NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

2021 FreeBSD Developer Summit

helloSystem – FreeBSD Based OS Brings another Promising Release 0.5.0

News Roundup

GearBSD: a project to help automating your OpenBSD

OpenBGPD 7.0 released

Simple use of Let's Encrypt on OpenBSD is pleasantly straightforward (as of 6.8)

FreeBSD 13 on the Panasonic Let’s Note CF-RZ6

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• [Paul - ZFS Questions](https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/408/feedback/Paul%20-%20ZFS%20Questions)
• [Rafael - relic](https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/408/feedback/Rafael%20-%20relic)
• [matthew - sendfile and ktls](https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/408/feedback/matthew%20-%20sendfile%20and%20ktls)

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Did Linux Kill Commercial Unix?

Sales of commercial Unix have fallen off a cliff. There has to be something behind this dramatic decline. Has Linux killed its ancestor by becoming a perfectly viable replacement, like an operating system version of Invasion of the Body Snatchers?

---

Wireguard: Simple and Secure VPN in FreeBSD

• A great article by Tom Jones about setting up Wireguard on FreeBSD ***

Setup a Three Node Replicated GlusterFS Cluster on FreeBSD

GlusterFS (GFS) is the open source equivalent to Microsoft's Distributed Filesystem (DFS). It's a service that replicates the contents of a filesystem in real time from one server to another. Clients connect to any server and changes made to a file will replicate automatically. It's similar to something like rsync or syncthing, but much more automatic and transparent. A FreeBSD port has been available since v3.4, and (as of this post) is currently at version 8.0 with 9.0 being released soon.

---

News Roundup

OpenBSD on the Lenovo ThinkPad X1 Nano (1st Gen)

Lenovo has finally made a smaller version of its X1 Carbon, something I’ve been looking forward to for years.

---

NetBSD on the EdgeRouter Lite

NetBSD-current now has pre-built octeon bootable images (which will appear in NetBSD 10.0) for the evbmips port, so I decided to finally give it a try. I've been happily running OpenBSD/octeon on my EdgeRouter Lite for a few years now, and have previously published some notes including more detail about the CPU.

---

“TLS Mastery” first draft done!

---

Beastie Bits

• A Thread on a FreeBSD Desktop for PineBook Pro
• FOSSASIA Conference - March 2021(Virtual)
• WireGuard for pfSense Software
• NetBSD logo to going Moon *** ###Tarsnap
• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups. ### Producer's Note > Hey everybody, it’s JT here. After our AMA episode where I mentioned I was looking for older BSD Retail Copies, I was contacted by Andrew who hooked me up with a bunch of OpenBSD disks from the 4.x era. So shout out to him, and since that worked so well, I figured I'd give it another shot and ask that if anyone has any old Unixes that will run on an 8088, 8086, or 286 and you're willing to send me copies of the disks. I've recently dug out an old 286 system and I’d love to get a Unix OS on it. I know of Minix, Xenix and Microport, but I haven’t been able to find many versions of them. I've found Microport 1.3.3, and SCO Xenix... but that's about it. Let me know if you happen to have any other versions, or know where I can get them.
  

Feedback/Questions

• Christian - ZFS replication and verification
• Iain - progress
• Paul - APU2 device ***
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Interview with Michael W. Lucas

SNMP Book
The Networknomicon
Sponsor the TLS Book
Cashflow for creators
Book sale

---

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

Special Guest: Michael W Lucas.

Headlines

FuryBSD 2020Q2 Images Available for XFCE and KDE

The Q2 2020 images are not a visible leap forward but a functional leap forward. Most effort was spent creating a better out of box experience for automatic Ethernet configuration, working WiFi, webcam, and improved hypervisor support.

Technical reasons to choose FreeBSD over GNU/Linux

Since I wrote my article "Why you should migrate everything from Linux to BSD" I have been wanting to write something about the technical reasons to choose FreeBSD over GNU/Linux and while I cannot possibly cover every single reason, I can write about some of the things that I consider worth noting.

News Roundup

+ Not actually Linux distro review deux: GhostBSD

When I began work on the FreeBSD 12.1-RELEASE review last week, it didn't take long to figure out that the desktop portion wasn't going very smoothly.

I think it's important for BSD-curious users to know of easier, gentler alternatives, so I did a little looking around and settled on GhostBSD for a follow-up review.

GhostBSD is based on TrueOS, which itself derives from FreeBSD Stable. It was originally a Canadian distro, but—like most successful distributions—it has transcended its country of origin and can now be considered worldwide. Significant GhostBSD development takes place now in Canada, Italy, Germany, and the United States.

“TLS Mastery” sponsorships open

My next book will be TLS Mastery, all about Transport Layer Encryption, Let’s Encrypt, OCSP, and so on.

This should be a shorter book, more like my DNSSEC or Tarsnap titles, or the first edition of Sudo Mastery. I would like a break from writing doorstops like the SNMP and jails books.

