This episode was brought to you by

Headlines

OpenBSD hypervisor coming soon

• Our buddy Mike Larkin never rests, and he posted some very tight-lipped console output on Twitter recently
• From what little he revealed at the time, it appeared to be a new hypervisor (that is, X86 hardware virtualization) running on OpenBSD -current, tentatively titled "vmm"
• Later on, he provided a much longer explanation on the mailing list, detailing a bit about what the overall plan for the code is
• Originally started around the time of the Australia hackathon, the work has since picked up more steam, and has gotten a funding boost from the OpenBSD foundation
• One thing to note: this isn't just a port of something like Xen or Bhyve; it's all-new code, and Mike explains why he chose to go that route
• He also answered some basic questions about the requirements, when it'll be available, what OSes it can run, what's left to do, how to get involved and so on ***

Why FreeBSD should not adopt launchd

• Last week we mentioned a talk Jordan Hubbard gave about integrating various parts of Mac OS X into FreeBSD
• One of the changes, perhaps the most controversial item on the list, was the adoption of launchd to replace the init system (replacing init systems seems to cause backlash, we've learned)
• In this article, the author talks about why he thinks this is a bad idea
• He doesn't oppose the integration into FreeBSD-derived projects, like FreeNAS and PC-BSD, only vanilla FreeBSD itself - this is also explained in more detail
• The post includes both high-level descriptions and low-level technical details, and provides an interesting outlook on the situation and possibilities
• Reddit had quite a bit to say about this one, some in agreement and some not ***

DragonFly graphics improvements

• The DragonFlyBSD guys are at it again, merging newer support and fixes into their i915 (Intel) graphics stack
• This latest update brings them in sync with Linux 3.17, and includes Haswell fixes, DisplayPort fixes, improvements for Broadwell and even Cherryview GPUs
• You should also see some power management improvements, longer battery life and various other bug fixes
• If you're running DragonFly, especially on a laptop, you'll want to get this stuff on your machine quick - big improvements all around ***

OpenBSD tames the userland

• Last week we mentioned OpenBSD's tame framework getting support for file whitelists, and said that the userland integration was next - well, now here we are
• Theo posted a mega diff of nearly 100 smaller diffs, adding tame support to many areas of the userland tools
• It's still a work-in-progress version; there's still more to be added (including the file path whitelist stuff)
• Some classic utilities are even being reworked to make taming them easier - the "w" command, for example
• The diff provides some good insight on exactly how to restrict different types of utilities, as well as how easy it is to actually do so (and en masse)
• More discussion can be found on HN, as one might expect
• If you're a software developer, and especially if your software is in ports already, consider adding some more fine-grained tame support in your next release ***

Interview - Scott Courtney - vbsdcon@verisign.com / @verisign

vBSDCon 2015

News Roundup

OPNsense, beyond the fork

• We first heard about OPNsense back in January, and they've since released nearly 40 versions, spanning over 5,000 commits
• This is their first big status update, covering some of the things that've happened since the project was born
• There's been a lot of community growth and participation, mass bug fixing, new features added, experimental builds with ASLR and much more - the report touches on a little of everything ***

LibreSSL nukes SSLv3

• With their latest release, LibreSSL began to turn off SSLv3 support, starting with the "openssl" command
• At the time, SSLv3 wasn't disabled entirely because of some things in the OpenBSD ports tree requiring it (apache being one odd example)
• They've now flipped the switch, and the process of complete removal has started
• From the Undeadly summary, "This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to do!"
• With this change and a few more to follow shortly, Libre*SSL* won't actually support SSL anymore - time to rename it "LibreTLS" ***

