Re: Running another OS under OpenBSD

2008-12-11 Thread Scott Francis 
On Thu, Dec 11, 2008 at 10:30 AM, Jeff_1981  wrote:
> Dear All,
>
> Please can you indicate me how to run Windows or Linux under OpenBSD ?
> Under Linux for example there is possibility to virtualize another OS.

in theory, you could install the linux compatibility packages (see
compat_linux(8)) and run e.g. VMware Server as a platform for a
Windows VM. I haven't tried this myself yet (although it is on my list
of things to do the next time I'm bored).

> If the other OS is hacked from the web does it compromizes the security of
> OpenBSD ?

a guest OS is always vulnerable to flaws in the host (because the host
controls it), to varying degrees.

> Another question is if I run a server under OpenBSD is this impossible to
> hack it from the web ?

nothing's impossible. :) Even if your host OS (OpenBSD) is highly
secure, if your guest is less so and you expose it to the network, it
could be attacked over the same channels it uses to communicate with
the network. The only truly secure machine is one that is not
connected to any network and has no physical access.

> The standard install of OpenBSD has no security holes anymore if I
> understand, does this mean noone can hack it from the web ? what about an
> OpenBSD on which wa have activated one or more services, like mail server /
> web server and file sharing for within network (if used as NAS / server as
> example ?

clearly, you'd have to evaluate the security of any services or
applications you're running on the network independently of the OS
they're running on top of.
-- 
darkun...@{gmail.com,darkuncle.net} || 0x5537F527
  http://darkuncle.net/pubkey.asc for public key

Re: Running another OS under OpenBSD

2008-12-12 Thread Scott Francis 
2008/12/12 Aram Havarneanu :
> On Thu, Dec 11, 2008 at 9:47 PM, Scott Francis  wrote:
>> in theory, you could install the linux compatibility packages (see
>> compat_linux(8)) and run e.g. VMware Server as a platform for a
>> Windows VM. I haven't tried this myself yet (although it is on my list
>> of things to do the next time I'm bored).
>>
>
> It won't work. VMware needs to load Linux kernel modules.
> linux_compat(8) can run userspace applications only.

that makes sense (and it should have occurred to me, but it's been
about a year since I last installed VMware Server on Linux). Thanks
for the heads-up; you saved me at least a little bit of wasted time.
:)

cheers,
-- 
darkun...@{gmail.com,darkuncle.net} || 0x5537F527
  http://darkuncle.net/pubkey.asc for public key

Re: How to pass mount protocol traffic (mountd/NFS) using pf?

2006-06-23 Thread Scott Francis 

On 6/21/06, Clint Pachl <[EMAIL PROTECTED]> wrote:

Because portmap(8) dynamically assigns the mountd(8) port, how would
one write a pass rule in pf for mountd(8) traffic? My problem is that
every time mountd(8) is re/started, it operates on a different port and
my fixed pf rules block the mount protocol and, consequently, my
clients cannot mount an NFS share.

I read through RFC1094 "NFS: Network File System Protocol
Specification" and RFC1057 "RPC: Remote Procedure Call Protocol
Specification" looking for ways to statically bind the mount protocol
to a port number. It doesn't look possible.


http://www.freebsd.org/cgi/man.cgi?query=mountd

It's definitely possible (Free and Net both offer the -p option). I've
been wondering myself why that flag is not available in OpenBSD's
mountd(8) (for the same reason - filter issues), but hadn't gotten
around to asking. The archives didn't appear to have any threads
discussing why -p hasn't been imported (from what Theo said, I'm sure
there's a reason). In the meantime, I just settled for passing all
traffic from the couple of hosts that need to access NFS resources -
works for my small home LAN, YMMV.
--
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
   encrypted email to the latter address please
   http://darkuncle.net/pubkey.asc for public key

Re: How to pass mount protocol traffic (mountd/NFS) using pf?

2006-06-23 Thread Scott Francis 

On 6/23/06, Theo de Raadt <[EMAIL PROTECTED]> wrote:
[snip]

> http://www.freebsd.org/cgi/man.cgi?query=mountd
>
> It's definitely possible (Free and Net both offer the -p option).

I think that is completely ridiculous.  Hardcoding RPC utilities
to non-random ports  to try to tie it to something else, to increase
your security.

Come on.  By the time you have to do that, please just compile your own
version of mountd with a diff.


