NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

From Cloud Chaos to FreeBSD Efficiency

August 2024 Foundation Update

News Roundup

Emails encryption at rest on OpenBSD using dovecot and GPG

Workarounds are often forever (unless you work to make them otherwise)

Remote Desktop using RDP and VNC

Iconography of the X Window System: The Boot Stipple

Plan 9 is a Uniquely Complete Operating System

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

Headlines

EuroBSDcon 2019 Recap

We’re back from EuroBSDcon in Lillehammer, Norway. It was a great conference with 212 people attending. 2 days of tutorials, parallel to the FreeBSD Devsummit, followed by two days of talks. Some speakers uploaded their slides to papers.freebsd.org already with more to come.

The social event was also interesting. We visited an open air museum with building preserved from different time periods. In the older section they had a collection of farm buildings, a church originally built in the 1200s and relocated to the museum, and a school house. In the more modern area, they had houses from 1915, and each decade from 1930 to 1990, plus a “house of the future” as imagined in 2001. Many had open doors to allow you to tour the inside, and some were even “inhabited”. The latter fact gave a much more interactive experience and we could learn additional things about the history of that particular house. The town at the end included a general store, a post office, and more. Then, we all had a nice dinner together in the museum’s restaurant.

• The opening keynote by Patricia Aas was very good. Her talk on embedded ethics, from her perspective as someone trying to defend the sanctity of Norwegian elections, and a former developer for the Opera web browser, provided a great deal of insight into the issues. Her points about how the tech community has unleashed a very complex digital work upon people with barely any technical literacy were well taken. Her stories of trying to explain the problems with involving computers in the election process to journalists and politicians struck a chord with many of us, who have had to deal with legislation written by those who do not truly understand the issues with technology.

Setting up buildbot in FreeBSD jails

In this article, I would like to present a tutorial to set up buildbot, a continuous integration (CI) software (like Jenkins, drone, etc.), making use of FreeBSD’s containerization mechanism "jails". We will cover terminology, rationale for using both buildbot and jails together, and installation steps. At the end, you will have a working buildbot instance using its sample build configuration, ready to play around with your own CI plans (or even CD, it’s very flexible!). Some hints for production-grade installations are given, but the tutorial steps are meant for a test environment (namely a virtual machine). Buildbot’s configuration and detailed concepts are not in scope here.

Setting up a mail server with OpenSMTPD, Dovecot and Rspamd

• Self-hosting and encouraging smaller providers is for the greater good

First of all, I was not clear enough about the political consequences of centralizing mail services at Big Mailer Corps.

It doesn’t make sense for Random Joe, sharing kitten pictures with his family and friends, to build a personal mail infrastructure when multiple Big Mailer Corps offer “for free” an amazing quality of service. They provide him with an e-mail address that is immediately available and which will generally work reliably. It really doesn’t make sense for Random Joe not to go there, and particularly if even techies go there without hesitation, proving it is a sound choice.

There is nothing wrong with Random Joes using a service that works.

What is terribly wrong though is the centralization of a communication protocol in the hands of a few commercial companies, EVERY SINGLE ONE OF THEM coming from the same country (currently led by a lunatic who abuses power and probably suffers from NPD), EVERY SINGLE ONE OF THEM having been in the news and/or in a court for random/assorted “unpleasant” behaviors (privacy abuses, eavesdropping, monopoly abuse, sexual or professional harassment, you just name it…), and EVERY SINGLE ONE OF THEM growing user bases that far exceeds the total population of multiple countries combined.

News Roundup

The HamBSD project aims to bring amateur packet radio to OpenBSD

The HamBSD project aims to bring amateur packet radio to OpenBSD, including support for TCP/IP over AX.25 and APRS tracking/digipeating in the base system.

HamBSD will not provide a full AX.25 stack but instead only implement support for UI frames. There will be a focus on simplicity, security and readable code.

The amateur radio community needs a reliable platform for packet radio for use in both leisure and emergency scenarios. It should be expected that the system is stable and resilient (but as yet it is neither).

