BSD Now - Episodes Tagged with “Prng”

48: Liberating SSL

JT Pennington — Wed, 30 Jul 2014 08:00:00 -0400

Coming up in this week's episode, we'll be talking with one of OpenBSD's newest developers - Brent Cook - about the portable version of LibreSSL and how it's developed. We've also got some information about the FreeBSD port of LibreSSL you might not know. The latest news and your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD quarterly status report

FreeBSD has gotten quite a lot done this quarter
Changes in the way release branches are supported - major releases will get at least five years over their lifespan
A new automounter is in the works, hoping to replace amd (which has some issues)
The CAM target layer and RPC stack have gotten some major optimization and speed boosts
Work on ZFSGuru continues, with a large status report specifically for that
The report also mentioned some new committers, both source and ports
It also covers GNATS being replaced with Bugzilla, the new core team, 9.3-RELEASE, GSoC updates, UEFI booting and lots of other things that we've already mentioned on the show
"Foundation-sponsored work resulted in 226 commits to FreeBSD over the April to June period" ***

A new OpenBSD HTTPD is born

Work has begun on a new HTTP daemon in the OpenBSD base system
A lot of people are asking "why?" since OpenBSD includes a chrooted nginx already - will it be removed? Will they co-exist?
Initial responses seem to indicate that nginx is getting bloated, and is a bit overkill for just serving content (this isn't trying to be a full-featured replacement)
It's partially based on the relayd codebase and also comes from the author of relayd, Reyk Floeter
This has the added benefit of the usual, easy-to-understand syntax and privilege separation
There's a very brief man page online already
It supports vhosts and can serve static files, but is still in very active development - there will probably be even more new features by the time this airs
Will it be named OpenHTTPD? Or perhaps... LibreHTTPD? (I hope not) ***

pkgng 1.3 announced

The newest version of FreeBSD's second generation package management system has been released, with lots of new features
It has a new "real" solver to automatically handle conflicts, and dynamically discover new ones (this means the annoying -o option is deprecated now, hooray!)
Lots of the code has been sandboxed for extra security
You'll probably notice some new changes to the UI too, making things more user friendly
A few days later 1.3.1 was released to fix a few small bugs, then 1.3.2 shortly thereafter and 1.3.3 yesterday ***

FreeBSD after-install security tasks

A number of people have written in to ask us "how do I secure my BSD box after I install it?"
With this blog post, hopefully most of their questions will finally be answered in detail
It goes through locking down SSH with keys, patching the base system for security, installing packages and keeping them updated, monitoring and closing any listening services and a few other small things
Not only does it just list things to do, but the post also does a good job of explaining why you should do them
Maybe we'll see some more posts in this series in the future ***

Interview - Brent Cook - bcook@openbsd.org / @busterbcook

LibreSSL's portable version and development

News Roundup

FreeBSD Mastery - Storage Essentials

MWL's new book about the FreeBSD storage subsystems now has an early draft available
Early buyers can get access to an in-progress draft of the book before the official release, but keep in mind that it may go through a lot of changes
Topics of the book will include GEOM, UFS, ZFS, the disk utilities, partition schemes, disk encryption and maximizing I/O performance
You'll get access to the completed (e)book when it's done if you buy the early draft
The suggested price is $8 ***

Why BSD and not Linux?

Yet another thread comes up asking why you should choose BSD over Linux or vice-versa
Lots of good responses from users of the various BSDs
Directly ripping a quote: "Features like Ports, Capsicum, CARP, ZFS and DTrace were stable on BSDs before their Linux versions, and some of those are far more usable on BSD. Features like pf are still BSD-only. FreeBSD has GELI and ipfw and is "GCC free". DragonflyBSD has HAMMER and kernel performance tuning. OpenBSD have upstream pf and their gamut of security features, as well as a general emphasis on simplicity."
And "Over the years, the BSDs have clearly shown their worth in the nix ecosystem by pioneering new features and driving adoption of others. The most recent on OpenBSD were 2038 support and LibreSSL. FreeBSD still arguably rules the FOSS storage space with ZFS."
Some other users share their switching experiences - worth a read ***

