NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Controlling Resource Limits with rctl in FreeBSD

It's DNS. Of course it's DNS, it's always DNS.

News Roundup

GSOC

• [Work with FreeBSD in Google Summer of Code](https://freebsdfoundation.org/blog/work-with-freebsd-in-google-summer-of-code/)
• [The NetBSD Foundation is a mentoring organization at Google Summer of Code 2022](https://blog.netbsd.org/tnf/entry/the_netbsd_foundation_is_a)

Rsync Technical Notes - Q4 2021

Userland CPU frequency scheduling for OpenBSD

Beastie Bits

• Unofficial HardenedBSD liveCD
• The eurobsdcon 2022 CFP is open
• Testing parallel forwarding
• OpenBSD iwx(4) gains 11ac 80MHz channel support
• OpenBSD/arm64 on Apple M1 systems
• FreeBSD on the CubieBoard2

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

Eric - periodic notifications
Kevin - no question

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

FreeBSD 13.0 R Annoucement

• OpenZFS 2.0 (almost 2.1) is included in 13.0
• Removed support for previously-deprecated algorithms in geli(8).
• The armv8crypto(4) driver now supports AES-GCM which is used by IPsec and kernel TLS.

Enable multi-factor authentication on OpenBSD

> In this article I will explain how to add a bit more security to your OpenBSD system by adding a requirement for user logging into the system, locally or by ssh. I will explain how to setup 2 factor authentication (2FA) using TOTP on OpenBSD

News Roundup

KDE on FreeBSD 2021o2

> Gosh, second octant already! Well, let’s take a look at the big things that happened in KDE-on-FreeBSD in these six-and-a-half weeks.

GSoC Reports: Make system(3), popen(3) and popenve(3) use posix_spawn(3) internally (Final report)

> My code can be found at github.com/teknokatze/src in the gsoc2020 branch, at the time of writing some of it is still missing. The test facilities and logs can be found in github.com/teknokatze/gsoc2020. A diff can be found at github which will later be split into several patches before it is sent to QA for merging.
> The initial and defined goal of this project was to make system(3) and popen(3) use posix_spawn(3) internally, which had been completed in June. For the second part I was given the task to replace fork+exec calls in our standard shell (sh) in one scenario. Similar to the previous goal we determined through implementation if the initial motivation, to get performance improvements, is correct otherwise we collect metrics for why posix_spawn() in this case should be avoided. This second part meant in practice that I had to add and change code in the kernel, add a new public libc function, and understand shell internals.

A working D compiler on OpenBSD

> Dr. Brian Robert Callahan (bcallah@) blogged about his work in getting D compiler(s) working under OpenBSD.

• Full Post ***

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Vasilis - upgrade question
• Dennis - zfs questions
• Daniel Dettlaff - KTLS question

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

Headlines

What has to happen with Unix virtual memory when you have no swap space

> Recently, Artem S. Tashkinov wrote on the Linux kernel mailing list about a Linux problem under memory pressure (via, and threaded here). The specific reproduction instructions involved having low RAM, turning off swap space, and then putting the system under load, and when that happened (emphasis mine):

> Once you hit a situation when opening a new tab requires more RAM than is currently available, the system will stall hard. You will barely be able to move the mouse pointer. Your disk LED will be flashing incessantly (I'm not entirely sure why). [...]

> I'm afraid I have bad news for the people snickering at Linux here; if you're running without swap space, you can probably get any Unix to behave this way under memory pressure. If you can't on your particular Unix, I'd actually say that your Unix is probably not letting you get full use out of your RAM.

> To simplify a bit, we can divide pages of user memory up into anonymous pages and file-backed pages. File-backed pages are what they sound like; they come from some specific file on the filesystem that they can be written out to (if they're dirty) or read back in from. Anonymous pages are not backed by a file, so the only place they can be written out to and read back in from is swap space. Anonymous pages mostly come from dynamic memory allocations and from modifying the program's global variables and data; file backed pages come mostly from mapping files into memory with mmap() and also, crucially, from the code and read-only data of the program.

• See link for the rest of the article

Dsynth details on Dragonfly

> First, history: DragonFly has had binaries of dports available for download for quite some time. These were originally built using poudriere, and then using the synth tool put together by John Marino. Synth worked both to build all software in dports, and as a way to test DragonFly’s SMP capability under extreme load.

