This episode was brought to you by

Headlines

BSDCan 2015 videos

• BSDCan just ended last week, but some of the BSD-related presentation videos are already online
• Allan Jude, UCL for FreeBSD
• Andrew Cagney, What happens when a dwarf and a daemon start dancing by the light of the silvery moon?
• Andy Tanenbaum, A reimplementation of NetBSD using a MicroKernel
• Brooks Davis, CheriBSD: A research fork of FreeBSD
• Giuseppe Lettieri, Even faster VM networking with virtual passthrough
• Joseph Mingrone, Molecular Evolution, Genomic Analysis and FreeBSD
• Olivier Cochard-Labbe, Large-scale plug&play x86 network appliance deployment over Internet
• Peter Hessler, Using routing domains / routing tables in a production network
• Ryan Lortie, a stitch in time: jhbuild
• Ted Unangst, signify: Securing OpenBSD From Us To You
• Many more still to come... ***

Documenting my BSD experience

• Increasingly common scenario: a long-time Linux user (since the mid-90s) decides it's finally time to give BSD a try
• "That night I came home, I had been trying to find out everything I could about BSD and I watched many videos, read forums, etc. One of the shows I found was BSD Now. I saw that they helped people and answered questions, so I decided to write in."
• In this ongoing series of blog posts, a user named Michael writes about his initial experiences with trying different BSDs for some different tasks
• The first post covers ZFS on FreeBSD, used to build a file server for his house (and of course he lists the hardware, if you're into that)
• You get a glimpse of a brand new user trying things out, learning how great ZFS-based RAID arrays are and even some of the initial hurdles someone could run into
• He's also looking to venture into the realm of replacing some of his VMs with jails and bhyve soon
• His second post explores replacing the firewall on his self-described "over complicated home network" with an OpenBSD box
• After going from ipfwadmin to ipchains to iptables, not even making it to nftables, he found the simple PF syntax to be really refreshing
• All the tools for his networking needs, the majority of which are in the base system, worked quickly and were easy to understand
• Getting to hear experiences like this are very important - they show areas where all the BSD developers' hard work has paid off, but can also let us know where we need to improve ***

PC-BSD tries HardenedBSD builds

• The PC-BSD team has created a new branch of their git repo with the HardenedBSD ASLR patches integrated
• They're not the first major FreeBSD-based project to offer an alternate build - OPNsense did that a few weeks ago - but this might open the door for more projects to give it a try as well
• With Personacrypt, OpenNTPD, LibreSSL and recent Tor integration through the tools, these additional memory protections will offer PC-BSD users even more security that a default FreeBSD install won't have
• Time will tell if more projects and products like FreeNAS might be interested too ***

C-states in OpenBSD

• People who run BSD on their notebooks, you'll want to pay attention to this one
• OpenBSD has recently committed some ACPI improvements for deep C-states, enabling the processor to enter a low-power mode
• According to a few users so far, the change has resulted in dramatically lower CPU temperatures on their laptops, as well as much better battery life
• If you're running OpenBSD -current on a laptop, try out the latest snapshot and report back with your findings ***

NetBSD at Open Source Conference 2015 Hokkaido

• The Japanese NetBSD users group never sleeps, and they've hit yet another open source conference
• As is usually the case, lots of strange machines on display were running none other than NetBSD (though it was mostly ARM this time)
• We'll be having one of these guys on the show next week to discuss some of the lesser-known NetBSD platforms ***

Interview - Marc Espie - espie@openbsd.org / @espie_openbsd

Recent improvements to OpenBSD's dpb tool

News Roundup

Introducing xhyve, bhyve on OS X

• We've talked about FreeBSD's "bhyve" hypervisor a lot on the show, and now it's been ported to another OS
• As the name "xhyve" might imply, it's a port of bhyve to Mac OS X
• Currently it only has support for virtualizing a few Linux distributions, but more guest systems can be added in the future
• It runs entirely in userspace, and has no extra requirements beyond OS X 10.10 or newer
• There are also a few examples on how to use it ***

4K displays on DragonFlyBSD

• If you've been using DragonFly as a desktop, maybe with those nice Broadwell graphics, you'll be pleased to know that 4K displays work just fine
• Matthew Dillon wrote up a wiki page about some of the specifics, including a couple gotchas
• Some GUI applications might look weird on such a huge resolution,
• HDMI ports are mostly limited to a 30Hz refresh rate, and there are slightly steeper hardware requirements for a smooth experience ***

Sandboxing port daemons on OpenBSD

• We talked about different containment methods last week, and mentioned that a lot of the daemons in OpenBSD's base as chrooted by default - things from ports or packages don't always get the same treatment
• This blog post uses a mumble server as an example, but you can apply it to any service from ports that doesn't chroot by default
• It goes through the process of manually building a sandbox with all the libraries you'll need to run the daemon, and this setup will even wipe and refresh the chroot every time you restart it
• With a few small changes, similar tricks could be done on the other BSDs as well - everybody has chroots ***

SmallWall 1.8.2 released

• SmallWall is a relatively new BSD-based project that we've never covered before
• It's an attempt to keep the old m0n0wall codebase going, and appears to have started around the time m0n0wall called it quits
• They've just released the first official version, so you can give it a try now
• If you're interested in learning more about SmallWall, the lead developer just might be on the show in a few weeks... ***

Feedback/Questions

• David writes in
• Brian writes in
• Dan writes in
• Joel writes in
• Steve writes in ***

