Re: osfp pfctl and states

2013-09-11 Thread Henning Brauer
* sven falempin [2013-09-11 22:30]: > At this point <> is available. > Let's assume pf_state got a "struct pf_osfp_enlist l_osfp" > To get back the info from userland, doing > > Would a diff like this hurt? everything that grows the state hurts (last but not least it hurts performance), so it has

Re: Split rtinit()

2013-09-11 Thread Claudio Jeker
On Thu, Aug 29, 2013 at 11:20:56AM +0200, Martin Pieuchot wrote: > On 27/08/13(Tue) 10:44, Kenneth R Westerback wrote: > > On Tue, Aug 27, 2013 at 03:38:49PM +0200, Martin Pieuchot wrote: > > > So I started to play with the routine table and I'm slowly trying to > > > unify the various code paths t

Re: defer routing table updates on link state changes

2013-09-11 Thread Claudio Jeker
On Tue, Aug 27, 2013 at 01:39:14PM +0200, Martin Pieuchot wrote: > On 26/08/13(Mon) 13:36, Mike Belopuhov wrote: > > hi, > > > > in order to make our life a bit easier and prevent rogue > > accesses to the routing table from the hardware interrupt > > context violating all kinds of spl assumptions

Re: Iso image integrity verification

2013-09-11 Thread Stuart Henderson
On 2013/09/12 00:55, Ville Valkonen wrote: > Not sure whether this is already proposed but here's my two cents: why > not check SHA256 sums from the various mirrors and perform the > comparison? > > -- > Cheers, > Ville Valkonen > How does this help prove that the files haven't been tampered

Re: Iso image integrity verification

2013-09-11 Thread Ville Valkonen
On 11 September 2013 20:42, Valentin Zagura wrote: > The idea was to display a checksum of the files on such a https page. > Like for example https://www.freebsd.org/releases/9.1R/announce.html at the > bottom of the page. Not sure whether this is already proposed but here's my two cents: why not
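The cross-mirror comparison proposed in the post above, worked through as an added example. This is editor-written demo code, not part of the thread and not the OpenBSD project's own tooling. It parses the BSD-style SHA256 listing that sits next to the install images on the mirrors ("SHA256 (name) = hexdigest"), streams the downloaded file through sha256, and only accepts a digest that every mirror copy lists identically. The mirror names (mirror-a, mirror-b, mirror-c), the image bytes and the listings are constructed for the demo; a real run would fetch the SHA256 file from each mirror and hash the real .iso.

```python
"""Verify an install image against OpenBSD-style SHA256 listings from several
mirrors. Constructed demo data; not the project's own tooling."""
import hashlib
import re
import tempfile
from pathlib import Path

# OpenBSD's SHA256 files use BSD-style lines, e.g.
#   SHA256 (install54.iso) = <64 hex characters>
_ENTRY_RE = re.compile(r"^SHA256 \((?P<name>[^()]+)\) = (?P<digest>[0-9a-fA-F]{64})$")

# Constructed stand-in for the image bytes; a real run hashes the downloaded .iso.
CONSTRUCTED_ISO = b"constructed stand-in for install.iso contents\n" * 64


def parse_sha256_file(text):
    """Map file name -> lowercase hex digest. A malformed line raises ValueError so a
    truncated or corrupted listing cannot silently pass as 'nothing to check'."""
    digests = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a SHA256 entry: {line!r}")
        digests[m.group("name")] = m.group("digest").lower()
    return digests


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-hundred-megabyte image is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def cross_mirror_consensus(listings):
    """listings: {mirror: SHA256 file text}. Returns (consensus, disagreements).
    consensus holds entries that every mirror lists with an identical digest;
    disagreements holds {name: {mirror: digest}} for entries missing somewhere or differing."""
    parsed = {mirror: parse_sha256_file(text) for mirror, text in listings.items()}
    names = set().union(*(d.keys() for d in parsed.values()))
    consensus, disagreements = {}, {}
    for name in sorted(names):
        seen = {m: d[name] for m, d in parsed.items() if name in d}
        if len(seen) == len(parsed) and len(set(seen.values())) == 1:
            consensus[name] = next(iter(seen.values()))
        else:
            disagreements[name] = seen
    return consensus, disagreements


def verify_file(path, expected_digest):
    """True when the file on disk hashes to the expected digest."""
    return sha256_of_file(path) == expected_digest.lower()


def build_demo_listings(iso_digest):
    """Three constructed mirror copies (hypothetical mirror names): two agree, one carries
    a different digest for bsd.rd, which is what a tampered or stale mirror looks like."""
    good = f"SHA256 (install.iso) = {iso_digest}\nSHA256 (bsd.rd) = {'a' * 64}\n"
    stale = f"SHA256 (install.iso) = {iso_digest}\nSHA256 (bsd.rd) = {'b' * 64}\n"
    return {"mirror-a": good, "mirror-b": good, "mirror-c": stale}


def demo():
    """Write the constructed image to a temp dir and run the check end to end.
    Returns (install.iso verified against the mirror consensus, names the mirrors disagree on)."""
    tmp = Path(tempfile.mkdtemp())
    iso = tmp / "install.iso"
    iso.write_bytes(CONSTRUCTED_ISO)
    consensus, disagreements = cross_mirror_consensus(build_demo_listings(sha256_of_file(iso)))
    ok = "install.iso" in consensus and verify_file(iso, consensus["install.iso"])
    return ok, sorted(disagreements)


if __name__ == "__main__":
    verified, bad = demo()
    print("install.iso verified against mirror consensus:", verified)
    print("entries the mirrors disagree on:", bad)
```

What this does and does not give you: a disagreement between mirrors, or a mismatch between the image and the listing, is a reliable signal that something is wrong, and the parser refusing malformed listings stops a truncated download from verifying vacuously. Agreement, on the other hand, only shows the copies are consistent with each other; as several replies in this thread point out, whoever can alter the image in transit can alter the SHA256 file on the same path, so this is an integrity check, not proof of origin.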

INADDR_ANY in pflow(4)

2013-09-11 Thread Florian Obser
Since no one presented a case why sending from INADDR_ANY is a good thing[tm], make it clear that it won't work. The ifconfig(8) diff generates this output: $ sudo ifconfig pflow0 up $ ifconfig pflow0 pflow0: flags=1 mtu 1492 priority: 0 pflow: sender: INVALID receiver: INVALID:INV

Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
I was saying that other projects do it in a way they feel comfortable with and maybe you will find a way to do it that you are comfortable with. Using https was one simple idea. I understand that you don't think that this adds any value but maybe there are other ways like signing with PGP, maybe us

Re: osfp pfctl and states

2013-09-11 Thread sven falempin
If I want this on FreeBSD I am alone, but here... So this code checks the fingerprint, and does not bother to save it, because it is never used, and that's good :-) I read the code a bit: pf.c : around line 3232 - - - - - - case IPPROTO_TCP: PF_TEST_ATTRIB(((r->flagset & th->th_flags) != r

Re: Iso image integrity verification

2013-09-11 Thread John Long
On Wed, Sep 11, 2013 at 08:42:46PM +0300, Valentin Zagura wrote: > The idea was to display a checksum of the files on such a https page. > Like for example https://www.freebsd.org/releases/9.1R/announce.html at the > bottom of the page. > > > On Wed, Sep 11, 2013 at 7:18 PM, Stuart Henderson wro

Re: Iso image integrity verification

2013-09-11 Thread Kenneth R Westerback
On Wed, Sep 11, 2013 at 08:53:50PM +0300, Valentin Zagura wrote: > I don't think I'm more paranoid than the average considering that Debian > has a way to do this (http://www.debian.org/CD/verify), fedora has a way to > do this (https://fedoraproject.org/verify), even Freebsd has a way to do > this

Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
If I were a dissident in one of those countries, I would not trust a third party with my life (but maybe I'm too paranoid). AFAIK OpenBSD is in Canada, not the US, but again, I might be wrong.

Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
The idea was to display a checksum of the files on such a https page. Like for example https://www.freebsd.org/releases/9.1R/announce.html at the bottom of the page. On Wed, Sep 11, 2013 at 7:18 PM, Stuart Henderson wrote: > On 2013/09/11 16:46, Janne Johansson wrote: > > So you publish somethi

Re: Iso image integrity verification

2013-09-11 Thread sven falempin
Maintaining a mirror and a cvs sync tree is quite good too. Moreover you could have some https on your mirror On Wed, Sep 11, 2013 at 1:53 PM, Valentin Zagura wrote: > I don't think I'm more paranoid than the average considering that Debian > has a way to do this (http://www.debian.org/CD/veri

Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
Almost. The difference is that all the others use strong cryptography (https or GnuPG in Debian case) to ensure that the signatures you get are actually from them. On Wed, Sep 11, 2013 at 8:57 PM, Brandon Mercer wrote: > There's literally the same thing on the mirror? > http://ftp.openbsd.org/pu

Re: Iso image integrity verification

2013-09-11 Thread Daniel Bolgheroni
On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote: > Yes, we know, but that file can also be easily compromised if it's not > available for download with a secure protocol (HTTPS) If you're paranoid, build your own hardware from the ground up, including designing your own CPU and com

Re: Iso image integrity verification

2013-09-11 Thread Brynet
On Wed, Sep 11, 2013 at 01:57:22PM -0400, Brandon Mercer wrote: > There's literally the same thing on the mirror? > http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/SHA256 This discussion is probably more suited for misc@, but as Brandon wrote, SHA256 checksums are on all the mirrors. If you don

Re: Iso image integrity verification

2013-09-11 Thread Brandon Mercer
There's literally the same thing on the mirror? http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/SHA256 On Wed, Sep 11, 2013 at 1:53 PM, Valentin Zagura wrote: > I don't think I'm more paranoid than the average considering that Debian > has a way to do this (http://www.debian.org/CD/verify), fe

Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
I don't think I'm more paranoid than the average considering that Debian has a way to do this (http://www.debian.org/CD/verify), fedora has a way to do this (https://fedoraproject.org/verify), even Freebsd has a way to do this ( https://www.freebsd.org/releases/9.1R/announce.html). The thought of

Re: Iso image integrity verification

2013-09-11 Thread System Administrator
I think you are missing two very important points that are addressed in the official documentation and have been pointed out to you by other respondents: 1. what you are asking for provides NO real added security, and perhaps just the opposite through FALSE SENSE of security, and 2. the fact t

Re: Iso image integrity verification

2013-09-11 Thread Brandon Mercer
The easier solution is probably just to build it from source. The documentation on the site is quite good. On Wed, Sep 11, 2013 at 12:18 PM, Stuart Henderson wrote: > On 2013/09/11 16:46, Janne Johansson wrote: >> So you publish something on a HTTPS page, which means that when the browser >> says

Re: Iso image integrity verification

2013-09-11 Thread Stuart Henderson
On 2013/09/11 16:46, Janne Johansson wrote: > So you publish something on a HTTPS page, which means that when the browser > says "green padlock", it only says: "this site was using a key signed by > someone who in turn was signed by someone out of a few hundred CAs in a > list which include compani

Re: Iso image integrity verification

2013-09-11 Thread Janne Johansson
And from that we can deduce what? $evil_country can't spend $10k to be able to intercept and silently MITM all https? 2013/9/11 InterNetX - Robert Garrett > also means somebody paid a lot of money for that green bar > > > On 09/11/2013 04:46 PM, Janne Johansson wrote: > >> So you publish somet

Re: Iso image integrity verification

2013-09-11 Thread Marc Espie
On Wed, Sep 11, 2013 at 05:36:45PM +0300, Valentin Zagura wrote: > Thanks for the suggestion, we will probably order the CD. > > But on the other hand, I hope that you realize that people in some > countries (Iran, China, Egypt, Syria) would not have this possibility and > they could be more affec

Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
That could also mean "This is THE openbsd.org site" if you're using eff ssl observatory. On Wed, Sep 11, 2013 at 5:46 PM, Janne Johansson wrote: > So you publish something on a HTTPS page, which means that when the > browser says "green padlock", it only says: "this site was using a key > signed

Re: Iso image integrity verification

2013-09-11 Thread InterNetX - Robert Garrett
also means somebody paid a lot of money for that green bar On 09/11/2013 04:46 PM, Janne Johansson wrote: So you publish something on a HTTPS page, which means that when the browser says "green padlock", it only says: "this site was using a key signed by someone who in turn was signed by someone

Re: Iso image integrity verification

2013-09-11 Thread Janne Johansson
So you publish something on a HTTPS page, which means that when the browser says "green padlock", it only says: "this site was using a key signed by someone who in turn was signed by someone out of a few hundred CAs in a list which include companies in scary countries*". That will help a lot. *)

Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
Thanks for the suggestion, we will probably order the CD. But on the other hand, I hope that you realize that people in some countries (Iran, China, Egypt, Syria) would not have this possibility and they could be more affected by a compromise than we would be (they might probably pay with their li

Re: Iso image integrity verification

2013-09-11 Thread sven falempin
I love the stickers to enclose the box when getting a CD release, probably easy to forge but so cool :-) On Wed, Sep 11, 2013 at 9:00 AM, Beavis wrote: > +1 on this, to make sure that your OpenBSD Distribution is legit, get the > CD, support the project! what more could you ask for ;) > > > On

sync gettimeofday.2 with sys/time.h

2013-09-11 Thread Dawe
Index: gettimeofday.2 === RCS file: /cvs/src/lib/libc/sys/gettimeofday.2,v retrieving revision 1.24 diff -u -p -r1.24 gettimeofday.2 --- gettimeofday.2 17 Jul 2013 05:42:11 - 1.24 +++ gettimeofday.2 11 Sep 2013 13:18

Re: Iso image integrity verification

2013-09-11 Thread Beavis
+1 on this, to make sure that your OpenBSD Distribution is legit, get the CD, support the project! what more could you ask for ;) On Wed, Sep 11, 2013 at 4:58 AM, Peter N. M. Hansteen wrote: > On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote: > > > We are going to use an OpenBSD sy

Re: Iso image integrity verification

2013-09-11 Thread Otto Moerbeek
On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote: > Yes, we know, but that file can also be easily compromised if it's not > available for download with a secure protocol (HTTPS) So get the CD. You'll support the project as well. -Otto > > On Wed, Sep 11, 2013 at 1:59 PM,

Re: Iso image integrity verification

2013-09-11 Thread Valentin Zagura
Yes, we know, but that file can also be easily compromised if it's not available for download with a secure protocol (HTTPS) On Wed, Sep 11, 2013 at 1:59 PM, Stan Gammons wrote: > The sha256 file located in the directory with the installxx.iso image has > the sha256 checksum for all of the files

Re: Iso image integrity verification

2013-09-11 Thread Stan Gammons
The sha256 file located in the directory with the installxx.iso image has the sha256 checksum for all of the files in that directory. On Sep 11, 2013, at 5:49 AM, Valentin Zagura wrote: > Hi, > > We are going to use an OpenBSD system in a PCI-DSS compliant environment. > Is there any way we ca

Re: Iso image integrity verification

2013-09-11 Thread Peter N. M. Hansteen
On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote: > We are going to use an OpenBSD system in a PCI-DSS compliant environment. > Is there any way we can prove to our PCI-DSS assessor that the OpenBSD > image we use for our installation can be checked so that it is the correct > one (

Iso image integrity verification

2013-09-11 Thread Valentin Zagura
Hi, We are going to use an OpenBSD system in a PCI-DSS compliant environment. Is there any way we can prove to our PCI-DSS assessor that the OpenBSD image we use for our installation can be checked so that it is the correct one (is not modified in a malicious way by a third party)? A https link to