NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Updating GCC GNAT (Ada) in pkgsrc/NetBSD

Advance!BSD – thoughts on a not-for-profit project to support *BSD (2/2)

News Roundup

FreeBSD from a NetBSD user’s perspective

FPGA programming and DragonFly

Chimera Linux - A Linux distribution based on FreeBSD userland and LLVM

EuroBSDcon 2021

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Charlie - several questions
• Dan - kernel driver or module question
• James - Apple M1 ***
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Jails: Confining the omnipotent root

• A dramatic reading of portions of the paper: Papers We Love: FreeBSD Jails and Solaris Zones *** ### Using Jails with ZFS and PF on DigitalOcean *** ## News Roundup ### NomadBSD 130R is out *** ### KDE Plasma Wayland - a week in FreeBSD *** ### Install Firefox under FreeBSD and Set it Up with Privacy *** Using NetBSD’s pkgsrc everywhere I can ***

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Malcolm - restoring a single file
• Nathan - wireless support
• bluefire - zfs special vdev Push to next show with Allan

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Routing and Firewalling VLANS with FreeBSD

In this article we are going to look at and integrate two network isolation technologies, VLANs and VNET. VLANs are common place, and if you have done some network management or design then you are likely to have interacted with them. The second are FreeBSDs VNET virtual network stacks, a powerful network stack isolation technology that gives FreeBSD jails super powers.
Ethernet VLAN (standardised by IEEE 802.1Q) are an extension to Ethernet and provide an essential method for scaling network deployments. They are used in all environments to enable reuse of common infrastructure by isolating portions of networks from each other. VLANs allow the reuse of common cables, switches and routers to carry completely different networks. It is common to have data that must be separated from different networks carried on common cables until their VLAN tags are finally stripped at a gateway switch or router.

How to set up FreeBSD 12 VNET jail with ZFS

How do I install, set up and configure a FreeBSD 12 jail with VNET on ZFS? How can I create FreeBSD 12 VNET jail with /etc/jail.conf to run OpenVPN, Apache, Wireguard and other Internet-facing services securely on my BSD box?
FreeBSD jail is nothing but operating system-level virtualization that allows partitioning a FreeBSD based Unix server. Such systems have their root user and access rights. Jails can use network subsystem virtualization infrastructure or share an existing network. FreeBSD jails are a powerful way to increase security. Usually, you create jail per services such as an Nginx/Apache webserver with PHP/Perl/Python app, WireGuard/OpeNVPN server, MariaDB/PgSQL server, and more. This page shows how to configure a FreeBSD Jail with vnet and ZFS on FreeBSD 12.x.

News Roundup

pkgsrc-2020Q4 released

The pkgsrc developers are proud to announce the 69th quarterly release
of pkgsrc, the cross-platform packaging system. pkgsrc is available
with more than 24,000 packages, running on 23 separate platforms; more
information on pkgsrc itself is available at https://www.pkgsrc.org/

FreeBSD ON A Raspberry PI 4 With 4GB of RAM

This is the story of how I managed to get FreeBSD running on a Raspberry Pi 4 with 4GB of RAM, though I think the setup story is pretty similar for those with 2GB and 8GB.1

HardenedBSD December 2020 Status Report

Happy New Year! On this the last day of 2020, I submit December's status report.

Beastie Bits

• Christmas Cards The Unix Way - with pic and troff
• Fast RPI3 upgrade from source (cross compile) *** ###Tarsnap
• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Robert - zfs question

• Neb - AMA episode.md

• Joe - puppet

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

Headlines

Checksumming in filesystems, and why ZFS is doing it right

One of the best aspects of ZFS is its reliability. This can be accomplished using a few features like copy-on-write approach and checksumming. Today we will look at how ZFS does checksumming and why it does it the proper way. Most of the file systems don’t provide any integrity checking and fail in several scenarios:

• Data bit flips - when the data that we wanted to store are bit flipped by the hard drives, or cables, and the wrong data is stored on the hard drive.
• Misdirected writes - when the CPU/cable/hard drive will bit flip a block to which the data should be written.
• Misdirected read - when we miss reading the block when a bit flip occurred.
• Phantom writes - when the write operation never made it to the disk. For example, a disk or kernel may have some bug that it will return success even if the hard drive never made the write. This problem can also occur when data is kept only in the hard drive cache.

Checksumming may help us detect errors in a few of those situations.

DragonFlyBSD Improves Its TMPFS Implementation For Better Throughput Performance

It's been a while since last having any new magical optimizations to talk about by DragonFlyBSD lead developer Matthew Dillon, but on Wednesday he landed some significant temporary file-system "TMPFS" optimizations for better throughput including with swap.

Of several interesting commits merged tonight, the improved write clustering is a big one. In particular, "Reduces low-memory tmpfs paging I/O overheads by 4x and generally increases paging throughput to SSD-based swap by 2x-4x. Tmpfs is now able to issue a lot more 64KB I/Os when under memory pressure."

• https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/4eb0bb82efc8ef32c4357cf812891c08d38d8860

There's also a new tunable in the VM space as well as part of his commits on Wednesday night. This follows a lot of recent work on dsynth, improved page-out daemon pipelining, and other routine work.

• https://gitweb.dragonflybsd.org/dragonfly.git/commit/bc47dbc18bf832e4badb41f2fd79159479a7d351

This work is building up towards the eventual DragonFlyBSD 5.8 while those wanting to try the latest improvements right away can find their daily snapshots.

News Roundup

Why ZFS is not good at growing and reshaping pools (or shrinking them)

recently read Mark McBride's Five Years of Btrfs (via), which has a significant discussion of why McBride chose Btrfs over ZFS that boils down to ZFS not being very good at evolving your pool structure. You might doubt this judgment from a Btrfs user, so let me say as both a fan of ZFS and a long term user of it that this is unfortunately quite true; ZFS is not a good choice if you want to modify your pool disk layout significantly over time. ZFS works best if the only change in your pools that you do is replacing drives with bigger drives. In our ZFS environment we go to quite some lengths to be able to expand pools incrementally over time, and while this works it both leaves us with unbalanced pools and means that we're basically forced to use mirroring instead of RAIDZ.

(An unbalanced pool is one where some vdevs and disks have much more data than others. This is less of an issue for us now that we're using SSDs instead of HDs.)

Using PKGSRC on Manjaro Linux aarch64 Pinebook-pro

I wanted to see how pkgsrc works on aarch64 Linux Manjaro since it is a very mature framework that is very portable and supported by many architectures – pkgsrc (package source) is a package management system for Unix-like operating systems. It was forked from the FreeBSD ports collection in 1997 as the primary package management system for NetBSD.

One might question why use pkgsrc on Arch based Manjaro, since the pacman package repository is very good on its own. I see alternative pkgsrc as a good automated build framework that offers a way to produce independent build environment /usr/pkg that does not interfere with the current Linux distribution in any way (all libraries are statically built)

I have used the latest Manjaro for Pinebookpro and standard recommended tools as mentioned here https://wiki.netbsd.org/pkgsrc/how_to_use_pkgsrc_on_linux/

A Central Log Host with syslog-ng on FreeBSD

• Part 1

syslog-ng is the Swiss army knife of log management. You can collect logs from any source, process them in real time and deliver them to wide range of destinations. It allows you to flexibly collect, parse, classify, rewrite and correlate logs from across your infrastructure. This is why syslog-ng is the perfect solution for the central log host of my (mainly) FreeBSD based infrastructure.

• Part 2

This blog post continues where the blog post A central log host with syslog-ng on FreeBSD left off. Open source solutions to check syslog log messages exist, such as Logcheck or Logwatch. Although these are not too difficult to implement and maintain, I still found these to much. So I went for my own home grown solution to check the syslog messages of the SoCruel.NU central log host.

Beastie Bits

• FreeBSD at Linux Conf 2020 session videos now online
• Unlock your laptop with your phone
• Managing a database of vulnerabilities for a package system: the pkgsrc study
• Hamilton BSD User group will meet again on March 10th](http://studybsd.com/)
• CharmBUG Meeting: March 24th 7pm in Severn, MD ***

Feedback/Questions

• Andrew - ZFS feature Flags
• Sam - TwinCat BSD
• Dacian - Freebsd + amdgpu + Lenovo E595

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

Your Impact on FreeBSD in 2019

It’s hard to believe that 2019 is nearly over. It has been an amazing year for supporting the FreeBSD Project and community! Why do I say that? Because as I reflect over the past 12 months, I realize how many events we’ve attended all over the world, and how many lives we’ve touched in so many ways. From advocating for FreeBSD to implementing FreeBSD features, my team has been there to help make FreeBSD the best open source project and operating system out there.

In 2019, we focused on supporting a few key areas where the Project needed the most help. The first area was software development. Whether it was contracting FreeBSD developers to work on projects like wifi support, to providing internal staff to quickly implement hardware workarounds, we’ve stepped in to help keep FreeBSD innovative, secure, and reliable. Software development includes supporting the tools and infrastructure that make the development process go smoothly, and we’re on it with team members heading up the Continuous Integration efforts, and actively involved in the clusteradmin and security teams.

