Thursday, March 31, 2016
[CentOS-announce] CEBA-2016:0535 CentOS 7 cronie BugFix Update
Upstream details at : https://rhn.redhat.com/errata/RHBA-2016-0535.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
x86_64:
6cbc2a145c8565672ac0fd8222f375138c34dee9144973365088c9ae00921c23 cronie-1.4.11-14.el7_2.1.x86_64.rpm
e0ba173ab2c53f7e7527495167634002b90aeb4d7e573ed4325d963f0d1d7c65 cronie-anacron-1.4.11-14.el7_2.1.x86_64.rpm
e14273ce8b113ecb16d0bc6e5fc071e604e40af59fdbb01b2fcd6b9ee61501ff cronie-noanacron-1.4.11-14.el7_2.1.x86_64.rpm
Source:
a1c540497ed23d1f419cd0599df2432427c563e23d7eebdf2b2c2e4d30ce4189 cronie-1.4.11-14.el7_2.1.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS
_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
[CentOS-announce] CESA-2016:0534 Moderate CentOS 7 mariadb Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-0534.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
x86_64:
c01db8b118b3e59621a66e96500394af902549b75fe14e65e322d592b2c0ef04 mariadb-5.5.47-1.el7_2.x86_64.rpm
a01e21102e496b2fd0f43a2a42e3a52fbe6be3ff9a1f9735af6ba33e8f62271a mariadb-bench-5.5.47-1.el7_2.x86_64.rpm
4bd9e39cca84b859b56c987e406f56059de07184c3282794712ee22be50d36be mariadb-devel-5.5.47-1.el7_2.i686.rpm
9d6c6b54ec4ad6840e276b3577eef03b2d87a2877a5a79de4865b74a2636ab06 mariadb-devel-5.5.47-1.el7_2.x86_64.rpm
d0692319b0a84a16ed8bbec7259a5fa4c4c8be40f3c3e6767f07e1b628a3cd08 mariadb-embedded-5.5.47-1.el7_2.i686.rpm
7b8ac0c33a44eb597e71a4516e9c1300c0d8cbf2c014d1a9de7d08b4c562793a mariadb-embedded-5.5.47-1.el7_2.x86_64.rpm
0d173b25265cdc3fe078dc6ba4d03a34f8dcd355fc02146b7ab6bedf3d4e5930 mariadb-embedded-devel-5.5.47-1.el7_2.i686.rpm
f865617ecb03fab6ee3a3b4b7dd8f214136dd571d410e291c5e34c4e69bde36f mariadb-embedded-devel-5.5.47-1.el7_2.x86_64.rpm
a65118325f134af83f6e3d6c8b8f319b735158fa82a7ee01403cc33f81c66b0c mariadb-libs-5.5.47-1.el7_2.i686.rpm
b18a582dc3bb5423ac7ac36ee8a3df75c647df69fec361b207db1b3c59695bbb mariadb-libs-5.5.47-1.el7_2.x86_64.rpm
fca7d47e6e4a7839f2a319589b09e2140fc5e3c87dc9fd41457d5cbe9e0b48bb mariadb-server-5.5.47-1.el7_2.x86_64.rpm
8264196ee234079505c8cbdbc477acbbcdd60de30fe897e6daf99d72e1b00ede mariadb-test-5.5.47-1.el7_2.x86_64.rpm
Source:
6c526f0c743b13e33d8c5a47778b71ca2447244d4d7d844f993e7fd64180b44a mariadb-5.5.47-1.el7_2.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS
Fedora 24 Alpha for POWER
final release. Download the prerelease from our Get Fedora site:
- Get Fedora 24 Alpha Workstation https://getfedora.org/en/workstation/prerelease/
- Get Fedora 24 Alpha Server https://getfedora.org/en/server/prerelease/
- Get Fedora 24 Alpha Cloud https://getfedora.org/en/cloud/prerelease/
- Get Fedora 24 Alpha Spins https://spins.fedoraproject.org/prerelease
- Get Fedora 24 Alpha Labs https://labs.fedoraproject.org/prerelease
- Get Fedora 24 Alpha ARM https://arm.fedoraproject.org/prerelease
What is the Alpha release?
--------------------------
The Alpha release contains all the features of Fedora 24's editions in
a form that anyone can help test. This testing, guided by the Fedora
QA team, helps us target and identify bugs. When these bugs are fixed,
we make a Beta release available. A Beta release is code-complete and
bears a very strong resemblance to the third and final release. The
final release of Fedora 24 is expected in June.
If you take the time to download and try out the Alpha, you can check
and make sure the things that are important to YOU are working. Every
bug you find and report doesn't just help you, it improves the
experience of millions of Fedora users worldwide!
Together, we can make Fedora rock-solid. We have a culture of
coordinating new features and pushing fixes upstream as much as we
can, and your feedback improves not only Fedora, but Linux and Free
software as a whole.
* https://fedoraproject.org/wiki/Releases/24/Schedule
* https://fedoraproject.org/wiki/How_to_file_a_bug_report
Fedora-Wide Changes
-------------------
Under the hood, glibc has moved to 2.23. The update includes better
performance, many bugfixes and improvements to POSIX compliance, and
additional locales. The new library is backwards compatible with the
version of glibc that was shipped in Fedora 23, and includes a number
of security and bug fixes.
We've also updated the system compiler to GCC 6 and rebuilt all
packages with that, providing greater code optimization and catching
programming errors which had slipped past previous compilers.
In ppc64/ppc64le golang 1.6 brings all the same golang functionality that
other architectures have enjoyed enabling all the features and apps
that are available there such as docker.
Server
------
- FreeIPA 4.3 (Domain Controller role) is included in Fedora 24. This
version helps streamline installation of replicas by adding a
replica promotion method for new installs. A new topology plugin has
also been added that automatically manages new replication segment
creation. An effective replica topology visualization tool is also
available in the webUI.
- NodeJS 4 is now available for aarch64. Earlier versions of nodejs have
been available on primary architectures for some time. With nodejs4 we
now bring all the functionality to aarch64 too.
- More packages have been removed from the default Server edition to
make the footprint of the default installation smaller.
Cloud
-----
- For Fedora 24, we're working hard to make Fedora the best platform
for developing containers, from the base Fedora container images to
a full-featured PaaS to run and manage them.
- For both ppc64 and ppc64le we have qemu cloud images and add to it
docker base images to the release as well.
Issues and Details
------------------
This is an Alpha release. As such, we expect that you may encounter bugs
or missing features. To report issues encountered during testing,
contact the Fedora QA team via the mailing list or in #fedora-qa on
Freenode.
As testing progresses, common issues are tracked on the Common F24 Bugs
page.
* https://fedoraproject.org/wiki/Common_F24_bugs
For tips on reporting a bug effectively, read "how to file a bug
report."
* https://fedoraproject.org/wiki/How_to_file_a_bug_report
Release Schedule
----------------
The full release schedule is available on the Fedora wiki:
* https://fedoraproject.org/wiki/Releases/24/Schedule
The current schedule calls for a beta release towards the beginning of May,
and the final release in early June.
Be aware that these dates are development targets. Some projects release
on a set date regardless of feature completeness or bugs; others wait
until certain thresholds for functionality or testing are met. Fedora
uses a hybrid model, with milestones subject to adjustment. This allows
us to make releases with new features and newly-integrated and updated
upstream software while also retaining high quality.
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel-announce@lists.fedoraproject.org
Fedora 24 Alpha for aarch64
final release. Download the prerelease from our Get Fedora site:
- Get Fedora 24 Alpha Server
https://dl.fedoraproject.org/pub/fedora-secondary/releases/test/24_Alpha/Server/aarch64/
https://fedoraproject.org/wiki/Architectures/AArch64/F24/Installation
What is the Alpha release?
--------------------------
The Alpha release contains all the features of Fedora 24's editions in
a form that anyone can help test. This testing, guided by the Fedora
QA team, helps us target and identify bugs. When these bugs are fixed,
we make a Beta release available. A Beta release is code-complete and
bears a very strong resemblance to the third and final release. The
final release of Fedora 24 is expected in June.
If you take the time to download and try out the Alpha, you can check
and make sure the things that are important to YOU are working. Every
bug you find and report doesn't just help you, it improves the
experience of millions of Fedora users worldwide!
Together, we can make Fedora rock-solid. We have a culture of
coordinating new features and pushing fixes upstream as much as we
can, and your feedback improves not only Fedora, but Linux and Free
software as a whole.
* https://fedoraproject.org/wiki/Releases/24/Schedule
* https://fedoraproject.org/wiki/How_to_file_a_bug_report
Fedora-Wide Changes
-------------------
Under the hood, glibc has moved to 2.23. The update includes better
performance, many bugfixes and improvements to POSIX compliance, and
additional locales. The new library is backwards compatible with the
version of glibc that was shipped in Fedora 23, and includes a number
of security and bug fixes.
We've also updated the system compiler to GCC 6 and rebuilt all
packages with that, providing greater code optimization and catching
programming errors which had slipped past previous compilers.
In aarch64 golang 1.6 brings all the same golang functionality that
other architectures have enjoyed enabling all the features and apps
that are available there such as docker.
Server
------
- FreeIPA 4.3 (Domain Controller role) is included in Fedora 24. This
version helps streamline installation of replicas by adding a
replica promotion method for new installs. A new topology plugin has
also been added that automatically manages new replication segment
creation. An effective replica topology visualization tool is also
available in the webUI.
- NodeJS 4 is now available for aarch64. Earlier versions of nodejs have
been available on primary architectures for some time. With nodejs4 we
now bring all the functionality to aarch64 too.
- More packages have been removed from the default Server edition to
make the footprint of the default installation smaller.
Cloud and Docker
----------------
Not quite ready for Alpha, both qemu cloud images and docker images will
be appearing for nightly Fedora 24 aarch64 composes starting next week.
All the docker pieces are already in place in Fedora 24 Alpha. The last
pieces of the infrastructure to build the nightly docker images are
almost live into production. There will be appropriate announcements
when they go live.
Issues and Details
------------------
This is an Alpha release. As such, we expect that you may encounter bugs
or missing features. To report issues encountered during testing,
contact the Fedora QA team via the mailing list or in #fedora-qa on
Freenode.
As testing progresses, common issues are tracked on the Common F24 Bugs
page.
* https://fedoraproject.org/wiki/Common_F24_bugs
For tips on reporting a bug effectively, read "how to file a bug
report."
* https://fedoraproject.org/wiki/How_to_file_a_bug_report
Release Schedule
----------------
The full release schedule is available on the Fedora wiki:
* https://fedoraproject.org/wiki/Releases/24/Schedule
The current schedule calls for a beta release towards the beginning of May,
and the final release in early June.
Be aware that these dates are development targets. Some projects release
on a set date regardless of feature completeness or bugs; others wait
until certain thresholds for functionality or testing are met. Fedora
uses a hybrid model, with milestones subject to adjustment. This allows
us to make releases with new features and newly-integrated and updated
upstream software while also retaining high quality.
[CentOS-announce] Announcing release for Developer Toolset 4 on CentOS Linux 7 x86_64 SCL
4 on CentOS Linux 7 x86_64, delivered via a Software Collection (SCL)
built by the SCLo Special Interest Group
(https://wiki.centos.org/SpecialInterestGroup/SCLo).
QuickStart
----------
You can get started in three easy steps:
$ sudo yum install centos-release-scl
$ sudo yum install devtoolset-4-toolchain
$ scl enable devtoolset-4 bash
At this point you should be able to use gcc and other tools just as a
normal application. Examples of commands run might be:
$ gcc hello.c
$ sudo yum install devtoolset-4-valgrind
$ valgrind ./a.out
$ gdb ./a.out
In order to view the individual components included in this collection,
including additional development tools, you can run:
$ sudo yum list devtoolset-4\*
About Software Collections
--------------------------
Software Collections give you the power to build, install, and use
multiple versions of software on the same system, without affecting
system-wide installed packages. Each collection is delivered as a group
of RPMs, with the grouping being done using the name of the collection
as a prefix of all packages that are part of the software collection.
The collection devtoolset-4 delivers version 5.2.1 of the GNU Compiler
Collection, GNU Debugger, Eclipse development platform, and other
development, debugging, and performance monitoring tools as RPMs.
The SCLo SIG in CentOS
----------------------
The Software Collections SIG group is an open community group
co-ordinating the development of the SCL technology, and helping curate
a reference set of collections. In addition to the Developer Toolset
collection being released here, we also build and deliver databases, web
servers, and language stacks including multiple versions of PostgreSQL,
MariaDB, Apache HTTP Server, NodeJS, Ruby, Python and others.
Software Collections SIG release was announced at
https://lists.centos.org/pipermail/centos-announce/2015-October/021446.html
You can learn more about Software Collections concepts at:
http://softwarecollections.org
You can find information on the SIG at
https://wiki.centos.org/SpecialInterestGroup/SCLo ; this includes how to
get involved and help with the effort.
We meet every second Wednesday at 16:00 UTC in #centos-devel (ref:
https://www.centos.org/community/calendar), for an informal open forum
open to anyone who might have comments, concerns or wants to get started
with SCLs in CentOS.
Enjoy!
Honza
SCLo SIG member
[CentOS-announce] Announcing release for Developer Toolset 4 on CentOS Linux 6 x86_64 SCL
4 on CentOS Linux 6 x86_64, delivered via a Software Collection (SCL)
built by the SCLo Special Interest Group
(https://wiki.centos.org/SpecialInterestGroup/SCLo).
QuickStart
----------
You can get started in three easy steps:
$ sudo yum install centos-release-scl
$ sudo yum install devtoolset-4-toolchain
$ scl enable devtoolset-4 bash
At this point you should be able to use gcc and other tools just as a
normal application. Examples of commands run might be:
$ gcc hello.c
$ sudo yum install devtoolset-4-valgrind
$ valgrind ./a.out
$ gdb ./a.out
In order to view the individual components included in this collection,
including additional development tools, you can run:
$ sudo yum list devtoolset-4\*
About Software Collections
--------------------------
Software Collections give you the power to build, install, and use
multiple versions of software on the same system, without affecting
system-wide installed packages. Each collection is delivered as a group
of RPMs, with the grouping being done using the name of the collection
as a prefix of all packages that are part of the software collection.
The collection devtoolset-4 delivers version 5.2.1 of the GNU Compiler
Collection, GNU Debugger, and other development, debugging, and
performance monitoring tools as RPMs.
The SCLo SIG in CentOS
----------------------
The Software Collections SIG group is an open community group
co-ordinating the development of the SCL technology, and helping curate
a reference set of collections. In addition to the Developer Toolset
collection being released here, we also build and deliver databases, web
servers, and language stacks including multiple versions of PostgreSQL,
MariaDB, Apache HTTP Server, NodeJS, Ruby, Python and others.
Software Collections SIG release was announced at
https://lists.centos.org/pipermail/centos-announce/2015-October/021446.html
You can learn more about Software Collections concepts at:
http://softwarecollections.org
You can find information on the SIG at
https://wiki.centos.org/SpecialInterestGroup/SCLo ; this includes how to
get involved and help with the effort.
We meet every second Wednesday at 16:00 UTC in #centos-devel (ref:
https://www.centos.org/community/calendar), for an informal open forum
open to anyone who might have comments, concerns or wants to get started
with SCLs in CentOS.
Enjoy!
Honza
SCLo SIG member
Wednesday, March 30, 2016
[CentOS-announce] Notice of Service Outage and followup LON1/UK Facility
== What happened ==
On Wednesday February 24th, at 6pm UTC time, the DC hosting some of
the CentOS equipment used for various roles had suffered from
multiple electricity power outages. The facility was completely dark
for just under 2 hrs, and we were able to start recovering services by
8pm UTC. By midnight we had most services restored, by 2:00AM UTC Feb
25th we had all services restored.
That meant that the machines in those racks were running on batteries
(ups in the racks) but finally went down in an uncontrolled way due to
lack of communication with that UPS.
Subsequently, on Monday March 14th, we suffered another power outage in
the racks, this time due to an overload on the rack power circuits.
== Services that were impacted ==
- severity critical : mirrorlist.centos.org node (IPv6) went down
(while multiple mirrorlist.centos.org nodes for IPv4 nodes were still
online). That means that machines with only IPv6 connectivity couldn't
get yum to work to retrieve the list of nearest mirrors.
- severity medium : Our main buildservices queue management services
were down; note: this did not impact our ability to build, test and
deliver updates.
- severity medium : www.centos.org and www.centos.org/forums weren't
reachable through IPv6 : at the moment, those services are natively
reachable through IPv4, but proxied through nodes in that DC for IPv6
users. Most tested browsers were falling back to IPv4 during that period
- severity medium : CentOS DevCloud
(https://wiki.centos.org/DevCloud) : that means that CentOS Developers
weren't able to instantiate new CentOS test VMs for their work, but
also weren't able to reach the existing ones.
- severity low : several publicly facing small services like
http://planet.centos.org , http://seven.centos.org (not critical and
could be restored quickly to other VMs elsewhere)
- severity low : the server leading the armv7hl builds for the Plague
build farm was also offline, meaning no armhfp build during that
timeframe (but no updates were to be built, so mitigated issue)
== Followup actions and notes ==
Over the years, the baseline recovery model we've used and tried to
enforce is one of 'restore in place', take a downtime hit if needed -
and ensure we have service continuity for the user facing components (
the mirrorlist service, the centos update and content distribution
services). For other resources, like the main website etc, we ensure
there are good backups available in multiple places, usable to restore
services should there be a need. This model has worked well for us
over the years, and we've had very little, if any, service outages
that had a user impact. The restore in place/restore outside HA also
meant we were able to better utilise the exclusively sponsored
machines we rely on.
However, as the project grows, with a lot more infrastructure being
consolidated into a few locations for non CDN services, our exposure
to service downtime has dramatically increased. It's clear that we need
to expand the scope of where we backup to, how we backup, how we
anticipate failure and our ability to restore services in a timely
manner should there be facilities outages. In the coming weeks, we are
going to undertake a deep dive into our Infrastructure design and
delivery and try to first come up with a consolidated set of risks we
need to manage against, and then work towards reducing the risk,
spreading the availability as needed.
Our backend storage platform for the DevCloud and persistent
storage for other nodes in the facility is run from a distributed,
replicated Gluster setup. In spite of the sudden loss of power, in a
production environment with hundreds of running VMs and dozens of
running data jobs, we were able to trivially recover our entire data
set with minimum data loss. Some of the running VMs inside the
DevCloud did see local filesystem issues, but we don't think that was a
backing storage issue. This event has dramatically increased our
confidence in the gluster technology stack and we will certainly be
looking at extending deployments for it internally.
== Comments about hosting facility ==
Their Status post about this
http://status.uk2.net/2016/02/24/london-power-outage/
We have multiple racks at this facility, and have a long standing
relationship with them going back to late Summer 2012. Over this
period we have had a near perfect uptime record for our equipment
there. And above all we have been consistently impressed with the
speed of and the knowledgeable support we've received at the DC. In
many cases, how the facility reacts to outage defines the real service
value - and in this case, we can only commend the fantastic support we
had through the outage hours. We do however feel there could be better
monitoring and reporting of some of the facilities information and
will be working with them to improve in those regards.
Fabian Arrotin and Karanbir Singh
The CentOS Project
Tuesday, March 29, 2016
OpenNTPD 5.9p1 released
mirrors listed at http://www.openntpd.org/ shortly.
OpenNTPD is a FREE, secure, and easy to use implementation of the
Network Time Protocol. It provides the ability to sync the local clock
to remote NTP servers and can act as NTP server itself, redistributing
the local clock.
Changes since OpenNTPD 5.7p4
============================
* When a single "constraint" is specified, try all returned addresses
until one succeeds, rather than the first returned address.
* Relaxed the constraint error margin to be proportional to the number
of NTP peers, avoid constant reconnections when there is a bad NTP
peer.
* Removed disabled hotplug sensor support.
* Added support for detecting crashes in constraint subprocesses.
* Moved the execution of constraints from the ntp process to the
parent process, allowing for better privilege separation since the
ntp process can be further restricted.
* Added pledge(2) support.
* Updated to require LibreSSL 2.3.2 or greater.
* Fixed high CPU usage when the network is down.
* Fixed various memory leaks.
* Switched to RMS for jitter calculations.
* Unified logging functions with other OpenBSD base programs.
OpenNTPD portable-specific changes:
* Added support for syncing time with the Realtime Clock (RTC) on OSes
that require it.
* CFLAGS is no longer overridden by the build system.
* FreeBSD RTABLE support is disabled
* FreeBSD is no longer linked with -lmd to avoid hash function
collisions, causing failures in constraint certificate loading.
* Fixed crashes due to __progname being used before initialized.
* Added Solaris 10 compatibility.
* Added --disable-https-constraint build option for explicitly
disabling constraint support.
* Synced build system files with LibreSSL
The libtls library, as shipped with LibreSSL 2.3.2 or later, is
required to use the HTTPS constraint feature, though it is not
required to use OpenNTPD.
For detailed changes, see the changes either in the OpenBSD CVS
repository or the GitHub mirror.
Checksums:
==========
SHA256 (openntpd-5.9p1.tar.gz) = 200c04056d4d6441653cac71d515611f3903aa7b15b8f5661a40dab3fb3697b3
Reporting Bugs:
===============
General bugs may be reported to tech@openbsd.org
Portable bugs may be filed at
https://github.com/openntpd-portable/openntpd-portable/
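
The announcements on this page publish SHA-256 digests in two layouts: the `sha256sum` layout of the CentOS notices and the tagged `SHA256 (file) = digest` layout of the OpenNTPD notice. The following checker for both is an added example, not code from any of the projects; the function names and the sample files in `demo()` are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# sha256sum layout, as in the CentOS notices: "<hex digest> <filename>"
GNU_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")
# Tagged layout, as in the OpenNTPD notice: "SHA256 (<filename>) = <hex digest>"
BSD_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")


def parse_checksums(text):
    """Return {filename: lowercase sha256 hex} found in announcement text.

    Lines matching neither layout (headings, signatures) are skipped.
    A filename listed twice with different digests raises ValueError.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = GNU_LINE.match(line)
        if m:
            digest, name = m.group(1), m.group(2)
        else:
            m = BSD_LINE.match(line)
            if not m:
                continue
            name, digest = m.group(1), m.group(2)
        digest = digest.lower()
        if expected.get(name, digest) != digest:
            raise ValueError(f"conflicting digests for {name}")
        expected[name] = digest
    return expected


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large RPMs and tarballs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(directory, expected):
    """Map each expected filename to 'ok', 'MISMATCH' or 'missing'."""
    results = {}
    base = Path(directory)
    for name, digest in expected.items():
        # Use only the base name so a listed name cannot point outside `directory`.
        path = base / Path(name).name
        if not path.is_file():
            results[name] = "missing"
        elif sha256_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed sample: one intact file, one altered file, one absent file."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "example-1.0.tar.gz").write_bytes(b"constructed payload A")
        Path(d, "example-1.0.rpm").write_bytes(b"altered payload")
        listing = "\n".join([
            "The following updated files ...: ( sha256sum Filename )",
            f"{hashlib.sha256(b'constructed payload B').hexdigest()} example-1.0.rpm",
            "SHA256 (example-1.0.tar.gz) = "
            + hashlib.sha256(b"constructed payload A").hexdigest(),
            f"{'0' * 64} example-absent.rpm",
        ])
        return verify(d, parse_checksums(listing))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A matching digest shows only that the file equals what the announcement listed; the announcement itself still has to arrive over an authenticated channel, such as a signed mail or the distribution's package signatures.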
[lfs-announce] LFS Stable Systemd Version 7.9 is released
Systemd Version 7.9.
This release is a major update to LFS.
The LFS release includes updates to glibc-2.23, binutils-2.26, gcc-5.3.0,
and systemd-229. In total, 26 packages were updated and changes to text
have been made throughout the book.
Thanks for this release go to Douglas R Reno and DJ Lucas.
You can read the books online[0], or download[1] to read locally.
Please note that a stable version of the systemd version of BLFS will not
be released in the near future. The next planned release will be version
7.10 in October. In the meantime, the development version[2] is the
recommended source for the most up to date location for packages beyond
LFS that need systemd.
Please direct any comments about this release to the LFS development
team at lfs-dev@linuxfromscratch.org. Registration for the mailing lists
is required to avoid junk email.
-- Bruce Dubbs
LFS
[0] http://www.linuxfromscratch.org/lfs/view/7.9-systemd/
[1] http://www.linuxfromscratch.org/lfs/downloads/7.9-systemd/
[2] http://www.linuxfromscratch.org/blfs/view/systemd/
--
http://lists.linuxfromscratch.org/listinfo/lfs-announce
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
OpenBSD 5.9 released - March 29
- OpenBSD 5.9 RELEASED -------------------------------------------------
March 29, 2016.
We are pleased to announce the official release of OpenBSD 5.9.
This is our 39th release on CD-ROM (and 40th via FTP/HTTP). We remain
proud of OpenBSD's record of more than twenty years with only two remote
holes in the default install.
As in our previous releases, 5.9 provides significant improvements,
including new features, in nearly all areas of the system:
- Processor support, including:
o W^X policy enforced in the i386 kernel address space.
- Improved hardware support, including:
o New asmc(4) driver for the Apple System Management Controller.
o New pchtemp(4) driver for the thermal sensor found on Intel X99,
C610 series, 9 series and 100 series PCH.
o New uonerng(4) driver for the Moonbase Otago OneRNG.
o New dwiic(4) driver for the Synopsys DesignWare I2C controller.
o New ikbd(4), ims(4), and imt(4) drivers for HID-over-i2c
keyboards, mice and multitouch touchpads.
o New efifb(4) driver for EFI frame buffer.
o New viocon(4) driver for the virtio(4) console interface provided
by KVM, QEMU, and others.
o New xen(4) driver implementing Xen domU initialization and PVHVM
device attachment.
o New xspd(4) driver for the XenSource Platform Device providing
guests with additional capabilities.
o New xnf(4) driver for Xen paravirtualized networking interface.
o amd64 can now boot from 32 bit and 64 bit EFI.
o Initial support for hardware reduced ACPI added to acpi(4).
o Support for ACPI configured SD host controllers has been added to
sdhc(4).
o The puc(4) driver now supports Moxa CP-168U, Perle Speed8 LE and
QEMU PCI serial devices.
o Intel 100 Series PCH Ethernet MAC with i219 PHY support has been
added to the em(4) driver.
o RTL8168H/RTL8111H support has been added to re(4).
o inteldrm(4) has been updated to Linux 3.14.52 adding initial
support for Bay Trail and Broadwell graphics.
o Support for audio in Thinkpad docks has been added to the
azalia(4) driver.
o Support for Synaptic touchpads without W mode has been added to
the pms(4) driver.
o Support for tap-and-drag detection with ALPS touchpads in the
pms(4) driver has been improved.
o The sdmmc(4) driver now supports sector mode for eMMC devices,
such as those found on some BeagleBone Black boards.
o The cnmac(4) driver now supports checksum offloading.
o The ipmi(4) driver now supports OpenIPMI compatible character
device.
o Support for ST-506 disks has been removed.
- pledge(2) support integrated:
o The tame(2) system call was renamed to pledge(2). Behavior and
semantics were extended and refined.
o 453 out of 707 base system binaries were adapted to use pledge.
o 14 ports now use pledge(2): some decompression tools, mutt, some
pdf tools, chromium/iridium, and the i3 window manager.
o Various bugs exposed by pledge(2) were corrected. For example in
bgpd(8), iked(8), ldapd(8), ntpd(8), and syslogd(8).
o Several misfeatures were removed, such as:
- support for HOSTALIASES in the resolver.
- support for lookup yp in resolv.conf(5).
- setuid-preserving code in tools from binutils.
- handling of ed-style diffs via proc/exec in patch(1).
o Userland programs were audited so that they could be properly
annotated with pledge(2). This resulted in design changes such as:
- addition of privilege separation to rdate(8)
- addition of privilege separation to sndiod(8)
- the introduction of the SOCK_DNS socket(2) flag that makes
an SS_DNS tagged socket conceptually different from a plain
socket.
o pledge(2) is also used to constrain programs that handle untrusted
data to a very limited subset of POSIX. For example, strings(1) or
objdump(1) from binutils or the RSA-privsep process in smtpd(8).
- SMP network stack improvements:
o The task processing incoming packets can now run mostly in
parallel of the rest of the kernel. This includes:
- carp(4), trunk(4), vlan(4) and other pseudo-drivers with the
exception of bridge(4).
- Ethernet decapsulation, ARP processing and MPLS forwarding
path.
- bpf(4) filter matching.
o The Rx and Tx rings of the ix(4), myx(4), em(4), bge(4), bnx(4),
vmx(4), gem(4), re(4) and cas(4) drivers can now be processed in
parallel of the rest of the kernel.
o The Rx ring of the cnmac(4) driver can now be processed in
parallel of the rest of the kernel.
- Initial IEEE 802.11n wireless support:
o The ieee80211(9) subsystem now supports HT data rates up to
65 Mbit/s (802.11n MCS 0-7).
o The input path of ieee80211(9) now supports receiving A-MPDU and
A-MSDU aggregated frames.
o The iwm(4) and iwn(4) drivers make use of the above features.
o 802.11n mode is used by default if supported by the OpenBSD
wireless driver and the access point. Operation in 802.11a,
802.11b, and 802.11g modes can be forced with the new ifconfig(8)
mode subcommand.
- Generic network stack improvements:
o New etherip(4) pseudo-device for tunneling Ethernet frames across
IP[46] networks using RFC 3378 EtherIP encapsulation.
o New pair(4) pseudo-device for creating paired virtual Ethernet
interfaces.
o New tap(4) pseudo-device split up from tun(4) providing a layer
3 interface with userland.
o Support for obsolete IPv6 socket options has been removed.
o The iwn(4) driver now passes IEEE 802.11 control frames in monitor
mode, allowing full capture of traffic on a particular wireless
channel.
o pflow(4) now supports IPv6 for transport.
- Installer improvements:
o Inappropriate user choices from a list of options are more
reliably rejected.
o Installing to a disk partitioned with a GPT is now supported
(amd64 only).
o When initializing a GPT, the required EFI System partition is
automatically created.
o When installing to a GPT disk, installboot(8) now formats the EFI
System partition, creates the appropriate directory structure and
copies the required UEFI boot files into place.
- Routing daemons and other userland network improvements:
o New eigrpd(8) routing daemon for the Enhanced Interior Gateway
Routing Protocol.
o dhclient(8) now supports multiple domain names provided via DHCP
option 15 (Domain Name).
o dhclient(8) now supports search domains provided via DHCP option
119 (Domain Search).
o dhclient(8) no longer continually checks for a change to the
routing domain of the interface it controls. It now relies on the
appropriate routing socket messages.
o dhclient(8) now issues DHCP DECLINE responses to lease offers
found to be inadequate, and restarts the DISCOVER/RENEW process
rather than waiting indefinitely for a better lease to appear.
o dhclient(8) no longer exits if a desired route cannot be added. It
now just reports the fact.
o dhclient(8) now takes a much more careful approach to received
packets to ensure only received data is used to process the
packet. Packets with incorrect length information or lacking
appropriate header information are now dropped.
o dhclient(8) again disables pending timeouts if the interface link
is lost, preventing endless retries at obtaining a lease.
o dhcpd(8) again properly utilizes default-lease-time,
max-lease-time and bootp-lease-time options.
o tcpdump(8) now displays more information about IEEE 802.11 frames
when run with the -y IEEE802_11_RADIO and -v options.
o Several interoperability issues in iked(8) have been fixed,
including EAP auth with OS X El Capitan.
- Security improvements:
o Chacha20-Poly1305 authenticated encryption mode has been
implemented in the IPsec stack for the ESP protocol.
o Support for looking up hosts via YP has been removed from libc.
The 'yp' lookup method in resolv.conf is no longer available.
o Support for the HOSTALIASES environment variable has been removed
from libc.
- Assorted improvements:
o doas(1) is a little friendlier to use.
o Updated flex(1).
o Forked less(1) from upstream, then proceeded to clean it up
substantially.
o pdisk(8) was largely rewritten and pledged.
o Renaming files in the root directory of a MSDOS filesystem was
fixed.
o Many obsolete disktab(5) attributes and entries were removed.
o softraid(4) volumes now correctly look for the disklabel in the
first OpenBSD disk partition, not the last.
o softraid(4) volumes can now be partitioned with a GPT.
o fdisk(8) now creates a default GPT as well as the protective MBR
when the -g flag is used.
o fdisk(8) now has a -b flag that specifies the size of the EFI
System partition to create.
o fdisk(8) now has a -v flag that causes a verbose display of both
MBR and GPT information.
o fdisk(8) now provides full interactive GPT editing.
o fdisk(8) was pledged.
o Disks with sector sizes other than 512 bytes can now be
partitioned with a GPT.
o The GPT kernel option was removed and GPT support is part of all
GENERIC and GENERIC derived kernels.
o Many improvements were made to the GPT kernel support to ensure
safe and reliable operation of GPT and MBR processing.
o disklabel(8) no longer supports boot code installation, with the
-B and -b flags being removed. The associated fields in the
disklabel were also removed. These functions are now all performed
by installboot(8).
o PowerPC converted to secure-PLT ABI variant.
o Perform lazy binding updates in ld.so(1) using kbind(2) to improve
security and reduce overhead in threaded processes.
o Over 100 internal or obsolete interfaces have been deleted or are
no longer exported by libc, reducing symbol conflicts and process
size.
o libc now uses local references for most of its own functions to
avoid symbol overriding, improve standards compliance, increase
speed, and reduce dynamic linking overhead.
o Handle intra-thread kills via new thrkill(2) system call to
tighten pledge(2) restrictions and improve pthread_kill(3) and
pthread_cancel(3) compliance.
o Added getpwnam_shadow(3) and getpwuid_shadow(3) to permit tighter
pledge(2) restrictions.
o Added support to ktrace(1) the arguments to execve(2) and
pledge(2). Removed support for tracing context switch points.
kevent structures are now dumped.
o Disabled support for loading locales other than UTF-8.
o UTF-8 character locale data has been updated to Unicode 7.0.0.
o Added UTF-8 support to several utilities, including calendar(1),
colrm(1), cut(1), fmt(1), ls(1), ps(1), rs(1), ul(1), uniq(1) and
wc(1).
o Partial support for inserting and deleting UTF-8 characters in
ksh(1) emacs command line editing mode.
o Native language support (NLS) has been removed from libc.
o ddb(4) now automatically shows a stack trace upon panic.
- OpenSMTPD 5.9.1
o Security:
- Both smtpd(8) and smtpctl(8) have been pledged.
- The offline enqueue mode of smtpctl(8) has been redesigned to
remove the need for a publicly writable directory which was a
vector of multiple attacks in the Qualys Security audit.
o The following improvements were brought in this release:
- Experimental support for filters API is now available with
several filters available in ports.
- Add Message-Id header if necessary.
- Removed the kick mechanism which was misbehaving.
- Increased the length of acceptable headers lines.
- Assume messages are 8-bit bytes by default.
- OpenSSH 7.2:
o Security:
- Qualys Security identified vulnerabilities in the ssh(1)
client experimental support for resuming SSH-connections
(roaming). In the default configuration, this could
potentially leak client keys to a hostile server. The
authentication of the server host key prevents exploitation
by a man-in-the-middle, so this information leak is
restricted to connections to malicious or compromised
servers. This feature has been disabled in the ssh(1) client,
and it has been removed from the source tree. The matching
server code has never been shipped.
- sshd(8): OpenSSH 7.0 contained a logic error in
PermitRootLogin=prohibit-password/without-password that
could, depending on compile-time configuration, permit
password authentication to root while preventing other forms
of authentication.
- Fix an out-of-bounds read access in the packet handling code.
- Further use of explicit_bzero(3) has been added in various
buffer handling code paths to guard against compilers
aggressively doing dead-store removal.
- ssh(1), sshd(8): remove unfinished and unused roaming code.
- ssh(1): eliminate fallback from untrusted X11 forwarding to
trusted forwarding when the X server disables the SECURITY
extension.
- ssh(1), sshd(8): increase the minimum modulus size supported
for diffie-hellman-group-exchange to 2048 bits.
o Potentially-incompatible changes:
- This release disables a number of legacy cryptographic
algorithms by default in ssh(1):
o Several ciphers: blowfish-cbc, cast128-cbc, all arcfour
variants and the rijndael-cbc aliases for AES.
o MD5-based and truncated HMAC algorithms.
o New/changed features:
- all: add support for RSA signatures using SHA-256/512 hash
algorithms based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt.
- ssh(1): add an AddKeysToAgent client option which can be set
to yes, no, ask, or confirm, and defaults to no. When
enabled, a private key that is used during authentication
will be added to ssh-agent(1) if it is running (with
confirmation enabled if set to confirm).
- sshd(8): add a new authorized_keys option restrict that
includes all current and future key restrictions
(no-*-forwarding, etc.). Also add permissive versions of the
existing restrictions, e.g. no-pty -> pty. This simplifies
the task of setting up restricted keys and ensures they are
maximally-restricted, regardless of any permissions we might
implement in the future.
- ssh(1): add ssh_config(5) CertificateFile option to
explicitly list certificates. (bz#2436)
- ssh-keygen(1): allow ssh-keygen(1) to change the key comment
for all supported formats.
- ssh-keygen(1): allow fingerprinting from standard input, e.g.
"ssh-keygen -lf -".
- ssh-keygen(1): allow fingerprinting multiple public keys in a
file, e.g. ssh-keygen -lf ~/.ssh/authorized_keys. (bz#1319)
- sshd(8): support none as an argument for sshd_config(5)
Foreground and ChrootDirectory. Useful inside Match blocks to
override a global default. (bz#2486)
- ssh-keygen(1): support multiple certificates (one per line)
and reading from standard input (using "-f -") for ssh-keygen
-L.
- ssh-keyscan(1): add ssh-keyscan -c ... flag to allow fetching
certificates instead of plain keys.
- ssh(1): better handle anchored FQDNs (e.g. cvs.openbsd.org.)
in hostname canonicalisation - treat them as already
canonical and remove the trailing '.' before matching ssh_config(5).
o The following significant bugs have been fixed in this release:
- ssh(1), sshd(8): add compatibility workarounds for FuTTY.
- ssh(1), sshd(8): refine compatibility workarounds for WinSCP.
- Fix a number of memory faults (double-free, free of
uninitialised memory, etc.) in ssh(1) and ssh-keygen(1).
- Correctly interpret the first_kex_follows option during the
initial key exchange.
- sftp(1): existing destination directories should not
terminate recursive uploads (regression in openssh 6.8).
(bz#2528)
- ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED
replies to unexpected messages during key exchange. (bz#2949)
- ssh(1): refuse attempts to set ConnectionAttempts=0, which
does not make sense and would cause ssh to print an
uninitialised stack variable. (bz#2500)
- ssh(1): fix errors when attempting to connect to scoped IPv6
addresses with hostname canonicalisation enabled.
- sshd_config(5): list a couple more options usable in Match
blocks. (bz#2489)
- sshd(8): fix PubkeyAcceptedKeyTypes +... inside a Match
block.
- ssh(1): expand tilde characters in filenames passed to -i
options before checking whether or not the identity file
exists. Avoids confusion for cases where shell doesn't expand
(e.g. -i ~/file vs. -i~/file). (bz#2481)
- ssh(1): do not prepend "exec" to the shell command run by
Match exec in a config file, which could cause some commands
to fail in certain environments. (bz#2471)
- ssh-keyscan(1): fix output for multiple hosts/addrs on one
line when host hashing or a non standard port is in use.
(bz#2479)
- sshd(8): skip "Could not chdir to home directory" message
when ChrootDirectory is active. (bz#2485)
- ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump.
- sshd(8): avoid changing TunnelForwarding device flags if they
are already what is needed; makes it possible to use tun(4)/
tap(4) networking as non-root user if device permissions and
interface flags are pre-established.
- ssh(1), sshd(8): RekeyLimits could be exceeded by one packet.
(bz#2521)
- ssh(1): fix multiplexing master failure to notice client
exit.
- ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that
present empty key IDs. (bz#1773)
- sshd(8): avoid printf(3) of NULL argument. (bz#2535)
- ssh(1), sshd(8): allow RekeyLimits larger than 4GB. (bz#2521)
- ssh-agent(1), sshd(8): fix several bugs in (unused) KRL
signature support.
- ssh(1), sshd(8): fix connections with peers that use the key
exchange guess feature of the protocol. (bz#2515)
- sshd(8): include remote port number in log messages.
(bz#2503)
- ssh(1): don't try to load SSHv1 private key when compiled
without SSHv1 support. (bz#2505)
- ssh-agent(1), ssh(1): fix incorrect error messages during key
loading and signing errors. (bz#2507)
- ssh-keygen(1): don't leave empty temporary files when
performing known_hosts file edits when known_hosts doesn't
exist.
- sshd(8): correct packet format for tcpip-forward replies for
requests that don't allocate a port. (bz#2509)
- ssh(1), sshd(8): fix possible hang on closed output.
(bz#2469)
- ssh(1): expand %i in ControlPath to UID. (bz#2449)
- ssh(1), sshd(8): fix return type of openssh_RSA_verify.
(bz#2460)
- ssh(1), sshd(8): fix some option parsing memory leaks.
(bz#2182)
- ssh(1): add some debug output before DNS resolution; it's a
place where ssh could previously silently stall in cases of
unresponsive DNS servers. (bz#2433)
- ssh(1): remove spurious newline in visual hostkey. (bz#2686)
- ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+...
- ssh(1): fix expansion of HostkeyAlgorithms=+...
- LibreSSL 2.3.2
o User-visible features:
- This release corrects the handling of ClientHello messages
that do not include TLS extensions, resulting in such
handshakes being aborted.
- When loading a DSA key from a raw (without DH parameters)
ASN.1 serialization, perform some consistency checks on its
`p' and `q' values, and return an error if the checks failed.
- Fixed a bug in ECDH_compute_key that can lead to silent
truncation of the result key without error. A coding error
could cause software to use much shorter keys than intended.
- Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations
are no longer supported.
- The engine command and parameters are removed from
openssl(1). Previous releases removed dynamic and built-in
engine support already.
- SHA-0 is removed, which was withdrawn shortly after
publication twenty years ago.
- Added Certplus CA root certificate to the default cert.pem
file.
- Fixed a leak in SSL_new(3) in the error path.
- Fixed a memory leak and out-of-bounds access in
OBJ_obj2txt(3).
- Fixed an up-to 7 byte overflow in RC4 when len is not a
multiple of sizeof(RC4_CHUNK).
- Added EVP_aead_chacha20_poly1305_ietf(3) which matches the
AEAD construction introduced in RFC 7539, which is different
than that already used in TLS with
EVP_aead_chacha20_poly1305(3).
- More man pages converted from pod to mdoc(7) format.
- Added COMODO RSA Certification Authority and QuoVadis root
certificates to cert.pem.
- Removed "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary
Certification Authority" (serial
3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
certificate from cert.pem.
- Fixed incorrect TLS certificate loading by nc(1).
- The openssl(1) s_time command now performs a proper shutdown
which allows a full TLS connection to be benchmarked more
accurately. A new -no_shutdown flag makes s_time adopt the
previous behavior so that comparisons can still be made with
OpenSSL's version.
- Removed support for the SSLEAY_CONF backwards compatibility
environment variable in openssl(1).
- The following CVEs had been fixed:
o CVE-2015-3194--NULL pointer dereference in client side
certificate validation.
o CVE-2015-3195--memory leak in PKCS7, not reachable from
TLS/SSL.
- Note: The following OpenSSL CVEs did not apply to LibreSSL:
o CVE-2015-3193--carry propagating bug in the x86_64
Montgomery squaring procedure.
o CVE-2015-3196--double free race condition of the
identify hint data.
o Code improvements:
- Added install target for cmake builds.
- Updated pkgconfig files to correctly report the release
version number, not the individual library ABI version
numbers.
- SSLv3 is now permanently removed from the tree.
- The libtls API is changed from the 2.2.x series:
o The tls_read(3) and tls_write(3) functions now work better
with external event libraries.
o Client-side verification is now supported, with the client
supplying the certificate to the server.
o Also, when using tls_connect_fds(3),
tls_connect_socket(3) or tls_accept_fds(3), libtls no longer
implicitly closes the passed in sockets. The caller is
responsible for closing them in this case.
- New interface OPENSSL_cpu_caps is provided that does not
allow software to inadvertently modify cpu capability flags.
OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
- The out_len argument of AEAD changed from ssize_t to size_t.
- Deduplicated DTLS code, sharing bugfixes and improvements
with TLS.
- Converted nc(1) to use libtls for client and server
operations; it is included in the libressl-portable
distribution as an example of how to use the libtls library.
This is intended to be a simpler and more robust replacement
for openssl s_client and openssl s_server for day-to-day
operations.
- ASN.1 cleanups and RFC5280 compliance fixes.
- Time representations switched from unsigned long to time_t.
LibreSSL now checks if the host OS supports 64-bit time_t.
- Support always extracting the peer cipher and version with
libtls.
- Added ability to check certificate validity times with
libtls, tls_peer_cert_notbefore(3) and
tls_peer_cert_notafter(3).
- Changed tls_connect_servername(3) to use the first address
that resolves with getaddrinfo(3).
- Remove broken conditional EVP_CHECK_DES_KEY code
(non-functional since initial commit in 2004).
- Reject too small bits value in BN_generate_prime(3), so that
it does not risk becoming negative in
probable_prime_dh_safe().
- Changed format of LIBRESSL_VERSION_NUMBER to match that of
OPENSSL_VERSION_NUMBER.
- Avoid a potential undefined C99+ behavior due to shift
overflow in AES_decrypt.
- Deprecated the SSL_OP_SINGLE_DH_USE flag.
- Ports and packages:
Many pre-built packages for each architecture:
o alpha: 7450
o amd64: 9295
o hppa: 6304
o i386: 9290
o mips64: 7094
o mips64el: 7846
o powerpc: 8383
o sh: 111
o sparc: 1105
o sparc64: 8528
- Some highlights:
o Chromium 48.0.2564.116
o Emacs 21.4 and 24.5
o GCC 4.9.3
o GHC 7.10.3
o GNOME 3.18.2
o Go 1.5.3
o Groff 1.22.3
o JDK 7u80 and 8u72
o KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
o LLVM/Clang 3.5 (20140228)
o LibreOffice 5.0.4.2
o MariaDB 10.0.23
o Mono 4.2.1.102
o Mozilla Firefox 38.6.1esr and 44.0.2
o Mozilla Thunderbird 38.6.0
o Node.js 4.3.0
o OpenLDAP 2.3.43 and 2.4.43
o PHP 5.4.45, 5.5.32 and 5.6.18
o Postfix 3.0.3
o PostgreSQL 9.4.6
o Python 2.7.11, 3.4.4 and 3.5.1
o R 3.2.3
o Ruby 1.8.7.374, 2.0.0.648, 2.1.8, 2.2.4 and 2.2.0
o Rust 1.6.0
o Sendmail 8.15.2
o Sudo 1.8.15
o Tcl/Tk 8.5.18 and 8.6.4
o TeX Live 2014
o Vim 7.4.900
o Xfce 4.12
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
o Xenocara (based on X.Org 7.7 with xserver 1.17.4 + patches,
freetype 2.6.2, fontconfig 2.11.1, Mesa 11.0.9, xterm 322,
xkeyboard-config 2.17 and more)
o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
o Perl 5.20.2 (+ patches)
o SQLite 3.9.2 (+ patches)
o NSD 4.1.7
o Unbound 1.5.7
o Ncurses 5.7
o Binutils 2.17 (+ patches)
o Gdb 6.3 (+ patches)
o Awk Aug 10, 2011 version
If you'd like to see a list of what has changed between OpenBSD 5.8
and 5.9, look at
http://www.OpenBSD.org/plus59.html
Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.
------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------
We provide patches for known security threats and other important
issues discovered after each CD release. As usual, between the
creation of the OpenBSD 5.9 HTTP/CD-ROM binaries and the actual 5.9
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default). Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible. Therefore, we advise regular visits to
http://www.OpenBSD.org/security.html
and
http://www.OpenBSD.org/errata.html
------------------------------------------------------------------------
- MAILING LISTS --------------------------------------------------------
Mailing lists are an important means of communication among users and
developers of OpenBSD. For information on OpenBSD mailing lists, please
see:
http://www.OpenBSD.org/mail.html
------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------
OpenBSD 5.9 is also available on CD-ROM. The 3-CD set costs 44 EUR and
is available via web order worldwide.
The CD set includes a colourful booklet which carefully explains the
installation of OpenBSD. A new set of cute little stickers is also
included (sorry, but our HTTP mirror sites do not support STP, the Sticker
Transfer Protocol). As an added bonus, the second CD contains audio tracks
for two songs: "Doctor W^X" and "Systemagic (Anniversary Edition)".
MP3 and OGG versions of the audio tracks can be found on the first CD.
Lyrics (and an explanation) for the songs may be found at:
http://www.OpenBSD.org/lyrics.html#59
Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.
The OpenBSD 5.9 CD-ROMs are bootable on the following platforms:
o i386
o amd64
o macppc
o sparc64
(Other platforms must boot from network, floppy, or other method).
For more information on ordering CD-ROMs, see:
http://www.OpenBSD.org/orders.html
All of our developers strongly urge you to buy a CD-ROM and support
our future efforts. Additionally, donations to the project are
highly appreciated, as described in more detail at:
http://www.OpenBSD.org/donations.html
------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------
For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts. In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses. There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs. Contact the foundation directors at
directors@openbsdfoundation.org for more information.
------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------
The OpenBSD distribution company also sells T-shirts with new and old
designs and other merchandise, available from its web ordering system.
------------------------------------------------------------------------
- HTTP INSTALLS --------------------------------------------------------
If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via HTTP downloads. Typically you need a single
small piece of boot media (e.g., a USB flash drive) and then the rest
of the files can be installed from a number of locations, including
directly off the Internet. Follow this simple set of instructions
to ensure that you find all of the documentation you will need
while performing an install via HTTP. With the CD-ROMs,
the necessary documentation is easier to find.
1) Read either of the following two files for a list of HTTP
mirrors which provide OpenBSD, then choose one near you:
http://www.OpenBSD.org/ftp.html
http://ftp.openbsd.org/pub/OpenBSD/ftplist
As of March 29, 2016, the following HTTP mirror sites have the 5.9 release:
http://ftp.eu.openbsd.org/pub/OpenBSD/5.9/ Stockholm, Sweden
http://ftp.bytemine.net/pub/OpenBSD/5.9/ Oldenburg, Germany
http://ftp.ch.openbsd.org/pub/OpenBSD/5.9/ Zurich, Switzerland
http://ftp.fr.openbsd.org/pub/OpenBSD/5.9/ Paris, France
http://ftp5.eu.openbsd.org/pub/OpenBSD/5.9/ Vienna, Austria
http://mirror.aarnet.edu.au/pub/OpenBSD/5.9/ Brisbane, Australia
http://ftp.usa.openbsd.org/pub/OpenBSD/5.9/ CO, USA
http://ftp5.usa.openbsd.org/pub/OpenBSD/5.9/ CA, USA
http://mirror.esc7.net/pub/OpenBSD/5.9/ TX, USA
The release is also available at the master site:
http://ftp.openbsd.org/pub/OpenBSD/5.9/ Alberta, Canada
However it is strongly suggested you use a mirror.
Other mirror sites may take a day or two to update.
2) Connect to that HTTP mirror site and go into the directory
pub/OpenBSD/5.9/ which contains these files and directories.
This is a list of what you will see:
ANNOUNCEMENT alpha/ luna88k/ sparc64/
Changelogs/ amd64/ macppc/ src.tar.gz
HARDWARE armish/ octeon/ sys.tar.gz
PACKAGES armv7/ packages/ tools/
PORTS hppa/ ports.tar.gz xenocara.tar.gz
README i386/ root.mail zaurus/
SHA256 landisk/ sgi/
SHA256.sig loongson/ socppc/
It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.
README - generic README
HARDWARE - list of hardware we support
PORTS - description of our ports tree
PACKAGES - description of pre-compiled packages
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).
3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture,
for example, amd64. This is a list of what you will see:
BOOTIA32.EFI* bsd* floppy59.fs pxeboot*
BOOTX62.EFI* bsd.mp* game59.tgz xbase59.tgz
BUILDINFO bsd.rd* index.txt xfont59.tgz
INSTALL.amd64 cd59.iso install59.fs xserv59.tgz
SHA256 cdboot* install59.iso xshare59.tgz
SHA256.sig cdbr* man59.tgz
base59.tgz comp59.tgz miniroot59.fs
If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
and install59.iso. The install59.iso file (roughly 290MB in size)
is a one-step ISO-format install CD image which contains the various
*.tgz files so you do not need to fetch them separately.
If you prefer to use a USB flash drive, fetch install59.fs and
follow the instructions in INSTALL.amd64.
5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.amd64. INSTALL.amd64 may tell you that you
need to fetch other files.
6) Just in case, take a peek at:
http://www.OpenBSD.org/errata.html
This is the page where we talk about the mistakes we made while
creating the 5.9 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.
------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------
X.Org has been integrated more closely into the system. This release
contains X.Org 7.7. Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc. During installation, you can install X.Org
quite easily. Be sure to try out xdm(1) and see how we have customized
it for OpenBSD.
------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------
The OpenBSD ports tree contains automated instructions for building
third party software. The software has been verified to build and
run on the various OpenBSD architectures. The 5.9 ports collection
is included on the 3-CD set. Please see the PORTS file for more
information.
Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD. Also, many popular ports have
been pre-compiled for those who do not desire to build their own binaries
(see BINARY PACKAGES, below).
------------------------------------------------------------------------
- BINARY PACKAGES ------------------------------------------------------
A large number of binary packages are provided. Please see the PACKAGES
file (http://ftp.OpenBSD.org/pub/OpenBSD/5.9/PACKAGES) for more details.
------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------
The CD-ROMs contain source code for all the subsystems explained
above, and the README (http://ftp.OpenBSD.org/pub/OpenBSD/5.9/README)
file explains how to deal with these source files. For those who
are doing an HTTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/5.9/ directory:
xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------
Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil,
Visa Hankala, Stuart Henderson, Peter Hessler, Paul Irofti, and
Christian Weisgerber. Base and X system builds by
Jasper Lievisse Adriaanse, Kenji Aoyama, Theo de Raadt, Jonathan Gray,
and Tobias Ulmer. ISO-9660 filesystem layout by Theo de Raadt.
We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who pre-ordered the 5.9 CD-ROM or bought our previous
CD-ROMs. Those who did not support us financially have still helped
us with our goal of improving the quality of the software.
Our developers are:
Aaron Bieber, Alexander Bluhm, Alexander Hall, Alexandr Nedvedicky,
Alexandr Shadchin, Alexandre Ratchov, Andrew Fresh,
Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot,
Benoit Lecocq, Bob Beck, Brandon Mercer, Brent Cook, Bret Lambert,
Bryan Steele, Can Erkin Acar, Charles Longeau, Chris Cappuccio,
Christian Weisgerber, Christopher Zimmermann, Claudio Jeker,
Damien Miller, Daniel Boulet, Daniel Dickman, Darren Tucker,
David Coppa, David Gwynne, Dmitrij Czarkoff, Doug Hogan,
Edd Barrett, Eric Faurot, Florian Obser, Gerhard Roth,
Giannis Tsaraias, Gilles Chehade, Giovanni Bechis, Gleydson Soares,
Gonzalo L. Rodriguez, Henning Brauer, Ian Darwin, Igor Sobrado,
Ingo Feinerer, Ingo Schwarze, James Turner, Jason McIntyre,
Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
Jonathan Matthew, Joshua Stein, Juan Francisco Cantero Hurtado,
Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner,
Kirill Bychkov, Kurt Miller, Landry Breuil, Lawrence Teo,
Luke Tymowski, Marc Espie, Mark Kettenis, Mark Lumsden,
Markus Friedl, Martijn van Duren, Martin Pieuchot, Martynas Venckus,
Masao Uebayashi, Mats O Jansson, Matthew Dempsky, Matthias Kilian,
Matthieu Herrb, Michael McConville, Mike Belopuhov, Mike Larkin,
Miod Vallat, Nayden Markatchev, Nicholas Marriott, Nigel Taylor,
Okan Demirmen, Otto Moerbeek, Pascal Stumpf, Paul Irofti,
Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre,
Rafael Zalamena, Remi Pointel, Renato Westphal, Reyk Floeter,
Ricardo Mestre, Robert Nagy, Robert Peichaer, Sasano Takayoshi,
Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
Stefan Fritsch, Stefan Kempf, Stefan Sperling, Steven Mestdagh,
Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda, T.J. Townsend,
Ted Unangst, Theo Buehler, Theo de Raadt, Tim van der Molen,
Tobias Stoeckmann, Tobias Ulmer, Todd C. Miller, Ulf Brosziewski,
Vadim Zhukov, Vincent Gross, Visa Hankala, Yasuoka Masahiko,
Yojiro Uo