01:41:38 <warsoul> whats the correct command to update freebsd 14.0
01:41:39 <warsoul> ?
01:43:33 <markmcb> warsoul: freebsd-update is probably what you want
01:44:06 <warsoul> thanks markmcb
01:48:03 <johnm> warsoul: if you are on the last recent version, you'll want to 'freebsd-update fetch' followed by a 'freebsd-update install' and a reboot -- check out this link for more information and to confirm what steps you need to take: https://docs.freebsd.org/en/books/handbook/cutting-edge/
01:48:04 <VimDiesel> Title: Chapter 26. Updating and Upgrading FreeBSD | FreeBSD Documentation Portal
01:48:41 <beastwick> is there a simple way to "change" the uid/gid of shared folders over nfs to match the user on the client side? I have a simple use case that doesn't require the overhead of kerberos, but I also don't want to change that users id on the client to match the host
02:25:39 <polyex> fluent-bit pkg has a bug? i enable it in rc.conf with fluent_bit_enable="YES", fluent_bit_group="fluentbit", fluent_bit_user="fluentbit". reboot server, sudo top shows fluent-bit running, but service fluent-bit status (rc.d/fluent-bit) says "fluent_bit is not running". fwiw /var/run/fluent_bit.pid exists -rwxr-xr-x fluentbit:fluentbit, not sure why
02:25:39 <polyex> it's +x.
02:25:41 <polyex> the bug was reported already https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269480 but i tried the diff and it didn't seem to fix the problem for me. any help is appreciated!
02:25:43 <VimDiesel> Title: 269480 – sysutils/fluent-bit: rc.d script should not use --daemon option when combined with daemon command
03:19:37 <polyex> anyone know?
03:19:49 <polyex> i'm too new to rc and daemon to figure it out
03:39:38 <polyex> ?
04:17:56 <markmcb> polyex: not sure about that package, but i've seen this bahavior when daemon options -p and -P aren't used correctly, maybe experiment with those
06:24:34 <lw> releng/14.1 just got branched for 14.1-BETA1
06:43:53 <polyex> omfg yess
07:05:35 <polyex> markmcb by "this behavior" talking about the weird +x part or service status not working?
07:48:25 <polyex> tried everything i can think of, like -P and -p
07:48:32 <polyex> still won't fucking work
08:02:55 <polyex> anyone can help pls?
08:09:29 <tiramisan> polyex: missed your question, please state again ^_^
08:09:40 <polyex> fluent-bit pkg has a bug? i enable it in rc.conf with fluent_bit_enable="YES", fluent_bit_group="fluentbit", fluent_bit_user="fluentbit". reboot server, sudo top shows fluent-bit running, but service fluent-bit status (rc.d/fluent-bit) says "fluent_bit is not running". fwiw /var/run/fluent_bit.pid exists -rwxr-xr-x fluentbit:fluentbit, not sure why
08:09:40 <polyex> it's +x.
08:09:46 <polyex> the bug was reported already https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269480 but i tried the diff and it didn't seem to fix the problem for me. any help is appreciated!
08:09:48 <VimDiesel> Title: 269480 – sysutils/fluent-bit: rc.d script should not use --daemon option when combined with daemon command
08:09:54 <polyex> tyvm
08:12:04 <tiramisan> polyex: how does your rc.d script look now? it seems you could just remoev the --daemon from the end of the command_args
08:12:22 <polyex> ya tried. didn't fix anything
08:12:41 <polyex> also tried -P instead of -p
08:14:10 <tiramisan> polyex: what does it say when you enable verbose: service -v fluent_bit restart
08:16:17 <polyex> well restart won't work because it can't find the existing instance so i have to manually kill -9 it then start it. want me to do that?
08:18:09 <tiramisan> polyex: well that's up to you but you might find something useful
08:19:11 <polyex> just says fluent-bit is located in /usr/local/etc/rc.d \n Starting fluent_bit
08:21:48 <polyex> ok just got it kinda working
08:21:51 <polyex> get this...
08:23:15 <polyex> the problem seems to stem from having daemon on in the fluent-bit.conf
08:23:24 <polyex> seems it needs daemon off?
08:28:12 <lw> interesting bug of the day: pf(4) 'match all scrub (reassemble tcp)' breaks TCP connections to Amazon
08:28:15 <polyex> ya the default rc.d doesn't even need to be changed
08:28:20 <polyex> lol
08:51:06 <tiramisan> polyex: lol good job solving it *highfive*
08:51:22 <polyex> ty for helping
08:54:32 <polyex> nowi just need to figure out how to configure fluent bit to actually work lol
08:54:44 <polyex> anyone use fluent bit before?
