This episode was brought to you by

Headlines

More BSDCan 2015 videos

• Almost as if we said it would happen last week, more BSD-related presentation videos have been uploaded
• Alexander Motin, Feature-rich and fast SCSI target with CTL and ZFS
• Daichi Goto, FreeBSD for High Density Servers
• Ken Moore, Lumina-DE
• Kevin Bowling, FreeBSD Operations at Limelight Networks
• Maciej Pasternacki, Jetpack, a container runtime for FreeBSD
• Ray Percival, Networking with OpenBSD in a virtualized environment
• Reyk Floeter, Introducing OpenBSD's new httpd
• Still more to come, hopefully ***

OpenBSD httpd rewrite support

• One of the most-requested features of OpenBSD's new HTTP daemon (in fact, you can hear someone asking about it in the video just above) is rewrite support
• There were concerns about regex code being too complicated and potentially allowing another attack surface, so that was out
• Instead, Reyk ported over an implementation of lua pattern matching while on the flight back from BSDCan, turning it into a C API without the lua bindings
• In the mailing list post, he shows an example of how to use it for redirects and provides the diff if you'd like to give it a try now
• It's since been committed to -current, so you can try it out with a snapshot too ***

SSH 2FA on FreeBSD

• We've discussed different ways to lock down SSH access to your BSD boxes before - use keys instead of passwords, whitelist IPs, or even use two-factor authentication
• This article serves as a sort of "roundup" on different methods to set up two-factor authentication on FreeBSD
• It touches on key pairs with a server-side password, google authenticator and a few other variations
• While the article is focused on FreeBSD, a lot of it can be easily applied to the others too
• OpenSSH has a great security record, but two-factor authentication is always a good thing to have for the most important systems ***

NetBSD 7.0-RC1 released

• NetBSD has just announced the first release candidate for the 7.0 branch, after a long delay since the initial beta (11 months ago)
• Some of the standout features include: improved KMS/DRM with support for modern GPUs, SMP support on ARM, lots of new ARM boards officially supported, GPT support in the installer, Lua kernel scripting, a multiprocessor USB stack, improvements to NPF (their firewall) and, optionally, Clang 3.6.1
• They're looking for as much testing as possible, so give it a try and report your findings to the release engineering team ***

Interview - Sean Chittenden - seanc@freebsd.org / @seanchittenden

FreeBSD at Groupon, ZFS

News Roundup

OpenSMTPD and Dovecot

• We've covered a number of OpenSMTPD mail server guides on the show, each with just a little something different to offer than the last
• This blog post about it has something not mentioned before: virtual domains and virtual users
• This means you can easily have "user1@domain.com" and "user2@otherdomain.com" both go to a local user on the box (or a different third address)
• It also covers SSL certificates, blocking spam and setting up IMAP access, the usual
• Now might also be a good time to test out OpenSMTPD 5.7.1-rc1, which we'll cover in more detail when it's released... ***

OctoPkg, a QT frontend to pkgng

• A PC-BSD user has begun porting over a graphical package management utility from Arch linux called Octopi
• Obviously, it needed to be rewritten to use FreeBSD's pkg system instead of pacman
• There are some basic instructions on how to get it built and running on the github page
• After some testing, it'll likely make its way to the FreeBSD ports tree
• Tools like this might make it easier for desktop users (who are used to similar things in Ubuntu or related distros) to switch over ***

AFL vs. mandoc, a quantitative analysis

• Ingo Schwarze has written a pretty detailed article about how he and other OpenBSD developers have been fuzzing mandoc with AFL
• It's meant to be accompanying material to his BSDCan talk, which already covered nine topics
• mandoc is an interesting example to stress test with fuzzing, since its main job is to take and parse some highly varying input
• The article breaks down the 45 different bugs that were found, based on their root cause
• If you're interested in secure coding practices, this'll be a great one to read ***

OpenZFS conference videos

• Videos from the second OpenZFS conference have just started to show up
• The first talk is by, you guessed it, Matt Ahrens
• In it, he covers some ZFS history, the Oracle takeover, the birth of illumos and OpenZFS, some administration basics and also some upcoming features that are being worked on
• There are also videos from Nexenta and HGST, talking about how they use and contribute to OpenZFS ***