Our advocacy efforts focused on recruiting new users and contributors to the Project. We attended and participated in 38 conferences and events in 21 countries. From giving FreeBSD presentations and workshops to staffing tables, we were able to have 1:1 conversations with thousands of attendees.

Our travels also provided opportunities to talk directly with FreeBSD commercial and individual users, contributors, and future FreeBSD user/contributors. We’ve seen an increase in use and interest in FreeBSD from all of these organizations and individuals. These meetings give us a chance to learn more about what organizations need and what they and other individuals are working on. The information helps inform the work we should fund.

Wireguard on OpenBSD Router

wireguard (wg) is a modern vpn protocol, using the latest class of encryption algorithms while at the same time promising speed and a small code base.

modern crypto and lean code are also tenants of openbsd, thus it was a no brainer to migrate my router from openvpn over to wireguard.

my setup : a collection of devices, both wired and wireless, that are nat’d through my router (openbsd 6.6) out via my vpn provider azire* and out to the internet using wg-quick to start wg.

running : doubtless this could be improved on, but currently i start wg manually when my router boots. this, and the nat'ing on the vpn interface mean its impossible for clients to connect to the internet without the vpn being up. as my router is on a ups and only reboots when a kernel patch requires it, it’s a compromise i can live with. run wg-quick (please replace vpn with whatever you named your wg .conf file.) and reload pf rules.

News Roundup

Amazon now has FreeBSD/ARM 12

AWS, the cloud division of Amazon, announced in December the next generation of its ARM processors, the Graviton2. This is a custom chip design with a 7nm architecture. It is based on 64-bit ARM Neoverse cores.

Compared to first-generation Graviton processors (A1), today’s new chips should deliver up to 7x the performance of A1 instances in some cases. Floating point performance is now twice as fast. There are additional memory channels and cache speed memory access should be much faster.

The company is working on three types of Graviton2 EC2 instances that should be available soon. Instances with a “g” suffix are powered by Graviton2 chips. If they have a “d” suffix, it also means that they have NVMe local storage.

• General-purpose instances (M6g and M6gd)

• Compute-optimized instances (C6g and C6gd)

• Memory-optimized instances (R6g and R6gd)

You can choose instances with up to 64 vCPUs, 512 GiB of memory and 25 Gbps networking.

And you can see that ARM-powered servers are not just a fad. AWS already promises a 40% better price/performance ratio with ARM-based instances when you compare them with x86-based instances.

AWS has been working with operating system vendors and independent software vendors to help them release software that runs on ARM. ARM-based EC2 instances support Amazon Linux 2, Ubuntu, Red Hat, SUSE, Fedora, Debian and FreeBSD. It also works with multiple container services (Docker, Amazon ECS, and Amazon Elastic Kubernetes Service).

• Coverage of AWS Announcement

Announcing the pkgsrc-2019Q4 release

The pkgsrc developers are proud to announce the 65th quarterly release of pkgsrc, the cross-platform packaging system. pkgsrc is available with more than 20,000 packages, running on 23 separate platforms; more information on pkgsrc itself is available at https://www.pkgsrc.org/

In total, 190 packages were added, 96 packages were removed, and 1,868 package updates (to 1388 unique packages) were processed since the pkgsrc-2019Q3 release. As usual, a large number of updates and additions were processed for packages for go (14), guile (11), perl (170), php (10), python (426), and ruby (110). This continues pkgsrc's tradition of adding useful packages, updating many packages to more current versions, and pruning unmaintained packages that are believed to have essentially no users.

The Joys of UNIX Keyboards

I fell in love with a dead keyboard layout.

A decade or so ago while helping a friends father clean out an old building, we came across an ancient Sun Microsystems server. We found it curious. Everything about it was different from what we were used to. The command line was black on white, the connectors strange and foreign, and the keyboard layout was bizarre.

We never did much with it; turning it on made all the lights in his home dim, and our joint knowledge of UNIX was nonexistent. It sat in his bedroom for years supporting his television at the foot of his bed.

I never forgot that keyboard though. The thought that there was this alternative layout out there seemed intriguing to me.

OpenBSD on Digital Ocean

Last night I had a need to put together a new OpenBSD machine. Since I already use DigitalOcean for one of my public DNS servers I wanted to use them for this need but sadly like all too many of the cloud providers they don't support OpenBSD. Now they do support FreeBSD and I found a couple writeups that show how to use FreeBSD as a shim to install OpenBSD.

They are both sort of old at this point and with OpenBSD 6.6 out I ran into a bit of a snag. The default these days is to use a GPT partition table to enable EFI booting. This is generally pretty sane but it looks to me like the FreeBSD droplet doesn't support this. After the installer rebooted the VM failed to boot, being unable to find the bootloader.

Thankfully DigitalOcean has a recovery ISO that you can boot by simply switching to it and powering off and then on your Droplet.

Beastie Bits

• FreeBSD defaults to LLVM on PPC
• Theo De Raadt Interview between Ottawa 2019 Hackathon and BSDCAN 2019
• Bastille Poll about what people would like to see in 2020
• Notes on the classic book : The Design of the UNIX Operating System
• Multics History
• First meeting of the Hamilton BSD user group, February 11, 2020 18:30 - 21:00, Boston Pizza on Upper James St

Feedback/Questions

• Bill - 1.1 CDROM
• Greg - More 50 Year anniversary information
• Dave - Question time for Allan

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

OpenBSD 6.5 Released

• Changelog
• Mirrors
• 6.5 Includes
  • OpenSMTPD 6.5.0
  • LibreSSL 2.9.1
  • OpenSSH 8.0
  • Mandoc 1.14.5
  • Xenocara
  • LLVM/Clang 7.0.1 (+ patches)
  • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
• Many pre-built packages for each architecture:
  • aarch64: 9654
  • amd64: 10602
  • i386: 10535

Mount your ZFS datasets anywhere you want

ZFS is very flexible about mountpoints, and there are many features available to provide great flexibility. When you create zpool maintank, the default mountpoint is /maintank. You might be happy with that, but you don’t have to be content. You can do magical things.

• Some highlights are:
  • mount point can be inherited
  • not all filesystems in a zpool need to be mounted
  • each filesystem (directory) can have different ZFS characteristics
  • In my case, let’s look at this new zpool I created earlier today and I will show you some very simple alternatives. This zpool use NVMe devices which should be faster than SSDs especially when used with multiple concurrent writes. This is my plan: run all the Bacula regression tests concurrently.

News Roundup

Branch for netbsd 9 upcoming, please help and test -current

Folks, once again we are quite late for branching the next NetBSD release (NetBSD 9). Initially planned to happen early in February 2019, we are now approaching May and it is unlikely that the branch will happen before that. On the positive side, lots of good things landed in -current in between, like new Mesa, new jemalloc, lots of ZFS improvements - and some of those would be hard to pull up to the branch later. On the bad side we saw lots of churn in -current recently, and there is quite some fallout where we not even have a good overview right now. And this is where you can help:

• please test -current, on all the various machines you have
• especially interesting would be test results from uncommon architectures or strange combinations (like the sparc userland on sparc64 kernel issue I ran in yesterday) Please test, report success, and file PRs for failures! We will likely announce the real branch date on quite short notice, the likely next candidates would be mid may or end of may. We may need to do extra steps after the branch (like switch some architectures back to old jemalloc on the branch). However, the less difference between -current and the branch, the easier will the release cycle go. Our goal is to have an unprecedented short release cycle this time. But.. we always say that upfront.

---

LibreSSL 2.9.1 Released

We have released LibreSSL 2.9.1, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the first stable release from the 2.9 series, which is also included with OpenBSD 6.5

It includes the following changes and improvements from LibreSSL 2.8.x:

• API and Documentation Enhancements

  • CRYPTO_LOCK is now automatically initialized, with the legacy callbacks stubbed for compatibility.
  • Added the SM3 hash function from the Chinese standard GB/T 32905-2016.
  • Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.
  • Added more OPENSSLNO* macros for compatibility with OpenSSL.
  • Partial port of the OpenSSL ECKEYMETHOD API for use by OpenSSH.
  • Implemented further missing OpenSSL 1.1 API.
  • Added support for XChaCha20 and XChaCha20-Poly1305.
  • Added support for AES key wrap constructions via the EVP interface.

• Compatibility Changes

  • Added pbkdf2 key derivation support to openssl(1) enc.
  • Changed the default digest type of openssl(1) enc to sha256.
  • Changed the default digest type of openssl(1) dgst to sha256.
  • Changed the default digest type of openssl(1) x509 -fingerprint to sha256.
  • Changed the default digest type of openssl(1) crl -fingerprint to sha256.

• Testing and Proactive Security

  • Added extensive interoperability tests between LibreSSL and OpenSSL 1.0 and 1.1.
  • Added additional Wycheproof tests and related bug fixes.

• Internal Improvements

  • Simplified sigalgs option processing and handshake signing algorithm selection.
  • Added the ability to use the RSA PSS algorithm for handshake signatures.
  • Added bnrandinterval() and use it in code needing ranges of random bn values.
  • Added functionality to derive early, handshake, and application secrets as per RFC8446.
  • Added handshake state machine from RFC8446.
  • Removed some ASN.1 related code from libcrypto that had not been used since around 2000.
  • Unexported internal symbols and internalized more record layer structs.
  • Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.