DragonFlyBSD's HAMMER2 Gets Basic FSCK Support

HAMMER2 is Copy on Write, meaning changes are made to copies of existing data. This means operations are generally atomic and can survive a power outage, etc. (You should read up on it!) However, there’s now a fsck command, useful if you want a report of data validity rather than any manual repair process.

• commit

Add initial fsck support for HAMMER2, although CoW fs doesn't require fsck as a concept. Currently no repairing (no write), just verifying.

Keep this as a separate command for now.
https://i.redd.it/vkdss0mtdpo31.jpg

---

The return of startx for users

Add modesetting driver as a fall-back when appropriate such that we can use it when running without root privileges which prevents us from scanning the PCI bus.

This makes startx(1)/xinit(1) work again on modern systems with inteldrm(4), radeondrm(4) and amdgpu(4). In some cases this will result in using a different driver than with xenodm(4) which may expose issues (e.g. when we prefer the intel Xorg driver) or loss of acceleration (e.g. older cards supported by radeondrm(4)).

Beastie Bits

• Ori Bernstein will be giving the October talk at NYCBUG
• BSD Pizza Night: 2019/09/26, 7–9PM, Portland, Oregon, USA
• Nick Wolff : Home Lab Show & Tell
• Installing the Lumina Desktop in DragonflyBSD
• dhcpcd 8.0.6 added

Feedback/Questions

• Bruce - FOSDEM videos
• Lars - Super Cluster of BSD on Rock64Pr
• Madhukar - Question

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

Headlines

More BSDCan 2015 videos

• Almost as if we said it would happen last week, more BSD-related presentation videos have been uploaded
• Alexander Motin, Feature-rich and fast SCSI target with CTL and ZFS
• Daichi Goto, FreeBSD for High Density Servers
• Ken Moore, Lumina-DE
• Kevin Bowling, FreeBSD Operations at Limelight Networks
• Maciej Pasternacki, Jetpack, a container runtime for FreeBSD
• Ray Percival, Networking with OpenBSD in a virtualized environment
• Reyk Floeter, Introducing OpenBSD's new httpd
• Still more to come, hopefully ***

OpenBSD httpd rewrite support

• One of the most-requested features of OpenBSD's new HTTP daemon (in fact, you can hear someone asking about it in the video just above) is rewrite support
• There were concerns about regex code being too complicated and potentially allowing another attack surface, so that was out
• Instead, Reyk ported over an implementation of lua pattern matching while on the flight back from BSDCan, turning it into a C API without the lua bindings
• In the mailing list post, he shows an example of how to use it for redirects and provides the diff if you'd like to give it a try now
• It's since been committed to -current, so you can try it out with a snapshot too ***

SSH 2FA on FreeBSD

• We've discussed different ways to lock down SSH access to your BSD boxes before - use keys instead of passwords, whitelist IPs, or even use two-factor authentication
• This article serves as a sort of "roundup" on different methods to set up two-factor authentication on FreeBSD
• It touches on key pairs with a server-side password, google authenticator and a few other variations
• While the article is focused on FreeBSD, a lot of it can be easily applied to the others too
• OpenSSH has a great security record, but two-factor authentication is always a good thing to have for the most important systems ***

NetBSD 7.0-RC1 released

• NetBSD has just announced the first release candidate for the 7.0 branch, after a long delay since the initial beta (11 months ago)
• Some of the standout features include: improved KMS/DRM with support for modern GPUs, SMP support on ARM, lots of new ARM boards officially supported, GPT support in the installer, Lua kernel scripting, a multiprocessor USB stack, improvements to NPF (their firewall) and, optionally, Clang 3.6.1
• They're looking for as much testing as possible, so give it a try and report your findings to the release engineering team ***

