NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

FreeBSD Devsummit 2024 Schedule

BSDCan 2024 Schedule

News Roundup

A list of things I was drawn deeper into, got excited about, and wanted to tell you more about.

Syncthing

Paperless-ngx

• FreeBSD ports man page

Neovim

• List of popular plugins and themes

• Neovim for Newbs (by the Typecraft guy)

• Josean Martinez does a step by step tutorial

• Blog post about the setup

• TJ DeVries (Neovim developer) reads the entire manual in 9:27:42

Things we always remind ourselves while coding

Beastie Bits

• Me giving a ZFS intro talk, Sci-fi style (German)
• Gulaschprogrammiernacht (GPN) 22 (some English talks, but most in German)
• A RAM-disk based workflow

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

NetBSD 9.4

FreeBSD Foundation Delivers V1 of FreeBSD SSDF Attestation to Support Cybersecurity Compliance

News Roundup

The Lost Worlds of Telnet

How to alter file ownership and permissions with a feedback information

Coming soon to a -current system near you: parallel raw IP input

OpenBSD routers on AliExpress mini PCs

FreeBSD for Devs

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Daniel - jail issue

• Rick - ZFS

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Comparing Modern Open-Source Storage Solutions OpenZFS vs. The Rest

FreeBSD Q1 Status Report

News Roundup

Hello Systems 0.8.1 Release

OpenBSD: Managing an inverter/converter with NUT

Celebrating Earth Day: Tips for Running a Greener FreeBSD

BSDCAN Registration

Beastie Bits

• [SimCity 2000 running on OpenBSD 7.3 via DOSBox 0.74-3](https://www.reddit.com/r/openbsd_gaming/comments/12k9zt2/simcity_2000_running_on_openbsd_73_via_dosbox_0743/)
• [OpenBSD Webzine #13](https://webzine.puffy.cafe/issue-13.html)
• [AWS Gazo bot](https://github.com/csaltos/aws-gazo-bot)

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

  ---

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Interview - Dan Langille - dan@langille.org / @twitter

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Special Guest: Dan Langille.

Headlines

Why computers suck and how learning from OpenBSD can make them marginally less horrible

How much better could things actually be if we abandoned the enterprise development model?

Next I will compare this enterprise development approach with non-enterprise development - projects such as OpenBSD, which do not hesitate to introduce ABI breaking changes to improve the codebase.

One of the most commonly referred to pillars of the project's philosophy has long been its emphasis on clean functional code. Any code which makes it into OpenBSD is subject to ongoing aggressive audits for deprecated, or otherwise unmaintained code in order to reduce cruft and attack surface. Additionally the project creator, Theo de Raadt, and his team of core developers engage in ongoing development for proactive mitigations for various attack classes many of which are directly adopted by various multi-platform userland applications as well as the operating systems themselves (Windows, Linux, and the other BSDs). Frequently it is the case that introducing new features (not just deprecating old ones) introduces new incompatibilities against previously functional binaries compiled for OpenBSD.

To prevent the sort of kernel memory bloat that has plagued so many other operating systems for years, the project enforces a hard ceiling on the number of lines of code that can ever be in ring 0 at a given time. Current estimates guess the number of bugs per line of code in the Linux kernel are around 1 bug per every 10,000 lines of code. Think of this in the context of the scope creep seen in the Linux kernel (which if I recall correctly is currently at around 100,000,000 lines of code), as well as the Windows NT kernel (500,000,000 lines of code) and you quickly begin to understand how adding more and more functionality into the most privileged components of the operating system without first removing old components begins to add up in terms of the drastic difference seen between these systems in the number of zero day exploits caught in the wild respectively.

How Unix Works: Become a Better Software Engineer

Unix is beautiful. Allow me to paint some happy little trees for you. I’m not going to explain a bunch of commands – that’s boring, and there’s a million tutorials on the web doing that already. I’m going to leave you with the ability to reason about the system.

Every fancy thing you want done is one google search away.

But understanding why the solution does what you want is not the same.

That’s what gives you real power, the power to not be afraid.

And since it rhymes, it must be true.

News Roundup

FreeBSD 12.1 Runs Refreshingly Well With AMD Ryzen Threadripper 3970X

For those of you interested in AMD's new Ryzen Threadripper 3960X/3970X processors with TRX40 motherboards for running FreeBSD, the experience in our initial testing has been surprisingly pleasant. In fact, it works out-of-the-box which one could argue is better than the current Linux support that needs the MCE workaround for booting. Here are some benchmarks of FreeBSD 12.1 on the Threadripper 3970X compared to Linux and Windows for this new HEDT platform.

It was refreshing to see FreeBSD 12.1 booting and running just fine with the Ryzen Threadripper 3970X 32-core/64-thread processor from the ASUS ROG ZENITH II EXTREME motherboard and all core functionality working including the PCIe 4.0 NVMe SSD storage, onboard networking, etc. The system was running with 4 x 16GB DDR4-3600 memory, 1TB Corsair Force MP600 NVMe SSD, and Radeon RX 580 graphics. It was refreshing to see FreeBSD 12.1 running well with this high-end AMD Threadripper system considering Linux even needed a boot workaround.

While the FreeBSD 12.1 experience was trouble-free with the ASUS TRX40 motherboard (ROG Zenith II Extreme) and AMD Ryzen Threadripper 3970X, DragonFlyBSD unfortunately was not. Both DragonFlyBSD 5.6.2 stable and the DragonFlyBSD daily development snapshot from last week were yielding a panic on boot. So with that, DragonFlyBSD wasn't tested for this Threadripper 3970X comparison but just FreeBSD 12.1.

FreeBSD 12.1 on the Threadripper 3970X was benchmarked both with its default LLVM Clang 8.0.1 compiler and again with GCC 9.2 from ports for ruling out compiler differences. The FreeBSD 12.1 performance was compared to last week's Windows 10 vs. Linux benchmarks with the same system.

BSDCan 2020 CFP

BSDCan 2020 will be held 5-6 (Fri-Sat) June, 2020 in Ottawa, at the University of Ottawa. It will be preceded by two days of tutorials on 3-4 June (Wed-Thu).

NOTE the change of month in 2020 back to June Also: do not miss out on the Goat BOF on Tuesday 2 June.

We are now accepting proposals for talks. The talks should be designed with a very strong technical content bias. Proposals of a business development or marketing nature are not appropriate for this venue.

• See http://www.bsdcan.org/2020/

If you are doing something interesting with a BSD operating system, please submit a proposal. Whether you are developing a very complex system using BSD as the foundation, or helping others and have a story to tell about how BSD played a role, we want to hear about your experience. People using BSD as a platform for research are also encouraged to submit a proposal. Possible topics include:

• How we manage a giant installation with respect to handling spam.
• and/or sysadmin.
• and/or networking.
• Cool new stuff in BSD
• Tell us about your project which runs on BSD
• other topics (see next paragraph)

From the BSDCan website, the Archives section will allow you to review the wide variety of past BSDCan presentations as further examples.

Both users and developers are encouraged to share their experiences.

HardenedBSD Infrastructure Goals

2019 has been an extremely productive year with regards to HardenedBSD's infrastructure. Several opportunities aligned themselves in such a way as to open a door for a near-complete rebuild with a vast expansion.

The last few months especially have seen a major expansion of our infrastructure. We obtained a number of to-be-retired Dell R410 servers. The crash of our nightly build server provided the opportunity to deploy these R410 servers, doubling our build capacity.

My available time to spend on HardenedBSD has decreased compared to this time last year. As part of rebuilding our infrastructure, I wanted to enable the community to be able to contribute. I'm structuring the work such that help is just a pull request away. Those in the HardenedBSD community who want to contribute to the infrastructure work can simply open a pull request. I'll review the code, and deploy it after a successful review. Users/contributors don't need access to our servers in order to improve them.

My primary goal for the rest of 2019 and into 2020 is to become fully self-hosted, with the sole exception of email. I want to transition the source-of-truth git repos to our own infrastructure. We will still provide a read-only mirror on GitHub.

As I develop this infrastructure, I'm doing so with human rights in mind. HardenedBSD is in a very unique position. In 2020, I plan to provide production Tor Onion Services for the various bits of our infrastructure. HardenedBSD will provide access to its various internal services to its developers and contributors. The entire development lifecycle, going from dev to prod, will be able to happen over Tor.

Transparency will be key moving forward. Logs for the auto-sync script are now published directly to GitHub. Build logs will be, soon, too. Logs of all automated processes, and the code for those processes, will be tracked publicly via git. This will be especially crucial for development over Tor.

Integrating Tor into our infrastructure so deeply increases risk and maintenance burden. However, I believe that through added transparency, we will be able to mitigate risk. Periodic audits will need to be performed and published.

I hope to migrate HardenedBSD's site away from Drupal to a static site generator. We don't really need the dynamic capabilities Drupal gives us. The many security issues Drupal and PHP both bring also leave much to be desired.

So, that's about it. I spent the last few months of 2019 laying the foundation for a successful 2020. I'm excited to see how the project grows.

Beastie Bits

• FuryBSD - KDE plasma flavor now available
• DragonFly - git: virtio - Fix LUN scan issue w/ Google Cloud
• LPI is looking for BSD Specialist learning material writers
• ZFS sync/async + ZIL/SLOG, explained
• BSD-Licensed Combinatorics library/utility
• SSL client vs server certificates and bacula-fd
• MaxxDesktop planning to come to FreeBSD Project Page

Feedback/Questions

• Tom - ZFS Mirror with different speeds
• Jeff - Knowledge is power
• Johnny - Episode 324 response to Jacob
• Pat - NYC*BUG meeting Jan Meeting Location

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Interview - Michael Lucas

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Special Guest: Michael W Lucas.

Headlines

FreeBSD 11.3-b1 is out

BSDCan 2019 Recap

• We’re back from BSDCan and it was a packed week as always.
• It started with bhyvecon on Tuesday. Meanwhile, Benedict spent the whole day in productive meetings: annual FreeBSD Foundation board meeting and FreeBSD Journal editorial board meeting.
• On Wednesday, tutorials for BSDCan started as well as the FreeBSD Developer Summit. In the mornings, there were presentations in the big auditorium, while working groups about networking, failsafe bootcode, development web services, swap space management, and testing/CI were held. Friday had a similar format with an update from the FreeBSD core team and the “have, need, want” session for FreeBSD 13. In the afternoon, there were working groups about translation tools, package base, GSoC/Outreachy, or general hacking. Benedict held his Icinga tutorial in the afternoon with about 15 people attending. Devsummit presentation slides can be found on the wiki page and video recordings done by ScaleEngine are available on FreeBSD’s youtube channel.
• The conference program was a good mixture of sysadmin and tech talks across the major BSDs. Benedict saw the following talks: How ZFS snapshots really work by Matt Ahrens, 20 years in Jail by Michael W. Lucas, OpenZFS BOF session, the future of OpenZFS and FreeBSD, MQTT for system administrators by Jan-Piet Mens, and spent the rest of the time in between in the hallway track.
• Photos from the event are available on Ollivier Robert’s talegraph and Diane Bruce’s website for day 1, day 2, conference day 1, and conference day 2.
• Thanks to all the sponsors, supporters, organizers, speakers, and attendees for making this yet another great BSDCan. Next year’s BSDCan will be from June 2 - 6, 2020.

OpenIndiana 2019.04 is out

We have released a new OpenIndiana Hipster snapshot 2019.04. The noticeable changes:

• Firefox was updated to 60.6.3 ESR

• Virtualbox packages were added (including guest additions)

• Mate was updated to 1.22

• IPS has received updates from OmniOS CE and Oracle IPS repos, including automatic boot environment naming

• Some OI-specific applications have been ported from Python 2.7/GTK 2 to Python 3.5/GTK 3

• Quick Demo Video: https://www.youtube.com/watch?v=tQ0-fo3XNrg

News Roundup

Overview of ZFS Pools in FreeNAS

FreeNAS uses the OpenZFS (ZFS) file system, which handles both disk and volume management. ZFS offers RAID options mirror, stripe, and its own parity distribution called RAIDZ that functions like RAID5 on hardware RAID. The file system is extremely flexible and secure, with various drive combinations, checksums, snapshots, and replication all possible. For a deeper dive on ZFS technology, read the ZFS Primer section of the FreeNAS documentation.

SUGGEST LAYOUT attempts to balance usable capacity and redundancy by automatically choosing an ideal vdev layout for the number of available disks.

• The following vdev layout options are available when creating a pool:
  • Stripe data is shared on two drives, similar to RAID0)
  • Mirror copies data on two drives, similar to RAID1 but not limited to 2 disks)
  • RAIDZ1 single parity similar to RAID5
  • RAIDZ2 double parity similar to RAID6
  • RAIDZ3 which uses triple parity and has no RAID equivalent

Why OpenSource Firmware is Important for Security

• Roots of Trust

The goal of the root of trust should be to verify that the software installed in every component of the hardware is the software that was intended. This way you can know without a doubt and verify if hardware has been hacked. Since we have very little to no visibility into the code running in a lot of places in our hardware it is hard to do this. How do we really know that the firmware in a component is not vulnerable or that is doesn’t have any backdoors? Well we can’t. Not unless it was all open source. Every cloud and vendor seems to have their own way of doing a root of trust. Microsoft has Cerberus, Google has Titan, and Amazon has Nitro. These seem to assume an explicit amount of trust in the proprietary code (the code we cannot see). This leaves me with not a great feeling. Wouldn’t it be better to be able to use all open source code? Then we could verify without a doubt that the code you can read and build yourself is the same code running on hardware for all the various places we have firmware. We could then verify that a machine was in a correct state without a doubt of it being vulnerable or with a backdoor. It makes me wonder what the smaller cloud providers like DigitalOcean or Packet have for a root of trust. Often times we only hear of these projects from the big three or five.

OPNsense

This update addresses several privilege escalation issues in the access control implementation and new memory disclosure issues in Intel CPUs. We would like to thank Arnaud Cordier and Bill Marquette for the top-notch reports and coordination.

• Here are the full patch notes:

• system: address CVE-2019-11816 privilege escalation bugs[1] (reported by Arnaud Cordier)

• system: /etc/hosts generation without interfacehasgateway()

• system: show correct timestamp in config restore save message (contributed by nhirokinet)

• system: list the commands for the pluginctl utility when n+ argument is given

• system: introduce and use userIsAdmin() helper function instead of checking for 'page-all' privilege directly

• system: use absolute path in widget ACLs (reported by Netgate)

• system: RRD-related cleanups for less code exposure

• interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)

• interfaces: replace legacygetallinterface_addresses() usage

• firewall: fix port validation in aliases with leading / trailing spaces

• firewall: fix outbound NAT translation display in overview page

• firewall: prevent CARP outgoing packets from using the configured gateway

• firewall: use CARP net.inet.carp.demotion to control current demotion in status page

• firewall: stop live log poller on error result

• dhcpd: change rule priority to 1 to avoid bogon clash

• dnsmasq: only admins may edit custom options field

• firmware: use insecure mode for base and kernel sets when package fingerprints are disabled

• firmware: add optional device support for base and kernel sets

• firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)

• ipsec: always reset rightallowany to default when writing configuration

• lang: say "hola" to Spanish as the newest available GUI language

• lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese

• network time: only admins may edit custom options field

• openvpn: call openvpnrefreshcrls() indirectly via plugin_configure() for less code exposure

• openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)

• openvpn: remove custom options field from wizard

• unbound: only admins may edit custom options field

• wizard: translate typehint as well

• plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86)

• plugins: os-nginx 1.12[2]

• plugins: os-theme-cicada 1.17 (contributed by Team Rebellion)

• plugins: os-theme-tukan 1.17 (contributed by Team Rebellion)

• src: timezone database information update[3]

• src: install(1) broken with partially matching relative paths[4]

• src: microarchitectural Data Sampling (MDS) mitigation[5]

• ports: carootnss 3.44

• ports: php 7.2.18[6]

• ports: sqlite 3.28.0[7]

• ports: strongswan custom XAuth generic patch removed

wiregaurd on OpenBSD

Earlier this week I imported a port for WireGuard into the OpenBSD ports tree. At the moment we have the userland daemon and the tools available. The in-kernel implementation is only available for Linux. At the time of writing there are packages available for -current. Jason A. Donenfeld (WireGuard author) has worked to support OpenBSD in WireGuard and as such his post on ports@ last year got me interested in WireGuard, since then others have toyed with WireGuard on OpenBSD before and as such I've used Ted's article as a reference. Note however that some of the options mentioned there are no longer valid. Also, I'll be using two OpenBSD peers here. The setup will be as follows: two OpenBSD peers, of which we'll dub wg1 the server and wg2 the client. The WireGuard service on wg1 is listening on 100.64.4.3:51820.