*nod* I had not considered the random port allocation as a security
feature - makes sense though. In my case, I'm running pf on a host
that's already internal for some reporting (pfstat) and as an extra
layer of filtering in case something gets through the primary firewall
that shouldn't (belt + suspenders, etc.). It has since occurred to me
that this might be a good candidate for authpf, and that's probably
what I'll end up doing - hosts that need access to NFS can get it with
authpf and an extra pf rule.

Thanks for clearing up the why.
--
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
   encrypted email to the latter address please
   http://darkuncle.net/pubkey.asc for public key

Re: starting Apache in SSL mode

2006-06-26 Thread Scott Francis 

On 6/26/06, FTP <[EMAIL PROTECTED]> wrote:

Hi there,

I was trying to start Apache in SSL mode and I did follow the 
http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued "apachectl 
startssl" and everything went fine.

Now, when I point to the https:// from my server I get an "unable to 
connect error"!

What did I do wrong?

In the ssl_engine_log I get: "Configuring server new.host.name:443 for SSL 
protocol". This server has no domain assigned. Did I do something wrong in the certs?


no, but you probably neglected to edit /var/www/conf/httpd.conf
appropriately (ServerName and NameVirtualHost come to mind, as well as
the appropriate name-specific parts of the SSL config in the same
file). ssl_engine_log probably won't give you the info you need here;
take a look at your access_log and error_log.
--
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
   encrypted email to the latter address please
   http://darkuncle.net/pubkey.asc for public key

Re: Throughput Problem OpenBSD3.9 soekris 4801 isakmpd

2006-06-28 Thread Scott Francis 

On 6/28/06, Thomas Bvrnert <[EMAIL PROTECTED]> wrote:
[snip]

Has everyone an idea what's the problem.
Is there a way to get a higher throughput with encryption ?


yes. Buy a vpn1411 hardware crypto accelerator for your net4801. In
fact, you could have bought one when you purchased the soekris. It's a
miniPCI card that plugs right into the board and greatly increases
crypto performance.
--
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
   encrypted email to the latter address please
   http://darkuncle.net/pubkey.asc for public key

Re: Where to start studying OpenBSD networking code

2006-06-28 Thread Scott Francis 

On 6/28/06, joakinen <[EMAIL PROTECTED]> wrote:

Greetings to all,

I'm a programmer and network administrator and want to study the code of
OpenBSD related to TCP/IP & Ethernet to understand networking from inside
and also to see if I can be of any help to the rest of developers.

I'm interested specifically in the following topics:

- Programming ethernet drivers
- Study and understand the API that TCP/IP offers to applications

I know the basics of C language so reading code I will refresh my knowledge of
it.

Where do you recommend me to start?
Perhaps reading src/sys/netinet?
Is there any "diagram" of how every piece of code retales to the others?


not to my knowledge. Starting with section 4 of the manual, and the
corresponding source files, is probably the way to go. style(9) may
also be enlightening.
--
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
   encrypted email to the latter address please
   http://darkuncle.net/pubkey.asc for public key

Re: Open BSD commands

2006-06-29 Thread Scott Francis 

On 6/28/06, Ajith Kumar <[EMAIL PROTECTED]> wrote:

Hi,
I have two silly questions..

How to see the memoy details of a OpenBSD machine using commands ?

How to see the processor details of a OpenBSD machine using commands ?

[snip ridiculous boilerplate disclaimer]

the canonical answer is dmesg(8), although Andreas' response
definitely parses more easily (learn something new every day :)).
--
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
   encrypted email to the latter address please
   http://darkuncle.net/pubkey.asc for public key

Re: Zen of Chroot Apache + Perl

2006-08-18 Thread Scott Francis 

On 8/16/06, Jack J. Woehr <[EMAIL PROTECTED]> wrote:

I think I understand but want to check before I do something silly.

I have OBSD 3.9 + chrooted apache + mod_perl after apxs.

Now, to actually run perl cgi's I have to copy /usr/bin/perl and all
relevant libs over to /var/www?

