This episode was brought to you by

Headlines

EdgeRouter Lite, meet OpenBSD

• The ERL, much like the Raspberry Pi and a bunch of other cheap boards, is getting more and more popular as more things get ported to run on it
• We've covered installing NetBSD and FreeBSD on them before, but OpenBSD has gotten a lot better support for them as well now (including the onboard storage in 5.8)
• Ted Unangst got a hold of one recently and kindly wrote up some notes about installing and using OpenBSD on it
• He covers doing a network install, getting the (slightly strange) bootloader working with u-boot and some final notes about the hardware
• More discussion can be found on Hacker News and various other places
• One thing to note about these devices: because of their MIPS64 processor, they'll have weaker ASLR than X86 CPUs (and no W^X at all) ***

Design and Implementation of the FreeBSD Operating System interview

• For those who don't know, the "Design and Implementation of the FreeBSD Operating System" is a semi-recently-revived technical reference book for FreeBSD development
• InfoQ has a review of the book up for anyone who might be interested, but they also have an interview the authors
• "The book takes an approach to FreeBSD from inside out, starting with kernel services, then moving to process and memory management, I/O and devices, filesystems, IPC and network protocols, and finally system startup and shutdown. The book provides dense, technical information in a clear way, with lots of pseudo-code, diagrams, and tables to illustrate the main points."
• Aside from detailing a few of the chapters, the interview covers who the book's target audience is, some history of the project, long-term support, some of the newer features and some general OS development topics ***

Path list parameter in OpenBSD tame

• We've mentioned OpenBSD's relatively new "tame" subsystem a couple times before: it's an easy-to-implement "self-containment" framework, allowing programs to have a reduced feature set mode with even less privileges
• One of the early concerns from users of other process containment tools was that tame was too broad in the way it separated disk access - you could either read/write files or not, nothing in between
• Now there's the option to create a whitelist of specific files and directories that your binary is allowed to access, giving a much finer-grained set of controls to developers
• The next step is to add tame restraints to the OpenBSD userland utilities, which should probably be done by 5.9
• More discussion can be found on Reddit and Hacker News ***

FreeBSD & PC-BSD 10.2-RELEASE

• The FreeBSD team has released the second minor version bump to the 10.x branch, including all the fixes from 10-STABLE since 10.1 came out
• The Linux compatibility layer has been updated to support CentOS 6, rather than the much older Fedora Core base used previously, and the DRM graphics code has been updated to match Linux 3.8.13
• New installations (and newly-upgraded systems) will use the quarterly binary package set, rather than the rolling release model that most people are used to
• A VXLAN driver was added, allowing you to create virtual LANs by encapsulating the ethernet frame in a UDP packet
• The bhyve codebase is much newer, enabling support for AMD CPUs with SVM and AMD-V extensions
• ARM and ARM64 code saw some fixes and improvements, including SMP support on a few specific boards and support for a few new boards
• The bootloader now supports entering your GELI passphrase before loading the kernel in full disk encryption setups
• In addition to assorted userland fixes and driver improvements, various third party tools in the base system were updated: resolvconf, ISC NTPd, netcat, file, unbound, OpenSSL, sendmail
• Check the full release notes for the rest of the details and changes
• PC-BSD also followed with their 10.2-RELEASE, sporting a few more additional features ***

Interview - Damien Miller - djm@openbsd.org / @damienmiller

OpenSSH: phasing out broken crypto, default cipher changes

News Roundup

NetBSD at Open Source Conference Shimane

• We weren't the only ones away at conferences last week - the Japanese NetBSD guys are always raiding one event or another
• This time they had NetBSD running on some Sony NWS devices (MIPS-based)
• JavaStations were also on display - something we haven't ever seen before (made between 1996-2000) ***

BAFUG videos

• The Bay Area FreeBSD users group has been uploading some videos of their recent meetings
• Devin Teske hosts the first one, discussing adding GELI support to the bootloader, including some video demonstrations of how it works
• Shortly after beginning, Adrian Chadd takes over the conversation and they discuss various problems (and solutions) related to the bootloader - for example, how can we type encryption passwords with non-US keyboard layouts
• In a second video, Jordan Hubbard and Kip Macy introduce "NeXTBSD aka FreeBSD X"
• In it, they discuss their ideas of merging more Mac OS X features into FreeBSD (launchd to replace the init system, some APIs, etc)
• People should record presentations at their BSD users groups and send them to us ***