FreeBSD MPTCP updated

• For anyone unaware, Multipath TCP is "an ongoing effort of the Internet Engineering Task Force's (IETF) Multipath TCP working group, that aims at allowing a Transmission Control Protocol (TCP) connection to use multiple paths to maximize resource usage and increase redundancy."
• There's been work out of an Australian university to add support for it to the FreeBSD kernel, and the patchset was recently updated
• Including in this latest version is an overview of the protocol, how to get it compiled in, current features and limitations and some info about the routing requirements
• Some big performance gains can be had with MPTCP, but only if both the client and server systems support it - getting it into the FreeBSD kernel would be a good start ***

UEFI and GPT in OpenBSD

• There hasn't been much fanfare about it yet, but some initial UEFI and GPT-related commits have been creeping into OpenBSD recently
• Some support for UEFI booting has landed in the kernel, and more bits are being slowly enabled after review
• This comes along with a number of other commits related to GPT, much of which is being refactored and slowly reintroduced
• Currently, you have to do some disklabel wizardry to bypass the MBR limit and access more than 2TB of space on a single drive, but it should "just work" with GPT (once everything's in)
• The UEFI bootloader support has been committed, so stay tuned for more updates as further progress is made ***

Feedback/Questions

• John writes in
• Mason writes in
• Earl writes in ***

This episode was brought to you by

Headlines

More BSD presentation videos

• The MeetBSD video uploading spree continues with a few more talks, maybe this'll be the last batch
• Corey Vixie, Web Apps in Embedded BSD
• Allan Jude, UCL config
• Kip Macy, iflib
• While we're on the topic of conferences, AsiaBSDCon's CFP was extended by one week
• This year's ruBSD will be on December 13th in Moscow
• Also, the BSDCan call for papers is out, and the event will be in June next year
• Lastly, according to Rick Miller, "A potential vBSDcon 2015 event is being explored though a decision has yet to be made." ***

BSD-powered digital library in Africa

• You probably haven't heard much about Nzega, Tanzania, but it's an East African country without much internet access
• With physical schoolbooks being a rarity there, a few companies helped out to bring some BSD-powered reading material to a local school
• They now have a pair of FreeNAS Minis at the center of their local network, with over 80,000 books and accompanying video content stored on them (~5TB of data currently)
• The school's workstations also got wiped and reloaded with FreeBSD, and everyone there seems to really enjoy using it ***

pfSense 2.2 status update

• With lots of people asking when the 2.2 release will be done, some pfSense developers decided to provide a status update
• 2.2 will have a lot of changes: being based on FreeBSD 10.1, Unbound instead of BIND, updating PHP to something recent, including the new(ish) IPSEC stack updates, etc
• All these things have taken more time than previously expected
• The post also has some interesting graphs showing the ratio of opened and close bugs for the upcoming release ***

Recommended hardware threads

• A few threads on caught our attention this week, all about hardware recommendations for BSD setups
• In the first one, the OP asks about mini-ITX hardware to run a FreeBSD server and NAS
• Everyone gave some good recommendations for low power, Atom-based systems
• The second thread started off asking about which CPU architecture is best for PF on an OpenBSD router, but ended up being another hardware thread
• For a router, the ALIX, APU and Soekris boards still seem to be the most popular choices, with the third and fourth threads confirming this
• If you're thinking about building your first BSD box - server, router, NAS, whatever - these might be some good links to read ***

Interview - Paul Schenkeveld - freebsd@psconsult.nl

Running a BSD conference

News Roundup

From Linux to FreeBSD - for reals

• Another Linux user is ready to switch to BSD, and takes to Reddit for some community encouragement (seems to be a common thing now)
• After being a Linux guy for 20(!) years, he's ready to switch his systems over, and is looking for some helpful guides to transition
• In the comments, a lot of new switchers offer some advice and reading material
• If any of the listeners have some things that were helpful along your switching journey, maybe send 'em this guy's way ***

Running FreeBSD as a Xen Dom0

• Continuing progress has been made to allow FreeBSD to be a host for the Xen hypervisor
• This wiki article explains how to run the Xen branch of FreeBSD and host virtual machines on it
• Xen on FreeBSD currently supports PV guests (modified kernels) and HVM (unmodified kernels, uses hardware virtualization features)
• The wiki provides instructions for running Debian (PV) and FreeBSD (HVM), and discusses the features that are not finished yet ***