• Portable Improvements

  • Added support for assembly optimizations on 32-bit ARM ELF targets.
  • Added support for assembly optimizations on Mingw-w64 targets.
  • Improved Android compatibility

• Bug Fixes

  • Improved protection against timing side channels in ECDSA signature generation.
  • Coordinate blinding was added to some elliptic curves. This is the last bit of the work by Brumley et al. to protect against the Portsmash vulnerability.
  • Ensure transcript handshake is always freed with TLS 1.2.

The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.

---

FreeBSD Mastery: Jails – Bail Bond Denied Edition

I had a brilliant, hideous idea: to produce a charity edition of FreeBSD Mastery: Jails featuring the cover art I would use if I was imprisoned and did not have access to a real cover artist. (Never mind that I wouldn’t be permitted to release books while in jail: we creative sorts scoff at mere legal and cultural details.) I originally wanted to produce my own take on the book’s cover art. My first attempt failed spectacularly. I downgraded my expectations and tried again. And again. And again. I’m pleased to reveal the final cover for FreeBSD Mastery: Jails–Bail Bond Edition! This cover represents the very pinnacle of my artistic talents, and is the result of literally hours of effort. But, as this book is available only to the winner of charity fund-raisers, purchase of this tome represents moral supremacy. I recommend flaunting it to your family, coworkers, and all those of lesser character. Get your copy by winning the BSDCan 2019 charity auction… or any other other auction-type event I deem worthwhile. As far as my moral fiber goes: I have learned that art is hard, and that artists are not paid enough. And if I am ever imprisoned, I do hope that you’ll contribute to my bail fund. Otherwise, you’ll get more covers like this one.

One reason ed(1) was a good editor back in the days of V7 Unix

It is common to describe ed(1) as being line oriented, as opposed to screen oriented editors like vi. This is completely accurate but it is perhaps not a complete enough description for today, because ed is line oriented in a way that is now uncommon. After all, you could say that your shell is line oriented too, and very few people use shells that work and feel the same way ed does. The surface difference between most people's shells and ed is that most people's shells have some version of cursor based interactive editing. The deeper difference is that this requires the shell to run in character by character TTY input mode, also called raw mode. By contrast, ed runs in what Unix usually calls cooked mode, where it reads whole lines from the kernel and the kernel handles things like backspace. All of ed's commands are designed so that they work in this line focused way (including being terminated by the end of the line), and as a whole ed's interface makes this whole line input approach natural. In fact I think ed makes it so natural that it's hard to think of things as being any other way. Ed was designed for line at a time input, not just to not be screen oriented. This input mode difference is not very important today, but in the days of V7 and serial terminals it made a real difference. In cooked mode, V7 ran very little code when you entered each character; almost everything was deferred until it could be processed in bulk by the kernel, and then handed to ed all in a single line which ed could also process all at once. A version of ed that tried to work in raw mode would have been much more resource intensive, even if it still operated on single lines at a time.

Beastie Bits

• CFT for FreeBSD ZoL
• Simple DNS Adblock
• AT&T Unix PC in 1985
• OpenBSD-current drm at 4.19, includes new support for Intel GPUs like Coffee Lake
• "What are the differences between Linux and OpenBSD?" - Twitter thread
• Announcing the pkgsrc-2019Q1 release (2019-04-10)

Feedback/Questions

• Brad - iocage
• Frank - Video from Level1Tech and a question
• Niall - Revision Control

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

Interview - Bryan Cantrill - bryan@joyent.com / @bcantrill

BSD and Solaris history, illumos, dtrace, Joyent, pkgsrc, various topics (and rants)

Feedback/Questions

• Randy writes in
• Jared writes in
• Steve writes in ***

This episode was brought to you by

Headlines

Remote DoS in the TCP stack

• A pretty devious bug in the BSD network stack has been making its rounds for a while now, allowing remote attackers to exhaust the resources of a system with nothing more than TCP connections
• While in the LAST_ACK state, which is one of the final stages of a connection's lifetime, the connection can get stuck and hang there indefinitely
• This problem has a slightly confusing history that involves different fixes at different points in time from different people
• Juniper originally discovered the bug and announced a fix for their proprietary networking gear on June 8th
• On June 29th, FreeBSD caught wind of it and fixed the bug in their -current branch, but did not issue a security notice or MFC the fix back to the -stable branches
• On July 13th, two weeks later, OpenBSD fixed the issue in their -current branch with a slightly different patch, citing the FreeBSD revision from which the problem was found
• Immediately afterwards, they merged it back to -stable and issued an errata notice for 5.7 and 5.6
• On July 21st, three weeks after their original fix, FreeBSD committed yet another slightly different fix and issued a security notice for the problem (which didn't include the first fix)
• After the second fix from FreeBSD, OpenBSD gave them both another look and found their single fix to be sufficient, covering the timer issue in a more general way
• NetBSD confirmed they were vulnerable too, and applied another completely different fix to -current on July 24th, but haven't released a security notice yet
• DragonFly is also investigating the issue now to see if they're affected as well ***

c2k15 hackathon reports

• Reports from OpenBSD's latest hackathon, held in Calgary this time, are starting to roll in (there were over 40 devs there, so we might see a lot more of these)
• The first one, from Ingo Schwarze, talks about some of the mandoc work he did at the event
• He writes, "Did you ever look at a huge page in man, wanted to jump to the definition of a specific term - say, in ksh, to the definition of the "command" built-in command - and had to step through dozens of false positives with the less '/' and 'n' search keys before you finally found the actual definition?"
• With mandoc's new internal jump targets, this is a problem of the past now
• Jasper also sent in a report, doing his usual work with Puppet (and specifically "Facter," a tool used by Puppet to gather various bits of system information)
• Aside from that and various ports-related work, Jasper worked on adding tame support to some userland tools, fixing some Octeon stuff and introduced something that OpenBSD has oddly lacked until now: an "-i" flag for sed (hooray!)
• Antoine Jacoutot gave a report on what he did at the hackathon as well, including improvements to the rcctl tool (for configuring startup services)
• It now has an "ls" subcommand with status parsing, allowing you to list running services, stopped services or even ones that failed to start or are supposed to be running (he calls this "the poor man's service monitoring tool")
• He also reworked some of the rc.d system to allow smoother operation of multiple instances of the same daemon to run (using tor with different config files as an example)
• His list also included updating ports, updating ports documentation, updating the hotplug daemon and laying out some plans for automatic sysmerge for future upgrades
• Foundation director Ken Westerback was also there, getting some disk-related and laptop work done
• He cleaned up and committed the 4k sector softraid code that he'd been working on, as well as fixing some trackpad issues
• Stefan Sperling, OpenBSD's token "wireless guy," had a lot to say about the hackathon and what he did there (and even sent in his write-up before he got home)
• He taught tcpdump about some new things, including 802.11n metadata beacons (there's a lot more specific detail about this one in the report)
• Bringing a bag full of USB wireless devices with him, he set out to get the unsupported ones working, as well as fix some driver bugs in the ones that already did work
• One quote from Stefan's report that a lot of people seem to be talking about: "Partway through the hackathon tedu proposed an old diff of his to make our base ls utility display multi-byte characters. This led to a long discussion about how to expand UTF-8 support in base. The conclusion so far indicates that single-byte locales (such as ISO-8859-1 and KOI-8) will be removed from the base OS after the 5.8 release is cut. This simplifies things because the whole system only has to care about a single character encoding. We'll then have a full release cycle to bring UTF-8 support to more base system utilities such as vi, ksh, and mg. To help with this plan, I started organizing a UTF-8-focused hackathon for some time later this year."
• Jeremy Evans wrote in to talk about updating lots of ports, moving the ruby ports up to the latest version and also creating perl and ruby wrappers for the new tame subsystem
• While he's mainly a ports guy, he got to commit fixes to ports, the base system and even the kernel during the hackathon
• Rafael Zalamena, who got commit access at the event, gives his very first report on his networking-related hackathon activities
• With Rafael's diffs and help from a couple other developers, OpenBSD now has support for VPLS
• Jonathan Gray got a lot done in the area of graphics, working on OpenGL and Mesa, updating libdrm and even working with upstream projects to remove some GNU-specific code
• As he's become somewhat known for, Jonathan was also busy running three things in the background: clang's fuzzer, cppcheck and AFL (looking for any potential crashes to fix)
• Martin Pieuchot gave an write-up on his experience: "I always though that hackathons were the best place to write code, but what's even more important is that they are the best (well actually only) moment where one can discuss and coordinate projects with other developers IRL. And that's what I did."
• He laid out some plans for the wireless stack, discussed future plans for PF, made some routing table improvements and did various other bits to the network stack
• Unfortunately, most of Martin's secret plans seem to have been left intentionally vague, and will start to take form in the next release cycle
• We're still eagerly awaiting a report from one of OpenBSD's newest developers, Alexandr Nedvedicky (the Oracle guy who's working on SMP PF and some other PF fixes)
• OpenBSD 5.8's "beta" status was recently reverted, with the message "take that as a hint," so that may mean more big changes are still to come... ***