08:55:16 <tiramisan> polyex: a long time ago, i think it was quite straightforward
08:55:47 <polyex> i want to output to an opentelemetry endpoint over network
08:55:50 <tiramisan> polyex: just basic fowarding of java logs methinks
08:56:07 <tiramisan> polyex: ok no clue there unfortunately
09:01:34 <polyex> just saw in the fluent bit log, error permission denied, cannot open /var/log/mylogfile.log
09:01:44 <polyex> from the input:tail plugin
09:02:31 <polyex> the log file is 600 i guess that's why
09:04:53 <polyex> ya there it's outputting over net now
09:05:49 <polyex> it logs error tho, that http status 404 route not found
09:05:50 <polyex> hmm
11:09:11 <polarian> Two things, firstly whats with the FreeBSD mailing list sprawling... there is so many of them
11:09:20 <polarian> which one is the main one?
11:09:35 <polarian> secondly lw what mailing list did you say I should post my query about hardware RF switch?
14:04:34 <deadrom> Hi all.
14:05:53 <deadrom> Is FreeBSD (or any BSD or derivate for tht matter) susceptible to what Linux got with xz-utils? i.e. is there a more centralized checking of the code base that will prevent untrusted external sources comitting unchecked code?
14:08:41 <llua> the person built up trust in the project before commiting the act, so... it normal social engineering that anyone is susceptible to
14:09:22 <sub_pop> deadrom: I asked about this back in March. Here's the discussion thread on fediverse https://floss.social/@subpop/112181350769874172
14:09:23 <VimDiesel> Title: subpop: "Genuinely curious, and not able to research much …" - FLOSS.social
14:14:10 <deadrom> The link doesn't go anywhere
14:15:26 <deadrom> wait, does in chromium, not in vivaldi. nvm
14:17:49 <sub_pop> o_O
14:27:33 <zwr> deadrom: It can happen to any OS, yes. It didn't affect FreeBSD, however
14:28:41 <deadrom> llua: the bit that worries me here and is what I've been getting gtom the Linux crowd as well is that it seems to be seen as ... normal that this type of thing happens. Yes, true, social engineering happened before, but at that scale, with such effort, and right into a central application as crucial as ssh? If blackhat X wants to gain access to a specific system, spies out its particular attributes etc, that's one thing, but infiltrating
14:28:43 <deadrom> the lock maker in general to by abble to open any house using their locks has a new quality to me.
14:30:47 <deadrom> zwr: well, it cannot happen lie this exaclty to any OS if the OS isn't open, one of the prerequisites here being that the attacker could build its scheme on the availability of the src code and play the helpful hand. Not possible to approach like that on say Solaris, or that, um, OS from that Redmond company.
14:32:02 <zwr> Solaris has package management. Updating a program people use to introduce malware can be done without package management, in fact it's easier because there won't be anybody to veto your changes
14:44:50 <unixman_home> deadrom, testing and code review by someone other than the committer are the only ways to stop this sort of code infiltration. This is how FOSS teams are supposed to work. Someone noticed an odd thing with the code, the code was reviewed, the bad code was discovered and fixed. The process worked.
14:52:22 <deadrom> unixman_home: that's not entirely true: someone noticed their openssh server took unusually long to respond and drew too much CPU. That caused them to investigate further. It was a rather close call. The code got into the testing repos exactly because nobody else looked into the code. Apart form the attackers. One overworked guy was maintaining xz-utils. that's what I'm all about, no FOSS distributor tells you they have such mechanisms as
14:52:23 <deadrom> a simple extra pair of eyes checkes.
14:53:01 <deadrom> zwr: if you install any package from anywhere you only have to blame yourself.
14:53:56 <deadrom> unixman_home: ultimately you suggest the thing that need to happen: all code needs to be checked by at least on additional trustworthy party.
16:58:15 <polarian> Is there a usergroup I can add myself to so that I can execute zzz?
16:58:36 <polarian> I would like to be able to invoke zzz from a keybind
17:13:49 <scoobybejesus> i mean, you could have a doas rule that allows your user to execute just your specific command w/out password
18:18:31 <concussious> polarian: i have  been chgrp
18:18:44 <concussious> ing zzz to operator for years with no problems
18:42:05 <monaco> a ka naj shqiptar te gjall
19:55:16 <entikan> the "source" command is missing even though I installed python. Am I missing a packages I'm unaware of?