This episode was brought to you by

Headlines

OpenSMTPD for the whole family

• Setting up a BSD mail server is something a lot of us are probably familiar with doing, at least for our own accounts
• This article talks about configuring a home mail server too, but even for the other people you live with
• After convincing his wife to use their BSD-based Owncloud server for backups, the author talks about moving her over to his brand new OpenSMTPD server too
• If you've ever run a mail server and had to deal with greylisting, you'll appreciate the struggle he went through
• In the end, BGP-based list distribution saved the day, and his family is being served well by a BSD box ***

NetBSD on the Edgerouter Lite

• We've talked a lot about building your own BSD-based router on the show, but not many of the devices we mention are in the same price range as consumer devices
• The EdgeRouter Lite, a small MIPS-powered machine, is starting to become popular (and is a bit cheaper)
• A NetBSD developer has been hacking on it, and documents the steps to get a working install in this blog post
• The process is fairly simple, and you can cross-compile your own installation image on any CPU architecture (even from another BSD!)
• OpenBSD and FreeBSD also have some support for these devices ***

Bitrig at NYC*BUG

• The New York City BSD users group has semi-regular meetings with presentations, and this time the speaker was John Vernaleo
• John discussed Bitrig, an OpenBSD fork that we've talked about a couple times on the show
• He talks about what they've been up to lately, why they're doing what they're doing, difference in supported platforms
• Ports and packages between the two projects are almost exactly the same, but he covers the differences in the base systems, how (some) patches get shared between the two and finally some development model differences ***

OPNsense, meet HardenedBSD

• Speaking of forks, two FreeBSD-based forked projects we've mentioned on the show, HardenedBSD and OPNsense, have decided to join forces
• Backporting their changes to the 10-STABLE branch, HardenedBSD hopes to introduce some of their security additions to the OPNsense codebase
• Paired up with LibreSSL, this combination should offer a good solution for anyone wanting a BSD-based firewall with an easy web interface
• We'll cover more news on the collaboration as it comes out ***

Interview - Mike Larkin - mlarkin@openbsd.org / @mlarkin2012

Memory protections in OpenBSD: W^X, ASLR, PIE, SSP

News Roundup

A closer look at FreeBSD

• The week wouldn't be complete without at least one BSD article making it to a mainstream tech site
• This time, it's a high-level overview of FreeBSD, some of its features and where it's used
• Being that it's an overview article on a more mainstream site, you won't find anything too technical - it covers some BSD history, stability, ZFS, LLVM and Clang, ports and packages, jails and the licensing
• If you have any BSD-curious Linux friends, this might be a good one to send to them ***

Linksys NSLU2 and NetBSD

• The Linksys NSLU2 is a proprietary network-attached storage device introduced back in 2004
• "About 2 months ago I set a goal to run some kind of BSD on the spare Linksys NSLU2 I had. This was driven mostly by curiosity, after listening to a few BSDNow episodes and becoming a regular listener [...]"
• After doing some research, the author of this post discovered that he could cross-compile NetBSD for the device straight from his Linux box
• If you've got one of these old devices kicking around, check out this write-up and get some BSD action on there ***

OpenBSD disklabel templates

• We've covered OpenBSD's "autoinstall" feature for unattended installations in the past, but one area where it didn't offer a lot of customization was with the disk layout
• With a few recent changes, there are now a series of templates you can use for a completely customized partition scheme
• This article takes you through the process of configuring an autoinstall answer file and adding the new section for disklabel
• Combine this new feature with our -stable iso tutorial, and you could deploy completely patched and customized images en masse pretty easily ***

FreeBSD native ARM builds

• FreeBSD -CURRENT builds for the ARM CPU architecture can now be built natively, without utilities that aren't part of base
• Some of the older board-specific kernel configuration files have been replaced, and now the "IMC6" target is used
• This goes along with what we read in the most recent quarterly status report - ARM is starting to get treated as a first class citizen ***

Feedback/Questions

• Sean writes in
• Ron writes in
• Charles writes in
• Bostjan writes in ***

This episode was brought to you by

Headlines

New PAE support in OpenBSD

• OpenBSD has just added Physical Address Extention support to the i386 architecture, but it's probably not what you'd think of when you hear the term
• In most operating systems, PAE's main advantage is to partially circumvent the 4GB memory limit on 32 bit platforms - this version isn't for that
• Instead, this change specifically allows the system to use the No-eXecute Bit of the processor for the userland, further hardening the in-place memory protections
• Other operating systems enable the CPU feature without doing anything to the page table entries, so they do get the available memory expansion, but don't get the potential security benefit
• As we discussed in a previous episode, the AMD64 platform already saw some major W^X kernel and userland improvements - the i386 kernel reworking will begin shortly
• Not all CPUs support this feature, but, if yours supports NX, this will improve upon the previous version of W^X that was already there
• The AMD64 improvements will be in 5.7, due out in just a couple days as of when we're recording this, but the i386 improvements will likely be in 5.8 ***

Booting Windows in bhyve

• Work on FreeBSD's bhyve continues, and a big addition is on the way
• Thus far, bhyve has only been able to boot operating systems with a serial console - no VGA, no graphics, no Windows
• This is finally changing, and a teasing screenshot of Windows Server was recently posted on Twitter
• Graphics emulation is still in the works; this image was taken by booting headless and using RDP
• A lot of the needed code is being committed to -CURRENT now, but the UEFI portion of it requires a bit more development (and the aim for that is around the time of BSDCan)
• Not a lot of details on the matter currently, but we'll be sure to bring you more info as it comes out
• Are you more interested in bhyve or Xen on FreeBSD? Email us your thoughts ***