HardenedBSD updates and changes

• a.out is the old executable format for Unix
• The name stands for assembler output, and was coined by Ken Thompson as the fixed name for output of his PDP-7 assembler in 1968
• FreeBSD, on which HardenedBSD is based, switched away from a.out in version 3.0
• A restriction against NULL mapping was introduced in FreeBSD 7 and enabled by default in FreeBSD 8
• However, for reasons of compatibility, it could be switched off, allowing buggy applications to continue to run, at the risk of allowing a kernel bug to be exploited
• HardenedBSD has removed the sysctl, making it impossible to run in ‘insecure mode’
• Package building update: more consistent repo, no more i386 packages ***

Feedback/Questions

• Boris writes in
• Alex writes in (edit: adding "tinker panic 0" to the ntp.conf will disable the sanity check)
• Chris writes in
• Robert writes in
• Jake writes in ***

Mailing List Gold

• Real world authpf use
• The great perl event of 2014 ***

This episode was brought to you by

Headlines

EuroBSDCon 2014 talks and tutorials

• The 2014 EuroBSDCon videos have been online for over a month, but unannounced - keep in mind these links may be temporary (but we'll mention their new location in a future show and fix the show notes if that's the case) <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Arun Thomas, BSD ARM Kernel Internals <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Ted Unangst, Developing Software in a Hostile Environment <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Martin Pieuchot, Taming OpenBSD Network Stack Dragons <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Henning Brauer, OpenBGPD turns 10 years <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Claudio Jeker, vscsi and iscsid iSCSI initiator the OpenBSD way <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Paul Irofti, Making OpenBSD Useful on the Octeon Network Gear <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Baptiste Daroussin, Cross Building the FreeBSD ports tree <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Boris Astardzhiev, Smartcom’s control plane software, a customized version of FreeBSD <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Michał Dubiel, OpenStack and OpenContrail for FreeBSD platform <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Martin Husemann & Joerg Sonnenberger, Tool-chaining the Hydra, the ongoing quest for modern toolchains in NetBSD <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Taylor R Campbell, The entropic principle: /dev/u?random and NetBSD <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Dag-Erling Smørgrav, Securing sensitive & restricted data <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Peter Hansteen, Building The Network You Need With PF <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Stefan Sperling, Subversion for FreeBSD developers <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Peter Hansteen, Transition to OpenBSD 5.6 <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Ingo Schwarze, Let’s make manuals more useful <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Francois Tigeot, Improving DragonFly’s performance with PostgreSQL <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Justin Cormack, Running Applications on the NetBSD Rump Kernel <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Pierre Pronchery, EdgeBSD, a year later <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Peter Hessler, Using routing domains or tables in a production network <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Sean Bruno, QEMU user mode on FreeBSD <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Kristaps Dzonsons, Bugs Ex Ante <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Yann Sionneau, Porting NetBSD to the LatticeMico32 open source CPU <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Alexander Nasonov, JIT Code Generator for NetBSD <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Masao Uebayashi, Porting Valgrind to NetBSD and OpenBSD <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Marc Espie, parallel make, working with legacy code <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Francois Tigeot, Porting the drm-kms graphic drivers to DragonFly <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• The following talks (from the Vitosha track room) are all currently missing:
• Jordan Hubbard, FreeBSD, Looking forward to another 10 years (but we have another recording)
• Theo de Raadt, Randomness, how arc4random has grown since 1998 (but we have another recording)
• Kris Moore, Snapshots, Replication, and Boot-Environments
• Kirk McKusick, An Introduction to the Implementation of ZFS
• John-Mark Gurney, Optimizing GELI Performance
• Emmanuel Dreyfus, FUSE and beyond, bridging filesystems
• Lourival Vieira Neto, NPF scripting with Lua
• Andy Tanenbaum, A Reimplementation of NetBSD Based on a Microkernel
• Stefano Garzarella, Software segmentation offloading for FreeBSD
• Ted Unangst, LibreSSL
• Shawn Webb, Introducing ASLR In FreeBSD
• Ed Maste, The LLDB Debugger in FreeBSD
• Philip Guenther, Secure lazy binding ***