> Matthew Dillon is working on a new version, called dsynth. It is available now but not yet part of the build. He’s been working quickly on it and there’s plenty more commits than what I have linked here. It’s already led to finding more high-load fixes.

• dsynth

> DSynth is basically synth written in C, from scratch. It is designed to give us a bulk builder in base and be friendly to porting and jails down the line (for now its uses chroot's).

> The original synth was written by John R. Marino and its basic flow was used in writing this program, but as it was written in ada no code was directly copied.

> * The intent is to make dsynth compatible with synth's configuration files and directory structure.

> * This is a work in progress and not yet ready for prime-time. Pushing so we can get some more eyeballs. Most of the directives do not yet work (everything, and build works, and 'cleanup' can be used to clean up any dangling mounts).

• dsynth code

News Roundup

Instant Workstation

> Some considerable time ago I wrote up instructions on how to set up a FreeBSD machine with the latest KDE Plasma Desktop. Those instructions, while fairly short (set up X, install the KDE meta-port, .. and that’s it) are a bit fiddly.

> So – prompted slightly by a Twitter exchange recently – I’ve started a mini-sub-project to script the installation of a desktop environment and the bits needed to support it. To give it at least a modicum of UI, dialog(1) is used to ask for an environment to install and a display manager.

> The tricky bits – pointed out to me after I started – are hardware support, although a best-effort is better than having nothing, I think.

> In any case, in a VBox host it’s now down to running a single script and picking Plasma and SDDM to get a usable system for me. Other combinations have not been tested, nor has system-hardware-setup. I’ll probably maintain it for a while and if I have time and energy it’ll be tried with nVidia (those work quite well on FreeBSD) and AMD (not so much, in my experience) graphics cards when I shuffle some machines around.

• Here is the script in my GitHub repository with notes-for-myself.

New Servers, new Tech

> Following up on an earlier post, the new servers for DragonFly are in place. The old 40-core machine used for bulk build, monster, is being retired. The power efficiency of the new machines is startling. Incidentally, this is where donations go – infrastructure.

• New servers in the colo, monster is being retired

> We have three new servers in the colo now that will be taking most/all bulk package building duties from monster and the two blades (muscles and pkgbox64) that previously did the work. Monster will be retired. The new servers are a dual-socket Xeon (sting) and two 3900X based systems (thor and loki) which all together burn only around half the wattage that monster burned (500W vs 1000W) and 3 times the performance. That's at least a 6:1 improvement in performance efficiency.

> With SSD prices down significantly the new machines have all-SSDs. These new machines allow us to build dports binary packages for release, master, and staged at the same time and reduces the full-on bulk build times for getting all three done down from 2 weeks to 2 days. It will allow us to more promptly synchronize updates to ports with dports and get binary packages up sooner.

> Monster, our venerable 48-core quad-socket opteron is being retired. This was a wonderful dev machine for working on DragonFly's SMP algorithms over the last 6+ years precisely because its inter-core and inter-socket latencies were quite high. If a SMP algorithm wasn't spot-on, you could feel it. Over the years DragonFly's performance on monster in doing things like bulk builds increased radically as the SMP algorithms got better and the cores became more and more localized. This kept monster relevant far longer than I thought it would be.

> But we are at a point now where improvements in efficiency are just too good to ignore. Monster's quad-socket opteron (4 x 12 core 6168's) pulls 1000W under full load while a single Ryzen 3900X (12 core / 24 thread) in a server configuration pulls only 150W, and is slightly faster on the same workload to boot.

> I would like to thank everyone's generous donations over the last few years! We burned a few thousand on the new machines (as well as the major SSD upgrades we did to the blades) and made very good use of the money, particularly this year as prices for all major components (RAM, SSDs, CPUs, Mobos, etc) have dropped significantly.

Experimenting with streaming setups on NetBSD

> Ever since OBS was successfully ported to NetBSD, I’ve been trying it out, seeing what works and what doesn’t. I’ve only just gotten started, and there’ll definitely be a lot of tweaking going forward.

> Capturing a specific application’s windows seems to work okay. Capturing an entire display works, too. I actually haven’t tried streaming to Twitch or YouTube yet, but in a previous experiment a few weeks ago, I was able to run a FFmpeg command line and that could stream to Twitch mostly OK.

> My laptop combined with my external monitor allows me to have a dual-monitor setup wherein the smaller laptop screen can be my “broadcasting station” while the bigger screen is where all the action takes place. I can make OBS visible on all Xfce workspaces, but keep it tucked away on that display only. Altogether, the setup should let me use the big screen for the fun stuff but I can still monitor everything in the small screen.

