00:05:13 yuripv: i have managed to lxc launch --vm a thing, but not yet to connect to it via lxc console
00:29:30 <_xor> Re: Earlier discussion on audio devices...
00:30:10 <_xor> I remember a while back when I was setting up my headphones, it was a pain in the neck to review & figure out the various options/configurations and how they interact with each other.
00:30:27 <_xor> I'm honestly looking at revising the notes I took on it and updating some docs or something on it.
00:31:17 <_xor> One of the things that I remember was bt/virtual_oss vs. kernel/module managed devices and the sysctl combinations necessary for them.
00:39:11 yuripv: i can't seem to get a login… will try again tomorrow, fresher.
00:43:46 meena: thank you.
00:45:42 btw, i had a similar ifconfig change to show the original ifname parked somewhere, don't remember why it wasn't wanted
00:45:42 How can I generate a custom RARP packet?
00:46:08 in the meantime, i have written up all my pain points with ifconfig vs infiniband here: https://lists.freebsd.org/archives/freebsd-net/2023-April/003237.html and https://lists.freebsd.org/archives/freebsd-cloud/2023-April/000037.html
00:46:09 Title: Ifconfig limitations
00:47:28 if an interface is renamed, it would be cool if you could still refer to it somehow, because sysctl doesn't give a damn about your rename
00:48:44 I'm trying to find hosts for which I know the MAC addresses, but they don't source enough packets to show up reliably in the switch's mac address table. So, RARP.
00:57:40 I take it you don't know their IP addresses either?
01:00:15 _xor: If you refine your notes, could you put them up on the wiki?
01:04:57 <_xor> Yes.
01:06:45 <_xor> Going through that stuff is on my agenda, but I'm getting through it pretty slowly as it's not a high priority. I have a ton of notes that would likely be useful in general. The USB issue though is particularly annoying because I remember thinking to myself, "What should have taken no more than 20-30 minutes has now had over an hour spent on it.
01:06:46 <_xor> Maybe I'm just dumb, but better docs here would have saved a bunch of time."
01:08:01 V_PauAmma_V: if I knew the IP, I wouldn't need RARP. :)
01:09:16 _xor: I want to finally just get all the audio and videoconferencing stuff I want working under FreeBSD, and I remember the maze that presented itself last time I tried.
01:09:59 <_xor> Don't source enough packets to show up on the switch? How short is the ARP cache TTL? Or alternatively, depending on the switch, maybe SNMP via push/poll when entries are added/updated/removed?
01:11:07 <_xor> mason: Which version of FreeBSD? Which browser? What's the audio device interface? (e.g. Bluetooth, USB, etc)
01:15:11 ghoti: there are several *arp* utilities in ports/net/, maybe one of those could be useful? (looking at arping and arp-scan)
01:16:05 * _xor sighs
01:16:20 _xor: FreeBSD 13.1, or I guess it'll be 13.2, Firefox, USB.
01:17:12 <_xor> That's another thing I should try to spend a bit of time on each week. Submitting internal ports I whipped up. I know I have a few that weren't in the main ports tree before (maybe they are now), of which at least a couple of them dealt with network diagnostics (including ARP utilities).
01:18:10 <_xor> yuripv: In fact, unless I'm mistaken, I think I've seen some of those ports pop up on the freshports.org home page that you created?
01:20:35 <_xor> mason: What was the issue you ran into? Anything relevant pop up in /var/logs around the time you plugged in the USB device or when you tried playing audio in Firefox? Alternatively, launch firefox from a terminal and watch what it dumps to stdout/stderr when trying to play audio to see if there are any warnings/errors (which can tell you if it
01:20:35 <_xor> can't find a device, can't open it, etc)
01:21:24 _xor: Hrm, it was long enough ago that I'll have to try again. One thing I was trying to do was enable V4L and I couldn't for the life of me find how I was supposed to specify device names to ffmpeg on FreeBSD.
01:21:28 <_xor> That's my environment too btw, 13.1 + Firefox + USB headset.
01:22:54 _xor: me? i don't know anything about freshports (probably confusing me with yuri@?)
01:22:57 * yuripv hides
01:23:06 <_xor> Yeah, probably.
01:23:16 <_xor> mason: https://wiki.freebsd.org/WebcamCompat
01:23:17 Title: WebcamCompat - FreeBSD Wiki
01:23:40 <_xor> mason: Check that and see if your device(s) need webcamd, cuse, etc.
