Age | Commit message | Author |
|
In autonomous systems running bgpd(8) and rpki-client(8) on their edge
routers, it may be beneficial when out-of-the-box all routers don't all
do rpki fetches & bgp loads at the same time. It is expected behavior
for RPKI information to unevenly percolate towards the BGP edge in a
staggered way.
The 'once an hour' pace may be a reasonable balance between the needs of
internet users, and what network operators tolerate in churn.
OK deraadt@
|
The random intervals used can be adjusted as needed. OK deraadt@
|
ok kettenis@ deraadt@
|
with /dev/console.
Feedback from and ok kettenis@
|
ok deraadt@
|
ok deraadt@
|
This is needed in case a foobar fails to start but still returns 0. Changing its
flags (in rc.conf.local) would then get ignored because of this cache (which is
around to handle stop/check/reload on flags changes).
claudio@ reported this issue when struggling with prometheus several weeks ago
|
"prefix-set" blocks work with line breaks just fine,
probably old macro leftover.
OK job claudio
|
effectively reverting r1.9 to follow principle of least surprise
"this is fine" millert
"i agree with direction" schwarze
|
keep command-line arguments again; ok aja@ djm@
|
ok visa@, kettenis@, deraadt@
|
because each invocation will grow the path, but that exposed an interaction
with loginShell:true in our dot.Xdefaults...
|
OK millert@
|
with help from claudio@
|
1 of 10-100 startups'). "makes sense" deraadt@
Beware if you have multiple sshd processes (e.g. on different ports) and
want to restart/stop just one - with the current proctitle there's no way
to distinguish between these so rc.d/rcctl will match all of them.
|
"route -q" already silences all standard output; if it still prints
something, that's a bug to fix in route.
OK bluhm
|
check that the resulting db works instead of some more specific test
okay schwarze@
|
ok deraadt@
|
okay millert@, tb@
|
While FIDO/U2F keys were already supported by the generic uhid(4)
driver, this driver adds the first step to tighten the security of
FIDO/U2F access. Specifically, users don't need read/write access to
all USB/HID devices anymore and the driver also improves integration
with pledge(2) and unveil(2): It is pledge-friendly because it doesn't
require any ioctls to discover the device and unveil-friendly because
it uses a single /dev/fido/* directory for its device nodes.
It also allows to support FIDO/U2F in firefox without further
weakening the "sandbox" of the browser. Firefox does not have a
proper privsep design and many operations, such as U2F access, are
handled directly by the main process. This means that the browser's
"fat" main process needs direct read/write access to all USB HID
devices, at least on other operating systems. With fido(4) we can
support security keys in Firefox under OpenBSD without such a
compromise.
With this change, libfido2 stops using the ioctl to query the device
vendor/product and just assumes "OpenBSD" "fido(4)" instead. The
ioctl is still supported but there was no benefit in obtaining the
vendor product or name; it also allows to use libfido2 under pledge.
With feedback from deraadt@ and many others
OK kettenis@ djm@ and jmc@ for the manpage bits
|
repair that.
|
OK claudio@
|
OK claudio@ benno@
|