03:12:37 <grunge> ;n
03:12:39 <grunge> sorry.
06:56:52 <dch> Demosthenex: you can go 13.2->13.4 , I would just drop the UEFI loader in just before you reboot into new kernel. also, https://rustdate.over-yonder.net/ (in ports as freebsd-rustdate) is a lot faster than freebsd-update in base.
06:57:06 <dch> slow & trusted, vs new and shiny
07:03:43 <dch> Soni: why would you choose to use ipsec over wireguard? its 2024 and wireguard in userland is a well established thing, vs ipsec which is the Cthulhu of protocols
07:04:30 <dch> anybody familiar with apache24 or similar?
07:04:53 <dch> I have some noob questions (or, not really noob, but its been 20 years and I forgot everything)
07:44:26 <dziq> Hi.
08:00:06 <mane> hey, how do i flush pf tables?
08:09:33 <ridcully> `pfctl -t badactors -T flush` ?
08:28:20 <mane> why badsectors?
08:29:38 <mane> i want to flush this table scrub in on tun0 fragment reassemble max-mss 1420 no-df random-id
09:25:51 <dziq> I have problem with vm-bhyve. When I want to install almalinux, vm immediately bacomes locked. I use this template https://dpaste.com/2FF4V7F6T
09:26:06 <dziq> I don't know how to debug it.
09:26:21 <dziq> *becomes
09:29:09 <dziq> I have created network switch services: vm switch create -t manual -b vlan998bridge services, when instalation starts tap0 interface is created
09:34:01 <dziq> and whole process is stopped. I have to kill this https://dpaste.com/5Z74ULPPU process to even stop VM
10:18:33 <Soni> dch: we don't want a fucking vpn
10:19:03 <Soni> yes if we wanted a vpn there are better options, but that's not what we want
10:19:40 <dch> Soni: no need for profanity. you can have a user-space point-to-point wireguard library in your app, ipsec just seems ... so much more work.
10:19:56 <dch> and to go through the IANA/IETF aspect of it seems ... even more work
10:20:00 <Soni> dch: that's because everyone got ipsec wrong
10:20:03 <dch> I guess you have a good reason to want all that pain
10:20:10 <dch> I think everybody agrees on that Soni
10:20:30 <Soni> ipsec is an address family, like ip
10:20:45 <Soni> you run tcp/ipsec or udp/ipsec
10:20:56 <Soni> just like tcp/ip or udp/ip
10:21:38 <Soni> anyway it's purely an API impedance mismatch problem, the wire protocol is mostly fine
10:22:28 <Soni> (and the IETF doesn't do APIs)
10:24:13 <[tj]> not true
10:25:35 <[tj]> ietf has written lots of api documents, and has a very mixed history on "having a single point on anything"
10:27:19 <Soni> [tj]: they're mostly on the independent stream, which isn't IETF standard
10:28:25 <Soni> yes there's value to having them published as RFC, as a way to inform other participants of how someone does it
10:28:27 <[tj]> as an author of an rfc covering apis, and significant contributor to a working group on apis I feel I know what I'm talking about here
10:29:10 <[tj]> but removing stuff I did, there are a bunch on ipv6 documents which are api descriptions
10:29:21 <Soni> [tj]: ipv6 OS APIs are informational, not standard
10:29:30 <[tj]> that distinction is meaningless
10:29:58 <[tj]> anyway, this is off topic for #freebsd
10:31:08 <Soni> yes, so, back on topic, we can do more or less whatever we want with the socket API in freebsd
10:33:27 <Soni> so we'd like to experiment with treating ipsec as a first-class address family
10:33:42 <Soni> complete with sockaddr_ipsec
10:35:17 <Soni> anyone wanna participate?
10:41:42 <Demosthenex> dch: i'll take slow and trusted over let's rewrite the world in the latest fad and start over gaining trust.
10:43:04 <dch> Soni: a good place to ask this question is the freebsd-arch mailing list. Or possibly the transport one.
