NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Useless use of GNU

Meet the 2021 FreeBSD Google Summer of Code Students

News Roundup

Large Unix programs were historically not all that portable between Unixes

• References this article: I’m not sure that UNIX won *** ### A new path: vm86-based venix emulator *** ### ZFS Is Mysteriously Eating My CPU *** ### traceroute(8) gets speed boost ***

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Al - TransAtlantic Cables
• Christopher - NVMe
• JohnnyK - Vivaldi ***
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

FreeBSD 13.0 R Annoucement

• OpenZFS 2.0 (almost 2.1) is included in 13.0
• Removed support for previously-deprecated algorithms in geli(8).
• The armv8crypto(4) driver now supports AES-GCM which is used by IPsec and kernel TLS.

Enable multi-factor authentication on OpenBSD

In this article I will explain how to add a bit more security to your OpenBSD system by adding a requirement for user logging into the system, locally or by ssh. I will explain how to setup 2 factor authentication (2FA) using TOTP on OpenBSD

News Roundup

KDE on FreeBSD 2021o2

Gosh, second octant already! Well, let’s take a look at the big things that happened in KDE-on-FreeBSD in these six-and-a-half weeks.

GSoC Reports: Make system(3), popen(3) and popenve(3) use posix_spawn(3) internally (Final report)

My code can be found at github.com/teknokatze/src in the gsoc2020 branch, at the time of writing some of it is still missing. The test facilities and logs can be found in github.com/teknokatze/gsoc2020. A diff can be found at github which will later be split into several patches before it is sent to QA for merging.
The initial and defined goal of this project was to make system(3) and popen(3) use posix_spawn(3) internally, which had been completed in June. For the second part I was given the task to replace fork+exec calls in our standard shell (sh) in one scenario. Similar to the previous goal we determined through implementation if the initial motivation, to get performance improvements, is correct otherwise we collect metrics for why posix_spawn() in this case should be avoided. This second part meant in practice that I had to add and change code in the kernel, add a new public libc function, and understand shell internals.

---

A working D compiler on OpenBSD

Dr. Brian Robert Callahan (bcallah@) blogged about his work in getting D compiler(s) working under OpenBSD.

• Full Post ***

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Vasilis - upgrade question
• Dennis - zfs questions
• Daniel Dettlaff - KTLS question

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

This episode was brought to you by

Headlines

Introducing OPNsense, a pfSense fork

• OPNsense is a new BSD-based firewall project that was recently started, forked from the pfSense codebase
• Even though it's just been announced, they already have a formal release based on FreeBSD 10 (pfSense's latest stable release is based on 8.3)
• The core team includes a well-known DragonFlyBSD developer
• You can check out their code on Github now, or download an image and try it out - let us know if you do and what you think about it
• They also have a nice wiki and some instructions on getting started for new users
• We plan on having them on the show next week to learn a bit more about how the project got started and why you might want to use it - stay tuned ***

Code rot and why I chose OpenBSD

• Here we have a blog post about rotting codebases - a core banking system in this example
• The author tells the story of how his last days spent at the job were mostly removing old, dead code from a giant project
• He goes on to compare it to OpenSSL and the hearbleed disaster, from which LibreSSL was born
• Instead of just bikeshedding like the rest of the internet, OpenBSD "silently started putting the beast into shape" as he puts it
• The article continues on to mention OpenBSD's code review process, and how it catches any bugs so we don't have more heartbleeds
• "In OpenBSD you are encouraged to run current and the whole team tries its best to make current as stable as it can. You know why? They eat their own dog food. That's so simple yet so amazing that it blows my mind. Developers actually run OpenBSD on their machines daily."
• It's a very long and detailed story about how the author has gotten more involved with BSD, learned from the mailing lists and even started contributing back - he says "In summary, I'm learning more than ever - computing is fun again"
• Look for the phrase "Getting Started" in the blog post for a nice little gem ***

ZFS vs HAMMER FS

• One of the topics we've seen come up from time to time is how FreeBSD's ZFS and DragonFly's HAMMER FS compare to each other
• They both have a lot of features that traditional filesystems lack
• A forum thread was opened for discussion about them both and what they're typically used for
• It compares resource requirements, ideal hardware and pros/cons of each
• Hopefully someone will do another new comparison when HAMMER 2 is finished
• This is not to be confused with the other "hammer" filesystem ***

Portable OpenNTPD revived

• With ISC's NTPd having so many security vulnerabilities recently, people need an alternative NTP daemon
• OpenBSD has developed OpenNTPD since 2004, but the portable version for other operating systems hasn't been actively maintained in a few years
• The older version still works fine, and is in FreeBSD ports and NetBSD pkgsrc, but it would be nice to have some of the newer features and fixes from the native version
• Brent Cook, who we've had on the show before to talk about LibreSSL, decided it was time to fix this
• While looking through the code, he also found some fixes for the native version as well
• You can grab it from Github now, or just wait for the updated release to hit the repos of your OS of choice ***

