IABSD.fr/src/etc

Branch :


Log

Author Commit Date CI Message
d9badc08 2025-04-13 20:04:02 track upgrade.site(5) If present, this is probably the first user-specified code that runs on new systems, right in the installer even before reboot, so watch for changes. OK job
9f1c115b 2025-04-07 14:49:26 only run sysctl -f if the sysctl.conf file exists (using -s) ok tb lucas
aee0bd00 2025-04-05 14:12:37 replace shell parser with sysctl's new -f to apply /etc/sysctl.conf
22339438 2025-03-31 17:35:28 Support setting the new variable PASSWDSKIP in /etc/daily.local to prevent security(8) from complaining about specific accounts that have no password, typically used for services like anoncvs and gotd. In addition to improving support for gotd, this also improves security for everyone because the exception will now only exist on machines where the admin explicitly enables it. Based on an idea from stsp@; OK stsp@. (Actually, sthen@ also mentioned a similar idea in 2009, and afresh1@ indicated potential support for the general direction in 2024.)
35409f47 2025-03-10 04:05:14 Use the new syntax, listen for accounting, and use file module.
42117123 2025-03-04 19:04:34 root.mail: bump year, we're apparently in 2025 "Roads? Where we're going, we don't need roads."
002bb7b2 2025-03-04 10:20:00 fix day of the week
10fc8ac3 2025-03-01 19:44:07 move to 7.7-beta
1e32fabb 2025-03-01 15:22:01 mips64: Bump build datasize for LLVM 19 OK deraadt@
d997cf94 2025-02-28 20:21:07 fix comment header for "Building ports with DPB uses raised limits" on amd64, in alignment with other sections in this file and all other archs
af136ac2 2025-02-22 06:48:19 add 7.8 syspatch key
48dd2004 2025-02-21 23:05:35 7.8 packages key
5f804832 2025-02-21 20:55:53 7.8 base key
9e68f358 2025-02-21 19:27:40 add 7.8 firmware key
1d2dd358 2025-02-21 10:19:52 Remove acme-challenge location from HTTPS server configuration as RFC8555 8.3 explicitly states that the challenge must be over HTTP. From Lucas de Sena (lucas AT seninha.org), thanks! ok sdk@
46a4264a 2025-02-19 21:36:02 Use installboot -c in the installer such that a freshly installed or upgraded system will boot from the disk we installed on. ok deraadt@, kn@
2e876759 2025-02-05 20:45:00 Add AS26597 to LACNIC allowlist Seems the hole got filled OK tb@
1e57e084 2025-01-28 19:43:10 Add allow for AS112 Project IPv6 prefix to ARIN's constraints OK tb@
ce222dd0 2025-01-17 00:20:15 Finally include ARIN's RPKI Trust Anchor Locator Backstory: We strive to provide a source distribution that can be freely used, copied, modified, and redistributed by anyone and for any purpose. Unfortunately, up until now, several legal barriers stopped us from distributing the ARIN TAL. The main legal obstacles stemmed from the terms and conditions in the Relying Party Agreement (RPA) governing access to ARIN's RPKI repository and the way ARIN tried to ensure that agreement was binding. Originally, ARIN used a cumbersome email-based method of RPA acceptance. Then in 2016, ARIN moved to a browser user interface-based "clickwrap" method via their website, requiring affirmative assent via a mouse-click. In 2019, a new approach was offered where ARIN encouraged software distributors to pass through restrictive terms in irksome pop-ups during installation; this we also deemed unworkable. In 2022, this "Redistributor RPA" was subsumed in a single RPA, but without material change to the mechanics, and the terms remained a showstopper. Over the years various people suggested ARIN to adopt an "AS IS" disclaimer of warranties. In 2024, Job Snijders authored a modified version of the BSD license and proposed ARIN to include it in the optional comment section in the TAL file format. In 2025 ARIN updated its TAL to include this disclaimer. After more than a decade of iterations, this public key now is available to the public in an unencumbered fashion and can serve its main purpose, a purpose that can only occur through immensely widespread distribution. Some pointers for historic context: 2012 - https://web.archive.org/web/20130127143807/https://www.arin.net/resources/rpki/rpa.pdf 2015 - https://web.archive.org/web/20150203184532/https://www.arin.net/public/rpki/tal/index.xhtml 2017 - https://lists.arin.net/pipermail/arin-ppml/2017-January/031231.html 2017 - https://www.arin.net/vault/about/welcome/board/meetings/20170405/exhibit_d.pdf 2018 - https://mailman.nanog.org/pipermail/nanog/2018-September/097161.html 2019 - https://papers.ssrn.com/sol3/Papers.cfm?abstract_id=3308619 2019 - https://www.arin.net/vault/participate/meetings/reports/ARIN_43/PDF/PPM/yoo_rpki.pdf 2019 - https://www.arin.net/vault/announcements/20191021/ 2019 - https://www.theregister.com/2019/10/28/arin_rpki_open_source/ 2022 - https://www.arin.net/vault/announcements/20220926/ 2022 - https://www.arin.net/vault/announcements/20220929/ 2025 - https://www.arin.net/announcements/20250116-tal/ OK tb@ claudio@ deraadt@
853e987b 2025-01-16 09:39:40 Bump datasize of build user to 2000M on sparc64. LLVM19 llvm-tblgen needs around 1900M during a make build so this should give use a bit of air. OK tb@
bfeff85e 2025-01-09 08:43:21 regen
4fcc5b99 2025-01-08 23:09:25 Increase the default count of /dev/videoX from 2 to 4 It's quite common for a laptop to have a visible light camera, an infrared camera, or both, in addition to a camera connected via USB. OK: sthen@ ratchov@ mglocker@ armani@
7dd88e41 2024-12-21 14:12:45 ld.lld now needs 9GB of ram to link firefox/libxul.so on riscv64
4cf1cdd0 2024-12-18 16:00:26 Make the example bgpd.conf work with 4byte ASN out of the box. Use local-as in community and large-community stanzas since that will be expanded at runtime. For communities that only work with 2byte ASN the filter will never match (or nothing will be set / deleted) since a 4byte ASN can never match. We want an bgpd.conf example ruleset that is sensible, works and is a good starting point for beginners. In other words we should not add traps to the config. OK deraadt@ job@
52e728d0 2024-12-04 13:16:26 use kmem(4) instead of "all memory" which has more information about what exactly is allowed, and specifically refers to allowkmem (and that it permits both /dev/mem and /dev/kmem). discussed with deraadt
9b8b48b5 2024-12-04 10:14:14 Mention kern.allowdt and kern.allowkmem in examples/sysctl.conf. From espie, ok claudio mpi
ca433cef 2024-12-04 06:01:23 Bump datasize-cur for the pbuild user on sparc64 so that we can build llvm 18. ok sthen
f651b06a 2024-11-29 00:13:36 Import regenerated moduli.
ececade9 2024-11-02 16:55:44 add the build user to the build login class now that enough time has passed since the addition of that class ok deraadt@
bb54ed3d 2024-11-02 09:43:12 Update APNIC trust anchor constraints The IANA IPv6 Global Unicast Address Assignments registry has been updated to reflect the allocation of the following block to APNIC: 2410::/12 APNIC 2024-11-01 the registry is at: https://www.iana.org/assignments/ipv6-unicast-address-assignments/ OK sthen@
9923fb39 2024-10-31 22:14:04 track dhcp6leased uuid; OK florian
1b590ae1 2024-10-29 21:03:09 Include cdXX.iso in MDEXT on arm64 ok deraadt@
91e742ee 2024-10-22 22:23:21 rc: Use the correct path to sshd-auth's relink kit From Josiah Frentsos <jfrent AT tilde.team> OK tb
a5ae96e3 2024-10-15 00:08:27 grow i386 media a bit
115810f9 2024-10-14 02:46:50 sshd-auth also has a relink kit
ce178b85 2024-10-12 07:36:52 introduce a new build class to be used by the build user this class will be required for the upcoming llvm update that requires bumped datasize because of llvm-tblgen ok deraadt@
35fe2a76 2024-10-09 15:42:56 Get trust anchor via unbound-checkconf(8) This tool knows our default config path and '-o auto-trust-anchor-file' prints the actually set path, if any, regardless of whether exists. Use that to generate it rather than a best-effort grep/hardcoded path. OK sthen
a69ebb35 2024-09-30 14:31:56 change release date
4f37b6d8 2024-09-29 14:36:13 sync synopsis and usage, sort commands, fix their spacing OK input lucas
95790570 2024-09-23 20:54:01 Replace `&&' with `if' for proper $? handling; OK lucas iked and isakmpd guard against themselves with "return 0" as rc.subr(8) checks rc_pre()'s return code and aborts daemo start iff non-zero, but that isn't needed if we use ksh properly.