JT (our producer) shared his Open Source Retail Box Collection on twitter this past weekend and there was a nice response from a few in the BSD Community showing their collections:

• JT's post: https://twitter.com/q5sys/status/1251194823589138432

  • High Resolution Image to see the bottom shelf better: https://photos.smugmug.com/photos/i-9QTs2RR/0/f1742096/O/i-9QTs2RR.jpg
  • Closeup of the BSD Section: https://twitter.com/q5sys/status/1251294290782928897

• Others jumped in with their collections:

  • Deb Goodkin's collection: https://twitter.com/dgoodkin/status/1251294016139743232 & https://twitter.com/dgoodkin/status/1251298125672660992
  • FreeBSD Frau's FreeBSD Collection: https://twitter.com/freebsdfrau/status/1251290430475350018
  • Jason Tubnor's OpenBSD Collection: https://twitter.com/Tubsta/status/1251265902214918144

Do you have a nice collection, take a picture and send it in!

Tale of OpenBSD secure memory allocator internals - malloc(3)

Hi there,

It's been a very long time I haven't written anything after my last OpenBSD blogs, that is,

OpenBSD Kernel Internals — Creation of process from user-space to kernel space.

OpenBSD: Introduction to execpromises in the pledge(2)

pledge(2): OpenBSD's defensive approach to OS Security

So, again I started reading OpenBSD source codes with debugger after reducing my sleep timings and managing to get some time after professional life. This time I have picked one of my favourite item from my wishlist to learn and share, that is, OpenBSD malloc(3), secure allocator

How I learned to stop worrying and love SSDs

my home FreeNAS runs two pools for data. One RAIDZ2 with four spinning disk drives and one mirror with two SSDs. Toying with InfluxDB and Grafana in the last couple of days I found that I seem to have a constant write load of 1 Megabyte (!) per second on the SSDs. What the ...?

So I run three VMs on the SSDs in total. One with Windows 10, two with Ubuntu running Confluence, A wiki essentially, with files for attachments and MySQL as the backend database. Clearly the writes had to stop when the wikis were not used at all, just sitting idle, right?

Well even with a full query log and quite some experience in the operation of web applications I could not figure out what Confluence is doing (productively, no doubt) but trust me, it writes a couple of hundred kbytes to the database each second just sitting idle.

My infrastructure as of 2019

I've wanted to write about my infrastructure for a while, but I kept thinking, "I'll wait until after I've done $next_thing_on_my_todo." Of course this cycle never ends, so I decided to write about its state at the end of 2019. Maybe I'll write an update on it in a couple of moons; who knows?

For something different than our usual Beastie Bits… we bring you…

We're all quarantined so lets install BSD on things! Install BSD on something this week, write it up and let us know about it, and maybe we'll feature you!

• Installation of NetBSD on a Mac Mini

• OpenBSD on the HP Envy 13

• Install NetBSD on a Vintage Computer

• BSDCan Home Lab Panel recording session: May 5th at 18:00 UTC

• Allan started a series of FreeBSD Office Hours

BSDNow is going Independent

• After being part of Jupiter Broadcasting since we started back in 2013, BSDNow is moving to become independent. We extend a very large thank you to Jupiter Broadcasting and Linux Academy for hosting us for so many years, and allowing us to bring you over 100 episodes without advertisements. What does this mean for you, the listener? Not much will change, just make sure your subscription is via the RSS feed at BSDNow.tv rather than one of the Jupiter Broadcasting feeds. We will update you with more news as things settle out.

Feedback/Questions

• Todd - LinusTechTips Claims about ZFS

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

OpenBSD on the Thinkpad X1 Carbon 7th Gen

Another year, another ThinkPad X1 Carbon, this time with a Dolby Atmos sound system and a smaller battery.
The seventh generation X1 Carbon isn't much different than the fifth and sixth generations. I opted for the non-vPro Core i5-8265U, 16Gb of RAM, a 512Gb NVMe SSD, and a matte non-touch WQHD display at ~300 nits. A brighter 500-nit 4k display is available, though early reports indicated it severely impacts battery life.
Gone are the microSD card slot on the back and 1mm of overall thickness (from 15.95mm to 14.95mm), but also 6Whr of battery (down to 51Whr) and a little bit of travel in the keyboard and TrackPoint buttons. I still very much like the feel of both of them, so kudos to Lenovo for not going too far down the Apple route of sacrificing performance and usability just for a thinner profile.
On my fifth generation X1 Carbon, I used a vinyl plotter to cut out stickers to cover the webcam, "X1 Carbon" branding from the bottom of the display, the power button LED, and the "ThinkPad" branding from the lower part of the keyboard deck.

• See link for the rest of the article

How To Install FreeBSD On A MacBook 1,1 or 2,1

• FreeBSD Setup For MacBook 1,1 and 2,1

FreeBSD with some additional setup can be installed on a MacBook 1,1 or 2,1. This article covers how to do so with FreeBSD 10-12.

