NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

From Proxmox to FreeBSD - Story of a Migration

FreeBSD At 30: The History And Future Of The Most Popular BSD-Based OS

News Roundup

Using a dedicated administration workstation for my infrastructure

LibreSSL 4.0.0 Released

Plasma6 and FreeBSD 14

git: world - Replace gnu diff, diff3, and sdiff with BSD versions

Beastie Bits

- How to Upgrade FreeBSD KDE 5 to KDE 6

• ***

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

FreeBSD Status Report First Quarter 2024

Why not BSD + Sequel next week

News Roundup

LibreSSL version 3.9.2 released

Running NetBSD on OmniOS using bhyve

X.Org on NetBSD - the state of things

Unix version control lore: what, ident

How I search in 2024

sshd(8) split into multiple binaries

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

People have no doubt heard of this by now, but are not aware of the BSD side of
things since its mostly been Linux getting all the news. It'd be nice if we
could give a summary of the issue and then address how it does/doesn't affect
the BSDs.
The XZ Backdoor

• NetBSD's statement
• FreeBSD's statement
• OpenBSD?

NetBSD 10.0

News Roundup

iX announces that they will put out a release of TrueNAS 13.3

• A community fork has been announced

State of the Terminal

LibreSSL 3.8.4 and 3.9.1 released

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Derek via feedback has asked for some discussion around this NetBSD security advisory
  -- Advisory Link

• Ben - Nextcloud Installation

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Looking Towards the Future: FreeBSD on the RISC-V Architecture

A bit of XENIX history

News Roundup

Official packages

recover lost text by coredumping firefox

FuguIta 7.4 has been released

LibreSSL 3.8.2 Released

OpenSMTPD 7.4.0p0 Released

Conference News

AsiaBSDCon 2024

BSDCan 2024

EuroBSDCon 2024

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

  ---

NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Host Introductions - Jason Tubnor - https://www.tubsta.com / @tubsta / @Tubsta@soc.feditime.com

Headlines

Understanding ZFS vdev Types

Don't abuse su for dropping user privileges

News Roundup

Dynamic Tracing on OpenBSD 7.3

new Libressl

Manual Jails on FreeBSD 12

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Chris - questions
• Dan - zfs questions
• Pablo - Jail question

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Unix Philosophy: A Quick Look at the Ideas that Made Unix

Hints for writing Unix Tools

News Roundup

Cron best practices

Filesystems can experience at least three different sorts of errors

LibreSSL 3.5.1 development branch as well as 3.4.3 (stable) and 3.3.6 released

Taskwarrior to manage tasks

Beastie Bits

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Andrew - virtualization
• Brad - jails applications and interoperability

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

RISC-V: The New Architecture on the Block

• If you want more RISC-V, check out JT's interview with Mark Himelstein the CTO of RISC-V International *** ### OpenBSD on the Vortex86DX CPU *** ## News Roundup aka there’s been lots of releases recently so lets go through them: ### Lumina 1.6.1 ### opnsense 21.7.3 ### LibreSSL patches ### OpenBGPD 7.2 ### Midnight BSD 2.1.0 ### GhostBSD 21.09 ISO ### helloSystemv0.6

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Brandon - FreeBSD question
• Bruce - Fixing a weird Apache Bug
• Dan - zfs question

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Adventures in Freebernetes: bhyve My Guest

Part 2 of experiments in FreeBSD and Kubernetes: Creating your first guest

---

Tracing Kernel Functions: FBT stack() and arg

In my previous post I described how FBT intercepts function calls and vectors them into the DTrace framework. That laid the foundation for what I want to discuss in this post: the implementation of the stack() action and built-in arg variables. These features rely on the precise layout of the stack, the details of which I touched on previously. In this post I hope to illuminate those details a bit more with the help of some visuals, and then guide you through the implementation of these two DTrace features as they relate to the FBT provider.

---

News Roundup

Dummynet: The Better Way of Building FreeBSD Networks

Dummynet is the FreeBSD traffic shaper, packet scheduler, and network emulator. Dummynet allows you to emulate a whole set of network environments in a straight-forward way. It has the ability to model delay, packet loss, and can act as a traffic shaper and policer. Dummynet is roughly equivalent to netem in Linux, but we have found that dummynet is easier to integrate and provides much more consistent results.

---

New beginnings: CDBUG virtual meetings

I had overwhelmingly positive responses from the broader *BSD community about restarting CDBUG meetings as virtual, at least for now. Hopefully this works well and even when we're back to in-person meetings we can still find a way to bring in virtual attendees.

---

LibreSSL update in DragonFly

DragonFly has a new version of libressl, noting cause it has a newer TLS1.3 implementation – something that may be necessary for you.

---

Signal-cli with scli on FreeBSD

So couple of days ago I migrated from macOS on Macbook Pro to FreeBSD on ThinkPad T480s.

---

Beastie Bits

• Firefox is not paxctl safe for NetBSD
• FreeBSD 12.2-RELEASE on Microsoft Azure Marketplace

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• carlos - BSD Now around the world
• paulo - freebsd on a Bananapi
  • paulo - followup

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

OpenZFS with ZSTD land in FreeBSD 13

• ZStandard Compression for OpenZFS > The primary benefit is maintaining a completely shared code base with the community allowing FreeBSD to receive new features sooner and with less effort. > I would advise against doing 'zpool upgrade' or creating indispensable pools using new features until this change has had a month+ to soak.
• Rebasing FreeBSD’s OpenZFS on the new upstream was sponsored by iXsystems
• The competition of ZSTD support for OpenZFS was sponsored by the FreeBSD Foundation ***

LibreSSL documentation status update

More than six years ago, LibreSSL was forked from OpenSSL, and almost two years ago, i explained the status of LibreSSL documentation during EuroBSDCon 2018 in Bucuresti. So it seems providing an update might be in order.
Note that this is not an update regarding LibreSSL status in general because i'm not the right person to talk about the big picture of working on the LibreSSL code, my work has been quite focussed on documentation. All the same, it is fair to say that even though the number of developers working on it is somewhat limited, the LibreSSL project is quite alive, typically having a release every few months. Progress continues being made with respect to porting and adding new functionality (for example regarding TLSv1.3, CMS, RSA-PSS, RSA-OAEP, GOST, SM3, SM4, XChaCha20 during the last two years), OpenSSL compatibility improvements (including providing additional OpenSSL-1.1 APIs), and lots of bug fixes and code cleanup.

FreeBSD on SPARC64 (is dead)

’m coming pretty late to the party, because SPARC64 support in FreeBSD is apparently doomed: After the POWER platform made the switch to a LLVM/Clang-based toolchain, SPARC64 is one of the last ones that still uses the ancient GCC 4.2-based toolchain that the project wants to finally get rid off (it has already happened as I was writing this – looks like the firm plan was not so firm after all, since they killed it off early). And compared to the other platforms it has seen not too much love in recent times… SPARC64 being a great platform, I’d be quite sad to see it go. But before that happens let’s see what the current status is and what would need to be done if it were to survive, shall we?

News Roundup

Bringing zpool checkpoints to a FreeBSD bootloader

Almost two years ago I wrote a blog post about checkpoints in ZFS. I didn’t hide that I was a big fan of them. That said, after those two years, I still feel that there are underappreciated features in the ZFS world, so I decided to do something about that.
Currently, one of the best practices for upgrading your operating system is to use boot environments. They are a great feature for managing multiple kernels and userlands. They are based on juggling which ZFS datasets are mounted. Each dataset has its own version of the system. Unfortunately, boot environments have their limitations. If we, for example, upgrade our ZFS pool, we may not be able to use older versions of the system anymore.
The big advantage of boot environments is that they have very good tools. Two main tools are beadm (which was created by vermaden) and bectl (which currently is in the FreeBSD base system). These tools allow us to create and manage boot environments.

Beastie Bits

• The First Unix Port
• TLS Mastery updates, August 2020
• What is the Oldest BSD Distribution still around today

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• ben - zfs send questions
• lars - zfs pool question
• neutron - bectl vs beadm

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

OpenBSD 6.5 Released

• Changelog
• Mirrors
• 6.5 Includes
  • OpenSMTPD 6.5.0
  • LibreSSL 2.9.1
  • OpenSSH 8.0
  • Mandoc 1.14.5
  • Xenocara
  • LLVM/Clang 7.0.1 (+ patches)
  • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
• Many pre-built packages for each architecture:
  • aarch64: 9654
  • amd64: 10602
  • i386: 10535

Mount your ZFS datasets anywhere you want

ZFS is very flexible about mountpoints, and there are many features available to provide great flexibility. When you create zpool maintank, the default mountpoint is /maintank. You might be happy with that, but you don’t have to be content. You can do magical things.

• Some highlights are:
  • mount point can be inherited
  • not all filesystems in a zpool need to be mounted
  • each filesystem (directory) can have different ZFS characteristics
  • In my case, let’s look at this new zpool I created earlier today and I will show you some very simple alternatives. This zpool use NVMe devices which should be faster than SSDs especially when used with multiple concurrent writes. This is my plan: run all the Bacula regression tests concurrently.

News Roundup

Branch for netbsd 9 upcoming, please help and test -current

Folks, once again we are quite late for branching the next NetBSD release (NetBSD 9). Initially planned to happen early in February 2019, we are now approaching May and it is unlikely that the branch will happen before that. On the positive side, lots of good things landed in -current in between, like new Mesa, new jemalloc, lots of ZFS improvements - and some of those would be hard to pull up to the branch later. On the bad side we saw lots of churn in -current recently, and there is quite some fallout where we not even have a good overview right now. And this is where you can help:

• please test -current, on all the various machines you have
• especially interesting would be test results from uncommon architectures or strange combinations (like the sparc userland on sparc64 kernel issue I ran in yesterday) Please test, report success, and file PRs for failures! We will likely announce the real branch date on quite short notice, the likely next candidates would be mid may or end of may. We may need to do extra steps after the branch (like switch some architectures back to old jemalloc on the branch). However, the less difference between -current and the branch, the easier will the release cycle go. Our goal is to have an unprecedented short release cycle this time. But.. we always say that upfront.

---

LibreSSL 2.9.1 Released

We have released LibreSSL 2.9.1, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the first stable release from the 2.9 series, which is also included with OpenBSD 6.5

It includes the following changes and improvements from LibreSSL 2.8.x:

• API and Documentation Enhancements

  • CRYPTO_LOCK is now automatically initialized, with the legacy callbacks stubbed for compatibility.
  • Added the SM3 hash function from the Chinese standard GB/T 32905-2016.
  • Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.
  • Added more OPENSSLNO* macros for compatibility with OpenSSL.
  • Partial port of the OpenSSL ECKEYMETHOD API for use by OpenSSH.
  • Implemented further missing OpenSSL 1.1 API.
  • Added support for XChaCha20 and XChaCha20-Poly1305.
  • Added support for AES key wrap constructions via the EVP interface.

• Compatibility Changes

  • Added pbkdf2 key derivation support to openssl(1) enc.
  • Changed the default digest type of openssl(1) enc to sha256.
  • Changed the default digest type of openssl(1) dgst to sha256.
  • Changed the default digest type of openssl(1) x509 -fingerprint to sha256.
  • Changed the default digest type of openssl(1) crl -fingerprint to sha256.

• Testing and Proactive Security

  • Added extensive interoperability tests between LibreSSL and OpenSSL 1.0 and 1.1.
  • Added additional Wycheproof tests and related bug fixes.

• Internal Improvements

  • Simplified sigalgs option processing and handshake signing algorithm selection.
  • Added the ability to use the RSA PSS algorithm for handshake signatures.
  • Added bnrandinterval() and use it in code needing ranges of random bn values.
  • Added functionality to derive early, handshake, and application secrets as per RFC8446.
  • Added handshake state machine from RFC8446.
  • Removed some ASN.1 related code from libcrypto that had not been used since around 2000.
  • Unexported internal symbols and internalized more record layer structs.
  • Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.

• Portable Improvements

  • Added support for assembly optimizations on 32-bit ARM ELF targets.
  • Added support for assembly optimizations on Mingw-w64 targets.
  • Improved Android compatibility

• Bug Fixes

  • Improved protection against timing side channels in ECDSA signature generation.
  • Coordinate blinding was added to some elliptic curves. This is the last bit of the work by Brumley et al. to protect against the Portsmash vulnerability.
  • Ensure transcript handshake is always freed with TLS 1.2.

The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.

---

FreeBSD Mastery: Jails – Bail Bond Denied Edition

I had a brilliant, hideous idea: to produce a charity edition of FreeBSD Mastery: Jails featuring the cover art I would use if I was imprisoned and did not have access to a real cover artist. (Never mind that I wouldn’t be permitted to release books while in jail: we creative sorts scoff at mere legal and cultural details.) I originally wanted to produce my own take on the book’s cover art. My first attempt failed spectacularly. I downgraded my expectations and tried again. And again. And again. I’m pleased to reveal the final cover for FreeBSD Mastery: Jails–Bail Bond Edition! This cover represents the very pinnacle of my artistic talents, and is the result of literally hours of effort. But, as this book is available only to the winner of charity fund-raisers, purchase of this tome represents moral supremacy. I recommend flaunting it to your family, coworkers, and all those of lesser character. Get your copy by winning the BSDCan 2019 charity auction… or any other other auction-type event I deem worthwhile. As far as my moral fiber goes: I have learned that art is hard, and that artists are not paid enough. And if I am ever imprisoned, I do hope that you’ll contribute to my bail fund. Otherwise, you’ll get more covers like this one.

One reason ed(1) was a good editor back in the days of V7 Unix

It is common to describe ed(1) as being line oriented, as opposed to screen oriented editors like vi. This is completely accurate but it is perhaps not a complete enough description for today, because ed is line oriented in a way that is now uncommon. After all, you could say that your shell is line oriented too, and very few people use shells that work and feel the same way ed does. The surface difference between most people's shells and ed is that most people's shells have some version of cursor based interactive editing. The deeper difference is that this requires the shell to run in character by character TTY input mode, also called raw mode. By contrast, ed runs in what Unix usually calls cooked mode, where it reads whole lines from the kernel and the kernel handles things like backspace. All of ed's commands are designed so that they work in this line focused way (including being terminated by the end of the line), and as a whole ed's interface makes this whole line input approach natural. In fact I think ed makes it so natural that it's hard to think of things as being any other way. Ed was designed for line at a time input, not just to not be screen oriented. This input mode difference is not very important today, but in the days of V7 and serial terminals it made a real difference. In cooked mode, V7 ran very little code when you entered each character; almost everything was deferred until it could be processed in bulk by the kernel, and then handed to ed all in a single line which ed could also process all at once. A version of ed that tried to work in raw mode would have been much more resource intensive, even if it still operated on single lines at a time.