MidnightBSD 0.6 released

• MidnightBSD is a smaller project we've not covered a lot on the show before
• It's an operating system that was forked from FreeBSD back in the 6.1 days, and their focus seems to be on ease-of-use
• They also have their own, smaller version of FreeBSD ports, called "mports"
• If you're already using it, this new version is mainly a security and bugfix release
• It syncs up with the most recent FreeBSD security patches and gets a lot of their ports closer to the latest versions
• You can check their site for more information about the project
• We're trying to get the lead developer to come on for an interview, but haven't heard anything back yet ***

OpenBSD rewrites the file utility

• We're all probably familiar with the traditional file command - it's been around since the 1970s
• For anyone who doesn't know, it's used to determine what type of file something actually is
• This tool doesn't see a lot of development these days, and it's had its share of security issues as well
• Some of those security issues remain unfixed in various BSDs even today, despite being publicly known for a while
• It's not uncommon for people to run file on random things they download from the internet, maybe even as root, and some of the previous bugs have allowed file to overwrite other files or execute code as the user running it
• When you think about it, file was technically designed to be used on untrusted files
• OpenBSD developer Nicholas Marriott, who also happens to be the author of tmux, decided it was time to do a complete rewrite - this time with modern coding practices and the usual OpenBSD scrutiny
• This new version will, by default, run as an unprivileged user with no shell, and in a systrace sandbox, strictly limiting what system calls can be made
• With these two things combined, it should drastically reduce the damage a malicious file could potentially do
• Ian Darwin, the original author of the utility, saw the commit and replied, in what may be a moment in BSD history to remember
• It'll be interesting to see if the other BSDs, OS X, Linux or other UNIXes consider adopting this implementation in the future - someone's already thrown together an unofficial portable version
• Coincidentally, the lead developer and current maintainer of file just happens to be our guest today… ***

Interview - Christos Zoulas - christos@netbsd.org

blacklistd and NetBSD advocacy

News Roundup

GSoC-accepted BSD projects

• The Google Summer of Code people have published a list of all the projects that got accepted this year, and both FreeBSD and OpenBSD are on that list
• FreeBSD's list includes: NE2000 device model in userspace for bhyve, updating Ficl in the bootloader, type-aware kernel virtual memory access for utilities, JIT compilation for firewalls, test cluster automation, Linux packages for pkgng, an mtree parsing and manipulation library, porting bhyve to ARM-based platforms, CD-ROM emulation in CTL, libc security extensions, gptzfsboot support for dynamically discovering BEs during startup, CubieBoard support, a bhyve version of the netmap virtual passthrough for VMs, PXE support for FreeBSD guests in bhyve and finally.. memory compression and deduplication
• OpenBSD's list includes: asynchronous USB transfer submission from userland, ARM SD/MMC & controller driver in libsa, improving USB userland tools and ioctl, automating module porting, implementing a KMS driver to the kernel and, wait for it... porting HAMMER FS to OpenBSD
• We'll be sure to keep you up to date on developments from both projects
• Hopefully the other BSDs will make the cut too next year ***

FreeBSD on the Gumstix Duovero

• If you're not familiar with the Gumstix Duovero, it's an dual core ARM-based computer-on-module
• They actually look more like a stick of RAM than a mini-computer
• This article shows you how to build a FreeBSD -CURRENT image to run on them, using crochet-freebsd
• If anyone has any interesting devices like this that they use BSD on, write up something about it and send it to us ***

EU study recommends OpenBSD

• A recent study by the European Parliament was published, explaining that more funding should go into critical open source projects and tools
• This is especially important, in all countries, after the mass surveillance documents came out
• "[...] the use of open source computer operating systems and applications reduces the risk of privacy intrusion by mass surveillance. Open source software is not error free, or less prone to errors than proprietary software, the experts write. But proprietary software does not allow constant inspection and scrutiny by a large community of experts."
• The report goes on to mention users becoming more and more security and privacy-aware, installing additional software to help protect themselves and their traffic from being spied on
• Alongside Qubes, a Linux distro focused on containment and isolation, OpenBSD got a special mention: "Proactive security and cryptography are two of the features highlighted in the product together with portability, standardisation and correctness. Its built-in cryptography and packet filter make OpenBSD suitable for use in the security industry, for example on firewalls, intrusion-detection systems and VPN gateways"
• Reddit, Undeadly and Hacker News also had some discussion, particularly about corporations giving back to the BSDs that they make use of in their infrastructure - something we've discussed with Voxer and M:Tier before ***

FreeBSD workflow with Git

• If you're interested in contributing to FreeBSD, but aren't a big fan of SVN, they have a Github mirror too
• This mailing list post talks about interacting between the official source repository and the Git mirror
• This makes it easy to get pull requests merged into the official tree, and encourages more developers to get involved ***

Feedback/Questions

• Sean writes in
• Bryan writes in
• Sean writes in
• Charles writes in ***

This episode was brought to you by

Headlines

Solaris' networking future is with OpenBSD

• A curious patch from someone with an Oracle email address was recently sent in to one of the OpenBSD mailing lists
• It was revealed that future releases of Solaris are going to drop their IPFilter firewall entirely, in favor of a port of the current version of PF
• For anyone unfamiliar with the history of PF, it was actually made as a replacement for IPFilter in OpenBSD, due to some licensing issues
• What's more, Solaris was the original development platform for IPFilter, so the fact that it would be replaced in its own home is pretty interesting
• This blog post goes through some of the backstory of the two firewalls
• PF is in a lot of places - other BSDs, Mac OS X and iOS - but there are plenty of other OpenBSD-developed technologies end up ported to other projects too
• "Many of the world's largest corporations and government agencies are heavy Solaris users, meaning that even if you're neither an OpenBSD user or a Solaris user, your kit is likely interacting intensely with both kinds, and with Solaris moving to OpenBSD's PF for their filtering needs, we will all be benefiting even more from the OpenBSD project's emphasis on correctness, quality and security"
• You're welcome, Oracle ***