02:00:07 yuripv: arping doesn't seem to produce rarp. I'll check a few other ports, thanks for that suggestion
02:02:35 _xor: the problem is, the devices don't source packets frequently enough to stay in the cache. They know their IP, but I can't send them status requests if I don't know where they are.
02:03:56 And besides, I get more utility by populating the local ARP cache than trying to query the switch's mac forwarding table.
05:52:59 So, GELI might be vulnerable, if it uses PBKDF2.
https://mjg59.dreamwidth.org/66429.html
05:53:00 Title: Captcha Check
06:03:04 If nothing else, that could provide some formal|serious scrutiny (for GELI) as I had not found any concrete reviews about the security of the encryption
06:04:17 Ellenor, Thank you for the link
06:15:52 On the related topic, Back to "PBKDF2" from "Argon2" due to more memory use by the latter https://github.com/go-gitea/gitea/pull/14675/commits/b337ef56b90e11136ddb23826838404d8eb2f3e2
06:15:53 Title: Turn default hash password algorightm back to pbkdf2 from argon2 until we found a better one (#14673) by lunny · Pull Request #14675 · go-gitea/gitea · GitHub
06:16:31 the higher memory use is a feature, not a bug...
06:17:20 password validation needs to be rate limited. higher memory and cpu usage is a crude way to do that and sometimes the only
06:18:34 * parv forgot to note the date of the Gitea commit, c. 2021
07:31:44 that setting is gone
07:31:59 https://social.treehouse.systems/@marcan/110218592449827689
07:32:00 Title: Hector Martin: "@mjg59⊙nc Something doesn'…" - Treehouse Mastodon
07:46:14 let's hope they're doing better by now, yeah, defaults back to argon2: https://github.com/search?q=repo%3Ago-gitea%2Fgitea%20argon2&type=code
07:46:15 Title: Sign in to GitHub · GitHub
07:47:50 but still, this shit drives me bonkers https://github.com/go-gitea/gitea/issues/3217
07:47:53 Title: Confidential (private) issues on public repo · Issue #3217 · go-gitea/gitea · GitHub
07:48:11 meena, Your earlier URL asked me to "sign-in"
07:48:38 the one with the search query
07:48:40 parv: yeah, the new search feature is login only
07:48:55 meena, Aaahhh
07:49:03 because the search is now actually really good lol
07:49:36 but also, i reckon, it is quite costly, performance wise
11:12:21 Ellenor: GELI was designed differently, because it doesn't make assumptions about the number of iterations - instead it tests to see how many iterations can be performed on the CPU it's being initialized on, and subsequently uses that number of iterations.
11:13:16 Also, if the point is to use something that's memory-prohibitive, scrypt is better.
11:13:46 morning, debdrup. :)
11:15:29 well this looks like a fun bug, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270909
11:15:31 Title: 270909 – find: /.zfs: Invalid argument
11:18:28 meena: that's weird indeed. But thanks for the reminder to upgrade. :)
11:20:30 debdrup: and can i increase that despite a low bench
11:25:51 If only there was some sort of manual page that'd give some sort of answer..
11:28:08 Also, Matthew's article is making a LOT of guesses..
11:33:22 Yes
11:33:30 I'm since hearing it's not credible
11:36:23 Matthew's article talks about 128bit key lengths, but GELI is using PKCS#5 specifically because it features HMAC/SHA1 which is variable length, and the number of iterations that can be performed by the CPU in 2 seconds is what defines that length.
11:37:48 You can try setting up geli on top of a ggate to see how many iterations a modern CPU does.
11:38:18 ah.
11:38:20 I find it much more likely that a nation state could manage to simply bypass the encryption simply by knowing the key.
11:38:52 yes.
11:39:33 If someone doesn't know they're being watched, they aren't likely to practice the highest levels of opsec when typing in their password.
11:42:02 I've no idea what LUKS does with respect to the key derivation function used to supply the key material for the AES encryption, but the French-language text does seem to suggest (to my understanding, which admittedly is very limited) that they decrypted the full-disk encryption by knowing the password since they had full write access to the machine (given that there were modified files).
11:42:40 French is NOT a language I'm even remotely comfortable with, though - so it's possible I missed something.