• Conclusion

WireGuard (cl)aims to be easier to setup and faster than OpenVPN and while I haven't been able to verify the latter, the first is certainly true...once you've figured it out. Most documentation out there is for Linux so I had to figure out the wireguardgo service and the tun parameters. But all in all, sure, it's easier. Especially the client configuration on iOS which I didn't cover here because it's essentially pkgadd libqrencode ; cat client.conf | qrencode -t ansiutf8, scan the code with the WireGuard app and you're good to go. What is particularly neat is that WireGuard on iOS supports Always-on.

Beastie Bits

• Serenity OS
• vkernels vs pmap
• Brian Kernighan interviews Ken Thompson
• Improvements in forking, threading, and signal code
• DragonFly 5.4.3
• NetBSD on the Odroid C2

Feedback/Questions

• Paulo - Laptops
• A Listener - Thanks
• Bostjan - Extend a pool and lower RAM footprint

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

###Interview - Michael W. Lucas - mwl@mwl.io / @mwlauthor
FreeBSD Mastery: Jails

• BR: Welcome back to the show and congratulations on your latest book. How many books did you have to write before you could start on FreeBSD Mastery: Jails?
• AJ: How much research did you have to do about jails?
• BR: The book talks about something called ‘incomplete’ jails. What do you mean by that?
• AJ: There are a lot of jail management frameworks out there. Why did you chose to write about iocage in the book?
• BR: How many jails do you run yourself?
• AJ: Can you tell us a bit about how you handle book sponsorship these days?
• BR: What other books (fiction and non-fiction) are you currently working on?
• AJ: Which talks are you looking forward to attend at the upcoming BSDCan conference?
• BR: How is the BSD user group going?
• AJ: Anything else you’d like to mention before we release you from our interview jail cell?

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

##Headlines
###Silent Fanless FreeBSD Desktop/Server

Today I will write about silent fanless FreeBSD desktop or server computer … or NAS … or you name it, it can have multiple purposes. It also very low power solution, which also means that it will not overheat. Silent means no fans at all, even for the PSU. The format of the system should also be brought to minimum, so Mini-ITX seems best solution here.

I have chosen Intel based solutions as they are very low power (6-10W), if you prefer AMD (as I often do) the closest solution in comparable price and power is Biostar A68N-2100 motherboard with AMD E1-2100 CPU and 9W power. Of course AMD has even more low power SoC solutions but finding the Mini-ITX motherboard with decent price is not an easy task. For comparison Intel has lots of such solutions below 6W whose can be nicely filtered on the ark.intel.com page. Pity that AMD does not provide such filtration for their products. I also chosen AES instructions as storage encryption (GELI on FreeBSD) today seems as obvious as HTTPS for the web pages.

• Here is how the system look powered up and working

This motherboard uses Intel J3355 SoC which uses 10W and has AES instructions. It has two cores at your disposal but it also supports VT-x and EPT extensions so you can even run Bhyve on it.

• Components

Now, an example system would look like that one below, here are the components with their prices.

• $49 CPU/Motherboard ASRock J3355B-ITX Mini-ITX
• $14 RAM Crucial 4 GB DDR3L 1.35V (low power)
• $17 PSU 12V 160W Pico (internal)
• $11 PSU 12V 96W FSP (external)
• $5 USB 2.0 Drive 16 GB ADATA
• $4 USB Wireless 802.11n
• $100 TOTAL

The PSU 12V 160W Pico (internal) and PSU 12V 96W FSP can be purchased on aliexpress.com or ebay.com for example, at least I got them there. Here is the 12V 160W Pico (internal) PSU and its optional additional cables to power the optional HDDs. If course its one SATA power and one MOLEX power so additional MOLEX-SATA power adapter for about 1$ would be needed. Here is the 12V 96W FSP (external) PSU without the power cord.

This gives as total silent fanless system price of about $120. Its about ONE TENTH OF THE COST of the cheapest FreeNAS hardware solution available – the FreeNAS Mini (Diskless) costs $1156 also without disks.

You can put plain FreeBSD on top of it or Solaris/Illumos distribution OmniOSce which is server oriented. You can use prebuilt NAS solution based on FreeBSD like FreeNAS, NAS4Free, ZFSguru or even Solaris/Illumos based storage with napp-it appliance.

###An annotated look at a NetBSD Pinebook’s startup

• Pinebook is an affordable 64-bit ARM notebook. Today we’re going to take a look at the kernel output at startup and talk about what hardware support is available on NetBSD.
• Photo
• Pinebook comes with 2GB RAM standard. A small amount of this is reserved by the kernel and framebuffer.
• NetBSD uses flattened device-tree (FDT) to enumerate devices on all Allwinner based SoCs. On a running system, you can inspect the device tree using the ofctl(8) utility:
• Pinebook’s Allwinner A64 processor is based on the ARM Cortex-A53. It is designed to run at frequencies up to 1.2GHz.
• The A64 is a quad core design. NetBSD’s aarch64 pmap does not yet support SMP, so three cores are disabled for now.
• The interrupt controller is a standard ARM GIC-400 design.
• Clock drivers for managing PLLs, module clock dividers, clock gating, software resets, etc. Information about the clock tree is exported in the hw.clk sysctl namespace (root access required to read these values).

# sysctl hw.clk.sun50ia64ccu0.mmc2
hw.clk.sun50ia64ccu0.mmc2.rate = 200000000
hw.clk.sun50ia64ccu0.mmc2.parent = pll_periph0_2x
hw.clk.sun50ia64ccu0.mmc2.parent_domain = sun50ia64ccu0

Digital Ocean
http://do.co/bsdnow

###BSDCan 2018 Trip Report: Mark Johnston

BSDCan is a highlight of my summers: the ability to have face-to-face conversations with fellow developers and contributors is invaluable and always helps refresh my enthusiasm for FreeBSD. While in a perfect world we would all be able to communicate effectively over the Internet, it’s often noted that locking a group of developers together in a room can be a very efficient way to make progress on projects that otherwise get strung out over time, and to me this is one of the principal functions of BSD conferences. In my case I was able to fix some kgdb bugs that had been hindering me for months; get some opinions on the design of a feature I’ve been working on for FreeBSD 12.0; hear about some ongoing usage of code that I’ve worked on; and do some pair-debugging of an issue that has been affecting another developer.
As is tradition, on Tuesday night I dropped off my things at the university residence where I was staying, and headed straight to the Royal Oak. This year it didn’t seem quite as packed with BSD developers, but I did meet several long-time colleagues and get a chance to catch up. In particular, I chatted with Justin Hibbits and got to hear about the bring-up of FreeBSD on POWER9, a new CPU family released by IBM. Justin was able to acquire a workstation based upon this CPU, which is a great motivator for getting FreeBSD into shape on that platform. POWER9 also has some promise in the server market, so it’s important for FreeBSD to be a viable OS choice there.
Wednesday morning saw the beginning of the two-day FreeBSD developer summit, which precedes the conference proper. Gordon Tetlow led the summit and did an excellent job organizing things and keeping to the schedule. The first presentation was by Deb Goodkin of the FreeBSD Foundation, who gave an overview of the Foundation’s role and activities. After Deb’s presentation, present members of the FreeBSD core team discussed the work they had done over the past two years, as well as open tasks that would be handed over to the new core team upon completion of the ongoing election. Finally, Marius Strobl rounded off the day’s presentations by discussing the state and responsibilities of FreeBSD’s release engineering team.
One side discussion of interest to me was around the notion of tightening integration with our Bugzilla instance; at moment we do not have any good means to mark a given bug as blocking a release, making it easy for bugs to slip into releases and thus lowering our overall quality. With FreeBSD 12.0 upon us, I plan to help with the triage and fixes for known regressions before the release process begins.
After a break, the rest of the morning was devoted to plans for features in upcoming FreeBSD releases. This is one of my favorite discussion topics and typically takes the form of have/need/want, where developers collectively list features that they’ve developed and intend to upstream (have), features that they are missing (need), and nice-to-have features (want). This year, instead of the usual format, we listed features that are intended to ship in FreeBSD 12.0. The compiled list ended up being quite ambitious given how close we are to the beginning of the release cycle, but many individual developers (including myself) have signed up to deliver work. I’m hopeful that most, if not all of it, will make it into the release.
After lunch, I attended a discussion led by Matt Ahrens and Alexander Motin on OpenZFS. Of particular interest to me were some observations made regarding the relative quantity and quality of contributions made by different “camps” of OpenZFS users (illumos, FreeBSD and ZoL), and their respective track records of upstreaming enhancements to the OpenZFS project. In part due to the high pace of changes in ZoL, the definition of “upstream” for ZFS has become murky, and of late ZFS changes have been ported directly from ZoL. Alexander discussed some known problems with ZFS on FreeBSD that have been discovered through performance testing. While I’m not familiar with ZFS internals, Alexander noted that ZFS’ write path has poor SMP scalability on FreeBSD owing to some limitations in a certain kernel API called taskqueue(9). I would like to explore this problem further and perhaps integrate a relatively new alternative interface which should perform better.
Friday and Saturday were, of course, taken up by BSDCan talks. Friday’s keynote was by Benno Rice, who provided some history of UNIX boot systems as a precursor to some discussion of systemd and the difficulties presented by a user and developer community that actively resist change. The rest of the morning was consumed by talks and passed by quickly. First was Colin Percival’s detailed examination of where the FreeBSD kernel spends time during boot, together with an overview of some infrastructure he added to track boot times. He also provided a list of improvements that have been made since he started taking measurements, and some areas we can further improve. Colin’s existing work in this area has already brought about substantial reductions in boot time; amusingly, one of the remaining large delays comes from the keyboard driver, which contains a workaround for old PS/2 keyboards. While there seems to be general agreement that the workaround is probably no longer needed on most systems, the lingering uncertainty around this prevents us from removing the workaround. This is, sadly, a fairly typical example of an OS maintenance burden, and underscores the need to carefully document hardware bug workarounds. After this talk, I got to see some rather novel demonstrations of system tracing using dwatch, a new utility by Devin Teske, which aims to provide a user-friendly interface to DTrace. After lunch, I attended talks on netdump, a protocol for transmitting kernel dumps over a network after the system has panicked, and on a VPC implementation for FreeBSD. After the talks ended, I headed yet again to the hacker lounge and had some fruitful discussions on early microcode loading (one of my features for FreeBSD 12.0). These led me to reconsider some aspects of my approach and saved me a lot of time. Finally, I continued my debugging session from Wednesday with help from a couple of other developers.
Saturday’s talks included a very thorough account by Li-Wen Hsu of his work in organizing a BSD conference in Taipei last year. As one of the attendees, I had felt that the conference had gone quite smoothly and was taken aback by the number of details and pitfalls that Li-Wen enumerated during his talk. This was followed by an excellent talk by Baptiste Daroussin on the difficulties one encounters when deploying FreeBSD in new environments. Baptiste offered criticisms of a number of aspects of FreeBSD, some of which hit close to home as they involved portions of the system that I’ve worked on.
At the conclusion of the talks, we all gathered in the main lecture hall, where Dan led a traditional and quite lively auction for charity. I managed to snag a Pine64 board and will be getting FreeBSD installed on it the first chance I get. At the end of the auction, we all headed to ByWard for dinner, concluding yet another BSDCan.

• Thanks to Mark for sharing his experiences at this years BSDCan

##News Roundup
###Transparent network audio with mpd & sndiod

Landry Breuil (landry@ when wearing his developer hat) wrote in…

I've been a huge fan of MPD over the years to centralize my audio collection, and i've been using it with the http output to stream the music as a radio on the computer i'm currently using…

audio_output {
       type            "sndio"
       name            "Local speakers"
       mixer_type      "software"
}
audio_output {
       type            "httpd"
       name            "HTTP stream"
       mixer_type      "software"
       encoder         "vorbis"
       port            "8000"
       format          "44100:16:2"
}
this setup worked for years, allows me to stream my home radio to $work by tunnelling the port 8000 over ssh via LocalForward, but that still has some issues:

a distinct timing gap between the 'local output' (ie the speakers connected to the machine where MPD is running) and the 'http output' caused by the time it takes to reencode the stream, which is ugly when you walk through the house and have a 15s delay
sometimes mplayer as a client doesn't detect the pauses in the stream and needs to be restarted
i need to configure/start a client on each computer and point it at the sound server url (can do via gmpc shoutcast client plugin…)
it's not that elegant to reencode the stream, and it wastes cpu cycles
So the current scheme is:

mpd -> http output -> network -> mplayer -> sndiod on remote machine
|
-> sndio output -> sndiod on soundserver
Fiddling a little bit with mpd outputs and reading the sndio output driver, i remembered sndiod has native network support… and the mpd sndio output allows you to specify a device (it uses SIO_DEVANY by default).

So in the end, it's super easy to:

enable network support in sndio on the remote machine i want the audio to play by adding -L<local ip> to sndiod_flags (i have two audio devices, with an input coming from the webcam):
sndiod_flags="-L10.246.200.10 -f rsnd/0 -f rsnd/1"
open pf on port 11025 from the sound server ip:
pass in proto tcp from 10.246.200.1 to any port 11025
configure a new output in mpd:
audio_output {
       type            "sndio"
       name            "sndio on renton"
       device          "snd@10.246.200.10/0"
       mixer_type      "software"
}
and enable the new output in mpd:
$mpc enable 2
Output 1 (Local speakers) is disabled
Output 2 (sndio on renton) is enabled
Output 3 (HTTP stream) is disabled
Results in a big win: no gap anymore with the local speakers, no reencoding, no need to configure a client to play the stream, and i can still probably reproduce the same scheme over ssh from $work using a RemoteForward.

mpd -> sndio output 2 -> network -> sndiod on remote machine
|
-> sndio output 1 -> sndiod on soundserver
Thanks ratchov@ for sndiod :)

###MirBSD’s Korn Shell on Plan9 Jehanne

Let start by saying that I’m not really a C programmer.
My last public contribution to a POSIX C program was a little improvement to the Snort’s react module back in 2008.
So while I know the C language well enough, I do not know anything about the subtleness of the standard library and I have little experience with POSIX semantics.
This is not a big issue with Plan 9, since the C library and compiler are not standard anyway, but with Jehanne (a Plan 9 derivative of my own) I want to build a simple, loosely coupled, system that can actually run useful free software ported from UNIX.
So I ported RedHat’s newlib to Jehanne on top of a new system library I wrote, LibPOSIX, that provides the necessary emulations. I wrote several test, checking they run the same on Linux and Jehanne, and then I begun looking for a real-world, battle tested, application to port first.
I approached MirBSD’s Korn Shell for several reason:

• it is simple, powerful and well written
• it has been ported to several different operating systems
• it has few dependencies
• it’s the default shell in Android, so it’s really battle tested

I was very confident. I had read the POSIX standard after all! And I had a test suite!
I remember, I thought “Given newlib, how hard can it be?”
The porting begun on September 1, 2017. It was completed by tg on January 5, 2018. 125 nights later.
Turn out, my POSIX emulation was badly broken. Not just because of the usual bugs that any piece of C can have: I didn’t understood most POSIX semantics at all!

iXsystems

###Static site generator with rsync and lowdown on OpenBSD

• ssg is a tiny POSIX-compliant shell script with few dependencies:

• lowdown(1) to parse markdown,

• rsync(1) to copy temporary files, and

• entr(1) to watch file changes.

• It generates Markdown articles to a static website.