• Installing

FreeBSD can be installed as the only OS on your MacBook if desired. What you should have is:

• A Mac OS X 10.4.6-10.7.5 installer. Unofficial versions modified for these MacBooks such as 10.8 also work.
• A blank CD or DVD to burn the FreeBSD image to. Discs simply work best with these older MacBooks.
• An ISO file of FreeBSD for x86. The AMD64 ISO does not boot due to the 32 bit EFI of these MacBooks.

• Burn the ISO file to the blank CD or DVD. Once done, make sure it's in your MacBook and then power off the MacBook. Turn it on, and hold down the c key until the FreeBSD disc boots.

  • See link for the rest of the guide

News Roundup

Patch for review: Kernel portion of in-kernel TLS (KTLS)

One of the projects I have been working on for the past several months in conjunction with several other folks is upstreaming work from Netflix to handle some aspects of Transport Layer Security (TLS) in the kernel. In particular, this lets a web server use sendfile() to send static content on HTTPS connections. There is a lot more detail in the review itself, so I will spare pasting a big wall of text here. However, I have posted the patch to add the kernel-side of KTLS for review at the URL below. KTLS also requires other patches to OpenSSL and nginx, but this review is only for the kernel bits. Patches and reviews for the other bits will follow later.

• https://reviews.freebsd.org/D21277

DragonFly Boot Enviroments

This is a tool inspired by the beadm utility for FreeBSD/Illumos systems that creates and manages ZFS boot environments. This utility in contrast is written from the ground up in C, this should provide better performance, integration, and extensibility than the POSIX sh and awk script it was inspired by. During the time this project has been worked on, beadm has been superseded by bectl on FreeBSD. After hammering out some of the outstanding internal logic issues, I might look at providing a similar interface to the command as bectl.

• See link for the rest of the details

Project Trident Updates

• 19.08 Available

This is a general package update to the CURRENT release repository based upon TrueOS 19.08.
Legacy boot ISO functional again
This update includes the FreeBSD fixes for the “vesa” graphics driver for legacy-boot systems. The system can once again be installed on legacy-boot systems.

• PACKAGE CHANGES FROM 19.07-U1

  • New Packages: 154
  • Deleted Packages: 394
  • Updated Packages: 4926

• 12-U3 Available

This is the third general package update to the STABLE release repository based upon TrueOS 12-Stable.

• PACKAGE CHANGES FROM STABLE 12-U2
  • New Packages: 105
  • Deleted Packages: 386
  • Updated Packages: 1046

vBSDcon

• vBSDcon 2019 will return to the Hyatt Regency in Reston, VA on September 5-7 2019. ***

Beastie Bits

• The next NYCBUG meeting will be Sept 4 @ 18:45

Feedback/Questions

• Tom - Questions
• Michael - dfbeadm
• Bostjan - Questions

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

Headlines

Optimizing TLS for high bandwidth applications

• Netflix has released a report on some of their recent activities, pushing lots of traffic through TLS on FreeBSD
• TLS has traditionally had too much overhead for the levels of bandwidth they're using, so this pdf outlines some of their strategy in optimizing it
• The sendfile() syscall (which nginx uses) isn't available when data is encrypted in userland
• To get around this, Netflix is proposing to add TLS support to the FreeBSD kernel
• Having encrypted movie streams would be pretty neat ***

Crypto in unexpected places

• OpenBSD is somewhat known for its integrated cryptography, right down to strong randomness in every place you could imagine (process IDs, TCP initial sequence numbers, etc)
• One place you might not expect crypto to be used (or even needed) is in the "ping" utility, right? Well, think again
• David Gwynne recently committed a change that adds MAC to the ping timestamp payload
• By default, it'll be filled with a ChaCha stream instead of an unvarying payload, and David says "this lets us have some confidence that the timestamp hasn't been damaged or tampered with in transit"
• Not only is this a security feature, but it should also help detect dodgy or malfunctioning network equipment going forward
• Maybe we can look forward to a cryptographically secure "echo" command next... ***

Broadwell in DragonFly

• The DragonFlyBSD guys have started a new page on their wiki to discuss Broadwell hardware and its current status
• Matt Dillon, the project lead, recently bought some hardware with this chipset, and lays out what works and what doesn't work
• The two main show-stoppers right now are the graphics and wireless, but they have someone who's already making progress with the GPU support
• Wireless support will likely have to wait until FreeBSD gets it, then they'll port it back over
• None of the BSDs currently have full Broadwell support, so stay tuned for further updates ***

DIY NAS software roundup

• In this blog post, the author compares a few different software solutions for a network attached storage device
• He puts FreeNAS, one of our favorites, up against a number of opponents - both BSD and Linux-based
• NAS4Free gets an honorable mention as well, particularly for its lower hardware requirements and sleek interface
• If you've been thinking about putting together a NAS, but aren't quite comfortable enough to set it up by yourself yet, this article should give you a good view of the current big names
• Some competition is always good, gotta keep those guys on their toes ***