Feedback/Questions

• Bryson writes in
• Kevin writes in ***

This episode was brought to you by

Headlines

Solaris' networking future is with OpenBSD

• A curious patch from someone with an Oracle email address was recently sent in to one of the OpenBSD mailing lists
• It was revealed that future releases of Solaris are going to drop their IPFilter firewall entirely, in favor of a port of the current version of PF
• For anyone unfamiliar with the history of PF, it was actually made as a replacement for IPFilter in OpenBSD, due to some licensing issues
• What's more, Solaris was the original development platform for IPFilter, so the fact that it would be replaced in its own home is pretty interesting
• This blog post goes through some of the backstory of the two firewalls
• PF is in a lot of places - other BSDs, Mac OS X and iOS - but there are plenty of other OpenBSD-developed technologies end up ported to other projects too
• "Many of the world's largest corporations and government agencies are heavy Solaris users, meaning that even if you're neither an OpenBSD user or a Solaris user, your kit is likely interacting intensely with both kinds, and with Solaris moving to OpenBSD's PF for their filtering needs, we will all be benefiting even more from the OpenBSD project's emphasis on correctness, quality and security"
• You're welcome, Oracle ***

BAFUG discussion videos

• The Bay Area FreeBSD users group has been uploading some videos from their recent meetings
• Sean Bruno gave a recap of his experiences at EuroBSDCon last year, including the devsummit and some proposed ideas from it (as well as their current status)
• Craig Rodrigues also gave a talk about Kyua and the FreeBSD testing framework
• Lastly, Kip Macy gave a talk titled "network stack changes, user-level FreeBSD"
• The main two subjects there are some network stack changes, and how to get more people contributing, but there's also open discussion about a variety of FreeBSD topics
• If you're close to the Bay Area in California, be sure to check out their group and attend a meeting sometime ***

More than just a makefile

• If you're not a BSD user just yet, you might be wondering how the various ports and pkgsrc systems compare to the binary way of doing things on Linux
• This blog entry talks about the ports system in OpenBSD, but a lot of the concepts apply to all the ports systems across the BSDs
• As it turns out, the ports system really isn't that different from a binary package manager - they are what's used to create binary packages, after all
• The author goes through what makefiles do, customizing which options software is compiled with, patching source code to build and getting those patches back upstream
• After that, he shows you how to get your new port tested, if you're interesting in doing some porting yourself, and getting involved with the rest of the community
• This post is very long and there's a lot more to it, so check it out (and more discussion on Hacker News) ***

Securing your home fences

• Hopefully all our listeners have realized that trusting your network(s) to a consumer router is a bad idea by now
• We hear from a lot of users who want to set up some kind of BSD-based firewall, but don't hear back from them after they've done it.. until now
• In this post, someone goes through the process of setting up a home firewall using OPNsense on a PCEngines APU board
• He notes that you have a lot of options software-wise, including vanilla FreeBSD, OpenBSD or even Linux, but decided to go with OPNsense because of the easy interface and configuration
• The post covers all the hardware you'll need, getting the OS installed to a flash drive or SD card and going through the whole process
• Finally, he goes through setting up the firewall with the graphical interface, applying updates and finishing everything up
• If you don't have any experience using a serial console, this guide also has some good info for beginners about those (which also applies to regular FreeBSD)
• We love super-detailed guides like this, so everyone should write more and send them to us immediately ***

Interview - Pascal Stumpf - pascal@openbsd.org

Static PIE in OpenBSD

News Roundup

LLVM's new libFuzzer

• We've discussed fuzzing on the show a number of times, albeit mostly with the American Fuzzy Lop utility
• It looks like LLVM is going to have their own fuzzing tool too now
• The Clang and LLVM guys are no strangers to this type of code testing, but decided to "close the loop" and start fuzzing parts of LLVM (including Clang) using LLVM itself
• With Clang being the default in both FreeBSD and Bitrig, and with the other BSDs considering the switch, this could make for some good bug hunting across all the projects in the future ***

HardenedBSD upgrades secadm

• The HardenedBSD guys have released a new version of their secadm tool, with the showcase feature being integriforce support
• We covered both the secadm tool and integriforce in previous episodes, but the short version is that it's a way to prevent files from being altered (even as root)
• Their integriforce feature itself has also gotten a couple improvements: shared objects are now checked too, instead of just binaries, and it uses more caching to speed up the whole process now ***