• It copies the current directory to a temporary on in /tmp skipping .* and _*, renders all Markdown articles to HTML, generates RSS feed based on links from index.html, extracts the first <h1> tag from every article to generate a sitemap and use it as a page title, then wraps articles with a single HTML template, copies everything from the temporary directory to $DOCS/

Why not Jekyll or “$X”?

• ssg is one hundred times smaller than Jekyll.

ssg and its dependencies are about 800KB combined. Compare that to 78MB of ruby with Jekyll and all the gems. So ssg can be installed in just few seconds on almost any Unix-like operating system.
Obviously, ssg is tailored for my needs, it has all features I need and only those I use.
Keeping ssg helps you to master your Unix-shell skills: awk, grep, sed, sh, cut, tr. As a web developer you work with lots of text: code and data. So you better master these wonderful tools.

• Performance

100 pps. On modern computers ssg generates a hundred pages per second. Half of a time for markdown rendering and another half for wrapping articles into the template. I heard good static site generators work—twice as fast—at 200 pps, so there’s lots of performance that can be gained. ;)

###Why does FreeBSD have virtually no (0%) desktop market share?

• Because someone made a horrible design decision back in 1984.

In absolute fairness to those involved, it was an understandable decision, both from a research perspective, and from an economic perspective, although likely not, from a technology perspective.

• Why and what.

The decision was taken because the X Window System was intended to run on cheap hardware, and, at the time, that meant reduced functionality in the end-point device with the physical display attached to it.
At the same time, another force was acting to also limit X displays to display services only, rather than rolling in both window management and specific widget instances for common operational paradigms.
Mostly, common operational paradigms didn’t really exist for windowing systems because they also simply didn’t exist at the time, and no one really knew how people were going to use the things, and so researchers didn’t want to commit future research to a set of hard constraints.
So a decision was made: separate the display services from the application at the lowest level of graphics primitives currently in use at the time.

• The ramifications of this were pretty staggering.

First, it guaranteed that all higher level graphics would live on the host side of the X protocol, instead of on the display device side of the protocol.
Despite a good understanding of Moore’s law, and the fact that, since no X Terminals existed at the time as hardware, but were instead running as emulations on workstations that had sufficient capability, this put the higher level GUI object libraries — referred to as “widgets” — in host libraries linked into the applications.
Second, it guaranteed that display organization and management paradigms would also live on the host side of the protocol — assumed, in contradiction to the previous decision, to be running on the workstation.
But, presumably, at some point, as lightweight X Terminals became available, to migrate to a particular host computer managing compute resource login/access services.

• Between these early decisions reigned chaos.

Specifically, the consequences of these decisions have been with us ever since:
Look-and-feel are a consequence of the toolkit chosen by the application programmer, rather than a user decision which applies universally to all applications.
You could call this “lack of a theme”, and — although I personally despise the idea of customizing or “theming” desktops — this meant that one paradigm chosen by the user would not apply universally across all applications, no matter who had written them.
Window management style is a preference.
You could call this a more radical version of “theming” — which you will remember, I despise — but a consequence to this is that training is not universal across personnel using such systems, nor is it transferrable.
In other words, I can’t send someone to a class, and have them come back and use the computers in the office as a tool, with the computer itself — and the elements not specific to the application itself — disappearing into the background.
Both of these ultimately render an X-based system unsuitable for desktops.
I can’t pay once for training. Training that I do pay for does not easily and naturally translate between applications. Each new version may radically alter the desktop management paradigm into unrecognizability.

• Is there hope for the future?

Well, the Linux community has been working on something called Wayland, and it is very promising…
…In the same way X was “very promising” in 1984, because, unfortunately, they are making exactly the same mistakes X made in 1984, rather than correcting them, now that we have 20/20 hindsight, and know what a mature widget library should look like.
So Wayland is screwing up again.
But hey, it only took us, what, 25 years to get from X in 1987 to Wayland in in 2012.
Maybe if we try again in 2037, we can get to where Windows was in 1995.

##Beastie Bits

• New washing machine comes with 7 pages of open source licenses!
• BSD Jobs Site
• FreeBSD Foundation Update, May 2018
• FreeBSD Journal looking for book reviewers
• zedenv ZFS Boot Environment Manager

Tarsnap

##Feedback/Questions

• Wouter - Feedback
• Efraim - OS Suggestion
• kevr - Raspberry Pi2/FreeBSD/Router on a Stick
• Vanja - Interview Suggestion

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

##Headlines##
###TrueOS to Focus on Core Operating System

The TrueOS Project has some big plans in the works, and we want to take a minute and share them with you. Many have come to know TrueOS as the “graphical FreeBSD” that makes things easy for newcomers to the BSDs. Today we’re announcing that TrueOS is shifting our focus a bit to become a cutting-edge operating system that keeps all of the stability that you know and love from ZFS (OpenZFS) and FreeBSD, and adds additional features to create a fresh, innovative operating system. Our goal is to create a core-centric operating system that is modular, functional, and perfect for do-it-yourselfers and advanced users alike.

TrueOS will become a downstream fork that will build on FreeBSD by integrating new software technologies like OpenRC and LibreSSL. Work has already begun which allows TrueOS to be used as a base platform for other projects, including JSON-based manifests, integrated Poudriere / pkg tools and much more. We’re planning on a six month release cycle to keep development moving and fresh, allowing us to bring you hot new features to ZFS, bhyve and related tools in a timely manner. This makes TrueOS the perfect fit to serve as the basis for building other distributions.

Some of you are probably asking yourselves “But what if I want to have a graphical desktop?” Don’t worry! We’re making sure that everyone who knows and loves the legacy desktop version of TrueOS will be able to continue using a FreeBSD-based, graphical operating system in the future. For instance, if you want to add KDE, just use sudo pkg install kde and voila! You have your new shiny desktop. Easy right? This allows us to get back to our roots of being a desktop agnostic operating system. If you want to add a new desktop environment, you get to pick the one that best suits your use.

We know that some of you will still be looking for an out-of-the-box solution similar to legacy PC-BSD and TrueOS. We’re happy to announce that Project Trident will take over graphical FreeBSD development going forward. Not much is going to change in that regard other than a new name! You’ll still have Lumina Desktop as a lightweight and feature-rich desktop environment and tons of utilities from the legacy TrueOS toolchain like sysadm and AppCafe. There will be migration paths available for those that would like to move to other FreeBSD-based distributions like Project Trident or GhostBSD.

We look forward to this new chapter for TrueOS and hope you will give the new edition a spin! Tell us what you think about the new changes by leaving us a comment. Don’t forget you can ask us questions on our Twitter and be a part of our community by joining the new TrueOS Forums when they go live in about a week. Thanks for being a loyal fan of TrueOS.

###Project Trident FAQ

• Q: Why did you pick the name “Project Trident”?

A: We were looking for a name that was unique, yet would still relate to the BSD community. Since Beastie (the FreeBSD mascot) is always pictured with a trident, it felt like that would be a great name.

• Q: Where can users go for technical support?

A: At the moment, Project Trident will continue sharing the TrueOS community forums and Telegram channels. We are currently evaluating dedicated options for support channels in the future.

• Q: Can I help contribute to the project?

A: We are always looking for developers who want to join the project. If you’re not a developer you can still help, as a community project we will be more reliant on contributions from the community in the form of how-to guides and other user-centric documentation and support systems.

• Q: How is the project supported financially?

A: Project Trident is sponsored by the community, from both individuals and corporations. iXsystems has stepped up as the first enterprise-level sponsor of the project, and has been instrumental in getting Project Trident up and running. Please visit the Sponsors page to see all the current sponsors.

• Q: How can I help support the project financially?

A: Several methods exist, from one time or recurring donations via Paypal to limited time swag t-shirt campaigns during the year. We are also looking into more alternative methods of support, so please visit the Sponsors page to see all the current methods of sponsorship.

• Q: Will there be any transparency of the financial donations and expenditures?

A: Yes, we will be totally open with how much money comes into the project and what it is spent on. Due to concerns of privacy, we will not identify individuals and their donation amounts unless they specifically request to be identified. We will release a monthly overview in/out ledger, so that community members can see where their money is going.

• Relationship with TrueOS

• Project Trident does have very close ties to the TrueOS project, since most of the original Project Trident developers were once part of the TrueOS project before it became a distribution platform. For users of the TrueOS desktop, we have some additional questions and answers below.

• Q: Do we need to be at a certain TrueOS install level/release to upgrade?

A: As long as you have a TrueOS system which has been updated to at least the 18.03 release you should be able to just perform a system update to be automatically upgraded to Project Trident.

• Q: Which members moved from TrueOS to Project Trident?

A: Project Trident is being led by prior members of the TrueOS desktop team. Ken and JT (development), Tim (documentation) and Rod (Community/Support). Since Project Trident is a community-first project, we look forward to working with new members of the team.

iXsystems

###BSDCan

• BSDCan finished Saturday last week
• It started with the GoatBoF on Tuesday at the Royal Oak Pub, where people had a chance to meet and greet. Benedict could not attend due to an all-day FreeBSD Foundation meeting and and even FreeBSD Journal Editorial Board meeting.
• The FreeBSD devsummit was held the next two days in parallel to the tutorials. Gordon Tetlow, who organized the devsummit, opened the devsummit. Deb Goodkin from the FreeBSD Foundation gave the first talk with a Foundation update, highlighting current and future efforts. Li-Wen Hsu is now employed by the Foundation to assist in QA work (Jenkins, CI/CD) and Gordon Tetlow has a part-time contract to help secteam as their secretary.
• Next, the FreeBSD core team (among them Allan and Benedict) gave a talk about what has happened this last term. With a core election currently running, some of these items will carry over to the next core team, but there were also some finished ones like the FCP process and FreeBSD members initiative. People in the audience asked questions on various topics of interest.
• After the coffee break, the release engineering team gave a talk about their efforts in terms of making releases happen in time and good quality.
• Benedict had to give his Ansible tutorial in the afternoon, which had roughly 15 people attending. Most of them beginners, we could get some good discussions going and I also learned a few new tricks. The overall feedback was positive and one even asked what I’m going to teach next year.
• The second day of the FreeBSD devsummit began with Gordon Tetlow giving an insight into the FreeBSD Security team (aka secteam). He gave a overview of secteam members and responsibilities, explaining the process based on a long past advisory. Developers were encouraged to help out secteam. NDAs and proper disclosure of vulnerabilities were also discussed, and the audience had some feedback and questions.
• When the coffee break was over, the FreeBSD 12.0 planning session happened. A Google doc served as a collaborative way of gathering features and things left to do. People signed up for it or were volunteered. Some features won’t make it into 12.0 as they are not 100% ready for prime time and need a few more rounds of testing and bugfixing. Still, 12.0 will have some compelling features.
• A 360° group picture was taken after lunch, and then people split up into the working groups for the afternoon or started hacking in the UofO Henderson residence.
• Benedict and Allan both attended the OpenZFS working group, lead by Matt Ahrens. He presented the completed and outstanding work in FreeBSD, without spoiling too much of the ZFS presentations of various people that happened later at the conference.
• Benedict joined the boot code session a bit late (hallway track is the reason) when most things seem to have already been discussed.
• BSDCan 2018 — Ottawa (In Pictures)
• iXsystems Photos from BSDCan 2018

##News Roundup
###June HardenedBSD Foundation Update

We at HardenedBSD are working towards starting up a 501©(3) not-for-profit organization in the USA. Setting up this organization will allow future donations to be tax deductible. We’ve made progress and would like to share with you the current state of affairs.

We have identified, sent invitations out, and received acceptance letters from six people who will serve on the HardenedBSD Foundation Board of Directors. You can find their bios below. In the latter half of June 2018 or the beginning half of July 2018, we will meet for the first time as a board and formally begin the process of creating the documentation needed to submit to the local, state, and federal tax services.

Here’s a brief introduction to those who will serve on the board:

• W. Dean Freeman (Advisor): Dean has ten years of professional experience with deploying and security Unix and networking systems, including assessing systems security for government certification and assessing the efficacy of security products. He was introduced to Unix via FreeBSD 2.2.8 on an ISP shell account as a teenager. Formerly, he was the Snort port maintainer for FreeBSD while working in the Sourcefire VRT, and has contributed entropy-related patches to the FreeBSD and HardenedBSD projects – a topic on which he presented at vBSDCon 2017.

• Ben La Monica (Advisor): Ben is a Senior Technology Manager of Software Engineering at Morningstar, Inc and has been developing software for over 15 years in a variety of languages. He advocates open source software and enjoys tinkering with electronics and home automation.

• George Saylor (Advisor): George is a Technical Directory at G2, Inc. Mr. Saylor has over 28 years of information systems and security experience in a broad range of disciplines. His core focus areas are automation and standards in the event correlation space as well as penetration and exploitation of computer systems. Mr Saylor was also a co-founder of the OpenSCAP project.

• Virginia Suydan (Accountant and general administrator): Accountant and general administrator for the HardenedBSD Foundation. She has worked with Shawn Webb for tax and accounting purposes for over six years.

• Shawn Webb (Director): Co-founder of HardenedBSD and all-around infosec wonk. He has worked and played in the infosec industry, doing both offensive and defensive research, for around fifteen years. He loves open source technologies and likes to frustrate the bad guys.

• Ben Welch (Advisor): Ben is currently a Security Engineer at G2, Inc. He graduated from Pennsylvania College of Technology with a Bachelors in Information Assurance and Security. Ben likes long walks, beaches, candlelight dinners, and attending various conferences like BSides and ShmooCon.

###Your own VPN with OpenIKED & OpenBSD

Remote connectivity to your home network is something I think a lot of people find desirable. Over the years, I’ve just established an SSH tunnel and use it as a SOCKS proxy, sending my traffic through that. It’s a nice solution for a “poor man’s VPN”, but it can be a bit clunky, and it’s not great having to expose SSH to the world, even if you make sure to lock everything down

I set out the other day to finally do it properly. I’d come across this great post by Gordon Turner: OpenBSD 6.2 VPN Endpoint for iOS and macOS

Whilst it was exactly what I was looking for, it outlined how to set up an L2TP VPN. Really, I wanted IKEv2 for performance and security reasons (I won’t elaborate on this here, if you’re curious about the differences, there’s a lot of content out on the web explaining this).

The client systems I’d be using have native support for IKEv2 (iOS, macOS, other BSD systems). But, I couldn’t find any tutorials in the same vein.

So, let’s get stuck in!

• A quick note ✍️

This guide will walk through the set up of an IKEv2 VPN using OpenIKED on OpenBSD. It will detail a “road warrior” configuration, and use a PSK (pre-shared-key) for authentication. I’m sure it can be easily adapted to work on any other platforms that OpenIKED is available on, but keep in mind my steps are specifically for OpenBSD.

• Server Configuration

As with all my home infrastructure, I crafted this set-up declaratively. So, I had the deployment of the VM setup in Terraform (deployed on my private Triton cluster), and wrote the configuration in Ansible, then tied them together using radekg/terraform-provisioner-ansible.

One of the reasons I love Ansible is that its syntax is very simplistic, yet expressive. As such, I feel it fits very well into explaining these steps with snippets of the playbook I wrote. I’ll link the full playbook a bit further down for those interested.

• See the full article for the information on:
• sysctl parameters
• The naughty list (optional)
• Configure the VPN network interface
• Configure the firewall
• Configure the iked service
• Gateway configuration
• Client configuration
• Troubleshooting

DigitalOcean

###FreeBSD on a System76 Galago Pro

Hey all, It’s been a while since I last posted but I thought I would hammer something out here. My most recent purchase was a System76 Galago Pro. I thought, afer playing with POP! OS a bit, is there any reason I couldn’t get BSD on this thing. Turns out the answer is no, no there isnt and it works pretty decently.

To get some accounting stuff out of the way I tested this all on FreeBSD Head and 11.1, and all of it is valid as of May 10, 2018. Head is a fast moving target so some of this is only bound to improve.

• The hardware

• Intel Core i5 Gen 8

• UHD Graphics 620

• 16 GB DDR4 Ram

• RTL8411B PCI Express Card Reader

• RTL8111 Gigabit ethernet controller

• Intel HD Audio

• Samsung SSD 960 PRO 512GB NVMe

• The caveats

There are a few things that I cant seem to make work straight out of the box, and that is the SD Card reader, the backlight, and the audio is a bit finicky. Also the trackpad doesn’t respond to two finger scrolling. The wiki is mostly up to date, there are a few edits that need to be made still but there is a bug where I cant register an account yet so I haven’t made all the changes.

