Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
Hi,
On Thu, 30.04.2009 at 11:21:50 -0600, Bob Beck b...@openbsd.org wrote:
The best place to get OpenBSD is from an official CD set, produced in a secured location
FWIW, I have what I think are official CDs, and they contain OS code dated 2009-02-28 22:41 UTC. This means the official code was produced two months before the release date.
--
Kind regards, --Toni++
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
e.g. ftp://mirrors.nic.funet.fi/ftp.openbsd.org/pub/OpenBSD/
I'll make a bulk check of the mirrors that haven't got 4.5 yet sometime soon and remind them to update their rsync inclusion lists. I'll give it a bit longer because some are probably still trying to fetch the release.
And there is a big difference between a mirror that is behind, and a mirror that is providing you with something that is not what it purports to be.
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me
rembrandt rembra...@jpberlin.de writes: :words: Here's a nickel, kid. Buy yourself a better tinfoil hat. //art
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
Mike Belopuhov wrote:
C'mon, ftp.kd86.com was delisted from the ftp.html page on Mon Apr 6. Can you just stop bashing Wim? It doesn't make anyone happier (except Theo probably).
+1
Or maybe we should rush searching the whole fscking internet for the incorrect OpenBSD mirrors?
e.g. ftp://mirrors.nic.funet.fi/ftp.openbsd.org/pub/OpenBSD/
-Lars
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
On 2009-05-05, Lars Nooden lars.cura...@gmail.com wrote:
Mike Belopuhov wrote:
Or maybe we should rush searching the whole fscking internet for the incorrect OpenBSD mirrors?
e.g. ftp://mirrors.nic.funet.fi/ftp.openbsd.org/pub/OpenBSD/
I'll make a bulk check of the mirrors that haven't got 4.5 yet sometime soon and remind them to update their rsync inclusion lists. I'll give it a bit longer because some are probably still trying to fetch the release.
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
On Mon, May 04, 2009 at 01:38:16PM -0600, Bob Beck wrote:
Look dude, that ftp site made something available before any of the second level mirrors were even opened up to other sites to retrieve it. Deliberate action was taken to release something early without mirroring it from a credible source. Judging by the contents, not all of it was exactly 4.5. This is cause for concern to anyone using the mirror.
How many unofficial ftp servers are there on this dangerous internet which are or might or could be having wrong packages? This is what ftp.html is all about right? Why is there a list of official mirrors anyway?
It's not like the operator of the site could have done this *accidentally* - This showed some kind of deliberate intent to release something early, and they obviously didn't seem too concerned if it was 100% correct. I don't know the reason, and I don't care to. All I know is that when we see it, that says danger.
This is the German coast guard. We are thinking... That's ridiculous.
Mirroring is based upon trust. Whoever's running that site obviously decided to go rogue and do something goofy. I don't care who mirrors openbsd, but I expect them to actually mirror it through authorized channels, not put something up early that is deceptive to the users and potentially harmful. When we *SEE* evidence of this being done, not telling the user community is simply irresponsible.
great reasoning. Now I get it! The word I was missing is trust. I almost forgot: In god we trust. Thanks for the reminder.
* Mike Belopuhov mi...@lucifier.net [2009-05-04 04:55]:
C'mon, ftp.kd86.com was delisted from the ftp.html page on Mon Apr 6. Can you just stop bashing Wim? It doesn't make anyone happier (except Theo probably). Or maybe we should rush searching the whole fscking internet for the incorrect OpenBSD mirrors? Chill out, dudes.
On Thu, Apr 30, 2009 at 11:21 -0600, Bob Beck wrote:
Users are cautioned about rogue ftp sites claiming to have OpenBSD. The best place to get OpenBSD is from an official CD set, produced in a secured location
It has come to our attention that some ftp sites (ftp.kd85.com) which are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5 at this time. We have noted that what is actually present in the 4.5 directory is not 4.5, but rather a late development cycle snapshot which they have moved into place claiming it is 4.5.
