Re-order WRKDIST assignment in bsd.port.mk, so that dist-tuple can work
with it. So far, it has been bypassed in common cases by the logic for
DISTNAME. With this in place, add the quirk for codeberg which uses
${WKRDIR}/${_project} as the WRKDIST.
With this, ports using DIST_TUPLE=codeberg... should no longer need to
set WRKDIST.
ok sthen@
Some new intel machines have a new 3rd tier of cpus called LP-E which are
E-core (Atom) without L3 cache. These cpus are Lethargic, and it sucks
when processes migrate to them.
This introduces sysctl hw.blockcpu= which takes a sequence of 4 letters.
S (for SMT), P (regular performance cpu), E (efficient cpu) generally
80% to 50% as fast), and L (lethargic cpu) which are even slower.
By setting this, you can select cpus to kick out of the scheduler. The
default is SL.
The hw.smt sysctl remains for now but we will eventually delete it.
hw.smt changes and follows hw.blockcpu=S.
ok kettenis mlarkin
Fix an off-by-one error in the X.509 verifier depth checking.
In x509_verify_build_chains(), ensure that we check the current depth
against max_depth prior to turning it into a legacy-style depth index.
Additionally, add a guard to x509_verify_chain_append() so that we avoid
exceeding the maximum certs per chain, even if we fail to handle this
correctly elsewhere. Also prevent the legacy callback from being able
to override the maximum verification depth.
The current off-by-one allows for a 4 byte overwrite to occur on heap
allocated memory - this will likely trigger a crash on OpenBSD (but may
go unnoticed elsewhere). This is only reachable if a TLS client is talking
to a malicious server or if a TLS server has client certificate
verification enabled - in both cases the verification depth also needs to
be set to the maximum allowed value of 32.
It is worth noting that many TLS clients/servers set the maximum
verification depth to a value that is much less than the default. A libtls
client or server uses a default depth of 6 and is not impacted in this
[6 lines not shown]
Update prometheus to the last LTS release (3.5.1)
This drops two patches which are unneeded. First the Makefile workaround
to skip the asset build step is unneeded, instead use
PREBUILT_ASSETS_STATIC_DIR. Second drop the compress_assets.sh diff
and replace it with a BDEP on shell/bash -- too much bashism there.
Update the patch-mmap_openbsd to work with 3.5.1 and extend it to also
cover the chunks and head chunks. This should fix a frequent panic seen
when head chunks are rotated.
Note: all of this is an ugly workaround because OpenBSD lacks a unified
view between mmap and read/write calls.
Some help and testing done by Alvar Penning (post at 0x21.biz)
OK sthen@
update to rspamd-4.0.0
this probably won't affect most users, but:
"Action required for per-user Bayes with Redis sharding: Jump Hash has
been replaced with Ring Hash (Ketama). Run rspamadm statistics_dump
migrate after upgrading or accept temporary accuracy loss as data is
re-learned. Single Redis server setups are not affected."
Reorganize structure of key_code so that it can be built directly by
bitshifts rather than a load of huge switches, from Dane Jensen in
GitHub issue 4953.