BAFUG discussion videos

• The Bay Area FreeBSD users group has been uploading some videos from their recent meetings
• Sean Bruno gave a recap of his experiences at EuroBSDCon last year, including the devsummit and some proposed ideas from it (as well as their current status)
• Craig Rodrigues also gave a talk about Kyua and the FreeBSD testing framework
• Lastly, Kip Macy gave a talk titled "network stack changes, user-level FreeBSD"
• The main two subjects there are some network stack changes, and how to get more people contributing, but there's also open discussion about a variety of FreeBSD topics
• If you're close to the Bay Area in California, be sure to check out their group and attend a meeting sometime ***

More than just a makefile

• If you're not a BSD user just yet, you might be wondering how the various ports and pkgsrc systems compare to the binary way of doing things on Linux
• This blog entry talks about the ports system in OpenBSD, but a lot of the concepts apply to all the ports systems across the BSDs
• As it turns out, the ports system really isn't that different from a binary package manager - they are what's used to create binary packages, after all
• The author goes through what makefiles do, customizing which options software is compiled with, patching source code to build and getting those patches back upstream
• After that, he shows you how to get your new port tested, if you're interesting in doing some porting yourself, and getting involved with the rest of the community
• This post is very long and there's a lot more to it, so check it out (and more discussion on Hacker News) ***

Securing your home fences

• Hopefully all our listeners have realized that trusting your network(s) to a consumer router is a bad idea by now
• We hear from a lot of users who want to set up some kind of BSD-based firewall, but don't hear back from them after they've done it.. until now
• In this post, someone goes through the process of setting up a home firewall using OPNsense on a PCEngines APU board
• He notes that you have a lot of options software-wise, including vanilla FreeBSD, OpenBSD or even Linux, but decided to go with OPNsense because of the easy interface and configuration
• The post covers all the hardware you'll need, getting the OS installed to a flash drive or SD card and going through the whole process
• Finally, he goes through setting up the firewall with the graphical interface, applying updates and finishing everything up
• If you don't have any experience using a serial console, this guide also has some good info for beginners about those (which also applies to regular FreeBSD)
• We love super-detailed guides like this, so everyone should write more and send them to us immediately ***

Interview - Pascal Stumpf - pascal@openbsd.org

Static PIE in OpenBSD

News Roundup

LLVM's new libFuzzer

• We've discussed fuzzing on the show a number of times, albeit mostly with the American Fuzzy Lop utility
• It looks like LLVM is going to have their own fuzzing tool too now
• The Clang and LLVM guys are no strangers to this type of code testing, but decided to "close the loop" and start fuzzing parts of LLVM (including Clang) using LLVM itself
• With Clang being the default in both FreeBSD and Bitrig, and with the other BSDs considering the switch, this could make for some good bug hunting across all the projects in the future ***

HardenedBSD upgrades secadm

• The HardenedBSD guys have released a new version of their secadm tool, with the showcase feature being integriforce support
• We covered both the secadm tool and integriforce in previous episodes, but the short version is that it's a way to prevent files from being altered (even as root)
• Their integriforce feature itself has also gotten a couple improvements: shared objects are now checked too, instead of just binaries, and it uses more caching to speed up the whole process now ***

RAID5 returns to OpenBSD

• OpenBSD's softraid subsystem, somewhat similar to FreeBSD's GEOM, has had experimental RAID5 support for a while
• However, it was exactly that - experimental - and required a recompile to enable
• With some work from recent hackathons, the final piece was added to enable resuming partial array rebuilds
• Now it's on by default, and there's a call for testing being put out, so grab a snapshot and put the code through its paces
• The bioctl softraid command also now supports DUIDs during pseudo-device detachment, possibly paving the way for the installer to drop the "do you want to enable DUIDs?" question entirely ***

pkgng 1.5.0 released

• Going back to what we talked about last week, the final version of pkgng 1.5.0 is out
• The "provides" and "requires" support is finally in a regular release
• A new "-r" switch will allow for direct installation to a chroot or alternate root directory
• Memory usage should be much better now, and some general code speed-ups were added
• This version also introduces support for Mac OS X, NetBSD and EdgeBSD - it'll be interesting to see if anything comes of that
• Many more bugs were fixed, so check the mailing list announcement for the rest (and plenty new bugs were added, according to bapt) ***

p2k15 hackathon reports

• There was another OpenBSD hackathon that just finished up in the UK - this time it was mainly for ports work
• As usual, the developers sent in reports of some of the things they got done at the event
• Landry Breuil, both an upstream Mozilla developer and an OpenBSD developer, wrote in about the work he did on the Firefox port (specifically WebRTC) and some others, as well as reviewing lots of patches that were ready to commit
• Stefan Sperling wrote in, detailing his work with wireless chipsets, specifically when the vendor doesn't provide any hardware documentation, as well as updating some of the games in ports
• Ken Westerback also sent in a report, but decided to be a rebel and not work on ports at all - he got a lot of GPT-related work done, and also reviewed the RAID5 support we talked about earlier ***