Interview - Antoine Jacoutot - ajacoutot@openbsd.org / @ajacoutot

OpenBSD at M:Tier, business adoption of BSD, various topics

News Roundup

OpenBSD on DigitalOcean

• When DigitalOcean rolled out initial support for FreeBSD, it was a great step in the right direction - we hoped that all the other BSDs would soon follow
• This is not yet the case, but a blog article here has details on how you can install OpenBSD (and likely the others too) on your VPS
• Using a -current snapshot and some swapfile trickery, it's possible to image an OpenBSD ramdisk installer onto an unmounted portion of the virtual disk
• After doing so, you just boot from their web UI-based console and can perform a standard installation
• You will have to pay special attention to some details of the disk layout, but this article takes you through the entire process step by step ***

Initial ARM64 support lands in FreeBSD

• The ARM64 architecture, sometimes called ARMv8 or AArch64, is a new generation of CPUs that will mostly be in embedded devices
• FreeBSD has just gotten support for this platform in the -CURRENT branch
• Previously, it was only the beginnings of the kernel and enough bits to boot in QEMU - now a full build is possible
• Work should now start happening in the main source code tree, and hopefully they'll have full support in a branch soon ***

Scripting with least privilege

• A new scripting language with a focus on privilege separation and running with only what's absolutely needed has been popular in the headlines lately
• Shell scripts are used everywhere today: startup scripts, orchestration scripts for mass deployment, configuring and compiling software, etc.
• Shill aims to answer the questions "how do we limit the authority of scripts" and "how do we determine what authority is necessary" by including a declarative security policy that's checked and enforced by the language runtime
• If used on FreeBSD, Shill will use Capsicum for sandboxing
• You can find some more of the technical information in their documentation pdf or watch their USENIX presentation video
• Hacker News also had some discussion on the topic ***

OpenBSD first impressions

• A brand new BSD user has started documenting his experience through a series of blog posts
• Formerly a Linux guy, he's tried out FreeBSD and OpenBSD so far, and is currently working on an OpenBSD desktop
• The first post goes into why he chose BSD at all, why he's switching away from Linux, how the initial transition has been, what you'll need to relearn and what he's got planned going forward
• He's only been using OpenBSD for a few days as of the time this was written - we don't usually get to hear from people this early in on their BSD journey, so it offers a unique perspective ***

PCBSD and 4K oh my!

• Yesterday, Kris got ahold of some 4K monitor hardware to test PC-BSD out
• The short of it - It works great!
• Minor tweaks being made to some of the PC-BSD defaults to better accommodate 4K out of box
• This particular model monitor ships with DisplayPort set to 1.1 mode only, switching it to 1.2 mode enables 60Hz properly ***

Feedback/Questions

• Darin writes in
• Mitch writes in ***

Discussion

Comparison of BSD release cycles

• FreeBSD, OpenBSD, NetBSD and DragonFlyBSD ***

This episode was brought to you by

Headlines

EuroBSDCon 2015 call for papers

• The call for papers has been announced for the next EuroBSDCon, which is set to be held in Sweden this year
• According to their site, the call for presentation proposals period will start on Monday the 23rd of March until Friday the 17th of April
• If giving a full talk isn't your thing, there's also a call for tutorials - if you're comfortable teaching other people about something BSD-related, this could be a great thing too
• You're not limited to one proposal - several speakers gave multiple in 2014 - so don't hesitate if you've got more than one thing you'd like to talk about
• We'd like to see a more balanced conference schedule than BSDCan's having this year, but that requires effort on both sides - if you're doing anything cool with any BSD, we'd encourage you submit a proposal (or two)
• Check the announcement for all the specific details and requirements
• If your talk gets accepted, the conference even pays for your travel expenses ***

Making security sausage

• Ted Unangst has a new blog post up, detailing his experiences with some recent security patches both in and out of OpenBSD
• "Unfortunately, I wrote the tool used for signing patches which somehow turned into a responsibility for also creating the inputs to be signed. That was not the plan!"
• The post first takes us through a few OpenBSD errata patches, explaining how some can get fixed very quickly, but others are more complicated and need a bit more review
• It also covers security in upstream codebases, and how upstream projects sometimes treat security issues as any other bug
• Following that, it leads to the topic of FreeType - and a much more complicated problem with backporting patches between versions
• The recent OpenSSL vulnerabilities were also mentioned, with an interesting story to go along with them
• Just 45 minutes before the agreed-upon announcement, OpenBSD devs found a problem with the patch OpenSSL planned to release - it had to be redone at the last minute
• It was because of this that FreeBSD actually had to release a security update to their security update
• He concludes with "My number one wish would be that every project provide small patches for security issues. Dropping enormous feature releases along with a note 'oh, and some security too' creates downstream mayhem." ***