L2TP over IPSEC on OpenBSD

• If you've got an OpenBSD box and some Mac OS X clients that need secure communications, surprise: they can work together pretty well
• Using only the base tools in both operating systems, you can build a nice IPSEC setup for tunneling all your traffic
• This guide specifically covers L2TP, using npppd and pre-shared keys
• Server setup, client setup, firewall configuration and routing-related settings are all covered in detail ***

Reliable bare metal with TrueOS

• Imagine a server version of PC-BSD with some useful utilities preinstalled - that's basically TrueOS
• This article walks you through setting up a FreeBSD -CURRENT server (using TrueOS) to create a pretty solid backup solution
• Most importantly, he also covers how to keep everything redundant and deal with hard drives failing
• The author chose to go with the -CURRENT branch because of the delay between regular releases, and newer features not making their way to users as fast as he'd like
• Another factor is that there are no binary snapshots of FreeBSD -CURRENT that can be easily used for in-place upgrades, but with TrueOS (and some other BSDs) there are ***

Kernel W^X on i386

• We mentioned some big W^X kernel changes in OpenBSD a while back, but the work was mainly for x86_64 CPU architecture (which makes sense; that's what most people run now)
• Mike Larkin is back again, and isn't leaving the people with older hardware out, committing similar kernel work into the i386 platform now as well
• Check out our interview with Mike for some more background info on memory protections like W^X ***

Feedback/Questions

• Markus writes in
• Sean writes in
• Theo writes in ***

This episode was brought to you by

Headlines

Bitrig 1.0 released

• If you haven't heard of it, Bitrig is a fork of OpenBSD that started a couple years ago
• According to their FAQ, some of their goals include: only supporting modern hardware and a limited set of CPU architectures, replacing nearly all GNU tools in base with BSD versions and having better virtualization support
• They've finally announced their first official release, 1.0
• This release introduces support for Clang 3.4, replacing the old GCC, along with libc++ replacing the GNU version
• It also includes filesystem journaling, support for GPT and - most importantly - a hacker-style console with green text on black background
• One of the developers answered some questions about it on Hacker News too ***

Is it time to try BSD?

• Here we get a little peek into the Linux world - more and more people are considering switching
• On a more mainstream tech news site, they have an article about people switching away from Linux and to BSD
• People are starting to get even more suspicious of systemd, and lots of drama in the Linux world is leading a whole new group of potential users over to the BSD side
• This article explores some pros and cons of switching, and features opinions of various users ***

Poudriere 3.1 released

• One of the first things we ever covered on the show was poudriere, a tool with a funny name that's used to build binary packages from FreeBSD ports
• It's come a long way since then, and bdrewery and bapt have just announced a new major version
• This new release features a redesigned web interface to check on the status of your packages
• There are lots of new bulk building options to preserve packages even if some fail to compile - this makes maintaining a production repo much easier
• It also introduces a useful new "pkgclean" subcommand to clean out your repository of packages that aren't needed anymore, and poudriere keeps it cleaner by default as well now
• Check the full release notes for all the additions and bug fixes ***

Firewalling with OpenBSD's pf and pfsync

• A talk by David Gwynne from an Australian conference was uploaded, with the subject matter being pf and pfsync
• He uses pf to manage 60 internal networks with a single firewall
• The talk gives some background on how pf originally came to be and some OpenBSD 101 for the uninitiated
• It also touches on different rulesets, use cases, configuration syntax, placing limits on connections, ospf, authpf, segregating VLANs, synproxy handling and a lot more
• The second half of the presentation focuses on pfsync and carp for failover and redundancy
• With two BSD boxes running pfsync, you can actually patch your kernel and still stay connected to IRC ***

Interview - Patrick Wildt - patrick@bitrig.org / @bitrig

The initial release of Bitrig

News Roundup

Infrastructural enhancements at NYI

• The FreeBSD foundation put up a new blog post detailing some hardware improvements they've recently done
• Their eastern US colocation is hosted at New York Internet, and is used for FTP mirrors, pkgng mirrors, and also as a place for developers to test things
• There've been fourteen machines purchased since July, and now FreeBSD boasts a total of sixty-eight physical boxes there
• This blog post goes into detail about how those servers are used and details some of the network topology ***

The long tail of MD5

• Our friend Ted Unangst is on a quest to replace all instances of MD5 in OpenBSD's tree with something more modern
• In this blog post, he goes through some of the different areas where MD5 still lives, and discovers how easy (or impossible) it would be to replace
• Through some recent commits, OpenBSD now uses SHA512 in some places that you might not expect
• Some other places require a bit more care… ***