Beastie Bits

• CFT for FreeBSD ZoL
• Simple DNS Adblock
• AT&T Unix PC in 1985
• OpenBSD-current drm at 4.19, includes new support for Intel GPUs like Coffee Lake
• "What are the differences between Linux and OpenBSD?" - Twitter thread
• Announcing the pkgsrc-2019Q1 release (2019-04-10)

Feedback/Questions

• Brad - iocage
• Frank - Video from Level1Tech and a question
• Niall - Revision Control

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

##Headlines
###Open Source Confronts its midlife crisis

Midlife is tough: the idealism of youth has faded, as has inevitably some of its fitness and vigor. At the same time, the responsibilities of adulthood have grown. Making things more challenging, while you are navigating the turbulence of teenagers, your own parents are likely entering life’s twilight, needing help in new ways from their adult children. By midlife, in addition to the singular joys of life, you have also likely experienced its terrible sorrows: death, heartbreak, betrayal. Taken together, the fading of youth, the growth in responsibility and the endurance of misfortune can lead to cynicism or (worse) drastic and poorly thought-out choices. Add in a little fear of mortality and some existential dread, and you have the stuff of which midlife crises are made…
I raise this not because of my own adventures at midlife, but because it is clear to me that open source — now several decades old and fully adult — is going through its own midlife crisis. This has long been in the making: for years, I (and others) have been critical of service providers’ parasitic relationship with open source, as cloud service providers turn open source software into a service offering without giving back to the communities upon which they implicitly depend. At the same time, open source has been (rightfully) entirely unsympathetic to the proprietary software models that have been burned to the ground — but also seemingly oblivious as to the larger economic waves that have buoyed them.
So it seemed like only a matter of time before the companies built around open source software would have to confront their own crisis of confidence: open source business models are really tough, selling software-as-a-service is one of the most natural of them, the cloud service providers are really good at it — and their commercial appetites seem boundless. And, like a new cherry red two-seater sports car next to a minivan in a suburban driveway, some open source companies are dealing with this crisis exceptionally poorly: they are trying to restrict the way that their open source software can be used. These companies want it both ways: they want the advantages of open source — the community, the positivity, the energy, the adoption, the downloads — but they also want to enjoy the fruits of proprietary software companies in software lock-in and its monopolistic rents. If this were entirely transparent (that is, if some bits were merely being made explicitly proprietary), it would be fine: we could accept these companies as essentially proprietary software companies, albeit with an open source loss-leader. But instead, these companies are trying to license their way into this self-contradictory world: continuing to claim to be entirely open source, but perverting the license under which portions of that source are available. Most gallingly, they are doing this by hijacking open source nomenclature. Of these, the laughably named commons clause is the worst offender (it is plainly designed to be confused with the purely virtuous creative commons), but others (including CockroachDB’s Community License, MongoDB’s Server Side Public License, and Confluent’s Community License) are little better. And in particular, as it apparently needs to be said: no, “community” is not the opposite of “open source” — please stop sullying its good name by attaching it to licenses that are deliberately not open source! But even if they were more aptly named (e.g. “the restricted clause” or “the controlled use license” or — perhaps most honest of all — “the please-don’t-put-me-out-of-business-during-the-next-reInvent-keynote clause”), these licenses suffer from a serious problem: they are almost certainly asserting rights that the copyright holder doesn’t in fact have.
If I sell you a book that I wrote, I can restrict your right to read it aloud for an audience, or sell a translation, or write a sequel; these restrictions are rights afforded the copyright holder. I cannot, however, tell you that you can’t put the book on the same bookshelf as that of my rival, or that you can’t read the book while flying a particular airline I dislike, or that you aren’t allowed to read the book and also work for a company that competes with mine. (Lest you think that last example absurd, that’s almost verbatim the language in the new Confluent Community (sic) License.) I personally think that none of these licenses would withstand a court challenge, but I also don’t think it will come to that: because the vendors behind these licenses will surely fear that they wouldn’t survive litigation, they will deliberately avoid inviting such challenges. In some ways, this netherworld is even worse, as the license becomes a vessel for unverifiable fear of arbitrary liability.
let me put this to you as directly as possible: cloud services providers are emphatically not going to license your proprietary software. I mean, you knew that, right? The whole premise with your proprietary license is that you are finding that there is no way to compete with the operational dominance of the cloud services providers; did you really believe that those same dominant cloud services providers can’t simply reimplement your LDAP integration or whatever? The cloud services providers are currently reproprietarizing all of computing — they are making their own CPUs for crying out loud! — reimplementing the bits of your software that they need in the name of the service that their customers want (and will pay for!) won’t even move the needle in terms of their effort.
Worse than all of this (and the reason why this madness needs to stop): licenses that are vague with respect to permitted use are corporate toxin. Any company that has been through an acquisition can speak of the peril of the due diligence license audit: the acquiring entity is almost always deep pocketed and (not unrelatedly) risk averse; the last thing that any company wants is for a deal to go sideways because of concern over unbounded liability to some third-party knuckle-head. So companies that engage in license tomfoolery are doing worse than merely not solving their own problem: they are potentially poisoning the wellspring of their own community.
in the end, open source will survive its midlife questioning just as people in midlife get through theirs: by returning to its core values and by finding rejuvenation in its communities. Indeed, we can all find solace in the fact that while life is finite, our values and our communities survive us — and that our engagement with them is our most important legacy.

• See the article for the rest

###Donald Knuth - The Yoda of Silicon Valley

For half a century, the Stanford computer scientist Donald Knuth, who bears a slight resemblance to Yoda — albeit standing 6-foot-4 and wearing glasses — has reigned as the spirit-guide of the algorithmic realm.
He is the author of “The Art of Computer Programming,” a continuing four-volume opus that is his life’s work. The first volume debuted in 1968, and the collected volumes (sold as a boxed set for about $250) were included by American Scientist in 2013 on its list of books that shaped the last century of science — alongside a special edition of “The Autobiography of Charles Darwin,” Tom Wolfe’s “The Right Stuff,” Rachel Carson’s “Silent Spring” and monographs by Albert Einstein, John von Neumann and Richard Feynman.
With more than one million copies in print, “The Art of Computer Programming” is the Bible of its field. “Like an actual bible, it is long and comprehensive; no other book is as comprehensive,” said Peter Norvig, a director of research at Google. After 652 pages, volume one closes with a blurb on the back cover from Bill Gates: “You should definitely send me a résumé if you can read the whole thing.”
The volume opens with an excerpt from “McCall’s Cookbook”:

Here is your book, the one your thousands of letters have asked us to publish. It has taken us years to do, checking and rechecking countless recipes to bring you only the best, only the interesting, only the perfect.

Inside are algorithms, the recipes that feed the digital age — although, as Dr. Knuth likes to point out, algorithms can also be found on Babylonian tablets from 3,800 years ago. He is an esteemed algorithmist; his name is attached to some of the field’s most important specimens, such as the Knuth-Morris-Pratt string-searching algorithm. Devised in 1970, it finds all occurrences of a given word or pattern of letters in a text — for instance, when you hit Command+F to search for a keyword in a document.
Now 80, Dr. Knuth usually dresses like the youthful geek he was when he embarked on this odyssey: long-sleeved T-shirt under a short-sleeved T-shirt, with jeans, at least at this time of year. In those early days, he worked close to the machine, writing “in the raw,” tinkering with the zeros and ones.

• See the article for the rest

##News Roundup
###Let’s Encrypt: Certbot For OpenBSD’s httpd

• Intro

Let’s Encrypt is “a free, automated, and open Certificate Authority”.
Certbot is “an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web server”, well known as “the official Let’s Encrypt client”.
I remember well how excited I felt when I read Let’s Encrypt’s “Our First Certificate Is Now Live” in 2015.
How wonderful the goal of them is; it’s to “give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free” “to create a more secure and privacy-respecting Web”!
Since this year, they have begun to support even ACME v2 and Wildcard Certificate!
Well, in OpenBSD as well as other operating systems, it’s easy and comfortable to have their big help 😊

• Environment
• OS: OpenBSD 6.4 amd64
• Web Server: OpenBSD’s httpd
• Certification: Let’s Encrypt with Certbot 0.27
• Reference: OpenBSD’s httpd

###FreeBSD 12 released: Here is how to upgrade FreeBSD 11 to 12

The FreeBSD project announces the availability of FreeBSD 12.0-RELEASE. It is the first release of the stable/12 branch. The new version comes with updated software and features for a wild variety of architectures. The latest release provides performance improvements and better support for FreeBSD jails and more. One can benefit greatly using an upgraded version of FreeBSD.

FreeBSD 12.0 supports amd64, i386, powerpc, powerpc64, powerpcspe, sparc64, armv6, armv7, and aarch64 architectures. One can run it on a standalone server or desktop system. Another option is to run it on Raspberry PI computer. FreeBSD 12 also runs on popular cloud service providers such as AWS EC2/Lightsail or Google compute VM.

• New features and highlights:

• OpenSSL version 1.1.1a (LTS)

• OpenSSH server 7.8p1

• Unbound server 1.8.1

• Clang and co 6.0.1

• The FreeBSD installer supports EFI+GELI as an installation option

• VIMAGE FreeBSD kernel configuration option has been enabled by default. VIMAGE was the main reason I custom compiled FreeBSD for the last few years. No more custom compile for me.

• Graphics drivers for modern ATI/AMD and Intel graphics cards are now available in the FreeBSD ports collection

• ZFS has been updated to include new sysctl(s), vfs.zfs.arc_min_prefetch_ms and vfs.zfs.arc_min_prescient_prefetch_ms, which improve performance of the zpool scrub subcommand

• The pf packet filter is now usable within a jail using vnet

• KDE updated to version 5.12.5

• The NFS version 4.1 includes pNFS server support

• Perl 5.26.2

• The default PAGER now defaults to less for most commands

• The dd utility has been updated to add the status=progress option to match GNU/Linux dd command to show progress bar while running dd

• FreeBSD now supports ext4 for read/write operation

• Python 2.7

• much more

###Six Ways to Level Up Your nmap Game

nmap is a network exploration tool and security / port scanner.
If you’ve heard of it, and you’re like me, you’ve most likely used it like this:
ie, you’ve pointed it at an IP address and observed the output which tells you the open ports on a host.
I used nmap like this for years, but only recently grokked the manual to see what else it could do. Here’s a quick look and some of the more useful things I found out.

• 1. Scan a Network
• 1. Scan All Ports
• 1. Get service versions
• 1. Use -A for more data
• 1. Find out what nmap is up to
• 1. Script your own scans with NSE

###[NetBSD Desktop]

• Part 1: Manual NetBSD installation on GPT/UEFI
• NetBSD desktop pt.2: Set up wireless networking on NetBSD with wpa_supplicant and dhcpcd
• Part 3: Simple stateful firewall with NPF
• Part 4: 4: The X Display Manager (XDM)
• Part 5: automounting with Berkeley am-utils

##Beastie Bits

• Call For Testing: ZFS on FreeBSD Project
• DragonFlyBSD 5.4.1 release within a week
• You Can’t Opt Out of the Patent System. That’s Why Patent Pandas Was Created!
• Announcing Yggdrasil Network v0.3
• OpenBSD Network Engineer Job listing
• FreeBSD 12.0 Stable Version Released!
• LibreSSL 2.9.0 released
• Live stream test: Sgi Octane light bar repair / soldering!
• Configure a FreeBSD Email Server Using Postfix, Dovecot, MySQL, DAVICAL and SpamAssassin
• Berkeley smorgasbord
• FOSDEM BSD Devroom schedule

##Feedback/Questions

• Warren - Ep.273: OpenZFS on OS X
• cogoman - tarsnap security and using SSDs in raid
• Andrew - Portland BSD Pizza Night

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

Headlines

OpenBSD hypervisor coming soon

• Our buddy Mike Larkin never rests, and he posted some very tight-lipped console output on Twitter recently
• From what little he revealed at the time, it appeared to be a new hypervisor (that is, X86 hardware virtualization) running on OpenBSD -current, tentatively titled "vmm"
• Later on, he provided a much longer explanation on the mailing list, detailing a bit about what the overall plan for the code is
• Originally started around the time of the Australia hackathon, the work has since picked up more steam, and has gotten a funding boost from the OpenBSD foundation
• One thing to note: this isn't just a port of something like Xen or Bhyve; it's all-new code, and Mike explains why he chose to go that route
• He also answered some basic questions about the requirements, when it'll be available, what OSes it can run, what's left to do, how to get involved and so on ***

Why FreeBSD should not adopt launchd

• Last week we mentioned a talk Jordan Hubbard gave about integrating various parts of Mac OS X into FreeBSD
• One of the changes, perhaps the most controversial item on the list, was the adoption of launchd to replace the init system (replacing init systems seems to cause backlash, we've learned)
• In this article, the author talks about why he thinks this is a bad idea
• He doesn't oppose the integration into FreeBSD-derived projects, like FreeNAS and PC-BSD, only vanilla FreeBSD itself - this is also explained in more detail
• The post includes both high-level descriptions and low-level technical details, and provides an interesting outlook on the situation and possibilities
• Reddit had quite a bit to say about this one, some in agreement and some not ***

DragonFly graphics improvements

• The DragonFlyBSD guys are at it again, merging newer support and fixes into their i915 (Intel) graphics stack
• This latest update brings them in sync with Linux 3.17, and includes Haswell fixes, DisplayPort fixes, improvements for Broadwell and even Cherryview GPUs
• You should also see some power management improvements, longer battery life and various other bug fixes
• If you're running DragonFly, especially on a laptop, you'll want to get this stuff on your machine quick - big improvements all around ***

OpenBSD tames the userland

• Last week we mentioned OpenBSD's tame framework getting support for file whitelists, and said that the userland integration was next - well, now here we are
• Theo posted a mega diff of nearly 100 smaller diffs, adding tame support to many areas of the userland tools
• It's still a work-in-progress version; there's still more to be added (including the file path whitelist stuff)
• Some classic utilities are even being reworked to make taming them easier - the "w" command, for example
• The diff provides some good insight on exactly how to restrict different types of utilities, as well as how easy it is to actually do so (and en masse)
• More discussion can be found on HN, as one might expect
• If you're a software developer, and especially if your software is in ports already, consider adding some more fine-grained tame support in your next release ***

Interview - Scott Courtney - vbsdcon@verisign.com / @verisign

vBSDCon 2015

News Roundup

OPNsense, beyond the fork

• We first heard about OPNsense back in January, and they've since released nearly 40 versions, spanning over 5,000 commits
• This is their first big status update, covering some of the things that've happened since the project was born
• There's been a lot of community growth and participation, mass bug fixing, new features added, experimental builds with ASLR and much more - the report touches on a little of everything ***

LibreSSL nukes SSLv3

• With their latest release, LibreSSL began to turn off SSLv3 support, starting with the "openssl" command
• At the time, SSLv3 wasn't disabled entirely because of some things in the OpenBSD ports tree requiring it (apache being one odd example)
• They've now flipped the switch, and the process of complete removal has started
• From the Undeadly summary, "This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to do!"
• With this change and a few more to follow shortly, Libre*SSL* won't actually support SSL anymore - time to rename it "LibreTLS" ***

FreeBSD MPTCP updated

• For anyone unaware, Multipath TCP is "an ongoing effort of the Internet Engineering Task Force's (IETF) Multipath TCP working group, that aims at allowing a Transmission Control Protocol (TCP) connection to use multiple paths to maximize resource usage and increase redundancy."
• There's been work out of an Australian university to add support for it to the FreeBSD kernel, and the patchset was recently updated
• Including in this latest version is an overview of the protocol, how to get it compiled in, current features and limitations and some info about the routing requirements
• Some big performance gains can be had with MPTCP, but only if both the client and server systems support it - getting it into the FreeBSD kernel would be a good start ***

UEFI and GPT in OpenBSD

• There hasn't been much fanfare about it yet, but some initial UEFI and GPT-related commits have been creeping into OpenBSD recently
• Some support for UEFI booting has landed in the kernel, and more bits are being slowly enabled after review
• This comes along with a number of other commits related to GPT, much of which is being refactored and slowly reintroduced
• Currently, you have to do some disklabel wizardry to bypass the MBR limit and access more than 2TB of space on a single drive, but it should "just work" with GPT (once everything's in)
• The UEFI bootloader support has been committed, so stay tuned for more updates as further progress is made ***