NetBSD Made Progress Thanks To GSoC In Its March Towards Steam Support

> Ultimately the goal is to get Valve's Steam client running on NetBSD using their Linux compatibility layer while the focus the past few months with Google Summer of Code 2019 were supporting the necessary DRM ioctls for allowing Linux software running on NetBSD to be able to tap accelerated graphics support.

> Student developer Surya P spent the summer working on compat_netbsd32 DRM interfaces to allow Direct Rendering Manager using applications running under their Linux compatibility layer.

> These interfaces have been tested and working as well as updating the "suse131" packages in NetBSD to make use of those interfaces. So the necessary interfaces are now in place for Linux software running on NetBSD to be able to use accelerated graphics though Steam itself isn't yet running on NetBSD with this layer.

> Those curious about this DRM ioctl GSoC project can learn more from the NetBSD blog. NetBSD has also been seeing work this summer on Wayland support and better Wine support to ultimately make this BSD a better desktop operating system and potentially a comparable gaming platform to Linux.

Beastie Bits

• FreeBSD in Wellington?
• FreeBSD on GFE
• Clarification
• Distrotest.net now with BSDs
• Lecture: Anykernels meet fuzzing NetBSD
• Sun Microsystems business plan from 1982 [pdf]

Feedback/Questions

• Alan - Questions
• Rodriguez - Feedback and a question
• Jeff - OpenZFS follow-up, FreeBSD Adventures

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

Headlines

New PAE support in OpenBSD

• OpenBSD has just added Physical Address Extention support to the i386 architecture, but it's probably not what you'd think of when you hear the term
• In most operating systems, PAE's main advantage is to partially circumvent the 4GB memory limit on 32 bit platforms - this version isn't for that
• Instead, this change specifically allows the system to use the No-eXecute Bit of the processor for the userland, further hardening the in-place memory protections
• Other operating systems enable the CPU feature without doing anything to the page table entries, so they do get the available memory expansion, but don't get the potential security benefit
• As we discussed in a previous episode, the AMD64 platform already saw some major W^X kernel and userland improvements - the i386 kernel reworking will begin shortly
• Not all CPUs support this feature, but, if yours supports NX, this will improve upon the previous version of W^X that was already there
• The AMD64 improvements will be in 5.7, due out in just a couple days as of when we're recording this, but the i386 improvements will likely be in 5.8 ***

Booting Windows in bhyve

• Work on FreeBSD's bhyve continues, and a big addition is on the way
• Thus far, bhyve has only been able to boot operating systems with a serial console - no VGA, no graphics, no Windows
• This is finally changing, and a teasing screenshot of Windows Server was recently posted on Twitter
• Graphics emulation is still in the works; this image was taken by booting headless and using RDP
• A lot of the needed code is being committed to -CURRENT now, but the UEFI portion of it requires a bit more development (and the aim for that is around the time of BSDCan)
• Not a lot of details on the matter currently, but we'll be sure to bring you more info as it comes out
• Are you more interested in bhyve or Xen on FreeBSD? Email us your thoughts ***

MidnightBSD 0.6 released

• MidnightBSD is a smaller project we've not covered a lot on the show before
• It's an operating system that was forked from FreeBSD back in the 6.1 days, and their focus seems to be on ease-of-use
• They also have their own, smaller version of FreeBSD ports, called "mports"
• If you're already using it, this new version is mainly a security and bugfix release
• It syncs up with the most recent FreeBSD security patches and gets a lot of their ports closer to the latest versions
• You can check their site for more information about the project
• We're trying to get the lead developer to come on for an interview, but haven't heard anything back yet ***