FreeBSD quarterly status report

• FreeBSD has published their quarterly status report for the months of April to June, citing it to be the largest one so far
• It's broken down into a number of sections: team reports, projects, kernel, architectures, userland programs, ports, documentation, Google Summer of Code and miscellaneous others
• Starting off with the cluster admin, some machines were moved to the datacenter at New York Internet, email services are now more resilient to failure, the svn mirrors (now just "svn.freebsd.org") are now using GeoGNS with official SSL certs and general redundancy was increased
• In the release engineering space, ARM and ARM64 work continues to improve on the Cavium ThunderX, more focus is being put into cloud platforms and the 10.2-RELEASE cycle is reaching its final stages
• The core team has been working on phabricator, the fancy review system, and is considering to integrate oauth support soon
• Work also continues on bhyve, and more operating systems are slowly gaining support (including the much-rumored Windows Server 2012)
• The report also covers recent developments in the Linux emulation layer, and encourages people using 11-CURRENT to help test out the 64bit support
• Multipath TCP was also a hot topic, and there's a brief summary of the current status on that patch (it will be available publicly soon)
• ZFSguru, a project we haven't talked about a lot, also gets some attention in the report - version 0.3 is set to be completed in early August
• PCIe hotplug support is also mentioned, though it's still in the development stages (basic hot-swap functions are working though)
• The official binary packages are now built more frequently than before with the help of additional hardware, so AMD64 and i386 users will have fresher ports without the need for compiling
• Various other small updates on specific areas of ports (KDE, XFCE, X11...) are also included in the report
• Documentation is a strong focus as always, a number of new documentation committers were added and some of the translations have been improved a lot
• Many other topics were covered, including foundation updates, conference plans, pkgsrc support in pkgng, ZFS support for UEFI boot and much more ***

The OpenSSH bug that wasn't

• There's been a lot of discussion about a supposed flaw in OpenSSH, allowing attackers to substantially amplify the number of password attempts they can try per session (without leaving any abnormal log traces, even)
• There's no actual exploit to speak of; this bug would only help someone get more bruteforce tries in with a fewer number of connections
• FreeBSD in its default configuration, with PAM and ChallengeResponseAuthentication enabled, was the only one vulnerable to the problem - not upstream OpenSSH, nor any of the other BSDs, and not even the majority of Linux distros
• If you disable all forms of authentication except public keys, like you're supposed to, then this is also not a big deal for FreeBSD systems
• Realistically speaking, it's more of a PAM bug than anything else
• OpenSSH added an additional check for this type of setup that will be in 7.0, but simply changing your sshd_config is enough to mitigate the issue for now on FreeBSD (or you can run freebsd-update) ***

Interview - Sebastian Wiedenroth - wiedi@netbsd.org / @wied0r

pkgsrc and pkgsrcCon

News Roundup

Now served by OpenBSD

• We've mentioned that you can also install OpenBSD on DO droplets, and this blog post is about someone who actually did it
• The use case for the author was for a webserver, so he decided to try out the httpd in base
• Configuration is ridiculously simple, and the config file in his example provides an HTTPS-only webserver, with plaintext requests automatically redirecting
• TLS 1.2 by default, strong ciphers with LibreSSL and HSTS combined give you a pretty secure web server ***

FreeBSD laptop playbooks

• A new project has started up on Github for configuring FreeBSD on various laptops, unsurprisingly named "freebsd-laptops"
• It's based on ansible, and uses the playbook format for automatic set up and configuration
• Right now, it's only working on a single Lenovo laptop, but the plan is to add instructions for many more models
• Check the Github page for instructions on how to get started, and maybe get involved if you're running FreeBSD on a laptop ***

NetBSD on the NVIDIA Jetson TK1

• If you've never heard of the Jetson TK1, we can go ahead and spoil the secret here: NetBSD runs on it
• As for the specs, it has a quad-core ARMv7 CPU at 2.3GHz, 2 gigs of RAM, gigabit ethernet, SATA, HDMI and mini-PCIE
• This blog post shows which parts of the board are working with NetBSD -current (which seems to be almost everything)
• You can even run X11 on it, pretty sweet ***

DragonFly power mangement options

• DragonFly developer Sepherosa, who we've had on the show, has been doing some ACPI work over there
• In this email, he presents some of DragonFly's different power management options: ACPI P-states, C-states, mwait C-states and some Intel-specific bits as well
• He also did some testing with each of them and gave his findings about power saving
• If you've been thinking about running DragonFly on a laptop, this would be a good one to read ***

OpenBSD router under FreeBSD bhyve

• If one BSD just isn't enough for you, and you've only got one machine, why not run two at once
• This article talks about taking a FreeBSD server running bhyve and making a virtualized OpenBSD router with it
• If you've been considering switching over your router at home or the office, doing it in a virtual machine is a good way to test the waters before committing to real hardware
• The author also includes a little bit of history on how he got into both operating systems
• There are lots of mixed opinions about virtualizing core network components, so we'll leave it up to you to do your research
• Of course, the next logical step is to put that bhyve host under Xen on NetBSD... ***

Feedback/Questions

• Kevin writes in
• Logan writes in
• Peter writes in
• Randy writes in ***

This episode was brought to you by

Headlines

Playing with sandboxing

• Sandboxing and privilege separation are popular topics these days - they're the goal of the new "shill" scripting language, they're used heavily throughout OpenBSD, and they're gaining traction with the capsicum framework
• This blog post explores capsicum in FreeBSD, some of its history and where it's used in the base system
• They also include some code samples so you can verify that capsicum is actually denying the program access to certain system calls
• Check our interview about capsicum from a while back if you haven't seen it already ***

OpenNTPD on by default

• OpenBSD has enabled ntpd by default in the installer, rather than prompting the user if they want to turn it on
• In nearly every case, you're going to want to have your clock synced via NTP
• With the HTTPS constraints feature also enabled by default, this should keep the time checked and accurate, even against spoofing attacks
• Lots of problems can be traced back to the time on one system or another being wrong, so this will also eliminate some of those cases
• For those who might be curious, they're using the "pool.ntp.org" cluster of addresses and google for HTTPS constraints (but these can be easily changed) ***

FreeBSD workshop in Landshut

• We mentioned a BSD installfest happening in Germany a few weeks back, and the organizer wrote in with a review of the event
• The installfest instead became a "FreeBSD workshop" session, introducing curious new users to some of the flagship features of the OS
• They covered when to use UFS or ZFS, firewall options, the release/stable/current branches and finally how to automate installations with Ansible
• If you're in south Germany and want to give similar introduction talks or Q&A sessions about the other BSDs, get in touch
• We'll hear more from him about how it went in the feedback section today ***

Swap encryption in DragonFly

• Doing full disk encryption is very important, but something that people sometimes overlook is encrypting their swap
• This can actually be more important than the contents of your disks, especially if an unencrypted password or key hits your swap (as it can be recovered quite easily)
• DragonFlyBSD has added a new experimental option to automatically encrypt your swap partition in fstab
• There was another way to do it previously, but this is a lot easier
• You can achieve similar results in FreeBSD by adding ".eli" to the end of the swap device in fstab, there are a few steps to do it in NetBSD and swap in OpenBSD is encrypted by default
• A one-time key will be created and then destroyed in each case, making recovery of the plaintext nearly impossible ***

Interview - Jed Reynolds - jed@bitratchet.com / @jed_reynolds

Comparing ZFS on Linux and FreeBSD

News Roundup

USB thermometer on OpenBSD

• So maybe you've got BSD on your server or router, maybe NetBSD on a toaster, but have you ever used a thermometer with one?
• This blog post introduces the RDing TEMPer Gold USB thermometer, a small device that can tell the room temperature, and how to get it working on OpenBSD
• Wouldn't you know it, OpenBSD has a native "ugold" driver to support it with the sensors framework
• How useful such a device would be is another story though ***

NAS4Free now on ARM

• We talk a lot about hardware for network-attached storage devices on the show, but ARM doesn't come up a lot
• That might be changing soon, as NAS4Free has just released some ARM builds
• These new (somewhat experimental) images are based on FreeBSD 11-CURRENT
• Included in the announcement is a list of fully-supported and partially-supported hardware that they've tested it with
• If anyone has experience with running a NAS on slightly exotic hardware, write in to us ***

pkgsrcCon 2015 CFP and info

• This year's pkgsrcCon will be in Berlin, Germany on July 4th and 5th
• They're looking for talk proposals and ideas for things you'd like to see
• If you or your company uses pkgsrc, or if you're just interested in NetBSD in general, it would be a good event to check out ***

BSDTalk episode 253

• BSDTalk has released another new episode
• In it, he interviews George Neville-Neil about the 2nd edition of "The Design and Implementation of the FreeBSD Operating System"
• They discuss what's new since the last edition, who the book's target audience is and a lot more
• We're up to 90 episodes now, slowly catching up to Will... ***

Feedback/Questions

• Dominik writes in
• Brad writes in
• Corvin writes in
• James writes in ***

This episode was brought to you by

Headlines

The missing EuroBSDCon videos

• Some of the missing videos from EuroBSDCon 2014 we mentioned before have mysteriously appeared
• Jordan Hubbard, FreeBSD, looking forward to another 10 years
• Lourival Viera Neto, NPF scripting with Lua
• Kris Moore, Snapshots, replication and boot environments
• Andy Tanenbaum, A reimplementation of NetBSD based on a microkernel
• Kirk McKusick, An introduction to FreeBSD's implementation of ZFS
• Emannuel Dreyfus, FUSE and beyond, bridging filesystems
• John-Mark Gurney, Optimizing GELI performance
• Unfortunately, there are still about six talks missing… and no ETA ***

