
Sébastien Marie @semarie@maly.io

@ng0 openssh implements several sandbox systems (depending on the targeted system).

for Linux, one is based on seccomp (anongit.mindrot.org/openssh.gi) and another based on setrlimit(2) (anongit.mindrot.org/openssh.gi). but it isn't a full pledge(2) equivalent, only a way to create the sandbox openssh needed for its own purpose.
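The setrlimit(2) approach mentioned in the post above, as an added example (not OpenSSH's code and not written by the post's author): a child process zeroes three resource limits and then probes what it can still do. The names `rlimit_sandbox` and `run_probe` and the choice of limits are assumptions for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

struct probe { int sandbox_rc; int open_errno; int getpid_ok; };

/* Added example, not OpenSSH code; the set of limits is an assumption.
 * Soft and hard limits go to 0, so an unprivileged process cannot raise them. */
int rlimit_sandbox(void)
{
    const int res[] = { RLIMIT_FSIZE, RLIMIT_NOFILE, RLIMIT_NPROC };
    struct rlimit zero = { 0, 0 };
    for (size_t i = 0; i < sizeof res / sizeof res[0]; i++)
        if (setrlimit(res[i], &zero) == -1) return -1;
    return 0;
}

/* Sandbox a child, probe what it can still do, report over an inherited pipe. */
int run_probe(struct probe *out)
{
    int p[2], status;
    pid_t pid;
    ssize_t n;
    if (pipe(p) == -1 || (pid = fork()) == -1) return -1;
    if (pid == 0) {
        struct probe r;
        close(p[0]);
        r.sandbox_rc = rlimit_sandbox();
        r.open_errno = (open("/dev/null", O_RDONLY) == -1) ? errno : 0;
        r.getpid_ok = getpid() > 0;   /* syscalls outside the limits still run */
        _exit(write(p[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(p[1]);
    n = read(p[0], out, sizeof *out);
    close(p[0]);
    if (waitpid(pid, &status, 0) == -1) return -1;
    return (n == (ssize_t)sizeof *out && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    struct probe r;
    if (run_probe(&r) != 0) return 1;
    printf("sandbox=%d open_errno=%d getpid_ok=%d\n", r.sandbox_rc, r.open_errno, r.getpid_ok);
    return 0;
}
```

The limits block new descriptors, but the already-open pipe stays usable and unrelated syscalls such as getpid(2) still succeed, which is the gap between this and a pledge(2)-style syscall restriction.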


Another shoutout for upobsd by @semarie.

Allows automatic upgrades and installs for #OpenBSD.

My serial console server is CompactFlash based and is (for obvious reasons) the one I cannot watch remotely. I usually have a long wait for upgrades since the CF is so slow.

Yesterday I used upobsd to do the main upgrade part unattended. It was *lovely*.

It's a package for 6.3. You can use it on a 6.3 box to make your bsd.rd and copy it to the 6.2 server in question.

Holy cow, there really are websites for everything.
For example, an extremely thorough wiki on comparative studies of shoelace knots… 😱

@rsadowski for me, it would be the SFTP support that I would use. restic is an interesting tool.

@rsadowski more than the standard user memory limit (786 Mo)

my $HOME is:
- 416708 files
- 20.72 Go

@rsadowski for me, I tried to back up my $HOME but the memory pressure is too high for several operations. I was going back to borg-backup which is more memory friendly.

and if you want to upgrade your -current using sysutils/upobsd (and you are using latest snapshot), you want to add "-V snapshots".

$ upobsd -V snapshots
$ doas cp bsd.rd /bsd
$ doas reboot

Cc @kurtm

why properly documenting API is hard or "a new candidate for worstly-designed trivial API: SSL_CIPHER_description(3)"


@nailyk with a blank firefox profile? it won't know in advance that the site must use HSTS, and since the cert isn't valid it shouldn't take the HSTS header into account

Awesome read about Meltdown protection, crazy kernel stuff and the collaboration between #Illumos, #DragonFlyBSD and #OpenBSD blog.cooperi.net/a-long-two-mo

# upobsd -u /auto_upgrade.conf -o /bsd && reboot

Fetches the latest installer, injects my answers, reboots into it, upgrades and reboots into new kernel.

How do you upgrade your #OpenBSD?

@clematis no promise, but I will try to take a look at pf-divert stuff.

@cynicalsecurity If you put the generated bsd.rd on the host as /bsd, just rebooting will be enough to upgrade (boot will be done using /bsd by default). So console access could be used only for problem recovery. (and /bsd.booted will still be available as backup)

@neomoevius I never really used FreeBSD, so I can't tell. is just simple, consistent and well documented.

Difficulty is about the user, not about the system itself.

@cynicalsecurity the repository of upobsd is at bitbucket.org/semarie/upobsd/s

upobsd [-v] [-m mirror] [-V version] [-a arch] [-p signify-key] [-i install-response-file] [-u upgrade-response-file] [-o output]

@florian @Vigdis I have a local mirror populated with rsync, and I use upobsd -m file:///var/www/htdocs/pub/OpenBSD -u auto_upgrade-localnet.txt

finally bsd.rd is deployed using ansible on several hosts

@florian glad to see that you like it. you could thank @Vigdis who harassed me to make a port

if you like one of them, you could like others (aka self-promoting of tools for OpenBSD - all available in ports):

- sysclean : list obsolete files between OpenBSD upgrades (aka delete old stuff between upgrades)

- checkrestart : help to find processes that need restarting after upgrade (aka which service to restart after pkg_add -u)

- upobsd : download, verify and patch bsd.rd image (aka upgrading the system without hands)