OpenBSD rewrites the file utility

• We're all probably familiar with the traditional file command - it's been around since the 1970s
• For anyone who doesn't know, it's used to determine what type of file something actually is
• This tool doesn't see a lot of development these days, and it's had its share of security issues as well
• Some of those security issues remain unfixed in various BSDs even today, despite being publicly known for a while
• It's not uncommon for people to run file on random things they download from the internet, maybe even as root, and some of the previous bugs have allowed file to overwrite other files or execute code as the user running it
• When you think about it, file was technically designed to be used on untrusted files
• OpenBSD developer Nicholas Marriott, who also happens to be the author of tmux, decided it was time to do a complete rewrite - this time with modern coding practices and the usual OpenBSD scrutiny
• This new version will, by default, run as an unprivileged user with no shell, and in a systrace sandbox, strictly limiting what system calls can be made
• With these two things combined, it should drastically reduce the damage a malicious file could potentially do
• Ian Darwin, the original author of the utility, saw the commit and replied, in what may be a moment in BSD history to remember
• It'll be interesting to see if the other BSDs, OS X, Linux or other UNIXes consider adopting this implementation in the future - someone's already thrown together an unofficial portable version
• Coincidentally, the lead developer and current maintainer of file just happens to be our guest today… ***

Interview - Christos Zoulas - christos@netbsd.org

blacklistd and NetBSD advocacy

News Roundup

GSoC-accepted BSD projects

• The Google Summer of Code people have published a list of all the projects that got accepted this year, and both FreeBSD and OpenBSD are on that list
• FreeBSD's list includes: NE2000 device model in userspace for bhyve, updating Ficl in the bootloader, type-aware kernel virtual memory access for utilities, JIT compilation for firewalls, test cluster automation, Linux packages for pkgng, an mtree parsing and manipulation library, porting bhyve to ARM-based platforms, CD-ROM emulation in CTL, libc security extensions, gptzfsboot support for dynamically discovering BEs during startup, CubieBoard support, a bhyve version of the netmap virtual passthrough for VMs, PXE support for FreeBSD guests in bhyve and finally.. memory compression and deduplication
• OpenBSD's list includes: asynchronous USB transfer submission from userland, ARM SD/MMC & controller driver in libsa, improving USB userland tools and ioctl, automating module porting, implementing a KMS driver to the kernel and, wait for it... porting HAMMER FS to OpenBSD
• We'll be sure to keep you up to date on developments from both projects
• Hopefully the other BSDs will make the cut too next year ***

FreeBSD on the Gumstix Duovero

• If you're not familiar with the Gumstix Duovero, it's an dual core ARM-based computer-on-module
• They actually look more like a stick of RAM than a mini-computer
• This article shows you how to build a FreeBSD -CURRENT image to run on them, using crochet-freebsd
• If anyone has any interesting devices like this that they use BSD on, write up something about it and send it to us ***

EU study recommends OpenBSD

• A recent study by the European Parliament was published, explaining that more funding should go into critical open source projects and tools
• This is especially important, in all countries, after the mass surveillance documents came out
• "[...] the use of open source computer operating systems and applications reduces the risk of privacy intrusion by mass surveillance. Open source software is not error free, or less prone to errors than proprietary software, the experts write. But proprietary software does not allow constant inspection and scrutiny by a large community of experts."
• The report goes on to mention users becoming more and more security and privacy-aware, installing additional software to help protect themselves and their traffic from being spied on
• Alongside Qubes, a Linux distro focused on containment and isolation, OpenBSD got a special mention: "Proactive security and cryptography are two of the features highlighted in the product together with portability, standardisation and correctness. Its built-in cryptography and packet filter make OpenBSD suitable for use in the security industry, for example on firewalls, intrusion-detection systems and VPN gateways"
• Reddit, Undeadly and Hacker News also had some discussion, particularly about corporations giving back to the BSDs that they make use of in their infrastructure - something we've discussed with Voxer and M:Tier before ***

FreeBSD workflow with Git

• If you're interested in contributing to FreeBSD, but aren't a big fan of SVN, they have a Github mirror too
• This mailing list post talks about interacting between the official source repository and the Git mirror
• This makes it easy to get pull requests merged into the official tree, and encourages more developers to get involved ***

Feedback/Questions

• Sean writes in
• Bryan writes in
• Sean writes in
• Charles writes in ***

This episode was brought to you by

Headlines

BSDCan 2015 schedule

• The list of presentations for the upcoming BSDCan conference has been posted, and the time schedule should be up shortly as well
• Just a reminder: it's going to be held on June 12th and 13th at the University of Ottawa in Canada
• This year's conference will have a massive fifty talks, split up between four tracks instead of three (but unfortunately a person can only be in one place at a time)
• Both Allan and Kris had at least one presentation accepted, and Allan will also be leading a few "birds of a feather" gatherings
• In total, there will be three NetBSD talks, five OpenBSD talks, eight BSD-neutral talks, thirty-five FreeBSD talks and no DragonFly talks
• That's not the ideal balance we'd hope for, but BSDCan says they'll try to improve that next year
• Those numbers are based on the speaker's background, or any past presentations, for the few whose actual topic wasn't made obvious from the title (so there may be a small margin of error)
• Michael Lucas (who's on the BSDCan board) wrote up a blog post about the proposals and rejections this year
• If you can't make it this year, don't worry, we'll be sure to announce the recordings when they're made available
• We also interviewed Dan Langille about the conference and what to expect this year, so check that out too ***