FreeBSD on a MacBook Pro (or two)

• We've got a couple posts about running FreeBSD on a MacBook Pro this week
• In the first one, the author talks a bit about trying to run Linux on his laptop for quite a while, going back and forth between it and something that Just Works™
• Eventually he came full circle, and the focus on using only GUI tools got in the way, instead of making things easier
• He works on a lot of FreeBSD-related software, so switching to it for a desktop seems to be the obvious next step
• He's still not quite to that point yet, but documents his experiments with BSD as a desktop
• The second article also documents an ex-Linux user switching over to BSD for their desktop
• It also covers power management, bluetooth and trackpad setup
• On the topic of Gentoo, "Underneath the beautiful and easy-to-use Portage system lies the same glibc, the same turmoil over a switch to a less-than-ideal init system, and the same kernel-level bugs that bring my productivity down"
• Check out both articles if you've been considering running FreeBSD on a MacBook ***

Remote logging over TLS

• In most of the BSDs, syslogd has been able to remotely send logs to another server for a long time
• That feature can be very useful, especially for forensics purposes - it's much harder for an attacker to hide their activities if the logs aren't on the same server
• The problem is, of course, that it's sent in cleartext, unless you tunnel it over SSH or use some kind of third party wrapper
• With a few recent commits, OpenBSD's syslogd now supports sending logs over TLS natively, including X509 certificate verification
• By default, syslogd runs as an unprivileged user in a chroot on OpenBSD, so there were some initial concerns about certificate verification - how does that user access the CA chain outside of the chroot?
• That problem was also conquered, by loading the CA chain directly from memory, so the entire process can be run in the chroot without issue
• Some of the privsep verifcation code even made its way into LibreSSL right afterwards
• If you haven't set up remote logging before, now might be an interesting time to try it out ***

FreeBSD, not a Linux distro

• George Neville-Neil gave a presentation recently, titled "FreeBSD: not a Linux distro"
• It's meant to be an introduction to new users that might've heard about FreeBSD, but aren't familiar with any BSD history
• He goes through some of that history, and talks about what FreeBSD is and why you might want to use it over other options
• There's even an interesting "thirty years in three minutes" segment
• It's not just a history lesson though, he talks about some of the current features and even some new things coming in the next version(s)
• We also learn about filesystems, jails, capsicum, clang, dtrace and the various big companies using FreeBSD in their products
• This might be a good video to show your friends or potential employer if you're looking to introduce FreeBSD to them ***

Long-term support considered harmful

• There was recently a pretty horrible bug in GNU's libc (BSDs aren't affected, don't worry)
• Aside from the severity of the actual problem, the fix was delayed for quite a long time, leaving people vulnerable
• Ted Unangst writes a post about how this idea of long-term support could actually be harmful in the long run, and compares it to how OpenBSD does things
• OpenBSD releases a new version every six months, and only the two most recent releases get support and security fixes
• He describes this as both a good thing and a bad thing: all the bugs in the ecosystem get flushed out within a year, but it forces people to stay (relatively) up-to-date
• "Upgrades only get harder and more painful (and more fragile) the longer one goes between them. More changes, more damage. Frequent upgrades amortize the cost and ensure that regressions are caught early."
• There was also some discussion about the article you can check out ***

Interview - Andrew Tanenbaum - info@minix3.org / @minix3

MINIX's integration of NetBSD

News Roundup

Using AFL on OpenBSD

• We've talked about American Fuzzy Lop a bit on a previous episode, and how some OpenBSD devs are using it to catch and fix new bugs
• Undeadly has a cool guide on how you can get started with fuzzing
• It's a little on the advanced side, but if you're interested in programming or diagnosing crashes, it'll be a really interesting article to read
• Lots of recent CVEs in other open source projects are attributed to fuzzing - it's a great way to stress test your software ***

Lumina 0.8.1 released

• A new version of Lumina, the BSD-licensed desktop environment from PCBSD, has been released
• This update includes some new plugins, lots of bugfixes and even "quality-of-life improvements"
• There's a new audio player desktop plugin, a button to easily minimize all windows at once and some cool new customization options
• You can get it in PCBSD's edge repo or install it through regular ports (on FreeBSD, OpenBSD or DragonFly!)
• If you haven't seen our episode about Lumina, where we interview the developer and show you a tour of its features, gotta go watch it ***

My first OpenBSD port

• The author of the "Code Rot & Why I Chose OpenBSD" article has a new post up, this time about ports
• He recently made his first port and got it into the tree, so he talks about the whole process from start to finish
• After learning some of the basics and becoming comfortable running -current, he noticed there wasn't a port for the "Otter" web browser
• At that point he did what you're supposed to do in that situation, and started working on it himself
• OpenBSD has a great porter's handbook that he referenced throughout the process
• Long story short, his browser of choice is in the official ports collection and now he's the maintainer (and gets to deal with any bug reports, of course)
• If some software you use isn't available for whatever BSD you're using, you could be the one to make it happen ***

How to slide with DragonFly

• DragonFly BSD has a new HAMMER FS utility called "Slider"
• It's used to easily browse through file history and undelete files - imagine something like a commandline version of Apple's Time Machine
• They have a pretty comprehensive guide on how to use it on their wiki page
• If you're using HAMMER FS, this is a really handy tool to have, check it out ***

OpenSMTPD with Dovecot and Salt

• We recently had a feedback question about which mail servers you can use on BSD - Postfix, Exim and OpenSMTPD being the big three
• This blog post details how to set up OpenSMTPD, including Dovecot for IMAP and Salt for quick and easy deployment
• Intrigued by it becoming the default MTA in OpenBSD, the author decided to give it a try after being a long-time Postfix fan
• "Small, fast, stable, and very easy to customize, no more ugly m4 macros to deal with"
• Check it out if you've been thinking about configuring your first mail server on any of the BSDs ***

Feedback/Questions

• Christopher writes in (handbook section)
• Mark writes in
• Kevin writes in
• Stefano writes in
• Matthew writes in ***

Mailing List Gold

• Not that interested actually
• This guy again
• Yep, this is the place ***

This episode was brought to you by

Headlines

EuroBSDCon 2014 registration open

• September is getting closer, and that means it's time for EuroBSDCon - held in Bulgaria this year
• Registration is finally open to the public, with prices for businesses ($287), individuals ($217) and students ($82) for the main conference until August 18th
• Tutorials, sessions, dev summits and everything else all have their own pricing as well
• Registering between August 18th - September 12th will cost more for everything
• You can register online here and check hotels in the area
• The FreeBSD foundation is also accepting applications for travel grants ***

OpenBSD SMP PF update

• A couple weeks ago we talked about how DragonflyBSD updated their PF to be multithreaded
• With them joining the SMP ranks along with FreeBSD, a lot of users have been asking about when OpenBSD is going to make the jump
• In a recent mailing list thread, Henning Brauer addresses some of the concerns
• The short version is that too many things in OpenBSD are currently single-threaded for it to matter - just reworking PF by itself would be useless
• He also says PF on OpenBSD is over four times faster than FreeBSD's old version, presumably due to those extra years of development it's gone through
• There's also been even more recent concern about the uncertain future of FreeBSD's PF, being mostly unmaintained since their SMP patches
• We reached out to four developers (over week ago) about coming on the show to talk about OpenBSD network performance and SMP, but they all ignored us ***

Introduction to NetBSD pkgsrc

• An article from one of our listeners about how to create a new pkgsrc port or fix one that you need
• The post starts off with how to get the pkgsrc tree, shows how to get the developer tools and finally goes through the Makefile format
• It also lists all the different bmake targets and their functions in relation to the porting process
• Finally, the post details the whole process of creating a new port ***

FreeBSD 9.3-RELEASE

• After three RCs, FreeBSD 9.3 was scheduled to be finalized and announced today but actually came out yesterday
• The full list of changes is available, but it's mostly a smaller maintenance release
• Lots of driver updates, ZFS issues fixed, hardware RNGs are entirely disabled by default, netmap framework updates, read-only ext4 support was added, the vt driver was merged from -CURRENT, new hardware support (including radeon KMS), various userland tools got new features, OpenSSL and OpenSSH were updated... and much more
• If you haven't jumped to the 10.x branch yet (and there are a lot of people who haven't!) this is a worthwhile upgrade - 9.2-RELEASE will reach EOL soon
• Good news, this will be the first release with PGP-signed checksums on the FTP mirrors - a very welcome change
• With that out of the way, the 10.1-RELEASE schedule was posted ***

Interview - Bryan Drewery - bdrewery@freebsd.org / @bdrewery

The FreeBSD package building cluster, pkgng, ports, various topics

Tutorial

Tunneling traffic through DNS

News Roundup

SSH two-factor authentication on FreeBSD

• We've previously mentioned stories on how to do two-factor authentication with a Yubikey or via a third party website
• This blog post tells you how to do exactly that, but with your Google account and the pam_google_authenticator port
• Using this setup, every user that logs in with a password will have an extra requirement before they can gain access - but users with public keys can login normally
• It's a really, really simple process once you have the port installed - full details on the page ***