Feedback/Questions

• John writes in
• Mason writes in
• Earl writes in ***

This episode was brought to you by

Headlines

FreeBSD on Olimex RT5350F-OLinuXino

• If you haven't heard of the RT5350F-OLinuXino-EVB, you're not alone (actually, we probably couldn't even remember the name if we did know about it)
• It's a small board with a MIPS CPU, two ethernet ports, wireless support and... 32MB of RAM
• This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
• In part two of the series, he talks about the GPIO and how you can configure it
• Part three is still in the works, so check the site later on for further progress and info ***

The modern OpenBSD home router

• In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
• "It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst"
• Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
• This guide also covers PPP and IPv6, in case you have those requirements
• In a similar but unrelated series, another user does a similar thing - his post also includes details on reusing your consumer router as a wireless bridge
• He also has a separate post for setting up an IPSEC VPN on the router ***

NetBSD at Open Source Conference 2015 Kansai

• The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
• They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
• Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
• They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
• And what conference would be complete without an LED-powered towel ***

OpenSSH 7.0 released

• The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
• SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
• The syntax for permitting root logins has been changed, and is now called "prohibit-password" instead of "without-password" (this makes it so root can login, but only with keys) - all interactive authentication methods for root are also disabled by default now
• If you're using an older configuration file, the "without-password" option still works, so no change is required
• You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
• Various bug fixes and documentation improvements are also included
• Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users
• In the next release, even more deprecation is planned: RSA keys will be refused if they're under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled ***

Interview - Peter Toth - peter.toth198@gmail.com / @pannonp

Containment with iocage

News Roundup

More c2k15 reports

• A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
• Alexander Bluhm's up first, and he continued improving OpenBSD's regression test suite (this ensures that no changes accidentally break existing things)
• He also worked on syslogd, completing the TCP input code - the syslogd in 5.8 will have TLS support for secure remote logging
• Renato Westphal sent in a report of his very first hackathon
• He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) - the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
• Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
• His report opens with "First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking." - not exactly beginner stuff
• There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well ***

FreeBSD jails, the hard way

• As you learned from our interview this week, there's quite a selection of tools available to manage your jails
• This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
• Unlike with iocage, ZFS isn't actually a requirement for this method
• If you are using it, though, you can make use of snapshots for making template jails ***

OpenSSH hardware tokens

• We've talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
• This blog post will show you how to use a hardware token as a second authentication factor, for the "something you know, something you have" security model
• It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
• Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too ***

LibreSSL 2.2.2 released

• The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
• At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don't want in a crypto tool...) and much more
• SSLv3 support was removed from the "openssl" command, and only a few other SSLv3 bits remain - once workarounds are found for ports that specifically depend on it, it'll be removed completely
• Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
• It'll be in 5.8 (due out earlier than usual) and it's in the FreeBSD ports tree as well ***

Feedback/Questions

• James writes in
• Stuart writes in ***

This episode was brought to you by

Headlines

FreeBSD quarterly status report

• The FreeBSD team has posted a report of the activities that went on between January and March of this year
• As usual, it's broken down into separate reports from the various teams in the project (ports, kernel, virtualization, etc)
• The ports team continuing battling the flood of PRs, closing quite a lot of them and boasting nearly 7,000 commits this quarter
• The core team and cluster admins dealt with the accidental deletion of the Bugzilla database, and are making plans for an improved backup strategy within the project going forward
• FreeBSD's future release support model was also finalized and published in February, which should be a big improvement for both users and the release team
• Some topics are still being discussed internally, mainly MFCing ZFS ARC responsiveness patches to the 10 branch and deciding whether to maintain or abandon C89 support in the kernel code
• Lots of activity is happening in bhyve, some of which we've covered recently, and a number of improvements were made this quarter
• Clang, LLVM and LLDB have been updated to the 3.6.0 branch in -CURRENT
• Work to get FreeBSD booting natively on the POWER8 CPU architecture is also still in progress, but it does boot in KVM for the time being
• The project to replace forth in the bootloader with lua is in its final stages, and can be used on x86 already
• ASLR work is still being done by the HardenedBSD guys, and their next aim is position-independent executable
• The report also touches on multipath TCP support, the new automounter, opaque ifnet, pkgng updates, secureboot (which should be in 10.2-RELEASE), GNOME and KDE on FreeBSD, PCIe hotplugging, nested kernel support and more
• Also of note: work is going on to make ARM a Tier 1 platform in the upcoming 11.0-RELEASE (and support for more ARM boards is still being added, including ARM64) ***

OpenBSD 5.7 released

• OpenBSD has formally released another new version, complete with the giant changelog we've come to expect
• In the hardware department, 5.7 features many driver improvements and fixes, as well as support for some new things: USB 3.0 controllers, newer Intel and Atheros wireless cards and some additional 10gbit NICs
• If you're using one of the Soekris boards, there's even a new driver to manipulate the GPIO and LEDs on them - this has some fun possibilities
• Some new security improvements include: SipHash being sprinkled in some areas to protect hashing functions, big W^X improvements in the kernel space, static PIE on all architectures, deterministic "random" functions being replaced with strong randomness, and support for remote logging over TLS
• The entire source tree has also been audited to use reallocarray, which unintentionally saved OpenBSD's libc from being vulnerable to earlier attacks affecting other BSDs' implementations
• Being that it's OpenBSD, a number of things have also been removed from the base system: procfs, sendmail, SSLv3 support and loadable kernel modules are all gone now (not to mention the continuing massacre of dead code in LibreSSL)
• Some people seem to be surprised about the removal of loadable modules, but almost nothing utilized them in OpenBSD, so it was really just removing old code that no one used anymore - very different from FreeBSD or Linux in this regard, where kernel modules are used pretty heavily
• BIND and nginx have been taken out, so you'll need to either use the versions in ports or switch to Unbound and the in-base HTTP daemon
• Speaking of httpd, it's gotten a number of new features, and has had time to grow and mature since its initial debut - if you've been considering trying it out, now would be a great time to do so
• This release also includes the latest OpenSSH (with stronger fingerprint types and host key rotation), OpenNTPD (with the HTTPS constraints feature), OpenSMTPD, LibreSSL and mandoc
• Check the errata page for any post-release fixes, and the upgrade guide for specific instructions on updating from 5.6
• Groundwork has also been laid for some major SMP scalability improvements - look forward to those in future releases
• There's a song and artwork to go along with the release as always, and CDs should be arriving within a few days - we'll show some pictures next week
• Consider picking one up to support the project (and it's the only way to get puffy stickers)
• For those of you paying close attention, the banner image for this release just might remind you of a certain special episode of BSD Now... ***

Tor-BSD diversity project

• We've talked about Tor on the show a few times, and specifically about getting more of the network on BSD (Linux has an overwhelming majority right now)
• A new initiative has started to do just that, called the Tor-BSD diversity project
• "Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. Diversity means single vulnerabilities are less likely to harm the entire ecosystem. [...] A single kernel vulnerability in GNU/Linux that impacting Tor relays could be devastating. We want to see a stronger Tor network, and we believe one critical ingredient for that is operating system diversity."
• In addition to encouraging people to put up more relays, they're also continuing work on porting the Tor Browser Bundle to BSD, so more desktop users can have easy access to online privacy
• There's an additional progress report for that part specifically, and it looks like most of the work is done now
• Engaging the broader BSD community about Tor and fixing up the official documentation are also both on their todo list
• If you've been considering running a node to help out, there's always our handy tutorial on getting set up ***

PC-BSD 10.1.2-RC1 released

• If you want a sneak peek at the upcoming PC-BSD 10.1.2, the first release candidate is now available to grab
• This quarterly update includes a number of new features, improvements and even some additional utilities
• PersonaCrypt is one of them - it's a new tool for easily migrating encrypted home directories between systems
• A new "stealth mode" option allows for a one-time login, using a blank home directory that gets wiped after use
• Similarly, a new "Tor mode" allows for easy tunneling of all your traffic through the Tor network
• IPFW is now the default firewall, offering improved VIMAGE capabilities
• The life preserver backup tool now allows for bare-metal restores via the install CD
• ISC's NTP daemon has been replaced with OpenNTPD, and OpenSSL has been replaced with LibreSSL
• It also includes the latest Lumina desktop, and there's another post dedicated to that
• Binary packages have also been updated to fresh versions from the ports tree
• More details, including upgrade instructions, can be found in the linked blog post ***

Interview - Ed Schouten - ed@freebsd.org / @edschouten

CloudABI

News Roundup

Open Household Router Contraption

• This article introduces OpenHRC, the "Open Household Router Contraption"
• In short, it's a set of bootstrapping scripts to turn a vanilla OpenBSD install into a feature-rich gateway device
• It also makes use of Ansible playbooks for configuration, allowing for a more "mass deployment" type of setup
• Everything is configured via a simple text file, and you end up with a local NTP server, DHCP server, firewall (obviously) and local caching DNS resolver - it even does DNSSEC validation
• All the code is open source and on Github, so you can read through what's actually being changed and put in place
• There's also a video guide to the entire process, if you're more of a visual person ***

OPNsense 15.1.10 released

• Speaking of BSD routers, if you're looking for a "prebuilt and ready to go" option, OPNsense has just released a new version
• 15.1.10 drops some of the legacy patches they inherited from pfSense, aiming to stay closer to the mainline FreeBSD source code
• Going along with this theme, they've redone how they do ports, and are now kept totally in sync with the regular ports tree
• Their binary packages are now signed using the fingerprint-style method, various GUI menus have been rewritten and a number of other bugs were fixed
• NanoBSD-based images are also available now, so you can try it out on hardware with constrained resources as well
• Version 15.1.10.1 was released shortly thereafter, including a hotfix for VLANs ***

IBM Workpad Z50 and NetBSD

• Before the infamous netbook fad came and went, IBM had a handheld PDA device that looked pretty much the same
• Back in 1999, they released the Workpad Z50 with Windows CE, sporting a 131MHz MIPS CPU, 16MB of RAM and a 640x480 display
• You can probably tell where this is going... the article is about installing NetBSD it
• "What prevents me from taking my pristine Workpad z50 to the local electronics recycling facility is NetBSD. With a little effort it is possible to install recent versions of NetBSD on the Workpad z50 and even have XWindows running"
• The author got pkgsrc up and running on it too, and cleverly used distcc to offload the compiling jobs to something a bit more modern
• He's also got a couple videos of the bootup process and running Xorg (neither of which we'd call "speedy" by any stretch of the imagination) ***

FreeBSD from the trenches

• The FreeBSD foundation has a new blog post up in their "from the trenches" series, detailing FreeBSD in some real-world use cases
• In this installment, Glen Barber talks about how he sets up all his laptops with ZFS and GELI
• While the installer allows for an automatic ZFS layout, Glen notes that it's not a one-size-fits-all thing, and goes through doing everything manually
• Each command is explained, and he walks you through the process of doing an encrypted installation on your root zpool ***

Broadwell in DragonFly

• DragonFlyBSD has officially won the race to get an Intel Broadwell graphics driver
• Their i915 driver has been brought up to speed with Linux 3.14's, adding not only Broadwell support, but many other bugfixes for other cards too
• It's planned for commit to the main tree very soon, but you can test it out with a git branch for the time being ***

Feedback/Questions

• Bostjan writes in
• Hunter writes in
• Hrishi writes in
• Clint writes in
• Sergei writes in ***

Mailing List Gold

• How did you guess ***

This episode was brought to you by

Headlines

EuroBSDCon 2015 call for papers

• The call for papers has been announced for the next EuroBSDCon, which is set to be held in Sweden this year
• According to their site, the call for presentation proposals period will start on Monday the 23rd of March until Friday the 17th of April
• If giving a full talk isn't your thing, there's also a call for tutorials - if you're comfortable teaching other people about something BSD-related, this could be a great thing too
• You're not limited to one proposal - several speakers gave multiple in 2014 - so don't hesitate if you've got more than one thing you'd like to talk about
• We'd like to see a more balanced conference schedule than BSDCan's having this year, but that requires effort on both sides - if you're doing anything cool with any BSD, we'd encourage you submit a proposal (or two)
• Check the announcement for all the specific details and requirements
• If your talk gets accepted, the conference even pays for your travel expenses ***

Making security sausage

• Ted Unangst has a new blog post up, detailing his experiences with some recent security patches both in and out of OpenBSD
• "Unfortunately, I wrote the tool used for signing patches which somehow turned into a responsibility for also creating the inputs to be signed. That was not the plan!"
• The post first takes us through a few OpenBSD errata patches, explaining how some can get fixed very quickly, but others are more complicated and need a bit more review
• It also covers security in upstream codebases, and how upstream projects sometimes treat security issues as any other bug
• Following that, it leads to the topic of FreeType - and a much more complicated problem with backporting patches between versions
• The recent OpenSSL vulnerabilities were also mentioned, with an interesting story to go along with them
• Just 45 minutes before the agreed-upon announcement, OpenBSD devs found a problem with the patch OpenSSL planned to release - it had to be redone at the last minute
• It was because of this that FreeBSD actually had to release a security update to their security update
• He concludes with "My number one wish would be that every project provide small patches for security issues. Dropping enormous feature releases along with a note 'oh, and some security too' creates downstream mayhem." ***

Running FreeBSD on the server, a sysadmin speaks

• More BSD content is appearing on mainstream technology sites, and, more importantly, BSD Now is being mentioned
• ITWire recently did an interview with Allan about running FreeBSD on servers (possibly to go with their earlier interview with Kris about desktop usage)
• They discuss some of the advantages BSD brings to the table for sysadmins that might be used to Linux or some other UNIX flavor
• It also covers specific features like jails, ZFS, long-term support, automating tasks and even… what to name your computers
• If you've been considering switching your servers over from Linux to FreeBSD, but maybe wanted to hear some first-hand experience, this is the article for you ***

NetBSD ported to Hardkernel ODROID-C1

• In their never-ending quest to run on every new board that comes out, NetBSD has been ported to the Hardkernel ODROID-C1
• This one features a quad-core ARMv7 CPU at 1.5GHz, has a gig of ram and gigabit ethernet... all for just $35
• There's a special kernel config file for this board's hardware, available in both -current and the upcoming 7.0
• More info can be found on their wiki page
• After this was written, basic framebuffer console support was also committed, allowing a developer to run XFCE on the device ***

Interview - Bernard Spil - brnrd@freebsd.org / @sp1l

LibreSSL adoption in FreeBSD ports and the wider software ecosystem

News Roundup

Monitoring pf logs with Gource

• If you're using pf on any of the BSDs, maybe you've gotten bored of grepping logs and want to do something more fancy
• This article will show you how to get set up with Gource for a cinematic-like experience
• If you've never heard of Gource, it's "an OpenGL-based 3D visualization tool intended for visualizing activity on source control repositories"
• When you put all the tools together, you can end up with some pretty eye-catching animations of your firewall traffic
• One of our listeners wrote in to say that he set this up and, almost immediately, noticed his girlfriend's phone had been compromised - graphical representations of traffic could be useful for detecting suspicious network activity ***

pkgng 1.5.0 alpha1 released

• The development version of pkgng was updated to 1.4.99.14, or 1.5.0 alpha1
• This update introduces support for provides/requires, something that we've been wanting for a long time
• It will also now print which package is the reason for direct dependency change
• Another interesting addition is the "pkg -r" switch, allowing cross installation of packages
• Remember this isn't the stable version, so maybe don't upgrade to it just yet on any production systems
• DragonFly will also likely pick up this update once it's marked stable ***