SSL interception with relayd

• There was a lot of commotion recently about superfish, a way that Lenovo was intercepting HTTPS traffic and injecting advertisements
• If you're running relayd, you can mimic this evil setup on your own networks (just for testing of course…)
• Reyk Floeter, the guy who wrote relayd, came up a blog post about how to do just that
• It starts off with some backstory and some of the things relayd is capable of
• relayd can run as an SSL server to terminate SSL connections and forward them as plain TCP and, conversely, run as an SSL client to terminal plain TCP connections and tunnel them through SSL
• When you combine these two, you end up with possibilities to filter between SSL connections, effectively creating a MITM scenario
• The post is very long, with lots of details and some sample config files - the whole nine yards ***

OPNsense 15.1.6.1 released

• The OPNsense team has released yet another version in rapid succession, but this one has some big changes
• It's now based on FreeBSD 10.1, with all the latest security patches and driver updates (as well as some in-house patches)
• This version also features a new tool for easily upgrading between versions, simply called "opnsense-update" (similar to freebsd-update)
• It also includes security fixes for BIND and PHP, as well as some other assorted bug fixes
• The installation images have been laid out in a clean way: standard CD and USB images that default to VGA, as well as USB images that default to a console output (for things like Soekris and PCEngines APU boards that only have serial ports)
• With the news of m0n0wall shutting down last week, they've also released bare minimum hardware specifications required to run OPNsense on embedded devices
• Encouraged by last week's mention of PCBSD trying to cut ties with OpenSSL, OPNsense is also now providing experimental images built against LibreSSL for testing (and have instructions on how to switch over without reinstalling) ***

OpenBSD on a Minnowboard Max

• What would our show be without at least one story about someone installing BSD on a weird device
• For once, it's actually not NetBSD…
• This article is about the minnowboard max, a very small X86-based motherboard that looks vaguely similar to a Raspberry Pi
• It's using an Atom CPU instead of ARM, so overall application compatibility should be a bit better (and it even has AES-NI, so crypto performance will be much better than a normal Atom)
• The author describes his entirely solid-state setup, noting that there's virtually no noise, no concern about hard drives dying and very reasonable power usage
• You'll find instructions on how to get OpenBSD installed and going throughout the rest of the article
• Have a look at the spec sheet if you're interested, they make for cool little BSD boxes ***

Netmap for 40gbit NICs in FreeBSD

• Luigi Rizzo posted an announcement to the -current mailing list, detailing some of the work he's just committed
• The ixl(4) driver, that's one for the X1710 40-gigabit card, now has netmap support
• It's currently in 11-CURRENT, but he says it works in 10-STABLE and will be committed there too
• This should make for some serious packet-pushing power
• If you have any network hardware like this, he would appreciate testing for the new code ***

Interview - Ken Westerback - directors@openbsdfoundation.org

The OpenBSD foundation's activities

News Roundup

s2k15 hackathon report: dhclient/dhcpd/fdisk

• The second trip report from the recent OpenBSD hackathon has been published, from the very same guy we just talked to
• Ken was also busy, getting a few networking-related things fixed and improved in the base system
• He wrote a few new small additions for dhclient and beefed up the privsep security, as well as some fixes for tcpdump and dhcpd
• The fdisk tool also got worked on a bit, enabling OpenBSD to properly wipe GPT tables on a previously-formatted disk so you can do a normal install on it
• There's apparently plans for "dhclientng" - presumably a big improvement (rewrite?) of dhclient ***

FreeBSD beginner video series

• A new series of videos has started on YouTube, aimed at helping total beginners learn about FreeBSD
• We usually assume that people who watch the show are already familiar with basic concepts, but they'd be a great introduction to any of your friends that are looking to get started with BSD and need a helping hand
• So far, he's covered how to get FreeBSD, an introduction to installing in VirtualBox, a simple installation or a more in-depth manual installation, navigating the filesystem, basic ssh use, managing users and groups and finally some basic editing with vi and a few other topics
• Everyone's gotta start somewhere and, with a little bit of initial direction, today's newbies could be tomorrow's developers
• It should be an ongoing series with more topics to come ***