Feedback/Questions

• Shaun writes in
• Hrishi writes in
• Randy writes in
• Zach writes in
• Ben writes in ***

Mailing List Gold

• Gstreamer hates us
• At least he's honest
• I find myself in a situation ***

This episode was brought to you by

Headlines

FreeBSD foundation August update

• The foundation has published a new PDF detailing some of their recent activities
• It includes project development updates, the 10.1-RELEASE schedule and some of its new features
• There is also a short interview with Dru Lavigne in the "voices from the community" section
• If you're into hardware, there's another section about some new FreeBSD server equipment
• In closing, there's an update on funding too ***

NSD for an authoritative nameserver

• With BIND having been removed from FreeBSD 10.0, you might be looking to replace your old DNS setup
• This article shows how to use NSD for an authoritative DNS nameserver
• It's also got a link to a similar article on Unbound, the new favorite recursive and caching resolver (they work great together)
• All the instructions are presented very neatly, with all the little details included
• Less BIND means less vulnerabilities, everybody's happy ***

BIND and Nginx removed from OpenBSD

• While we're on the topic of DNS servers, BIND was finally removed from OpenBSD as well
• The base system contains both NSD and Unbound, so users can transition over between 5.6 (November of this year) and 5.7 (May of next year)
• They've also removed nginx from the base system, in favor of the new custom HTTP daemon
• BIND and Nginx are still available in ports if you don't want to switch
• We're hoping to have Reyk Floeter on the show next week to talk about it, but scheduling might not work out, so it may be a little later on
• With Apache gone in the upcoming 5.6, It's also likely that sendmail will be removed before 5.7 - hooray for modern alternatives ***

NetBSD demo videos

• A Japanese NetBSD developer has been uploading lots of interesting videos
• Unsurprisingly, they're all featuring NetBSD running on exotic and weird hardware
• Most of them are demoing sound or running a modern Twitter client on an ancient computer
• They're from the same guy that did the conference wrap-up we mentioned recently ***

Interview - Shawn Webb - shawn.webb@hardenedbsd.org / @lattera

Address space layout randomization in FreeBSD

Tutorial

Reverse SSH tunneling

News Roundup

Puppet master-agent installation on FreeBSD

• If you've got a lot of BSD boxes under your control, or if you're just lazy, you've probably looked into Puppet before
• The author claims a lack of BSD-specific Puppet documentation, so he decided to write up some notes of his own
• He goes through some advantages of using this type of tool for deployments, even when you don't have a huge number of systems
• The rest of the post explains how to set up both the master and the agent configurations ***

Misc. pfSense items

• We found a few miscellaneous pfSense articles this past week
• The first one is about the hunt for the "ultimate" free open source firewall, where pfSense is obviously a strong contender
• The second one shows how to log NAT firewall states (a good way to find out which family member has been torrenting!)
• In the third, you can see how to automatically back up your configuration files
• The fourth item shows how to set up PXE booting with pfSense, similar to one of our tutorials ***

Time Machine backups on ZFS

• If you've got a Mac you need to keep backed up, a FreeBSD server with ZFS can take the place of an expensive "time capsule"
• This post walks you through setting up netatalk and mDNS for a very versatile Time Machine backup system
• With a single command on the OS X side, you can write to and read from the BSD box just like a regular external drive
• Surprisingly simple to do, recommended for anyone with Macs on their network ***

Lumina desktop preview

• Lumina, the BSD-exclusive desktop environment, seems to be coming along nicely
• The main developer has posted an update on the PCBSD blog with some screenshots
• Lots of new features have been added, many of which are documented in the post
• There just might be a BSD Now episode about Lumina coming up.. (cough cough) ***

Feedback/Questions

• Gary writes in
• Cedric writes in
• Caldwell writes in
• Cary writes in ***

This episode was brought to you by

Headlines

EuroBSDCon 2014 talks and schedule

• The talks and schedules for EuroBSDCon 2014 are finally revealed
• The opening keynote is called "FreeBSD, looking forward to another 10 years" by jkh
• Lots of talks spanning FreeBSD, OpenBSD and PCBSD, and we finally have a few about NetBSD and DragonflyBSD too! Variety is great
• It looks like Theo even has a talk, but the title isn't on the page... how mysterious
• There are also days dedicated to some really interesting tutorials
• Register now, the conference is on September 25-28th in Bulgaria
• If you see Allan and Kris walking towards you and you haven't given us an interview yet... well you know what's going to happen
• Why aren't the videos up from last year yet? Will this year also not have any? ***

FreeNAS vs NAS4Free

• More mainstream news covering BSD, this time with an article about different NAS solutions
• In a possibly excessive eight-page article, Ars Technica discusses the pros and cons of both FreeNAS and NAS4Free
• Both are based on FreeBSD and ZFS of course, but there are more differences than you might expect
• Discusses the different development models, release cycles, features, interfaces and ease-of-use factor of each project
• "One is pleasantly functional; the other continues devolving during a journey of pain" - uh oh, who's the loser? ***

Quality software costs money, heartbleed was free

• PHK writes an article for ACM Queue about open source software projects' funding efforts
• A lot of people don't realize just how widespread open source software is - TVs, printers, gaming consoles, etc
• The article discusses ways to convince your workplace to fund open source efforts, then goes into a little bit about FreeBSD and Varnish's funding
• The latest heartbleed vulnerability should teach everyone that open source projects are critical to the internet, and need people actively maintaining them
• On that subject, "Earlier this year the OpenSSL Heartbleed bug laid waste to Internet security, and there are still hundreds of thousands of embedded devices of all kinds—probably your television among them—that have not been and will not ever be software-upgraded to fix it. The best way to prevent that from happening again is to avoid having bugs of that kind go undiscovered for several years, and the only way to avoid that is to have competent people paying attention to the software"
• Consider donating to your favorite BSD foundation (or buying cool shirts and CDs!) and keeping the ecosystem alive ***

