NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Of Sun Ray laptops, MIPS and getting root on them

OpenZFS for HPC Clusters

News Roundup

Self-Hosted Bookmarks using DAV and httpd on OpenBSD

Terraform + Proxmox + OpenBSD = <3

WOL Plex Server

Against Innovation

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Installing BSDs on Cubieboard1

Self-hosting a static site with OpenBSD, httpd, and relayd

News Roundup

NetBSD can also run a Minecraft server

A Little Story About the yes Unix Command

Shell History: Unix

OpenBGPD 7.5 released

Beastie Bits

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Ludensen - Feedback

• Vidar - OpenRGB

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Gemini Capsule in a FreeBSD Jail

With the recent release of FreeBSD 13, I wanted to test it out on a spare RaspberryPi 3 that was part of my old Kubernetes cluster.
In particular, FreeBSD Jails have always interested me, although I’ve never used them in practice. Over the years I’ve managed operating system virtualization through Solaris Zones and Docker containers, and Jails seem like and good middle ground between the two - easier to manage than zones and closer to the OS than Docker.
I also want to run my own Gemini capsule locally to use some of the features that my other hosted capsules don’t have (like SCGI/CGI) and setting up a capsule in a Jail is a good way to learn both at the same time.

FreeBSD Quarterly status report 2021Q1

News Roundup

NetBSD VM on bhyve (on TrueNAS)

My new NAS at home is running TrueNAS Core. So far, it has been excellent, however I struggled a bit setting up a NetBSD VM on it. Part of the problem is that a lot of the docs and how-tos I found are stale, and the information in it no longer applies.
TrueNAS Core allows running VMs using bhyve, which is FreeBSD’s hypervisor. NetBSD is not an officially supported OS, at least according to the guest OS chooser in the TrueNAS web UI :) But since the release of NetBSD 9 a while ago, things have become far simpler than they used to be – with one caveat (see below).

Interview with Michael Lucas *BSD, Unix, IT and other books author

Michael Lucas is a famous IT book author. Perhaps best know for FreeBSD, OpenBSD, and Unix book series. He worked as a system administrator for many years and has now become a full-time book writer. Lately, I did a quick Q and A with Michael about his journey as a professional book author and his daily workflow for writing books.
+

---

pfSense – WireGuard Returns as Experimental Package

---

CGI with Awk on OpenBSD httpd

---

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questionsing

• Adam - system state during upgrade
• paul - BSD grep
• sub - feedback

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

This episode was brought to you by

Headlines

Out with the old, in with the less

• Our friend Ted Unangst has a new article up, talking about "various OpenBSD replacements and reductions"
• "Instead of trying to fix known bugs, we’re trying to fix unknown bugs. It’s not based on the current buggy state of the code, but the anticipated future buggy state of the code. Past bugs are a bigger factor than current bugs."
• In the post, he goes through some of the bigger (and smaller) examples of OpenBSD rewriting tools to be simpler and more secure
• It starts off with a lesser-known SCSI driver that "tried to do too much" being replaced with three separate drivers
• "Each driver can now be modified in isolation without unintentional side effects on other hardware, or the need to consider if and where further special cases need to be added. Despite the fact that these three drivers duplicate all the common boilerplate code, combined they only amount to about half as much code as the old driver."
• In contrast to that example, he goes on to cite mandoc as taking a very non "unixy" direction, but at the same time being smaller and simpler than all the tools it replaced
• The next case is the new http daemon, and he talks a bit about the recently-added rewrite support being done in a simple and secure way (as opposed to regex and its craziness)
• He also talks about the rewritten "file" utility: "Almost by definition, its sole input will be untrusted input. Perversely, people will then trust what file tells them and then go about using that input, as if file somehow sanitized it."
• Finally, sudo in OpenBSD's base system is moving to ports soon, and the article briefly describes a new tool that may or may not replace it, called "doas"
• There's also a nice wrap-up of all the examples at the end, and the "Pruning and Polishing" talk is good complementary reading material ***

