path: root/etc
Age | Commit message | Author
2024-02-22 | add 7.6 syspatch public key | Robert Nagy
2024-02-20 | add 7.6 fw key | Stuart Henderson
2024-02-17 | 7.6 packages key | Christian Weisgerber
2024-02-17 | delete old keys | Theo de Raadt
2024-02-17 | add 7.6 base key, committing myself to another 6 months | Theo de Raadt
2024-02-17 | move to 7.5-beta | Theo de Raadt
2024-02-11 | firefall -> firewall, from Joel Carnat | Jonathan Gray
2024-01-30 | Add more RPKI TA constraints: LACNIC ASNs cannot transfer to/from other RIRs | Job Snijders
OK tb@
2024-01-17 | Zap trailing space. | Antoine Jacoutot
from Kirill Miazine, thanks.
2024-01-04 | Import regenerated moduli. | Darren Tucker
2023-12-31 | Increase datasize to 1536 MB for running llvm-tblgen on i386. | Alexander Bluhm
Fixes build in src/gnu/usr.bin/clang/include/llvm/AMDGPU. OK semarie@
2023-12-26 | Align the other RIRs with the recent clarifications from AFRINIC | Job Snijders
Following https://lists.afrinic.net/pipermail/dbwg/2023-December/000496.html Simply apply the inverse of 'afrinic.constraints' r1.2 to the other RIR files (since no resources can be transferred from AFRINIC to any other RIRs). OK tb@
2023-12-19 | Add markers | Job Snijders
OK tb@
2023-12-15 | Run non-daemons services in a different process group to avoid SIGHUP at boot | Jeremie Courreges-Anglas
12 factors apps and similar don't daemonize and are thus vulnerable to receiving a SIGHUP signal at the end of /etc/rc. Shield them by running them in a different process group. Do this only for services that need rc_bg=Yes, as suggested by ajacoutot@ There have been several reports about this issue in the past years, the last one being from edd@ who successfully tested this fix. Input from several folks, ok sthen@ ajacoutot@
2023-12-15 | Sync limits with octeon. | Miod Vallat
2023-12-14 | Constrain the AFRINIC TA further | Job Snijders
Today AFRINIC clarified its actual current resource holdings by issuing a new CA certificate in response to a report on overclaiming: https://lists.afrinic.net/pipermail/dbwg/2023-December/000496.html OK tb@
2023-12-14 | For historical reasons, APNIC ended up with a v6 block for IX assignments | Job Snijders
carved out of a larger block assigned to RIPE NCC OK tb@
2023-12-13 | Impose constraints on RPKI Trust Anchors | Job Snijders
See https://datatracker.ietf.org/doc/html/draft-snijders-constraining-rpki-trust-anchors for more information. Tested for a few months. OK tb@ claudio@
2023-12-11 | Synchronize datasize-cur limit for staff with the default class. | Mark Kettenis
ok deraadt@, millert@, phessler@
2023-12-07 | add services entries for Matter, a protocol for discovery and comms | Stuart Henderson
with "smart home"/IoT devices, which runs over TCP or UDP over v6 over various physical/network layers (Ethernet, Wifi, or low power lossy radio-based networks like Thread). req by Jordan Williams ok deraadt https://csa-iot.org/wp-content/uploads/2022/11/22-27349-001_Matter-1.0-Core-Specification.pdf
2023-11-16 | Use tset -I for all terminals, not just xterm. | Todd C. Miller
Terminal initialization is usually only needed for hardware terminals, which are rare these days, and the initialization strings result in a bunch of extra newlines on pseudo-terminals. OK nicm@
2023-11-16 | Use tset -I for all terminals, not just xterm. | Todd C. Miller
Terminal initialization is usually only needed for hardware terminals, which are rare these days, and the initialization strings result in a bunch of extra newlines on pseudo-terminals. OK nicm@
2023-11-16 | crank some limits because clang is a piggy | Theo de Raadt
2023-11-14 | Bump powerpc64 default datasize to 1536M | George Koehler
This is for llvm 16; powerpc64 (like some other platforms) needs a higher datasize limit to build base-clang 16. ok jca@
2023-11-14 | increase datasize to 1536M for the default login class | Jonathan Gray
needed to build llvm-16 gnu/usr.bin/clang/include/llvm/AMDGPU ok jca@
2023-11-13 | raise i386's datasize for 'daemon' class so that relinking libc at boot | Stuart Henderson
doesn't fail - new clang is even greedier than the old one. I picked the value 1500M out of the air, it works for me but could perhaps be finessed downwards a bit. (I'm also using 1500M for make build / mkr+mkrx on i386; make -j8 build is no longer a good idea on i386 ;)
2023-11-13 | Bump datasize for staff to match amd64 | Jeremie Courreges-Anglas
Suggested by jsing@, ok tb@
2023-11-12 | Bump datasize for the default login class, needed to build clang-16 | Jeremie Courreges-Anglas
2023-11-12 | Also bump the default limit on riscv64 | Jeremie Courreges-Anglas
Reported by jsing@
2023-11-12 | bump datasize to 1536M for the default login class to allow the build | Robert Nagy
user to generate the AMDGPU includes in llvm-16 discussed with deraadt@
2023-11-05 | Add cdXX.iso to MDEXT, for it to be included in SHA256; reported by `petcat30' | Miod Vallat
on bugs@.
