NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

SSH as a sudo replacement

Core.13 is Now In Office

News Roundup

Running GoToSocial on NetBSD

A DMD package for OpenIndiana

Adding more swap space to Omnios

OpenBSD added initial support for Qualcomm Snapdragon Elite X after 1 day

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Isa - Pinebook Question.md

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

Headlines

FreeBSD 11.3-b1 is out

BSDCan 2019 Recap

• We’re back from BSDCan and it was a packed week as always.
• It started with bhyvecon on Tuesday. Meanwhile, Benedict spent the whole day in productive meetings: annual FreeBSD Foundation board meeting and FreeBSD Journal editorial board meeting.
• On Wednesday, tutorials for BSDCan started as well as the FreeBSD Developer Summit. In the mornings, there were presentations in the big auditorium, while working groups about networking, failsafe bootcode, development web services, swap space management, and testing/CI were held. Friday had a similar format with an update from the FreeBSD core team and the “have, need, want” session for FreeBSD 13. In the afternoon, there were working groups about translation tools, package base, GSoC/Outreachy, or general hacking. Benedict held his Icinga tutorial in the afternoon with about 15 people attending. Devsummit presentation slides can be found on the wiki page and video recordings done by ScaleEngine are available on FreeBSD’s youtube channel.
• The conference program was a good mixture of sysadmin and tech talks across the major BSDs. Benedict saw the following talks: How ZFS snapshots really work by Matt Ahrens, 20 years in Jail by Michael W. Lucas, OpenZFS BOF session, the future of OpenZFS and FreeBSD, MQTT for system administrators by Jan-Piet Mens, and spent the rest of the time in between in the hallway track.
• Photos from the event are available on Ollivier Robert’s talegraph and Diane Bruce’s website for day 1, day 2, conference day 1, and conference day 2.
• Thanks to all the sponsors, supporters, organizers, speakers, and attendees for making this yet another great BSDCan. Next year’s BSDCan will be from June 2 - 6, 2020.

OpenIndiana 2019.04 is out

We have released a new OpenIndiana Hipster snapshot 2019.04. The noticeable changes:

• Firefox was updated to 60.6.3 ESR

• Virtualbox packages were added (including guest additions)

• Mate was updated to 1.22

• IPS has received updates from OmniOS CE and Oracle IPS repos, including automatic boot environment naming

• Some OI-specific applications have been ported from Python 2.7/GTK 2 to Python 3.5/GTK 3

• Quick Demo Video: https://www.youtube.com/watch?v=tQ0-fo3XNrg

News Roundup

Overview of ZFS Pools in FreeNAS

FreeNAS uses the OpenZFS (ZFS) file system, which handles both disk and volume management. ZFS offers RAID options mirror, stripe, and its own parity distribution called RAIDZ that functions like RAID5 on hardware RAID. The file system is extremely flexible and secure, with various drive combinations, checksums, snapshots, and replication all possible. For a deeper dive on ZFS technology, read the ZFS Primer section of the FreeNAS documentation.

SUGGEST LAYOUT attempts to balance usable capacity and redundancy by automatically choosing an ideal vdev layout for the number of available disks.

• The following vdev layout options are available when creating a pool:
  • Stripe data is shared on two drives, similar to RAID0)
  • Mirror copies data on two drives, similar to RAID1 but not limited to 2 disks)
  • RAIDZ1 single parity similar to RAID5
  • RAIDZ2 double parity similar to RAID6
  • RAIDZ3 which uses triple parity and has no RAID equivalent

Why OpenSource Firmware is Important for Security

• Roots of Trust

The goal of the root of trust should be to verify that the software installed in every component of the hardware is the software that was intended. This way you can know without a doubt and verify if hardware has been hacked. Since we have very little to no visibility into the code running in a lot of places in our hardware it is hard to do this. How do we really know that the firmware in a component is not vulnerable or that is doesn’t have any backdoors? Well we can’t. Not unless it was all open source. Every cloud and vendor seems to have their own way of doing a root of trust. Microsoft has Cerberus, Google has Titan, and Amazon has Nitro. These seem to assume an explicit amount of trust in the proprietary code (the code we cannot see). This leaves me with not a great feeling. Wouldn’t it be better to be able to use all open source code? Then we could verify without a doubt that the code you can read and build yourself is the same code running on hardware for all the various places we have firmware. We could then verify that a machine was in a correct state without a doubt of it being vulnerable or with a backdoor. It makes me wonder what the smaller cloud providers like DigitalOcean or Packet have for a root of trust. Often times we only hear of these projects from the big three or five.