NetBSD tests: zero unexpected failures

• The NetBSD guys have a new blog post up about their testing suite for all the CPU architectures
• They've finally gotten the number of "expected" failures down to zero on a few select architectures
• Results are published on a special release engineering page, so you can have a look if you're interested
• The rest of the post links to the "top performers" (ones with less than ten failure) in the -current branch ***

PCBSD switches to IPFW

• The PCBSD crew continues their recent series of switching between major competing features
• This time, they've switched the default firewall away from PF to FreeBSD's native IPFW firewall
• Look forward to Kris wearing a "keep calm and use IPFW" shir- wait ***

Feedback/Questions

• Sean writes in
• Dan writes in
• Florian writes in
• Sean writes in
• Chris writes in ***

Mailing List Gold

• VCS flamebait
• Hidden agenda ***

This episode was brought to you by

Headlines

Introducing OPNsense, a pfSense fork

• OPNsense is a new BSD-based firewall project that was recently started, forked from the pfSense codebase
• Even though it's just been announced, they already have a formal release based on FreeBSD 10 (pfSense's latest stable release is based on 8.3)
• The core team includes a well-known DragonFlyBSD developer
• You can check out their code on Github now, or download an image and try it out - let us know if you do and what you think about it
• They also have a nice wiki and some instructions on getting started for new users
• We plan on having them on the show next week to learn a bit more about how the project got started and why you might want to use it - stay tuned ***

Code rot and why I chose OpenBSD

• Here we have a blog post about rotting codebases - a core banking system in this example
• The author tells the story of how his last days spent at the job were mostly removing old, dead code from a giant project
• He goes on to compare it to OpenSSL and the hearbleed disaster, from which LibreSSL was born
• Instead of just bikeshedding like the rest of the internet, OpenBSD "silently started putting the beast into shape" as he puts it
• The article continues on to mention OpenBSD's code review process, and how it catches any bugs so we don't have more heartbleeds
• "In OpenBSD you are encouraged to run current and the whole team tries its best to make current as stable as it can. You know why? They eat their own dog food. That's so simple yet so amazing that it blows my mind. Developers actually run OpenBSD on their machines daily."
• It's a very long and detailed story about how the author has gotten more involved with BSD, learned from the mailing lists and even started contributing back - he says "In summary, I'm learning more than ever - computing is fun again"
• Look for the phrase "Getting Started" in the blog post for a nice little gem ***

ZFS vs HAMMER FS

• One of the topics we've seen come up from time to time is how FreeBSD's ZFS and DragonFly's HAMMER FS compare to each other
• They both have a lot of features that traditional filesystems lack
• A forum thread was opened for discussion about them both and what they're typically used for
• It compares resource requirements, ideal hardware and pros/cons of each
• Hopefully someone will do another new comparison when HAMMER 2 is finished
• This is not to be confused with the other "hammer" filesystem ***

Portable OpenNTPD revived

• With ISC's NTPd having so many security vulnerabilities recently, people need an alternative NTP daemon
• OpenBSD has developed OpenNTPD since 2004, but the portable version for other operating systems hasn't been actively maintained in a few years
• The older version still works fine, and is in FreeBSD ports and NetBSD pkgsrc, but it would be nice to have some of the newer features and fixes from the native version
• Brent Cook, who we've had on the show before to talk about LibreSSL, decided it was time to fix this
• While looking through the code, he also found some fixes for the native version as well
• You can grab it from Github now, or just wait for the updated release to hit the repos of your OS of choice ***

Interview - Ian Sutton - ian@kremlin.cc

BSD replacements for systemd dependencies

News Roundup

pkgng adds OS X support

• FreeBSD's next-gen package manager has just added support for Mac OS X
• Why would you want that? Well.. we don't really know, but it's cool
• The author of the patch may have some insight about what his goal is though
• This could open up the door for a cross-platform pkgng solution, similar to NetBSD's pkgsrc
• There's also the possibility of pkgng being used as a packaging format for MacPorts in the future
• While we're on the topic of pkgng, you can also watch bapt's latest presentation about it from ruBSD 2014 - "four years of pkg" ***

