NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

An RNG that runs in your brain

Going Stateless

News Roundup

SmolBSD

The Wi-Fi only works when it's raining

Wayland, where are we in 2024? Any good for being the default?

Omnios pxe booting

OpenBSD scripts to convert wg-quick VPN files

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

This episode was brought to you by

Headlines

Revisiting FreeBSD after 20 years

• With comments like "has Linux lost its way?" floating around, a Debian developer was prompted to revisit FreeBSD after nearly two decades
• This blog post goes through his experiences trying out a modern BSD variant, and includes the good, the bad and the ugly - not just praise this time
• He loves ZFS and the beadm tool, and finds the FreeBSD implementation to be much more stable than ZoL
• On the topic of jails, he summarizes: "Linux has tried so hard to get this right, and fallen on its face so many times, a person just wants to take pity sometimes. We’ve had linux-vserver, openvz, lxc, and still none of them match what FreeBSD jails have done for a long time."
• The post also goes through the "just plain different" aspects of a complete OS vs. a distribution of various things pieced together
• Finally, he includes some things he wasn't so happy about: subpar laptop support, virtualization being a bit behind, a myriad of complaints about pkgng and a few other things
• There was some decent discussion on Hacker News about this article too, with counterpoints from both sides ***

s2k15 hackathon report: network stack SMP

• The first trip report from the recent OpenBSD hackathon in Australia has finally been submitted
• One of the themes of this hackathon was SMP (symmetric multiprocessing) improvement, and Martin Pieuchot did some hacking on the network stack
• If you're not familiar with him, he gave a presentation at EuroBSDCon last year, titled Taming OpenBSD Network Stack Dragons
• Teaming up with David Gwynne, they worked on getting some bits of the networking code out of the big lock
• Hopefully more trip reports will be sent in during the coming weeks
• Most of the big code changes should probably appear after the 5.7-release testing period ***

From BIND to NSD and Unbound

• If you've been running a DNS server on any of the BSDs, you've probably noticed a semi-recent trend: BIND being replaced with Unbound
• BIND was ripped out in FreeBSD 10.0 and will be gone in OpenBSD 5.7, but both systems include Unbound now as an alternative
• OpenBSD goes a step further, also including NSD in the base system, whereas you'll need to install that from ports on FreeBSD
• Instead of one daemon doing everything like BIND tried to do, this new setup splits the authoritative nameserver and the caching resolver into two separate daemons
• This post takes you through the transitional phase of going from a single BIND setup to a combination of NSD and Unbound
• All in all, everyone wins here, as there will be a lot less security advisories in both BSDs because of it... ***

m0n0wall calls it quits

• The original, classic BSD firewall distribution m0n0wall has finally decided to close up shop
• For those unfamiliar, m0n0wall was a FreeBSD-based firewall project that put a lot of focus on embedded devices: running from a CF card, CD, USB drive or even a floppy disk
• It started over twelve years ago, which is pretty amazing when you consider that's around half of FreeBSD itself's lifespan
• The project was probably a lot of people's first encounter with BSD in any form
• If you were a m0n0wall user, fear not, you've got plenty of choices for a potential replacement: doing it yourself with something like FreeBSD or OpenBSD, or going the premade route with something like pfSense, OPNsense or the BSD Router Project
• The founder's announcement includes these closing words: "m0n0wall has served as the seed for several other well known open source projects, like pfSense, FreeNAS and AskoziaPBX. The newest offspring, OPNsense, aims to continue the open source spirit of m0n0wall while updating the technology to be ready for the future. In my view, it is the perfect way to bring the m0n0wall idea into 2015, and I encourage all current m0n0wall users to check out OPNsense and contribute if they can."
• While m0n0wall didn't get a lot of on-air mention, surely a lot of our listeners will remember it fondly ***

Interview - Alex Reece & Matt Ahrens - alex@delphix.com & matt@delphix.com / @openzfs

