For the convenience of the user community, M:Tier provides binary builds of -stable, the patch branch of OpenBSD. The OpenBSD Project does not have the resources to do so.
As described in OpenBSD FAQ 5.1, -stable includes published errata and may also include patches by the Project that are not in the errata. If so these are either less critical or have a narrow use case. In addition to OpenBSD itself, the ports tree may also have patches tagged as -stable. As with the OS, these are patches for stability or security for ports which do not require library changes. See OpenBSD FAQ 15.3.10.
Last edited by jggimi; 15th November 2014 at 11:49 PM. Reason: typo, and clarity
|
||||
Generally the errata is for those who want to stick with -RELEASE and just apply the security patches (someone please feel free to correct me here), whereas syncing your sources to -STABLE (with CVS) and rebuilding the base system is for those who actually want to follow -STABLE (probably ports tree included). So presumably if M:Tier provides binary builds of stable (no idea), then the same applies - and you would probably not want to combine it with patches on the errata page.
|
|
||||
Thanks for the reply, cynwulf. I'm using the install56 ISO from the OpenBSD mirrors to install OpenBSD 5.6. Can someone tell me if it is acceptable to use both the errata and openup on an OpenBSD 5.6 install? I'm not sure if I'm reading these replies correctly. Perhaps I'm mixing up what stable and release mean. Sorry for the extra noise in this channel.
Thanks for any and all replies.
__________________
hitest
|
||||
I hope this helps clarify.
Run -release+errata, or run -stable. The choice is yours. Some people may require a -stable patch that was not published as errata, so they must run it. Others may find maintaining -stable is easier than manually building modules affected by errata, whether building -stable themselves, or using the M:Tier provided kernels and filesets.
|
|||
Would I be correct in thinking that it would be a mistake to connect one's freshly installed 5.6 release directly to the Internet and then execute openup (with certificate in place)?
|
|
|||
How would I configure named (or unbound which I think is now in base) to resolve mtier.org?
Last edited by gso; 26th November 2014 at 09:10 PM.
|
||||
Do you need to operate your own nameserver? Looking at this same use case --- your first installation of a new system, you need only point your resolver at your ISP's nameserver.
If you are using DHCP for dynamic IP address configuration, the DHCP server would provide your system with the IP address(es) of your nameserver(s) at connection time. On OpenBSD, the resolver is configured by the dhclient(8) program, which is either run manually by the admin -- you, now -- or run at boot time by specifying "dhcp" in the applicable hostname.if(5) file. The program does this by altering your resolv.conf(5) file when it receives its assigned IP address and any nameserver IP address(es) from the DHCP server it contacts. If you assign static IP addresses, you would edit /etc/resolv.conf manually, or you would let the installation script edit the file on your behalf by providing a nameserver IP address during installation.
Last edited by jggimi; 26th November 2014 at 09:15 PM. Reason: typos
|
|||
I wouldn't normally consider unencrypted DNS, however the issue I was experiencing seems to have been resolved with the dhclient.conf supersede modifier and DHCP DNS option to override the DHCP-provided DNS with an alternative server (advertising enhanced security as a feature in this instance). Why this should make all the difference I'm not sure. Maybe the DNS should not be left to ISP defaults?
With this, M:Tier (provisionally at least) seems to have done the job fine. The only point I would note is that, if not previously copied into /etc/signify, the mtier public key is downloaded with ftp; the $FETCH var. at the top of the openup script, though, can be used to change the download method. Security-hardened and socksified firefox-esr seems to be holding out also.
Last edited by gso; 27th November 2014 at 02:37 PM.
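Added example, not part of the original post and not code from openup or M:Tier: one way to pre-place a signing key in /etc/signify, as the post above mentions, only after checking it against a SHA-256 digest obtained out of band, so that the first run does not depend on a key fetched over ftp. The function names, the key file name and the pinned digest are hypothetical placeholders; the thread gives neither the real key file name nor its digest.

```sh
#!/bin/sh
# Added example (not from the thread or from openup). All names are hypothetical.

# Print the SHA-256 hex digest of a file with whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1            # GNU coreutils
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q < "$1"                            # OpenBSD base
    else
        openssl dgst -sha256 -r < "$1" | cut -d' ' -f1
    fi
}

# verify_pinned_key KEYFILE EXPECTED_SHA256
# Returns 0 only when KEYFILE is a regular file (not a symlink) whose digest
# equals the pin; 1 on mismatch, 2 when the file is missing or unsuitable.
verify_pinned_key() {
    keyfile=$1
    pin=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ ! -f "$keyfile" ] || [ -L "$keyfile" ]; then
        echo "refusing: $keyfile is missing or not a regular file" >&2
        return 2
    fi
    actual=$(sha256_of "$keyfile")
    if [ ${#actual} -eq 64 ] && [ "$actual" = "$pin" ]; then
        return 0
    fi
    echo "refusing: digest of $keyfile does not match the pinned value" >&2
    return 1
}

# install_pinned_key KEYFILE EXPECTED_SHA256 [DESTDIR]
# Copies the key into DESTDIR (default /etc/signify) only after it verifies.
install_pinned_key() {
    dest=${3:-/etc/signify}
    verify_pinned_key "$1" "$2" || return $?
    cp "$1" "$dest/" && chmod 0444 "$dest/$(basename "$1")"
}
```

The pin is only as trustworthy as the channel it came from, so take it from a source independent of the one that served the key file.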
|
||||
There are OpenBSD users who would say that is an oxymoron. There is an active thread on the misc@ mailing list where a user is attempting to isolate FF with various methods. Other users have chimed in to try to help.
http://marc.info/?t=141616714600001&r=1&w=2