Secure secure shell

• Almost everyone watching BSD Now probably uses OpenSSH and has set up a server at one point or another
• This guide provides a list of best practices beyond the typical "disable root login and use keys" advice you'll often hear
• It specifically goes in-depth with server and client configuration with the best key types, KEX methods and encryption ciphers to use
• There are also good explanations for all the choices, based both on history and probability
• Minimal backwards compatibility is kept, but most of the old and insecure stuff gets disabled
• We've also got a handy chart to show which SSH implementations support which ciphers, in case you need to support Windows users or people who use weird clients ***

Dissecting OpenBSD's divert(4)

• PF has a cool feature that not a lot of people seem to know about: divert
• It lets you send packets to userspace, allowing you to inspect them a lot easier
• This blog post, the first in a series, details all the cool things you can do with divert and how to use it
• A very common example is with intrusion detection systems like Snort ***

Screen recording on FreeBSD

• This is a neat article about a topic we don't cover very often: making video content on BSD
• In the post, you'll learn how to make screencasts with FreeBSD, using kdenlive and ffmpeg
• There are also notes about getting a USB microphone working, so you can do commentary on whatever you're showing
• It also includes lots of details and helpful screenshots throughout the process
• You should make cool screencasts and send them to us ***

Feedback/Questions

• Camio writes in
• ezpzy writes in
• Emett writes in
• Ben writes in
• Laszlo writes in ***

Mailing List Gold

• Protocol X97
• My thoughts echoed
• Vulnerability sample ***

This episode was brought to you by

Headlines

FreeBSD and OpenBSD in GSOC2014

• The Google Summer of Code is a way to encourage students to write code for open source projects and make some money
• Both FreeBSD and OpenBSD were accepted, and we'd love for anyone listening to check out their GSOC pages
• The FreeBSD wiki has a list of things that they'd be interested in someone helping out with
• OpenBSD's want list was also posted
• DragonflyBSD and NetBSD were sadly not accepted this year ***

Yes, you too can be an evil network overlord

• A new blog post about monitoring your network using only free tools
• OpenBSD is a great fit, and has all the stuff you need in the base system or via packages
• It talks about the pflow pseudo-interface, its capabilities and relation to NetFlow (also goes well with pf)
• There's also details about flowd and nfsen, more great tools to make network monitoring easy
• If you're listening, Peter... stop ignoring our emails and come on the show! We know you're watching! ***

BSDMag's February issue is out

• The theme is "configuring basic services on OpenBSD 5.4"
• There's also an interview with Peter Hansteen (oh hey...)
• Topics also include locking down SSH, a GIMP lesson, user/group management, and...
• Linux and Solaris articles? Why?? ***

Changes in bcrypt

• Not specific to any OS, but the OpenBSD team is updating their bcrypt implementation
• There is a bug in bcrypt when hashing long passwords - other OSes need to update theirs too! (FreeBSD already has)
• "The length is stored in an unsigned char type, which will overflow and wrap at 256. Although we consider the existence of affected hashes very rare, in order to differentiate hashes generated before and after the fix, we are introducing a new minor 'b'."
• As long as you upgrade your OpenBSD system in order (without skipping versions) you should be ok going forward
• Lots of specifics in the email, check the full thing ***

Interview - Will Backman - bitgeist@yahoo.com / @bsdtalk

The BSDTalk podcast, BSD advocacy, various topics

Tutorial

Tracking and cross-compiling -CURRENT (NetBSD)

News Roundup

X11 no longer needs root

• Xorg has long since required root privileges to run the main server
• With recent work from the OpenBSD team, now everything (even KMS) can run as a regular user
• Now you can set the "machdep.allowaperture" sysctl to 0 and still use a GUI ***

OpenSSH 6.6 CFT

• Shortly after the huge 6.5 release, we get a routine bugfix update
• Test it out on as many systems as you can
• Check the mailing list for the full bug list ***

Creating an OpenBSD USB drive

• Since OpenBSD doesn't distribute any official USB images, here are some instructions on how to do it
• Step by step guide on how you can make your very own
• However, there's some recent emails that suggest official USB images may be coming soon... oh wait ***

PCBSD weekly digest

• New PBI updates that allow separate ports from /usr/local
• You need to rebuild pbi-manager if you want to try it out
• Updates and changes to Life Preserver, App Cafe, PCDM ***

Feedback/Questions

• espressowar writes in
• Antonio writes in
• Christian writes in
• Adam writes in
• Alex writes in ***