• Processor

It works like any other Intel processor. Pstates and throttling work.

• Graphics

The boot menu sets itself to what looks like 1024x768, but works as you expect in a tiny window. The text console does the full 3200x1800 resolution, but the text is ultra tiny. There isnt a font for the console that covers hidpi screens yet. As for X Windows it requres the drm-kmod-next package. Once installed follow the directions from the package and it works with almost no fuss. I have it running on X with full intel acceleration, but it is running at it’s full 3200x1800 resolution, to scale that down just do xrandr --output eDP-1 --scale 0.5x0.5 it will blow it up to roughly 200%. Due to limitations with X windows and hidpi it is harder to get more granular.

• Intel Wireless 8265

The wireless uses the iwm module, as of right now it does not seem to automagically load right now. Adding iwm_load=“YES” will cause the module to load on boot and kldload iwm

• Battery

I seem to be getting about 5 hours out of the battery, but everything reports out of the box as expected. I could get more by throttling the CPU down speed wise.

• Overall impression

It is a pretty decent experience. While not as polished as a Thinkpad there is a lot of potential with a bit of work and polishing. The laptop itself is not bad, the keyboard is responsive. The build quality is pretty solid. My only real complaint is the trackpad is stiff to click and sort of tiny. They seem to be a bit indifferent to non linux OSes running on the gear but that isnt anything new. I wont have any problems using it and is enough that when I work through this laptop, but I’m not sure at this stage if my next machine will be a System76 laptop, but they have impressed me enough to put them in the running when I go to look for my next portable machine but it hasn’t yet replaced the hole left in my heart by lenovo messing with the thinkpad.

###Hardware accelerated AES/HMAC-SHA on octeons

In this commit, visa@ submitted code (disabled for now) to use built-in acceleration on octeon CPUs, much like AESNI for x86s.

I decided to test tcpbench(1) and IPsec, before and after updating and enabling the octcrypto(4) driver.

I didn't capture detailed perf stats from before the update, I had heard someone say that Edgerouter Lite boxes would only do some 6MBit/s over ipsec, so I set up a really simple ipsec.conf with ike esp from A to B leading to a policy of

esp tunnel from A to B spi 0xdeadbeef auth hmac-sha2-256 enc aes
going from one ERL to another (I collect octeons, so I have a bunch to test with) and let tcpbench run for a while on it. My numbers hovered around 7Mbit/s, which coincided with what I've heard, and also that most of the CPU gets used while doing it.
Then I edited /sys/arch/octeon/conf/GENERIC, removed the # from octcrypto0 at mainbus0 and recompiled. Booted into the new kernel and got a octcrypto0 line in dmesg, and it was time to rock the ipsec tunnel again. The crypto algorithm and HMAC used by default on ipsec coincides nicely with the list of accelerated functions provided by the driver.

Before we get to tunnel traffic numbers, just one quick look at what systat pigs says while the ipsec is running at full steam:

     PID USER        NAME                 CPU     20\    40\    60\    80\  100\
   58917 root        crypto             52.25 #################
   42636 root        softnet            42.48 ##############
                     (idle)             29.74 #########
    1059 root        tcpbench           24.22 #######
   67777 root        crynlk             19.58 ######
So this indicates that the load from doing ipsec and generating the traffic is somewhat nicely evened out over the two cores in the Edgerouter, and there's even some CPU left unused, which means I can actually ssh into it and have it usable. I have had it running for almost 2 days now, moving some 2.1TB over the tunnel.
Now for the new and improved performance numbers:

   204452123        4740752       37.402  100.00% 
Conn:   1 Mbps:       37.402 Peak Mbps:       58.870 Avg Mbps:       37.402
   204453149        4692968       36.628  100.00% 
Conn:   1 Mbps:       36.628 Peak Mbps:       58.870 Avg Mbps:       36.628
   204454167        5405552       42.480  100.00% 
Conn:   1 Mbps:       42.480 Peak Mbps:       58.870 Avg Mbps:       42.480
   204455188        5202496       40.804  100.00% 
Conn:   1 Mbps:       40.804 Peak Mbps:       58.870 Avg Mbps:       40.804
   204456194        5062208       40.256  100.00% 
Conn:   1 Mbps:       40.256 Peak Mbps:       58.870 Avg Mbps:       40.256

The tcpbench numbers fluctuate up and down a bit, but the output is nice enough to actually keep tabs on the peak values. Peaking to 58.8MBit/s! Of course, as you can see, the average is lower but nice anyhow.

A manyfold increase in performance, which is good enough in itself, but also moves the throughput from a speed that would make a poor but cheap gateway to something actually useful and decent for many home network speeds. Biggest problem after this gets enabled will be that my options to buy cheap used ERLs diminish.

##Beastie Bits

• Using FreeBSD Text Dumps
• llvm’s lld now the default linker for amd64 on FreeBSD
• Author Discoverability
• Pledge and Unveil in OpenBSD {pdf}
• EuroBSDCon 2018 CFP Closes June 17, hurry up and get your submissions in
• Just want to attend, but need help getting to the conference? Applications for the Paul Schenkeveld travel grant accepted until June 15th

Tarsnap

##Feedback/Questions

• Casey - ZFS on Digital Ocean
• Jürgen - A Question
• Kevin - Failover best practice
• Dennis - SQL

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

Headlines

OpenBSD hypervisor coming soon

• Our buddy Mike Larkin never rests, and he posted some very tight-lipped console output on Twitter recently
• From what little he revealed at the time, it appeared to be a new hypervisor (that is, X86 hardware virtualization) running on OpenBSD -current, tentatively titled "vmm"
• Later on, he provided a much longer explanation on the mailing list, detailing a bit about what the overall plan for the code is
• Originally started around the time of the Australia hackathon, the work has since picked up more steam, and has gotten a funding boost from the OpenBSD foundation
• One thing to note: this isn't just a port of something like Xen or Bhyve; it's all-new code, and Mike explains why he chose to go that route
• He also answered some basic questions about the requirements, when it'll be available, what OSes it can run, what's left to do, how to get involved and so on ***

Why FreeBSD should not adopt launchd

• Last week we mentioned a talk Jordan Hubbard gave about integrating various parts of Mac OS X into FreeBSD
• One of the changes, perhaps the most controversial item on the list, was the adoption of launchd to replace the init system (replacing init systems seems to cause backlash, we've learned)
• In this article, the author talks about why he thinks this is a bad idea
• He doesn't oppose the integration into FreeBSD-derived projects, like FreeNAS and PC-BSD, only vanilla FreeBSD itself - this is also explained in more detail
• The post includes both high-level descriptions and low-level technical details, and provides an interesting outlook on the situation and possibilities
• Reddit had quite a bit to say about this one, some in agreement and some not ***

DragonFly graphics improvements

• The DragonFlyBSD guys are at it again, merging newer support and fixes into their i915 (Intel) graphics stack
• This latest update brings them in sync with Linux 3.17, and includes Haswell fixes, DisplayPort fixes, improvements for Broadwell and even Cherryview GPUs
• You should also see some power management improvements, longer battery life and various other bug fixes
• If you're running DragonFly, especially on a laptop, you'll want to get this stuff on your machine quick - big improvements all around ***

OpenBSD tames the userland

• Last week we mentioned OpenBSD's tame framework getting support for file whitelists, and said that the userland integration was next - well, now here we are
• Theo posted a mega diff of nearly 100 smaller diffs, adding tame support to many areas of the userland tools
• It's still a work-in-progress version; there's still more to be added (including the file path whitelist stuff)
• Some classic utilities are even being reworked to make taming them easier - the "w" command, for example
• The diff provides some good insight on exactly how to restrict different types of utilities, as well as how easy it is to actually do so (and en masse)
• More discussion can be found on HN, as one might expect
• If you're a software developer, and especially if your software is in ports already, consider adding some more fine-grained tame support in your next release ***

Interview - Scott Courtney - vbsdcon@verisign.com / @verisign

vBSDCon 2015

News Roundup

OPNsense, beyond the fork

• We first heard about OPNsense back in January, and they've since released nearly 40 versions, spanning over 5,000 commits
• This is their first big status update, covering some of the things that've happened since the project was born
• There's been a lot of community growth and participation, mass bug fixing, new features added, experimental builds with ASLR and much more - the report touches on a little of everything ***

LibreSSL nukes SSLv3

• With their latest release, LibreSSL began to turn off SSLv3 support, starting with the "openssl" command
• At the time, SSLv3 wasn't disabled entirely because of some things in the OpenBSD ports tree requiring it (apache being one odd example)
• They've now flipped the switch, and the process of complete removal has started
• From the Undeadly summary, "This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to do!"
• With this change and a few more to follow shortly, Libre*SSL* won't actually support SSL anymore - time to rename it "LibreTLS" ***

FreeBSD MPTCP updated

• For anyone unaware, Multipath TCP is "an ongoing effort of the Internet Engineering Task Force's (IETF) Multipath TCP working group, that aims at allowing a Transmission Control Protocol (TCP) connection to use multiple paths to maximize resource usage and increase redundancy."
• There's been work out of an Australian university to add support for it to the FreeBSD kernel, and the patchset was recently updated
• Including in this latest version is an overview of the protocol, how to get it compiled in, current features and limitations and some info about the routing requirements
• Some big performance gains can be had with MPTCP, but only if both the client and server systems support it - getting it into the FreeBSD kernel would be a good start ***

UEFI and GPT in OpenBSD

• There hasn't been much fanfare about it yet, but some initial UEFI and GPT-related commits have been creeping into OpenBSD recently
• Some support for UEFI booting has landed in the kernel, and more bits are being slowly enabled after review
• This comes along with a number of other commits related to GPT, much of which is being refactored and slowly reintroduced
• Currently, you have to do some disklabel wizardry to bypass the MBR limit and access more than 2TB of space on a single drive, but it should "just work" with GPT (once everything's in)
• The UEFI bootloader support has been committed, so stay tuned for more updates as further progress is made ***

Feedback/Questions

• John writes in
• Mason writes in
• Earl writes in ***

This episode was brought to you by

Headlines

OpenBSD, from distribution to project

• Ted Unangst has yet another interesting blog post up, this time covering a bit of BSD history and some different phases OpenBSD has been through
• It's the third part of his ongoing series of posts about OpenBSD removing large bits of code in favor of smaller replacements
• In the earliest days, OpenBSD collected and maintained code from lots of other projects (Apache, lynx, perl..)
• After importing new updates every release cycle, they eventually hit a transitional phase - things were updated, but nothing new was imported
• When the need arose, instead of importing a known tool to do the job, homemade replacements (OpenNTPD, OpenBGPD, etc) were slowly developed
• In more recent times, a lot of the imported code has been completely removed in favor of the homegrown daemons
• More discussion on HN and reddit ***

Remote ZFS mirrors, the hard way

• Backups to "the cloud" have become a hot topic in recent years, but most of them require trade-offs between convenience and security
• You have to trust (some of) the providers not to snoop on your data, but even the ones who allow you to locally encrypt files aren't without some compromise
• As the author puts it: "We don't need live synchronisation, cloud scaling, SLAs, NSAs, terms of service, lock-ins, buy-outs, up-sells, shut-downs, DoSs, fail whales, pay-us-or-we'll-deletes, or any of the noise that comes with using someone else's infrastructure."
• This guide walks you through setting up a FreeBSD server with ZFS to do secure offsite backups yourself
• The end result is an automatic system for incremental backups that's backed (pun intended) by ZFS
• If you're serious about keeping your important data safe and sound, you'll want to give this one a read - lots of detailed instructions ***

Various DragonFlyBSD updates

• The DragonFly guys have been quite busy this week, making an assortment of improvements throughout the tree
• Intel ValleyView graphics support was finally committed to the main repository
• While on the topic of graphics, they've also issued a call for testing for a DRM update (matching Linux 3.16's and including some more Broadwell fixes)
• Their base GCC compiler is also now upgraded to version 5.2
• If your hardware supports it, DragonFly will now use an accelerated console by default ***

QuakeCon runs on OpenBSD

• QuakeCon, everyone's favorite event full of rocket launchers, recently gave a mini-tour of their network setup
• For such a crazy network, unsurprisingly, they seem to be big fans of OpenBSD and PF
• In this video interview, one of the sysadmins discusses why he chose OpenBSD, what he likes about it, different packet queueing systems, how their firewalls and servers are laid out and much more
• He also talks about why they went with vanilla PF, writing their ruleset from the ground up rather than relying on a prebuilt solution
• There's also some general networking talk about nginx, reverse proxies, caching, fiber links and all that good stuff
• Follow-up questions can be asked in this reddit thread
• The host doesn't seem to be that familiar with the topics at hand, mentioning "OpenPF" multiple times among other things, so our listeners should get a kick out of it ***

Interview - Adrian Chadd - adrian@freebsd.org / @erikarn

Rethinking ways to improve FreeBSD

News Roundup

CII contributes to OpenBSD

• If you recall back to when we talked to the OpenBSD foundation, one of the things Ken mentioned was the Core Infrastructure Initiative
• In a nutshell, it's an organization of security experts that helps facilitate (with money, in most cases) the advancement of the more critical open source components of the internet
• The group is organized by the Linux foundation, and gets its multi-million dollar backing from various big companies in the technology space (and donations from volunteers)
• To ensure that OpenBSD and its related projects (OpenSSH, LibreSSL and PF likely being the main ones here) remain healthy, they've just made a large donation to the foundation - this makes them the first "platinum" level donor as well
• While the exact amount wasn't disclosed, it was somewhere between $50,000 and $100,000
• The donation comes less than a month after Microsoft's big donation, so it's good to see these large organizations helping out important open source projects that we depend on every day ***

Another BSDCan report

• The FreeBSD foundation is still getting trip reports from BSDCan, and this one comes from Mark Linimon
• In his report, he mainly covers the devsummit and some discussion with the portmgr team
• One notable change for the upcoming 10.2 release is that the default binary repository is now the quarterly branch - Mark talks a bit about this as well
• He also gives his thoughts on using QEMU for cross-compiling packages and network performance testing ***

Lumina 0.8.6 released

• The PC-BSD team has released another version of Lumina, their BSD-licensed desktop environment
• This is mainly a bugfix and performance improvement release, rather than one with lots of new features
• The on-screen display widget should be much faster now, and the configuration now allows for easier selection of default applications (which browser, which terminal, etc)
• Lots of non-English translation updates and assorted fixes are included as well
• If you haven't given it a try yet, or maybe you're looking for a new window manager, Lumina runs on all the BSDs ***

More c2k15 hackathon reports

• Even more reports from OpenBSD's latest hackathon are starting to pour in
• The first one is from Alexandr Nedvedicky, one of their brand new developers (the guy from Oracle)
• He talks about his experience going to a hackathon for the first time, and lays out some of the plans for integrating their (very large) SMP PF patch into OpenBSD
• Second up is Andrew Fresh, who went without any specific plans, but still ended up getting some UTF8 work done
• On the topic of ARMv7, "I did enjoy being there when things weren't working so [Brandon Mercer] could futilely try to explain the problem to me (I wasn't much help with kernel memory layouts). Fortunately others overheard and provided words of encouragement and some help which was one of my favorite parts of attending this hackathon."
• Florian Obser sent in a report that includes a little bit of everything: setting up the hackathon's network, relayd and httpd work, bidirectional forwarding detection, airplane stories and even lots of food
• Paul Irofti wrote in as well about his activities, which were mainly focused on the Octeon CPU architecture
• He wrote a new driver for the onboard flash of a DSR-500 machine, which was built following the Common Flash Interface specification
• This means that, going forward, OpenBSD will have out-of-the-box support for any flash memory device (often the case for MIPS and ARM-based embedded devices) ***