Is there an automated tool for this?


dunno, but it's not hard to do by hand - `ldd /usr/bin/perl` and then
create the library paths and libs that perl wants inside /var/www.
Ditto for Perl modules that may call external things like RCS. Here's
how I did it for Kwiki (a Perl-based Wiki) and for MediaWiki+php+mysql
(the first doc may be somewhat out of date):
http://darkuncle.net/sysadmin/kwiki_in_chroot.txt
http://darkuncle.net/sysadmin/mysql_in_chroot.txt

(Note that placing executables like Perl and PHP inside your chroot()
may tend to reduce the effectiveness of the jail.)
--
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
   encrypted email to the latter address please
   http://darkuncle.net/pubkey.asc for public key

Re: Testing 3.6 problems w/ snapshot

2005-07-05 Thread Scott Francis 
On Thu, Apr 28, 2005 at 10:15:07AM -0500, [EMAIL PROTECTED] said:

[ 2+ month TTL due in part to combing through the archives for reports of
umass problems with recent snapshots brought this to mind, and I realized I
didn't reply back then. Please forgive the severe latency. :)]

> On a related subject, it's painful waiting 20 minutes for the RAID 1 array

20 minutes? Is that all? :) Waiting for parity to rebuild the last time my
RAID5 array (4x160GB IDE 5400RPM disks on a PCI IDE controller; very ghetto)
took ~14 hours. *sigh*

> to rebuild parity after a crash - I vaguely recall it being mentioned last
> year, but I can't find it in the archives or any mention in the man pages -
> is there a sane way to postpone the parity check?

This is what I did - as memory serves, it works, but I haven't tested it on
my live system. Not sure how sane this is (I wanted parity to rebuild, in
background, on a filesystem that's _not_ automounted, while the rest
of the boot process continues and the system comes up):

--- /etc/rc Wed May 18 16:54:07 2005
+++ /etc/rc.raidfix Tue Jul  5 23:13:08 2005
@@ -77,8 +77,10 @@
fi
 done

-# Check parity on raid devices.
-raidctl -P all
+# Check parity on raid devices (but do it in background, so if it needs to
+# rebuild, it can do so while the rest of the system comes up. Our RAID fs
is
+# not automounted at boot, so this should not present a problem).
+raidctl -P all &

 swapctl -A -t blk

If this is a Really Bad Idea, I'd appreciate a heads-up to that effect.

re-lurking,
--
   Scott Francis | darkuncle(at)darkuncle(dot)net | 0x5537F527
Less and less is done
 until non-action is achieved
 when nothing is done, nothing is left undone.
-- the Tao of Sysadmin

[demime 1.01d removed an attachment of type application/pgp-signature]

Re: raidctl -P all in /etc/rc

2005-07-08 Thread Scott Francis 
On Thu, Jul 07, 2005 at 03:02:52PM +0600, [EMAIL PROTECTED] said:
> Hi.
>
>  Since "raidctl -P all" in /etc/rc parity is verified/reconstructed
> _before_ system runs. This lead to bad effect for me, while I have
> "root on RAID", as described in http://www.nomoa.com/bsd/raid_ide.htm
> - when machine has lost power, before mounting there are parity
> checks. This is so long with my more that 150G on RAID.
>
>  I want ask, what will occur if not do "raidctl -P all" in /etc/rc,
> but set it in /etc/rc.local, after daemons started?
>  What can fsck with such "uncleaned/unreconstructed" RAID?

if your parity isn't clean, you don't HAVE a filesystem to write to, so
there's no point in mounting it until parity is clean. See raid(4) for more
on why this is important. with root on raid, you're basically out of luck -
you have no choice but to wait.

If (as in my case), the RAID filesystem is only used for data storage (not
for the OS), you can run raidctl -P all in background and have your RAID
filesystem set "noauto" in /etc/fstab. If there's been a crash, you will
presumably know about it, and can manually mount the filesystem later after
parity is fixed. I posted about this a few days ago; check the archives.

(as I said earlier, my method may turn out to be a Bad Idea for some reason
that hasn't occurred to me yet; if this is the case, I'd appreciate a
heads-up. Thanks.)
--
   Scott Francis | darkuncle(at)darkuncle(dot)net | 0x5537F527
Less and less is done
 until non-action is achieved
 when nothing is done, nothing is left undone.
-- the Tao of Sysadmin

[demime 1.01d removed an attachment of type application/pgp-signature]

Re: chroot sftp/sftp-server help needed...

2005-08-02 Thread Scott Francis 
On 8/1/05, Michael C. Ibarra <[EMAIL PROTECTED]> wrote:
[snip]
> I am currently migrating/upgrading an entire farm of servers from
> RedHat Linux & Solaris to current and one of the roadblocks I am
> encountering is setting a chrooted sftp.  I am aware of chroot.sf, but
> am looking for a solution that won't break upon an update/upgrade.
> I've tried many things such as massaging login.conf to include what
> would work under a chrooted ftp, etc, but no chroot for me :-(  Google
> shows nothing positive and I am wondering if perhaps I am missing
> something?  Thanks all in advance.

scponly + chroot on individual users, unless you require anon sftp.
-- 
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key

Re: chroot sftp/sftp-server help needed...