11:55:14 Iteration count for LUKS1 seems to default to 1000 (used to default to 10) and for LUKS2 it seems to be controlled by a time variable (or the number of iterations can be forced).
12:03:07 I think they used LUKS1, since they mention Ubuntu 18 (which I take to mean the one released in 2018, and which defaulted to LUKS1 according to what little documentation I can find).
12:03:58 1000 iterations wasn't a lot in 2005.
12:16:14 luks has terrible usability…
12:16:59 ..turns out, even the most-recently-released Ubuntu still defaults to LUKS1.
12:20:22 methinks the wikipedia page for LUKS is begging for a "criticism" section.. :)
12:21:13 * debdrup shrugs.
12:36:11 https://gist.github.com/Edu4rdSHL/8f97eb1bab454fb2b348f1167cee7cd2 you can't upgrade a live system
12:36:12 Title: Ubuntu LUKS cryptsetup upgrade · GitHub
12:36:21 fun
12:38:06 I don't see how you should be able to do in-place upgrades of the key derivation function, or the encryption, for any system.
12:38:35 Even changing the number of iterations should, it seems to me, warrant a complete rewrite of the system.
12:39:32 aye, that makes sense
12:41:05 I think if crypto(9) implemented scrypt as a replacement for PKCS#5 and I wanted to take advantage of it, I'd set up partitioning and geli initialization on a disk connected via USB, then do zpool create (mirroring what's in zpool-history(8)), do zfs send | receive, and then switch out the disks.
12:41:49 If I had a laptop with two M.2 slots, I might insert one, do the partitioning+geli initialization+zpool create+zfs send|receive, and then use rerooting..
12:43:14 In theory you could reroot to the USB disk and replace the M.2 disk since PCIe does support hot-plugging - but I'm not sure uptime is _that_ important on a laptop.
12:46:16 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270794 Whoa, awesome!
12:46:18 Title: 270794 – multimedia/kodi-addon-inputstream.adaptive unbreak
12:49:26 https://www.freebsd.org/releases/14.0R/schedule/ huh.
12:49:27 Title: FreeBSD 14.0 Release Process | The FreeBSD Project
12:51:04 pretty soon yeah
12:54:40 wat
12:55:25 what are the chances we'll get dhcpcd into base until then
13:03:53 non zero, i would predict
13:05:49 10.0.0 was released, that's what we were waiting for
13:47:52 q
15:01:08 Morning.
15:18:06 meena: https://reviews.freebsd.org/D22012#894877 seems to suggest that there's work being done on it
15:18:08 Title: ⚙ D22012 Import dhcpcd(8) into FreeBSD base.
15:42:20 Having dhcpcd in base would not be a terrible idea.
15:49:23 oh my, i was reading it as dhcpd
15:51:34 dhcpcd is alright... on linux, where the alternatives are BINDCO dhclient and manual configuration.
16:08:44 i have a strange issue where an ethernet interface on pci is being detached overnight with a message such as the following on console: "pci2: at device 0.0 (no driver attached)" "pci2: detached" "pci2: on pcib2"
16:09:19 i'm thinking it would be hardware related since it's an old machine, but not sure
16:14:37 now on a restart it's displaying these messages fairly rapidly, maybe 2-3 per second on average
16:15:18 and also a message "pcib2: Timed out waiting for Data Link Layer Active"
16:19:42 that looks very much like hardware
16:20:26 thanks
16:20:44 i will replace it temporarily with usb-ethernet, hoping that it's not also affected
18:04:58 can someone explain to me what the benefit is of *not* backgrounding dhclient?
18:06:01 Debug. If run in the foreground it is useful for debugging to see the messages in the terminal.
18:11:25 I would also recommend the "dhcpdump" utility run in another terminal window too if debugging that area of things. As a, by-the-by...
18:24:43 I just don't understand why debugging is the default
18:35:06 whew, i don't know how or why, but my LUKS on this laptop is Version 2; and uses argon2
18:36:24 meena: You want argon2id specifically, not argon2i fwiw
18:36:57 Easy enough to fix as it turns out.
18:37:24 cryptsetup luksConvertKey /dev/foo --pbkdf argon2id but take it with my usual warning about breaking the dishes.
18:37:58 mason: what's wrong with argon2i?