Feedback/Questions

• Hamza writes in
• Florian writes in
• Dominik writes in ***

This episode was brought to you by

Headlines

Enabling FreeBSD on AArch64

• One of the things the FreeBSD foundation has been dumping money into lately is ARM64 support, but we haven't heard too much about it - this article should change that
• Since it's on a mainstream ARM site, the article begins with a bit of FreeBSD history, leading up to the current work on ARM64
• There's also a summary of some of the ARM work done at this year's BSDCan, including details about running it on the Cavium ThunderX platform (which has 48 cores)
• As of just a couple months ago, dtrace is even working on this new architecture
• Come 11.0-RELEASE, the plan is for ARM64 to get the same "tier 1" treatment as X86, which would imply binary updates for base and ports - something Raspberry Pi users often complain about not having ***

OpenBSD's tcpdump detailed

• Most people are probably familiar with tcpdump, a very useful packet sniffing and capturing utility that's included in all the main BSD base systems
• This video guide is specifically about the version in OpenBSD, which has gone through some major changes (it's pretty much a fork with no version number anymore)
• Unlike on the other platforms, OpenBSD's tcpdump will always run in a chroot as an unprivileged user - this has saved it from a number of high-profile exploits
• It also has support for the "pf.os" system, allowing you to filter out operating system fingerprints in the packet captures
• There's also PF (and pflog) integration, letting you see which line in your ruleset triggered a specific match
• Being able to run tcpdump directly on your router is pretty awesome for troubleshooting ***

More FreeBSD foundation at BSDCan

• The FreeBSD foundation has another round of trip reports from this year's BSDCan
• First up is Kamil Czekirda, who gives a good summary of some of the devsummit, FreeBSD-related presentations, some tutorials, getting freebsd-update bugs fixed and of course eating cake
• A second post from Christian Brueffer, who cleverly planned ahead to avoid jetlag, details how he got some things done during the FreeBSD devsummit
• Their third report is from our buddy Warren Block, who (unsurprisingly) worked on a lot of documentation-related things, including getting more people involved with writing them
• In true doc team style, his report is the most well-written of the bunch, including lots of links and a clear separation of topics (doc lounge, contributing to the wiki, presentations...)
• Finally, the fourth one comes to us from Shonali Balakrishna, who also gives an outline of some of the talks
• "Not only does a BSD conference have way too many very smart people in one room, but also some of the nicest." ***

DragonFly on the Chromebook C720

• If you've got one of the Chromebook laptops and weren't happy with the included OS, DragonFlyBSD might be worth a go
• This article is a "mini-report" on how DragonFly functions on the device as a desktop, and
• While the 2GB of RAM proved to be a bit limiting, most of the hardware is well-supported
• DragonFly's wiki has a full guide on getting set up on one of these devices as well ***

Interview - David Meyer - info@xinuos.com / @xinuos

Xinuos, BSD license model vs. others, community interaction

News Roundup

Introducing LiteBSD

• We definitely don't talk about 4.4BSD a lot on the show
• LiteBSD is "a variant of [the] 4.4BSD operating system adapted for microcontrollers"
• If you've got really, really old hardware (or are working in the embedded space) then this might be an interesting hobby project to look info ***

HardenedBSD announces ASLR completion

• HardenedBSD, now officially a full-on fork of FreeBSD, has declared their ASLR patchset to be complete
• The latest and last addition to the work was VDSO (Virtual Dynamic Shared Object) randomization, which is now configurable with a sysctl
• This post gives a summary of the six main features they've added since the beginning
• Only a few small things are left to do - man page cleanups, possibly shared object load order improvements ***

Unlock the reaper

• In the ongoing quest to make more of OpenBSD SMP-friendly, a new patch was posted that unlocks the reaper in the kernel
• When there's a zombie process causing a resource leak, it's the reaper's job to deallocate their resources (and yes we're still talking about computers, not horror movies)
• Initial testing has yielded positive results and no regressions
• They're looking for testers, so you can install a -current snapshot and get it automatically
• An updated version of the patch is coming soon too
• A hackathon is going on right now, so you can expect more SMP improvements in the near future ***

The importance of mentoring

• Adrian Chadd has a blog post up about mentoring new users, and it tells the story of how he originally got into FreeBSD
• He tells the story of, at age 11, meeting someone else who knew about making crystal sets that became his role model
• Eventually we get to his first FreeBSD 1.1 installation (which he temporarily abandoned for Linux, since it didn't have a color "ls" command) and how he started using the OS
• Nowadays, there's a formal mentoring system in FreeBSD
• While he talks about FreeBSD in the post, a lot of the concepts apply to all the BSDs (or even just life in general) ***

Feedback/Questions

• Sean writes in
• Herminio writes in
• Stuart writes in
• Richard writes in ***

This episode was brought to you by

Headlines

BSDCan 2015 videos

• BSDCan just ended last week, but some of the BSD-related presentation videos are already online
• Allan Jude, UCL for FreeBSD
• Andrew Cagney, What happens when a dwarf and a daemon start dancing by the light of the silvery moon?
• Andy Tanenbaum, A reimplementation of NetBSD using a MicroKernel
• Brooks Davis, CheriBSD: A research fork of FreeBSD
• Giuseppe Lettieri, Even faster VM networking with virtual passthrough
• Joseph Mingrone, Molecular Evolution, Genomic Analysis and FreeBSD
• Olivier Cochard-Labbe, Large-scale plug&play x86 network appliance deployment over Internet
• Peter Hessler, Using routing domains / routing tables in a production network
• Ryan Lortie, a stitch in time: jhbuild
• Ted Unangst, signify: Securing OpenBSD From Us To You
• Many more still to come... ***

Documenting my BSD experience

• Increasingly common scenario: a long-time Linux user (since the mid-90s) decides it's finally time to give BSD a try
• "That night I came home, I had been trying to find out everything I could about BSD and I watched many videos, read forums, etc. One of the shows I found was BSD Now. I saw that they helped people and answered questions, so I decided to write in."
• In this ongoing series of blog posts, a user named Michael writes about his initial experiences with trying different BSDs for some different tasks
• The first post covers ZFS on FreeBSD, used to build a file server for his house (and of course he lists the hardware, if you're into that)
• You get a glimpse of a brand new user trying things out, learning how great ZFS-based RAID arrays are and even some of the initial hurdles someone could run into
• He's also looking to venture into the realm of replacing some of his VMs with jails and bhyve soon
• His second post explores replacing the firewall on his self-described "over complicated home network" with an OpenBSD box
• After going from ipfwadmin to ipchains to iptables, not even making it to nftables, he found the simple PF syntax to be really refreshing
• All the tools for his networking needs, the majority of which are in the base system, worked quickly and were easy to understand
• Getting to hear experiences like this are very important - they show areas where all the BSD developers' hard work has paid off, but can also let us know where we need to improve ***

PC-BSD tries HardenedBSD builds

• The PC-BSD team has created a new branch of their git repo with the HardenedBSD ASLR patches integrated
• They're not the first major FreeBSD-based project to offer an alternate build - OPNsense did that a few weeks ago - but this might open the door for more projects to give it a try as well
• With Personacrypt, OpenNTPD, LibreSSL and recent Tor integration through the tools, these additional memory protections will offer PC-BSD users even more security that a default FreeBSD install won't have
• Time will tell if more projects and products like FreeNAS might be interested too ***

C-states in OpenBSD

• People who run BSD on their notebooks, you'll want to pay attention to this one
• OpenBSD has recently committed some ACPI improvements for deep C-states, enabling the processor to enter a low-power mode
• According to a few users so far, the change has resulted in dramatically lower CPU temperatures on their laptops, as well as much better battery life
• If you're running OpenBSD -current on a laptop, try out the latest snapshot and report back with your findings ***

NetBSD at Open Source Conference 2015 Hokkaido

• The Japanese NetBSD users group never sleeps, and they've hit yet another open source conference
• As is usually the case, lots of strange machines on display were running none other than NetBSD (though it was mostly ARM this time)
• We'll be having one of these guys on the show next week to discuss some of the lesser-known NetBSD platforms ***

Interview - Marc Espie - espie@openbsd.org / @espie_openbsd

Recent improvements to OpenBSD's dpb tool

News Roundup

Introducing xhyve, bhyve on OS X

• We've talked about FreeBSD's "bhyve" hypervisor a lot on the show, and now it's been ported to another OS
• As the name "xhyve" might imply, it's a port of bhyve to Mac OS X
• Currently it only has support for virtualizing a few Linux distributions, but more guest systems can be added in the future
• It runs entirely in userspace, and has no extra requirements beyond OS X 10.10 or newer
• There are also a few examples on how to use it ***

4K displays on DragonFlyBSD

• If you've been using DragonFly as a desktop, maybe with those nice Broadwell graphics, you'll be pleased to know that 4K displays work just fine
• Matthew Dillon wrote up a wiki page about some of the specifics, including a couple gotchas
• Some GUI applications might look weird on such a huge resolution,
• HDMI ports are mostly limited to a 30Hz refresh rate, and there are slightly steeper hardware requirements for a smooth experience ***

Sandboxing port daemons on OpenBSD

• We talked about different containment methods last week, and mentioned that a lot of the daemons in OpenBSD's base as chrooted by default - things from ports or packages don't always get the same treatment
• This blog post uses a mumble server as an example, but you can apply it to any service from ports that doesn't chroot by default
• It goes through the process of manually building a sandbox with all the libraries you'll need to run the daemon, and this setup will even wipe and refresh the chroot every time you restart it
• With a few small changes, similar tricks could be done on the other BSDs as well - everybody has chroots ***

SmallWall 1.8.2 released

• SmallWall is a relatively new BSD-based project that we've never covered before
• It's an attempt to keep the old m0n0wall codebase going, and appears to have started around the time m0n0wall called it quits
• They've just released the first official version, so you can give it a try now
• If you're interested in learning more about SmallWall, the lead developer just might be on the show in a few weeks... ***

Feedback/Questions

• David writes in
• Brian writes in
• Dan writes in
• Joel writes in
• Steve writes in ***

This episode was brought to you by

Interview - Sepherosa Ziehau - sephe@dragonflybsd.org

Features of DragonFlyBSD's network stack

Discussion

Comparing containment methods and privilege separation

• chroot, jails, systrace, capsicum, filesystem permissions, separating users ***

Feedback/Questions

• Brad writes in
• Anonymous writes in
• Benjamin writes in
• Jeroen writes in ***

This episode was brought to you by

Headlines

Zocker, it's like docker on FreeBSD

• Containment is always a hot topic, and docker has gotten a lot of hype in Linux land in the last couple years - they're working on native FreeBSD support at the moment
• This blog post is about a docker-like script, mainly for ease-of-use, that uses only jails and ZFS in the base system
• In total, it's 1,500 lines of shell script
• The post goes through the process of using the tool, showing off all the subcommands and explaining the configuration
• In contrast to something like ezjail, Zocker utilizes the jail.conf system in the 10.x branch ***

Patrol Read in OpenBSD

• OpenBSD has recently imported some new code to support the Patrol Read function of some RAID controllers
• In a nutshell, Patrol Read is a function that lets you check the health of your drives in the background, similar to a zpool "scrub" operation
• The goal is to protect file integrity by detecting drive failures before they can damage your data
• It detects bad blocks and prevents silent data corruption, while marking any bad sectors it finds ***

HAMMER 2 improvements

• DragonFly BSD has been working on the second generation HAMMER FS
• It now uses LZ4 compression by default, which we've been big fans of in ZFS
• They've also switched to a faster CRC algorithm, further improving HAMMER's performance, especially when using iSCSI ***

FreeBSD foundation May update

• The FreeBSD foundation has published another update newsletter, detailing some of the things they've been up to lately
• In it, you'll find some development status updates: notably more ARM64 work and the addition of 64 bit Linux emulation
• Some improvements were also made to FreeBSD's release building process for non-X86 architectures
• There's also an AsiaBSDCon recap that covers some of the presentations and the dev events
• They also have an accompanying blog post where Glen Barber talks about more sysadmin and clusteradm work at NYI ***

Interview - Lucas Holt - questions@midnightbsd.org / @midnightbsd

MidnightBSD

News Roundup

The launchd on train is never coming

• Replacement of init systems has been quite controversial in the last few years
• Fortunately, the BSDs have avoided most of that conflict thus far, but there have been a few efforts made to port launchd from OS X
• This blog post details the author's opinion on why he thinks we're never going to have launchd in any of the BSDs
• Email us your thoughts on the matter ***

Native SSH comes to… Windows

• In what may be the first (and last) mention of Microsoft on BSD Now...
• They've just recently announced that PowerShell will get native SSH support in the near future
• It's not based on the commercial SSH either, it's the same one from OpenBSD that we already use everywhere
• Up until now, interacting between BSD and Windows has required something like PuTTY, WinSCP, FileZilla or Cygwin - most of which are based on really outdated versions
• The announcement also promises that they'll be working with the OpenSSH community, so we'll see how many Microsoft-submitted patches make it upstream (or how many donations they make) ***

Moving to FreeBSD

• This blog post describes a long-time Linux user's first BSD switching experience
• The author first talks about his Linux journey, eventually coming to love the more customization-friendly systems, but the journey ended with systemd
• After doing a bit of research, he gave FreeBSD a try and ended up liking it - the rest of the post mostly covers why that is
• He also plans to write about his experience with other BSDs, and is writing some tutorials too - we'll check in with him again later on ***

Feedback/Questions

• Adam writes in
• Dan writes in
• Ivan writes in
• Josh writes in ***

This episode was brought to you by

Headlines

More conference presentation videos

• Some more of the presentation videos from AsiaBSDCon are appearing online
• Masanobu Saitoh, Developing CPE Routers Based on NetBSD
• Reyk Floeter, VXLAN and Cloud-based Networking with OpenBSD
• Jos Jansen, Adapting OS X to the enterprise
• Pierre Pronchery & Guillaume Lasmayous, Carve your NetBSD <!-- skip to 5:06 for henning trolling -->
• Colin Percival, Everything you need to know about cryptography in 1 hour (not from AsiaBSDCon)
• The "bsdconferences" YouTube channel has quite a lot of interesting older BSD talks too - you may want to go back and watch them if you haven't already ***

OpenBSD PIE enhancements

• ASLR and PIE are great security features that OpenBSD has had enabled by default for a long time, in both the base system and ports, but they have one inherent problem
• They only work with dynamic libraries and binaries, so if you have any static binaries, they don't get the same treatment
• For example, the default shells (and many other things in /bin and /sbin) are statically linked
• In the case of the static ones, you can always predict the memory layout, which is very bad and sort of defeats the whole purpose
• With this and a few related commits, OpenBSD fixes this by introducing static self-relocation
• More and more CPU architectures are being tested and getting support too; this isn't just for amd64 and i386 - VAX users can rest easy
• It'll be available in 5.7 in May, or you can use a -current snapshot if you want to get a slice of the action now ***

FreeBSD foundation semi-annual newsletter

• The FreeBSD foundation publishes a huge newsletter twice a year, detailing their funded projects and some community activities
• As always, it starts with a letter from the president of the foundation - this time it's about encouraging students and new developers to get involved
• The article also has a fundraising update with a list of sponsored projects, and they note that the donations meter has changed from dollars to number of donors (since they exceeded the goal already)
• You can read summaries of all the BSD conferences of 2014 and see a list of upcoming ones next year too
• There are also sections about the FreeBSD Journal's progress, a new staff member and a testimonial from NetApp
• It's a very long report, so dedicate some time to read all the way through it
• This year was pretty great for BSD: both the FreeBSD and OpenBSD foundations exceeded their goals and the NetBSD foundation came really close too
• As we go into 2015, consider donating to whichever BSD you use, it really can make a difference ***

Modernizing OpenSSH fingerprints

• When you connect to a server for the first time, you'll get what's called a fingerprint of the host's public key - this is used to verify that you're actually talking to the same server you intended to
• Up until now, the key fingerprints have been an MD5 hash, displayed as hex
• This can be problematic, especially for larger key types like RSA that give lots of wiggle room for collisions, as an attacker could generate a fake host key that gives the same MD5 string as the one you wanted to connect to
• This new change replaces the default MD5 and hex with a base64-encoded SHA256 fingerprint
• You can add a "FingerprintHash" line in your ssh_config to force using only the new type
• There's also a new option to require users to authenticate with more than one public key, so you can really lock down login access to your servers - also useful if you're not 100% confident in any single key type
• The new options should be in the upcoming 6.8 release ***