Geoblock evasion with pf and OpenBSD rdomains

• Geoblocking is a way for websites to block visitors based on the location of their IP
• This is a blog post about how to get around it, using pf and rdomains
• It has the advantage of not requiring any browser plugins or DNS settings on the users' computers, you just need to be running OpenBSD on your router (hmm, if only a website had a tutorial about that...)
• In this post, the author wanted to get an American IP address, since the service he was using (Netflix) is blocked in Australia
• It's got all the details you need to set up a VPN-like system and bypass those pesky geographic filters ***

Interview - Marc Espie - espie@openbsd.org / @espie_openbsd

OpenBSD's package system, building cluster, various topics

Tutorial

Keeping your BSD up to date

News Roundup

BoringSSL and LibReSSL

• Yet another OpenSSL fork pops up, this time from Google, called BoringSSL
• Adam Langley has a blog post about it, why they did it and how they're going to maintain it
• You can easily browse the source code
• Theo de Raadt also weighs in with how this effort relates to LibReSSL
• More eyes on the code is good, and patches will be shared between the two projects ***

More BSD Tor nodes wanted

• Friend of the show bcallah posts some news to the Tor-BSD mailing list about monoculture in the Tor network being both bad and dangerous
• Originally discussed on the Tor-Relays list, it was made apparent that having such a large amount of Linux nodes weakens the security of the whole network
• If one vulnerability is found, a huge portion of the network would be useless - we need more variety in the network stacks, crypto, etc.
• The EFF is also holding a Tor challenge for people to start up new relays and keep them online for over a year
• Check out our Tor tutorial and help out the network, and promote BSD at the same time! ***

FreeBSD 10 OpenStack images

• OpenStack, to quote Wikipedia, is "a free and open-source software cloud computing platform. It is primarily deployed as an infrastructure as a service (IaaS) solution."
• The article goes into detail about creating a FreeBSD instant, installing and converting it for use with "bsd-cloudinit"
• The author of the article is a regular listener and emailer of the show, hey! ***

BSDday 2014 call for papers

• BSD Day, a conference not so well-known, is going to be held August 9th in Argentina
• It was created in 2008 and is the only BSD conference around that area
• The "call for papers" was issued, so if you're around Argentina and use BSD, consider submitting a talk
• Sysadmins, developers and regular users are, of course, all welcome to come to the event ***

Feedback/Questions

• Maruf writes in
• Solomon writes in
• Silas writes in
• Bert writes in ***

This episode was brought to you by

Headlines

PIE and ASLR in FreeBSD update

• A status update for Shawn Webb's ASLR and PIE work for FreeBSD
• One major part of the code, position-independent executable support, has finally been merged into the -CURRENT tree
• "FreeBSD has supported loading PIEs for a while now, but the applications in base weren't compiled as PIEs. Given that ASLR is useless without PIE, getting base compiled with PIE support is a mandatory first step in proper ASLR support"
• If you're running -CURRENT, just add "WITH_PIE=1" to your /etc/src.conf and /etc/make.conf
• The next step is working on the ASLR coding style and getting more developers to look through it
• Shawn will also be at EuroBSDCon (in September) giving an updated version of his BSDCan talk about ASLR ***

Misc. pfSense news

• Couple of pfSense news items this week, including some hardware news
• Someone's gotta test the pfSense hardware devices before they're sold, which involves powering them all on at least once
• To make that process faster, they're building a controllable power board (and include some cool pics)
• There will be more info on that device a bit later on
• On Friday, June 27th, there will be another video session (for paying customers only...) about virtualized firewalls
• pfSense University, a new paid training course, was also announced
• A single two-day class costs $2000, ouch ***

ZFS stripe width

• A new blog post from Matt Ahrens about ZFS stripe width
• "The popularity of OpenZFS has spawned a great community of users, sysadmins, architects and developers, contributing a wealth of advice, tips and tricks, and rules of thumb on how to configure ZFS. In general, this is a great aspect of the ZFS community, but I’d like to take the opportunity to address one piece of misinformed advice"
• Matt goes through different situations where you would set up your zpool differently, each with their own advantages and disadvantages
• He covers best performance on random IOPS, best reliability, and best space efficiency use cases
• It includes a lot of detail on each one, including graphs, and addresses some misconceptions about different RAID-Z levels' overhead factor ***

FreeBSD 9.3-BETA3 released

• The third BETA in the 9.3 release cycle is out, we're slowly getting closer to the release
• This is expected to be the final BETA, next will come the RCs
• There have mostly just been small bug fixes since BETA2, but OpenSSL was also updated and the arc4random code was updated to match what's in -CURRENT (but still isn't using ChaCha20)
• The FreeBSD foundation has a blog post about it too
• There's a list of changes between 9.2 and 9.3 as well, but we'll be sure to cover it when the -RELEASE hits ***