Running FreeBSD on the server, a sysadmin speaks

• More BSD content is appearing on mainstream technology sites, and, more importantly, BSD Now is being mentioned
• ITWire recently did an interview with Allan about running FreeBSD on servers (possibly to go with their earlier interview with Kris about desktop usage)
• They discuss some of the advantages BSD brings to the table for sysadmins that might be used to Linux or some other UNIX flavor
• It also covers specific features like jails, ZFS, long-term support, automating tasks and even… what to name your computers
• If you've been considering switching your servers over from Linux to FreeBSD, but maybe wanted to hear some first-hand experience, this is the article for you ***

NetBSD ported to Hardkernel ODROID-C1

• In their never-ending quest to run on every new board that comes out, NetBSD has been ported to the Hardkernel ODROID-C1
• This one features a quad-core ARMv7 CPU at 1.5GHz, has a gig of ram and gigabit ethernet... all for just $35
• There's a special kernel config file for this board's hardware, available in both -current and the upcoming 7.0
• More info can be found on their wiki page
• After this was written, basic framebuffer console support was also committed, allowing a developer to run XFCE on the device ***

Interview - Bernard Spil - brnrd@freebsd.org / @sp1l

LibreSSL adoption in FreeBSD ports and the wider software ecosystem

News Roundup

Monitoring pf logs with Gource

• If you're using pf on any of the BSDs, maybe you've gotten bored of grepping logs and want to do something more fancy
• This article will show you how to get set up with Gource for a cinematic-like experience
• If you've never heard of Gource, it's "an OpenGL-based 3D visualization tool intended for visualizing activity on source control repositories"
• When you put all the tools together, you can end up with some pretty eye-catching animations of your firewall traffic
• One of our listeners wrote in to say that he set this up and, almost immediately, noticed his girlfriend's phone had been compromised - graphical representations of traffic could be useful for detecting suspicious network activity ***

pkgng 1.5.0 alpha1 released

• The development version of pkgng was updated to 1.4.99.14, or 1.5.0 alpha1
• This update introduces support for provides/requires, something that we've been wanting for a long time
• It will also now print which package is the reason for direct dependency change
• Another interesting addition is the "pkg -r" switch, allowing cross installation of packages
• Remember this isn't the stable version, so maybe don't upgrade to it just yet on any production systems
• DragonFly will also likely pick up this update once it's marked stable ***

Welcome to OpenBSD

• We mentioned last week that our listener Brian was giving a talk in the Troy, New York area
• The slides from that talk are now online, and they've been generating quite a bit of discussion online
• It's simply titled "Welcome to OpenBSD" and gives the reader an introduction to the OS (and how easy it is to get involved with contributing)
• Topics include a quick history of the project, who the developers are and what they do, some proactive security techniques and finally how to get involved
• As you may know, NetBSD has almost 60 supported platforms and their slogan is "of course it runs NetBSD" - Brian says, with 17 platforms over 13 CPU architectures, "it probably runs OpenBSD"
• No matter which BSD you might be interested in, these slides are a great read, especially for any beginners looking to get their feet wet
• Try to guess which font he used... ***

BSDTalk episode 252

• And somehow Brian has snuck himself into another news item this week
• He makes an appearance in the latest episode of BSD Talk, where he chats with Will about running a BSD-based shell provider
• If that sounds familiar, it's probably because we did the same thing, albeit with a different member of their team
• In this interview, they discuss what a shell provider does, hardware requirements and how to weed out the spammers in favor of real people
• They also talk a bit about the community aspect of a shared server, as opposed to just running a virtual machine by yourself ***

Feedback/Questions

• Christian writes in
• Stefan writes in
• Possnfiffer writes in
• Ruudsch writes in
• Shane writes in ***

Mailing List Gold

• Accidental support
• Larry's tears
• The boy who sailed with BSD ***

This episode was brought to you by

Headlines

Password gropers take spamtrap bait

• Our friend Peter Hansteen, who keeps his eyes glued to his log files, has a new blog post
• He seems to have discovered another new weird phenomenon in his pop3 logs
• "yes, I still run one, for the same bad reasons more than a third of my readers probably do: inertia"
• Someone tried to log in to his service with an address that was known to be invalid
• The rest of the post goes into detail about his theory of why someone would use a list of invalid addresses for this purpose ***

Inside the Atheros wifi chipset

• Adrian Chadd - sometimes known in the FreeBSD community as "the wireless guy" - gave a talk at the Defcon Wireless Village 2014
• He covers a lot of topics on wifi, specifically on Atheros chips and why they're so popular for open source development
• There's a lot of great information in the presentation, including cool (and evil) things you can do with wireless cards
• Very technical talk; some parts might go over your head if you're not a driver developer
• The raw video file is also available to download on archive.org
• Adrian has also recently worked on getting Kismet and Aircrack-NG to work better with FreeBSD, including packet injection and other fun things ***