19:58:43 <mason> entikan: "source" is a shell command
19:59:29 <mason> entikan: Try "." instead of "source".
20:00:29 <entikan> ah there we go
20:00:34 <entikan> thanks, mason
20:00:43 <mason> entikan: If you were using Bash, you'd have "source".
20:00:56 <mason> But it's the same thing, so I just use "." everywhere.
20:02:28 <entikan> makes sense. Shows what I know thinking it was a python thing :)
20:17:29 <scoobybejesus> FWIW entikan, when i'm creating a venv, i'm creating another user, installing bash, and using bash for that user, and then source bin/activate works
20:25:49 <titou> hey
20:26:15 <entikan> scoobybejesus: I was tempted to install bash but after looking into it want to try it the bsd way first :P  You wouldn't happen to know how to symlink directories in the site-packages?
20:26:36 <titou> since I updated some ports (in particular amavisd-new), it crashs when it tries to check an ED25519 DKIM signature with signal 6...
20:27:25 <titou> here is the output I got from amavisd: https://pastebin.com/d4GfJ6Qz
20:27:27 <VimDiesel> Title: /usr/local/sbin/amavisd[19629]: (19629-04) get_body_digest: reading mail body fr - Pastebin.com
20:27:38 <scoobybejesus> you can just ln -s whatever you want, but ideally you don't need to.  you generally just want to the python inside the venv to be called so that its got a proper path... i think
20:27:44 <titou> unfortunately I don't find any similar bug on the internet.. I don't understand since my ports are up to date
20:27:54 <titou> and I don't know how to debug that..
20:30:26 <polarian> scoobybejesus: idk... it feels wrong writing doas in a script
20:31:01 <polarian> and although I currently use nopass, it will not work if there is nopass because the command is forked into the background by the wm
20:31:25 <polarian> concussious: chgrp'ing what exactly?
20:31:28 <polarian> zzz is a command...
20:36:51 <titou> if you don't have any idea (and I think so since you don't develop these tools..) maybe you could tell me what you use in order to add protection to an smtp server to add antivirus and spam protection in 2024 (without using amavisd)
20:36:57 <titou> for a small smtp server
20:49:26 <jgh> ClamAV... but nothing stops spam entirely.  Firewalling whole countries and AS' helps, if you can
20:50:27 <polarian> Its a little redundant as some spam will still get through, and when you start putting more barriers in the way you risk spamming legitimate emails
20:50:45 <polarian> if you are a small smtp server you should be fine with just enforcing DMARC, and validating spf and DKIM
20:51:13 <titou> thanks
20:51:22 <titou> and what do you think about rspamd ? I just discovered it
20:51:50 <polarian> rspamd is commonly used... but afaik it doesn't support IPv6 (and the developer refuses to admit IPv6 even exists)
20:52:07 <titou> really? where does he come from?!
20:52:27 <titou> in fact if rspamd is used locally as a milter we don't care about IPv6 no?
20:53:58 * polarian shrugs... I have never dabbled in rspamd
20:54:45 <polarian> I think it only matters if you try using blacklists
20:55:11 <titou> ok
20:56:00 <polarian> wait the IPv6 stuff can't find a source on... I must have got it confused with something else
21:13:54 <voy4g3r2> it is just seasier to setup ssh on a jail than trying to remember jexec -u root <jailname>
21:16:08 <polarian> is it? surely that is more attack surface area... why setup a jail if you expose another ssh instance you got to protect?
21:17:29 <polarian> Also... I found that setting the brightness with xrandr (or xorg in any other way) seems to just make the pixels darker... instead of actually dimming the backlight... dimming the backlight works well if you use backlight(8) but there isn't any conf for it... what would be the best way to issue "backlight 50" on startup?
21:17:41 <polarian> I have seen some posts on making it a rc service... but there must be a better way?
21:19:22 <voy4g3r2> polarian: that is possible but i am looking at this as ease and this is a homelab
21:19:35 <voy4g3r2> plus you do not allow password prompt logins, you have to have a valid cert. so minimizes that
21:20:00 <polarian> voy4g3r2: well if its within a homelab, and isn't exposed to WAN... then maybe it isn't a big deal...
21:20:10 <polarian> you could just alias jexec -u root no?