2005-08-02 Thread Scott Francis 
On 8/2/05, Michael C. Ibarra <[EMAIL PROTECTED]> wrote:
> Hi Scott;
> 
> Ran across this one yesterday, just wasn't sure how secure it is as
> sftp-only.  So far it looks like this will be what I may use, throwing
> in tcp-wrappers.

not a lot of difference between scp and sftp (aside from sftp being a
separate subsystem); if you trust the security of OpenSSH as a whole,
either of them should be a viable option for you. Rather than
tcp-wrappers, I'd advise using pf(4) to do filtering (given that this
is OpenBSD and all).

cheers,
-- 
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key

Re: chroot sftp/sftp-server help needed...

2005-08-04 Thread Scott Francis 
On 8/2/05, Michael C. Ibarra <[EMAIL PROTECTED]> wrote:
> Just ran into a wall with the scponly option:
> 
> "If you do use chroot(), your binary will need to be setuid."
> 
> I'll pass on that one for now...

systrace could probably mitigate most of the risk here ... (privsep,
if you're good enough to hack in support to the source. I'm not. :))
-- 
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key

Re: Soekris & OBSD as servers

2005-08-04 Thread Scott Francis 
On 8/4/05, Gustavo Rios <[EMAIL PROTECTED]> wrote:
> I would like to set a obsd and soekris boxes as a server for about 100 users.
> This box is supposed to handle NIS + Kerberos.
> 
> Does such configuration can handle the task ? I mean on a performance matter.
> Does anybody have such configuration?

the default config on OpenBSD can easily handle 100 users. Whether or
not a Soekris is the right _hardware_ platform is another matter
altogether. If you're handling users, as opposed to just packets, you
will probably want some kind of disk-based storage for their home
directories, NIS+ databases, etc. But then, you could do this with a
Soekris too with the right adapter, but you might as well use a
generic x86 machine at that point.

Remember: OpenBSD is software, and runs on many platforms. Soekris is
x86 hardware, geared towards specific tasks (typically networking, not
user management, databases, web serving, etc. etc.), and can run
OpenBSD or other operating systems.

If you have this firmly in mind already and I'm just misparsing your
English, my apologies.
-- 
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key

Re: software testing

2005-08-04 Thread Scott Francis 
On 8/4/05, Gustavo Rios <[EMAIL PROTECTED]> wrote:
> I asked to see how the box would behave in terms of performance.

go grab the oldest PC you can find and you'll probably have roughly
equivalent CPU and RAM performance. I hope you're not considering disk
I/O as part of "performance", because Soekris boxes don't come with
disks. The hardware specs on Soekris gear are clearly listed on the
website - you should be able to make rough estimates based on the
performance of your software on the hardware you have available.
You're also likely to get more useful responses if you include _any_
details about what your software does, what it's written in, or even a
URL to the source (if you really want useful comments).
-- 
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key

Re: How to patch a physically weak system & recommended use of sudo?

2005-08-18 Thread Scott Francis 
On 8/18/05, Stuart Henderson <[EMAIL PROTECTED]> wrote:
[snip]
> > 2. Alot of you seem to use sudo instead of su - when you want to do
> > something that requires privileges. Why is this? What settings are
> > you using for sudo?
> 
> Various reasons .. if you use sudo on each command you want to execute
> as root, you get a useful audit trail in the system log (or by mail, if
> wanted). (if you sudo -s, or use sudo to run a shell, this bypasses
> it). Also you can control which commands can be run by which users. You
> can have it ask for the (user's) password every time, or you can have
> it ask no more than every XX minutes. See sudoers(5) for more options.

Using sudo is a good habit to get into, because when/if you admin
multi-user systems, it allows you to grant fine-grained privileges to
users without having to give anyone root's password. Even on
single-user systems, it allows you to perform certain (very specific)
actions as root (e.g. mount/umount on removeable storage from gkrellm)
without being prompted for a password. As Stuart noted, you also get
an audit trail, and if you're using sudosh (which, last I checked,
runs on most modern UNIX-like systems except BSD - doh), you get
complete record/playback functionality, with timing, for everything
typed during a session. See http://sf.net/projects/sudosh/ for more. I
have heard rumors that work is underway to merge sudosh functionality
into sudo, but Todd Miller (or the sudo mailing list) would be the one
to ask about that.
-- 
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key

Re: twiki

2005-08-22 Thread Scott Francis 
On 8/21/05, Johan P. Lindstrvm <[EMAIL PROTECTED]> wrote:
> I would like to co-write an installation guide for twiki (it's in
> packages) for us less seasoned obsd monglers, I am finding it
> not-so-straight-forward and would like to help every one else on their
> way, does anyone know whom I may contact about this matter or do you
> feel the spotlight?
> 
> I am more then willing to supply "first line support" for this package
> if it would come to that.