OpenBSD adopts SipHash

• Even more DJB crypto somehow finds its way into OpenBSD's base system
• This time it's SipHash, a family of pseudorandom functions that's resistant to hash bucket flooding attacks while still providing good performance
• After an initial import and some clever early usage, a few developers agreed that it would be better to use it in a lot more places
• It will now be used in the filesystem, and the plan is to utilize it to protect all kernel hash functions
• Some other places that Bernstein's work can be found in OpenBSD include the ChaCha20-Poly1305 authenticated stream cipher and Curve25519 KEX used in SSH, ChaCha20 used in the RNG, and Ed25519 keys used in signify and SSH ***

FreeBSD 10.1-RELEASE

• FreeBSD's release engineering team likes to troll us by uploading new versions just a few hours after we finish recording an episode
• The first maintenance update for the 10.x branch is out, improving upon a lot of things found in 10.0-RELEASE
• The vt driver was merged from -CURRENT and can now be enabled with a loader.conf switch (and can even be used on a PlayStation 3)
• Bhyve has gotten quite a lot of fixes and improvements from its initial debut in 10.0, including boot support for ZFS
• Lots of new ARM hardware is supported now, including SMP support for most of them
• A new kernel selection menu was added to the loader, so you can switch between newer and older kernels at boot time
• 10.1 is the first to support UEFI booting on amd64, which also has serial console support now
• Lots of third party software (OpenSSH, OpenSSL, Unbound..) and drivers have gotten updates to newer versions
• It's a worthy update from 10.0, or a good time to try the 10.x branch if you were avoiding the first .0 release, so grab an ISO or upgrade today
• Check the detailed release notes for more information on all the changes
• Also take a look at some of the known problems to see if you'll be affected by any of them
• PC-BSD was also updated accordingly with some of their own unique features and changes ***

arc4random - Randomization for All Occasions

• Theo de Raadt gave an updated version of his EuroBSDCon presentation at Hackfest 2014 in Quebec
• The presentation is mainly about OpenBSD's arc4random function, and outlines the overall poor state of randomization in the 90s and how it has evolved in OpenBSD over time
• It begins with some interesting history on OpenBSD and how it became a security-focused OS - in 1996, their syslogd got broken into and "suddenly we became interested in security"
• The talk also touches on how low-level changes can shake up the software ecosystem and third party packages that everyone uses
• There's some funny history on the name of the function (being called arc4random despite not using RC4 anymore) and an overall status update on various platforms' usage of it
• Very detailed and informative presentation, and the slides can be found here
• A great quote from the beginning: "We consider ourselves a community of (probably rather strange) people who work on software specifically for the purpose of trying to make it better. We take a 'whole-systems' approach: trying to change everything in the ecosystem that's under our control, trying to see if we can make it better. We gain a lot of strength by being able to throw backwards compatibility out the window. So that means that we're able to do research and the minute that we decide that something isn't right, we'll design an alternative for it and push it in. And if it ends up breaking everybody's machines from the previous stage to the next stage, that's fine because we'll end up in a happier place." ***

Interview - Justin Cormack - justin@netbsd.org / @justincormack

NetBSD on Xen, rump kernels, various topics

News Roundup

The FreeBSD foundation's biggest donation

• The FreeBSD foundation has a new blog post about the largest donation they've ever gotten
• From the CEO of WhatsApp comes a whopping one million dollars in a single donation
• It also has some comments from the donor about why they use BSD and why it's important to give back
• Be sure to donate to the foundation of whatever BSD you use when you can - every little bit helps, especially for OpenBSD, NetBSD and DragonFly who don't have huge companies supporting them regularly like FreeBSD does ***