More OpenZFS and BSDCan videos

• We mentioned last week that some of the videos from the second OpenZFS conference in Europe were being uploaded - here's some more
• Matt Ahrens did a Q&A session and talked about ZFS send and receive, as well as giving an overview of OpenZFS
• George Wilson talked about a performance retrospective
• Toshiba, Syneto and HGST also gave some talks about their companies and how they're using ZFS
• As for BSDCan, more of their BSD presentations have been uploaded too...
• Ryan Stone, PCI SR-IOV on FreeBSD
• George Neville-Neil, Measure Twice, Code Once
• Kris Moore, Unifying jail and package management for PC-BSD, FreeNAS and FreeBSD
• Warner Losh, I/O Scheduling in CAM
• Kirk McKusick, An Introduction to the Implementation of ZFS
• Midori Kato, Extensions to FreeBSD Datacenter TCP for Incremental Deployment Support
• Baptiste Daroussin, Packaging FreeBSD's base system
• Matt Ahrens, New OpenZFS features supporting remote replication
• Ed Schouten, CloudABI Cloud computing meets fine-grained capabilities
• The audio of Ingo Schwarze's talk "mandoc: becoming the main BSD manual toolbox" got messed up, but there's an alternate recording here, and the slides are here ***

SMP steroids for PF

• An Oracle employee that's been porting OpenBSD's PF to an upcoming Solaris release has sent in an interesting patch for review
• Attached to the mail was what may be the beginnings of making native PF SMP-aware
• Before you start partying, the road to SMP (specifically, giant lock removal) is a long and very complicated one, requiring every relevant bit of the stack to be written with it in mind - this is just one piece of the puzzle
• The initial response has been quite positive though, with some back and forth between developers and the submitter
• For now, let's be patient and see what happens ***

DragonFly 4.2.0 released

• DragonFlyBSD has released the next big update of their 4.x branch, complete with a decent amount of new features and fixes
• i915 and Radeon graphics have been updated, and DragonFly can claim the title of first BSD with Broadwell support in a release
• Sendmail in the base system has been replaced with their homegrown DragonFly Mail Agent, and there's a wiki page about configuring it
• They've also switched the default compiler to GCC 5, though why they've gone in that direction instead of embracing Clang is a mystery
• The announcement page also contains a list of kernel changes, details on the audio and graphics updates, removal of the SCTP protocol, improvements to the temperature sensors, various userland utility fixes and a list of updates to third party tools
• Work is continuing on the second generation HAMMER filesystem, and Matt Dillon provides a status update in the release announcement
• There was also some hacker news discussion you can check out, as well as upgrade instructions ***

OpenSMTPD 5.7.1 released

• The OpenSMTPD guys have just released version 5.7.1, a major milestone version that we mentioned recently
• Crypto-related bits have been vastly improved: the RSA engine is now privilege-separated, TLS errors are handled more gracefully, ciphers and curve preferences can now be specified, the PKI interface has been reworked to allow custom CAs, SNI and certificate verification have been simplified and the DH parameters are now 2048 bit by default
• The long-awaited filter API is now enabled by default, though still considered slightly experimental
• Documentation has been improved quite a bit, with more examples and common use cases (as well as exotic ones)
• Many more small additions and bugfixes were made, so check the changelog for the full list
• Starting with 5.7.1, releases are now cryptographically signed to ensure integrity
• This release has gone through some major stress testing to ensure stability - Gilles regularly asks their Twitter followers to flood a test server with thousands of emails per second, even offering prizes to whoever can DDoS them the hardest
• OpenSMTPD runs on all the BSDs of course, and seems to be getting pretty popular lately
• Let's all encourage Kris to stop procrastinating on switching from Postfix ***