Ditch tape backup in favor of FreeNAS

• The author of this post shares some of his horrible experiences with tape backups for a client
• Having constant, daily errors and failed backups, he needed to find another solution
• With 1TB of backups, tapes just weren't a good option anymore - so he switched to FreeNAS (after also ruling out a pre-built NAS)
• The rest of the article details his experiences with it and tells about his setup ***

NetBSD vs FreeBSD, desktop experiences

• A NetBSD and pkgsrc developer details his experiences running NetBSD on a workstation at his job
• Becoming more and more disappointed with graphics performance, he finally decides to give FreeBSD 10 a try - especially since it has a native nVidia driver
• "Running on VAX, PlayStation 2 and Amiga is fun, but I’ll tell you a little secret: nobody cares anymore about VAX, PlayStation 2 and Amiga."
• He's become pretty satisfied with FreeBSD, a modern choice for a 2014 desktop system ***

PCBSD not-so-weekly digest

• Speaking of choices for a desktop system, it's the return of the PCBSD digest!
• Warden and PBI_add have gotten some interesting new features
• You can now create jails "on the fly" when adding a new PBI to your application library
• Bulk jail creation is also possible now, and it's really easy
• New Jenkins integration, with public access to poudriere logs as well
• PkgNG 1.3.0.rc2 testing for EDGE users ***

Feedback/Questions

• Jeff writes in - Sending Encrypted Backups over SSH + Sending ZFS snapshots via user
• Bruce writes in
• Richard writes in
• Jeff writes in - NYCBUG dmesg list
• Steve writes in ***

This episode was brought to you by

Headlines

pfSense 2.1.4 released

• The pfSense team has released 2.1.4, shortly after 2.1.3 - it's mainly a security release
• Included within are eight security fixes, most of which are pfSense-specific
• OpenSSL, the WebUI and some packages all need to be patched (and there are instructions on how to do so)
• It also includes a large number of various other bug fixes
• Update all your routers! ***

DragonflyBSD's pf gets SMP

• While we're on the topic of pf...
• Dragonfly patches their old[er than even FreeBSD's] pf to support multithreading in many areas
• Stemming from a user's complaint, Matthew Dillon did his own work on pf to make it SMP-aware
• Altering your configuration's ruleset can also help speed things up, he found
• When will OpenBSD, the source of pf, finally do the same? ***

ChaCha usage and deployment

• A while back, we talked to djm about some cryptography changes in OpenBSD 5.5 and OpenSSH 6.5
• This article is sort of an interesting follow-up to that, showing which projects have adopted ChaCha20
• OpenSSH offers it as a stream cipher now, OpenBSD uses it for it's random number generator, Google offers it in TLS for Chromium and some of their services and lots of other projects seem to be adopting it
• Both Google's fork of OpenSSL and LibReSSL have upcoming implementations, while vanilla OpenSSL does not
• Unfortunately, this article has one mistake: FreeBSD does not use it - they still use the broken RC4 algorithm ***

BSDMag June 2014 issue

• The monthly online BSD magazine releases their newest issue
• This one includes the following articles: TLS hardening, setting up a package cluster in MidnightBSD, more GIMP tutorials, "saving time and headaches using the robot framework for testing," an interview and an article about the increasing number of security vulnerabilities
• The free pdf file is available for download as always ***

Interview - Craig Rodrigues - rodrigc@freebsd.org

FreeBSD's continuous testing infrastructure

Tutorial

Creating pre-patched OpenBSD ISOs

News Roundup

Preauthenticated decryption considered harmful

• Responding to a post from Adam Langley, Ted Unangst talks a little more about how signify and pkg_add handle signatures
• In the past, the OpenBSD installer would pipe the output of ftp straight to tar, but then verify the SHA256 at the end - this had the advantage of not requiring any extra disk space, but raised some security concerns
• With signify, now everything is fully downloaded and verified before tar is even invoked
• The pkg_add utility works a little bit differently, but it's also been improved in this area - details in the post
• Be sure to also read the original post from Adam, lots of good information ***

FreeBSD 9.3-RC2 is out

• As the -RELEASE inches closer, release candidate 2 is out and ready for testing
• Since the last one, it's got some fixes for NIC drivers, the latest file and libmagic security fixes, some serial port workarounds and various other small things
• The updated bsdconfig will use pkgng style packages now too
• A lesser known fact: there are also premade virtual machine images you can use too ***

pkgsrcCon 2014 wrap-up

• In what may be the first real pkgsrcCon article we've ever had!
• Includes wrap-up discussion about the event, the talks, the speakers themselves, what they use pkgsrc for, the hackathon and basically the whole event
• Unfortunately no recordings to be found... ***

PostgreSQL FreeBSD performance and scalability

• FreeBSD developer kib@ writes a report on PostgreSQL on FreeBSD, and how it scales
• On his monster 40-core box with 1TB of RAM, he runs lots of benchmarks and posts the findings
• Lots of technical details if you're interested in getting the best performance out of your hardware
• It also includes specific kernel options he used and the rest of the configuration
• If you don't want to open the pdf file, you can use this link too ***

Feedback/Questions

• James writes in
• Klemen writes in
• John writes in
• Brad writes in
• Adam writes in ***

This episode was brought to you by

Headlines

FreeBSD 11 goals and discussion

• Something that actually happened at BSDCan this year...
• During the FreeBSD devsummit, there was some discussion about what changes will be made in 11.0-RELEASE
• Some of MWL's notes include: the test suite will be merged to 10-STABLE, more work on the MIPS platforms, LLDB getting more attention, UEFI boot and install support
• A large list of possibilities was also included and open for discussion, including AES-GCM in IPSEC, ASLR, OpenMP, ICC, in-place kernel upgrades, Capsicum improvements, TCP performance improvements and A LOT more
• There's also some notes from the devsummit virtualization session, mostly talking about bhyve
• Lastly, he also provides some notes about ports and packages and where they're going ***

An SSH honeypot with OpenBSD and Kippo

• Everyone loves messing with script kiddies, right?
• This blog post introduces Kippo, an SSH honeypot tool, and how to use it in combination with OpenBSD
• It includes a step by step (or rather, command by command) guide and some tips for running a honeypot securely
• You can use this to get new 0day exploits or find weaknesses in your systems
• OpenBSD makes a great companion for security testing tools like this with all its exploit mitigation techniques that protect all running applications ***

NetBSD foundation financial report

• The NetBSD foundation has posted their 2013 financial report
• It's a very "no nonsense" page, pretty much only the hard numbers
• In 2013, they got $26,000 of income in donations
• The rest of the page shows all the details, how they spent it on hardware, consulting, conference fees, legal costs and everything else
• Be sure to donate to whichever BSDs you like and use! ***

Building a fully-encrypted NAS with OpenBSD

• Usually the popular choice for a NAS system is FreeNAS, or plain FreeBSD if you know what you're doing
• This article takes a look at the OpenBSD side and explains how to build a NAS with security in mind
• The NAS will be fully encrypted, no separate /boot partition like FreeBSD and FreeNAS require - this means the kernel itself is even protected
• The obvious trade-off is the lack of ZFS support for storage, but this is an interesting idea that would fit most people's needs too
• There's also a bit of background information on NAS systems in general, some NAS-specific security tips and even some nice graphs and pictures of the hardware - fantastic write up! ***

Interview - Brian Callahan & Aaron Bieber - admin@lists.nycbug.org & admin@cobug.org

Forming a local BSD Users Group

Tutorial

The basics of pkgsrc

News Roundup

FreeBSD periodic mails vs. monitoring

• If you've ever been an admin for a lot of FreeBSD boxes, you've probably noticed that you get a lot of email
• This page tells about all the different alert emails, cron emails and other reports you might end up getting, as well as how to manage them
• From bad SSH logins to Zabbix alerts, it all adds up quickly
• It highlights the periodic.conf file and FreeBSD's periodic daemon, as well as some third party monitoring tools you can use to keep track of your servers ***

Doing cool stuff with OpenBSD routing domains

• A blog post from our viewer and regular emailer, Kjell-Aleksander!
• He manages some internally-routed IP ranges at his work, but didn't want to have equipment for each separate project
• This is where OpenBSD routing domains and pf come in to save the day
• The blog post goes through the process with all the network details you could ever dream of
• He even named his networking equipment... after us ***

LibreSSL, the good and the bad

• We're all probably familiar with OpenBSD's fork of OpenSSL at this point
• However, "for those of you that don't know it, OpenSSL is at the same time the best and most popular SSL/TLS library available, and utter junk"
• This article talks about some of the cryptographic development challenges involved with maintaining such a massive project
• You need cryptographers, software engineers, software optimization specialists - there are a lot of roles that need to be filled
• It also mentions some OpenSSL alternatives and recent LibreSSL progress, as well as some downsides to the fork - the main one being their aim for backwards compatibility ***