More g2k14 hackathon reports

Following up from last week's huge list of hackathon reports, we have a few more
Landry Breuil spent some time with Ansible testing his infrastructure, worked on the firefox port and tried to push some of their patches upstream
Andrew Fresh enjoyed his first hackathon, pushing OpenBSD's perl patches upstream and got tricked into rewriting the adduser utility in perl
Ted Unangst did his usual "teduing" (removing of) old code - say goodbye to asa, fpr, mkstr, xstr, oldrdist, fsplit, uyap and bluetooth
Luckily we didn't have to cover 20 new ones this time! ***

BSDTalk episode 243

The newest episode of BSDTalk is out, featuring an interview with Ingo Schwarze of the OpenBSD team
The main topic of discussion is mandoc, which some users might not be familiar with
mandoc is a utility for formatting manpages that OpenBSD and NetBSD use (DragonFlyBSD and FreeBSD include it in their source tree, but it's not built by default)
We'll catch up to you soon, Will! ***

Feedback/Questions

Thomas writes in
Stephen writes in
Sha'ul writes in
Florian writes in
Bob Beck writes in - and note the "Caution" section that was added to libressl.org ***

47: DES Challenge IV

JT Pennington — Wed, 23 Jul 2014 08:00:00 -0400

Coming up this week on the show! We've got an interview with Dag-Erling Smørgrav, the current security officer of FreeBSD, to discuss what exactly being in such an important position is like. The latest news, answers to your emails and even some LibreSSL drama, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

g2k14 hackathon reports

Nearly 50 OpenBSD developers gathered in Ljubljana, Slovenia from July 8-14 for a hackathon
Lots of work got done - in just the first two weeks of July, there were over 1000 commits to their CVS tree
Some of the developers wrote in to document what they were up to at the event
Bob Beck planned to work on kernel stuff, but then "LibreSSL happened" and he spent most of his time working on that
Miod Vallat also tells about his LibreSSL experiences
Brent Cook, a new developer, worked mainly on the portable version of LibreSSL (and we'll be interviewing him next week!)
Henning Brauer worked on VLAN bpf and various things related to IPv6 and network interfaces (and he still hates IPv6)
Martin Pieuchot fixed some bugs in the USB stack, softraid and misc other things
Marc Espie improved the package code, enabling some speed ups, fixed some ports that broke with LibreSSL and some of the new changes and also did some work on ensuring snapshot consistency
Martin Pelikan integrated read-only ext4 support
Vadim Zhukov did lots of ports work, including working on KDE4
Theo de Raadt created a new, more secure system call, "sendsyslog" and did a lot of work with /etc, sysmerge and the rc scripts
Paul Irofti worked on the USB stack, specifically for the Octeon platform
Sebastian Benoit worked on relayd filters and IPv6 code
Jasper Lievisse Adriaanse did work with puppet, packages and the bootloader
Jonathan Gray imported newer Mesa libraries and did a lot with Xenocara, including work in the installer for autodetection
Stefan Sperling fixed a lot of issues with wireless drivers
Florian Obser did many things related to IPv6
Ingo Schwarze worked on mandoc, as usual, and also rewrote the openbsd.org man.cgi interface
Ken Westerback hacked on dhclient and dhcpd, and also got dump working on 4k sector drives
Matthieu Herrb worked on updating and modernizing parts of xenocara ***