Interview - Dan Langille - info@bsdcan.org / @bsdcan

Plans for the BSDCan 2015 conference

News Roundup

Introducing ntimed, a new NTP daemon

• As we've mentioned before in our tutorials, there are two main daemons for the Network Time Protocol - ISC's NTPd and OpenBSD's OpenNTPD
• With all the recent security problems with ISC's NTPd, Poul-Henning Kamp has been working on a third NTP daemon
• It's called "ntimed" and you can try out a preview version of it right now - it's in FreeBSD ports or on Github
• PHK also has a few blog entries about the project, including status updates ***

OpenBSD-maintained projects list

• There was recently a read on the misc mailing list asking about different projects started by OpenBSD developers
• The initial list had marks for which software had portable versions to other operating systems (OpenSSH being the most popular example)
• A developer compiled a new list from all of the replies to that thread into a nice organized webpage
• Most people are only familiar with things like OpenSSH, OpenSMTPD, OpenNTPD and more recently LibreSSL, but there are quite a lot more
• This page also serves as a good history lesson for BSD in general: FreeBSD and others have ported some things over, while a couple OpenBSD tools were born from forks of FreeBSD tools (mergemaster, pkg tools, portscout) ***

Monitoring network traffic with FreeBSD

• If you've ever been curious about monitoring network traffic on your FreeBSD boxes, this forum post may be exactly the thing for you
• It'll show you how to combine the Netflow, NfDump and NfSen suite of tools to get some pretty detailed network stats (and of course put them into a fancy webpage)
• This is especially useful for finding out what was going on at a certain point in time, for example if you had a traffic spike ***

Trapping spammers with spamd

• This is a blog post about OpenBSD's spamd - a spam email deferral daemon - and how to use it for your mail
• It gives some background on the greylisting approach to spam, rather than just a typical host blacklist
• "Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the sender re-attempts mail delivery at a later time, the sender may be allowed to continue the mail delivery conversation."
• The post also shows how to combine it with PF and other tools for a pretty fancy mail setup
• You can find spamd in the OpenBSD base system, or use it with FreeBSD or NetBSD via ports and pkgsrc
• You might also want to go back and listen to BSDTalk episode 68, where Will talks to Bob Beck about spamd ***

Feedback/Questions

• Sean writes in
• Brandon writes in
• Anders writes in
• David writes in
• Kyle writes in ***

Mailing List Gold

• NTP code comparison - 192870 vs. 2898
• NICs have feelings too
• Just think about it ***

This episode was brought to you by

Headlines

More BSD presentation videos

• The MeetBSD video uploading spree continues with a few more talks, maybe this'll be the last batch
• Corey Vixie, Web Apps in Embedded BSD
• Allan Jude, UCL config
• Kip Macy, iflib
• While we're on the topic of conferences, AsiaBSDCon's CFP was extended by one week
• This year's ruBSD will be on December 13th in Moscow
• Also, the BSDCan call for papers is out, and the event will be in June next year
• Lastly, according to Rick Miller, "A potential vBSDcon 2015 event is being explored though a decision has yet to be made." ***

BSD-powered digital library in Africa

• You probably haven't heard much about Nzega, Tanzania, but it's an East African country without much internet access
• With physical schoolbooks being a rarity there, a few companies helped out to bring some BSD-powered reading material to a local school
• They now have a pair of FreeNAS Minis at the center of their local network, with over 80,000 books and accompanying video content stored on them (~5TB of data currently)
• The school's workstations also got wiped and reloaded with FreeBSD, and everyone there seems to really enjoy using it ***

pfSense 2.2 status update

• With lots of people asking when the 2.2 release will be done, some pfSense developers decided to provide a status update
• 2.2 will have a lot of changes: being based on FreeBSD 10.1, Unbound instead of BIND, updating PHP to something recent, including the new(ish) IPSEC stack updates, etc
• All these things have taken more time than previously expected
• The post also has some interesting graphs showing the ratio of opened and close bugs for the upcoming release ***

Recommended hardware threads

• A few threads on caught our attention this week, all about hardware recommendations for BSD setups
• In the first one, the OP asks about mini-ITX hardware to run a FreeBSD server and NAS
• Everyone gave some good recommendations for low power, Atom-based systems
• The second thread started off asking about which CPU architecture is best for PF on an OpenBSD router, but ended up being another hardware thread
• For a router, the ALIX, APU and Soekris boards still seem to be the most popular choices, with the third and fourth threads confirming this
• If you're thinking about building your first BSD box - server, router, NAS, whatever - these might be some good links to read ***

Interview - Paul Schenkeveld - freebsd@psconsult.nl

Running a BSD conference

News Roundup

From Linux to FreeBSD - for reals

• Another Linux user is ready to switch to BSD, and takes to Reddit for some community encouragement (seems to be a common thing now)
• After being a Linux guy for 20(!) years, he's ready to switch his systems over, and is looking for some helpful guides to transition
• In the comments, a lot of new switchers offer some advice and reading material
• If any of the listeners have some things that were helpful along your switching journey, maybe send 'em this guy's way ***

Running FreeBSD as a Xen Dom0

• Continuing progress has been made to allow FreeBSD to be a host for the Xen hypervisor
• This wiki article explains how to run the Xen branch of FreeBSD and host virtual machines on it
• Xen on FreeBSD currently supports PV guests (modified kernels) and HVM (unmodified kernels, uses hardware virtualization features)
• The wiki provides instructions for running Debian (PV) and FreeBSD (HVM), and discusses the features that are not finished yet ***

HardenedBSD updates and changes

• a.out is the old executable format for Unix
• The name stands for assembler output, and was coined by Ken Thompson as the fixed name for output of his PDP-7 assembler in 1968
• FreeBSD, on which HardenedBSD is based, switched away from a.out in version 3.0
• A restriction against NULL mapping was introduced in FreeBSD 7 and enabled by default in FreeBSD 8
• However, for reasons of compatibility, it could be switched off, allowing buggy applications to continue to run, at the risk of allowing a kernel bug to be exploited
• HardenedBSD has removed the sysctl, making it impossible to run in ‘insecure mode’
• Package building update: more consistent repo, no more i386 packages ***

Feedback/Questions

• Boris writes in
• Alex writes in (edit: adding "tinker panic 0" to the ntp.conf will disable the sanity check)
• Chris writes in
• Robert writes in
• Jake writes in ***

Mailing List Gold

• Real world authpf use
• The great perl event of 2014 ***

This episode was brought to you by

Headlines

Password gropers take spamtrap bait

• Our friend Peter Hansteen, who keeps his eyes glued to his log files, has a new blog post
• He seems to have discovered another new weird phenomenon in his pop3 logs
• "yes, I still run one, for the same bad reasons more than a third of my readers probably do: inertia"
• Someone tried to log in to his service with an address that was known to be invalid
• The rest of the post goes into detail about his theory of why someone would use a list of invalid addresses for this purpose ***

Inside the Atheros wifi chipset

• Adrian Chadd - sometimes known in the FreeBSD community as "the wireless guy" - gave a talk at the Defcon Wireless Village 2014
• He covers a lot of topics on wifi, specifically on Atheros chips and why they're so popular for open source development
• There's a lot of great information in the presentation, including cool (and evil) things you can do with wireless cards
• Very technical talk; some parts might go over your head if you're not a driver developer
• The raw video file is also available to download on archive.org
• Adrian has also recently worked on getting Kismet and Aircrack-NG to work better with FreeBSD, including packet injection and other fun things ***

Trip report and hackathon mini-roundup

• A few more (late) reports from BSDCan and the latest OpenBSD hackathon have been posted
• Mark Linimon mentions some of the future plans for FreeBSD's release engineering and ports
• Bapt also has a BSDCan report detailing his work on ports and packages
• Antoine Jacoutot writes about his work at the most recent hackathon, working with rc configuration and a new /etc/examples layout
• Peter Hessler, a latecomer to the hackathon, details his experience too, hacking on the installer and built-in upgrade function
• Christian Weisgerber talks about starting some initial improvements of OpenBSD's ports infrastructure ***

DragonFly BSD 3.8.2 released

• Although it was already branched, the release media is now available for DragonFly 3.8.2
• This is a minor update, mostly to fix the recent OpenSSL vulnerabilities
• It also includes some various other small fixes ***

Interview - Eric Le Blan - info@xinuos.com

Xinuos' recent FreeBSD integration, BSD in the commercial server space

Tutorial

Building a hardened, feature-rich webserver

News Roundup

Defend your network and privacy, FreeBSD version

• Back in episode 39, we covered a blog post about creating an OpenBSD gateway - partly based on our tutorial
• This is a follow-up post, by the same author, about doing a similar thing with FreeBSD
• He mentions some of the advantages and disadvantages between the two operating systems, and encourages users to decide for themselves which one suits their needs
• The rest is pretty much the same things: firewall, VPN, DHCP server, DNSCrypt, etc. ***

Don't encrypt all the things

• Another couple of interesting blog posts from Ted Unangst about encryption
• It talks about how Google recently started ranking sites with HTTPS higher in their search results, and then reflects on how sometimes encryption does more harm than good
• After heartbleed, the ones who might be able to decrypt your emails went from just a three-letter agency to any script kiddie
• He also talks a bit about some PGP weaknesses and a possible future replacement
• He also has another, similar post entitled "in defense of opportunistic encryption" ***

New automounter lands in FreeBSD

• The work on the new automounter has just landed in 11-CURRENT
• With help from the FreeBSD Foundation, we'll have a new "autofs" kernel option
• Check the SVN viewer online to read over the man pages if you're not running -CURRENT
• You can also read a bit about it in the recent newsletter ***

OpenSSH 6.7 CFT

• It's been a little while since the last OpenSSH release, but 6.7 is almost ready
• Our friend Damien Miller issued a call for testing for the upcoming version, which includes a fair amount of new features
• It includes some old code removal, some new features and some internal reworkings - we'll cover the full list in detail when it's released
• This version also officially supports being built with LibreSSL now
• Help test it out and report any findings, especially if you have access to something a little more exotic than just a BSD system ***

Feedback/Questions

• David writes in
• Lachlan writes in
• Francis writes in
• Frank writes in
• Sean writes in ***

This episode was brought to you by

Headlines

g2k14 hackathon reports

• Nearly 50 OpenBSD developers gathered in Ljubljana, Slovenia from July 8-14 for a hackathon
• Lots of work got done - in just the first two weeks of July, there were over 1000 commits to their CVS tree
• Some of the developers wrote in to document what they were up to at the event
• Bob Beck planned to work on kernel stuff, but then "LibreSSL happened" and he spent most of his time working on that
• Miod Vallat also tells about his LibreSSL experiences
• Brent Cook, a new developer, worked mainly on the portable version of LibreSSL (and we'll be interviewing him next week!)
• Henning Brauer worked on VLAN bpf and various things related to IPv6 and network interfaces (and he still hates IPv6)
• Martin Pieuchot fixed some bugs in the USB stack, softraid and misc other things
• Marc Espie improved the package code, enabling some speed ups, fixed some ports that broke with LibreSSL and some of the new changes and also did some work on ensuring snapshot consistency
• Martin Pelikan integrated read-only ext4 support
• Vadim Zhukov did lots of ports work, including working on KDE4
• Theo de Raadt created a new, more secure system call, "sendsyslog" and did a lot of work with /etc, sysmerge and the rc scripts
• Paul Irofti worked on the USB stack, specifically for the Octeon platform
• Sebastian Benoit worked on relayd filters and IPv6 code
• Jasper Lievisse Adriaanse did work with puppet, packages and the bootloader
• Jonathan Gray imported newer Mesa libraries and did a lot with Xenocara, including work in the installer for autodetection
• Stefan Sperling fixed a lot of issues with wireless drivers
• Florian Obser did many things related to IPv6
• Ingo Schwarze worked on mandoc, as usual, and also rewrote the openbsd.org man.cgi interface
• Ken Westerback hacked on dhclient and dhcpd, and also got dump working on 4k sector drives
• Matthieu Herrb worked on updating and modernizing parts of xenocara ***

FreeBSD pf discussion takes off

• Concerns from last week, about FreeBSD's packet filter being old and unmaintained, seemed to have finally sparked some conversation about the topic on the "questions" and "current" mailing lists (unfortunately people didn't always use reply-all so you have to cross-reference the two lists to follow the whole conversation sometimes)
• Straight from the SMP FreeBSD pf maintainer: "no one right now [is actively developing pf on FreeBSD]"
• Searching for documentation online for pf is troublesome because there are two incompatible syntaxes
• FreeBSD's pf man pages are lacking, and some of FreeBSD's documentation still links to OpenBSD's pages, which won't work anymore - possibly turning away would-be BSD converts because it's frustrating
• There's also the issue of importing patches from pfSense, but most of those still haven't been done either
• Lots of disagreement among developers vs. users...
• Many users are very vocal about wanting it updated, saying the syntax change is no big deal and is worth the benefits - developers aren't interested
• Henning Brauer, the main developer of pf on OpenBSD, has been very nice and offered to help the other BSDs get their pf fixed on multiple occasions
• Gleb Smirnoff, author of the FreeBSD-specific SMP patches, questions Henning's claims about OpenBSD's improved speed as "uncorroborated claims" (but neither side has provided any public benchmarks)
• Gleb had to abandon his work on FreeBSD's pf because funding ran out ***

LibreSSL progress update

• LibreSSL's first few portable releases have come out and they're making great progress, releasing 2.0.3 two days ago
• Lots of non-OpenBSD people are starting to contribute, sending in patches via the tech mailing list
• However, there has already been some drama... with Linux users
• There was a problem with Linux's PRNG, and LibreSSL was unforgiving of it, not making an effort to randomize something that could not provide real entropy
• This "problem" doesn't affect OpenBSD's native implementation, only the portable version
• The developers decide to weigh in to calm the misinformation and rage
• A fix was added in 2.0.2, and Linux may even get a new system call to handle this properly now - remember to say thanks, guys
• Ted Unangst has a really good post about the whole situation, definitely check it out
• As a follow-up from last week, bapt says they're working on building the whole FreeBSD ports tree against LibreSSL, but lots of things still need some patching to work properly - if you're a port maintainer, please test your ports against it ***

Preparation for NetBSD 7

• The release process for NetBSD 7.0 is finally underway
• The netbsd-7 CVS branch should be created around July 26th, which marks the start of the first beta period, which will be lasting until September
• If you run NetBSD, that'll be a great time to help test on as many platforms as you can (this is especially true on custom embedded applications)
• They're also looking for some help updating documentation and fixing any bugs that get reported
• Another formal announcement will be made when the beta binaries are up ***

Interview - Dag-Erling Smørgrav - des@freebsd.org / @RealEvilDES

The role of the FreeBSD Security Officer, recent ports features, various topics

News Roundup

BSDCan ports and packages WG

• Back at BSDCan this year, there was a special event for discussion of FreeBSD ports and packages
• Bapt talked about package building, poudriere and the systems the foundation funded for compiling packages
• There's also some detail about the signing infrastructure and different mirrors
• Ports people and source people need to talk more often about ABI breakage
• The post also includes information about pkg 1.3, the old pkg tools' EOL, the quarterly stable package sets and a lot more (it's a huge post!) ***

Cross-compiling ports with QEMU and poudriere

• With recent QEMU features, you can basically chroot into a completely different architecture
• This article goes through the process of building ARMv6 packages on a normal X86 box
• Note though that this requires 10-STABLE or 11-CURRENT and an extra patch for QEMU right now
• The poudriere-devel port now has a "qemu user" option that will pull in all the requirements
• Hopefully this will pave the way for official pkgng packages on those lesser-used architectures ***

Cloning FreeBSD with ZFS send

• For a FreeBSD mail server that MWL runs, he wanted to have a way to easily restore the whole system if something were to happen
• This post shows his entire process in creating a mirror machine, using ZFS for everything
• The "zfs send" and "zfs snapshot" commands really come in handy for this
• He does the whole thing from a live CD, pretty impressive ***