Interview - Ian Sutton - ian@kremlin.cc

BSD replacements for systemd dependencies

News Roundup

pkgng adds OS X support

• FreeBSD's next-gen package manager has just added support for Mac OS X
• Why would you want that? Well.. we don't really know, but it's cool
• The author of the patch may have some insight about what his goal is though
• This could open up the door for a cross-platform pkgng solution, similar to NetBSD's pkgsrc
• There's also the possibility of pkgng being used as a packaging format for MacPorts in the future
• While we're on the topic of pkgng, you can also watch bapt's latest presentation about it from ruBSD 2014 - "four years of pkg" ***

Secure secure shell

• Almost everyone watching BSD Now probably uses OpenSSH and has set up a server at one point or another
• This guide provides a list of best practices beyond the typical "disable root login and use keys" advice you'll often hear
• It specifically goes in-depth with server and client configuration with the best key types, KEX methods and encryption ciphers to use
• There are also good explanations for all the choices, based both on history and probability
• Minimal backwards compatibility is kept, but most of the old and insecure stuff gets disabled
• We've also got a handy chart to show which SSH implementations support which ciphers, in case you need to support Windows users or people who use weird clients ***

Dissecting OpenBSD's divert(4)

• PF has a cool feature that not a lot of people seem to know about: divert
• It lets you send packets to userspace, allowing you to inspect them a lot easier
• This blog post, the first in a series, details all the cool things you can do with divert and how to use it
• A very common example is with intrusion detection systems like Snort ***

Screen recording on FreeBSD

• This is a neat article about a topic we don't cover very often: making video content on BSD
• In the post, you'll learn how to make screencasts with FreeBSD, using kdenlive and ffmpeg
• There are also notes about getting a USB microphone working, so you can do commentary on whatever you're showing
• It also includes lots of details and helpful screenshots throughout the process
• You should make cool screencasts and send them to us ***

Feedback/Questions

• Camio writes in
• ezpzy writes in
• Emett writes in
• Ben writes in
• Laszlo writes in ***

Mailing List Gold

• Protocol X97
• My thoughts echoed
• Vulnerability sample ***

This episode was brought to you by

Headlines

FreeBSD and OpenBSD in GSOC2014

• The Google Summer of Code is a way to encourage students to write code for open source projects and make some money
• Both FreeBSD and OpenBSD were accepted, and we'd love for anyone listening to check out their GSOC pages
• The FreeBSD wiki has a list of things that they'd be interested in someone helping out with
• OpenBSD's want list was also posted
• DragonflyBSD and NetBSD were sadly not accepted this year ***

Yes, you too can be an evil network overlord

• A new blog post about monitoring your network using only free tools
• OpenBSD is a great fit, and has all the stuff you need in the base system or via packages
• It talks about the pflow pseudo-interface, its capabilities and relation to NetFlow (also goes well with pf)
• There's also details about flowd and nfsen, more great tools to make network monitoring easy
• If you're listening, Peter... stop ignoring our emails and come on the show! We know you're watching! ***

BSDMag's February issue is out

• The theme is "configuring basic services on OpenBSD 5.4"
• There's also an interview with Peter Hansteen (oh hey...)
• Topics also include locking down SSH, a GIMP lesson, user/group management, and...
• Linux and Solaris articles? Why?? ***

Changes in bcrypt

• Not specific to any OS, but the OpenBSD team is updating their bcrypt implementation
• There is a bug in bcrypt when hashing long passwords - other OSes need to update theirs too! (FreeBSD already has)
• "The length is stored in an unsigned char type, which will overflow and wrap at 256. Although we consider the existence of affected hashes very rare, in order to differentiate hashes generated before and after the fix, we are introducing a new minor 'b'."
• As long as you upgrade your OpenBSD system in order (without skipping versions) you should be ok going forward
• Lots of specifics in the email, check the full thing ***

Interview - Will Backman - bitgeist@yahoo.com / @bsdtalk

The BSDTalk podcast, BSD advocacy, various topics

Tutorial

Tracking and cross-compiling -CURRENT (NetBSD)

News Roundup

X11 no longer needs root

• Xorg has long since required root privileges to run the main server
• With recent work from the OpenBSD team, now everything (even KMS) can run as a regular user
• Now you can set the "machdep.allowaperture" sysctl to 0 and still use a GUI ***

OpenSSH 6.6 CFT

• Shortly after the huge 6.5 release, we get a routine bugfix update
• Test it out on as many systems as you can
• Check the mailing list for the full bug list ***

Creating an OpenBSD USB drive

• Since OpenBSD doesn't distribute any official USB images, here are some instructions on how to do it
• Step by step guide on how you can make your very own
• However, there's some recent emails that suggest official USB images may be coming soon... oh wait ***

PCBSD weekly digest

• New PBI updates that allow separate ports from /usr/local
• You need to rebuild pbi-manager if you want to try it out
• Updates and changes to Life Preserver, App Cafe, PCDM ***

Feedback/Questions

• espressowar writes in
• Antonio writes in
• Christian writes in
• Adam writes in
• Alex writes in ***