RAID5 returns to OpenBSD

• OpenBSD's softraid subsystem, somewhat similar to FreeBSD's GEOM, has had experimental RAID5 support for a while
• However, it was exactly that - experimental - and required a recompile to enable
• With some work from recent hackathons, the final piece was added to enable resuming partial array rebuilds
• Now it's on by default, and there's a call for testing being put out, so grab a snapshot and put the code through its paces
• The bioctl softraid command also now supports DUIDs during pseudo-device detachment, possibly paving the way for the installer to drop the "do you want to enable DUIDs?" question entirely ***

pkgng 1.5.0 released

• Going back to what we talked about last week, the final version of pkgng 1.5.0 is out
• The "provides" and "requires" support is finally in a regular release
• A new "-r" switch will allow for direct installation to a chroot or alternate root directory
• Memory usage should be much better now, and some general code speed-ups were added
• This version also introduces support for Mac OS X, NetBSD and EdgeBSD - it'll be interesting to see if anything comes of that
• Many more bugs were fixed, so check the mailing list announcement for the rest (and plenty new bugs were added, according to bapt) ***

p2k15 hackathon reports

• There was another OpenBSD hackathon that just finished up in the UK - this time it was mainly for ports work
• As usual, the developers sent in reports of some of the things they got done at the event
• Landry Breuil, both an upstream Mozilla developer and an OpenBSD developer, wrote in about the work he did on the Firefox port (specifically WebRTC) and some others, as well as reviewing lots of patches that were ready to commit
• Stefan Sperling wrote in, detailing his work with wireless chipsets, specifically when the vendor doesn't provide any hardware documentation, as well as updating some of the games in ports
• Ken Westerback also sent in a report, but decided to be a rebel and not work on ports at all - he got a lot of GPT-related work done, and also reviewed the RAID5 support we talked about earlier ***

Feedback/Questions

• Shaun writes in
• Hrishi writes in
• Randy writes in
• Zach writes in
• Ben writes in ***

Mailing List Gold

• Gstreamer hates us
• At least he's honest
• I find myself in a situation ***

This episode was brought to you by

Headlines

The missing EuroBSDCon videos

• Some of the missing videos from EuroBSDCon 2014 we mentioned before have mysteriously appeared
• Jordan Hubbard, FreeBSD, looking forward to another 10 years
• Lourival Viera Neto, NPF scripting with Lua
• Kris Moore, Snapshots, replication and boot environments
• Andy Tanenbaum, A reimplementation of NetBSD based on a microkernel
• Kirk McKusick, An introduction to FreeBSD's implementation of ZFS
• Emannuel Dreyfus, FUSE and beyond, bridging filesystems
• John-Mark Gurney, Optimizing GELI performance
• Unfortunately, there are still about six talks missing… and no ETA ***

FreeBSD on a MacBook Pro (or two)

• We've got a couple posts about running FreeBSD on a MacBook Pro this week
• In the first one, the author talks a bit about trying to run Linux on his laptop for quite a while, going back and forth between it and something that Just Works™
• Eventually he came full circle, and the focus on using only GUI tools got in the way, instead of making things easier
• He works on a lot of FreeBSD-related software, so switching to it for a desktop seems to be the obvious next step
• He's still not quite to that point yet, but documents his experiments with BSD as a desktop
• The second article also documents an ex-Linux user switching over to BSD for their desktop
• It also covers power management, bluetooth and trackpad setup
• On the topic of Gentoo, "Underneath the beautiful and easy-to-use Portage system lies the same glibc, the same turmoil over a switch to a less-than-ideal init system, and the same kernel-level bugs that bring my productivity down"
• Check out both articles if you've been considering running FreeBSD on a MacBook ***

Remote logging over TLS

• In most of the BSDs, syslogd has been able to remotely send logs to another server for a long time
• That feature can be very useful, especially for forensics purposes - it's much harder for an attacker to hide their activities if the logs aren't on the same server
• The problem is, of course, that it's sent in cleartext, unless you tunnel it over SSH or use some kind of third party wrapper
• With a few recent commits, OpenBSD's syslogd now supports sending logs over TLS natively, including X509 certificate verification
• By default, syslogd runs as an unprivileged user in a chroot on OpenBSD, so there were some initial concerns about certificate verification - how does that user access the CA chain outside of the chroot?
• That problem was also conquered, by loading the CA chain directly from memory, so the entire process can be run in the chroot without issue
• Some of the privsep verifcation code even made its way into LibreSSL right afterwards
• If you haven't set up remote logging before, now might be an interesting time to try it out ***