Welcome to OpenBSD

• We mentioned last week that our listener Brian was giving a talk in the Troy, New York area
• The slides from that talk are now online, and they've been generating quite a bit of discussion online
• It's simply titled "Welcome to OpenBSD" and gives the reader an introduction to the OS (and how easy it is to get involved with contributing)
• Topics include a quick history of the project, who the developers are and what they do, some proactive security techniques and finally how to get involved
• As you may know, NetBSD has almost 60 supported platforms and their slogan is "of course it runs NetBSD" - Brian says, with 17 platforms over 13 CPU architectures, "it probably runs OpenBSD"
• No matter which BSD you might be interested in, these slides are a great read, especially for any beginners looking to get their feet wet
• Try to guess which font he used... ***

BSDTalk episode 252

• And somehow Brian has snuck himself into another news item this week
• He makes an appearance in the latest episode of BSD Talk, where he chats with Will about running a BSD-based shell provider
• If that sounds familiar, it's probably because we did the same thing, albeit with a different member of their team
• In this interview, they discuss what a shell provider does, hardware requirements and how to weed out the spammers in favor of real people
• They also talk a bit about the community aspect of a shared server, as opposed to just running a virtual machine by yourself ***

Feedback/Questions

• Christian writes in
• Stefan writes in
• Possnfiffer writes in
• Ruudsch writes in
• Shane writes in ***

Mailing List Gold

• Accidental support
• Larry's tears
• The boy who sailed with BSD ***

This episode was brought to you by

Headlines

Revisiting FreeBSD after 20 years

• With comments like "has Linux lost its way?" floating around, a Debian developer was prompted to revisit FreeBSD after nearly two decades
• This blog post goes through his experiences trying out a modern BSD variant, and includes the good, the bad and the ugly - not just praise this time
• He loves ZFS and the beadm tool, and finds the FreeBSD implementation to be much more stable than ZoL
• On the topic of jails, he summarizes: "Linux has tried so hard to get this right, and fallen on its face so many times, a person just wants to take pity sometimes. We’ve had linux-vserver, openvz, lxc, and still none of them match what FreeBSD jails have done for a long time."
• The post also goes through the "just plain different" aspects of a complete OS vs. a distribution of various things pieced together
• Finally, he includes some things he wasn't so happy about: subpar laptop support, virtualization being a bit behind, a myriad of complaints about pkgng and a few other things
• There was some decent discussion on Hacker News about this article too, with counterpoints from both sides ***

s2k15 hackathon report: network stack SMP

• The first trip report from the recent OpenBSD hackathon in Australia has finally been submitted
• One of the themes of this hackathon was SMP (symmetric multiprocessing) improvement, and Martin Pieuchot did some hacking on the network stack
• If you're not familiar with him, he gave a presentation at EuroBSDCon last year, titled Taming OpenBSD Network Stack Dragons
• Teaming up with David Gwynne, they worked on getting some bits of the networking code out of the big lock
• Hopefully more trip reports will be sent in during the coming weeks
• Most of the big code changes should probably appear after the 5.7-release testing period ***

From BIND to NSD and Unbound

• If you've been running a DNS server on any of the BSDs, you've probably noticed a semi-recent trend: BIND being replaced with Unbound
• BIND was ripped out in FreeBSD 10.0 and will be gone in OpenBSD 5.7, but both systems include Unbound now as an alternative
• OpenBSD goes a step further, also including NSD in the base system, whereas you'll need to install that from ports on FreeBSD
• Instead of one daemon doing everything like BIND tried to do, this new setup splits the authoritative nameserver and the caching resolver into two separate daemons
• This post takes you through the transitional phase of going from a single BIND setup to a combination of NSD and Unbound
• All in all, everyone wins here, as there will be a lot less security advisories in both BSDs because of it... ***

m0n0wall calls it quits

• The original, classic BSD firewall distribution m0n0wall has finally decided to close up shop
• For those unfamiliar, m0n0wall was a FreeBSD-based firewall project that put a lot of focus on embedded devices: running from a CF card, CD, USB drive or even a floppy disk
• It started over twelve years ago, which is pretty amazing when you consider that's around half of FreeBSD itself's lifespan
• The project was probably a lot of people's first encounter with BSD in any form
• If you were a m0n0wall user, fear not, you've got plenty of choices for a potential replacement: doing it yourself with something like FreeBSD or OpenBSD, or going the premade route with something like pfSense, OPNsense or the BSD Router Project
• The founder's announcement includes these closing words: "m0n0wall has served as the seed for several other well known open source projects, like pfSense, FreeNAS and AskoziaPBX. The newest offspring, OPNsense, aims to continue the open source spirit of m0n0wall while updating the technology to be ready for the future. In my view, it is the perfect way to bring the m0n0wall idea into 2015, and I encourage all current m0n0wall users to check out OPNsense and contribute if they can."
• While m0n0wall didn't get a lot of on-air mention, surely a lot of our listeners will remember it fondly ***

Interview - Alex Reece & Matt Ahrens - alex@delphix.com & matt@delphix.com / @openzfs

What's new in OpenZFS

Tutorial

Making your first patch (OpenBSD)

News Roundup

Overlaying remote LANs with OpenBSD's VXLAN

• Have you ever wanted to "merge" multiple remote LANs? OpenBSD's vxlan(4) is exactly what you need
• This article talks about using it to connect two virtualized infrastructures on different ESXi servers
• It gives a bit of networking background first, in case you're not quite up to speed on all this stuff
• This tool opens up a lot of very cool possibilities, even possibly doing a "remote" LAN party
• Be sure to check the AsiaBSDCon talk about VXLANs if you haven't already ***

2020, year of the PCBSD desktop

• Here we have a blog post about BSD on the desktop, straight from a KDE developer
• He predicts that PCBSD is going to take off before the year 2020, possibly even overtaking Linux's desktop market share (small as it may be)
• With PCBSD making a preconfigured FreeBSD desktop a reality, and the new KMS work, the author is impressed with how far BSD has come as a viable desktop option
• ZFS and easy-to-use boot environments top the list of things he says differentiate the BSD desktop experience from the Linux one
• There was also some discussion on Slashdot that might be worth reading ***

OpenSSH host key rotation, redux

• We mentioned the new OpenSSH host key rotation and other goodies in a previous episode, but things have changed a little bit since then
• djm says "almost immediately after smugly declaring 'mission accomplished', the bug reports started rolling in."
• There were some initial complaints from developers about the new options, and a serious bug shortly thereafter
• After going back to the drawing board, he refactored some of the new code (and API) and added some more regression tests
• Most importantly, the bigger big fix was described as: "a malicious server (say, "host-a") could advertise the public key of another server (say, "host-b"). Then, when the client subsequently connects back to host-a, instead of answering the connection as usual itself, host-a could proxy the connection to host-b. This would cause the user to connect to host-b when they think they are connecting to host-a, which is a violation of the authentication the host key is supposed to provide."
• None of this code has been in a formal OpenSSH release just yet, but hopefully it will soon ***

PCBSD tries out LibreSSL

• PCBSD users may soon be seeing a lot less security problems because of two recent changes
• After switching over to OpenNTPD last week, PCBSD decides to give the portable LibreSSL a try too
• Note that this is only for the packages built from ports, not the base system unfortunately
• They're not the first ones to do this - OPNsense has been experimenting with replacing OpenSSL in their ports tree for a little while now, and of course all of OpenBSD's ports are built against it
• A good number of patches are still not committed in vanilla FreeBSD ports, so they had to borrow some from Bugzilla
• Look forward to Kris wearing a "keep calm and abandon OpenSSL" shirt in the near future ***

Feedback/Questions

• Benjamin writes in
• Mike writes in
• Brad writes in ***

Mailing List Gold

• Debian Dejavu
• Package gone missing ***

This episode was brought to you by

Headlines

Key rotation in OpenSSH 6.8

• Damien Miller posted a new blog entry about one of the features in the upcoming OpenSSH 6.8
• Times changes, key types change, problems are found with old algorithms and we switch to new ones
• In OpenSSH (and the SSH protocol) however, there hasn't been an easy way to rotate host keys... until now
• With this change, when you connect to a server, it will log all the server's public keys in your known_hosts file, instead of just the first one used during the key exchange
• Keys that are in your known_hosts file but not on the server will get automatically removed
• This fixes the problem of old servers still authenticating with ancient DSA or small RSA keys, as well as providing a way for the server to rotate keys every so often
• There are some instructions in the blog post for how you'll be able to rotate host keys and eventually phase out the older ones - it's really simple
• There are a lot of big changes coming in OpenSSH 6.8, so we'll be sure to cover them all when it's released ***

NetBSD Banana Pi images

• We've talked about the Banana Pi a bit before - it's a small ARM board that's comparable to the popular Raspberry Pi
• Some NetBSD -current images were posted on the mailing list, so now you can get some BSD action on one of these little devices
• There are even a set of prebuilt pkgsrc packages, so you won't have to compile everything initially
• The email includes some steps to get everything working and an overview of what comes with the image
• Also check the wiki page for some related boards and further instructions on getting set up
• On a related note, NetBSD also recently got GPU acceleration working for the Raspberry Pi (which is a first for their ARM port) ***

LibreSSL shirts and other BSD goodies

• If you've been keeping up with the LibreSSL saga and want a shirt to show your support, they're finally available to buy online
• There are two versions, either "keep calm and use LibreSSL" or the slightly more snarky "keep calm and abandon OpenSSL"
• While on the topic, we thought it would be good to make people aware of shirts for other BSD projects too
• You can get some FreeBSD, PCBSD and FreeNAS stuff from the FreeBSD mall site
• OpenBSD recently launched their new store, but the selection is still a bit limited right now
• NetBSD has a couple places where you can buy shirts and other apparel with the flag logo on it
• We couldn't find any DragonFlyBSD shirts unfortunately, which is a shame since their logo is pretty cool
• Profits from the sale of the gear go back to the projects, so pick up some swag and support your BSD of choice (and of course wear them at any Linux events you happen to go to) ***

OPNsense 15.1.4 released

• The OPNsense guys have been hard at work since we spoke to them, fixing lots of bugs and keeping everything up to date
• A number of versions have come out since then, with 15.1.4 being the latest (assuming they haven't updated it again by the time this airs)
• This version includes the latest round of FreeBSD kernel security patches, as well as minor SSL and GUI fixes
• They're doing a great job of getting upstream fixes pushed out to users quickly, a very welcome change
• A developer has also posted an interesting write-up titled "Development Workflow in OPNsense"
• If any of our listeners are trying OPNsense as their gateway firewall, let us know how you like it ***

Interview - Ed Maste - board@freebsdfoundation.org

The FreeBSD foundation's activities

News Roundup

Rolling with OpenBSD snapshots

• One of the cool things about the -current branch of OpenBSD is that it doesn't require any compiling
• There are signed binary snapshots being continuously re-rolled and posted on the FTP sites for every architecture
• This provides an easy method to get onboard with the latest features, and you can also easily upgrade between them without reformatting or rebuilding
• This blog post will walk you through the process of using snapshots to stay on the bleeding edge of OpenBSD goodness
• After using -current for seven weeks, the author comes to the conclusion that it's not as unstable as people might think
• He's now helping test out patches and new ports since he's running the same code as the developers ***

Signing pkgsrc packages

• As of the time this show airs, the official pkgsrc packages aren't cryptographically signed
• Someone from Joyent has been working on that, since they'd like to sign their pkgsrc packages for SmartOS
• Using GNUPG pulled in a lot of dependencies, and they're trying to keep the bootstrapping process minimal
• Instead, they're using netpgpverify, a fork of NetBSD's netpgp utility
• Maybe someday this will become the official way to sign packages in NetBSD? ***

FreeBSD support model changes

• Starting with 11.0-RELEASE, which won't be for a few months probably, FreeBSD releases are going to have a different support model
• The plan is to move "from a point release-based support model to a set of releases from a branch with a guaranteed support lifetime"
• There will now be a five-year lifespan for each major release, regardless of how many minor point releases it gets
• This new model should reduce the turnaround time for errata and security patches, since there will be a lot less work involved to build and verify them
• Lots more detail can be found in the mailing list post, including some important changes to the -STABLE branch, so give it a read ***

OpenSMTPD, Dovecot and SpamAssassin

• We've been talking about setting up your own BSD-based mail server on the last couple episodes
• Here we have another post from a user setting up OpenSMTPD, including Dovecot for IMAP and SpamAssassin for spam filtering
• A lot of people regularly ask the developers how to combine OpenSMTPD with spam filtering, and this post should finally reveal the dark secrets
• In addition, it also covers SSL certificates, PKI and setting up MX records - some things that previous posts have lacked
• Just be sure to replace those "apt-get" commands and "eth0" interface names with something a bit more sane…
• In related news, OpenSMTPD has got some interesting new features coming soon
• They're also planning to switch to LibreSSL by default for the portable version ***

FreeBSD 10 on the Thinkpad T400

• BSD laptop articles are becoming popular it seems - this one is about FreeBSD on a T400
• Like most of the ones we've mentioned before, it shows you how to get a BSD desktop set up with all the little tweaks you might not think to do
• This one differs in that it takes a more minimal approach to graphics: instead of a full-featured environment like XFCE or KDE, it uses the i3 tiling window manager
• If you're a commandline junkie that basically just uses X11 to run more than one terminal at once, this might be an ideal setup for you
• The post also includes some bits about the DRM and KMS in the 10.x branch, as well as vt ***

PC-BSD 10.1.1 Released

• Automatic background updater now in
• Shiny new Qt5 utils
• OVA files for VM’s
• Full disk encryption with GELI v7 ***

Feedback/Questions

• Camio writes in
• Sha'ul writes in
• John writes in
• Sean writes in (TJ's lengthy reply)
• Christopher writes in ***

Mailing List Gold

• Special Instructions
• Pretending to be a VT220 ***

This episode was brought to you by

Headlines

FreeBSD quarterly status report

• The FreeBSD team has posted an updated on some of their activities between October and December of 2014
• They put a big focus on compatibility with other systems: the Linux emulation layer, bhyve, WINE and Xen all got some nice improvements
• As always, the report has lots of updates from the various teams working on different parts of the OS and ports infrastructure
• The release engineering team got 10.1 out the door, the ports team shuffled a few members in and out and continued working on closing more PRs
• FreeBSD's forums underwent a huge change, and discussion about the new support model for release cycles continues (hopefully taking effect after 11.0 is released)
• Git was promoted from beta to an officially-supported version control system (Kris is happy)
• The core team is also assembling a new QA team to ensure better code quality in critical areas, such as security and release engineering, after getting a number of complaints
• Other notable entries include: lots of bhyve fixes, Clang/LLVM being updated to 3.5.0, ongoing work to the external toolchain, adding FreeBSD support to more "cloud" services, pkgng updates, work on SecureBoot, more ARM support and graphics stack improvements
• Check out the full report for all the details that we didn't cover ***

OpenBSD package signature audit

• "Linux Audit" is a website focused on auditing and hardening systems, as well as educating people about securing their boxes
• They recently did an article about OpenBSD, specifically their ports and package system and signing infrastructure
• The author gives a little background on the difference between ports and binary packages, then goes through the technical details of how releases and packages are cryptographically signed
• Package signature formats and public key distribution methods are also touched on
• After some heckling, the author of the post said he plans to write more BSD security articles, so look forward to them in the future
• If you haven't seen our episode about signify with Ted Unangst, that would be a great one to check out after reading this ***