FreeBSD Overview series

• A new blog series we stumbled upon about a Linux user switching to BSD
• In part one, he gives a little background on being "done with Linux distros" and documents his initial experience getting and installing FreeBSD 10
• He was pleasantly surprised to be able to use ZFS without jumping through hoops and doing custom kernels
• Most of what he was used to on Linux was already in the default FreeBSD (except bash...)
• Part two documents his experiences with pkgng and ports ***

Feedback/Questions

• Bostjan writes in
• Rick writes in
• Clint writes in
• Esteban writes in
• Ben writes in
• Matt sends in pictures of his FreeBSD CD collection ***

This episode was brought to you by

Headlines

PIE and ASLR in FreeBSD update

• A status update for Shawn Webb's ASLR and PIE work for FreeBSD
• One major part of the code, position-independent executable support, has finally been merged into the -CURRENT tree
• "FreeBSD has supported loading PIEs for a while now, but the applications in base weren't compiled as PIEs. Given that ASLR is useless without PIE, getting base compiled with PIE support is a mandatory first step in proper ASLR support"
• If you're running -CURRENT, just add "WITH_PIE=1" to your /etc/src.conf and /etc/make.conf
• The next step is working on the ASLR coding style and getting more developers to look through it
• Shawn will also be at EuroBSDCon (in September) giving an updated version of his BSDCan talk about ASLR ***

Misc. pfSense news

• Couple of pfSense news items this week, including some hardware news
• Someone's gotta test the pfSense hardware devices before they're sold, which involves powering them all on at least once
• To make that process faster, they're building a controllable power board (and include some cool pics)
• There will be more info on that device a bit later on
• On Friday, June 27th, there will be another video session (for paying customers only...) about virtualized firewalls
• pfSense University, a new paid training course, was also announced
• A single two-day class costs $2000, ouch ***

ZFS stripe width

• A new blog post from Matt Ahrens about ZFS stripe width
• "The popularity of OpenZFS has spawned a great community of users, sysadmins, architects and developers, contributing a wealth of advice, tips and tricks, and rules of thumb on how to configure ZFS. In general, this is a great aspect of the ZFS community, but I’d like to take the opportunity to address one piece of misinformed advice"
• Matt goes through different situations where you would set up your zpool differently, each with their own advantages and disadvantages
• He covers best performance on random IOPS, best reliability, and best space efficiency use cases
• It includes a lot of detail on each one, including graphs, and addresses some misconceptions about different RAID-Z levels' overhead factor ***

FreeBSD 9.3-BETA3 released

• The third BETA in the 9.3 release cycle is out, we're slowly getting closer to the release
• This is expected to be the final BETA, next will come the RCs
• There have mostly just been small bug fixes since BETA2, but OpenSSL was also updated and the arc4random code was updated to match what's in -CURRENT (but still isn't using ChaCha20)
• The FreeBSD foundation has a blog post about it too
• There's a list of changes between 9.2 and 9.3 as well, but we'll be sure to cover it when the -RELEASE hits ***

Interview - Bryce Chidester - brycec@devio.us / @brycied00d

Running a BSD shell provider

Tutorial

Chaining SSH connections

News Roundup

My FreeBSD adventure

• A Slackware user from the "linux questions" forum decides to try out BSD, and documents his initial impressions and findings
• After ruling out PCBSD due to the demanding hardware requirements and NetBSD due to "politics" (whatever that means, his words) he decides to start off with FreeBSD 10, but also mentions trying OpenBSD later on
• In his forum post, he covers the documentation (and how easy it makes it for a switcher), dual booting, packages vs ports, network configuration and some other little things
• So far, he seems to really enjoy BSD and thinks that it makes a lot of sense compared to Linux
• Might be an interesting, ongoing series we can follow up on later ***

Even more BSDCan trip reports

• BSDCan may be over until next year, but trip reports are still pouring in
• This time we have a summary from Li-Wen Hsu, who was paid for by the FreeBSD foundation
• He's part of the "Jenkins CI for FreeBSD" group and went to BSDCan mostly for that
• Nice long post about all of his experiences at the event, definitely worth a read
• He even talks about... the food ***

FreeBSD disk partitioning

• For his latest book series on FreeBSD's GEOM system, MWL asked the hackers mailing list for some clarification
• This erupted into a very long discussion about fdisk vs gnop vs gpart
• So you don't have to read the 500 mailing list posts, he's summarized the findings in a blog post
• It covers MBR vs GPT, disk sector sizes and how to handle all of them with which tools ***

BSD Router Project version 1.51

• A new version of the BSD Router Project has been released, 1.51
• It's now based on FreeBSD 10-STABLE instead of 10.0-RELEASE
• Includes lots of bugfixes and small updates, as well as some patches from pfSense and elsewhere
• Check the sourceforge page for the complete list of changes
• Bad news... the minimum disk size requirement has increased to 512MB... getting pretty bloated ***

Feedback/Questions

• Fongaboo writes in
• David writes in
• Kristian writes in ***

This episode was brought to you by

Headlines

FreeBSD moves to Bugzilla

• Historically, FreeBSD has used the old GNATS system for keeping track of bug reports
• After years and years of wanting to switch, they've finally moved away from GNATS to Bugzilla
• It offers a lot of advantages, is much more modern and actively maintained and
• There's a new workflow chart for developers to illustrate the new way of doing things
• The old "send-pr" command will still work for the time being, but will eventually be phased out in favor of native Bugzilla reporting tools (of which there are multiple in ports)
• This will hopefully make reporting bugs a lot less painful ***

DIY NAS: EconoNAS 2014

• We previously covered this blog last year, but the 2014 edition is up
• More of a hardware-focused article, the author details the parts he's using for a budget NAS
• Details the motherboard, RAM, CPU, hard drives, case, etc
• With a set goal of $500 max, he goes just over it - $550 for all the parts
• Lots of nice pictures of the hardware and step by step instructions for assembly, as well as software configuration instructions ***

DragonflyBSD 3.8 released

• Justin announced the availability of DragonflyBSD 3.8.0
• Binaries in /bin and /sbin are dynamic now, enabling the use of PAM and NSS to manage user accounts
• It includes a new HAMMER FS backup script and lots of FreeBSD tools have been synced with their latest versions
• Work continues on for the Intel graphics drivers, but it's currently limited to the HD4000 and Ivy Bridge series
• See the release page for more info and check the link for source-based upgrade instructions ***

OpenZFS European conference 2014

• There was an OpenZFS conference held in Europe recently, and now the videos are online for your viewing pleasure
• Matt Ahrens, Introduction
• Michael Alexander, FhGFS performance on ZFS
• Andriy Gapon, Testing ZFS on FreeBSD
• Luke Marsden, HybridCluster: ZFS in the cloud
• Vadim Comănescu, Syneto: continuously delivering a ZFS-based OS
• Chris George, DDRdrive ZIL accelerator: random write revelation
• Grenville Whelan, High-Availability
• Phil Harman, Harman Holistic
• Mark Rees, Storiant and OpenZFS
• Andrew Holway, EraStor ZFS appliances
• Dan Vâtca, Syneto and OpenZFS
• Luke Marsden, HybridCluster and OpenZFS
• Matt Ahrens, Delphix and OpenZFS
• Check the link for slides and other goodies ***

Interview - Benedict Reuschling - bcr@freebsd.org

BSD documentation, getting commit access, unix education, various topics

News Roundup

Getting to know your portmgr, Steve Wills

• "It is my pleasure to introduce Steve Wills, the newest member of the portmgr team"
• swills is an all-round good guy, does a lot for ports (especially the ruby ports)
• In this interview, we learn why he uses FreeBSD, the most embarrassing moment in his FreeBSD career and much more
• He used to work for Red Hat, woah ***

BSDTalk episode 242

• This time on BSDTalk, Will interviews Chris Buechler from pfSense
• Topics include: the heartbleed vulnerability and how it affected pfSense, how people usually leave their firewalls unpatched for a long time (or even forget about them!), changes between major versions, the upgrade process, upcoming features in their 10-based version, backporting drivers and security fixes
• They also touch on recent concerns in the pfSense community about their license change, that they may be "going commercial" and closing the source - so tune in to find out what their future plans are for all of that ***

Turn old PC hardware into a killer home server

• Lots of us have old hardware lying around doing nothing but collecting dust
• Why not turn that old box into a modern file server with FreeNAS and ZFS?
• This article goes through the process of setting up a NAS, gives a little history behind the project and highlights some of the different protocols FreeNAS can use (NFS, SMB, AFS, etc)
• Most of our users are already familiar with all of this stuff, nothing too advanced
• Good to see BSD getting some well-deserved attention on a big mainstream site ***

Unbloating the VAX install CD

• After a discussion on the VAX mailing list, something very important came to the attention of the developers...
• You can't boot NetBSD on a VAX box with 16MB of RAM from the CD image
• This blog post goes through the developer's adventure in trying to fix that through emulation and stripping various things out of the kernel to make it smaller
• In the end, he got it booting - and now all three VAX users who want to run NetBSD can do so on their systems with 16MB of RAM... ***

Feedback/Questions

• Thomas writes in
• Reynold writes in
• Bostjan writes in
• Paul writes in
• John writes in ***

This episode was brought to you by

Headlines

BSDCan 2014 talks and reports, part 2

• More presentations and trip reports are still being uploaded
• Ingo Schwarze, New Trends in mandoc
• Vsevolod Stakhov, The Architecture of the New Solver in pkg
• Julio Merino, The FreeBSD Test Suite
• Zbigniew Bodek, Transparent Superpages for FreeBSD on ARM
• There's also a trip report from Michael Dexter and another (very long and detailed) trip report from our friend Warren Block that even gives us some linkage, thanks! ***

Beyond security, getting to know OpenBSD's real purpose

• Michael W Lucas (who, we learn through this video, has been using BSD since 1986) gave a "webcast" last week, and the audio and slides are finally up
• It clocks in at just over 30 minutes, managing to touch on a lot of OpenBSD topics
• Some of those topics include: what is OpenBSD and why you should care, the philosophy of the project, how it serves as a "pressure cooker for ideas," briefly touches on GPL vs BSDL, their "do it right or don't do it at all" attitude, their stance on NDAs and blobs, recent LibreSSL development, some of the security functions that OpenBSD enabled before anyone else (and the ripple effect that had) and, of course, their disturbing preference for comic sans
• Here's a direct link to the slides
• Great presentation if you'd like to learn a bit about OpenBSD, but also contains a bit of information that long-time users might not know too ***

FreeBSD vs Linux, a comprehensive comparison

• Another blog post covering something people seem to be obsessed with - FreeBSD vs Linux
• This one was worth mentioning because it's very thorough in regards to how things are done behind the scenes, not just the usual technical differences
• It highlights the concept of a "core team" and their role vs "contributors" and "committers" (similar to a presentation Kirk McKusick did not long ago)
• While a lot of things will be the same on both platforms, you might still be asking "which one is right for me?" - this article weighs in with some points for both sides and different use cases
• Pretty well-written and unbiased article that also mentions areas where Linux might be better, so don't hate us for linking it ***

Expand FreeNAS with plugins

• One of the things people love the most about FreeNAS (other than ZFS) is their cool plugin framework
• With these plugins, you can greatly expand the feature set of your NAS via third party programs
• This page talks about a few of the more popular ones and how they can be used to improve your NAS or media box experience
• Some examples include setting up an OwnCloud server, Bacula for backups, Maraschino for managing a home theater PC, Plex Media Server for an easy to use video experience and a few more
• It then goes into more detail about each of them, how to actually install plugins and then how to set them up ***

Interview - Karl Lehenbauer - karl@flightaware.com / @flightaware

FreeBSD at FlightAware, BSD history, various topics

Tutorial

Ports and packages in OpenBSD

News Roundup

Code review culture meets FreeBSD

• In most of the BSDs, changes need to be reviewed by more than one person before being committed to the tree
• This article describes Phabricator, an open source code review system that we briefly mentioned last week
• Instructions for using it are on the wiki
• While not approved by the core team yet for anything official, it's in a testing phase and developers are encouraged to try it out and get their patches reviewed
• Just look at that fancy interface!! ***

Upcoming BSD books

• Sneaky MWL somehow finds his way into both our headlines and the news roundup
• He gives us an update on the next BSD books that he's planning to release
• The plan is to release three (or so) books based on different aspects of FreeBSD's storage system(s) - GEOM, UFS, ZFS, etc.
• This has the advantage of only requiring you to buy the one(s) you're specifically interested in
• "When will they be released? When I'm done writing them. How much will they cost? Dunno."
• It's not Absolute FreeBSD 3rd edition... ***

CARP failover and high availability on FreeBSD

• If you're running a cluster or a group of servers, you should have some sort of failover in place
• But the question comes up, "how do you load balance the load balancers!?"
• This video goes through the process of giving more than one machine the same IP, how to set up CARP, securing it and demonstrates a node dying
• Also mentions DNS-based load balancing as another option ***

PCBSD weekly digest

• This time in PCBSD land, we're getting ready for the 10.0.2 release (ISOs here)
• AppCafe got a good number of fixes, and now shows 10 random highlighted applications
• EasyPBI added a "bulk" mode to create PBIs of an entire FreeBSD port category
• Lumina, the new desktop environment, is still being worked on and got some bug fixes too ***

Feedback/Questions

• Paul writes in
• Matt writes in
• Kjell writes in
• Paul writes in
• Tom writes in ***

This episode was brought to you by

Headlines

BSDCan 2014 talks and reports

• The majority of the BSDCan talks are finally uploaded, so prepare to be flooded with links
• Karl Lehenbauer's keynote (he's on next week's episode)
• Mariusz Zaborski and Pawel Jakub Dawidek, Capsicum and Casper (relevant to today's interview)
• Luigi Rizzo, In-kernel OpenvSwitch on FreeBSD
• Dwayne Hart, Migrating from Linux to FreeBSD for Backend Data Storage
• Warner Losh, NAND Flash and FreeBSD
• Simon Gerraty, FreeBSD bmake and Meta Mode
• Bob Beck, LibreSSL - The First 30 Days
• Henning Brauer, OpenBGPD Turns 10 Years Old
• Arun Thomas, BSD ARM Kernel Internals
• Peter Hessler, Using BGP for Realtime Spam Lists
• Pedro Giffuni, Features and Status of FreeBSD's Ext2 Implementation
• Matt Ahrens, OpenZFS Upcoming Features and Performance Enhancements
• Daichi Goto, Shellscripts and Commands
• Benno Rice, Keeping Current
• Sean Bruno, MIPS Router Hacking
• John-Mark Gurney, Optimizing GELI Performance
• Patrick Kelsey, Userspace Networking with libuinet
• Massimiliano Stucchi, IPv6 Transitioning Mechanisms
• Roger Pau Monné, Taking the Red Pill
• Shawn Webb, Introducing ASLR in FreeBSD
• There's also a trip report from Peter Hessler and one from Julio Merino
• The latter report also talks about how, unfortunately, NetBSD basically had no presence in the event at all (and how that's a recurring trend) ***

Defend your network and privacy with a VPN and OpenBSD

• After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back
• This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities
• There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used
• You can transparently tunnel all your outbound traffic over the VPN with this configuration, nothing is needed on any of the client systems - this could also be used with Tor (but it would be very slow)
• It also includes a few general privacy tips, recommended browser extensions, etc
• The intro to the article is especially great, so give the whole thing a read
• He mentions our OpenBSD router guide and other tutorials being a big help for this setup, so hello if you're watching! ***

You should try FreeBSD

• In this blog post, the author talks a bit about how some Linux people aren't familiar with the BSDs and how we can take steps to change that
• He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two
• Possibly the most useful part is how to address the question "my server already works, why bother switching?"
• "Stackoverflow’s answers assume I have apt-get installed"
• It includes mention of the great documentation, stability, ports, improved security and much more
• A takeaway quote for would-be Linux switchers: "I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before" ***

OpenBSD and the little Mauritian contributor

• This is a story about a guy from Mauritius named Logan, one of OpenBSD's newest developers
• Back in 2010, he started sending in patched for OpenBSD's "mg" editor, among other small things, and eventually added file transfer resume support for SFTP
• The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon
• It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem
• Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back ***

