Our next p2k19 report comes from Jeremy Evans (jeremy@):
While I had originally planned to attend the entire hackathon, circumstances changed and I was only able to make it there for a few days. Still, I was able to get some work done.
This year having been a bit hectic with work and house renovation, i was really planning to enjoy bucarest as the first real break of the year.. and it definitely was a blast.
Fresh from Bucharest is this story from Martin Pieuchot (mpi@) with his experience from p2k19:
Since I attend OpenBSD hackathons, I hear stories about how crazy are the ports hackathons. So I try my best to look like a porter in order to experience this craziness. I must admit p2k19 was awesome but the craziness of port hackathons is still an enigma to me.
Damien Miller (djm@) posted to tech@:
Hi, I just committed all the dependencies for OpenSSH security key (U2F) support to base and tweaked OpenSSH to use them directly. This means there will be no additional configuration hoops to jump through to use U2F/FIDO2 security keys.
I already came to Bucharest a year ago for EuroBSDcon, but I welcomed the
chance at spending more time here, especially at a hackathon organized
by Paul, who is such a great guy.
I heard that there was a lot of chanting involved around the city, but we
had magical weather, totally unseasonally warm and sunny for november
in Romania.
Theo de Raadt (deraadt@) posted to tech@:
The ntpd options -s and -S are going to be removed soon and at startup with print: -s option no longer works and will be removed soon. Please reconfigure to use constraints or trusted servers. Probably after 6.7 we'll delete the warning. Maybe for 6.8 we'll remove -s and -S from getopt, and starting with those options will fail. Effective immediately, the -s option stops doing what you expect. It now does nothing. Big improvements have happened in ntpd recently. At startup, ntpd aggressively tries to learn from NTP packets validated by constraints, and set the time. That means a smarter variation of -s is the default, but the information is now *VALIDATED* by constraints. 2 additional constraints have been added. If you have upgraded, please review /etc/examples/ntpd.conf for modern use Those who cannot use https constraints, can instead tag server lines with the keyword "trusted", which means you believe MITM attacks are not possible on the network to those specific NTP servers. Do this only on servers directly connected over trusted network. If someone does "servers pool.ntp.org trusted", we're going to have a great laugh. We're creating something a bit complex, but our goal is for every machine to have a close approximation of correct time. If we get there, some good things will happen. Some serious cargo-culting for using -s has gotten in the way (-s performs no MITM checks).