Interview - Jun Ebihara (蛯原純) - jun@netbsd.org / @ebijun

Lesser-known CPU architectures, embedded NetBSD devices

News Roundup

FreeBSD foundation at BSDCan

• The FreeBSD foundation has posted a few BSDCan summaries on their blog
• The first, from Steven Douglas, begins with a sentiment a lot of us can probably identify with: "Where I live, there are only a handful of people that even know what BSD is, let alone can talk at a high level about it. That was one of my favorite things, being around like minded people."
• He got to meet a lot of the people working on big-name projects, and enjoyed being able to ask them questions so easily
• Their second trip report is from Ahmed Kamal, who flew in all the way from Egypt
• A bit starstruck, he seems to have enjoyed all the talks, particularly Andrew Tanenbaum's about MINIX and NetBSD
• There are also two more wrap-ups from Zbigniew Bodek and Vsevolod Stakhov, so you've got plenty to read ***

OpenBSD from a veteran Linux user perspective

• In a new series of blog posts, a self-proclaimed veteran Linux user is giving OpenBSD a try for the first time
• "For the first time I installed a BSD box on a machine I control. The experience has been eye-opening, especially since I consider myself an 'old-school' Linux admin, and I've felt out of place with the latest changes on the system administration."
• The post is a collection of his thoughts about what's different between Linux and BSD, what surprised him as a beginner - admittedly, a lot of his knowledge carried over, and there were just minor differences in command flags
• One of the things that surprised him (in a positive way) was the documentation: "OpenBSD's man pages are so nice that RTFMing somebody on the internet is not condescending but selfless."
• He also goes through some of the basics, installing and updating software, following different branches
• It concludes with "If you like UNIX, it will open your eyes to the fact that there is more than one way to do things, and that system administration can still be simple while modern." ***

FreeBSD on the desktop, am I crazy

• Similar to the previous article, the guy that wrote the SSH two factor authentication post we covered last week has another new article up - this time about FreeBSD on the desktop
• He begins with a bit of forewarning for potential Linux switchers: "It certainly wasn't an easy journey, and I'm tempted to say do not try this at home to anybody who isn't going to leverage any of FreeBSD's strong points. Definitely don't try FreeBSD on the desktop if you haven't used it on servers or virtual machines before. It's got less in common with Linux than you might think."
• With that out of the way, the list of positives is pretty large: a tidy base system, separation between base and ports, having the option to choose binary packages or ports, ZFS, jails, licensing and of course the lack of systemd
• The rest of the post talks about some of the hurdles he had to overcome, namely with graphics and the infamous Adobe Flash
• Also worth noting is that he found jails to be not only good for isolating daemons on a server, but pretty useful for desktop applications as well
• In the end, he says it was worth all the trouble, and is even planning on converting his laptop to FreeBSD soon too ***

OpenIKED and Cisco CSR 1000v IPSEC

• This article covers setting up a site-to-site IPSEC tunnel between a Cisco CSR 1000v router and an OpenBSD gateway running OpenIKED
• What kind of networking blog post would be complete without a diagram where the internet is represented by a big cloud
• There are lots of details (and example configuration files) for using IKEv2 and OpenBSD's built-in IKE daemon
• It also goes to show that the BSDs generally play well with existing network infrastructure, so if you were a business that's afraid to try them… don't be ***

HardenedBSD improves stack randomization

• The HardenedBSD guys have improved their FreeBSD ASLR patchset, specifically in the stack randomization area
• In their initial implementation, the stack randomization was a random gap - this update makes the base address randomized as well
• They're now stacking the new on top of the old as well, with the goal being even more entropy
• This change triggered an ABI and API incompatibility, so their major version has been bumped ***