Interview - Bryce Chidester - brycec@devio.us / @brycied00d

Running a BSD shell provider

Tutorial

Chaining SSH connections

News Roundup

My FreeBSD adventure

• A Slackware user from the "linux questions" forum decides to try out BSD, and documents his initial impressions and findings
• After ruling out PCBSD due to the demanding hardware requirements and NetBSD due to "politics" (whatever that means, his words) he decides to start off with FreeBSD 10, but also mentions trying OpenBSD later on
• In his forum post, he covers the documentation (and how easy it makes it for a switcher), dual booting, packages vs ports, network configuration and some other little things
• So far, he seems to really enjoy BSD and thinks that it makes a lot of sense compared to Linux
• Might be an interesting, ongoing series we can follow up on later ***

Even more BSDCan trip reports

• BSDCan may be over until next year, but trip reports are still pouring in
• This time we have a summary from Li-Wen Hsu, who was paid for by the FreeBSD foundation
• He's part of the "Jenkins CI for FreeBSD" group and went to BSDCan mostly for that
• Nice long post about all of his experiences at the event, definitely worth a read
• He even talks about... the food ***

FreeBSD disk partitioning

• For his latest book series on FreeBSD's GEOM system, MWL asked the hackers mailing list for some clarification
• This erupted into a very long discussion about fdisk vs gnop vs gpart
• So you don't have to read the 500 mailing list posts, he's summarized the findings in a blog post
• It covers MBR vs GPT, disk sector sizes and how to handle all of them with which tools ***

BSD Router Project version 1.51

• A new version of the BSD Router Project has been released, 1.51
• It's now based on FreeBSD 10-STABLE instead of 10.0-RELEASE
• Includes lots of bugfixes and small updates, as well as some patches from pfSense and elsewhere
• Check the sourceforge page for the complete list of changes
• Bad news... the minimum disk size requirement has increased to 512MB... getting pretty bloated ***

Feedback/Questions

• Fongaboo writes in
• David writes in
• Kristian writes in ***

This episode was brought to you by

Headlines

OpenBSD 5.5 released

• If you ordered a CD set then you've probably had it for a little while already, but OpenBSD has formally announced the public release of 5.5
• This is one of the biggest releases to date, with a very long list of changes and improvements
• Some of the highlights include: time_t being 64 bit on all platforms, release sets and binary packages being signed with the new signify tool, a new autoinstall feature of the installer, SMP support on Alpha, a new AViiON port, lots of new hardware drivers including newer NICs, the new vxlan driver, relayd improvements, a new pf queue system for bandwidth shaping, dhcpd and dhclient fixes, OpenSMTPD 5.4.2 and all its new features, position-independent executables being default for i386, the RNG has been replaced with ChaCha20 as well as some other security improvements, FUSE support, tmpfs, softraid partitions larger than 2TB and a RAID 5 implementation, OpenSSH 6.6 with all its new features and fixes... and a lot more
• The full list of changes is HUGE, be sure to read through it all if you're interested in the details
• If you're doing an upgrade from 5.4 instead of a fresh install, pay careful attention to the upgrade guide as there are some very specific steps for this version
• Also be sure to apply the errata patches on your new installations... especially those OpenSSL ones (some of which still aren't fixed in the other BSDs yet)
• On the topic of errata patches, the project is now going to also send them out (signed) via the announce mailing list, a very welcome change
• Congrats to the whole team on this great release - 5.6 is going to be even more awesome with "Libre"SSL and lots of other stuff that's currently in development ***

FreeBSD foundation funding highlights

• The FreeBSD foundation posts a new update on how they're spending the money that everyone donates
• "As we embark on our 15th year of serving the FreeBSD Project and community, we are proud of what we've done to help FreeBSD become the most innovative, reliable, and high-performance operation system"
• During this spring, they want to highlight the new UEFI boot support and newcons
• There's a lot of details about what exactly UEFI is and why we need it going forward
• FreeBSD has also needed some updates to its console to support UTF8 and wide characters
• Hopefully this series will continue and we'll get to see what other work is being sponsored ***

OpenSSH without OpenSSL

• The OpenSSH team has been hard at work, making it even better, and now OpenSSL is completely optional
• Since it won't have access to the primitives OpenSSL uses, there will be a trade-off of features vs. security
• This version will drop support for legacy SSH v1, and the only two cryptographic algorithms supported are an in-house implementation of AES in counter mode and the new combination of the Chacha20 stream cipher with Poly1305 for packet integrity
• Key exchange is limited to elliptic curve Diffie-Hellman and the newer Curve25519 KEXs
• No support for RSA, DSA or ECDSA public keys - only Ed25519
• It also includes a new buffer API and a set of wrappers to make it compatible with the existing API
• Believe it or not, this was planned before all the heartbleed craziness
• Maybe someday soon we'll have a mini-openssh-portable in FreeBSD ports and NetBSD pkgsrc, would be really neat ***

BSDMag's April 2014 issue is out

• The free monthly BSD magazine has got a new issue available for download
• This time the articles include: pascal on BSD, an introduction to revision control systems and configuration management, deploying NetBSD on AWS EC2, more GIMP tutorials, an AsiaBSDCon 2014 report and a piece about how easily credit cards are stolen online
• Anyone can contribute to the magazine, just send the editors an email about what you want to write
• No Linux articles this time around, good ***