OpenZFS Dev Summit 2014 videos

• Videos from the recent OpenZFS developer summit are being uploaded, with speakers from different represented platforms and companies <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Matt Ahrens, opening keynote <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Raphael Carvalho, Platform Overview: ZFS on OSv <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Brian Behlendorf, Platform Overview: ZFS on Linux <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Prakash Surya, Platform Overview: illumos <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Xin Li, Platform Overview: FreeBSD <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• All platforms, Group Q&A Session <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Dave Pacheco, Manta <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Saso Kiselkov, Compression <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• George Wilson, Performance <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Tim Feldman, Host-Aware SMR <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Pavel Zakharov, Fast File Cloning <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• The audio is pretty poor on all of them unfortunately ***

BSDTalk 248

• Our friend Will Backman is still busy getting BSD interviews as well
• This time he sits down with Matthew Dillon, the lead developer of DragonFly BSD
• We've never had Dillon on the show, so you'll definitely want to give this one a listen
• They mainly discuss all the big changes coming in DragonFly's upcoming 4.0 release ***

MeetBSD 2014 videos

• The presentations from this year's MeetBSD conference are starting to appear online as well <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Kirk McKusick, A Narrative History of BSD <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Jordan Hubbard, FreeBSD: The Next 10 Years <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• Brendan Gregg, Performance Analysis <!-- i wonder if freebsdnews will rip our html again and repost it ^{_^} -->
• The slides can be found here ***

Feedback/Questions

• Dominik writes in
• Steven writes in
• Florian writes in
• Richard writes in
• Kevin writes in ***

Mailing List Gold

• Contributing without code
• Compression isn't a CRIME
• Securing web browsers ***

This episode was brought to you by

Headlines

Updates to FreeBSD's random(4)

• FreeBSD's random device, which presents itself as "/dev/random" to users, has gotten a fairly major overhaul in -CURRENT
• The CSPRNG (cryptographically secure pseudo-random number generator) algorithm, Yarrow, now has a new alternative called Fortuna
• Yarrow is still the default for now, but Fortuna can be used with a kernel option (and will likely be the new default in 11.0-RELEASE)
• Pluggable modules can now be written to add more sources of entropy
• These changes are expected to make it in 11.0-RELEASE, but there hasn't been any mention of MFCing them to 10 or 9 ***

OpenBSD Tor relays and network diversity

• We've talked about getting more BSD-based Tor nodes a few times in previous episodes
• The "tor-relays" mailing list has had some recent discussion about increasing diversity in the Tor network, specifically by adding more OpenBSD nodes
• With the security features and attention to detail, it makes for an excellent dedicated Tor box
• More and more adversaries are attacking Tor nodes, so having something that can withstand that will help the greater network at large
• A few users are even saying they'll convert their Linux nodes to OpenBSD to help out
• Check the archive for the full conversation, and maybe run a node yourself on any of the BSDs
• The Tor wiki page on OpenBSD is pretty out of date (nine years old!?) and uses the old pf syntax, maybe one of our listeners can modernize it ***

SSP now default for FreeBSD ports

• SSP, or Stack Smashing Protection, is an additional layer of protection against buffer overflows that the compiler can give to the binaries it produces
• It's now enabled by default in FreeBSD's ports tree, and the pkgng packages will have it as well - but only for amd64 (all supported releases) and i386 (10.0-RELEASE or newer)
• This will only apply to regular ports and binary packages, not the quarterly branch that only receives security updates
• If you were using the temporary "new Xorg" or SSP package repositories instead of the default ones, you need to switch back over
• NetBSD made this the default on i386 and amd64 two years ago and OpenBSD made this the default on all architectures twelve years ago
• Next time you rebuild your ports, things should be automatically hardened without any extra steps or configuration needed ***