21:20:15 <polarian> make an alias for it
21:20:26 <voy4g3r2> yes, that is an option also
21:20:51 <voy4g3r2> i do not want to be in jail as root but as a user i created for services i have running so it would be jexec -u root <jail>; su <user>; do work
21:20:57 <voy4g3r2> now i just ssh <user>@<jail>
21:20:58 <voy4g3r2> :)
21:21:52 <polarian> whatever floats your boat...
21:24:55 <voy4g3r2> yeah, it was just like.. why they heck am i doing all these extra steps
21:26:12 <polarian> security sometimes requires extra steps :P
21:30:22 <jmnbtslsQE> ssh may actually be more secure than jexec - https://www.freebsd.org/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc
21:32:59 <concussious> ssh is unbroken
21:33:19 <concussious> imho unbroken is the highest level in security
21:33:29 <llua> famous last words
21:33:50 <concussious> polarian: chgrp operator /usr/sbin/zzz
21:34:16 <concussious> then, a user in the operator group is allowed to operate the zzz command
21:34:16 <polarian> oh...
21:34:31 <concussious> which, to me, is consistent with the meaning of the operator group
21:34:38 <polarian> I think this is similar to giving the user doas permissions
21:34:58 <concussious> no, doas is adding an extra layer on top
21:35:13 <concussious> doing it the way i suggested is using raw unix
21:35:52 <concussious> so, from a security standpoint, doas and sudo are unbroken, but they're an extra attack surface, extra complexity, resource usage, etc
21:36:02 <polarian> concussious: yes... but doas elevates you to root
21:36:09 <polarian> while operator only gives you access to operator group'd permissions
21:36:30 <polarian> so operator i would assume is better
21:36:43 <concussious> precisely! my way doesn't elevate you. it simply lets the operator... operate sleep mode
21:36:47 <polarian> but anyways I found I don't need to do this... I found the function key to do it instead :)
21:36:49 <polarian> no keybind needed
21:36:58 <concussious> oooh tell me more
21:37:04 <polarian> concussious: I already use doas... sooooo
21:37:09 <polarian> either one works
21:37:22 <polarian> concussious: E6430 F1 key
21:37:24 <polarian> lol
21:37:45 <concussious> huh, thanks for sharing, but mine doesn't do that
21:39:11 <concussious> there's definitely different ways of doing everything
21:39:21 <polarian> any ideas on my other issue...
21:39:30 <polarian> executing the backlight command on boot?
21:40:57 <concussious> backlight is new since freebsd 13, actually this is my first time seeing it
21:41:04 <concussious> thank you
21:41:44 <polarian> lol
21:41:46 <concussious> ive never figured out, after all this time, how to bind backlight and volume adjustment to keys
21:41:49 <polarian> well its the only thing which worked
21:41:53 <polarian> I have tried on and off for weeks
21:41:59 <polarian> but I have been having a really bad headache for weeks...
21:42:09 <polarian> and its from the brightness being at max... literally burning my eyes
21:42:32 <polarian> 50% seems to be a more comfortable brightness... plus saves quite a bit of power too \o/
21:43:16 <polarian> concussious: I have function keys for volume on my E6430, they work out of the box
21:43:22 <polarian> the mute button doesn't...
21:43:33 <concussious> you could put the brightness command in your .login
21:43:36 <polarian> and the brightness up and down keys do not work either
21:43:42 <polarian> concussious: amazing idea, thanks!
21:45:40 <concussious> putting it in .login is certainly not the best way to do it though
21:46:09 <concussious> but i don't know a better way
21:49:25 <polarian> hey... its a quick and easy solution
22:10:57 <voy4g3r2> polarian: quick and easy solutions all around
22:11:10 <polarian> lol
22:12:07 <voy4g3r2> for console keybinding, i have used this: https://man.freebsd.org/cgi/man.cgi?kbdcontrol
22:12:08 <VimDiesel> Title: kbdcontrol
22:12:22 <voy4g3r2> when in a gui.. i have used this: https://vhernando.github.io/xbindkeys-grab-keys-X
22:12:23 <VimDiesel> Title: xbindkeys: how to bind keys to commands (X window) - Vicente Hernando
22:15:46 <concussious> i just use csh's bindkey
22:16:02 <concussious> interestingly, "which bindkey" shows nothing
22:17:06 <concussious> but "which which" says "which: shell built-in command."
22:17:42 <concussious> after unaliasing which, i alias which to /usr/bin/which because it supports -a
22:53:28 <polyex> anyone have fluentbit log collector running and outputting with opentelemetry?