OPNsense

This update addresses several privilege escalation issues in the access control implementation and new memory disclosure issues in Intel CPUs. We would like to thank Arnaud Cordier and Bill Marquette for the top-notch reports and coordination.

• Here are the full patch notes:

• system: address CVE-2019-11816 privilege escalation bugs[1] (reported by Arnaud Cordier)

• system: /etc/hosts generation without interfacehasgateway()

• system: show correct timestamp in config restore save message (contributed by nhirokinet)

• system: list the commands for the pluginctl utility when n+ argument is given

• system: introduce and use userIsAdmin() helper function instead of checking for 'page-all' privilege directly

• system: use absolute path in widget ACLs (reported by Netgate)

• system: RRD-related cleanups for less code exposure

• interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)

• interfaces: replace legacygetallinterface_addresses() usage

• firewall: fix port validation in aliases with leading / trailing spaces

• firewall: fix outbound NAT translation display in overview page

• firewall: prevent CARP outgoing packets from using the configured gateway

• firewall: use CARP net.inet.carp.demotion to control current demotion in status page

• firewall: stop live log poller on error result

• dhcpd: change rule priority to 1 to avoid bogon clash

• dnsmasq: only admins may edit custom options field

• firmware: use insecure mode for base and kernel sets when package fingerprints are disabled

• firmware: add optional device support for base and kernel sets

• firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)

• ipsec: always reset rightallowany to default when writing configuration

• lang: say "hola" to Spanish as the newest available GUI language

• lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese

• network time: only admins may edit custom options field

• openvpn: call openvpnrefreshcrls() indirectly via plugin_configure() for less code exposure

• openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)

• openvpn: remove custom options field from wizard

• unbound: only admins may edit custom options field

• wizard: translate typehint as well

• plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86)

• plugins: os-nginx 1.12[2]

• plugins: os-theme-cicada 1.17 (contributed by Team Rebellion)

• plugins: os-theme-tukan 1.17 (contributed by Team Rebellion)

• src: timezone database information update[3]

• src: install(1) broken with partially matching relative paths[4]

• src: microarchitectural Data Sampling (MDS) mitigation[5]

• ports: carootnss 3.44

• ports: php 7.2.18[6]

• ports: sqlite 3.28.0[7]

• ports: strongswan custom XAuth generic patch removed

wiregaurd on OpenBSD

Earlier this week I imported a port for WireGuard into the OpenBSD ports tree. At the moment we have the userland daemon and the tools available. The in-kernel implementation is only available for Linux. At the time of writing there are packages available for -current. Jason A. Donenfeld (WireGuard author) has worked to support OpenBSD in WireGuard and as such his post on ports@ last year got me interested in WireGuard, since then others have toyed with WireGuard on OpenBSD before and as such I've used Ted's article as a reference. Note however that some of the options mentioned there are no longer valid. Also, I'll be using two OpenBSD peers here. The setup will be as follows: two OpenBSD peers, of which we'll dub wg1 the server and wg2 the client. The WireGuard service on wg1 is listening on 100.64.4.3:51820.

• Conclusion

WireGuard (cl)aims to be easier to setup and faster than OpenVPN and while I haven't been able to verify the latter, the first is certainly true...once you've figured it out. Most documentation out there is for Linux so I had to figure out the wireguardgo service and the tun parameters. But all in all, sure, it's easier. Especially the client configuration on iOS which I didn't cover here because it's essentially pkgadd libqrencode ; cat client.conf | qrencode -t ansiutf8, scan the code with the WireGuard app and you're good to go. What is particularly neat is that WireGuard on iOS supports Always-on.