Interview - Jon Anderson - jonathan@freebsd.org

Capsicum and Casperd

Tutorial

Encrypting DNS lookups

News Roundup

FreeBSD Journal, May 2014 issue

• The newest issue of the FreeBSD Journal is out, following the bi-monthly release cycle
• This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling
• Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read ***

LibreSSL porting update

• Since the last LibreSSL post we covered, a couple unofficial "portable" versions have died off
• Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly - stop doing that!
• This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example
• Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good ***

BSDMag May 2014 issue is out

• The usual monthly release from BSDMag, covering a variety of subjects
• This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things
• It's a free PDF, go grab it ***

BSDTalk episode 241

• A new episode of BSDTalk is out, this time with Bob Beck
• He talks about the OpenBSD foundation's recent activities, his own work in the project, some stories about the hardware in Theo's basement and a lot more
• The interview itself isn't about LibreSSL at all, but they do touch on it a bit too
• Really interesting stuff, covers a lot of different topics in a short amount of time ***

Feedback/Questions

• We got a number of replies about last week's VPN question, so thanks to everyone who sent in an email about it - the vpnc package seems to be what we were looking for
• Tim writes in
• AJ writes in
• Peter writes in
• Thomas writes in
• Martin writes in ***

This episode was brought to you by

Presentation - Matthew Ahrens - matt@mahrens.org / @mahrens1

OpenZFS discussion

Feedback/Questions

• Remy writes in
• Darin writes in
• Steve writes in
• Pascal writes in ***

This episode was brought to you by

Headlines

ALTQ removed from PF

• Kicking off our big PF episode...
• The classic packet queueing system, ALTQ, was recently removed from OpenBSD -current
• There will be a transitional phase between 5.5 and 5.6 where you can still use it by replacing the "queue" keyword with "oldqueue" in your pf.conf
• As of 5.6, due about six months from now, you'll have to change your ruleset to the new syntax if you're using it for bandwidth shaping
• After more than ten years, bandwidth queueing has matured quite a bit and we can finally put ALTQ to rest, in favor of the new queueing subsystem
• This doesn't affect FreeBSD, PCBSD, NetBSD or DragonflyBSD since all of their PFs are older and maintained separately. ***

FreeBSD Quarterly Status Report

• The quarterly status report from FreeBSD is out, detailing some of the project's ongoing tasks
• Some highlights include the first "stable" branch of ports, ARM improvements (including SMP), bhyve improvements, more work on the test suite, desktop improvements including the new vt console driver and UEFI booting support finally being added
• We've got some specific updates from the cluster admin team, core team, documentation team, portmgr team, email team and release engineering team
• LOTS of details and LOTS of topics to cover, give it a read ***

OpenBSD's OpenSSL rewrite continues with m2k14

• A mini OpenBSD hackathon begins in Morocco, Africa
• You can follow the changes in the -current CVS log, but a lot of work is mainly going towards the OpenSSL cleaning
• We've got two trip reports so far, hopefully we'll have some more to show you in a future episode
• You can see some of the more interesting quotes from the tear-down or see everything
• Apparently they are going to call the fork "LibreSSL" ....
• What were the OpenSSL developers thinking? The RSA private key was used to seed the entropy!
• We also got some mainstream news coverage and another post from Ted about the history of the fork
• Definitely consider donating to the OpenBSD foundation, this fork will benefit all the other BSDs too ***

NetBSD 6.1.4 and 6.0.5 released

• New updates for the 6.1 and 6.0 branches of NetBSD, focusing on bugfixes
• The main update is - of course - the heartbleed vulnerability
• Also includes fixes for other security issues and even a kernel panic... on Atari
• Patch your Ataris right now, this is serious business ***

Interview - Peter Hansteen - peter@bsdly.net / @pitrh

The Book of PF: 3rd edition

Tutorial

BSD Firewalls: PF

News Roundup

New Xorg now the default in FreeBSD

• For quite a while now, FreeBSD has had two versions of X11 in ports
• The older, stable version was the default, but you could install a newer one by having "WITH_NEW_XORG" in /etc/make.conf
• They've finally made the switch for 10-STABLE and 9-STABLE
• Check this wiki page for more info ***

GSoC-accepted BSD projects

• The Google Summer of Code team has got the list of accepted project proposals uploaded so we can see what's planned
• OpenBSD's list includes DHCP configuration parsing improvements, systemd replacements, porting capsicum, GPT and UEFI support, and modernizing the DHCP daemon
• The FreeBSD list was also posted
• Theirs includes porting FreeBSD to the Android emulator, CTF in the kernel debugger, improved unicode support, converting firewall rules to a C module, pkgng improvements, MicroBlaze support, PXE fixes, bhyve caching, bootsplash and lots more
• Good luck to all the students participating, hopefully they become full time BSD users ***

Complexity of FreeBSD VFS using ZFS as an example

• HybridCluster posted the second part of their VFS and ZFS series
• This new post has lots of technical details once again, definitely worth reading if you're a ZFS guy
• Of course, also watch episode 24 for our interview with HybridCluster - they do really interesting stuff ***

PCBSD weekly digest

• Preload has been ported over, it's a daemon that prefetches applications
• PCBSD is developing their own desktop environment, Lumina (there's also an FAQ)
• It's still in active development, but you can try it out by installing from ports
• We'll be showing a live demo of it in a few weeks (when development settles down a bit)
• Some kid in Australia subjects his poor mother to being on camera while she tries out PCBSD and gives her impressions of it ***

This episode was brought to you by

Headlines

BSDCan schedule, speakers and talks

• This year's BSDCan will kick off on May 14th in Ottawa
• The list of speakers is also out
• And finally the talks everyone's looking forward to
• Lots of great tutorials and talks, spanning a wide range of topics of interest
• Be sure to come by so you can and meet Allan and Kris in person and get BSDCan shirts ***

NYCBSDCon talks uploaded

• The BSD TV YouTube channel has been uploading recordings from the 2014 NYCBSDCon
• Jeff Rizzo's talk, "Releasing NetBSD: So Many Targets, So Little Time"
• Dru Lavigne's talk, "ZFS Management Tools in FreeNAS and PC-BSD"
• Scott Long's talk, "Serving one third of the Internet via FreeBSD"
• Michael W. Lucas' talk, "BSD Breaking Barriers" ***

FreeBSD Journal, issue 2

• The bi-monthly FreeBSD journal's second issue is out
• Topics in this issue include pkg, poudriere, the PBI format, hwpmc and journaled soft-updates
• In less than two months, they've already gotten over 1000 subscribers! It's available on Google Play, iTunes, Amazon, etc
• "We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD"
• Check our interview with GNN for more information about the journal ***

OpenSSL, more like OpenSS-Hell

• We mentioned this huge OpenSSL bug last week during all the chaos, but the aftermath is just as messy
• There's been a pretty vicious response from security experts all across the internet and in all of the BSD projects - and rightfully so
• We finally have a timeline of events
• Reactions from ISC, PCBSD, Tarsnap, the Tor project, FreeBSD, NetBSD, oss-sec, PHK, Varnish and Akamai
• pfSense released a new version to fix it
• OpenBSD disabled heartbeat entirely and is very unforgiving of the IETF
• Ted Unangst has two good write-ups about the issue and how horrible the OpenSSL codebase is
• A nice quote from one of the OpenBSD lists: "Given how trivial one-liner fixes such as #2569 have remained unfixed for 2.5+ years, one can only assume that OpenSSL's bug tracker is only used to park bugs, not fix them"
• Sounds like someone else was having fun with the bug for a while too
• There's also another OpenSSL bug that OpenBSD patched - it allows an attacker to inject data from one connection into another
• OpenBSD has also imported the most current version of OpenSSL and are ripping it apart from the inside out - we're seeing a fork in real time ***

Interview - Jim Brown - info@bsdcertification.org

The BSD Certification exams

Tutorial

Building OpenBSD binary packages in bulk

News Roundup

Portable signify

• Back in episode 23 we talked with Ted Unangst about the new "signify" tool in OpenBSD
• Now there's a (completely unofficial) portable version of it on github
• If you want to verify your OpenBSD sets ahead of time on another OS, this tool should let you do it
• Maybe other BSD projects can adopt it as a replacement for gpg and incorporate it into their base systems ***

Foundation goals and updates

• The OpenBSD foundation has reached their 2014 goal of $150,000
• You can check their activities and goals to see where the money is going
• Remember that funding also goes to OpenSSH, which EVERY system uses and relies on everyday to protect their data
• The FreeBSD foundation has kicked off their spring fundraising campaign
• There's also a list of their activities and goals available to read through
• Be sure to support your favorite BSD, whichever one, so they can continue to make and improve great software that powers the whole internet ***

PCBSD weekly digest

• New PBI runtime that fixes stability issues and decreases load times
• "Update Center" is getting a lot of development and improvements
• Lots of misc. bug fixes and updates ***

Feedback/Questions

• There's a reddit thread we wanted to highlight - a user wants to show his friend BSD and why it's great
• Brad writes in
• Sha'ul writes in
• iGibbs writes in
• Matt writes in ***

This episode was brought to you by

Headlines

FreeBSD ASLR status update

• Shawn Webb gives us a little update on his address space layout randomization work for FreeBSD
• He's implemented execbase randomization for position-independent executables (which OpenBSD also just enabled globally in 5.5 on i386)
• Work has also started on testing ASLR on ARM, using a Raspberry Pi
• He's giving a presentation at BSDCan this year about his ASLR work
• While we're on the topic of BSDCan... ***

BSDCan tutorials, improving the experience

• Peter Hansteen writes a new blog post about his upcoming BSDCan tutorials
• The tutorials are called "Building the network you need with PF, the OpenBSD packet filter" and "Transitioning to OpenBSD 5.5" - both scheduled to last three hours each
• He's requesting anyone that'll be there to go ahead and contact him, telling him exactly what you'd like to learn
• There's also a bit of background information about the tutorials and how he's looking to improve them
• If you're interested in OpenBSD and going to BSDCan this year, hit him up ***

pkgsrc-2014Q1 released

• The new stable branch of pkgsrc packages has been built and is ready
• Python 3.3 is now a "first class citizen" in pkgsrc
• 14255 packages for NetBSD-current/x86_64, 11233 binary packages built with clang for FreeBSD 10/x86_64
• There's a new release every three months, and remember pkgsrc works on MANY operating systems, not just NetBSD - you could even use pkgsrc instead of pkgng or ports if you were so inclined
• They're also looking into signing packages ***

Only two holes in a heck of a long time, who cares?

• A particularly vocal Debian user, a lost soul, somehow finds his way to the misc@ OpenBSD mailing list
• He questions "what's the big deal" about OpenBSD's slogan being "Only two remote holes in the default install, in a heck of a long time!"
• Luckily, the community and Theo set the record straight about why you should care about this
• Running insecure applications on OpenBSD is actually more secure than running them on other systems, due to things like ASLR, PIE and all the security features of OpenBSD
• It spawned a discussion about ease of management and Linux's poor security record, definitely worth reading ***

Interview - Dru Lavigne - dru@freebsd.org / @bsdevents

FreeBSD's documentation printing, documentation springs, various topics

Tutorial

Automatic, unattended OpenBSD installs with PXE

News Roundup

pfSense 2.1.1 released

• A new version of pfSense is released, mainly to fix some security issues
• Tracking some recent FreeBSD advisories, pfSense usually only applies the ones that would matter on a firewall or router
• There are also some NIC driver updates and other things
• Of course if you want to learn more about pfSense, watch episode 25
• 2.1.2 is already up for testing too ***

FreeBSD gets UEFI support

• It looks like FreeBSD's battle with UEFI may be coming to a close?
• Ed Maste committed a giant list of patches to enable UEFI support on x86_64
• Look through the list to see all the details and information
• Thanks FreeBSD foundation! ***

Ideas for the next DragonflyBSD release

• Mr. Dragonfly release engineer himself, Justin Sherrill posts some of his ideas for the upcoming release
• They're aiming for late May for the next version
• Ideas include better support for running in a VM, pkgng fixes, documentation updates and PAM support
• Gasp, they're even considering dropping i386 ***

PCBSD weekly digest

• Lots of new PBI updates for 10.0, new runtime implementation
• New support for running 32 bit applications in PBI runtime
• New default CD and DVD player, umplayer
• Latest GNOME 3 and Cinnamon merged, new edge package builds ***

Feedback/Questions

• Remy writes in
• Jan writes in
• Eddie writes in
• Zen writes in
• Sean writes in ***

This episode was brought to you by

Headlines

Tailoring OpenBSD for an old, strange computer

• The author of this article had an OmniBook 800CT, which comes with a pop-out mouse, black and white display, 32MB of RAM and a 133MHz CPU
• Obviously he had to install some kind of BSD on it!
• This post goes through all his efforts of trimming down OpenBSD to work on such a limited device
• He goes through the trial and error of "compile, break it, rebuild, try again"
• After cutting a lot out from the kernel, saving a precious megabyte here and there, he eventually gets it working ***

pkgsrcCon and BSDCan

• pkgsrccon is "a technical conference for people working on the NetBSD Packages Collection, focusing on existing technologies, research projects, and works-in-progress in pkgsrc infrastructure"
• This year it will be on June 21st and 22nd
• The schedule is still being worked out, so if you want to give a talk, submit it
• BSDCan's schedule was also announced
• We'll be having presentations about ARM on NetBSD and FreeBSD, PF on OpenBSD, Capsicum and casperd, ASLR in FreeBSD, more about migrating from Linux to BSD, FreeNAS stuff and much more
• Kris' presentation was accepted!
• Tons of topics, look forward to the recorded versions of all of them hopefully! ***

Two factor auth with pushover

• A new write-up from our friend Ted Unangst
• Pushover is "a web hook to smartphone push notification gateway" - you sent a POST to a web server and it sends a code to your phone
• His post goes through the steps of editing your login.conf and setting it all up to work
• Now you can get a two factor authenticated login for ssh! ***

The status of GNOME 3 on BSD

• It's no secret that the GNOME team is a Linux-obsessed bunch, almost to the point of being hostile towards other operating systems
• OpenBSD keeps their GNOME 3 ports up to date very well, and Antoine Jacoutot writes about his work on that and how easy it is to use
• This post goes through the process of how simple it is to get GNOME 3 set up on OpenBSD and even includes a screencast
• A few recent posts from some GNOME developers show that they're finally working with the BSD guys to improve portability
• The FreeBSD and OpenBSD teams are working together to bring the latest GNOME to all of us - it's a beautiful thing
• This goes right along with our interview today! ***

Interview - Joe Marcus Clark - marcus@freebsd.org

The life and daily activities of portmgr, GNOME 3, Tinderbox, portlint, various topics

Tutorial

The FreeBSD Ports Collection

News Roundup

DragonflyBSD 3.8 goals and 3.6.1 release

• The Dragonfly team is thinking about what should be in version 3.8
• On their bug tracker, it lists some of the things they'd like to get done before then
• In the meantime, 3.6.1 was released with lots of bugfixes ***

NYCBSDCon 2014 wrap-up piece

• We've got a nice wrap-up titled "NYCBSDCon 2014 Heats Up a Cold Winter Weekend"
• The author also interviews GNN about the conference
• There's even a little "beginner introduction" to BSD segment
• Includes a mention of the recently-launched journal and lots of pictures from the event ***

FreeBSD and Linux, a comparative analysis

• GNN in yet another story - he gave a presentation at the NYLUG about the differences between FreeBSD and Linux
• He mentions the history of BSD, the patch set and 386BSD, the lawsuit, philosophy and license differences, a complete system vs "distros," development models, BSD-only features and technologies, how to become a committer, overall comparisons, different hats and roles, the different bsds and their goals and actual code differences
• Serves as a good introduction you can show your Linux friends ***

PCBSD CFT and weekly digest

• Upgrade tools have gotten a major rewrite
• You have to help test it, there is no choice! Read more here
• How dare Kris be "unimpressed with" freebsd-update and pkgng!?
• Various updates and fixes ***

Feedback/Questions

• Jeffrey writes in
• Shane writes in
• Ferdinand writes in
• Curtis writes in
• Clint writes in
• Peter writes in ***