CVS: cvs.openbsd.org: ports
CVSROOT:        /cvs
Module name:    ports
Changes by:     k...@cvs.openbsd.org    2022/05/22 19:49:40

Modified files:
        net/tdesktop   : Makefile distinfo

Log message:
Apply Debian's patch to build against Qt5 again

tdesktop's mandatory update to Qt6 in v3.6.3beta introduced at least one regression:
- opening videos/pictures worked only once, i.e. clicking on the first photo after startup would show it in Qt's media viewer, another attempt however would show nothing (video's audio would still be played)

FreeBSD has also applied Debian's partial revert of upstream commits.
Our current v3.7.5beta is still broken. Switching back to Qt5 fixes this.
CVS: cvs.openbsd.org: ports
CVSROOT:        /cvs
Module name:    ports
Changes by:     n...@cvs.openbsd.org    2022/05/22 18:24:58

Modified files:
        net/rsync      : Makefile distinfo
        net/rsync/patches: patch-support_rrsync
        net/rsync/pkg  : PLIST
Added files:
        net/rsync/patches: patch-rsync_1_md patch-rsyncd_conf_5_md
Removed files:
        net/rsync/patches: patch-compat_c patch-configure_sh patch-receiver_c patch-rsync_1 patch-rsyncd_conf_5

Log message:
update net/rsync 3.2.4

NEWS: https://download.samba.org/pub/rsync/NEWS#3.2.4

originally from tj@ with tweaks by me:
- --with-nobody-user=_rsync
- remove compat.c (fixed)
- remove configure.sh (use --with-nobody-user=_rsync instead)
- remove receiver.c (upstreamed)
- rrsync patch: churn and moves from perl to python3
- --with-rrsync and brings in python as BUILD_DEPENDS (not RUN_DEPENDS) and textproc/py-commonmark, needed to run ${WRKSRC}/md-convert. md-convert converts rsync.1.md --> rsync.1, so remove patches for man pages and patch markdown files instead.
- When patching markdown files, mainly keep these two changes: /usr/bin --> ${PREFIX}/bin and nobody --> _rsync.
- remove rsyncd.conf.5 from ${SUBST_CMD}
- --enable-md5-asm only on amd64, as configure check fails on other platforms (from naddy@ to retain checking whether to enable MD5 ASM optimizations... yes (x86_64))

feedback from tj@ espie@ sthen@ naddy@
ok sthen@
CVS: cvs.openbsd.org: ports
CVSROOT:        /cvs
Module name:    ports
Changes by:     n...@cvs.openbsd.org    2022/05/22 17:59:19

Modified files:
        net/rsync      : Tag: OPENBSD_7_1 Makefile
Added files:
        net/rsync/patches: Tag: OPENBSD_7_1 patch-zlib_deflate_c patch-zlib_deflate_h patch-zlib_trees_c

Log message:
backport bundled zlib fix from rsync 3.2.4 for CVE-2018-25032

feedback from naddy@ sthen@
ok sthen@
Re: [update) math/arpack to arpack-ng 3.8.0
I have some small nits but easier to fix those afterwards. One thing that does need doing now is @pkgpath math/arpack added to the top of PLIST-main.

Otherwise OK sthen@

On 2022/05/22 21:02, Martin Reindl wrote:
> So after some discussion and only a tiny wee bit more back-and-forth between
> options with Stuart and Landry we decided it is best to just update the
> existing port.
> The diff below aims to do just that, as initially sought by Volker.
>
> Sorry it took so long.
>
> - new mpi option
> - builds fine with mlpack, armadillo, igraph, octave, ensmallen
> - parpack is not picked by any of the above
> - no quirks or conflict markers necessary
> - tested on arm64, amd64, armv7, hiccups possible on sparc64 and macppc, but
> I cannot test the latter two
>
> OK?
>
> -m
>
> Index: Makefile
> ===
> RCS file: /cvs/ports/math/arpack/Makefile,v
> retrieving revision 1.21
> diff -u -p -u -p -r1.21 Makefile
> --- Makefile 11 Mar 2022 19:36:12 - 1.21
> +++ Makefile 21 May 2022 16:23:31 -
> @@ -1,43 +1,48 @@ > -COMMENT= solve large scale eigenvalue problems > +COMMENT-main = F77 subroutines for solving large scale eigenvalue > problems > +COMMENT-mpi =openmpi for arpack > > -DISTNAME=arpack96 > -PKGNAME= arpack-96 > -REVISION=8 > -SHARED_LIBS= arpack 1.0 > -CATEGORIES= math > - > -HOMEPAGE=http://www.caam.rice.edu/software/ARPACK/ > - > -# BSD license (not in distfile) > -PERMIT_PACKAGE= Yes > - > -MASTER_SITES=${HOMEPAGE}SRC/ > -DISTFILES= ${DISTNAME}.tar.gz patch.tar.gz ug.ps.gz > -DIST_SUBDIR= arpack > - > -MODULES= fortran > -MODFORTRAN_COMPILER =gfortran > -BUILD_DEPENDS= ${MODFORTRAN_BUILD_DEPENDS} > - > -LIB_DEPENDS =math/lapack \ > - math/blas > -WANTLIB =lapack>=1 blas>=1 m > - > -WRKDIST= ${WRKDIR}/ARPACK > -WRKSRC= ${WRKDIST}/SRC > -PICFLAG= -fPIC > -MAKE_FILE= ${FILESDIR}/Makefile > -MAKE_ENV=SHLIB_MAJOR=${LIBarpack_VERSION:R} \ > - SHLIB_MINOR=${LIBarpack_VERSION:E} \ > - FC="${MODFORTRAN_COMPILER} -cpp" \ > - CC=${MODFORTRAN_COMPILER} \ > - NOPROFILE=1 > -FAKE_FLAGS= LIBDIR=${LOCALBASE}/lib DEBUGLIBS=no > +GH_TAGNAME = 3.8.0 > +DISTNAME= arpack-ng-${GH_TAGNAME} > +PKGNAME=arpack-${GH_TAGNAME} > +GH_ACCOUNT = opencollab > +GH_PROJECT = arpack-ng > > -NO_TEST= Yes > +MULTI_PACKAGES = -main -mpi > +FLAVORS =no_mpi > +FLAVOR ?= > > -post-extract: > - @cd ${WRKDIST}/UTIL && mv *.f ${WRKSRC} > +SHARED_LIBS += arpack 2.0 > +SHARED_LIBS += parpack 1.0 > + > +CATEGORIES = math > + > +HOMEPAGE = https://github.com/opencollab/arpack-ng > + > +# BSD 3-Clause > +PERMIT_PACKAGE = Yes > + > +MODULES =fortran \ > + devel/cmake > + > +CONFIGURE_ARGS +=-DBUILD_SHARED_LIBS:BOOL=ON \ > + -D ICB=ON > + > +LIB_DEPENDS-main = math/lapack \ > + math/blas > + > +WANTLIB += lapack blas m > + > +LIB_DEPENDS-mpi =devel/openmpi \ > + math/arpack,-main > + > +WANTLIB-mpi += ${WANTLIB} arpack execinfo pciaccess pthread util z > +WANTLIB-mpi += mpi mpi_mpifh mpi_usempi_ignore_tkr > +WANTLIB-mpi += mpi_usempif08 open-pal open-rte > + > +.include > +.if 
${BUILD_PACKAGES:M-mpi} > +CONFIGURE_ARGS +=-D MPI=ON > +.endif > > post-install: > .for i in BAND COMPLEX NONSYM SIMPLE SVD SYM > @@ -49,7 +54,6 @@ post-install: > ${PREFIX}/share/examples/arpack > ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/arpack > ${INSTALL_DATA} ${WRKDIST}/DOCUMENTS/* ${PREFIX}/share/doc/arpack > - ${INSTALL_DATA} ${WRKDIR}/ug.ps ${PREFIX}/share/doc/arpack > - ${INSTALL_DATA} ${FILESDIR}/LICENSE ${PREFIX}/share/doc/arpack > + ${INSTALL_DATA} ${WRKDIST}/COPYING ${PREFIX}/share/doc/arpack > > .include > Index: distinfo > === > RCS file: /cvs/ports/math/arpack/distinfo,v > retrieving revision 1.4 > diff -u -p -u -p -r1.4 distinfo > --- distinfo 18 Jan 2015 03:14:26 - 1.4 > +++ distinfo 21 May 2022 16:23:31 - > @@ -1,6 +1,2 @@ > -SHA256 (arpack/arpack96.tar.gz) = > xqR+yjCiVsuuYOacYGJRuEtqDzUrpSey3L1Hic6F7Pw= > -SHA256 (arpack/patch.tar.gz) = r4kU1gr0fkn7rVWBLQpdCnBA+6kMk+XvGo2I0yAn060= > -SHA256 (arpack/ug.ps.gz) = /x+qx0v8QkQpVZBhMnVuzX8ANIA4mNUH29G8lg9vSrA= > -SIZE (arpack/arpack96.tar.gz) = 636865 > -SIZE (arpack/patch.tar.gz) = 226473 > -SIZE (arpack/ug.ps.gz) = 248543 > +SHA256 (arpack-ng-3.8.0.tar.gz) = > raWus4eIdDgzByOckjW3FqihcMbQlqZiW/1SmETfAD0= > +SIZE (arpack-ng-3.8.0.tar.gz) = 1014494 > Index: patches/patch-SRC_second_f > === > RCS file: patches/patch-SRC_second_f > diff -N patches/patch-SRC_second_f > --- patches/patch-SRC_second_f11
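Review bot: the `.if ${BUILD_PACKAGES:M-mpi}` test that adds `-D MPI=ON` only works if the `.include` immediately before it pulls in bsd.port.arch.mk; BUILD_PACKAGES is not set until that file is read, and bsd.port.mk has to stay the last include at the bottom. The angle-bracket target of both `.include` lines has been lost in this copy of the diff, so please confirm which file is named there. Separately, `WANTLIB-mpi += ${WANTLIB} arpack ...` together with `LIB_DEPENDS-mpi = ... math/arpack,-main` is the right shape for the subpackage linking against its own -main library, and sthen's @pkgpath point for PLIST-main still stands.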
CVS: cvs.openbsd.org: ports
CVSROOT:        /cvs
Module name:    ports
Changes by:     mar...@cvs.openbsd.org  2022/05/22 13:13:21

Modified files:
        devel/py-vulture: Makefile distinfo

Log message:
Update py-vulture to 2.4.
Re: [update) math/arpack to arpack-ng 3.8.0
So after some discussion and only a tiny wee bit more back-and-forth between options with Stuart and Landry we decided it is best to just update the existing port. The diff below aims to do just that, as initially sought by Volker.

Sorry it took so long.

- new mpi option
- builds fine with mlpack, armadillo, igraph, octave, ensmallen
- parpack is not picked by any of the above
- no quirks or conflict markers necessary
- tested on arm64, amd64, armv7, hiccups possible on sparc64 and macppc, but I cannot test the latter two

OK?

-m

Index: Makefile
===
RCS file: /cvs/ports/math/arpack/Makefile,v
retrieving revision 1.21
diff -u -p -u -p -r1.21 Makefile
--- Makefile11 Mar 2022 19:36:12 - 1.21
+++ Makefile21 May 2022 16:23:31 -
@@ -1,43 +1,48 @@ -COMMENT= solve large scale eigenvalue problems +COMMENT-main = F77 subroutines for solving large scale eigenvalue problems +COMMENT-mpi = openmpi for arpack -DISTNAME= arpack96 -PKGNAME= arpack-96 -REVISION= 8 -SHARED_LIBS= arpack 1.0 -CATEGORIES=math - -HOMEPAGE= http://www.caam.rice.edu/software/ARPACK/ - -# BSD license (not in distfile) -PERMIT_PACKAGE=Yes - -MASTER_SITES= ${HOMEPAGE}SRC/ -DISTFILES= ${DISTNAME}.tar.gz patch.tar.gz ug.ps.gz -DIST_SUBDIR= arpack - -MODULES= fortran -MODFORTRAN_COMPILER = gfortran -BUILD_DEPENDS= ${MODFORTRAN_BUILD_DEPENDS} - -LIB_DEPENDS = math/lapack \ - math/blas -WANTLIB = lapack>=1 blas>=1 m - -WRKDIST= ${WRKDIR}/ARPACK -WRKSRC=${WRKDIST}/SRC -PICFLAG= -fPIC -MAKE_FILE= ${FILESDIR}/Makefile -MAKE_ENV= SHLIB_MAJOR=${LIBarpack_VERSION:R} \ - SHLIB_MINOR=${LIBarpack_VERSION:E} \ - FC="${MODFORTRAN_COMPILER} -cpp" \ - CC=${MODFORTRAN_COMPILER} \ - NOPROFILE=1 -FAKE_FLAGS=LIBDIR=${LOCALBASE}/lib DEBUGLIBS=no +GH_TAGNAME = 3.8.0 +DISTNAME= arpack-ng-${GH_TAGNAME} +PKGNAME=arpack-${GH_TAGNAME} +GH_ACCOUNT = opencollab +GH_PROJECT = arpack-ng -NO_TEST= Yes +MULTI_PACKAGES = -main -mpi +FLAVORS = no_mpi +FLAVOR ?= -post-extract: - @cd ${WRKDIST}/UTIL && mv *.f ${WRKSRC} +SHARED_LIBS += arpack 2.0 +SHARED_LIBS += parpack 1.0 + +CATEGORIES = math + +HOMEPAGE = https://github.com/opencollab/arpack-ng + +# BSD 3-Clause +PERMIT_PACKAGE = Yes + +MODULES = fortran \ + devel/cmake + +CONFIGURE_ARGS += -DBUILD_SHARED_LIBS:BOOL=ON \ + -D ICB=ON + +LIB_DEPENDS-main = math/lapack \ + math/blas + +WANTLIB += lapack blas m + +LIB_DEPENDS-mpi = devel/openmpi \ + math/arpack,-main + +WANTLIB-mpi += ${WANTLIB} arpack execinfo pciaccess pthread util z +WANTLIB-mpi += mpi mpi_mpifh mpi_usempi_ignore_tkr +WANTLIB-mpi += mpi_usempif08 open-pal open-rte + +.include +.if ${BUILD_PACKAGES:M-mpi} +CONFIGURE_ARGS += -D MPI=ON +.endif post-install: .for i in BAND COMPLEX NONSYM SIMPLE SVD SYM 
@@ -49,7 +54,6 @@ post-install: ${PREFIX}/share/examples/arpack ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/arpack ${INSTALL_DATA} ${WRKDIST}/DOCUMENTS/* ${PREFIX}/share/doc/arpack - ${INSTALL_DATA} ${WRKDIR}/ug.ps ${PREFIX}/share/doc/arpack - ${INSTALL_DATA} ${FILESDIR}/LICENSE ${PREFIX}/share/doc/arpack + ${INSTALL_DATA} ${WRKDIST}/COPYING ${PREFIX}/share/doc/arpack .include Index: distinfo === RCS file: /cvs/ports/math/arpack/distinfo,v retrieving revision 1.4 diff -u -p -u -p -r1.4 distinfo --- distinfo18 Jan 2015 03:14:26 - 1.4 +++ distinfo21 May 2022 16:23:31 - @@ -1,6 +1,2 @@ -SHA256 (arpack/arpack96.tar.gz) = xqR+yjCiVsuuYOacYGJRuEtqDzUrpSey3L1Hic6F7Pw= -SHA256 (arpack/patch.tar.gz) = r4kU1gr0fkn7rVWBLQpdCnBA+6kMk+XvGo2I0yAn060= -SHA256 (arpack/ug.ps.gz) = /x+qx0v8QkQpVZBhMnVuzX8ANIA4mNUH29G8lg9vSrA= -SIZE (arpack/arpack96.tar.gz) = 636865 -SIZE (arpack/patch.tar.gz) = 226473 -SIZE (arpack/ug.ps.gz) = 248543 +SHA256 (arpack-ng-3.8.0.tar.gz) = raWus4eIdDgzByOckjW3FqihcMbQlqZiW/1SmETfAD0= +SIZE (arpack-ng-3.8.0.tar.gz) = 1014494 Index: patches/patch-SRC_second_f === RCS file: patches/patch-SRC_second_f diff -N patches/patch-SRC_second_f --- patches/patch-SRC_second_f 11 Mar 2022 19:36:12 - 1.2 +++ /dev/null 1 Jan 1970 00:00:00 - @@ -1,12 +0,0 @@ -Index: SRC/second.f SRC/second.f.orig -+++ SRC/second.f -@@ -21,7 +21,7 @@ - * .. - * .. External Functions .. - REAL ETIME -- EXTERNAL ETIME -+* EXTERNAL ETIME - * .. - * .. Executable Statements .. - * Index: pkg/DESCR-main === RCS file:
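Review bot: SHARED_LIBS goes from `arpack 1.0` to `arpack 2.0` (plus a new `parpack 1.0`), so every consumer the message lists (mlpack, armadillo, igraph, octave, ensmallen) needs a REVISION bump committed together with this update so it is rebuilt and its WANTLIB recorded against the new major; the diff as posted only touches math/arpack. The deletion of patches/patch-SRC_second_f is expected rather than a problem: it patched SRC/second.f of the old arpack96 tree (commenting out `EXTERNAL ETIME`), and that tree is replaced wholesale by the arpack-ng-3.8.0 distfile in distinfo. The pkg/DESCR-main part of the diff is cut off in this copy and could not be reviewed.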
Re: firefox: pledge violation through pkcs11/smart card usage
Stuart Henderson wrote:
> On 2022/05/22 08:58, Theo de Raadt wrote:
> > The existing code uses mlock. It appears to be using mlock for a
> > privacy reason. But mlock has no privacy reason.
> > The mlock page does not make any privacy or security promises at all.
>
> OpenSC is used on Linux too, mlock there does give some guarantees:
>
>     mlock(), mlock2(), and mlockall() lock part or all of the calling
>     process's virtual address space into RAM, preventing that memory
>     from being paged to the swap area.
>
>     ...
>
>     Memory locking has two main applications: real-time algorithms
>     and high-security data processing. Real-time applications
>     require deterministic timing, and, like scheduling, paging is one
>     major cause of unexpected program execution delays. Real-time
>     applications will usually also switch to a real-time scheduler
>     with sched_setscheduler(2). Cryptographic security software
>     often handles critical bytes like passwords or secret keys as
>     data structures. As a result of paging, these secrets could be
>     transferred onto a persistent swap store medium, where they might
>     be accessible to the enemy long after the security software has
>     erased the secrets in RAM and terminated. (But be aware that the
>     suspend mode on laptops and some desktop computers will save a
>     copy of the system's RAM to disk, regardless of memory locks.)

POSIX has this to say on the matter:

https://pubs.opengroup.org/onlinepubs/009696699/functions/mlock.html

None of what Linux is doing here is in the spec, and I would argue it isn't even in the spirit of what mlock was for ("performance").

So maybe just #ifdef __linux__ that block, and submit back to upstream.

I really think replacing this with calloc_conceal(3) is junk science.

> > This library is used in a gigantic program which does a ton of other
> > memory allocations, which uses a huge number of other libraries which
> > do a ton of other memory allocations.

Is it used in libcrypto? No.

> It's used in smaller programs too. Like OpenSSH.
openssh does not use mlock. We really never know when a 'secret' is going to be put into memory, because no one built for that model of strict object handling. And since openssh to a large degree uses libcrypto, it means there are 'un-mlocked secrets there also'. Even the bignum library used by asn1 doesn't do this.

In some classes of software, it is keys at the bottom, and secrets above. It is junk science to secrecy-lock the keys without secrecy-locking the user's data, as the purpose of the keys is to provide a variety of security guarantees to the various kinds of data.

For this library, used in this application, to suddenly want this requirement fulfilled in such a narrow scope, is completely pointless.

Maybe malloc -- and mmap for that matter -- should mlock all memory, just in case the user of that memory should be better protected than careful process memory management? In an abundance of caution of course, why show any concern for the downsides and consequences. /sarcasm.
Re: firefox: pledge violation through pkcs11/smart card usage
On 2022/05/22 08:58, Theo de Raadt wrote:
> The existing code uses mlock. It appears to be using mlock for a
> privacy reason. But mlock has no privacy reason.
> The mlock page does not make any privacy or security promises at all.

OpenSC is used on Linux too, mlock there does give some guarantees:

    mlock(), mlock2(), and mlockall() lock part or all of the calling
    process's virtual address space into RAM, preventing that memory
    from being paged to the swap area.

    ...

    Memory locking has two main applications: real-time algorithms
    and high-security data processing. Real-time applications
    require deterministic timing, and, like scheduling, paging is one
    major cause of unexpected program execution delays. Real-time
    applications will usually also switch to a real-time scheduler
    with sched_setscheduler(2). Cryptographic security software
    often handles critical bytes like passwords or secret keys as
    data structures. As a result of paging, these secrets could be
    transferred onto a persistent swap store medium, where they might
    be accessible to the enemy long after the security software has
    erased the secrets in RAM and terminated. (But be aware that the
    suspend mode on laptops and some desktop computers will save a
    copy of the system's RAM to disk, regardless of memory locks.)

> This library is used in a gigantic program which does a ton of other
> memory allocations, which uses a huge number of other libraries which
> do a ton of other memory allocations.

It's used in smaller programs too. Like OpenSSH.
Fwd: devel/help2man to 1.49.2
ping

Forwarded Message
Subject: devel/help2man to 1.49.2
Date: Sat, 14 May 2022 20:55:15 -0400
From: George Rosamond
To: OpenBSD Ports

Simple update to devel/help2man from 1.49.1 to 1.49.2 attached.

According to ChangeLog, changes are only:

* Add configure~ to mostlyclean target.
* Add Romanian translations (thanks to Remus-Gabriel Chelu).

Thanks

g

Index: help2man//Makefile === RCS file: /cvs/ports/devel/help2man/Makefile,v retrieving revision 1.36 diff -u -p -r1.36 Makefile --- help2man//Makefile 11 Mar 2022 18:50:11 - 1.36 +++ help2man//Makefile 15 May 2022 00:50:52 - @@ -1,6 +1,6 @@ COMMENT= generates simple manual pages from program output -DISTNAME= help2man-1.49.1 +DISTNAME= help2man-1.49.2 EXTRACT_SUFX= .tar.xz CATEGORIES= devel MASTER_SITES= ${MASTER_SITE_GNU:=help2man/} Index: help2man//distinfo === RCS file: /cvs/ports/devel/help2man/distinfo,v retrieving revision 1.24 diff -u -p -r1.24 distinfo --- help2man//distinfo 19 Feb 2022 07:53:13 - 1.24 +++ help2man//distinfo 15 May 2022 00:50:52 - @@ -1,2 +1,2 @@ -SHA256 (help2man-1.49.1.tar.xz) = /ZmmZOxL6ahqDdiXGZifFPNnqcB5110OHXHhinu1GwM= -SIZE (help2man-1.49.1.tar.xz) = 214504 +SHA256 (help2man-1.49.2.tar.xz) = ni4OITp+CjYkTu1iBNkCtlBGAqV4tuzRUmixRU3q3TY= +SIZE (help2man-1.49.2.tar.xz) = 225428
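Review bot: the file headers read `help2man//Makefile` and `help2man//distinfo` (doubled slash), so the diff was generated from devel/ with a trailing slash on the directory name and has to be applied from devel/ rather than from inside the port directory; worth regenerating from the port directory before commit. The hunks themselves are only the expected DISTNAME bump and the matching SHA256/SIZE lines for 1.49.1 -> 1.49.2, consistent with the two ChangeLog entries quoted above.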
Re: firefox: pledge violation through pkcs11/smart card usage
Stuart Henderson wrote:
> On 2022/05/22 13:49, Caspar Schutijser wrote:
> > I haven't tested this but shouldn't this be HAVE_CALLOC_CONCEAL?

I really don't understand the approach being taken here.

The existing code uses mlock. It appears to be using mlock for a privacy reason. But mlock has no privacy reason.

The mlock page does not make any privacy or security promises at all. At best it says "This region will be available in direct memory, without having to retrieve it from some (vague) slower memory"

It does not say that a copy of this allocation won't go to swap. It also does not say that the contents won't land in coredump.

mlock is a weird performance guarantee system call which no one should actually use (and I want to remove) because it locks resources other processes might require.

mlock is apparently being used for a reason that isn't specified or documented. But I want to understand what the goal here is.

A subset of memory allocations in one library is being treated this way, for "secrecy" or "privacy". This library is used in a gigantic program which does a ton of other memory allocations, which uses a huge number of other libraries which do a ton of other memory allocations.

Does that gigantic program keep track of any other secrets or privacy information in the other memory allocations it makes? Once this diff for this one library goes in, will that huge program and all the libraries it uses receive the same attention?

I would estimate it will require 10,000+ commits to the whole tree -- base and ports -- if we wanted to actually solve this problem. It won't happen.

Unfortunately, our calloc_conceal() is in the same boat. Using it in a few corners of the tree ... feels so ineffective.
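As an added illustration of the calloc_conceal(3) approach this thread weighs against mlock(2) (example code, not OpenSC's sc_mem_secure_alloc() nor the port's patch): a length-prefixed secret allocator that uses calloc_conceal/freezero on OpenBSD and, on other systems, plain calloc with a compiler-proof wipe before free. The names secret_alloc/secret_len/secret_wipe/secret_free/secret_selftest and the fallback path are assumptions of this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Length prefix kept in front of the payload so the free side knows how much
 * to wipe; the union keeps the returned pointer aligned for any object. */
struct secret_hdr {
    size_t len;
    union { long double ld; void *p; } align;
};

/* Wipe through a volatile function pointer so the compiler cannot drop the
 * stores as dead right before free(); used on the non-OpenBSD path only. */
static void *(*const volatile memset_vol)(void *, int, size_t) = memset;

static void wipe(void *p, size_t n)
{
    memset_vol(p, 0, n);
}

/* Allocate len zeroed bytes for a secret; NULL on zero length or overflow. */
void *secret_alloc(size_t len)
{
    struct secret_hdr *h;
    size_t total = sizeof *h + len;

    if (len == 0 || total < len)        /* reject zero and size_t wraparound */
        return NULL;
#ifdef __OpenBSD__
    /* calloc_conceal(3): zeroed, kept out of core dumps, and unlike mlock(2)
     * it needs no extra pledge(2) promise and locks no shared resource. */
    h = calloc_conceal(1, total);
#else
    /* Hypothetical portable fallback: ordinary zeroed heap memory, no
     * locking; the only protection is the wipe in secret_free(). */
    h = calloc(1, total);
#endif
    if (h == NULL)
        return NULL;
    h->len = len;
    return h + 1;
}

size_t secret_len(const void *p)
{
    const struct secret_hdr *h = (const struct secret_hdr *)p - 1;

    return h->len;
}

/* Zero the payload in place; returns 1 if every byte then reads back as 0. */
int secret_wipe(void *p)
{
    size_t n = secret_len(p);
    const unsigned char *b = p;
    unsigned char acc = 0;
    size_t i;

    wipe(p, n);
    for (i = 0; i < n; i++)
        acc |= b[i];
    return acc == 0;
}

void secret_free(void *p)
{
    struct secret_hdr *h;

    if (p == NULL)
        return;
    h = (struct secret_hdr *)p - 1;
#ifdef __OpenBSD__
    freezero(h, sizeof *h + h->len);    /* wipes header and payload, then frees */
#else
    wipe(h, sizeof *h + h->len);
    free(h);
#endif
}

/* Self-check on a constructed sample secret: a fresh buffer is zeroed, data
 * round-trips, the wipe leaves only zeros, and the edge cases are refused.
 * Returns 1 on success, 0 on any failure. */
int secret_selftest(void)
{
    static const char sample[] = "constructed-sample-PIN-1234";
    size_t n = sizeof sample;
    unsigned char *b = secret_alloc(n);
    size_t i;
    int ok = 1;

    if (b == NULL || secret_len(b) != n)
        return 0;
    for (i = 0; i < n; i++)
        ok &= (b[i] == 0);
    memcpy(b, sample, n);
    ok &= (memcmp(b, sample, n) == 0);
    ok &= secret_wipe(b);
    ok &= (b[0] == 0 && b[n - 1] == 0);
    secret_free(b);
    ok &= (secret_alloc(0) == NULL);            /* edge: zero length */
    ok &= (secret_alloc((size_t)-1) == NULL);   /* edge: size_t wraparound */
    return ok;
}
```

The OpenBSD branch is the one the opensc diff in this thread switches to; the fallback shows what a caller gets on a platform without calloc_conceal, which is exactly the "wipe on free, nothing else" level Theo describes.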
CVS: cvs.openbsd.org: ports
CVSROOT:        /cvs
Module name:    ports
Changes by:     st...@cvs.openbsd.org   2022/05/22 06:17:54

Modified files:
        textproc/py-feedparser: Makefile distinfo

Log message:
update to py3-feedparser-6.0.10
Re: firefox: pledge violation through pkcs11/smart card usage
On 2022/05/22 13:49, Caspar Schutijser wrote: > I haven't tested this but shouldn't this be HAVE_CALLOC_CONCEAL? thanks, good catch. Index: Makefile === RCS file: /cvs/ports/security/opensc/Makefile,v retrieving revision 1.60 diff -u -p -r1.60 Makefile --- Makefile16 Mar 2022 10:16:26 - 1.60 +++ Makefile22 May 2022 12:14:58 - @@ -1,7 +1,7 @@ COMMENT= set of libraries and utilities to access smart cards V= 0.22.0 -REVISION= 0 +REVISION= 1 DISTNAME= opensc-${V} SHARED_LIBS += opensc 7.3 # 8.0 Index: patches/patch-configure_ac === RCS file: patches/patch-configure_ac diff -N patches/patch-configure_ac --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-configure_ac 22 May 2022 12:14:58 - @@ -0,0 +1,12 @@ +Index: configure.ac +--- configure.ac.orig configure.ac +@@ -414,7 +414,7 @@ AC_FUNC_STAT + AC_FUNC_VPRINTF + AC_CHECK_FUNCS([ \ + getpass gettimeofday getline memset mkdir \ +- strdup strerror memset_s explicit_bzero \ ++ strdup strerror memset_s explicit_bzero calloc_conceal \ + strnlen sigaction + ]) + Index: patches/patch-src_libopensc_sc_c === RCS file: patches/patch-src_libopensc_sc_c diff -N patches/patch-src_libopensc_sc_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-src_libopensc_sc_c22 May 2022 12:14:58 - 
@@ -0,0 +1,30 @@ +Avoid mlock; not really useful unless non-default vm.swapencrypt.enable=0 +is used, and prevents opensc being used by pledge()'d callers. + +Belt and braces with calloc_conceal: upstream already uses explicit_bzero, +but we might as well use this which conceals secure allocations from dumps. + +Index: src/libopensc/sc.c +--- src/libopensc/sc.c.orig src/libopensc/sc.c +@@ -912,14 +912,18 @@ void *sc_mem_secure_alloc(size_t len) + len = pages * page_size; + } + ++#ifdef HAVE_CALLOC_CONCEAL ++ p = calloc_conceal(1, len); ++#else + p = calloc(1, len); + if (p == NULL) { + return NULL; + } +-#ifdef _WIN32 ++# ifdef _WIN32 + VirtualLock(p, len); +-#else ++# else + mlock(p, len); ++# endif + #endif + + return p; Index: patches/patch-src_pkcs11_Makefile_am === RCS file: /cvs/ports/security/opensc/patches/patch-src_pkcs11_Makefile_am,v retrieving revision 1.5 diff -u -p -r1.5 patch-src_pkcs11_Makefile_am --- patches/patch-src_pkcs11_Makefile_am10 Mar 2022 14:37:15 - 1.5 +++ patches/patch-src_pkcs11_Makefile_am22 May 2022 12:14:58 - @@ -1,7 +1,7 @@ Index: src/pkcs11/Makefile.am --- src/pkcs11/Makefile.am.orig +++ src/pkcs11/Makefile.am -@@ -1,7 +1,9 @@ +@@ -1,5 +1,7 @@ include $(top_srcdir)/win32/ltrc.inc +override libdir = $(prefix)/lib/pkcs11 @@ -9,8 +9,6 @@ Index: src/pkcs11/Makefile.am MAINTAINERCLEANFILES = $(srcdir)/Makefile.in $(srcdir)/versioninfo-pkcs11.rc $(srcdir)/versioninfo-pkcs11-spy.rc EXTRA_DIST = Makefile.mak versioninfo-pkcs11.rc.in versioninfo-pkcs11-spy.rc.in opensc-pkcs11.pc.in opensc-pkcs11.dll.manifest onepin-opensc-pkcs11.dll.manifest - lib_LTLIBRARIES = opensc-pkcs11.la pkcs11-spy.la onepin-opensc-pkcs11.la - if ENABLE_SHARED @@ -24,10 +26,6 @@ OPENSC_PKCS11_LIBS = \ $(top_builddir)/src/common/libcompat.la \ $(OPENPACE_LIBS) $(OPTIONAL_OPENSSL_LIBS) $(PTHREAD_LIBS)
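Review bot: the calloc_conceal branch in sc.c depends on HAVE_CALLOC_CONCEAL coming out of the new AC_CHECK_FUNCS entry in configure.ac, so it only takes effect if the port regenerates configure (autoreconf) after patching; if the shipped configure script is used as-is, the macro is never defined, the `#else` calloc()+mlock() path is compiled, and the pledge problem this diff sets out to fix remains. The build log should show `checking for calloc_conceal... yes`. Two smaller points: the `p == NULL` check now lives only in the `#else` branch, which is harmless because `return p` hands back NULL either way but reads asymmetric; and the matching sc_mem_secure_free() side is not in the diff, so confirm its munlock() on memory that was never locked is skipped or at least harmless. The changes to patch-src_pkcs11_Makefile_am are update-patches context churn (two context lines dropped, hunk counts 7/9 -> 5/7) with no functional change.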
Re: firefox: pledge violation through pkcs11/smart card usage
On Sun, May 22, 2022 at 12:02:23PM +0100, Stuart Henderson wrote: > On 2022/05/22 10:44, Stuart Henderson wrote: > > Oh, maybe that should switch to calloc_conceal > > i.e. > > Index: Makefile > === > RCS file: /cvs/ports/security/opensc/Makefile,v > retrieving revision 1.60 > diff -u -p -r1.60 Makefile > --- Makefile 16 Mar 2022 10:16:26 - 1.60 > +++ Makefile 22 May 2022 11:02:01 - > @@ -1,7 +1,7 @@ > COMMENT= set of libraries and utilities to access smart cards > > V= 0.22.0 > -REVISION=0 > +REVISION=1 > DISTNAME=opensc-${V} > > SHARED_LIBS += opensc 7.3 # 8.0 > Index: patches/patch-configure_ac > === > RCS file: patches/patch-configure_ac > diff -N patches/patch-configure_ac > --- /dev/null 1 Jan 1970 00:00:00 - > +++ patches/patch-configure_ac22 May 2022 11:02:01 - > @@ -0,0 +1,12 @@ > +Index: configure.ac > +--- configure.ac.orig > configure.ac > +@@ -414,7 +414,7 @@ AC_FUNC_STAT > + AC_FUNC_VPRINTF > + AC_CHECK_FUNCS([ \ > + getpass gettimeofday getline memset mkdir \ > +-strdup strerror memset_s explicit_bzero \ > ++strdup strerror memset_s explicit_bzero calloc_conceal \ > + strnlen sigaction > + ]) > + > Index: patches/patch-src_libopensc_sc_c > === > RCS file: patches/patch-src_libopensc_sc_c > diff -N patches/patch-src_libopensc_sc_c > --- /dev/null 1 Jan 1970 00:00:00 - > +++ patches/patch-src_libopensc_sc_c 22 May 2022 11:02:01 - 
> @@ -0,0 +1,30 @@ > +Avoid mlock; not really useful unless non-default vm.swapencrypt.enable=0 > +is used, and prevents opensc being used by pledge()'d callers. > + > +Belt and braces with calloc_conceal: upstream already uses explicit_bzero, > +but we might as well use this which conceals secure allocations from dumps. > + > +Index: src/libopensc/sc.c > +--- src/libopensc/sc.c.orig > src/libopensc/sc.c > +@@ -912,14 +912,18 @@ void *sc_mem_secure_alloc(size_t len) > + len = pages * page_size; > + } > + > ++#ifdef CALLOC_CONCEAL I haven't tested this but shouldn't this be HAVE_CALLOC_CONCEAL? > ++p = calloc_conceal(1, len); > ++#else > + p = calloc(1, len); > + if (p == NULL) { > + return NULL; > + } > +-#ifdef _WIN32 > ++# ifdef _WIN32 > + VirtualLock(p, len); > +-#else > ++# else > + mlock(p, len); > ++# endif > + #endif > + > + return p; >
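Review bot: `#ifdef CALLOC_CONCEAL` in the sc.c hunk does not match what the configure.ac hunk produces; AC_CHECK_FUNCS defines HAVE_ followed by the upper-cased function name, i.e. HAVE_CALLOC_CONCEAL, so as posted the calloc_conceal() branch is dead code and the build silently keeps the calloc()+mlock() path it was meant to replace. The interleaved comment above has it right; the fix is a one-token change on the `++#ifdef` line.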
CVS: cvs.openbsd.org: ports
CVSROOT:        /cvs
Module name:    ports
Changes by:     st...@cvs.openbsd.org   2022/05/22 05:33:52

Modified files:
        net/routinator : Makefile crates.inc distinfo

Log message:
update to routinator-0.11.2
Re: devel/cmake: allow file(DOWNLOAD, ...) for file://... URLs
This does seem sensible as long as it isn't some file which you might later need to patch to fix something quickly.

I think this is OK but will defer to ${MAINTAINER} if opinions differ :)

On 2022/05/22 04:29, Klemens Nanni wrote:
> A new port wants to fetch from the internet at build time:
>
> file( DOWNLOAD ${CONFIG_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.json )
>
> No problem, I fetch the file via DISTFILES.
>
> Now I'd like to pass in the fetched file via the same variable,
> without patching, like so:
>
> CONFIGURE_ARGS += `-DCONFIG_URL=file://${DISTDIR}/config.json`
>
> but using an offline file:// URL pointing at an absolute path does not
> work here since our cmake denies `file(DOWNLOAD, ...) completely.
>
> So now I have to patch the sources and add yet another hack, e.g.
>
> -> file( DOWNLOAD ${CONFIG_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.json )
> +> configure_file(${CONFIG_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.json
> COPYONLY )
>
> This is more annoying than it could be, imho.
>
> Would it be sensible to allow DOWNLOAD'ing absolute file:// URLs?
> Then no patching would be required.
> I have to patch four times in total now, in two new ports.
>
> I just gave this a shot and made cmake only bail out if the URL does not
> begin with "file:///" (three slashes).
>
> Feedback? Objection? OK?
>
> Index: Makefile
> ===
> RCS file: /cvs/ports/devel/cmake/Makefile,v
> retrieving revision 1.207
> diff -u -p -r1.207 Makefile
> --- Makefile 26 Mar 2022 08:14:00 - 1.207
> +++ Makefile 22 May 2022 03:15:07 -
> @@ -6,7 +6,7 @@ VER = 3.20.3 > EPOCH = 0 > DISTNAME = cmake-${VER} > CATEGORIES = devel > -REVISION = 6 > +REVISION = 7 > > HOMEPAGE = https://www.cmake.org/ > > Index: patches/patch-Source_cmFileCommand_cxx > === > RCS file: /cvs/ports/devel/cmake/patches/patch-Source_cmFileCommand_cxx,v > retrieving revision 1.6 > diff -u -p -r1.6 patch-Source_cmFileCommand_cxx > --- patches/patch-Source_cmFileCommand_cxx11 Mar 2022 18:49:50 - > 1.6 > +++ patches/patch-Source_cmFileCommand_cxx22 May 2022 04:28:41 - > @@ -1,19 +1,19 @@ > Index: Source/cmFileCommand.cxx > --- Source/cmFileCommand.cxx.orig > +++ Source/cmFileCommand.cxx > -@@ -1599,6 +1599,12 @@ bool HandleDownloadCommand(std::vector co > -cmExecutionStatus& status) > - { > - #if !defined(CMAKE_BOOTSTRAP) > +@@ -1609,6 +1609,12 @@ bool HandleDownloadCommand(std::vector co > + ++i; > + std::string file; > + > + std::string openbsd_build; > + if ((cmSystemTools::GetEnv("MODCMAKE_PORT_BUILD", openbsd_build) && > -+ openbsd_build == std::string("yes"))) { > ++ openbsd_build == std::string("yes")) && !cmHasPrefix(url, "file:///")) > { > +status.SetError("DOWNLOAD not supported in OpenBSD ports builds."); > +return false; > + } > - auto i = args.begin(); > - if (args.size() < 2) { > - status.SetError("DOWNLOAD must be called with at least two arguments."); > + long timeout = 0; > + long inactivity_timeout = 0; > + std::string logVar; > @@ -1985,6 +1991,12 @@ bool HandleUploadCommand(std::vector cons >cmExecutionStatus& status) > {
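Review bot: moving the ports guard from the top of HandleDownloadCommand (old context `#if !defined(CMAKE_BOOTSTRAP)`, line 1599) down past `++i; std::string file;` (line 1609) is required rather than cosmetic, because the new condition reads `url`, which is only parsed from the arguments at that point; a side effect is that the `args.size() < 2` check now runs before the guard, so a malformed call reports the usual argument error first. The relaxation itself is narrow: only URLs with the literal prefix `file:///` pass, so `file://host/path`, http(s) and everything else still fail with "DOWNLOAD not supported in OpenBSD ports builds.", and a `file:///` read gives the build no access it did not already have through file(READ) or configure_file. The HandleUploadCommand hunk at line 1985 is cut off in this copy and could not be reviewed.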
CVS: cvs.openbsd.org: ports
CVSROOT:        /cvs
Module name:    ports
Changes by:     st...@cvs.openbsd.org   2022/05/22 05:16:34

Modified files:
        security/sqlmap: Makefile distinfo
        security/sqlmap/pkg: PLIST

Log message:
update to sqlmap-1.6.5, from portno12 a protonmail.com
CVS: cvs.openbsd.org: ports
CVSROOT:        /cvs
Module name:    ports
Changes by:     st...@cvs.openbsd.org   2022/05/22 05:15:49

Modified files:
        lang/erlang/21 : Makefile

Log message:
tweak PORTROACH, looks like it wants an OTP- prefix. may need further change after an actual portroach run.
CVS: cvs.openbsd.org: ports
CVSROOT:        /cvs
Module name:    ports
Changes by:     st...@cvs.openbsd.org   2022/05/22 05:12:51

Modified files:
        net/lldpd      : Makefile distinfo

Log message:
update to lldpd-1.0.14
CVS: cvs.openbsd.org: ports
CVSROOT:        /cvs
Module name:    ports
Changes by:     st...@cvs.openbsd.org   2022/05/22 05:11:17

Modified files:
        net/librenms   : Makefile distinfo
        net/librenms/patches: patch-LibreNMS_Config_php patch-misc_config_definitions_json
        net/librenms/pkg: PLIST

Log message:
update to librenms-22.5.0
mips64 bulk build report
bulk build on octeon.ports.openbsd.org
started on Sun May 15 08:25:45 UTC 2022
finished at Sun May 22 06:21:20 UTC 2022
lasted 07D21h55m
done with kern.version=OpenBSD 7.1-current (GENERIC.MP) #932: Sat May 14 18:56:38 MDT 2022

built packages:8739
May 15:2553
May 16:678
May 17:629
May 18:606
May 19:744
May 20:897
May 21:1344
May 22:1287

build failures: 73
CVS: cvs.openbsd.org: ports
CVSROOT:	/cvs
Module name:	ports

Changes by:	st...@cvs.openbsd.org	2022/05/22 05:07:58

Modified files:
	converters/p5-Convert-Color: Makefile distinfo

Log message:
update to p5-Convert-Color-0.12
CVS: cvs.openbsd.org: ports
CVSROOT:	/cvs
Module name:	ports

Changes by:	st...@cvs.openbsd.org	2022/05/22 05:07:27

Modified files:
	converters/p5-JSON: Makefile distinfo

Log message:
update to p5-JSON-4.06
CVS: cvs.openbsd.org: ports
CVSROOT:	/cvs
Module name:	ports

Changes by:	st...@cvs.openbsd.org	2022/05/22 05:07:15

Modified files:
	devel/py-puremagic: Makefile distinfo

Log message:
update to py3-puremagic-1.14
CVS: cvs.openbsd.org: ports
CVSROOT:	/cvs
Module name:	ports

Changes by:	st...@cvs.openbsd.org	2022/05/22 05:06:09

Modified files:
	devel/py-pip   : Makefile distinfo

Log message:
update to py3-pip-22.1.1
CVS: cvs.openbsd.org: ports
CVSROOT:	/cvs
Module name:	ports

Changes by:	st...@cvs.openbsd.org	2022/05/22 05:04:44

Modified files:
	lang/erlang/21 : Makefile

Log message:
erlang21: add portroach limit
Re: firefox: pledge violation through pkcs11/smart card usage
On 2022/05/22 10:44, Stuart Henderson wrote: > Oh, maybe that should switch to calloc_conceal i.e. Index: Makefile === RCS file: /cvs/ports/security/opensc/Makefile,v retrieving revision 1.60 diff -u -p -r1.60 Makefile --- Makefile16 Mar 2022 10:16:26 - 1.60 +++ Makefile22 May 2022 11:02:01 - @@ -1,7 +1,7 @@ COMMENT= set of libraries and utilities to access smart cards V= 0.22.0 -REVISION= 0 +REVISION= 1 DISTNAME= opensc-${V} SHARED_LIBS += opensc 7.3 # 8.0 Index: patches/patch-configure_ac === RCS file: patches/patch-configure_ac diff -N patches/patch-configure_ac --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-configure_ac 22 May 2022 11:02:01 - @@ -0,0 +1,12 @@ +Index: configure.ac +--- configure.ac.orig configure.ac +@@ -414,7 +414,7 @@ AC_FUNC_STAT + AC_FUNC_VPRINTF + AC_CHECK_FUNCS([ \ + getpass gettimeofday getline memset mkdir \ +- strdup strerror memset_s explicit_bzero \ ++ strdup strerror memset_s explicit_bzero calloc_conceal \ + strnlen sigaction + ]) + Index: patches/patch-src_libopensc_sc_c === RCS file: patches/patch-src_libopensc_sc_c diff -N patches/patch-src_libopensc_sc_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-src_libopensc_sc_c22 May 2022 11:02:01 - @@ -0,0 +1,30 @@ +Avoid mlock; not really useful unless non-default vm.swapencrypt.enable=0 +is used, and prevents opensc being used by pledge()'d callers. + +Belt and braces with calloc_conceal: upstream already uses explicit_bzero, +but we might as well use this which conceals secure allocations from dumps. + +Index: src/libopensc/sc.c +--- src/libopensc/sc.c.orig src/libopensc/sc.c +@@ -912,14 +912,18 @@ void *sc_mem_secure_alloc(size_t len) + len = pages * page_size; + } + ++#ifdef CALLOC_CONCEAL ++ p = calloc_conceal(1, len); ++#else + p = calloc(1, len); + if (p == NULL) { + return NULL; + } +-#ifdef _WIN32 ++# ifdef _WIN32 + VirtualLock(p, len); +-#else ++# else + mlock(p, len); ++# endif + #endif + + return p;
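Review bot: the sc.c hunk guards the new branch with `#ifdef CALLOC_CONCEAL`, but the configure.ac hunk adds calloc_conceal to AC_CHECK_FUNCS, which defines `HAVE_CALLOC_CONCEAL`, so as written the calloc_conceal path is never compiled and every build still takes the calloc + mlock path the patch header says it wants to avoid; the guard should read `#ifdef HAVE_CALLOC_CONCEAL` (and the `# ifdef _WIN32` / `# else` nesting is then only reached when the function is absent, which is the intent). The hunk also changes only sc_mem_secure_alloc; the matching sc_mem_secure_free still calls munlock() on non-Windows (the other patch in this thread drops both mlock and munlock), so a buffer from calloc_conceal would still be handed to munlock() on free, and the free path needs the same `HAVE_CALLOC_CONCEAL` guard to keep a pledge()'d caller off that syscall.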
aarch64 bulk build report
bulk build on arm64.ports.openbsd.org
started on Fri May 20 01:08:16 MDT 2022
finished at Sun May 22 04:58:33 MDT 2022
lasted 2D03h50m
done with kern.version=OpenBSD 7.1-current (GENERIC.MP) #1669: Thu May 19 11:17:04 MDT 2022

built packages:11156
May 20:4041
May 21:3193
May 22:3921

critical path missing pkgs:
http://build-failures.rhaalovely.net/aarch64/2022-05-20/summary.log

build failures: 2
http://build-failures.rhaalovely.net/aarch64/2022-05-20/net/minio/server.log
http://build-failures.rhaalovely.net/aarch64/2022-05-20/www/gotosocial.log

recurrent failures
failures/net/minio/server.log

new failures
+++ ls-failures	Sun May 22 04:58:44 2022
+failures/www/gotosocial.log

resolved failures
--- ../old/aarch64/last//ls-failures	Mon May 16 06:05:42 2022
-failures/inputmethods/fcitx-chinese-addons.log
-failures/mail/gmime30.log
-failures/multimedia/handbrake.log
-failures/net/tdlib.log
-failures/net/weechat,-lua.log
CVS: cvs.openbsd.org: ports
CVSROOT:	/cvs
Module name:	ports

Changes by:	st...@cvs.openbsd.org	2022/05/22 03:50:44

Modified files:
	www/w3m        : Makefile

Log message:
w3m: use ports-gcc rather than base-gcc. Suggested by Yozo TODA to fix build.
Re: firefox: pledge violation through pkcs11/smart card usage
Oh, maybe that should switch to calloc_conceal

-- 
Sent from a phone, apologies for poor formatting.

On 22 May 2022 07:44:45 Landry Breuil wrote:

On Sat, May 21, 2022 at 07:22:02AM -0600, Theo de Raadt wrote:
Theo de Raadt wrote:

> Stuart Henderson wrote:
>
> > On 2022/05/19 08:54, Theo de Raadt wrote:
> > > I have argued in the past that mlock() in our kernel should probably be
> > > a NOOP, return success all the time, and doing nothing.
> >
> > Would it make any sense to do that rather than abort if pledged
> > (say under stdio)?
> >
>
> Well I am talking about
>
> int
> sys_mlock(...)
> {
>	return 0;
> }
>
> and deleting everything related to the concept of "locking physical memory
> resources", because every time I see mlock() used, it is for the wrong
> reasons.

I mean, step back. Why is this library underneath firefox calling mlock?

The reason why it calls mlock() is not mentioned in the mlock manual page,
not even once.

not 100% sure but i guess that code is
https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc.c#L916

klemens, does it work if you neuter those mlock/munlock calls in the
opensc port ? i think it already came up before.. or that was for gnupg ?

Landry
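The thread's point, restated in code: an allocator for secret material that never calls mlock(2)/munlock(2), so it cannot trip a pledge(2)'d caller, and instead relies on calloc_conceal(3) on OpenBSD to keep the buffer out of core dumps plus an explicit wipe before free. This is an added example written for this page, not OpenSC's sc_mem_secure_alloc or any code posted in the thread; the names secure_alloc, secure_free, secure_wipe, is_all_zero and demo_wipe_roundtrip are the example's own, and on non-OpenBSD systems it falls back to plain calloc(3) and a volatile-store wipe.

```c
/*
 * Secure buffer helpers without mlock(2). Added example, not OpenSC code.
 *
 * Rationale from the thread: on OpenBSD, mlock(2)/munlock(2) are not
 * permitted under pledge(2) (the Firefox abort), swap is encrypted by
 * default, and calloc_conceal(3) keeps the allocation out of core dumps.
 * Elsewhere the code falls back to plain calloc(3); the wipe uses
 * explicit_bzero(3) on OpenBSD and a volatile byte loop otherwise so the
 * optimiser cannot drop it as a dead store.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Zero n bytes at p in a way the compiler must not elide. */
static void secure_wipe(void *p, size_t n)
{
#ifdef __OpenBSD__
	explicit_bzero(p, n);
#else
	volatile unsigned char *vp = (volatile unsigned char *)p;
	while (n-- > 0)
		*vp++ = 0;
#endif
}

/*
 * Allocate len zeroed bytes for secret material. No mlock: the buffer is
 * concealed from dumps where the platform supports it and wiped on free.
 * Zero-length requests are refused rather than passed to calloc, whose
 * behaviour for size 0 is implementation-defined.
 */
void *secure_alloc(size_t len)
{
	if (len == 0)
		return NULL;
#ifdef __OpenBSD__
	return calloc_conceal(1, len);
#else
	return calloc(1, len);
#endif
}

/* Wipe and release a buffer obtained from secure_alloc(). NULL is a no-op. */
void secure_free(void *p, size_t len)
{
	if (p == NULL)
		return;
	secure_wipe(p, len);
	free(p);
}

/* Returns 1 if every byte of p[0..n) is zero, else 0 (used to verify a wipe). */
int is_all_zero(const unsigned char *p, size_t n)
{
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= p[i];
	return acc == 0;
}

/*
 * Self-check: fill a buffer with a constructed sample secret, wipe it in
 * place and confirm the wipe took effect. Returns 1 on success, 0 otherwise.
 */
int demo_wipe_roundtrip(void)
{
	const size_t len = 32;
	unsigned char *key = secure_alloc(len);
	int had_secret, wiped;
	size_t i;

	if (key == NULL)
		return 0;
	for (i = 0; i < len; i++)	/* constructed pattern, not a real key */
		key[i] = (unsigned char)(0xA5 ^ i);
	had_secret = !is_all_zero(key, len);
	secure_wipe(key, len);
	wiped = is_all_zero(key, len);
	secure_free(key, len);		/* wipes again (harmless) and frees */
	return had_secret && wiped;
}

int main(void)
{
	printf("secure_alloc/wipe round trip: %s\n",
	    demo_wipe_roundtrip() ? "ok" : "FAILED");
	printf("secure_alloc(0) returns NULL: %s\n",
	    secure_alloc(0) == NULL ? "ok" : "FAILED");
	return 0;
}
```

The design choice is the one the thread argues for: memory locking buys little on a system with encrypted swap and costs a pledge violation, so the allocator's protection comes from concealment and a guaranteed wipe, not from mlock.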
www/w3m on sparc64 (Re: sparc64 bulk build report)
> Bulk build on sparc64-0a.ports.openbsd.org
>
> Started : Sun May 15 00:05:48 MDT 2022
> Finished: Tue May 17 11:30:21 MDT 2022
> Duration: 2 Days 11 hours 25 minutes

> http://build-failures.rhaalovely.net/sparc64/2022-05-15/www/w3m.log

the error is

cc1: error: unrecognized command line option "-Wnull-dereference"

it looks like it is coming from gcc4, the base compiler for sparc64 I suppose. (see below)
gcc provides the "-Wnull-dereference" option since gcc6, so, how about adding COMPILER?

COMPILER = base-clang ports-gcc

[from http://build-failures.rhaalovely.net/sparc64/2022-05-15/www/w3m.log]

>>> Building on sparc64-2b under www/w3m
 BDEPENDS = [archivers/xz;devel/boehm-gc;devel/gettext,-tools;devel/gettext,-runtime]
 DIST = [www/w3m:w3m_0.5.3+git20220429.orig.tar.xz]
 FULLPKGNAME = w3m-0.5.3pl20220429
 RDEPENDS = [devel/gettext,-runtime;devel/boehm-gc]
===> Extracting for w3m-0.5.3pl20220429
===> Patching for w3m-0.5.3pl20220429
===> Compiler link: cc -> /usr/bin/cc
===> Compiler link: c++ -> /usr/bin/c++
===> Building for w3m-0.5.3pl20220429
cc -Wall -Wnull-dereference -I. -I. -O2 -pipe -I./libwc -I/usr/local/include -DHAVE_CONFIG_H -DAUXBIN_DIR=\"/usr/local/libexec/w3m\" -DCGIBIN_DIR=\"/usr/local/libexec/w3m/cgi-bin\" -DHELP_DIR=\"/usr/local/share/w3m\" -DETC_DIR=\"/etc\" -DCONF_DIR=\"/etc/w3m\" -DRC_DIR=\"~/.w3m\" -DLOCALEDIR=\"/usr/local/share/locale\" -I/usr/local/include -c main.c
cc1: error: unrecognized command line option "-Wnull-dereference"
*** Error 1 in /usr/obj/ports/w3m-0.5.3pl20220429/w3m-0.5.3+git20220429 (:87 'main.o')

-- 
yozo.
CVS: cvs.openbsd.org: ports
CVSROOT:	/cvs
Module name:	ports

Changes by:	ajacou...@cvs.openbsd.org	2022/05/22 01:56:25

Modified files:
	devel/spidermonkey91: Makefile distinfo

Log message:
Update to spidermonkey91-91.9.1.
Re: firefox: pledge violation through pkcs11/smart card usage
On Sun, May 22, 2022 at 08:44:27AM +0200, Landry Breuil wrote:
> On Sat, May 21, 2022 at 07:22:02AM -0600, Theo de Raadt wrote:
> > Theo de Raadt wrote:
> >
> > > Stuart Henderson wrote:
> > >
> > > > On 2022/05/19 08:54, Theo de Raadt wrote:
> > > > > I have argued in the past that mlock() in our kernel should probably
> > > > > be
> > > > > a NOOP, return success all the time, and doing nothing.
> > > >
> > > > Would it make any sense to do that rather than abort if pledged
> > > > (say under stdio)?
> > > >
> > >
> > > Well I am talking about
> > >
> > > int
> > > sys_mlock(...)
> > > {
> > > 	return 0;
> > > }
> > >
> > > and deleting everything related to the concept of "locking physical memory
> > > resources", because every time I see mlock() used, it is for the wrong
> > > reasons.
> >
> > I mean, step back. Why is this library underneath firefox calling mlock?
> >
> > The reason why it calls mlock() is not mentioned in the mlock manual page,
> > not even once.
>
> not 100% sure but i guess that code is
> https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc.c#L916
>
> klemens, does it work if you neuter those mlock/munlock calls in the
> opensc port ? i think it already came up before.. or that was for gnupg ?

Thanks everyone, that works, I can now use my smart card in Firefox.

Feedback? Objection? OK?

Index: Makefile === RCS file: /cvs/ports/security/opensc/Makefile,v retrieving revision 1.60 diff -u -p -r1.60 Makefile --- Makefile16 Mar 2022 10:16:26 - 1.60 +++ Makefile22 May 2022 06:55:05 - @@ -1,7 +1,7 @@ COMMENT= set of libraries and utilities to access smart cards V= 0.22.0 -REVISION= 0 +REVISION= 1 DISTNAME= opensc-${V} SHARED_LIBS += opensc 7.3 # 8.0 Index: patches/patch-src_libopensc_sc_c === RCS file: patches/patch-src_libopensc_sc_c diff -N patches/patch-src_libopensc_sc_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-src_libopensc_sc_c22 May 2022 06:57:41 - 
@@ -0,0 +1,22 @@ +Neuter mlock(2)/munlock(2) calls to avoid pledge violations in Firefox +when using OpenSC's PKCS11 module. + +Index: src/libopensc/sc.c +--- src/libopensc/sc.c.orig src/libopensc/sc.c +@@ -919,7 +919,6 @@ void *sc_mem_secure_alloc(size_t len) + #ifdef _WIN32 + VirtualLock(p, len); + #else +- mlock(p, len); + #endif + + return p; +@@ -930,7 +929,6 @@ void sc_mem_secure_free(void *ptr, size_t len) + #ifdef _WIN32 + VirtualUnlock(ptr, len); + #else +- munlock(ptr, len); + #endif + free(ptr); + } Index: patches/patch-src_pkcs11_Makefile_am === RCS file: /cvs/ports/security/opensc/patches/patch-src_pkcs11_Makefile_am,v retrieving revision 1.5 diff -u -p -r1.5 patch-src_pkcs11_Makefile_am --- patches/patch-src_pkcs11_Makefile_am10 Mar 2022 14:37:15 - 1.5 +++ patches/patch-src_pkcs11_Makefile_am22 May 2022 06:56:21 - @@ -1,7 +1,7 @@ Index: src/pkcs11/Makefile.am --- src/pkcs11/Makefile.am.orig +++ src/pkcs11/Makefile.am -@@ -1,7 +1,9 @@ +@@ -1,5 +1,7 @@ include $(top_srcdir)/win32/ltrc.inc +override libdir = $(prefix)/lib/pkcs11 @@ -9,8 +9,6 @@ Index: src/pkcs11/Makefile.am MAINTAINERCLEANFILES = $(srcdir)/Makefile.in $(srcdir)/versioninfo-pkcs11.rc $(srcdir)/versioninfo-pkcs11-spy.rc EXTRA_DIST = Makefile.mak versioninfo-pkcs11.rc.in versioninfo-pkcs11-spy.rc.in opensc-pkcs11.pc.in opensc-pkcs11.dll.manifest onepin-opensc-pkcs11.dll.manifest - lib_LTLIBRARIES = opensc-pkcs11.la pkcs11-spy.la onepin-opensc-pkcs11.la - if ENABLE_SHARED @@ -24,10 +26,6 @@ OPENSC_PKCS11_LIBS = \ $(top_builddir)/src/common/libcompat.la \ $(OPENPACE_LIBS) $(OPTIONAL_OPENSSL_LIBS) $(PTHREAD_LIBS)
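Review bot: in the new patch-src_libopensc_sc_c, the two hunks remove `mlock(p, len);` and `munlock(ptr, len);` and leave the non-Windows `#else` branches in sc_mem_secure_alloc and sc_mem_secure_free empty; that compiles, but the patch header only says it avoids the pledge violation and not why dropping the lock is acceptable. Add the reasoning from this thread to the header (OpenBSD encrypts swap by default unless vm.swapencrypt.enable=0 is set, and upstream already explicit_bzero()s the buffer on free), so the next person updating the port does not reinstate mlock, and consider the calloc_conceal variant proposed in the thread as the longer-term shape of this patch.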
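Review bot: the patch-src_pkcs11_Makefile_am hunk is unrelated churn: the inner hunk header changes from `@@ -1,7 +1,9 @@` to `@@ -1,5 +1,7 @@` and the context lines `lib_LTLIBRARIES = opensc-pkcs11.la pkcs11-spy.la onepin-opensc-pkcs11.la` and `if ENABLE_SHARED` drop out, which looks like a regenerated patch rather than a functional change. It is harmless, but either leave that file untouched in this diff or say in the commit message that it is an update-patches regeneration, so the mlock change stays reviewable on its own.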
Re: firefox: pledge violation through pkcs11/smart card usage
On Sat, May 21, 2022 at 07:22:02AM -0600, Theo de Raadt wrote:
> Theo de Raadt wrote:
>
> > Stuart Henderson wrote:
> >
> > > On 2022/05/19 08:54, Theo de Raadt wrote:
> > > > I have argued in the past that mlock() in our kernel should probably be
> > > > a NOOP, return success all the time, and doing nothing.
> > >
> > > Would it make any sense to do that rather than abort if pledged
> > > (say under stdio)?
> > >
> >
> > Well I am talking about
> >
> > int
> > sys_mlock(...)
> > {
> > 	return 0;
> > }
> >
> > and deleting everything related to the concept of "locking physical memory
> > resources", because every time I see mlock() used, it is for the wrong
> > reasons.
>
> I mean, step back. Why is this library underneath firefox calling mlock?
>
> The reason why it calls mlock() is not mentioned in the mlock manual page,
> not even once.

not 100% sure but i guess that code is
https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc.c#L916

klemens, does it work if you neuter those mlock/munlock calls in the
opensc port ? i think it already came up before.. or that was for gnupg ?

Landry
Re: [patch] www/firefox-esr: add suffix - ESR to NAME in .desktop
On Sun, May 22, 2022 at 03:00:33AM -0300, Juan Picca wrote:
> Hi all!
> (Maybe a nitpick request.)
>
>
> When installing `firefox` and `firefox-esr` packages, the items under
> the *Applications > Internet* menu show two entries with the text
> `Firefox Web Browser`.
>
> A proposed solution (patch attached) is the addition of the suffix
> ` - ESR` for the `Name` key in the `.desktop` file to differentiate
> between the two menu items.

agreed, this totally makes sense. I'm just wondering if it wouldn't be
simpler to just append the ESR suffix in post-patch with a sed construct
instead of having a large patch that could be annoying to update if a new
translation is added/dropped, but then the patch is still needed anyway
for the other chunks.

> Besides the patch a question:
>
> Only in the first `Exec=` the `firefox` string is replaced with
> `${MOZILLA_PROJECT}`. What about the `Exec=` in the `[Desktop Action
> NewWindow]` and `[Desktop Action NewPrivateWindow]` section?

that's probably just something that never occurred to me, but you're
totally right that those should be replaced too.

Landry
CVS: cvs.openbsd.org: ports
CVSROOT:	/cvs
Module name:	ports

Changes by:	de...@cvs.openbsd.org	2022/05/22 00:16:12

Modified files:
	databases/victoriametrics: Makefile distinfo

Log message:
update to 1.77.2

Changelog: https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.77.2