DaemonForums > OpenBSD > OpenBSD Security

#1
1st October 2018
bsd007 (Always learning)
Join Date: Sep 2014
Posts: 242

How is this secure?

Hi,

If OpenBSD's main focus is on security, how come by default Firefox is not updated to the latest version?

Also, why is pf.conf so relaxed?

I am not trying to start an argument. I am just curious.

Last edited by bsd007; 1st October 2018 at 02:18 PM.
#2
1st October 2018
Head_on_a_Stick (Real Name: Matthew; Bitchy Nerd Elitist)
Join Date: Dec 2015
Location: London
Posts: 461

Quote:
Originally Posted by bsd007 View Post
how come by default Firefox is not updated to the latest version?
OpenBSD -current has the latest version of both www/mozilla-firefox & www/firefox-esr and I think you were told how to get them running in -stable or -release in a recent thread[1].

The project only supplies binary package updates for -current, users of -stable & -release are expected to build their own (or use Landry's packages), I think.

The ever-useful FAQ has a relevant section:
Quote:
Originally Posted by FAQ
For third party software installed via packages, there are two options:
  • Upgrade your system to -current and use binary packages
    Binary packages for -current snapshots are rebuilt on a regular basis, and these new packages will include any security fixes that were committed. Simply call pkg_add(1) with the -u flag to get the new files.
  • Use the -stable ports tree
    Fetch (or update) your ports tree, run the /usr/ports/infrastructure/bin/out-of-date script to list any packages in need of rebuilding, and issue make update in the affected port directory. To be alerted of port updates, consider following the ports-changes mailing list.
https://www.openbsd.org/faq/faq10.html#Patches

Anyway, www/chromium should probably be favoured because the privsep model is better and it has full integration with both pledge(2) and unveil(2): I run mine with
Code:
/usr/local/bin/chrome --enable-unveil
and the entire filesystem tree (except ~/Downloads) is then hidden from the browser

[1] http://daemonforums.org/showthread.php?t=10734
#3
1st October 2018
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 7,977

Quote:
Originally Posted by bsd007 View Post
... how come by default Firefox is not updated to the latest version?
There are three flavors of this OS. You are using the flavor known as "-release."

1. -release
There are 2 releases per year, on or about May 1 and November 1.
Releases are created at a fixed point in time, and once published are never revised. This includes the base OS as well as third party packages such as Firefox.

Errata patches to the base OS may be developed and published. These are published in source code form on the website. For some popular architectures, errata patches are also published in binary form and deployed through the syspatch(8) utility.
2. -stable
Errata patches -- plus any minor OS patches not deemed important enough to be published as errata patches -- are committed to the source code repository as the -stable branch of the OS.
Some ports may receive updates under the -stable branch, if they qualify. The updates must address Common Vulnerabilities and Exposures (CVEs) and require no library changes to be considered for the -stable branch.

As explained to you previously, -stable packages are not built by the Project, as it lacks the resources to produce them. As I'd noted in that thread, users can build -stable packages from the Ports tree, or obtain them from M:Tier, or -- specifically for Firefox -- obtain them from the port's Maintainer.
3. -current
This is the development branch of the OS. While -current changes constantly, the Project produces snapshots of the OS for installation or upgrade. The snapshot cadence varies by architecture and development needs.

For the convenience of the user community, the Project also produces "snapshot" packages from the Ports tree for the most popular architectures.
Quote:
Also, why is pf.conf so relaxed?
The initial installation makes no assumptions about network use-cases or initial deployment requirements. For example, your personal workstation's network deployment will have nothing in common with my public-facing remote servers' network deployment requirements. You may have access to your keyboard and screen, if for some reason network access is blocked for you. Me? Not necessarily.

Last edited by jggimi; 1st October 2018 at 03:56 PM. Reason: clarity
#4
1st October 2018
bsd007 (Always learning)
Join Date: Sep 2014
Posts: 242

@Head_on_a_Stick

Thanks for replying.

@jggimi

Quote:
As explained to you previously, -stable packages are not built by the Project, as it lacks the resources to produce them. As I'd noted in that thread, users can build -stable packages from the Ports tree, or obtain them from M:Tier, or -- specifically for Firefox -- obtain them from the port's Maintainer.
Do you think adding an "unofficial mirror" may introduce unknown vulnerabilities?

Sorry for being repetitive, but can I add a mirror to /etc/installurl and update Firefox?
#5
1st October 2018
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 7,977

Quote:
Originally Posted by bsd007 View Post
@Head_on_a_Stick

Thanks for replying.

@jggimi

Do you think adding an "unofficial mirror" may introduce unknown vulnerabilities?

Sorry for being repetitive, but can I add a mirror to /etc/installurl and update Firefox?
Are you asking me, "Do you trust Landry?" If so, my answer is "Yes." While we've never met, I've been in communication with him for years, and he is an active member of the OpenBSD Project - meaning he is an OpenBSD developer. I understand he is also a Firefox developer.

If you mean, "Do you trust M:Tier?" my answer is, "Yes. It is a commercial company, that happens to have a number of OpenBSD developers on its staff, and that has been providing -stable services to the OpenBSD community for several years."
#6
1st October 2018
bsd007 (Always learning)
Join Date: Sep 2014
Posts: 242

Quote:
Originally Posted by jggimi View Post
Are you asking me, "Do you trust Landry?" If so, my answer is "Yes." While we've never met, I've been in communication with him for years, and he is an active member of the OpenBSD Project - meaning he is an OpenBSD developer. I understand he is also a Firefox developer.

If you mean, "Do you trust M:Tier?" my answer is, "Yes. It is a commercial company, that happens to have a number of OpenBSD developers on its staff, and that has been providing -stable services to the OpenBSD community for several years."
Can I add a mirror to /etc/installurl and upgrade Firefox that way?
#7
1st October 2018
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 7,977

As per the prior thread, and Landry's instructions, use the $PKG_PATH environment variable to override using your installurl(5) file. Per its man page, only a single site can be named in the file.
#8
1st October 2018
bsd007 (Always learning)
Join Date: Sep 2014
Posts: 242

Quote:
Originally Posted by jggimi View Post
As per the prior thread, and Landry's instructions, use the $PKG_PATH environment variable to override using your installurl(5) file. Per its man page, only a single site can be named in the file.
I am getting this

Code:
$ doas env PKG_PATH=https://packages.rhaalovely.net/snapshots/amd64/ pkg_add -u firefox
doas (none@home.my.domain) password: 
https://packages.rhaalovely.net/snapshots/amd64/firefox-63.0beta10.tgz: signify: can't open /etc/signify/landry-mozilla-pkg.pub for reading: No such file or directory
#9
1st October 2018
bsd007 (Always learning)
Join Date: Sep 2014
Posts: 242

Also, is the above adding of a mirror permanent? Will it survive a reboot?
1st October 2018
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 7,977

Quote:
Originally Posted by bsd007 View Post
I am getting this
You did not download and install his key, as noted in his instructions and as noted in the prior thread.
Quote:
Also, is the above adding of a mirror permanent? Will it survive a reboot?
No, it is a command you have copied and pasted. You could store it in a shell script for your convenience.
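The two points in the post above (the missing signify key, and the fact that the PKG_PATH override is a one-off command that can live in a shell script) can be combined. The script below is an added example, not from the thread, from Landry's instructions or from the OpenBSD project: it refuses to call pkg_add until the maintainer's signify public key is present and looks like a signify key, and otherwise builds the same `env PKG_PATH=... pkg_add -u` command line that was pasted earlier. The package URL and key path are the ones quoted in the thread; the function names (`check_key`, `build_cmd`, `update_pkgs`), the `DRY_RUN` switch and the environment variable names are choices made here.

```shell
#!/bin/sh
# Added example (not code from the thread): keep the PKG_PATH override in a
# script and verify the maintainer's signify key is installed before pkg_add
# is asked to fetch anything. Defaults are the values quoted in the thread;
# the key path must match whatever the maintainer's instructions name.

PKG_PATH_OVERRIDE="${PKG_PATH_OVERRIDE:-https://packages.rhaalovely.net/snapshots/amd64/}"
SIGNIFY_KEY="${SIGNIFY_KEY:-/etc/signify/landry-mozilla-pkg.pub}"

# check_key <path>: 0 if the signify public key is present, readable and has
# the expected two-line layout; 1 otherwise (this is the failure shown above).
check_key() {
    key="$1"
    if [ ! -r "$key" ]; then
        printf 'signify key %s is missing or unreadable; install it first\n' "$key" >&2
        return 1
    fi
    # A signify(1) public key starts with an "untrusted comment:" line
    # followed by the base64 key material.
    if ! head -n 1 "$key" | grep -q '^untrusted comment:'; then
        printf '%s does not look like a signify public key\n' "$key" >&2
        return 1
    fi
    return 0
}

# build_cmd <pkg_path> <pkg...>: print the command line that would be run,
# so it can be inspected before being executed with doas.
build_cmd() {
    pkg_path="$1"; shift
    printf 'env PKG_PATH=%s pkg_add -u %s\n' "$pkg_path" "$*"
}

# update_pkgs <key> <pkg_path> <pkg...>: run the update only if the key passes.
# Set DRY_RUN=1 to print the command instead of executing it.
update_pkgs() {
    key="$1"; pkg_path="$2"; shift 2
    check_key "$key" || return 1
    cmd=$(build_cmd "$pkg_path" "$@")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
        return 0
    fi
    # pkg_add needs root; doas(1) prompts for the password as in the thread.
    doas env PKG_PATH="$pkg_path" pkg_add -u "$@"
}

# Stand-alone use, e.g.:  ./update-firefox.sh firefox
if [ "$#" -gt 0 ]; then
    update_pkgs "$SIGNIFY_KEY" "$PKG_PATH_OVERRIDE" "$@"
fi
```

Because the override lives only in the script's environment, /etc/installurl (which installurl(5) limits to a single site) stays pointed at the official mirror, and the maintainer's packages are still verified against his key by pkg_add as usual; the script only makes the missing-key case fail early with a clearer message.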
1st October 2018
ocicat (Administrator)
Join Date: Apr 2008
Posts: 3,318

bsd007, in the future please limit threads to a single question/topic.

For many on this site, English is not their first language, and technical discussion is difficult enough to have multiple topics so intertwined together. So to simplify discussion for everyone involved, start a new thread when you have a new unrelated question.

1st October 2018
bsd007 (Always learning)
Join Date: Sep 2014
Posts: 242

@ocicat
Okay, sorry for the confusion.