PCBSD weekly digest

• Lots going on in PCBSD land this week, AppCafe has been redesigned
• The PBI system is being replaced with pkgng, PBIs will be automatically converted once you update
• In the more recent post, there's some further explanation of the PBI system and the reason for the transition
• It's got lots of details on the different ways to install software, so hopefully it will clear up any possible confusion ***

Feedback/Questions

• Antonio writes in
• Daniel writes in
• Sean writes in
• tsyn writes in
• Chris writes in ***

This episode was brought to you by

Headlines

FreeBSD ASLR status update

• Shawn Webb gives us a little update on his address space layout randomization work for FreeBSD
• He's implemented execbase randomization for position-independent executables (which OpenBSD also just enabled globally in 5.5 on i386)
• Work has also started on testing ASLR on ARM, using a Raspberry Pi
• He's giving a presentation at BSDCan this year about his ASLR work
• While we're on the topic of BSDCan... ***

BSDCan tutorials, improving the experience

• Peter Hansteen writes a new blog post about his upcoming BSDCan tutorials
• The tutorials are called "Building the network you need with PF, the OpenBSD packet filter" and "Transitioning to OpenBSD 5.5" - both scheduled to last three hours each
• He's requesting anyone that'll be there to go ahead and contact him, telling him exactly what you'd like to learn
• There's also a bit of background information about the tutorials and how he's looking to improve them
• If you're interested in OpenBSD and going to BSDCan this year, hit him up ***

pkgsrc-2014Q1 released

• The new stable branch of pkgsrc packages has been built and is ready
• Python 3.3 is now a "first class citizen" in pkgsrc
• 14255 packages for NetBSD-current/x86_64, 11233 binary packages built with clang for FreeBSD 10/x86_64
• There's a new release every three months, and remember pkgsrc works on MANY operating systems, not just NetBSD - you could even use pkgsrc instead of pkgng or ports if you were so inclined
• They're also looking into signing packages ***

Only two holes in a heck of a long time, who cares?

• A particularly vocal Debian user, a lost soul, somehow finds his way to the misc@ OpenBSD mailing list
• He questions "what's the big deal" about OpenBSD's slogan being "Only two remote holes in the default install, in a heck of a long time!"
• Luckily, the community and Theo set the record straight about why you should care about this
• Running insecure applications on OpenBSD is actually more secure than running them on other systems, due to things like ASLR, PIE and all the security features of OpenBSD
• It spawned a discussion about ease of management and Linux's poor security record, definitely worth reading ***

Interview - Dru Lavigne - dru@freebsd.org / @bsdevents

FreeBSD's documentation printing, documentation springs, various topics

Tutorial

Automatic, unattended OpenBSD installs with PXE

News Roundup

pfSense 2.1.1 released

• A new version of pfSense is released, mainly to fix some security issues
• Tracking some recent FreeBSD advisories, pfSense usually only applies the ones that would matter on a firewall or router
• There are also some NIC driver updates and other things
• Of course if you want to learn more about pfSense, watch episode 25
• 2.1.2 is already up for testing too ***

FreeBSD gets UEFI support

• It looks like FreeBSD's battle with UEFI may be coming to a close?
• Ed Maste committed a giant list of patches to enable UEFI support on x86_64
• Look through the list to see all the details and information
• Thanks FreeBSD foundation! ***

Ideas for the next DragonflyBSD release

• Mr. Dragonfly release engineer himself, Justin Sherrill posts some of his ideas for the upcoming release
• They're aiming for late May for the next version
• Ideas include better support for running in a VM, pkgng fixes, documentation updates and PAM support
• Gasp, they're even considering dropping i386 ***

PCBSD weekly digest

• Lots of new PBI updates for 10.0, new runtime implementation
• New support for running 32 bit applications in PBI runtime
• New default CD and DVD player, umplayer
• Latest GNOME 3 and Cinnamon merged, new edge package builds ***

Feedback/Questions

• Remy writes in
• Jan writes in
• Eddie writes in
• Zen writes in
• Sean writes in ***

This episode was brought to you by

Headlines

Tailoring OpenBSD for an old, strange computer

• The author of this article had an OmniBook 800CT, which comes with a pop-out mouse, black and white display, 32MB of RAM and a 133MHz CPU
• Obviously he had to install some kind of BSD on it!
• This post goes through all his efforts of trimming down OpenBSD to work on such a limited device
• He goes through the trial and error of "compile, break it, rebuild, try again"
• After cutting a lot out from the kernel, saving a precious megabyte here and there, he eventually gets it working ***

pkgsrcCon and BSDCan

• pkgsrccon is "a technical conference for people working on the NetBSD Packages Collection, focusing on existing technologies, research projects, and works-in-progress in pkgsrc infrastructure"
• This year it will be on June 21st and 22nd
• The schedule is still being worked out, so if you want to give a talk, submit it
• BSDCan's schedule was also announced
• We'll be having presentations about ARM on NetBSD and FreeBSD, PF on OpenBSD, Capsicum and casperd, ASLR in FreeBSD, more about migrating from Linux to BSD, FreeNAS stuff and much more
• Kris' presentation was accepted!
• Tons of topics, look forward to the recorded versions of all of them hopefully! ***

Two factor auth with pushover

• A new write-up from our friend Ted Unangst
• Pushover is "a web hook to smartphone push notification gateway" - you sent a POST to a web server and it sends a code to your phone
• His post goes through the steps of editing your login.conf and setting it all up to work
• Now you can get a two factor authenticated login for ssh! ***

The status of GNOME 3 on BSD

• It's no secret that the GNOME team is a Linux-obsessed bunch, almost to the point of being hostile towards other operating systems
• OpenBSD keeps their GNOME 3 ports up to date very well, and Antoine Jacoutot writes about his work on that and how easy it is to use
• This post goes through the process of how simple it is to get GNOME 3 set up on OpenBSD and even includes a screencast
• A few recent posts from some GNOME developers show that they're finally working with the BSD guys to improve portability
• The FreeBSD and OpenBSD teams are working together to bring the latest GNOME to all of us - it's a beautiful thing
• This goes right along with our interview today! ***

Interview - Joe Marcus Clark - marcus@freebsd.org

The life and daily activities of portmgr, GNOME 3, Tinderbox, portlint, various topics

Tutorial

The FreeBSD Ports Collection

News Roundup

DragonflyBSD 3.8 goals and 3.6.1 release

• The Dragonfly team is thinking about what should be in version 3.8
• On their bug tracker, it lists some of the things they'd like to get done before then
• In the meantime, 3.6.1 was released with lots of bugfixes ***

NYCBSDCon 2014 wrap-up piece

• We've got a nice wrap-up titled "NYCBSDCon 2014 Heats Up a Cold Winter Weekend"
• The author also interviews GNN about the conference
• There's even a little "beginner introduction" to BSD segment
• Includes a mention of the recently-launched journal and lots of pictures from the event ***

FreeBSD and Linux, a comparative analysis

• GNN in yet another story - he gave a presentation at the NYLUG about the differences between FreeBSD and Linux
• He mentions the history of BSD, the patch set and 386BSD, the lawsuit, philosophy and license differences, a complete system vs "distros," development models, BSD-only features and technologies, how to become a committer, overall comparisons, different hats and roles, the different bsds and their goals and actual code differences
• Serves as a good introduction you can show your Linux friends ***

PCBSD CFT and weekly digest

• Upgrade tools have gotten a major rewrite
• You have to help test it, there is no choice! Read more here
• How dare Kris be "unimpressed with" freebsd-update and pkgng!?
• Various updates and fixes ***

Feedback/Questions

• Jeffrey writes in
• Shane writes in
• Ferdinand writes in
• Curtis writes in
• Clint writes in
• Peter writes in ***

This episode was brought to you by

Headlines

EuroBSDCon and AsiaBSDCon

• This year, EuroBSDCon will be in September in Sofia, Bulgaria
• They've got a call for papers up now, so everyone can submit the talks they want to present
• There will also be a tutorial section of the conference
• AsiaBSDCon will be next month, in March!
• All the info about the registration, tutorials, hotels, timetable and location have been posted
• Check the link for all the details on the talks - if you plan on going to Tokyo next month, hang out with Allan and Kris and lots of BSD developers! ***

FreeBSD 10 on Ubiquiti EdgeRouter Lite

• The Ubiquiti EdgeRouter Lite is a router that costs less than $100 and has a MIPS CPU
• This article goes through the process of installing and configuring FreeBSD on it to use as a home router
• Lots of good pictures of the hardware and specific details needed to get you set up
• It also includes the scripts to create your own images if you don't want to use the ones rolled by someone else
• For such a cheap price, might be a really fun weekend project to replace your shitty consumer router
• Of course if you're more of an OpenBSD guy, you can always see our tutorial for that too ***

Signed pkgsrc package guide

• We got a request on IRC for more pkgsrc stuff on the show, and a listener provided a nice write-up
• It shows you how to set up signed packages with pkgsrc, which works on quite a few OSes (not just NetBSD)
• He goes through the process of signing packages with a public key and how to verify the packages when you install them
• The author also happens to be an EdgeBSD developer ***