I haven't installed Twiki myself, but I would imagine it's probably
fairly similar to Kwiki , and you may be
interested in a write-up I did on installing Kwiki inside OpenBSD's
chrooted Apache.
http://darkuncle.net/sysadmin/kwiki_in_chroot.txt
-- 
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key

Re: Volume based internet restrictions

2005-09-09 Thread Scott Francis 
On 9/5/05, Fletch <[EMAIL PROTECTED]> wrote:
> Greets
> 
> I am setting up an openbsd router to manage a companies intenet access,
> and would like to  deploy volume based internet usage.  I have setup
> squid, but it doesn't seem to have any options to limit a user by volume
> of traffic, only bandwidth.
> 
> Is there any solution to do this?  I pretty much want to limit volume to
> may 50mb a day per user and have it refresh each day.  I don;t care what
> they look at or how fast they get it, only that its no more that 50mb
> per day.

don't know if anybody has replied to you privately or not, but you
probably want to take a look at the pf(4) man page, specifically the
bits about queueing. I'm sure you can probably get pf(4) to do what
you want with a little time, thought and testing.
-- 
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key

Re: dual boot XP , Openbsd

2005-10-12 Thread Scott Francis 
On 10/8/05, Roelof Wobben <[EMAIL PROTECTED]> wrote:
> Hello,
>
> On this moment I have XP on my system.
> Now i want a dual boot XP and Openbsd.
>
> XP has now the first 20 GB of total 40 GB.
> When install Openbsd after XP i get a problem regarding the install
> instructions.
> But when i first install Openbsd and then XP i think XP is not working well
> because i heard that XP wants to have the first partition.
>
> How can i solve this problem ??

http://darkuncle.net/OpenBSD/OpenBSD_dualboot.txt

comments/errata welcome
--
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key

Anonym.OS - OpenBSD-based live CD

2006-01-18 Thread Scott Francis 
Surprisingly, nobody else has mentioned this on-list yet (perhaps
because it's been all over the news elsewhere):
http://news.google.com/news?hl=en&ned=us&q=anonym.os&btnG=Search+News

I'm not in the least surprised that OpenBSD was chosen as the base for
a live CD focused on privacy, anonymity and security - in fact, I
can't really imagine doing what they did with any other platform
(certainly not doing it as well).

Sourceforge links have been flaky for me the past few days, but the
torrent worked just fine. I'm sure the dev team would appreciate
feedback ...
--
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key

Re: Anonym.OS - OpenBSD-based live CD

2006-01-22 Thread Scott Francis 
On 1/19/06, NetNeanderthal <[EMAIL PROTECTED]> wrote:
[snip]
> I'm less than impressed with it after mounting the iso and viewing the
> contents.  Their documentation is poor, if not void of content
> altogether.

you mean, aside from including man38.tgz? What else are you looking
for? There's some docs on their website, but why would you need
anything beyond what ships with OpenBSD? There's a man page for
everything, and while they don't include a "we did the following steps
in this order, and here's why we have privoxy and pf and how they're
configured", it's easy enough to just read the config files and the
relevant man pages. Keep in mind also that this is, at best, a beta
release (if not alpha).

> Call Anonym.OS what it is, a coagulated lump of untrusted packages and
> scripts conveniently bundled for those who are unwilling or unable to
> use OpenBSD in its native form.

the packages are from the ports tree - are you saying they're somehow
less trusted because you didn't install/build them yourself? The boot
script is there for anybody to peruse who wants to; no "trust" is
required - or at least, no more than is required for, say, flashdist
or any other project based on a modified OpenBSD install. There's no
secret sauce, no binary blobs, no closed source or NDAs.

As far as "unwilling or unable to use OpenBSD in its native form",
keep in mind the purpose of the project and their target audience. Not
everybody has the luxury of their own laptop, and it's always nice to
have something relatively secure to fall back on when stuck with a
less-than-sanitary public-use PC.

Let's not denigrate unnecessarily; we should be encouraging wider uses
and derivative projects, not biting the heads off of developers when
they release new OpenBSD-based projects. If it's a waste of time,
nobody will use it and it will disappear with no need for vitriol. On
the other hand, if it's a good project, well, that kind of development
is always a Good Thing.