2dcab2a6 2024-09-23 20:44:24 zap redundant "|| return 1"; OK lucas unbound-checkconf(8) itself exits 1 on error already.
ee503ce9 2024-09-18 11:29:55 back to previous plan
39dae566 2024-09-18 02:43:54 adjust date
88baa316 2024-09-03 09:36:12 regen
48fdf972 2024-09-03 09:35:46 For AMD SEV create /dev/psp. To call ioctl(2) for the platform security processor (PSP), vmd(8) needs a device file. It is currently linked to the cryptographic co-processor ccp(4). We may split this into a separate psp(4) device. from hshoexer@; input jsg@
d2e81d51 2024-08-29 12:58:57 draft-ietf-v6ops-rfc3849-update turned into RFC9637, adjust comment
c19afa09 2024-08-26 22:54:21 calendars are so hard
39cd50f5 2024-08-21 07:06:27 Import regenerated moduli.
74154050 2024-08-16 06:42:21 add 7.7 syspatch pubkey
2d33a48f 2024-08-15 10:25:25 add 77-fw pubkey
9e043578 2024-08-12 19:40:17 xkbcomp 1.7.0 moved its data files from lib/X11 to share/X11
6d453ff9 2024-08-09 14:57:06 7.7 packages key
90885033 2024-08-07 23:03:24 old keys can go away
67c00f17 2024-08-07 23:02:48 add 7.7 base key
64c8f752 2024-08-07 15:59:24 crank to 7.6-beta, release date is vague
ba9b1da2 2024-08-04 20:06:04 bump datasize for armv7's pbuild user, some software has grown over the years OK jca@
4efb5f0a 2024-07-24 19:28:37 Add 5f00::/16 segment routing SRv6 SIDs prefix to example bogon list "In SRv6, SR source nodes initiate packets with a segment identifier in the Destination Address of the IPv6 header, and SR segment endpoint nodes process a local segment present in the Destination Address of an IPv6 header." https://www.iana.org/assignments/iana-ipv6-special-registry/ https://datatracker.ietf.org/doc/html/draft-ietf-6man-sids OK phessler@
76917c93 2024-07-24 18:56:57 3fff::/20 has been set aside as an additional documentation prefix Per https://www.iana.org/assignments/iana-ipv6-special-registry/ and https://datatracker.ietf.org/doc/html/draft-ietf-v6ops-rfc3849-update OK phessler@ claudio@
a6b235b6 2024-07-14 09:39:15 Add /usr/X11R6/include/va. ok tb@
a523645b 2024-07-12 12:35:32 Recommend veb(4) instead of bridge(4). bridge(4) has weird interactions with traffic crossing the bridge. Missing change after updating the faq pointed out by ajacoutot OK dv
ec5358ab 2024-07-04 05:06:58 Revert "Make daily(8) reporting services that are running" Stop daily(8) mails with false information on rogue services. OK florian@, solene@
0fbf39a0 2024-06-30 17:30:52 delete dhclient(8). ipv4 dhcp leases have been acquired by the always-running-in-background dhcpleased(8) for a while, which is activated per-interface with "ifconfig $if autoconf', or "ifconfig $if inet autoconf", or with "inet autoconf" in /etc/hostname.$if dhclient(8) has done execve(3) of ifconfig(8) to handle this for a while, so everyone has moved to the dhcpleased(8) method ok florian
bb7daed8 2024-06-04 18:13:23 services: add matrix-fed tcp port 8448 registered at IANA since last august for Matrix Federation Protocol https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=8448 ok djm@ solene@
28d450f0 2024-06-03 10:07:27 Track changes to dhcp6leased.conf looks correct to deraadt
060ceba5 2024-06-03 10:06:35 etc bits for dhcp6leased looks correct to deraadt
b32d40bd 2024-06-02 12:32:33 user, group & /var/db/dhcp6leased for dhcpleased(8) typo spotted by ccappuc Input & OK deraadt
ae8ed1c1 2024-05-30 14:29:05 sem_open() uses /tmp/*.sem files. Exclude them from /tmp daily cleanup like is already done for /tmp/*.shm used by libc. ok millert@ tb@, same diff landry@
821b7f42 2024-05-17 00:33:43 run the sshd-session link kit also
068b29ca 2024-05-16 11:33:59 Make daily(8) reporting services that are running but not enabled in rc.conf.local(8) wording by jmc@ ok schwarze@ florian@
e9beec88 2024-05-08 15:30:26 - for pwraction, point to acpibtn(4) - for lidaction, document the value 0 - for lidaction, adjust the description to a format similar to that of pwraction ok kettenis deraadt
e81b35ef 2024-04-17 14:31:59 Sync RPKI Trust Anchor constraints to nro-delegated-stats Turns out that registry at https://www.iana.org/assignments/as-numbers/as-numbers.xml is an incomplete one, where only 'new' assignments are listed. In the past this registry used to list all ASNs, but the RIRs asked IANA to revert to not being very detailed... There is another source of truth, the 'nro-delegated-stats' file at https://ftp.ripe.net/pub/stats/ripencc/nro-stats/latest/nro-delegated-stats this is updated daily and composed of information from each RIR. Summary of changes: * LACNIC manages a more ASNs than previously known: - allow those ASNs for LACNIC - deny those for RIPE, APNIC, ARIN * AFRINIC's allow list was good (compared to nro-delegated-stats), but the full set of AfriNIC ASNs wasn't denylisted for RIPE, ARIN, APNIC. OK tb@
5ee01a3f 2024-04-09 11:13:51 Remove the "cubie" miniroot. There are far more popular armv7 boards with Allwinner SoCs and the presence of this particular miniroot is making it hard to update U-Boot. ok jsg@
39a11509 2024-04-02 08:21:04 also relink ssh-agent
abe7e67a 2024-03-31 10:14:46 Regen
86970818 2024-03-31 10:14:35 Fix /dev/bio major.