Trip report and hackathon mini-roundup

• A few more (late) reports from BSDCan and the latest OpenBSD hackathon have been posted
• Mark Linimon mentions some of the future plans for FreeBSD's release engineering and ports
• Bapt also has a BSDCan report detailing his work on ports and packages
• Antoine Jacoutot writes about his work at the most recent hackathon, working with rc configuration and a new /etc/examples layout
• Peter Hessler, a latecomer to the hackathon, details his experience too, hacking on the installer and built-in upgrade function
• Christian Weisgerber talks about starting some initial improvements of OpenBSD's ports infrastructure ***

DragonFly BSD 3.8.2 released

• Although it was already branched, the release media is now available for DragonFly 3.8.2
• This is a minor update, mostly to fix the recent OpenSSL vulnerabilities
• It also includes some various other small fixes ***

Interview - Eric Le Blan - info@xinuos.com

Xinuos' recent FreeBSD integration, BSD in the commercial server space

Tutorial

Building a hardened, feature-rich webserver

News Roundup

Defend your network and privacy, FreeBSD version

• Back in episode 39, we covered a blog post about creating an OpenBSD gateway - partly based on our tutorial
• This is a follow-up post, by the same author, about doing a similar thing with FreeBSD
• He mentions some of the advantages and disadvantages between the two operating systems, and encourages users to decide for themselves which one suits their needs
• The rest is pretty much the same things: firewall, VPN, DHCP server, DNSCrypt, etc. ***

Don't encrypt all the things

• Another couple of interesting blog posts from Ted Unangst about encryption
• It talks about how Google recently started ranking sites with HTTPS higher in their search results, and then reflects on how sometimes encryption does more harm than good
• After heartbleed, the ones who might be able to decrypt your emails went from just a three-letter agency to any script kiddie
• He also talks a bit about some PGP weaknesses and a possible future replacement
• He also has another, similar post entitled "in defense of opportunistic encryption" ***

New automounter lands in FreeBSD

• The work on the new automounter has just landed in 11-CURRENT
• With help from the FreeBSD Foundation, we'll have a new "autofs" kernel option
• Check the SVN viewer online to read over the man pages if you're not running -CURRENT
• You can also read a bit about it in the recent newsletter ***

OpenSSH 6.7 CFT

• It's been a little while since the last OpenSSH release, but 6.7 is almost ready
• Our friend Damien Miller issued a call for testing for the upcoming version, which includes a fair amount of new features
• It includes some old code removal, some new features and some internal reworkings - we'll cover the full list in detail when it's released
• This version also officially supports being built with LibreSSL now
• Help test it out and report any findings, especially if you have access to something a little more exotic than just a BSD system ***

Feedback/Questions

• David writes in
• Lachlan writes in
• Francis writes in
• Frank writes in
• Sean writes in ***

This episode was brought to you by

Headlines

MeetBSD 2014 is approaching

• The MeetBSD conference is coming up, and will be held on November 1st and 2nd in San Jose, California
• MeetBSD has an "unconference" format, which means there will be both planned talks and community events
• All the extra details will be on their site soon
• It also has hotels and various other bits of useful information - hopefully with more info on the talks to come
• Of course, EuroBSDCon is coming up before then ***

First experiences with OpenBSD

• A new blog post that leads off with "tired of the sluggishness of Windows on my laptop and interested in experimenting with a Unix-like that I haven't tried before"
• The author read the famous "BSD for Linux users" series (that most of us have surely seen) and decided to give BSD a try
• He details his different OS and distro history, concluding with how he "eventually became annoyed at the poor quality of Linux userland software"
• From there, it talks about how he used the OpenBSD USB image and got a fully-working system
• He especially liked the simplicity of OpenBSD's "hostname.if" system for network configuration
• Finally, he gets Xorg working and imports all his usual configuration files - seems to be a happy new user! ***

NetBSD rump kernels on bare metal (and Kansai OSC report)

• When you're developing a new OS or a very specialized custom solution, working drivers become one of the hardest things to get right
• However, NetBSD's rump kernels - a very unique concept - make this process a lot easier
• This blog post talks about the process of starting with just a rump kernel and expanding into an internet-ready system in just a week
• Also have a look back at episode 8 for our interview about rump kernels and what exactly they do
• While on the topic of NetBSD, there were also a couple of very detailed reports (with lots of pictures!) of the various NetBSD-themed booths at the 2014 Kansai Open Source Conference that we wanted to highlight ***

OpenSSL and LibreSSL updates

• OpenSSL pushed out a few new versions, fixing multiple vulnerabilities (nine to be precise!)
• Security concerns include leaking memory, possible denial of service, crashing clients, memory exhaustion, TLS downgrades and more
• LibreSSL released a new version to address most of the vulnerabilities, but wasn't affected by some of them
• Whichever version of whatever SSL you use, make sure it's patched for these issues
• DragonFly and OpenBSD are patched as of the time of this recording but, even after a week, NetBSD and FreeBSD are not (outside of -CURRENT) ***

