Age | Commit message | Author |
|
The cadence of updates being applied to the RPKI Trust Anchor constraints
seems sufficiently low, while the required understanding of context to make
educated decisions quite high, so centralized coordination of updates through
tech@openbsd.org is more appropriate.
requested by & OK deraadt@, OK tb@
|
An upgrade stalled on me, either my testing was flawed or my diff is...
Having stop_watchdog() is fine, but calling it in a different place
is apparently too subtle for me to get right.
|
We have {reset,start}_watchdog() which are only used in unattended upgrade
code, but stopping the background timer is done inline for all upgrades,
incl. interactive ones.
Relocate it out of the very end of do_upgrade() right after its only caller
and limit it to unattended upgrades to match where/how the timer is started.
OK afresh1
|
landry@ noted it wasn't in arm64 contents
|
OK deraadt@
|
bioctl(8) uses readpassphrase(3) RPP_REQUIRE_TTY, so always pass stdin,
but only use it over TTY with -s in unattended mode.
Prodding afresh1 sthen
"much better" sthen
|
Interactively keeps using bioctl(8)'s own prompt, in unattended mode
ask_passphrase() ensures non-empty responses or fails.

Unlike user passwords, autoinstall(8) only supports plaintext passphrases:

    Encrypt the root disk with a (p)assphrase or (k)eydisk = passphrase
    New passphrase = secret

Make sure to trust the install network or use a pre-configured key disk:

    Encrypt the root disk with a (p)assphrase or (k)eydisk = keydisk
    Which disk contains the key disk = sd2
    Which sd2 partition is the key disk = a

initial diff from Chris Narkiewicz
OK afresh1
Feedback sthen
|
requires retpoline. If 0, we should do everything in our power to avoid
pure retpoline (replacing it with a simple thunk where possible), because
by its nature retpoline converts an indirect-branch into a direct branch
(push to stack & ret), and therefore it is an IBT (endbr64) bypass method.
This sysctl leverages guenther's decision-making logic in the kernel, which
already uses codepatch to fix the kernel retpoline thunk.
In my opinion, the retpoline-using logic really should be flipped; ROP
execution bypassing IBT to re-enter regular control flow is more dangerous
than spectre.
ok kettenis
|
a file to a dir with the libc++ update to 16. ok deraadt phessler
|
These are config files and once modified they should not be overwritten
if they have local changes.
ok deraadt job
|
containing the EFI boot loaders and install it as an El Torito boot image,
making the install CDs bootable in EFI mode.
"looks great" deraadt@
ok mlarkin@
|