10:43:51 <[tj]> freebsd-network would be the place
10:44:02 <dch> oh yes even better
11:17:30 <Soni> alright
12:25:54 <Soni> is it possible to do filesystem compression?
12:30:49 <Soni> (not to be confused with transparent file compression)
12:36:26 <nimaje> you mean some abstraction over the drive, that does compression and then write the filesystem on top of that?
12:43:25 <dch> blacklistd has me beat today
13:12:31 <Soni> no we mean something like how git has a garbage collector and delta compression
13:18:11 <Soni> what is freebsd-network? freebsd-net?
13:23:57 <FragmentedCurve> Where does the /usr/local/openssl/cert.pem file come from?
13:24:23 <FragmentedCurve> pkg which says: /usr/local/openssl/cert.pem was not found in the database
13:38:56 <FragmentedCurve> The full path is in the database, but not the symlink.
13:44:02 <FragmentedCurve> nm
13:45:35 <dch> Soni: https://lists.freebsd.org/
13:55:38 <Soni> we'll just assume they meant freebsd-net
14:12:26 <mzar> Soni: we have TCP-MD5 working, it will probably suit your needs, whtat do you thik ?
14:13:29 <Soni> mzar: what is tcp-md5
14:14:22 <mzar>  TCP MD5 Signature Option
14:15:06 <mzar> from your email it appears that you want to protect the connection
14:15:54 <Soni> we want to protect the endpoint
14:16:08 <mzar> OK
14:17:20 <Soni> for example if you run an sshd, you'd need the endpoint key, which you get via dns and not via scanning the internet, this would protect sshd from network-scanning malware
14:17:38 <Soni> keeps the logs quiet
14:24:07 <Soni> this is a low-work thing you can do that makes things high-work for them
14:25:07 <mzar> that;s /14
14:25:10 <mzar> err
14:25:52 <mzar> that's probably what TCP-MD5 and TCP-AO was invented for
14:27:16 <Soni> but why is it TCP-only?
14:27:35 <Soni> we'd rather use ipsec authentication header
14:29:11 <Soni> ipsec lets us use it as an address family, which has benefits if we ever manage to expand this to DNS
14:32:57 <Soni> (and to URIs, ideally)
14:36:55 <mzar> OK
14:43:17 <Soni> ideally we should be able to treat different keys as different hosts, too
14:57:15 <nimaje> Soni: can you explain a bit more what you want there
14:58:12 <nimaje> what layer would do the compression? on what data? do you mean something like CoW or dedup?
15:24:38 <CrtxReavr> Soni, UDP and specifically IPsec can be especially problematic over NAT'd connections.
15:36:15 <Demosthenex> arg, isn't there a command to check the checksums of the core os files?
15:51:34 <Demosthenex> freebsd-update IDS
15:53:03 <mzar> Demosthenex: what if you are not running RELEASE ?
15:53:16 <Demosthenex> mzar: no idea. i just wanted to make sure specific files hadn't changed.
15:53:23 <Demosthenex> and not packages, system.
18:41:53 <Soni> CrtxReavr: that's why we don't care about supporting ipv4
18:42:14 <Soni> nimaje: we mean something like git. we would happily use git as a filesystem if we could make it work.
18:44:43 <Soni> CrtxReavr: also, https://lists.freebsd.org/archives/freebsd-net/2025-January/006299.html
18:50:35 <CrtxReavr> Soni, I'm all for ditching "LegacyIP."
19:02:52 <Soni> CrtxReavr: rename AF_INET to AF_INET_LEGACY when :v
19:03:50 <Soni> (okay, not a serious suggestion, but anyway)
20:12:38 <uskerine> Hi, I am trying to launch X in a fresh new install of FreeBSD14. It is a system running under qemu. I get this error:
20:13:23 <uskerine> (EE) xf86OpenConsole: No console driver found Supported drivers: pccons (with X support), syscons, pcvt Check your kernel's console driver configuration and /dev entries(EE)
20:13:39 <uskerine> Does anyone what could I try?
20:13:43 <uskerine> know*
20:18:23 <drewlander> is your user a part of the video group? are you using drm-kmod?
