Re: Getting unswapped?
On Tue, May 27, 2014 at 08:04:54AM +0200, bodie wrote:
> Setting swappiness to 0 helps more, but then why is that parameter here at all? Why Linux is swapping most used pages even as there's plenty of free RAM and cache is total mystery.

because it is doing exactly what you asked it to do. This isn't a linux list so I won't bother explaining why but it just goes to show if you play with things you don't understand you can end up shooting yourself in the foot and then amplify the effect by telling everyone.

--
Brett Lymn

This email has been sent on behalf of one of the following companies within the BAE Systems Australia group of companies: BAE Systems Australia Limited - Australian Company Number 008 423 005 BAE Systems Australia Defence Pty Limited - Australian Company Number 006 870 846 BAE Systems Australia Logistics Pty Limited - Australian Company Number 086 228 864 Our registered office is Evans Building, Taranaki Road, Edinburgh Parks, Edinburgh, South Australia, 5111. If the identity of the sending company is not clear from the content of this email please contact the sender. This email and any attachments may contain confidential and legally privileged information. If you are not the intended recipient, do not copy or disclose its content, but please reply to this email immediately and highlight the error to the sender and then immediately delete the message.
Re: Request for Funding our Electricity
On Fri, Jan 17, 2014 at 07:33:01PM -0700, Theo de Raadt wrote:
> What other community has users who commonly run upstream software on 64-bit big-endian strict alignment platform with register windows adjusting the frames in odd ways, or 32-bit big-endian ones with mutex alignment requirements, or a pile of other requirements.

NetBSD does but they also went down the path of making cross compilation easy so you can build all of NetBSD for, say, arm in about 20 minutes on a modern x86 machine.

> Quite frankly, I am not alone in being sick of people who don't use emulators, stepping in to tell we should use emulators.

maybe doing a google search for netbsd anita will provide some hints on what can be done with emulators. They are valuable for some things even if it isn't as a build environment.

--
Brett Lymn
Re: Dual booting OpenBSD and Windows 8.1
On Fri, Nov 15, 2013 at 06:01:30AM +0100, za...@gmx.com wrote:
> I was thinking of dual booting OpenBSD and Windows 8.1. Has anyone managed to do that? I suppose I would have to install Windows first, and then OpenBSD. Does the OpenBSD installation include a boot manager such as GRUB? I have experience setting up dual booting with GRUB, when installing Linux. Is it ok if I follow the same procedure with OpenBSD? If not, how would you advise me to go about it?

Get something called EasyBCD for windows. Use that to install their neogrub boot loader, in the configuration of that do something like:

    root (hd0,1)
    chainloader +1

the hd for root may be different depending on your machine configuration. This will set up a boot selection for you using the windows boot loader - you will get a chance to select what OS you want to boot, if you select the non-windows option then the machine will reboot into the OS you selected. Microsoft are sneaky and pre-load the windows while the timeout is counting down so it looks like windows boots instantly if you select that.

Neogrub is just a port of grub for dos/windows, you can put standard grub commands in there including setting up a grub boot menu if you have more than one OS to boot.

--
Brett Lymn

Warning: The information contained in this email and any attached files is confidential to BAE Systems Australia. If you are not the intended recipient, any use, disclosure or copying of this email or any attachments is expressly prohibited. If you have received this email in error, please notify us immediately. VIRUS: Every care has been taken to ensure this email and its attachments are virus free, however, any loss or damage incurred in using this email is not the sender's responsibility. It is your responsibility to ensure virus checks are completed before installing any data sent in this email to your computer.
Re: Question about caching system
On Tue, Jun 25, 2013 at 10:33:23AM +0200, Ingo Schwarze wrote:
> Ioana b wrote on Mon, Jun 24, 2013 at 06:37:04AM -0700:
>> is there any kind of name service cache system like nscd for linux available any time soon? It would be helpful to have a cache for the users password in case the authentication system is unavailable.
>
> Let's *not* do that. I experienced PITA many times on Linux because of outdated cache entries and users complaining thank you for changing/updating/fixing my account data, but somehow it still doesn't seem to work...
> - me: did you try on one of our OpenBSD hosts?
> - user: yes, it does work fine there.
> See the problem?

Yup, lack of nscd -i by the sysadmin...

--
Brett Lymn
Re: Re : Tux cups
On Mon, May 13, 2013 at 11:58:08AM +0100, James Griffin wrote:
> I just use the base vi(1) and then fmt(1) to format the text. Same for mail(1) if use the command to write in an external editor.

Why not:

    set editor="EXINIT=':set wrapmargin=8' vi %s"

in the muttrc? No need for fmt.

--
Brett Lymn
Re: Google SoC 2012 is accepting open source organisations
On Tue, Mar 06, 2012 at 08:30:25AM -0700, Bob Beck wrote:
> I know of no such mailing list, and certainly Google didn't put me on to it when I had problems with their contract.

*sigh* a search and a half a dozen clicks and I was here:

http://groups.google.com/group/google-summer-of-code-mentors-list

If you are planning to be a mentor you really need to be on the list anyway.

> If you guys want this so freaking badly wake up.. I'm right here. I'm willing to write the project proposals working with the other developers, and I'm willing to supervise and mentor a worthy few students. I'm not willing to put myself, or the OpenBSD foundation, in a nasty legal situation over this. If some proxy organization will deal with the damn google contract, then they need to talk to me. You guys want it, put people in touch with me.

I really don't care if you do this or not. If you want help/guidance contact me off list - I have done GSoC as a mentor before though I have not been the admin for a project, I can/will not do the machinations for you - perhaps someone who is interested in making this happen for OpenBSD will.

--
Brett Lymn
Re: Google SoC 2012 is accepting open source organisations
On Mon, Mar 05, 2012 at 09:08:24AM -0700, Bob Beck wrote:
> I'm always willing to try again if this message is read by someone at Google who can untangle the bureaucracy...

Actually, there are a couple of organisations that are willing to act as a proxy for the payments to organisations that are unable to deal with the legalities imposed by the US IRS - it is not just foreigners that have issues some projects inside the US just don't have the ability to deal with the tax monster. I cannot recall which ones they are at the moment, if asked they will take the money from google and hand it on. Just ask on the GSoC mentors mailing list.

--
Brett Lymn
Re: Google SoC 2012 is accepting open source organisations
On Wed, Feb 29, 2012 at 08:35:03AM +0100, Tomas Bodzar wrote:
> Examples of outputs related to BSD are eg. here:
> http://blog.netbsd.org/tnf/entry/posix_spawn_syscall_added
> http://www.shiningsilence.com/dbsdlog/2011/09/15/8368.html
> but when testing those you can see that they are mostly not so stable as OpenBSD wants. Here something gets implemented when it's really ready and stable as much as possible. This doesn't seem to be same for GSoC results. Style is something like https://en.wikipedia.org/wiki/Release_early,_release_often

Only if you don't look hard enough, wide curses support, lvm support, tcp pxe boot capability and postscript pdf output for mandoc were all GSoC projects that were quite successful, just to name a few. There are some very smart and capable people that participate in GSoC with the right guidance can produce some very good results - OTOH there are some that even with the best mentoring produce crap. The project gets money for taking on a student, the student gets paid to work full time and the mentor gets a t-shirt for their efforts. It can be very rewarding when it all goes right.

--
Brett Lymn
Re: enable MFS for RAMDISK_CD on amd64
On Tue, May 10, 2011 at 07:07:43PM -0700, Daniel C. Sinclair wrote:
> One situation that it would be useful is netbooting and using /sbin/restore to rebuild filesystems over the network. restore needs to write temporary data to /tmp but the ramdisks don't have enough space. It would be handy to be able to mount /tmp on mfs. I think it would be better if restore didn't write to /tmp, though.

restore honours TMPDIR.

--
Brett Lymn
Re: restore wants a new tape but none exists!
On Wed, Mar 09, 2011 at 06:54:07PM +0100, Benny Lofgren wrote:
> I don't think the problem is so much with dump as it is with restore, and even there it's likely not more than a nuisance for the operator. Don't gamble any important data solely on that opinion, though...

When I have seen this situation myself it has resulted in data loss. The backup is bad.

--
Brett Lymn
Re: restore wants a new tape but none exists!
On Wed, Mar 09, 2011 at 08:28:31AM -0700, Jeff Ross wrote:
> On 03/08/11 16:20, Brett Lymn wrote:
>> Unlikely to be a bug more likely that you did a dump of a file system that was changing while the dump was in progress. This breaks the backup and produces the sort of symptoms you are seeing when trying to do a restore.
>
> That's not very likely since this is from my OpenBSD workstation at work taken in the middle of the night when I'm not there and httpd is only set up to listen on localhost.

No log rotations? Changing directory entries seems to be the most likely culprit for having the problem.

> That's the bug I'm asking about, but if what you write above is correct my belief that dump is an adequate backup is now in question. Nowhere in the dump man page does it say that and that certainly flies in the face of everything I thought I knew about how dump does its job.

It is not likely to be a bug it is far more likely that your backup was broken by things changing under dump's feet. It was broken because you had an incomplete understanding of how dump works. Dump is fine to use when the system is in multiuser as long as you take care to ensure changes to meta-data is not done during the backup.

--
Brett Lymn
Re: restore wants a new tape but none exists!
On Wed, Mar 09, 2011 at 10:47:54PM -0700, Theo de Raadt wrote:
> Instead of helping a person who might have found a bug, I think you are talking out of your ass.

If you say so Theo. Oddly, I have experienced exactly those systems with backups from a file system that was being actively changed while dump was doing its work.

I am sure both myself and Jeff will be thrilled when you find the bug. thanks.

--
Brett Lymn
Re: restore wants a new tape but none exists!
On Thu, Mar 10, 2011 at 04:25:50PM +1030, Brett Lymn wrote:
> On Wed, Mar 09, 2011 at 10:47:54PM -0700, Theo de Raadt wrote:
>> Instead of helping a person who might have found a bug, I think you are talking out of your ass.
>
> If you say so Theo. Oddly, I have experienced exactly those systems

sorry... symptoms not systems.

--
Brett Lymn
Re: restore wants a new tape but none exists!
On Wed, Mar 09, 2011 at 10:59:45PM -0700, Theo de Raadt wrote:
> And when you did, did not file a bug report.

Not on OpenBSD.

> And you did work on a patch.

Not on OpenBSD

> So you suck.
>
>> I am sure both myself and Jeff will be thrilled when you find the bug. thanks.
>
> You are a pathetic loser.

And it is this sort of nasty backchannel sniping that ensures it won't be on OpenBSD. I don't care about your opinion Theo. Not one bit.

--
Brett Lymn
Re: restore wants a new tape but none exists!
On Wed, Mar 09, 2011 at 11:13:33PM -0700, Theo de Raadt wrote:
> If you feel so strongly about it that you feel it to forward private correspondence, then please leave our mailing lists.

Only following your lead.

> I am sure others will feel the same; those of you who do, feel free to explain the concept to him.

Ah the invitation for the brands and pitchforks. How nice to rally the troops to do your dirty work and muddy the thread with random flagellation attempts.

> I still think you are a loser. If you have endured a real bug for a long time, and not filed a bug report to have it fixed.. and then feel it is your right to scold people who attempt to explain the bug, then quite frankly, then YOU TOTALLY SUCK.

Certainly not unusual on this list for people to scold people for real bugs, perhaps I am guilty of this now too.. Show us the code for this one, I would like to understand it. Certainly, ever since I have been a system admin the recommended way of running dump was in single user mode if you could to ensure a consistent backup. Maybe I have misunderstood what Pass III and Pass IV of the dump messages mean.

--
Brett Lymn
Re: restore wants a new tape but none exists!
On Tue, Mar 08, 2011 at 02:50:19PM -0700, Jeff Ross wrote:
> Is this worthy of a bug report or is there a peback afoot here?

Unlikely to be a bug more likely that you did a dump of a file system that was changing while the dump was in progress. This breaks the backup and produces the sort of symptoms you are seeing when trying to do a restore.

--
Brett Lymn
Re: restore wants a new tape but none exists!
On Wed, Mar 09, 2011 at 01:49:04AM +0100, Benny Lofgren wrote:
> I don't know about the rest of you guys, but to me that sounds exactly like a bug... especially since nothing is mentioned of such behaviour in the dump man page.

Well, you would have to totally redo the guts of dump if you want to fix this well known behaviour. Dump scans and writes the meta-data first and then writes the data for the files. If you have ever used restore you would note that it builds the directory structure first and then puts the data back. Dump comes unstuck when the file system meta data changes during the backup - when files are added or deleted. The safest way to do a dump is when the machine is in single user mode for this very reason but many people play fast and loose because they cannot wear the outage for a backup, in that case you must quiesce the file systems as best you can. Really, this is well known unix sys admin procedure.

Have a go at fixing it, by all means, but note that people _like_ the interactive restore mode where you can select the files to restore by browsing and would find it unacceptable to wait for a full tape scan before they can perform this task. It will be interesting to see how you go about handling files appearing and disappearing during the backup.

--
Brett Lymn
Re: Donations
On Sun, Dec 05, 2010 at 12:24:49PM -0700, Theo de Raadt wrote:
> Imagine I turned it around: Randal L. Schwartz, I believe you are involved in illegal activity.

Too late - that has already been done to him in the past...

--
Brett Lymn
Re: veriexec in OpenBSD?
On Wed, Sep 01, 2010 at 05:24:21PM -0400, Kenneth Gober wrote:
> it looks like an interesting idea, but I'm not sure what vulnerability it protects you from.

Stupid things as dumb as someone diddling your path to run a trojan instead of ls, replacing a library file (or doing the same with LD_LIBRARY_PATH) or someone slipping trojans into system files.

> if you don't want users to replace system files, it seems like a better idea to prevent them from being replaced, rather than allowing replacement but then preventing access.

Partially but veriexec will prevent unknown binaries running if you set the right flags so you are protected from running things that are not part of the validated file set.

> not that the 'preventing access' problem is much of an obstacle. the article I found via google didn't have a lot of details, but it seems like if you have rights to replace the files, you probably also have rights to write an updated signature to /dev/veriexec.

The signatures are loaded at a low securelevel and once the securelevel is raised new signatures are not allowed to be loaded so you cannot just overwrite signatures.

> if you're not going to require the signatures to themselves be signed I really don't see the point.

Sure, but this requires crypto in the kernel. There are not many respected crypto implementations with an acceptable licence for incorporating into the kernel.

> still, if some developer were interested enough to write a diff, there's nothing stopping them.

Go look for openbsd stephanie, it existed but was never integrated.

--
Brett Lymn
Re: uvm_fault dump to DDB
On Tue, Jan 19, 2010 at 12:57:31PM +0100, Artur Grabowski wrote:
> Is this really the dmesg from the machine? Not manually copied or something? Because every strange error I see in it looks like one bit was flipped.
>
> E.g. com`at)bili4y:
> ` 0x60, should be p 0x70
> ) 0x29, should be i 0x69
> 4 0x34, should be t 0x74

more likely a screwed up parity setting on a serial line.

--
Brett Lymn
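The byte comparison quoted in the message above can be automated. The following is an added example, not part of the original thread: it diffs the garbled string from the message against the word its three corrections imply ("compatibility", reconstructed here) and reports which bit differs in each damaged byte and in which direction. The function and field names are made up for this illustration.

```python
"""Added illustration: bit-level diff of garbled console text against the expected text."""
from collections import Counter
from typing import NamedTuple

# Sample input: the garbled token quoted in the message, and the word implied
# by its three corrections (p, i, t). The expected word is reconstructed here.
GARBLED = "com`at)bili4y"
EXPECTED = "compatibility"


class Flip(NamedTuple):
    index: int        # position of the damaged byte in the string
    got: str          # character as it appeared in the garbled output
    want: str         # character that should have been there
    mask: int         # XOR of the two byte values (the differing bits)
    single_bit: bool  # True when exactly one bit differs
    direction: str    # "cleared" (1 -> 0), "set" (0 -> 1) or "mixed"


def bit_flips(garbled: str, expected: str) -> list[Flip]:
    """Compare two equal-length strings byte by byte and describe each difference."""
    if len(garbled) != len(expected):
        raise ValueError("strings must have equal length for a per-byte comparison")
    flips = []
    pairs = zip(garbled.encode("latin-1"), expected.encode("latin-1"))
    for i, (g, e) in enumerate(pairs):
        mask = g ^ e
        if mask == 0:
            continue
        lost = e & mask    # bits the expected byte had and the garbled byte lacks
        gained = g & mask  # bits the garbled byte has and the expected byte lacks
        if lost and gained:
            direction = "mixed"
        elif lost:
            direction = "cleared"
        else:
            direction = "set"
        # mask & (mask - 1) is zero only when a single bit is set in mask
        flips.append(Flip(i, chr(g), chr(e), mask, mask & (mask - 1) == 0, direction))
    return flips


def summarise(flips: list[Flip]) -> dict:
    """Aggregate the per-byte findings into the pattern a reader would look for."""
    return {
        "damaged_bytes": len(flips),
        "all_single_bit": all(f.single_bit for f in flips),
        "bits": Counter(f.mask.bit_length() - 1 for f in flips if f.single_bit),
        "directions": Counter(f.direction for f in flips),
    }


if __name__ == "__main__":
    found = bit_flips(GARBLED, EXPECTED)
    for f in found:
        print(f"offset {f.index}: {f.got!r} 0x{ord(f.got):02x} -> "
              f"{f.want!r} 0x{ord(f.want):02x}  mask 0x{f.mask:02x}  {f.direction}")
    print(summarise(found))
```

Run over a whole captured dmesg with a known-good copy of the same lines, the summary shows whether the damage is confined to one bit position or spread across several.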
Re: VPN suggestions and advise for clean sheet setup
On Fri, Feb 29, 2008 at 04:09:01PM -0500, Daniel Ouellet wrote:
> Requirements are to sadly connect Windows users back to a network and I want that box to be OpenBSD, or multiples OpenBSD boxes to get full network access from these connections. Multiple at once and I try to keep the management of the users as simple as possible.

Have a look at the VPN client at http://www.shrew.net/, it is a standards compliant IPSEC VPN client that interoperates with open software IPSEC implementations - I have not tried it with OpenBSD but I imagine that it will Just Work(tm). The license is reasonably fair though restrictive and you can create an install bundle that will pretty much auto-configure the client with only a small amount of prep work which makes the window side deployment very simple. The only issue I have had was the dead peer detection was a little too aggressive for some of the people I was using this with - just turning this off on the client side fixed the problem.

--
Brett Lymn
Re: Cold Boot Attacks on Encryption Keys
On Thu, Feb 21, 2008 at 05:19:28PM -0600, Marco Peereboom wrote:
> Let me give you an engineering opinion: bwahahahahahaha this is retarded.

Well, let me give you another engineering opinion based on actual experience working on a machine with a custom graphics system - it is not 100% reliable but DRAM can show a surprising amount of remanence even without power/refresh. We used to see parts of the display come up even after the machine had been down for hours.

--
Brett Lymn
Re: Cold Boot Attacks on Encryption Keys
On Thu, Feb 21, 2008 at 07:12:58PM -0600, Marco Peereboom wrote:
> And the power plug wasn't plugged in right?

Correct. We are not talking PC DRAM here - this was custom hardware with a circuit breaker that really cut power to everything. Often when you powered it up before the firmware got around to forcing a clear on the display ram (yes, the display ram was DRAM) you could clearly see parts of the display. To be honest it surprised the hell out of me the first time I saw it too.

--
Brett Lymn
Re: Cold Boot Attacks on Encryption Keys
On Thu, Feb 21, 2008 at 08:04:07PM -0600, Marco Peereboom wrote:
> I really have a hard time buying this.

Yes, I can understand that - I was the same until I saw the remnants of the display come up on the screen.

> I can see how you ended up with some crap in that memory upon reboot but I fail to see how that memory could retain its contents. Not knowing the situation you might have had some huge caps on that machine; or even battery backed up ram.

Nup - no real power storage devices in the machine at all, seriously. Technically DRAM is really a capacitor connected to a transistor - the charge in the capacitor in the dram cell determines the 1 or 0. How long the cell can retain that charge depends a lot on the particular cell - some hold the charge better than others.

-- Brett Lymn
Re: Authenticate squid in Active Directory
On Thu, Feb 07, 2008 at 11:42:38AM -, [EMAIL PROTECTED] wrote:
> Brett Lymn wrote: I did not. So, regarding these claims of interoperability, can you put LDAP+Kerberos+DNS services on an OpenBSD in a network of Windows clients and removed the need for any other machines running AD?

That is from Lars - I have strong objections being implicated in being responsible for any of his drivel.

-- Brett Lymn
Re: Authenticate squid in Active Directory
On Thu, Feb 07, 2008 at 11:26:09AM +0200, Lars Noodén wrote:
> Pose the question again. You are, among other things, unclear.

No. Look in the archives if you want it - I know you don't have any answers apart from some tired rhetoric.

-- Brett Lymn
Re: Authenticate squid in Active Directory
On Wed, Feb 06, 2008 at 10:09:50AM +0200, Lars Noodén wrote:

Assuming a positive aspect to that, either you're confused about the meaning of word 'based' or unfamiliar with AD. Neither actually but you seem content. Never mind. AD is *not* Kerberos nor is it LDAP. AD may well be inspired by LDAP and Kerberos and DNS, but go back and read up on it. The added/missing/changed parts prevent or, at best, hinder interoperability. A tool that does not conform to the specification is, guess what, not a standard. Oddly this non-standard AD seems to interoperate with the Solaris ldap client, an openldap client and with MIT kerberos just fine.

-- Brett Lymn
Re: Authenticate squid in Active Directory
On Wed, Feb 06, 2008 at 02:42:02PM +0200, Lars Noodén wrote:
> Brett Lymn wrote:
>> Oddly this non-standard AD seems to interoperate with the Solaris ldap client, an openldap client and with MIT kerberos just fine.
>
> Seems to, or actually does? Or can be pounded in after agreeing to non-Open licenses?

Alright. I am Australian and we are renowned for understating things. Just to make it crystal clear for you Lars, I have used squid integrated with Active Directory authentication using purely open source tools (samba winbindd, MIT kerberos 5, openldap) for _years_. It works - no ifs no buts, it just goes. I can bind our Solaris machines to the AD domain using samba, the AD management shows those machines as valid clients in the AD forest.

> Point me to some more recent articles or documentation (without NDA requirements) which counter the following:

Lars, you are an idiot. You are throwing up 8 year old articles describing problems with operating systems that are now obsolete. As others have pointed out, what you are pointing at are non-issues and MS has followed the RFC's.

> What I am saying is that without careful planning, injudicious use of the patch leads to further entrenchment of an unsound service and the unsound system in which it is embedded rather than as a transition to a more stable, secure and maintainable infrastructure.

Ah - you actually failed to answer that bit from my initial message. I am wondering what this mythical infrastructure you write of is.

-- Brett Lymn
Re: Authenticate squid in Active Directory
On Tue, Feb 05, 2008 at 05:32:48PM +0200, Lars Noodén wrote:
> Obviously you've had no contact with AD or the cruftware it is infesting.

Looks like you have not had much either.

> So what standards-based authentication service would you propose besides LDAP+Kerberos? Hesiod? Shibboleth?

AD is based on standards. They use LDAP+kerberos plus a bit of DNS to allow the kerberos to locate the kerberos infrastructure automatically - something that the non-windows world sadly lacks. The database is automatically replicated with tombstoning of records - again something the non-windows world lacks. MS may have bastardised some parts of kerberos and DNS to get AD working but it mostly works pretty much automatically and can scale up without requiring too much extra admin, something I have yet to see happen in the opensource world.

I don't like AD but, big picture wise, it does have some attributes that would be good to adopt (attributes, not implementation). Bagging it without offering a solid alternative is just pointless rhetoric. But given the domain you appear to be posting from I guess there is already somewhat of a mindset going on anyway.

-- Brett Lymn
Re: Remove escape characters from file
On Fri, Oct 26, 2007 at 03:45:39PM +0200, Pieter Verberne wrote:
> does OpenBSD have a program/script to remove control characters (escape sequence) from text files?

Try col -b

-- Brett Lymn
Re: expansion of FAQ# 1.10 re OpenBSD as a desktop system
On Thu, Oct 11, 2007 at 10:56:38PM -0400, Kevin Stam wrote:
> Or perhaps you're being quite legitimate here. I just haven't heard of that problem before, it's always been about 3d acceleration.

http://en.wikipedia.org/wiki/X_video_extension

It makes a big difference.

-- Brett Lymn
Re: That whole Linux stealing our code thing
On Tue, Sep 04, 2007 at 06:16:35PM -0600, Theo de Raadt wrote:
> As far as I know the 3-term BSD license is totally dead, except in NetBSD, where their group still pushes developers to place new code under a full 4-term license. Sometimes we reluctantly include such code, hoping that one day this situation can be improved.

The 4 term licence in NetBSD is mostly dead too. It is not pushed as desirable at all, it is up to the individual developer to use the licence they feel appropriate and that seems, more often than not, to be the 3 term licence.

Not that it matters much but I think the advertising clause is a waste of time and does make life far more difficult for the people who do want to comply with the licence conditions - they have to trawl through all the code and pull out all the individuals that want their names mentioned. It made a little more sense when the sources were under the BSD umbrella but now it's just silly having to list a cast of thousands in any advertising.

-- Brett Lymn
Re: Mapping disk sector to file name
On Fri, Mar 09, 2007 at 09:40:40AM -0800, Ted Unangst wrote:
> then i'd modify fsck (or maybe write your own, it may be simpler) tool to start at the filesystem root and scan ahead until it finds an inode pointing to the bad block.

If the bad blocks produce read errors then tar will tell you the file:

    tar cf /dev/null /bad_blocks_mount

on a read error tar will print out the affected file name.

-- Brett Lymn
Re: The future of NetBSD
On Sat, Sep 02, 2006 at 05:30:23PM +0200, Timo Schoeler wrote:
> please stop this thread. you're like a whining child that didn't...

Whining? I have not been whining, but you, you have written whining to a German list. Thanks, you made me laugh.

> there is black and white. you can promote open source and demand open documentation, or even open hardware (which would be best; projects of this character do exist).

Timo, if you just would shut up and hack you would fit in even better.

-- Brett Lymn
Re: The future of NetBSD
On Sat, Sep 02, 2006 at 01:47:59PM +0200, Timo Schoeler wrote:
> it's one of the most important issues that ever came up in the recent months on NetBSD MLs, and it's being ignored.

No, Timo, it's not being ignored. You just cannot accept the answer is something different to what you want. You'll probably be happier here.

-- Brett Lymn
Re: Static functions in C code
On Tue, May 30, 2006 at 04:55:14PM +0300, Denis Doroshenko wrote:
> why would you even want that (moreover in opensource)? hide for what reason?

It's called lexical scoping - it has nothing really to do with security more to do with preventing namespace pollution. Clearly you have never written a library. By scoping functions static you are indicating that the functions are private and are not part of the interface available for use. You do this actually to protect the users of your code - you don't need to care about namespace clashes e.g. you can call the internal function next_one() without fear, if the function is not statically scoped then you would have to prefix the function with __mylib_next_one() or suchlike otherwise a consumer of your library would get a duplicate symbol if they created their own function next_one(), or even worse the consumer's function will be called by the library internals... no doubt doing the wrong thing.

Secondly it means that you, as the library creator, are able to change the internal interfaces at whim without needing to be concerned about the impact on the consumers of your library. Sure, people can modify the source and remove the static from the function but at this point they are lining a gun up on their foot with their finger on the trigger - if they happen to put a bullet through their foot they have no one to blame but themselves.

Again, it's not a security issue - it's a usability/api issue.

-- Brett Lymn
Re: Magic numbers, signed binaries (Re: Compilers make a system less secure?)
On Fri, May 05, 2006 at 08:37:41PM +1000, Jonathan Gray wrote:
> Not to mention the whole perl/sh/etc deal which will have to exist to allow the system to function, and can run whatever.

Not under a correctly configured veriexec. Otto is correct about exploiting a buffer overflow to run code (certainly veriexec won't stop that trick) but I do wonder if it would be possible to enforce a restriction that any executable page must be backed by an on-disk object and how much pain/lossage that would entail.

-- Brett Lymn
Re: Why /bin/[
On Mon, Feb 06, 2006 at 09:00:59PM -0800, [EMAIL PROTECTED] wrote:
> Why is there a file called [ in the /bin directory of my generic 3.8 build?
>
>     144 -r-xr-xr-x 2 root bin 72128 Sep 10 15:18 [

Ever wondered why:

    if [ -x some/file ]
    then
        echo file executable
    fi

works in /bin/sh?

-- Brett Lymn
Re: Regarding a SPARCSTATION 1+
On Sun, Jan 29, 2006 at 02:14:38PM +0200, Gabriel George POPA wrote:
> And another problem: it seems to have AUI ethernet. What kind of adapter (if any) can I find in order to use its interface (AUI)

The thing you are looking for is called a medium access unit (MAU), it converts the AUI into either 10base-2 or 10base-T depending on the unit you get. They may be rare beasties now as most were probably thrown out as old junk years ago.

> with a common 100BaseT switch?

The network interface in a 1+ is 10Mbit/s only. Make sure your switch can handle that.

-- Brett Lymn
Re: Still stuck with this assembly stuff (amd64)
On Thu, Jul 21, 2005 at 11:17:31AM +0200, Artur Grabowski wrote:
> Never mind that the way that code does syscalls is unsupported even on i386. Never mind that the calling conventions on amd64 are different. Never mind that you're using 32-bit pointers on a 64-bit architecture. Never mind that the syscall entry point you're using shouldn't even be there.

Of course Art is right here... what you should be doing is trawling the web with Google looking for the amd64 ABI specification so you can understand how embarrassing that code really is. One also wonders why, if you are determined to do this, you don't just compile a hello_world.c and disassemble the output (or just make the compiler output the .s file for you...)

-- Brett Lymn
Re: Cross-Compiling OpenBSD
On Mon, Jul 11, 2005 at 03:09:42PM -0401, Nick Holland wrote:

Let's see...what possibly fanless, low-power platforms do we have? ... i386..ok, but you can native build on Really Fast Stuff. Uh huh... unless your Really Fast Stuff happens to be an amd64 box in which case you are no longer doing a native build. Working on an old, slow machine is not a necessity anymore. If you aren't doing it for fun, move on. If you can't laugh at release time when someone hands you the SECOND after the last minute security fix for an app requiring a rebuild and re-release, you are using the wrong platform. Yes, I have been there and done that too - the problem you have is when the cut off date for getting the CD master out for duplication is looming and you can see you won't have enough time to get a complete build done. That means you have the tough choice of pushing back the release date or not shipping that architecture (this leaves out the microsoft answer of just shipping with the bug of course...) Pretending for a moment your argument had merit, what if the cross build works but the native build does not? What if your slow platform has a platform-specific instability that shows itself on native building? Been there, done that, too. Isn't that called a bug? It's really no different to tracking a bug in the native build system... though it may be a lot faster due to the faster iteration times. We've seen what cross-building means for other projects. We've seen what native building does for OpenBSD. We rather like our choice. We have seen what it does for quality. Sure, fine. As I said before, this really impacts the developers more than the user community - your choice, you live with it.

-- Brett Lymn
Re: Cross-Compiling OpenBSD
On Tue, Jul 12, 2005 at 07:10:02AM -0400, Nick Holland wrote:
> a bit of a disconnect with reality. You need your build done in half an hour rather than an hour? This argument line is nonsense. If you bought an amd64 to back up your Soekris box, you blew it.

That statement assumes too much - the fact remains that you may only have a couple of machines of different architecture, one may be of vastly superior capability but you are unable to use that capability to bootstrap the slower machine.

> ASSUMING YOU EVER SEE IT. If you don't see a bug, you ship crap.

That applies for both native and cross-built. THERE IS NO DIFFERENCE AN UNSEEN BUG MAY BE THERE REGARDLESS. It has happened in the past to OpenBSD and it may just happen again.

> I think you just said something about NetBSD's goals...wow.

I said nothing about NetBSD's goals. You are imagining things.

-- Brett Lymn
Re: Cross-Compiling OpenBSD
On Sun, Jul 10, 2005 at 03:38:29PM -0400, Nick Holland wrote:
> If your machine is too slow to do what you need it to do, you need a faster machine. Cross compiling is not the answer to your problem.

Not so Nick. There may be some cases where you deliberately have a slow machine for reasons of power consumption/heat dissipation, perhaps a fanless machine, you want to update. Or just that the fastest machine in the architecture you are targeting falls way behind current machines (SPARC vs current P4, say). Telling someone to use a faster machine is a trite answer but, in some cases, it is simply infeasible.

> Which would you rather have developers doing...adding new features, cleaning up code, improving existing operation...or helping insert adjective here users do silly things with no value added to the project?

improving existing operation you just said it there. Cross building means that you are not bound by the limitations of the target hardware. This actually impacts the developers more than anyone else, especially during the release cycle. Imagine having to restart a build that takes literally days to complete because what seemed to be a benign change that fixes a bug causes an architecture specific build error. In a cross build environment the impact could be as little as an hour or two instead of days. It means developers can do more stuff because they are not waiting for the slower processors to grind through a compile.

-- Brett Lymn
Re: Cross-Compiling OpenBSD
On Mon, Jul 11, 2005 at 02:09:14PM +0200, Artur Grabowski wrote:
> People with special needs also have the budgets to hire people who solve the problem for them. If you can't afford it - don't get yourself special needs.

and don't become a developer for one of the slower architectures...

> Not cross compiling and actively discouraging cross compilation is why all OpenBSD architectures are constantly stress tested and therefore relatively stable while some other projects that shall not be named don't even have working boot blocks for the architectures they support.

tsk... others are not allowed to make errors? How is that related to cross building anyway? Are you saying the boot blocks get reinstalled on the build servers every time? And _all_ supported boot methods including network booting are tested?

-- Brett Lymn
Re: Cross-Compiling OpenBSD
On Sun, Jul 10, 2005 at 10:54:45AM +0100, Tom Cosgrove wrote: BSD (whether OpenBSD or any other flavor) is not Linux or anything else like that. It is a complete operating system, in use in production in many places. No need to go to Hurd. NetBSD is able to be built on a foreign operating system and/or can cross build to most of the architectures that NetBSD supports. -- Brett Lymn
Re: OpenBSD in commercial firewalls?
On Wed, Jun 15, 2005 at 04:11:45PM +0200, Teemu Schaabl wrote:
> IPSO derived from FreeBSD as an engineer employed at nokia told me;

In the version of IPSO I once used you didn't need to guess, the names of the FreeBSD developers were still in some of the files on the system. IPSO is a heavily modified version of FreeBSD, that is well known within the IPSO user community.

-- Brett Lymn
Re: OpenBSD on the desktop
On Tue, Sep 07, 2004 at 09:58:42PM -0400, Aaron Suen wrote:
> If 3D gaming is a priority for you, you might want to try FreeBSD. It's only a stone's throw from OpenBSD (at least considerably closer than any Linux I've ever seen) and XFree86 has DRI and native support for many vidcards. I have 3D accel working great on my Radeon 7500 using the native (not written by ATI) drivers.

If 3D gaming is a priority then that is unlikely to be good enough for today's games. The native DRI driver only handles older cards, to get 3D acceleration support for later cards you have to use the closed source vendor driver which pretty much forces you down the Linux path unless you can bear to run windows. Good luck getting ATI cards and Linux to play nicely... the ATI drivers for Linux are not the best, it's a bit hit or miss as to if they work or not in a particular machine.

-- Brett Lymn
Re: Sun ELC?
On Thu, Jun 02, 2005 at 06:31:58PM -0400, Nick Holland wrote:
> A little googling showed the specs. 33MHz, maximum of 64MHz. Probably in the neighborhood of a Mac 68040-based machine. Probably a bit faster than my SS2, which won't impress anyone.

Actually, the ELC is not faster than the SS2, the ELC processor does not have as many context registers as a SS2 (maybe some other differences) so the SS2 will generally feel faster. The ELC is a monochrome only all in one box you are very very lucky if:

a) you have one with a working nvram after all this time
b) you have one with a working screen - the ELC had a few problems with the video components aging that would lead to the screen fading or (if I recall correctly) losing vertical sync.

If you are hardware inclined you could just rip the processor board out of the back (hidden under the clip off grille at the back of the machine on the ELC) and use the board for something, it's not exactly the smallest SBC you can get but everything is on the board. The form factor is a standard 6U board so if you have a 6U card cage you could possibly mount it ... or just mount it in some other case.

-- Brett Lymn
Re: Sun ELC?
On Thu, Jun 02, 2005 at 09:31:07PM -0400, Nick Holland wrote:
> The feel part is in reference to the mac68k systems. The mac68k machines are NOT multi-user systems by design, they really feel sluggish beyond the limitations of their processor.

Heh - from memory a mac68k system was not meant to be used for more than a few hours between reboots because the OS did not handle fragmentation in the heap well at all and applications would start failing because they could not allocate a large enough chunk of contiguous memory on the heap.

> On the other hand, there is no question that the 80386 is a much slower processor than the 68040 -- do anything involving crypto, you will know that, no question. Or compression. Or ...

Yes. Must be something to do with having an orthogonal instruction set and a decent number of registers to work with (amongst other things).

-- Brett Lymn
Re: Getting Yesterday's Date (Repost due to error)
On Mon, May 30, 2005 at 11:48:49PM +, Christian Weisgerber wrote:
> I don't think there is a reliable solution without something like FreeBSD's -v or GNU's -d extensions.

If you only want yesterday then this should do (it is ugly but it has been tested on Solaris/Linux/NetBSD):

    #!/bin/sh
    #
    # A way of working out what the date was yesterday - portably.
    #
    isleapyear() {
        #
        # Determining leap years is easy (sortof).
        # returns 0(true) if leapyear, 1 otherwise
        #
        if [ `expr $1 % 4` -eq 0 ]
        then
            if [ `expr $1 % 100` -eq 0 ]
            then
                if [ `expr $1 % 400` -eq 0 ]
                then
                    return 0
                fi
            else
                return 0
            fi
        fi
        return 1
    }

    #
    # Return the last day of the month taking into account leap years, $1
    # is the month
    #
    ldom() {
        case $1 in
        1|3|5|7|8|10|12)
            day=31
            ;;
        2)
            if isleapyear $year
            then
                day=29
            else
                day=28
            fi
            ;;
        *)
            day=30
            ;;
        esac
        return $day
    }

    #
    # Calculate the date for yesterday. Takes three parameters, $1 is the day
    # $2 is the month and $3 is the year
    #
    yesterday() {
        day=$1
        month=$2
        year=$3
        if [ $day -ne 1 ]
        then
            day=`expr $day - 1`
        else
            if [ $month -ne 1 ]
            then
                month=`expr $month - 1`
                ldom $month
            else
                year=`expr $year - 1`
                month=12
                day=31
            fi
        fi
    }

    #
    # This is just for testing...
    #
    while read day month year
    do
        yesterday $day $month $year
        echo Yesterday was $day/$month/$year
    done

-- Brett Lymn