Building an OpenBSD firewall and router

• While we've discussed the software and configuration of an OpenBSD router, this Reddit thread focuses more on the hardware side
• The OP lists some of his potential choices, but was originally looking for something a bit cheaper than a Soekris
• Most agree that, if it's for a business especially, it's worth the extra money to go with something that's well known in the BSD community
• They also list a few other popular alternatives: ALIX or the APU series from PC Engines, some Supermicro boards, etc.
• Through the comments, we also find out that QuakeCon runs OpenBSD on their network
• Hopefully most of our listeners are running some kind of BSD as their gateway - try it out if you haven't already ***

Interview - Kristaps Džonsons - kristaps@bsd.lv

Mandoc, historical man pages, various topics

Tutorial

Throttling bandwidth with PF

News Roundup

NetBSD at Kansai Open Forum 2014

• Japanese NetBSD users invade yet another conference, demonstrating that they can and will install NetBSD on everything
• From a Raspberry Pi to SHARP Netwalkers to various luna68k devices, they had it all
• As always, you can find lots of pictures in the trip report ***

Getting to know your portmgr lurkers

• The lovable "getting to know your portmgr" series makes its triumphant return
• This time around, they interview Alex, one of the portmgr lurkers that joined just this month
• "How would you describe yourself?" "Too lazy."
• Another post includes a short interview with Emanuel, another new lurker
• We discussed the portmgr lurkers initiative with Steve Wills a while back ***

NetBSD's ARM port gets SMP

• The ARM port of NetBSD now has SMP support, allowing more than one CPU to be used
• This blog post on the website has a list of supported boards: Banana Pi, Cubieboard 2, Cubietruck, Merrii Hummingbird A31, CUBOX-I and NITROGEN6X
• NetBSD's release team is working on getting these changes into the 7 branch before 7.0 is released
• There are also a few nice pictures in the article ***

A high performance mid-range NAS

• This blog post is about FreeNAS and optimizing iSCSI performance
• It talks about using mid-range hardware with FreeNAS and different tunables you can change to affect performance
• There are some nice graphs and lots of detail if you're interested in tweaking some of your own settings
• They conclude "there is no optimal configuration; rather, FreeNAS can be configured to suit a particular workload" ***

Feedback/Questions

• Heto writes in
• Brad writes in
• Tyler writes in
• Tim writes in
• Brad writes in ***

Mailing List Gold

• Suspicious contributions
• La puissance du fromage
• Nothing unusual here ***

This episode was brought to you by

Interview - Pawel Jakub Dawidek - pjd@freebsd.org

Porting ZFS, GEOM, GELI, Capsicum, various topics

This episode was brought to you by

Headlines

BSD panel at Phoenix LUG

• The Phoenix, Arizona Linux users group had a special panel so they could learn a bit more about BSD
• It had one FreeBSD user and one OpenBSD user, and they answered questions from the organizer and the people in the audience
• They covered a variety of topics, including filesystems, firewalls, different development models, licenses and philosophy
• It was a good "real world" example of things potential switchers are curious to know about
• They closed by concluding that more diversity is always better, and even if you've got a lot of Linux boxes, putting a few BSD ones in the mix is a good idea ***

Book of PF signed copy auction

• Peter Hansteen (who we've had on the show) is auctioning off the first signed copy of the new Book of PF
• All the profits from the sale will go to the OpenBSD Foundation
• The updated edition of the book includes all the latest pf syntax changes, but also provides examples for FreeBSD and NetBSD's versions (which still use ALTQ, among other differences)
• If you're interested in firewalls, security or even just advanced networking, this book is a great one to have on your shelf - and the money will also go to a good cause
• Michael Lucas has challenged Peter to raise more for the foundation than his last book selling - let's see who wins
• Pause the episode, go bid on it and then come back! ***