18:38:05 I seem to have that :(
18:38:34 meena: This morning I couldn't have told you, but then I read https://crypto.stackexchange.com/questions/72416/when-to-use-argon2i-vs-argon2d-vs-argon2id
18:38:35 Title: encryption - When to use Argon2i vs Argon2d vs Argon2id? - Cryptography Stack Exchange
18:39:49 Maybe that's not the best resource. I wonder if the MJG article notes differences.
18:40:25 It does. https://mjg59.dreamwidth.org/66429.html says: "But even so, systems using the LUKS2 header format used to default to argon2i, again not a memory expensive KDF. New versions default to argon2id, which is. You want to be using argon2id."
18:40:26 Title: Captcha Check
18:41:12 TL;DR, the algorithm needs to be memory-intensive as well as time-intensive to defeat attackers with a wall of GPUs.
18:41:54 rwp,
18:42:06 I haven't had a chance yet but I'm really curious to see how GELI's default selections stand up.
18:42:26 rwp, hey i figured out the commonality. all the jails having problems with updates were jails that were previously ezjail jails and migrated to iocage.
18:42:28 you can just read the backlog here
18:42:45 meena: Ah, hadn't realized it had come up. Good.
18:42:47 Thank you.
18:45:01 debdrup: Is there a notion of memory consumption, atop a high iteration count?
18:45:21 That was the big thing I learned about today.
18:49:19 mason: sorry, I'm not sure I understand.
18:50:29 meena: making dhclient synchronous/blocking is basically equivalent to configuring net-wait.
18:52:38 in-place upgrades of KDF for filesystem encryption is trivial because the password isn't used to generate the storage key, but rather to encrypt that key.
18:53:11 so a new KDF is no harder than adding a second user key
18:53:11 debdrup: So, what I take from all of it is that in addition to requiring a decent amount of time, nowadays it's also necessary to take a lot of memory to defeat attackers with parallel processing brute-forcing things.
18:54:57 mason: PKCS#5 doesn't have the features that scrypt does vis-à-vis being resistant to ASIC attacks because of the larger memory requirements.
18:55:16 hrm
18:55:48 Oh, you'd mentioned that earlier and I missed it. Sorry.
18:57:07 I thought I did :)
19:02:49 If your threat model includes a legitimate worry about a nation state capable of, and willing to go to the trouble of implementing an ASIC to attack geli's KDF, then I suppose now would be an excellent time to sponsor Colin Percival in implementing scrypt into crypto(9) so that it can take the place of PKCS#5 ;)
19:04:59 If argon2 needs to be argon2id in order to be memory-expensive, and also needs to be in a copy-free license to be implemented in FreeBSD, it's probably quicker to pay Colin for it. :)
19:06:18 freebsd currently uses SHA256 right?
19:06:23 or sha512
19:06:28 For what?
19:06:39 crypt()
19:06:43 crypto(9) supports all manner of things.
19:07:31 the default for password encryption is a sha512-based algorithm
19:07:58 the algorithm used by crypt() is chosen by specifying it as part of the provided salt
19:08:01 i tried copying over an encrypted $6$ password from linux and despite it using the same hmac identifier it was incompatible
19:09:08 crypt(3) would be the place to get answers for your questions, I imagine.
19:10:46 6. SHA-512
19:16:48 sfox: looking at the code they seem to be trying to be compatible.
19:17:07 sfox: you could try running the freebsd test values on linux and see if it gets the same results
19:18:09 e.g. crypt("Hello world!","$6$saltstring") = "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1"
21:08:44 how do you detect if headphones are connected? I was looking at the sysctl values but none of them tells that
21:10:59 depends on the hardware
21:23:52 neirac: do a `sysctl -a > before` and `> after`, then diff to see if you missed something you can use.
21:25:05 If they're USB, you can hook something into that infrastructure, or even just scan `usbconfig list` if that works for you.
21:29:23 ghoti: nothing relevant to sound diffing the outputs, I just could add a sysctl to show it for hda
21:31:30 Notice they're not The_Dragon.
21:51:54 how do I build snd_hda as a module?
21:53:46 just removing the device from the kernel config is enough?
21:54:42 yeah
21:55:56 personally I remove almost all devices from the kernel, just leaving the ones needed to boot the machine plus a few "always use" ones
22:02:33 how do I know which kernel I'm running, I mean the file
22:06:00 RhodiumToad: do you use MINIMAL as your starting point?