Beastie Bits

• Serenity OS
• vkernels vs pmap
• Brian Kernighan interviews Ken Thompson
• Improvements in forking, threading, and signal code
• DragonFly 5.4.3
• NetBSD on the Odroid C2

Feedback/Questions

• Paulo - Laptops
• A Listener - Thanks
• Bostjan - Extend a pool and lower RAM footprint

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

Headlines

Remote DoS in the TCP stack

• A pretty devious bug in the BSD network stack has been making its rounds for a while now, allowing remote attackers to exhaust the resources of a system with nothing more than TCP connections
• While in the LAST_ACK state, which is one of the final stages of a connection's lifetime, the connection can get stuck and hang there indefinitely
• This problem has a slightly confusing history that involves different fixes at different points in time from different people
• Juniper originally discovered the bug and announced a fix for their proprietary networking gear on June 8th
• On June 29th, FreeBSD caught wind of it and fixed the bug in their -current branch, but did not issue a security notice or MFC the fix back to the -stable branches
• On July 13th, two weeks later, OpenBSD fixed the issue in their -current branch with a slightly different patch, citing the FreeBSD revision from which the problem was found
• Immediately afterwards, they merged it back to -stable and issued an errata notice for 5.7 and 5.6
• On July 21st, three weeks after their original fix, FreeBSD committed yet another slightly different fix and issued a security notice for the problem (which didn't include the first fix)
• After the second fix from FreeBSD, OpenBSD gave them both another look and found their single fix to be sufficient, covering the timer issue in a more general way
• NetBSD confirmed they were vulnerable too, and applied another completely different fix to -current on July 24th, but haven't released a security notice yet
• DragonFly is also investigating the issue now to see if they're affected as well ***

c2k15 hackathon reports

• Reports from OpenBSD's latest hackathon, held in Calgary this time, are starting to roll in (there were over 40 devs there, so we might see a lot more of these)
• The first one, from Ingo Schwarze, talks about some of the mandoc work he did at the event
• He writes, "Did you ever look at a huge page in man, wanted to jump to the definition of a specific term - say, in ksh, to the definition of the "command" built-in command - and had to step through dozens of false positives with the less '/' and 'n' search keys before you finally found the actual definition?"
• With mandoc's new internal jump targets, this is a problem of the past now
• Jasper also sent in a report, doing his usual work with Puppet (and specifically "Facter," a tool used by Puppet to gather various bits of system information)
• Aside from that and various ports-related work, Jasper worked on adding tame support to some userland tools, fixing some Octeon stuff and introduced something that OpenBSD has oddly lacked until now: an "-i" flag for sed (hooray!)
• Antoine Jacoutot gave a report on what he did at the hackathon as well, including improvements to the rcctl tool (for configuring startup services)
• It now has an "ls" subcommand with status parsing, allowing you to list running services, stopped services or even ones that failed to start or are supposed to be running (he calls this "the poor man's service monitoring tool")
• He also reworked some of the rc.d system to allow smoother operation of multiple instances of the same daemon to run (using tor with different config files as an example)
• His list also included updating ports, updating ports documentation, updating the hotplug daemon and laying out some plans for automatic sysmerge for future upgrades
• Foundation director Ken Westerback was also there, getting some disk-related and laptop work done
• He cleaned up and committed the 4k sector softraid code that he'd been working on, as well as fixing some trackpad issues
• Stefan Sperling, OpenBSD's token "wireless guy," had a lot to say about the hackathon and what he did there (and even sent in his write-up before he got home)
• He taught tcpdump about some new things, including 802.11n metadata beacons (there's a lot more specific detail about this one in the report)
• Bringing a bag full of USB wireless devices with him, he set out to get the unsupported ones working, as well as fix some driver bugs in the ones that already did work
• One quote from Stefan's report that a lot of people seem to be talking about: "Partway through the hackathon tedu proposed an old diff of his to make our base ls utility display multi-byte characters. This led to a long discussion about how to expand UTF-8 support in base. The conclusion so far indicates that single-byte locales (such as ISO-8859-1 and KOI-8) will be removed from the base OS after the 5.8 release is cut. This simplifies things because the whole system only has to care about a single character encoding. We'll then have a full release cycle to bring UTF-8 support to more base system utilities such as vi, ksh, and mg. To help with this plan, I started organizing a UTF-8-focused hackathon for some time later this year."
• Jeremy Evans wrote in to talk about updating lots of ports, moving the ruby ports up to the latest version and also creating perl and ruby wrappers for the new tame subsystem
• While he's mainly a ports guy, he got to commit fixes to ports, the base system and even the kernel during the hackathon
• Rafael Zalamena, who got commit access at the event, gives his very first report on his networking-related hackathon activities
• With Rafael's diffs and help from a couple other developers, OpenBSD now has support for VPLS
• Jonathan Gray got a lot done in the area of graphics, working on OpenGL and Mesa, updating libdrm and even working with upstream projects to remove some GNU-specific code
• As he's become somewhat known for, Jonathan was also busy running three things in the background: clang's fuzzer, cppcheck and AFL (looking for any potential crashes to fix)
• Martin Pieuchot gave an write-up on his experience: "I always though that hackathons were the best place to write code, but what's even more important is that they are the best (well actually only) moment where one can discuss and coordinate projects with other developers IRL. And that's what I did."
• He laid out some plans for the wireless stack, discussed future plans for PF, made some routing table improvements and did various other bits to the network stack
• Unfortunately, most of Martin's secret plans seem to have been left intentionally vague, and will start to take form in the next release cycle
• We're still eagerly awaiting a report from one of OpenBSD's newest developers, Alexandr Nedvedicky (the Oracle guy who's working on SMP PF and some other PF fixes)
• OpenBSD 5.8's "beta" status was recently reverted, with the message "take that as a hint," so that may mean more big changes are still to come... ***