What's new in OpenZFS

Tutorial

Making your first patch (OpenBSD)

News Roundup

Overlaying remote LANs with OpenBSD's VXLAN

• Have you ever wanted to "merge" multiple remote LANs? OpenBSD's vxlan(4) is exactly what you need
• This article talks about using it to connect two virtualized infrastructures on different ESXi servers
• It gives a bit of networking background first, in case you're not quite up to speed on all this stuff
• This tool opens up a lot of very cool possibilities, even possibly doing a "remote" LAN party
• Be sure to check the AsiaBSDCon talk about VXLANs if you haven't already ***

2020, year of the PCBSD desktop

• Here we have a blog post about BSD on the desktop, straight from a KDE developer
• He predicts that PCBSD is going to take off before the year 2020, possibly even overtaking Linux's desktop market share (small as it may be)
• With PCBSD making a preconfigured FreeBSD desktop a reality, and the new KMS work, the author is impressed with how far BSD has come as a viable desktop option
• ZFS and easy-to-use boot environments top the list of things he says differentiate the BSD desktop experience from the Linux one
• There was also some discussion on Slashdot that might be worth reading ***

OpenSSH host key rotation, redux

• We mentioned the new OpenSSH host key rotation and other goodies in a previous episode, but things have changed a little bit since then
• djm says "almost immediately after smugly declaring 'mission accomplished', the bug reports started rolling in."
• There were some initial complaints from developers about the new options, and a serious bug shortly thereafter
• After going back to the drawing board, he refactored some of the new code (and API) and added some more regression tests
• Most importantly, the bigger big fix was described as: "a malicious server (say, "host-a") could advertise the public key of another server (say, "host-b"). Then, when the client subsequently connects back to host-a, instead of answering the connection as usual itself, host-a could proxy the connection to host-b. This would cause the user to connect to host-b when they think they are connecting to host-a, which is a violation of the authentication the host key is supposed to provide."
• None of this code has been in a formal OpenSSH release just yet, but hopefully it will soon ***

PCBSD tries out LibreSSL

• PCBSD users may soon be seeing a lot less security problems because of two recent changes
• After switching over to OpenNTPD last week, PCBSD decides to give the portable LibreSSL a try too
• Note that this is only for the packages built from ports, not the base system unfortunately
• They're not the first ones to do this - OPNsense has been experimenting with replacing OpenSSL in their ports tree for a little while now, and of course all of OpenBSD's ports are built against it
• A good number of patches are still not committed in vanilla FreeBSD ports, so they had to borrow some from Bugzilla
• Look forward to Kris wearing a "keep calm and abandon OpenSSL" shirt in the near future ***

Feedback/Questions

• Benjamin writes in
• Mike writes in
• Brad writes in ***

Mailing List Gold

• Debian Dejavu
• Package gone missing ***

This episode was brought to you by

Headlines

FreeBSD quarterly status report

• FreeBSD has gotten quite a lot done this quarter
• Changes in the way release branches are supported - major releases will get at least five years over their lifespan
• A new automounter is in the works, hoping to replace amd (which has some issues)
• The CAM target layer and RPC stack have gotten some major optimization and speed boosts
• Work on ZFSGuru continues, with a large status report specifically for that
• The report also mentioned some new committers, both source and ports
• It also covers GNATS being replaced with Bugzilla, the new core team, 9.3-RELEASE, GSoC updates, UEFI booting and lots of other things that we've already mentioned on the show
• "Foundation-sponsored work resulted in 226 commits to FreeBSD over the April to June period" ***

