guest - flak

the peculiar libretunnel situation

The author of stunnel has (once, twice) asserted that stunnel may not be used with LibreSSL, only with OpenSSL. This is perhaps a strange thing for free software to do, and it creates the potential for some very weird consequences.

First, some background. The OpenSSL license and the GPL are both free software licenses, but they are different flavors of freedom, meaning you can’t mix them. It would be like mixing savory and sweet. Can’t do it. Alright, so maybe technically you can do it, but you’re not supposed to. The flavor, er, freedom police will come get you. One workaround is for the GPL software to say, oh, but maybe wait, here’s an exception. (Does this make the software more or less free?) Here’s a longer explanation with sample exception.


Posted 2015-09-01 04:29:06 by tedu Updated: 2015-09-01 04:29:06
Tagged: politics software

OpenBSD on EdgeRouter Lite

The Ubiquiti EdgeRouter Lite machine is an interesting alternative for a light router/gateway. It’s cheap, small, low power, and includes three network interfaces. Almost like it’s purpose-built to be a router. The OpenBSD octeon port has partially supported the ERL for a while, but with the 5.8 release comes support for the onboard storage, making it a viable standalone system.

The web page and INSTALL.octeon file have more extensive notes, but sometimes it can be too much info. Here’s the short version.

Do a network install. On the network side, you need a DHCP and tftpd server, with the octeon bsd.rd in /tftproot.


Posted 2015-08-18 12:03:38 by tedu Updated: 2015-08-25 01:08:32
Tagged: computers gadget openbsd

a prettier web, not a thicker one

There’s been a lot of fuss recently about the state of the web. quirksmode got the party started by telling us to stop pushing the web forward. Enough, enough, there’s too much! From the other direction, The Verge points out it’s really only too much because Microsoft refuses to release IE for iPhone. Whatever. For the morbidly curious, two fairly long recaps are Stop blaming the web. Stop breaking the web. and What’s wrong with the web?

Mostly the focus has been on overwhelming cognitive load for developers and a worsening user experience for, uh, users. What about security? Or privacy? The things nobody cares about because they can’t be A/B tested. Let’s take a look at a few feature fuckups. Bear with me, I had to dig to find these examples, so some links could be as much as a month old.


Posted 2015-08-13 17:05:33 by tedu Updated: 2015-08-13 17:05:33
Tagged: software thoughts web

refined spam typography

From a random spam:

font-family: Cambria, "Hoefler Text", "Liberation Serif", Times, "Times New Roman", serif;

So we’ve got Windows, Mac, and... Linux? Well, some Linux. No love for DejaVu fonts I guess.

Posted 2015-08-10 00:33:22 by tedu Updated: 2015-08-10 00:33:22
Tagged: mailfail

on the detection of quantum insert

The NSA has a secret project, called QUANTUM INSERT, that can redirect web browsers to sites containing more sophisticated exploits. (Do I still need to say allegedly?) It works by injecting packets into the TCP stream, though overwriting the stream may be a more accurate description. Refer to Deep dive into QUANTUM INSERT for more details. At the end of that post, there are links to some code that can help one detect QI attacks in the wild. As noted by Wired and Bruce Schneier, among dozens of others, now we can defend ourselves against this attack (well, at least detect it).


Posted 2015-08-06 02:24:12 by tedu Updated: 2015-08-06 02:24:12
Tagged: project security software web

bad robot

The best part of running your own server is definitely reviewing the logs. There are a lot of silly people out there, and each and every one of them has written a program that would like to visit your server.

The fun comes from watching each bot, then trying to guess the nature of the bug.


Posted 2015-08-04 11:34:08 by tedu Updated: 2015-08-04 11:34:08
Tagged: rants software web

from distribution to project

OpenBSD is going through something of a minimalist phase right now, but that wasn’t always the case. There was definitely an era of aggressive importation as well. Times change, priorities change, projects change. I wasn’t involved with OpenBSD during the early years, but I think I can explain the shift in attitudes. This is part three of an apparently ongoing series that started with Pruning and Polishing and out with the old, in with the less.

Kirk is really the guy who knows the early history, so I’ll keep this section short to avoid making mistakes. The CSRG wrote quite a lot of code, but they also reused lots of the original unix code. Hence, distribution. BSD wasn’t just an operating system; it was a distribution of a particular operating system. That changed as more code was replaced moving towards the lite releases, but collecting and curating remained important functions. Some pretty big components, e.g. NFS, were developed elsewhere and incorporated.


Posted 2015-07-31 03:52:04 by tedu Updated: 2015-07-31 03:52:04
Tagged: openbsd

doas - dedicated openbsd application subexecutor

Three days of the doas.

I started working on doas quite some time ago after some personal issues with the default sudo config. The “safe environment” was under constant revision and I regularly found myself unable to run pkg_add or build a flavored port or whatever because the expected variables were being excised from the environment. If I had been paying attention, keeping sudoers up to date probably would not have been such an ordeal, but I don’t like change.

The core of the problem was really that some people like to use sudo to build elaborate sysadmin infrastructures with highly refined sets of permissions and checks and balances. Some people (me) like to use sudo to get a root shell without remembering two passwords. And so there was considerable tension trying to ship a default config that would mostly work with the second group, but not be too permissive for the first group.


Posted 2015-07-20 04:25:50 by tedu Updated: 2015-07-20 14:22:09
Tagged: openbsd software

branchless development

Among other developmental heresies, I’m also a believer in everybody working in the same branch. I’ve dropped hints from time to time, and of course OpenBSD practitioners are familiar with this ideology, but I’ve only tried explaining it in full to a few coworkers. Who sat through my talk alternating between being shocked and appalled. Good times.

There’s not much of a narrative here, just some scattered thoughts. Now revised with a few more thoughts. No promises about the cohesion, however. This post started out as a longer form followup to Why OpenBSD doesn’t use GitHub but it’s gone in a slightly different direction. (Wow, that email is three years old.)


Posted 2015-07-19 03:40:03 by tedu Updated: 2015-07-28 16:05:30
Tagged: programming thoughts

help wan

A reminder to leave the artisanal kerning to the professionals.

Who’s Wan?

Posted 2015-07-15 02:32:30 by tedu Updated: 2015-07-15 02:32:30
Tagged: quote