OpenSSH 6.9 released

• The OpenSSH team has announced the release of a new version which, following their tick/tock major/minor release cycle, is focused mainly on bug fixes
• There are a couple new things though - the "AuthorizedKeysCommand" config option now takes custom arguments
• One very notable change is that the default cipher has changed as of this release
• The traditional pairing of AES128 in counter mode with MD5 HMAC has been replaced by the ever-trendy ChaCha20-Poly1305 combo
• Their next release, 7.0, is set to get rid a number of legacy items: PermitRootLogin will be switched to "no" by default, SSHv1 support will be totally disabled, the 1024bit diffie-hellman-group1-sha1 KEX will be disabled, old ssh-dss and v00 certs will be removed, a number of weak ciphers will be disabled by default (including all CBC ones) and RSA keys will be refused if they're under 1024 bits
• Many small bugs fixes and improvements were also made, so check the announcement for everything else
• The native version is in OpenBSD -current, and an update to the portable version should be hitting a ports or pkgsrc tree near you soon ***

Feedback/Questions

• Brad writes in
• Mason writes in
• Jochen writes in
• Simon writes in ***

This episode was brought to you by

Headlines

More BSDCan 2015 videos

• Almost as if we said it would happen last week, more BSD-related presentation videos have been uploaded
• Alexander Motin, Feature-rich and fast SCSI target with CTL and ZFS
• Daichi Goto, FreeBSD for High Density Servers
• Ken Moore, Lumina-DE
• Kevin Bowling, FreeBSD Operations at Limelight Networks
• Maciej Pasternacki, Jetpack, a container runtime for FreeBSD
• Ray Percival, Networking with OpenBSD in a virtualized environment
• Reyk Floeter, Introducing OpenBSD's new httpd
• Still more to come, hopefully ***

OpenBSD httpd rewrite support

• One of the most-requested features of OpenBSD's new HTTP daemon (in fact, you can hear someone asking about it in the video just above) is rewrite support
• There were concerns about regex code being too complicated and potentially allowing another attack surface, so that was out
• Instead, Reyk ported over an implementation of lua pattern matching while on the flight back from BSDCan, turning it into a C API without the lua bindings
• In the mailing list post, he shows an example of how to use it for redirects and provides the diff if you'd like to give it a try now
• It's since been committed to -current, so you can try it out with a snapshot too ***

SSH 2FA on FreeBSD

• We've discussed different ways to lock down SSH access to your BSD boxes before - use keys instead of passwords, whitelist IPs, or even use two-factor authentication
• This article serves as a sort of "roundup" on different methods to set up two-factor authentication on FreeBSD
• It touches on key pairs with a server-side password, google authenticator and a few other variations
• While the article is focused on FreeBSD, a lot of it can be easily applied to the others too
• OpenSSH has a great security record, but two-factor authentication is always a good thing to have for the most important systems ***

NetBSD 7.0-RC1 released

• NetBSD has just announced the first release candidate for the 7.0 branch, after a long delay since the initial beta (11 months ago)
• Some of the standout features include: improved KMS/DRM with support for modern GPUs, SMP support on ARM, lots of new ARM boards officially supported, GPT support in the installer, Lua kernel scripting, a multiprocessor USB stack, improvements to NPF (their firewall) and, optionally, Clang 3.6.1
• They're looking for as much testing as possible, so give it a try and report your findings to the release engineering team ***

Interview - Sean Chittenden - seanc@freebsd.org / @seanchittenden

FreeBSD at Groupon, ZFS

News Roundup

OpenSMTPD and Dovecot

• We've covered a number of OpenSMTPD mail server guides on the show, each with just a little something different to offer than the last
• This blog post about it has something not mentioned before: virtual domains and virtual users
• This means you can easily have "user1@domain.com" and "user2@otherdomain.com" both go to a local user on the box (or a different third address)
• It also covers SSL certificates, blocking spam and setting up IMAP access, the usual
• Now might also be a good time to test out OpenSMTPD 5.7.1-rc1, which we'll cover in more detail when it's released... ***