FreeBSD Foundation goes to EuroBSDCon

• Some people from the FreeBSD Foundation went to EuroBSDCon this year, and come back with a nice trip report
• They also sponsored four other developers to go
• The foundation was there "to find out what people are working on, what kind of help they could use from the Foundation, feedback on what we can be doing to support the FreeBSD Project and community, and what features/functions people want supported in FreeBSD"
• They also have a second report from Kamil Czekirda
• A total of $2000 was raised at the conference ***

OpenBSD 5.6 released

• Note: we're doing this story a couple days early - it's actually being released on November 1st (this Saturday), but we have next week off and didn't want to let this one slip through the cracks - it may be out by the time you're watching this
• Continuing their always-on-time six month release cycle, the OpenBSD team has released version 5.6
• It includes support for new hardware, lots of driver updates, network stack improvements (SMP, in particular) and new security features
• 5.6 is the first formal release with LibreSSL, their fork of OpenSSL, and lots of ports have been fixed to work with it
• You can now hibernate your laptop when using a fully-encrypted filesystem (see our tutorial for that)
• ALTQ, Kerberos, Lynx, Bluetooth, TCP Wrappers and Apache were all removed
• This will serve as a "transitional" release for a lot of services: moving from Sendmail to OpenSMTPD, from nginx to httpd and from BIND to Unbound
• Sendmail, nginx and BIND will be gone in the next release, so either migrate to the new stuff between now and then or switch to the ports versions
• As always, 5.6 comes with its own song and artwork - the theme this time was obviously LibreSSL
• Be sure to check the full changelog (it's huge) and pick up a CD or tshirt to support their efforts
• If you don't already have the public key releases are signed with, getting a physical CD is a good "out of bounds" way to obtain it safely
• Here are some cool images of the set
• After you do your installation or upgrade, don't forget to head over to the errata page and apply any patches listed there ***

Interview - John-Mark Gurney - jmg@freebsd.org / @encthenet

Updating FreeBSD's IPSEC stack

News Roundup

Clang in DragonFly BSD

• As we all know, FreeBSD got rid of GCC in 10.0, and now uses Clang almost exclusively on i386/amd64
• Some DragonFly developers are considering migrating over as well, and one of them is doing some work to make the OS more Clang-friendly
• We'd love to see more BSDs switch to Clang/LLVM eventually, it's a lot more modern than the old GCC most are using ***

reallocarray(): integer overflow detection for free

• One of the less obvious features in OpenBSD 5.6 is a new libc function: "reallocarray()"
• It's a replacement function for realloc(3) that provides integer overflow detection at basically no extra cost
• Theo and a few other developers have already started a mass audit of the entire source tree, replacing many instances with this new feature
• OpenBSD's explicit_bzero was recently imported into FreeBSD, maybe someone could also port over this too ***

Switching from Linux blog

• A listener of the show has started a new blog series, detailing his experiences in switching over to BSD from Linux
• After over ten years of using Linux, he decided to give BSD a try after listening to our show (which is awesome)
• So far, he's put up a few posts about his initial thoughts, some documentation he's going through and his experiments so far
• It'll be an ongoing series, so we may check back in with him again later on ***

Owncloud in a FreeNAS jail

• One of the most common emails we get is about running Owncloud in FreeNAS
• Now, finally, someone made a video on how to do just that, and it's even jailed
• A member of the FreeNAS community has uploaded a video on how to set it up, with lighttpd as the webserver backend
• If you're looking for an easy way to back up and sync your files, this might be worth a watch ***

Feedback/Questions

• Ernõ writes in
• David writes in
• Kamil writes in
• Torsten writes in
• Dominik writes in ***

Mailing List Gold

• That's not our IP
• Is this thing on? ***

This episode was brought to you by

Headlines

MeetBSD 2014 is approaching

• The MeetBSD conference is coming up, and will be held on November 1st and 2nd in San Jose, California
• MeetBSD has an "unconference" format, which means there will be both planned talks and community events
• All the extra details will be on their site soon
• It also has hotels and various other bits of useful information - hopefully with more info on the talks to come
• Of course, EuroBSDCon is coming up before then ***