Interview - Sean Chittenden - seanc@freebsd.org / @seanchittenden

FreeBSD at Groupon, ZFS

News Roundup

OpenSMTPD and Dovecot

• We've covered a number of OpenSMTPD mail server guides on the show, each with just a little something different to offer than the last
• This blog post about it has something not mentioned before: virtual domains and virtual users
• This means you can easily have "user1@domain.com" and "user2@otherdomain.com" both go to a local user on the box (or a different third address)
• It also covers SSL certificates, blocking spam and setting up IMAP access, the usual
• Now might also be a good time to test out OpenSMTPD 5.7.1-rc1, which we'll cover in more detail when it's released... ***

OctoPkg, a QT frontend to pkgng

• A PC-BSD user has begun porting over a graphical package management utility from Arch linux called Octopi
• Obviously, it needed to be rewritten to use FreeBSD's pkg system instead of pacman
• There are some basic instructions on how to get it built and running on the github page
• After some testing, it'll likely make its way to the FreeBSD ports tree
• Tools like this might make it easier for desktop users (who are used to similar things in Ubuntu or related distros) to switch over ***

AFL vs. mandoc, a quantitative analysis

• Ingo Schwarze has written a pretty detailed article about how he and other OpenBSD developers have been fuzzing mandoc with AFL
• It's meant to be accompanying material to his BSDCan talk, which already covered nine topics
• mandoc is an interesting example to stress test with fuzzing, since its main job is to take and parse some highly varying input
• The article breaks down the 45 different bugs that were found, based on their root cause
• If you're interested in secure coding practices, this'll be a great one to read ***

OpenZFS conference videos

• Videos from the second OpenZFS conference have just started to show up
• The first talk is by, you guessed it, Matt Ahrens
• In it, he covers some ZFS history, the Oracle takeover, the birth of illumos and OpenZFS, some administration basics and also some upcoming features that are being worked on
• There are also videos from Nexenta and HGST, talking about how they use and contribute to OpenZFS ***

Feedback/Questions

• Bryson writes in
• Kevin writes in ***

This episode was brought to you by

Headlines

Key rotation in OpenSSH 6.8

• Damien Miller posted a new blog entry about one of the features in the upcoming OpenSSH 6.8
• Times changes, key types change, problems are found with old algorithms and we switch to new ones
• In OpenSSH (and the SSH protocol) however, there hasn't been an easy way to rotate host keys... until now
• With this change, when you connect to a server, it will log all the server's public keys in your known_hosts file, instead of just the first one used during the key exchange
• Keys that are in your known_hosts file but not on the server will get automatically removed
• This fixes the problem of old servers still authenticating with ancient DSA or small RSA keys, as well as providing a way for the server to rotate keys every so often
• There are some instructions in the blog post for how you'll be able to rotate host keys and eventually phase out the older ones - it's really simple
• There are a lot of big changes coming in OpenSSH 6.8, so we'll be sure to cover them all when it's released ***

NetBSD Banana Pi images

• We've talked about the Banana Pi a bit before - it's a small ARM board that's comparable to the popular Raspberry Pi
• Some NetBSD -current images were posted on the mailing list, so now you can get some BSD action on one of these little devices
• There are even a set of prebuilt pkgsrc packages, so you won't have to compile everything initially
• The email includes some steps to get everything working and an overview of what comes with the image
• Also check the wiki page for some related boards and further instructions on getting set up
• On a related note, NetBSD also recently got GPU acceleration working for the Raspberry Pi (which is a first for their ARM port) ***

LibreSSL shirts and other BSD goodies

• If you've been keeping up with the LibreSSL saga and want a shirt to show your support, they're finally available to buy online
• There are two versions, either "keep calm and use LibreSSL" or the slightly more snarky "keep calm and abandon OpenSSL"
• While on the topic, we thought it would be good to make people aware of shirts for other BSD projects too
• You can get some FreeBSD, PCBSD and FreeNAS stuff from the FreeBSD mall site
• OpenBSD recently launched their new store, but the selection is still a bit limited right now
• NetBSD has a couple places where you can buy shirts and other apparel with the flag logo on it
• We couldn't find any DragonFlyBSD shirts unfortunately, which is a shame since their logo is pretty cool
• Profits from the sale of the gear go back to the projects, so pick up some swag and support your BSD of choice (and of course wear them at any Linux events you happen to go to) ***