While we have no problem with anyone mirroring OpenBSD for the good of the user community, we do believe that people who offer up the wrong thing are being deceptive and will hurt the userbase - particularly when the packages being offered up are not the release versions.
please ensure you look at http://www.openbsd.org/ftp.html when choosing to do an ftp install, and don't be fooled by someone phishing for your ftp traffic.
--
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) {
print "Larry and Tom must smoke some really primo stuff...\n";
}
--
Property entails obligations. Its use shall also serve the public good. (Art. 14 II GG)
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
On Mon, May 04, 2009 at 01:38:16PM -0600, Bob Beck wrote:
Look dude, that ftp site made something available before any of the second level mirrors were even opened up to other sites to retrieve it. Deliberate action was taken to release something early without mirroring it from a credible source. Judging by the contents, not all of it was exactly 4.5. This is cause for concern to anyone using the mirror.
How many unofficial ftp servers are there on this dangerous internet which are or might or could be having wrong packages? This is what ftp.html is all about right? Why is there a list of official mirrors anyway?
We provide a service out of the goodness of our hearts. You accept how we do it, and you will shut up, or less service will be provided in the future. If you don't like it, run something else.
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
2009/5/5 Mischa Diehm m...@mailq.de:
On Mon, May 04, 2009 at 01:38:16PM -0600, Bob Beck wrote:
Look dude, that ftp site made something available before any of the second level mirrors were even opened up to other sites to retrieve it. Deliberate action was taken to release something early without mirroring it from a credible source. Judging by the contents, not all of it was exactly 4.5. This is cause for concern to anyone using the mirror.
How many unofficial ftp servers are there on this dangerous internet which are or might or could be having wrong packages? This is what ftp.html is all about right? Why is there a list of official mirrors anyway?
This was a special case though, since kd85.com was previously listed as hosting a second level mirror. Surely it deserves special mention, since so many people would have developed a lot of trust in that mirror.
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
C'mon, ftp.kd86.com was delisted from the ftp.html page on Mon Apr 6. Can you just stop bashing Wim? It doesn't make anyone happier (except Theo probably). Or maybe we should rush searching the whole fscking internet for the incorrect OpenBSD mirrors? Chill out, dudes.
On Thu, Apr 30, 2009 at 11:21 -0600, Bob Beck wrote:
Users are cautioned about rogue ftp sites claiming to have OpenBSD. The best place to get OpenBSD is from an official CD set, produced in a secured location
It has come to our attention that some ftp sites (ftp.kd85.com) which are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5 at this time. We have noted that what is actually present in the 4.5 directory is not 4.5, but rather a late development cycle snapshot which they have moved into place claiming it is 4.5.
While we have no problem with anyone mirroring OpenBSD for the good of the user community, we do believe that people who offer up the wrong thing are being deceptive and will hurt the userbase - particularly when the packages being offered up are not the release versions.
please ensure you look at http://www.openbsd.org/ftp.html when choosing to do an ftp install, and don't be fooled by someone phishing for your ftp traffic.
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
Look dude, that ftp site made something available before any of the second level mirrors were even opened up to other sites to retrieve it. Deliberate action was taken to release something early without mirroring it from a credible source. Judging by the contents, not all of it was exactly 4.5. This is cause for concern to anyone using the mirror.
It's not like the operator of the site could have done this *accidentally* - This showed some kind of deliberate intent to release something early, and they obviously didn't seem too concerned if it was 100% correct. I don't know the reason, and I don't care to. All I know is that when we see it, that says danger.
Mirroring is based upon trust. Whoever's running that site obviously decided to go rogue and do something goofy. I don't care who mirrors openbsd, but I expect them to actually mirror it through authorized channels, not put something up early that is deceptive to the users and potentially harmful. When we *SEE* evidence of this being done, not telling the user community is simply irresponsible.