Replacing a Linux router with BSD

• There was recently a Slashdot discussion about migrating a Linux-based router to a BSD-based one
• The poster begins with "I'm in the camp that doesn't trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I'd run Windows NT, not Linux. So I've decided to migrate my homebrew router/firewall/samba server to one of the BSDs."
• A lot of people were quick to recommend OPNsense and pfSense, being that they're very easy to administer (requiring basically no BSD knowledge at all)
• Other commenters suggested a more hands-on approach, setting one up yourself with FreeBSD or OpenBSD
• If you've been thinking about moving some routers over from Linux or other commercial solution, this might be a good discussion to read through
• Unfortunately, a lot of the comments are just Linux users bickering about systemd, so you'll have to wade through some of that to get to the good information ***

LibreSSL in FreeBSD and OPNsense

• A FreeBSD sysadmin has started documenting his experience replacing OpenSSL in the base system with the one from ports (and also experimenting with LibreSSL)
• The reasoning being that updates in base tend to lag behind, whereas the port can be updated for security very quickly
• OPNsense developers are looking into switching away from OpenSSL to LibreSSL's portable version, for both their ports and base system, which would be a pretty huge differentiator for their project
• Some ports still need fixing to be compatible though, particularly a few python-related ones
• If you're a FreeBSD ports person, get involved and help squash some of the last remaining bugs
• A lot of the work has already been done in OpenBSD's ports tree - some patches just need to be adopted
• More and more upstream projects are incorporating LibreSSL patches in their code - let your favorite software vendor know that you're using it ***

Interview - David Maxwell - david@netbsd.org / @david_w_maxwell

Pipecut, text processing, commandline wizardry

News Roundup

Jetpack, a new jail container system

• A new project was launched to adapt FreeBSD jails to the "app container specification"
• While still pretty experimental in terms of the development phase, this might be something to show your Linux friends who are in love with docker
• It's a similar project to iocage or bsdploy, which we haven't talked a whole lot about
• There was also some discussion about it on Hacker News ***

Separating base and package binaries

• All of the main BSDs make a strong separation between the base system and third party software
• This is in contrast to Linux where there's no real concept of a "base system" - more recently, some distros have even merged all the binaries into a single directory
• A user asks the community about the BSD way of doing it, trying to find out the advantages and disadvantages of both hierarchies
• Read the comments for the full explanation, but having things separated really helps keep things organized ***

Updated i915kms driver for FreeBSD

• This update brings the FreeBSD code closer inline with the Linux code, to make it easier to update going forward
• It doesn't introduce Haswell support just yet, but was required before the Haswell bits can be added ***

Year of the OpenBSD desktop

• Here we have an article about using OpenBSD as a daily driver for regular desktop usage
• The author says he "ran fifty thousand different distributions, never being satisfied"
• After dealing with the problems of Linux and fragmentation, he eventually gave up and bought a Macbook
• He also used FreeBSD between versions 7 and 9, finding a "a mostly harmonious environment," but regressions lead him to give up on desktop *nix once again
• Starting with 2015, he's back and is using OpenBSD on a Thinkpad x201
• The rest of the article covers some of his configuration tweaks and gives an overall conclusion on his current setup
• He apparently used our desktop tutorial - thanks for watching! ***

Unattended FreeBSD installation

• A new BSD user was looking to get some more experience, so he documented how to install FreeBSD over PXE
• His goal was to have a setup similar to Redhat's "kickstart" or OpenBSD's autoinstall
• The article shows you how to set up DHCP and TFTP, with no NFS share setup required
• He also gives a mention to mfsbsd, showing how you can customize its startup script to do most of the work for you ***

Feedback/Questions

• Robert writes in
• Sean writes in
• l33tname writes in
• Charlie writes in
• Eric writes in ***

Mailing List Gold

• Clowning around
• Better than succeeding in this case ***

This episode was brought to you by

Headlines

Updates to FreeBSD's random(4)

• FreeBSD's random device, which presents itself as "/dev/random" to users, has gotten a fairly major overhaul in -CURRENT
• The CSPRNG (cryptographically secure pseudo-random number generator) algorithm, Yarrow, now has a new alternative called Fortuna
• Yarrow is still the default for now, but Fortuna can be used with a kernel option (and will likely be the new default in 11.0-RELEASE)
• Pluggable modules can now be written to add more sources of entropy
• These changes are expected to make it in 11.0-RELEASE, but there hasn't been any mention of MFCing them to 10 or 9 ***

OpenBSD Tor relays and network diversity

• We've talked about getting more BSD-based Tor nodes a few times in previous episodes
• The "tor-relays" mailing list has had some recent discussion about increasing diversity in the Tor network, specifically by adding more OpenBSD nodes
• With the security features and attention to detail, it makes for an excellent dedicated Tor box
• More and more adversaries are attacking Tor nodes, so having something that can withstand that will help the greater network at large
• A few users are even saying they'll convert their Linux nodes to OpenBSD to help out
• Check the archive for the full conversation, and maybe run a node yourself on any of the BSDs
• The Tor wiki page on OpenBSD is pretty out of date (nine years old!?) and uses the old pf syntax, maybe one of our listeners can modernize it ***

SSP now default for FreeBSD ports

• SSP, or Stack Smashing Protection, is an additional layer of protection against buffer overflows that the compiler can give to the binaries it produces
• It's now enabled by default in FreeBSD's ports tree, and the pkgng packages will have it as well - but only for amd64 (all supported releases) and i386 (10.0-RELEASE or newer)
• This will only apply to regular ports and binary packages, not the quarterly branch that only receives security updates
• If you were using the temporary "new Xorg" or SSP package repositories instead of the default ones, you need to switch back over
• NetBSD made this the default on i386 and amd64 two years ago and OpenBSD made this the default on all architectures twelve years ago
• Next time you rebuild your ports, things should be automatically hardened without any extra steps or configuration needed ***

Building an OpenBSD firewall and router

• While we've discussed the software and configuration of an OpenBSD router, this Reddit thread focuses more on the hardware side
• The OP lists some of his potential choices, but was originally looking for something a bit cheaper than a Soekris
• Most agree that, if it's for a business especially, it's worth the extra money to go with something that's well known in the BSD community
• They also list a few other popular alternatives: ALIX or the APU series from PC Engines, some Supermicro boards, etc.
• Through the comments, we also find out that QuakeCon runs OpenBSD on their network
• Hopefully most of our listeners are running some kind of BSD as their gateway - try it out if you haven't already ***

Interview - Kristaps Džonsons - kristaps@bsd.lv

Mandoc, historical man pages, various topics

Tutorial

Throttling bandwidth with PF

News Roundup

NetBSD at Kansai Open Forum 2014

• Japanese NetBSD users invade yet another conference, demonstrating that they can and will install NetBSD on everything
• From a Raspberry Pi to SHARP Netwalkers to various luna68k devices, they had it all
• As always, you can find lots of pictures in the trip report ***

Getting to know your portmgr lurkers

• The lovable "getting to know your portmgr" series makes its triumphant return
• This time around, they interview Alex, one of the portmgr lurkers that joined just this month
• "How would you describe yourself?" "Too lazy."
• Another post includes a short interview with Emanuel, another new lurker
• We discussed the portmgr lurkers initiative with Steve Wills a while back ***

NetBSD's ARM port gets SMP

• The ARM port of NetBSD now has SMP support, allowing more than one CPU to be used
• This blog post on the website has a list of supported boards: Banana Pi, Cubieboard 2, Cubietruck, Merrii Hummingbird A31, CUBOX-I and NITROGEN6X
• NetBSD's release team is working on getting these changes into the 7 branch before 7.0 is released
• There are also a few nice pictures in the article ***

A high performance mid-range NAS

• This blog post is about FreeNAS and optimizing iSCSI performance
• It talks about using mid-range hardware with FreeNAS and different tunables you can change to affect performance
• There are some nice graphs and lots of detail if you're interested in tweaking some of your own settings
• They conclude "there is no optimal configuration; rather, FreeNAS can be configured to suit a particular workload" ***

Feedback/Questions

• Heto writes in
• Brad writes in
• Tyler writes in
• Tim writes in
• Brad writes in ***

Mailing List Gold

• Suspicious contributions
• La puissance du fromage
• Nothing unusual here ***

This episode was brought to you by

Headlines

BSD panel at Phoenix LUG

• The Phoenix, Arizona Linux users group had a special panel so they could learn a bit more about BSD
• It had one FreeBSD user and one OpenBSD user, and they answered questions from the organizer and the people in the audience
• They covered a variety of topics, including filesystems, firewalls, different development models, licenses and philosophy
• It was a good "real world" example of things potential switchers are curious to know about
• They closed by concluding that more diversity is always better, and even if you've got a lot of Linux boxes, putting a few BSD ones in the mix is a good idea ***

Book of PF signed copy auction

• Peter Hansteen (who we've had on the show) is auctioning off the first signed copy of the new Book of PF
• All the profits from the sale will go to the OpenBSD Foundation
• The updated edition of the book includes all the latest pf syntax changes, but also provides examples for FreeBSD and NetBSD's versions (which still use ALTQ, among other differences)
• If you're interested in firewalls, security or even just advanced networking, this book is a great one to have on your shelf - and the money will also go to a good cause
• Michael Lucas has challenged Peter to raise more for the foundation than his last book selling - let's see who wins
• Pause the episode, go bid on it and then come back! ***

FreeBSD Foundation goes to EuroBSDCon

• Some people from the FreeBSD Foundation went to EuroBSDCon this year, and come back with a nice trip report
• They also sponsored four other developers to go
• The foundation was there "to find out what people are working on, what kind of help they could use from the Foundation, feedback on what we can be doing to support the FreeBSD Project and community, and what features/functions people want supported in FreeBSD"
• They also have a second report from Kamil Czekirda
• A total of $2000 was raised at the conference ***

OpenBSD 5.6 released

• Note: we're doing this story a couple days early - it's actually being released on November 1st (this Saturday), but we have next week off and didn't want to let this one slip through the cracks - it may be out by the time you're watching this
• Continuing their always-on-time six month release cycle, the OpenBSD team has released version 5.6
• It includes support for new hardware, lots of driver updates, network stack improvements (SMP, in particular) and new security features
• 5.6 is the first formal release with LibreSSL, their fork of OpenSSL, and lots of ports have been fixed to work with it
• You can now hibernate your laptop when using a fully-encrypted filesystem (see our tutorial for that)
• ALTQ, Kerberos, Lynx, Bluetooth, TCP Wrappers and Apache were all removed
• This will serve as a "transitional" release for a lot of services: moving from Sendmail to OpenSMTPD, from nginx to httpd and from BIND to Unbound
• Sendmail, nginx and BIND will be gone in the next release, so either migrate to the new stuff between now and then or switch to the ports versions
• As always, 5.6 comes with its own song and artwork - the theme this time was obviously LibreSSL
• Be sure to check the full changelog (it's huge) and pick up a CD or tshirt to support their efforts
• If you don't already have the public key releases are signed with, getting a physical CD is a good "out of bounds" way to obtain it safely
• Here are some cool images of the set
• After you do your installation or upgrade, don't forget to head over to the errata page and apply any patches listed there ***

Interview - John-Mark Gurney - jmg@freebsd.org / @encthenet

Updating FreeBSD's IPSEC stack

News Roundup

Clang in DragonFly BSD

• As we all know, FreeBSD got rid of GCC in 10.0, and now uses Clang almost exclusively on i386/amd64
• Some DragonFly developers are considering migrating over as well, and one of them is doing some work to make the OS more Clang-friendly
• We'd love to see more BSDs switch to Clang/LLVM eventually, it's a lot more modern than the old GCC most are using ***

reallocarray(): integer overflow detection for free

• One of the less obvious features in OpenBSD 5.6 is a new libc function: "reallocarray()"
• It's a replacement function for realloc(3) that provides integer overflow detection at basically no extra cost
• Theo and a few other developers have already started a mass audit of the entire source tree, replacing many instances with this new feature
• OpenBSD's explicit_bzero was recently imported into FreeBSD, maybe someone could also port over this too ***

Switching from Linux blog

• A listener of the show has started a new blog series, detailing his experiences in switching over to BSD from Linux
• After over ten years of using Linux, he decided to give BSD a try after listening to our show (which is awesome)
• So far, he's put up a few posts about his initial thoughts, some documentation he's going through and his experiments so far
• It'll be an ongoing series, so we may check back in with him again later on ***

Owncloud in a FreeNAS jail

• One of the most common emails we get is about running Owncloud in FreeNAS
• Now, finally, someone made a video on how to do just that, and it's even jailed
• A member of the FreeNAS community has uploaded a video on how to set it up, with lighttpd as the webserver backend
• If you're looking for an easy way to back up and sync your files, this might be worth a watch ***

Feedback/Questions

• Ernõ writes in
• David writes in
• Kamil writes in
• Torsten writes in
• Dominik writes in ***

Mailing List Gold

• That's not our IP
• Is this thing on? ***

This episode was brought to you by

Headlines

FreeBSD 10.1-BETA1 is out

• The first maintenance update in the 10.x series of FreeBSD is on its way
• Since we can't see a changelog yet, the 10-STABLE release notes offer a glimpse at some of the new features and fixes that will be included in 10.1
• The vt driver was merged from -CURRENT, lots of drivers were updated, lots of bugs were fixed and bhyve also got many improvements from 11
• Initial UEFI support, multithreaded softupdates for UFS and many more things were added
• You can check the release schedule for the planned release dates
• Details for the various forms of release media can be found in the announcement ***

Remote headless OpenBSD installation

• A lot of server providers only offer a limited number of operating systems to be easily installed on their boxes
• Sometimes you'll get lucky and they'll offer FreeBSD, but it's much harder to find ones that natively support other BSDs
• This article shows how you can use a Linux-based rescue system, a RAM disk and QEMU to install OpenBSD on the bare metal of a server, headlessly and remotely
• It required a few specific steps you'll want to take note of, but is extremely useful for those pesky hosting providers ***

Building a firewall appliance with pfSense

• In this article, we learn how to easily set up a gateway and wireless access point with pfSense on a Netgate ALIX2C3 APU
• After the author's modem died, he decided to look into a more do-it-yourself option with pf and a tiny router board
• The hardware he used has gigabit ports and a BSD-compatible wireless card, as well as enough CPU power for a modest workload and a few services (OpenVPN, etc.)
• There's a lot of great pictures of the hardware and detailed screenshots, definitely worth a look ***

Receive Side Scaling - UDP testing

• Adrian Chadd has been working on RSS (Receive Side Scaling) in FreeBSD, and gives an update on the progress
• He's using some quad core boxes with 10 gigabit ethernet for the tests
• The post gives lots of stats and results from his network benchmark, as well as some interesting workarounds he had to do
• He also provides some system configuration options, sysctl knobs, etc. (if you want to try it out)
• And speaking of Adrian Chadd... ***