FreeBSD quarterly status report

• FreeBSD has published their quarterly status report for the months of April to June, citing it to be the largest one so far
• It's broken down into a number of sections: team reports, projects, kernel, architectures, userland programs, ports, documentation, Google Summer of Code and miscellaneous others
• Starting off with the cluster admin, some machines were moved to the datacenter at New York Internet, email services are now more resilient to failure, the svn mirrors (now just "svn.freebsd.org") are now using GeoGNS with official SSL certs and general redundancy was increased
• In the release engineering space, ARM and ARM64 work continues to improve on the Cavium ThunderX, more focus is being put into cloud platforms and the 10.2-RELEASE cycle is reaching its final stages
• The core team has been working on phabricator, the fancy review system, and is considering to integrate oauth support soon
• Work also continues on bhyve, and more operating systems are slowly gaining support (including the much-rumored Windows Server 2012)
• The report also covers recent developments in the Linux emulation layer, and encourages people using 11-CURRENT to help test out the 64bit support
• Multipath TCP was also a hot topic, and there's a brief summary of the current status on that patch (it will be available publicly soon)
• ZFSguru, a project we haven't talked about a lot, also gets some attention in the report - version 0.3 is set to be completed in early August
• PCIe hotplug support is also mentioned, though it's still in the development stages (basic hot-swap functions are working though)
• The official binary packages are now built more frequently than before with the help of additional hardware, so AMD64 and i386 users will have fresher ports without the need for compiling
• Various other small updates on specific areas of ports (KDE, XFCE, X11...) are also included in the report
• Documentation is a strong focus as always, a number of new documentation committers were added and some of the translations have been improved a lot
• Many other topics were covered, including foundation updates, conference plans, pkgsrc support in pkgng, ZFS support for UEFI boot and much more ***

The OpenSSH bug that wasn't

• There's been a lot of discussion about a supposed flaw in OpenSSH, allowing attackers to substantially amplify the number of password attempts they can try per session (without leaving any abnormal log traces, even)
• There's no actual exploit to speak of; this bug would only help someone get more bruteforce tries in with a fewer number of connections
• FreeBSD in its default configuration, with PAM and ChallengeResponseAuthentication enabled, was the only one vulnerable to the problem - not upstream OpenSSH, nor any of the other BSDs, and not even the majority of Linux distros
• If you disable all forms of authentication except public keys, like you're supposed to, then this is also not a big deal for FreeBSD systems
• Realistically speaking, it's more of a PAM bug than anything else
• OpenSSH added an additional check for this type of setup that will be in 7.0, but simply changing your sshd_config is enough to mitigate the issue for now on FreeBSD (or you can run freebsd-update) ***

Interview - Sebastian Wiedenroth - wiedi@netbsd.org / @wied0r

pkgsrc and pkgsrcCon

News Roundup

Now served by OpenBSD

• We've mentioned that you can also install OpenBSD on DO droplets, and this blog post is about someone who actually did it
• The use case for the author was for a webserver, so he decided to try out the httpd in base
• Configuration is ridiculously simple, and the config file in his example provides an HTTPS-only webserver, with plaintext requests automatically redirecting
• TLS 1.2 by default, strong ciphers with LibreSSL and HSTS combined give you a pretty secure web server ***