OctoPkg, a QT frontend to pkgng

• A PC-BSD user has begun porting over a graphical package management utility from Arch linux called Octopi
• Obviously, it needed to be rewritten to use FreeBSD's pkg system instead of pacman
• There are some basic instructions on how to get it built and running on the github page
• After some testing, it'll likely make its way to the FreeBSD ports tree
• Tools like this might make it easier for desktop users (who are used to similar things in Ubuntu or related distros) to switch over ***

AFL vs. mandoc, a quantitative analysis

• Ingo Schwarze has written a pretty detailed article about how he and other OpenBSD developers have been fuzzing mandoc with AFL
• It's meant to be accompanying material to his BSDCan talk, which already covered nine topics
• mandoc is an interesting example to stress test with fuzzing, since its main job is to take and parse some highly varying input
• The article breaks down the 45 different bugs that were found, based on their root cause
• If you're interested in secure coding practices, this'll be a great one to read ***

OpenZFS conference videos

• Videos from the second OpenZFS conference have just started to show up
• The first talk is by, you guessed it, Matt Ahrens
• In it, he covers some ZFS history, the Oracle takeover, the birth of illumos and OpenZFS, some administration basics and also some upcoming features that are being worked on
• There are also videos from Nexenta and HGST, talking about how they use and contribute to OpenZFS ***

Feedback/Questions

• Bryson writes in
• Kevin writes in ***

This episode was brought to you by

Headlines

Major changes coming in PCBSD 11

• The PCBSD team has announced that version 11.0 will have some more pretty big changes (as they've been known to do lately with NTP daemons and firewalls)
• Switching from PF to IPFW provided some benefits for VIMAGE, but the syntax was just too complicated for regular everyday users
• To solve this, they've ported over Linux's iptables, giving users a much more straightforward configuration
• While ZFS has served them well as the default filesystem for a while, Kris decided that Btrfs would be a better choice going forward
• Since the FreeBSD kernel doesn't support it natively, all filesystem calls will be through FUSE from now on - performance is Good Enough
• People often complain about PCBSD's huge ISO download, so, to save space, the default email client will be switched to mutt, and KDE will be replaced with DWM as the default window manager
• To reconfigure it, or make any appearance changes, users just need to edit a simple C header file and recompile - easy peasy
• As we've mentioned on the show, PCBSD has been promoting safe backup solutions for a long time with its "life preserver" utility, making it simple to manage multiple snapshots too
• To test if people have been listening to this advice, Kris recently activated the backdoor he put in life preserver that deletes all the users' files - hope you had that stuff backed up ***

NetBSD and FreeBSD join forces

• The BSD community has been running into one of the same problems Linux has lately: we just have too many different BSDs to choose from
• What's more, none of them have any specific areas they focus on or anything like that (they're all basically the same)
• That situation is about to improve somewhat, as FreeBSD and NetBSD have just merged codebases... say hello to FretBSD
• Within a week, all mailing lists and webservers for the legacy NetBSD and FreeBSD projects will be terminated - the mailing list for the new combined project will be hosted from the United Nations datacenter on a Microsoft Exchange server
• As UN monitors will be moderating the mailing lists to prevent disagreements and divisive arguments before they begin, this system is expected to be adequate for the load
• With FretBSD, your toaster can now run ZFS, so you'll never need to worry about the bread becoming silently corrupted again ***

Puffy in the cloud

• If you've ever wanted to set up a backup server, especially for family members or someone who's not as technology-savvy, you've probably realized there are a lot of options
• This post explores the option of setting up your own Dropbox-like service with Owncloud and PostgreSQL, running atop the new OpenBSD http daemon
• Doing it this way with your own setup, you can control all the security aspects - disk encryption, firewall rules, who can access what and from where, etc
• He also mentions our pf tutorial being helpful in blocking script kiddies from hammering the box
• Be sure to encourage your less-technical friends to always back up their important data ***