Interview - Adrian Chadd - adrian@freebsd.org / @erikarn

BSD on laptops, wifi, drivers, various topics

News Roundup

Sendmail removed from OpenBSD

• Mail server admins around the world are rejoicing, because sendmail is finally gone from OpenBSD
• With OpenSMTPD being a part of the base system, sendmail became largely redundant and unneeded
• If you've ever compared a "sendmail.cf" file to an "smtpd.conf" file... the different is as clear as night and day
• 5.6 will serve as a transitional release, including both sendmail and OpenSMTPD, but 5.7 will be the first release without it
• If you still need it for some reason, sendmail will live in ports from now on
• Hopefully FreeBSD will follow suit sometime in the future as well, possibly including DragonFly's mail transfer agent in base (instead of an entire mail server) ***

pfSense backups with pfmb

• We've mentioned the need for a tool to back up pfSense configs a number of times on the show
• This script, hosted on github, does pretty much exactly that
• It can connect to one (or more!) pfSense installations and back up the configuration
• You can roll back or replace failed hardware very easily with its restore function
• Everything is done over SSH, so it should be pretty secure ***

The Design and Implementation of the FreeBSD Operating System

• We mentioned when the pre orders were up, but now "The Design and Implementation of the FreeBSD Operating System, 2nd edition" seems to be shipping out
• If you're interested in FreeBSD development, or learning about the operating system internals, this is a great book to buy
• We've even had all three authors on the show before! ***

OpenBSD's systemd replacement updates

• We mentioned last week that the news of OpenBSD creating systemd wrappers was getting mainstream attention
• One of the developers writes in to Undeadly, detailing what's going on and what the overall status is
• He also clears up any confusion about "porting systemd to BSD" (that's not what's going on) or his code ever ending up in base (it won't)
• The top comment as of right now is a Linux user asking if his systemd wrappers can be ported back to Linux... poor guy ***

Feedback/Questions

• Brad writes in
• Ben writes in
• Mathieu writes in
• Steve writes in ***

This episode was brought to you by

Headlines

MeetBSD 2014 is approaching

• The MeetBSD conference is coming up, and will be held on November 1st and 2nd in San Jose, California
• MeetBSD has an "unconference" format, which means there will be both planned talks and community events
• All the extra details will be on their site soon
• It also has hotels and various other bits of useful information - hopefully with more info on the talks to come
• Of course, EuroBSDCon is coming up before then ***

First experiences with OpenBSD

• A new blog post that leads off with "tired of the sluggishness of Windows on my laptop and interested in experimenting with a Unix-like that I haven't tried before"
• The author read the famous "BSD for Linux users" series (that most of us have surely seen) and decided to give BSD a try
• He details his different OS and distro history, concluding with how he "eventually became annoyed at the poor quality of Linux userland software"
• From there, it talks about how he used the OpenBSD USB image and got a fully-working system
• He especially liked the simplicity of OpenBSD's "hostname.if" system for network configuration
• Finally, he gets Xorg working and imports all his usual configuration files - seems to be a happy new user! ***

NetBSD rump kernels on bare metal (and Kansai OSC report)

• When you're developing a new OS or a very specialized custom solution, working drivers become one of the hardest things to get right
• However, NetBSD's rump kernels - a very unique concept - make this process a lot easier
• This blog post talks about the process of starting with just a rump kernel and expanding into an internet-ready system in just a week
• Also have a look back at episode 8 for our interview about rump kernels and what exactly they do
• While on the topic of NetBSD, there were also a couple of very detailed reports (with lots of pictures!) of the various NetBSD-themed booths at the 2014 Kansai Open Source Conference that we wanted to highlight ***

OpenSSL and LibreSSL updates

• OpenSSL pushed out a few new versions, fixing multiple vulnerabilities (nine to be precise!)
• Security concerns include leaking memory, possible denial of service, crashing clients, memory exhaustion, TLS downgrades and more
• LibreSSL released a new version to address most of the vulnerabilities, but wasn't affected by some of them
• Whichever version of whatever SSL you use, make sure it's patched for these issues
• DragonFly and OpenBSD are patched as of the time of this recording but, even after a week, NetBSD and FreeBSD are not (outside of -CURRENT) ***

Interview - Robert Watson - rwatson@freebsd.org

FreeBSD architecture, security research techniques, exploit mitigation

Tutorial

Protecting traffic with a BSD-based VPN

News Roundup

A FreeBSD-based CGit server

• If you use git (like a certain host of this show) then you've probably considered setting up your own server
• This article takes you through the process of setting up a jailed git server, complete with a fancy web frontend
• It even shows you how to set up multiple repos with key-based user separation and other cool things
• The author of the post is also a listener of the show, thanks for sending it in! ***

Backup devices for small businesses

• In this article, different methods of data storage and backup are compared
• After weighing the various options, the author comes to an obvious conclusion: FreeNAS is the answer
• He praises FreeNAS and the FreeNAS Mini for their tight integration, rock solid FreeBSD base and the great ZFS featureset that it offers
• It also goes over some of the hardware specifics in the FreeNAS Mini ***

A new Xenocara interview

• As a follow up to last week's OpenSMTPD interview, this Russian blog interviews Matthieu Herrb about Xenocara
• If you're not familiar with Xenocara, it's OpenBSD's version of Xorg with some custom patches
• In this interview, he discusses how large and complex the upstream X11 development is, how different components are worked on by different people, how they test code (including a new framework) and security auditing
• Matthieu is both a developer of upstream Xorg and an OpenBSD developer, so it's natural for him to do a lot of the maintainership work there ***

Building a high performance FreeBSD samba server

• If you've got to PXE boot several hundred Windows boxes to upgrade from XP to 7, what's the best solution?
• FreeBSD, ZFS and Samba obviously!
• The master image and related files clock in at over 20GB, and will be accessed at the same time by all of those clients
• This article documents that process, highlighting some specific configuration tweaks to maximize performance (including NIC bonding)
• It doesn't even require the newest or best hardware with the right changes, pretty cool ***

Feedback/Questions

• An interesting Reddit thread (or two)
• PB writes in
• Sean writes in
• Steve writes in
• Lachlan writes in
• Justin writes in ***

This episode was brought to you by

Headlines

FreeBSD foundation semi-annual newsletter

• The FreeBSD foundation published their semi-annual newsletter, complete with a letter from the president of the foundation
• "In fact after reading [the president's] letter, I was motivated to come up with my own elevator pitch instead of the usual FreeBSD is like Linux, only better!"
• It talks about the FreeBSD journal as being one of the most exciting things they've launched this year, conferences they funded and various bits of sponsored code that went into -CURRENT
• The full list of funded projects is included, also with details in the financial reports
• There are also a number of conference wrap-ups: NYCBSDCon, BSDCan, AsiaBSDCon and details about the upcoming EuroBSDCon

This episode was brought to you by

Headlines

FreeBSD quarterly status report

• FreeBSD has gotten quite a lot done this quarter
• Changes in the way release branches are supported - major releases will get at least five years over their lifespan
• A new automounter is in the works, hoping to replace amd (which has some issues)
• The CAM target layer and RPC stack have gotten some major optimization and speed boosts
• Work on ZFSGuru continues, with a large status report specifically for that
• The report also mentioned some new committers, both source and ports
• It also covers GNATS being replaced with Bugzilla, the new core team, 9.3-RELEASE, GSoC updates, UEFI booting and lots of other things that we've already mentioned on the show
• "Foundation-sponsored work resulted in 226 commits to FreeBSD over the April to June period" ***

A new OpenBSD HTTPD is born

• Work has begun on a new HTTP daemon in the OpenBSD base system
• A lot of people are asking "why?" since OpenBSD includes a chrooted nginx already - will it be removed? Will they co-exist?
• Initial responses seem to indicate that nginx is getting bloated, and is a bit overkill for just serving content (this isn't trying to be a full-featured replacement)
• It's partially based on the relayd codebase and also comes from the author of relayd, Reyk Floeter
• This has the added benefit of the usual, easy-to-understand syntax and privilege separation
• There's a very brief man page online already
• It supports vhosts and can serve static files, but is still in very active development - there will probably be even more new features by the time this airs
• Will it be named OpenHTTPD? Or perhaps... LibreHTTPD? (I hope not) ***

pkgng 1.3 announced

• The newest version of FreeBSD's second generation package management system has been released, with lots of new features
• It has a new "real" solver to automatically handle conflicts, and dynamically discover new ones (this means the annoying -o option is deprecated now, hooray!)
• Lots of the code has been sandboxed for extra security
• You'll probably notice some new changes to the UI too, making things more user friendly
• A few days later 1.3.1 was released to fix a few small bugs, then 1.3.2 shortly thereafter and 1.3.3 yesterday ***

FreeBSD after-install security tasks

• A number of people have written in to ask us "how do I secure my BSD box after I install it?"
• With this blog post, hopefully most of their questions will finally be answered in detail
• It goes through locking down SSH with keys, patching the base system for security, installing packages and keeping them updated, monitoring and closing any listening services and a few other small things
• Not only does it just list things to do, but the post also does a good job of explaining why you should do them
• Maybe we'll see some more posts in this series in the future ***

Interview - Brent Cook - bcook@openbsd.org / @busterbcook

LibreSSL's portable version and development

News Roundup

FreeBSD Mastery - Storage Essentials

• MWL's new book about the FreeBSD storage subsystems now has an early draft available
• Early buyers can get access to an in-progress draft of the book before the official release, but keep in mind that it may go through a lot of changes
• Topics of the book will include GEOM, UFS, ZFS, the disk utilities, partition schemes, disk encryption and maximizing I/O performance
• You'll get access to the completed (e)book when it's done if you buy the early draft
• The suggested price is $8 ***

Why BSD and not Linux?

• Yet another thread comes up asking why you should choose BSD over Linux or vice-versa
• Lots of good responses from users of the various BSDs
• Directly ripping a quote: "Features like Ports, Capsicum, CARP, ZFS and DTrace were stable on BSDs before their Linux versions, and some of those are far more usable on BSD. Features like pf are still BSD-only. FreeBSD has GELI and ipfw and is "GCC free". DragonflyBSD has HAMMER and kernel performance tuning. OpenBSD have upstream pf and their gamut of security features, as well as a general emphasis on simplicity."
• And "Over the years, the BSDs have clearly shown their worth in the nix ecosystem by pioneering new features and driving adoption of others. The most recent on OpenBSD were 2038 support and LibreSSL. FreeBSD still arguably rules the FOSS storage space with ZFS."
• Some other users share their switching experiences - worth a read ***

More g2k14 hackathon reports

• Following up from last week's huge list of hackathon reports, we have a few more
• Landry Breuil spent some time with Ansible testing his infrastructure, worked on the firefox port and tried to push some of their patches upstream
• Andrew Fresh enjoyed his first hackathon, pushing OpenBSD's perl patches upstream and got tricked into rewriting the adduser utility in perl
• Ted Unangst did his usual "teduing" (removing of) old code - say goodbye to asa, fpr, mkstr, xstr, oldrdist, fsplit, uyap and bluetooth
• Luckily we didn't have to cover 20 new ones this time! ***

BSDTalk episode 243

• The newest episode of BSDTalk is out, featuring an interview with Ingo Schwarze of the OpenBSD team
• The main topic of discussion is mandoc, which some users might not be familiar with
• mandoc is a utility for formatting manpages that OpenBSD and NetBSD use (DragonFlyBSD and FreeBSD include it in their source tree, but it's not built by default)
• We'll catch up to you soon, Will! ***

Feedback/Questions

• Thomas writes in
• Stephen writes in
• Sha'ul writes in
• Florian writes in
• Bob Beck writes in - and note the "Caution" section that was added to libressl.org ***

This episode was brought to you by

Headlines

g2k14 hackathon reports

• Nearly 50 OpenBSD developers gathered in Ljubljana, Slovenia from July 8-14 for a hackathon
• Lots of work got done - in just the first two weeks of July, there were over 1000 commits to their CVS tree
• Some of the developers wrote in to document what they were up to at the event
• Bob Beck planned to work on kernel stuff, but then "LibreSSL happened" and he spent most of his time working on that
• Miod Vallat also tells about his LibreSSL experiences
• Brent Cook, a new developer, worked mainly on the portable version of LibreSSL (and we'll be interviewing him next week!)
• Henning Brauer worked on VLAN bpf and various things related to IPv6 and network interfaces (and he still hates IPv6)
• Martin Pieuchot fixed some bugs in the USB stack, softraid and misc other things
• Marc Espie improved the package code, enabling some speed ups, fixed some ports that broke with LibreSSL and some of the new changes and also did some work on ensuring snapshot consistency
• Martin Pelikan integrated read-only ext4 support
• Vadim Zhukov did lots of ports work, including working on KDE4
• Theo de Raadt created a new, more secure system call, "sendsyslog" and did a lot of work with /etc, sysmerge and the rc scripts
• Paul Irofti worked on the USB stack, specifically for the Octeon platform
• Sebastian Benoit worked on relayd filters and IPv6 code
• Jasper Lievisse Adriaanse did work with puppet, packages and the bootloader
• Jonathan Gray imported newer Mesa libraries and did a lot with Xenocara, including work in the installer for autodetection
• Stefan Sperling fixed a lot of issues with wireless drivers
• Florian Obser did many things related to IPv6
• Ingo Schwarze worked on mandoc, as usual, and also rewrote the openbsd.org man.cgi interface
• Ken Westerback hacked on dhclient and dhcpd, and also got dump working on 4k sector drives
• Matthieu Herrb worked on updating and modernizing parts of xenocara ***

FreeBSD pf discussion takes off

• Concerns from last week, about FreeBSD's packet filter being old and unmaintained, seemed to have finally sparked some conversation about the topic on the "questions" and "current" mailing lists (unfortunately people didn't always use reply-all so you have to cross-reference the two lists to follow the whole conversation sometimes)
• Straight from the SMP FreeBSD pf maintainer: "no one right now [is actively developing pf on FreeBSD]"
• Searching for documentation online for pf is troublesome because there are two incompatible syntaxes
• FreeBSD's pf man pages are lacking, and some of FreeBSD's documentation still links to OpenBSD's pages, which won't work anymore - possibly turning away would-be BSD converts because it's frustrating
• There's also the issue of importing patches from pfSense, but most of those still haven't been done either
• Lots of disagreement among developers vs. users...
• Many users are very vocal about wanting it updated, saying the syntax change is no big deal and is worth the benefits - developers aren't interested
• Henning Brauer, the main developer of pf on OpenBSD, has been very nice and offered to help the other BSDs get their pf fixed on multiple occasions
• Gleb Smirnoff, author of the FreeBSD-specific SMP patches, questions Henning's claims about OpenBSD's improved speed as "uncorroborated claims" (but neither side has provided any public benchmarks)
• Gleb had to abandon his work on FreeBSD's pf because funding ran out ***

LibreSSL progress update

• LibreSSL's first few portable releases have come out and they're making great progress, releasing 2.0.3 two days ago
• Lots of non-OpenBSD people are starting to contribute, sending in patches via the tech mailing list
• However, there has already been some drama... with Linux users
• There was a problem with Linux's PRNG, and LibreSSL was unforgiving of it, not making an effort to randomize something that could not provide real entropy
• This "problem" doesn't affect OpenBSD's native implementation, only the portable version
• The developers decide to weigh in to calm the misinformation and rage
• A fix was added in 2.0.2, and Linux may even get a new system call to handle this properly now - remember to say thanks, guys
• Ted Unangst has a really good post about the whole situation, definitely check it out
• As a follow-up from last week, bapt says they're working on building the whole FreeBSD ports tree against LibreSSL, but lots of things still need some patching to work properly - if you're a port maintainer, please test your ports against it ***

