Re: Etnernal & infernal browser woes
On Fri, Apr 28, 2017 at 04:32:49PM +0200, Martin Pieuchot wrote:
> On 28/04/17(Fri) 16:20, Anders Andersson wrote:
> > [...]
> > From what I read, it seems as if the problems are mostly from when you
> > try websites which are heavy on javascript.
>
> If javascript was the problem other OSes would suffer as well.
>
> > Let me butt in as a grumpy
> > not-so-old man and point out that there's nothing even remotely
> > "secure by default" by even allowing javascript, considering its
> > horrible track record.
>
> So better run javascript on your phone or any other OS, right?
>
> > Perhaps this is one of the reasons for the disinterest with browser
> > performance?
>
> No. The reason is always the same: somebody has to do the work. It's
> not easy, it takes time and we all have other things to do.

I've got to totally disagree that other OSes don't have a big problem with Firefox. A while back I bought an old box with 4GB and Windows 7 installed. I then took advantage of the free one-year upgrade to Windows 10. I have EXACTLY the same problem in Windows as in OpenBSD! Suddenly Firefox just crashes.

I am right now using 6.1 stable. Firefox has changed in one way for the better. (Thanks to whoever, wherever for that!) It now takes a long period to actually finish crashing and always comes up clean or with a restore. Occasionally the last tab is lost, which is probably a good thing. Watch top as it very slowly lets Firefox crash. Or I should say as Firefox crashes itself, not top. :-)

Firefox has been reliably crashing for years on many different boxes I have had, so this is nothing new to me.

I can't write anything except the most simple javascript, but having "form letter" javascript from 30-35 companies on a website and making all of that interact probably is just not up to the skills of the IT staff (or they would just write the code themselves without any extra junk in it).

As far as YouTube, except for that brief period where they went with Flash, I have had no trouble with watching videos for several years.

Frankly, trying to get more people to start using OpenBSD is a waste of time. I have tried repeatedly and failed. The correct users of OpenBSD are going to bring themselves to using it. Just like I brought myself.

Crash!
Chris Bennett
Re: Etnernal & infernal browser woes
On Sat, Apr 29, 2017 at 05:28:33PM +0200, Sebastien Marie wrote:
> On Sat, Apr 29, 2017 at 11:21:25PM +0900, Bryan Linton wrote:
> > On 2017-04-29 15:48:51, Ingo Schwarze wrote:
> > > Chris Bennett wrote on Sat, Apr 29, 2017 at 07:10:05AM -0500:
> > >
> > > > Firefox [...] takes a long period to actually finish crashing
> > >
> > > It dumps core. That takes a long time because firefox tends
> > > to waste huge amounts of memory [...]
> >
> > One hack I've done when I don't care about actually getting or
> > using a corefile from large programs is to do the following:
> >
> >   # rm progname.core
> >   # touch progname.core
> >   # chflags uchg progname.core
> >
> > Of course, I'd only recommend doing so if one is absolutely
> > certain they don't want a corefile from said program ever again,
> > and will remember to unset that flag should they ever change their
> > mind.
>
> If you want to disable core dump for a program, you could (should ?)
> configure your RLIMIT_CORE to 0.
>
>   $ ulimit -c 0
>   $ firefox
>
> --
> Sebastien Marie

That's great. I was traveling a few months ago and I had a box of hard drives I was using stolen. Temporarily, I really need to not have any of those huge core files eating up space.

Saddest thing is I know they probably just opened the box and threw them away.

Chris Bennett
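Sebastien's RLIMIT_CORE suggestion as a small wrapper, added here as an example (not code from the thread): it lowers the core limit and then execs whatever program is named on its command line, so the program inherits the limit the same way it does after `ulimit -c 0` in the shell. The script name nocore.py and the `lock` flag are my own; `ulimit -c 0` in ksh and bash sets both the soft and the hard limit unless -S is given, which corresponds to lock=True here.

```python
"""Run a program with core dumps disabled via RLIMIT_CORE.

Usage (hypothetical file name): python3 nocore.py firefox
"""
import os
import resource
import sys


def disable_core_dumps(lock=False):
    """Set this process's soft RLIMIT_CORE to 0; return the (soft, hard) pair now in effect.

    The limit survives exec, so a program started from here inherits it.
    With lock=False only the soft limit drops: the program, or a shell it
    spawns, could raise it back up to the hard limit (`ulimit -c unlimited`).
    With lock=True the hard limit is set to 0 as well; lowering a hard limit
    needs no privilege but raising it again does, so the setting sticks for
    the whole process tree.
    """
    soft, hard = resource.getrlimit(resource.RLIMIT_CORE)
    new_hard = 0 if lock else hard
    resource.setrlimit(resource.RLIMIT_CORE, (0, new_hard))
    return resource.getrlimit(resource.RLIMIT_CORE)


def core_dumps_locked_off():
    """True when neither this process nor anything it execs can write a core file."""
    soft, hard = resource.getrlimit(resource.RLIMIT_CORE)
    return soft == 0 and hard == 0


def main(argv):
    if len(argv) < 2:
        sys.exit("usage: nocore.py program [args...]")
    # A core file is an image of the process's memory (session cookies,
    # passwords in flight, ...), so for a browser locking it off is the
    # sensible default; drop lock=True if you may want a dump later.
    disable_core_dumps(lock=True)
    os.execvp(argv[1], argv[1:])  # replaces this interpreter with the program


if __name__ == "__main__":
    main(sys.argv)
```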
Re: Beg for Atheros wifi driver
On Mon, Apr 16, 2018 at 07:43:09AM +, Antal Ispanovity wrote:
> By the way, you just need to have a look at this page, click on a driver
> and you can see a list of supported devices:
> https://man.openbsd.org/?query=wireless&apropos=1

This DOES NOT always work. I have bought several supported model numbers that had been replaced with new chipsets. I'm having the same problem and I am going to order one online today. Pretty frustrating buying one after the next only to fail.

Chris Bennett

P.S. I'm installing a snapshot first to see if that solves the problem since I have one to return to the store with me.
Re: Owner and group of a newly created file
On Sun, Jul 01, 2018 at 04:01:16PM +, Philip Guenther wrote:
> This goes back to a split in behavior between the BSD-derived and
> USG-derived ("Unix Systems Group", spun off from AT&T) systems.
> BSD-derived systems always gave new files the group of the directory in
> which they were created, while USG-derived systems used the effective
> group-id of the process that created the file. Vendors realized the BSD
> behavior is more useful for actual groups of people, but they presumably
> didn't feel like they could change the behavior of their existing systems
> so they added this "setgid on the directory means follow BSD rules"
> behavior. Linux has always had a more USG/Sys5 flavor to it, so they
> followed that rule instead of just making the behavior the Right Thing.

Thank you for this information. I have been puzzled about the reason why certain groups were selected when I created new files. Usually this has been OK, but a bit puzzling. This is very helpful to know.

Quick question. If I set the primary user group to or whatever group the file has, will I still need to use rm -f on the file to delete it? I'll figure this out for myself anyway, but it seems like it might be good to have an answer to on the list archives.

Chris Bennett
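A probe for the rule Philip describes, added here as an example (not code from the thread; the function and verdict names are mine): it creates a directory whose group differs from the process's effective gid, when the caller belongs to a second group, and reports which group new files get with and without the setgid bit on the directory.

```python
"""Probe which group a newly created file gets: the directory's group
(BSD rule) or the creating process's effective gid (USG/SysV rule), and
whether the setgid bit on the directory switches between the two."""
import os
import stat
import tempfile


def probe_new_file_group(base=None):
    """Create a test directory, chgrp it to a supplementary group if one is
    available, then create one file with the setgid bit clear and one with
    it set, and report the group each file received.

    verdict is one of:
      "directory"             new files always follow the directory (BSD rule)
      "process-unless-setgid" effective gid, unless the directory is setgid
      "process"               effective gid regardless (USG rule, no extension)
      "indeterminate"         caller has no second group, so the rules coincide
    """
    egid = os.getegid()
    others = [g for g in os.getgroups() if g != egid]
    with tempfile.TemporaryDirectory(dir=base) as tmp:
        d = os.path.join(tmp, "shared")
        os.mkdir(d)
        if others:
            try:
                # chgrp to a group we belong to, so dir_gid != egid
                os.chown(d, -1, others[0])
            except OSError:
                pass  # filesystem refused; verdict will be indeterminate
        dir_gid = os.stat(d).st_gid

        os.chmod(d, 0o770)                 # setgid bit clear
        plain = os.path.join(d, "plain")
        open(plain, "w").close()
        plain_gid = os.stat(plain).st_gid

        os.chmod(d, 0o770 | stat.S_ISGID)  # setgid bit set
        sg = os.path.join(d, "setgid")
        open(sg, "w").close()
        setgid_gid = os.stat(sg).st_gid

    if dir_gid == egid:
        verdict = "indeterminate"
    elif plain_gid == dir_gid:
        verdict = "directory"
    elif setgid_gid == dir_gid:
        verdict = "process-unless-setgid"
    else:
        verdict = "process"
    return {"egid": egid, "dir_gid": dir_gid, "plain_file_gid": plain_gid,
            "setgid_file_gid": setgid_gid, "verdict": verdict}


if __name__ == "__main__":
    for key, value in probe_new_file_group().items():
        print("%-16s %s" % (key, value))
```

Run it as a user who is in at least two groups to get a definite verdict; on a single-group account it can only report "indeterminate".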
Installed current on top of FAT32 flash, Recover old filesystem??
I very carefully and surely tested which flash drive to use and then pulled out the wrong one. I stopped the install with halt and have done nothing else.

Should I have yanked it, halted it or just said goodbye? ddrescue or something else or nothing else?

Thanks, I hope,
Chris Bennett
Questions about crypto and USA laws, concerns today
I don't watch any news on TV and for the most part only read headlines that show up on my phone despite the fact I don't want them.

What is going on overall with the US and cryptography? I recently joined an organization that has legitimate concerns about privacy, so I thought I'd ask those who know and have history with this issue. "Get a lawyer" doesn't seem like very useful advice, since all of this seems to be in the process of change at the upper levels of US government.

How does the outlook appear to be right now? I was young when all the original BS was going on with exporting cryptography, so my memories aren't very useful. I haven't searched anywhere yet, since I wanted to know if the old topics about this on the lists are still good references or have things changed too much to be very useful?

As a side note, the organization has just put up a new website running on software they own and are still in the process of getting completely working. They are using nginx and wordpress. I don't know any more than that.

Thanks for any response. I do consider this on topic for OpenBSD since things are concerning here in the USA.

Chris Bennett
Re: X desktop environment & system bus
You should note that spectrwm is keyboard driven. Not the programs you add, just spectrwm. If you like using the keyboard as much as the mouse or don't even want to use a mouse at all, it will work for you. But you do have to learn to use it, but that's not hard.

Chris Bennett

And just use startx to get fvwm when you first install. It's in the base install and the pure console sucks.
Re: A problem from user
On Wed, Jul 25, 2018 at 02:00:15AM +, Ken M wrote:
> I will beat others to the punch and say you were looking for Ubuntu not
> OpenBSD.

Hmm. I am an OpenBSD user because of the horrible experiences with Linux years ago.

> OpenBSD is plenty easy to use, but the type of easy to use you describe with a
> full desktop environment is not the target.

My desktop seems fully functional. OK, I'm not a gamer, can run Netflix elsewhere, as well as YouTubeTV. But then Windows is an even worse experience than getting a choice of window manager. Did you notice I said "choice"?

RTFM and read the FAQ are not what new users are expecting. They learn or leave. Nothing about any OS or set of programs is simple. But that is also the fun part, so much to learn and so much power once you know it.

Chris Bennett
Re: wifi gui manager
On Wed, Aug 22, 2018 at 04:29:38PM +, ed...@pettijohn-web.com wrote:
> I'm curious why you have to be root to set up networking, but the operator
> group can shut the machine off.

Well, there are probably additional reasons too, but my father happily runs OpenBSD. Of course, he needs to be able to turn the computer off. But he does not in any way understand networking. I've been places where ifconfig urtwn0 scan produces about 50 wifi connections. Which ones are safe? Which ones are evil, trick connections in order to screw over anybody that connects? Or perhaps to let all through safely but make the data rate "spamd slow".

After all the years he has used OpenBSD, he still hasn't read the FAQ. Things work, dad happy. :-}

Chris Bennett
Base httpd and addons like OpenSMTPD extras in ports?
Don't get mad, please!!! ;-}

My work and mind have been elsewhere, so I'm not sure what people are really begging for and what is silly to include. Keeping the base small is great! But would it be reasonable to throw in some ports that add on some extra features that only a smaller number of people want?

I know I will be using rewrites myself when I move over to base httpd when 6.4 comes out. I bought three E-books from Lucas, but every time I sit down and start reading, something pops up that tears me away.

Small, clean and KISS are fully supported by me. Still, just a bit of curiosity if this might be a good idea or not.

Thanks,
Chris Bennett
Re: Base httpd and addons like OpenSMTPD extras in ports?
On Tue, Aug 28, 2018 at 03:08:46AM +, jungle Boogie wrote:
> Chris,
>
> What are httpd add-ons?

Umm, base httpd did not have rewrites before, now it does. That could have been done as an add-on instead.

Chris
Re: Base httpd and addons like OpenSMTPD extras in ports?
OK, that all makes sense. I probably made a poor subject line for this too.

I was busy with other things when nginx was discarded from base and httpd was substituted in. I really didn't like a few things I read about nginx, but the whole discussion about httpd I missed out on reading up on.

This seems like a good question to ask, since it might have been a useful method of having working, but low-priority modules separately out of the way, or not.

Thanks, this answer also makes what's going on behind the scenes with many choices all over the base and the developers' thought processes much clearer to me. I'm glad I asked this question. Totally forgetting about httpd, your answer helps with the bigger picture. Which is really more important than any particular program in base.

Thanks,
Chris
Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available
On Wed, Aug 29, 2018 at 06:09:39PM +, Z Ero wrote:
> Hi Stuart,
>
> Thanks for the respectful reply. I am a little bewildered by the
> degree of unwarranted hostility the original post met, but whatever,
> when in Rome... I believe as of now most commercially available small
> business or home LAN routers / WAN gateways are 32 bit MIPS or ARM
> based (as opposed to enterprise, c.f. the 64 bit MIPS Octeon Edge
> Router). I understand your comment about the larger 64 bit address
> space being more secure because it is such a vaster space better able
> to be randomised, but I am not sure how much this really matters
> practically. For example, have journal studies shown that in the real
> world 32 bit routers are actually hacked or 'pwned' at a higher rate
> (after accounting for market share) than 64 bit based machines?

I highly recommend you read the full site at https://www.openbsd.org
If the developers of OpenBSD say something about security, well you better believe it. Note: Two, not two thousand, bugs in more than 20 years that have resulted in remote access being possible. I sleep very well each night knowing that, unless someone has physically in person attacked my server, I have no problems.

I also recommend that you pay close attention to the refusal to allow anyone who is, was or used to be part of the USA to contribute to anything related to cryptography. Look up and pay attention to all of the past and continuing attacks on cryptography that the USA continues.

Finally, whether intended or not, your intention to try to SELL something on this list is extraordinarily rude. Move on and go learn about this on your own. The Internet is filled with useful information. The mailing list archives also have a tremendous amount of useful info. Perhaps reading the source code, which is freely available, deals with all of these issues. If you can't program C, learn it.

Chris Bennett
Re: how to install perl modules w/ dependencies that mix packages & CPAN
On Sat, Sep 01, 2018 at 12:52:57AM +, Jonathan Thornburg wrote:
> What's the "OpenBSD way" to install Perl modules which don't exist
> as packages?
>
> The usual Perl idiom for "install module foo & all of its (recursive)
> dependencies" is "cpan install foo", but this fetches all dependencies
> from CPAN, ignoring any OpenBSD packages which may exist. What I'd like
> is something like "cpan install foo", but with the semantics that for
> each dependency, if there's an OpenBSD package in /etc/installurl which
> is the same module version as the latest CPAN version, then install
> the OpenBSD package instead. Is there a utility already around which
> does this?

Afraid not. I've only added or updated a very small number of Perl ports. I've found that some are very simple to do. Just learn how and submit it to ports@ (which is the correct list for this question, just remember that for the future, please). Others must have patches. Really, they need some minor but crucial patches to be "OpenBSDified". This isn't Linux.

And when you start to talk about recursively adding multiple dependencies, that's where disaster strikes. A big mess with wrong locations, wrong this, wrong that. And exactly how would you even figure out the nightmare of updating or removal? After all, you don't have any idea where anything is. Testing? Not gonna work out. Security? Oh yeah, that's not important, is it? Your clients or your own data getting processed or lost? Oops!

This is why everything is moving as a solid unified system and packages. Everything is examined by multiple eyes. Some Perl modules don't and cannot ever work under OpenBSD. Our ports system works well, but is plagued by all of those screwy linuxisms.

Now, if you really want to do this sort of thing without adding to and using the existing ports tree, feel free to. See the instructions for doing a fresh re-install. You might need it.

Seriousness aside, it's a good question to ask and anyone coming from another OS usually wants (expects?) to be able to do this. Welcome to OpenBSD! It's a tight ship and those ships usually don't sink! ;>)

Chris Bennett
Re: resize /usr
On Sun, Sep 02, 2018 at 04:16:57PM +, Ken M wrote:
> OK so now that I have been saved from my stupidity, let's try to prevent more
> stupidity.
>
> $ df -h
> Filesystem     Size    Used   Avail Capacity  Mounted on
> /dev/sd0a     1005M    245M    710M    26%    /
> /dev/sd0h     62.9G   21.7G   38.1G    36%    /home
> /dev/sd0d      3.9G    302K    3.7G     0%    /tmp
> /dev/sd0f     14.8G   11.6G    2.5G    82%    /usr
> /dev/sd0g     19.7G    1.1G   17.6G     6%    /usr/ports
> /dev/sd0e     11.2G   56.1M   10.6G     1%    /var
>
> Above is my current disk setup, what I would like to do is shrink /usr/ports
> to grow /usr.
>
> So from what I get growfs will work if I have space after /usr. So can I
> shrink /usr/ports and move it back so there is space after /usr or do I need
> to completely drop and recreate /usr/ports?

You can only do this if /usr/ports is directly after /usr. Use disklabel sd0 to get the positions. However, if /usr/ports is big enough and it's in the wrong spot, you can play games with switching them. I do this occasionally. If you can pull this off, use the n command in disklabel to rename /usr to something like /usr2 and /usr/ports as /usr/ports2, fiddle things around and then turn /usr2 into /usr/ports and /usr/ports2 into /usr.

What I don't see is /usr/local and that makes things much harder unless you can pkg_delete everything and then re-install. You might find it much easier to ditch /usr/ports, add /usr/local to disklabel and another for /usr/ports that is much smaller. But we need to see your disklabel or any advice is hard to give. Also, by not having a /usr/local partition, your security is worse since that is the only partition that should use wxallowed in /etc/fstab.

Basically, this is going to be really easy or really challenging. growfs works well. There is no such command as shrinkfs, but it can be done if well planned, usually. Or maybe not. Others may have different advice, but put up your disklabel sd0 here for sure.

Just be glad you don't need to move /var. I've done it but ugh!

Chris Bennett
Change Windows10 disk to OpenBSD, but not sure what disklabel and fdisk mean
Hi,

I've gotten tired and paranoid about having Windows 10 on my hard drive in a laptop, but I'm not sure what partitions to keep or ditch. I am running off of USB flash drives, which are pesky to keep in and slow.

Thanks,
Chris Bennett

Here are some outputs:

disklabel
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: WDC WD10SPCX-24H
duid:
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 121601
total sectors: 1953525168
boundstart: 0
boundend: 1953525168
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:       1953525168                0  unused
  i:           532480             2048   MSDOS
  j:            32768           534528 unknown
  k:       1898479616           567296   MSDOS
  l:         52428800       1899046912   MSDOS
  m:          2048000       1951475712 unknown

fdisk
Disk: sd0       Usable LBA: 34 to 1953525134 [1953525168 Sectors]
   #: type                                 [       start:         size ]
   0: EFI Sys                              [        2048:       532480 ]
   1: e3c9e316-0b5c-4db8-817d-f92df00215ae [      534528:        32768 ]
   2: FAT12                                [      567296:   1898479616 ]
   3: FAT12                                [  1899046912:     52428800 ]
   4: Win Recovery                         [  1951475712:      2048000 ]

dmesg
OpenBSD 6.4-beta (GENERIC.MP) #285: Sat Sep 1 12:51:52 MDT 2018
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3774021632 (3599MB)
avail mem = 3650387968 (3481MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev.
Re: Change Windows10 disk to OpenBSD, but not sure what disklabel and fdisk mean
OK, I see that I needed to use fdisk -v.

Any need to preserve any existing stuff? (and how if so?)

Primary GPT:
Disk: sd0       Usable LBA: 34 to 1953525134 [1953525168 Sectors]
GUID: 0b27fac9-4c45-460c-b321-f6ba7ccacfb9
   #: type                                 [       start:         size ] guid                                 name
   0: EFI Sys                              [        2048:       532480 ] ea1f79db-2bee-4ade-9b7c-017de2787211 EFI system partition
   1: e3c9e316-0b5c-4db8-817d-f92df00215ae [      534528:        32768 ] 4aeb925c-5204-441c-b69a-1c834c45f14a Microsoft reserved partition
   2: FAT12                                [      567296:   1898479616 ] 71338e9f-73de-47e5-af24-f4dd9ffe124a Basic data partition
   3: FAT12                                [  1899046912:     52428800 ] 2ed3bbc7-5870-4fc0-be04-ba6cfaf9284c Basic data partition
   4: Win Recovery                         [  1951475712:      2048000 ] 11ab734a-6c45-4b61-b15b-3fad264c92d2 Basic data partition

Secondary GPT:
Disk: sd0       Usable LBA: 34 to 1953525134 [1953525168 Sectors]
GUID: 0b27fac9-4c45-460c-b321-f6ba7ccacfb9
   #: type                                 [       start:         size ] guid                                 name
   0: EFI Sys                              [        2048:       532480 ] ea1f79db-2bee-4ade-9b7c-017de2787211 EFI system partition
   1: e3c9e316-0b5c-4db8-817d-f92df00215ae [      534528:        32768 ] 4aeb925c-5204-441c-b69a-1c834c45f14a Microsoft reserved partition
   2: FAT12                                [      567296:   1898479616 ] 71338e9f-73de-47e5-af24-f4dd9ffe124a Basic data partition
   3: FAT12                                [  1899046912:     52428800 ] 2ed3bbc7-5870-4fc0-be04-ba6cfaf9284c Basic data partition
   4: Win Recovery                         [  1951475712:      2048000 ] 11ab734a-6c45-4b61-b15b-3fad264c92d2 Basic data partition

MBR:
Disk: sd0       geometry: 121601/255/63 [1953525168 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: EE      0   0   2 - 267349  89   4 [           1:   4294967295 ] EFI GPT
 1: 00      0   0   0 -      0   0   0 [           0:            0 ] unused
 2: 00      0   0   0 -      0   0   0 [           0:            0 ] unused
 3: 00      0   0   0 -      0   0   0 [           0:            0 ] unused

Microsoft reserved partition would be what? I just don't want to end up with a non-bootable drive. Windows 10 sticks its fingers into changing BIOS settings, especially after a big update.

And now I go searching for lots of stuff on Gurgle.com. Which really gets me pretty worthless crap for about 2 years now.

Thanks,
Chris Bennett
Re: Lesser evil
On Tue, Sep 04, 2018 at 01:35:05PM +, Kevin Chadwick wrote:
> At least with Windows you have a good idea before you install what risks
> you are taking even in a bad case of some ancient sha1 signed file from
> a http link. With OpenBSD, I hope that the packaging community is
> security conscious.
>
> I tried OpenBSD with Linux for a work package but have found that
> OpenBSD gives me great UNIX and security for most and all general tasks
> and Windows gets best support, latest software features/options and
> actually with Windows 10 a more secure kernel than Linux and with a
> smart user, a reliable secure system. It also comes with native OpenSSH
> and LibreSSL! by default in version 1803 and has the built-in option of
> windows subsystem for linux.
>
> Windows updates do still take way too long though and perhaps they are
> gathering usage information, not that I care much. I hear they are
> working on the speed in insider previews.

Yes, not only do they take way too long, but each major update has failed about 15 times before success (for me at least). That has cost me hours and hours of wasted time. Even working in the background, it uses up all of my bandwidth so completely that I am unable to even get any other work done, i.e. YouTubeTV through Chrome, forget it. More disturbing, I have absolutely no choice about when an update is actually started. Just turn it on and wait hours for access. Especially if I wanted to just start PuTTY, check email and fly out the door.

Windows 10 does send a lot of usage data, but they still refuse to fully disclose what that exactly is or with whom they share it. No, no, bad Microsoft!

Plus, being closed source, why assume that they can't fully read and write ALL filesystems? They don't need to tell us that. That would, from a fully business point of view (not a paranoid view), possibly reduce Windows usage. More people, due to the file sharing problem, would be likely to just stay with Windows. That is good business and I don't blame them for that at all. But security-wise, it's also worrisome.

I first heard about them working on speeding up updates, but that was a long time ago and still nothing done.

So, both for financial (as in not a lot of disposable income) and really wanting the speed of the built-in hard drive in my laptop, I successfully ditched Windows 10 yesterday. I'm thrilled about how great OpenBSD -current is running. I'm also sad that I can't run things like Netflix, YouTubeTV, Amazon Prime Video and some other stuff now. But between my Android phone and Amazon Fire 5 tablet, I can do that stuff anyway, so not really a big loss.

I'm a bit paranoid, too. I freely admit it. I also might be too paranoid. Oh well.

But I also agree, if you need to run a particular OS for your software, go for it. We all need to get things done at home and at work. Use whatever works.

Never forget, OpenBSD had two remote access bugs. What will number three turn out to be? Could be serious or still unknown right now. So, no OS is perfect and no hardware is perfect either.

IMHO, I'm very happy with my choice, but you don't need to follow my choices at all.

Good luck and have good success,
Chris Bennett
Re: Running your own mail server
I have to absolutely agree that OpenBSD using OpenSMTPD is "the right solution" for this problem. It's secure and after a little bit of learning, not hard to use. Spamd is pretty effective for most spam. Not perfect, but what is nowadays? You can monitor both sent and received emails.

The delivery part raises the exact same questions for whatever you use, but dovecot is excellent and can work with whatever email programs you/they want to use on whatever devices.

As far as privacy, others can give you help with that and scanning incoming and outgoing emails. Personally, I would send a copy to another user and scan without actually reading them yourself unless a "red light" shows up. That can be accomplished pretty easily and I did that myself when I had a set of mailing list emails processed before a script posted them to a forum board of received emails. i.e. in from user joe, forwarded to joe2 and then scanning is done.

IMHO, I would skip using partially insecure OSes like Linux. These are your kids!

Chris Bennett
Ways to get PostgreSQL working with base httpd?
I know that PostgreSQL can be accessed via a socket or through 127.0.0.1. It's crucial since I've set it up for quite a lot of functionality on some of my websites. What are good and secure ways to accomplish this? And why is one or the other better?

I learned all kinds of stuff about the operator group in an unrelated thread, which has changed me to not give that out to any users at all.

I just couldn't google or DuckDuckGo anything at all about this. Plus I would also like to know a little bit more than just cut and paste if anyone has time to offer that up.

OT? I am assuming that for perl, since I wanted a full and clean startup.pl for mod_perl, I already know what modules I need to add from studying each module back a while ago.

Thanks,
Chris Bennett
Re: Vultr hosting of OpenBSD
On Sat, Sep 08, 2018 at 06:55:16PM +, Ken M wrote:
> 2. Is vultr a good place to host an openbsd box? If not interested in hearing
> alternatives.

I have been using baremetal servers. They are cheap (please don't go too cheap!) You do need to make sure that they will allow you to use a KVM and that it's not one of the old kind that required Java. You shouldn't let them install, since you will need to be able to do this regularly, plus you need access to the BIOS to turn off hyper-threading. Right now I'm using one with an Intel and I'm not happy about that, so I'm going to look elsewhere next month.

Also, make sure that they don't have blacklisted IPs. Otherwise your time and money are wasted.

But I like having exclusive control of my server, short of them physically accessing it during maintenance, which leaves me just needing to keep good backups elsewhere. If you do this, make sure everything works under OpenBSD first.

But this isn't the way a lot of people want to do things, so go with whatever you're comfortable with. You might want to try a couple of different ways for one or two months. Not that much money and keep what you like best of the bunch. :-}

Chris Bennett
Re: Running your own mail server
On Sun, Sep 09, 2018 at 12:23:41PM +, Thomas Bohl wrote:
> > But the second (far more important) point I want to make is please *THINK
> > TWICE* if "running your own mail server" is something you are planning to
> > do on your home internet connection.
>
> For all intents and purposes, sending emails from a private internet
> connection directly to the receiving MX stopped working 15 years ago.
> (People started blocking everything with "dial" or "dyn" in the reverse
> DNS or HELO not being followed with the matching reverse DNS of the
> connected IP.) It should be in all books and tutorials by now.
> Word on the street has it that the IP networks of the cloud providers
> are slowly getting burned too.
>
> To live hassle-free you want your MX to have a static IP from a good
> "commercial neighbourhood", with a reverse DNS that matches the SPF
> entry and with your server's HELO greeting.
> Check whether your IP is listed on a DNSBL
> https://mxtoolbox.com/blacklists.aspx
> Demand a different one from your provider if it is *before* you
> associate your domain with it! (Or let the IP idle for a year or two.)
> Plus: Thanks to Let's Encrypt and the super easy acme-client in base
> there are no more excuses not to have a valid certificate.

I have to agree with this. When I signed up with Wikipedia as an editor, I found that my T-Mobile set of IP addresses for my hotspot were all blacklisted. I was able to get around the problem jumping around to access a form for special problems and now all is fine. This sort of problem will show up with any shared IP addresses.

I was having my server text me the info from one of my contact pages until somebody sent me a spam set of comments. T-Mobile blocked it with their spam filters. So I dropped getting the texts. I am annoyed by this, but that's just the way it is.

Chris Bennett
Re: Ways to get PostgreSQL working with base httpd?
On Sun, Sep 09, 2018 at 05:10:51AM +, Timo Myyrä wrote:
> Chris Bennett writes:
>
> > I know that PostgreSQL can be accessed via a socket or through
> > 127.0.0.1.
> I read your mail and I still don't know what you are trying to accomplish.
> Could you give a more specific question so it is easier to answer.

OK, I am assuming that just working through 127.0.0.1 will be OK. I just want to be sure that there are not any special issues I need to know about using base httpd. There may not be anything I need to know, so then this is, more than anything else, just possibly "noise" as far as that.

However, I have run into this weird problem. After starting up PostgreSQL while not using any network, or today when I am connected to WiFi through my phone hotspot, no problems. However, yesterday when I was using my hotspot I got the following:

/var/postgresql/logfile:
2018-09-08 12:34:45.209 PDT [32845] LOG: listening on IPv4 address "127.0.0.1", port 5432
2018-09-08 12:34:45.210 PDT [32845] LOG: listening on IPv6 address "::1", port 5432
2018-09-08 12:34:45.210 PDT [32845] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
2018-09-08 12:34:45.282 PDT [6899] LOG: database system was shut down at 2018-09-08 12:34:30 PDT
2018-09-08 12:34:45.286 PDT [32845] LOG: database system is ready to accept connections
2018-09-08 17:26:18.201 PDT [32845] LOG: received fast shutdown request
2018-09-08 17:26:18.203 PDT [32845] LOG: aborting any active transactions
2018-09-08 17:26:18.208 PDT [32845] LOG: worker process: logical replication launcher (PID 48119) exited with exit code 1
2018-09-08 17:26:18.209 PDT [34232] LOG: shutting down
2018-09-08 17:26:18.230 PDT [32845] LOG: database system is shut down
2018-09-08 17:32:51.693 PDT [62478] LOG: listening on IPv4 address "127.0.0.1", port 5432
2018-09-08 17:32:51.711 PDT [62478] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
2018-09-08 17:36:37.361 PDT [62478] LOG: received SIGHUP, reloading configuration files
2018-09-08 17:36:37.364 PDT [61376] LOG: database system was shut down at 2018-09-08 17:26:18 PDT
2018-09-08 17:36:37.420 PDT [62478] LOG: database system is ready to accept connections
2018-09-08 19:31:21.875 PDT [62478] LOG: received fast shutdown request
2018-09-08 19:31:21.878 PDT [62478] LOG: aborting any active transactions
2018-09-08 19:31:21.883 PDT [62478] LOG: worker process: logical replication launcher (PID 84341) exited with exit code 1
2018-09-08 19:31:21.883 PDT [96335] LOG: shutting down
2018-09-08 19:31:21.901 PDT [62478] LOG: database system is shut down
2018-09-09 01:13:49.070 PDT [11789] LOG: listening on IPv4 address "127.0.0.1", port 5432
2018-09-09 01:13:49.087 PDT [11789] LOG: listening on IPv6 address "::1", port 5432
2018-09-09 01:13:49.088 PDT [11789] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
2018-09-09 01:13:49.272 PDT [60464] LOG: database system was shut down at 2018-09-08 19:31:21 PDT
2018-09-09 01:13:49.449 PDT [11789] LOG: database system is ready to accept connections
2018-09-09 01:13:49.862 PDT [11789] LOG: received SIGHUP, reloading configuration files
2018-09-09 01:15:55.172 PDT [11789] LOG: received fast shutdown request
2018-09-09 01:15:55.174 PDT [11789] LOG: aborting any active transactions
2018-09-09 01:15:55.177 PDT [11789] LOG: worker process: logical replication launcher (PID 71619) exited with exit code 1
2018-09-09 01:15:55.177 PDT [84731] LOG: shutting down
2018-09-09 01:15:55.235 PDT [11789] LOG: database system is shut down

End of all OK, then this:

2018-09-09 05:39:00.886 PDT [1208] LOG: could not bind IPv4 address "198.105.244.104": Can't assign requested address
2018-09-09 05:39:00.886 PDT [1208] HINT: Is another postmaster already running on port 5432? If not, wait a few seconds and retry.
2018-09-09 05:39:00.902 PDT [1208] LOG: could not bind IPv4 address "198.105.254.104": Can't assign requested address
2018-09-09 05:39:00.902 PDT [1208] HINT: Is another postmaster already running on port 5432? If not, wait a few seconds and retry.
2018-09-09 05:39:00.902 PDT [1208] WARNING: could not create listen socket for "localhost"
2018-09-09 05:39:00.902 PDT [1208] FATAL: could not create any TCP/IP sockets
2018-09-09 05:39:00.903 PDT [1208] LOG: database system is shut down
2018-09-09 08:03:01.936 CDT [73639] LOG: could not bind IPv4 address "198.105.244.104": Can't assign requested address
2018-09-09 08:03:01.936 CDT [73639] HINT: Is another postmaster already running on port 5432? If not, wait a few seconds and retry.
2018-09-09 08:03:01.936 CDT [73639] LOG: could not bind IPv4 address "198.105.254.104": Can't assign requested address
2018-09-09 08:03:01.936 CDT [73639] HINT: Is another postmaster already running on port 5432? If not, wai
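The log above shows what went wrong: PostgreSQL's default listen_addresses is the name "localhost", the system resolver answered that name with two public addresses (198.105.244.104 and 198.105.254.104) while on the hotspot, and the bind then failed because the machine does not own them. The following is an added example, not code from the thread or from PostgreSQL: a small check that the answers for "localhost" are loopback only. The live lookup uses dig(1), which asks the DNS server directly (exactly the source that produced the public answers); the test feeds constructed answers instead of touching the network.

```shell
#!/bin/sh
# Added example: verify that "localhost" resolves only to loopback addresses.
# If a carrier or captive-portal resolver answers a public address for
# "localhost", a daemon that listens on the name rather than on 127.0.0.1
# either fails to start (as in the log) or, on a host that owns such an
# address, ends up reachable from the network instead of locally only.

# is_loopback ADDR: 0 if ADDR lies in 127.0.0.0/8 or is the IPv6 loopback
is_loopback() {
    case $1 in
        127.*)                  return 0 ;;
        ::1|0:0:0:0:0:0:0:1)    return 0 ;;
        *)                      return 1 ;;
    esac
}

# loopback_only ADDR...: 0 if every address given is loopback;
# otherwise lists the offending answers on stderr and returns 1.
loopback_only() {
    bad=0
    for a in "$@"; do
        if ! is_loopback "$a"; then
            printf 'non-loopback answer for localhost: %s\n' "$a" >&2
            bad=1
        fi
    done
    return $bad
}

# live_check: run loopback_only on what the configured DNS server says.
# Assumes dig(1) is present (it is in OpenBSD base). Note that libc may
# consult /etc/hosts before or after DNS depending on the "lookup" keyword
# in resolv.conf(5); dig shows only the DNS side.
live_check() {
    loopback_only $(dig +short localhost A localhost AAAA 2>/dev/null)
}

# Hardening that does not depend on the resolver at all: in postgresql.conf
# use literal addresses instead of a name, e.g.
#   listen_addresses = '127.0.0.1, ::1'
# so the daemon never asks DNS where "localhost" is.
```

Running `live_check` on a box connected through the same hotspot would print the two public addresses seen in the log; with a sane resolver it prints nothing and returns 0.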
Re: Ways to get PostgreSQL working with base httpd?
Funky connection so I skipped this on purpose. dmesg: OpenBSD 6.4-beta (GENERIC.MP) #285: Sat Sep 1 12:51:52 MDT 2018 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 4077236224 (3888MB) avail mem = 3944423424 (3761MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xdbb33000 (45 entries) bios0: vendor LENOVO version "5PCN20WW" date 01/15/2018 bios0: LENOVO 80XV acpi0 at bios0: rev 2 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP UEFI HPET APIC MCFG SBST SSDT MSDM BATB SSDT SSDT IVRS CRAT VFCT SSDT FPDT SSDT BGRT UEFI acpi0: wakeup devices GPP0(S4) GPP1(S4) GPP2(S4) GPP3(S4) GPP4(S4) GFX0(S4) GFX1(S4) GFX2(S4) GFX3(S4) GFX4(S4) XHC0(S3) EHC1(S3) SBAZ(S4) acpitimer0 at acpi0: 3579545 Hz, 32 bits acpihpet0 at acpi0: 14318180 Hz acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 16 (boot processor) cpu0: AMD A9-9420 RADEON R5, 5 COMPUTE CORES 2C+3G, 2994.72 MHz, 15-70-00 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,XOP,SKINIT,WDT,FMA4,TCE,NODEID,TBM,CPCTR,DBKP,PERFTSC,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,XSAVEOPT cpu0: 96KB 64b/line 3-way I-cache, 32KB 64b/line 8-way D-cache, 1MB 64b/line 16-way L2 cache cpu0: ITLB 48 4KB entries fully associative, 24 4MB entries fully associative cpu0: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 99MHz cpu0: mwait min=64, max=64, IBE cpu1 at mainbus0: apid 17 (application processor) cpu1: AMD A9-9420 RADEON R5, 5 COMPUTE CORES 2C+3G, 2994.39 MHz, 15-70-00 cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,XOP,SKINIT,WDT,FMA4,TCE,NODEID,TBM,CPCTR,DBKP,PERFTSC,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,XSAVEOPT cpu1: 96KB 64b/line 3-way I-cache, 32KB 64b/line 8-way D-cache, 1MB 64b/line 16-way L2 cache cpu1: ITLB 48 4KB entries fully associative, 24 4MB entries fully associative cpu1: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative cpu1: smt 1, core 0, package 0 ioapic0 at mainbus0: apid 4 pa 0xfec0, version 21, 24 pins, remapped ioapic1 at mainbus0: apid 5 pa 0xfec01000, version 21, 32 pins, remapped acpimcfg0 at acpi0 acpimcfg0: addr 0xf800, bus 0-63 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (GPP0) acpiprt2 at acpi0: bus -1 (GPP1) acpiprt3 at acpi0: bus 1 (GPP2) acpiprt4 at acpi0: bus 2 (GPP3) acpiprt5 at acpi0: bus -1 (GPP4) acpiprt6 at acpi0: bus -1 (GFX0) acpiprt7 at acpi0: bus -1 (GFX1) acpiprt8 at acpi0: bus -1 (GFX2) acpiprt9 at acpi0: bus -1 (GFX3) acpiprt10 at acpi0: bus -1 (GFX4) acpiec0 at acpi0 acpicpu0 at acpi0: C2(0@400 io@0x814), C1(@1 halt!), PSS acpicpu1 at acpi0: C2(0@400 io@0x814), C1(@1 halt!), PSS acpipwrres0 at acpi0: P0U3, resource for XHC0 acpipwrres1 at acpi0: P3U3, resource for XHC0 acpipwrres2 at acpi0: P0U2, resource for EHC1 acpipwrres3 at acpi0: P3U2, resource for EHC1 acpipwrres4 at acpi0: P0SD acpipwrres5 at acpi0: P3SD acpipwrres6 at acpi0: P0ST, resource for SATA acpipwrres7 at acpi0: P3ST, resource for SATA acpibtn0 at acpi0: PWRB acpicmos0 at acpi0 acpibat0 at acpi0: BAT0 model "L16L2PB2" serial 3458 type LiP oem "LGC" "VPC2004" at acpi0 not configured acpiac0 at acpi0: AC unit online acpibtn1 at acpi0: LID_ "PNP0C14" at acpi0 not configured "AMD0030" at acpi0 not configured "AMD0010" at acpi0 not configured 
"ELAN060C" at acpi0 not configured acpivideo0 at acpi0: VGA_ acpivideo1 at acpi0: VGA_ acpivideo2 at acpi0: VGA_ cpu0: 2994 MHz: speeds: 3000 2700 2400 2100 1800 1400 MHz pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 "AMD AMD64 15h Root Complex" rev 0x00 "AMD AMD64 15h IOMMU" rev 0x00 at pci0 dev 0 function 2 not configured vendor "ATI", unknown product 0x98e4 (class display subclass VGA, rev 0xda) at pci0 dev 1 function 0 not configured azalia0 at pci0 dev 1 function 1 vendor "ATI", unknown product 0x15b3 rev 0x00: msi azalia0: no supported codecs pchb1 at pci0 dev 2 function 0 "AMD AMD64 15h Host" rev 0x00 ppb0 at pci0 dev 2 function 3 "AMD AMD64 15h PCIE" rev 0x00: msi pci1 at ppb0 bus 1 vendor "Atheros", unknown product 0x0042 (class network subclass miscellaneous, rev 0x31) at pci1 dev 0 function 0 not configured ppb1 at pci0 dev 2 function 4 "AMD AMD64 15h PCIE" rev 0x00: msi pci2 at ppb1 bus 2 re0 at pci2 dev 0 function 0 "Realtek 8101E" rev 0x07: RTL8106E (0x4480), msi, address 54:e1:ad:18:86:57 rlphy0 at re0 phy 7: RT
Re: Running your own mail server
On Sun, Sep 09, 2018 at 04:52:01PM +, Ken M wrote:
> But frankly they go to a friends house in our red neck area with non tech
> savvy parents and who knows what happens. But frankly anywhere they are there is
> always something that could happen. I feel like there is no winning the battle
> of doing this, only losing. It is more important to teach them to make good
> decisions than trying to invade on all of their bad ones before they can make
> it. And frankly just like in science failure is a result so are the mistakes
> we all had to get to the point we learned from them.
>
> Ughh, sorry I opened what is more of a philosophical can of worms on the
> mailing list.

Actually, you did not. s/kids/confused new users/g and we are having a completely appropriate conversation on dealing with problematic users that need some monitoring for IT safety and secrecy issues. And that IS an important topic every day!

Chris Bennett
SSH extremely quickly dropped from T-Mobile phone hotspot
I am using my phone's hotspot, which may or may not be secure, but is not censoring my choice of sites to visit. Public WiFi in the USA does so all over the place. Worse, when I lived in Washington State, I was next to a Naval Air Station, which certainly eavesdrops, not OK, but this is the land of the free? Now I am living in the Capital of Texas, Austin which also leaves public WiFi under the same problems (legislature meets here). I cannot maintain an SSH connection unattended long enough to go to the bathroom and get a cup of coffee without the connection being dropped halfway through reading my email. Is autossh the right choice or is there a better way? The flow of data seems to be the problem. A static page disconnects. Thanks, Chris Bennett
Re: SSH extremely quickly dropped from T-Mobile phone hotspot
On Sat, Sep 15, 2018 at 08:38:26PM +, Stuart Henderson wrote:
> Perhaps your carrier's NAT has a quick timeout.
>
> Try these sysctls:
>
> net.inet.tcp.always_keepalive=1
> net.inet.tcp.keepidle=60
>
> There are ssh-specific keepalives too, but I bet it affects other
> protocols too (ftp etc) so the general one is likely to be a better
> choice.

Thanks, I will do this. The ssh advice worked.

BUT, I am supposed to be getting 4GLTE for my hotspot versus 3G that others offer. I'm not at all happy with throughput in general. I will report back after some testing for a few days and locations. If I get a wham-bam huge difference, then I'll report back right away!

Thanks everyone for the help. I'm already moving forward!

Chris Bennett
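The two layers discussed in this exchange, as an added example rather than anything posted in the thread: kernel keepalives (the sysctls quoted above, which make every idle TCP session send probes before the carrier's NAT forgets the mapping) and ssh's own keepalives (ServerAliveInterval / ServerAliveCountMax in ssh_config(5), which travel inside the encrypted channel and also detect a dead peer). The helper that edits a key=value file is mine and is written so that a second run updates the existing line instead of appending a duplicate; the file path is a parameter so it can be tried on a scratch file before touching /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example: persist TCP keepalive sysctls and an ssh keepalive stanza.

# upsert_kv FILE KEY VALUE: set KEY=VALUE in a sysctl.conf-style file,
# replacing an existing line for KEY (even a commented-out one) in place,
# so repeated runs never leave two conflicting lines.
upsert_kv() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are regex metacharacters
    if grep -q "^[#[:space:]]*$esc=" "$file"; then
        sed "s|^[#[:space:]]*$esc=.*|$key=$value|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY: print the active (uncommented) value for KEY, last one wins
get_kv() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^$esc=//p" "$1" | tail -n 1
}

# apply_tcp_keepalives FILE: the sysctls from the thread. FILE is
# /etc/sysctl.conf on a real system. To apply immediately as well, run
#   sysctl net.inet.tcp.always_keepalive=1 net.inet.tcp.keepidle=60
# always_keepalive probes even for sockets that never set SO_KEEPALIVE;
# keepidle is the idle time (seconds) before the first probe.
apply_tcp_keepalives() {
    upsert_kv "$1" net.inet.tcp.always_keepalive 1
    upsert_kv "$1" net.inet.tcp.keepidle 60
}

# ssh_keepalive_stanza: block to append to ~/.ssh/config. A request every
# 30 s keeps the NAT mapping warm; after 3 unanswered requests ssh gives up
# instead of hanging on a dead connection.
ssh_keepalive_stanza() {
    cat <<'EOF'
Host *
    ServerAliveInterval 30
    ServerAliveCountMax 3
    TCPKeepAlive yes
EOF
}
```

Usage: `apply_tcp_keepalives /etc/sysctl.conf` as root, then `ssh_keepalive_stanza >> ~/.ssh/config` once for the user that runs the sessions.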
Re: SSH extremely quickly dropped from T-Mobile phone hotspot
I get the same internal NAT'ed IP4 address every time, but my public IP4 address differs over time. I don't like the idea at all of keeping an open ssh session going on without having my equipment on and me nearby. See, I'm a US citizen in a country that has these nasty FISA courts and a variety of new-ish unconstitutional laws that allow the President and others to plant fake content on my server, snatch me up, deny me a lawyer, detain me forever and kill me without cause. Did I forget to mention that all the ISPs I have used, including T-Mobile take my search requests sent to https, yes https://google.com and know what those search terms were? I guess I'm just a paranoid without cause?? Nevertheless, I do appreciate all advice and will look into it anyway. I like to learn things and never ignore anything people teach me. Even if I disagree at the time, I often wish I had been wise enough to follow previous advice. I really don't know crap about IP6 and need to catch up with the times. As always, sometimes I come across as sounding rude or discourteous without intending to, so if I have, I apologize. I thank several people on tech@ for pointing that out to me a good while back. Thanks, Chris Bennett
Re: Pkg_add
If you are running a release/stable version, then you really ought to use a mirror versus openbsd.org. However, if you are running -current, you must be absolutely sure that the mirror is actually up to date. This bit me pretty hard a few years ago when I finally discovered the mirror I was using was not being updated properly. Annoyed with Google searches, I have tried DuckDuckGo and I am getting better results. There is a lot of good stuff about OpenBSD on the Internet, but be careful that it isn't too old. OpenBSD is racing forward with wonderful changes, so old info is often totally wrong. And don't despair if you don't get responses on the mailing lists. Sometimes people don't have the time, or are on vacation or your question could involve something that is being changed right at that time so that there really isn't an answer just yet. Chris Bennett
Re: SSH extremely quickly dropped from T-Mobile phone hotspot
Hmm, it doesn't matter about anything you just said.

First tenet of security: If physical security cannot be maintained, all security is immediately compromised. Period.

This server I am renting may not be under the control of whom I think I am paying. How could I possibly know? This server is Intel based. Possibly no more than a coincidence, but immediately after joining a pro-constitutional group, both my phone and laptop needed BIOS updates. Hardware flaws in both AMD and Intel that have NO software mitigations and that cannot be detected exist. This is just the world we live in.

I'm not a criminal and I have no secrets whatsoever to hide. I use OpenBSD because I am a bit of a perfectionist myself. Pure, clean code earns my utter respect. That security is a by-product is superb.

So, for my part, that's that. Unless anyone has some useful help beyond what I've already heard, this discussion is over on my part. Let's free up the list for others' needs.

Chris Bennett
Re: Running your own mail server
On Mon, Sep 17, 2018 at 06:33:52PM +, Mik J wrote:
>
> Really it will take time, here are the components I installed for this to
> work: opensmtp, dkimproxy, clamav, clamsmtp, nginx, roundcube, prosody,
> dovecot, let's encrypt, bind
>
> I'm using imapsync for the migration and plan to use openldap and bogofilter.

Here is where my problem is. OpenSMTPD and Dovecot, yes. Then, everywhere I look, I see an endless combination of different spam solutions. Every guide I've seen online tends to be a little out of date, as the knobs have all changed. And I have yet to find an explanation as to why they selected a particular combination. It seems that I should move to IMAP, but then I have to ask myself if that is even justified. I don't really know. I don't mind throwing in PostgreSQL, but where are some good table/column examples?

Every guide just jumps straight to "you need to install": A -> B -> C -> D -> E -> F -> G -> H -> I

Whoa. I'm on severe overload here. It's kept me from even installing Dovecot yet since I don't even know crap about B -> C -> D -> E

I don't mind putting in the work. But can anyone recommend a slower solution? Say skip C -> D -> E for now, but add them in bit by bit, which gives me time to actually study them? I really don't like cut and paste. I really want to get rid of as much spam as I can, but I'm patient. Also, other than the mailing lists, almost everything is starting to be HTML emails.

>
> Yes, this hostmaster work is more important for deliverability than the
> *optional* TLS & DKIM stuff, which I still don't bother at all with...
>
> Along with correct DNS PTR records (and matching SMTP HELO hostname),
> basic SPF & DMARC DNS records are almost essential to send.
>
> With almost all inbound connections being spam, fighting that is the
> main task of the postmaster. Aggressive spamd settings are needed here.
>
> After that, the MTA needs to be able to check the DNS validity of the
> sender's SMTP HELO hostname, and check their DNS PTR record is valid,
> and both the mail's envelope and address from domains have MX records.
>
> Most spam is sent by infected consumer devices, which do not have valid
> reverse DNS, nor a valid HELO hostname. After greylisting, bad DNS is
> the biggest indicator of spam. An MTA needs a lot of DNS knobs to tweak.
>
> Following that, the sender's IP address needs to be checked against
> multiple reliable DNS black and lists, and a cumulative score being
> totalled up to decide to reject or pass on to the next stage of tests.
>
> TLS & DKIM have very little value. The postmaster instead needs to work
> closely with the hostmaster and concentrate on good DNS practice/tests.

Then there is this part. Umm, I'd like to get this all correct. Despite the reading up on this that I've done, without seeing any correct examples, I feel a little like my DMARC is being put up my DKIM, to be a little graphic. I would like nothing more than an example of the whole ball of wax that I can use to cut and paste with my info substituted. This has got to be a lot simpler than what I've seen as far as explanations, which has left me very frustrated. Worse, I got stuck for months without a laptop/desktop to work from.

Yeah, I know I said cut and paste here. Shrug. This email thing is kinda important. I feel like a little kid trying to make pancakes with a fork instead of a spatula in a pressure cooker.

Right now is a good time for me to learn all this. I don't get or send much email. But I'm planning on trying to make a real living wage online. If that works, I better have this all figured out by then. Turns out that right hip problems are genetic from my father's side of the family. All I can say is Ouch! I need to figure this out.

Hey, thanks for any help and a special thanks for those clever OpenSMTPD people. Wow, sendmail was a real bitch!

Chris Bennett
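The quoted advice names three things a sending domain's DNS has to get right: a PTR record that matches the SMTP HELO name, an SPF record, and a DMARC record. The lint below is an added example (not from the thread, not part of OpenSMTPD or any DNS tool) that checks record strings for the mistakes that most often bite: a missing `v=spf1` prefix, a permissive `+all`, no terminal `-all`/`~all`, more than the ten DNS-lookup mechanisms RFC 7208 allows before receivers return a permanent error, a DMARC record without a `p=` policy, and a HELO name that is not fully qualified or differs from the PTR name. It runs on strings, so the test uses constructed records; on a live domain the SPF string would come from something like `dig +short TXT example.org`.

```shell
#!/bin/sh
# Added example: lint the DNS records that deliverability depends on.

# spf_lint RECORD: 0 if the SPF TXT record is well-formed and restrictive.
spf_lint() {
    rec=$1
    case $rec in
        "v=spf1"|"v=spf1 "*) ;;
        *) echo "SPF: record must start with v=spf1" >&2; return 1 ;;
    esac
    case " $rec " in
        *" +all "*|*" all "*)
            echo "SPF: +all authorises every host on the internet to send as this domain" >&2
            return 1 ;;
        *" -all "*|*" ~all "*) ;;
        *) echo "SPF: no terminal -all (or ~all); unlisted senders are merely neutral" >&2
           return 1 ;;
    esac
    # Mechanisms that cost a DNS lookup; receivers stop evaluating after 10.
    lookups=0
    for tok in $rec; do
        tok=${tok#[+?~-]}                        # strip an explicit qualifier
        case $tok in
            include:*|a|a:*|mx|mx:*|ptr|ptr:*|exists:*|redirect=*)
                lookups=$((lookups + 1)) ;;
        esac
    done
    if [ "$lookups" -gt 10 ]; then
        echo "SPF: $lookups lookup mechanisms, the limit is 10" >&2
        return 1
    fi
    return 0
}

# dmarc_lint RECORD: print the p= policy of a _dmarc.<domain> TXT record;
# 1 if the record is malformed or carries no policy.
dmarc_lint() {
    case $1 in
        "v=DMARC1;"*|"v=DMARC1 ;"*) ;;
        *) echo "DMARC: record must start with v=DMARC1;" >&2; return 1 ;;
    esac
    policy=""
    saved_ifs=$IFS; IFS=';'
    for tag in $1; do
        tag=$(printf '%s' "$tag" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $tag in
            p=none|p=quarantine|p=reject) policy=${tag#p=} ;;
        esac
    done
    IFS=$saved_ifs
    if [ -z "$policy" ]; then
        echo "DMARC: missing or invalid p= tag" >&2
        return 1
    fi
    printf '%s\n' "$policy"
}

# helo_ptr_consistent HELO PTR: 0 when the HELO name is fully qualified and
# equals the connecting address's PTR name (case and trailing dot ignored).
helo_ptr_consistent() {
    helo=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); helo=${helo%.}
    ptr=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]');  ptr=${ptr%.}
    case $helo in
        *.*) ;;
        *) echo "HELO '$1' is not a fully qualified host name" >&2; return 1 ;;
    esac
    if [ "$helo" != "$ptr" ]; then
        echo "HELO '$helo' does not match PTR '$ptr'" >&2
        return 1
    fi
    return 0
}
```

A practical reading of the results: `p=none` passes the syntax check but only reports, it does not stop anyone from spoofing the domain; `~all` is the usual starting point while the SPF record is still being assembled, and `-all` once every legitimate sender is listed.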
Re: Keyboard repeats characters way too often
I had the same problem on a release version. acpihpet0 fixed the keyboard problem. I am now running an earlier current and not specifying that. My time clock is way off. I'm going to need to re-add it to my sysctl.conf.

So this is a common problem.

Chris Bennett
Google abruptly accessed photos on memory card and MUCH more without permission
I travel frequently. Often outside of the US. I decided when in Mexico that I could possibly lose the tiny notepad so I took photos of my passwords on it. I did this on a Mexican phone and I have often used these photos when I couldn't remember rarely used passwords and my notepad wasn't with me. Seemed like a good idea at the time.

I also use Google photos and drive since I download a lot of photos of different beards and moustaches since this is the one thing I can change to look different (hey it's fun).

Suddenly, I discovered yesterday, basically by accident, that Google, on its own, without asking permission, just decided that it should back up folders including my photos. Now Google has all of my usernames and account numbers and passwords that are in those photos. So today, I have to change every single password and username in those photos. Which means I have to drop every single forum, app info, etc. And sign up again.

NOTE WELL: I also discovered that Google is not just storing passwords in Chrome, but is also monitoring ALL my app activities, passwords AND passing (selling most likely) my profile info and reviews to companies. Their wording is deliberately obscure as to what exactly is being stored and disclosed to others.

I use JuiceSSH on my Android phone. I like it. Guess what. Now I can't use it, or definitely I may be or am getting my usernames and passwords stolen! I also do not want my actual activities showing up. You know, like database passwords, etc.

I would really appreciate any advice on how to deal with this. Not being able to use SSH on my phone is a problem. Yet I see that this is no longer an option. Google is now very clearly out of control and violating, against our will, any level of privacy and not asking permission. Yet, they also offer some very alluring services such as YouTubeTV, which I both use and like. It's basically cheap cable that's portable and has DVR also included.
I'm going to start another thread right now that is probably a better place to answer this in, instead of spread over two threads. Fahrenheit 451, Chris Bennett
Remiss on my personal and server security practices, offering server usage to outsiders
This is the thread that I wished to start that pertains to OpenBSD. If usage of an SSH app on anyone's phone to access an OpenBSD server isn't relevant from a security point of view, well, let's ignore the communication breach from a hardware/software issue and I ask forgiveness.

I have not opened up my server before for full usage of email, web, database, etc. So I'm a total noob on really good security practices.

Proper owner:group all over the place. Not covered in hier(7). For example, I read that httpd should not have its Perl scripts owned by www:www. Well, what IS the right choice here? What about Perl modules I bring in? root:wheel seems wrong to me.

If I bring in an outsider to also have a site under httpd, how should I deal with preventing them from getting into the other virtual server folders, which usually contain sensitive information? This would seem to be an owner:group and permission thing. But HOW do I do this right? Do I give them an outside folder to work in and then give them the ability to have my software copy it into the chroot? What about each server's logs? Should I have them written to their home folders? They need to see those but not anyone else's.

Overall, what are the right and especially the wrong owner:group all over the general file system? I'm not really asking for a vague outline, I know very well that daemon is especially dangerous and needs to be used in some places and NOT in others. Right now I just have a hodge-podge all over the place. Is there a manual page that covers this? If not, should there be?

Hey, I grew up with DOS, BASIC and Windows. So I don't have any years of knowledge of "just how this obviously should be". (Thanks for the comments left in a project I gave a go at a while back, they were very educational about this topic. I may have failed at that project, but I do look at source code. I respect any requests not to reply to a personal email. I do not ignore such things, that would be extremely disrespectful.)

Passwords in general. I'm familiar with the xkcd about password strength. But I see sites with password strength checkers that are clearly wrong now that I have this knowledge. Are there any correct password checkers that I can insert into the passwd routine to keep things safer? I can't prevent anyone from their own mistakes about leaving it out, but I at least want to prevent break-ins with lousy passwords from attackers.

What else don't I know? This is one of those questions I have to ask since I don't know exactly what I don't know. There is an excellent pdf on a study about how people who are incompetent are unable to judge their own incompetence until they become more competent. Which is exactly my own problem. I am not competent enough to judge my own competence. I have not worked in IT. I do not know anyone who has, except over this list. I will ask stupid questions and not know it.

Any help welcome,
Chris Bennett
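On the question of plugging a password checker into passwd(1): OpenBSD's login.conf(5) provides exactly that hook, the `passwordcheck` capability (an external program that receives the candidate password on standard input and accepts it by exiting 0), alongside `minpasswordlen`. What follows is an added example, not something posted in the thread or shipped with OpenBSD: a checker in that shape which, following the xkcd argument, scores length rather than character-class rules, but also rejects well-known phrases, because "correct horse battery staple" itself is on every cracking wordlist. The deny list is a constructed stand-in for a real file of leaked passwords; the install path and the name pwcheck are my choice.

```shell
#!/bin/sh
# Added example: password quality filter for login.conf(5) "passwordcheck".
# Install as /usr/local/bin/pwcheck and reference it from login.conf, e.g.
#   default:\
#       :minpasswordlen=12:\
#       :passwordcheck=/usr/local/bin/pwcheck:
# (capability names from login.conf(5); the path and name are ours).

MINLEN=12

# Constructed deny list for the example; a real deployment would grep a
# large file of leaked and common passwords instead.
DENYLIST='password
passw0rd
letmein
correcthorsebatterystaple
qwertyuiopasdf'

# pw_quality: read one candidate from stdin; exit 0 = acceptable,
# 1 = rejected with the reason on stderr. Reading stdin (as passwordcheck
# does) keeps the secret out of argv and therefore out of ps(1).
pw_quality() {
    IFS= read -r pw
    len=$(( $(printf '%s' "$pw" | wc -m) ))
    if [ "$len" -lt "$MINLEN" ]; then
        echo "password too short: $len characters, need at least $MINLEN" >&2
        return 1
    fi
    # Normalise before the deny-list lookup: lower-case and keep only letters
    # and digits, so "Correct Horse Battery Staple!" still matches.
    norm=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]' | tr -cd '[:alnum:]')
    if printf '%s\n' "$DENYLIST" | grep -Fxq -- "$norm"; then
        echo "password is a well-known phrase" >&2
        return 1
    fi
    # Length alone is not enough: "aaaaaaaaaaaaaaaa" is long and worthless.
    distinct=$(( $(printf '%s' "$pw" | fold -w 1 | sort -u | wc -l) ))
    if [ "$distinct" -lt 5 ]; then
        echo "password uses too few distinct characters" >&2
        return 1
    fi
    return 0
}

# When installed under the name pwcheck, check stdin and exit with the
# result; under any other name only define the function (so the file can
# be sourced for testing without consuming stdin).
if [ "${0##*/}" = pwcheck ]; then
    pw_quality
    exit $?
fi
```

Try it before wiring it into login.conf: `printf '%s\n' 'some candidate' | ./pwcheck; echo $?`. Note that minpasswordlen is enforced by passwd(1) itself regardless of the external checker, so the length rule here is a second line of defence, not the only one.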
Re: Remiss on my personal and server security practices, offering server usage to outsiders
On Wed, Sep 19, 2018 at 04:14:47PM +0200, Solene Rapenne wrote:
> Chris Bennett wrote:
> > I have not opened up my server before for full usage of email, web,
> > database, etc. before. So I'm a total noob on really good security
> > practices.
> >
> > Proper owner:group all over the place. Not covered in hier (7).
>
> look at security(8), especially the mtree part

Thank you. I used it a few times but I never opened the files in /etc/mtree. Very useful. Although that doesn't cover all of my owner:group questions, I can see a little better now.

Chris Bennett
Re: Remiss on my personal and server security practices, offering server usage to outsiders
On Wed, Sep 19, 2018 at 06:08:19PM +0100, Kevin Chadwick wrote:
> On Wed, 19 Sep 2018 07:03:56 -0700
>
> > This is the thread that I wished to start that pertains to OpenBSD.
> > If usage of an SSH app on anyone's phone to access an OpenBSD server
> > isn't relevant from a security point of view, well, let's ignore the
> > communication breach from a hardware/software issue and I ask
> > forgiveness.
>
> Termux APP provides OpenSSH binaries but sadly built with OpenSSL not
> Libressl but faster than an APP. Better still use usb/wifi tethering to
> an OpenBSD laptop?

That's exactly what I'm doing right now. Using phone WiFi and ssh on laptop. My concerns mean that I will restrict using my phone's apps with anything that isn't fit to be spread anywhere. Oh well, I still like my phone but I have to just look at it like any hardware/software flaw.

Chris Bennett
Re: Remiss on my personal and server security practices, offering server usage to outsiders
On Wed, Sep 19, 2018 at 10:48:50AM -0600, Theo de Raadt wrote:
> Surely this is off-topic for misc, your phone has nothing to do with openbsd.

Perhaps we have different perspectives due to our ability on *how* we access the internet and thus focus on this issue differently. Right now, I am not living at a fixed location anywhere. All of my internet access is not through a hard line, but by necessity through WiFi or tethering. If I have some kind of server emergency and I do not have my laptop with me, I am forced to access ssh directly from my phone or seek a public computer that actually allows Putty or ssh. I just left an area where there were NO public computers that allowed that.

Why wouldn't I just bring my laptop? Because I am not allowed to drive due to a past history of seizures. Thus bringing my laptop while shopping for anything means one hand less to carry anything with.

I actually thought very carefully whether to mark this OT or not. After considering my situation, this issue really does directly affect my secure access to OpenBSD. I am certainly not mad at your viewpoint. We are all here by choice and I am now completely satisfied with not speaking any further about anyone's phone.

Chris Bennett

> Chris Bennett wrote:
>
> > On Wed, Sep 19, 2018 at 06:08:19PM +0100, Kevin Chadwick wrote:
> > > On Wed, 19 Sep 2018 07:03:56 -0700
> > >
> > > > This is the thread that I wished to start that pertains to OpenBSD.
> > > > If usage of an SSH app on anyone's phone to access an OpenBSD server
> > > > isn't relevant from a security point of view, well, let's ignore the
> > > > communication breach from a hardware/software issue and I ask
> > > > forgiveness.
> > >
> > > Termux APP provides OpenSSH binaries but sadly built with OpenSSL not
> > > Libressl but faster than an APP. Better still use usb/wifi tethering to
> > > an OpenBSD laptop?
> > >
> > That's exactly what I'm doing right now. Using phone WiFi and ssh on
> > laptop. My concerns mean that I will restrict using my phone's apps with
> > anything that isn't fit to be spread anywhere. Oh well, I still like my
> > phone but I have to just look at it like any hardware/software flaw.
> >
> > Chris Bennett
> >
>
Re: Remiss on my personal and server security practices, offering server usage to outsiders
I would like to continue what this topic is actually about. Frankly, I only mentioned the phone thing on this topic BECAUSE of Theo's immediate response to my other topic. A mistake on my part. Please feel free to reply to me off the list. I will not post anything you send me to the list. I appreciate greatly those who have sent me some very helpful advice already off-list. But this topic is not about phones. I am asking for help with security on an OpenBSD server and I would still like more help. I still would like to know about httpd's owner:group and permissions on files not served to the public. Chris Bennett
Solved? permissions, httpd with sftp chroot directory
OK, I think I have this right now Files in /etc/mtree show proper owner:group mode everywhere. Files inside of httpd chroot have same as outside. Added an sftp chroot directory inside of httpd chroot for external user. Thus they can upload and download, but do the work elsewhere. Nologin. Right now, these directories for individual websites have ownership of root:daemon, is that correct? Thanks, Chris Bennett
Re: Solved? permissions, httpd with sftp chroot directory
On Wed, Sep 19, 2018 at 02:59:42PM -0700, Chris Bennett wrote:
> OK, I think I have this right now
>
> Files in /etc/mtree show proper owner:group mode everywhere.
> Files inside of httpd chroot have same as outside.
> Added an sftp chroot directory inside of httpd chroot for external user.
> Thus they can upload and download, but do the work elsewhere. Nologin.
> Right now, these directories for individual websites have ownership
> of root:daemon, is that correct?

Seems to be all OK, except that I had to create a subdir in order to get everything right with sftp chroot. I'm OK with that. I'll look through the threads I didn't read but saw to learn more. :-)

Chris Bennett
Include all Perl inside httpd chroot, use mtree and pull out unused for security
I started manually to include Perl files one at a time to learn how things work at home on -current. Then I copied everything in. But why risk security for unused Perl? I would like to eliminate the unused files and then use mtree to watch and use that to inform me of any in particular that need replacement during updates or security breaches using mtree. What is the actual syntax for the mtree files in /etc/mtree? I use vim. Should I use sqlports-compact or pkg_mgr, neither of which have I used before when updating? Or use output from mtree when security is run for first time after updates? Thanks, Chris Bennett
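On the question of what the files in /etc/mtree look like, and of using mtree to watch the chroot's Perl tree (which is also what the security(8) pointer earlier in this thread was about): the following is an added example, not the thread's own code and not OpenBSD's mtree(8) implementation. It writes a specification for a directory in the same hierarchical format those files use (`/set` lines for defaults, one entry per line with keyword=value pairs, `..` to leave a directory) and compares two specifications to report added, removed or changed files. It needs only POSIX tools, so it also runs where mtree is absent; on OpenBSD the spec it emits can be checked directly with `mtree -p DIR -f SPEC`. File names containing whitespace are not escaped here (mtree uses vis(3) encoding for those), and symlinks are recorded by type only.

```shell
#!/bin/sh
# Added example: emit and compare an mtree(8)-style specification.

# emit_entries DIR INDENT: one line per entry in DIR (dotfiles included),
# recursing into subdirectories and closing each with ".." as mtree expects.
# For regular files cksum(1) supplies both the CRC and the size, which are
# the "cksum" and "size" keywords mtree understands.
emit_entries() {
    for entry in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob stays literal
        name=${entry##*/}
        if [ -L "$entry" ]; then
            printf '%s%s type=link\n' "$2" "$name"
        elif [ -d "$entry" ]; then
            printf '%s%s type=dir\n' "$2" "$name"
            emit_entries "$entry" "$2    "
            printf '%s..\n' "$2"
        elif [ -f "$entry" ]; then
            set -- "$1" "$2" $(cksum "$entry")           # $3 = CRC, $4 = size
            printf '%s%s size=%s cksum=%s\n' "$2" "$name" "$4" "$3"
        fi
    done
}

# make_spec DIR: complete specification on stdout. Paths are relative to
# DIR, so the same spec can be applied to a copy of the tree elsewhere
# (for instance the Perl tree inside and outside the httpd chroot).
make_spec() {
    printf '/set type=file\n'
    printf '.    type=dir\n'
    ( cd "$1" && emit_entries . '    ' )
    printf '..\n'
}

# check_spec DIR SPEC: 0 if DIR still matches SPEC; otherwise prints the
# differing lines (diff format: "<" from SPEC, ">" from the tree) and
# returns 1. Run it from daily(8)/security(8) or cron and mail the output.
check_spec() {
    make_spec "$1" | diff "$2" -
}
```

Typical use: `make_spec /var/www/usr/libdata/perl5 > /var/db/perl5.spec` right after populating the chroot, then `check_spec /var/www/usr/libdata/perl5 /var/db/perl5.spec` after every update; anything that shows up that pkg_add or syspatch did not touch deserves a look. Keep the spec file outside the chroot and not writable by the web server's user, or it proves nothing.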
Re: Include all Perl inside httpd chroot, use mtree and pull out unused for security
On Thu, Sep 20, 2018 at 06:54:07PM +0300, Lars Noodén wrote:
> On 9/20/18, Chris Bennett wrote:
> > I started manually to include Perl files one at a time to learn how
> > things work at home on -current. Then I copied everything in.
> > But why risk security for unused Perl?
>
> httpd(8) supports fastcgi so you can run outside the chroot and
> communicate via a socket.
> See httpd.conf(5) That way you can keep the chroot lean.
>
> /Lars

Thanks, I see what I need to learn about sockets. I have some manual pages to read and some looking online to do. This will be very good to learn.

Chris Bennett
Re: phonetic alphabet on OpenBSD
I'm definitely reading this topic! When I last looked, apparently IPA had two fonts, neither of which worked for all the characters. Is this still true? I really like the IPA, it makes sounds that you either can or cannot pronounce correctly very clear as to what they are supposed to be. My interest is personal, not professional. Is there any information out there to help actually learn the sounds? I couldn't find anything and I don't want to take classes. I have to ask also, is the audio quality that comes out the speakers (in general) good enough to learn the proper sounds? Every device I have seems to have wildly varying qualities and characteristics. For example, (OK, not OpenBSD but somewhat relevant) if I wanted to listen to the speech coming out of Google Translate, would a native speaker of say Spanish, German or Russian consider the sounds "proper"? Is there any software that makes proper sounds available (to port, I'm too poor to buy non-free)? For example, I speak pretty good Mexican-Spanish, but since I'm self taught, I know I mispronounce some sounds. Frankly, it's a little embarrassing here and there. Haven't yet seen a class offering: "How to correct your pronunciation years later to sound normal" or "How to make sure you are really choosing the right words every time" Chris Bennett
Re: phonetic alphabet on OpenBSD
On Sat, Oct 20, 2018 at 12:04:44PM +1100, Alexis wrote: > > Chris Bennett writes: > > > Is there any information out there to help actually learn the sounds? > > I couldn't find anything and I don't want to take classes. > > https://en.wikipedia.org/wiki/Help:IPA Thank you so much! All of this was really lousy when I last looked and I was very disappointed. I hadn't looked back. :-) Much better now. Chris Bennett
Re: phonetic alphabet on OpenBSD
On Mon, Oct 22, 2018 at 07:15:03PM +0200, Christian Weisgerber wrote: > > I have to ask also, is the audio quality that comes out the speakers (in > > general) good enough to learn the proper sounds? Every device I have > > seems to have wildly varying qualities and characteristics. > > For example, (OK, not OpenBSD but somewhat relevant) if I wanted to > > listen to the speech coming out of Google Translate, would a native > > speaker of say Spanish, German or Russian consider the sounds "proper"? > > What a bizarre question. Listen to English dialog from your speaker > setup. Does it sound like "proper" English? Anything that plays > music in reasonable quality--so *anything*, really--will more than > do for human speech.
Actually, despite seeming like a bizarre question, which seems to be true, it is not. One of the more difficult parts of learning to speak and hear a new language consists of adding the new neural pathways to actually be able to stop translating the new language's sounds into the closest English sounds. As we originally learn a language, our brains develop the ability to "only" be able to hear the native sounds of that language. Our brains, etc. conveniently move what we hear or speak to the closest English sounds. This prevents us from hearing the new speech sounds at first until we train our brain to hear and make the brand new sounds. So asking only a native speaker if the sounds are proper or not is the only way to really be sure. Although I can vouch for quality in English, I simply do not, yet, have the ability to judge new sounds. Only a native speaker of that language can do this task. IMHO, I do think this is a reasonable question to ask. There are some languages with some very unusual sounds. As far as music, I can definitely hear that European-played classical music tends to sound better than American-played (same piece). I have no idea what is different, but I can hear it. Chris Bennett
Re: phonetic alphabet on OpenBSD
My apologies for the noise. You are absolutely right. Chris Bennett
Re: colorls: How to make the blue bright for readability, and a note about its origins
On Mon, Nov 05, 2018 at 08:53:58AM +, Joseph Mayer wrote: > Hi, > > This is how to make OpenBSD's colorls show directories bright blue, > instead of dark blue which may be too dark to be readable on some > screens: > > export LSCOLORS="Ex" > > As pointed out elsewhere colorls is taken in use as default ls by: > > alias ls="colorls -G" > > > The colorls port [1] is interesting, its source [2] seems to be a fork > of the BSD codebase's ls dating back to 1980, the man page doesn't > mention any particular authorship, and its code was updated as > recently as this year. > > Best regards, > Joseph > > [1] https://cvsweb.openbsd.org/ports/sysutils/colorls/ > > [2] http://shell.uugrn.org/~naddy/ls-6.3.tar.gz >
export LSCOLORS=Hxfxcxdxbxegedabagacad
I also had problems reading that color on a black background. This will make directories white, if that is helpful. I don't remember any of the details. I think I saw this on a website somewhere. Not sure. Good Luck, Chris Bennett
Re: growfs(8) to lower offset
On Tue, Nov 06, 2018 at 09:18:27AM -0500, David Higgs wrote: > > As the FAQ entry states, you can use growfs(8) if the empty space > > is after the existing partition, not prior. You can only grow a > > partition "down", never "up". What you want to do would require the > > following steps: > > > > 1. Create a new partition on the free space > > 2. Move all data to the new partition > > 3. Remove the existing /project partition > > 4. Use growfs(8) on the new partition to include the space from the old > >/project partition > > You appear to be right - I see it now. I had not read closely enough, > and had focused more on what I could change with the 'm' disklabel(8) > command. It would be nice if this info were made explicit in the > growfs(8) man page as well. > > I had already successfully rearranged some partitions using the method > you propose, but unfortunately the amount of data in /project is > slightly too big to be easily shifted into my remaining free space. > I'll try to compress it or temporarily move the data off-system. >
I use growfs a lot. I try to plan ahead of time to put partitions that I can sacrifice when I desperately need to possibly grow something like /usr/local or some other important partition. Sometimes I have a partition for the PKG_CACHE when I need to avoid downloading the packages twice for another computer. This is a partition, for me, that I can sacrifice and use to grow the preceding partition. Buying a bigger disk is not always a practical answer. If you haven't already done it, taking a picture of disklabel, fstab and df never hurts. Easier than writing it down. Well, I've been in your position pulling out hairs many times. Worst case is having a small useless partition stuck in the middle somewhere. Good Luck, Chris Bennett
Re: X won't start with latest snapshot as user (Solution provided)
On Sat, Nov 10, 2018 at 11:36:17PM +0100, Solene wrote: > This is normal. Look at 26th October https://www.openbsd.org/faq/current.html > > The suid was removed to prevent bad things to happen. Use xenodm instead of > startx. >
I have switched to using xenodm. I also think I screwed up something during installation. It happens. Shrug. I have found that I am stuck using fvwm, but I would like to use another wm. Not very important which one. But I really have no idea how to accomplish that. The reason I think I screwed up something else is that the performance across the board is terribly slow. Happy to reinstall from scratch. I'm happy to find the answers reading man pages, but man fvwm wasn't helpful for me. Which ones should I read? Running 6.4 stable amd64 Thank you, Chris Bennett
Re: X won't start with latest snapshot as user (Solution provided)
Thanks! I use spectrwm too. Now I know exactly what man pages to read, which I will do first, before any copy/paste crap. I have found the sheer size of X everything to be a bit intimidating. I think this whole xenodm thing will fill in crucial gaps for me. Happier, Chris Bennett
With all this CPU/hardware mess, any advice on what to use for an organization?
I am almost certainly going to be replacing with a new server for an organization I am a member of. With all of this mess with Meltdown, Spectre, insecure motherboard chips, etc. I am pretty clueless on exactly what is going to be a secure set of server hardware. Intel, well no. AMD? I have read about problems with non-CPU chips being compromised. Another architecture? I have never used anything other than Intel/AMD. The server will run httpd, mailserver, PostgreSQL and somehow a good way for well encrypted messaging at times. It is very likely to run out of Austin, Texas. I think that having a direct connection would be best, but would a proper setup make colocation OK? This isn't going to be my server, I will just be in charge. That's completely new for me. Any advice is really welcome, everywhere I read anything, hardware seems broken and insecure. Thanks a bunch for any help, Chris Bennett
Re: With all this CPU/hardware mess, any advice on what to use for an organization?
On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote: > On 11/20/18 11:43, Chris Bennett wrote: > > I am almost certainly going to be replacing with a new server for an > > organization I am a member of. > > With all of this mess with Meltdown, Spectre, insecure motherboard > > chips, etc. > > I am pretty clueless on exactly what is going to be a secure set of > > server hardware. > > Intel, well no. > > AMD? I have read about problems with non-CPU chips being compromised. > > Another architecture? I have never used anything other than Intel/AMD. > > > > The server will run httpd, mailserver, PostgreSQL and somehow a good way > > for well encrypted messaging at times. > > all on one server? > > And as someone who has run a number of mail servers for a number of > companies ... don't. Just don't. Running your own mail server is a > good way to accomplish nothing except wasting a lot of time and making > people hate you. >
The mail server is ONLY intended for members of the organization. You would have me use gmail or yahoo? The organization is suing another group for slander.
> > It is very likely to run out of Austin, Texas. > > I think that having a direct connection would be best, but would a > > proper setup make colocation OK? > > You are using poorly defined buzzwords. What you mean by a "direct > connection", "proper setup", "colocation" and what I mean are likely > very different. >
Well, then tell me some useful information. Correct my idiotic buzzwords. It was carefully noted in my message that I am facing new territory and need some advice.
> > This isn't going to be my server, I will just be in charge. That's > > completely new for me. > > Any advice is really welcome, everywhere I read anything, hardware seems > > broken and insecure. > > Pretty much all new HW is optimized in ways that we are now learning > (and has been known for a long time) introduce security problems.
> However, most of the problems boil down to having malicious software > running in the control of someone else on the same physical machine YOUR > code is running on. > > In short: No news. Really. > > If someone that wanted to do you evil lived in the same house as you, > you would not be comfortable, right? What if you put up walls > (virtualization) that have proven to be about as robust as paper? > That make you feel any better? Probably not. Virtualization has been > proven -- over and over -- not terribly secure. Now we got > cross-virtualization platforms ways of stealing data from other > processes. Important? yes. But in the big picture, it's similar to Yet > Another buffer overflow. >
To be quite frank, and I don't mean anything negative to others using virtualization, you couldn't pay me to even consider using something that idiotic for trying to make a "secure" setup. And using the "clouds", to me, is getting just a little bit too "high".
> So...split your tasks on different physical systems as much as possible. > If your webserver is serving static pages, it's probably pretty robust. > If it's running Wordpress or any other "any idiot can manage the web > page" apps or dynamic web pages for other reasons, it should be a > machine of its own and have no other important data on it.
Yes, using that idiotic Wordpress crap is exactly one of many problems I am going to immediately fix. Whoever is in charge can't even make that work!
> Your primary goal should be to keep the bad guys off your computer in > every sense. And again...nothing new here. > > But if security is your concern, you want real hw you control in every > sense. >
Which is exactly what my silly buzzwords were trying to get a point of view on. I already assumed that having sole physical control was essential. But questions not asked are never answered.
> Unfortunately, if you have performance requirements, your choices are > AMD and Intel.
Older Intel and AMD chips aren't getting any support to > deal with these problems, so your choices are incredibly old chips which > are probably not in the most reliable hardware, and a whole bunch of > other old, unreliable, and slow hardware platforms. But be realistic. > Your bosses will probably mandate a VM on someone else's hw, a wordpress > website, one box for everything, and that you give him the root password > which he'll e-mail to himself to keep it "secure". Your most likely > breach points will be an easily guessed password (usually, a manager's), > a bug in a web content management system, or someone believing that > "secu
Re: With all this CPU/hardware mess, any advice on what to use for an organization?
On Tue, Nov 20, 2018 at 08:31:14PM +, Kaya Saman wrote: > I don't think the response was assumed as such. It just is that there are so > many issues with corporate politics and higher ups thinking they know things > that gives OpenSource software a bad rep! Even once people didn't understand > what OpenSource was and asked me what I did while 'working at OpenSource' > lol > > > As to different H/W yes there are still some different systems around... > like IBM PowerPC P-series based systems, Oracle SPARC, I think HP's own UX > capable machines are dead now; though my info could be several years out of > date as I haven't dealt with this type of system in a long time. > > > Agreed that Cloud is a lot of corporate hype in many aspects as to lower > expenditure. > > > Will you be building just the mail server or the whole infrastructure?? >
As of right now, I will have to take on everything, which is an extremely daunting task. There have been three times in the past year that staff and volunteers either left on their own or a few were found to be more troublesome than helpful. Things are a real mess right now, so my first task is just to get the website, which right now is a disaster, working well enough to keep both members and volunteers communicating and an inflow of donations coming in. WordPress was an awful decision made right before I joined. But it's hard to select the right software. Having a forum is a must, and due to both trolls and crazy people deliberately making destructive types of posts, the forum has now been removed to members only to allow for reasonable and private discussions. The website is dead slow right now and that has to be fixed quickly. I don't have all the details of exactly what is or isn't installed yet. A board meeting is about to happen and then I should be able to check out the mess. I'm planning on moving to just delivering the content and who cares if it's pretty or not. As long as it's much faster.
I just need some guidance along the way. RTFM these 250 manual pages is the right way, except that actions need to happen fast. This really is a case of do things sorta the wrong way and fix it ASAP, or don't do anything and then the SHTF. I want everything done in the end really well and secure, but no donations, no volunteers and no new members or no renewing members equals no organization. That's bad. Thanks for your suggestions. I didn't think other architectures would be suitable, but it was worth asking. Chris Bennett > > Virtually what you want to do is a good firewall protecting everything. > OpenBSD excels at security so definitely recommended. As to mail server, I > really think you need to research the different components first that make > up the system. > > Firstly for power reasons what type of usage do you estimate? > > Will you be needing a separate external mail gateway? > > Does your ISP offer Reverse DNS? > > > After that the best thing to do would be to setup a small lab with a test > machine and try different setups out. Like say using Sendmail, Postfix > etc for SMTP. Many people here have different opinions and takes on this > but really it is up to you to decide what you like best and also what you > need it to do - you can only find that out by testing out different things. > > Then how your users will connect... IMAP, POP, HTTP?? In todays day and age > IMAP is the preferred protocol but there of course are others - please do > not ever mention M$ Exchange as it should be obliterated! > > > Once you understand the core components necessary then you will start to > formulate specific questions of how/why is (x) needed etc... then answers > can be more specific too but for now read a lot and test out different > things to see which one fits you best :-) > > > Regards, > > > Kaya > >
Re: With all this CPU/hardware mess, any advice on what to use for an organization?
On Thu, Nov 22, 2018 at 10:50:38AM +, Kevin Chadwick wrote: > On 11/20/18 4:43 PM, Chris Bennett wrote: > > AMD? I have read about problems with non-CPU chips being compromised. > > Another architecture? I have never used anything other than Intel/AMD. > > I can't comment on SUN etc. but AMD would be the way to go if you can. > > Theo has said in a recent presentation something along the lines of that AMD > are > far more considerate and apply the security checks first whereas Intel do so > at > the end!! > > Many modern UEFI (bios) have very limited configuration enabled, however the > configs the OEM has access to enable are larger than ever. It would be better > if > the functionality that caused them were not there by default but you may find > these chip attacks can be mitigated for your scenario, quite easily with the > right Vendor/OEM board?? Incidentally the Intel usb debug access has been > there > for years but it was a physical motherboard access only scenario until > recently. > > I can't help with a good vendor unfortunately. I have no fairly new, off the > shelf commercial HW to inspect the BIOS of. >
Thanks. After digging into many pages' source (I use NoScript, which has an irritating side effect of actually hiding some of the JavaScript present), I now see that they are using cloud hosting and some naughty Google stuff. So I will get much more information about everything probably next week since this is Thanksgiving weekend here. So I will be having to select hardware to purchase. I was assuming that AMD was the right choice, but I wanted to be sure. I saw the presentation about Intel and AMD on the website. Intel's behaviour was surprisingly terrible. I'm not sure exactly what load of users I will have to deal with. A ton of long-time members have been furious about the WordPress mess that got put up. As in most forums, more people just read than post. I'm not at all concerned about govt. snooping.
Politics and groups have gotten extraordinarily weird, odd and even violent in the US. Their previous setup (before this current one) was hacked at least once. I'm completely open to any suggestions. I just don't have a budget or a for sure location to work from yet. Things are bad enough that anything I do can only be helpful. So that's pretty bad! :-{ I also want to hear any don't do this or work with this ISP, etc. Thanks, Chris Bennett
Re: With all this CPU/hardware mess, any advice on what to use for an organization?
On Thu, Nov 22, 2018 at 09:55:35AM -0600, Boris Goldberg wrote: > Hello Chris, > > There is something extremely weird going on around lately. People > easily take offense where no offense was intended (and hard to find > anyway). Nick was just telling you that (in his expert opinion) you > shouldn't worry much about "Meltdown, Spectre, insecure motherboard chips", > but concentrate on the real security instead. Unfortunately the real > security takes years of learning and experience, and can't be "advised" in > a couple of emails, but he provided a lot of valuable (and valid) > information (which you were not ready to digest, I guess). > If you are allowing to run an arbitrary code on your server you are > screwed with or without Spectre, otherwise there is nothing to spy on you > on that server (even if it's technically possible). > If (any) government agency really wants to access your server, you are > writing to the wrong list, otherwise government installed spying chips (if > any) won't really hurt you. On the other hand, crapware (like Superfish) > might. > > BTW, your boss doesn't need to be stupid to compromise your password (or > keys), just a "normal" human. Security isn't grokkable by "normal" people.
I'm actually sorry, Nick. I've got a personal situation that has me very touchy right now. But that's another issue completely. Since there is a forum, and one has to stay, I have a few questions. I looked over a lot of forums, both for features and security. I realized that I couldn't properly judge security. If a forum has a lot of security patches, does that mean that problems are being swiftly dealt with or that the forum has serious problems? If a forum doesn't have reported security patches, does that mean that it is good or just not maintained? I never thought about this before. It seems to me that a login username should not be allowed to be the displayed forum username. The real username is also used for purchases, membership activities, etc.
I also think that passwords need to be enforced to be changed occasionally. What sort of timing delay is okay with users? Nobody really likes changing passwords, but since so many people use the same one all over the place, it seems like a good idea since they would then be forced to have a different one from the rest. There is a need for pretty secure stuff, like the forum and membership, purchases, etc. But also very secure activities. Seems to me that 2 servers (or more) would be best to accomplish this. Any disagreement or other suggestions? The main website is probably the most important objective right now. It's what the public sees. And if (which means when, not if) I make a mistake, the world won't come tumbling down. Thanks all, Chris Bennett
Re: With all this CPU/hardware mess, any advice on what to use for an organization?
On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote: > > all on one server? > > And as someone who has run a number of mail servers for a number of > companies ... don't. Just don't. Running your own mail server is a > good way to accomplish nothing except wasting a lot of time and making > people hate you. > I got mad before thinking. Bad habit I need to break. You are right. We wouldn't want any of the "evil empires" for that. That is a set policy already. So no Gmail, Yahoo, Microsoft, etc. Can't control where the mail goes to however. Outbound mail is going to be from forum topics, which I will change to only reference the post, no content. Requests for donations and about upcoming events. Asking for immediate help when disasters or other events occur. News topics. How do I pick some company to do this? I'll start looking up information now. Hadn't even occurred to me. But exactly how does that work from our servers to theirs and back? Thank you, Chris Bennett
Re: With all this CPU/hardware mess, any advice on what to use for an organization?
On Thu, Nov 22, 2018 at 02:21:41PM -0800, Misc User wrote: > I'd look for software that has bug bounties. I'd also look at the CVEs for > each product and compare with the patch history. The delay between a flaw > being reported versus patched is going to be a much better indicator than
Yes, that would be very true. Too slow could mean it's not being taken seriously enough. Which could mean the same for known, but unreported flaws. Good advice.
> rate of patches. I'd also consider the seriousness of the flaw being > patched as well, like if it is due to a widespread issue (EG, Meltdown, > heartbleed, etc) or if it is due to some basic programming error (Apple's > "enter a blank password for root enough times and you'll get root" or > Microsoft's "patching Windows 10 will obliterate your install because of a > typo in the patch code that is supposed to leave c:\users\ alone"). >
Yes, Windows 10 got wiped out the first try after seeing three of their 6 month updates needing to try about 8 times eating up about days of time I wanted to use.
> Also, look for something that could support external authentication, > especially something industry standard like LDAP, so you can use the > authentication database all your service can use while not relying on > whoever wrote the individual bits of software to have written something that > doesn't suck.
Yeah, good plan. I've written a fair amount of software that worked, but sucked.
> Also look for something that will allow the admin pages to be > hosted on a different url from the user accessible stuff. > > If you are handling payment or financial information, outsource it to > something like paypal or another well-known payment processor. While they > aren't very secure, they are insured, so if they fuck something up, you > aren't holding the bag and are very unlikely to be blamed for it by your > users. >
Yes, I have used PayPal for my business. Not very active now, but I really liked not being directly in the middle.
"You are now being directed to PayPal, we do not ever have any of your credit card info." was very nice to say. Yes, they do fuck things up. Got me once when they just decided to change the phone number formatting without announcing it. > As for number of servers, more than one is going to be the better way. If > something has a port accessible by any old rando, you shouldn't be storing > anything secure on it. Especially if the server also stores something the > user can craft (EG, photos from the forum, arbitrary text, etc). > Dealing with that has had me really concerned. People really want to upload all kinds of stuff. That's a good idea. > As for ISPs, just assume they are all total shit (Most of them are anyway) > and treat them like you would an open wireless network. Don't use their DNS > and encrypt everything you can. Use static IPs if you can. Don't allow > passwords for ssh on anything public facing. Only allow admin pages to be > accessible from a private network (So that you'd need to use an ssh tunnel > to get to it remotely) Alright. Thanks. This is helpful. Someone suggested off-list that I make up a flow chart to plan out each step that needs to be taken. I'm getting good advice now to help me start that. It's tough to pull this off. But then, when is easy ever any real fun! :-} Chris Bennett
Confusing problem with CVS
I am running -current. On one server, src was empty. So I did a cvs checkout. On another server, src had older files. So I did a cvs up. Afterwards, inttypes.h had one size on the checkout, another size on the updated src. I rm'ed the updated src and did a checkout. Now both files are the same size and date. What has happened here? I thought that cvs up was the correct procedure. cvs -qd$CVSROOT checkout -P src inside of /usr or cvs -qd$CVSROOT up -Pd inside of /usr/src. Updating only changed some of the file dates and did not work correctly. Thanks, Chris Bennett
Re: Confusing problem with CVS
Thanks, that was helpful. I did not think of using info cvs. I do use info at times, just not that often. I'm just using CVS for porting. Since -current offers a tar file and I've made a partition for /usr/ports and another for /usr/ports/mystuff, so I'm just using that file to replace ports without changing my WIP. I ran into a rather good C book that runs along with my way of thinking, so I wanted to follow -current src for learning. I'll just checkout src again unless I start working on a diff to submit in the future. For other things, I'm using backups plus git because I can pass along changes to other boxes so easily. I didn't think it was a bug, just something I wasn't understanding. I appreciate the help. Thanks, Chris Bennett
Re: Multi-domain DKIM signature with OpenSMTPd
On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote: > That's because filter-dkimsign doesn't support multiple domains, and > unless someone can give me a good reason to do so it probably is going > to stay that way. > > I know that some mail providers add an additional positive score to > your spam rating if you have DKIM, but I reckon this is BS, because > DKIM is nothing more than a glorified debugging tool to tell you which > server butchered the content of your mail if every server in the chain > adds a DKIM signature. To be precise: it only tells you that a > particular domain owner (d-option) knows what server(s) a particular key > (s-option) belongs to, so that if a signature fails it could only > have happened before the last server which has a valid signature. > > Could you explain why you (think you) need to have multiple domain > support? > You (currently?) can't. If you want multiple conditions on different > filters you would need to create multiple listening sockets (e.g. > multiple ips or ports) and apply the correct match-rules based on the > socket. > > martijn@ >
OK, thanks for clearing that up. I learned a lot using it. I would also like to use multiple domains, but I don't see any reason to ask you to do any more work than you want to. Thanks for your work. I appreciate it. And trying to use multiple domains was a good lesson in strange results. :-} Chris Bennett
Re: ports: pkg_add as root
On Sat, Mar 21, 2020 at 02:26:18PM +0530, putridsou...@gmail.com wrote: > I'm have never tried the ports system before. > I have read through the faq and the man pages, > but I get stuck at building dependencies. > I follow through the fetch,checksum steps and then > for 'make prepare' as local user, > I'm greeted with following message. > This is for the 'rsnapshot' package > > ===> Building package for rsync-3.1.3 > Create /usr/ports/packages/amd64/all/rsync-3.1.3.tgz > Creating package rsync-3.1.3 > Link to /usr/ports/packages/amd64/ftp/rsync-3.1.3.tgz > ===> Cleaning for rsync-3.1.3 > ===> Verifying specs: c > ===> found c.95.1 > ===> Installing rsync-3.1.3 from /usr/ports/packages/amd64/all/ > pkg_add: pkg_add must be run as root > *** Error 1 in /usr/ports/net/rsync > (/usr/ports/infrastructure/mk/bsd.port.mk:2028 > '/var/db/pkg/rsync-3.1.3/+CONTENTS': @/usr/bin/env -i PKG...) > *** Error 1 in /usr/ports/net/rsync > (/usr/ports/infrastructure/mk/bsd.port.mk:2451 'install') > *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2135 > '/usr/ports/pobj/rsnapshot-1.4.2/.dep-net-rsync') > *** Error 1 in /usr/ports/net/rsnapshot > (/usr/ports/infrastructure/mk/bsd.port.mk:2451 'prepare') > > I have successfully installed programs > with no dependencies using command > 'doas make install' as the final step, > after fetch,patch,gen,configure,etc. > Is this the right way? > > Why doesn't a make install command as a local user > while in 'net/rsnapshot' call doas on it's own? > make install, make update, pkg_add are basically the same thing. doas will follow what is set as ok in /etc/doas.conf doas itself is a much improved version of sudo. sudo is in packages if you want it for some other port, but doas is better. /etc/mk.conf has SUDO=doas which reflects the past usage of sudo before doas was created. OpenBSD has a lot of distinguishing characteristics different than other OS's. One high priority is security. 
Installing software means that only a user given the right to do so, may do it. If you have no /etc/doas.conf allowing any user to act as root, then no one else except root can install programs. Having anything that overrides that is disastrous for security. evil_user $ make install my_erase_all_files_malware would really be a bit of a problem. evil_user $ doas pkg_add my_erase_all_files_malware will fail unless you have mistakenly given evil_user such broad powers. Please read and re-read all of the manual pages involved. doas doas.conf mk.conf bsd.port.mk pkg_add, pkg_create, pkg_ anything. The main site has a man page program that you can set up to give you the proper (base system) man pages online for whichever version of OpenBSD you are running. also, if you haven't, read all those links on the home page. Search the mailing list history too. https://marc.info and many other sites. Personally, I have found doing general searches about OpenBSD to not be very helpful. The information is often very old or not useful. Your results may vary. You can do everything with any port except install it. Play around with building and testing and all the different make clean variations. When you hit a dependency that isn't installed, then you would need to use doas manually. Have fun! Chris Bennett
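As an added example (written for this page, not OpenBSD code and not part of the post above), the check below reads a doas.conf(5) and lists every `permit` rule that grants unrestricted root, flagging the `nopass` ones; that is what "mistakenly given evil_user such broad powers" looks like in the file. It follows the rule grammar from doas.conf(5), `permit|deny [options] identity [as target] [cmd command [args ...]]`, and the sample configuration it ships with is constructed, not a real /etc/doas.conf.

```python
import sys

# Added example for this page, not OpenBSD code: list the rules in a doas.conf(5)
# that let an identity run ANY command as root. Rule grammar per doas.conf(5):
#   permit|deny [options] identity [as target] [cmd command [args ...]]
# where options are nopass, nolog, persist, keepenv or setenv { ... }.
OPTION_WORDS = {"nopass", "nolog", "persist", "keepenv"}

# Constructed sample configuration (not a real /etc/doas.conf).
SAMPLE_DOAS_CONF = """\
# constructed sample, not a real configuration
permit persist :wheel
permit nopass alice as root cmd pkg_add
permit nopass bob
deny carol
permit dave as _www cmd /usr/bin/ls
permit setenv { PKG_PATH } eve
"""


def parse_rule(line):
    """Parse one rule into a dict; return None for blank lines and comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tok = line.split()
    rule = {"action": tok[0], "options": set(), "identity": None,
            "target": "root", "cmd": None}   # target defaults to root
    i = 1
    while i < len(tok) and (tok[i] in OPTION_WORDS or tok[i] == "setenv"):
        if tok[i] == "setenv":              # skip the { VAR ... } list
            while i < len(tok) and not tok[i].endswith("}"):
                i += 1
            rule["options"].add("setenv")
        else:
            rule["options"].add(tok[i])
        i += 1
    if i < len(tok):
        rule["identity"] = tok[i]
        i += 1
    if i + 1 < len(tok) and tok[i] == "as":
        rule["target"] = tok[i + 1]
        i += 2
    if i + 1 < len(tok) and tok[i] == "cmd":
        rule["cmd"] = tok[i + 1]
    return rule


def broad_root_grants(text):
    """(line number, identity, nopass?) for every permit rule that grants
    unrestricted root: target root (explicit or default) and no cmd."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if (rule and rule["action"] == "permit"
                and rule["target"] == "root" and rule["cmd"] is None):
            findings.append((lineno, rule["identity"], "nopass" in rule["options"]))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOAS_CONF
    for lineno, ident, nopass in broad_root_grants(text):
        print("line %d: %s may run any command as root%s"
              % (lineno, ident, " WITHOUT a password" if nopass else ""))
```

Run it as `python3 audit_doas.py /etc/doas.conf`. doas applies the last matching rule and this script does not model that ordering, so confirm any individual case by running, as the user in question, `doas -C /etc/doas.conf -u root pkg_add`, which prints permit, permit nopass or deny.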
Re: MITM ?
On Wed, Mar 25, 2020 at 07:17:59PM +, Cord wrote: Go buy an ethernet cable. No WiFi. Use someone's phone hotspot. Use a fixed PKG_PATH instead of /etc/installurl Read a LOT of man pages and misc@ tech@ ports@ bugs@ Maybe even tell us which version of VAX your laptop runs on? Is it OpenBSD version 4.9? I'm annoyed that our hotel room is sharing an electrical circuit with the room next to it and the power keeps tripping the circuit breaker. I feel better now. > Hi, > some months ago I sent some emails to misc (search my email on google) > because I believe my obsd laptop had been hacked. > Then I bought a new laptop because my suspicion was that some firmware or > the bios had some infected code. > Then I took the new laptop and I went to two wifi points (on two different > days and in two different wifi spots) to install openbsd. I installed a basic > system and firefox, after that I came back home. > At home I tried to complete the installation adding other packages. After one > hour between pkg_add and watching video on youtube my laptop froze. The > freeze happened in the middle of a pkg_add. > After that I forced a reboot and I completed the installation. Then I started > to watch a video on youtube. Then after 15 or 20 minutes from the boot the > system froze again. Again forced reboot. And again watching a > youtube video, around 10-20 minutes again freeze. In total there were 3 > freezes, one on pkg_add and two during watching a youtube video. > At the fourth boot, I left the system disconnected from the wifi to verify if > it was a hardware problem. After 15 minutes I connected to the wifi but > without doing anything. Then after another 10 minutes I opened youtube but the > system was pretty stable. Those freezes happened maybe 10 days ago. But I > haven't had other freezes. > Now the "signs" of the previous hacking have appeared again in the new laptop > so most probably the laptop has been hacked again. > > What is your opinion ? 
> could be a MITM from my router and a kernel 0day on the tcp/ip stack > implementation ? > could be MITMed pkg_add ? > is the encryption algorithm (AES_128_GCM) behind https really secure ? > Can some code be injected in an encrypted stream ? > > Thank you. > Cord.
Re: MITM ?
On Wed, Mar 25, 2020 at 11:06:57PM +, Cord wrote: > > > Read a LOT of man pages and misc@ tech@ ports@ bugs@ > > > > Maybe even tell us which version of VAX your laptop runs on? > > VAX ??? > > > Is it OpenBSD version 4.9? > > > > 4.9 ??? > > I'm sorry, I'm in the future. But, my joking aside, you haven't provided much info for giving advice. They have now found out that a huge number of commercial VPN companies are both running tracker software and selling your data. Worse, many are running session recording which could be making your passwords stealable. In the USA, ISPs like Comcast have opened up all customers' rented routers to the full public without the need for a password. If that is your case, your private network isn't private. If your laptop is Intel based, turn off HT/SMT. Run syspatch and pkg_add -u. Look at all of your logs in detail. Use NoScript and Ghostery plugins for Firefox. Assume that someone might be physically accessing your laptop. The laws in the USA since 9/11 allow this to be done without you being told. Good luck, hopefully you are not having this problem, but paranoia is a good thing in today's world. Chris Bennett
Re: Faking the same LAN over the Internet
On Wed, Apr 01, 2020 at 07:01:15AM -0600, Diana Eichert wrote: > have you considered looking at native OpenBSD tools? > > https://man.openbsd.org/egre.4 > Wow! I had no idea about this. The manual page seems to be very clear, too. I have 2 servers at different ISPs and from home I almost always connect over my phone's hotspot. I will definitely be learning this! Thanks! Chris Bennett
Re: X start failure - OpenGL Version
On Mon, Apr 06, 2020 at 02:23:20PM +0200, Riccardo Mottola wrote: > Hi Marcus, > > Marcus MERIGHI wrote: > > Hello Riccardo, > > > > startx(1) had its setuid bit removed. I think in the timeframe you are > > upgrading over. The canonical advice is to use xenodm(1). > > > > Marcus > > > > exactly, that was it... the error message wasn't that helpful. > > xenodm works.. but since I prefer to run X11 "when I need it" on that > machine, I just +s startx and it works fine too. > Uh, no. When you need it. doas rcctl -f start xenodm -f is to force it without enabling it in /etc/rc.conf.local You can also turn it off when done with X, but not going to shutdown. Chris
Re: More than 16 partitions
On Thu, Apr 23, 2020 at 10:29:01PM +0200, Francois Pussault wrote: > I agree ; Using more than 10 partitions is rare but in case of NFS or other > network shares of course. > 16 is really enough in my point of view. > I've got to disagree with this one. I'm doing porting work. I yank out all of the directories except /usr/ports itself, using mk.conf. I then also make another partition /usr/ports/mystuff umount /usr/ports/mystuff umount /usr/ports newfs /usr/ports, etc. remount /usr/ports, mkdir /usr/ports/mystuff, remount /usr/ports/mystuff tar xzvf ports.tar.gz into /usr/ports and I can continue on working, without having lost any work I'm still examining. Working with retail equipment at home for a normal desktop. 16 OK Power often fails or hardware fails. Working on a server. Power almost never fails, nor the hardware. At home I run built-in HD, USB flash and USB HD. 16 is no problem with three HD's. I can ro lots of stuff and I need to. I'm not doing any porting at home, only on server hardware. Too tired of reliability issues at home. That's just what I(me)thinks. |-} There be-is-are some very good, cheap, rugged and waterproof USB HD's out there. Very portable(s). Bye, Chris
Re: Comments in source code
On Thu, Apr 23, 2020 at 05:38:40PM -0400, Aisha Tammy wrote: > Thanks a lot for responding, I've had some food so am feeling a lot less > frustrated :D > > > On 4/23/20 12:10 PM, Stuart Henderson wrote: > > > > It's often considered better if code is clear enough to stand by itself, > > keeping comments for the less common cases which can't be figured out > > from reading the code. And that way you aren't at risk of assuming > > But like, not all code is simple enough to understand by just reading it. > Comments can do more than just explain api, they can help explain > how the code itself is working. > I have been reading diff, sdiff diff3 and other string algorithms to > understand > how to make it as fast as their GNU counterparts and they are not the > simplest > to read, even when knowing the actual string algorithms pretty well. > If reading the code isn't enough and you see parts you don't understand, then break those parts. See what happens. Find out why it was done. You might find out that the code at that spot doesn't even work correctly. You might figure out a way to fix it or eliminate it. Perhaps submit a diff. From your work, you may be able to ask a very specific question. Specific questions are more likely to be answered. If someone knows the answer AND also has the time and desire to help. You may also find that the old way was great back in older versions of OpenBSD, but no longer the best way due to changes in the OS. > > If you aren't already, you should be looking at commit messages from > > where the relevant code was touched. That is often where you'll find the > > explanations you seek. > > > I have been reading them, Commit messages don't explain algorithms very > clearly. > I agree this is a very specific use case but definitely something that could > be improved. 
> Some of the things I've been considering useful (in this specific scenario > for diff3) > - explanation for merge function, what it does > - in merge function, explain how empty for loop is used, as this is a very > big loop > with a lot of cases > Are you reading commit messages far enough back in time? OpenBSD is a fork of NetBSD. Maybe you will need to go back much further in time to find the commit message or discussion that led up to today. I strongly support comments, very strongly. But only when needed. Explanations are better coming from someone who can discuss with you or might only be available from you working it out for yourself. This is a volunteer project. Comments don't get compiled, but they do take up space, disk space and bandwidth space. Have fun, work hard and enjoy yourself. There are some excellent threads about these topics in the mailing lists. Chris Bennett
Re: UNIX crash course
On Tue, Apr 28, 2020 at 06:48:37PM -, Stuart Henderson wrote: > Outside of certain network infrastructure (RIRs and DNS software > vendors) and TLDs offering incentives (.se and .nl, maybe others) DNSSEC > is still very rare. Do a lookup of a couple of dozen randomly chosen > general purpose domains - I think you'll be lucky to find more than 1 or > 2 signed. > I moved my domains from Godaddy to namecheap since they offer DNSSEC. Very happy. They have free service, no DNSSEC, and paid service with DNSSEC. And yes, they really are cheap. :-) You do have to transfer in your domain for DNSSEC. Chris Bennett
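A way to do the lookups Stuart suggests and see for yourself whether a zone is signed, as an added example that is not part of the thread and not OpenBSD code: build a query with the EDNS0 DO bit, send it to a resolver, and look for RRSIG records and the AD flag in the reply. RRSIGs in the answer mean the zone publishes signatures; AD means the resolver validated them, which only means something if the path to that resolver is trusted (a point the MITM thread above makes in its own way). The example is written in Python for this page; the resolver address is an assumption you set yourself, and `build_sample_response` produces constructed wire data for the offline checks, not a captured answer.

```python
import socket
import struct
import sys

# Added example for this page (not code from the thread or from OpenBSD): ask a
# resolver for RRSIGs with the EDNS0 DO bit and read what comes back.
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, do_bit=True):
    """Recursive query; with do_bit an OPT pseudo-RR (RFC 6891) carries the DO
    flag so the resolver includes RRSIG records in its answer."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if do_bit else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if do_bit:
        # root name, TYPE=OPT, CLASS=UDP payload size, TTL=ext-rcode|version|flags(DO), RDLEN=0
        msg += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def dnssec_signals(msg):
    """Return (ad_flag, rrsig_count) for a DNS response message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    rrsigs = 0
    for _ in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
    return bool(flags & FLAG_AD), rrsigs


def query_resolver(name, resolver="127.0.0.1", timeout=3.0):
    """Send build_query() over UDP to an assumed resolver; live use only."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (resolver, 53))
        reply = sock.recv(4096)
    finally:
        sock.close()
    if reply[:2] != query[:2]:                     # reject off-path garbage
        raise ValueError("transaction id mismatch")
    return reply


def build_sample_response(name, signed):
    """Constructed reply (not a capture): one A record, plus an RRSIG over it
    and the AD flag when `signed`. RRSIG RDATA layout follows RFC 4034; the
    64 signature bytes are zero placeholders."""
    qname = encode_name(name)
    rrs = [qname + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])]
    if signed:
        rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0x60000000, 0x5F000000, 12345)
                 + qname + b"\x00" * 64)
        rrs.append(qname + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata)
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if signed else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rrs), 0, 0)
    return header + qname + struct.pack("!HH", TYPE_A, 1) + b"".join(rrs)


if __name__ == "__main__":
    if len(sys.argv) > 1:                          # live: names on the command line
        for name in sys.argv[1:]:
            print(name, dnssec_signals(query_resolver(name)))
    else:                                          # offline: the constructed samples
        for signed in (True, False):
            print("signed" if signed else "unsigned",
                  dnssec_signals(build_sample_response("example.com", signed)))
```

Run it with a list of names against your own validating resolver (unbound(8) on localhost is the usual OpenBSD choice, hence the 127.0.0.1 default). A zone with RRSIGs but no AD means your resolver is not validating, or the chain of trust is broken; AD with a resolver you reach over an untrusted network proves nothing, since the flag is set by the resolver, not by the signer.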
Re: boot drive hide and seek on new notebook
Some BIOS's require you to select legacy boot, and legacy boot before UEFI, in order to boot off of a USB. Also might need to turn off boot security option, too. A lot of BIOS's suck nowadays. Who woulda thought that examining the BIOS would become a purchasing decision? A future BIOS update might make things better, or impossible. Good news is that you got it to work. Chris Bennett
loading DBD-Pg under base httpd, works but it's wrong way
I've had a hell of a time getting Pg.so to load under base httpd. env LD_DEBUG=1 chroot /var/www script.pl gives errors about DynaLoader not being able to load due to a missing library. After looking at Postgresql libraries loaded using pg_config --libs I moved just those libs under /var/www. Still no luck. However I did get barely enough of a hint with searches to figure out that it wasn't finding libpq.a and libpq.so.6.11 But those are located under /usr/local/lib. I couldn't figure out how to push over that directory into the search paths. So I moved a copy of those under /var/www/usr/lib/ vs /var/www/usr/local/lib/ Works just fine. I know that this is the wrong solution, but I'm clueless where and how to add the right search path. Any clues would be extremely appreciated! Chris Bennett
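The search-path problem in the post above, as an added example that is not part of the post and not OpenBSD or Perl code: a small resolver that reports which of a shared object's NEEDED libraries a chrooted ld.so would find in a given list of directories, so you can see which directory a library has to live in (or be added to the path from) before you start copying files around. It is written in Python for this page and assumes the libNAME.so.MAJOR.MINOR matching rule stated in its comments; check ld.so(1) on your release. The directory tree it builds is a constructed stand-in for /var/www, not real libraries.

```python
import os
import re
import tempfile

# OpenBSD shared libraries are named libNAME.so.MAJOR.MINOR. The rule modelled
# here is an assumption stated for this example (confirm against ld.so(1)):
# a library satisfies a request when the major matches and its minor is at
# least the requested one; among several candidates the highest minor wins.
SHLIB_RE = re.compile(r"^(lib[^/]+?)\.so\.(\d+)\.(\d+)$")


def parse_shlib(filename):
    """'libpq.so.6.11' -> ('libpq', 6, 11); None for anything else (e.g. libpq.a)."""
    m = SHLIB_RE.match(filename)
    return (m.group(1), int(m.group(2)), int(m.group(3))) if m else None


def resolve_in_chroot(chroot, search_dirs, needed):
    """Map each needed library name to the path (as seen inside the chroot)
    that satisfies it when only search_dirs are consulted, or None if absent."""
    result = {}
    for want in needed:
        parsed = parse_shlib(want)
        best = None
        if parsed:
            stem, major, minor = parsed
            for d in search_dirs:
                real_dir = os.path.join(chroot, d.lstrip("/"))
                if not os.path.isdir(real_dir):
                    continue
                for entry in os.listdir(real_dir):
                    p = parse_shlib(entry)
                    if p and p[0] == stem and p[1] == major and p[2] >= minor:
                        if best is None or p[2] > best[0]:
                            best = (p[2], os.path.join(d, entry))
        result[want] = best[1] if best else None
    return result


def missing_libs(result):
    """Names that could not be resolved, sorted so output is stable."""
    return sorted(name for name, path in result.items() if path is None)


def make_demo_chroot():
    """Constructed stand-in for /var/www: empty files with library names."""
    root = tempfile.mkdtemp(prefix="chroot-demo-")
    for rel in ("usr/lib/libc.so.95.0", "usr/lib/libc.so.95.1",
                "usr/lib/libz.so.5.0", "usr/lib/libz.so.5.2",
                "usr/local/lib/libpq.so.6.11"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    root = make_demo_chroot()
    # constructed NEEDED list; on a real system take it from ldd(1) on Pg.so
    needed = ["libc.so.95.1", "libz.so.5.0", "libpq.so.6.11", "libssl.so.47.6"]
    for dirs in (["/usr/lib"], ["/usr/lib", "/usr/local/lib"]):
        found = resolve_in_chroot(root, dirs, needed)
        print("search path", dirs)
        for name in needed:
            print("  %-16s -> %s" % (name, found[name] or "MISSING"))
```

Feed it the NEEDED names ldd(1) reports for Pg.so and the directories the chrooted ld.so actually searches (ld.so(1) and ldconfig(8) describe where that list comes from). The first run, with /usr/lib only, reproduces the missing libpq from the post; the second shows it found once /usr/local/lib is on the path, which is the decision the post was trying to make without copying files into /var/www/usr/lib.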
Re: pkg_add can't resolve package - bad major
.1 pinentry-1.1.0p0 gettext-runtime-0.20.1p0 libassuan-2.5.1p0 > python-3.7.4 xz-5.2.4 sqlite3-3.27.2p0 > Full dependency tree is libnettle-3.4.1p0 python-3.7.4 libassuan-2.5.1p0 > p11-kit-0.23.18.1 nghttp2-1.37.0 sqlite3-3.27.2p0 xz-5.2.4 npth-1.6 > libidn2-2.0.0p0 gmp-6.1.2p3 curl-7.64.1 pinentry-1.1.0p0 > libunbound-1.9.1 gnutls-3.6.7 blas-3.7.1p0 gettext-runtime-0.20.1p0 > libsecret-0.18.8p0 libgcrypt-1.8.4p0 libgpg-error-1.36p0 > libusb1-1.0.21p1 lua-5.1.5p6 p5-Error-0.17025 glib2-2.60.7p0 > libksba-1.3.5p2 gcc-libs-4.9.4p18 libiconv-1.14p3 pcre-8.41p2 > libmagic-5.35 libtasn1-4.13p0 bzip2-1.0.6p9 icu4c-63.1 lapack-3.7.1p0 > luajit-2.0.5p1 libffi-3.2.1p5 cvsps-2.1p2 libunistring-0.9.7 > Can't install w3m-0.5.3p8: can't resolve gettext-runtime-0.20.1p0 > Couldn't find updates for gettext-0.19.8.1p3 git-2.21.0 glib2-2.58.3p8 > gnupg-2.2.12 libgpg-error-1.36 libksba-1.3.5p1 p11-kit-0.23.15p0 > python-2.7.16 python-3.6.8p0 rspamd-1.9.0 vim-8.1.1048-no_x11 > Couldn't install gettext-runtime-0.20.1p0 git-2.24.2 glib2-2.60.7p0 > gnupg-2.2.12p0 libgpg-error-1.36p0 libksba-1.3.5p2 p11-kit-0.23.18.1 > python-2.7.16p1 python-3.6.9 python-3.7.4 rspamd-1.9.4 > vim-8.1.2061-no_x11 w3m-0.5.3p8 > > At this stage, I am not sure what should I do to fix this, any idea? 
> > Installed package: > dkimproxy-1.4.1p1 SMTP proxy to verify or add DKIM signatures > dovecot-2.3.5.1 compact IMAP/POP3 server > dovecot-pigeonhole-0.5.5v0 Sieve mail filtering for Dovecot > git-2.21.0 GIT - Tree History Storage Tool > gnupg-2.2.12 GNU privacy guard - a free PGP replacement > htop-2.2.0p8 interactive process viewer > intel-firmware-20190918v0 microcode update binaries for Intel CPUs > mosh-1.3.2p2 mobile shell > opensmtpd-extras-6.4.0v0 extras for smtpd > quirks-3.185 exceptions to pkg_add rules > rspamd-1.9.0 event-driven spam filtering system in C/Lua > vim-8.1.1048-no_x11 vi clone, many additional features > > $ cat > /etc/installurl > > > https://cdn.openbsd.org/pub/OpenBSD I have had this exact same problem before pkg_info -q > packages_installed pkg_delete gettext. pkg_add gettext-runtime pkg_add -u pkg_add -zl packages_installed The gettext changeover always screwed up my pkg_add -u pkg_delete gettext will uninstall quite a few packages That will get fixed by using the packages_installed file. Read man pkg_add first, of course. Chris Bennett
Re: pkg_add can't resolve package - bad major
On Mon, May 04, 2020 at 08:23:10AM +0200, Marc Espie wrote: > On Sun, May 03, 2020 at 12:58:41PM -0400, Chris Bennett wrote: > > I have had this exact same problem before > > > > pkg_info -q > packages_installed > > pkg_delete gettext. > > pkg_add gettext-runtime > > pkg_add -u > > pkg_add -zl packages_installed > > > Update your procedures, use pkg_info -z and not pkg_add -z. > It's been there for ages. > My bad. Thanks. That also gives me info I was finding hard to understand about stems. Time to sit down and re-read man pages again. Chris Bennett
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Tue, May 12, 2020 at 07:17:44AM +0200, i...@aulix.com wrote: > I would prefer to begin from grsecurity, but it is not available up to date > for my budget. > What exactly does your budget mean? These are all free, open source operating systems. You may sell both OpenBSD and any installations and consulting. That could improve your income for your budget. > I would also try HardenedBSD, but it is only amd64 now? And how many active > developers are there? one or two? > I run two intel based servers with OpenBSD amd64. They run flawlessly. > OpenBSD looks like the only viable option for me right now, maybe another one > is a systemd free distro like Devuan with a hardened kernel like by @anthrax, > but I am too unskilled even to understand what are improvements of @anthrax > kernel for me without a good doc for it in existence, and on the other > hand OpenBSD is famous for its very good documentation. Open source means that most developers work for free and fun or to obtain something they in particular want. Convince some developers to work on your own desires, whether with OpenBSD or elsewhere. > > I guess it is a huge work to harden a Linux installation to a level compared to > OpenBSD, there is some interesting work which is by Whonix but unfortunately > with systemd, and it seems someone from that community is referring to > isopenbsdsecu.re site, so it looks to me like an OpenBSD vs Whonix dispute, > excuse me if I am wrong. > Linus actively discourages security work. OpenBSD is thrilled to actively work on security. A major component that brings security benefits is simple auditing of code, not for security but for correctness. If you are seeking perfect security, YOU CAN'T HAVE IT! It is impossible. Not even agencies such as the NSA, etc. have it. Remember Edward Snowden? All systems can be breached. Period. My suggestion is to stop taking a confrontational attitude (you may not even realize you are doing it) and try to take a congenial attitude. 
It will always produce more good results than confrontation. Chris Bennett PS. Please format your emails to 80 or 72 character width. Your long lines are mildly irritating and non-standard in the Unix-like world. Or just hit enter more often.
Re: OpenBSD sysupgrade rocks
It is a great tool. This is a good example of something that anyone with a will can come up with. Propose an idea that *YOU* are capable of doing. Ask if such a thing is actually desirable, it might not be. That's OK. Do the work, a WIP is OK and submit a diff. Keep doing the work until usable and see what happens. You wouldn't have to be a top-notch C or Perl, etc. programmer. Anyone can help the project. Please do. Please don't beg for features. That's very irritating and wastes everyone's time. Please don't ask for features, once again. Really, I mean it. Don't ask for features! :-) Chris Bennett
Re: Why isn't src included with OpenBSD? (documentation)
I keep seeing people not getting the idea that OpenBSD has more of a philosophy of users needing to put out their own special efforts at learning, vs. other OS's. Do you think that mentioning this on the homepage/FAQ would be useful? It took me quite a while to understand that myself. Realizing that brought me a great relief and no longer feeling frustrated. I found it a bit inspiring and more enthusiastic about the whole project. Read the code because you MUST versus because you ought to. I find that as a path to follow, pridefully. Chris Bennett
Re: www unreachable
On Mon, Jun 15, 2020 at 09:43:03AM +0200, Thomas de Grivel wrote: > Hello, > > http://www.openbsd.org is unreachable. > > I wanted to know what's new in the current snapshots ? > I'm not sure about the website. You might have local DNS problems. Use dig to get the IP address (from a big nameserver like 8.8.8.8) and skip that problem. If you mean the current -release, yes the website is simplest in general terms only. If you mean -current, then the mailing lists and CVS are the right places to look. misc@ isn't very helpful, but tech@, etc. are excellent. DNS has problems in some places in the world. Usually just for hours. Annoying, but sites like OpenBSD have stable IP's and knowing that solves the problem quickly. If the site has a problem, someone else can clarify that. Chris Bennett
Re: www unreachable
On Mon, Jun 15, 2020 at 12:19:09PM +0200, Anders Andersson wrote: > > Are you saying it's working for you? Maybe you have a different route > to the website because it seems to be down on the Canadian side. I > presume you're in the US based on your domain name. :) No, it's not working for me either. I'm in Austin, TX and not working from my server in Chicago either. Chris Bennett
Re: Suggestions re error: "USB read failed" accessing Infinite Noise TRNG?
On Thu, Jun 25, 2020 at 09:41:41PM +0200, Why 42? The lists account. wrote: > > A quick search on the net didn't show much, apart from a suggestion that > a USB keyboard won't work at this point because the USB subsystem hasn't > yet been discovered (that was back in 2015 though). I'm using both a USB > keyboard and mouse. That is correct. Just to make sure everybody knows this. It is not related to your problem. Stuart's suggestion solves that problem. I have put that (for a different problem) into my /etc/rc.shutdown. Which survives moving to a newer snapshot or release. Chris
Re: X11 VESA Driver Config Question
On Sun, Aug 09, 2020 at 10:02:24PM -0400, Jon Fineman wrote: > I have an Acer Aspire A315 laptop that freezes every once in a while. I > think it is GPU related, but have not been able to get any logs. In > addition a while ago (roughly when 6.7 came out) I tried to upgrade > from 6.6 to 6.7 and the laptop would turn off just after getting the > login prompt. Again no logs. > > One thought was in my xorg.conf file to change the driver from AMDGPU > to vesa. However that is producing an error. Log and dmesg below. > > Any thoughts on how to proceed? > There is an excellent chance that we have the same problem. I was running -current for a long while, when I had the same problem with sudden unexpected shutdown. This was a good while back. I have 50GB of install66.iso from current back then. They are on one of my servers. Unfortunately, I just don't have access to enough bandwidth or data to download them to hopefully find the date that there was a change that messed things up. Try boot -c then disable amdgpu Might help. Also try boot -s and wait. If it shuts down there too, probably have the same problem. Or not. :-) I'm stuck at 6.6 -stable for now. Chris Bennett > Thanks. > > Jon > > > xorg.conf: > Section "Device" > Identifier "graphicsdriver" > #Driver "AMDGPU" > #Option "TearFree" "true" > Driver "vesa" > EndSection > > > > Xorg.0.log: > [124569.415] (--) checkDevMem: using aperture driver /dev/xf86 > [124569.425] (--) Using wscons driver on /dev/ttyC4 > [124569.446] > X.Org X Server 1.20.5 > X Protocol Version 11, Revision 0 > [124569.446] Build Operating System: OpenBSD 6.6 amd64 > [124569.446] Current Operating System: OpenBSD laptop.jonjfineman.me > 6.6 GENERIC.MP#3 amd64 [124569.447] Build Date: 30 July 2020 11:25:30AM > [124569.447] > [124569.447] Current version of pixman: 0.38.4 > [124569.447] Before reporting problems, check http://wiki.x.org > to make sure that you have the latest version. 
> [124569.447] Markers: (--) probed, (**) from config file, (==) default > setting, (++) from command line, (!!) notice, (II) informational, > (WW) warning, (EE) error, (NI) not implemented, (??) unknown. > [124569.447] (==) Log file: "/var/log/Xorg.0.log", Time: Sun Aug 9 > 05:48:55 2020 [124569.447] (==) Using config file: "/etc/X11/xorg.conf" > [124569.447] (==) Using system config directory > "/usr/X11R6/share/X11/xorg.conf.d" [124569.447] (==) No Layout section. > Using the first Screen section. [124569.447] (==) No screen section > available. Using defaults. [124569.447] (**) |-->Screen "Default Screen > Section" (0) [124569.447] (**) | |-->Monitor "" > [124569.448] (==) No device specified for screen "Default Screen > Section". Using the first device section listed. > [124569.448] (**) | |-->Device "graphicsdriver" > [124569.448] (==) No monitor specified for screen "Default Screen > Section". Using a default monitor configuration. > [124569.448] (==) Automatically adding devices > [124569.448] (==) Automatically enabling devices > [124569.448] (==) Not automatically adding GPU devices > [124569.448] (==) Max clients allowed: 256, resource mask: 0x1f > [124569.448] (==) FontPath set to: > /usr/X11R6/lib/X11/fonts/misc/, > /usr/X11R6/lib/X11/fonts/TTF/, > /usr/X11R6/lib/X11/fonts/OTF/, > /usr/X11R6/lib/X11/fonts/Type1/, > /usr/X11R6/lib/X11/fonts/100dpi/, > /usr/X11R6/lib/X11/fonts/75dpi/ > [124569.448] (==) ModulePath set to "/usr/X11R6/lib/modules" > [124569.448] (II) The server relies on wscons to provide the list of > input devices. If no devices become available, reconfigure wscons or > disable AutoAddDevices. 
[124569.448] (II) Loader magic: 0xc3982ca3000 > [124569.448] (II) Module ABI versions: > [124569.448] X.Org ANSI C Emulation: 0.4 > [124569.448] X.Org Video Driver: 24.0 > [124569.448] X.Org XInput driver : 24.1 > [124569.448] X.Org Server Extension : 10.0 > [124569.448] (--) PCI:*(0@0:1:0) 1002:98e4:1025:1192 rev 218, Mem @ > 0xe000/268435456, 0xf000/8388608, 0xf0d0/262144, I/O @ > 0x3000/256, BIOS @ 0x/131072 [124569.448] (II) LoadModule: > "glx" [124569.449] (II) Loading > /usr/X11R6/lib/modules/extensions/libglx.so [124569.451] (II) Module > glx: vendor="X.Org Foundation" [124569.451] compiled for > 1.20.5, module version = 1.0.0 [124569.451] ABI class: X.Org > Server Extension, version 10.0 [124569.451] (II) LoadModule: "vesa" > [124569.452] (II) Loading /usr/X11R6/lib/modules/drivers/vesa_drv.so > [12
Re: X11 VESA Driver Config Question
On Tue, Aug 11, 2020 at 08:17:01PM -0400, Jon Fineman wrote: > I just upgraded from 6.6 to snapshot via sysupgrade -s > > After reboot I get the various emails the upgrade goes fine, no errors, > the firmware is upgraded. > > About 30 seconds after I get the login prompt the laptop powers off. > > I turned it on and at the boot prompt typed boot -c and disable amdgpu > Subjectively I got more than 30 seconds after the boot prompt. I was > able to log in and look around a bit and it powered off. > > Same thing with booting into single user mode. > > Thoughts? Suggestions on how to get any data? > > Jon > sysctl.conf needs machdep.allowaperture=2 if you can't mount from another computer, burn 6.6 onto a USB stick and mount from that. Don't even try from running -current. You can probably get /var/run/dmesg.boot. Plus /var/log/Xorg.0.log if you manage to get to X. (Good luck with that :-{ ) I was given advice in the past to build with a certain change, but I was unable to build that on my laptop due to very little memory. There is newer firmware, X, etc. Hopefully someone will chime in with something to try for a build. Chris Bennett > > > On Mon, 10 Aug 2020 20:28:34 -0500 > Chris Bennett wrote: > > > On Sun, Aug 09, 2020 at 10:02:24PM -0400, Jon Fineman wrote: > > > I have an Acer Aspire A315 laptop that freezes every once in a > > > while. I think it is GPU related, but have not been able to get any > > > logs. In addition a while ago (roughly when 6.7 came out) I tried > > > to upgrade from 6.6 to 6.7 and the laptop would turn off just after > > > getting the login prompt. Again no logs. > > > > > > One thought was in my xorg.conf file to change the driver from > > > AMDGPU to vesa. However that is producing an error. Log and dmesg > > > below. > > > > > > Any thoughts on how to proceed? > > > > > > > There is an excellent chance that we have the same problem. 
> > I was running -current for a long while, when I had the same problem > > with sudden unexpected shutdown. This was a good while back. > > I have 50GB of install66.iso from current back then. They are on one > > of my servers. Unfortunately, I just don't have access to enough > > bandwidth or data to download them to hopefully find the date that > > there was a change that messed things up. > > > > Try boot -c then disable amdgpu > > Might help. Also try boot -s and wait. If it shuts down there too, > > probably have the same problem. Or not. :-) > > > > I'm stuck at 6.6 -stable for now. > > > > Chris Bennett > > > > > > > Thnaks. > > > > > > Jon > > > > > > > > > xorg.conf: > > > Section "Device" > > > Identifier "graphicsdriver" > > > #Driver "AMDGPU" > > > #Option "TearFree" "true" > > > Driver "vesa" > > > EndSection > > > > > > > > > > > > Xorg.0.log: > > > [124569.415] (--) checkDevMem: using aperture driver /dev/xf86 > > > [124569.425] (--) Using wscons driver on /dev/ttyC4 > > > [124569.446] > > > X.Org X Server 1.20.5 > > > X Protocol Version 11, Revision 0 > > > [124569.446] Build Operating System: OpenBSD 6.6 amd64 > > > [124569.446] Current Operating System: OpenBSD laptop.jonjfineman.me > > > 6.6 GENERIC.MP#3 amd64 [124569.447] Build Date: 30 July 2020 > > > 11:25:30AM [124569.447] > > > [124569.447] Current version of pixman: 0.38.4 > > > [124569.447] Before reporting problems, check > > > http://wiki.x.org to make sure that you have the latest version. > > > [124569.447] Markers: (--) probed, (**) from config file, (==) > > > default setting, (++) from command line, (!!) notice, (II) > > > informational, (WW) warning, (EE) error, (NI) not implemented, (??) > > > unknown. 
[124569.447] (==) Log file: "/var/log/Xorg.0.log", Time: > > > Sun Aug 9 05:48:55 2020 [124569.447] (==) Using config file: > > > "/etc/X11/xorg.conf" [124569.447] (==) Using system config directory > > > "/usr/X11R6/share/X11/xorg.conf.d" [124569.447] (==) No Layout > > > section. Using the first Screen section. [124569.447] (==) No > > > screen section available. Using defaults. [124569.447] (**) > > > |-->Screen "Default Screen Section" (0) [124569.447] (**) | > > > |-->Monitor "" [124569.448] (==) No device > > &
Re: X11 VESA Driver Config Question
Oh, I'm "glad" someone else is having the same problem. (Sorry) I had gotten to the point of assuming a hardware problem. Being able to rule that out is nice. At least there is hope in getting a fix. I'm really not in a position to buy another one. $$ missing. If any developer could get me a replacement, I will gladly send mine. This is a pretty crappy laptop, so anything used and not very powerful fits my needs. I'm doing my porting work off of my servers anyway. Firefox, vim and lightweight use of something like gimp occasionally are all I need == Thinking about it, my servers are i386 running amd64. Would that be OK to run a build off of and install on the laptop? I have one that I could interrupt that way. ====== Chris Bennett
Re: Keyboard knocks out while using special keys
On Sat, Aug 22, 2020 at 08:01:43PM -, Dimitri Karamazov wrote: > I'm using a keyboard with some multimedia keys and sleep, poweroff buttons. > I avoid using those, but accidentally hitting any of those keys renders the > keyboard in a frozen state, where the only solution is to replug to use it again. > This is the case on both X11 and vt, but the connection is never lost, when I > hit the special keys, it just takes no input. Is there a solution to this? > If you have a second keyboard, I would suggest attaching both. There is a program that shows which keys are producing what output. I would see what is actually being sent out with those keys. The second keyboard would allow you to hopefully experiment a bit more without having to re-attach the problem keyboard. Did you have problems before with this keyboard? I have a keyboard that frequently fails to attach at boot. Unplugging and reattaching it is often necessary after boot, but only sometimes. Good luck, Chris Bennett
Re: FireFox Browser 'Open File' error
On Tue, Aug 25, 2020 at 08:59:34PM +0300, Kihaguru Gathura wrote: > Hi, > > I have tested on a 64 bit version of the same ThinkPad T60 and error is > consistent. > > However Firefox opens files from any folder as root on these same machines > running OpenBSD 6.5. Please don't run such software as root, ever. Especially on old code that isn't supported anymore. If this is a disposable version for testing only, then never mind. Chris Bennett > > Kind regards, > > Kihaguru. > > > > > On Sat, Aug 22, 2020 at 9:34 AM Kihaguru Gathura wrote: > > > Hi, > > > > Firefox fails to list files at 'File Open' with error message: > > > > (firefox:89328): dconf-WARNING **: 09:12:15.835: failed to commit changes > > to dconf: The given address is empty > > > > Please advise > > > > Regards, > > > > Kihaguru. > > > > > > # > > OpenBSD 6.7 (GENERIC.MP) #169: Thu May 7 11:37:15 MDT 2020 > > dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP > > real mem = 2137341952 (2038MB) > > avail mem = 2082598912 (1986MB) > > mpath0 at root > > scsibus0 at mpath0: 256 targets > > mainbus0 at root > > bios0 at mainbus0: date 04/30/07, BIOS32 rev. 0 @ 0xfd6b0, SMBIOS rev. 
2.4 > > @ 0xe0010 (68 entries) > > bios0: vendor LENOVO version "79ETD3WW (2.13 )" date 04/30/2007 > > bios0: LENOVO 195143U > > acpi0 at bios0: ACPI 3.0 > > acpi0: sleep states S0 S3 S4 S5 > > acpi0: tables DSDT FACP SSDT ECDT TCPA APIC MCFG HPET SLIC BOOT SSDT SSDT > > SSDT SSDT > > acpi0: wakeup devices LID_(S3) SLPB(S3) EXP0(S4) EXP1(S4) EXP2(S4) > > EXP3(S4) PCI1(S4) USB0(S3) USB1(S3) USB2(S3) USB7(S3) HDEF(S4) > > acpitimer0 at acpi0: 3579545 Hz, 24 bits > > acpiec0 at acpi0 > > acpimadt0 at acpi0 addr 0xfee0: PC-AT compat > > cpu0 at mainbus0: apid 0 (boot processor) > > cpu0: Genuine Intel(R) CPU T2400 @ 1.83GHz ("GenuineIntel" 686-class) 1.83 > > GHz, 06-0e-08 > > cpu0: > > FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,MWAIT,VMX,EST,TM2,xTPR,PDCM,NXE,PERF,SENSOR,MELTDOWN > > mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges > > cpu0: apic clock running at 166MHz > > cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE > > cpu1 at mainbus0: apid 1 (application processor) > > cpu1: Genuine Intel(R) CPU T2400 @ 1.83GHz ("GenuineIntel" 686-class) 1.83 > > GHz, 06-0e-08 > > cpu1: > > FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,MWAIT,VMX,EST,TM2,xTPR,PDCM,NXE,PERF,SENSOR,MELTDOWN > > ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins, remapped > > acpimcfg0 at acpi0 > > acpimcfg0: addr 0xf000, bus 0-63 > > acpihpet0 at acpi0: 14318179 Hz > > acpiprt0 at acpi0: bus 0 (PCI0) > > acpiprt1 at acpi0: bus -1 (AGP_) > > acpiprt2 at acpi0: bus 2 (EXP0) > > acpiprt3 at acpi0: bus 3 (EXP1) > > acpiprt4 at acpi0: bus 4 (EXP2) > > acpiprt5 at acpi0: bus 12 (EXP3) > > acpiprt6 at acpi0: bus 21 (PCI1) > > acpicpu0 at acpi0: !C3(250@17 io@0x1015), !C2(500@1 io@0x1014), C1(1000@1 > > halt), PSS > > acpicpu1 at acpi0: !C3(250@17 io@0x1015), !C2(500@1 io@0x1014), C1(1000@1 > > halt), PSS > > acpipwrres0 at acpi0: PUBS, 
resource for USB0, USB2, USB7 > > acpitz0 at acpi0: critical temperature is 127 degC > > acpitz1 at acpi0: critical temperature is 99 degC > > acpibtn0 at acpi0: LID_ > > acpibtn1 at acpi0: SLPB > > "PNP0A08" at acpi0 not configured > > acpicmos0 at acpi0 > > "IBM0071" at acpi0 not configured > > "ATM1200" at acpi0 not configured > > acpibat0 at acpi0: BAT0 model "COMPATIBLE" serial44 type LION oem > > "SANYO" > > acpiac0 at acpi0: AC unit online > > acpithinkpad0 at acpi0: version 1.0 > > acpidock0 at acpi0: GDCK not docked (0) > > acpivideo0 at acpi0: VID_ > > acpivout0 at acpivideo0: LCD0 > > acpivideo1 at acpi0: VID_ > > bios0: ROM list: 0xc/0xea00! 0xcf000/0x1000 0xd/0x1000 > > 0xdc000/0x4000! 0xe/0x1! > > cpu0: Enhanced SpeedStep 1829 MHz: speeds: 1833, 1333, 1000 MHz > > pci0 at mainbus0 bus 0: configuration mode 1 (bios) > > pchb0 at pci0 dev 0 function 0 "Intel 82945GM Host" rev 0x03 > > inteldrm0 at pci0 dev 2 function 0 "Intel 82945GM Video" rev 0x03 > > drm0 at inteldrm0 > > intagp0 at inteldrm0 > > agp0 at intagp0: aperture at 0xd000, s
Re: Microsoft's war on plain text email in open source
On Wed, Aug 26, 2020 at 12:28:00PM -0500, Mike Hammett wrote:
> Text-only was great in 1985.
>
> And it's still pretty badass in 2020.

I really love the way company networks are brought down by a little
helpful Javascript in an HTML email.

Can't get your email to go plain text, attachments work.
If they don't, why not change providers?
It's a bit of work, but almost anyone can set up their own email server
for next to nearly free.

Chris Bennett

> -
> Mike Hammett
> Intelligent Computing Solutions
>
> Midwest Internet Exchange
>
> The Brothers WISP
>
> - Original Message -
>
> From: "Frank Beuth"
> To: misc@openbsd.org
> Sent: Wednesday, August 26, 2020 3:28:50 AM
> Subject: Microsoft's war on plain text email in open source
>
> "Linux kernel development which is driven by plain-text email
> discussion needs better or alternative collaborative tooling "to bring
> in new contributors and maintain and sustain Linux in the future," says
> Sarah Novotny, Microsoft's representative on the Linux Foundation board.
>
> Said tooling could be "a text-based, email-based patch system that can
> then also be represented in a way that developers who have grown up in
> the last five or ten years are more familiar with," she added.
>
> ...
>
> Should it migrate toward something more like, say, issues and pull
> requests on the Microsoft-owned GitHub? “I’m not saying that there will
> be a move in any time that I can see my crystal ball’s broken but I do
> think there needs to be expansions in the way people can enter that
> workflow,” said Novotny.
>
> “It is a fairly specific workflow that is a challenge for some newer
> developers to engage with. As an example, my partner submitted a patch
> to OpenBSD a few weeks ago, and he had to set up an entirely new mail
> client which didn’t mangle his email message to HTML-ise or do other
> things to it, so he could even make that one patch. That’s a barrier to
> entry that’s pretty high for somebody who may want to be a first-time
> contributor.”"
>
> https://www.theregister.com/2020/08/25/linux_kernel_email/
Re: Microsoft's war on plain text email in open source
On Wed, Aug 26, 2020 at 09:47:24PM +0200, Pierre-Philipp Braun wrote:
> > Can't get your email to go plain text, attachments work.
> > If they don't, why not change providers?
> > It's a bit of work, but almost anyone can set up their own email server
> > for next to nearly free.
>
> That is not as easy as it was, mainly because of IP reputation. If you have
> your own MX and outbound MTA/MSA you will have to go through painful
> processes of getting out of blacklists, and even then your outgoing messages
> might end-up in users' spambox. The game has changed, and it's for us
> old-timers that life is rough, already.

Bare metal servers often have cheap lower end servers.
Yes, if it's not in the cloud, some people think they aren't in the latest
fad.

I've yet to end up on any blacklist except SpamRats which dropping a
message on their form page instantly clears up the problem. That is
usually because of some little thing that hasn't propagated yet through
DNS.

Spam boxes are no longer very useful. Censorship is in full swing.
If I were to mention the last name of the founder of Windows, this email
would immediately go into the spam box of places like gmail.
If I were to send you an HTML email with that word in the text, same
thing.

Right now, us oldtimers are the only ones with much fundamental
knowledge and experience. I was recently told by a youngster that I was
a total idiot for working my way through the new CSS to understand it
well. I needed to go straight over to some Framework that assumes I am
stupid, which I would be if I didn't take the time to understand what I'm
really accomplishing.

Setting up an email server for strictly personal use is not that big a
deal. For many users in a commercial setting, much harder.

All IPs can get blacklisted. Bad IPs, change ISPs. One month to set
things up and transfer over to a new server. Once everything is working,
drop the crappy corporate email service. No big rush.

My thoughts, for whatever they are worth.
Chris Bennett
Re: OpenSMTP - Wrong user for Dovecot LMTP
On Mon, Oct 19, 2020 at 06:24:47AM -0400, Aisha Tammy wrote:
> On 10/19/20 12:20 AM, Kastus Shchuka wrote:
> > On Sun, Oct 18, 2020 at 08:55:16PM -0400, Aisha Tammy wrote:
> > > Hi,
> > >
> > > I just upgraded to 6.8 and the upgrade process has been super cool and
> > > simple :)
> > >
> > > Unfortunately I seem to have hit some weird issue in OpenSMTPD where it
> > > has stopped
> > > delivering the mail using Dovecot's LMTP due to sending as wrong user.
> > >
> > > osmtpd tries to send the mail as *_smtpd* even when configured to send as
> > > a
> > > different user *excision*
> > >
> > > Could it be this change: https://marc.info/?t=15878902902&r=1&w=2 ?
> >
> > Well damn... That would indeed cause this error.
>
> I guess a simple fix would be to add _smtpd to the socket group or change
> socket
> group to _smtpd.
>
> Another fix would be to have the whole virtual user system also be done using
> _smtpd but I feel that keeping things with separate users is better.
>
> Thanks a lot for the answer!
>
> Aisha
>

Are you using Maildir and IMAP from dovecot? I am.
I've set up using vmail as the user for dovecot.
Something similar to your virtual user files, except that I have three
files: vdomains, vaddr and vusers.
vusers has the table you are using, except moving to user vmail instead
of excision, which doesn't matter.
vdomains are the domains getting mail.
vaddr are just the plain addresses used.

action a01 lmtp "/var/dovecot/lmtp" rcpt-to alias
action a02 lmtp "/var/dovecot/lmtp" rcpt-to virtual <vusers>
match from any for local action a01
match from any for domain <vdomains> rcpt-to <vaddr> action a02

This works really well.
I'm also using PostgreSQL for the users, passwords and home folders for
dovecot, which solves the upcoming removal of bsdauth in dovecot.

However, unrelated I'm having trouble setting up auth for sending.
There are many conflicting examples which I can't sort out.
I'll look over what you've posted to see if that can work for me.
I have four mail domains on this server and I'm definitely missing some
small piece of the puzzle.

Regards,
Chris Bennett
Re: fresh install
On Mon, Oct 19, 2020 at 05:55:59PM -0500, Hakan E. Duran wrote:
> Dear all,
>
> Having been a linux user for quite a while, I am used to doing a fresh
> install every few years, following a few upgrades. I usually set a separate
> partition for the /home directory to be able to inherit my settings to the
> fresh installation. This is the first time I did an upgrade in OpenBSD from
> 6.7 to 6.8, which actually went flawless, but being a skeptical linux user, I
> am wondering how I can do a fresh install if need be, by preserving my user
> directory. I chose the auto-partitioning during the installation of OpenBSD
> 6.7 but I don't know if that would be possible in a scenario like this, since
> I am not sure if the installation algorithm would recognize the /home
> directory or not. Your guidance will be greatly appreciated.
>
> Hakan
>

You can do a fresh install and preserve existing partitions with great
care and NOT using auto partition. Just don't add /home to the partitions
to be created and make absolutely sure that the area on the disklabel
doesn't include the space allocated for /home.
But only if this fresh install is after having done a fresh install
previously.

Use Custom for the disklabel step, which will reflect the already
existing disklabel, except without the mount points. You will need to
delete the /home partition, finish the install, then use disklabel to
add the home partition, fsck -fp it, and mount it manually. If OK, add
to fstab if desired.

Be sure to back up the /home partition before doing this.

Since this is a bit complicated, practice this many times, read the
manual pages very well. Buy a USB drive to practice this on. Be sure to
do something wrong. Understanding this will really help you if you
somehow have a disaster, like a sudden power failure that messes up a
critical partition hopelessly.

This is not Linux. The rules are totally different. If you ask yourself
what you would do in Linux, you have failed in this task.

Auto-partition is really helpful for someone new to OpenBSD. But I
rarely partition across only a single disk and always partition some
special partitions like /var/postgresql, /home/vip-user, /var/www, etc.
/usr/src, /usr/obj are not needed by every user now that we have
syspatch.

Have fun,
Chris Bennett
Re: filters in OpenBSD in printing
On Mon, Oct 19, 2020 at 09:19:26PM -0600, Raymond, David wrote:
> Questions about lpr printing:
>
> I tried putting a filter that drives an HP Deskjet printer (works with
> lprng on linux) as an output filter in printcap and it didn't work.

LPRng was removed a good while back.
What software besides the base lpr system are you using?
What commands are you using exactly?

Does it speak Postscript? That can be really helpful as a lot of
software speaks Postscript. I stopped getting printers that didn't speak
it.

apsfilter is pretty helpful for getting things working. You might give
it a try. Some of its filters were astoundingly slow. But it helps fill
out printcap.

I haven't used lpr for a few years because my printer is in Mexico and
I'm in Washington state.

> Would it be more proper to put it as an input filter?  I am still on
> version 6.7 of the OS.  (I saw a recent post indicating that changes
> were made to the lpr system in 6.8.)

Someone else will probably be able to explain those changes.
Moving to 6.8 might be well worth it.

>
> One of the problems was that I couldn't get rid of the banner page
> even though the appropriate flags were set.
>
> I have looked for lpr documentation more informative than the
> lpr/lpd/printcap man pages, but I haven't found anything.  The
> printcap page describes some really archaic filters, but not much that
> is helpful in today's world.

I haven't looked at the code recently, but I think I know what filters
you are referring to. Super archaic.

>
> I am currently using cups but would like to get rid of it, because if
> their set of filters doesn't do the job, you are stuck.  (Plus other
> hair-pulling frustrations.)
>

Can't agree more!

--
Regards,
Chris Bennett
Re: Issue updating spidermonkey
On Tue, Oct 20, 2020 at 08:26:05PM -0400, Brennan Vincent wrote:
> Updated yesterday from 6.7 to a snapshot, and now:
>
> $ doas pkg_add -u

doas pkg_add -u -Dsnap

You need to do some things differently once you change to -current
snapshots.
Might also have to wait for -current packages to match the -current
snapshot sometimes.

Chris Bennett

> quirks-3.458 signed on 2020-10-18T13:56:14Z
> Can't update spidermonkey-60.9.0v1->spidermonkey78-78.3.1v1: no update found
> for spidermonkey-60.9.0v1
> Can't install polkit-0.116p1->0.118: can't resolve spidermonkey78-78.3.1v1
>
> Is this expected soon after updating? Do I just need to wait for some
> inconsistency in the pkg repo to be resolved?
>
> Thanks
Re: question about man starttls and linking to cert.pem
Thanks, that had me confused when I read it, so I just ignored it. Glad to know I did, as in didn't, do what it suggested except once. Chris Bennett
Re: Ergonomic USB wired mouse
I am using the Logitech wireless with the trackball on the LEFT side. I would really like to use a second mouse at the same time for my left hand with a trackball on the RIGHT side. I don't like center ball mice. Anyone know of one of these? I like using a mouse for each hand. Chris Bennett
Re: What is you motivational to use OpenBSD
I decided to move away from Windows and I needed to set up a web and
email server. Trying many different versions of Linux left me
unsatisfied. Then I accidentally ran into the OpenBSD website. That was
exactly what I wanted.

As a totally inexperienced guy, I found a server company that could
pre-install it. I never looked back and learned almost everything
remotely. I dual booted at home for a while and I use OpenBSD only for
a long time now.

I have found two interesting things about the mailing lists.

1. Here is what you need to know, how else can I help.
2. RTFM and read the source code yourself.

I found read the source code a little frustrating at first. But I have
realized that the OpenBSD community is NOT about holding your hand.
There is an expectation that you need to put out the effort necessary
to at least try to figure it out yourself. If that means learning some
C or Perl or other languages, then you will have to do that.

I now heartily agree with this. Why should a developer waste time when
there are truly more important things that constantly change as the
world moves forward.

I have never been concerned about missing a few months without checking
up on a server. Problems are very very rare! And fixed really really
fast!

Thanks for giving me a fantastic system and the chance to laugh at the
other OSes that think security and bug fixing is an optional concern!

Chris Bennett
Re: auto_upgrade.conf et al man pages or documentation?
On Fri, Oct 18, 2019 at 10:56:07AM +1300, Shane Lazarus wrote:
>
> So, I just ran sysupgrade with no options to see what would happen.
>
> Unsurprisingly, it proceeded to install ALL of the sets, without bothering
> to prompt me, or apparently taking note of what was previously selected
> during the initial install of 6.5.
>
> This is an undesirable trait, with neither apparent documentation or what I
> would consider to be sane defaults.
>
> If someone would be so kind as to point me in the right direction for how
> to prevent sysupgrade from being unsane, it would be much appreciated.
>

I can't comment on the documentation issues of those files.

But sysupgrade is meant for a quick and easy upgrade. No hand holding.
No special treatment. If you need an upgrade that is not like the way
sysupgrade does it, then you will need to simply do the steps yourself
manually. Just as all of us have been doing for years. All of those
steps are extensively documented both in the man pages and the mailing
lists.

It is a tool to do one specific set of tasks. rm -r and rmdir can both
remove a directory. But they are not the same tool.

This topic has already been extensively and frustratingly dealt with on
the list. Please don't ask for changes to sysupgrade. The questions
about the documentation are relevant however.

Chris Bennett
Re: When will be created a great desktop experience for OpenBSD?
On Fri, Oct 25, 2019 at 05:35:27PM +, flauenroth wrote:
> Apparently not just theo is using fvwm after all. :)
>

I have been using it about half the time now. But that was only after
copying a config posted here and then modifying it. I have had a really
hard time getting accurate information about config options. Many of
the options from FVWM site/lists just don't work. However, it's mostly
reliable, except that I do have to restart it occasionally.

I will ask if the default config could perhaps be slightly changed? I
find the font size just too small for my eyesight now. No big changes,
though. We do have to learn.

> I heard from many people that fvwm is clunky, old and should not be used. But
> I personally like fvwm a lot. It's like using ed or vi over MS or Libre
> Office. I like to have "simple" software in the means of the software or more
> precise its authors don't anticipate what I want to do.
>

As far as ed(1) goes, I'm thrilled to say that I am now using it on my
phone to edit files. The keyboard takes up a ton of space and with ed I
can crank up the font size and work really nice!

> ___
> Always exit with 42 to return the answer.

42 bytes makes up some badass quotes or script! :D

Chris Bennett
Re: A promotional idea (related to quantum computing / hacking)
On Sat, Oct 26, 2019 at 12:29:41PM +0200, Peter J. Philipp wrote:
>
> On 2019-10-26 12:03, Frank Beuth wrote:
> > On Sat, Oct 26, 2019 at 02:53:42PM +0800, Jyri Hovila [Turvamies.fi]
> > wrote:
> > > Maybe OpenBSD could profile itself as *the* OS with all crypto
> > > related stuff is handled using post-quantum cryptography?
> >
> > I don't think OpenBSD wants to "profile itself" as anything.
> >
> > Are post-quantum algorithms well reviewed and stable enough to be worth
> > using as defaults for OpenBSD full disk encryption, OpenSSH,
> > LibreSSL...?
> >
> > Do you or anyone else have the expertise to implement them?
>
> In no way I'm an authority on the subject. I have been interested by this
> though and have bought two books on post-quantum cryptography (one is not
> delivered yet, it will be published in November). The one book written by
> DJB has a table on page 16 which I'd like to share:
>
> RSA->broken, Diffie Hellman->broken, Elliptic curve->broken,
> Buchmann-Williams->broken, Algebraic Homomorphic->broken by quantum systems
>
> This leaves McEliece public key, NTRU public key and Lattice based public
> keys as unbroken by quantum systems.
>
> All in theory as this book was written in 2010. I'm opening my eyes though
> to the quantum threat.
>
> The unbroken systems may have behaviour much different from RSA (as an
> example) and the OpenSSH code would perhaps need huge refactoring in
> protocol exchange than before.
>
> Maybe someone should be sponsored to do the grunt work with some of the
> donation money that OpenBSD is showered with, or maybe someone will do it
> for free. Good luck to all the programmers involved! One day it will have
> to be done, let's hope before the break-ins to important hosts.
>

I see a whole lot of assumptions here.

First, mathematicians have recently solved with "ordinary" computers one
of the "only a quantum computer" can solve proposed computations.
Perhaps they will keep solving such problems as more mathematical
theories develop. The ideas behind quantum computing itself may serve as
inspirations.

Second, that we will actually be able to get an actual functioning
quantum computer that works. So far the need to deal with errors is a
major obstacle. Even this may prove to be an unsolvable downfall. We
keep discovering new physics. Maybe this is a dead end idea? Too much
vinegar and not enough honey to catch the flies?

Third, that such a computer proves far too expensive to actually build
at a usable level. A 300 trillion dollar unit. Who would fork over that
much?

Fourth, that perhaps we may find ways to vastly empower regular
computers far beyond today's level. A quantum computer itself may become
seen as a waste of time and never leave the laboratories.

Science, math, physics, etc. are an always moving target. I have a hunch
that things are not going to end up where we are guessing they will. We
have "phasers", we don't have transporters. We do have the Internet.
Nobody saw that one coming except as a vague sorta weak idea.

For now, no hardware = no software = no developers. Tomorrow, who knows?
Could be pretty cool. Today, genuine work needs to get done. Please help.

Best regards,
Chris Bennett
Re: When will be created a great desktop experience for OpenBSD?
On Mon, Oct 28, 2019 at 09:38:20AM +0100, Marc Espie wrote:
> On Fri, Oct 25, 2019 at 05:35:27PM +, flauenroth wrote:
> > Apparently not just theo is using fvwm after all. :)
>
> Considering all the people using it, it would be great if someone were to
> look at the enhancements of fvwm2 (wrong license, so not base) and backport
> some of these to our elderly fvwm.
>
> Specifically, fvwm in base does NOT deal well with multi-screen setups, among
> other things. It's missing all kinds of extensions that the X server provides
> these days.
>
> Very much less than perfect experience.
>
> I have fvwm2 from ports on every machine that runs OpenBSD. No choice about
> that.
>
> (and I stick with fvwm* because the configuration options for mixing keyboard
> keys with mouse behavior do NOT exist anywhere else)
>

MASTER_SITES= ftp://ftp.fvwm.org/pub/fvwm/version-2/ isn't valid now.
Now on github: https://github.com/fvwmorg/fvwm/releases

How is backporting done correctly in a case like this? I assume in
order to add it to base? Or is that not possible?
Seems like a good question maybe for other base software too.
Is there already a thread talking about this?

Thanks,
Chris Bennett
Re: When will be created a great desktop experience for OpenBSD?
On Mon, Oct 28, 2019 at 04:17:00PM +0100, Marc Espie wrote:
>
> You got to figure out the missing features, and rewrite them "from scratch".
>
> You can't actually borrow the code, because the licence makes it impossible.
>
> Either that, or you convince the xorg project to go back on their choice
> to change the licence, which is going to be more or less impossible.

Yes, it is old!

Would finding work say on web archive from the time of writing the
current code and earlier from the FVWM group be something usable? Just
nothing dated later than that?

Chris Bennett
Re: How can I contribute code to openbsd
On Wed, Oct 30, 2019 at 12:28:35PM -0400, Jeff wrote: > P.S. Are there any urgent areas where the OpenBSD operating system > project is short-handed? > Yes! Just look under /usr/src, /usr/xenocara and /usr/ports Can't go wrong with that plan. :-) Chris Bennett
Re: Following current - pkg_add update forward depedencies don't match question
On Thu, Oct 31, 2019 at 07:09:49PM -0500, Theodore Wynnychenko wrote:
> Hello
>
> I just updated a system to current the other day.
>
> OpenBSD 6.6 GENERIC.MP#411 amd64
> When I check:
> # pkg_info | grep gettext
> gettext-0.19.8.1p3  GNU gettext runtime libraries and programs
>
> And the mirror shows:
> gettext-runtime-0.20.1p0.tgz
>
> Or (another example), with similar notices about forward dependencies not
> matching:
> # pkg_info | grep php-7
> php-7.1.27          server-side HTML-embedded scripting language
>
> And the mirror shows:
> php-7.1.32.tgz
>
> I see that I can "force" the update with "pkg_add -u -D updatedepends".
>

NO. You need to use pkg_add -u -Dsnap. Or, the packages really don't
match yet. Then wait a little. -Dsnap is a must.

Some snapshots are also "defective" as in trying some new stuff that
will get changed more later. Upgrade again.

Occasionally you might need to use sysupgrade -s. That happened to me
from one -current to another.

If you genuinely need stability, then run -stable.

-current makes changes to the C libraries and headers and then
recompiles the packages. The packages are the same but C, etc. has
changed. Thus the packages have changed on that level. Thus they keep
the same Makefiles, but the resulting package binaries are different.

Chris Bennett

> It seems like this should be safe to do, but it's not something I have done
> before.
>
> While my system isn't "production" for a large multi-national, I do use it
> as a file server and stuff, and it is working right now, and I don't want to
> make it not work.
>
> So, before I did this, I was wondering if there was anything I should
> consider/do to address this issue, other than just "forcing" the update?
>
> I guess, when at its core, I don't really completely understand what the
> notice means, and how and why it happened.
>
> Thanks
> Ted
Re: Following current - pkg_add update forward depedencies don't match question
On Sat, Nov 02, 2019 at 09:24:05AM -, Stuart Henderson wrote:
> On 2019-11-01, Chris Bennett wrote:
> > NO. You need to use pkg_add -u -Dsnap.
>
> Normally when pkg_add doesn't have a full path to the package directory
> (e.g. PKG_PATH=http://mirror/pub/OpenBSD/6.6/packages/amd64/)
> it constructs it from a hostname in PKG_PATH or a partial path in
> /etc/installurl. To do that it has to add e.g. 6.6/packages/amd64
> to the partial path.
>
> It decides whether to use 6.6/ (or other version number) or snapshots/
> based on whether the current version is a snapshot or not (from the
> "sysctl kern.version" output).
>
> All that -Dsnap does is say "use snapshots/ even if this looks like
> it's a release (no suffix after "6.6"). You only ever need it if you're
> a) running snapshots and b) are in the brief period in the run-up to
> release where the version number has no suffix.
>
> > Occasionally you might need to use sysupgrade -s. That happened to me
> > from one -current to another.
>
> sysupgrade -s is sysupgrade's equivalent to pkg_add -Dsnap. So again you
> would only ever need it directly in the run-up to release.
>

This happened to me with a snapshot from before -release and getting a
snapshot right after -release.

Perhaps this should be mentioned in man sysupgrade(8)? The error message
ftp something was not intuitive. sysupgrade -s is logical and
reasonable, but wasn't at all obvious from the error message. I have had
the same error message when a connection was a problem.

In any case, I was able to fix the problem.

Thanks,
Chris Bennett
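The path construction Stuart describes, written out as an added POSIX sh example (not pkg_add's own code): it takes the partial path from /etc/installurl, the first line of "sysctl kern.version", the architecture and whether -Dsnap was given, and shows why the flag only matters when a snapshot reports a bare version number. The mirror URL and the kern.version strings are constructed sample inputs.

```shell
#!/bin/sh
# Added example, not pkg_add's own code: build the package directory the
# way Stuart describes it. Inputs are the partial path from /etc/installurl
# (or the hostname part of PKG_PATH), the first line of "sysctl kern.version",
# the architecture, and whether -Dsnap was passed ("yes" or "no").
pkg_dir() {
    installurl=${1%/}        # tolerate a trailing slash in installurl
    kern_version=$2
    arch=$3
    snap=$4

    # kern.version begins "OpenBSD 6.6-current (GENERIC.MP) #411: ..."; the
    # second word is the version, with a suffix such as -current or -beta on
    # snapshots and no suffix at all on a release (or just before one).
    version=${kern_version#"OpenBSD "}
    version=${version%% *}

    case "$version" in
    *-*) dir=snapshots ;;    # suffix present: this system runs a snapshot
    *)   dir=$version ;;     # bare "6.6": looks like a release
    esac

    # -Dsnap only says "use snapshots/ anyway": it matters in the brief
    # run-up to a release, when a snapshot reports a bare version number.
    if [ "$snap" = yes ]; then
        dir=snapshots
    fi

    printf '%s/%s/packages/%s/\n' "$installurl" "$dir" "$arch"
}

# Constructed sample inputs; the mirror path is the one from Stuart's message.
pkg_dir http://mirror/pub/OpenBSD \
    "OpenBSD 6.6-current (GENERIC.MP) #411: Thu Oct 31 12:00:00 MDT 2019" amd64 no
pkg_dir http://mirror/pub/OpenBSD \
    "OpenBSD 6.6 (GENERIC.MP) #411: Thu Oct 31 12:00:00 MDT 2019" amd64 no
pkg_dir http://mirror/pub/OpenBSD \
    "OpenBSD 6.6 (GENERIC.MP) #411: Thu Oct 31 12:00:00 MDT 2019" amd64 yes
```

The second call reproduces the failure mode from the thread: a snapshot built right before release reports a bare "6.6", so without -Dsnap pkg_add looks under 6.6/packages/ and finds nothing matching.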