OPNsense 15.1.4 released

• The OPNsense guys have been hard at work since we spoke to them, fixing lots of bugs and keeping everything up to date
• A number of versions have come out since then, with 15.1.4 being the latest (assuming they haven't updated it again by the time this airs)
• This version includes the latest round of FreeBSD kernel security patches, as well as minor SSL and GUI fixes
• They're doing a great job of getting upstream fixes pushed out to users quickly, a very welcome change
• A developer has also posted an interesting write-up titled "Development Workflow in OPNsense"
• If any of our listeners are trying OPNsense as their gateway firewall, let us know how you like it ***

Interview - Ed Maste - board@freebsdfoundation.org

The FreeBSD foundation's activities

News Roundup

Rolling with OpenBSD snapshots

• One of the cool things about the -current branch of OpenBSD is that it doesn't require any compiling
• There are signed binary snapshots being continuously re-rolled and posted on the FTP sites for every architecture
• This provides an easy method to get onboard with the latest features, and you can also easily upgrade between them without reformatting or rebuilding
• This blog post will walk you through the process of using snapshots to stay on the bleeding edge of OpenBSD goodness
• After using -current for seven weeks, the author comes to the conclusion that it's not as unstable as people might think
• He's now helping test out patches and new ports since he's running the same code as the developers ***

Signing pkgsrc packages

• As of the time this show airs, the official pkgsrc packages aren't cryptographically signed
• Someone from Joyent has been working on that, since they'd like to sign their pkgsrc packages for SmartOS
• Using GNUPG pulled in a lot of dependencies, and they're trying to keep the bootstrapping process minimal
• Instead, they're using netpgpverify, a fork of NetBSD's netpgp utility
• Maybe someday this will become the official way to sign packages in NetBSD? ***

FreeBSD support model changes

• Starting with 11.0-RELEASE, which won't be for a few months probably, FreeBSD releases are going to have a different support model
• The plan is to move "from a point release-based support model to a set of releases from a branch with a guaranteed support lifetime"
• There will now be a five-year lifespan for each major release, regardless of how many minor point releases it gets
• This new model should reduce the turnaround time for errata and security patches, since there will be a lot less work involved to build and verify them
• Lots more detail can be found in the mailing list post, including some important changes to the -STABLE branch, so give it a read ***

OpenSMTPD, Dovecot and SpamAssassin

• We've been talking about setting up your own BSD-based mail server on the last couple episodes
• Here we have another post from a user setting up OpenSMTPD, including Dovecot for IMAP and SpamAssassin for spam filtering
• A lot of people regularly ask the developers how to combine OpenSMTPD with spam filtering, and this post should finally reveal the dark secrets
• In addition, it also covers SSL certificates, PKI and setting up MX records - some things that previous posts have lacked
• Just be sure to replace those "apt-get" commands and "eth0" interface names with something a bit more sane…
• In related news, OpenSMTPD has got some interesting new features coming soon
• They're also planning to switch to LibreSSL by default for the portable version ***

FreeBSD 10 on the Thinkpad T400

• BSD laptop articles are becoming popular it seems - this one is about FreeBSD on a T400
• Like most of the ones we've mentioned before, it shows you how to get a BSD desktop set up with all the little tweaks you might not think to do
• This one differs in that it takes a more minimal approach to graphics: instead of a full-featured environment like XFCE or KDE, it uses the i3 tiling window manager
• If you're a commandline junkie that basically just uses X11 to run more than one terminal at once, this might be an ideal setup for you
• The post also includes some bits about the DRM and KMS in the 10.x branch, as well as vt ***

PC-BSD 10.1.1 Released

• Automatic background updater now in
• Shiny new Qt5 utils
• OVA files for VM’s
• Full disk encryption with GELI v7 ***

Feedback/Questions

• Camio writes in
• Sha'ul writes in
• John writes in
• Sean writes in (TJ's lengthy reply)
• Christopher writes in ***

Mailing List Gold

• Special Instructions
• Pretending to be a VT220 ***