FreeBSD laptop playbooks

• A new project has started up on Github for configuring FreeBSD on various laptops, unsurprisingly named "freebsd-laptops"
• It's based on ansible, and uses the playbook format for automatic set up and configuration
• Right now, it's only working on a single Lenovo laptop, but the plan is to add instructions for many more models
• Check the Github page for instructions on how to get started, and maybe get involved if you're running FreeBSD on a laptop ***

NetBSD on the NVIDIA Jetson TK1

• If you've never heard of the Jetson TK1, we can go ahead and spoil the secret here: NetBSD runs on it
• As for the specs, it has a quad-core ARMv7 CPU at 2.3GHz, 2 gigs of RAM, gigabit ethernet, SATA, HDMI and mini-PCIE
• This blog post shows which parts of the board are working with NetBSD -current (which seems to be almost everything)
• You can even run X11 on it, pretty sweet ***

DragonFly power mangement options

• DragonFly developer Sepherosa, who we've had on the show, has been doing some ACPI work over there
• In this email, he presents some of DragonFly's different power management options: ACPI P-states, C-states, mwait C-states and some Intel-specific bits as well
• He also did some testing with each of them and gave his findings about power saving
• If you've been thinking about running DragonFly on a laptop, this would be a good one to read ***

OpenBSD router under FreeBSD bhyve

• If one BSD just isn't enough for you, and you've only got one machine, why not run two at once
• This article talks about taking a FreeBSD server running bhyve and making a virtualized OpenBSD router with it
• If you've been considering switching over your router at home or the office, doing it in a virtual machine is a good way to test the waters before committing to real hardware
• The author also includes a little bit of history on how he got into both operating systems
• There are lots of mixed opinions about virtualizing core network components, so we'll leave it up to you to do your research
• Of course, the next logical step is to put that bhyve host under Xen on NetBSD... ***

Feedback/Questions

• Kevin writes in
• Logan writes in
• Peter writes in
• Randy writes in ***

This episode was brought to you by

Headlines

Revisiting FreeBSD after 20 years

• With comments like "has Linux lost its way?" floating around, a Debian developer was prompted to revisit FreeBSD after nearly two decades
• This blog post goes through his experiences trying out a modern BSD variant, and includes the good, the bad and the ugly - not just praise this time
• He loves ZFS and the beadm tool, and finds the FreeBSD implementation to be much more stable than ZoL
• On the topic of jails, he summarizes: "Linux has tried so hard to get this right, and fallen on its face so many times, a person just wants to take pity sometimes. We’ve had linux-vserver, openvz, lxc, and still none of them match what FreeBSD jails have done for a long time."
• The post also goes through the "just plain different" aspects of a complete OS vs. a distribution of various things pieced together
• Finally, he includes some things he wasn't so happy about: subpar laptop support, virtualization being a bit behind, a myriad of complaints about pkgng and a few other things
• There was some decent discussion on Hacker News about this article too, with counterpoints from both sides ***

s2k15 hackathon report: network stack SMP

• The first trip report from the recent OpenBSD hackathon in Australia has finally been submitted
• One of the themes of this hackathon was SMP (symmetric multiprocessing) improvement, and Martin Pieuchot did some hacking on the network stack
• If you're not familiar with him, he gave a presentation at EuroBSDCon last year, titled Taming OpenBSD Network Stack Dragons
• Teaming up with David Gwynne, they worked on getting some bits of the networking code out of the big lock
• Hopefully more trip reports will be sent in during the coming weeks
• Most of the big code changes should probably appear after the 5.7-release testing period ***

From BIND to NSD and Unbound

• If you've been running a DNS server on any of the BSDs, you've probably noticed a semi-recent trend: BIND being replaced with Unbound
• BIND was ripped out in FreeBSD 10.0 and will be gone in OpenBSD 5.7, but both systems include Unbound now as an alternative
• OpenBSD goes a step further, also including NSD in the base system, whereas you'll need to install that from ports on FreeBSD
• Instead of one daemon doing everything like BIND tried to do, this new setup splits the authoritative nameserver and the caching resolver into two separate daemons
• This post takes you through the transitional phase of going from a single BIND setup to a combination of NSD and Unbound
• All in all, everyone wins here, as there will be a lot less security advisories in both BSDs because of it... ***