2023-10-29 | Unmention/don't explain SSL, drop 9y old "ssl" keyword/deprecation warning | Klemens Nanni
Switch "ssl" to "tls" in relayd.conf(5) if you haven't done so in the last ten years, "ssl" is now an error. Say "TLS" not "SSL/TLS" and drop the primer in the TLS RELAYS section. OK benno
2023-10-26 | do not create /usr/local/share/nls and subdirectories by default | Christian Weisgerber
The share/nls/<locale> paths are unused. ok miod@ deraadt@
2023-10-25 | Import regenerated moduli. | Darren Tucker
2023-10-08 | move release a earlier. when we wait for security fixes from one piece | Theo de Raadt
of software, another one will announce that we should wait for a security fix. the only winning move is not to play.
2023-10-02 | maybe a bit earlier | Theo de Raadt
2023-10-01 | show fingerprint of freshly generated ssh host key on first boot | Christian Weisgerber
Print to the console the fingerprint of a newly generated ssh host key of the preferred type (currently ED25519), typically when booting for the first time. This simplifies a secure first ssh connection to a freshly installed machine. ok deraadt@ kn@, and various for earlier iterations
2023-09-27 | Match GRACEFUL_SHUTDOWN only from ebgp sessions as specified by | Claudio Jeker
RFC8326 Section 4.1. OK sthen@ phessler@ job@
2023-09-24 | Strip realm part for bsdauth. This is required and an example usage of | YASUOKA Masahiko
new radius_standard module.
2023-09-19 | etc: drop vestiges of obsolete DSA ssh host keys | Christian Weisgerber
It has been 8 years since DSA keys were disabled by default for ssh/sshd, and 15 months since ssh-keygen -A belatedly stopped generating DSA host keys. ok semarie@ deraadt@
2023-09-18 | match style used in revision 1.16 of src/etc/examples/radiusd.conf | Igor Sobrado
ok yasuoka@
2023-09-18 | crank to 7.4-beta | Theo de Raadt
2023-09-16 | add 7.5 syspatch key | Robert Nagy
2023-09-16 | 7.5 packages key | Christian Weisgerber
2023-09-16 | add 7.5 firmware key | Stuart Henderson
2023-08-18 | Tweak radiusd.conf example. input from an anonymous user. | YASUOKA Masahiko
2023-06-22 | Add machdep.lidaction example. We support this on arm64 laptops now. | Tobias Heider
From Jan Stary Ok patrick@
2023-06-19 | The group "operator" gatekeeps a few superuser abilities (dumping disks, | Theo de Raadt
manipulating tape drives -> means gid operator on device nodes). This group is also used with group-access bit on the setuid-root shutdown command (mode ug+x,u+s). Some people use this to shutdown/reboot their machines, but use of that group is giving them disk read access also, which is wrong. It would be a pain to re-gid all the device nodes, so instead let's renumber the operator execution gid into group "_shutdown". Users using this shutdown/reboot functionality will notice it no longer works, and move themselves to the correct group. Various choices discussed at large, this seems our best choice. ok sthen
2023-06-09 | we always create keys 2 releases into the future | Theo de Raadt
2023-05-25 | After RFC 9110, the IANA services registry now lists both udp and tcp | Stuart Henderson
for https (HTTP/3 over QUIC). Add it to /etc/services so that it's included when /etc/rc populates sysctl net.inet.udp.baddynamic. suggested by Renauld Allard, ok tb@