Interview - Robert Watson - rwatson@freebsd.org

FreeBSD architecture, security research techniques, exploit mitigation

Tutorial

Protecting traffic with a BSD-based VPN

News Roundup

A FreeBSD-based CGit server

• If you use git (like a certain host of this show) then you've probably considered setting up your own server
• This article takes you through the process of setting up a jailed git server, complete with a fancy web frontend
• It even shows you how to set up multiple repos with key-based user separation and other cool things
• The author of the post is also a listener of the show, thanks for sending it in! ***

Backup devices for small businesses

• In this article, different methods of data storage and backup are compared
• After weighing the various options, the author comes to an obvious conclusion: FreeNAS is the answer
• He praises FreeNAS and the FreeNAS Mini for their tight integration, rock solid FreeBSD base and the great ZFS featureset that it offers
• It also goes over some of the hardware specifics in the FreeNAS Mini ***

A new Xenocara interview

• As a follow up to last week's OpenSMTPD interview, this Russian blog interviews Matthieu Herrb about Xenocara
• If you're not familiar with Xenocara, it's OpenBSD's version of Xorg with some custom patches
• In this interview, he discusses how large and complex the upstream X11 development is, how different components are worked on by different people, how they test code (including a new framework) and security auditing
• Matthieu is both a developer of upstream Xorg and an OpenBSD developer, so it's natural for him to do a lot of the maintainership work there ***

Building a high performance FreeBSD samba server

• If you've got to PXE boot several hundred Windows boxes to upgrade from XP to 7, what's the best solution?
• FreeBSD, ZFS and Samba obviously!
• The master image and related files clock in at over 20GB, and will be accessed at the same time by all of those clients
• This article documents that process, highlighting some specific configuration tweaks to maximize performance (including NIC bonding)
• It doesn't even require the newest or best hardware with the right changes, pretty cool ***

Feedback/Questions

• An interesting Reddit thread (or two)
• PB writes in
• Sean writes in
• Steve writes in
• Lachlan writes in
• Justin writes in ***

This episode was brought to you by

Headlines

FreeBSD foundation semi-annual newsletter

• The FreeBSD foundation published their semi-annual newsletter, complete with a letter from the president of the foundation
• "In fact after reading [the president's] letter, I was motivated to come up with my own elevator pitch instead of the usual FreeBSD is like Linux, only better!"
• It talks about the FreeBSD journal as being one of the most exciting things they've launched this year, conferences they funded and various bits of sponsored code that went into -CURRENT
• The full list of funded projects is included, also with details in the financial reports
• There are also a number of conference wrap-ups: NYCBSDCon, BSDCan, AsiaBSDCon and details about the upcoming EuroBSDCon

This episode was brought to you by

Headlines

pfSense 2.1.4 released

• The pfSense team has released 2.1.4, shortly after 2.1.3 - it's mainly a security release
• Included within are eight security fixes, most of which are pfSense-specific
• OpenSSL, the WebUI and some packages all need to be patched (and there are instructions on how to do so)
• It also includes a large number of various other bug fixes
• Update all your routers! ***

DragonflyBSD's pf gets SMP

• While we're on the topic of pf...
• Dragonfly patches their old[er than even FreeBSD's] pf to support multithreading in many areas
• Stemming from a user's complaint, Matthew Dillon did his own work on pf to make it SMP-aware
• Altering your configuration's ruleset can also help speed things up, he found
• When will OpenBSD, the source of pf, finally do the same? ***

ChaCha usage and deployment

• A while back, we talked to djm about some cryptography changes in OpenBSD 5.5 and OpenSSH 6.5
• This article is sort of an interesting follow-up to that, showing which projects have adopted ChaCha20
• OpenSSH offers it as a stream cipher now, OpenBSD uses it for it's random number generator, Google offers it in TLS for Chromium and some of their services and lots of other projects seem to be adopting it
• Both Google's fork of OpenSSL and LibReSSL have upcoming implementations, while vanilla OpenSSL does not
• Unfortunately, this article has one mistake: FreeBSD does not use it - they still use the broken RC4 algorithm ***

BSDMag June 2014 issue

• The monthly online BSD magazine releases their newest issue
• This one includes the following articles: TLS hardening, setting up a package cluster in MidnightBSD, more GIMP tutorials, "saving time and headaches using the robot framework for testing," an interview and an article about the increasing number of security vulnerabilities
• The free pdf file is available for download as always ***

Interview - Craig Rodrigues - rodrigc@freebsd.org

FreeBSD's continuous testing infrastructure

Tutorial

Creating pre-patched OpenBSD ISOs

News Roundup

Preauthenticated decryption considered harmful

• Responding to a post from Adam Langley, Ted Unangst talks a little more about how signify and pkg_add handle signatures
• In the past, the OpenBSD installer would pipe the output of ftp straight to tar, but then verify the SHA256 at the end - this had the advantage of not requiring any extra disk space, but raised some security concerns
• With signify, now everything is fully downloaded and verified before tar is even invoked
• The pkg_add utility works a little bit differently, but it's also been improved in this area - details in the post
• Be sure to also read the original post from Adam, lots of good information ***