m0n0wall calls it quits

• The original, classic BSD firewall distribution m0n0wall has finally decided to close up shop
• For those unfamiliar, m0n0wall was a FreeBSD-based firewall project that put a lot of focus on embedded devices: running from a CF card, CD, USB drive or even a floppy disk
• It started over twelve years ago, which is pretty amazing when you consider that's around half of FreeBSD itself's lifespan
• The project was probably a lot of people's first encounter with BSD in any form
• If you were a m0n0wall user, fear not, you've got plenty of choices for a potential replacement: doing it yourself with something like FreeBSD or OpenBSD, or going the premade route with something like pfSense, OPNsense or the BSD Router Project
• The founder's announcement includes these closing words: "m0n0wall has served as the seed for several other well known open source projects, like pfSense, FreeNAS and AskoziaPBX. The newest offspring, OPNsense, aims to continue the open source spirit of m0n0wall while updating the technology to be ready for the future. In my view, it is the perfect way to bring the m0n0wall idea into 2015, and I encourage all current m0n0wall users to check out OPNsense and contribute if they can."
• While m0n0wall didn't get a lot of on-air mention, surely a lot of our listeners will remember it fondly ***

Interview - Alex Reece & Matt Ahrens - alex@delphix.com & matt@delphix.com / @openzfs

What's new in OpenZFS

Tutorial

Making your first patch (OpenBSD)

News Roundup

Overlaying remote LANs with OpenBSD's VXLAN

• Have you ever wanted to "merge" multiple remote LANs? OpenBSD's vxlan(4) is exactly what you need
• This article talks about using it to connect two virtualized infrastructures on different ESXi servers
• It gives a bit of networking background first, in case you're not quite up to speed on all this stuff
• This tool opens up a lot of very cool possibilities, even possibly doing a "remote" LAN party
• Be sure to check the AsiaBSDCon talk about VXLANs if you haven't already ***

2020, year of the PCBSD desktop

• Here we have a blog post about BSD on the desktop, straight from a KDE developer
• He predicts that PCBSD is going to take off before the year 2020, possibly even overtaking Linux's desktop market share (small as it may be)
• With PCBSD making a preconfigured FreeBSD desktop a reality, and the new KMS work, the author is impressed with how far BSD has come as a viable desktop option
• ZFS and easy-to-use boot environments top the list of things he says differentiate the BSD desktop experience from the Linux one
• There was also some discussion on Slashdot that might be worth reading ***

OpenSSH host key rotation, redux

• We mentioned the new OpenSSH host key rotation and other goodies in a previous episode, but things have changed a little bit since then
• djm says "almost immediately after smugly declaring 'mission accomplished', the bug reports started rolling in."
• There were some initial complaints from developers about the new options, and a serious bug shortly thereafter
• After going back to the drawing board, he refactored some of the new code (and API) and added some more regression tests
• Most importantly, the bigger big fix was described as: "a malicious server (say, "host-a") could advertise the public key of another server (say, "host-b"). Then, when the client subsequently connects back to host-a, instead of answering the connection as usual itself, host-a could proxy the connection to host-b. This would cause the user to connect to host-b when they think they are connecting to host-a, which is a violation of the authentication the host key is supposed to provide."
• None of this code has been in a formal OpenSSH release just yet, but hopefully it will soon ***

PCBSD tries out LibreSSL

• PCBSD users may soon be seeing a lot less security problems because of two recent changes
• After switching over to OpenNTPD last week, PCBSD decides to give the portable LibreSSL a try too
• Note that this is only for the packages built from ports, not the base system unfortunately
• They're not the first ones to do this - OPNsense has been experimenting with replacing OpenSSL in their ports tree for a little while now, and of course all of OpenBSD's ports are built against it
• A good number of patches are still not committed in vanilla FreeBSD ports, so they had to borrow some from Bugzilla
• Look forward to Kris wearing a "keep calm and abandon OpenSSL" shirt in the near future ***

Feedback/Questions

• Benjamin writes in
• Mike writes in
• Brad writes in ***

Mailing List Gold

• Debian Dejavu
• Package gone missing ***

This episode was brought to you by

Interview - Pawel Jakub Dawidek - pjd@freebsd.org

Porting ZFS, GEOM, GELI, Capsicum, various topics