DragonFly cheat sheet

• If you've been thinking of trying out DragonFlyBSD lately, this might make the transition a bit easier
• A user-created "cheat sheet" on the website lists some common answers to beginner questions
• The page features a walkthrough of the installer, some shell tips and workarounds for various issues
• At the end, it also has some things that new users can get involved with to help out ***

Experiences with an OpenBSD laptop

• A lot of people seem to be interested in trying out some form of BSD on their laptop, and this article details just that
• The author got interested in OpenBSD mostly because of the security focus and the fact that it's not Linux
• In this blog post, he goes through the steps of researching, installing, configuring, upgrading and finally actually using it on his Thinkpad
• He even gives us a mention as a good place to learn more about BSD, thanks! ***

PC-BSD Updates

• A call for testing of a new update system has gone out
• Conversion to Qt5 for utils has taken place ***

Feedback/Questions

• Chris writes in
• AJ writes in
• Dan writes in
• Jeff writes in ***

Mailing List Gold

• Over 440% faster
• The PF conundrum (edit: Allan misspoke about PF performance during this segment, apologies.)
• Violating bad standards
• apt-get rid of systemd ***

This episode was brought to you by

Headlines

Secure communications with OpenBSD and OpenVPN

• Starting off today's theme of encryption...
• A new blog series about combining OpenBSD and OpenVPN to secure your internet traffic
• Part 1 covers installing OpenBSD with full disk encryption (which we'll be doing later on in the show)
• Part 2 covers the initial setup of OpenVPN certificates and keys
• Parts 3 and 4 are the OpenVPN server and client configuration
• Part 5 is some updates and closing remarks ***

FreeBSD Foundation Newsletter

• The December 2013 semi-annual newsletter was sent out from the foundation
• In the newsletter you will find the president's letter, articles on the current development projects they sponsor and reports from all the conferences and summits they sponsored
• The president's letter alone is worth the read, really amazing
• Really long, with lots of details and stories from the conferences and projects ***

Use of NetBSD with Marvell Kirkwood Processors

• Article that gives a brief history of NetBSD and how to use it on an IP-Plug computer
• The IP-Plug is a "multi-functional mini-server was developed by Promwad engineers by the order of AK-Systems. It is designed for solving a wide range of tasks in IP networks and can perform the functions of a computer or a server. The IP-Plug is powered from a 220V network and has low power consumption, as well as a small size (which can be compared to the size of a mobile phone charger)."
• Really cool little NetBSD ARM project with lots of graphs, pictures and details ***

Experimenting with zero-copy network IO

• Long blog post from Adrian Chadd about zero-copy network IO on FreeBSD
• Discusses the different OS' implementations and options
• He's able to get 35 gbit/sec out of 70,000 active TCP sockets, but isn't stopping there
• Tons of details, check the full post ***

Interview - Damien Miller - djm@openbsd.org / @damienmiller

Cryptography in OpenBSD and OpenSSH

Tutorial

Full disk encryption in FreeBSD & OpenBSD

News Roundup

OpenZFS office hours

• Our buddy George Wilson sat down to take some ZFS questions from the community
• You can see more info about it here ***

License summaries in pkgng

• A discussion between Justin Sherill and some NYCBUG guys about license frameworks in pkgng
• Similar to pkgsrc's "ACCEPTABLE_LICENSES" setting, pkgng could let the user decide which software licenses he wants to allow
• Maybe we could get a "pkg licenses" command to display the license of all installed packages
• Ok bapt, do it ***

The FreeBSD challenge continues

• Checking in with our buddy from the Linux foundation...
• The switching from Linux to FreeBSD blog series continues for his month-long trial
• Follow up from last week: "As a matter of fact, I did check out PC-BSD, and wanted the challenge. Call me addicted to pain and suffering, but the pride and accomplishment you feel from diving into FreeBSD is quite rewarding."
• Since we last mentioned it, he's decided to go from a VM to real hardware, got all of his common software installed, experimented with the Linux emulation, set up virtualbox, learned about slices/partitions/disk management, found BSD alternatives to his regularly-used commands and lots more ***

Ports gets a stable branch

• For the first time ever, FreeBSD's ports tree will have a maintained "stable" branch
• This is similar to how pkgsrc does things, with a rolling release for updated software and stable branch for only security and big fixes
• All commits to this branch require approval of portmgr, looks like it'll start in 2014Q1 ***

Feedback/Questions

• John writes in
• Spencer writes in
• Campbell writes in
• Sha'ul writes in
• Clint writes in ***