FreeBSD 9.3-RC2 is out

• As the -RELEASE inches closer, release candidate 2 is out and ready for testing
• Since the last one, it's got some fixes for NIC drivers, the latest file and libmagic security fixes, some serial port workarounds and various other small things
• The updated bsdconfig will use pkgng style packages now too
• A lesser known fact: there are also premade virtual machine images you can use too ***

pkgsrcCon 2014 wrap-up

• In what may be the first real pkgsrcCon article we've ever had!
• Includes wrap-up discussion about the event, the talks, the speakers themselves, what they use pkgsrc for, the hackathon and basically the whole event
• Unfortunately no recordings to be found... ***

PostgreSQL FreeBSD performance and scalability

• FreeBSD developer kib@ writes a report on PostgreSQL on FreeBSD, and how it scales
• On his monster 40-core box with 1TB of RAM, he runs lots of benchmarks and posts the findings
• Lots of technical details if you're interested in getting the best performance out of your hardware
• It also includes specific kernel options he used and the rest of the configuration
• If you don't want to open the pdf file, you can use this link too ***

Feedback/Questions

• James writes in
• Klemen writes in
• John writes in
• Brad writes in
• Adam writes in ***

This episode was brought to you by

Headlines

BSDCan schedule, speakers and talks

• This year's BSDCan will kick off on May 14th in Ottawa
• The list of speakers is also out
• And finally the talks everyone's looking forward to
• Lots of great tutorials and talks, spanning a wide range of topics of interest
• Be sure to come by so you can and meet Allan and Kris in person and get BSDCan shirts ***

NYCBSDCon talks uploaded

• The BSD TV YouTube channel has been uploading recordings from the 2014 NYCBSDCon
• Jeff Rizzo's talk, "Releasing NetBSD: So Many Targets, So Little Time"
• Dru Lavigne's talk, "ZFS Management Tools in FreeNAS and PC-BSD"
• Scott Long's talk, "Serving one third of the Internet via FreeBSD"
• Michael W. Lucas' talk, "BSD Breaking Barriers" ***

FreeBSD Journal, issue 2

• The bi-monthly FreeBSD journal's second issue is out
• Topics in this issue include pkg, poudriere, the PBI format, hwpmc and journaled soft-updates
• In less than two months, they've already gotten over 1000 subscribers! It's available on Google Play, iTunes, Amazon, etc
• "We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD"
• Check our interview with GNN for more information about the journal ***

OpenSSL, more like OpenSS-Hell

• We mentioned this huge OpenSSL bug last week during all the chaos, but the aftermath is just as messy
• There's been a pretty vicious response from security experts all across the internet and in all of the BSD projects - and rightfully so
• We finally have a timeline of events
• Reactions from ISC, PCBSD, Tarsnap, the Tor project, FreeBSD, NetBSD, oss-sec, PHK, Varnish and Akamai
• pfSense released a new version to fix it
• OpenBSD disabled heartbeat entirely and is very unforgiving of the IETF
• Ted Unangst has two good write-ups about the issue and how horrible the OpenSSL codebase is
• A nice quote from one of the OpenBSD lists: "Given how trivial one-liner fixes such as #2569 have remained unfixed for 2.5+ years, one can only assume that OpenSSL's bug tracker is only used to park bugs, not fix them"
• Sounds like someone else was having fun with the bug for a while too
• There's also another OpenSSL bug that OpenBSD patched - it allows an attacker to inject data from one connection into another
• OpenBSD has also imported the most current version of OpenSSL and are ripping it apart from the inside out - we're seeing a fork in real time ***

Interview - Jim Brown - info@bsdcertification.org

The BSD Certification exams

Tutorial

Building OpenBSD binary packages in bulk

News Roundup

Portable signify

• Back in episode 23 we talked with Ted Unangst about the new "signify" tool in OpenBSD
• Now there's a (completely unofficial) portable version of it on github
• If you want to verify your OpenBSD sets ahead of time on another OS, this tool should let you do it
• Maybe other BSD projects can adopt it as a replacement for gpg and incorporate it into their base systems ***

Foundation goals and updates

• The OpenBSD foundation has reached their 2014 goal of $150,000
• You can check their activities and goals to see where the money is going
• Remember that funding also goes to OpenSSH, which EVERY system uses and relies on everyday to protect their data
• The FreeBSD foundation has kicked off their spring fundraising campaign
• There's also a list of their activities and goals available to read through
• Be sure to support your favorite BSD, whichever one, so they can continue to make and improve great software that powers the whole internet ***

PCBSD weekly digest

• New PBI runtime that fixes stability issues and decreases load times
• "Update Center" is getting a lot of development and improvements
• Lots of misc. bug fixes and updates ***

Feedback/Questions

• There's a reddit thread we wanted to highlight - a user wants to show his friend BSD and why it's great
• Brad writes in
• Sha'ul writes in
• iGibbs writes in
• Matt writes in ***