Project Wycheproof provides test vectors for crypto algorithms including AES,
DH, DSA, ECDH, ECDSA, and RSA. These vectors allow to detect whether a library
is vulnerable to many attacks, including invalid curve attacks, biased nonces
in digital signature schemes, and all Bleichenbacher attacks.
ok jsing sthen
I am commiting this so that work can continue in tree because the diff
is starting to get really big. This commit includes several changes
required for unveil(2) described below:
- overhaul of the sandboxing code for pledge(2) to match what is being
done on other platforms
- avoid using /dev/urandom and switch to arc4random(3) or arc4random_buf(3)
- start using pledge(2) for the main browser process as well, disabled by
default for now as the list changes rapidly. The list of pledges are read
from the /etc/chromium/pledge.main file if available. When this is complete
the list of pledges will be hardcoded just as it is for the other process
types.
- add the --enable-unveil flag to use unveil(2) in all of the browser processes
by reading the list of unveil'd paths from files located in /etc/chromium,
e.g.: /etc/chromium/unveil.main or /etc/chromium/unveil.gpu.
These files are not included in the package by default as they are work in
progress. If you want to help please visit: https://github.com/rnagy/chromium
- if unveil(2) is used, chromium will not be able to access most of the filesystem
so for example if you would like to download or upload something, only the unveil'd
paths are going to be available, which is by default include ~/Downloads.
surprising.
It's always controlled by MODPY_BUILDDEP, which defaults to Yes
usually, unless NO_BUILD=Yes is set, and then it defaults to No.
this caters to matthieu's xcbgen port
okay aja@, rpointel@
- move the logic for choosing junk into add_tasks
- create specific finalize hooks at end of extract and configure
so that nojunk only starts at end of extract, thus gaining a few
(precious) minutes for big nojunk ports
- introduce noconfigurejunk logic, so that a port may configure without
junking opening. This should fix sporadic bugs in automake-based ports
without locking junking for the full build (roughly 200 ports are
affected)
sync with what we had on the system during an update (because
update-mime-database(1) is now only run once at the end). That triggered some
weird behaviors if you 'pkg_add -u' while running on a fd.o Desktop as spotted
by landry@.
With this change we are now doing what most other BSD/Linux are doing, we dont't
package the files/dirs created by update-mime-database anymore and use some
@unexec-delete dance to cope with the removal of this extra stuff. So everything
should be in-sync at a given time.
input from espie@