NetBSD at AsiaBSDCon

• Some NetBSD developers have put together a report of what they did at the most recent event in Tokyo
• It includes a wrap-up of the event, as well as a list of presentations that NetBSD developers gave
• Have you ever wanted even more pictures of NetBSD running on lots of devices? There's a never-ending supply, apparently
• At the BSD research booth of AsiaBSDCon, there were a large number of machines on display, and someone has finally uploaded pictures of all of them
• There's also a video of an OMRON LUNA-II running the luna68k port ***

Interview - Kamila Součková - kamila@ksp.sk / @anotherkamila

BSD conferences, Google Summer of Code, various topics

News Roundup

FreeBSD foundation March update

• The FreeBSD foundation has published their March update for fundraising and sponsored projects
• In the document, you'll find information about upcoming ARMv8 enhancements, some event recaps and a Google Summer of Code status update
• They also mention our interview with the foundation president - be sure to check it out if you haven't ***

Inside OpenBSD's new httpd

• BSD news continues to dominate mainstream tech news sites… well not really, but they talk about it once in a while
• The SD Times is featuring an article about OpenBSD's in-house HTTP server, after seeing Reyk's AsiaBSDCon presentation about it (which he's giving at BSDCan this year, too)
• In this article, they talk about the rapid transition of webservers in the base system - apache being replaced with nginx, only to be replaced with httpd shortly thereafter
• Since the new daemon has had almost a full release cycle to grow, new features and fixes have been pouring in
• The post also highlights some of the security features: everything runs in a chroot with privsep by default, and it also leverages strong TLS 1.2 defaults (including Perfect Forward Secrecy) ***

Using poudriere without OpenSSL

• Last week we talked about using LibreSSL in FreeBSD for all your ports
• One of the problems that was mentioned is that some ports are configured improperly, and end up linking against the OpenSSL in the base system even when you tell them not to
• This blog post shows how to completely strip OpenSSL out of the poudriere build jails, something that's a lot more difficult than you'd think
• If you're a port maintainer, pay close attention to this post, and get your ports fixed to adhere to the make.conf options properly ***

HAMMER and GPT in OpenBSD

• Someone, presumably a Google Summer of Code student, wrote in to the lists about his HAMMER FS porting proposal
• He outlined the entire process and estimated timetable, including what would be supported and which aspects were beyond the scope of his work (like the clustering stuff)
• There's no word yet on if it will be accepted, but it's an interesting idea to explore, especially when you consider that HAMMER really only has one developer
• In more disk-related news, Ken Westerback has been committing quite a lot of GPT-related fixes recently
• Full GPT support will most likely be finished before 5.8, but anything involving HAMMER FS is still anyone's guess ***

Feedback/Questions

• Morgan writes in
• Dustin writes in
• Stan writes in
• Mica writes in ***

Mailing List Gold

• Developers in freefall
• Xorg thieves pt. 1
• Xorg thieves pt. 2 ***

This episode was brought to you by

Headlines

Password gropers take spamtrap bait

• Our friend Peter Hansteen, who keeps his eyes glued to his log files, has a new blog post
• He seems to have discovered another new weird phenomenon in his pop3 logs
• "yes, I still run one, for the same bad reasons more than a third of my readers probably do: inertia"
• Someone tried to log in to his service with an address that was known to be invalid
• The rest of the post goes into detail about his theory of why someone would use a list of invalid addresses for this purpose ***

Inside the Atheros wifi chipset

• Adrian Chadd - sometimes known in the FreeBSD community as "the wireless guy" - gave a talk at the Defcon Wireless Village 2014
• He covers a lot of topics on wifi, specifically on Atheros chips and why they're so popular for open source development
• There's a lot of great information in the presentation, including cool (and evil) things you can do with wireless cards
• Very technical talk; some parts might go over your head if you're not a driver developer
• The raw video file is also available to download on archive.org
• Adrian has also recently worked on getting Kismet and Aircrack-NG to work better with FreeBSD, including packet injection and other fun things ***