First experiences with OpenBSD

• A new blog post that leads off with "tired of the sluggishness of Windows on my laptop and interested in experimenting with a Unix-like that I haven't tried before"
• The author read the famous "BSD for Linux users" series (that most of us have surely seen) and decided to give BSD a try
• He details his different OS and distro history, concluding with how he "eventually became annoyed at the poor quality of Linux userland software"
• From there, it talks about how he used the OpenBSD USB image and got a fully-working system
• He especially liked the simplicity of OpenBSD's "hostname.if" system for network configuration
• Finally, he gets Xorg working and imports all his usual configuration files - seems to be a happy new user! ***

NetBSD rump kernels on bare metal (and Kansai OSC report)

• When you're developing a new OS or a very specialized custom solution, working drivers become one of the hardest things to get right
• However, NetBSD's rump kernels - a very unique concept - make this process a lot easier
• This blog post talks about the process of starting with just a rump kernel and expanding into an internet-ready system in just a week
• Also have a look back at episode 8 for our interview about rump kernels and what exactly they do
• While on the topic of NetBSD, there were also a couple of very detailed reports (with lots of pictures!) of the various NetBSD-themed booths at the 2014 Kansai Open Source Conference that we wanted to highlight ***

OpenSSL and LibreSSL updates

• OpenSSL pushed out a few new versions, fixing multiple vulnerabilities (nine to be precise!)
• Security concerns include leaking memory, possible denial of service, crashing clients, memory exhaustion, TLS downgrades and more
• LibreSSL released a new version to address most of the vulnerabilities, but wasn't affected by some of them
• Whichever version of whatever SSL you use, make sure it's patched for these issues
• DragonFly and OpenBSD are patched as of the time of this recording but, even after a week, NetBSD and FreeBSD are not (outside of -CURRENT) ***

Interview - Robert Watson - rwatson@freebsd.org

FreeBSD architecture, security research techniques, exploit mitigation

Tutorial

Protecting traffic with a BSD-based VPN

News Roundup

A FreeBSD-based CGit server

• If you use git (like a certain host of this show) then you've probably considered setting up your own server
• This article takes you through the process of setting up a jailed git server, complete with a fancy web frontend
• It even shows you how to set up multiple repos with key-based user separation and other cool things
• The author of the post is also a listener of the show, thanks for sending it in! ***

Backup devices for small businesses

• In this article, different methods of data storage and backup are compared
• After weighing the various options, the author comes to an obvious conclusion: FreeNAS is the answer
• He praises FreeNAS and the FreeNAS Mini for their tight integration, rock solid FreeBSD base and the great ZFS featureset that it offers
• It also goes over some of the hardware specifics in the FreeNAS Mini ***

A new Xenocara interview

• As a follow up to last week's OpenSMTPD interview, this Russian blog interviews Matthieu Herrb about Xenocara
• If you're not familiar with Xenocara, it's OpenBSD's version of Xorg with some custom patches
• In this interview, he discusses how large and complex the upstream X11 development is, how different components are worked on by different people, how they test code (including a new framework) and security auditing
• Matthieu is both a developer of upstream Xorg and an OpenBSD developer, so it's natural for him to do a lot of the maintainership work there ***

Building a high performance FreeBSD samba server

• If you've got to PXE boot several hundred Windows boxes to upgrade from XP to 7, what's the best solution?
• FreeBSD, ZFS and Samba obviously!
• The master image and related files clock in at over 20GB, and will be accessed at the same time by all of those clients
• This article documents that process, highlighting some specific configuration tweaks to maximize performance (including NIC bonding)
• It doesn't even require the newest or best hardware with the right changes, pretty cool ***

Feedback/Questions

• An interesting Reddit thread (or two)
• PB writes in
• Sean writes in
• Steve writes in
• Lachlan writes in
• Justin writes in ***