20:19:11 <mzar> drewlander: drm-kmod? that's qemu
20:19:24 <drewlander> i didnt see qemu i apologize
20:19:45 <uskerine> I am trying with root
20:19:51 <uskerine> to avoid any permission issues
20:19:51 <mzar> no worries
20:20:50 <uskerine> since it is qemu console is redirected to a telnet port (I guess it might be related to this issue)
20:21:07 <uskerine> so I have to telnet my apple to access the console of the virtualized FreeBSD
20:21:37 <uskerine> https://wiki.freebsd.org/arm64/QEMU
20:26:22 <uskerine> also, I do not have any /dev/ttyvx file, just /dev/ttyu0 (which I understnad it is the serial -redirected by qemu to telnet-
20:45:10 <nimaje> Soni: so a blocklevel CAS for the filesystem?
20:46:05 <Soni> nimaje: CAS?
20:46:31 <wcarson> i have security/py-cryptography installed, but i can't seem get a venv to use it. i tried python3.11 -m venv myproj; source myproj/bin/activate; pip install <app>, and it keeps trying to build py-cryptography. i thought maybe because it required a newer version, so i did -c constraints.txt but with cryptography<=43.0.0 (i have 42.0.8)... but it just goes and tries to get 42.0.0 and build it again
20:46:54 <wcarson> er, i did use --system-site-packages
20:47:33 <nimaje> Soni: content addressed storage
20:48:09 <Soni> nimaje: uh no? we want delta compression and stuff
20:48:47 <Soni> cross-file compression for the filesystem
20:49:00 <Soni> (on top of regular compression)
20:49:15 <Soni> just like git does
20:50:03 <Soni> but really, any filesystem that can cope with multiple gigabytes of build artifacts would be fine
20:50:34 <Soni> (because we keep running out of storage while trying to compile the freebsd)
21:15:43 <nimaje> wcarson: well, you have installed on your system then, venvs are there to seperate from your system, you can tell it to also use system modules when creating the venv, but I don't remember the argument
21:16:27 * Ober stops updating stuff as all it does is break yubikey/pcsc yet again
21:17:57 <nimaje> Soni: where does git does compression for storage? afaik it only has a store were all objects (files, trees, commits, …) are stored by their hash, so you can reference some object by its hash
21:18:36 <haroldp> what do you use yubikeys for on FreeBSD?
21:18:52 <Soni> nimaje: the "pack" is delta-compressed and also deflate compressed
21:21:07 <Ober> haroldp: 2fa on everything :p
21:21:30 <haroldp> I use mine on websites via my browser
21:21:58 <haroldp> and as a third factor on my password manager
21:22:20 <haroldp> you doing other cool stuff?
21:27:44 <Ober> just ykman/browser stuff
21:29:51 <haroldp> wasn't aware of ykman.  thanks.
21:38:17 <Ober> haroldp: yeah the browser works fine., just cli stuff for sites that don't support webn, but require fido. :[
21:40:21 <haroldp> wondering if I should try to shoehorn it in as another factor for ssh or something
21:42:32 <haroldp> I recently got an M4 iPad and discovered I couldn't log into *anything* because it doesn't have NFC and wouldn't talk to my YubiKey over USC-C
21:42:53 <haroldp> but they fixed it about a month ago with an iPadOS update
21:52:25 <levitating> Hey, anyone got experience using the collectd package?
21:52:29 <levitating> It returns with exit code 1 for me
21:52:47 <levitating> Immediately upon starting, it doesn't print or log any error
21:53:21 <levitating> It would be helpful to run a command like strace on it, but I am not sure how to do that on FreeBSD
21:59:14 <Ober> ktrace
22:00:10 <kevans> yeah, ktrace or truss depending on how much extra output you feel like dealing with
22:04:21 <nimaje> and if it is not enought for you, you can use dtrace
22:31:35 <Ober> ahh issue was pcscd was having issues with polkit. disabling that fixed it
23:05:19 <levitating> figured it out
23:05:22 <levitating> with collectd