Preparation for NetBSD 7

• The release process for NetBSD 7.0 is finally underway
• The netbsd-7 CVS branch should be created around July 26th, which marks the start of the first beta period, which will be lasting until September
• If you run NetBSD, that'll be a great time to help test on as many platforms as you can (this is especially true on custom embedded applications)
• They're also looking for some help updating documentation and fixing any bugs that get reported
• Another formal announcement will be made when the beta binaries are up ***

Interview - Dag-Erling Smørgrav - des@freebsd.org / @RealEvilDES

The role of the FreeBSD Security Officer, recent ports features, various topics

News Roundup

BSDCan ports and packages WG

• Back at BSDCan this year, there was a special event for discussion of FreeBSD ports and packages
• Bapt talked about package building, poudriere and the systems the foundation funded for compiling packages
• There's also some detail about the signing infrastructure and different mirrors
• Ports people and source people need to talk more often about ABI breakage
• The post also includes information about pkg 1.3, the old pkg tools' EOL, the quarterly stable package sets and a lot more (it's a huge post!) ***

Cross-compiling ports with QEMU and poudriere

• With recent QEMU features, you can basically chroot into a completely different architecture
• This article goes through the process of building ARMv6 packages on a normal X86 box
• Note though that this requires 10-STABLE or 11-CURRENT and an extra patch for QEMU right now
• The poudriere-devel port now has a "qemu user" option that will pull in all the requirements
• Hopefully this will pave the way for official pkgng packages on those lesser-used architectures ***

Cloning FreeBSD with ZFS send

• For a FreeBSD mail server that MWL runs, he wanted to have a way to easily restore the whole system if something were to happen
• This post shows his entire process in creating a mirror machine, using ZFS for everything
• The "zfs send" and "zfs snapshot" commands really come in handy for this
• He does the whole thing from a live CD, pretty impressive ***

FreeBSD Overview series

• A new blog series we stumbled upon about a Linux user switching to BSD
• In part one, he gives a little background on being "done with Linux distros" and documents his initial experience getting and installing FreeBSD 10
• He was pleasantly surprised to be able to use ZFS without jumping through hoops and doing custom kernels
• Most of what he was used to on Linux was already in the default FreeBSD (except bash...)
• Part two documents his experiences with pkgng and ports ***

Feedback/Questions

• Bostjan writes in
• Rick writes in
• Clint writes in
• Esteban writes in
• Ben writes in
• Matt sends in pictures of his FreeBSD CD collection ***

This episode was brought to you by

Headlines

pfSense 2.1.4 released

• The pfSense team has released 2.1.4, shortly after 2.1.3 - it's mainly a security release
• Included within are eight security fixes, most of which are pfSense-specific
• OpenSSL, the WebUI and some packages all need to be patched (and there are instructions on how to do so)
• It also includes a large number of various other bug fixes
• Update all your routers! ***

DragonflyBSD's pf gets SMP

• While we're on the topic of pf...
• Dragonfly patches their old[er than even FreeBSD's] pf to support multithreading in many areas
• Stemming from a user's complaint, Matthew Dillon did his own work on pf to make it SMP-aware
• Altering your configuration's ruleset can also help speed things up, he found
• When will OpenBSD, the source of pf, finally do the same? ***

ChaCha usage and deployment

• A while back, we talked to djm about some cryptography changes in OpenBSD 5.5 and OpenSSH 6.5
• This article is sort of an interesting follow-up to that, showing which projects have adopted ChaCha20
• OpenSSH offers it as a stream cipher now, OpenBSD uses it for it's random number generator, Google offers it in TLS for Chromium and some of their services and lots of other projects seem to be adopting it
• Both Google's fork of OpenSSL and LibReSSL have upcoming implementations, while vanilla OpenSSL does not
• Unfortunately, this article has one mistake: FreeBSD does not use it - they still use the broken RC4 algorithm ***

BSDMag June 2014 issue

• The monthly online BSD magazine releases their newest issue
• This one includes the following articles: TLS hardening, setting up a package cluster in MidnightBSD, more GIMP tutorials, "saving time and headaches using the robot framework for testing," an interview and an article about the increasing number of security vulnerabilities
• The free pdf file is available for download as always ***

Interview - Craig Rodrigues - rodrigc@freebsd.org

FreeBSD's continuous testing infrastructure

Tutorial

Creating pre-patched OpenBSD ISOs

News Roundup

Preauthenticated decryption considered harmful

• Responding to a post from Adam Langley, Ted Unangst talks a little more about how signify and pkg_add handle signatures
• In the past, the OpenBSD installer would pipe the output of ftp straight to tar, but then verify the SHA256 at the end - this had the advantage of not requiring any extra disk space, but raised some security concerns
• With signify, now everything is fully downloaded and verified before tar is even invoked
• The pkg_add utility works a little bit differently, but it's also been improved in this area - details in the post
• Be sure to also read the original post from Adam, lots of good information ***

FreeBSD 9.3-RC2 is out

• As the -RELEASE inches closer, release candidate 2 is out and ready for testing
• Since the last one, it's got some fixes for NIC drivers, the latest file and libmagic security fixes, some serial port workarounds and various other small things
• The updated bsdconfig will use pkgng style packages now too
• A lesser known fact: there are also premade virtual machine images you can use too ***

pkgsrcCon 2014 wrap-up

• In what may be the first real pkgsrcCon article we've ever had!
• Includes wrap-up discussion about the event, the talks, the speakers themselves, what they use pkgsrc for, the hackathon and basically the whole event
• Unfortunately no recordings to be found... ***

PostgreSQL FreeBSD performance and scalability

• FreeBSD developer kib@ writes a report on PostgreSQL on FreeBSD, and how it scales
• On his monster 40-core box with 1TB of RAM, he runs lots of benchmarks and posts the findings
• Lots of technical details if you're interested in getting the best performance out of your hardware
• It also includes specific kernel options he used and the rest of the configuration
• If you don't want to open the pdf file, you can use this link too ***

Feedback/Questions

• James writes in
• Klemen writes in
• John writes in
• Brad writes in
• Adam writes in ***

This episode was brought to you by

Headlines

EuroBSDCon 2014 talks and schedule

• The talks and schedules for EuroBSDCon 2014 are finally revealed
• The opening keynote is called "FreeBSD, looking forward to another 10 years" by jkh
• Lots of talks spanning FreeBSD, OpenBSD and PCBSD, and we finally have a few about NetBSD and DragonflyBSD too! Variety is great
• It looks like Theo even has a talk, but the title isn't on the page... how mysterious
• There are also days dedicated to some really interesting tutorials
• Register now, the conference is on September 25-28th in Bulgaria
• If you see Allan and Kris walking towards you and you haven't given us an interview yet... well you know what's going to happen
• Why aren't the videos up from last year yet? Will this year also not have any? ***

FreeNAS vs NAS4Free

• More mainstream news covering BSD, this time with an article about different NAS solutions
• In a possibly excessive eight-page article, Ars Technica discusses the pros and cons of both FreeNAS and NAS4Free
• Both are based on FreeBSD and ZFS of course, but there are more differences than you might expect
• Discusses the different development models, release cycles, features, interfaces and ease-of-use factor of each project
• "One is pleasantly functional; the other continues devolving during a journey of pain" - uh oh, who's the loser? ***

Quality software costs money, heartbleed was free

• PHK writes an article for ACM Queue about open source software projects' funding efforts
• A lot of people don't realize just how widespread open source software is - TVs, printers, gaming consoles, etc
• The article discusses ways to convince your workplace to fund open source efforts, then goes into a little bit about FreeBSD and Varnish's funding
• The latest heartbleed vulnerability should teach everyone that open source projects are critical to the internet, and need people actively maintaining them
• On that subject, "Earlier this year the OpenSSL Heartbleed bug laid waste to Internet security, and there are still hundreds of thousands of embedded devices of all kinds—probably your television among them—that have not been and will not ever be software-upgraded to fix it. The best way to prevent that from happening again is to avoid having bugs of that kind go undiscovered for several years, and the only way to avoid that is to have competent people paying attention to the software"
• Consider donating to your favorite BSD foundation (or buying cool shirts and CDs!) and keeping the ecosystem alive ***

Geoblock evasion with pf and OpenBSD rdomains

• Geoblocking is a way for websites to block visitors based on the location of their IP
• This is a blog post about how to get around it, using pf and rdomains
• It has the advantage of not requiring any browser plugins or DNS settings on the users' computers, you just need to be running OpenBSD on your router (hmm, if only a website had a tutorial about that...)
• In this post, the author wanted to get an American IP address, since the service he was using (Netflix) is blocked in Australia
• It's got all the details you need to set up a VPN-like system and bypass those pesky geographic filters ***

Interview - Marc Espie - espie@openbsd.org / @espie_openbsd

OpenBSD's package system, building cluster, various topics

Tutorial

Keeping your BSD up to date

News Roundup

BoringSSL and LibReSSL

• Yet another OpenSSL fork pops up, this time from Google, called BoringSSL
• Adam Langley has a blog post about it, why they did it and how they're going to maintain it
• You can easily browse the source code
• Theo de Raadt also weighs in with how this effort relates to LibReSSL
• More eyes on the code is good, and patches will be shared between the two projects ***

More BSD Tor nodes wanted

• Friend of the show bcallah posts some news to the Tor-BSD mailing list about monoculture in the Tor network being both bad and dangerous
• Originally discussed on the Tor-Relays list, it was made apparent that having such a large amount of Linux nodes weakens the security of the whole network
• If one vulnerability is found, a huge portion of the network would be useless - we need more variety in the network stacks, crypto, etc.
• The EFF is also holding a Tor challenge for people to start up new relays and keep them online for over a year
• Check out our Tor tutorial and help out the network, and promote BSD at the same time! ***

FreeBSD 10 OpenStack images

• OpenStack, to quote Wikipedia, is "a free and open-source software cloud computing platform. It is primarily deployed as an infrastructure as a service (IaaS) solution."
• The article goes into detail about creating a FreeBSD instant, installing and converting it for use with "bsd-cloudinit"
• The author of the article is a regular listener and emailer of the show, hey! ***

BSDday 2014 call for papers

• BSD Day, a conference not so well-known, is going to be held August 9th in Argentina
• It was created in 2008 and is the only BSD conference around that area
• The "call for papers" was issued, so if you're around Argentina and use BSD, consider submitting a talk
• Sysadmins, developers and regular users are, of course, all welcome to come to the event ***

Feedback/Questions

• Maruf writes in
• Solomon writes in
• Silas writes in
• Bert writes in ***

This episode was brought to you by

Headlines

FreeBSD moves to Bugzilla

• Historically, FreeBSD has used the old GNATS system for keeping track of bug reports
• After years and years of wanting to switch, they've finally moved away from GNATS to Bugzilla
• It offers a lot of advantages, is much more modern and actively maintained and
• There's a new workflow chart for developers to illustrate the new way of doing things
• The old "send-pr" command will still work for the time being, but will eventually be phased out in favor of native Bugzilla reporting tools (of which there are multiple in ports)
• This will hopefully make reporting bugs a lot less painful ***

DIY NAS: EconoNAS 2014

• We previously covered this blog last year, but the 2014 edition is up
• More of a hardware-focused article, the author details the parts he's using for a budget NAS
• Details the motherboard, RAM, CPU, hard drives, case, etc
• With a set goal of $500 max, he goes just over it - $550 for all the parts
• Lots of nice pictures of the hardware and step by step instructions for assembly, as well as software configuration instructions ***

DragonflyBSD 3.8 released

• Justin announced the availability of DragonflyBSD 3.8.0
• Binaries in /bin and /sbin are dynamic now, enabling the use of PAM and NSS to manage user accounts
• It includes a new HAMMER FS backup script and lots of FreeBSD tools have been synced with their latest versions
• Work continues on for the Intel graphics drivers, but it's currently limited to the HD4000 and Ivy Bridge series
• See the release page for more info and check the link for source-based upgrade instructions ***

OpenZFS European conference 2014

• There was an OpenZFS conference held in Europe recently, and now the videos are online for your viewing pleasure
• Matt Ahrens, Introduction
• Michael Alexander, FhGFS performance on ZFS
• Andriy Gapon, Testing ZFS on FreeBSD
• Luke Marsden, HybridCluster: ZFS in the cloud
• Vadim Comănescu, Syneto: continuously delivering a ZFS-based OS
• Chris George, DDRdrive ZIL accelerator: random write revelation
• Grenville Whelan, High-Availability
• Phil Harman, Harman Holistic
• Mark Rees, Storiant and OpenZFS
• Andrew Holway, EraStor ZFS appliances
• Dan Vâtca, Syneto and OpenZFS
• Luke Marsden, HybridCluster and OpenZFS
• Matt Ahrens, Delphix and OpenZFS
• Check the link for slides and other goodies ***

Interview - Benedict Reuschling - bcr@freebsd.org

BSD documentation, getting commit access, unix education, various topics

News Roundup

Getting to know your portmgr, Steve Wills

• "It is my pleasure to introduce Steve Wills, the newest member of the portmgr team"
• swills is an all-round good guy, does a lot for ports (especially the ruby ports)
• In this interview, we learn why he uses FreeBSD, the most embarrassing moment in his FreeBSD career and much more
• He used to work for Red Hat, woah ***

BSDTalk episode 242

• This time on BSDTalk, Will interviews Chris Buechler from pfSense
• Topics include: the heartbleed vulnerability and how it affected pfSense, how people usually leave their firewalls unpatched for a long time (or even forget about them!), changes between major versions, the upgrade process, upcoming features in their 10-based version, backporting drivers and security fixes
• They also touch on recent concerns in the pfSense community about their license change, that they may be "going commercial" and closing the source - so tune in to find out what their future plans are for all of that ***

Turn old PC hardware into a killer home server

• Lots of us have old hardware lying around doing nothing but collecting dust
• Why not turn that old box into a modern file server with FreeNAS and ZFS?
• This article goes through the process of setting up a NAS, gives a little history behind the project and highlights some of the different protocols FreeNAS can use (NFS, SMB, AFS, etc)
• Most of our users are already familiar with all of this stuff, nothing too advanced
• Good to see BSD getting some well-deserved attention on a big mainstream site ***

Unbloating the VAX install CD

• After a discussion on the VAX mailing list, something very important came to the attention of the developers...
• You can't boot NetBSD on a VAX box with 16MB of RAM from the CD image
• This blog post goes through the developer's adventure in trying to fix that through emulation and stripping various things out of the kernel to make it smaller
• In the end, he got it booting - and now all three VAX users who want to run NetBSD can do so on their systems with 16MB of RAM... ***

Feedback/Questions

• Thomas writes in
• Reynold writes in
• Bostjan writes in
• Paul writes in
• John writes in ***

This episode was brought to you by

Headlines

BSDCan 2014 talks and reports, part 2

• More presentations and trip reports are still being uploaded
• Ingo Schwarze, New Trends in mandoc
• Vsevolod Stakhov, The Architecture of the New Solver in pkg
• Julio Merino, The FreeBSD Test Suite
• Zbigniew Bodek, Transparent Superpages for FreeBSD on ARM
• There's also a trip report from Michael Dexter and another (very long and detailed) trip report from our friend Warren Block that even gives us some linkage, thanks! ***