Interview - David Chisnall - theraven@freebsd.org

The LLVM/Clang switch, FreeBSD's core team, various topics

Tutorial

RAID in FreeBSD and OpenBSD

News Roundup

BSDTalk episode 240

• Our buddy Will Backman has uploaded a new episode of BSDTalk, this time with our other buddy GNN as the guest - mainly to talk about NTP and keeping reliable time
• Topics include the specific details of crystals used in watches and computers to keep time, how temperature affects the quality, different sources of inaccuracy, some general NTP information, why you might want extremely precise time, different time sources (GPS, satellite, etc), differences in stratum levels, the problem of packet delay and estimating the round trip time, some of the recent NTP amplification attacks, the downsides to using UDP instead of TCP and... much more
• GNN also talks a little about the Precision Time Protocol and how it's different than NTP
• Two people we've interviewed talking to each other, awesome
• If you're interested in NTP, be sure to see our tutorial too ***

m2k14 trip reports

• We've got a few more reports from the recent OpenBSD hackathon in Morocco
• The first one is from Antoine Jacoutot (who is a key GNOME porter and gave us the screenshots for the OpenBSD desktop tutorial)
• "Since I always fail at actually doing whatever I have planned for a hackathon, this time I decided to come to m2k14 unprepared about what I was going to do"
• He got lots of work done with ports and pushing GNOME-related patches back up to the main project, then worked on fixing ports' compatibility with LibreSSL
• Speaking of LibreSSL, there's an article all would-be portable version writers should probably read and take into consideration
• Jasper Adriaanse also writes about what he got done over there
• He cleaned up and fixed the puppet port to work better with OpenBSD ***

Why you should use FreeBSD on your cloud VPS

• Here we have a blog post from Atlantic, a VPS and hosting provider, about 10 reasons for using FreeBSD
• Starts off with a little bit of BSD history for those who are unfamiliar with it and only know Linux and Windows
• The 10 reasons are: community, stability, collaboration, ease of use, ports, security, ZFS, GEOM, sound and having lots of options
• The post goes into detail about each of them and why FreeBSD makes a great choice for a VPS OS ***

PCBSD weekly digest

• Big changes coming in the way PCBSD manages software
• The PBI system, AppCafe and related tools are all going to use pkgng now
• The AppCafe will no longer be limited to PBIs, so much more software will be easily available from the ports tree
• New rating system coming soon and much more ***

Feedback/Questions

• Martin writes in
• John writes in
• Alex writes in
• Goetz writes in
• Jarrad writes in ***

This episode was brought to you by

Headlines

FreeBSD ASLR status update

• Shawn Webb gives us a little update on his address space layout randomization work for FreeBSD
• He's implemented execbase randomization for position-independent executables (which OpenBSD also just enabled globally in 5.5 on i386)
• Work has also started on testing ASLR on ARM, using a Raspberry Pi
• He's giving a presentation at BSDCan this year about his ASLR work
• While we're on the topic of BSDCan... ***

BSDCan tutorials, improving the experience

• Peter Hansteen writes a new blog post about his upcoming BSDCan tutorials
• The tutorials are called "Building the network you need with PF, the OpenBSD packet filter" and "Transitioning to OpenBSD 5.5" - both scheduled to last three hours each
• He's requesting anyone that'll be there to go ahead and contact him, telling him exactly what you'd like to learn
• There's also a bit of background information about the tutorials and how he's looking to improve them
• If you're interested in OpenBSD and going to BSDCan this year, hit him up ***

pkgsrc-2014Q1 released

• The new stable branch of pkgsrc packages has been built and is ready
• Python 3.3 is now a "first class citizen" in pkgsrc
• 14255 packages for NetBSD-current/x86_64, 11233 binary packages built with clang for FreeBSD 10/x86_64
• There's a new release every three months, and remember pkgsrc works on MANY operating systems, not just NetBSD - you could even use pkgsrc instead of pkgng or ports if you were so inclined
• They're also looking into signing packages ***

Only two holes in a heck of a long time, who cares?

• A particularly vocal Debian user, a lost soul, somehow finds his way to the misc@ OpenBSD mailing list
• He questions "what's the big deal" about OpenBSD's slogan being "Only two remote holes in the default install, in a heck of a long time!"
• Luckily, the community and Theo set the record straight about why you should care about this
• Running insecure applications on OpenBSD is actually more secure than running them on other systems, due to things like ASLR, PIE and all the security features of OpenBSD
• It spawned a discussion about ease of management and Linux's poor security record, definitely worth reading ***

Interview - Dru Lavigne - dru@freebsd.org / @bsdevents

FreeBSD's documentation printing, documentation springs, various topics

Tutorial

Automatic, unattended OpenBSD installs with PXE

News Roundup

pfSense 2.1.1 released

• A new version of pfSense is released, mainly to fix some security issues
• Tracking some recent FreeBSD advisories, pfSense usually only applies the ones that would matter on a firewall or router
• There are also some NIC driver updates and other things
• Of course if you want to learn more about pfSense, watch episode 25
• 2.1.2 is already up for testing too ***

FreeBSD gets UEFI support

• It looks like FreeBSD's battle with UEFI may be coming to a close?
• Ed Maste committed a giant list of patches to enable UEFI support on x86_64
• Look through the list to see all the details and information
• Thanks FreeBSD foundation! ***

Ideas for the next DragonflyBSD release

• Mr. Dragonfly release engineer himself, Justin Sherrill posts some of his ideas for the upcoming release
• They're aiming for late May for the next version
• Ideas include better support for running in a VM, pkgng fixes, documentation updates and PAM support
• Gasp, they're even considering dropping i386 ***

PCBSD weekly digest

• Lots of new PBI updates for 10.0, new runtime implementation
• New support for running 32 bit applications in PBI runtime
• New default CD and DVD player, umplayer
• Latest GNOME 3 and Cinnamon merged, new edge package builds ***

Feedback/Questions

• Remy writes in
• Jan writes in
• Eddie writes in
• Zen writes in
• Sean writes in ***