Accepted from localhost (Domain)
> D [03/Dec/2014:08:57:49 +0100] [Client 85] Waiting

Re: KDE4 crashes in 5.6

2014-12-03 Thread Federico Giannici

Of course, I had already done that.

Thanks.


On 12/03/14 12:58, Vadim Zhukov wrote:

Also, make sure that you have your openfiles (for user) and
kern.maxfiles (sysctl) limits bumped.

--
Vadim Zhukov

On 3 Dec 2014 at 13:14, "Federico Giannici" <giann...@neomedia.it> wrote:

Hi!
I'd like to know if I'm the only one that has experienced crashes
with KDE4 under 5.6-release amd64.

Often, during the startup or shutdown of KDE4, the bug report window
appears saying that "Plasma Desktop Shell closed unexpectedly"
(Executable "plasma-desktop", Signal "Segmentation fault(11)").

Moreover, once every 3-4 times the startup of KDE gets stuck after
the final big KDE logo appears in the startup page (maybe this is
related to the first problem).

It happens in both my PCs where I installed KDE. I'd like to know if
this happens only to me (to my hardware/software configuration), or
is a common and known problem (and if there is any solution).

Thanks.




Re: Squid configuration

2014-12-03 Thread sven falempin
On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley
 wrote:
> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>
>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>
>> _squid
>> ^! Note the underline.
>>
>> as account for this package, so you probably want
>
>
> According to the package README:
>
> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
> "${RCDIR}/squid start") the appropriately-named login class is used
> automatically.
>
> So, the underline shouldn't be necessary.
>

The login would be applied in an rc script? I looked into that:

is that why the _ goes away?

_name=$(basename $0)
[.. so name of the rc script is used to get compiled login.conf info..]
getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
[ but this only prints stuff according to man page ]

There is an rcexec that forces the usage of the login class

grep rcexec /etc/rc.d/*
unbound uses it, but not squid.

I guess my perl script would have to do a strlimit after dropping
privilege to open 4096 files.


On the other hand, the class is supposed to be in master.passwd or be
to default:


name      User's login name.
password  User's encrypted password.
uid       User's login user ID.
gid       User's login group ID.
class     User's general classification (see login.conf(5)).
change    Password change time.
expire    Account expiration time.
gecos     General information about the user.
home_dir  User's home directory.
shell     User's login shell.


_squid:*:515:515:daemon:0:0:Squid Account:
_bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin


bgpd class is blank, squid is set to daemon.

Is bgpd correctly configured ? is squid using the daemon class ? am I
forced to use BSD::resources to strlimit in the perl script to
validate this ? is getcap doing something else than printing ?



-- 
-
() ascii ribbon campaign - against html e-mail
/\



Re: KDE4 crashes in 5.6

2014-12-03 Thread Vadim Zhukov
Also, make sure that you have your openfiles (for user) and kern.maxfiles
(sysctl) limits bumped.

--
Vadim Zhukov
On 3 Dec 2014 at 13:14, "Federico Giannici" wrote:

> Hi!
> I'd like to know if I'm the only one that has experienced crashes with
> KDE4 under 5.6-release amd64.
>
> Often, during the startup or shutdown of KDE4, the bug report window
> appears saying that "Plasma Desktop Shell closed unexpectedly" (Executable
> "plasma-desktop", Signal "Segmentation fault(11)").
>
> Moreover, once every 3-4 times the startup of KDE gets stuck after the
> final big KDE logo appears in the startup page (maybe this is related to
> the first problem).
>
> It happens in both my PCs where I installed KDE. I'd like to know if this
> happens only to me (to my hardware/software configuration), or is a common
> and known problem (and if there is any solution).
>
> Thanks.



USB printer not working with CUPS 2.0.1 (in -current)

2014-12-03 Thread Alessandro DE LAURENZIS
Dear @misc reader,

my HP Deskjet F4280 USB printer is (again!) not working after CUPS
update to v2.0.1 in current.

ulpt* is of course disabled, devices' permissions seem ok and the
printer is correctly recognized:

Console log for poseidon.atlantide.net
ugen1 at uhub8 port 4 "HP Deskjet F4200 series" rev 2.00/1.00 addr 7

just22@poseidon:[~]> ls -la /dev/ugen1.*
crw-rw  1 _cups  _saned   63,  16 Nov 28 22:22 /dev/ugen1.00
crw-rw  1 _cups  _saned   63,  17 Nov 28 22:22 /dev/ugen1.01
crw-rw  1 _cups  _saned   63,  18 Nov 28 22:22 /dev/ugen1.02
crw-rw  1 _cups  _saned   63,  19 Nov 28 22:22 /dev/ugen1.03
crw-rw  1 _cups  _saned   63,  20 Nov 28 22:22 /dev/ugen1.04
crw-rw  1 _cups  _saned   63,  21 Nov 28 22:22 /dev/ugen1.05
crw-rw  1 _cups  _saned   63,  22 Nov 28 22:22 /dev/ugen1.06
crw-rw  1 _cups  _saned   63,  23 Nov 28 22:22 /dev/ugen1.07
crw-rw  1 _cups  _saned   63,  24 Nov 28 22:22 /dev/ugen1.08
crw-rw  1 _cups  _saned   63,  25 Nov 28 22:22 /dev/ugen1.09
crw-rw  1 _cups  _saned   63,  26 Nov 28 22:22 /dev/ugen1.10
crw-rw  1 _cups  _saned   63,  27 Nov 28 22:22 /dev/ugen1.11
crw-rw  1 _cups  _saned   63,  28 Nov 28 22:22 /dev/ugen1.12
crw-rw  1 _cups  _saned   63,  29 Nov 28 22:22 /dev/ugen1.13
crw-rw  1 _cups  _saned   63,  30 Nov 28 22:22 /dev/ugen1.14
crw-rw  1 _cups  _saned   63,  31 Nov 28 22:22 /dev/ugen1.15

just22@poseidon:[~]> ls -la /dev/usb*
crw-rw  1 root   wheel61,   0 Nov 28 22:22 /dev/usb0
crw-rw  1 _cups  _saned   61,   1 Nov 28 22:22 /dev/usb1
crw-rw  1 root   wheel61,   2 Nov 28 22:22 /dev/usb2
crw-rw  1 root   wheel61,   3 Nov 28 22:22 /dev/usb3
crw-rw  1 root   wheel61,   4 Nov 28 22:22 /dev/usb4
crw-rw  1 root   wheel61,   5 Nov 28 22:22 /dev/usb5
crw-rw  1 root   wheel61,   6 Nov 28 22:22 /dev/usb6
crw-rw  1 root   wheel61,   7 Nov 28 22:22 /dev/usb7

just22@poseidon:[~]> lsusb
Bus 000 Device 001: ID 8086: Intel Corp. 
Bus 001 Device 001: ID 8086: Intel Corp. 
Bus 001 Device 002: ID 05e3:0608 Genesys Logic, Inc. USB-2.0 4-Port HUB
Bus 001 Device 003: ID 05e3:0608 Genesys Logic, Inc. USB-2.0 4-Port HUB
Bus 001 Device 004: ID 03f0:0024 Hewlett-Packard KU-0316 Keyboard
Bus 001 Device 005: ID 046d:c050 Logitech, Inc. RX 250 Optical Mouse
Bus 001 Device 006: ID 046d:089d Logitech, Inc. QuickCam E2500 series
Bus 001 Device 007: ID 03f0:2504 Hewlett-Packard DeskJet F4200 series
Bus 002 Device 001: ID 8086: Intel Corp. 
Bus 003 Device 001: ID 8086: Intel Corp. 
Bus 004 Device 001: ID 8086: Intel Corp. 
Bus 004 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 005 Device 001: ID 8086: Intel Corp. 
Bus 006 Device 001: ID 8086: Intel Corp. 

just22@poseidon:[~]> sudo /usr/local/libexec/cups/backend/usb
DEBUG: Loading USB quirks from "/usr/local/share/cups/usb".
DEBUG: Loaded 71 quirks.
DEBUG: list_devices
DEBUG: libusb_get_device_list=14
DEBUG2: Printer found with device ID: MFG:HP;MDL:Deskjet F4200
series;CMD:MLC,PCL,PML,DW-PCL,DESKJET,DYN;1284.4DL:4d,4e,1;CLS:PRINTER;DES:CB656B;SN:CN8C54F12J05BR;S:038000C486001021002c1f0002ac000;J:
;Z:0102,0503b60800,0600,0c0,0e,0f,100202,12000,147,150;
Device URI:
usb://HP/Deskjet%20F4200%20series?serial=CN8C54F12J05BR&interface=1
direct
usb://HP/Deskjet%20F4200%20series?serial=CN8C54F12J05BR&interface=1 "HP
Deskjet F4200 series" "HP Deskjet F4200 series" "MFG:HP;MDL:Deskjet
F4200
series;CMD:MLC,PCL,PML,DW-PCL,DESKJET,DYN;1284.4DL:4d,4e,1;CLS:PRINTER;DES:CB656B;SN:CN8C54F12J05BR;S:038000C486001021002c1f0002ac000;J:
;Z:0102,0503b60800,0600,0c0,0e,0f,100202,12000,147,150;"
""

Since I was not able to print, I tried to delete and reinstall the
printer from the CUPS web interface (and from HPLIP GUI too), but, even
if the operation seems to complete flawlessly and the
/etc/cups/printer.conf is written correctly, the printer isn't listed
among the available devices in CUPS.

After enabling "Save debugging information for troubleshooting" in CUPS,
this is the relevant content of /var/log/cups/error_log


D [03/Dec/2014:08:57:49 +0100] CUPS-Add-Modify-Printer 
ipp://localhost/printers/HP_Deskjet_F4280
D [03/Dec/2014:08:57:49 +0100] cupsdIsAuthorized: username=""
D [03/Dec/2014:08:57:49 +0100] [Client 84] Returning HTTP Unauthorized for 
CUPS-Add-Modify-Printer (ipp://localhost/printers/HP_Deskjet_F4280) from 
localhost
D [03/Dec/2014:08:57:49 +0100] [Client 84] cupsdSendHeader: code=401, 
type="text/html", auth_type=1
D [03/Dec/2014:08:57:49 +0100] [Client 84] WWW-Authenticate: Basic 
realm="CUPS", trc="y"
D [03/Dec/2014:08:57:49 +0100] [Client 85] Accepted from localhost (Domain)
D [03/Dec/2014:08:57:49 +0100] [Client 85] Waiting for request.
D [03/Dec/2014:08:57:49 +0100] [Client 86] Accepted from localhost (Domain)
D [03/Dec/2014:08:57:49 +0100] [Client 86] Waiting for request.
D [03/Dec/2014:08:57:49 +0100] [Client 85] HTTP_STATE_W

Re: KDE4 crashes in 5.6

2014-12-03 Thread Paolo Aglialoro
It looks like the problem lies in the systray when items get added to it:

http://forum.siduction.org/index.php?topic=5203.msg42603#msg42603



Re: Squid configuration

2014-12-03 Thread sven falempin
On Wed, Dec 3, 2014 at 4:56 AM, mxb  wrote:
> echo "max_filedescriptors 4096" >> /etc/squid/squid.conf

Thanks mxb, but squid got that by default, squidclient mgr:cache
answers 4096 to me

>
>> On 3 dec 2014, at 04:07, Einfach Jemand  wrote:
>>
>> On 03.12.2014 03:55, Steve Shockley wrote:
>>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>>
>>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>>>
>>>> _squid
>>>> ^! Note the underline.
>>>>
>>>> as account for this package, so you probably want
>>>
>>> According to the package README:
>>>
>>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
>>> "${RCDIR}/squid start") the appropriately-named login class is used
>>> automatically.
>>>
>>> So, the underline shouldn't be necessary.
>>
>> Yes, I have rechecked and that is correct, no underline/underscore needed.
>>
>> Directing someone looking for a solution into the wrong direction is no
>> good, please accept my apologies.
>>
>> Bye,
>> rru
>



-- 
-
() ascii ribbon campaign - against html e-mail
/\



Re: Squid configuration

2014-12-03 Thread sven falempin
On Tue, Dec 2, 2014 at 8:49 PM, Einfach Jemand  wrote:
>
> Hi,
>
> On 02.12.2014 22:46, sven falempin wrote:
> > Hello,
> >
> > I am more or less forced to test Squid.
> > OpenBSD test.my.domain 5.6 GENERIC.MP#333 amd64
> >
> > I have two problems:
> >
> > <<
> > WARNING! Your cache is running out of filedescriptors
> >>>
> >
> > And probably have to read more about ICAP
> > <<
> > suspending ICAP service for too many failures
> >>>
> >
> >
> > My question is about the fds,
> > i tried to add
> >
> > squid:\
> > :openfiles-cur=4096:\
> > :tc=daemon:
> >
> > into login.conf and did not forget to 'push' it
> >
> > # cap_mkdb /etc/login.conf
> > # echo $?
> > 0
>
> Hmm, I checked on one of my boxen and there /etc/passwd has
>
> _squid
> ^! Note the underline.
>
> as account for this package, so you probably want
>
> _squid:\
> :openfiles-cur=4096:\
> :tc=daemon:
>
> in /etc/login.conf
>
> > It looks like it has no effect. Is this the way to go ? have I to change a
> > limit somewhere else ?
> >
> > Best regards,
> > Sven
> >
>
> HTH
> rru
>

about _ :

$ grep bgpd /etc/passwd /etc/login.conf
/etc/passwd:_bgpd:*:75:75:BGP Daemon:/var/empty:/sbin/nologin
/etc/login.conf:bgpd:\

Other test:

 Using ulimit -n 4096
my perl script open <1025> file


# cat /root/fds.pl
#!/usr/bin/perl
use warnings;
use strict;
use v5.10;
use POSIX;
use File::Temp qw/tempfile/;

# Switch to the uid given as first argument (default 515, the _squid uid).
if (defined $ARGV[0] and $ARGV[0] =~ /^\d+$/) {
    setuid($ARGV[0]);
} else {
    setuid(515);
}
system('id');

# Open temporary files until tempfile() croaks on the descriptor limit.
my @fds = ();
while (0xBAD) {
    my ($fh, $filename) = tempfile();
    last unless $fh;    # but tempfile croaks
    push @fds, { fd => $fh, n => $filename };
}

# Runs even after the croak: report how many files were open, then clean up.
END {
    say 'Count:' . ($#fds + 1);
    foreach my $fd (@fds) {
        close $fd->{fd};
        unlink $fd->{n};
    }
}



Re: KDE4 crashes in 5.6

2014-12-03 Thread Paolo Aglialoro
It looks like a KDE bug.

Exactly the same happens on recent Debian sid, odds are it could be
something tied to system tray, i.e. when items in system tray get
added/changed.

If you wipe .kde/ away the desktop restarts, but it is clearly unacceptable.

This bug is still under investigation, dunno if it has been uploaded
upstream to KDE developers.
On 03/Dec/2014 11:13, "Federico Giannici" wrote:

> Hi!
> I'd like to know if I'm the only one that has experienced crashes with
> KDE4 under 5.6-release amd64.
>
> Often, during the startup or shutdown of KDE4, the bug report window
> appears saying that "Plasma Desktop Shell closed unexpectedly" (Executable
> "plasma-desktop", Signal "Segmentation fault(11)").
>
> Moreover, once every 3-4 times the startup of KDE gets stuck after the
> final big KDE logo appears in the startup page (maybe this is related to
> the first problem).
>
> It happens in both my PCs where I installed KDE. I'd like to know if this
> happens only to me (to my hardware/software configuration), or is a common
> and known problem (and if there is any solution).
>
> Thanks.



KDE4 crashes in 5.6

2014-12-03 Thread Federico Giannici

Hi!
I'd like to know if I'm the only one that has experienced crashes with 
KDE4 under 5.6-release amd64.


Often, during the startup or shutdown of KDE4, the bug report window 
appears saying that "Plasma Desktop Shell closed unexpectedly" 
(Executable "plasma-desktop", Signal "Segmentation fault(11)").


Moreover, once every 3-4 times the startup of KDE gets stuck after the 
final big KDE logo appears in the startup page (maybe this is related to 
the first problem).


It happens in both my PCs where I installed KDE. I'd like to know if 
this happens only to me (to my hardware/software configuration), or is a 
common and known problem (and if there is any solution).


Thanks.



Re: Squid configuration

2014-12-03 Thread mxb
echo "max_filedescriptors 4096" >> /etc/squid/squid.conf

> On 3 dec 2014, at 04:07, Einfach Jemand  wrote:
> 
> On 03.12.2014 03:55, Steve Shockley wrote:
>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>> 
>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>> 
>>> _squid
>>> ^! Note the underline.
>>> 
>>> as account for this package, so you probably want
>> 
>> According to the package README:
>> 
>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
>> "${RCDIR}/squid start") the appropriately-named login class is used
>> automatically.
>> 
>> So, the underline shouldn't be necessary.
> 
> Yes, I have rechecked and that is correct, no underline/underscore needed.
> 
> Directing someone looking for a solution into the wrong direction is no
> good, please accept my apologies.
> 
> Bye,
> rru



Re: ffs and utf8

2014-12-03 Thread Anthony J. Bentley
Joel Rees writes:
> You can even handle broken UTF-8 and unconverted UTF-16/32 of whatever byte
> order spit into the file name as a sequence of bytes if and only if you
> escape NUL, slash, and your escape character properly, restoring the
> escaped characters when putting the file names on the network.

This is just asking for security issues. It's the same kind of thinking
that caused the designers of Java to allow embedding NUL in strings as
0xc0 0x80, or CESU-8 where you can encode astral characters with surrogate
pairs instead of just writing the character directly. The kinds of things
that make people think "Unicode is complex and prone to security issues,"
even though neither of them are allowed by the UTF-8 spec!

> Normalization alone does not know how to restore a potentially normalized
> name. It needs some sort of flag character that says "this name was
> normalized", and a way to choose between de-normalized forms when more than
> one denormalized form maps to one particular normal form.

Once you start stacking multiple accents this becomes unworkable.

> I haven't used Apple OSses since around 10.4, but Mac OS X was doing a
> thing where certain well-known directory names were aliased according to
> the current locale. For instance, the user's  "music" directory was shown
> as 「音楽」 when the locale was set to ja_JP.UTF-8.

IMO this is totally crazy behavior and unrelated to the Unicode issue.

-- 
Anthony J. Bentley
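
Added example, not part of the original message and not code from any project named in the thread: a strict UTF-8 file name check that refuses the two non-conforming encodings mentioned above (NUL written as 0xc0 0x80, and an astral character written as two encoded surrogates), next to a permissive decoder that shows why accepting them is dangerous. The function names and the sample byte strings are constructed for illustration.

```python
# Constructed sample byte strings; none of them come from the thread.
OVERLONG_NUL = b"a\xc0\x80b"                # NUL written as 0xc0 0x80
CESU8_ASTRAL = b"\xed\xa0\xbd\xed\xb8\x80"  # U+1F600 as two encoded surrogates
PLAIN_ASTRAL = b"\xf0\x9f\x98\x80"          # U+1F600 as conforming UTF-8


def classify_name(raw: bytes) -> str:
    """Return 'ok' or the reason a strict file name check refuses raw."""
    if b"\x00" in raw or b"/" in raw:
        return "contains NUL or slash"
    try:
        raw.decode("utf-8")  # Python's UTF-8 decoder is strict by default
    except UnicodeDecodeError as exc:
        lead = raw[exc.start]
        nxt = raw[exc.start + 1] if exc.start + 1 < len(raw) else None
        # 0xc0/0xc1 can only start an overlong two-byte sequence.
        if lead in (0xC0, 0xC1):
            return "invalid UTF-8: overlong encoding"
        # 0xe0 0x80..0x9f and 0xf0 0x80..0x8f are overlong 3/4-byte forms.
        if nxt is not None and (
            (lead == 0xE0 and 0x80 <= nxt < 0xA0)
            or (lead == 0xF0 and 0x80 <= nxt < 0x90)
        ):
            return "invalid UTF-8: overlong encoding"
        # 0xed 0xa0..0xbf would decode to U+D800..U+DFFF (surrogates).
        if lead == 0xED and nxt is not None and 0xA0 <= nxt <= 0xBF:
            return "invalid UTF-8: encoded surrogate"
        return "invalid UTF-8"
    return "ok"


def lenient_decode(raw: bytes) -> str:
    """What a permissive decoder would make of the same bytes.

    Accepts 0xc0 0x80 as NUL and joins encoded surrogate pairs, so two
    different byte strings can end up as the same text. Raises on a lone
    surrogate; that case is outside this demonstration.
    """
    text = raw.replace(b"\xc0\x80", b"\x00").decode("utf-8", "surrogatepass")
    return text.encode("utf-16-le", "surrogatepass").decode("utf-16-le")


if __name__ == "__main__":
    for sample in (OVERLONG_NUL, CESU8_ASTRAL, PLAIN_ASTRAL):
        print(sample, "->", classify_name(sample), "|",
              repr(lenient_decode(sample)))
```

The byte-level check for NUL passes on OVERLONG_NUL, yet the permissive decoder hands back a string containing NUL; that gap between what was checked and what is later used is what the strict decoder closes.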



Re: ffs and utf8

2014-12-03 Thread Joel Rees
Dmitrij had some questions about my intent, I'll try to clarify.

2014/12/02 18:57 "Joel Rees" :
>
> (apologies for the html.)
>
> 2014/12/02 9:52 "Dmitrij D. Czarkoff" :
[ ... and others
Snipped context:
  There was some discussion of what kind of file names should be allowed to
be stored.
  There was something I read as a suggestion for using a normal form based
in Unicode as a target for enforced file name conversion.
  There were some attempts to discuss reasons why file names should not be
forcibly converted.

  And then communication seemed to really break down when I tried to
present a semi-obvious example of why seemingly innocuous conversions turn
out to be not so innocuous after all.]

And, since that didn't work, I tried with an example closer to the
suggested normal form:

> > Joel Rees said:
> > > Now, what would you do with this?
> > >
> > > ジョエル
> > >
> > > Why not decompose it to the following?
> > >
> > > ジョエル

Which didn't communicate the problem, either.

> > Because it is not what Unicode normalization is.
>
> Well, it definitely isn't Unicode normalization. And there is a reason,
> it isn't, even though there were many who thought the Unicode standard
> shouldn't include code points for wide form glyphs.
>
> Let's try one more. I think you have said enough that I can infer that
> your preferred normal form is the decomposit form. So, given that your
> normalization has resulted in a file named
>
> シ゛ョエルの歌
>
> and

given

> the necessity to send it back where it came from, how do you know
> whether or not it should be restored to
>
> ジョエルの歌
>
> before you send it back?
>
> > [...]

But normalization is a red herring in this context.

You may personally have no problems with filename conversions improperly
done, but I am not willing to take them lightly where my data is concerned.
I may have a NAS device that I'm using for backup without
compression/amalgamation (i. e., tar/zip), and if I have a file with a
decomposit name backed up on the NAS, I don't want it automatically
converted to composit when it is restored, the existence of normal forms
notwithstanding.

Unix file names can handle UTF-8 encoded Unicode file names without losing
data because no conversion is necessary. There may be issues with
displaying them, but the file name itself is safe, because '/' is always
'/' and '\0' is always '\0'.

You can even handle broken UTF-8 and unconverted UTF-16/32 of whatever byte
order spit into the file name as a sequence of bytes if and only if you
escape NUL, slash, and your escape character properly, restoring the
escaped characters when putting the file names on the network.

Normalization alone does not know how to restore a potentially normalized
name. It needs some sort of flag character that says "this name was
normalized", and a way to choose between de-normalized forms when more than
one denormalized form maps to one particular normal form.

The last time I looked, the Unicode standard itself stated that this was
the case, and that normalized forms were not recommended for such purposes.
The craziness currently infecting the entire industry leaves me with no
confidence that such is still the case.

I haven't used Apple OSses since around 10.4, but Mac OS X was doing a
thing where certain well-known directory names were aliased according to
the current locale. For instance, the user's  "music" directory was shown
as 「音楽」 when the locale was set to ja_JP.UTF-8. This is useful to
desktop users, but is sometimes confusing when you log in via ssh from a
terminal
that does not display Japanese and fails to declare itself as such. It's
convenient, but even this can cause problems when backing up the entire
home or user directory, if the backup software doesn't know to ask for the
OS canonical name.

Again, apologies for using my (erk) Android device and spitting html at the
list.

Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.
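
Added example, not part of the original message: the restore problem described above, using Python's unicodedata module. Three constructed spellings of the same visible word collapse onto one name under normalization, so the stored name alone cannot say which original to send back; an out-of-band manifest (a hypothetical design, one way to provide the "flag" the message asks for) makes the round trip lossless.

```python
import unicodedata

# Constructed sample: one visible word, three different code point sequences.
COMPOSED = "\u30b8\u30e7\u30a8\u30eb"          # precomposed U+30B8
DECOMPOSED = "\u30b7\u3099\u30e7\u30a8\u30eb"  # U+30B7 + combining mark U+3099
HALFWIDTH = "\uff7c\uff9e\uff6e\uff74\uff99"   # halfwidth katakana forms
SAMPLE = [s.encode("utf-8") for s in (COMPOSED, DECOMPOSED, HALFWIDTH)]


def normalize_name(raw: bytes, form: str) -> bytes:
    """Normalize one UTF-8 file name; raises UnicodeDecodeError on bad input."""
    return unicodedata.normalize(form, raw.decode("utf-8")).encode("utf-8")


def find_collisions(names, form):
    """Map each normalized name to the distinct originals that collapse onto it."""
    groups = {}
    for raw in names:
        groups.setdefault(normalize_name(raw, form), set()).add(raw)
    return {norm: sorted(origs) for norm, origs in groups.items()
            if len(origs) > 1}


def store_with_manifest(names, form):
    """Hypothetical store step: returns {stored_name: original_name}.

    Colliding names get a numeric suffix so nothing is overwritten; the
    manifest is the extra record needed to undo the normalization.
    """
    manifest = {}
    for raw in sorted(set(names)):
        stored = normalize_name(raw, form)
        candidate, n = stored, 1
        while candidate in manifest:
            n += 1
            candidate = stored + b"~%d" % n
        manifest[candidate] = raw
    return manifest


def restore(manifest):
    """Return the original names exactly as they were before storing."""
    return sorted(manifest.values())


if __name__ == "__main__":
    for form in ("NFC", "NFKC"):
        hits = find_collisions(SAMPLE, form)
        print(form, "collisions:", {k: len(v) for k, v in hits.items()})
    manifest = store_with_manifest(SAMPLE, "NFKC")
    print("lossless round trip:", restore(manifest) == sorted(SAMPLE))
```

Under NFC only the composed and decomposed spellings merge; NFKC also folds the halfwidth spelling in, which is why the choice of form changes how much information a converting file system discards.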



Re: PF rules loading bug on OpenBSD 5.6

2014-12-03 Thread David Dahlberg
On Wednesday, 03.12.2014, at 11:08 +0800, Cosmo Wu wrote:

> > and it parsed correctly using command " pfctl -nf /etc/pf.conf.test"
> >
> > when I loaded it from the command " pfctl -f /etc/pf.conf.test "
> >
> > it grumbled:
> >
> > pfctl: DIOCXCOMMIT: Invalid argument

Happens usually, if the pf.conf is indeed correct if read
on its own, but something else in the current state of pf 
leads to a different result of a line than you might expect.

In my case, usually flushing the queues before reloading them from
pf.conf helps.

-dd
-- 
David Dahlberg 

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277