This:

> It reeks of a clumsily-staged publicity stunt.

definitely comes off more like sour grapes than any kind of valid
criticism, IMO. Perhaps you didn't intend it that way.

> I digress; OpenBSD is free.

Definitely glad that it is.
--
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key

Re: Anonym.OS - OpenBSD-based live CD

2006-01-23 Thread Scott Francis 
On 1/22/06, NetNeanderthal <[EMAIL PROTECTED]> wrote:
> On 1/22/06, Scott Francis <[EMAIL PROTECTED]> wrote:
> > you mean, aside from including man38.tgz? What else are you looking
> > for? There's some docs on their website, but why would you need
> > anything beyond what ships with OpenBSD? There's a man page for
> > everything, and while they don't include a "we did the following steps
> > in this order, and here's why we have privoxy and pf and how they're
> > configured", it's easy enough to just read the config files and the
> > relevant man pages. Keep in mind also that this is, at best, a beta
> > release (if not alpha).
> 'They' as in you, sure.. and they didn't.  Go to the site.  Go to

I'm not involved with the project - just a user. I didn't even make it
to ShmooCon this year to see it firsthand. At any rate, what I said
stands - everything _in_ the CD is documented. It's just OpenBSD,
after all (and some things from the ports tree, which all come with
man pages of their own). They may not have included a "project
rationale" or purpose statement or anything like that, but this is no
great loss, IMO. It's OpenBSD. We all know how to read man pages for
ourselves.

> So, by my own determination, I choose not to trust it.  You can find
> no fault with that logic, especially considering the purpose of your
> project.

again, not my project.

> > the packages are from the ports tree - are you saying they're somehow
> > less trusted because you didn't install/build them yourself? The boot
> > script is there for anybody to peruse who wants to; no "trust" is
> > required - or at least, no more than is required for, say, flashdist
> > or any other project based on a modified OpenBSD install. There's no
> > secret sauce, no binary blobs, no closed source or NDAs.
> So, if it's just a group of ports and a boot script, the kernel was
> left untouched?  I did notice some .dist files in /etc.. perhaps
> 'diff' is all the documentation required.  The flashdist script isn't
> applicable, they don't hand out images of OpenBSD but show you how to
> 'roll your own' and provide a script.  Sure, documentation there is
> loose as well, but it's more than the sparse peppering of a
> description provided by Anonym.OS.  How do you plan to keep this
> patched?  How are vulnerabilities handled?  Errata?

All the project is, as far as I can see, is OpenBSD with a few changes
made to the boot sequence, and some stuff from ports. All things one
could easily roll for oneself, especially since their changes are all
available to view/diff/patch/apply for oneself. I really think you're
making a mountain out of a molehill, but maybe that's just me.

> > As far as "unwilling or unable to use OpenBSD in its native form",
> > keep in mind the purpose of the project and their target audience. Not
> > everybody has the luxury of their own laptop, and it's always nice to
> > have something relatively secure to fall back on when stuck with a
> > less-than-sanitary public-use PC.
> Agreed, somewhat.  This topic has been bludgeoned to death on misc,
> your reasoning fails -- search the list archives.

My reasoning is that if you don't have your own PC, it's nice to have
something that provides a little extra security. Nothing is 100%, and
if you're waiting for something that is, you've got a long wait ahead
of you. blah blah keystroke loggers blah blah paranoia etc. A dose of
reality is called for, I think. Granted, not everyone faces the same
level of risk, so a solution that's good for J. Random User may not be
sufficient for you (or me), and vice versa. I'd rather have a
reasonably secure platform that I can get some work done on than no
platform at all (getting no work done, while I wait for the 100%
secure platform). Risk analysis and mitigation and all that. Nothing
new here.

> Copying a free OS and adding a few packages hardly constitutes the tag
> 'developer', perhaps .. installer? scripter?  I'm quite certain

*shrug* they developed the live CD. I didn't say it was a work of art,
genius or Herculean effort. :) Just that it's nice to see some effort
ongoing in that area, and that I'd like to see more.

> OpenBSD developers really could care less if their project is taken
> from its natural habitat and bastardized for the consumption of a
> wider audience.  By your own words, this project is really not much
> more than a HOWTO, sans end-user effort and the actual HOWTO document.
>  Or did I miss something?

They went ahead and provided something for the casual user that nobody
had bothered to package yet. I