Trip report and hackathon mini-roundup

• A few more (late) reports from BSDCan and the latest OpenBSD hackathon have been posted
• Mark Linimon mentions some of the future plans for FreeBSD's release engineering and ports
• Bapt also has a BSDCan report detailing his work on ports and packages
• Antoine Jacoutot writes about his work at the most recent hackathon, working with rc configuration and a new /etc/examples layout
• Peter Hessler, a latecomer to the hackathon, details his experience too, hacking on the installer and built-in upgrade function
• Christian Weisgerber talks about starting some initial improvements of OpenBSD's ports infrastructure ***

DragonFly BSD 3.8.2 released

• Although it was already branched, the release media is now available for DragonFly 3.8.2
• This is a minor update, mostly to fix the recent OpenSSL vulnerabilities
• It also includes some various other small fixes ***

Interview - Eric Le Blan - info@xinuos.com

Xinuos' recent FreeBSD integration, BSD in the commercial server space

Tutorial

Building a hardened, feature-rich webserver

News Roundup

Defend your network and privacy, FreeBSD version

• Back in episode 39, we covered a blog post about creating an OpenBSD gateway - partly based on our tutorial
• This is a follow-up post, by the same author, about doing a similar thing with FreeBSD
• He mentions some of the advantages and disadvantages between the two operating systems, and encourages users to decide for themselves which one suits their needs
• The rest is pretty much the same things: firewall, VPN, DHCP server, DNSCrypt, etc. ***

Don't encrypt all the things

• Another couple of interesting blog posts from Ted Unangst about encryption
• It talks about how Google recently started ranking sites with HTTPS higher in their search results, and then reflects on how sometimes encryption does more harm than good
• After heartbleed, the ones who might be able to decrypt your emails went from just a three-letter agency to any script kiddie
• He also talks a bit about some PGP weaknesses and a possible future replacement
• He also has another, similar post entitled "in defense of opportunistic encryption" ***

New automounter lands in FreeBSD

• The work on the new automounter has just landed in 11-CURRENT
• With help from the FreeBSD Foundation, we'll have a new "autofs" kernel option
• Check the SVN viewer online to read over the man pages if you're not running -CURRENT
• You can also read a bit about it in the recent newsletter ***

OpenSSH 6.7 CFT

• It's been a little while since the last OpenSSH release, but 6.7 is almost ready
• Our friend Damien Miller issued a call for testing for the upcoming version, which includes a fair amount of new features
• It includes some old code removal, some new features and some internal reworkings - we'll cover the full list in detail when it's released
• This version also officially supports being built with LibreSSL now
• Help test it out and report any findings, especially if you have access to something a little more exotic than just a BSD system ***

Feedback/Questions

• David writes in
• Lachlan writes in
• Francis writes in
• Frank writes in
• Sean writes in ***

This episode was brought to you by

Headlines

FreeBSD quarterly status report

• FreeBSD has gotten quite a lot done this quarter
• Changes in the way release branches are supported - major releases will get at least five years over their lifespan
• A new automounter is in the works, hoping to replace amd (which has some issues)
• The CAM target layer and RPC stack have gotten some major optimization and speed boosts
• Work on ZFSGuru continues, with a large status report specifically for that
• The report also mentioned some new committers, both source and ports
• It also covers GNATS being replaced with Bugzilla, the new core team, 9.3-RELEASE, GSoC updates, UEFI booting and lots of other things that we've already mentioned on the show
• "Foundation-sponsored work resulted in 226 commits to FreeBSD over the April to June period" ***

