Re: reposync:host key verification failed

2021-06-06 Thread Christian Weisgerber
On 2021-06-06, Avon Robertson  wrote:

> reposync: host key verification failed - see
> /var/db/reposync/known_hosts
>
> The same error was then recorded in my log on the 3rd, 4th, 5th, and
> 6th of June. The above known_hosts file does not exist on this machine.
> The FILES section of reposync(1) I have interpreted as meaning that the
> above known_hosts file, is not needed when the official keys exist in
> file /usr/local/share/reposync/ssh_known_hosts which they do on this
> machine.

So what are the fingerprints of the SSH keys in your ssh_known_hosts?

$ ssh-keygen -lf /usr/local/share/reposync/ssh_known_hosts

How do they compare against those given for anoncvs.au.openbsd.org on
https://www.openbsd.org/anoncvs.html
?

> Hints as to where the problem is would be very appreciated.

anoncvs.au.openbsd.org could have changed SSH keys, but that is not
the case.  The entries on anoncvs.html have not been updated recently
and they match the keys that I see from this host right now.
256 SHA256:kg2Zaqpd8ZuluPzlpFS9rEw0KR1UmxD9jSG6+2tr28A anoncvs.au.openbsd.org (ECDSA)
2048 SHA256:pPcBY4E33vwreETbz5KJUIzZpWWzaZPhrpnLaFa7WuQ anoncvs.au.openbsd.org (RSA)
256 SHA256:4CbDtzH/6mqQ/f6KDLz0rdqK2Thk4dQQtHXOxTONEvk anoncvs.au.openbsd.org (ED25519)

Your /usr/local/share/reposync/ssh_known_hosts could have become
corrupted.

Somebody could be hijacking your TCP connections and trying to
redirect them to a different machine.  That is what the SSH host
keys protect against.  THIS IS APPROXIMATELY NEVER THE CASE.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
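The comparison the reply asks for, done in code rather than by eye: parse a known_hosts file, compute the SHA256 fingerprint of each key the way ssh-keygen -l prints it, and report per key type whether it matches the published value, differs from it, or is absent. This is an added example, not code from the post, from reposync(1) or from OpenSSH; the host name, the known_hosts text, the key blobs and the "published" fingerprints are constructed placeholders, not the real anoncvs.au.openbsd.org keys.

```python
"""Compare host keys in an OpenSSH known_hosts file against published
SHA256 fingerprints.  Added example; constructed sample data throughout."""
import base64
import hashlib


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: base64 without padding."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (marker, hostnames, keytype, fingerprint) per entry.

    Hashed host names (HashKnownHosts, lines starting with |1|) are skipped:
    matching them needs the HMAC salt handling left out here.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = ""
        if fields[0].startswith("@"):          # @cert-authority / @revoked
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        hosts, keytype, key_b64 = fields[0], fields[1], fields[2]
        yield marker, hosts.split(","), keytype, fingerprint(key_b64)


def check(text: str, host: str, published: dict) -> dict:
    """Return {keytype: "ok" | "MISMATCH" | "revoked" | "unpublished" | "missing"}.

    "MISMATCH" is the case worth acting on: the file holds a key for this
    host and type whose fingerprint is not the published one, which is
    either a corrupted file or a different machine answering.
    """
    result = {}
    for marker, hosts, keytype, fp in parse_known_hosts(text):
        if host not in hosts:
            continue
        expected = published.get(keytype)
        if marker == "@revoked":
            result[keytype] = "revoked"
        elif expected is None:
            result[keytype] = "unpublished"
        elif expected == fp:
            result[keytype] = "ok"
        else:
            result[keytype] = "MISMATCH"
    for keytype in published:
        result.setdefault(keytype, "missing")
    return result


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed placeholder keys: an ssh-ed25519 public key blob is the
# algorithm name followed by the 32-byte key, both encoded as SSH strings.
GOOD_KEY = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
OTHER_KEY = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()

HOST = "anoncvs.example.org"                         # placeholder host
SAMPLE_KNOWN_HOSTS = f"# constructed sample\n{HOST},192.0.2.1 ssh-ed25519 {GOOD_KEY}\n"
TAMPERED_KNOWN_HOSTS = f"{HOST},192.0.2.1 ssh-ed25519 {OTHER_KEY}\n"

# What an operator would copy from the project's published key page.
PUBLISHED = {
    "ssh-ed25519": fingerprint(GOOD_KEY),
    "ssh-rsa": "SHA256:" + "A" * 43,   # placeholder; sample has no RSA key
}

if __name__ == "__main__":
    print(check(SAMPLE_KNOWN_HOSTS, HOST, PUBLISHED))
    # {'ssh-ed25519': 'ok', 'ssh-rsa': 'missing'}
    print(check(TAMPERED_KNOWN_HOSTS, HOST, PUBLISHED))
    # {'ssh-ed25519': 'MISMATCH', 'ssh-rsa': 'missing'}
```

On a real system, feed it the contents of /usr/local/share/reposync/ssh_known_hosts and the fingerprints from anoncvs.html; "missing" for a type means the file lacks that key, which is harmless, while "MISMATCH" means the file or the peer is not what it should be.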



Re: Firefox: glxtest: libpci missing

2021-05-04 Thread Christian Weisgerber
"Peter N. M. Hansteen":

> $ Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: libpci
> missing (t=0.395391) [GFX1-]: glxtest: libpci missing
> 
> firefox runs, so it's not fatal. I suspect it's a misclassified
> dependency in the package (build vs runtime).

FWIW, I see the same warning on FreeBSD.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment

2021-04-21 Thread Christian Weisgerber
Tom Smyth:

> if you were to have a 1MB file or a database that needed to read 1MB
> of data, if the partitions are not aligned then your underlying storage
> system needs to load 2 chunks or write 2 chunks for 1 MB of data, written,

You seem to assume that FFS2 would align a 1MB file on a 1MB border
within the filesystem.  That is not the case.  That 1MB file will be
aligned on a blocksize border (16/32/64 kB, depending on filesystem
size).  Aligning the partition on n*blocksize has no effect on this.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment

2021-04-20 Thread Christian Weisgerber
Tom Smyth:

> just installing todays snapshot and the default offset on amd64 is 64,
>  (as it has been for as long as I can remember)

It was changed from 63 in 2010.

> Is it worth while updating the defaults so that OpenBSD partition
> layout will be optimal for SSD or other Virtualized RAID environments
> with 1MB  Chunks,

What are you trying to optimize with this?  FFS2 file systems reserve
64 kB at the start of a partition, and after that it's filesystem
blocks, which are 16/32/64 kB, depending on the size of the filesystem.
I can barely see an argument for aligning large partitions at 128
sectors, but what purpose would larger multiples serve?

> Is there a down side  to moving the default offset to 2048 ?

Not really.  It wastes a bit of space, but that is rather insignificant
for today's disk sizes.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Another potential awk or xargs bug?

2021-04-15 Thread Christian Weisgerber
Jordan Geoghegan:

> --- /tmp/bad.txt  Wed Apr 14 21:06:51 2021
> +++ /tmp/good.txt  Wed Apr 14 21:06:41 2021

I'll note that no characters have been lost between the two files.
Only the order is different.

> The only thing that changed between these runs was me using either xargs -P 1 
> or -P 2.

What do you expect?  You run two processes in parallel that write
to the same file.  Obviously their output will be interspersed in
unpredictable order.

You seem to imagine that awk's output is line-buffered.  But when
it writes to a pipe or file, its output is block-buffered.  This
is default stdio behavior.  Output is written in block-size increments
(16 kB in practice) without regard to lines.  So, yes, you can end
up with a fragment from a line written by process #1, followed by
lines from process #2, followed by the remainder of the line from
#1, etc.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Help with ssh(1) between OpenBSD and iSH/Alpine on iOS

2021-02-06 Thread Christian Weisgerber
Erling Westenvik:

> I can ssh FROM any OpenBSD box INTO iSH on my iPhone, and once
> authenticated I can ssh back from there to the OpenBSD box or to any
> other OpenBSD or Linux box, but! -- From iSH itself (ie. "directly" from
> my iPhone) I can only successfully ssh to Linux boxes; if I ssh from the
> phone itself to any OpenBSD box I'm getting authenticated and receive a
> full shell prompt

Right here, I'd start ktrace(1)-ing the login shell on the OpenBSD
box to see...

> but the moment I hit Enter the client drops the connection.

... what this looks like at the OpenBSD end.

> ssh FAILS from iSH > to OpenBSD
> ssh WORKS from iSH > to Linux
> ssh WORKS from OpenBSD > to iSH (and from iSH (back) to Linux/OpenBSD)
> 
> I guess there must be something obvious I'm missing but for the life of
> me I cannot figure out what. Any help is appreciated.

I don't think it's anything obvious.  Smells like an interop problem
at a level above SSH to me.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: libreoffice package broken in -current 3.509

2021-01-17 Thread Christian Weisgerber
On 2021-01-17, "Nicola Dell'Uomo"  wrote:

> after upgrading packages from 3.507 to 3.509 in -current, libreoffice 
> crashes when it starts.

This should be fixed with the next amd64 packages snapshot, which
will appear sometime on Monday (UTC).

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: phonetics on OpenBSD: IPA transcription

2021-01-08 Thread Christian Weisgerber
On 2021-01-08, Jan Stary  wrote:

> How do I install a font that has glyphs for those symbols?
> Is there anything for that in ports?

The Dejavu font that is included by default covers IPA.  It's
unlikely that you need to install anything else.  And if you do,
just install the Noto fonts and be done with it.

Even the "fixed" font that xterm uses by default covers IPA for all
practical purposes.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: help needed with httpd.conf and rewrite directive

2021-01-07 Thread Christian Weisgerber
On 2021-01-07, John McGuigan  wrote:

> httpd's regex is based on Lua's, the following site will help you figure it 
> out:

Or, you know, the patterns(7) man page.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: -current amd64 packages not updated? Impatient or broken?

2021-01-07 Thread Christian Weisgerber
Steve Williams:

> I hesitate to send this because perhaps I'm just too impatient, but then
> again, perhaps not.  This is not critical/time sensitive.
> 
> I just thought I'd check if there a problem with the current packages folder
> from the mirrors?

No, the amd64 package builds have been slightly delayed.  First by
a problem in lang/rust, which semarie@ fixed in admirably short
time.  Then the package build was cut short because the machine
running dpb(1) panicked with filesystem corruption.

A new build is running now and will take another 24h to complete
if all goes well.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: UNIX printing demystified

2020-10-24 Thread Christian Weisgerber
On 2020-10-24, Mihai Popescu  wrote:

> Is there a way to interface LPD directly with GUI apps like Chromium,
> mupdf, etc? I mean just to print from GUI menu Print.

Those print menus _should_ offer the option to print to lpr.  They
traditionally did.  If they don't now, then this is worth examining.
What GUI toolkit does the application use and what does this toolkit
do?

The GTK+ case is instructive.  Once upon a time, the GTK print menu
offered printing to lpr.  A number of years ago that disappeared.
Why?  Originally, GTK produced print output in PostScript.  The
assumption was that you could send this to any lpr printer, since
PostScript has effectively been the standard printer language in
Unix for decades.  The print menu changed, because GTK had switched
to producing print output in PDF.  The assumption was that random
lpr printers could not handle PDF, so the option of printing to lpr
was removed.  Fast-forward to the present.  Virtually all printers
that can handle PostScript also accept PDF directly and have been
able to do so for years.  Finally, two weeks ago (!) the GTK people
relented and have marked the lpr backend as capable of accepting
PDF.  This means that print-to-lpr is going to become available
again in GTK applications.  On OpenBSD that will most likely happen
with the next x11/gtk+3 update.

Are there still any GTK+2 applications with a print menu in the
ports tree?  Let me know, and I'll take a look at what's up there.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Router advertisements for dynamic IPv6 prefix

2020-10-15 Thread Christian Weisgerber
On 2020-10-14, Fernando Gont  wrote:

> Set the VL to 30', and the PL to 15'.  You could even set the VL to 15', 
> and the PL to 7.5', if necessary.

How does this influence the lifetime of privacy addresses?

Even with rad(8)'s defaults, I already need to specify an originating
non-privacy address for all long-running ssh sessions, otherwise
they die when the privacy address they're using is forcefully expired
after a week or so.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: time_t

2020-10-05 Thread Christian Weisgerber
On 2020-10-05, Roderick  wrote:

> The source of my confusion with FreeBSD:

> /usr/include/x86/_types.h contains:
>typedef __int32_t __time_t;
>typedef int __int32_t;

$ fgrep time_t /usr/include/x86/_types.h
typedef __int64_t   __time_t;   /* time()... */
typedef __int32_t   __time_t;

There's an #ifdef __LP64__ ...

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: time_t

2020-10-05 Thread Christian Weisgerber
On 2020-10-05, "Peter N. M. Hansteen"  wrote:

> I hadn't looked in a while, but it amazes me that FreeBSD still has
> 32-bit time_t.

Only on FreeBSD/i386.  On all other architectures, time_t is int64_t.
See src/sys/*/include/_types.h.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: iwm0: fatal firmware error on Dell Latitude E5570

2020-09-24 Thread Christian Weisgerber
On 2020-09-24, Jan Stary  wrote:

> This is 6.8-beta/amd64 on a Dell Latitude E5570 (dmesg below).
> iwm stopped working, saying
>
>   iwm0: hw rev 0x200, fw ver 34.0.1, address e4:a4:71:40:21:08
>   iwm0: fatal firmware error
>   iwm0: could not remove MAC context (error 35)

I've been getting a lot of those lately, but my iwm keeps recovering
from them eventually.

Frankly, I've mostly stopped paying attention.  I update my laptop
every other week or so, and the reliability of wi-fi keeps fluctuating
from kernel to kernel, sometimes it's better, sometimes it's worse,
and I don't think it correlates well with commits or firmware
updates.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Understanding of keydisk backup for FDE

2020-08-28 Thread Christian Weisgerber
On 2020-08-27, Andreas Menge  wrote:

> I try to wrap my head around why the FAQ 
> (https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk) says that one 
> should create a backup of the keydisk with bs=8192 and skip=1.
>
> From the FAQ:
>
> # dd bs=8192 skip=1 if=/dev/rsd1a of=backup-keydisk.img
> # dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd1a

This copies the relevant softraid meta data.

> My personal inclination was to just dd the whole disk (like dd if=/dev/rsd1c) 
> ...

That works, but it means the disks will now share the same disklabel
with the same size (even if the USB sticks differ in size), the
same label, the same "unique" disk ID.  That won't matter for their
use as keydisk, but if you ever re-use them for something else
later, you'll need to remember to recreate the disklabel or weird
things may happen.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: i386, parallel port permission error?

2020-08-20 Thread Christian Weisgerber
On 2020-08-19, Doug Moss  wrote:

> I think the problem in lcdproc is in the code from this file (port.h)
> https://github.com/lcdproc/lcdproc/blob/master/server/drivers/port.h
>
> I am out of my depth with this code. I have never even seen these
> calls 'outb' and 'inb'

You're saying this as if you never did any MS-DOS or CP/M programming.
Which is the mindset with which some of those "drivers" were written.

I've had to touch the lcdproc port a bunch of times, because it
keeps breaking, and we had to disable ever more of it.  It supports
a zillion LCD modules--virtually all of them vastly obsolete, I
assume--with userland "drivers" that frequently need direct hardware
access.  The concept is fundamentally broken on Unix.  I have no
idea if the fraction of functionality that is still available is
even useful, and I would be inclined to just remove the port.
Apparently there is some newer upstream code available, but there
is no port maintainer, nobody cares, it won't fix the fundamental
problems, and so the rotting carcass just languishes.

No, no, don't remove it, it might still work for somebody somewhere...
Oh well, then.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: gcc not on new OpenBSD 6.7 machine, clang problems

2020-08-17 Thread Christian Weisgerber
"Whiskey T.":

> My datacenter installed OpenBSD 6.7 on a new machine:
> 
> # uname -a
> OpenBSD machine name 6.7 GENERIC.MP#182 amd64
> 
> # which gcc
> which: gcc: Command not found.

> configure:3711: checking whether the C compiler works
> configure:3733: cc conftest.c >&5
> ld: error: cannot open crt0.o: No such file or directory

Your OpenBSD installation is incomplete.  The "comp" set was not
installed.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: scp host:file* /tmp/nonexistent

2020-08-01 Thread Christian Weisgerber
On 2020-08-01, Roderick  wrote:

> It is not documented in 4.4BSD. I suppose this is not original BSD?

Public service announcement: The original BSD repository can be
browsed here (converted from SCCS):
https://svnweb.freebsd.org/csrg/

Wanna know what those hippies at Berkeley really did?
You can look it up.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Upgrade old 6.2 but 6.3 SHA256.sig on mirror different

2020-07-22 Thread Christian Weisgerber
"Theo de Raadt":

> Johan Mellberg  wrote:

> > and https://ftp.openbsd.org/pub/OpenBSD/6.3/amd64/SHA256.sig
> > (Canada, as I like to take them from different sources). I then ran:
> 
> The format of the .sig files was changed in a very small way, intentionally,
> way back then.  You are hitting that issue. 

Sorry, no, the file is corrupted.  I just downloaded
https://ftp.openbsd.org/pub/OpenBSD/6.3/amd64/SHA256.sig
and it contains only nul bytes.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Cleaning system's old libraries/files after update to next -release or -current

2020-07-14 Thread Christian Weisgerber
On 2020-07-14, Ottavio Caruso  wrote:

>> > After system update I found lots of 'old' libraries versions
>> > and possibly binaries from previous releases.
>>
>> If you need to ask, just don't remove them.  Those files eat no bread,
>> and in some situations, some of the libs may still be in use.
>
> What about if one compiles ports? If OpenBSD is anything similar to
> NetBSD, on the latter having multiple libs might cause build
> breakages.

Old versions of libraries are innocuous.  They will simply be
ignored.

Potential sources of trouble are old copies of libraries that no
longer exist and header files that no longer exist.  OpenBSD hasn't
retired a base library in a long time, so that isn't an issue.  I
recommend cleaning up /usr/include, though.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: hostname.pppoe0, !/bin/sh when reconnecting

2020-06-17 Thread Christian Weisgerber
On 2020-06-17, Lévai, Dániel  wrote:

> I'm trying to run a script whenever I get a new IP address from my ISP over 
> pppoe0. They disconnect me occasionally and the router reconnects then, eg.:
> /bsd: pppoe: GENERIC ERROR: RP-PPPoE: Child pppd process terminated
> /bsd: pppoe0: received unexpected PADO
> last message repeated 2 times
>
> I have this as the last line in /etc/hostname.pppoe0:
> !/bin/sh /etc/hostname.pppoe0.script pppoe0 0.0.0.1
>
> It doesn't seem to be executed when this happens, only when I reboot the 
> router.

/etc/hostname.* is only executed once when the system starts.

The PPP disconnect/reconnect is handled entirely by pppoe(4)--well,
sppp(4) really--in the kernel.  There is no callout to the userland
available.

It may be possible to use ifstated(8) for this.  I haven't tried
that, but it's where I would start looking.

> Is the culprit here something along the lines of not (re)configuring the 
> interface with ifconfig up/down (in which case the script would run),

Note that ifconfig down/up will not run /etc/hostname.* either.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Filling a 4TB Disk with Random Data

2020-06-05 Thread Christian Weisgerber
On 2020-06-05, Roderick  wrote:

>> I'd think that a degausser would also erase the servo tracks which will make
>> the disk irrevocably unusable. If that's what you want then just drill holes
>> through the disk - it's quicker.
>
> Or perhaps to put it on an induction cooktop?

I always keep a vat of molten steel at hand so I can easily dispose
of old disk drives, killer robots from the future, etc.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Issues expanding partition to grow disk

2020-06-02 Thread Christian Weisgerber
On 2020-06-02, "Darren S."  wrote:

> I'm dealing with a VPS on KVM with the disk having been recently
> expanded from 50 >> 80 GB.
>
> Disklabel shows reasonable total sectors:
>
> # disklabel sd0

> total sectors: 167772160
> boundstart: 64
> boundend: 115330635

The upper boundary is still set to 55G.
In the disklabel editor use b * to move it to the end of the disk.

> Is this something to do with it being a virtual disk in a certain
> configuration? And is this a case where I may need to set the disk
> boundaries in disklabel(8) as described (although I don't know if this
> fits description of "ports with fdisk(8) partition tables where..."):

It fits the unmentioned case of a labeled disk later growing.
Actual drives don't do that.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Filling a 4TB Disk with Random Data

2020-06-01 Thread Christian Weisgerber
On 2020-06-01, Justin Noor  wrote:

> Has anyone ever filled a 4TB disk with random data and/or zeros with
> OpenBSD?

Yes.

> How long did it take?

I don't remember.  Hours.
At a plausible 100 MB/s write speed it will take 11 hours.

> What did you use (dd, openssl)? Can you share the command that you used?

# dd if=/dev/random of=/dev/rsd1c bs=64k   # random data
# dd if=/dev/zero of=/dev/rsd1c bs=64k     # zeros

Take care to pick the proper device corresponding to the drive you
want to overwrite.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Convert ffs1 to ffs2?

2020-05-20 Thread Christian Weisgerber
On 2020-05-20, Christer Solskogen  wrote:

> Is that possible?

umount, dump, newfs, mount, restore

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Christian Weisgerber
On 2020-05-11, Stuart Longland  wrote:

> BSD came from the US (University of California), but most of today's
> implementations have been very significantly changed since then.

BSD built on top of AT&T UNIX, which came from Bell Labs in New Jersey.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: More than 16 partitions

2020-04-24 Thread Christian Weisgerber
On 2020-04-23, Ian Darwin  wrote:

> So: I was able to newfs, mount, and use an OpenBSD partition which 
> disklabel called 'a' and which had no trace of an fdisk partition around it.
>
> As Allan pointed out, this is not for booting from - none of those
> fdisk partitions looks very healthy.

biosboot(8) has an MBR boot signature.  If the BIOS doesn't check
for a valid MBR partition table--some do, some don't--then it should
be able to directly run biosboot(8) from sector 0.

installboot(8) tries to prevent such a configuration, but it could
be tweaked, or you could try to tweak the disklabel and set the
type to floppy, because floppies don't have MBR partitions.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Wine for OpenBSD?

2020-04-11 Thread Christian Weisgerber
On 2020-04-11, Nikita Stepanov  wrote:

> Wine for OpenBSD?

At hackathons, we typically ask the French developers to pick out
a wine from the menu, but they are pretty reluctant to take on this
responsibility.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: riscv

2020-03-13 Thread Christian Weisgerber
On 2020-03-13, "Peter J. Philipp"  wrote:

> Any developer working on a riscv port and willing to share their unofficial
> work for possible future collaboration?

I think I'd have heard by now if somebody was, so I'll go out on a
limb and say no, nobody's working on a RISC-V port.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: man to render pure text? (or a pipe in vi macros ?)

2020-03-02 Thread Christian Weisgerber
On 2020-03-02, Marc Chantreux  wrote:

> i felt dumb reading this as i gave a try to the mandoc man. but i just
> double checked:
>
> man mandoc|col -b|grep -w col
>
> gives me nothing.

$ man mandoc|col -b|grep -w col
 to col(1) -b instead.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: man to render pure text? (or a pipe in vi macros ?)

2020-03-02 Thread Christian Weisgerber
Marc Chantreux:

> > > * is there a way to ask man to deliver pure (non-formatted) text ?
> > Pipe its output through "col -b".
> 
> what is the gain of using col over fmt ?

It's the designated tool for the job.  That fmt also happens to
replace sequences character1-backspace-character2 with character2
is more of a lucky coincidence.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: man to render pure text? (or a pipe in vi macros ?)

2020-03-02 Thread Christian Weisgerber
Marc Chantreux:

> * is there a way to ask man to deliver pure (non-formatted) text ?

Pipe its output through "col -b".

> * is there a way to introduce a | in vi macros?

Yes, by prefixing it with a ^V character.  To enter ^V in vi's input
mode, press control-V twice.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: setxkbmap cannot completely set compose key

2020-02-20 Thread Christian Weisgerber
Xianwen Chen (陈贤文):

> I forgot to report maybe an important piece of information. I use scim
> to type in Chinese. I use the default xdm. Here is my .xsession:
> 
> export LC_CTYPE=en_US.UTF-8
> 
> export XMODIFIERS=@im=SCIM
> export GTK_IM_MODULE="scim"
> export QT_IM_MODULE="scim"
> scim -d

I suspect it works as intended for xterm.  The compose key handling
is a simple input method built into libX11.  You are swapping out
this default IM for the SCIM one.

This area of X11 seems to be virtually undocumented.
See XSetLocaleModifiers(3).

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

2020-02-05 Thread Christian Weisgerber
On 2020-02-05, Janne Johansson  wrote:

>> # /etc/hostname.vlan101
>> description 'WLAN attached untrusted hosts'
>> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>
> VLANs and wifi sounds like a non-starter.

Yep, if you're building your access point with OpenBSD.

More generally, though, any AP in the business segment has support
for multiple SSIDs that can be assigned to different VLANs on the
Ethernet side.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

2020-02-05 Thread Christian Weisgerber
Denis, I suspect the fundamental problem is that you don't understand
what VLANs are.  There should be a lot of articles about this topic
on the net; maybe somebody here can recommend a good one.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

2020-02-04 Thread Christian Weisgerber
On 2020-02-03, Denis  wrote:

> Some hosts should be limited in internet access and/or local access or
> simply be restricted in some way because they are untrusted.
>
> I'm looking for a possibility to isolate untrusted inside LAN using any
> approach applicable. How do people isolate undesirable hosts in their
> networks?

Put hosts with different trust requirements into different networks
at the IP level, connected to a central gateway where you can easily
permit/deny traffic between them.  Use VLANs to separate the IP
networks.

For example, my home network is split into three networks:

* Trusted hosts.  These are allowed to initiate traffic to the
  Internet and to the other networks.

* Untrusted hosts with outside access.  These are allowed to initiate
  traffic to the Internet at large, but not to the other networks.
  This is mostly my wi-fi.  Also a RIPE Atlas probe.

* Untrusted hosts without outside access.  These cannot initiate
  traffic to any destination outside their network.  Includes my
  printer and the SIP phone[1] for my "landline".

That's three vlan(4) interfaces on my gateway, which provides basic
DHCP/SLAAC, DNS, NTP services on all of them and has a small pf(4)
ruleset to enforce the restrictions above about who can start talking
to whom.


[1] A SIP phone that is not allowed to talk to the outside may seem
surprising, but it only needs to talk to siproxd on the gateway,
and siproxd is required for NAT traversal anyway.
-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Low throughput with 1 GigE interface

2020-01-30 Thread Christian Weisgerber
On 2020-01-30, Jordan Geoghegan  wrote:

> All you're doing is benchmarking the speed of iperf on that machine.

I vaguely remember a thread somewhere that concluded that one of
these network benchmark tools degenerated into a benchmark of
gettimeofday(2), which apparently is very cheap on Linux and not
cheap on OpenBSD.  So you end up measuring the performance of this
system call.

I don't remember whether it was iperf...

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Low throughput with 1 GigE interface

2020-01-30 Thread Christian Weisgerber
On 2020-01-30, livio  wrote:

> I am unable to achieve decent throughput with a 1 GigE interface
> (Intel I210) on OpenBSD 6.6. When running iperf3 I get around 145Mbit/s.

I get more than 30 Mbytes/s over SSH (!) to an APU2.

$ scp -caes128-...@openssh.com 
/usr/ports/distfiles/texlive-20190410-texmf.tar.xz partoc:/dev/null
texlive-20190410-texmf.tar.xz 100% 2714MB  31.8MB/s   01:25

I can't help you, I'm just posting this in the service of squashing
rumors.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Odd /tmp behavior

2020-01-08 Thread Christian Weisgerber
On 2020-01-08, Nick Holland  wrote:

> Weird stuff happens when Softdeps are working as designed.

To put it simply: Meta-data writes are delayed.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: possible SSH algorithm issues?

2020-01-08 Thread Christian Weisgerber
On 2020-01-08, "lu hu"  wrote:

> are these real issues?

No.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: thank you for 6.6 and bsd.rd

2019-12-20 Thread Christian Weisgerber
On 2019-12-20, "Theo de Raadt"  wrote:

> well you missed out
>
> for 6.5 onwards, all you had to was type
>
> sysmerge
> sysupgrade

I think that was intended to read

  syspatch
  sysupgrade

> for 6.6 onwards you'll only need sysupgrade

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: What happened to 6.6/sgi?

2019-12-08 Thread Christian Weisgerber
On 2019-12-08, Stefan Hagen  wrote:

> I was browsing around and noticed that there are no files for the SGI 
> platform on the mirrors.

OpenBSD/sgi has been discontinued.  No 6.6 release was built.
The mips64 CPU architecture remains alive on the octeon platform.

> SGI is mentioned in the 6.6/README,

That was an oversight.

> (snapshot/sgi exists)

A several-months-old snapshot that simply hasn't been removed.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: LibreSSL vs. OpenSSL enc command

2019-12-04 Thread Christian Weisgerber
Dieter Rauschenberger:

> This was serveral years ago before Libressl was invented. Now I wanted
> to decrypt the docs with:
> 
> openssl enc -aes-256-cbc -d < FOO.aes256 > FOO
> 
> This did not work. The password did not work anymore.

The default message digest function used for key derivation changed
from MD5 to SHA256 in OpenSSL 1.1.0 and LibreSSL followed suit.

  openssl enc -aes-256-cbc -d -md md5 < FOO.aes256 > FOO

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
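What actually changed is the key derivation in front of the cipher: without -pbkdf2, openssl enc turns the password and the 8-byte salt from the "Salted__" header into key and IV with OpenSSL's EVP_BytesToKey construction, and the digest inside it defaulted to MD5 before 1.1.0 and to SHA256 from 1.1.0 on. The derivation below is an added example, not code from the post, from OpenSSL or from LibreSSL; the password, salt and sample blob are constructed for the demonstration.

```python
"""EVP_BytesToKey as used by `openssl enc` (one iteration), under MD5 and
SHA256.  Added example with constructed sample data."""
import hashlib


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int,
                     iv_len: int, md: str = "sha256"):
    """Return (key, iv).

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt);
    key || iv is the first key_len + iv_len bytes of D_1 || D_2 || ...
    For AES-256-CBC (32 + 16 bytes) MD5 needs three rounds and SHA256 two;
    the two digests yield unrelated keys, so a file written under the old
    default does not decrypt under the new one.
    """
    stream = b""
    prev = b""
    while len(stream) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        stream += prev
    return stream[:key_len], stream[key_len:key_len + iv_len]


def split_salted(blob: bytes):
    """Split off the 'Salted__' magic and the 8-byte salt that enc writes in
    front of the ciphertext; the salt is what makes the key file-specific."""
    if len(blob) < 16 or blob[:8] != b"Salted__":
        raise ValueError("not an openssl enc Salted__ blob")
    return blob[8:16], blob[16:]


def keys_for_both_digests(password: bytes, blob: bytes):
    """(key, iv) for AES-256-CBC under MD5 and under SHA256, i.e. what
    `-md md5` versus the current default would hand to the cipher."""
    salt, _ = split_salted(blob)
    return {md: evp_bytes_to_key(password, salt, 32, 16, md)
            for md in ("md5", "sha256")}


# Constructed sample: header, salt 00..07, and one dummy 16-byte block.
SAMPLE_BLOB = b"Salted__" + bytes(range(8)) + bytes(16)
PASSWORD = b"correct horse"   # placeholder password

if __name__ == "__main__":
    for md, (key, iv) in keys_for_both_digests(PASSWORD, SAMPLE_BLOB).items():
        print(md, key.hex(), iv.hex())
```

Passing -md md5 only restores the old derivation for reading the old file; the construction is a single unsalted-iteration hash and the mode is CBC without any integrity check, so the sensible follow-up is to decrypt once and re-encrypt under a proper KDF (OpenSSL 1.1.1 and later accept -pbkdf2) or a tool that authenticates the ciphertext.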



Re: iPXE and UEFI boot

2019-12-01 Thread Christian Weisgerber
Christer Solskogen:

> > With UEFI and PXE I have successfully netbooted
> > * amd64 (Thinkpad X1C5) with BOOTX64.EFI after bluhm@'s recent
> >   bootdev_dip fix
> 
> Is that already in current?

Yes, it was committed five days ago.

> I now tried having bsd.rd in tftp root
> directory, and BOOTX.EFI does find it (renamed bsd.rd to bsd, just to use
> the default settings)
> It loads the kernel but I only get a black screen. No kernel messages, what
> so ever.

I guess there are more bugs waiting to be found. :-(

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: iPXE and UEFI boot

2019-12-01 Thread Christian Weisgerber
On 2019-12-01, Christer Solskogen  wrote:

> I've tried sanboot for iso, but it fails. I *can* get BOOTX64.EFI to start,
> but it cant find bsd.rd (perhaps BOOTX64.EFI requires tftpd?),

No "perhaps". BOOTX64.EFI uses TFTP to load the kernel, just like
pxeboot does.

With UEFI and PXE I have successfully netbooted
* arm64 (OverDrive 1000) with BOOTAA64.EFI
* amd64 (Thinkpad X1C5) with BOOTX64.EFI after bluhm@'s recent
  bootdev_dip fix

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: vi in ramdisk?

2019-11-15 Thread Christian Weisgerber
On 2019-11-15, Roderick  wrote:

>> ed is included in the ramdisk, but if your use case is using vi to fix a
>
> I imagine, it is there for using it in scripts.

Interestingly enough, the installer itself does not use ed, as far
as I can tell.

* I pretty regularly use ed to perform some configuration tweaks
  before rebooting a freshly installed system.
* I have, rarely, used ed to recover a system from errors in
  /etc/fstab.
* Since the installer itself is just a script, it can be modified
  with ed in the install environment and then re-run.  From time
  to time I do this when debugging the installer or working on some
  feature there.

If you have some passing familiarity with sed, then ed will feel
very familiar.  It's just an interactive sed.  (Historically, it's
the other way around, of course.)

> I think, for editing config files, there are sure editors that
> are simpler, smaller, not so powerful, but easier to use than ed.

By all means, do not keep us in suspense and tell us the names of
these editors.

How large is a C implementation of TECO?

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Requesting vi tips

2019-10-18 Thread Christian Weisgerber
On 2019-10-18, Nam Nguyen  wrote:

>> Since 'q' is unused in nvi, I have this in my .nexrc:
>> map q !}fmt
>
> I just wanted to add that you can Ctrl-v Enter to produce the ^M at the end.
> This way it inputs and executes the command for you.
> 
> It could be like this if you want it to press Enter for you:
> map q !}fmt^M

And upon closer inspection I see that's what I actually have in my
.nexrc; less(1) didn't show the ^M and I had forgotten about it.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Requesting vi tips

2019-10-18 Thread Christian Weisgerber
On 2019-10-18, cho...@jtan.com  wrote:

> I didn't know [how] ! took movement commands. Thanks. I'll have a play
> with that one.
>
> It's not quite M-q (it's M not C) but I'm using vi after all.

Since 'q' is unused in nvi, I have this in my .nexrc:

map q !}fmt

Close enough to emacs's M-q.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Why regex doesn't work in while loop's condition?

2019-09-06 Thread Christian Weisgerber
On 2019-09-06, Andreas Kusalananda Kähäri  wrote:

>> read x; while [ "$x" != [abc] ]; do echo "Not a, b or c"; break; done
>
> The shells in the OpenBSD base system do not support matching regular
> expressions with that syntax.  You may have been thinking of bash,

Just to head off crazy rumors: bash doesn't either.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
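The comparison in the question above, as an added example that is not part of the thread: test(1) compares two strings, so `[abc]` is never treated as a pattern there, while the construct that does pattern matching in sh and ksh is `case`. The function names (naive_check, matches_abc, read_until_abc) are mine, and the script assumes a POSIX sh.

```shell
#!/bin/sh
# Added example, not from the thread: why `[ "$x" != [abc] ]` does not match
# a, b or c, and the portable way to test a string against a shell pattern.

# test(1) compares two strings. An unquoted [abc] is either the literal
# five-character string (when no file named a, b or c exists in the current
# directory) or, worse, the result of pathname expansion. It is quoted here
# so the comparison is deterministic; the result is the same either way.
naive_check() {
    [ "$1" != "[abc]" ]      # true for almost every input, including "a"
}

# case applies shell pattern matching (glob rules, not regular expressions):
# [abc] matches exactly one character that is a, b or c.
matches_abc() {
    case $1 in
    [abc]) return 0 ;;
    *)     return 1 ;;
    esac
}

# The loop from the question, with the test done the working way: read lines
# until one is a, b or c, print it and succeed; fail at end of input.
read_until_abc() {
    while read -r x; do
        if matches_abc "$x"; then
            printf '%s\n' "$x"
            return 0
        fi
        echo "Not a, b or c: $x" >&2
    done
    return 1
}

demo() {
    for v in a b c d "[abc]"; do
        if naive_check "$v"; then n="not equal"; else n="equal"; fi
        if matches_abc "$v"; then m="matches"; else m="no match"; fi
        printf '%-6s test: %-9s case: %s\n' "$v" "$n" "$m"
    done
}

demo
```

The `demo` table makes the difference visible: test(1) reports "a" as not equal to "[abc]", while `case` matches a, b and c and nothing else.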



Re: openrsync out of memory

2019-08-16 Thread Christian Weisgerber
On 2019-08-16, Jan Stary  wrote:

>> Does that mean openrsync tries to mmap() the entire file?
>> The machine only has 256MB of memory, but it does transfer
>> a test file of 300MB, so that can't be it.
>
> I forgot about 1GB swap, so that's why it works
> for files up to around 1.2G, but not larger.

Why would the size of physical memory + swap matter?
mmap() doesn't copy a file into memory, it maps it into the address
space.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Postscript printer recommendations

2019-07-13 Thread Christian Weisgerber
On 2019-07-13, "Jonathan Drews"  wrote:

> Hi Folks:  I need some recommendations on what brand of printers will
> work
> with Ghostscript (Postscript). The cartridges for my 15 year old HP
> Deskjet have gotten too expensive. I know Xerox makes some
> Postscript printers. Are there any other manufacturers of Postscript
> printers?

Your question is confused and self-contradictory.

A "Postscript printer" processes Postscript itself.

By contrast, Ghostscript is used to process Postscript on the host
computer and send the raster data to a dumb printer that cannot
handle Postscript by itself.

So which type of printer are you asking about?

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: When will OpenBSD become a friendly place for bug reporters?

2019-07-12 Thread Christian Weisgerber
On 2019-07-11, Ingo Schwarze  wrote:

> Quite likely.  I'm so clueless that right now, i can't even seem to get
> Compose to work even though i'm sure i had it working in the past.

I use "setxkbmap -option compose:ralt" and compose works as expected
for me in xterm.

Zwölf Boxkämpfer jagen Viktor quer über den großen Sylter Deich.

Dès Noël où un zéphyr haï me vêt de glaçons würmiens je dîne d'exquis
rôtis de bœuf au kir à l'aÿ d'age mûr & cætera !

Pójdźże, kiń tę chmurność w głąb flaszy!

(Yes, I entered those in an OpenBSD xterm.)

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: ssh-keygen specify max keysize for ed25519

2019-07-04 Thread Christian Weisgerber
On 2019-07-03, jungle boogie  wrote:

> $ ssh-keygen -t ed25519 -b 1000
> Bits has bad value 1000 (too large)

That's fine, that's a generic argument parsing error.

> $ ssh-keygen -t ed25519 -b 2
> key bits exceeds maximum 16384

That error makes no sense.  ED25519 keys have a fixed length, and
16384 is the limit for RSA keys.  Looks like an error path that
dates back to when only DSA and RSA were supported and that wasn't
updated when additional key types were added.

I'll send a tweak to tech@.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: The su manual doesn't mention use root account by default

2019-06-13 Thread Christian Weisgerber
On 2019-06-13, "Theo de Raadt"  wrote:

>> I always considered that su is coming from _s_uper _u_ser. But maybe I
>> am wrong, I am not from old UNIX days.
>
> incorrect.
>
> NAME
>  su - substitute user identity

Well, that's V7, which appears to have engaged in a bit of revisionism
together with the then newly expanded functionality.

Earlier in V6 it was "su - become privileged user" and "Su allows
one to become the super-user, who has all sorts of marvelous (and
correspondingly dangerous) powers".

http://man.cat-v.org/unix-6th/8/su

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: IPsec bandwidth perf on APU4C4

2019-06-11 Thread Christian Weisgerber
mabi:

> Last question hopefully... Reading the iked.conf man page I conclude that all 
> I need for that is to add to my ikev2 config is the following additional 
> parameter:
> 
> childsa enc aes-128-gcm

Correct.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: IPsec bandwidth perf on APU4C4

2019-06-10 Thread Christian Weisgerber
mabi:

> > enc aes-128-gcm etc.
> 
> That part for the "enc" parameter makes sense to me but what about the "auth" 
> parameter?

No "auth".  AES-GCM is an authenticated encryption algorithm, i.e.,
it handles both encryption and authentication at the same time.
Specifying an additional "auth" algorithm doesn't make sense.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: IPsec bandwidth perf on APU4C4

2019-06-10 Thread Christian Weisgerber
mabi:

> Thanks for the tip regarding the cpu cost of the authentication algorithm. 
> Now I was wondering how do you use the AES-GCM combo? I  can't find any auth 
> or enc parameters mentioning that combo.

enc aes-128-gcm etc.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: IPsec bandwidth perf on APU4C4

2019-06-10 Thread Christian Weisgerber
On 2019-06-10, mabi  wrote:

> Bypassing the IPsec tunnel I get around 500 Mbit/s of bandwidth throughput 
> which is quite satisfying. The bandwidth throughput over my IPsec tunnel 
> achieves a max of 80 Mbit/s which I was sort of expecting with the default 
> encryption settings (auth hmac-sha2-256 enc aes-256).

It helps to understand that the authentication algorithm can require
as much or more CPU than the encryption.  HMAC-SHA2 is expensive.
On hardware that has AES-NI support, like the APU2 family, AES-GCM
is generally the fastest encryption/authentication combo.

> In order to increase bandwidth throughput over my IPsec tunnel I wanted to 
> know what you guys think is a good compromise between performance and 
> security? I was thinking for example of changing the encryption cipher to 
> aes-128 instead of aes-256 and maybe blowfish? What would you recommend?

AES-128 is good enough, although on the APU2 family with AES-NI it
seems to be only marginally faster than AES-256.

Don't use Blowfish.  It's obsolete.  And its reputation for speed
precedes the introduction of AES.

> Anything else I should be looking at? maybe like a hardware crypto 
> accelerator miniPCI card compatible with the APU4 and OpenBSD?

No, that was 15 years ago.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Behaviour of eval in sh(1) and ksh(1) in AND-OR list with set -e

2019-06-06 Thread Christian Weisgerber
On 2019-06-05, Andreas Kusalananda Kähäri  wrote:

> When running under set -e, why does
> eval false || echo ok
> terminate the script with the execution of eval?

I think that's a bug.

> then why does the below behave differently?
> eval ! true || echo ok

That's actually the documented, POSIX-specified behavior.  Somewhat
bizarrely, ! disables errexit.  The eval doesn't matter here.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
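The errexit rules discussed above, as an added example that is not part of the thread: each snippet is run in a child `sh -e` and its output and exit status are reported. It assumes a POSIX sh on the PATH; the OpenBSD ksh behaviour the question reports for `eval false || ...` (called a bug in the reply) is not reproduced by a POSIX sh, which prints "ok" there. The helper names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: which failing commands errexit (set -e)
# ignores under the POSIX rules, checked by running snippets under `sh -e`.

# Print whatever the snippet echoed before errexit stopped it (if it did).
errexit_output() {
    sh -e -c "$1" 2>/dev/null || true
}

# Print the exit status the snippet ends with under set -e.
errexit_status() {
    if sh -e -c "$1" >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# The cases and the rule each one illustrates:
#   'false; echo after'        plain failing command: shell exits, no output
#   'false || echo ok'         non-final command of an AND-OR list: ignored
#   'eval false || echo ok'    same rule; eval is just another command here
#   '! true; echo after'       pipeline beginning with "!": ignored
#   'eval ! true || echo ok'   both rules at once
#   'f() { false; echo in-f; }; f || echo caught'
#                              the exemption covers the whole body of a
#                              function called in that position, so the
#                              "false" inside f is ignored too
show_cases() {
    for snippet in 'false; echo after' 'false || echo ok' \
            'eval false || echo ok' '! true; echo after' \
            'eval ! true || echo ok' \
            'f() { false; echo in-f; }; f || echo caught'; do
        printf '%-48s -> output "%s", status %s\n' "$snippet" \
            "$(errexit_output "$snippet")" "$(errexit_status "$snippet")"
    done
}

show_cases
```

The last case is the one that bites in practice: a function that relies on `set -e` to stop on error loses that protection as soon as a caller writes `f || handle_error`.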



Re: Lenovo w/ AMD Ryzen CPU

2019-06-04 Thread Christian Weisgerber
On 2019-06-04, Patrick Wildt  wrote:

> I'd love to have one as well...

I hadn't intended to buy a new laptop anytime soon, but the Thinkpad
X395 is tempting...

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: amd64 snapshot very broken (Jun 1 02:24:13)

2019-06-03 Thread Christian Weisgerber
On 2019-06-01, Christian Weisgerber  wrote:

> The amd64 snapshot with BUILDINFO
> Build date: 1559355853 - Sat Jun  1 02:24:13 UTC 2019
> is very broken.  Specifically, the boot loader is broken.

Sorry, I forgot to follow up: This has been fixed for more than a
day now.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



amd64 snapshot very broken (Jun 1 02:24:13)

2019-06-01 Thread Christian Weisgerber
The amd64 snapshot with BUILDINFO

Build date: 1559355853 - Sat Jun  1 02:24:13 UTC 2019

is very broken.  Specifically, the boot loader is broken.  If you
upgrade and the new boot(8) is installed, you may no longer be able
to boot the machine.  Recovering from this will require booting
from a different medium.

i386 may also be affected.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Blind OpenBSD users

2019-05-14 Thread Christian Weisgerber
On 2019-05-14, Marc Espie  wrote:

> We also have (had?) a speech synthesis system in
> audio/festival

We deleted that.  Somebody would need to create a new port for a
more recent release.

> I don't think we have any other speech synthesis open source
> software in the ports tree.

There's audio/espeak, but I can't comment on it.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: 6.5 PowerPC Packages

2019-05-12 Thread Christian Weisgerber
On 2019-05-09, Christian Weisgerber  wrote:

> The build has been running for 25 days so far, across two machines,
> and the packages will be uploaded once they are finished.

I just signed the packages.  They'll become available in a day or so.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: 6.5 PowerPC Packages

2019-05-09 Thread Christian Weisgerber
On 2019-05-09, Henry Bonath  wrote:

> I figured that was the case, I suppose I was a little afraid that they
> weren't coming!

Each release, XY.html (so 65.html now) has a paragraph

  Many pre-built packages for each architecture:

listing the architectures and the respective package count.  If it says
  : 
that means we are building and there WILL be packages for that arch.

I think we've only broken that promise once.  (No hppa for 6.3.)

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: 6.5 PowerPC Packages

2019-05-09 Thread Christian Weisgerber
On 2019-05-09, Henry Bonath  wrote:

> I'm not sure how many folks out there are PowerPC users, but I was
> just curious if anyone had an idea on if or when we might see those
> out in the mirrors.

The build has been running for 25 days so far, across two machines,
and the packages will be uploaded once they are finished.

There are two ways to go about this: We can delay the release until
all architectures have finished building, or we can start releasing
once the fast & popular archs are ready and the others will catch
up eventually.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: headphone volume levels cannot be manipulated by mixerctl

2019-04-28 Thread Christian Weisgerber
On 2019-04-27, Christian Weisgerber  wrote:

> It is my theoretical understanding that USB audio gadgets typically
> come with a uhid(4) device, as does yours above, and you would use
> usbhidctl(1) to list and manipulate the available controls.

No, that is wrong.

Looking over uaudio.c, I now see that mixer controls are an inherent
part of the USB audio spec and that the driver automatically provides
them.

So the correct answer is this: If your USB audio gadget attaches
as audioN, use "mixerctl -f /dev/mixerN" to access the corresponding
controls.  If you don't specify a device, mixerctl uses /dev/mixer,
which by default is a symlink to /dev/mixer0.  You can point this
symlink to a different unit.  Alternatively, you can set MIXERDEVICE
in the environment.

(Personally, I have only used USB audio dongles to add an S/PDIF
output to machines that lacked one, so the mixer didn't really come
up.)

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: headphone volume levels cannot be manipulated by mixerctl

2019-04-27 Thread Christian Weisgerber
On 2019-04-27, Levente  wrote:

> The headphone in question is the Platronics RIG 500 HD, which connects 
> through the USB port (instead of 3.5mm jacks).

> mixerctl output is provided below along with dmesg.

Your headphones, which are really a USB audio adapter with attached
headphones, are a separate audio device.  Here are the relevant
parts from your dmesg:

> audio0 at azalia0
> ppb0 at pci0 dev 28 function 0 "Intel 6 Series PCIE" rev 0xb4: msi
> pci1 at ppb0 bus 2

That's the built-in azalia(4) audio of the laptop that supplies the
speakers and the headphone jack.

> uaudio0 at uhub3 port 2 configuration 1 interface 1 "Plantronics Plantronics HD1" rev 2.00/1.14 addr 3
> uaudio0: class v1, full-speed, sync, channels: 2 play, 2 rec, 9 ctls
> audio1 at uaudio0
> uhidev0 at uhub3 port 2 configuration 1 interface 3 "Plantronics Plantronics HD1" rev 2.00/1.14 addr 3
> uhidev0: iclass 3/0, 1 report id
> uhid0 at uhidev0 reportid 1: input=15, output=15, feature=0

And these are your uaudio(4) headphones.

By default, mixerctl accesses /dev/mixer -> /dev/mixer0, which is
the built-in audio.  You can access the mixer associated with your
USB headphones by choosing the appropriate device:

$ mixerctl -f /dev/mixer1 
outputs.play=0,0
outputs.play_loud=on
outputs.play_mute=off
record.enable=sysctl

However, as in this example, I think you will only get a few generic
controls.

It is my theoretical understanding that USB audio gadgets typically
come with a uhid(4) device, as does yours above, and you would use
usbhidctl(1) to list and manipulate the available controls.

In practice, I only get some variant of

usbhidctl: USB_GET_REPORT (probably not supported by device): Input/output error

when I try this.  So either I'm mistaken or there is a problem
somewhere.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: One-shot upgrade script

2019-04-27 Thread Christian Weisgerber
On 2019-04-27, Kevin Chadwick  wrote:

> How difficult would it be to have a sysupgrade flag to

What sysupgrade and the unattended upgrade do is they automate an
upgrade with ALL DEFAULT settings.  Like only pressing enter in the
installer's (U)pgrade mode.

If you want non-defaults, then you need to run a manual upgrade.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: One-shot upgrade script

2019-04-25 Thread Christian Weisgerber
On 2019-04-24, Christian Weisgerber  wrote:

> With florian@'s additions in -current, I have now extended the
> script to download the sets and kick off an unattended upgrade.

... and this has now been supplanted by /usr/sbin/sysupgrade.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: One-shot upgrade script

2019-04-25 Thread Christian Weisgerber
Vijay Sankar:

> Tested it on a system running

I'm not asking for tests.

It's just a little script I find helpful to make use of the unattended
upgrade functionality that was added to -current.  I posted the
script because somebody else might find it useful, too.  Or use it
as a starting point or an inspiration for something that better
fits their needs.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



One-shot upgrade script

2019-04-24 Thread Christian Weisgerber
I don't remember if I ever posted it, but I've been using an "upgrade"
script to download bsd.rd, verify it, move it to /bsd, and reboot.
With florian@'s additions in -current, I have now extended the
script to download the sets and kick off an unattended upgrade.

In the best case, you simply run
# ./upgrade
and the machine will upgrade itself without any further intervention.


#!/bin/sh -e

# Mirror to use: the command-line argument, else /etc/installurl (comments
# and blank lines stripped), else the main OpenBSD server.
case $# in
0)  installurl=$(sed 's/#.*//;/^$/d' /etc/installurl) 2>/dev/null ||
        installurl=https://ftp.openbsd.org/pub/OpenBSD
    ;;
1)  installurl=$1
    ;;
*)  echo "usage: ${0##*/} [server_URL]" >&2 ; exit 1 ;;
esac

arch=$(sysctl -n hw.machine)
urlbase=$installurl/snapshots/$arch

mkdir -p /home/upgrade
cd /home/upgrade
ftp "$urlbase/SHA256.sig"

# Take the release number from the base set's name, select the matching
# signify(1) key, and verify the embedded signature on SHA256.sig before
# trusting anything in it (the extracted message is discarded).
version=$(sed -n 's/^SHA256 (base\([0-9]\{2,3\}\)\.tgz) .*/\1/p' SHA256.sig)
test -n "$version"
pubkey=/etc/signify/openbsd-$version-base.pub
signify -V -p "$pubkey" -x SHA256.sig -e -m /dev/null

# Fetch INSTALL.$arch, the kernels and the sets, check every download
# against the signed checksum list, then stage bsd.rd for the unattended
# upgrade.
sets=$(sed -e 's/^SHA256 (\(.*\)) .*/\1/' \
    -e "/^INSTALL.$arch\$/p;/^bsd/p;/$version\.tgz\$/p;d" SHA256.sig)
ftp $(for i in $sets; do echo "$urlbase/$i"; done)
signify -C -p "$pubkey" -x SHA256.sig $sets
cp bsd.rd /bsd.upgrade
reboot


-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: ssh-keygen(1) fingerprint hashes

2019-03-31 Thread Christian Weisgerber
On 2019-03-31, randy.hart...@gmail.com  wrote:

> ssh-keygen's available hashes are md5, sha1, sha256, sha384, and
> sha512 (See digest-{openssl,libc}.c).  ssh-keygen(1)'s man page
> shows valid fingerprint hashes as only md5 and sha256.  All these
> hashes[1] were available when the man page declared only the subset
> as valid.  I'm able to use the others with the -E option but is
> there a reason to not consider them valid?

It's an implementation artifact and the other hash algorithms don't
add any value.

MD5 hashes were historically used, but MD5 is broken.  SHA256 is
the modern replacement for this purpose.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
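How the SHA256 fingerprint in the reply above is derived, as an added example that is not part of the thread: it is the SHA256 digest of the raw, base64-decoded key blob, base64-encoded again with the "=" padding dropped, which is what ssh-keygen -l prints. The script computes that from a public key line and compares it with a fingerprint obtained out of band; it assumes base64(1) and openssl(1) on the PATH and does not call ssh-keygen. The key in it is a constructed sample (its blob decodes to the bytes "abc"), not a real key, and the function names are mine. The MD5 form is left out for the reason the reply gives.

```shell
#!/bin/sh
# Added example, not from the thread: compute the "SHA256:..." fingerprint of a
# public key line the way ssh-keygen -l does, and compare it to a known value.

# $1 is a public key line: "<type> <base64 blob> [comment]".
# Fingerprint = base64(SHA256(decoded blob)) without trailing "=" padding.
ssh_fingerprint() {
    blob=$(printf '%s\n' "$1" | awk '{ print $2 }')
    [ -n "$blob" ] || return 1
    hash=$(printf '%s' "$blob" | base64 -d |
        openssl dgst -sha256 -binary | base64 | tr -d '=\n')
    printf 'SHA256:%s\n' "$hash"
}

# Compare a key line against the fingerprint you obtained through another
# channel (a project's published list, a note from the admin). 0 on match.
fingerprint_matches() {
    [ "$(ssh_fingerprint "$1")" = "$2" ]
}

# Constructed sample, not a real SSH key: the blob "YWJj" is base64 for the
# three bytes "abc", whose SHA256 digest is a well-known test vector.
SAMPLE_KEY='ssh-ed25519 YWJj constructed-sample'
SAMPLE_FP='SHA256:ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0'

if fingerprint_matches "$SAMPLE_KEY" "$SAMPLE_FP"; then
    echo "sample key matches expected fingerprint"
else
    echo "sample key does NOT match expected fingerprint"
fi
```

Feeding a real key line (for instance one from a known_hosts file, with the host field removed) to `ssh_fingerprint` produces the same string as `ssh-keygen -lf` on that key, so the comparison can be scripted for host key checks.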



xhci isochronous transfers (was: Re: CVS: cvs.openbsd.org: src)

2019-03-16 Thread Christian Weisgerber
On 2019-03-15, Patrick Wildt  wrote:

> CVSROOT:  /cvs
> Module name:  src
> Changes by:   patr...@cvs.openbsd.org 2019/03/15 17:20:35
>
> Modified files:
>   sys/dev/usb: xhci.c 
>
> Log message:
> Improve and enable isochronous transfers in xhci(4). [...]

Wow, that appears to be the crucial step many people have been
waiting for.  With this, I can now play sound through my USB audio
dongle connected to a "new" (~5-year old) machine:

usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
...
uaudio0 at uhub0 port 9 configuration 1 interface 1 "C-Media INC. USB Sound Device" rev 1.10/0.10 addr 4
uaudio0: class v1, full-speed, sync, channels: 2 play, 0 rec, 4 ctls
audio1 at uaudio0

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Meinberg Funkuhren DCF77 clocks

2019-03-13 Thread Christian Weisgerber
Peter J. Philipp:

> Thanks for your reply.  I mailed meinberg whether they give out datasheets to
> their products so that I can modify the driver.  If I don't manage to make the
> new one working, is there interest by german or european developers to take
> on the hardware or money to buy their own device?

I'm geographically well-positioned for DCF77.  Not sure I'm any
better qualified for driver work, though.

> I don't know if the original umbg(4) driver author is still at
> OpenBSD...

No, he is not.  Except for nmea(4), I don't think any other developer
has any of the devices for which he added timedelta drivers.  I doubt
any users do either.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: How to make X listen tcp again?

2019-03-09 Thread Christian Weisgerber
On 2019-03-09, Roderick  wrote:

> The default changed, X does not receive Tcp connections.

In addition, the default /etc/pf.conf blocks connections to the
X11 server:

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Meinberg Funkuhren DCF77 clocks

2019-03-08 Thread Christian Weisgerber
On 2019-03-08, "Peter J. Philipp"  wrote:

> I'm wondering if this particular USB clock is supported in OpenBSD.
> https://www.meinbergglobal.com/english/products/usb-dcf77-clock.htm
> it's predecessor is the USB5131 model, which is supported under the
> umbg(4) driver.

(I hate "I don't know either" replies, but in this case I doubt
you'll get a definitive answer.)

I took a quick look at Meinberg's Linux driver package...
https://www.meinbergglobal.com/download/drivers/mbgtools-lx-4.2.2.tar.gz
... but I got lost in the ifdef and abstraction maze.

The DCF600USB will definitely not work out of the box, since it has
a different product ID from the USB5131.  Beyond that, I can't tell.
The DCF600USB has a "v2" USB interface as opposed to the USB5131,
but while a flag for this is passed around, I couldn't see where
it's used.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: does crypto softraid implies disk integrity check?

2019-02-13 Thread Christian Weisgerber
Solene Rapenne:

> When using a bioctl crypto softraid, as blocks are encrypted
> on the disk, does it mean the system can detect if disk has
> been altered when reading a block?

No.  Crypto softraid uses AES-XTS, which does not include any sort
of integrity or authentication check.  (This would require a
significant change to the storage layout: Where would the checksums
go?)  Malleability is limited: Flipping a bit in the encrypted data
will randomize a 16-byte chunk in the decrypted data.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Modern CPUs AES-NI enabling system wide

2019-02-03 Thread Christian Weisgerber
On 2019-02-03, Stuart Henderson  wrote:

>> If your CPU supports AES-NI, the kernel and base software will use it by
>> default.
>
> You do need to pick suitable ciphers though. And it is only supported
> on OpenBSD/amd64 not OpenBSD/i386.

Only the kernel support (IPsec, softraid crypto) is limited to
amd64.  The userland can still use AES-NI on i386; specifically,
LibreSSL does.  Of course all CPUs that support AES-NI can also run
amd64.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Slow VPN Performance

2019-01-21 Thread Christian Weisgerber
On 2019-01-21, Radek  wrote:

> ikev2 quick active esp from $local_gw to $remote_gw \
> from $local_lan to $remote_lan peer $remote_gw \
> ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
> childsa enc aes-128-ctr \
> psk "pass"
>
> That increased VPN throughput up to 750KB/s but it is still too slow.

A net5501 is very slow by today's standards.  I don't remember if
that speed is expected.  Assuming that encryption/decryption is the
actual bottleneck:

The phase 1 negotiation (ikesa) is only used when the encrypted
channel is set up.  Tweaking the parameters there has no effect on
the performance of the actual data transfer, which is instead
determined by the phase 2 (childsa) algorithms.

The Geode LX CPU in the net5501 offers hardware acceleration for
AES-128-CBC and nothing else. Not AES-192 or -256, not CTR mode.
You can combine this with the cheapest authentication available,
which is HMAC-MD5. The HMAC construction is not affected by the
known vulnerabilities of MD5.

In short, I'd use "childsa enc aes-128 auth hmac-md5" for maximum
throughput on this hardware.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
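The childsa choices from the two IPsec threads above (the APU2 discussion of AES-GCM, and the net5501 answer just above), side by side as an added iked.conf(5) example that is not from either thread. The policy names, addresses and pre-shared key are placeholders.

```conf
# Added example, not from the threads: three childsa choices next to each
# other. Addresses, names and the PSK are placeholders.

# 1. The APU2 poster's original proposal: a separate cipher and HMAC.
#    HMAC-SHA2 is the expensive half of this pair.
ikev2 "slow" active esp from 192.0.2.0/24 to 198.51.100.0/24 \
    peer 203.0.113.1 \
    childsa enc aes-256 auth hmac-sha2-256 \
    psk "placeholder"

# 2. AES-NI hardware such as the APU2 family: AES-GCM is an authenticated
#    encryption algorithm, so there is no "auth" keyword at all.
ikev2 "aesni" active esp from 192.0.2.0/24 to 198.51.100.0/24 \
    peer 203.0.113.1 \
    childsa enc aes-128-gcm \
    psk "placeholder"

# 3. Geode LX (net5501): only AES-128-CBC is accelerated, paired with the
#    cheapest HMAC. Note that ikesa parameters only affect the handshake
#    and have no bearing on data-transfer throughput.
ikev2 "geode" active esp from 192.0.2.0/24 to 198.51.100.0/24 \
    peer 203.0.113.1 \
    childsa enc aes-128 auth hmac-md5 \
    psk "placeholder"
```

Only one of these policies would be active for a given peer; they are listed together so the difference in the childsa line is easy to see.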



Re: console radeondrm default font change

2019-01-04 Thread Christian Weisgerber
On 2019-01-04, Mihai Popescu  wrote:

> Can someone tell me a font close to this to use for xterm in X?

ports/fonts/spleen

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Error output from ndp -an

2018-12-28 Thread Christian Weisgerber
On 2018-12-28, Denis Fondras  wrote:

>> I'm using OpenBSD 6.4 on a pcengines apu2 box as a router/firewall for a
>> CenturyLink DSL (pppoe) connection.
>> 
>> [aaron@apu2] ~$ ndp -an
>> Neighbor                             Linklayer Address  Netif Expire    S Flags
>> ndp: ioctl(SIOCGNBRINFO_IN6): Invalid argument
>> ndp: failed to get neighbor information
>
> Are you sure ndp and the kernel are in sync ?

It's a problem with pppoe interfaces.

# ndp -an
...
ndp: ioctl(SIOCGNBRINFO_IN6): Invalid argument
ndp: failed to get neighbor information
fe80::100:100:3e9b:f6ab%pppoe0   (incomplete)   pppoe0   
...

OpenBSD 6.4-current (GENERIC.MP) #0: Tue Dec 11 17:26:50 CET 2018

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: pkg_add source code modification

2018-12-15 Thread Christian Weisgerber
On 2018-12-15, Mihai Popescu  wrote:

> I want to modify the char used for pkg_add (and other pkg_ suite)
> progress bar from "*" to "|" but i am unable to figure out where is
> the actual code for this. I managed to found /usr/sbin/pkg_add but
> there are another links in there, and perl for me is a no idea
> language.

Well, you need to understand that the code for the pkg tools is
mostly found in numerous Perl modules--the files in the OpenBSD
directory under src/usr.sbin/pkg_add.

From there it's a reasonable guess that this asterisk probably shows
up as some sort of string or character constant, i.e., something
like '*' or "*", so with the proper shell quoting you run a recursive
grep for this... Bingo, there it is.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: undefined symbol tgetent

2018-11-12 Thread Christian Weisgerber
On 2018-11-12, Michael Steeves  wrote:

> I've updated my system to the latest snapshot, and then upgraded all the
> packages (and rebooted for good measure), but I still see these errors. I
> assume there's no simple fix for this, and I'd need to either file bugs (and
> wait until they're fixed), or else build the ports myself?

The problem is known and understood.  It's now a matter of either
(1) pushing for a general solution in base or (2) fixing all 30+
potentially affected ports individually.  We'll just have to wait
until somebody gets around to doing either.

Building the port yourself will just reproduce the problem.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: No mips64el in 6.4 package

2018-11-11 Thread Christian Weisgerber
On 2018-11-11, Lingyun Zheng  wrote:

> There is no "mips64el" directory under
> https://cdn.openbsd.org/pub/OpenBSD/6.4/packages/
> Do we have any plan to add it?

Once the packages have finished building, yes.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Easiest way to automatically run a script after reboot

2018-11-10 Thread Christian Weisgerber
On 2018-11-10, Steve Williams  wrote:

> I have a script that I would like run after all the network is 
> configured, daemons started, etc.
>
> I looked at rc.local, but am not sure what is actually started after the 
> rc.local runs.

Let's take a look at /etc/rc:

...
  [[ -f /etc/rc.local ]] && sh /etc/rc.local

  # Disable carp interlock.
  ifconfig -g carp -carpdemote 128

  mixerctl_conf

  echo -n 'starting local daemons:'
  start_daemon apmd sensorsd hotplugd watchdogd cron wsmoused xenodm
  echo '.'
...

Also, as you can see, cron(8) is started late, and you can put a
@reboot entry into crontab(5).

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: colorls: How to make the blue bright for readability, and a note about its origins

2018-11-05 Thread Christian Weisgerber
On 2018-11-05, Joseph Mayer  wrote:

> This is how to make OpenBSD's colorls show directories bright blue,
> instead of dark blue which may be too dark to be readable on some
> screens:

This is a general problem with the primitive 8/16-color system from
ECMA-48 ("ANSI colors").  Some text colors only work well with a
light background, some only with a dark background.

> The colorls port [1] is interesting, its source [2] seems to be a fork
> of the BSD codebase's ls dating back to 1980, the man page doesn't
> mention any particular authorship, and its code was updated as
> recently as this year.

It's simply OpenBSD's src/bin/ls with a color patch from FreeBSD
on top.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Which key shortcuts are safe to bind and some Q:s about history and OS diffs Re: Ctrl+4 means SIGQUIT+coredump, where is this documented, what more shortcuts are there?

2018-11-01 Thread Christian Weisgerber
On 2018-11-01, Tinker  wrote:

>> > No idea how ^4 is mapped to ^\, but for some reason it is,
>>
>> See "Table 3-5 Keys Used to Generate 7-Bit Control Characters" in
>> the VT220 Programmer Reference Manual:
>> https://vt100.net/docs/vt220-rm/table3-5.html
>
> Historical reasons, a ha.

And I'll venture a guess why DEC added those combinations:  In order
to type ^[ ^\ ^] to produce the ESC, FS, GS characters, you need
keys for [ \ ].  If you look at non-English keyboard layouts, you'll
see that the corresponding keys have been re-purposed for other
characters.  In the old days of national ASCII variants, even the
characters [ \ ] didn't exist in many national encodings.  Later,
when extended 8-bit character sets were introduced, [ \ ] were only
made available in a secondary mapping reachable with an extra
modifier key (AltGr or such).  And that's the situation right into
the present.

By contrast, combinations like ^3, ^4, ^5 were readily available
on keyboards.

https://en.wikipedia.org/wiki/ISO/IEC_646#ISO_646_national_variants

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Ctrl+4 means SIGQUIT+coredump, where is this documented, what more shortcuts are there?

2018-10-31 Thread Christian Weisgerber
On 2018-10-31, Stuart Henderson  wrote:

> No idea how ^4 is mapped to ^\, but for some reason it is,

This goes back to the VT220, if not older terminals.  Ctrl-3 for
ESC aka ^[ is particularly handy if the Esc key is in some inconvenient
place as on most PC keyboards.

See "Table 3-5 Keys Used to Generate 7-Bit Control Characters" in
the VT220 Programmer Reference Manual:
https://vt100.net/docs/vt220-rm/table3-5.html

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: phonetic alphabet on OpenBSD

2018-10-22 Thread Christian Weisgerber
Chris Bennett:

> When I last looked, apparently IPA had two fonts, neither of which
> worked for all the characters. Is this still true?

You don't need extra fonts.  IPA is covered both by Deja Vu that
OpenBSD ships as the default TrueType font, as well as xterm's
default bitmap font.

> I have to ask also, is the audio quality that comes out the speakers (in
> general) good enough to learn the proper sounds? Every device I have
> seems to have wildly varying qualities and characteristics.
> For example, (OK, not OpenBSD but somewhat relevant) if I wanted to
> listen to the speech coming out of Google Translate, would a native
> speaker of say Spanish, German or Russian consider the sounds "proper"?

What a bizarre question.  Listen to English dialog from your speaker
setup.  Does it sound like "proper" English?  Anything that plays
music in reasonable quality--so *anything*, really--will more than
do for human speech.

Google Translate's audio is machine-generated text-to-speech output.
Again, check what it does for English.

> Is there any software that makes proper sounds available (to port, I'm
> too poor to buy non-free)?

You might find this interactive IPA chart useful:
http://www.ipachart.com/

> Haven't yet seen a class offering:
> "How to correct your pronunciation years later to sound normal"

That's the work of speech therapists and dialect coaches.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: phonetic alphabet on OpenBSD

2018-10-14 Thread Christian Weisgerber
On 2018-10-14, Jan Stary  wrote:

> Are there any phoneticians running on OpenBSD?

I still haven't read Ladefoged yet, but I use IPA somewhat regularly.

> How do you type the phonetic alphabet in vim?
> Is there a standard keyboard layout for the English part of IPA?

I don't use vim, but the sad answer is that I copy and paste,
principally from Wikipedia's IPA page.  If you're only dealing with
English, the Help:IPA/English page is more convenient.

In general, I use the X11 compose key to enter special characters.
See /usr/X11R6/share/X11/locale/en_US.UTF-8/Compose for the available
combinations.  That's sufficient for entering the letters and
diacritics used in all European languages that use the Latin alphabet.
However, it does not cover IPA.

Vim comes with its own "digraph" system, which uses the RFC1345
digraphs by default.  They cover a wide range, including Greek and
Cyrillic, but alas, there's another big hole in the Unicode range
where the IPA block (U+0250..02AF) is.

> but I am looking for a "standard" way.

I suspect people use an on-screen keyboard / character picker.

In fact, googling for  immediately finds a
bunch of web-based ones.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: autri(4) disabled by default

2018-07-31 Thread Christian Weisgerber
On 2018-07-31, Janne Johansson  wrote:

>> I see autri(4) is disabled by default in an amd64 kernel, probably
>> others too, and has been for a very long time.
>
> Seems like it came over with the initial amd64 port from i386, and noone
> tested it on amd64, so it never got enabled but remained commented out.

It worked on sparc64, where it is enabled by default, back when I
still had a Blade 100.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: supported Audio card with SPDIF input

2018-07-25 Thread Christian Weisgerber
On 2018-07-24, Diana Eichert  wrote:

> I'm trying to connect to an audio system that only has SPDIF output.
> I looked at man pages but nothing obvious regarding supported audio
> devices with SPDIF input support.
>
> Anyone have recommendations?  Or is it supported?

Your best bet is azalia(4), i.e., it needs to be supported by the
motherboard.

There are uaudio(4) devices with SPDIF output, however there you
may run into issues with our USB support and audio devices.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: ISDN Card /PRI Card support on OpenBSD

2018-07-11 Thread Christian Weisgerber
On 2018-07-11, Tom Smyth  wrote:

> this is an odd one but I have a client that needs to
> migrate some legacy services
> Is there support for ISDN type interfaces in OpenBSD ?

No.

(Once upon a time there was something called isdn4bsd, but I don't
think it was ever officially integrated into OpenBSD, and that's
from, oh, twenty years ago.)

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Status of mips64el packages for 6.3

2018-05-11 Thread Christian Weisgerber
On 2018-05-10, Xiyue Deng  wrote:

> I noticed that a few days ago (maybe around Monday) the 6.3 release
> page[1] has updated mips64el package count:
>
> mips64el: 8254

Sorry, these are indeed ready, but they haven't been uploaded to
the release directory yet.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Check if fsck will be run on a partition

2018-04-01 Thread Christian Weisgerber
On 2018-04-01, Mik J  wrote:

> How can I know if the partition needs to be checked by fsck, I'd like to test 
> that.

Check the output of dumpfs.  clean=0 means that the filesystem is
dirty and fsck should be run.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
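An added example, not part of the thread above: a small POSIX sh helper that pulls the clean flag out of dumpfs(8) output and turns it into a yes/no answer. It assumes dumpfs prints the superblock as lines of whitespace-separated key/value pairs with a "clean" keyword followed by 0 or 1, as OpenBSD's dumpfs does for FFS; the two sample outputs are constructed and heavily abbreviated.

```shell
#!/bin/sh
# Added example (not from the thread): read the "clean" field from
# dumpfs(8) output.  Assumption: dumpfs prints key/value pairs separated
# by whitespace, including "... ronly N clean N".  The samples below are
# constructed, abbreviated dumpfs output, not captured from a real disk.

SAMPLE_CLEAN='magic   11954 (FFS1)    time    Sun Apr  1 10:00:00 2018
superblock location     8192    id      [ 5ac0a1b2 3c4d5e6f ]
cgrotor 0       fmod    0       ronly   0       clean   1'

SAMPLE_DIRTY='magic   11954 (FFS1)    time    Sun Apr  1 10:00:00 2018
superblock location     8192    id      [ 5ac0a1b2 3c4d5e6f ]
cgrotor 3       fmod    1       ronly   0       clean   0'

# ffs_clean_flag: read dumpfs output on stdin and print the value that
# follows the "clean" keyword.  Exit status 1 if no such field exists.
ffs_clean_flag() {
	awk '
	{
		for (i = 1; i < NF; i++)
			if ($i == "clean") { print $(i + 1); found = 1; exit }
	}
	END { exit found ? 0 : 1 }'
}

# verdict_for TEXT: apply the decision to already-captured dumpfs text,
# so the logic can be exercised without a disk.  Prints "dirty" when
# clean=0, "clean" when clean=1, "unknown" (exit 2) if the field is missing.
verdict_for() {
	flag=$(printf '%s\n' "$1" | ffs_clean_flag) || { echo "unknown"; return 2; }
	if [ "$flag" = "0" ]; then echo "dirty"; else echo "clean"; fi
}

# fs_needs_fsck DEVICE: run dumpfs on a real raw device (e.g. /dev/rsd0a)
# and exit 0 when the filesystem is marked dirty, 1 when clean, 2 on error.
fs_needs_fsck() {
	flag=$(dumpfs "$1" 2>/dev/null | ffs_clean_flag) || return 2
	[ "$flag" = "0" ]
}
```

Caveat for anyone scripting this: dumpfs reads the on-disk superblock, and FFS clears the clean flag when a filesystem is mounted read-write and only sets it again on a clean unmount, so a mounted rw filesystem will report clean=0 even though nothing is wrong. Run the check against unmounted (or read-only mounted) partitions, which is the situation fsck's preen mode cares about anyway.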



Re: minor too small - pkg_add

2018-03-19 Thread Christian Weisgerber
Patrick Marchand:

> I updated to the latest snapshot yesterday and when I run 
> pkg_add -Dsnap -u a bunch of pkg will not upgrade because it cant find
> ssl.44.9
> 
> It does find 44.8 and 45 but not that specific version, last week I had

You updated from a base snapshot that had libssl.so.44.8 to one that
has 45.0, but skipped the intervening 44.9 one.  Unfortunately, the
package snapshot had been built against 44.9.

> a similar issue with libm. Now I can get around the error by building
> the packages in ports, but I was wondering if there was an easy fix.

Wait a few hours until the next packages, built against 45.0, hit
the mirrors.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
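An added example, not part of the thread: the shared library matching rule behind the "minor too small" error, written out as a shell function. It assumes the OpenBSD ld.so rule for libfoo.so.MAJOR.MINOR (the installed library must have the same major as the one the binary was linked against and a minor that is at least as large) and uses a constructed inventory that mirrors the situation described above, libssl.so.44.8 and 45.0 installed while packages want 44.9.

```shell
#!/bin/sh
# Added example (not from the thread): OpenBSD shared library matching.
# Assumption: a binary linked against libX.so.M.N is satisfied by an
# installed libX.so.M'.N' only when M' == M and N' >= N.

# lib_satisfies AVAILABLE REQUIRED: both given as "MAJOR.MINOR".
lib_satisfies() {
	a_major=${1%%.*}; a_minor=${1#*.}
	r_major=${2%%.*}; r_minor=${2#*.}
	[ "$a_major" -eq "$r_major" ] && [ "$a_minor" -ge "$r_minor" ]
}

# why_not AVAILABLE REQUIRED: explain a mismatch in ld.so's terms.
why_not() {
	a_major=${1%%.*}; a_minor=${1#*.}
	r_major=${2%%.*}; r_minor=${2#*.}
	if [ "$a_major" -ne "$r_major" ]; then
		echo "major mismatch ($a_major != $r_major)"
	elif [ "$a_minor" -lt "$r_minor" ]; then
		echo "minor too small ($a_minor < $r_minor)"
	else
		echo "ok"
	fi
}

# resolve REQUIRED VERSIONS...: print the first installed version that
# satisfies REQUIRED, or "none" (exit 1) when, as in the thread, the
# installed set skips the version the packages were built against.
resolve() {
	req=$1; shift
	for v in "$@"; do
		if lib_satisfies "$v" "$req"; then echo "$v"; return 0; fi
	done
	echo "none"
	return 1
}

# Constructed inventory mirroring the report: 44.8 and 45.0 present, 44.9 wanted.
INSTALLED_SSL="44.8 45.0"
```

With this inventory, resolve 44.9 $INSTALLED_SSL prints "none": 44.8 fails on the minor, 45.0 fails on the major, which is exactly why neither library on the box could be used and waiting for packages built against 45.0 was the fix. On a live system the installed versions come from something like ls /usr/lib/libssl.so.* with the prefix stripped.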



Re: Meltdown workaround enabled?

2018-03-14 Thread Christian Weisgerber
On 2018-03-14, "Robert Paschedag"  wrote:

> Errdo I get it right, that a possibly vulnerable CPU
> (from 2016) is still vulnerable to MELTDOWN but a newer
> BIOS *fakes* the CPU flags so the MELTDOWN "detection code"
> says, "this CPU is NOT vulnerable"
>
> Is that right?

The newer BIOS includes new microcode.  As reported by the cpuid 7
edx return, this microcode adds:

- IBRS/IBPB speculation control
- STIBP speculation control
  These can be used by the operating system to mitigate Spectre
  V2 vulnerabilities.

- IA32_ARCH_CAPABILITIES model-specific register
  - RDCL_NO indicator
  This indicates that the CPU is not vulnerable to Meltdown (V3).

The gracious assumption is that the CPU (Apollo Lake/Goldmont)
either wasn't vulnerable to Meltdown in the first place or that it
could be fixed by the new microcode.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Meltdown workaround enabled?

2018-03-13 Thread Christian Weisgerber
On 2018-03-13, Brian Camp  wrote:

> Non-working (Celeron J3455) -
>
> bcamp@nuc6cayh:~ (OpenBSD 6.2)
> $ cpuid 0x0
> eax = 0x00000015          21 ""
> ebx = 0x756e6547  1970169159 "Genu"
> ecx = 0x6c65746e  1818588270 "ntel"
> edx = 0x49656e69  1231384169 "ineI"
> bcamp@nuc6cayh:~ (OpenBSD 6.2)
> $ cpuid 0x7
> eax = 0x00000000           0 ""
> ebx = 0x2294e283   580182659 "???""
> ecx = 0x00000000           0 ""
> edx = 0x2c000000   738197504 "???,"
          ^

It appears the CPU explicitly claims that it is not vulnerable to
Meltdown, i.e., it indicates that it has support for the
IA32_ARCH_CAPABILITIES register and there the RDCL_NO bit must be
set.

I find this surprising.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
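An added example, not part of either Meltdown message above: a POSIX sh decoder for the CPUID leaf 7 EDX bits that both replies rely on, fed with the 0x2c000000 value from the Celeron J3455. Bit positions are Intel's (leaf 07H, sub-leaf 0, EDX): bit 26 IBRS/IBPB, bit 27 STIBP, bit 29 IA32_ARCH_CAPABILITIES MSR present. RDCL_NO itself is bit 0 of that MSR (0x10a), which cannot be read from userland, so the function that reasons about Meltdown takes the MSR value as an argument supplied by the caller; the MSR values in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decode the CPUID.(EAX=7,ECX=0):EDX
# bits discussed above.  Bit numbers per Intel SDM: 26 IBRS/IBPB,
# 27 STIBP, 29 IA32_ARCH_CAPABILITIES MSR available.  RDCL_NO is bit 0 of
# IA32_ARCH_CAPABILITIES (MSR 0x10a) and must be read with rdmsr in the
# kernel, so it is passed in by the caller here.

# cpuid7_edx_features VALUE: VALUE is hex (0x...) or decimal.  Prints the
# mitigation-related feature names present, one per line, in bit order.
cpuid7_edx_features() {
	edx=$(( $1 ))
	[ $(( (edx >> 26) & 1 )) -eq 1 ] && echo "IBRS_IBPB"
	[ $(( (edx >> 27) & 1 )) -eq 1 ] && echo "STIBP"
	[ $(( (edx >> 29) & 1 )) -eq 1 ] && echo "ARCH_CAPABILITIES"
	return 0
}

# has_arch_capabilities VALUE: exit 0 when bit 29 is set, i.e. the CPU
# exposes IA32_ARCH_CAPABILITIES and RDCL_NO can be consulted at all.
has_arch_capabilities() {
	edx=$(( $1 ))
	[ $(( (edx >> 29) & 1 )) -eq 1 ]
}

# meltdown_status CPUID7_EDX [ARCH_CAPABILITIES_MSR]: the decision a
# kernel makes.  Without the MSR the CPU must be assumed vulnerable;
# with it, RDCL_NO (bit 0) set means "not vulnerable, skip the
# workaround".  Prints one of:
#   assume-vulnerable   (no MSR advertised)
#   msr-not-provided    (MSR advertised but caller did not supply it)
#   not-vulnerable      (RDCL_NO set)
#   vulnerable          (RDCL_NO clear)
meltdown_status() {
	if ! has_arch_capabilities "$1"; then
		echo "assume-vulnerable"; return 0
	fi
	[ $# -ge 2 ] || { echo "msr-not-provided"; return 0; }
	msr=$(( $2 ))
	if [ $(( msr & 1 )) -eq 1 ]; then
		echo "not-vulnerable"
	else
		echo "vulnerable"
	fi
}
```

For the J3455 value, cpuid7_edx_features 0x2c000000 lists all three features, which is the reading given above: the microcode advertises the speculation controls and the capabilities MSR. Whether RDCL_NO is actually set is then a one-bit check on the MSR, which is why the reply says it "must be" set rather than showing it; a kernel with the microcode loaded is the only place that can confirm it.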


