AGWA

// Migrate an old-style git-crypt revamp branch key to a new-style git-crypt revamp branch key.
// Reads old key from stdin and writes new key to stdout.
// Compile with: c++ -o migrate-revamp-key migrate-revamp-key.cpp

#include <iostream>
#include <cstdlib>
#include <cstring>

static void grab (char* p, std::streamsize len)
{

AGWA

diff -ru _1/apt-0.9.7.9+deb7u4/apt-pkg/acquire-item.cc _2/apt-0.9.7.9+deb7u5/apt-pkg/acquire-item.cc
--- _1/apt-0.9.7.9+deb7u4/apt-pkg/acquire-item.cc	2014-09-17 07:30:35.000000000 -0700
+++ _2/apt-0.9.7.9+deb7u5/apt-pkg/acquire-item.cc	2014-09-22 23:56:57.000000000 -0700
@@ -970,6 +970,12 @@
    else
       Local = true;
 
+   // do not reverify cdrom sources as apt-cdrom may rewrite the Packages
+   // file when its doing the indexcopy
+   if (RealURI.substr(0,6) == "cdrom:" &&

AGWA

pkgname=git-crypt
pkgver=0.4.2
pkgrel=1
pkgdesc="Transparent file encryption in Git"
arch=('i686' 'x86_64')
url="https://www.agwa.name/projects/${pkgname}/"
license=('GPL3')
depends=('git' 'openssl')
provides=("$pkgname")
conflicts=("${pkgname}-git")

AGWA

// This is C++11-only because it assumes that std::strings can
// be accessed and mutated as a contiguous sequence of chars.
std::string	sys::readlink (const char* pathname)
{
	std::string		buffer(64, '\0');
	ssize_t			len;

	while ((len = ::readlink(pathname, &buffer[0], buffer.size())) == static_cast<ssize_t>(buffer.size())) {
		// buffer may have been truncated - grow and try again
		buffer.resize(buffer.size() * 2);

AGWA

/* 
 * Adds name constraints to a certificate.  Useful if you need to
 * import your organization's private CA into your web browser, but
 * you only want to trust it for your organization's domains and not
 * the Internet at large.
 *
 * The certificate is re-signed by an ephemeral issuer with a random
 * key so you don't need access to the private key.  A random serial number
 * is placed in the Issuer DN so browsers don't attempt to verify the
 * signature when you import the certificate.

AGWA

AC Ra\xC3\xADz Certic\xC3\xA1mara S.A. (server trust = CKT_NSS_MUST_VERIFY_TRUST)
ComSign CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure Global eBusiness CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure eBusiness CA 1 (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Business (Class B) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Express (Class C) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Qualified (Class QA) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
S-TRUST Authentication and Encryption Root CA 2005 PN (server trust = CKT_NSS_MUST_VERIFY_TRUST)
S-TRUST Universal Root CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)

AGWA

addkeystoagent
addressfamily
afstokenpassing
batchmode
bindaddress
canonicaldomains
canonicalizefallbacklocal
canonicalizehostname
canonicalizemaxdots
canonicalizepermittedcnames

AGWA

Date: Mon, 5 Oct 2015 16:34:03 -0700

Apache caches an OCSP response for one hour by default. Unfortunately, once the hour is up, the response is purged from the cache, and Apache doesn't attempt to retrieve a new one until the next TLS handshake takes place. That means that if there's a problem contacting the OCSP responder at that moment, Apache is left without an OCSP response to staple. Furthermore, it caches the non-response for 10 minutes (by default), so for the next 10 minutes, no OCSP response will be stapled to your

AGWA

/*
 * Demonstrates that LibreSSL's PRNG is not fork-safe on Linux.
 * See https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
 * This code is in the public domain.
 */

#include <openssl/rand.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

AGWA

Save the route script to /usr/local/lib/openvpn/route on the client. Make it executable with chmod +x.

Remove the push redirect-gateway option from the OpenVPN server config.

Add these options to the OpenVPN client config:

setenv OPENVPN_ROUTE_TABLE 94
route-noexec
route-up /usr/local/lib/openvpn/route
route 0.0.0.0 128.0.0.0