A new OpenBSD HTTPD is born

• Work has begun on a new HTTP daemon in the OpenBSD base system
• A lot of people are asking "why?" since OpenBSD includes a chrooted nginx already - will it be removed? Will they co-exist?
• Initial responses seem to indicate that nginx is getting bloated, and is a bit overkill for just serving content (this isn't trying to be a full-featured replacement)
• It's partially based on the relayd codebase and also comes from the author of relayd, Reyk Floeter
• This has the added benefit of the usual, easy-to-understand syntax and privilege separation
• There's a very brief man page online already
• It supports vhosts and can serve static files, but is still in very active development - there will probably be even more new features by the time this airs
• Will it be named OpenHTTPD? Or perhaps... LibreHTTPD? (I hope not) ***

pkgng 1.3 announced

• The newest version of FreeBSD's second generation package management system has been released, with lots of new features
• It has a new "real" solver to automatically handle conflicts, and dynamically discover new ones (this means the annoying -o option is deprecated now, hooray!)
• Lots of the code has been sandboxed for extra security
• You'll probably notice some new changes to the UI too, making things more user friendly
• A few days later 1.3.1 was released to fix a few small bugs, then 1.3.2 shortly thereafter and 1.3.3 yesterday ***

FreeBSD after-install security tasks

• A number of people have written in to ask us "how do I secure my BSD box after I install it?"
• With this blog post, hopefully most of their questions will finally be answered in detail
• It goes through locking down SSH with keys, patching the base system for security, installing packages and keeping them updated, monitoring and closing any listening services and a few other small things
• Not only does it just list things to do, but the post also does a good job of explaining why you should do them
• Maybe we'll see some more posts in this series in the future ***

Interview - Brent Cook - bcook@openbsd.org / @busterbcook

LibreSSL's portable version and development

News Roundup

FreeBSD Mastery - Storage Essentials

• MWL's new book about the FreeBSD storage subsystems now has an early draft available
• Early buyers can get access to an in-progress draft of the book before the official release, but keep in mind that it may go through a lot of changes
• Topics of the book will include GEOM, UFS, ZFS, the disk utilities, partition schemes, disk encryption and maximizing I/O performance
• You'll get access to the completed (e)book when it's done if you buy the early draft
• The suggested price is $8 ***

Why BSD and not Linux?

• Yet another thread comes up asking why you should choose BSD over Linux or vice-versa
• Lots of good responses from users of the various BSDs
• Directly ripping a quote: "Features like Ports, Capsicum, CARP, ZFS and DTrace were stable on BSDs before their Linux versions, and some of those are far more usable on BSD. Features like pf are still BSD-only. FreeBSD has GELI and ipfw and is "GCC free". DragonflyBSD has HAMMER and kernel performance tuning. OpenBSD have upstream pf and their gamut of security features, as well as a general emphasis on simplicity."
• And "Over the years, the BSDs have clearly shown their worth in the nix ecosystem by pioneering new features and driving adoption of others. The most recent on OpenBSD were 2038 support and LibreSSL. FreeBSD still arguably rules the FOSS storage space with ZFS."
• Some other users share their switching experiences - worth a read ***

More g2k14 hackathon reports

• Following up from last week's huge list of hackathon reports, we have a few more
• Landry Breuil spent some time with Ansible testing his infrastructure, worked on the firefox port and tried to push some of their patches upstream
• Andrew Fresh enjoyed his first hackathon, pushing OpenBSD's perl patches upstream and got tricked into rewriting the adduser utility in perl
• Ted Unangst did his usual "teduing" (removing of) old code - say goodbye to asa, fpr, mkstr, xstr, oldrdist, fsplit, uyap and bluetooth
• Luckily we didn't have to cover 20 new ones this time! ***

BSDTalk episode 243

• The newest episode of BSDTalk is out, featuring an interview with Ingo Schwarze of the OpenBSD team
• The main topic of discussion is mandoc, which some users might not be familiar with
• mandoc is a utility for formatting manpages that OpenBSD and NetBSD use (DragonFlyBSD and FreeBSD include it in their source tree, but it's not built by default)
• We'll catch up to you soon, Will! ***

Feedback/Questions

• Thomas writes in
• Stephen writes in
• Sha'ul writes in
• Florian writes in
• Bob Beck writes in - and note the "Caution" section that was added to libressl.org ***