36cf69b3 2024-03-30 07:35:01 program relinking currently uses a Makefile.relink inside the re-link kit. For sshd (the only relinked program at the moment), this file is created in an extremely nasty way. It'll be better if we have a proper clean install.sh script, which I've built for sshd. But let's first commit the change to /etc/rc which will handle that in the near future. ok djm
3d0ad41c 2024-03-26 01:23:11 Import regenerated moduli.
f6444559 2024-03-23 04:18:56 Expand ASN range for LACNIC LACNIC received a new block of ASNs from IANA https://mail.lacnic.net/pipermail/lacnog/2024-March/009690.html OK tb@
6a1ce0f2 2024-03-13 10:02:37 mail(1) is very sensitive to spacing in the header, and sometimes when we manually edit this file we forget that. noticed by naddy
d1483037 2024-03-04 08:37:40 fix weekday
90280a8f 2024-03-03 18:24:07 better estimate
c51145c5 2024-02-29 22:21:21 An empty file /var/account/acct in etc.tgz simplifies accounting. OK deraadt@
a81e9577 2024-02-22 08:35:38 add 7.6 syspatch public key
21cabe6c 2024-02-20 15:30:54 add 7.6 fw key
7d92a13a 2024-02-17 22:33:06 7.6 packages key
b7f1152f 2024-02-17 16:27:29 delete old keys
950548fb 2024-02-17 16:27:21 add 7.6 base key, commiting myself to another 6 months
de8ea3c7 2024-02-17 16:13:24 move to 7.5-beta
5a77c2f7 2024-02-11 01:31:28 firefall -> firewall, from Joel Carnat
e1e64b41 2024-01-30 03:40:01 Add more RPKI TA constraints: LACNIC ASNs cannot transfer to/from other RIRs OK tb@
9c93d01c 2024-01-17 08:26:06 Zap trailing space. from Kirill Miazine, thanks.
a03fa7cf 2024-01-04 09:51:49 Import regenerated moduli.
e006e8e6 2023-12-31 16:05:50 Increase datasize to 1536 MB for running llvm-tblgen on i386. Fixes build in src/gnu/usr.bin/clang/include/llvm/AMDGPU. OK semarie@
49a7a16f 2023-12-26 13:36:18 Align the other RIRs with the recent clarifications from AFRINIC Following https://lists.afrinic.net/pipermail/dbwg/2023-December/000496.html Simply apply the inverse of 'afrinic.constraints' r1.2 to the other RIR files (since no resources can be transferred from AFRINIC to any other RIRs). OK tb@
5568aeed 2023-12-19 08:10:19 Add markers OK tb@
654e8744 2023-12-15 16:59:48 Run non-daemons services in a different process group to avoid SIGHUP at boot 12 factors apps and similar don't daemonize and are thus vulnerable to receiving a SIGHUP signal at the end of /etc/rc. Shield them by running them in a different process group. Do this only for services that need rc_bg=Yes, as suggested by ajacoutot@ There have been several reports about this issue in the past years, the last one being from edd@ who successfully tested this fix. Input from several folks, ok sthen@ ajacoutot@
592bd543 2023-12-15 10:17:40 Sync limits with octeon.
0b77ea89 2023-12-14 12:26:03 Constrain the AFRINIC TA further Today AFRINIC clarified its actual current resource holdings by issuing a new CA certificate in response to a report on overclaiming: https://lists.afrinic.net/pipermail/dbwg/2023-December/000496.html OK tb@
b44517b3 2023-12-14 09:13:00 For historical reasons, APNIC ended up with a v6 block for IX assignments carved out of a larger block assigned to RIPE NCC OK tb@
668419e1 2023-12-13 11:34:56 Impose constraints on RPKI Trust Anchors See https://datatracker.ietf.org/doc/html/draft-snijders-constraining-rpki-trust-anchors for more information. Tested for a few months. OK tb@ claudio@