-Bob
* Mike Belopuhov mi...@lucifier.net [2009-05-04 04:55]:
C'mon, ftp.kd86.com was delisted from the ftp.html page on Mon Apr 6. Can you just stop bashing Wim? It doesn't make anyone happier (except Theo probably). Or maybe we should rush searching the whole fscking internet for the incorrect OpenBSD mirrors? Chill out, dudes.
On Thu, Apr 30, 2009 at 11:21 -0600, Bob Beck wrote:
Users are cautioned about rogue ftp sites claiming to have OpenBSD. The best place to get OpenBSD is from an official CD set, produced in a secured location
It has come to our attention that some ftp sites (ftp.kd85.com) which are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5 at this time. We have noted that what is actually present in the 4.5 directory is not 4.5, but rather a late development cycle snapshot which they have moved into place claiming it is 4.5.
While we have no problem with anyone mirroring OpenBSD for the good of the user community, we do believe that people who offer up the wrong thing are being deceptive and will hurt the userbase - particularly when the packages being offered up are not the release versions.
please ensure you look at http://www.openbsd.org/ftp.html when choosing to do an ftp install, and don't be fooled by someone phishing for your ftp traffic.
--
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) {
print "Larry and Tom must smoke some really primo stuff...\n";
}
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
On Thu, 30 Apr 2009 11:21:50 -0600 Bob Beck b...@openbsd.org wrote:
Users are cautioned about rogue ftp sites claiming to have OpenBSD. The best place to get OpenBSD is from an official CD set, produced in a secured location
It has come to our attention that some ftp sites (ftp.kd85.com) which are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5 at this time. We have noted that what is actually present in the 4.5 directory is not 4.5, but rather a late development cycle snapshot which they have moved into place claiming it is 4.5.
While we have no problem with anyone mirroring OpenBSD for the good of the user community, we do believe that people who offer up the wrong thing are being deceptive and will hurt the userbase - particularly when the packages being offered up are not the release versions.
please ensure you look at http://www.openbsd.org/ftp.html when choosing to do an ftp install, and don't be fooled by someone phishing for your ftp traffic.
Wow! The depths that these scumbags will go is amazing, but I kinda figured something might be wrong when I logged into FTP and saw:
. . . . . . . . . . . . . . NOTICE: NSFW! . . . . . . . . . . . .
331 Guest login ok, send your email address as password.
230- [ASCII-art banner, not recoverable from this copy; the text printed beside it:]
  The proactively insecure Anus-like Orifice System.
  Please visit the OpenBECKSE web site at http://www.openbeckse.org/
  All transfers are logged, if you don't like this policy, disconnect now!
  OpenBECKSE 4.5 is available for order!
  You can order a CD of OpenBECKSE from http://www.openbeckse.org/orders.html
  CD sales are important to support the continued development of the project.
  Hearing him scream like a little girl when he had to hack in NFS was priceless --phessler
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
-- J.C. Roberts
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
2009/5/1 Bob Beck b...@openbsd.org:
Print
Pro forma invoice
Date: 01.05.2009
For GANDI SAS 15, place de la Nation F-75011 Paris France RCS Paris B. 423 093 459 SIRET 423 093 459 00034 APE 6311Z - Capital de 7.622EUR NTVA FR 81 423 093 459 fact...@gandi.net
Customer Bob Beck XX Alberta Edmonton Canada Telephone : XX Email : b...@obtuse.com
Product Description Owner Amount
openbeckse.org Create (3 years) Bob Beck $45.00
Price excl. tax $45.00
Price Incl. tax $45.00
Your FTP server is currently offline. As of this writing, it doesn't even get as far as the welcome banner:
$ ftp ftp.openbeckse.org
ftp: ftp.openbeckse.org: Unknown host
ftp> quit
$ ftp openbeckse.org
ftp: connect: Connection timed out
ftp> quit
regards, --ropers
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
On Thu, Apr 30, 2009 at 6:21 PM, Bob Beck b...@openbsd.org wrote:
The best place to get OpenBSD is from an official CD set, produced in a secured location
Received my official CD set today, thank you all for your hard work!
Steph