A new OpenBSD HTTPD is born

• Work has begun on a new HTTP daemon in the OpenBSD base system
• A lot of people are asking "why?" since OpenBSD includes a chrooted nginx already - will it be removed? Will they co-exist?
• Initial responses seem to indicate that nginx is getting bloated, and is a bit overkill for just serving content (this isn't trying to be a full-featured replacement)
• It's partially based on the relayd codebase and also comes from the author of relayd, Reyk Floeter
• This has the added benefit of the usual, easy-to-understand syntax and privilege separation
• There's a very brief man page online already
• It supports vhosts and can serve static files, but is still in very active development - there will probably be even more new features by the time this airs
• Will it be named OpenHTTPD? Or perhaps... LibreHTTPD? (I hope not) ***

pkgng 1.3 announced

• The newest version of FreeBSD's second generation package management system has been released, with lots of new features
• It has a new "real" solver to automatically handle conflicts, and dynamically discover new ones (this means the annoying -o option is deprecated now, hooray!)
• Lots of the code has been sandboxed for extra security
• You'll probably notice some new changes to the UI too, making things more user friendly
• A few days later 1.3.1 was released to fix a few small bugs, then 1.3.2 shortly thereafter and 1.3.3 yesterday ***

FreeBSD after-install security tasks

• A number of people have written in to ask us "how do I secure my BSD box after I install it?"
• With this blog post, hopefully most of their questions will finally be answered in detail
• It goes through locking down SSH with keys, patching the base system for security, installing packages and keeping them updated, monitoring and closing any listening services and a few other small things
• Not only does it just list things to do, but the post also does a good job of explaining why you should do them
• Maybe we'll see some more posts in this series in the future ***

Interview - Brent Cook - bcook@openbsd.org / @busterbcook

LibreSSL's portable version and development

News Roundup

FreeBSD Mastery - Storage Essentials

• MWL's new book about the FreeBSD storage subsystems now has an early draft available
• Early buyers can get access to an in-progress draft of the book before the official release, but keep in mind that it may go through a lot of changes
• Topics of the book will include GEOM, UFS, ZFS, the disk utilities, partition schemes, disk encryption and maximizing I/O performance
• You'll get access to the completed (e)book when it's done if you buy the early draft
• The suggested price is $8 ***

Why BSD and not Linux?

• Yet another thread comes up asking why you should choose BSD over Linux or vice-versa
• Lots of good responses from users of the various BSDs
• Directly ripping a quote: "Features like Ports, Capsicum, CARP, ZFS and DTrace were stable on BSDs before their Linux versions, and some of those are far more usable on BSD. Features like pf are still BSD-only. FreeBSD has GELI and ipfw and is "GCC free". DragonflyBSD has HAMMER and kernel performance tuning. OpenBSD have upstream pf and their gamut of security features, as well as a general emphasis on simplicity."
• And "Over the years, the BSDs have clearly shown their worth in the nix ecosystem by pioneering new features and driving adoption of others. The most recent on OpenBSD were 2038 support and LibreSSL. FreeBSD still arguably rules the FOSS storage space with ZFS."
• Some other users share their switching experiences - worth a read ***

More g2k14 hackathon reports

• Following up from last week's huge list of hackathon reports, we have a few more
• Landry Breuil spent some time with Ansible testing his infrastructure, worked on the firefox port and tried to push some of their patches upstream
• Andrew Fresh enjoyed his first hackathon, pushing OpenBSD's perl patches upstream and got tricked into rewriting the adduser utility in perl
• Ted Unangst did his usual "teduing" (removing of) old code - say goodbye to asa, fpr, mkstr, xstr, oldrdist, fsplit, uyap and bluetooth
• Luckily we didn't have to cover 20 new ones this time! ***

BSDTalk episode 243

• The newest episode of BSDTalk is out, featuring an interview with Ingo Schwarze of the OpenBSD team
• The main topic of discussion is mandoc, which some users might not be familiar with
• mandoc is a utility for formatting manpages that OpenBSD and NetBSD use (DragonFlyBSD and FreeBSD include it in their source tree, but it's not built by default)
• We'll catch up to you soon, Will! ***

Feedback/Questions

• Thomas writes in
• Stephen writes in
• Sha'ul writes in
• Florian writes in
• Bob Beck writes in - and note the "Caution" section that was added to libressl.org ***