FreeBSD, not a Linux distro

• George Neville-Neil gave a presentation recently, titled "FreeBSD: not a Linux distro"
• It's meant to be an introduction to new users that might've heard about FreeBSD, but aren't familiar with any BSD history
• He goes through some of that history, and talks about what FreeBSD is and why you might want to use it over other options
• There's even an interesting "thirty years in three minutes" segment
• It's not just a history lesson though, he talks about some of the current features and even some new things coming in the next version(s)
• We also learn about filesystems, jails, capsicum, clang, dtrace and the various big companies using FreeBSD in their products
• This might be a good video to show your friends or potential employer if you're looking to introduce FreeBSD to them ***

Long-term support considered harmful

• There was recently a pretty horrible bug in GNU's libc (BSDs aren't affected, don't worry)
• Aside from the severity of the actual problem, the fix was delayed for quite a long time, leaving people vulnerable
• Ted Unangst writes a post about how this idea of long-term support could actually be harmful in the long run, and compares it to how OpenBSD does things
• OpenBSD releases a new version every six months, and only the two most recent releases get support and security fixes
• He describes this as both a good thing and a bad thing: all the bugs in the ecosystem get flushed out within a year, but it forces people to stay (relatively) up-to-date
• "Upgrades only get harder and more painful (and more fragile) the longer one goes between them. More changes, more damage. Frequent upgrades amortize the cost and ensure that regressions are caught early."
• There was also some discussion about the article you can check out ***

Interview - Andrew Tanenbaum - info@minix3.org / @minix3

MINIX's integration of NetBSD

News Roundup

Using AFL on OpenBSD

• We've talked about American Fuzzy Lop a bit on a previous episode, and how some OpenBSD devs are using it to catch and fix new bugs
• Undeadly has a cool guide on how you can get started with fuzzing
• It's a little on the advanced side, but if you're interested in programming or diagnosing crashes, it'll be a really interesting article to read
• Lots of recent CVEs in other open source projects are attributed to fuzzing - it's a great way to stress test your software ***

Lumina 0.8.1 released

• A new version of Lumina, the BSD-licensed desktop environment from PCBSD, has been released
• This update includes some new plugins, lots of bugfixes and even "quality-of-life improvements"
• There's a new audio player desktop plugin, a button to easily minimize all windows at once and some cool new customization options
• You can get it in PCBSD's edge repo or install it through regular ports (on FreeBSD, OpenBSD or DragonFly!)
• If you haven't seen our episode about Lumina, where we interview the developer and show you a tour of its features, gotta go watch it ***

My first OpenBSD port

• The author of the "Code Rot & Why I Chose OpenBSD" article has a new post up, this time about ports
• He recently made his first port and got it into the tree, so he talks about the whole process from start to finish
• After learning some of the basics and becoming comfortable running -current, he noticed there wasn't a port for the "Otter" web browser
• At that point he did what you're supposed to do in that situation, and started working on it himself
• OpenBSD has a great porter's handbook that he referenced throughout the process
• Long story short, his browser of choice is in the official ports collection and now he's the maintainer (and gets to deal with any bug reports, of course)
• If some software you use isn't available for whatever BSD you're using, you could be the one to make it happen ***

How to slide with DragonFly

• DragonFly BSD has a new HAMMER FS utility called "Slider"
• It's used to easily browse through file history and undelete files - imagine something like a commandline version of Apple's Time Machine
• They have a pretty comprehensive guide on how to use it on their wiki page
• If you're using HAMMER FS, this is a really handy tool to have, check it out ***

OpenSMTPD with Dovecot and Salt

• We recently had a feedback question about which mail servers you can use on BSD - Postfix, Exim and OpenSMTPD being the big three
• This blog post details how to set up OpenSMTPD, including Dovecot for IMAP and Salt for quick and easy deployment
• Intrigued by it becoming the default MTA in OpenBSD, the author decided to give it a try after being a long-time Postfix fan
• "Small, fast, stable, and very easy to customize, no more ugly m4 macros to deal with"
• Check it out if you've been thinking about configuring your first mail server on any of the BSDs ***

Feedback/Questions

• Christopher writes in (handbook section)
• Mark writes in
• Kevin writes in
• Stefano writes in
• Matthew writes in ***