FreeBSD pf discussion takes off

Concerns from last week, about FreeBSD's packet filter being old and unmaintained, seemed to have finally sparked some conversation about the topic on the "questions" and "current" mailing lists (unfortunately people didn't always use reply-all so you have to cross-reference the two lists to follow the whole conversation sometimes)
Straight from the SMP FreeBSD pf maintainer: "no one right now [is actively developing pf on FreeBSD]"
Searching for documentation online for pf is troublesome because there are two incompatible syntaxes
FreeBSD's pf man pages are lacking, and some of FreeBSD's documentation still links to OpenBSD's pages, which won't work anymore - possibly turning away would-be BSD converts because it's frustrating
There's also the issue of importing patches from pfSense, but most of those still haven't been done either
Lots of disagreement among developers vs. users...
Many users are very vocal about wanting it updated, saying the syntax change is no big deal and is worth the benefits - developers aren't interested
Henning Brauer, the main developer of pf on OpenBSD, has been very nice and offered to help the other BSDs get their pf fixed on multiple occasions
Gleb Smirnoff, author of the FreeBSD-specific SMP patches, questions Henning's claims about OpenBSD's improved speed as "uncorroborated claims" (but neither side has provided any public benchmarks)
Gleb had to abandon his work on FreeBSD's pf because funding ran out ***

LibreSSL progress update

LibreSSL's first few portable releases have come out and they're making great progress, releasing 2.0.3 two days ago
Lots of non-OpenBSD people are starting to contribute, sending in patches via the tech mailing list
However, there has already been some drama... with Linux users
There was a problem with Linux's PRNG, and LibreSSL was unforgiving of it, not making an effort to randomize something that could not provide real entropy
This "problem" doesn't affect OpenBSD's native implementation, only the portable version
The developers decide to weigh in to calm the misinformation and rage
A fix was added in 2.0.2, and Linux may even get a new system call to handle this properly now - remember to say thanks, guys
Ted Unangst has a really good post about the whole situation, definitely check it out
As a follow-up from last week, bapt says they're working on building the whole FreeBSD ports tree against LibreSSL, but lots of things still need some patching to work properly - if you're a port maintainer, please test your ports against it ***

Preparation for NetBSD 7

The release process for NetBSD 7.0 is finally underway
The netbsd-7 CVS branch should be created around July 26th, which marks the start of the first beta period, which will be lasting until September
If you run NetBSD, that'll be a great time to help test on as many platforms as you can (this is especially true on custom embedded applications)
They're also looking for some help updating documentation and fixing any bugs that get reported
Another formal announcement will be made when the beta binaries are up ***

Interview - Dag-Erling Smørgrav - des@freebsd.org / @RealEvilDES

The role of the FreeBSD Security Officer, recent ports features, various topics

News Roundup

BSDCan ports and packages WG

Back at BSDCan this year, there was a special event for discussion of FreeBSD ports and packages
Bapt talked about package building, poudriere and the systems the foundation funded for compiling packages
There's also some detail about the signing infrastructure and different mirrors
Ports people and source people need to talk more often about ABI breakage
The post also includes information about pkg 1.3, the old pkg tools' EOL, the quarterly stable package sets and a lot more (it's a huge post!) ***

Cross-compiling ports with QEMU and poudriere

With recent QEMU features, you can basically chroot into a completely different architecture
This article goes through the process of building ARMv6 packages on a normal X86 box
Note though that this requires 10-STABLE or 11-CURRENT and an extra patch for QEMU right now
The poudriere-devel port now has a "qemu user" option that will pull in all the requirements
Hopefully this will pave the way for official pkgng packages on those lesser-used architectures ***

Cloning FreeBSD with ZFS send

For a FreeBSD mail server that MWL runs, he wanted to have a way to easily restore the whole system if something were to happen
This post shows his entire process in creating a mirror machine, using ZFS for everything
The "zfs send" and "zfs snapshot" commands really come in handy for this
He does the whole thing from a live CD, pretty impressive ***

FreeBSD Overview series

A new blog series we stumbled upon about a Linux user switching to BSD
In part one, he gives a little background on being "done with Linux distros" and documents his initial experience getting and installing FreeBSD 10
He was pleasantly surprised to be able to use ZFS without jumping through hoops and doing custom kernels
Most of what he was used to on Linux was already in the default FreeBSD (except bash...)
Part two documents his experiences with pkgng and ports ***