Big batch of OpenBSD hackathon reports

• Five trip reports from the OpenBSD hackathon in New Zealand! In the first one, jmatthew details his work on fiber channel controller drivers, some octeon USB work and ARM fixes for AHCI
• In the second, ketennis gets into his work with running interrupt handlers without holding the kernel lock, some SPARC64 improvements and a few other things
• In the third, jsg updated libdrm and mesa and did various work on xenocara
• In the fourth, dlg came with the intention to improve SMP support, but got distracted and did SCSI stuff instead - but he talks a little bit about the struggle OpenBSD has with SMP and some of the work he's done
• In the fifth, claudio talks about some stuff he did for routing tables and misc. other things ***

Interview - Chris Buechler - cmb@pfsense.com / @cbuechler

pfSense

Tutorial

pfSense walkthrough

News Roundup

FreeBSD challenge continues

• Our buddy from the Linux foundation continues his switching to BSD journey
• In day 13, he covers some tips for new users, mentions trying things out in a VM first
• In day 14, he starts setting up XFCE and X11, feels like he's starting over as a new Linux user learning the ropes again - concludes that ports are the way to go
• In day 15, he finishes up his XFCE configuration and details different versions of ports with different names, as well as learns how to apply his first patch
• In day 16, he dives into the world of FreeBSD jails! ***

BSD books in 2014

• BSD books are some of the highest quality technical writings available, and MWL has written a good number of them
• In this post, he details some of his plans for 2014
• In includes at least one OpenBSD book, at least one FreeBSD book and...
• Very strong possibility of Absolute FreeBSD 3rd edition (watch our interview with him)
• Check the link for all the details ***

How to build FreeBSD/EC2 images

• Our friend Colin Percival details how to build EC2 images in a new blog post
• Most people just use the images he makes on their instances, but some people will want to make their own from scratch
• You build a regular disk image and then turn it into an AMI
• It requires a couple ports be installed on your system, but the whole process is pretty straightforward ***

PCBSD weekly digest

• This time around we discuss how you can become a developer
• Kris also details the length of supported releases
• Expect lots of new features in 10.1 ***

Feedback/Questions

• Sean writes in
• Jake writes in
• Niclas writes in
• Steffan writes in
• Antonio writes in
• Chris writes in ***

This episode was brought to you by

Headlines

FreeBSD's new testing infrastructure

• A new test suite was added to FreeBSD, with 3 powerful machines available
• Both -CURRENT and stable/10 have got the test suite build infrastructure in place
• Designed to help developers test and improve major scalability across huge amounts of CPUs and RAM
• More details available here
• Could the iXsystems monster server be involved...? ***

OpenBSD gets signify

• At long last, OpenBSD gets support for signed releases!
• For "the world's most secure OS" it was very easy to MITM kernel patches, updates, installer isos, everything
• A commit to the -current tree reveals a new "signify" tool is currently being kicked around
• More details in a blog post from the guy who committed it
• Quote: "yeah, briefly, the plan is to sign sets and packages. that's still work in progress." ***

Faces of FreeBSD

• This time they interview Isabell Long
• She's a volunteer staff member on the freenode IRC network
• In 2011, she participated in the Google Code-In contest and became involved with documentation
• "The new committer mentoring process proved very useful and that, plus the accepting community of FreeBSD, are reasons why I stay involved." ***

pkgsrc-2013Q4 branched

• The quarterly pkgsrc branch from NetBSD is out
• 13472 total packages for NetBSD-current/amd64 + 13049 binary packages built with clang!
• Lots of numbers and stats in the announcement
• pkgsrc works on quite a few different OSes, not just NetBSD
• See our interview with Amitai Schlair for a bit about pkgsrc ***

OpenBSD on Google's Compute Engine

• Google Compute Engine is a "cloud computing" platform similar to EC2
• Unfortunately, they only offer poor choices for the OS (Debian and CentOS)
• Recently it's been announced that there is a custom OS option
• It's using a WIP virtio-scsi driver, lots of things still need more work
• Lots of technical and networking details about the struggles to get OpenBSD working on it ***

The Installfest

We'll be showing you the installer of each of the main BSDs. As of the date this episode airs, we're using:

• FreeBSD 10.0
• OpenBSD 5.4
• NetBSD 6.1.2
• DragonflyBSD 3.6
• PCBSD 10.0 ***

News Roundup

Building an OpenBSD wireless access point

• A neat write up we found around the internet about making an OpenBSD wifi router
• Goes through the process of PXE booting, installing base, using a serial console, setting up networking and wireless
• Even includes a puffy sticker on the Soekris box at the end, how cute ***

FreeBSD 4.X jails on 10.0

• Blog entry from our buddy Michael Lucas
• For whatever reason (an "in-house application"), he needed to run a FreeBSD 4 jail in FreeBSD 10
• Talks about the options he had: porting software, virtualizing, dealing with slow old hardware
• He goes through the whole process of making an ancient jail
• It's "an acceptable trade-off, if it means I don’t have to touch actual PHP code." ***

Unscrewed: a story about OpenBSD

• Pretty long blog post about how a network admin used OpenBSD to save the day
• To set the tone, "It was 5am, and the network was down"
• Great war story about replacing expensive routers and networking equipment with cheaper hardware and BSD
• Mentions a lot of the built in tools and how OpenBSD is great for routers and high security applications ***

PCBSD weekly digest

• 10.0-RC3 is out and ready to be tested
• New detection of ATI Hybrid Graphics, they're working on nVidia next
• Re-classifying Linux jails as unsupported / experimental ***

Feedback/Questions

• Daniel writes in
• Erik writes in
• SW writes in
• [Bostjan writes in[(http://slexy.org/view/s20N9bfkum)
• Samuel writes in ***

Headlines

Faces of FreeBSD

• The FreeBSD foundation is publishing articles on different FreeBSD developers
• This one is about Colin Percival (cperciva@), the ex-security officer
• Tells the story of how he first found BSD, what he contributed back, how he eventually became the security officer
• Running series with more to come ***

Lots of BSD presentation videos uploaded

• EuroBSDCon 2013 dev summit videos, AsiaBSDCon 2013 videos, MWL's presentation video
• Most of us never get to see the dev summit talks since they're only for developers
• AsiaBSDCon 2013 videos also up finally
• List of AsiaBSDCon presentation topics here
• Our buddy Michael W Lucas gave an "OpenBSD for Linux users" talk at a Michigan Unix Users Group.
• He says "Among other things, I compare OpenBSD to Richard Stallman and physically assault an audience member. We also talk long long time, memory randomization, PF, BSD license versus GPL, Microsoft and other OpenBSD stuff"
• Really informative presentation, pretty long, answers some common questions at the end ***

Call for Presentations: FOSDEM 2014 and NYCBSDCon 2014

• FOSDEM 2014 will take place on 1–2 February, 2014, in Brussels, Belgium
• Just like in the last years, there will be both a BSD booth and a developer's room
• The topics of the devroom include all BSD operating systems. Every talk is welcome, from internal hacker discussion to real-world examples and presentations about new and shiny features.
• If you are in the area or want to go, check the show notes for details
• NYCBSDCon is also accepting papers.
• It'll be in New York City at the beginning of February 2014
• If anyone wants to give a talk at one of these conferences, go ahead and send in your stuff! ***

FreeBSD foundation's year-end fundraising campaign

• The FreeBSD foundation has been supporting the FreeBSD project and community for over 13 years
• As of today they have raised about half a million dollars, but still have a while to go
• Donations go towards new features, paying for the server infrastructure, conferences, supporting the community, hiring full-time staff members and promoting FreeBSD at events
• They are preparing the debut of a new online magazine, the FreeBSD Journal
• Typically big companies make their huge donations in December, like a couple of anonymous donors that gave around $250,000 each last year
• Make your donation today over at freebsdfoundation.org, every little bit helps
• Everyone involved with BSD Now made a donation last year and will do so again this year ***

Interview - Amitai Schlair - schmonz@netbsd.org / @schmonz

The NetBSD Foundation, pkgsrc, future plans

Tutorial

Combining SSH and tmux

• Note: there was a mistake in the video version of the tutorial, please consult the written version for the proper instructions. ***

News Roundup

PS4 released

• Sony's Playstation 4 is finally released
• As previously thought, its OS is heavily based on FreeBSD and uses the kernel among other things
• Link in the show notes contains the full list of BSD software they're using
• Always good to see BSD being so widespread ***

BSD Mag November issue

• Free monthly BSD magazine publishes another issue
• This time their topics include: Configuring a Highly Available Service on FreeBSD, IT Inventory & Asset Management Automation, more FreeBSD Programming Primer, PfSense and Snort and a few others
• PDF linked in the show notes ***

pbulk builds made easy

• NetBSD's pbulk tool is similar to poudriere, but for pkgsrc
• While working on updating the documentation, a developer cleaned up quite a lot of code
• He wrote a script that automates pbulk deployment and setup
• The whole setup of a dedicated machine has been reduced to just three commands ***

PCBSD weekly digest

• Over 200 PBIs have been populated in to the PC-BSD 10 Stable Appcafe
• Many PC-BSD programs received some necessary bug fixes and updates
• Some include network detection in the package and update managers, nvidia graphic detection, security updates for PCDM ***

Feedback/Questions

• Peter writes in
• Kjell-Aleksander writes in
• Jordan writes in
• Christian writes in
• entransic writes in ***