Mailing List Gold

• Not that interested actually
• This guy again
• Yep, this is the place ***

This episode was brought to you by

Headlines

Even more BSD presentation videos

• More videos from this year's MeetBSD and OpenZFS devsummit were uploaded since last week
• Robert Ryan, At the Heart of the Digital Economy
• FreeNAS & ZFS, The Indestructible Duo - Except for the Hard Drives
• Richard Yao, libzfs_core and ioctl stabilization
• OpenZFS, Company lightning talks
• OpenZFS, Hackathon Presentation and Awards
• Pavel Zakharov, Fast File Cloning
• Rick Reed, Half a billion unsuspecting FreeBSD users
• Alex Reece & Matt Ahrens, Device Removal
• Chris Side, Channel Programs
• David Maxwell, The Unix command pipeline
• Be sure to check out the giant list of videos from last week's episode if you haven't seen them already ***

NetBSD on a Cobalt Qube 2

• The Cobalt Qube was a very expensive networking appliance around 2000
• In 2014, you can apparently get one of these MIPS-based machines for about forty bucks
• This blog post details getting NetBSD installed and set up on the rare relic of our networking past
• If you're an old-time fan of RISC or MIPS CPUs, this'll be a treat for you
• Lots of great pictures of the hardware too ***

OpenBSD vs. AFL

• In their never-ending security audit, some OpenBSD developers have been hitting various parts of the tree with a fuzzer
• If you're not familiar, fuzzing is a semi-automated way to test programs for crashes and potential security problems
• The program being subjected to torture gets all sorts of random and invalid input, in the hopes of uncovering overflows and other bugs
• American Fuzzy Lop, in particular, has provided some interesting results across various open source projects recently
• So far, it's fixed some NULL pointer dereferences in OpenSSH, various crashes in tcpdump and mandoc and a few other things
• AFL has an impressive list of CVEs (vulnerabilities) that it's helped developers discover and fix
• It also made its way into OpenBSD ports, FreeBSD ports and NetBSD's pkgsrc very recently, so you can try it out for yourself ***

GNOME 3 hits the FreeBSD ports tree

• While you've been able to run GNOME 3 on PC-BSD and OpenBSD for a while, it hasn't actually hit the FreeBSD ports tree.. until now
• Now you can play with GNOME 3 and all its goodies (as well as Cinnamon 2.2, which this also brings in) on vanilla FreeBSD
• Be sure to check the commit message and /usr/ports/UPDATING if you're upgrading from GNOME 2
• You might also want to go back and listen to our interview with Joe Marcus Clark about GNOME's portability ***

Interview - Brendan Gregg - bgregg@netflix.com / @brendangregg

Performance tuning, benchmarks, debugging

News Roundup

DragonFlyBSD 4.0 released

• A new major version of DragonFly, 4.0.1, was just recently announced
• This version includes support for Haswell GPUs, lots of SMP improvements (including some in PF) and support for up to 256 CPUs
• It's also the first release to drop support for i386, so it joins PCBSD in the 64 bit-only club
• Check the release notes for all the details, including networking and kernel improvements, as well as some crypto changes ***

Can we talk about FreeBSD vs Linux

• Hackernews had a recent thread about discussing Linux vs BSD, and the trolls stayed away for once
• Rather than rehashing why one is "better" than the other, it was focused on explaining some of the differences between ecosystems and communities
• If you're one of the many people who watch our show just out of curiosity about the BSD world, this might be a good thread to read
• Someone in the comments even gave bsdnow.tv a mention as a good resource to learn, thanks guy ***

OpenBSD IPSEC tunnel guide

• If you've ever wanted to connect two networks with OpenBSD gateways, this is the article for you
• It shows how to set up an IPSEC tunnel between destinations, how to lock it down and how to access all the machines on the other network just like they were on your LAN
• The article also explains some of the basics of IPSEC if you're not familiar with all the terminology, so this isn't just for experts
• Though the article itself is a few years old, it mostly still applies to the latest stuff today
• All the tools used are in the OpenBSD base system, so that's pretty handy too ***

DragonFly starts work on IPFW2

• DragonFlyBSD, much like FreeBSD, comes with more than one firewall you can use
• Now it looks like you're going to have yet another choice, as someone is working on a fork of IPFW (which is actually already in its second version, so it should be "IPFW3")
• Not a whole lot is known yet; it's still in heavy development, but there's a brief roadmap page with some planned additions
• The guy who's working on this has already agreed to come on the show for an interview, but we're going to give him a chance to get some more work done first
• Expect that sometime next year, once he's made some progress ***

Feedback/Questions

• Michael writes in
• Samael writes in
• Steven writes in
• Remy writes in
• Michael writes in ***