Re: Extremely bizarre using sysupgrade from May 6 -current

2021-05-07 Thread Chris Bennett
Ha! Sorry for the noise.
I needed to check a file from etc with the latest -current.
I untarred base69.tgz in the _sysupgrade directory.

Script choked on the existing wrong files.

+1 for good work on sysupgrade!
-1/2 for me not cleaning up!

ROFL at myself,
Chris Bennett
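
The failure in this thread came from extracted directories left behind in the sets directory. As an added example (not part of the original post and not code from sysupgrade), the following pre-flight audit flags anything in that directory that is not a regular file, or that the SHA256 list does not name. The function names and the sample directory are constructed for illustration; /home/_sysupgrade is the path shown in the thread.

```shell
#!/bin/sh
# Added example: audit a sysupgrade sets directory before an upgrade run.
# On a real system: audit_setsdir /home/_sysupgrade

# Print the file names listed in a BSD-style checksum file,
# whose lines look like: SHA256 (base69.tgz) = <64 hex digits>
listed_names() {
    sed -n 's/^SHA256 (\(.*\)) = [0-9a-f]\{64\}$/\1/p' "$1"
}

# audit_setsdir DIR
# Prints one line per problem entry found directly under DIR:
#   NOTFILE name    directory, symlink or other non-regular entry
#   UNLISTED name   regular file that DIR/SHA256 does not name
# Returns 0 when nothing was flagged, 1 otherwise.
audit_setsdir() {
    dir=$1
    bad=0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        name=${entry##*/}
        if [ -L "$entry" ] || { [ -e "$entry" ] && [ ! -f "$entry" ]; }; then
            printf 'NOTFILE %s\n' "$name"
            bad=1
        elif [ -f "$entry" ]; then
            # The checksum list and its signature are not listed in themselves.
            case $name in SHA256|SHA256.sig) continue ;; esac
            if [ ! -f "$dir/SHA256" ] ||
               ! listed_names "$dir/SHA256" | grep -Fxq -- "$name"; then
                printf 'UNLISTED %s\n' "$name"
                bad=1
            fi
        fi
    done
    return "$bad"
}

# Constructed sample: a sets directory with extracted directories and a
# stray file in it. The checksum values are dummy zeros.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'SHA256 (INSTALL.amd64) = %064d\n' 0 >  "$d/SHA256"
    printf 'SHA256 (base69.tgz) = %064d\n' 0    >> "$d/SHA256"
    : > "$d/INSTALL.amd64"
    : > "$d/notes.txt"
    mkdir "$d/bin" "$d/etc" "$d/usr"
    printf '%s\n' "$d"
}

sample=$(make_sample) && {
    audit_setsdir "$sample" || echo "sets directory is not clean"
    rm -rf "$sample"
}
```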




Extremely bizarre using sysupgrade from May 6 -current

2021-05-07 Thread Chris Bennett
I just ran sysupgrade -snk and got this:

CX ~ # sysupgrade -snk  
  
Fetching from https://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/
SHA256.sig   100% ||  2144   00:00
Signature Verified
Verifying old sets.
rm: altroot: is a directory
rm: bin: is a directory
rm: dev: is a directory
rm: etc: is a directory
rm: home: is a directory
rm: mnt: is a directory
rm: root: is a directory
rm: sbin: is a directory
rm: tmp: is a directory
rm: usr: is a directory
rm: var: is a directory

CX ~ # ls /home/_sysupgrade/
  
total 200
drwxr-xr-x  13 root  wheel    512 May  7 19:47 .
drwxr-xr-x  30 root  wheel   2560 May  6 07:09 ..
-rw-r--r--   1 root  wheel  43523 Feb 16 11:10 INSTALL.amd64
-rw-r--r--   1 root  wheel   1992 May  7 19:47 SHA256
drwxr-xr-x   2 root  wheel    512 May  6 03:29 altroot
drwxr-xr-x   2 root  wheel   1024 May  6 03:29 bin
drwxr-xr-x   2 root  wheel    512 May  6 03:29 dev
drwxr-xr-x  21 root  wheel   1024 May  6 03:30 etc
drwxr-xr-x   2 root  wheel    512 May  6 03:29 home
drwxr-xr-x   2 root  wheel    512 May  6 03:29 mnt
drwx------   3 root  wheel    512 May  6 03:29 root
drwxr-xr-x   2 root  wheel   1536 May  6 03:29 sbin
drwxr-xr-x   2 root  wheel    512 May  6 03:29 tmp
drwxr-xr-x  12 root  wheel    512 May  6 03:29 usr
drwxr-xr-x  23 root  wheel    512 May  6 03:29 var
CX ~ # ls /home/_sysupgrade/bin
total 20328
drwxr-xr-x   2 root  wheel    1024 May  6 03:29 .
drwxr-xr-x  13 root  wheel     512 May  7 19:47 ..
-r-xr-xr-x   2 root  wheel  128232 May  6 03:29 [
-r-xr-xr-x   1 root  wheel  130680 May  6 03:29 cat
-r-xr-xr-x   3 root  wheel  281992 May  6 03:29 chgrp
-r-xr-xr-x   1 root  wheel  149304 May  6 03:29 chio
-r-xr-xr-x   3 root  wheel  281992 May  6 03:29 chmod
-r-xr-xr-x   5 root  wheel  184632 May  6 03:29 cksum
-r-xr-xr-x   1 root  wheel  159872 May  6 03:29 cp
[snip]

All mounts are correct and nothing unexpected from last.
After all of the "fun" about sysupgrade, I can almost believe this
is a joke. ROFL if it is!

Either way, I'll check out a fresh src.

Chris Bennett

OpenBSD 6.9-current (GENERIC.MP) #5: Thu May  6 02:53:29 MDT 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Re: Can I do 4-26 snapshot to 6.9-stable safely?

2021-05-02 Thread Chris Bennett
FWIW, I run a server with -current. That always has some small risks
(which I haven't run into at all for a long time! +1 developers!!!)

Because of those possibilities, I added a second bootable backup disk.
I intend to keep running -current. I will now put 6.9-stable on the
second disk. This gives me both worlds. The -current I need and the
6.9-stable for safety.

If you add a second disk, do a fresh install on it and copy over your
files from the original disk.

Now you have a working setup, no complications and a backup disk on the
same machine. Sure, the machine can brick and possibly take out both
disks, but a cron job can do backups to the old disk.

Why do you need to use the sysupgrade utility at all?
Sure, it's a handy-dandy helper, but you really shouldn't need to use it
for anything.
I have no doubt that you can figure out everything you need to do to
avoid using it. 

Buy a cheap USB stick and figure out how to break it and fix it every
possible way. I have little doubt that you can ask for help with that
process and get answers. After you make your best effort to figure
things out yourself.

$ man [lots and lots of commands]

Enjoy,
Chris Bennett




Re: sysupgrade failure logs

2021-02-15 Thread Chris Bennett
On Mon, Feb 15, 2021 at 12:21:11PM -0500, Judah Kocher wrote:
> Hello Theo,
> 
> I never for a moment intended to convey that anyone "owed" me support of any
> kind for my outside-the-box use of this tool.

You couldn't be bothered to even send a dmesg or a copy of the script
with the first email. OK, say you forgot. I do sometimes. Where was your
immediate reply with those missing and always required items?

> While I don't understand your
> vitriolic response to someone else's application of your software for their
> own personal use in a way you do not condone, you are certainly entitled to
> be as outraged as you please.

Read the tech@ archives. Such a simple script is constantly being
criticized, give it new features, etc...
This script was a gift. I ran systems for years without it. Don't like
the default script? Open it up and modify to meet your special needs.
Don't know how to write the code? Learn it.
If you don't understand what this script does, you REALLY need to learn
more about installs and upgrades.

> I remain grateful for the work you and others
> put into the OpenBSD operating system. It has been made clear on multiple
> occasions that use of sysupgrade with anything other than default responses
> is heretical and cancel-culture worthy

You appreciate the work, but you already know the default responses?
Then you are being rude. 

> but I don't mind breaking things
> while experimenting and do not blame anyone else when this happens, nor do I
> particularly care if anyone else is bothered by it as long as no actual harm
> is being done.

This is part of learning and a good attitude.

> 
> If anyone cares to read my original query from an intellectually honest
> perspective I think they would be hard pressed to respond as you have. I
> never claimed my "sysupgrade use was completely normal" nor did I blame the
> sysupgrade tool for the issue I am attempting to diagnose. I did not mention
> my usage of it because logically it does not seem to be relevant and I was
> concerned it would become an excuse for people to fly off the handle. I only
> had and still only have one question.
> 
> Does sysupgrade leave any kind of logging behind which could help me to
> pinpoint why it is failing on one system while working on another apparently
> identical system?

Read the script before posting the questions about logging.

> 
> If the answer is no, that's easy enough to say. If the answer is yes, that's
> also easy enough if anyone is willing to share where those logs would be
> found. If the answer is, "Maybe, but no one owes you that information" that
> is also perfectly true while kind of pointless to even bother saying,
> although a world where people only offer help to others when there is a
> financial obligation would be a dismal place indeed.
> 

Much of the world is indeed a dismal place. It's part of human nature.

> I did not and do not expect anyone else to solve my problem for me. If you
> have reason to believe that my "mis-"usage of sysupgrade has anything at all
> to do with this issue, I'd be curious to know how you would explain it
> working on 4 out of 6 systems. Since it seems unlikely that the exact same
> tool would work two different ways on two identical systems then logically I
> would assume that some subtle difference exists between them and was hopeful
> that any records of the sysupgrade process would help me identify that
> difference. I have been using this script on these and other less similar
> systems ever since the sysupgrade tool was released with no issues, and
> therefore I think it's reasonable to conclude that using it this way,
> while not officially sanctioned, has nothing to do with what's going on in
> this particular case.

I really find your method puzzling. I ran into financial troubles and
had to drop a server running -current. So I added a second hard drive to
boot onto in case a new snapshot broke the system on the server running
-current.

I also do not understand why you are running -current and automating
installation on 6 systems. Does your script verify functionality on the
first system before moving on to the others? Are you caching both the
snapshot and package files on the first server? Then using those files
only to update the other 5 systems.
If not, then you are pretty much guaranteeing at some point that you
will have 6 different systems running different snapshots and packages.
That seems like a bad idea.
If all 6 systems go down, how will you fix that mess?

Please, please, please, format your messages to be readable!
Use some newlines.

Please leave the politically correct responses for elsewhere.
Read the different lists. Everyone gets told on or off list when they do
something stupid. Learn from it. When you know a helpful answer to
someone'

Failing to get installboot to work, cross-device install -> ERR M amd64 6.6-stable

2021-01-31 Thread Chris Bennett
Hi,

I'm stuck at 6.6-stable, trying many times in the past to use newer
-currents is partially to blame for how I'm in a bad situation.

I'll try to be clear as I can.
After the error below, booting gives ERR M.

What I'm using.

One USB2 flash drive. Booting / off of it. It works fine, but old.
One USB2/3 spinning hard drive. 2TB. Never setup to boot from. Using for
storage. The a partition has the files to get a boot started.
One Laptop spinning HD. The a partition used to boot, has the files but
won't boot.

I also have a powered USB hub to get enough power for the spinning HD.

I have tried using fdisk on laptop and USB2/3 HD. Not helpful.
I have tried using installboot on both of those two, but I get cross
device install error, which I see is only in i386 installboot in src.
I am following installboot manual page. I also read all of the
recommended see also man pages.
I also burned an install CD and took it just far enough into install to
get access to laptop HD, mount /mnt/usr and try installboot from there.
Same cross device install error.

I'm unsure if I should try a fresh install (backing everything up is a
little weird the way I'm running off of three disks. I can do that.)
I would like to understand what is causing me to end up at ERR M.
I read what causes that error, but I don't know how to fix that.

Any advice appreciated.
Chris Bennett




Re: relay email from users to per-user smtp servers

2021-01-24 Thread Chris Bennett
On Sun, Jan 24, 2021 at 04:52:13PM +0100, Rudolf Sykora wrote:
> 
> 
> In my case, my computer gathers mail from various mail services using
> mbsync. I want to be able to reply the mail, but have the reply use the
> mail server that is most suited for the reply. E.g., if I get an email
> from school (downloaded from the school service), I need that my answer
> is as if sent using the school service; similarly with my work mail,
> etc. (The people at work want me to use their address when dealing with
> work-related matters; it's then easily recognizable.) I thought the
> program used to create a message does not have to know how to send email
> (speak SMTP) but would just pass it to something that can (smtpd), to
> relay the mail further. But for this I'd need that the server to be used
> for sending be easily modified by user, as well as have some easy means
> to supply the needed credentials.
> 

It sounds to me that you need to configure your email clients to do the
switcheroo about from addresses, etc.
I use neomutt, which might not be suitable since it's text only.
But I login to my shell. Then I start neomutt and bind keys within my
neomuttrc, to then login to another IMAP server
(from a list I have setup) and then reply with the correct From address,
using either the local smtpd or one on another server.

Using smtpd to send really just means sending the right email
and credentials, so there is no real problem having many email addresses
for one user. I use Dovecot for IMAP and base smtpd.

This is assuming that I have understood your problem correctly.

Chris Bennett




Re: phonetics on OpenBSD: IPA transcription

2021-01-08 Thread Chris Bennett
On Fri, Jan 08, 2021 at 08:42:20PM +0100, Jan Stary wrote:
> Is there anyone doing phonetics on OpenBSD?
> 
> I suppose the first thing to figure out is transcription.
> I mostly use macOS for that now, having installed an IPA keyboard
> and the Charis and Doulos fonts (as recommended on the Praat page).
> Now I'm looking to do that on OpenBSD.
> 
> As far as I understand, I need a XKB keymap that describes a layout
> of the IPA symbols, and a font that has the glyphs for those symbols.
> Please bear with my ignorance of XKB internals.
> 

I am also interested in this. Fell in love with IPA once I saw it.
Nope, I don't have the skills. But I'd be happy to help.
Feel free to contact me off-list. I didn't know there were IPA
keyboards. My interests are personal and not professional.

Chris Bennett




Re: pf.conf parser/lint

2020-12-21 Thread Chris Bennett
On Mon, Dec 21, 2020 at 07:28:54PM -0800, Sean Kamath wrote:
> > On Dec 21, 2020, at 14:24, Aham Brahmasmi  wrote:
> > For the defaults, I try to explicitly write some of them sometimes. I
> > find this helpful because it is difficult for me to remember what the
> > defaults are. However, I do understand that I run the risk of being
> > caught unawares if the defaults are changed for some good reason.
> > Trade-offs :)
> 
> That is what I use comments for. ;-)
> 
> a) Tells me what I *think* the defaults are
> b) Reminds me I’m *using* the defaults
> c) When the defaults change, makes it easy to find out why things break (if 
> they break, which they haven’t in recent memory)
> 
> Sean

Which raises the question of knowing when the defaults change.
Waiting until things *obviously* break doesn't address the time that
things *silently* break.
Silent breakage seems like a pretty serious security problem.
Having the syntax pass OK is not the same thing as having what you need
or want.
I really don't see how any linter can accomplish such a complex question.
Is my conf REALLY doing the right thing? Seems to. But maybe not.

For a good example, a small mistake in smtpd.conf will run just fine,
but with truly disastrous results.

Chris Bennett




Re: Enhancing Privacy in 2020 attached screenshot

2020-12-16 Thread Chris Bennett
On Wed, Dec 16, 2020 at 09:04:30PM +0000, pipus wrote:
> Ah cool
> 
> Yes I have seen it in action it is real and apparently coming out in less 
> than a month.
> 
> But I hope that those on this list realise what it means.
> A commercial revolution for OpenBSD.
> It should not be for only us.
> 
> But then I am not their marketing team so will let them announce when it 
> comes.
> 

Whatever. please go away.
But read the website. You can sell OpenBSD freely. You can modify it,
release that as long as the copyright notices are kept.
We could care less what anyone else is doing. Go troll on some mailing
list for toilet innovations, because you are full of shit.



Re: How to whitelist a good IP coming in with a senderscore of 0?

2020-12-13 Thread Chris Bennett
On Sun, Dec 13, 2020 at 08:45:53PM +0000, gil...@poolp.org wrote:
> You should probably look into the bypass keyword, it lets you create a
> filter rule that will bypass a phase (ie: in phase connect, if ip addr
> is X, then bypass the phase).
> 
> Gilles
> 

Thanks!

Chris




How to whitelist a good IP coming in with a senderscore of 0?

2020-12-13 Thread Chris Bennett
I have run into a problem with an organization getting a senderscore of
0.
This is not at all a spam source, but a political organization which is
the kiss of death these days.

What's the right method to deal with this? I certainly don't want to
stop senderscore filtering, but I do want to receive emails from them.

Thanks,
Chris Bennett




Re: Default installurl and Package Source

2020-12-10 Thread Chris Bennett
On Thu, Dec 10, 2020 at 10:24:27PM -0000, Stuart Henderson wrote:
> > Please use https. Some ISP's insert crap into http.
> 
> Sounds a good reason to use a better ISP :)
> 

You're right about that and the CPU waste.
I had an ISP a few years ago at home that tampered with http.
Once burned, twice shy.

Chris

> Packages packing-lists are verified using signify signatures, and files
> inside the package using sha256 from the (signed) plist, so it will be
> very obvious if those files are changed.
> 
> And because pkg_add doesn't use persistent connections, https really
> slows it down as it has to make a new TLS handshake for every package
> you have installed (even if no update is needed).
> 
> > Certs are free, why doesn't a trusted source not have one?
> 
> Some mirror servers are not on especially new hardware and may not have
> loads of cpu to spare to encrypt everything. Also some may consider it a
> waste of cpu time if the files are signed anyway. (For file distribution
> where signature checks are not done automatically, I have a feeling
> that seeing something fetched over https might suggest to the user that
> things are safe and they don't need to bother to do a check manually -
> this is of course not the case as https does nothing to help if a server
> has been compromised, it only deals with the transport layer).
> 
> > IMHO, you really should run stable. Although you might look at the
> 
> Or -current :-)
> 
> > patches and decide not to. packages-stable may or may not have security
> > fixes you need. syspatch often, but not always, needs a reboot.
> >
> > But it's your system, do as you please. A security patch might not be
> > relevant to you.
> >
> > Chris Bennett
> >
> >
> >
> 



Re: Default installurl and Package Source

2020-12-09 Thread Chris Bennett
On Wed, Dec 09, 2020 at 11:22:58AM +0800, Tito Mari Francis Escaño wrote:
> Hi misc,
> I recently installed 6.8 on VM then applied errata patches.
> When I tried to install git, it complained that git is not in the
> packages-stable folder, I was pleasantly surprised. The
> /etc/installurl by default is http://cdn.openbsd.org/pub/OpenBSD, and
> I got error 503 on the site. Checking the default URL indicates it may
> be down, same goes for Cloudflare CDN, Verizon seems working alright.
> When I changed /etc/installurl to where I used to get packages:
> http://ftp.jaist.ac.jp/pub/OpenBSD, it worked as expected.
> This raised the following questions:
> Does this mean when we apply errata patches, we're now automatically
> using stable release and need to use stable packages?
> Is it advisable to keep the /etc/installurl automatically default to
> http://cdn.openbsd.org/pub/OpenBSD or should users be advised to
> select packages from package sources geographically near them?
> Please advise. Thanks and keep up the great work.
> 

There are two packages that might help.
dbip-city-lite
dbip-country-lite

If you find a good mirror, you can hard code the PKG_PATH
export PKG_PATH=...
it can use multiple servers separated by :
Be sure to change it to 6.9 later!

That's what I do when I have cdn problems.
Avoid the OpenBSD source, if possible.
Please use https. Some ISP's insert crap into http.
Certs are free, why doesn't a trusted source not have one?

IMHO, you really should run stable. Although you might look at the
patches and decide not to. packages-stable may or may not have security
fixes you need. syspatch often, but not always, needs a reboot.

But it's your system, do as you please. A security patch might not be
relevant to you.

Chris Bennett




Re: CIDR vs aliases with ifconfig/hostname.if

2020-12-02 Thread Chris Bennett
On Wed, Dec 02, 2020 at 10:51:34PM -0800, Greg Thomas wrote:
> Nope, as mentioned it's the network address, for every subnet you're going
> to get a network address and a broadcast address, and your usable IPs in
> between.
> 
OK, that's very clear the way you just said it. That explains really
well why CIDR is so important - clarity.

Thanks,
Chris
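
The rule quoted above (each subnet has a network address, a broadcast address, and the usable hosts in between) can be checked directly. As an added example, not part of the original thread and not the ipcalc tool mentioned in it, this shell sketch computes those values for any IPv4 prefix and says which role a given address plays; the function names are constructed for illustration, and prefixes longer than /30 are rejected because they have no separate network and broadcast address.

```shell
#!/bin/sh
# Added example: network, broadcast and host range of an IPv4 CIDR block.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    case $1 in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # reject empty octets and leading zeros (would be read as octal)
        case $o in ''|0?*) return 1 ;; esac
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> prints dotted-quad form
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_info ADDR/LEN -> prints "network broadcast hostmin hostmax"
cidr_info() {
    addr=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$len" -le 30 ] || return 1
    ip=$(ip_to_int "$addr") || return 1
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    net=$(( ip & mask ))                       # host bits cleared
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))    # host bits all set
    echo "$(int_to_ip $net) $(int_to_ip $bcast) $(int_to_ip $((net + 1))) $(int_to_ip $((bcast - 1)))"
}

# addr_role ADDR/LEN -> prints network, broadcast or host
addr_role() {
    info=$(cidr_info "$1") || return 1
    set -- $info "${1%/*}"      # $1=network $2=broadcast $5=address asked about
    case $5 in
        "$1") echo network ;;
        "$2") echo broadcast ;;
        *)    echo host ;;
    esac
}

# The prefix from the thread, plus the gateway address mentioned in it.
for a in 104.149.1.112/28 104.149.1.113/28 104.149.1.127/28; do
    printf '%-18s %s\n' "$a" "$(addr_role "$a")"
done
```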



Re: CIDR vs aliases with ifconfig/hostname.if

2020-12-02 Thread Chris Bennett
On Wed, Dec 02, 2020 at 11:26:15PM -0500, Allan Streib wrote:
> Mike Coddington  writes:
> 
> > There was a useful tool that someone posted on misc a while back called
> > netcalc. I think this is its website:
> > https://jamsek.dev/posts/2019/Sep/21/ipv4-and-ipv6-cidr-subnet-calculator/
> > Check it out if you want to get a better grasp on CIDR notation.
> 
> There is also ipcalc in packages and that is one I use frequently,
> though it's only for IPv4.
> 
> $ ipcalc 104.149.1.112/28
> address   : 104.149.1.112
> netmask   : 255.255.255.240 (0xfffffff0)
> network   : 104.149.1.112   /28
> broadcast : 104.149.1.127
> host min  : 104.149.1.113
> host max  : 104.149.1.126
> 
> Allan
> 

So, what happens with 104.149.1.112? Does anybody get to actually use
it? Or is it just a placeholder?

I never really paid a lot of attention to CIDR until I started to need a
lot of IP addresses for websites, email, etc. for TLS/SSL certs.

I stumbled upon this server where I have my other two and I couldn't
pass up $31 a month. I can't reasonably backup properly at home, too
slow a connection.

Chris




CIDR vs aliases with ifconfig/hostname.if

2020-12-02 Thread Chris Bennett
Hi,
after seeing a post here using CIDR, I re-read some manual pages.
I have been using aliases, but it looks like using CIDR is the preferred
method.
Could someone explain that a little better than the manual pages do?
An example might help better to explain why aliases are used when
changing network numbers. Is it a short term fix?
Is there a downside to using aliases vs CIDR?

My other question is what to put for the address.
I have 104.149.1.112/28. Should I just put this?
113 is the gateway. What is 112? It doesn't ping.
113 pings even if the rest is inaccessible.
There was a mysterious problem that I had to get tech support to fix.
Signal not present. Whatever that meant.

This is a cheap clearance bare metal, so IPMI/KVM is Java based and I
can't work with that. I have an old version of OpenBSD that worked
somewhere for that, but it doesn't work here.
So I don't want to have tech support login.

I know, simple questions, but my search engine skills really don't work.

Thanks,
Chris Bennett




Re: Reinstall to upgrade

2020-11-27 Thread Chris Bennett
On Wed, Nov 25, 2020 at 10:10:03PM -0000, Stuart Henderson wrote:
> > It's not right. Use pkg_delete -cX first. There are package files in
> > many other places that need to go away.
> 
> Be very careful with -c! It may remove configuration files that you
> actually want to keep.
> 

You're right. Here be dragons!
I think you told me to use -c a good while back. But I
really did want to zap everything that time!

Chris Bennett




Re: Reinstall to upgrade

2020-11-25 Thread Chris Bennett
On Wed, Nov 25, 2020 at 02:26:42PM +0100, Manuel Giraud wrote:
> Hi,
> 
> I'd like to upgrade (on -current) and, in the process, remove some cruft
> accumulated over the years. I usually do sysupgrade and sysclean for
> system.
> 
> But for packages, I think I would be better to reinstall everything
> since "pkg_check -F" does not seem to complain and I can see I have,
> for example, some firefox-57 files left.
> 
> I think I could do the following but I don't know if it is safe:
> - sysupgrade (+ sysclean)
> - pkg_info -mz > mypkg
> - umount /usr/local
> - newfs partition_of_usr_local
> - mount /usr/local
> - pkg_add -l mypkg
> 

It's not right. Use pkg_delete -cX first. There are package files in
many other places that need to go away.
Then look in /usr/local. See if anything is leftover that shouldn't be
there. Look in /etc and /var/db/pkg and 

But I think that what you might want to do is a fresh install.
dump is a bit slow and will probably carry over some cruft.

I tar all of the pieces regularly.
tar ... /etc
tar ... /root
tar ... /home
etc.

Then you have copies of the new and old files to work with.
tar xzf .. into another place such as home. compare new and old files in
the necessary places and you are good.

Sometimes you just have to do tedious. upgrade vs install does not give
you the same system. I almost never do a fresh install, but every once
in a while, it's a good choice.
Hope this is helpful. Others may give different or better advice.
sysupgrade is a tool of convenience. I like it, but never had any
problems doing things manually.

Useful advice: Learn to use ed. It will save your butt during disasters!

Chris Bennett


> Or maybe, I should dump, do a complete reinstall, pkg_add -l mypkg,
> restore /home and, tediously, restore some /etc files.
> How would you do this?
> -- 
> Manuel Giraud
> 



Re: Conditions that can trigger a package upgrade?

2020-11-04 Thread Chris Bennett
On Mon, Nov 02, 2020 at 07:03:27AM -0500, Jeremy O'Brien wrote:
> Hey misc,
> 
> I'm trying to understand the various scenarios that can trigger a package 
> update in 'pkg_add -u'. I thought package updates were triggered only through 
> explicit version bumps, or signature changes. I'm seeing that that isn't 
> always the case however, as shown here:
> 
> 
> x1$ pkg_info -S colord ../colord/colord-1.3.5p2.tgz  
> Information for inst:colord-1.3.5p2
>  
> Signature: 
> colord-1.3.5p2,6,@consolekit2-1.2.1p9,@dbus-daemon-launch-helper-1.12.20,@dconf-0.36.0p0,@glib2-2.64.6,@lcms2-2.9p0,@polkit-0.118,@sqlite3-3.31.1p0,c.96.0,ffi.1.2,gio-2.0.4200.11,glib-2.0.4201.4,gmodule-2.0.4200.11,gobject-2.0.4200.11,gthread-2.0.4200.11,iconv.7.0,intl.7.0,lcms2.1.2,m.10.1,pcre.3.0,polkit-gobject-1.2.0,pthread.26.1,sqlite3.37.10,z.5.0
>  
> Information for file:../colord/colord-1.3.5p2.tgz
>  
> Signature: 
> colord-1.3.5p2,6,@consolekit2-1.2.1p9,@dbus-daemon-launch-helper-1.12.20,@dconf-0.36.0p0,@glib2-2.64.6,@lcms2-2.9p0,@polkit-0.118,@sqlite3-3.31.1p0,c.96.0,ffi.1.2,gio-2.0.4200.11,glib-2.0.4201.4,gmodule-2.0.4200.11,gobject-2.0.4200.11,gthread-2.0.4200.11,iconv.7.0,intl.7.0,lcms2.1.2,m.10.1,pcre.3.0,polkit-gobject-1.2.0,pthread.26.1,sqlite3.37.10,z.5.0
>  
> x1$ pkg_add -un colord
> quirks-3.471 signed on 2020-10-31T22:51:51Z
> colord-1.3.5p2->1.3.5p2: ok
> Running tags: ok
> --- -colord-1.3.5p2 ---
> You should also run rm -f /var/db/colord/mapping.db
> You should also run rm -f /var/db/colord/storage.db
> 
> 
> In the above example, I've downloaded the colord tarball from my chosen 
> mirror, and compared its signature to my currently installed version. The 
> signatures and version match exactly, however pkg_add still updates the 
> package. Does anyone know what scenario is triggering this update?
> 
> Thanks,
> Jeremy
> 

You haven't supplied any information for answering this question well.
Are you running -current and updating to a new snapshot?

Easy answer. System libraries that these packages were built with have
changed. Package is the same except for being rebuilt with newer
libraries.

Are you upgrading to a newer stable/release?
Same answer.

Are you getting this problem running pkg_add -u multiple times on the
same system without changing to a newer version or snapshot?

Then something is wrong. (Assuming you are actually running the actual
pkg_add -u)
Check to make sure that you do not have any packages that have been
since dropped. gettext caused me problems a good while back.

Please supply a little more info. That helps people to decide whether
they want to answer or not. Most likely you don't have any problem.
Have you read all of the relevant man pages? pkg_*
What is your PKG_PATH (if using). unset PKG_PATH is a quickie, temp fix
if it's wrong.
Have you changed /etc/installurl?

Look for relevant threads previously on the ports@ mailing list
especially.

Enjoy!
Chris Bennett




Re: Issue updating spidermonkey

2020-10-21 Thread Chris Bennett
On Tue, Oct 20, 2020 at 08:26:05PM -0400, Brennan Vincent wrote:
> Updated yesterday from 6.7 to a snapshot, and now:
> 
> $ doas pkg_add -u

doas pkg_add -u -Dsnap

You need to do some things different once you change to -current
snapshots.
Might also have to wait for -current packages to match the -current
snapshot sometimes.

Chris Bennett


> quirks-3.458 signed on 2020-10-18T13:56:14Z
> Can't update spidermonkey-60.9.0v1->spidermonkey78-78.3.1v1: no update found
> for spidermonkey-60.9.0v1
> Can't install polkit-0.116p1->0.118: can't resolve spidermonkey78-78.3.1v1
> 
> Is this expected soon after updating? Do I just need to wait for some
> inconsistency in the pkg repo to be resolved?
> 
> Thanks
> 
> 



Re: filters in OpenBSD in printing

2020-10-19 Thread Chris Bennett
On Mon, Oct 19, 2020 at 09:19:26PM -0600, Raymond, David wrote:
> Questions about lpr printing:
> 
> I tried putting a filter that drives an HP Deskjet printer (works with
> lprng on linux) as an output filter in printcap and it didn't work.

LPRng was removed a good while back.
What software besides the base lpr system are you using?
What commands are you using exactly?
Does it speak Postscript? That can be really helpful as a lot of
software speaks Postscript. I stopped getting printers that didn't speak
it.

apsfilter is pretty helpful for getting things working. You might give
it a try. Some of its filters were astoundingly slow. But it helps fill
out printcap.

I haven't used lpr for a few years because my printer is in Mexico and
I'm in Washington state.

> Would it be more proper to put it as an input filter?  I am still on
> version 6.7 of the OS.  (I saw a recent post indicating that changes
> were made to the lpr system in 6.8.)

Someone else will probably be able to explain those changes.
Moving to 6.8 might be well worth it.

> 
> One of the problems was that I couldn't get rid of the banner page
> even though the appropriate flags were set.
> 
> I have looked for lpr documentation more informative than the
> lpr/lpd/printcap man pages, but I haven't found anything.  The
> printcap page describes some really archaic filters, but not much that
> is helpful in today's world.

I haven't looked at the code recently, but I think I know what filters
you are referring to. Super archaic.

> 
> I am currently using cups but would like to get rid of it, because if
> their set of filters doesn't do the job, you are stuck.  (Plus other
> hair-pulling frustrations.)
> 

Can't agree more!

--
Regards,
Chris Bennett



Re: fresh install

2020-10-19 Thread Chris Bennett
On Mon, Oct 19, 2020 at 05:55:59PM -0500, Hakan E. Duran wrote:
> Dear all,
> 
> Having been a linux user for quite a while, I am used to doing a fresh 
> install every few years, following a few upgrades. I usually set a separate 
> partition for the /home directory to be able to inherit my settings to the 
> fresh installation. This is the first time I did an upgrade in OpenBSD from 
> 6.7 to 6.8, which actually went flawless, but being a skeptical linux user, I 
> am wondering how I can do a fresh install if need be, by preserving my user 
> directory. I chose the auto-partitioning during the installation of OpenBSD 
> 6.7 but I don't know if that would be possible in a scenario like this, since 
> I am not sure if the installation algorithm would recognize the /home 
> directory or not. Your guidance will be greatly appreciated.
> 
> Hakan
> 

You can do a fresh install and preserve existing partitions with great
care and NOT using auto partition. Just don't add /home to the
partitions to be created and make absolutely sure that the area on the
disklabel doesn't include the space allocated for /home.
But only if this fresh install is after having done a fresh install
previously. Use Custom for the disklabel step, which will reflect the
already existing disklabel, except without the mount points. You will
need to delete the /home partition, finish the install, then use
disklabel to add the home partition, fsck -fp it, and mount it manually.
If OK, add to fstab if desired.

Be sure to backup the /home partition before doing this.
Since this is a bit complicated, practice this many times, read the
manual pages very well. Buy a USB drive to practice this on.
Be sure to do something wrong. Understanding this will really help you
if you somehow have a disaster, like a sudden power failure that messes
up a critical partition hopelessly.

This is not Linux. The rules are totally different. If you ask yourself
what you would do in Linux, you have failed in this task.

Auto-partition is really helpful for someone new to OpenBSD.
But I rarely partition across only a single disk and always partition
some special partitions like /var/postgresql, /home/vip-user, /var/www,
etc. /usr/src, /usr/obj are not needed by every user now that we have
syspatch.

Have fun,
Chris Bennett




Re: OpenSMTP - Wrong user for Dovecot LMTP

2020-10-19 Thread Chris Bennett
On Mon, Oct 19, 2020 at 06:24:47AM -0400, Aisha Tammy wrote:
> On 10/19/20 12:20 AM, Kastus Shchuka wrote:
> > On Sun, Oct 18, 2020 at 08:55:16PM -0400, Aisha Tammy wrote:
> > > Hi,
> > > 
> > >   I just upgraded to 6.8 and the upgrade process has been super cool and 
> > > simple :)
> > > 
> > > Unfortunately I seem to have hit some weird issue in OpenSMTPD where it 
> > > has stopped
> > > delivering the mail using Dovecots LMTP due to sending as wrong user.
> > > 
> > > osmtpd tries to send the mail as *_smtpd* even when configured to send as 
> > > a
> > > different user *excision*
> > 
> > 
> > Could it be this change: https://marc.info/?t=15878902902=1=2 ?
> > 
> 
> Well damn... That would indeed cause this error.
> I guess a simple fix would be to add _smtpd to the socket group or change 
> socket
> group to _smtpd.
> 
> Another fix would be to have the whole virtual user system also be done using
> _smtpd but I feel that keeping things with separate users is better.
> 
> Thanks a lot for the answer!
> 
> Aisha
> 

Are you using Maildir and IMAP from dovecot? I am.
I've setup using vmail as the user for dovecot. Something similar to
your virtual user files, except that I have three files:
vdomains, vaddr and vusers.

vusers has the table you are using, except moving to user vmail instead
of excision, which doesn't matter. vdomains are the domains getting
mail.
vaddr are just the plain addresses used.

action a01 lmtp "/var/dovecot/lmtp" rcpt-to alias 
action a02 lmtp "/var/dovecot/lmtp" rcpt-to virtual 

match from any for local action a01 
match from any for domain  rcpt-to  action a02

This works really well. I'm also using PostgreSQL for the users,
passwords and home folders for dovecot, which solves the upcoming
removal of bsdauth in dovecot.

However, unrelated I'm having trouble setting up auth for sending. There
are many conflicting examples which I can't sort out. I'll look over
what you've posted to see if that can work for me. I have four mail
domains on this server and I'm definitely missing some small piece of
the puzzle.

Regards,
Chris Bennett
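
The quoted part of this thread settles on a socket-permission fix: put `_smtpd` in the LMTP socket's group, or change the socket's group to `_smtpd`. The following is an added example, not code from any poster or from OpenSMTPD or Dovecot, that checks whether a given owner, group and mode let `_smtpd` connect without making the socket world-writable. `_smtpd` and `/var/dovecot/lmtp` come from the thread; the `vmail` ownership, the modes and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). connect(2) on a Unix-domain socket
# needs write permission on the socket file, so delivery as _smtpd fails
# when neither the group nor the "other" bits grant it.

# in_list WORD "SPACE SEPARATED LIST": succeed if WORD is in the list.
in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# can_connect USER "USER_GROUPS" OWNER GROUP MODE
# MODE is octal with at least three digits (660 or 0660). Only one
# permission class applies: owner, else group, else other.
can_connect() {
    cc_mode=${5#"${5%???}"}           # keep the last three octal digits
    if [ "$1" = "$3" ]; then
        cc_digit=${cc_mode%??}        # owner digit
    elif in_list "$4" "$2"; then
        cc_digit=${cc_mode#?}         # drop the owner digit
        cc_digit=${cc_digit%?}        # drop the other digit
    else
        cc_digit=${cc_mode#??}        # other digit
    fi
    [ $(( cc_digit & 2 )) -ne 0 ]     # write bit set?
}

# audit_socket USER "USER_GROUPS" OWNER GROUP MODE
# Prints: denied   (USER cannot connect)
#         too-open (USER can connect, but so can every local user)
#         ok       (USER can connect through owner or group bits only)
audit_socket() {
    if ! can_connect "$@"; then
        echo denied
        return 0
    fi
    as_other=${5#"${5%?}"}            # last octal digit = "other" class
    if [ $(( as_other & 2 )) -ne 0 ]; then
        echo too-open
    else
        echo ok
    fi
}

# audit_live PATH USER: audit a real socket. Uses the BSD stat(1) format
# syntax found on OpenBSD. Directory search permissions on the way to the
# socket are not checked here.
audit_live() {
    [ -S "$1" ] || { echo "not a socket: $1" >&2; return 2; }
    # shellcheck disable=SC2046  # word splitting of stat output is intended
    set -- "$2" "$(id -Gn "$2")" $(stat -f '%Su %Sg %Lp' "$1")
    audit_socket "$@"
}

# Constructed cases: socket owned by vmail, _smtpd delivering.
echo "0600 vmail:vmail,  _smtpd not in vmail: $(audit_socket _smtpd '_smtpd' vmail vmail 0600)"
echo "0660 vmail:vmail,  _smtpd added to vmail: $(audit_socket _smtpd '_smtpd vmail' vmail vmail 0660)"
echo "0660 vmail:_smtpd, group changed:        $(audit_socket _smtpd '_smtpd' vmail _smtpd 0660)"
echo "0666 vmail:vmail,  world-writable:       $(audit_socket _smtpd '_smtpd' vmail vmail 0666)"
```

On a live system the same audit would be run as `audit_live /var/dovecot/lmtp _smtpd`.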




Re: Microsoft's war on plain text email in open source

2020-08-26 Thread Chris Bennett
On Wed, Aug 26, 2020 at 09:47:24PM +0200, Pierre-Philipp Braun wrote:
> > Can't get your email to go plain text, attachments work.
> > If they don't, why not change providers?
> > It's a bit of work, but almost anyone can setup their own email server
> > for next to nearly free.
> 
> That is not as easy as it was, mainly because of IP reputation.  If you have
> your own MX and outbound MTA/MSA you will have to go through painful
> processes of getting out of blacklists, and even then your outgoing messages
> might end-up in users' spambox.  The game has changed, and it's for us
> old-timers that life is rough, already.

Bare metal servers often have cheap lower end servers. Yes, if it's not
in the cloud, some people think they aren't in the latest fad.

I've yet to end up on any blacklist except SpamRats which dropping a
message on their form page instantly clears up the problem. That is
usually because of some little thing that hasn't propagated yet through
DNS.

Spam boxes are no longer very useful. Censorship is in full swing.
If I were to mention the last name of the founder of Windows, this email
would immediately go into the spam box of places like gmail.
If I were to send you an HTML email with that word in the text, same
thing.

Right now, us oldtimers are the only ones with much fundamental
knowledge and experience.

I was recently told by a youngster that I was a total idiot for working
my way through the new CSS to understand it well. I needed to go
straight over to some Framework that assumes I am stupid, which I
would be if I didn't take the time to understand what I'm really
accomplishing.

Setting up an email server for strictly personal use is not that big a
deal. For many users in a commercial setting, much harder.

All IPs can get blacklisted. Bad IPs, change ISP's. One month to set
things up and transfer over to a new server. Once everything is working,
drop the crappy corporate email service. No big rush.

My thoughts, for whatever they are worth.

Chris Bennett




Re: Microsoft's war on plain text email in open source

2020-08-26 Thread Chris Bennett
On Wed, Aug 26, 2020 at 12:28:00PM -0500, Mike Hammett wrote:
> Text-only was great in 1985. 
> 
> 

And it's still pretty badass in 2020.
I really love the way company networks are brought down by a little
helpful Javascript in an HTML email.

Can't get your email to go plain text, attachments work.
If they don't, why not change providers?
It's a bit of work, but almost anyone can setup their own email server
for next to nearly free.

Chris Bennett

> 
> 
> - 
> Mike Hammett 
> Intelligent Computing Solutions 
> 
> Midwest Internet Exchange 
> 
> The Brothers WISP 
> 
> - Original Message -
> 
> From: "Frank Beuth"  
> To: misc@openbsd.org 
> Sent: Wednesday, August 26, 2020 3:28:50 AM 
> Subject: Microsoft's war on plain text email in open source 
> 
> "Linux kernel development which is driven by plain-text email 
> discussion needs better or alternative collaborative tooling "to bring 
> in new contributors and maintain and sustain Linux in the future," says 
> Sarah Novotny, Microsoft's representative on the Linux Foundation board. 
> 
> Said tooling could be "a text-based, email-based patch system that can 
> then also be represented in a way that developers who have grown up in 
> the last five or ten years are more familiar with," she added. 
> 
> ... 
> 
> Should it migrate toward something more like, say, issues and pull 
> requests on the Microsoft-owned GitHub? “I’m not saying that there will 
> be a move in any time that I can see my crystal ball’s broken but I do 
> think there needs to be expansions in the way people can enter that 
> workflow,” said Novotny. 
> 
> “It is a fairly specific workflow that is a challenge for some newer 
> developers to engage with. As an example, my partner submitted a patch 
> to OpenBSD a few weeks ago, and he had to set up an entirely new mail 
> client which didn’t mangle his email message to HTML-ise or do other 
> things to it, so he could even make that one patch. That’s a barrier to 
> entry that’s pretty high for somebody who may want to be a first-time 
> contributor.”" 
> 
> https://www.theregister.com/2020/08/25/linux_kernel_email/ 
> 
> 



Re: FireFox Browser 'Open File' error

2020-08-25 Thread Chris Bennett
On Tue, Aug 25, 2020 at 08:59:34PM +0300, Kihaguru Gathura wrote:
> Hi,
> 
> I have tested on a 64 bit version of the same ThinkPad T60 and error is
> consistent..
> 
> However Firefox opens files from any folder as root on these same machines
> running OpenBSD 6.5.

Please don't run such software as root, ever.
Especially on old code that isn't supported anymore.

If this is a disposable version for testing only, then nevermind.

Chris Bennett

> 
> Kind regards,
> 
> Kihaguru.
> 
> 
> 
> 
> On Sat, Aug 22, 2020 at 9:34 AM Kihaguru Gathura  wrote:
> 
> > Hi,
> >
> > Firefox fails to list files at 'File Open' with error message:
> >
> > (firefox:89328): dconf-WARNING **: 09:12:15.835: failed to commit changes
> > to dconf: The given address is empty
> >
> > Please advise
> >
> > Regards,
> >
> > Kihaguru.
> >
> >
> > #
> > OpenBSD 6.7 (GENERIC.MP) #169: Thu May  7 11:37:15 MDT 2020
> > dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
> > real mem  = 2137341952 (2038MB)
> > avail mem = 2082598912 (1986MB)
> > mpath0 at root
> > scsibus0 at mpath0: 256 targets
> > mainbus0 at root
> > bios0 at mainbus0: date 04/30/07, BIOS32 rev. 0 @ 0xfd6b0, SMBIOS rev. 2.4
> > @ 0xe0010 (68 entries)
> > bios0: vendor LENOVO version "79ETD3WW (2.13 )" date 04/30/2007
> > bios0: LENOVO 195143U
> > acpi0 at bios0: ACPI 3.0
> > acpi0: sleep states S0 S3 S4 S5
> > acpi0: tables DSDT FACP SSDT ECDT TCPA APIC MCFG HPET SLIC BOOT SSDT SSDT
> > SSDT SSDT
> > acpi0: wakeup devices LID_(S3) SLPB(S3) EXP0(S4) EXP1(S4) EXP2(S4)
> > EXP3(S4) PCI1(S4) USB0(S3) USB1(S3) USB2(S3) USB7(S3) HDEF(S4)
> > acpitimer0 at acpi0: 3579545 Hz, 24 bits
> > acpiec0 at acpi0
> > acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> > cpu0 at mainbus0: apid 0 (boot processor)
> > cpu0: Genuine Intel(R) CPU T2400 @ 1.83GHz ("GenuineIntel" 686-class) 1.83
> > GHz, 06-0e-08
> > cpu0:
> > FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,MWAIT,VMX,EST,TM2,xTPR,PDCM,NXE,PERF,SENSOR,MELTDOWN
> > mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> > cpu0: apic clock running at 166MHz
> > cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
> > cpu1 at mainbus0: apid 1 (application processor)
> > cpu1: Genuine Intel(R) CPU T2400 @ 1.83GHz ("GenuineIntel" 686-class) 1.83
> > GHz, 06-0e-08
> > cpu1:
> > FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,MWAIT,VMX,EST,TM2,xTPR,PDCM,NXE,PERF,SENSOR,MELTDOWN
> > ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins, remapped
> > acpimcfg0 at acpi0
> > acpimcfg0: addr 0xf000, bus 0-63
> > acpihpet0 at acpi0: 14318179 Hz
> > acpiprt0 at acpi0: bus 0 (PCI0)
> > acpiprt1 at acpi0: bus -1 (AGP_)
> > acpiprt2 at acpi0: bus 2 (EXP0)
> > acpiprt3 at acpi0: bus 3 (EXP1)
> > acpiprt4 at acpi0: bus 4 (EXP2)
> > acpiprt5 at acpi0: bus 12 (EXP3)
> > acpiprt6 at acpi0: bus 21 (PCI1)
> > acpicpu0 at acpi0: !C3(250@17 io@0x1015), !C2(500@1 io@0x1014), C1(1000@1
> > halt), PSS
> > acpicpu1 at acpi0: !C3(250@17 io@0x1015), !C2(500@1 io@0x1014), C1(1000@1
> > halt), PSS
> > acpipwrres0 at acpi0: PUBS, resource for USB0, USB2, USB7
> > acpitz0 at acpi0: critical temperature is 127 degC
> > acpitz1 at acpi0: critical temperature is 99 degC
> > acpibtn0 at acpi0: LID_
> > acpibtn1 at acpi0: SLPB
> > "PNP0A08" at acpi0 not configured
> > acpicmos0 at acpi0
> > "IBM0071" at acpi0 not configured
> > "ATM1200" at acpi0 not configured
> > acpibat0 at acpi0: BAT0 model "COMPATIBLE" serial44 type LION oem
> > "SANYO"
> > acpiac0 at acpi0: AC unit online
> > acpithinkpad0 at acpi0: version 1.0
> > acpidock0 at acpi0: GDCK not docked (0)
> > acpivideo0 at acpi0: VID_
> > acpivout0 at acpivideo0: LCD0
> > acpivideo1 at acpi0: VID_
> > bios0: ROM list: 0xc/0xea00! 0xcf000/0x1000 0xd/0x1000
> > 0xdc000/0x4000! 0xe/0x1!
> > cpu0: Enhanced SpeedStep 1829 MHz: speeds: 1833, 1333, 1000 MHz
> > pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> > pchb0 at pci0 dev 0 function 0 "Intel 82945GM Host" rev 0x03
> > inteldrm0 at pci0 dev 2 function 0 "Intel 82945GM Video" rev 0x03
> > drm0 at inteldrm0
> > intagp0 at inteldrm0
> > agp0 at intagp0: aperture at 0xd000, size 0x1000
> 

Re: Keyboard knocks out while using special keys

2020-08-23 Thread Chris Bennett
On Sat, Aug 22, 2020 at 08:01:43PM -, Dimitri Karamazov wrote:
> I'm using a keyboard with some multimedia keys and sleep, poweroff buttons.
> I avoid using those, but accidentally hitting any of those keys renders the
> keyboard to a frozen state, where only solution is to replug to use it again.
> This is the case on both X11 and vt, but the connection is never lost, when I
> hit the special keys, it just takes no input. Is there a solution to this?
> 
If you have a second keyboard, I would suggest attaching both.
There is a program that shows which keys are producing what output.
I would see what is actually being sent out with those keys.
The second keyboard would allow you to hopefully experiment a bit more
without having to re-attach the problem keyboard.

Did you have problems before with this keyboard?
I have a keyboard that frequently fails to attach at boot. Unplugging
and reattaching it is often necessary after boot, but only sometimes.

Good luck,
Chris Bennett




Re: X11 VESA Driver Config Question

2020-08-11 Thread Chris Bennett
Oh, I'm "glad" someone else is having the same problem. (Sorry)
I had gotten to the point of assuming a hardware problem.
Being able to rule that out is nice.
At least there is hope in getting a fix.
I'm really not in a position to buy another one. $$ missing.

If any developer could get me a replacement, I will gladly send mine.
This is a pretty crappy laptop, so anything used and not very powerful
fits my needs. I'm doing my porting work off of my servers anyway.

Firefox, vim and lightweight use of something like gimp occasionally are
all I need.

==
Thinking about it, my servers are i386 running amd64. Would that be OK
to run a build off of and install on the laptop?
I have one that I could interrupt that way.
======


Chris Bennett




Re: X11 VESA Driver Config Question

2020-08-11 Thread Chris Bennett
On Tue, Aug 11, 2020 at 08:17:01PM -0400, Jon Fineman wrote:
> I just upgraded from 6.6 to snapshot via sysupgrade -s
> 
> After reboot I get the various emails the upgrade goes fine, no errors,
> the firmware is upgraded.
> 
> About 30 seconds after I get the login prompt the laptop powers off.
> 
> I turned it on and at the boot prompt typed boot -c and disable amdgpu
> Subjectively I got more than 30 seconds after the boot prompt. I was
> able to log in and look around a bit and it powered off.
> 
> Same thing with booting into single user mode.
> 
> Thoughts? Suggestions on how to get any data?
> 
> Jon
> 

sysctl.conf needs
machdep.allowaperture=2

if you can't mount from another computer, burn 6.6 onto a USB stick and
mount from that. Don't even try from running -current.
You can probably get /var/run/dmesg.boot. Plus /var/log/Xorg.0.log if
you manage to get to X. (Good luck with that :-{ )

I was given advice in the past to build with a certain change, but I was
unable to build that on my laptop due to very little memory.

There is newer firmware, X, etc. Hopefully someone will chime in with
something to try for a build.

Chris Bennett

> 
> 
> On Mon, 10 Aug 2020 20:28:34 -0500
> Chris Bennett  wrote:
> 
> > On Sun, Aug 09, 2020 at 10:02:24PM -0400, Jon Fineman wrote:
> > > I have an Acer Aspire A315 laptop that freezes every once in a
> > > while. I think it is GPU related, but have not been able to get any
> > > logs. In addition a while ago (roughly when 6.7 came out) I tried
> > > to upgrade from 6.6 to 6.7 and the laptop would turn off just after
> > > getting the log in prompt. Again no logs.
> > > 
> > > One thought was in my xorg.conf file to change the driver from
> > > AMDGPU to vesa. However that is producing an error. Log and dmesg
> > > below.
> > > 
> > > Any thoughts on how to proceed?
> > >   
> > 
> > There is an excellent chance that we have the same problem.
> > I was running -current for a long while, when I had the same problem
> > with sudden unexpected shutdown. This was a good while back.
> > I have 50GB of install66.iso from current back then. They are on one
> > of my servers. Unfortunately, I just don't have access to enough
> > bandwidth or data to download them to hopefully find the date that
> > there was a change that messed things up.
> > 
> > Try boot -c then disable amdgpu
> > Might help. Also try boot -s and wait. If it shuts down there too,
> > probably have the same problem. Or not. :-)
> > 
> > I'm stuck at 6.6 -stable for now.
> > 
> > Chris Bennett
> > 
> > 
> > > Thanks.
> > > 
> > > Jon
> > > 
> > > 
> > > xorg.conf:
> > > Section "Device"
> > > Identifier "graphicsdriver"
> > > #Driver "AMDGPU"
> > > #Option "TearFree" "true"
> > > Driver "vesa"
> > > EndSection
> > > 
> > > 
> > > 
> > > Xorg.0.log:
> > > [124569.415] (--) checkDevMem: using aperture driver /dev/xf86
> > > [124569.425] (--) Using wscons driver on /dev/ttyC4
> > > [124569.446] 
> > > X.Org X Server 1.20.5
> > > X Protocol Version 11, Revision 0
> > > [124569.446] Build Operating System: OpenBSD 6.6 amd64 
> > > [124569.446] Current Operating System: OpenBSD laptop.jonjfineman.me
> > > 6.6 GENERIC.MP#3 amd64 [124569.447] Build Date: 30 July 2020
> > > 11:25:30AM [124569.447]  
> > > [124569.447] Current version of pixman: 0.38.4
> > > [124569.447]  Before reporting problems, check
> > > http://wiki.x.org to make sure that you have the latest version.
> > > [124569.447] Markers: (--) probed, (**) from config file, (==)
> > > default setting, (++) from command line, (!!) notice, (II)
> > > informational, (WW) warning, (EE) error, (NI) not implemented, (??)
> > > unknown. [124569.447] (==) Log file: "/var/log/Xorg.0.log", Time:
> > > Sun Aug  9 05:48:55 2020 [124569.447] (==) Using config file:
> > > "/etc/X11/xorg.conf" [124569.447] (==) Using system config directory
> > > "/usr/X11R6/share/X11/xorg.conf.d" [124569.447] (==) No Layout
> > > section. Using the first Screen section. [124569.447] (==) No
> > > screen section available. Using defaults. [124569.447] (**)
> > > |-->Screen "Default Screen Section" (0) [124569.447] (**) |
> > > |-->Monitor "" [124569.448] (==) No device
> > > specified for sc

Re: X11 VESA Driver Config Question

2020-08-10 Thread Chris Bennett
On Sun, Aug 09, 2020 at 10:02:24PM -0400, Jon Fineman wrote:
> I have an Acer Aspire A315 laptop that freezes every once in a while. I
> think it is GPU related, but have not been able to get any logs. In
> addition a while ago (roughly when 6.7 came out) I tried to upgrade
> from 6.6 to 6.7 and the laptop would turn off just after getting the
> log in prompt. Again no logs.
> 
> One thought was in my xorg.conf file to change the driver from AMDGPU
> to vesa. However that is producing an error. Log and dmesg below.
> 
> Any thoughts on how to proceed?
> 

There is an excellent chance that we have the same problem.
I was running -current for a long while, when I had the same problem
with sudden unexpected shutdown. This was a good while back.
I have 50GB of install66.iso from current back then. They are on one of
my servers. Unfortunately, I just don't have access to enough bandwidth
or data to download them to hopefully find the date that there was a
change that messed things up.

Try boot -c then disable amdgpu
Might help. Also try boot -s and wait. If it shuts down there too,
probably have the same problem. Or not. :-)

I'm stuck at 6.6 -stable for now.

Chris Bennett


> Thanks.
> 
> Jon
> 
> 
> xorg.conf:
> Section "Device"
> Identifier "graphicsdriver"
> #Driver "AMDGPU"
> #Option "TearFree" "true"
> Driver "vesa"
> EndSection
> 
> 
> 
> Xorg.0.log:
> [124569.415] (--) checkDevMem: using aperture driver /dev/xf86
> [124569.425] (--) Using wscons driver on /dev/ttyC4
> [124569.446] 
> X.Org X Server 1.20.5
> X Protocol Version 11, Revision 0
> [124569.446] Build Operating System: OpenBSD 6.6 amd64 
> [124569.446] Current Operating System: OpenBSD laptop.jonjfineman.me
> 6.6 GENERIC.MP#3 amd64 [124569.447] Build Date: 30 July 2020  11:25:30AM
> [124569.447]  
> [124569.447] Current version of pixman: 0.38.4
> [124569.447]  Before reporting problems, check http://wiki.x.org
>   to make sure that you have the latest version.
> [124569.447] Markers: (--) probed, (**) from config file, (==) default
> setting, (++) from command line, (!!) notice, (II) informational,
>   (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
> [124569.447] (==) Log file: "/var/log/Xorg.0.log", Time: Sun Aug  9
> 05:48:55 2020 [124569.447] (==) Using config file: "/etc/X11/xorg.conf"
> [124569.447] (==) Using system config directory
> "/usr/X11R6/share/X11/xorg.conf.d" [124569.447] (==) No Layout section.
>  Using the first Screen section. [124569.447] (==) No screen section
> available. Using defaults. [124569.447] (**) |-->Screen "Default Screen
> Section" (0) [124569.447] (**) |   |-->Monitor ""
> [124569.448] (==) No device specified for screen "Default Screen
> Section". Using the first device section listed.
> [124569.448] (**) |   |-->Device "graphicsdriver"
> [124569.448] (==) No monitor specified for screen "Default Screen
> Section". Using a default monitor configuration.
> [124569.448] (==) Automatically adding devices
> [124569.448] (==) Automatically enabling devices
> [124569.448] (==) Not automatically adding GPU devices
> [124569.448] (==) Max clients allowed: 256, resource mask: 0x1f
> [124569.448] (==) FontPath set to:
>   /usr/X11R6/lib/X11/fonts/misc/,
>   /usr/X11R6/lib/X11/fonts/TTF/,
>   /usr/X11R6/lib/X11/fonts/OTF/,
>   /usr/X11R6/lib/X11/fonts/Type1/,
>   /usr/X11R6/lib/X11/fonts/100dpi/,
>   /usr/X11R6/lib/X11/fonts/75dpi/
> [124569.448] (==) ModulePath set to "/usr/X11R6/lib/modules"
> [124569.448] (II) The server relies on wscons to provide the list of
> input devices. If no devices become available, reconfigure wscons or
> disable AutoAddDevices. [124569.448] (II) Loader magic: 0xc3982ca3000
> [124569.448] (II) Module ABI versions:
> [124569.448]  X.Org ANSI C Emulation: 0.4
> [124569.448]  X.Org Video Driver: 24.0
> [124569.448]  X.Org XInput driver : 24.1
> [124569.448]  X.Org Server Extension : 10.0
> [124569.448] (--) PCI:*(0@0:1:0) 1002:98e4:1025:1192 rev 218, Mem @
> 0xe000/268435456, 0xf000/8388608, 0xf0d0/262144, I/O @
> 0x3000/256, BIOS @ 0x/131072 [124569.448] (II) LoadModule:
> "glx" [124569.449] (II) Loading
> /usr/X11R6/lib/modules/extensions/libglx.so [124569.451] (II) Module
> glx: vendor="X.Org Foundation" [124569.451]   compiled for
> 1.20.5, module version = 1.0.0 [124569.451]   ABI class: X.Org
> Server Extension, version 10.0 [124569.451] (II) LoadModule: "vesa"
> [124569.452] (II) Loading /usr/X11R6/lib/modules/drivers/vesa_drv.so
> [124569.452] 

Re: Suggestions re error: "USB read failed" accessing Infinite Noise TRNG?

2020-06-26 Thread Chris Bennett
On Thu, Jun 25, 2020 at 09:41:41PM +0200, Why 42? The lists account. wrote:
> 
> A quick search on the net didn't show much, apart from a suggestion that
> a USB keyboard won't work at this point because the USB subsystem hasn't
> yet been discovered (that was back in 2015 though). I'm using both a USB
> keyboard and mouse.

That is correct. Just to make sure everybody knows this. It is not
related to your problem.
Stuart's suggestion solves that problem. I have put that (for a
different problem) into my /etc/rc.shutdown. Which survives moving to a
newer snapshot or release.

Chris




Re: www unreachable

2020-06-15 Thread Chris Bennett
On Mon, Jun 15, 2020 at 12:19:09PM +0200, Anders Andersson wrote:
> 
> Are you saying it's working for you? Maybe you have a different route
> to the website because it seems to be down on the Canadian side. I
> presume you're in the US based on your domain name. :)

No, it's not working for me either.
I'm in Austin, TX and not working from my server in Chicago either.

Chris Bennett




Re: www unreachable

2020-06-15 Thread Chris Bennett
On Mon, Jun 15, 2020 at 09:43:03AM +0200, Thomas de Grivel wrote:
> Hello,
> 
> http://www.openbsd.org is unreachable.
> 
> I wanted to know what's new in the current snapshots ?
> 

I'm not sure about the website. You might have local DNS problems.
Use dig to get the IP address (from a big nameserver like 8.8.8.8)
and skip that problem.

If you mean the current -release, yes the website is simplest in
general terms only.

If you mean -current, then the mailing lists and CVS are the right
places to look. misc@ isn't very helpful, but tech@, etc. are excellent.


DNS has problems in some places in the world. Usually just for hours.
Annoying, but sites like OpenBSD have stable IP's and knowing that
solves the problem quickly.
If the site has a problem, someone else can clarify that.

Chris Bennett




Re: Why isn't src included with OpenBSD? (documentation)

2020-05-20 Thread Chris Bennett
I keep seeing people not getting the idea that OpenBSD has more of a
philosophy of users needing to put out their own special efforts at
learning, vs. other OS's.

Do you think that mentioning this on the homepage/FAQ would be useful?

It took me quite a while to understand that myself. Realizing that
brought me a great relief and no longer feeling frustrated.
I found it a bit inspiring and more enthusiastic about the whole
project.

Read the code because you MUST versus because you ought to.
I find that as a path to follow, pridefully.

Chris Bennett




Re: OpenBSD sysupgrade rocks

2020-05-20 Thread Chris Bennett
It is a great tool.

This is a good example of something that anyone with a will can come up
with.

Propose an idea that *YOU* are capable of doing.
Ask if such a thing is actually desirable, it might not be. That's OK.
Do the work, a WIP is OK and submit a diff.
Keep doing the work until usable and see what happens.
You wouldn't have to be a top-notch C or Perl, etc. programmer.

Anyone can help the project. Please do.

Please don't beg for features.
That's very irritating and wastes everyone's time.

Please don't ask for features, once again.
Really, I mean it. Don't ask for features!

:-)

Chris Bennett




Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-12 Thread Chris Bennett
On Tue, May 12, 2020 at 07:17:44AM +0200, i...@aulix.com wrote:
> I would prefer to begin from grsecurity, but it is not available up to date 
> for my budget.
> 
What exactly does your budget mean? These are all free, open source
operating systems. You may sell both OpenBSD and any installations and
consulting. That could improve your income for your budget.

> I would also try HardenedBSD, but it is only amd64 now? And how many active 
> developers there are? one or two?
> 

I run two intel based servers with OpenBSD amd64. They run flawlessly.

> OpenBSD looks as the only viable option for me right now, may be one another 
> is a systemd free distro like Devuan with a hardened kernel like by @anthrax, 
> but I am too unskilled even to understand what are improvements of @anthrax 
> kernel for me without a good doc for it in the existence, and on the other 
> hand OpenBSD is famous with its very good documentation. 

Open source means that most developers work for free and fun or to
obtain something they in particular want. Convince some developers to
work on your own desires, whether with OpenBSD or elsewhere.

> 
> I guess it is a huge work to harden Linux installation to a level compared to 
> OpenBSD, there is some interesting work which is by Whonix but unfortunately 
> with systemd, and it seems someone from that community is referring to 
> isopenbsdsecu.re site, so it looks to me like a OpenBSD vs Whonix dispute, 
> excuse me if I am wrong.
>

Linus actively discourages security work. OpenBSD is thrilled to
actively work on security. A major component that brings security
benefits is simple auditing of code, not for security but for
correctness.
If you are seeking perfect security, YOU CAN'T HAVE IT!
It is impossible. Not even agencies such as the NSA, etc have it.
Remember Edward Snowden? All systems can be breached. Period.

My suggestion is to stop taking a confrontational attitude ( you may not
even realize you are doing it) and try to take a congenial attitude. It
will always produce more good results than confrontation.

Chris Bennett

PS. Please format your emails to 80 or 72 character width.
Your long lines are mildly irritating and non-standard in the Unix-like
world. Or just hit enter more often.




Re: pkg_add can't resolve package - bad major

2020-05-04 Thread Chris Bennett
On Mon, May 04, 2020 at 08:23:10AM +0200, Marc Espie wrote:
> On Sun, May 03, 2020 at 12:58:41PM -0400, Chris Bennett wrote:
> > I have had this exact same problem before
> > 
> > pkg_info -q > packages_installed
> > pkg_delete gettext.
> > pkg_add gettext-runtime
> > pkg_add -u
> > pkg_add -zl packages_installed
> > 
> Update your procedures, use pkg_info -z and not pkg_add -z.
> It's been there for ages.
> 

My bad. Thanks. That also gives me info I was finding hard to understand
about stems.
Time to sit down and re-read man pages again.

Chris Bennett




Re: pkg_add can't resolve package - bad major

2020-05-03 Thread Chris Bennett
.2.4 sqlite3-3.27.2p0
> Full dependency tree is libnettle-3.4.1p0 python-3.7.4 libassuan-2.5.1p0
> p11-kit-0.23.18.1 nghttp2-1.37.0 sqlite3-3.27.2p0 xz-5.2.4 npth-1.6
> libidn2-2.0.0p0 gmp-6.1.2p3 curl-7.64.1 pinentry-1.1.0p0
> libunbound-1.9.1 gnutls-3.6.7 blas-3.7.1p0 gettext-runtime-0.20.1p0
> libsecret-0.18.8p0 libgcrypt-1.8.4p0 libgpg-error-1.36p0
> libusb1-1.0.21p1 lua-5.1.5p6 p5-Error-0.17025 glib2-2.60.7p0
> libksba-1.3.5p2 gcc-libs-4.9.4p18 libiconv-1.14p3 pcre-8.41p2
> libmagic-5.35 libtasn1-4.13p0 bzip2-1.0.6p9 icu4c-63.1 lapack-3.7.1p0
> luajit-2.0.5p1 libffi-3.2.1p5 cvsps-2.1p2 libunistring-0.9.7
> Can't install w3m-0.5.3p8: can't resolve gettext-runtime-0.20.1p0
> Couldn't find updates for gettext-0.19.8.1p3 git-2.21.0 glib2-2.58.3p8
> gnupg-2.2.12 libgpg-error-1.36 libksba-1.3.5p1 p11-kit-0.23.15p0
> python-2.7.16 python-3.6.8p0 rspamd-1.9.0 vim-8.1.1048-no_x11
> Couldn't install gettext-runtime-0.20.1p0 git-2.24.2 glib2-2.60.7p0
> gnupg-2.2.12p0 libgpg-error-1.36p0 libksba-1.3.5p2 p11-kit-0.23.18.1
> python-2.7.16p1 python-3.6.9 python-3.7.4 rspamd-1.9.4
> vim-8.1.2061-no_x11 w3m-0.5.3p8
> 
> At this stage, I am not sure what should I do to fix this, any idea?
> 
> Installed package:
> dkimproxy-1.4.1p1   SMTP proxy to verify or add DKIM signatures
> dovecot-2.3.5.1 compact IMAP/POP3 server
> dovecot-pigeonhole-0.5.5v0 Sieve mail filtering for Dovecot
> git-2.21.0  GIT - Tree History Storage Tool
> gnupg-2.2.12    GNU privacy guard - a free PGP replacement
> htop-2.2.0p8    interactive process viewer
> intel-firmware-20190918v0 microcode update binaries for Intel CPUs
> mosh-1.3.2p2    mobile shell
> opensmtpd-extras-6.4.0v0 extras for smtpd
> quirks-3.185    exceptions to pkg_add rules
> rspamd-1.9.0    event-driven spam filtering system in C/Lua
> vim-8.1.1048-no_x11 vi clone, many additional features
> 
> $ cat /etc/installurl
> https://cdn.openbsd.org/pub/OpenBSD

I have had this exact same problem before

pkg_info -q > packages_installed
pkg_delete gettext.
pkg_add gettext-runtime
pkg_add -u
pkg_add -zl packages_installed

The gettext changeover always screwed up my pkg_add -u
pkg_delete gettext will uninstall quite a few packages
That will get fixed by using the packages_installed file.
Read man pkg_add first, of course.

Chris Bennett




loading DBD-Pg under base httpd, works but it's wrong way

2020-04-30 Thread Chris Bennett
I've had a hell of a time getting Pg.so to load under base httpd.

env LD_DEBUG=1 chroot /var/www script.pl
gives errors about DynaLoader not being able to load due to a missing
library.

After looking at Postgresql libraries loaded using pg_config --libs
I moved just those libs under /var/www.

Still no luck. However I did get barely enough of a hint with searches
to figure out that it wasn't finding libpq.a and libpq.so.6.11
But those are located under /usr/local/lib. I couldn't figure out how to
push over that directory into the search paths.
So I moved a copy of those under /var/www/usr/lib/ vs
/var/www/usr/local/lib/
Works just fine.

I know that this is the wrong solution, but I'm clueless where and how
to add the right search path.
Any clues would be extremely appreciated!

Chris Bennett




Re: boot drive hide and seek on new notebook

2020-04-28 Thread Chris Bennett
Some BIOS's require you to select legacy boot and legacy boot before
UEFI in order to boot off of a USB. Also might need to turn off boot
security option, too.

A lot of BIOS's suck nowadays. Who woulda thought that examining the
BIOS would become a purchasing decision?

A future BIOS update might make things better, or impossible.
Good news is that you got it to work.

Chris Bennett




Re: UNIX crash course

2020-04-28 Thread Chris Bennett
On Tue, Apr 28, 2020 at 06:48:37PM -, Stuart Henderson wrote:
> Outside of certain network infrastructure (RIRs and DNS software
> vendors) and TLDs offering incentives (.se and .nl, maybe others) DNSSEC
> is still very rare. Do a lookup of a couple of dozen randomly chosen
> general purpose domains - I think you'll be lucky to find more than 1 or
> 2 signed.
> 

I moved my domains from Godaddy to namecheap since they offer DNSSEC.
Very happy. They have free service, no DNSSEC, and paid service with
DNSSEC. And yes, they really are cheap. :-)
You do have to transfer in your domain for DNSSEC.

Chris Bennett




Re: Comments in source code

2020-04-23 Thread Chris Bennett
On Thu, Apr 23, 2020 at 05:38:40PM -0400, Aisha Tammy wrote:
> Thanks a lot for responding, I've had some food so am feeling a lot less
> frustrated :D
> 
> > On 4/23/20 12:10 PM, Stuart Henderson wrote:
> > 
> > It's often considered better if code is clear enough to stand by itself,
> > keeping comments for the less common cases which can't be figured out
> > from reading the code. And that way you aren't at risk of assuming
> 
> But like, not all code is simple enough to understand by just reading it.
> Comments can do more than just explain api, they can help explain 
> how the code itself is working.
> I have been reading diff, sdiff diff3 and other string algorithms to 
> understand
> how to make it as fast as their GNU counterparts and they are not the 
> simplest 
> to read, even when knowing the actual string algorithms pretty well.
> 

If reading the code isn't enough and you see parts you don't understand,
then break those parts. See what happens. Find out why it was done.
You might find out that the code at that spot doesn't even work
correctly. You might figure out a way to fix it or eliminate it.
Perhaps submit a diff.
From your work, you may be able to ask a very specific question.
Specific questions are more likely to be answered. If someone knows the
answer AND also has the time and desire to help.

You may also find that the old way was great back in older versions of
OpenBSD, but no longer the best way due to changes in the OS.

> > If you aren't already, you should be looking at commit messages from
> > where the relevant code was touched. That is often where you'll find the
> > explanations you seek.
> > 
> I have been reading them, Commit messages don't explain algorithms very 
> clearly.
> I agree this is a very specific use case but definitely something that could 
> be improved.
> Some of the things I've been considering useful (in this specific scenario 
> for diff3)
> - explanation for merge function, what it does
> - in merge function, explain how empty for loop is used, as this is a very 
> big loop
>   with a lot of cases
> 

Are you reading commit messages far enough back in time? OpenBSD is a
fork of NetBSD. Maybe you will need to go back much further in time to
find the commit message or discussion that led up to today.

I strongly support comments, very strongly. But only when needed.
Explanations are better coming from someone who can discuss with you or
might only be available from you working it out for yourself.
This is a volunteer project. Comments don't get compiled, but they do
take up space, disk space and bandwidth space.

Have fun, work hard and enjoy yourself.
There are some excellent threads about these topics in the mailing
lists.

Chris Bennett




Re: More than 16 partitions

2020-04-23 Thread Chris Bennett
On Thu, Apr 23, 2020 at 10:29:01PM +0200, Francois Pussault wrote:
> I agree ; Using more than 10 partitions is rare  but in case of NFS or other 
> network shares of course.
> 16 is really enough in my point of view.
> 

I've got to disagree with this one. I'm doing porting work.
I yank out all of the directories except /usr/ports itself,
using mk.conf. I then also make another partition /usr/ports/mystuff

umount /usr/ports/mystuff
umount /usr/ports
newfs /usr/ports, etc.
remount /usr/ports, mkdir /usr/ports/mystuff, remount /usr/ports/mystuff
tar xzvf ports.tar.gz into /usr/ports
and I can continue on working, without having lost any work I'm still
examining.

Working with retail equipment at home for a normal desktop. 16 OK
Power often fails or hardware fails.

Working on a server. Power almost never fails, nor the hardware.

At home I run built-in HD, USB flash and USB HD. 16 is no problem with
three HD's. I can ro lots of stuff and I need to.

I'm not doing any porting at home, only on server hardware. Too tired of
reliability issues at home.

That's just what I(me)thinks. |-}

There be-is-are some very good, cheap, rugged and waterproof USB HD's out
there. Very portable(s).

Bye,
Chris




Re: X start failure - OpenGL Version

2020-04-06 Thread Chris Bennett
On Mon, Apr 06, 2020 at 02:23:20PM +0200, Riccardo Mottola wrote:
> Hi Marcus,
> 
> Marcus MERIGHI wrote:
> > Hello Riccardo, 
> >
> > startx(1) had its setuid bit removed. I think in the timeframe you are
> > upgrading over. The canonical advice is to use xenodm(1).
> >
> > Marcus
> >
> 
> exactly, that was it... the error message wasn't that helpful.
> 
> xenodm works.. but since I prefer to run X11 "when I need it" on that
> machine, I just +s startx and it works fine too.
> 

Uh, no.

When you need it.
doas rcctl -f start xenodm
-f is to force it without enabling it in /etc/rc.conf.local

You can also turn it off when done with X, but not going to shutdown.

Chris




Re: Faking the same LAN over the Internet

2020-04-01 Thread Chris Bennett
On Wed, Apr 01, 2020 at 07:01:15AM -0600, Diana Eichert wrote:
> have you considered looking at native OpenBSD tools?
> 
> https://man.openbsd.org/egre.4
> 

Wow! I had no idea about this.
The manual page seems to be very clear, too.

I have 2 servers at different ISPs and from home I almost always connect
over my phone's hotspot.

I will definitely be learning this!

Thanks!

Chris Bennett




Re: MITM ?

2020-03-26 Thread Chris Bennett
On Wed, Mar 25, 2020 at 11:06:57PM +, Cord wrote:
> 
> > Read a LOT of man pages and misc@ tech@ ports@ bugs@
> >
> > Maybe even tell us which version of VAX your laptop runs on?
> 
> VAX ???
> 
> > Is it OpenBSD version 4.9?
> >
> 
> 4.9 ???
> 
> I'm sorry, I'm in the future.

But, my joking aside, you haven't provided much info for giving advice.

They have now found out that a huge number of commercial VPN companies
are both running tracker software and selling your data.
Worse, many are running session recording which could be making your
passwords stealable.

In the USA, ISP's like Comcast have opened up all customers' rented
routers to the full public without the need for a password.
If that is your case, your private network isn't private.

If your laptop is Intel based, turn off HT/SMT.
Run syspatch and pkg_add -u.
Look at all of your logs in detail.

Use NoScript and Ghostery plugins for Firefox.
Assume that someone might be physically accessing your laptop.
The laws in the USA since 9/11 allow this to be done without you being
told.

Good luck, hopefully you are not having this problem, but paranoia is a
good thing in today's world.

Chris Bennett




Re: MITM ?

2020-03-25 Thread Chris Bennett
On Wed, Mar 25, 2020 at 07:17:59PM +, Cord wrote:

Go buy an ethernet cable. No WiFi.
Use someone's phone hotspot.
Use a fixed PKG_PATH instead of /etc/installurl

Read a LOT of man pages and misc@ tech@ ports@ bugs@

Maybe even tell us which version of VAX your laptop runs on?
Is it OpenBSD version 4.9?

I'm annoyed that our hotel room is sharing electrical circuit with the
room next to it and the power keeps tripping the circuit breaker.

I feel better now.

> Hi,
> some months ago I sent some emails to misc (search my email on google) 
> because I believe my obsd laptop was been hacked.
> Then I bought a new laptop because my suspicious were that some firmware or 
> the bios had some infected code.
> Then I taken the new laptop and I went in two wifi point (in two different 
> days and in two different wifi spot) to install openbsd. I installed a basic 
> system and firefox, after that I come back to home.
> At home I tried to complete the installation adding other packages. After one 
> hour between pkg_add and watching video on youtube my laptop was freezed. The 
> freeze was happen im the middle of a pkg_add.
> After that I forced a reboot and I completed the installation. Then I start 
> to watch a video on youtube. Then after 15 or 20 minutes from the boot the 
> system again has been frozen. Again forced reboot. And again watching a 
> youtube video, around 10-20 minutes again freeze. In total there was been 3 
> freeze, one on pkg_add and two during watching a youtube video.
> At the fourth boot, I left the system disconnected from the wifi to verify if 
> it was an hardware problem. After 15 minutes I connected to the wifi but 
> without doing anything. Then after other 10 minutes I opened youtube but the 
> system was pretty stable. Those freeze was happened maybe 10 days ago. But I 
> haven't had other freeze.
> Now the "signs" of the previous hacking are appeared again in the new laptop 
> then most probably the laptop was been hacked again.
> 
> What is your opinion ?
> could be a MITM from my router and a kernel 0day on the tcp/ip stack 
> implementation ?
> could be MITMed pkg_add ?
> the encryption algorithm (AES_128_GCM) behind https is really secure ?
> Can some code be injected in an encrypted stream ?
> 
> Thank you.
> Cord.
> 
> 
> 



Re: ports: pkg_add as root

2020-03-21 Thread Chris Bennett
On Sat, Mar 21, 2020 at 02:26:18PM +0530, putridsou...@gmail.com wrote:
> I have never tried the ports system before. 
> I have read through the faq and the man pages, 
> but I get stuck at building dependencies. 
> I follow through the fetch,checksum steps and then
> for 'make prepare' as local user, 
> I'm greeted with following message. 
> This is for the 'rsnapshot' package
> 
> ===>  Building package for rsync-3.1.3
> Create /usr/ports/packages/amd64/all/rsync-3.1.3.tgz
> Creating package rsync-3.1.3
> Link to /usr/ports/packages/amd64/ftp/rsync-3.1.3.tgz
> ===>  Cleaning for rsync-3.1.3
> ===>  Verifying specs: c
> ===>  found c.95.1
> ===>  Installing rsync-3.1.3 from /usr/ports/packages/amd64/all/
> pkg_add: pkg_add must be run as root
> *** Error 1 in /usr/ports/net/rsync 
> (/usr/ports/infrastructure/mk/bsd.port.mk:2028 
> '/var/db/pkg/rsync-3.1.3/+CONTENTS': @/usr/bin/env -i PKG...)
> *** Error 1 in /usr/ports/net/rsync 
> (/usr/ports/infrastructure/mk/bsd.port.mk:2451 'install')
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2135 
> '/usr/ports/pobj/rsnapshot-1.4.2/.dep-net-rsync')
> *** Error 1 in /usr/ports/net/rsnapshot 
> (/usr/ports/infrastructure/mk/bsd.port.mk:2451 'prepare')
> 
> I have successfully installed programs 
> with no dependencies using command
> 'doas make install' as the final step, 
> after fetch,patch,gen,configure,etc.
> Is this the right way?
> 
> Why doesn't a make install command as a local user
> while in 'net/rsnapshot' call doas on its own?
> 

make install, make update, pkg_add are basically the same thing.
doas will follow what is set as ok in /etc/doas.conf

doas itself is a much improved version of sudo.
sudo is in packages if you want it for some other port, but doas is
better.

/etc/mk.conf has SUDO=doas
which reflects the past usage of sudo before doas was created.

OpenBSD has a lot of distinguishing characteristics different than other
OS's. One high priority is security.
Installing software means that only a user given the right to do so, may
do it.

If you have no /etc/doas.conf allowing any user to act as root, then no
one else except root can install programs.
Having anything that overrides that is disastrous for security.

evil_user $ make install my_erase_all_files_malware
would really be a bit of a problem.

evil_user $ doas pkg_add my_erase_all_files_malware
will fail unless you have mistakenly given evil_user such broad powers.

Please read and re-read all of the manual pages involved.
doas
doas.conf
mk.conf
bsd.port.mk
pkg_add, pkg_create, pkg_ anything.

The main site has a man page program that you can setup to give you the
proper (base system) man pages online for whichever version of OpenBSD
you are running.

also, if you haven't, read all those links on the home page.

Search the mailing list history too. https://marc.info and many
other sites.

Personally, I have found doing general searches about OpenBSD to not be
very helpful. The information is often very old or not useful. Your
results may vary.

You can do everything with any port except install it. Play around with
building and testing and all the different make clean variations.
When you hit a dependency that isn't installed, then you would need to
use doas manually.

Have fun!
Chris Bennett




Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-19 Thread Chris Bennett
On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote:
> That's because filter-dkimsign doesn't support multiple domains, and
> unless someone can give me a good reason to do so it probably is going
> to stay that way.
> 
> I know that some mail providers add an additional positive score to
> your spam rating if you have DKIM, but I reckon this is BS, because
> DKIM is nothing more than a glorified debugging tool to tell you which
> server butchered the content of your mail if every server in the chain
> adds a DKIM signature. To be precise: it only tells you that a
> particular domain owner (d-option) knows what server(s) a particular key
> (s-option) belongs to, so that if a signature fails it could only
> have happened before the last server which has a valid signature.
> 
> Could you explain why you (think you) need to have multiple domain
> support?
> You (currently?) can't. If you want multiple conditions on different
> filters you would need to create multiple listening sockets (e.g.
> multiple ips or ports) and apply the correct match-rules based on the
> socket.
> 
> martijn@
> 

OK, thanks for clearing that up. I learned a lot using it. I would also
like to use multiple domains, but I don't see any reason to ask you to
do any more work than you want to.
Thanks for your work. I appreciate it. And trying to use multiple
domains was a good lesson in strange results. :-}

Chris Bennett




Re: Confusing problem with CVS

2020-03-13 Thread Chris Bennett
Thanks, that was helpful.
I did not think of using info cvs. I do use info at times, just not that
often.

I'm just using CVS for porting. Since -current offers a tar file and
I've made a partition for /usr/ports and another for /usr/ports/mystuff,
so I'm just using that file to replace ports without changing my WIP.

I ran into a rather good C book that runs along with my way of thinking,
so I wanted to follow -current src for learning. I'll just checkout src
again unless I start working on a diff to submit in the future.

For other things, I'm using backups plus git because I can pass along
changes to other boxes so easily.

I didn't think it was a bug, just something I wasn't understanding.

I appreciate the help.
Thanks,
Chris Bennett




Confusing problem with CVS

2020-03-13 Thread Chris Bennett
I am running -current.

On one server, src was empty. So I did a cvs checkout.
On another server, src had older files. So I did a cvs up.

Afterwards, inttypes.h had one size on the checkout, another size on the
updated src.
I rm'ed the updated src and did a checkout. Now both files are the same
size and date.

What has happened here? I thought that cvs up was the correct procedure.

cvs -qd$CVSROOT checkout -P src inside of /usr or
cvs -qd$CVSROOT up -Pd inside of /usr/src.

Updating only changed some of the file dates and did not work correctly.

Thanks,
Chris Bennett




Re: suggestions for USB printer (maybe even with scanner)?

2020-02-05 Thread Chris Bennett
A lot of people are mentioning the need to deal with the new lpr tools
being at /usr/local/bin.
I found that adding a symlink from /usr/bin/lpr to /usr/local/bin/lpr,
etc. to help with programs that expect to find lpr at that exact
location.

Using a symlink will make life much easier with a few programs, since
everything finds what it needs at either location. You will need to
refresh the symlink after each upgrade. Backup the /usr/bin files just
in case you really do need them later.

Good luck! Printing is so damned easy or so brutally hard. ;-{)>

--
Chris




Re: Question about marketability of OpenBSD Laptops

2020-01-25 Thread Chris Bennett
On Sat, Jan 25, 2020 at 05:49:04PM -0500, Michael G Workman wrote:
> I have read many stories about small business owners waking up one day and
> their bank accounts are empty, due to banking malware like Zeus, others are
> victimized by ransomware and have to pay a fee to get their files back.
> 
> It seems like most of the victims were using windows computers when these
> attacks happened, as far as I know Zeus only works on Microsoft Windows,
> not Unix or Linux.
> 
> I was thinking of offering some refurbished older Dell Laptops for sale
> with OpenBSD installed, to use specifically with online banking, $149 for
> Dell Vostro 1500 with 120 GB SSD and 2 GB RAM, and $249 for Dell Latitude
> e6400 with 240 GB SSD, and 8 GB of RAM, and for an extra fee, make 240 GB
> and 480 GB or 1 TB or 2 TB SSD an upgrade option for them. Since they are
> laptops, they can easily be moved around and are portable and people can
> even travel with them and use them while traveling for their banking
> transactions.
> 
> I was not able to get wifi to work on the Dell Vostro, but that is ok,
> since wifi can be an attack vector, I think they will be more secure with
> only a hardwire Lan connection.
> 
> While it is true that some small business owners have some good IT skills
> and could install OpenBSD themselves, I am thinking of it as a product for
> the small business owner who has minimal IT skills.
> 
> Someone, most likely an open source purist, criticized this idea on IRC
> but I think it is actually a really good idea for the small business owner
> with minimal IT skills.
> 
> I just wanted to know everyone's opinion of this idea? and also would I be
> able to advertise my contact information on the commercial section of
> OpenBSD.org for these specialty laptops?
> 
> Thanks.
> 
> *Michael G. Workman*
> (321) 432-9295
> michael.g.work...@gmail.com

First, there is no commercial section of OpenBSD to advertise on.

As far as your seemingly brilliant idea, it won't work.

Try this. Put OpenBSD on a USB stick. Then try to get ANYONE to boot it
on their laptop/desktop. I gave up after about 25 tries over the years.

Next, try this. Give away a few laptops with OpenBSD already installed
for free. Check back with these people 3 months later. You won't find a
single one with OpenBSD still installed unless they just stuffed it in a
closet.

Nobody wants to do what is necessary for security. It's just "too hard".
We will continue to see security breaches ad infinitum.
That's just the way it "Just doesn't works".

When I was a kid and we had some new type of food that was really tasty.
I would offer a taste to my other friends who were kids too.
"I don't like that!" was always the response. They refused to even taste it.
I would say, but you've never ever even tried this before!
"I don't care. I just don't like the way it tastes".

That, sadly is the way the real world works.
It's nonsense. But that's just the way it is.

Good luck, hopefully you can make it work. Please don't put any serious
money into it before trying my two above suggestions.

--
Chris Bennett




Re: Boot fail using internal SATA port, success using USB port.

2020-01-05 Thread Chris Bennett
HyperThread must be off! Danger!
Probably shouldn't enable virtualization unless using it.
Secure boot is off, that is correct.

Do you have the latest BIOS?
Will the disk boot if you skip UEFI completely and run in legacy mode?

Are you dual-booting with Windows? It hates everything and can mess up
BIOS settings to make you love Windows even more.

Do you get to the boot> prompt?
Then try booting the different hard drives listed above it manually.

Good Luck,
Chris Bennett




Re: perl popularity inside openbsd community? (Re: Suggestion: Replace Perl ...)

2020-01-02 Thread Chris Bennett
I don't speak Python, but from what I've read, it has some serious
encoding problems compared to Perl.
This is a real problem in today's world of multiple encodings.

Apparently the guy writing about this is pretty hated for bringing up
this serious flaw. If the problem is true, he has examples, then it
needs to get fixed.

Perl also has problems, but screwing up encodings is pretty fundamental.

mod_perl, from reading the mailing list, looks like it will die off
before long. Lack of developers and funding and interest given all the
newer replacements.

Remove Perl? No way.
Perl is very Unixy. Perl is full of automagically. C isn't.
I think they make for a good combo.

Think this way -> use C
Think other way-> use Perl
Think really screwball -> use both

OK, enough of my BS, but this is an interesting thread.
I do think discussing many languages that can be used is relevant to
both misc@ and ports@

Bye Y'all,
Chris Bennett




Re: Adaptive main page for openbsd website.

2019-12-22 Thread Chris Bennett
On Sun, Dec 22, 2019 at 04:44:11PM -0500, Steve Litt wrote:
> On Sun, 22 Dec 2019 19:25:00 +0300
> v...@vtsoft.dev wrote:
> 
> > Hello everyone,
> > 
> > The main page of openbsd.org is currently not responsive. It looks
> > bad when I access it from
> > my mobile phone. I offer my version of the home page. My CSS file is
> > 4 times smaller than it
> > is now and adapts to the screen size of the device. Please, check it: 
> > https://vttv.xyz. Also,
> > you can directly download archive with sources: 
> > https://vttv.xyz./openbsd.tar.gz.
> 
> Your page is very nicely adaptive, without the horrible jumps often
> seen with media queries. I'm not a fan of "mobile devices" but at this
> point in history I think websites need to accommodate to them. Most of
> my newest Troubleshooters.Com pages are at least moderately adaptive.
> 
> I'd suggest you make the horrible, blood red graphic 1/2 size. It looks
> awful on the current page, and because it's full size on yours, it
> looks even awfuller.
> 
> The font on the current OpenBSD web page is nice and readable. On your
> adaptive, it's thin, reedy, ugly, pixellated, and hard to read. If
> you're setting a specific font, I suggest you refrain from that and let
> the user's browser settings rule. That way, your page is comfortable
> for the guy with 20/10 vision or the guy with 20/60 vision. If you're
> not declaring a font, something's going wrong.
> 
> The blue sidecar navigator in the original website is handy, good
> looking, and gives the reader the confidence to go where he wants. At
> the expense of one more user click, you could put a "navigation links"
> link or button, which refers to your box array, right under the red
> graphic. 
> 
> What I'd prefer, if it doesn't require a media query or too much
> javascript, would be to retain the sidecar at big screen sizes, but at
> a certain point collapse it and replace with something else: Perhaps
> your current bottom array of boxes with a link to them on top.
> 
> What's going to be a bigger challenge is doing this to pages containing
>  or . I've never been able to get those to fold, and even if
> they did, the code would then become misleading.
> 
> SteveT
> 
> Steve Litt 
> December 2019 featured book: Rapid Learning for the 21st Century
> http://www.troubleshooters.com/rl21
> 

If it won't work with a text browser such as lynx, it's not OK.
You can't ^Z chrome or firefox.
You can't use Javascript with text browsers.
Once you walk away from text browsers, script snippets to read pages,
etc., too much is lost.
I'm genuinely only interested in content, not appearance.
I frequently need a text browser over SSH. As in many times a month.
Please just patch content, not good looks.

Thanks,
Chris Bennett




Re: What do you use to generate invoices on OpenBSD?

2019-12-22 Thread Chris Bennett
On Sat, Dec 21, 2019 at 11:57:07PM +, Mikolaj Kucharski wrote:
> Hi,
> 
> Do you generate invoices on OpenBSD? What do you recommend? If you have
> experience in more than one app, why did you chose one over the other?
> If you use something open-source on other OS, let me know as well. If
> you use some own written app, for generating invoices, I'm also
> interested to hear, just to get an idea, which way people decide to go.
> 
> Please carbon-copy me in the replies, thanks!
> 
> -- 
> Regards,
>  Mikolaj
> 

I am working on bringing in LedgerSMB, which is accounting software for
small to medium size businesses. That might be overkill for just
invoices if you don't need the rest.
I had it working on OpenBSD previously but not in ports.
It needs quite a few Perl modules imported, but I don't see any
obstacles except that manual labor. It uses PostgreSQL.
Also uses Apache or Nginx or Perl's Starman server.

I'll plug my cause here. :-}
I'm far from anything but an amateur porter, so if anyone wants to help
either with porting or testing, I'd deeply appreciate it. So would
anyone else who might want to run the software.
I can test on i386 and amd64. But I do make quite a few mistakes before
getting things correct.

Chris Bennett




Re: resolving addresses in smtpd and T-mobile addresses I login on with SSH being used

2019-12-03 Thread Chris Bennett
After digging through logs on laptop for the same time as errors, I
found that the two errors did indeed match.

Sorry for the noise. Rebooting the server and reconnecting with a new IP
left me perplexed.

Chris Bennett




Re: resolving addresses in smtpd and T-mobile addresses I login on with SSH being used

2019-12-03 Thread Chris Bennett
On Tue, Dec 03, 2019 at 06:16:06PM +, Raf Czlonka wrote:
> On Tue, Dec 03, 2019 at 04:41:27PM GMT, Chris Bennett wrote:
> > 
> > [...]
> > Dec  2 22:36:28 freedomforlife smtpd[78001]: cd3e9bc4ab696630 smtp connected address=172.58.46.253 host=
> > Dec  2 22:36:28 freedomforlife smtpd[78001]: cd3e9bc4ab696630 smtp failed-command command="" result="550 no rDNS is so 80s"
> > Dec  2 22:36:28 freedomforlife smtpd[78001]: cd3e9bc4ab696630 smtp disconnected reason=quit
> > [...]
> > 
> On Tue, Dec 03, 2019 at 05:57:24PM GMT, Chris Bennett wrote:
> > 
> > [...]
> >  filter check_rdns phase connect match !rdns \
> >  disconnect "550 no rDNS is so 80s"
> > [...]
> > 
> 
> Chris,
> 
> That'd be it.
> 
> You're using a filter which disconnects a session with a message
> "550 no rDNS is so 80s", for every IP address which doesn't resolve
> to a reverse DNS.
> 
> Regards,
> 
> Raf

Except that I'm not sending the messages to or from my phone. Only the
SSH session.
I can send messages from my laptop through the phone successfully.
Only they are now rejected as no rDNS from jackass.my.domain. To be
expected and they worked without the filter before (which made some
testing nice).

These messages are from smtpd on one server to smtpd on another.
Only the SSH is from the phone. But all of the IP's which did this came
from previous, not the current session, from my phone's IP's in authlog.
But only previous IP's. 

OK, I'm guessing here, but was the server grabbing the phone's IP to do
lookup's with? How do I test for that? If that's the case, then this
will be educational about something I don't know. :)

Thanks,
Chris Bennett
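One way to test the question raised in the message above, added here as an example that is not part of the original thread: join the smtpd sessions that the check_rdns/check_fcrdns filters rejected to the addresses that sshd accepted logins from. The first three maillog lines are the ones quoted in the thread; every other log line, the user name `chris` and the documentation-range addresses are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Correlate smtpd rDNS/FCrDNS rejects with SSH login source addresses.
# On OpenBSD the inputs would normally be /var/log/maillog and /var/log/authlog.

# Print each client address whose SMTP session ended in one of the
# "550 no rDNS" / "550 no FCrDNS" rejects from the filters in smtpd.conf.
# smtpd logs the address on the "connected" line and the reject on a later
# line of the same session, so the two are joined on the session id (field 6).
rdns_rejects() {
    awk '
    / smtp connected / {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^address=/) addr[$6] = substr($i, 9)
    }
    / smtp failed-command / && /result="550 no (FC)?rDNS/ {
        if ($6 in addr) print addr[$6]
    }' "$1" | sort -u
}

# Print each address sshd accepted a login from (failed attempts are ignored).
ssh_sources() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i < NF; i++)
            if ($i == "from") { print $(i + 1); break }
    }' "$1" | sort -u
}

# Print the addresses that appear in both sets: hosts that logged in over SSH
# and also had an SMTP connection refused for missing reverse DNS.
rejected_ssh_sources() {
    ssh_tmp=$(mktemp) || return 1
    ssh_sources "$2" > "$ssh_tmp"
    rdns_rejects "$1" | grep -Fx -f "$ssh_tmp" || true
    rm -f "$ssh_tmp"
}

# Write the sample logs into directory $1 (constructed data, see lead-in).
write_sample_logs() {
    cat > "$1/maillog" <<'EOF'
Dec  2 22:36:28 freedomforlife smtpd[78001]: cd3e9bc4ab696630 smtp connected address=172.58.46.253 host=
Dec  2 22:36:28 freedomforlife smtpd[78001]: cd3e9bc4ab696630 smtp failed-command command="" result="550 no rDNS is so 80s"
Dec  2 22:36:28 freedomforlife smtpd[78001]: cd3e9bc4ab696630 smtp disconnected reason=quit
Dec  2 22:40:02 freedomforlife smtpd[78001]: cd3e9bd1f0a2b771 smtp connected address=192.0.2.10 host=mail.example.net
Dec  2 22:40:03 freedomforlife smtpd[78001]: cd3e9bd1f0a2b771 smtp disconnected reason=quit
Dec  2 22:51:17 freedomforlife smtpd[78001]: cd3e9be05c11d402 smtp connected address=198.51.100.7 host=
Dec  2 22:51:17 freedomforlife smtpd[78001]: cd3e9be05c11d402 smtp failed-command command="" result="550 no rDNS is so 80s"
EOF
    cat > "$1/authlog" <<'EOF'
Dec  2 20:15:44 freedomforlife sshd[40112]: Accepted publickey for chris from 172.58.46.253 port 50412 ssh2
Dec  2 23:02:09 freedomforlife sshd[51877]: Accepted publickey for chris from 203.0.113.25 port 41990 ssh2
Dec  2 23:05:00 freedomforlife sshd[51900]: Failed password for invalid user admin from 198.51.100.7 port 33211 ssh2
EOF
}

# Demo run on the sample data.
demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
echo "rejected for missing rDNS/FCrDNS:"
rdns_rejects "$demo_dir/maillog"
echo "also seen as SSH login source:"
rejected_ssh_sources "$demo_dir/maillog" "$demo_dir/authlog"
rm -rf "$demo_dir"
```

An address in the second list means a host that logged in over SSH also opened an SMTP connection that the filter refused, which is a client behind that address sending mail rather than the server borrowing the address for lookups.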




Re: resolving addresses in smtpd and T-mobile addresses I login on with SSH being used

2019-12-03 Thread Chris Bennett
I've got to leave where I'm at right now, I'll respond more later. In a
rush now.

Thanks,
Chris



Re: resolving addresses in smtpd and T-mobile addresses I login on with SSH being used

2019-12-03 Thread Chris Bennett
On Tue, Dec 03, 2019 at 05:05:15PM +, Raf Czlonka wrote:
> 
> Hi Chris,
> 
> Is rdns anywhere in your smtpd.conf? You forgot to attach, so only
> guessing here...
> 
> Regards,
> 
> Raf

Sorry. This is for the server with the problem.
I can't guarantee that it was exactly like this, since I've been
fiddling.

Please note that are hosted here for website.
no-seas-necio.ninja
strengthcouragewisdom.rocks
capuchado.com

/etc/hosts for here
127.0.0.1   localhost
::1 localhost

162.255.139.10  no-seas-necio.ninja
162.255.139.11  bennettconstruction.us 
162.255.139.12  capuchado.com   
162.255.139.13  strengthcouragewisdom.rocks
162.255.139.14  mail.freedomforlife.rocks



cowboyup.xyz and bennettconstruction.us are (just as of a few days ago)
using a CNAME for mail. and www.
bennettconstruction.us has not used a CNAME for years.

mail is on 172.107.202.138/29

/etc/hosts for there (where problem showed up)

127.0.0.1   localhost
::1 localhost

172.107.202.138 freedomforlife.rocks
172.107.202.139 mail.no-seas-necio.ninja
172.107.202.140 cowboyup.xyz
172.107.202.141 mail.strengthcouragewisdom.rocks
172.107.202.142 mail.capuchado.com

Everything signed with Let's Encrypt correctly

 pki mail.no-seas-necio.ninja cert "/etc/ssl/mail.no-seas-necio.ninja.fullchain.pem"
 pki mail.no-seas-necio.ninja key "/etc/ssl/private/mail.no-seas-necio.ninja.key"

 pki cowboyup.xyz cert "/etc/ssl/cowboyup.xyz.fullchain.pem"
 pki cowboyup.xyz key "/etc/ssl/private/cowboyup.xyz.key"

 pki mail.strengthcouragewisdom.rocks cert "/etc/ssl/mail.strengthcouragewisdom.rocks.fullchain.pem"
 pki mail.strengthcouragewisdom.rocks key "/etc/ssl/private/mail.strengthcouragewisdom.rocks.key"

 pki mail.capuchado.com   cert "/etc/ssl/mail.capuchado.com.fullchain.pem"
 pki mail.capuchado.com   key "/etc/ssl/private/mail.capuchado.com.key"

 filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', 
'.*\.dsl\..*' } \
 disconnect "550 no residential connections"

 filter check_rdns phase connect match !rdns \
 disconnect "550 no rDNS is so 80s"

 filter check_fcrdns phase connect match !fcrdns \
 disconnect "550 no FCrDNS is so 80s"

 filter senderscore \
 proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 
5000"

filter "dkimsignNSNN" proc-exec "filter-dkimsign -d mail.no-seas-necio.ninja -s 
20191006 -k /etc/mail/dkim/mail.no-seas-necio.ninja.dkim.key" user _dkimsign 
group _dkimsign

filter "dkimsignSCWR" proc-exec "filter-dkimsign -d 
mail.strengthcouragewisdom.rocks -s 10312019scwr -k 
/etc/mail/dkim/mail.strengthcouragewisdom.rocks.dkim.key" user _dkimsign group 
_dkimsign


 table aliases  file:/etc/mail/aliases
 table addrnamesfile:/etc/mail/addrnames


 action "maildir"  maildir alias 

 action "outbound" relay helo-src 

 listen on lo0


listen on socket filter { check_dyndns, check_rdns, check_fcrdns, senderscore, 
dkimsignNSNN, dkimsignSCWR }

 listen on 172.107.202.139 hostname "no-seas-necio.ninja" tls pki 
mail.no-seas-necio.ninja \
 filter { check_dyndns, check_rdns, check_fcrdns, senderscore, dkimsignNSNN }

 listen on 172.107.202.140 hostname "cowboyup.xyz" tls pki cowboyup.xyz \
 filter { check_dyndns, check_rdns, check_fcrdns, senderscore }
 listen on 172.107.202.141 hostname "strengthcouragewisdom.rocks" tls pki 
mail.strengthcouragewisdom.rocks \
 filter { check_dyndns, check_rdns, check_fcrdns, senderscore, dkimsignSCWR }

 listen on 172.107.202.142 hostname "capuchado.com"   tls pki 
mail.capuchado.com \
 filter { check_dyndns, check_rdns, check_fcrdns, senderscore }

 match from any   for domain "no-seas-necio.ninja" action "maildir"
 match from any   for domain "strengthcouragewisdom.rocks" action "maildir"
 match from any   for domain "capuchado.com"   action "maildir"
 match from any   for domain "cowboyup.xyz"action "maildir"

 match from local for any action "outbound"

table /etc/mail/addrnames (for problem server) is:

172.107.202.139 no-seas-necio.ninja
172.107.202.141 strengthcouragewisdom.rocks
172.107.202.142 capuchado.com


I can also send maillogs for here and there.
Also smtpd.conf for here too. Which I also have been fiddling with.
Obviously I need to get git on this to keep track of my changes
properly. My mistake.

Chris Bennett




resolving addresses in smtpd and T-mobile addresses I login on with SSH being used

2019-12-03 Thread Chris Bennett
I have been fixing some problems with emails between two of my servers.
At the time I had /etc/hosts file empty except for localhost.

While sending emails, I got several errors in maillog like these:

Dec  2 22:36:28 freedomforlife smtpd[78001]: cd3e9bc4ab696630 smtp connected address=172.58.46.253 host=
Dec  2 22:36:28 freedomforlife smtpd[78001]: cd3e9bc4ab696630 smtp failed-command command="" result="550 no rDNS is so 80s"
Dec  2 22:36:28 freedomforlife smtpd[78001]: cd3e9bc4ab696630 smtp disconnected reason=quit

172.58.46.253 is an IP for T-mobile. Which I use the WiFi hotspot to use SSH
from.
This was a previous IP I had used before, not on the session in progress.
I found several other T-Mobile addresses being used in maillog that were not
current sessions.

I don't know what to make of this. I rebooted both servers after emptying
/etc/hosts.

resolv.conf has:

lookup file bind
nameserver 8.8.8.8
nameserver 8.8.4.4

on this server.

What is going on here? How could this possibly be happening?

Chris Bennett
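
Added example, not part of the original posts: a Python sketch that groups smtpd maillog lines like the ones above by session id and lists which client address each connect-phase filter rejected. The rejection texts are the ones in the smtpd.conf posted in this thread; the function names are assumptions of this example, and every sample line after the first three is constructed.

```python
"""Group OpenBSD smtpd maillog lines by session id and list filter rejections."""
import re
from collections import Counter

# Rejection texts copied from the filters in the smtpd.conf posted in this thread.
FILTER_BY_RESULT = {
    "550 no residential connections": "check_dyndns",
    "550 no rDNS is so 80s": "check_rdns",
    "550 no FCrDNS is so 80s": "check_fcrdns",
}

# "<date> <host> smtpd[pid]: <16-hex session id> smtp <event> key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssmtpd\[\d+\]:\s"
    r"(?P<sid>[0-9a-f]{16})\ssmtp\s(?P<event>[\w-]+)\s?(?P<rest>.*)$"
)
# key=value or key="quoted value"; an empty value (host=) is allowed.
KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')

# First three lines are from the post; the rest are constructed for this example.
SAMPLE_LOG = '''\
Dec  2 22:36:28 freedomforlife smtpd[78001]: cd3e9bc4ab696630 smtp connected address=172.58.46.253 host=
Dec  2 22:36:28 freedomforlife smtpd[78001]: cd3e9bc4ab696630 smtp failed-command command="" result="550 no rDNS is so 80s"
Dec  2 22:36:28 freedomforlife smtpd[78001]: cd3e9bc4ab696630 smtp disconnected reason=quit
Dec  2 22:40:02 freedomforlife smtpd[78001]: a1b2c3d4e5f60718 smtp connected address=192.0.2.10 host=mail.example.org
Dec  2 22:40:03 freedomforlife smtpd[78001]: a1b2c3d4e5f60718 smtp disconnected reason=quit
Dec  2 22:41:10 freedomforlife smtpd[78001]: 0f1e2d3c4b5a6978 smtp connected address=198.51.100.7 host=host7.dyn.example.net
Dec  2 22:41:10 freedomforlife smtpd[78001]: 0f1e2d3c4b5a6978 smtp failed-command command="" result="550 no residential connections"
Dec  2 22:41:10 freedomforlife smtpd[78001]: 0f1e2d3c4b5a6978 smtp disconnected reason=quit
Dec  2 22:45:00 freedomforlife smtpd[78001]: 1122334455667788 smtp failed-command command="" result="550 no FCrDNS is so 80s"
Dec  2 22:46:00 freedomforlife sshd[4242]: constructed non-smtpd line, ignored
'''


def parse_line(line):
    """Return (timestamp, session id, event, fields) or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(m.group("rest"))}
    return m.group("ts"), m.group("sid"), m.group("event"), fields


def rejected_sessions(lines):
    """List sessions that one of the connect-phase filters disconnected."""
    peers = {}        # session id -> client address / rDNS name seen at connect
    rejections = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sid, event, fields = parsed
        if event == "connected":
            host = fields.get("host") or None
            if host == "<unknown>":       # smtpd's marker for a failed lookup
                host = None
            peers[sid] = {"address": fields.get("address"), "host": host}
        elif event == "failed-command":
            result = fields.get("result", "")
            if result in FILTER_BY_RESULT:
                # The connect line may be missing (e.g. it was rotated away).
                peer = peers.get(sid, {"address": None, "host": None})
                rejections.append({"time": ts, "session": sid,
                                   "filter": FILTER_BY_RESULT[result],
                                   "result": result, **peer})
        elif event == "disconnected":
            peers.pop(sid, None)
    return rejections


def rejections_by_address(rejections):
    """Count rejections per client address to spot repeat sources."""
    return Counter(r["address"] for r in rejections)


if __name__ == "__main__":
    found = rejected_sessions(SAMPLE_LOG.splitlines())
    for r in found:
        print(f'{r["time"]} {r["session"]} {r["filter"]:<12} '
              f'client={r["address"]} rdns={r["host"]}')
    print(dict(rejections_by_address(found)))
```

The `address=` field is the peer of the SMTP connection itself, so the report shows who connected to the listener, not what the server looked up.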




Re: vi in ramdisk?

2019-11-15 Thread Chris Bennett
On Fri, Nov 15, 2019 at 06:02:16PM +, Roderick wrote:
> 
> On Fri, 15 Nov 2019, Theo de Raadt wrote:
> 
> > Christian Weisgerber  wrote:
> 
> > > How large is a C implementation of TECO?
> > 
> > he probably means cat plus the shell's redirection capability.
> 
> I think, TECO is much more powerful than ed and vi.
> 
> But perhaps DEC 10s SOS?
> 
> I do not know if it runs in unix or if there is a C implementation.
> But I remember it as much simpler than ed, but more comfortable,
> and for manually editing enough.
> 
> Is there really nothing in unix simpler than ed?
> 
> Well, the advantage of ed is, that it is the standard unix editor.
> 
> Rod.
> 

Yes, but ed also allows one to easily work with only 1-3 lines of
screen. Screen size can matter. I have always fallen back to using ed
when running single user. If I'm running off of my phone in landscape,
one line is all I can see. With ed, that is enough. With vi plus making
a mistake, it's harder to see. Vi is more powerful than ed, but I'm used
to using vim, so I keep hitting keys that don't work in vi (which is my
problem, not vi's).
I have never used teco or sos.

I'm neutral overall on this, but the number of screen lines used does
matter to me.

Forgive me if the date is wrong, I can't find the cause. Going to do a
new snapshot right now.

Chris Bennett




Re: Tools for writers

2019-11-05 Thread Chris Bennett
On Tue, Nov 05, 2019 at 07:56:03PM +0100, Marc Chantreux wrote:
> 
> there is no problem with other formats but can't you admit that for many
> people, something like
> 
> * denis
> * brian
> * doug
> 
> is easier to write, read and edit than << ?
> 
> 
> denis
> brian
> doug
> 
> 
> also:
> 
> * transpiling is always a good thing to catch and avoid errors. for
>   example: did you realize that the "brian" item is broken? this will
>   not happen using a markdown as source
> * the "proper" way to serialize an html/xml that is not intended to be
>   edited isn't the way i write above but this below instead. and frankly
>   i don't want to edit those kind of stuff
> 
> denisbriandoug
> 
> > The fact that pandoc appears to not support the most important
> > documentation language, mdoc(7), at all, neither for input nor for
> > output, already makes me raise an eyebrow or two

Vim has many useful HTML plugins (or write your own)
The above list requires two keystrokes and a number of list items wanted
in one plugin I have barely started to use.

A print CSS file can do a tremendous amount of formatting useful for
printed documents.

* brian
Has no formatting. Once again, we are talking ed(1). Followed by a
formatter. I use vim on my laptop and ed(1) on my phone. It works.
I detest Libreoffice. I have never yet gotten it to do anything I
needed. 

But to each their own. Overall, this thread has been very enlightening
for me. I do need to learn some other methods. TeX and LaTeX keep coming
up everywhere I look.

Have fun,
Chris Bennett




Re: Following current - pkg_add update forward depedencies don't match question

2019-11-03 Thread Chris Bennett
I also found twice that removed (from ports permanently) packages I had
installed would throw things into a loop that once caused me to run out
of memory or things just kept looping.

^C followed by pkg_delete -i "the offending package" then resuming
pkg_add -u made things much easier.

Overall the pkg_ tools have been great and always improving.
Thank you for the hard work!
Overall, following -current locally and remotely has become so
incredibly easy now that I am running -current everywhere and really
happy! (and resuming work on porting because of it)

Thanks again!
Chris Bennett




Re: Tools for writers

2019-11-02 Thread Chris Bennett
On Sat, Nov 02, 2019 at 03:16:22PM -0400, STeve Andre' wrote:
> 
> 
> On 2019-11-02 15:07, Antoine Jacoutot wrote:
> > You obviously never wrote a book.
> > At least not with the requirements OP asked for.
> 
> Actually, I am, right now.  I've found that "formatting" is an
> annoyance, when writing material.  Get it written, *then* worry
> about how it looks.  I've done this for more than 40 years when
> creating documents, reports and such for work.
> 
> --STeve Andre'
> 
> 

Actually the OP said that not necessarily the same application.
I have to agree that writing the content and doing the formatting are
two separate processes. I write in a furious stream of consciousness.
Looking at the formatting, etc. just impedes my work.
Spout out the thoughts. Then review content. Then work on formatting and
editing content.

/bin/ed

Then do the delicate work of editing and formatting after the creative
stream ends. Or creativity may be lost. Forever. Over seeing some
misspelled word or wrong punctuation.

Two or three different tools. Since there are really about three
processes being done that are quite different. For me, multitasking
sucks.

But, please, what is good for formatting? I don't have an answer for
that myself. I am considering writing as a new direction for myself.
Getting old sucks.

Chris Bennett




Re: Following current - pkg_add update forward depedencies don't match question

2019-11-02 Thread Chris Bennett
On Sat, Nov 02, 2019 at 09:24:05AM -, Stuart Henderson wrote:
> On 2019-11-01, Chris Bennett  wrote:
> > NO. You need to use pkg_add -u -Dsnap.
> 
> Normally when pkg_add doesn't have a full path to the package directory
> (e.g. PKG_PATH=http://mirror/pub/OpenBSD/6.6/packages/amd64/)
> it constructs it from a hostname in PKG_PATH or a partial path in
> /etc/installurl. To do that it has to add e.g. 6.6/packages/amd64
> to the partial path.
> 
> It decides whether to use 6.6/ (or other version number) or snapshots/
> based on whether the current version is a snapshot or not (from the
> "sysctl kern.version" output).
> 
> All that -Dsnap does is say "use snapshots/ even if this looks like
> it's a release (no suffix after "6.6"). You only ever need it if you're
> a) running snapshots and b) are in the brief period in the run-up to
> release where the version number has no suffix.
> 
> > Occasionally you might need to use sysupgrade -s. That happened to me
> > from one -current to another.
> 
> sysupgrade -s is sysupgrade's equivalent to pkg_add -Dsnap. So again you
> would only ever need it directly in the run-up to release.
> 
> 

This happened to me with a snapshot from before -release and getting a
snapshot right after -release. Perhaps this should be mentioned in man
sysupgrade(8)? The error message ftp something was not intuitive.
sysupgrade -s is logical and reasonable, but wasn't at all obvious from
the error message. I have had the same error message when a connection
was a problem.
In any case, I was able to fix the problem.

Thanks,
Chris Bennett




Re: Following current - pkg_add update forward depedencies don't match question

2019-11-01 Thread Chris Bennett
On Thu, Oct 31, 2019 at 07:09:49PM -0500, Theodore Wynnychenko wrote:
> Hello 
> 
> I just updated a system to current the other day. 
> 
> OpenBSD 6.6 GENERIC.MP#411 amd64 
> When I check: 
> # pkg_info  | grep gettext 
> gettext-0.19.8.1p3  GNU gettext runtime libraries and programs 
> 
> And the mirror shows: 
> gettext-runtime-0.20.1p0.tgz 
> 
> Or (another example), with similar notices about forward dependencies not
> matching: 
> # pkg_info  | grep php-7 
> php-7.1.27  server-side HTML-embedded scripting language 
> 
> And the mirror shows: 
> php-7.1.32.tgz 
> 
> I see that I can "force" the update with "pkg_add -u -D updatedepends". 
> 

NO. You need to use pkg_add -u -Dsnap.
Or, the packages really don't match yet. Then wait a little. -Dsnap is a
must. Some snapshots are also "defective" as in trying some new stuff
that will get changed more later. Upgrade again.

Occasionally you might need to use sysupgrade -s. That happened to me
from one -current to another.

If you genuinely need stability, then run -stable.

-current makes changes to the C libraries and headers and then
recompiles the packages. The packages are the same but C, etc. has
changed. Thus the packages have changed on that level. Thus they keep
the same Makefiles, but the resulting package binaries are different.

Chris Bennett


> It seems like this should be safe to do, but it's not something I have done
> before. 
> 
> While my system isn't "production" for a large multi-national, I do use it
> as a file server and stuff, and it is working right now, and I don't want to
> make it not work.
> 
> So, before I did this, I was wondering if there was anything I should
> consider/do to address this issue, other than just "forcing" the update?
> 
> I guess, when at its core, I don't really completely understand what the
> notice means, and how and why it happened. 
> 
> Thanks 
> Ted 
> 
> 
> 



Re: How can I contribute code to openbsd

2019-10-30 Thread Chris Bennett
On Wed, Oct 30, 2019 at 12:28:35PM -0400, Jeff wrote:
> P.S. Are there any urgent areas where the OpenBSD operating system
> project is short-handed?
> 

Yes! Just look under /usr/src, /usr/xenocara and /usr/ports
Can't go wrong with that plan. :-)

Chris Bennett




Re: When will be created a great desktop experience for OpenBSD?

2019-10-28 Thread Chris Bennett
On Mon, Oct 28, 2019 at 04:17:00PM +0100, Marc Espie wrote:
> 
> You got to figure out the missing features, and rewrite them "from scratch".
> 
> You can't actually borrow the code, because the licence makes it impossible.
> 
> Either that, or you convince the xorg project to go back on their choice
> to change the licence, which is going to be more or less impossible.

Yes, it is old!

Would finding work say on web archive from the time of writing the
current code and earlier from the FVWM group be something useable?

Just nothing dated later than that?

Chris Bennett




Re: When will be created a great desktop experience for OpenBSD?

2019-10-28 Thread Chris Bennett
On Mon, Oct 28, 2019 at 09:38:20AM +0100, Marc Espie wrote:
> On Fri, Oct 25, 2019 at 05:35:27PM +, flauenroth wrote:
> > Apparently not just theo is using fvwm after all. :) 
> 
> Considering all the people using it, it would be great if someone were to
> look at the enhancements of fvwm2 (wrong license, so not base) and backport
> some of these to our elderly fvwm.
> 
> Specifically, fvwm in base does NOT deal well with multi-screen setups, among
> other things.  It's missing all kinds of extensions that the X server provides
> these days.
> 
> Very much less than perfect experience.
> 
> I have fvwm2 from ports on every machine that runs OpenBSD. No choice about
> that.
> 
> (and I stick with fvwm* because the configuration options for mixing keyboard
> keys with mouse behavior do NOT exist anywhere else)
> 

MASTER_SITES=   ftp://ftp.fvwm.org/pub/fvwm/version-2/ isn't valid now.

Now on github:

https://github.com/fvwmorg/fvwm/releases

How is backporting done correctly in a case like this?
I assume in order to add it to base?
Or is that not possible?

Seems like a good question maybe for other base software too.
Is there already a thread talking about this?

Thanks,
Chris Bennett




Re: A promotional idea (related to quantum computing / hacking)

2019-10-26 Thread Chris Bennett
On Sat, Oct 26, 2019 at 12:29:41PM +0200, Peter J. Philipp wrote:
> 
> On 2019-10-26 12:03, Frank Beuth wrote:
> > On Sat, Oct 26, 2019 at 02:53:42PM +0800, Jyri Hovila [Turvamies.fi]
> > wrote:
> > > Maybe OpenBSD could profile itself as *the* OS with all crypto
> > > related stuff is handled using post-quantum cryptography?
> > 
> > I don't think OpenBSD wants to "profile itself" as anything.
> > 
> > Are post-quantum algorithms well reviewed and stable enough to be worth
> > using as defaults for OpenBSD full disk encryption, OpenSSH,
> > LibreSSL...?
> > 
> > Do you or anyone else have the expertise to implement them?
> 
> 
> In no way I'm an authority on the subject.  I have been interested by this
> though and have bought two books on post-quantum cryptography (one is not
> delivered yet, it will be published in November).  The one book written by
> DJB has a table on page 16 which I'd like to share:
> 
> RSA->broken, Diffie-Hellman->broken, Elliptic curve->broken,
> Buchmann-Williams->broken, Algebraic Homomorphic->broken by quantum systems
> 
> This leaves McEliece public key, NTRU public key and Lattice based public
> keys as unbroken by quantum systems.
> 
> All in theory as this book was written in 2010.  I'm opening my eyes though
> to the quantum threat.
> 
> The unbroken systems may have behaviour much different from RSA (as an
> example) and the OpenSSH code would perhaps need huge refactoring in
> protocol exchange than before.
> 
> Maybe someone should be sponsored to do the grunt work with some of the
> donation money that OpenBSD is showered with, or maybe someone will do it
> for free.  Good luck to all the programmers involved!  One day it will have
> to be done, let's hope before the break-ins to important hosts.
> 

I see a whole lot of assumptions here.

First, mathematicians have recently solved with "ordinary" computers one
of the "only a quantum computer" can solve proposed computations.
Perhaps they will keep solving such problems as more mathematical
theories develop. The ideas behind quantum computing itself may serve as
inspirations.

Second, that we will actually be able to get an actual functioning
quantum computer that works. So far the need to deal with errors is a
major obstacle. Even this may prove to be an unsolvable downfall. We
keep discovering new physics. Maybe this is a dead end idea?
Too much vinegar and not enough honey to catch the flies?

Third, that such a computer proves far too expensive to actually build at
a usable level. A 300 trillion dollar unit. Who would fork over that
much?

Fourth, that perhaps we may find ways to vastly empower regular
computers far beyond today's level. A quantum computer itself may become
seen as a waste of time and never leave the laboratories.


Science, math, physics, etc. are an always moving target.
I have a hunch that things are not going to end up where we are guessing
they will. We have "phasers", we don't have transporters. We do have the
Internet. Nobody saw that one coming except as a vague sorta weak idea.

For now, no hardware = no software = no developers.

Tomorrow, who knows? Could be pretty cool.
Today, genuine work needs to get done. Please help.

Best regards,
Chris Bennett




Re: When will be created a great desktop experience for OpenBSD?

2019-10-25 Thread Chris Bennett
On Fri, Oct 25, 2019 at 05:35:27PM +, flauenroth wrote:
> Apparently not just theo is using fvwm after all. :) 
> 

I have been using it about half the time now.
But that was only after copying a config posted here and then modifying
it.
I have had a really hard time getting accurate information about config
options. Many of the options from FVWM site/lists just don't work.
However, it's mostly reliable, except that I do have to restart it
occasionally.

I will ask if the default config could perhaps be slightly changed?
I find the font size just too small for my eyesight now.
No big changes, though. We do have to learn.

> I heard from many people that fvwm is clunky, old and should not be used. But 
> I personally like fvwm a lot. It's like using ed or vi over MS or Libre 
> Office. I like to have "simple" software in the means of the software or more 
> precise its authors don't anticipate what I want to do.  
> 

As far as ed(1) goes, I'm thrilled to say that I am now using it on my
phone to edit files. The keyboard takes up a ton of space and with ed I
can crank up the font size and work really nice!

> ___
> Always exit with 42 to return the answer.

42 bytes makes up some badass quotes or script! :D

Chris Bennett




Re: auto_upgrade.conf et al man pages or documentation?

2019-10-17 Thread Chris Bennett
On Fri, Oct 18, 2019 at 10:56:07AM +1300, Shane Lazarus wrote:
> 
> So, I just ran sysupgrade with no options to see what would happen.
> 
> Unsurprisingly, it proceeded to install ALL of the sets, without bothering
> to prompt me, or apparently taking note of what was previously selected
> during the initial install of 6.5.
> 
> This is an undesirable trait, with neither apparent documentation or what I
> would consider to be sane defaults.
> 
> If someone would be so kind as to point me in the right direction for how
> to prevent sysupgrade from being unsane, it would be much appreciated.
> 

I can't comment on the documentation issues of those files.

But sysupgrade is meant for a quick and easy upgrade. No hand holding.
No special treatment.

If you need an upgrade that is not like the way sysupgrade does it,
then you will need to simply do the steps yourself manually. Just as
all of us have been doing for years. All of those steps are extensively
documented both in the man pages and the mailing lists.

It is a tool to do one specific set of tasks.
rm -r and rmdir can both remove a directory. But they are not the same
tool.

This topic has already been extensively and frustratingly dealt with on
the list. Please don't ask for changes to sysupgrade.

The questions about the documentation are relevant however.

Chris Bennett




Re: What is you motivational to use OpenBSD

2019-08-29 Thread Chris Bennett
I decided to move away from Windows and I needed to setup a web and
email server. Trying many different versions of Linux left me
unsatisfied. Then I accidentally ran into OpenBSD website.
That was exactly what I wanted.
As a totally inexperienced guy, I found a server company that could
pre-install it. I never looked back and learned almost everything
remotely. I dual booted at home for a while and I use OpenBSD only for
a long time now.

I have found two interesting things about the mailing lists.
1. Here is what you need to know, how else can I help.
2. RTFM and read the source code yourself.

I found read the source code a little frustrating at first.
But I have realized that the OpenBSD community is NOT about holding your
hand. There is an expectation that you need to put out the effort
necessary to at least try to figure it out yourself. If that means
learning some C or Perl or other languages, then you will have to do
that.
I now heartily agree with this. Why should a developer waste time when
there are truly more important things that constantly change as the
world moves forward. I have never been concerned about missing a few
months without checking up on a server. Problems are very very rare!
And fixed really really fast!

Thanks for giving me a fantastic system and the chance to laugh at the
other OS's that think security and bug fixing is an optional concern!

Chris Bennett




Re: Ergonomic USB wired mouse

2019-08-19 Thread Chris Bennett
I am using the Logitech wireless with the trackball on the LEFT side.
I would really like to use a second mouse at the same time for my left
hand with a trackball on the RIGHT side. I don't like center ball mice.
Anyone know of one of these? I like using a mouse for each hand.

Chris Bennett




Re: question about man starttls and linking to cert.pem

2019-08-11 Thread Chris Bennett
Thanks, that had me confused when I read it, so I just ignored it.
Glad to know I did, as in didn't, do what it suggested except once.

Chris Bennett




Re: Correct pexp variable for a shell script

2019-06-25 Thread Chris Bennett
On Sat, Jun 22, 2019 at 02:14:12PM -0400, Jacob Adams wrote:
> 
> rukey# ps | grep authmail
> 17035 p0  Ip  0:00.01 /bin/sh /usr/local/bin/authmail
> 25162 p0  R+p 0:00.01 grep authmail
> rukey#
> 
ps | grep authmail | grep -v grep  ??

Chris Bennett




Re: What are the operating systems that ship without blobs?

2019-04-13 Thread Chris Bennett
On Sat, Apr 13, 2019 at 01:55:21AM -0300, Quantum Robin wrote:
> Are there operating
> systems that ship without blobs?
> 
> If yes, what are the operating
> systems that ship without blobs?

OpenBSD does not ship with blobs. Ever.
That was a major theme a number of years ago.

Firmware is not considered a blob since this is strictly hardware
related code. No firmware, device won't work.

Nvidia is an excellent example of a company 100% hostile to Open Source
code. They refuse to release anything needed to even allow someone to
write the necessary firmware/software.

So, anything that fully supports Nvidia is running proprietary secret
blobs. Yuck. These blobs may be harmless, but who knows?

So if you are shopping for an OS, you can put a checkmark for OpenBSD in
the no blobs list.

Beyond that, the list may or may not want to discuss other OS's.
Probably not.

Since this topic has come up and it's personally useful to me to reply
elsewhere about security elsewhere right now, could someone reply to
both of us off-list about this topic?

Otherwise, we are getting into other OS junk that IMHO is not
appropriate here.

Chris Bennett




Support for Nvidia chipsets, never running X

2019-03-07 Thread Chris Bennett
I've avoided anything with Nvidia like the plague.
But it just occurred to me to ask, ignoring X completely and never
running it, are the rest of the Nvidia parts supported or is Nvidia
anything a total no-go?

Thanks,
Chris Bennett




Re: tar: Access/modification time set failed on: .: Operation not permitted

2019-03-06 Thread Chris Bennett
On Tue, Mar 05, 2019 at 01:02:08PM +0200, Mihai Popescu wrote:
> Hello,
> 
> I am trying to decompress xenocara.tar.gz into /usr/xenocara.
> I did all pre setup explained in FAQ, but I get this error from tar
> and I can see files inside /usr/xenocara.  tar: access/modification
> time set failed on: .: Operation not permitted
> 
> Is it safe to ignore this?
> Is there a reason v parameter is not used in tar xzf sequence for a
> visual feedback?
> 

tar has lots of problems, most of which don't matter.
You cannot tar really long path->filenames that some webpages produce.
These are OK for the filesystem, but not tar (should that be fixed?)
I just don't like to use it for duplication of disks unless I'm sure it
will work, because of that problem. Finding out that barely managing to
tar up a failing disk, only to lose important files taught me that one!

Does gtar have that problem too?

I get that error frequently, sometimes because I use -p, or not.
I've yet to see it as anything more than an annoyance with having
current time used. When that matters I just rm the files and use -p.

Enough of me rambling on.
Chris Bennett




Re: setup authoritative DNS for myself with nsd + unbound

2019-01-19 Thread Chris Bennett
On Sat, Jan 19, 2019 at 01:43:44PM +, Craig Skinner wrote:
> Congratulations Chris on starting to learn the trade of a hostmaster.
> 
> Being a hostmaster is a specialist skill, like being a webmaster, or
> sysadmin, or postmaster - each is a vastly different skill set.
> 

I'm happy to be taking this step. Thanks for the book recommendations!
I'm also liking the aspect of not having to worry about whether when
there is a problem if it's my fault or their fault. It then will clearly
be my fault if things aren't right and I can discover what I'm doing
wrong and not second guessing who is to blame.
I'm also concerned that Godaddy may very well be at fault in order to
push people to host with them instead of on their own. $$ speak volumes!
They also charge hefty fees if you want to change registrars.

I already bought ebooks on SSH Mastery, Httpd and relayd, and DNSSEC by
M. Lucas. Bad side is that I prefer real books. Somehow I get delayed
reading ebooks vs. real books.

I definitely have a lot to learn! At this point it seems best for me to
cut out the possibility of someone else being the problem. Then I know
exactly who to blame: me

I will not just jump off the bridge without learning a lot more first.
That would be stupid on my part!

Chris Bennett


> On Fri, 18 Jan 2019 10:38:12 -0800 Chris Bennett wrote:
> > I have had problems with setting up DNS for myself and I need it to be
> > authoritative.
> 
> Configure NSD.
> 
> 
> > I have my domains registered with Godaddy and they do not support for
> > domains not hosted on their servers.
> 
> Move the domains to a different registrar.
> 
> 
> > I have been using their DNS without big problems, except that I'm
> > not getting proper results with regards to email.
> 
> Eh
> 
> 
> > I've got a pretty bad problem with spam.
> 
> 
> Eh? DNS is not SMTP. For postmaster problems, learn spamd, etc.
> 
> 
> > I now have 2 servers, each with a different company.
> > 
> > Will that then solve the problems with PTR, DKIM and DMARC?
> 
> Have you taken the time to learn about these records, then create them?
> 
> 
> > I also particularly hate the web GUI that Godaddy uses
> 
> Move the domains to a different registrar.
> 
> 
> > and its SOA record is much too long timewise.
> 
> A hostmaster creates the SOA record however he likes.
> 
> 
> > Should I set it up with just one of my servers or both?
> 
> Create the zone files on your master NSD server,
> and have your slave NSD server(s) AXFR the zones over.
> 
> 
> > One is in Los Angeles and the other is in Miami.
> 
> Cool.
> 
> 
> > Do I need to use a different one to cover the other server or can I
> > just use the same one to cover the email stuff like DKIM and DMARC?
> 
> 
> Eh Dask sa9ik 2pw0xsl ald0damdn doa. OK? Ace!
> 
> 
> > 
> > Since I'm having problems from the ground up, this seems like a good
> > idea to start at.
> > 
> 
> Reading at least 1 book about DNS and learning seems way better to me.
> 
> 
> 
> For a beginner hostmaster, the book "DNS and BIND" by Nicolai Langfeldt
> is a good place to start the subject.
> 
> On from there, "DNS and BIND" by Cricket Liu & Paul Albitz is a good
> next read.
> 
> Zytrax publish their DNS book online: http://www.Zytrax.Com/books/dns/
> 
> 
> As you'll be using NSD, translate the ideas into NSD's configuration
> style. You need to step back from implementation details and learn why
> before how. Learn the difference between masters and slaves and their
> transfers, A records and CNAMES, and why a hostmaster would use each
> for various circumstances - before getting into DKIM & DMARC.
> 
> 
> Cheers!
> -- 
> Craig Skinner | http://linkd.in/yGqkv7
> 



setup authoritative DNS for myself with nsd + unbound

2019-01-18 Thread Chris Bennett
I have had problems with setting up DNS for myself and I need it to be
authoritative.
I have my domains registered with Godaddy and they do not support for
domains not hosted on their servers. I have been using their DNS without
big problems, except that I'm not getting proper results with regards to
email. I've got a pretty bad problem with spam. I now have two servers,
each with a different company.

Will that then solve the problems with PTR, DKIM and DMARC?
I also particularly hate the web GUI that Godaddy uses and its SOA
record is much too long timewise.

Should I set it up with just one of my servers or both?
One is in Los Angeles and the other is in Miami.
Do I need to use a different one to cover the other server or can I just
use the same one to cover the email stuff like DKIM and DMARC?

Since I'm having problems from the ground up, this seems like a good
idea to start at.

I'm also seeing conflicting advice on whether I should use multiple A
records for subdomains, like www. smtp. etc. or CNAME.
Plus it's not clear to me whether to use records like _smtp.tcp or not
bother with those.

I have spent a lot of time reading pages on all of these subjects but I
have yet to find a complete example of all DNS records for a site.
Would anyone care to share one with me?

Thanks,
Chris Bennett




Re: browser security in OpenBSD

2019-01-05 Thread Chris Bennett
On Sat, Jan 05, 2019 at 03:38:16PM +0200, Mihai Popescu wrote:
> Hello,
> 
> I see there is some work in Chromium to implement secure browsing. I
> was using both Chromium and Firefox over the past years. If I got it
> right, here is a summary of implementations:
> Chromium: W^X, pledge, unveil
> Firefox: W^X
> 

I'm going to throw in the question of how is upstream itself a question
of security.
These are very big moving targets.
Are they proceeding cautiously forward or hell burnt for leather at any
cost?
I guess a good metaphor would be OpenBSD constantly breaking httpd and
pf in order to make them more secure. And releasing broken versions.
Is upstream doing this sort of thing as they develop?

I also agree, no browser war. I have to use both. Each one fails at
something important I do.

Chris Bennett




Re: Request for testing

2019-01-04 Thread Chris Bennett
On Fri, Jan 04, 2019 at 02:23:19PM +0100, Otto Moerbeek wrote:
> I'm looking for tests that cover a variety of use-cases. So use
> whatever multi-threaded applications you would normally use. Play with
> the options mentioned in the test request and report your findings.
> 
>   -Otto
> 

Sorry I didn't get back to you. Some things came up ... and out.
Ate the wrong thing at a party.

I will update -current and try to get something out. Pun intended.

Could you actually name some applications that are right for what you
need? Or explain how to get that out of ports?

Thanks,
Chris Bennett




Re: patch: ps(1) broaden 'TT' field by 2 chars

2018-12-26 Thread Chris Bennett
On Wed, Dec 26, 2018 at 08:30:42PM -0700, Theo de Raadt wrote:
> I am sick of getting emails like this from the community.
> 
> When I get them, I'm going to forward them to public lists.
> 
> >From: 
> >
> >Leo here. zeur's asleep and I am honestly sick of your attitude.
> >
> >Why don't YOU give up maintaining shit if you're going to be an arrogant dick.
> >
> >Your community reminds me of many that I encountered myself, with "open" or "semi-open"
> >projects. What you're displaying is the opposite of openness, asshole!
> >
> >>3 character tty names isn't going to be committed. You may as well give it up.
> >>

I'm afraid that you are being extremely discourteous, to put it kindly.
Do you have any idea how many scripts have been written to expect that
this output will not change?
Did you consider how many log scripts I decided to just throw away when
I changed from Apache 1 to Apache 2? Too much work to fix. Too much work
just to get by, much less rewrite scripts!

Pay attention. Look at undeadly.org. A big change backed out.
Your diff may be the greatest change in the history of mankind. But that
doesn't guarantee it will be accepted. In other words, don't take it
personally. You did. Get over it. And keep working and submit more and
different diffs. Diffs are ALWAYS welcome. They aren't always
feasible.

Chris Bennett




Re: Automated remote install

2018-12-21 Thread Chris Bennett
On Fri, Dec 21, 2018 at 04:39:07PM +0545, Frank Beuth wrote:
> 
> (No, switching to Vultr/Linode/etc is not an option)
> 

NO Vultr is definitely NOT an option.

From a thread I started in m...@opensmtpd.org

Vultr has started offering baremetal servers. I made the big mistake
of using one.
They are only buying completely burned class C blocks of spam
blacklisted IP addresses. Their staff is not competent and whoever is
trying to save a few pennies by buying burned IP blocks is a sure sign
of problems ahead.

You could get good service as a cloud provider, but with middle
management this idiotic, you will see problems later.

Using Vultr has cost me two domains that are now blacklisted even after
dropping Vultr. They lie and say that they will try to unblacklist the
IP address that is in an un-blacklistable list.

I rate them negative 5 stars and get a lawyer.

Pissed,
Chris Bennett




Re: radeon driver bug?

2018-12-06 Thread Chris Bennett
On Thu, Dec 06, 2018 at 01:26:12PM +0900, 岡本健二 wrote:
> in-current means stable 6.4?
> 

No. Look in the FAQ. Look at the running -current page.
Look at what release -> stable is.

Run -current only if you need something new, are developing base/ports
or wish to help test the software/hardware being developed.
It is not always stable. It could have new security problems temporarily
before those changes are fixed or pulled out.

However, OpenBSD runs ports and base code as a unit. You cannot run
current without making your current up to date and using the latest
version of ports/packages. Unless you find a nice spot and just stay
there.

OpenBSD is not a jumbled mess of code all over the place. It's one of
many reasons that it has fewer bugs -> better security. Also, security
specific methods are always under active development.

Please read the entire FAQ and PF Guide. Please read all of the man
pages for any commands you need to use or are interested in.

Please learn what you can do with boot -s or boot -c. You will at some
point need to use them. Search the mailing list archives for interesting
topics. Figure out how to handle the filesystem when it gets hosed
during a power failure. Figure out how to arrange your disklabel at
install to let you use growfs.

I also suggest that you learn to use ed. It's not hard to use, but it's
really, really old. It's still actively maintained because it's 100%
worth having.

The command line is so powerful once you learn to use it. We don't want
GUI interfaces for this stuff because we expect you to truly learn what
to do and why.

Have a good day,
Chris Bennett




[OT?] I have 4 IPs. How is outbound IP selected, say run lynx URL on server?

2018-11-30 Thread Chris Bennett
I'm just curious. Is there a default method to select on this? Random?
Can I control this somehow?
It's clear how everything else selects IP, but I just wanted to know in
case that ever mattered, say one of my IPs were blocked.
And I wanted to be sure which IP outbound is or is not used for running
something like lynx, etc.

Not terribly important, but at least interesting question for me.

Thanks,
Chris Bennett




Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Chris Bennett
On Thu, Nov 22, 2018 at 02:21:41PM -0800, Misc User wrote:
> I'd look for software that has bug bounties.  I'd also look at the CVEs for
> each product and compare with the patch history.  The delay between a flaw
> being reported versus patched is going to be a much better indicator than

Yes, that would be very true. Too slow could mean it's not being taken
seriously enough. Which could mean the same for known, but unreported
flaws. Good advice.

> rate of patches.  I'd also consider the seriousness of the flaw being
> patched as well, like if it is due to a widespread issue (EG, Meltdown,
> heartbleed, etc) or if it is due to some basic programming error (Apple's
> "enter a blank password for root enough times and you'll get root" or
> Microsoft's "patching Windows 10 will obliterate your install because of a
> typo in the patch code that is supposed to leave c:\users\ alone").
> 

Yes, Windows 10 got wiped out the first try after seeing three of their
6 month updates needing to try about 8 times eating up about days of
time I wanted to use.

> Also, look for something that could support external authentication,
> especially something industry standard like LDAP, so you can use the
> authentication database all your service can use while not relying on
> whoever wrote the individual bits of software to have written something that
> doesn't suck.

Yeah, good plan.
I've written a fair amount of software that worked, but sucked.

> Also look for something that will allow the admin pages to be
> hosted on a different url from the user accessible stuff.
> 
> If you are handling payment or financial information, outsource it to
> something like paypal or another well-known payment processor.  While they
> aren't very secure, they are insured, so if they fuck something up, you
> aren't holding the bag and are very unlikely to be blamed for it by your
> users.
> 

Yes, I have used PayPal for my business. Not very active now, but I
really liked not being directly in the middle. "You are now being
directed to PayPal, we do not ever have any of your credit card info."
was very nice to say.
Yes, they do fuck things up. Got me once when they just decided to
change the phone number formatting without announcing it.

> As for number of servers, more than one is going to be the better way. If
> something has a port accessible by any old rando, you shouldn't be storing
> anything secure on it.  Especially if the server also stores something the
> user can craft (EG, photos from the forum, arbitrary text, etc).
> 

Dealing with that has had me really concerned. People really want to
upload all kinds of stuff. That's a good idea.

> As for ISPs, just assume they are all total shit (Most of them are anyway)
> and treat them like you would an open wireless network.  Don't use their DNS
> and encrypt everything you can.  Use static IPs if you can.  Don't allow
> passwords for ssh on anything public facing.  Only allow admin pages to be
> accessible from a private network (So that you'd need to use an ssh tunnel
> to get to it remotely)

Alright. Thanks.
This is helpful. Someone suggested off-list that I make up a flow chart
to plan out each step that needs to be taken. I'm getting good advice
now to help me start that. It's tough to pull this off.
But then, when is easy ever any real fun! :-}

Chris Bennett




Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Chris Bennett
On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote:
> 
> all on one server?
> 
> And as someone who has run a number of mail servers for a number of
> companies ... don't.  Just don't.  Running your own mail server is a
> good way to accomplish nothing except wasting a lot of time and making
> people hate you.
> 

I got mad before thinking. Bad habit I need to break.
You are right.

We wouldn't want any of the "evil empires" for that.
That is a set policy already. So no Gmail, Yahoo, Microsoft, etc.
Can't control where the mail goes to however.

Outbound mail is going to be from forum topics, which I will change to
only reference the post, no content.
Requests for donations and about upcoming events.
Asking for immediate help when disasters or other events occur.
News topics.

How do I pick some company to do this?
I'll start looking up information now. Hadn't even occurred to me.
But exactly how does that work from our servers to theirs and back?

Thank you,
Chris Bennett




Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Chris Bennett
On Thu, Nov 22, 2018 at 09:55:35AM -0600, Boris Goldberg wrote:
> Hello Chris,
> 
>   There is something extremely weird going on around lately. People
> easily take offense where no offense was intended (and hard to find
> anyway). Nick was just telling you that (in his expert opinion) you
> shouldn't worry much about "Meltdown, Spectre, insecure motherboard chips",
> but concentrate on the real security instead. Unfortunately the real
> security takes years of learning and experience, and can't be "advised" in
> a couple of emails, but he provided a lot of valuable (and valid)
> information (which you were not ready to digest, I guess).
>   If you are allowing to run an arbitrary code on your server you are
> screwed with or without Spectre, otherwise there is nothing to spy on you
> on that server (even if it's technically possible).
>   If (any) government agency really want to access your server, you are
> writing to the wrong list, otherwise government installed spying chips (if
> any) won't really hurt you. On the other hand, crapware (like Superfish)
> might.
> 
> BTW, your boss doesn't need to be stupid to compromise your password (or
> keys), just a "normal" human. Security isn't grokkable by "normal" people.

I'm actually sorry, Nick.
I've got a personal situation that has me very touchy right now.
But that's another issue completely.

Since there is a forum, and one has to stay, I have a few questions.
I looked over a lot of forums, both for features and security.
I realized that I couldn't properly judge security.
If a forum has a lot of security patches, does that mean that problems
are being swiftly dealt with or that the forum has serious problems?
If a forum doesn't have reported security patches, does that mean that
it is good or just not maintained? I never thought about this before.

It seems to me that a login username should not be allowed to be the
displayed forum username. The real username is also used for purchases,
membership activities, etc.


I also think that passwords need to be enforced to be changed
occasionally. What sort of timing delay is okay with users?
Nobody really likes changing passwords, but since so many people use the
same one all over the place, it seems like a good idea since they would
then be forced to have a different one from the rest.


There is a need for pretty secure stuff, like the forum and membership,
purchases, etc.
But also very secure activities. Seems to me that 2 servers (or more)
would be best to accomplish this. Any disagreement or other suggestions?
The main website is probably the most important objective right now.
It's what the public sees. And if (which means when, not if) I make a
mistake, the world won't come tumbling down.

Thanks all,
Chris Bennett




Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Chris Bennett
On Thu, Nov 22, 2018 at 10:50:38AM +, Kevin Chadwick wrote:
> On 11/20/18 4:43 PM, Chris Bennett wrote:
> > AMD? I have read about problems with non-CPU chips being compromised.
> > Another architecture? I have never used anything other than Intel/AMD.
> 
> I can't comment on SUN etc. but AMD would be the way to go if you can.
> 
> Theo has said in a recent presentation something along the lines of that AMD are
> far more considerate and apply the security checks first whereas Intel do so at
> the end!!
> 
> Many modern UEFI (bios) have very limited configuration enabled, however the
> configs the OEM has access to enable are larger than ever. It would be better if
> the functionality that caused them were not there by default but you may find
> these chip attacks can be mitigated for your scenario, quite easily with the
> right Vendor/OEM board?? Incidentally the Intel usb debug access has been there
> for years but it was a physical motherboard access only scenario until recently.
> 
> I can't help with a good vendor unfortunately. I have no fairly new, off the
> shelf commercial HW to inspect the BIOS of.
> 

Thanks.

After digging into many pages source and I use NoScript, which has an
irritating side effect of actually hiding some of the JavaScript
present, I now see that they are using cloud hosting and some naughty
Google stuff. So I will get much more information about everything
probably next week since this is Thanksgiving weekend here.

So I will be having to select hardware to purchase.
I was assuming that AMD was the right choice, but I wanted to be sure.
I saw the presentation about Intel and AMD on the website. Intel's
behaviour was surprisingly terrible.

I'm not sure exactly what load of users I will have to deal with.
A ton of long-time members have been furious about the WordPress mess
that got put up. As in most forums, more people just read than post.

I'm not at all concerned about govt. snooping. Politics and groups have
gotten extraordinarily weird, odd and even violent in the US.
Their previous setup (before this current one) was hacked at least once.

I'm completely open to any suggestions. I just don't have a budget or a
for sure location to work from yet.
Things are bad enough that anything I do can only be helpful.
So that's pretty bad! :-{
I also want to hear any don't do this or work with this ISP, etc.

Thanks,
Chris Bennett




Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-20 Thread Chris Bennett
On Tue, Nov 20, 2018 at 08:31:14PM +, Kaya Saman wrote:
> I don't think the response was assumed as such. It just is that there are so
> many issues with corporate politics and higher ups thinking they know things
> that gives OpenSource software a bad rep! Even once people didn't understand
> what OpenSource was and asked me what I did while 'working at OpenSource'
> lol
> 
> 
> As to different H/W yes there are still some different systems around...
> like IBM PowerPC P-series based systems, Oracle SPARC, I think HP's own UX
> capable machines are dead now; though my info could be several years out of
> date as I haven't dealt with this type of system in a long time.
> 
> 
> Agreed that Cloud is a lot of corporate hype in many aspects as to lower
> expenditure.
> 
> 
> Will you be building just the mail server or the whole infrastructure??
> 

As of right now, I will have to take on everything, which is an
extremely daunting task. There have been three times in the past year
that staff and volunteers either left on their own or a few were found
to be more troublesome than helpful.
Things are a real mess right now, so my first task is just to get the
website, which right now is a disaster, working good enough to keep both
members and volunteers communicating and an inflow of donations coming
in.

WordPress was an awful decision made right before I joined.
But it's hard to select the right software. Having a forum is a must,
and due to both trolls and crazy people deliberately making destructive
types of posts, the forum has now been removed to members only to allow
for reasonable and private discussions.

The website is dead slow right now and that has to be fixed quickly.
I don't have all the details of exactly what is or isn't installed yet.
A board meeting is about to happen and then I should be able to check
out the mess.

I'm planning on moving to just delivering the content and who cares if
it's pretty or not. As long as it's much faster.

I just need some guidance along the way.
RTFM these 250 manual pages is the right way, except that actions need to
happen fast. This really is a case of do things sorta the wrong way and
fix it ASAP, or don't do anything and then the SHTF.

I want everything done in the end really well and secure, but no
donations, no volunteers and no new members or no renewing members
equals no organization. That's bad.

Thanks for your suggestions. I didn't think other architectures would be
suitable, but it was worth asking.

Chris Bennett




> 
> Virtually what you want to do is a good firewall protecting everything.
> OpenBSD excels at security so definitely recommended. As to mail server, I
> really think you need to research the different components first that make
> up the system.
> 
> Firstly for power reasons what type of usage do you estimate?
> 
> Will you be needing a separate external mail gateway?
> 
> Does your ISP offer Reverse DNS?
> 
> 
> After that the best thing to do would be to setup a small lab with a test
> machine and try different setups out. Like say using Sendmail, Postfix
> etc for SMTP. Many people here have different opinions and takes on this
> but really it is up to you to decide what you like best and also what you
> need it to do - you can only find that out by testing out different things.
> 
> Then how your users will connect... IMAP, POP, HTTP?? In today's day and age
> IMAP is the preferred protocol but there of course are others - please do
> not ever mention M$ Exchange as it should be obliterated!
> 
> 
> Once you understand the core components necessary then you will start to
> formulate specific questions of how/why is (x) needed etc... then answers
> can be more specific too but for now read a lot and test out different
> things to see which one fits you best :-)
> 
> 
> Regards,
> 
> 
> Kaya
> 
> 



Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-20 Thread Chris Bennett
On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote:
> On 11/20/18 11:43, Chris Bennett wrote:
> > I am almost certainly going to be replacing with a new server for an
> > organization I am a member of.
> > With all of this mess with Meltdown, Spectre, insecure motherboard
> > chips, etc.
> > I am pretty clueless on exactly what is going to be a secure set of
> > server hardware.
> > Intel, well no.
> > AMD? I have read about problems with non-CPU chips being compromised.
> > Another architecture? I have never used anything other than Intel/AMD.
> > 
> > The server will run httpd, mailserver, PostgreSQL and somehow a good way
> > for well encrypted messaging at times.
> 
> all on one server?
> 
> And as someone who has run a number of mail servers for a number of
> companies ... don't.  Just don't.  Running your own mail server is a
> good way to accomplish nothing except wasting a lot of time and making
> people hate you.
> 

The mail server is ONLY intended for members of the organization.
You would have me use gmail or yahoo?
The organization is suing another group for slander.

> > It is very likely to run out of Austin, Texas.
> > I think that having a direct connection would be best, but would a
> > proper setup make collocation OK?
> 
> You are using poorly defined buzzwords.  What you mean by a "direct
> connection", "proper setup", "collocation" and what I mean are likely
> very different.
> 

Well, then tell me some useful information. Correct my idiotic
buzzwords. There was carefully noted in my message that I am facing new
territory and need some advice.


> > This isn't going to be my server, I will just be in charge. That's
> > completely new for me.
> > Any advice is really welcome, everywhere I read anything, hardware seems
> > broken and insecure.
> 
> Pretty much all new HW is optimized in ways that we are now learning
> (and has been known for a long time) introduce security problems.
> However, most of the problems boil down to having malicious software
> running in the control of someone else on the same physical machine YOUR
> code is running on.
> 
> In short: No news.  Really.
> 
> If someone that wanted to do you evil lived in the same house as you,
> you would not be comfortable, right?  What if you put up walls
> (virtualization) that have proven to be about as robust as paper?
> That make you feel any better?  Probably not.  Virtualization has been
> proven -- over and over -- not terribly secure.  Now we got
> cross-virtualization platforms ways of stealing data from other
> processes.  Important? yes.  But in the big picture, it's similar to Yet
> Another buffer overflow.
> 

To be quite frank, and I don't mean anything negative to others using
virtualization, you couldn't pay me to even consider using something
that idiotic for trying to make a "secure" setup. And using the "clouds",
to me, is getting just a little bit too "high".

> So...split your tasks on different physical systems as much as possible.
>  If your webserver is serving static pages, it's probably pretty robust.
>  If it's running Wordpress or any other "any idiot can manage the web
> page" apps or dynamic web pages for other reasons, it should be a
> machine of its own and have no other important data on it.

Yes, using that idiotic Wordpress crap is exactly one of many problems I
am going to immediately fix. Whoever is in charge can't even make that
work!

> Your primary goal should be to keep the bad guys off your computer in
> every sense.  And again...nothing new here.
> 
> But if security is your concern, you want real hw you control in every
> sense.
> 

Which is exactly what my silly buzzwords were trying to get a point of
view on. I already assumed that having sole physical control was
essential. But questions not asked are never answered.

> Unfortunately, if you have performance requirements, your choices are
> AMD and Intel.  Older Intel and AMD chips aren't getting any support to
> deal with these problems, so your choices are incredibly old chips which
> are probably not in the most reliable hardware, and a whole bunch of
> other old, unreliable, and slow hardware platforms.  But be realistic.
> Your bosses will probably mandate a VM on someone else's hw, a wordpress
> website, one box for everything, and that you give him the root password
> which he'll e-mail to himself to keep it "secure".  Your most likely
> breach points will be an easily guessed password (usually, a manager's),
> a bug in a web content management system, or someone believing that
> "secure e-mail" is a thing.  In other words, Same Old Shit.  It p

With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-20 Thread Chris Bennett
I am almost certainly going to be replacing with a new server for an
organization I am a member of.
With all of this mess with Meltdown, Spectre, insecure motherboard
chips, etc.
I am pretty clueless on exactly what is going to be a secure set of
server hardware.
Intel, well no.
AMD? I have read about problems with non-CPU chips being compromised.
Another architecture? I have never used anything other than Intel/AMD.

The server will run httpd, mailserver, PostgreSQL and somehow a good way
for well encrypted messaging at times.
It is very likely to run out of Austin, Texas.
I think that having a direct connection would be best, but would a
proper setup make collocation OK?

This isn't going to be my server, I will just be in charge. That's
completely new for me.
Any advice is really welcome, everywhere I read anything, hardware seems
broken and insecure.

Thanks a bunch for any help,
Chris Bennett




Re: X won't start with latest snapshot as user (Solution provided)

2018-11-11 Thread Chris Bennett
Thanks!
I use spectrwm too.
Now I know exactly what man pages to read, which I will do first, before
any copy/paste crap.
I have found the sheer size of X everything to be a bit intimidating. I
think this whole xenodm thing will fill in crucial gaps for me.

Happier,
Chris Bennett




Re: X won't start with latest snapshot as user (Solution provided)

2018-11-10 Thread Chris Bennett
On Sat, Nov 10, 2018 at 11:36:17PM +0100, Solene wrote:
> This is normal. Look at 26th October https://www.openbsd.org/faq/current.html
> 
> The suid was removed to prevent bad things to happen. Use xenodm instead of startx.
> 

I have switched to using xenodm. I also think I screwed up something
during installation. It happens. Shrug.
I have found that I am stuck using fvwm, but I would like to use another
wm. Not very important which one. But I really have no idea how to
accomplish that.
The reason I think I screwed up something else is that the performance
across the board is terribly slow. Happy to reinstall from scratch.

I'm happy to find the answers reading man pages, but man fvwm wasn't
helpful for me. Which ones should I read?

Running 6.4 stable amd64

Thank you,
Chris Bennett




Re: growfs(8) to lower offset

2018-11-06 Thread Chris Bennett
On Tue, Nov 06, 2018 at 09:18:27AM -0500, David Higgs wrote:
> > As the FAQ entry states, you can use growfs(8) if the empty space
> > is after the existing partition, not prior. You can only grow a
> > partition "down", never "up". What you want to do would require the
> > following steps:
> >
> > 1. Create a new partition on the free space
> > 2. Move all data to the new partition
> > 3. Remove the existing /project partition
> > 4. Use growfs(8) on the new partition to include the space from the old
> >    /project partition
> 
> You appear to be right - I see it now.  I had not read closely enough,
> and had focused more on what I could change with the 'm' disklabel(8)
> command.  It would be nice if this info were made explicit in the
> growfs(8) man page as well.
> 
> I had already successfully rearranged some partitions using the method
> you propose, but unfortunately the amount of data in /project is
> slightly too big to be easily shifted into my remaining free space.
> I'll try to compress it or temporarily move the data off-system.
> 

I use growfs a lot. I try to plan ahead of time to put partitions that I
can sacrifice when I desperately need to possibly grow something like
/usr/local or some other important partition. Sometimes I have a
partition for the PKG_CACHE when I need to avoid downloading the
packages twice for another computer. This is a partition, for me, that I
can sacrifice and use to grow the preceding partition.
Buy a bigger disk is not always a practical answer.

If you haven't already done it, taking a picture of disklabel, fstab and
df never hurt. Easier than writing it down.

Well, I've been in your position pulling out hairs many times. Worst
case is having a small useless partition stuck in the middle somewhere.

Good Luck,
Chris Bennett
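
The rule quoted in this message, that growfs(8) can only use free space lying after a partition, can be checked from a saved copy of the disklabel before any partition is touched. The script below is an added example, not part of the original posts: the label text is constructed, and the function names free_around and can_grow are hypothetical.

```shell
#!/bin/sh
# Constructed disklabel(8)-style output. Sizes and offsets are in sectors.
# /project (e) sits at the end of the disk with a gap in front of it,
# the layout described in the thread.
sample_label() {
cat <<'EOF'
# /dev/rsd0c:
total sectors: 4194304
boundstart: 64
boundend: 4194304
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:           524288               64  4.2BSD   2048 16384 12958 # /
  b:           524288           524352    swap                    # none
  c:          4194304                0  unused
  d:          1048576          1048640  4.2BSD   2048 16384 12958 # /usr/local
  e:          1048576          3145728  4.2BSD   2048 16384 12958 # /project
EOF
}

# free_around LETTER
# Reads disklabel text on stdin and prints "before=N after=M": the unused
# sectors directly below and directly above the named partition.
free_around() {
    awk -v want="$1" '
        /^boundstart:/ { lo = $2 + 0 }
        /^boundend:/   { hi = $2 + 0 }
        /^ +[a-p]:/ {
            letter = substr($1, 1, 1)
            if (letter == "c" || $4 == "unused") next   # c is the whole disk
            start[letter] = $3 + 0
            stop[letter]  = $2 + $3                     # first sector past it
        }
        END {
            if (!(want in start)) { print "no such partition"; exit 1 }
            prev = lo; nxt = hi
            for (p in start) {
                if (p == want) continue
                # closest neighbour ending at or below our start
                if (stop[p] <= start[want] && stop[p] > prev) prev = stop[p]
                # closest neighbour starting at or above our end
                if (start[p] >= stop[want] && start[p] < nxt) nxt = start[p]
            }
            # %.0f keeps large sector counts exact in every awk
            printf "before=%.0f after=%.0f\n", start[want] - prev, nxt - stop[want]
        }'
}

# can_grow LETTER
# Succeeds only when free space follows the partition, the one case
# in which the partition can be enlarged and growfs(8) then applied.
can_grow() {
    free_around "$1" | grep -Eq 'after=[1-9]'
}

# Demonstration on the constructed label.
for p in d e; do
    printf '%s: %s\n' "$p" "$(sample_label | free_around "$p")"
done
```

Against a real system, feed it the saved output of disklabel for the disk instead of sample_label.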




Re: colorls: How to make the blue bright for readability, and a note about its origins

2018-11-05 Thread Chris Bennett
On Mon, Nov 05, 2018 at 08:53:58AM +, Joseph Mayer wrote:
> Hi,
> 
> This is how to make OpenBSD's colorls show directories bright blue,
> instead of dark blue which may be too dark to be readable on some
> screens:
> 
>  export LSCOLORS="Ex"
> 
> As pointed out elsewhere colorls is taken in use as default ls by:
> 
>  alias ls="colorls -G"
> 
> 
> The colorls port [1] is interesting, its source [2] seems to be a fork
> of the BSD codebase's ls dating back to 1980, the man page doesn't
> mention any particular authorship, and its code was updated as
> recently as this year.
> 
> Best regards,
> Joseph
> 
> [1] https://cvsweb.openbsd.org/ports/sysutils/colorls/
> 
> [2] http://shell.uugrn.org/~naddy/ls-6.3.tar.gz
> 

export LSCOLORS=Hxfxcxdxbxegedabagacad

I also had problems reading that color on a black background.
These will make directories white, if that is helpful.
I don't remember any of the details. I think I saw this on a website
somewhere. Not sure.

Good Luck,
Chris Bennett
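
The two LSCOLORS values in this exchange, "Ex" and the 22-character string, decoded slot by slot. This is an added example, not part of either post: the slot order, colour letters and default string follow the BSD ls(1) description of LSCOLORS, and the function name decode_lscolors is hypothetical. That a short value such as "Ex" leaves the remaining slots at their defaults is assumed here.

```shell
#!/bin/sh
# decode_lscolors STRING
# Prints one line per attribute slot: "slot foreground background".
# An upper-case letter means the bold variant; "x" means the terminal default.
decode_lscolors() {
    awk -v s="$1" '
    function colour(c,   k) {
        if (c == "x") return "default"
        k = index("abcdefgh", tolower(c))
        if (k == 0) return "invalid"
        return (c != tolower(c) ? "bold-" : "") name[k]
    }
    BEGIN {
        def = "exfxcxdxbxegedabagacad"   # documented default value
        n = split("directory symlink socket pipe executable block-device " \
                  "char-device setuid-exec setgid-exec " \
                  "sticky-other-writable-dir other-writable-dir", slot, " ")
        split("black red green brown blue magenta cyan light-grey", name, " ")
        for (i = 1; i <= n; i++) {
            # Assumption: slots missing from a short string use the default.
            if (length(s) >= 2 * i)
                pair = substr(s, 2 * i - 1, 2)
            else
                pair = substr(def, 2 * i - 1, 2)
            print slot[i], colour(substr(pair, 1, 1)), colour(substr(pair, 2, 1))
        }
    }'
}

# Demonstration: the directory slot for both values from the thread.
decode_lscolors "Ex" | head -n 1
decode_lscolors "Hxfxcxdxbxegedabagacad" | head -n 1
```

The last four slots are the ones worth keeping visually distinct on a server, since they mark setuid and setgid executables and directories writable by others.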