Beyond security, getting to know OpenBSD's real purpose

• Michael W Lucas (who, we learn through this video, has been using BSD since 1986) gave a "webcast" last week, and the audio and slides are finally up
• It clocks in at just over 30 minutes, managing to touch on a lot of OpenBSD topics
• Some of those topics include: what is OpenBSD and why you should care, the philosophy of the project, how it serves as a "pressure cooker for ideas," briefly touches on GPL vs BSDL, their "do it right or don't do it at all" attitude, their stance on NDAs and blobs, recent LibreSSL development, some of the security functions that OpenBSD enabled before anyone else (and the ripple effect that had) and, of course, their disturbing preference for comic sans
• Here's a direct link to the slides
• Great presentation if you'd like to learn a bit about OpenBSD, but also contains a bit of information that long-time users might not know too ***

FreeBSD vs Linux, a comprehensive comparison

• Another blog post covering something people seem to be obsessed with - FreeBSD vs Linux
• This one was worth mentioning because it's very thorough in regards to how things are done behind the scenes, not just the usual technical differences
• It highlights the concept of a "core team" and their role vs "contributors" and "committers" (similar to a presentation Kirk McKusick did not long ago)
• While a lot of things will be the same on both platforms, you might still be asking "which one is right for me?" - this article weighs in with some points for both sides and different use cases
• Pretty well-written and unbiased article that also mentions areas where Linux might be better, so don't hate us for linking it ***

Expand FreeNAS with plugins

• One of the things people love the most about FreeNAS (other than ZFS) is their cool plugin framework
• With these plugins, you can greatly expand the feature set of your NAS via third party programs
• This page talks about a few of the more popular ones and how they can be used to improve your NAS or media box experience
• Some examples include setting up an OwnCloud server, Bacula for backups, Maraschino for managing a home theater PC, Plex Media Server for an easy to use video experience and a few more
• It then goes into more detail about each of them, how to actually install plugins and then how to set them up ***

Interview - Karl Lehenbauer - karl@flightaware.com / @flightaware

FreeBSD at FlightAware, BSD history, various topics

Tutorial

Ports and packages in OpenBSD

News Roundup

Code review culture meets FreeBSD

• In most of the BSDs, changes need to be reviewed by more than one person before being committed to the tree
• This article describes Phabricator, an open source code review system that we briefly mentioned last week
• Instructions for using it are on the wiki
• While not approved by the core team yet for anything official, it's in a testing phase and developers are encouraged to try it out and get their patches reviewed
• Just look at that fancy interface!! ***

Upcoming BSD books

• Sneaky MWL somehow finds his way into both our headlines and the news roundup
• He gives us an update on the next BSD books that he's planning to release
• The plan is to release three (or so) books based on different aspects of FreeBSD's storage system(s) - GEOM, UFS, ZFS, etc.
• This has the advantage of only requiring you to buy the one(s) you're specifically interested in
• "When will they be released? When I'm done writing them. How much will they cost? Dunno."
• It's not Absolute FreeBSD 3rd edition... ***

CARP failover and high availability on FreeBSD

• If you're running a cluster or a group of servers, you should have some sort of failover in place
• But the question comes up, "how do you load balance the load balancers!?"
• This video goes through the process of giving more than one machine the same IP, how to set up CARP, securing it and demonstrates a node dying
• Also mentions DNS-based load balancing as another option ***

PCBSD weekly digest

• This time in PCBSD land, we're getting ready for the 10.0.2 release (ISOs here)
• AppCafe got a good number of fixes, and now shows 10 random highlighted applications
• EasyPBI added a "bulk" mode to create PBIs of an entire FreeBSD port category
• Lumina, the new desktop environment, is still being worked on and got some bug fixes too ***

Feedback/Questions

• Paul writes in
• Matt writes in
• Kjell writes in
• Paul writes in
• Tom writes in ***

This episode was brought to you by

Headlines

BSDCan 2014 talks and reports

• The majority of the BSDCan talks are finally uploaded, so prepare to be flooded with links
• Karl Lehenbauer's keynote (he's on next week's episode)
• Mariusz Zaborski and Pawel Jakub Dawidek, Capsicum and Casper (relevant to today's interview)
• Luigi Rizzo, In-kernel OpenvSwitch on FreeBSD
• Dwayne Hart, Migrating from Linux to FreeBSD for Backend Data Storage
• Warner Losh, NAND Flash and FreeBSD
• Simon Gerraty, FreeBSD bmake and Meta Mode
• Bob Beck, LibreSSL - The First 30 Days
• Henning Brauer, OpenBGPD Turns 10 Years Old
• Arun Thomas, BSD ARM Kernel Internals
• Peter Hessler, Using BGP for Realtime Spam Lists
• Pedro Giffuni, Features and Status of FreeBSD's Ext2 Implementation
• Matt Ahrens, OpenZFS Upcoming Features and Performance Enhancements
• Daichi Goto, Shellscripts and Commands
• Benno Rice, Keeping Current
• Sean Bruno, MIPS Router Hacking
• John-Mark Gurney, Optimizing GELI Performance
• Patrick Kelsey, Userspace Networking with libuinet
• Massimiliano Stucchi, IPv6 Transitioning Mechanisms
• Roger Pau Monné, Taking the Red Pill
• Shawn Webb, Introducing ASLR in FreeBSD
• There's also a trip report from Peter Hessler and one from Julio Merino
• The latter report also talks about how, unfortunately, NetBSD basically had no presence in the event at all (and how that's a recurring trend) ***

Defend your network and privacy with a VPN and OpenBSD

• After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back
• This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities
• There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used
• You can transparently tunnel all your outbound traffic over the VPN with this configuration, nothing is needed on any of the client systems - this could also be used with Tor (but it would be very slow)
• It also includes a few general privacy tips, recommended browser extensions, etc
• The intro to the article is especially great, so give the whole thing a read
• He mentions our OpenBSD router guide and other tutorials being a big help for this setup, so hello if you're watching! ***

You should try FreeBSD

• In this blog post, the author talks a bit about how some Linux people aren't familiar with the BSDs and how we can take steps to change that
• He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two
• Possibly the most useful part is how to address the question "my server already works, why bother switching?"
• "Stackoverflow’s answers assume I have apt-get installed"
• It includes mention of the great documentation, stability, ports, improved security and much more
• A takeaway quote for would-be Linux switchers: "I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before" ***

OpenBSD and the little Mauritian contributor

• This is a story about a guy from Mauritius named Logan, one of OpenBSD's newest developers
• Back in 2010, he started sending in patched for OpenBSD's "mg" editor, among other small things, and eventually added file transfer resume support for SFTP
• The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon
• It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem
• Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back ***

Interview - Jon Anderson - jonathan@freebsd.org

Capsicum and Casperd

Tutorial

Encrypting DNS lookups

News Roundup

FreeBSD Journal, May 2014 issue

• The newest issue of the FreeBSD Journal is out, following the bi-monthly release cycle
• This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling
• Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read ***

LibreSSL porting update

• Since the last LibreSSL post we covered, a couple unofficial "portable" versions have died off
• Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly - stop doing that!
• This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example
• Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good ***

BSDMag May 2014 issue is out

• The usual monthly release from BSDMag, covering a variety of subjects
• This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things
• It's a free PDF, go grab it ***

BSDTalk episode 241

• A new episode of BSDTalk is out, this time with Bob Beck
• He talks about the OpenBSD foundation's recent activities, his own work in the project, some stories about the hardware in Theo's basement and a lot more
• The interview itself isn't about LibreSSL at all, but they do touch on it a bit too
• Really interesting stuff, covers a lot of different topics in a short amount of time ***

Feedback/Questions

• We got a number of replies about last week's VPN question, so thanks to everyone who sent in an email about it - the vpnc package seems to be what we were looking for
• Tim writes in
• AJ writes in
• Peter writes in
• Thomas writes in
• Martin writes in ***

This episode was brought to you by

Headlines

FreeBSD 11 goals and discussion

• Something that actually happened at BSDCan this year...
• During the FreeBSD devsummit, there was some discussion about what changes will be made in 11.0-RELEASE
• Some of MWL's notes include: the test suite will be merged to 10-STABLE, more work on the MIPS platforms, LLDB getting more attention, UEFI boot and install support
• A large list of possibilities was also included and open for discussion, including AES-GCM in IPSEC, ASLR, OpenMP, ICC, in-place kernel upgrades, Capsicum improvements, TCP performance improvements and A LOT more
• There's also some notes from the devsummit virtualization session, mostly talking about bhyve
• Lastly, he also provides some notes about ports and packages and where they're going ***

An SSH honeypot with OpenBSD and Kippo

• Everyone loves messing with script kiddies, right?
• This blog post introduces Kippo, an SSH honeypot tool, and how to use it in combination with OpenBSD
• It includes a step by step (or rather, command by command) guide and some tips for running a honeypot securely
• You can use this to get new 0day exploits or find weaknesses in your systems
• OpenBSD makes a great companion for security testing tools like this with all its exploit mitigation techniques that protect all running applications ***

NetBSD foundation financial report

• The NetBSD foundation has posted their 2013 financial report
• It's a very "no nonsense" page, pretty much only the hard numbers
• In 2013, they got $26,000 of income in donations
• The rest of the page shows all the details, how they spent it on hardware, consulting, conference fees, legal costs and everything else
• Be sure to donate to whichever BSDs you like and use! ***

Building a fully-encrypted NAS with OpenBSD

• Usually the popular choice for a NAS system is FreeNAS, or plain FreeBSD if you know what you're doing
• This article takes a look at the OpenBSD side and explains how to build a NAS with security in mind
• The NAS will be fully encrypted, no separate /boot partition like FreeBSD and FreeNAS require - this means the kernel itself is even protected
• The obvious trade-off is the lack of ZFS support for storage, but this is an interesting idea that would fit most people's needs too
• There's also a bit of background information on NAS systems in general, some NAS-specific security tips and even some nice graphs and pictures of the hardware - fantastic write up! ***

Interview - Brian Callahan & Aaron Bieber - admin@lists.nycbug.org & admin@cobug.org

Forming a local BSD Users Group

Tutorial

The basics of pkgsrc

News Roundup

FreeBSD periodic mails vs. monitoring

• If you've ever been an admin for a lot of FreeBSD boxes, you've probably noticed that you get a lot of email
• This page tells about all the different alert emails, cron emails and other reports you might end up getting, as well as how to manage them
• From bad SSH logins to Zabbix alerts, it all adds up quickly
• It highlights the periodic.conf file and FreeBSD's periodic daemon, as well as some third party monitoring tools you can use to keep track of your servers ***

Doing cool stuff with OpenBSD routing domains

• A blog post from our viewer and regular emailer, Kjell-Aleksander!
• He manages some internally-routed IP ranges at his work, but didn't want to have equipment for each separate project
• This is where OpenBSD routing domains and pf come in to save the day
• The blog post goes through the process with all the network details you could ever dream of
• He even named his networking equipment... after us ***

LibreSSL, the good and the bad

• We're all probably familiar with OpenBSD's fork of OpenSSL at this point
• However, "for those of you that don't know it, OpenSSL is at the same time the best and most popular SSL/TLS library available, and utter junk"
• This article talks about some of the cryptographic development challenges involved with maintaining such a massive project
• You need cryptographers, software engineers, software optimization specialists - there are a lot of roles that need to be filled
• It also mentions some OpenSSL alternatives and recent LibreSSL progress, as well as some downsides to the fork - the main one being their aim for backwards compatibility ***

PCBSD weekly digest

• Lots going on in PCBSD land this week, AppCafe has been redesigned
• The PBI system is being replaced with pkgng, PBIs will be automatically converted once you update
• In the more recent post, there's some further explanation of the PBI system and the reason for the transition
• It's got lots of details on the different ways to install software, so hopefully it will clear up any possible confusion ***

Feedback/Questions

• Antonio writes in
• Daniel writes in
• Sean writes in
• tsyn writes in
• Chris writes in ***

This episode was brought to you by

Headlines

ALTQ removed from PF

• Kicking off our big PF episode...
• The classic packet queueing system, ALTQ, was recently removed from OpenBSD -current
• There will be a transitional phase between 5.5 and 5.6 where you can still use it by replacing the "queue" keyword with "oldqueue" in your pf.conf
• As of 5.6, due about six months from now, you'll have to change your ruleset to the new syntax if you're using it for bandwidth shaping
• After more than ten years, bandwidth queueing has matured quite a bit and we can finally put ALTQ to rest, in favor of the new queueing subsystem
• This doesn't affect FreeBSD, PCBSD, NetBSD or DragonflyBSD since all of their PFs are older and maintained separately. ***

FreeBSD Quarterly Status Report

• The quarterly status report from FreeBSD is out, detailing some of the project's ongoing tasks
• Some highlights include the first "stable" branch of ports, ARM improvements (including SMP), bhyve improvements, more work on the test suite, desktop improvements including the new vt console driver and UEFI booting support finally being added
• We've got some specific updates from the cluster admin team, core team, documentation team, portmgr team, email team and release engineering team
• LOTS of details and LOTS of topics to cover, give it a read ***

OpenBSD's OpenSSL rewrite continues with m2k14

• A mini OpenBSD hackathon begins in Morocco, Africa
• You can follow the changes in the -current CVS log, but a lot of work is mainly going towards the OpenSSL cleaning
• We've got two trip reports so far, hopefully we'll have some more to show you in a future episode
• You can see some of the more interesting quotes from the tear-down or see everything
• Apparently they are going to call the fork "LibreSSL" ....
• What were the OpenSSL developers thinking? The RSA private key was used to seed the entropy!
• We also got some mainstream news coverage and another post from Ted about the history of the fork
• Definitely consider donating to the OpenBSD foundation, this fork will benefit all the other BSDs too ***

NetBSD 6.1.4 and 6.0.5 released

• New updates for the 6.1 and 6.0 branches of NetBSD, focusing on bugfixes
• The main update is - of course - the heartbleed vulnerability
• Also includes fixes for other security issues and even a kernel panic... on Atari
• Patch your Ataris right now, this is serious business ***

Interview - Peter Hansteen - peter@bsdly.net / @pitrh

The Book of PF: 3rd edition

Tutorial

BSD Firewalls: PF

News Roundup

New Xorg now the default in FreeBSD

• For quite a while now, FreeBSD has had two versions of X11 in ports
• The older, stable version was the default, but you could install a newer one by having "WITH_NEW_XORG" in /etc/make.conf
• They've finally made the switch for 10-STABLE and 9-STABLE
• Check this wiki page for more info ***

GSoC-accepted BSD projects

• The Google Summer of Code team has got the list of accepted project proposals uploaded so we can see what's planned
• OpenBSD's list includes DHCP configuration parsing improvements, systemd replacements, porting capsicum, GPT and UEFI support, and modernizing the DHCP daemon
• The FreeBSD list was also posted
• Theirs includes porting FreeBSD to the Android emulator, CTF in the kernel debugger, improved unicode support, converting firewall rules to a C module, pkgng improvements, MicroBlaze support, PXE fixes, bhyve caching, bootsplash and lots more
• Good luck to all the students participating, hopefully they become full time BSD users ***

Complexity of FreeBSD VFS using ZFS as an example

• HybridCluster posted the second part of their VFS and ZFS series
• This new post has lots of technical details once again, definitely worth reading if you're a ZFS guy
• Of course, also watch episode 24 for our interview with HybridCluster - they do really interesting stuff ***

PCBSD weekly digest

• Preload has been ported over, it's a daemon that prefetches applications
• PCBSD is developing their own desktop environment, Lumina (there's also an FAQ)
• It's still in active development, but you can try it out by installing from ports
• We'll be showing a live demo of it in a few weeks (when development settles down a bit)
• Some kid in Australia subjects his poor mother to being on camera while she tries out PCBSD and gives her impressions of it ***