22:07:35 neirac: kenv kernel_path and kernelname
22:07:54 meena thanks!
22:08:08 mine: meena@beasdix ~> kenv -v kernel_path ; kenv -v kernelname
22:08:08 kernel_path="/boot/kernel.GENERIC-MMCCAM"
22:08:08 kernelname="/boot/kernel.GENERIC-MMCCAM/kernel"
22:15:12 also sysctl kern.bootfile
22:16:15 iirc, installkernel updates kern.bootfile to point to kernel.old when renaming it
22:35:14 anyone know how to translate this to FreeBSD's route(8)? https://github.com/canonical/cloud-init/pull/2127/files#diff-cd821c37069f7250ff98a74ab14f0203d12eb18e9d394159824fa66e6a8ea4acR22-R45
22:35:16 Title: Support Ephemeral Networking for BSD by holmanb · Pull Request #2127 · canonical/cloud-init · GitHub
22:39:40 ["route", "-4", "add", [-net|-host] + route, gateway, "-interface", interface, and then I'm stuck
22:40:13 is route really not smart enough to figure out if the route is a net or a host address?
22:42:41 it affects old-style parsing of incompletely-specified addresses
22:43:11 e.g. whether 128.32 is interpreted as 128.0.0.32 or 128.32.0.0
22:43:19 (moral, never do that)
22:47:33 what kind of monster does that?
22:47:43 What kind of MONSTER puts that in the SPEC?
22:51:11 anyway, what is the src thing?
22:51:46 vixie
22:51:57 the src thing looks like a linuxism
22:52:00 src ADDRESS
22:52:00 the source address to prefer when sending to the
22:52:00 destinations covered by the route prefix.
22:52:49 I don't think fbsd does source selection that way
22:55:28 that 128.32 thing is only the tip of that particular iceberg of horrors, btw
22:56:06 always use 4 octets/pfxlen for specifying ipv4 destinations
22:58:15 https://suricrasia.online/iceberg/ i wonder if it's actually on here
22:58:16 Title: The Cursed Computer Iceberg Meme
23:33:55 ld-elf.so.1: /usr/local/bin/git: Undefined symbol "__libc_start1@FBSD_1.7"
23:34:17 chasing HEAD and this bit me. is there a way to back out? or must I rebuild everything in ports?
23:36:38 Did you use bectl as part of your update procedure?
23:37:10 only updates if any were from `pkg install xxxx`
23:37:57 s/chasing head/running head
23:38:20 What FreeBSD version?
23:39:41 14.0-current
23:40:34 only affects items installed from pkg. the OS mismatch warning was legit. nvm I'll figure it out
23:41:00 Then it looks like you're installing packages built for 23
23:41:10 hi! I am trying to install FreeBSD in a VPS. During the boot, it stays almost 1min3sec on the line "ugen0.2: at usbus0". It happens on the installation (live CD) and on the installed system. Is there anything I can do to improve this boot time?
23:42:01 Ronis_BR: what's the _next_ line?
23:42:11 ober, it looks like you're installing packages built for 12.x or 13.x under 14-current. That won't work.
23:42:31 ok. I had been without error, but with the warning, so to be expected :P
23:42:32 or installing packages built for an older 14-current on a newer one
23:42:51 Or that.
23:42:58 the whole point of -current is that the ABI is not stable
23:43:01 RhodiumToad: I will run dmesg to check! It is too fast
23:43:39 Ronis_BR, you could also look at /var/run/dmesg.boot.
23:45:12 ok
23:45:27 V_PauAmma_V: Thanks! It is booting
23:45:29 Rockpro64s required 14 afaik
23:49:49 RhodiumToad, V_PauAmma_V: The next line is: "hdacc0: at cad 0 on hdac0
23:53:14 hm
23:54:17 and after that?
23:54:42 and what hypervisor is this?
23:55:16 RhodiumToad: It is a VPS in Vultr, let me check the hypervisor
23:55:39 It seems to be KVM
23:57:33 RhodiumToad: After that line the log is: "hdaa0: at nid1 on hdacc0
23:58:20 so either it's spending a lot of time in trying to figure out an emulated sound device, or there's a lot of other boot probes going on in between that find nothing.
23:58:31 have you tried it with bootverbose on?
23:58:42 no! I will do that