
BSD Now
663 episodes — Page 12 of 14

113: What’s Next for BSD?
Coming up on this week’s episode, we have an interview. This episode was brought to you by iXsystems, DigitalOcean and Tarsnap.

iXsystems Mission Complete
- Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes and have your story featured in the FreeBSD Journal!

***

Headlines

OpenBSD 5.8 is released on the 20th birthday of the OpenBSD project
- 5.8 has landed, just in time for the 20th birthday of OpenBSD, Oct 18th
- A long list of changes can be found in the release announcement, but here’s a small scattering of them
- Drivers for new hardware, such as:
  - rtwn = Realtek RTL8188CE wifi
  - hpb = HyperTransport bridge in IBM CPC945
- Improved sensor support for the upd driver (USB power devices)
- Jumbo frame support in the re driver, using RTL8168C/D/E/F/G and RTL8411
- Updates to the installer, improved autoinstall, and questions about SSH setup
- sudo in base has been replaced with “doas”; sudo moved to the package tree
- New file(1) command with sandboxing and privilege separation
- The tame(2) API (work in progress)
- Improvements to the httpd(8) daemon, such as support for Lua pattern-matching redirections
- Bugfixes and security updates to OpenSMTPD 5.4.4
- LibreSSL security fixes; removed SSLv3 support from openssl(1) (still working on nuking SSLv3 from all ports)
- And much more, too much to mention here; read the notes for all the gory details!

OpenBSD Developer Interviews
- To go along with the 20th birthday, we have a whole slew of new interviews brought to us by the beastie.pl team. English and Polish are both provided, so be sure not to miss these!
- Dmitrij D. Czarkoff
- Vadim Zhukov
- Marc Espie
- Bryan Steele
- Ingo Schwarze
- Gilles Chehade

Jean-Sébastien Pédron has submitted a call for testing of the new Intel i915 driver
- A very eagerly awaited feature, Haswell GPU support, has begun the testing process
- The main developer, Jean-Sébastien Pédron ([email protected]), is looking for users to test the patch, both those with older supported cards (Sandybridge, Ivybridge) that are currently working, and users with Haswell devices that have, until now, not been supported
- Included is a link to the wiki with instructions on how to enable debugging and grab the updated branch of FreeBSD with the graphical improvements
- Jean-Sébastien is calling for testers to send results, both good and bad, to the freebsd-x11 mailing list
- For those who want an “out of the box” solution, the next PC-BSD 11.0-CURRENT November images will include these changes as well

How to install FreeBSD on a Raspberry Pi 2
- We have a nice walkthrough this week on how to install FreeBSD, either 10 or 11-CURRENT, on a RPi 2!
- The walkthrough shows us how to use OS X to copy the image to an SD card, then boot it. In this case, he uses a USB-to-serial cable to capture output with screen
- This is a pretty quick way for users sitting on a RPi 2 to get up and running with FreeBSD

Interview - Jordan Hubbard - [email protected]
NextBSD | NextBSD GitHub

Beastie Bits
- OpenBSD's source tree turned 20 on October 18th
- GhostBSD working on a graphical ZFS configuration utility
- EuroBSDcon 2014 videos finally online
- Postdoctoral research position at Memorial University is open
- NetBSD Security Advisory: TCP LAST_ACK memory exhaustion, reported by Netflix and Juniper
- DesktopBSD making a comeback?

Feedback/Questions
- Steve
- Ben
- Frank
- Tyler

112: Tracing the source
This week Allan is away at a ZFS conference, so it seems. This episode was brought to you by iXsystems, DigitalOcean and Tarsnap.

Headlines

pfSense 2.3 alpha snapshots available
- pfSense 2.3 features and changes
- The entire front end has been rewritten
- Upgrade of base OS to FreeBSD 10-STABLE
- The PPTP server component has been removed
- PBIs have been replaced with pkg
- PHP upgraded to 5.6
- The web interface has been converted to Bootstrap

***

BSDMag October 2015 out
- A Look at the New PC-BSD 10.2 - Kris Moore
- Basis Of The Lumina Desktop Environment 18 - Ken Moore
- A Secure Webserver on FreeBSD with Hiawatha - David Carlier
- Defeating CryptoLocker Attacks with ZFS - Michael Dexter
- Emerging Technology Has Increasingly Been a Force for Both Good and Evil - Rob Somerville
- Interviews with: Dru Lavigne, Luca Ferrari, Oleksandr Rybalko

***

OPNsense 15.7.14 released
- Another update to OPNsense has landed! One of the notable takeaways this time is that it isn’t a security update
- Major rework of the firewall rules sections, including the rules, schedules, virtual IP, NAT and aliases pages
- Latest BIND and Squid packages
- Improved configuration management, including fixes to importing an old config file. New location for configuration history / backups.

***

OpenBSD in Toyota Highlander
- Images
- While looking through the ‘Software Information’ screen of a Toyota Highlander, Chad Dougherty of the ACM found a bunch of OpenBSD copyright notices
- At least one of which I recognize as OpenCrypto, because of the comment about “transforms”
- It is likely that the vehicle is running QNX, which contains various bits of BSD
- QNX: Third Party License Terms List version 2.17
- Some highlights:
  - Robert N. M. Watson (FreeBSD)
  - TrustedBSD Project (FreeBSD)
  - NetBSD Foundation
  - NASA Ames Research Center (NetBSD)
  - Damien Miller (OpenBSD)
  - Theo de Raadt (OpenBSD)
  - Sony Computer Science Laboratories Inc.
  - Bob Beck (OpenBSD)
  - Christos Zoulas (NetBSD)
  - Markus Friedl (OpenBSD)
  - Henning Brauer (OpenBSD)
  - Network Associates Technology, Inc. (FreeBSD)
  - 100s of others
- OpenSSH seems to be included
- It also seems to contain tcpdump for some reason

Interview - Adam Leventhal - [email protected] / @ahl
ZFS and DTrace

Beastie Bits
- isboot, an iSCSI boot driver for FreeBSD 9 and 10
- tame() is now called pledge()
- Interview with NetBSD developer Leonardo Taccari
- FuguIta releases LiveCD based on OpenBSD 5.8
- DTrace toolkit gets an update and is imported into NetBSD
- An older article about how to do failover / load-balancing in pfSense

Feedback/Questions
- Michael writes in
- Possniffer writes in
- Erno writes in

***

111: Xenocratic Oath
Coming up on this week’s episode, we have BSD news, tidbits and articles out the wazoo to share. Also, be sure to stick around for our interview with Brandon Mercer as he tells us about OpenBSD being used in the healthcare industry. This episode was brought to you by

Headlines

NetBSD 7.0 Release Announcement
- DRM/KMS support brings accelerated graphics to x86 systems using modern Intel and Radeon devices (Linux 3.15)
- Multiprocessor ARM support. Support for many new ARM boards, including the Raspberry Pi 2 and BeagleBone Black
- Major NPF improvements:
  - BPF with just-in-time (JIT) compilation by default
  - support for dynamic rules
  - support for static (stateless) NAT
  - support for IPv6-to-IPv6 Network Prefix Translation (NPTv6) as per RFC 6296
  - support for CDB based tables (uses perfect hashing and guarantees lock-free O(1) lookups)
- Multiprocessor support in the USB subsystem.
- GPT support in sysinst via the extended partitioning menu.
- Lua kernel scripting
- GCC 4.8.4, which brings support for C++11
- Experimental support for SSD TRIM in wd(4) and FFS
- tetris(6): Add colours and a 'down' key, defaulting to 'n'. It moves the block down a line, if it fits.

***

CloudFlare develops interesting new netmap feature
- Normally, when netmap is enabled on an interface, the kernel is bypassed and all of the packets go to the netmap consumers
- CloudFlare has developed a feature that allows all but one of the RX queues to remain connected to the kernel, and only a single queue to be passed to netmap
- The change is a simple modification to the nm_open API, allowing the application to open only a specific queue of the NIC, rather than the entire thing
- The RSS or other hashing must be modified to not direct traffic to this queue
- Then specific flows are directed to the netmap application for matching traffic
- For example, under Linux:
    ethtool -X eth3 weight 1 1 1 1 0 1 1 1 1 1
    ethtool -K eth3 lro off gro off
    ethtool -N eth3 flow-type udp4 dst-port 53 action 4
  directs all name server traffic to NIC queue number 4
- Currently there is no tool like ethtool to accomplish the same under FreeBSD
- I wonder if the flows could be identified more specifically using something like ipfw-netmap

***

Building your own OpenBSD based mail server! (part 2, part 3)
- The UK Register gives us a great writeup on getting your own mail server set up, specifically on OpenBSD 5.7
- In this article they used a mini PC, the Acer Revo One RL85, which is a decently priced little box for a mail server
- While a bit lengthy in 3 parts, it does provide a good walkthrough of getting OpenBSD set up, and Postfix and Dovecot configured and working. In the final installment it also provides details on spam filtering and antivirus scanning.

Getting started with the UEFI bootloader on OpenBSD
- If you've been listening over the past few weeks, you've heard about OpenBSD's new UEFI bootloader. We now have a blog post with detailed instructions on how to get set up with this on your own system.
- The initial setup is pretty straightforward, and should only take a few minutes at most. It involves the usual fdisk commands to create a FAT EFI partition, and placing the bootx64.efi file in the correct location.
- As a bonus, we even get instructions on how to enable the frame-buffer driver on systems without native Intel video support (ThinkPad x250 in this example)

***

Recipe for building a 10Mpps FreeBSD based router
- Olivier (of FreeNAS and BSD Router Project fame) treats us this week to a neat blog post about building your own high-performance 10Mpps FreeBSD router
- As he first mentions, the hardware required will need to be beefy; no $200 mini PC here. In his setup he uses an 8 core Intel Xeon E5-2650, along with a quad port 10 Gigabit Chelsio TS540-CR.
- He mentions that this doesn't quite work on stock FreeBSD yet; you will need to pull code in from the projects/routing branch, which fixes an issue with scaling on cores. In this case he is shrinking the NIC queues down to 4 from 8.
- If you don't feel like doing the compiles yourself, he also includes links to experimental BSD Router Project images which he used to do the benchmarks
- Bonus! Nice graphic of the benchmarks from enabling IPFW or PF and what that does to the performance.

***

Interview - Brandon Mercer - [email protected] / @knowmercymod
OpenBSD in Healthcare
- Sorry about the audio quality degradation. The last 7 or 8 minutes of the interview had to be cut, due to a problem with the software that captures the audio from Skype and adds it to our compositor. My local monitor is analogue and did not experience the issue, so I was unaware of it during the recording

***

News Roundup

Nvidia releases new beta FreeBSD driver along with new kernel module
- Includes a new kernel module, nvidia-modeset.ko
- While this module does NOT have any user-settable features, it works with the existing nvidia.ko to provide kernel mode setting (KMS) used by the integrated DRM within the kernel.
- The beta adds support for 805A and 960A Nvidia cards
- Also fixes a me

110: Firmware Fights
This week on BSD Now, we get to hear all of Allan's post-EuroBSDCon wrap-up and a great interview with Benno Rice from Isilon. We got to discuss some of the pain of doing major forklift upgrades, and why your business should track -CURRENT. This episode was brought to you by

Headlines

EuroBSDCon Videos
- EuroBSDCon has started posting videos of the talks online already.
- The videos posted online are archives of the live stream, so some of the videos contain multiple talks
- Due to a technical complication, some videos only have 1 channel of audio
- EuroBSDCon Talk Schedule
- Red Room Videos
- Yellow Room Videos
- Blue Room Videos
- Photos of the conference courtesy of Ollivier Robert

***

A series of OpenSMTPD patches fix multiple vulnerabilities
- Qualys recently published an audit of the OpenSMTPD source code
- The fixes for these vulnerabilities were released as 5.7.2
- After its release, two additional vulnerabilities were found. One, in the portable version, was in newer code that was added after the audit started
- All users are strongly encouraged to upgrade to 5.7.3
- OpenBSD users should apply the latest errata or upgrade to the newest snapshot

***

FreeBSD updates in -CURRENT
- Looks like Xen header support has been bumped in FreeBSD from 4.2 -> 4.6
- It also enables support for ARM
- Update to Clang / LLVM 3.7.0: http://llvm.org/releases/3.7.0/docs/ReleaseNotes.html
- ZFS gets FRU (field replaceable unit) tracking
- OpenCL makes its way into the ports tree
- bhyve has grown UEFI support, plus a CSM module
- bhyve can now boot Windows
- Currently there is still only a serial console, so the post includes an unattended install .xml file and instructions on how to repack the ISO. Once Windows is installed, you can RDP into the machine
- bhyve can also now run illumos

***

OpenBSD Initial Support for Broadwell Graphics
- OpenBSD joins DragonFly now with initial support for Broadwell GPUs landing in their development branch
- This brings OpenBSD up to Linux 3.14.52 DRM, and Mark Kettenis mentions that it isn't perfect yet, and may cause some issues with older hardware, although no major regressions yet

***

OpenBSD Slides for TAME and libTLS APIs
- The first set of slides are from a talk Theo de Raadt gave in Croatia; they describe the history and impetus for tame
- Theo specifically avoids comparisons to other sandboxing techniques like Capsicum and seccomp, because he is not impartial
- tame() itself is only about 1200 lines of code
- Sandboxing the file(1) command with systrace: 300 lines of code; with tame: 4 lines
- Theo makes the point that “optional security” is irrelevant. If a mitigation feature has a knob to turn it off, some program will break and advise users to turn the feature off. Eventually, no one uses the feature, and it dies
- This has led to OpenBSD's policy: “Once working, these features cannot be disabled. Application bugs must be fixed.”
- The second talk is by Bob Beck, about LibreSSL
- When LibreSSL was forked from OpenSSL 1.0.1g, it contained 388,000 lines of C code
- 30 days into LibreSSL, they had deleted 90,000 lines of C
- OpenSSL 1.0.2d has 432,000 lines of C (728k total), and OpenSSL current has 411,000 lines of C (over 1 million total)
- LibreSSL today contains 297,000 lines of C (511k total)
- None of the high risk CVEs against OpenSSL (there have been 5) have affected LibreSSL. It turns out removing old code and unneeded features is good for security.
- The talk focuses on libtls, an alternative to the OpenSSL API, designed to be easier to use and less error prone
- In the libtls API, if -1 is returned, it is always an error. In OpenSSL, it might not be an error; additional code is needed to check errno
- In OpenBSD: ftp, nc, ntpd, httpd, spamd and syslog have been converted to the new API
- The OpenBSD Foundation is looking for donations in order to sponsor 2-3 developers to spend 6 months dedicated to LibreSSL

***

Interview - Benno Rice - [email protected] / @jeamland
Isilon and building products on top of FreeBSD

News Roundup

ReLaunchd
- This past week we got a heads up about another init/launchd replacement, this time “relaunchd”
- The goals of this project appear to be keeping launchd functionality, while being portable enough to run on FreeBSD / Linux, etc.
- It also has aspirations of being “container-aware”, with support for jailed services, à la Docker, as well as cluster awareness.
- Written in Ruby :(, it also maintains that it wishes to NOT take over PID 1 or replace the initial system boot scripts, but extend / leverage them in new ways.

***

Static Intrusion Detection in NetBSD
- Alistair Crooks has committed a new “sid” utility to NetBSD, which allows intrusion detection by comparing the file system contents to a database of known good values
- The utility can compare the entire root file system of a modest NetBSD machine in about 15 seconds
- The following parameters of each file can be checked: atime, block count, ctime, file type, flags, group, inode, link target, mtime, number of links, permissions, size, user, crc32c checksum, sha256 checksum, sha512 checksum
- A

109: Impish BSD
This week, we have a great interview with Warner Losh of the FreeBSD project! We will be discussing everything from automatic kernel module loading, IO scheduling and of course NanoBSD. This episode was brought to you by

Interview - Warner Losh - [email protected] / @bsdimp
SSD performance and driver auto-loader

108: ServeUp BSD
This week on the show, Allan is heading to Sweden, but we have a great interview with Andrew Pantyukhin to bring you. We will be discussing everything from contributions to FreeBSD, which technologies worked best in the datacenter, config management and more. This episode was brought to you by

Headlines
- Allan is away this week, traveling to Sweden for the ACM womENcourage conference followed by EuroBSDCon, but we have an excellent interview for you, so sit back and enjoy the show.
- Allan will be back on October 5th, so we look forward to bringing you a live show, with all the details about EuroBSDCon and more!

Interview - Andrew Pantyukhin - [email protected] / @infofarmer
Building products with FreeBSD

107: In their midst
This week, we are going to be talking with Aaron Poffenberger, who has much to share about his first-hand experience in infiltrating Linux conferences with BSD goodness. This episode was brought to you by

Headlines

Alexander Motin implements CTL High Availability
- CTL HA allows two “head” nodes to be connected to the same set of disks, safely
- An HA storage appliance usually consists of 2 totally separate servers, connected to a shared set of disks in separate JBOD sleds
- The problem with this setup is that if both machines try to use the disks at the same time, bad things will happen
- With CTL HA, the two nodes can communicate, in this case over a special TCP protocol, to coordinate and make sure they do not step on each other's toes, allowing safe operation
- The CTL HA implementation in FreeBSD can operate in the following four modes:
  - Active/Unavailable -- without interlink between nodes
  - Active/Standby -- with the second node handling only basic LUN discovery and reservation, synchronizing with the first node through the interlink
  - Active/Active -- with both nodes processing commands and accessing the backing storage, synchronizing with the first node through the interlink
  - Active/Proxy -- with the second node working as a proxy, transferring all commands to the first node for execution through the interlink
- The custom TCP protocol has no authentication, so it should never be enabled on public interfaces
- Doc Update

***

Panel Self-Refresh support lands in DragonFlyBSD
- In what seem to be almost weekly improvements being made to the Xorg stack for DragonFly, we now have Panel Self-Refresh landing, thanks to Imre Vadász
- Understanding Panel Self-Refresh and More about Panel Self-Refresh
- In a nutshell, the above articles talk about how, in the case of static images on the screen, power savings can be obtained by refreshing static images from display memory (frame buffer), disabling the video processing of the CPU/GPU and associated pipeline during the process.
- And just for good measure, Imre also committed some further Intel driver cleanup, reducing the diff with Linux 3.17

***

Introducing Sluice, a new ZFS snapshot management tool
- A new ZFS snapshot management tool written in Python and modeled after Apple's Time Machine
- Simple command line interface
- No configuration files; settings are stored as ZFS user properties
- Includes simple remote replication support
- Can operate on remote systems with the zfs://user@host/path@snapname URL schema
- Future feature list includes an “import” command to move files from non-ZFS storage to ZFS and create a snapshot, and “export” to do the inverse
- Thanks to Dan for tipping us about this new project

***

Why WhatsApp only needs 50 engineers for 900 million users
- Wired has a good write-up on the behind-the-scenes work taking place at WhatsApp
- While the article mentions FreeBSD, it spends the bulk of its discussion on Erlang and using its scalable concurrency and deployment of new code to running processes.
- FB Messenger uses Haskell to accomplish much the same thing, while Google and Mozilla are currently trying to bring the same level of flexibility to Go and Rust respectively.
- video
- Thanks to Ed for submitting this news item

***

Interview - Aaron Poffenberger - email@email / @akpoff
BSD in a strange place
- KM: Go ahead and tell us about yourself and how did you first get involved with BSD?
- AJ: You've presented recently at Texas Linux Fest, both on FreeBSD and FreeNAS. What specifically prompted you to do that?
- KM: What would you say are the main selling points when presenting BSD to Linux users and admins?
- AJ: On the flip side of this topic, in what areas do you think we could improve BSD to present better to Linux users?
- KM: What would you specifically recommend to other BSD users or fans who may also want to help present or teach about BSD? Any things specifically to avoid?
- AJ: What is the typical depth of knowledge you encounter when presenting BSD to a mostly Linux crowd? Any surprises when doing so?
- KM: Since you have done this before, are you mainly writing your own material or borrowing from other talks that have been done on BSD? Do you think there's a place for some collaboration, maybe having a repository of materials that can be used for other BSD presenters at their local Linux conference / LUG?
- AJ: Since you are primarily an OpenBSD user, have you thought about doing any talks related to it? Is OpenBSD something on the radar of the typical Linux conference-goer?
- KM: Is there anything else you would like to mention before we wrap up?

***

News Roundup

GhostBSD 10.1 released
- GhostBSD has given us a new release; this time it also includes XFCE as an alternative to the MATE desktop
- The installer has been updated to allow using GRUB, the BSD loader, or none at all
- It also includes the new OctoPKG manager, which provides a Qt-driven front end to pkgng
- Thanks to Shawn for submitting this

***

Moving to FreeBSD
- In this blog post, Randy Westlund takes us through his journey of moving from Gentoo over

106: Multipath TCP
This week, we have Nigel Williams here to bring us all sorts of info about Multipath TCP: what it is, how it works and the ongoing effort to bring it into FreeBSD. All that and of course the latest BSD news coming your way, right now! This episode was brought to you by

Headlines

Backing out changes doesn't always pinpoint the problem
- Peter Wemm brings us a fascinating look at debugging an issue which occurred on the FreeBSD build cluster recently.
- Bottom line? Backing out something isn't necessarily the fix; rather, it should be a part of the diagnostic process
- In this particular case, a change to some mmap() functionality ended up exposing a bug in the kernel's page fault handler which had existed since (wait for it…) 1997!
- As Peter mentions at the bottom of the article, this bug had been showing up for years, but was sporadic and often written off as a networking hiccup.

***

BSD Router Project benchmarks new routing changes to FreeBSD
- A project branch of FreeBSD -CURRENT has been created with a number of optimizations to the routing code
- Alexander V. Chernikov (melifaro@)'s routing branch
- The net result is an almost doubling of peak performance in packets per second
- Performance scales well with the number of NIC queues (2 queues is 88% faster than 1 queue, 3 is 270% faster). Unlike the previous code, when the number of queues hits 4, performance is down by only 10%, instead of being cut nearly in half
- Other benchmark results, and the tools to do your own tests

***

When is SSL not SSL?
- Our buddy Ted has a good write-up on a weird situation related to licensing of stunnel and LibreSSL
- The problem exists due to stunnel being released with a different license that is technically incompatible with the GPL, as well as linking against non-OpenSSL versions.
- The author has also decided to create specific named exceptions for when the *SSL lib is part of the base operating system, but does not personally consider LibreSSL a valid linking target on its own
- Ted points out that the LibreSSL team considers LibreSSL == OpenSSL, so this may be a moot concern

***

Update on systembsd
- We've mentioned the GSoC project to create a systemd shim in OpenBSD before. Now we have the slides from Ian Sutton talking about this project.
- As a refresher, this project is to take D-Bus and create daemons emulating various systemd components, such as hostnamed, localed, timedated, and friends.
- Written from scratch in C, it was mainly created in the hopes of becoming a port, allowing GNOME and related tools to function on OpenBSD.
- This is a good read, especially for current or aspiring porters who want to bring over newer versions of applications which now depend upon systemd.

***

Interview - Nigel Williams - [email protected]
Multipath TCP

News Roundup

OpenBSD UEFI boot loader
- We've mentioned the ongoing work to bring UEFI booting to OpenBSD, and it looks like this has now landed in the tree
- The “fdisk” utility has also been updated with a new -b flag, which, when used with “-i”, will create the special EFI system partition on amd64/i386 (http://marc.info/?l=openbsd-cvs&m=144139348416071&w=2)
- Some Twitter benchmarks

***

FreeBSD Journal, July/August issue
- The latest issue of the FreeBSD Journal has arrived
- As always, the Journal opens with a letter from the FreeBSD Foundation
- Feature Articles:
  - Groupon's Deal on FreeBSD -- How to drive adoption of FreeBSD at your organization, and lessons learned in retraining Linux sysadmins
  - FreeBSD: The Isilon Experience -- Mistakes not to make when basing a product on FreeBSD. TL;DR: track head
  - Reflections on FreeBSD.org: Packages -- A status update on where we are with binary packages, what issues have been overcome, and which still remain
  - Inside the Foundation -- An overview of some of the things you might not be aware that the FreeBSD Foundation is doing to support the project and attract the next generation of committers
- Includes a book review of “The Practice of System and Network Administration”
- As usual, various other reports are included: The Ports Report, SVN Update, a conference report, a report from the Essen hackathon, and the Event Calendar

***

Building ARMv6 packages on FreeBSD, the easy way
- Previously we have discussed how to build ARMv6 packages on FreeBSD
- We also interviewed Sean Bruno about his work in this area
- Thankfully, over time this process has been simplified, and no longer requires a lot of manual configuration or fussing with the “image activator”
- Now you can just build packages for your Raspberry Pi or similar device, just as simply as you would build for x86; it just takes longer to build.

***

New PC-BSD Release Schedule
- The PC-BSD Team has announced an updated release schedule for beyond 10.2
- This schedule follows more closely the FreeBSD schedules, with major releases only occurring when FreeBSD does the next point update, or major version bump.
- PC-BSD's source tree has been split into master (current) and stable as well
- PRODUCTION / EDGE package

105: Virginia BSD Assembly
It's already our two-year anniversary! This time on the show, we'll be chatting with Scott Courtney, vice president of infrastructure engineering at Verisign, about this year's vBSDCon. What's it have to offer in an already-crowded BSD conference space? We'll find out. This episode was brought to you by

Headlines

OpenBSD hypervisor coming soon
- Our buddy Mike Larkin never rests, and he posted some very tight-lipped console output on Twitter recently
- From what little he revealed at the time, it appeared to be a new hypervisor (that is, x86 hardware virtualization) running on OpenBSD -current, tentatively titled "vmm"
- Later on, he provided a much longer explanation on the mailing list, detailing a bit about what the overall plan for the code is
- Originally started around the time of the Australia hackathon, the work has since picked up more steam, and has gotten a funding boost from the OpenBSD Foundation
- One thing to note: this isn't just a port of something like Xen or bhyve; it's all-new code, and Mike explains why he chose to go that route
- He also answered some basic questions about the requirements, when it'll be available, what OSes it can run, what's left to do, how to get involved and so on

***

Why FreeBSD should not adopt launchd
- Last week we mentioned a talk Jordan Hubbard gave about integrating various parts of Mac OS X into FreeBSD
- One of the changes, perhaps the most controversial item on the list, was the adoption of launchd to replace the init system (replacing init systems seems to cause backlash, we've learned)
- In this article, the author talks about why he thinks this is a bad idea
- He doesn't oppose the integration into FreeBSD-derived projects, like FreeNAS and PC-BSD, only vanilla FreeBSD itself - this is also explained in more detail
- The post includes both high-level descriptions and low-level technical details, and provides an interesting outlook on the situation and possibilities
- Reddit had quite a bit to say about this one, some in agreement and some not

***

DragonFly graphics improvements
- The DragonFlyBSD guys are at it again, merging newer support and fixes into their i915 (Intel) graphics stack
- This latest update brings them in sync with Linux 3.17, and includes Haswell fixes, DisplayPort fixes, improvements for Broadwell and even Cherryview GPUs
- You should also see some power management improvements, longer battery life and various other bug fixes
- If you're running DragonFly, especially on a laptop, you'll want to get this stuff on your machine quick - big improvements all around

***

OpenBSD tames the userland
- Last week we mentioned OpenBSD's tame framework getting support for file whitelists, and said that the userland integration was next - well, now here we are
- Theo posted a mega diff of nearly 100 smaller diffs, adding tame support to many areas of the userland tools
- It's still a work-in-progress version; there's still more to be added (including the file path whitelist stuff)
- Some classic utilities are even being reworked to make taming them easier - the "w" command, for example
- The diff provides some good insight on exactly how to restrict different types of utilities, as well as how easy it is to actually do so (and en masse)
- More discussion can be found on HN, as one might expect
- If you're a software developer, and especially if your software is in ports already, consider adding some more fine-grained tame support in your next release

***

Interview - Scott Courtney - [email protected] / @verisign
vBSDCon 2015

News Roundup

OPNsense, beyond the fork
- We first heard about OPNsense back in January, and they've since released nearly 40 versions, spanning over 5,000 commits
- This is their first big status update, covering some of the things that've happened since the project was born
- There's been a lot of community growth and participation, mass bug fixing, new features added, experimental builds with ASLR and much more - the report touches on a little of everything

***

LibreSSL nukes SSLv3
- With their latest release, LibreSSL began to turn off SSLv3 support, starting with the "openssl" command
- At the time, SSLv3 wasn't disabled entirely because of some things in the OpenBSD ports tree requiring it (apache being one odd example)
- They've now flipped the switch, and the process of complete removal has started
- From the Undeadly summary, "This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to

104: Beverly Hills 25519
Coming up this week on the show, we'll be talking with Damien Miller of the OpenSSH team. Their 7.0 release has some major changes, including phasing out older crypto and changing one of the defaults that might surprise you. This episode was brought to you by

Headlines

EdgeRouter Lite, meet OpenBSD
The ERL, much like the Raspberry Pi and a bunch of other cheap boards, is getting more and more popular as more things get ported to run on it We've covered installing NetBSD and FreeBSD on them before, but OpenBSD has gotten a lot better support for them as well now (including the onboard storage in 5.8) Ted Unangst got a hold of one recently and kindly wrote up some notes about installing and using OpenBSD on it He covers doing a network install, getting the (slightly strange) bootloader working with u-boot and some final notes about the hardware More discussion can be found on Hacker News and various other places One thing to note about these devices: because of their MIPS64 processor, they'll have weaker ASLR than X86 CPUs (and no W^X at all)

***

Design and Implementation of the FreeBSD Operating System interview
For those who don't know, the "Design and Implementation of the FreeBSD Operating System" is a semi-recently-revived technical reference book for FreeBSD development InfoQ has a review of the book up for anyone who might be interested, but they also have an interview with the authors "The book takes an approach to FreeBSD from inside out, starting with kernel services, then moving to process and memory management, I/O and devices, filesystems, IPC and network protocols, and finally system startup and shutdown. The book provides dense, technical information in a clear way, with lots of pseudo-code, diagrams, and tables to illustrate the main points." Aside from detailing a few of the chapters, the interview covers who the book's target audience is, some history of the project, long-term support, some of the newer features and some general OS development topics

***

Path list parameter in OpenBSD tame
We've mentioned OpenBSD's relatively new "tame" subsystem a couple times before: it's an easy-to-implement "self-containment" framework, allowing programs to have a reduced feature set mode with even less privileges One of the early concerns from users of other process containment tools was that tame was too broad in the way it separated disk access - you could either read/write files or not, nothing in between Now there's the option to create a whitelist of specific files and directories that your binary is allowed to access, giving a much finer-grained set of controls to developers The next step is to add tame restraints to the OpenBSD userland utilities, which should probably be done by 5.9 More discussion can be found on Reddit and Hacker News

***

FreeBSD & PC-BSD 10.2-RELEASE
The FreeBSD team has released the second minor version bump to the 10.x branch, including all the fixes from 10-STABLE since 10.1 came out The Linux compatibility layer has been updated to support CentOS 6, rather than the much older Fedora Core base used previously, and the DRM graphics code has been updated to match Linux 3.8.13 New installations (and newly-upgraded systems) will use the quarterly binary package set, rather than the rolling release model that most people are used to A VXLAN driver was added, allowing you to create virtual LANs by encapsulating the ethernet frame in a UDP packet The bhyve codebase is much newer, enabling support for AMD CPUs with SVM (AMD-V) virtualization extensions ARM and ARM64 code saw some fixes and improvements, including SMP support on a few specific boards and support for a few new boards The bootloader now supports entering your GELI passphrase before loading the kernel in full disk encryption setups In addition to assorted userland fixes and driver improvements, various third party tools in the base system were updated: resolvconf, ISC NTPd, netcat, file, unbound, OpenSSL, sendmail Check the full release notes for the rest of the details and changes PC-BSD also followed with their 10.2-RELEASE, sporting a few more additional features

***

Interview - Damien Miller - [email protected] / @damienmiller
OpenSSH: phasing out broken crypto, default cipher changes

News Roundup

NetBSD at Open Source Conference Shimane
We weren't the only ones away at conferences last week - the Japanese NetBSD guys are always raiding one event or another This time they had NetBSD running on some Sony NWS devices (MIPS-based) JavaStations were also on display - something we haven't ever seen before (made between 1996-2000)

***

BAFUG videos
The Bay Area FreeBSD users group has been uploading some videos of their recent meetings Devin Teske hosts the first one, discussing adding GELI support to the bootloader, including some video demonstrations of how it works Shortly after beginning, Adrian Chadd takes over the conversation and they discuss vario

103: Ubuntu Slaughters Kittens
Allan's away at BSDCam this week, but we've still got an exciting episode for you. We sat down with Bryan Cantrill, CTO of Joyent, to talk about a wide variety of topics: dtrace, ZFS, pkgsrc, containers and much more. This is easily our longest interview to date! This episode was brought to you by

Interview - Bryan Cantrill - [email protected] / @bcantrill
BSD and Solaris history, illumos, dtrace, Joyent, pkgsrc, various topics (and rants)

Feedback/Questions
Randy writes in
Jared writes in
Steve writes in

***

102: May Contain ZFS
This week on the show, we'll be talking with Peter Toth. He's got a jail management system called "iocage" that's been getting pretty popular recently. Have we finally found a replacement for ezjail? We'll see how it stacks up. This episode was brought to you by

Headlines

FreeBSD on Olimex RT5350F-OLinuXino
If you haven't heard of the RT5350F-OLinuXino-EVB, you're not alone (actually, we probably couldn't even remember the name if we did know about it) It's a small board with a MIPS CPU, two ethernet ports, wireless support and... 32MB of RAM This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment In part two of the series, he talks about the GPIO and how you can configure it Part three is still in the works, so check the site later on for further progress and info

***

The modern OpenBSD home router
In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network "It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst" Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless This guide also covers PPP and IPv6, in case you have those requirements In a similar but unrelated series, another user does a similar thing - his post also includes details on reusing your consumer router as a wireless bridge He also has a separate post for setting up an IPSEC VPN on the router

***

NetBSD at Open Source Conference 2015 Kansai
The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it And what conference would be complete without an LED-powered towel

***

OpenSSH 7.0 released
The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code SSHv1 support is disabled, the 1024 bit diffie-hellman-group1-sha1 KEX is disabled by default and the v00 cert format authentication is disabled The syntax for permitting root logins has been changed, and is now called "prohibit-password" instead of "without-password" (this makes it so root can login, but only with keys) - all interactive authentication methods for root are also disabled by default now If you're using an older configuration file, the "without-password" option still works, so no change is required You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications Various bug fixes and documentation improvements are also included Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users In the next release, even more deprecation is planned: RSA keys will be refused if they're under 1024 bits, several legacy ciphers will be disabled by default (blowfish-cbc, cast128-cbc, the arcfour variants and the rijndael-cbc aliases for AES) and the MD5-based HMACs will also be disabled

***

Interview - Peter Toth - [email protected] / @pannonp
Containment with iocage

News Roundup

More c2k15 reports
A few more hackathon reports from c2k15 in Calgary are still slowly trickling in Alexander Bluhm's up first, and he continued improving OpenBSD's regression test suite (this ensures that no changes accidentally break existing things) He also worked on syslogd, completing the TCP input code - the syslogd in 5.8 will have TLS support for secure remote logging Renato Westphal sent in a report of his very first hackathon He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) - the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon His report opens with "First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking." - not exactly beginner stuff There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well

***

FreeBSD jails, the hard way
As you learned from our interview this week, there's quite a selection of tools available to manage your jails This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf Unlike with iocage, ZFS isn't actually a require
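The OpenSSH 7.0 deprecations in the item above are easy to miss in an sshd_config that has been carried forward for years. The following is an added example written for this page, not code from OpenSSH or from the show: a small Python audit that reads an sshd_config the way sshd does (comments stripped, first value per keyword wins) and flags the settings 7.0 turns off or marks for removal. Both configs, the finding text and the keyword lists are constructed for the demo; PubkeyAcceptedKeyTypes and HostKeyAlgorithms are real 7.0 keywords.

```python
"""Audit an sshd_config for the legacy settings OpenSSH 7.0 turns off.

Added example for this page, not code from the OpenSSH project. It checks
the items the 7.0 release notes call out: SSHv1, the 1024-bit
diffie-hellman-group1-sha1 exchange, ssh-dss keys, the PermitRootLogin
default, plus the legacy ciphers and MD5 MACs scheduled for the next
release. Both configs below are constructed for the demo.
"""
import re

LEGACY_KEX = {"diffie-hellman-group1-sha1"}
LEGACY_KEY_TYPES = {"ssh-dss", "ssh-dss-cert-v01@openssh.com",
                    "ssh-dss-cert-v00@openssh.com"}
# Ciphers the 7.0 notes schedule for removal in the following release.
LEGACY_CIPHERS = {"blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128",
                  "arcfour256", "rijndael-cbc@lysator.liu.se"}

SAMPLE_SSHD_CONFIG = """\
# constructed sample: an old config carried forward to OpenSSH 7.0
Port 22
Protocol 2,1
PermitRootLogin without-password
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
Ciphers aes256-gcm@openssh.com,aes128-ctr,blowfish-cbc
MACs hmac-sha2-256,hmac-md5
HostKeyAlgorithms ssh-ed25519,ssh-rsa,ssh-dss
PermitRootLogin yes   # ignored: sshd keeps the first value it sees
"""

HARDENED_SSHD_CONFIG = """\
# constructed sample: the same host with the legacy options removed
Protocol 2
PermitRootLogin prohibit-password
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
HostKeyAlgorithms ssh-ed25519,ssh-rsa
PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa
"""


def parse_sshd_config(text):
    """Return {keyword(lower): first value}; sshd uses the first value per keyword."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break  # Match blocks scope what follows; this audit covers global settings
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def _csv(conf, key):
    return [v.strip() for v in conf.get(key, "").split(",") if v.strip()]


def audit(conf):
    """Return a list of findings for settings 7.0 deprecates or disables."""
    findings = []
    if "1" in _csv(conf, "protocol"):
        findings.append("Protocol enables SSHv1, which 7.0 disables at build time")
    # Unset means the 7.0 default (prohibit-password); before 7.0 the default was yes.
    prl = conf.get("permitrootlogin", "prohibit-password").lower()
    if prl == "yes":
        findings.append("PermitRootLogin yes lets root log in with a password; use prohibit-password")
    elif prl == "without-password":
        findings.append("PermitRootLogin without-password is the deprecated alias of prohibit-password")
    for kex in _csv(conf, "kexalgorithms"):
        if kex in LEGACY_KEX:
            findings.append(f"KexAlgorithms re-enables {kex} (1024-bit group, off by default in 7.0)")
    for key in ("hostkeyalgorithms", "pubkeyacceptedkeytypes"):
        for alg in _csv(conf, key):
            if alg in LEGACY_KEY_TYPES:
                findings.append(f"{key} re-enables {alg}, which 7.0 disables by default")
    for cipher in _csv(conf, "ciphers"):
        if cipher in LEGACY_CIPHERS:
            findings.append(f"Ciphers includes {cipher}, scheduled for removal after 7.0")
    for mac in _csv(conf, "macs"):
        if "md5" in mac:
            findings.append(f"MACs includes {mac}; MD5 HMACs are scheduled for removal after 7.0")
    return findings


if __name__ == "__main__":
    for name, text in (("legacy", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}:")
        for finding in audit(parse_sshd_config(text)) or ["no findings"]:
            print("  -", finding)
```

To run it against a real host, feed the contents of /etc/ssh/sshd_config to parse_sshd_config. The audit reports on global settings only and stops at the first Match block, so per-user or per-address overrides need a separate look.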

101: I'll Fix Everything
Coming up this week, we'll be talking with Adrian Chadd about an infamous reddit thread he made. With a title like "what would you like to see in FreeBSD?" and hundreds of responses, well, we've got a lot to cover... This episode was brought to you by

Headlines

OpenBSD, from distribution to project
Ted Unangst has yet another interesting blog post up, this time covering a bit of BSD history and some different phases OpenBSD has been through It's the third part of his ongoing series of posts about OpenBSD removing large bits of code in favor of smaller replacements In the earliest days, OpenBSD collected and maintained code from lots of other projects (Apache, lynx, perl..) After importing new updates every release cycle, they eventually hit a transitional phase - things were updated, but nothing new was imported When the need arose, instead of importing a known tool to do the job, homemade replacements (OpenNTPD, OpenBGPD, etc) were slowly developed In more recent times, a lot of the imported code has been completely removed in favor of the homegrown daemons More discussion on HN and reddit

***

Remote ZFS mirrors, the hard way
Backups to "the cloud" have become a hot topic in recent years, but most of them require trade-offs between convenience and security You have to trust (some of) the providers not to snoop on your data, but even the ones who allow you to locally encrypt files aren't without some compromise As the author puts it: "We don't need live synchronisation, cloud scaling, SLAs, NSAs, terms of service, lock-ins, buy-outs, up-sells, shut-downs, DoSs, fail whales, pay-us-or-we'll-deletes, or any of the noise that comes with using someone else's infrastructure." This guide walks you through setting up a FreeBSD server with ZFS to do secure offsite backups yourself The end result is an automatic system for incremental backups that's backed (pun intended) by ZFS If you're serious about keeping your important data safe and sound, you'll want to give this one a read - lots of detailed instructions

***

Various DragonFlyBSD updates
The DragonFly guys have been quite busy this week, making an assortment of improvements throughout the tree Intel ValleyView graphics support was finally committed to the main repository While on the topic of graphics, they've also issued a call for testing for a DRM update (matching Linux 3.16's and including some more Broadwell fixes) Their base GCC compiler is also now upgraded to version 5.2 If your hardware supports it, DragonFly will now use an accelerated console by default

***

QuakeCon runs on OpenBSD
QuakeCon, everyone's favorite event full of rocket launchers, recently gave a mini-tour of their network setup For such a crazy network, unsurprisingly, they seem to be big fans of OpenBSD and PF In this video interview, one of the sysadmins discusses why he chose OpenBSD, what he likes about it, different packet queueing systems, how their firewalls and servers are laid out and much more He also talks about why they went with vanilla PF, writing their ruleset from the ground up rather than relying on a prebuilt solution There's also some general networking talk about nginx, reverse proxies, caching, fiber links and all that good stuff Follow-up questions can be asked in this reddit thread The host doesn't seem to be that familiar with the topics at hand, mentioning "OpenPF" multiple times among other things, so our listeners should get a kick out of it

***

Interview - Adrian Chadd - [email protected] / @erikarn
Rethinking ways to improve FreeBSD

News Roundup

CII contributes to OpenBSD
If you recall back to when we talked to the OpenBSD foundation, one of the things Ken mentioned was the Core Infrastructure Initiative In a nutshell, it's an organization of security experts that helps facilitate (with money, in most cases) the advancement of the more critical open source components of the internet The group is organized by the Linux foundation, and gets its multi-million dollar backing from various big companies in the technology space (and donations from volunteers) To ensure that OpenBSD and its related projects (OpenSSH, LibreSSL and PF likely being the main ones here) remain healthy, they've just made a large donation to the foundation - this makes them the first "platinum" level donor as well While the exact amount wasn't disclosed, it was somewhere between $50,000 and $100,000 The donation comes less than a month after Microsoft's big donation, so it's good to see these large organizations helping out important open source projects that we depend on every day

***

Another BSDCan report
The FreeBSD foundation is still getting trip reports from BSDCan, and this one comes from Mark Linimon In his report, he mainly covers the devsummit and some discussion with the portmgr team One notable change for the upcoming 10.2 release is that the defaul

100: Straight from the Src
We've finally reached a hundred episodes, and this week we'll be talking to Sebastian Wiedenroth about pkgsrc. Though originally a NetBSD project, now it runs pretty much everywhere, and he even runs a conference about it! This episode was brought to you by

Headlines

Remote DoS in the TCP stack
A pretty devious bug in the BSD network stack has been making its rounds for a while now, allowing remote attackers to exhaust the resources of a system with nothing more than TCP connections While in the LAST_ACK state, which is one of the final stages of a connection's lifetime, the connection can get stuck and hang there indefinitely This problem has a slightly confusing history that involves different fixes at different points in time from different people Juniper originally discovered the bug and announced a fix for their proprietary networking gear on June 8th On June 29th, FreeBSD caught wind of it and fixed the bug in their -current branch, but did not issue a security notice or MFC the fix back to the -stable branches On July 13th, two weeks later, OpenBSD fixed the issue in their -current branch with a slightly different patch, citing the FreeBSD revision from which the problem was found Immediately afterwards, they merged it back to -stable and issued an errata notice for 5.7 and 5.6 On July 21st, three weeks after their original fix, FreeBSD committed yet another slightly different fix and issued a security notice for the problem (which didn't include the first fix) After the second fix from FreeBSD, OpenBSD gave them both another look and found their single fix to be sufficient, covering the timer issue in a more general way NetBSD confirmed they were vulnerable too, and applied another completely different fix to -current on July 24th, but haven't released a security notice yet DragonFly is also investigating the issue now to see if they're affected as well

***

c2k15 hackathon reports
Reports from OpenBSD's latest hackathon, held in Calgary this time, are starting to roll in (there were over 40 devs there, so we might see a lot more of these) The first one, from Ingo Schwarze, talks about some of the mandoc work he did at the event He writes, "Did you ever look at a huge page in man, wanted to jump to the definition of a specific term - say, in ksh, to the definition of the "command" built-in command - and had to step through dozens of false positives with the less '/' and 'n' search keys before you finally found the actual definition?" With mandoc's new internal jump targets, this is a problem of the past now Jasper also sent in a report, doing his usual work with Puppet (and specifically "Facter," a tool used by Puppet to gather various bits of system information) Aside from that and various ports-related work, Jasper worked on adding tame support to some userland tools, fixing some Octeon stuff and introduced something that OpenBSD has oddly lacked until now: an "-i" flag for sed (hooray!) Antoine Jacoutot gave a report on what he did at the hackathon as well, including improvements to the rcctl tool (for configuring startup services) It now has an "ls" subcommand with status parsing, allowing you to list running services, stopped services or even ones that failed to start or are supposed to be running (he calls this "the poor man's service monitoring tool") He also reworked some of the rc.d system to let multiple instances of the same daemon run more smoothly (using tor with different config files as an example) His list also included updating ports, updating ports documentation, updating the hotplug daemon and laying out some plans for automatic sysmerge for future upgrades Foundation director Ken Westerback was also there, getting some disk-related and laptop work done He cleaned up and committed the 4k sector softraid code that he'd been working on, as well as fixing some trackpad issues Stefan Sperling, OpenBSD's token "wireless guy," had a lot to say about the hackathon and what he did there (and even sent in his write-up before he got home) He taught tcpdump about some new things, including 802.11n metadata beacons (there's a lot more specific detail about this one in the report) Bringing a bag full of USB wireless devices with him, he set out to get the unsupported ones working, as well as fix some driver bugs in the ones that already did work One quote from Stefan's report that a lot of people seem to be talking about: "Partway through the hackathon tedu proposed an old diff of his to make our base ls utility display multi-byte characters. This led to a long discussion about how to expand UTF-8 support in base. The conclusion so far indicates that single-byte locales (such as ISO-8859-1 and KOI-8) will be removed from the base OS after the 5.8 release is cut. This simplifies things because the whole system only has to care about a single
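A quick operational check for the LAST_ACK bug in the headline above, added here as an example and not part of the show notes or of any BSD project: parse netstat -an output, count LAST_ACK sockets per remote host, and compare two snapshots taken a few minutes apart. LAST_ACK is a normal, short-lived teardown state, so a socket still sitting there in both snapshots has not drained, which is the symptom this bug produces rather than ordinary connection teardown. The netstat lines are constructed in FreeBSD's layout (host and port joined by a dot), and the alert threshold is an arbitrary choice for the demo.

```python
"""Spot TCP sockets stuck in LAST_ACK from `netstat -an` output.

Added example for this page, not code from any BSD project. LAST_ACK is a
normal, short-lived teardown state; the bug discussed above leaves
connections parked there for good. A single snapshot shows who holds the
most LAST_ACK sockets; two snapshots a few minutes apart show which of them
never drained. The netstat lines below are constructed in FreeBSD's layout,
where host and port are joined by a dot.
"""
from collections import Counter

SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          198.51.100.5.40123     LAST_ACK
tcp4       0      0 192.0.2.10.80          198.51.100.5.40124     LAST_ACK
tcp4       0      0 192.0.2.10.80          198.51.100.5.40125     LAST_ACK
tcp4       0      0 192.0.2.10.80          203.0.113.7.51000      ESTABLISHED
tcp4       0      0 192.0.2.10.80          203.0.113.9.51001      LAST_ACK
tcp6       0      0 2001:db8::10.22        2001:db8:1::5.61000    ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
udp4       0      0 *.514                  *.*
"""

# constructed second snapshot: 40125 drained, 40126 is new, the rest are still there
SAMPLE_NETSTAT_LATER = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          198.51.100.5.40123     LAST_ACK
tcp4       0      0 192.0.2.10.80          198.51.100.5.40124     LAST_ACK
tcp4       0      0 192.0.2.10.80          198.51.100.5.40126     LAST_ACK
tcp4       0      0 192.0.2.10.80          203.0.113.9.51001      LAST_ACK
tcp4       0      0 *.22                   *.*                    LISTEN
"""


def last_ack_sockets(netstat_output):
    """Set of (local, foreign) endpoint pairs whose TCP state is LAST_ACK."""
    socks = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # header lines, UDP rows (no state column) and short lines are skipped
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] == "LAST_ACK":
            socks.add((fields[3], fields[4]))
    return socks


def peer_host(endpoint):
    """BSD netstat writes host.port, so the host is everything before the last dot."""
    return endpoint.rpartition(".")[0]


def last_ack_by_peer(netstat_output):
    """Counter of remote hosts by number of LAST_ACK sockets they hold."""
    peers = Counter()
    for _local, foreign in last_ack_sockets(netstat_output):
        peers[peer_host(foreign)] += 1
    return peers


def stuck_peers(netstat_output, threshold=3):
    """Remote hosts holding at least `threshold` LAST_ACK sockets, largest first."""
    return [(host, n) for host, n in last_ack_by_peer(netstat_output).most_common()
            if n >= threshold]


def persistent_last_ack(earlier, later):
    """LAST_ACK sockets present in both snapshots: these never drained."""
    return last_ack_sockets(earlier) & last_ack_sockets(later)


if __name__ == "__main__":
    print("per-peer:", last_ack_by_peer(SAMPLE_NETSTAT).most_common())
    print("over threshold:", stuck_peers(SAMPLE_NETSTAT))
    for local, foreign in sorted(persistent_last_ack(SAMPLE_NETSTAT, SAMPLE_NETSTAT_LATER)):
        print("stuck:", local, "<-", foreign)
```

On a live box, capture `netstat -an` twice a few minutes apart and pass both captures to persistent_last_ack; a non-empty result on a host that is otherwise idle is the thing to investigate, and the per-peer counter tells you who is holding the sockets open.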

99: BSD Gnow
This week we'll be talking with Ryan Lortie and Baptiste Daroussin about GNOME on BSD. Upstream development is finally treating the BSDs as a first class citizen, so we'll hear about how the recent porting efforts have been since. This episode was brought to you by

Headlines

OpenBSD presents tame
Theo de Raadt sent out an email detailing OpenBSD's new "tame" subsystem, written by Nicholas Marriott and himself, for restricting what processes can and can't do When using tame, programs will switch to a "restricted-service operating mode," limiting them to only the things they actually need to do As for the background: "Generally there are two models of operation. The first model requires a major rewrite of application software for effective use (ie. capsicum). The other model in common use lacks granularity, and allows or denies an operation throughout the entire lifetime of a process. As a result, they lack differentiation between program 'initialization' versus 'main servicing loop.' systrace had the same problem. My observation is that programs need a large variety of calls during initialization, but few in their main loops." Some initial categories of operation include: computation, memory management, read-write operations on file descriptors, opening of files and, of course, networking Restrictions can also be stacked further into the lifespan of the process, but removed abilities can never be regained (obviously) Anything that tries to access resources outside of its in-place limits gets terminated with a SIGKILL or, optionally, a SIGABRT (which can produce useful core dumps for investigation) Also included are 29 examples of userland programs that get additional protection with very minimal changes to the source - only 2 or 3 lines needing to be changed in the case of binaries like cat, ps, dmesg, etc. This is an initial work-in-progress version of tame, so there may be more improvements or further control options added before it hits a release (very specific access policies can sometimes backfire, however) The man page, also included in the mail, provides some specifics about how to integrate tame properly into your code (which, by design, was made very easy to do - making it simple means third party programs are more likely to actually use it) Kernel bits are in the tree now, with userland changes starting to trickle in too Combined with a myriad of memory protections, tight privilege separation and (above all else) good coding practices, tame should further harden the OpenBSD security fortress Further discussion can be found in the usual places you'd expect

***

Using Docker on FreeBSD
With the experimental Docker port landing in FreeBSD a few weeks ago, some initial docs are starting to show up This docker is "the real thing," and isn’t using a virtual machine as the backend - as such, it has some limitations The FreeBSD wiki has a page detailing how it works in general, as well as more info about those limitations When running Linux containers, it will only work as well as the Linux ABI compat layer for your version of FreeBSD (11.0, or -CURRENT when we're recording this, is where all the action is for 64bit support) For users on 10.X, there's also a FreeBSD container available, which allows you to use Docker as a fancy jail manager (it uses the jail subsystem internally) Give it a try, let us know how you find it compared to other solutions

***

OpenBSD imports doas, removes sudo
OpenBSD has included the ubiquitous "sudo" utility for many years now, and the current maintainer of sudo (Todd C. Miller) is also a long-time OpenBSD dev The version included in the base system was much smaller than the latest current version used elsewhere, but was based on older code Some internal discussion led to the decision that sudo should probably be moved to ports now, where it can be updated easily and offer all the extra features that were missing in base (LDAP and whatnot) Ted Unangst conjured up a rewritten utility to replace it in the base system, dubbed "doas," with the aim of being more simple and compact There were concerns that sudo was too big and too complicated, and a quick 'n' dirty check reveals that doas is around 350 lines of code, while sudo is around 10,000 - which would you rather have as a setuid root binary? After the initial import, a number of developers began reviewing and improving various bits here and there You can check out the code now if you're interested Command usage and config syntax seem pretty straightforward More discussion on HN

***

What would you like to see in FreeBSD
Adrian Chadd started a reddit thread about areas in which FreeBSD could be improved, asking the community what they'd like to see There are over 200 comments that span a wide range of topics, so we'll just cover a few of the more popular requests - check the very long thread if you
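The doas item above says the config syntax is straightforward; the part people get wrong is how rules combine. The following is an added example written for this page, not OpenBSD's doas code: a Python evaluator for the rule form documented in doas.conf(5), permit|deny [options] identity [as target] [cmd command [args ...]], applying the rule that the last matching line decides and that an unspecified target or command matches any. The config, the group table (standing in for getgrouplist(3)) and the helper names are constructed for the demo; only the plain nopass and keepenv keywords are handled, not the brace-delimited environment lists of later doas versions.

```python
"""Evaluate doas.conf rules the way doas(1) does: the last matching rule wins.

Added example for this page, not code from OpenBSD's doas. It parses the
rule form documented in doas.conf(5),
    permit|deny [options] identity [as target] [cmd command [args ...]]
with the nopass and keepenv options, and answers "may USER run COMMAND as
TARGET?". The config and the group table below are constructed for the demo;
the brace-delimited environment lists of later doas versions are not handled.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set

SAMPLE_DOAS_CONF = """\
# constructed doas.conf for the example
permit nopass keepenv :wheel
permit nopass alice as root cmd /usr/sbin/rcctl args restart httpd
deny bob
permit bob as _backup cmd /usr/local/bin/zfs-snap
"""

# constructed group membership (stands in for getgrouplist(3))
GROUPS = {"carol": {"wheel"}, "bob": {"wheel"}, "alice": set()}


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    options: Set[str]                  # subset of {"nopass", "keepenv"}
    identity: str                      # user name, or ":group"
    target: Optional[str] = None       # None: any target user
    cmd: Optional[str] = None          # None: any command
    args: Optional[List[str]] = None   # None: any arguments; [] means none allowed


def parse_doas_conf(text):
    """Parse doas.conf text into Rule objects, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)
        action = tok.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"bad rule: {raw!r}")
        options = set()
        while tok and tok[0] in ("nopass", "keepenv"):
            options.add(tok.pop(0))
        rule = Rule(action, options, tok.pop(0))
        if tok and tok[0] == "as":
            tok.pop(0)
            rule.target = tok.pop(0)
        if tok and tok[0] == "cmd":
            tok.pop(0)
            rule.cmd = tok.pop(0)
            if tok and tok[0] == "args":
                tok.pop(0)
                rule.args, tok = tok, []   # everything after "args" must match exactly
        if tok:
            raise ValueError(f"trailing tokens in rule: {raw!r}")
        rules.append(rule)
    return rules


def _matches(rule, user, groups, target, command, args):
    if rule.identity.startswith(":"):
        if rule.identity[1:] not in groups.get(user, set()):
            return False
    elif rule.identity != user:
        return False
    if rule.target is not None and rule.target != target:
        return False
    if rule.cmd is not None and rule.cmd != command:
        return False
    if rule.args is not None and list(args) != rule.args:
        return False
    return True


def decide(rules, user, groups, target="root", command=None, args=()):
    """Return (permitted, password_required) for the request.

    Every rule is examined and the last one that matches decides, so a
    later 'deny' overrides an earlier group-wide 'permit' and vice versa.
    """
    last = None
    for rule in rules:
        if _matches(rule, user, groups, target, command, args):
            last = rule
    if last is None or last.action == "deny":
        return (False, True)
    return (True, "nopass" not in last.options)


if __name__ == "__main__":
    rules = parse_doas_conf(SAMPLE_DOAS_CONF)
    for user, target, cmd, args in (
        ("carol", "root", "/bin/sh", ()),
        ("bob", "root", "/bin/sh", ()),
        ("bob", "_backup", "/usr/local/bin/zfs-snap", ()),
        ("alice", "root", "/usr/sbin/rcctl", ("stop", "httpd")),
    ):
        print(user, "as", target, cmd, *args, "->", decide(rules, user, GROUPS, target, cmd, args))
```

The bob lines are the point of the demo: he is in wheel, so the first rule would let him do anything without a password, but the later "deny bob" line wins for everything except the one command he is explicitly permitted to run as _backup, and that one still asks for his password because the rule has no nopass.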

98: Our Code is Your Code
Coming up this time on the show, we'll be talking with the CTO of Xinuos, David Meyer, about their adoption of FreeBSD. We also discuss the BSD license model for businesses and the benefits of contributing changes back. This episode was brought to you by

Headlines

Enabling FreeBSD on AArch64
One of the things the FreeBSD foundation has been dumping money into lately is ARM64 support, but we haven't heard too much about it - this article should change that Since it's on a mainstream ARM site, the article begins with a bit of FreeBSD history, leading up to the current work on ARM64 There's also a summary of some of the ARM work done at this year's BSDCan, including details about running it on the Cavium ThunderX platform (which has 48 cores) As of just a couple months ago, dtrace is even working on this new architecture Come 11.0-RELEASE, the plan is for ARM64 to get the same "tier 1" treatment as X86, which would imply binary updates for base and ports - something Raspberry Pi users often complain about not having

***

OpenBSD's tcpdump detailed
Most people are probably familiar with tcpdump, a very useful packet sniffing and capturing utility that's included in all the main BSD base systems This video guide is specifically about the version in OpenBSD, which has gone through some major changes (it's pretty much a fork with no version number anymore) Unlike on the other platforms, OpenBSD's tcpdump will always run in a chroot as an unprivileged user - this has saved it from a number of high-profile exploits It also has support for the "pf.os" system, allowing you to filter out operating system fingerprints in the packet captures There's also PF (and pflog) integration, letting you see which line in your ruleset triggered a specific match Being able to run tcpdump directly on your router is pretty awesome for troubleshooting

***

More FreeBSD foundation at BSDCan
The FreeBSD foundation has another round of trip reports from this year's BSDCan First up is Kamil Czekirda, who gives a good summary of some of the devsummit, FreeBSD-related presentations, some tutorials, getting freebsd-update bugs fixed and of course eating cake A second post from Christian Brueffer, who cleverly planned ahead to avoid jetlag, details how he got some things done during the FreeBSD devsummit Their third report is from our buddy Warren Block, who (unsurprisingly) worked on a lot of documentation-related things, including getting more people involved with writing them In true doc team style, his report is the most well-written of the bunch, including lots of links and a clear separation of topics (doc lounge, contributing to the wiki, presentations...) Finally, the fourth one comes to us from Shonali Balakrishna, who also gives an outline of some of the talks "Not only does a BSD conference have way too many very smart people in one room, but also some of the nicest."

***

DragonFly on the Chromebook C720
If you've got one of the Chromebook laptops and weren't happy with the included OS, DragonFlyBSD might be worth a go This article is a "mini-report" on how DragonFly functions on the device as a desktop, and while the 2GB of RAM proved to be a bit limiting, most of the hardware is well-supported DragonFly's wiki has a full guide on getting set up on one of these devices as well

***

Interview - David Meyer - [email protected] / @xinuos
Xinuos, BSD license model vs. others, community interaction

News Roundup

Introducing LiteBSD
We definitely don't talk about 4.4BSD a lot on the show LiteBSD is "a variant of [the] 4.4BSD operating system adapted for microcontrollers" If you've got really, really old hardware (or are working in the embedded space) then this might be an interesting hobby project to look into

***

HardenedBSD announces ASLR completion
HardenedBSD, now officially a full-on fork of FreeBSD, has declared their ASLR patchset to be complete The latest and last addition to the work was VDSO (Virtual Dynamic Shared Object) randomization, which is now configurable with a sysctl This post gives a summary of the six main features they've added since the beginning Only a few small things are left to do - man page cleanups, possibly shared object load order improvements

***

Unlock the reaper
In the ongoing quest to make more of OpenBSD SMP-friendly, a new patch was posted that unlocks the reaper in the kernel When there's a zombie process causing a resource leak, it's the reaper's job to deallocate their resources (and yes we're still talking about computers, not horror movies) Initial testing has yielded positive results and no regressions They're looking for testers, so you can install a -current snapshot and get it automatically An updated version of the patch is coming soon too A hackathon is going on right now, so you can expect more SMP improvements in the near future

***

The importance of mentori

97: Big Network, SmallWall
Coming up this time on the show, we'll be chatting with Lee Sharp. He's recently revived the m0n0wall codebase, now known as SmallWall, and we'll find out what the future holds for this new addition to the BSD family. Answers to your emails and all this week's news, on BSD Now - the place to B.. SD. This episode was brought to you by

Headlines

BSDCan and pkgsrcCon videos
Even more BSDCan 2015 videos are slowly but surely making their way to the internet
Nigel Williams, Multipath TCP for FreeBSD
Stephen Bourne, Early days of Unix and design of sh
John Criswell, Protecting FreeBSD with Secure Virtual Architecture
Shany Michaely, Expanding RDMA capability over Ethernet in FreeBSD
John-Mark Gurney, Adding AES-ICM and AES-GCM to OpenCrypto
Sevan Janiyan, Adventures in building open source software
And finally, the BSDCan 2015 closing
Some videos from this year's pkgsrcCon are also starting to appear online
Sevan Janiyan, A year of pkgsrc 2014 - 2015
Pierre Pronchery, pkgsrc meets pkg-ng
Jonathan Perkin, pkgsrc at Joyent
Jörg Sonnenberger, pkg_install script framework
Benny Siegert, New Features in BulkTracker
This is the first time we've ever seen recordings from the conference - hopefully they continue this trend

***

OPNsense 15.7 released
The OPNsense team has released version 15.7, almost exactly six months after their initial debut In addition to pulling in the latest security fixes from upstream FreeBSD, 15.7 also includes new integration of an intrusion detection system (and new GUI for it) as well as new blacklisting options for the proxy server Taking a note from upstream PF's playbook, ALTQ traffic shaping support has finally been retired as of this release (it was deprecated from OpenBSD a few years ago, and the code was completely removed just over a year ago) The LibreSSL flavor has been promoted to production-ready, and users can easily migrate over from OpenSSL via the GUI - switching between the two is simple; no commitment needed Various third party ports have also been bumped up to their latest versions to keep things fresh, and there's the usual round of bug fixes included Shortly afterwards, 15.7.1 was released with a few more small fixes

***

NetBSD at Open Source Conference 2015 Okinawa
If you liked last week's episode then you'll probably know what to expect with this one The NetBSD users group of Japan hit another open source conference, this time in Okinawa This time, they had a few interesting NetBSD machines on display that we didn't get to see in the interview last week We'd love to see something like this in North America or Europe too - anyone up for installing BSD on some interesting devices and showing them off at a Linux con?

***

OpenBSD BGP and VRFs
"VRFs, or in OpenBSD rdomains, are a simple, yet powerful (and sometimes confusing) topic" This article aims to explain both BGP and rdomains, using network diagrams, for some network isolation goodness With multiple rdomains, it's also possible to have two upstream internet connections, but lock different groups of your internal network to just one of them The idea of a "guest network" can greatly benefit from this separation as well, even allowing for the same IP ranges to be used without issues Combining rdomains with the BGP protocol allows for some very selective and precise blocking/passing of traffic between networks, which is also covered in detail here The BSDCan talk on rdomains expands on the subject a bit more if you haven't seen it, as well as a few related posts

***

Interview - Lee Sharp - [email protected]
SmallWall, a continuation of m0n0wall

News Roundup

Solaris adopts more BSD goodies
We mentioned a while back that Oracle developers have begun porting a current version of OpenBSD's PF firewall to their next version, even contributing back patches for SMP and other bug fixes They recently published an article about PF, talking about what's different about it on their platform compared to others - not especially useful for BSD users, but interesting to read if you like firewalls Darren Moffat, who was part of originally getting an SSH implementation into Solaris, has a second blog post up about their "SunSSH" fork Going forward, their next version is going to offer a completely vanilla OpenSSH option as well, with the plan being to phase out SunSSH after that The article talks a bit about the history of getting SSH into the OS, forking the code and also lists some of the differences between the two In a third blog post, they talk about a new system call they're borrowing from OpenBSD, getentropy(2), as well as the addition of arc4random to their libc With an up-to-date and SMP-capable PF, ZFS with native encryption, jail-like Zones, unaltered OpenSSH and secure entropy calls… is Solaris becoming better than us? Look forward to the upcoming "Solaris Now" podcast (not really)

***

EuroBSDCon 2015 talks and tutorials

96: Lost Technology
Coming up this week, we'll be talking with Jun Ebihara about some lesser-known CPU architectures in NetBSD. He'll tell us what makes these old (and often forgotten) machines so interesting. As usual, we've also got answers to your emails and all this week's news on BSD Now - the place to B.. SD.
Headlines
Out with the old, in with the less
- Our friend Ted Unangst has a new article up, talking about "various OpenBSD replacements and reductions"
- "Instead of trying to fix known bugs, we’re trying to fix unknown bugs. It’s not based on the current buggy state of the code, but the anticipated future buggy state of the code. Past bugs are a bigger factor than current bugs."
- In the post, he goes through some of the bigger (and smaller) examples of OpenBSD rewriting tools to be simpler and more secure
- It starts off with a lesser-known SCSI driver that "tried to do too much" being replaced with three separate drivers
- "Each driver can now be modified in isolation without unintentional side effects on other hardware, or the need to consider if and where further special cases need to be added. Despite the fact that these three drivers duplicate all the common boilerplate code, combined they only amount to about half as much code as the old driver."
- In contrast to that example, he goes on to cite mandoc as taking a very non "unixy" direction, but at the same time being smaller and simpler than all the tools it replaced
- The next case is the new http daemon, and he talks a bit about the recently-added rewrite support being done in a simple and secure way (as opposed to regex and its craziness)
- He also talks about the rewritten "file" utility: "Almost by definition, its sole input will be untrusted input. Perversely, people will then trust what file tells them and then go about using that input, as if file somehow sanitized it."
- Finally, sudo in OpenBSD's base system is moving to ports soon, and the article briefly describes a new tool that may or may not replace it, called "doas"
- There's also a nice wrap-up of all the examples at the end, and the "Pruning and Polishing" talk is good complementary reading material
***
More OpenZFS and BSDCan videos
- We mentioned last week that some of the videos from the second OpenZFS conference in Europe were being uploaded - here's some more
- Matt Ahrens did a Q&A session and talked about ZFS send and receive, as well as giving an overview of OpenZFS
- George Wilson talked about a performance retrospective
- Toshiba, Syneto and HGST also gave some talks about their companies and how they're using ZFS
- As for BSDCan, more of their BSD presentations have been uploaded too...
- Ryan Stone, PCI SR-IOV on FreeBSD
- George Neville-Neil, Measure Twice, Code Once
- Kris Moore, Unifying jail and package management for PC-BSD, FreeNAS and FreeBSD
- Warner Losh, I/O Scheduling in CAM
- Kirk McKusick, An Introduction to the Implementation of ZFS
- Midori Kato, Extensions to FreeBSD Datacenter TCP for Incremental Deployment Support
- Baptiste Daroussin, Packaging FreeBSD's base system
- Matt Ahrens, New OpenZFS features supporting remote replication
- Ed Schouten, CloudABI: Cloud computing meets fine-grained capabilities
- The audio of Ingo Schwarze's talk "mandoc: becoming the main BSD manual toolbox" got messed up, but there's an alternate recording here, and the slides are here
***
SMP steroids for PF
- An Oracle employee that's been porting OpenBSD's PF to an upcoming Solaris release has sent in an interesting patch for review
- Attached to the mail was what may be the beginnings of making native PF SMP-aware
- Before you start partying, the road to SMP (specifically, giant lock removal) is a long and very complicated one, requiring every relevant bit of the stack to be written with it in mind - this is just one piece of the puzzle
- The initial response has been quite positive though, with some back and forth between developers and the submitter
- For now, let's be patient and see what happens
***
DragonFly 4.2.0 released
- DragonFlyBSD has released the next big update of their 4.x branch, complete with a decent amount of new features and fixes
- i915 and Radeon graphics have been updated, and DragonFly can claim the title of first BSD with Broadwell support in a release
- Sendmail in the base system has been replaced with their homegrown DragonFly Mail Agent, and there's a wiki page about configuring it
- They've also switched the default compiler to GCC 5, though why they've gone in that direction instead of embracing Clang is a mystery
- The announcement page also contains a list of kernel changes, details on the audio and graphics updates, removal of the SCTP protocol, improvements to the temperature sensors, various userland utility fixes and a list of updates to third party tools
- Work is continuing on the second generation HAMMER fil

95: Bitrot Group Therapy
This time on the show, we'll be talking some ZFS with Sean Chittenden. He's been using it on FreeBSD at Groupon, and has some interesting stories about how it's saved his data. Answers to your emails and all of this week's headlines, on BSD Now - the place to B.. SD.
Headlines
More BSDCan 2015 videos
- Almost as if we said it would happen last week, more BSD-related presentation videos have been uploaded
- Alexander Motin, Feature-rich and fast SCSI target with CTL and ZFS
- Daichi Goto, FreeBSD for High Density Servers
- Ken Moore, Lumina-DE
- Kevin Bowling, FreeBSD Operations at Limelight Networks
- Maciej Pasternacki, Jetpack, a container runtime for FreeBSD
- Ray Percival, Networking with OpenBSD in a virtualized environment
- Reyk Floeter, Introducing OpenBSD's new httpd
- Still more to come, hopefully
***
OpenBSD httpd rewrite support
- One of the most-requested features of OpenBSD's new HTTP daemon (in fact, you can hear someone asking about it in the video just above) is rewrite support
- There were concerns about regex code being too complicated and potentially allowing another attack surface, so that was out
- Instead, Reyk ported over an implementation of lua pattern matching while on the flight back from BSDCan, turning it into a C API without the lua bindings
- In the mailing list post, he shows an example of how to use it for redirects and provides the diff if you'd like to give it a try now
- It's since been committed to -current, so you can try it out with a snapshot too
***
SSH 2FA on FreeBSD
- We've discussed different ways to lock down SSH access to your BSD boxes before - use keys instead of passwords, whitelist IPs, or even use two-factor authentication
- This article serves as a sort of "roundup" on different methods to set up two-factor authentication on FreeBSD
- It touches on key pairs with a server-side password, google authenticator and a few other variations
- While the article is focused on FreeBSD, a lot of it can be easily applied to the others too
- OpenSSH has a great security record, but two-factor authentication is always a good thing to have for the most important systems
***
NetBSD 7.0-RC1 released
- NetBSD has just announced the first release candidate for the 7.0 branch, after a long delay since the initial beta (11 months ago)
- Some of the standout features include: improved KMS/DRM with support for modern GPUs, SMP support on ARM, lots of new ARM boards officially supported, GPT support in the installer, Lua kernel scripting, a multiprocessor USB stack, improvements to NPF (their firewall) and, optionally, Clang 3.6.1
- They're looking for as much testing as possible, so give it a try and report your findings to the release engineering team
***
Interview - Sean Chittenden - [email protected] / @seanchittenden
FreeBSD at Groupon, ZFS
News Roundup
OpenSMTPD and Dovecot
- We've covered a number of OpenSMTPD mail server guides on the show, each with just a little something different to offer than the last
- This blog post about it has something not mentioned before: virtual domains and virtual users
- This means you can easily have "[email protected]" and "[email protected]" both go to a local user on the box (or a different third address)
- It also covers SSL certificates, blocking spam and setting up IMAP access, the usual
- Now might also be a good time to test out OpenSMTPD 5.7.1-rc1, which we'll cover in more detail when it's released...
***
OctoPkg, a QT frontend to pkgng
- A PC-BSD user has begun porting over a graphical package management utility from Arch linux called Octopi
- Obviously, it needed to be rewritten to use FreeBSD's pkg system instead of pacman
- There are some basic instructions on how to get it built and running on the github page
- After some testing, it'll likely make its way to the FreeBSD ports tree
- Tools like this might make it easier for desktop users (who are used to similar things in Ubuntu or related distros) to switch over
***
AFL vs. mandoc, a quantitative analysis
- Ingo Schwarze has written a pretty detailed article about how he and other OpenBSD developers have been fuzzing mandoc with AFL
- It's meant to be accompanying material to his BSDCan talk, which already covered nine topics
- mandoc is an interesting example to stress test with fuzzing, since its main job is to take and parse some highly varying input
- The article breaks down the 45 different bugs that were found, based on their root cause
- If you're interested in secure coding practices, this'll be a great one to read
***
OpenZFS conference videos
- Videos from the second OpenZFS conference have just started to show up
- The first talk is by, you guessed it, Matt Ahrens
- In it, he covers some ZFS history, the Oracle takeover, the birth of illumos and OpenZFS, some administration basics and also some upcoming features that are being worked on
- There are also videos from Nexenta and HGST, talking about how they

94: Builder's Insurance
This week on the show, we'll be chatting with Marc Espie. He's recently added some additional security measures to dpb, OpenBSD's package building tool, and we'll find out why they're so important. We've also got all this week's news, answers to your emails and even a BSDCan wrap-up, coming up on BSD Now - the place to B.. SD.
Headlines
BSDCan 2015 videos
- BSDCan just ended last week, but some of the BSD-related presentation videos are already online
- Allan Jude, UCL for FreeBSD
- Andrew Cagney, What happens when a dwarf and a daemon start dancing by the light of the silvery moon?
- Andy Tanenbaum, A reimplementation of NetBSD using a MicroKernel
- Brooks Davis, CheriBSD: A research fork of FreeBSD
- Giuseppe Lettieri, Even faster VM networking with virtual passthrough
- Joseph Mingrone, Molecular Evolution, Genomic Analysis and FreeBSD
- Olivier Cochard-Labbe, Large-scale plug&play x86 network appliance deployment over Internet
- Peter Hessler, Using routing domains / routing tables in a production network
- Ryan Lortie, a stitch in time: jhbuild
- Ted Unangst, signify: Securing OpenBSD From Us To You
- Many more still to come...
***
Documenting my BSD experience
- Increasingly common scenario: a long-time Linux user (since the mid-90s) decides it's finally time to give BSD a try
- "That night I came home, I had been trying to find out everything I could about BSD and I watched many videos, read forums, etc. One of the shows I found was BSD Now. I saw that they helped people and answered questions, so I decided to write in."
- In this ongoing series of blog posts, a user named Michael writes about his initial experiences with trying different BSDs for some different tasks
- The first post covers ZFS on FreeBSD, used to build a file server for his house (and of course he lists the hardware, if you're into that)
- You get a glimpse of a brand new user trying things out, learning how great ZFS-based RAID arrays are and even some of the initial hurdles someone could run into
- He's also looking to venture into the realm of replacing some of his VMs with jails and bhyve soon
- His second post explores replacing the firewall on his self-described "over complicated home network" with an OpenBSD box
- After going from ipfwadmin to ipchains to iptables, not even making it to nftables, he found the simple PF syntax to be really refreshing
- All the tools for his networking needs, the majority of which are in the base system, worked quickly and were easy to understand
- Getting to hear experiences like this is very important - they show areas where all the BSD developers' hard work has paid off, but can also let us know where we need to improve
***
PC-BSD tries HardenedBSD builds
- The PC-BSD team has created a new branch of their git repo with the HardenedBSD ASLR patches integrated
- They're not the first major FreeBSD-based project to offer an alternate build - OPNsense did that a few weeks ago - but this might open the door for more projects to give it a try as well
- With Personacrypt, OpenNTPD, LibreSSL and recent Tor integration through the tools, these additional memory protections will offer PC-BSD users even more security that a default FreeBSD install won't have
- Time will tell if more projects and products like FreeNAS might be interested too
***
C-states in OpenBSD
- People who run BSD on their notebooks, you'll want to pay attention to this one
- OpenBSD has recently committed some ACPI improvements for deep C-states, enabling the processor to enter a low-power mode
- According to a few users so far, the change has resulted in dramatically lower CPU temperatures on their laptops, as well as much better battery life
- If you're running OpenBSD -current on a laptop, try out the latest snapshot and report back with your findings
***
NetBSD at Open Source Conference 2015 Hokkaido
- The Japanese NetBSD users group never sleeps, and they've hit yet another open source conference
- As is usually the case, lots of strange machines on display were running none other than NetBSD (though it was mostly ARM this time)
- We'll be having one of these guys on the show next week to discuss some of the lesser-known NetBSD platforms
***
Interview - Marc Espie - [email protected] / @espie_openbsd
Recent improvements to OpenBSD's dpb tool
News Roundup
Introducing xhyve, bhyve on OS X
- We've talked about FreeBSD's "bhyve" hypervisor a lot on the show, and now it's been ported to another OS
- As the name "xhyve" might imply, it's a port of bhyve to Mac OS X
- Currently it only has support for virtualizing a few Linux distributions, but more guest systems can be added in the future
- It runs entirely in userspace, and has no extra requirements beyond OS X 10.10 or newer
- There are also a few examples on how to use it
***
4K displays on DragonFlyBSD
- If you've been using DragonFly as a desktop, maybe with those nice Broadwell gra

93: Stacked in Our Favor
We're at BSDCan this week, but fear not! We've got a great interview with Sepherosa Ziehau, a DragonFly developer, about their network stack. After that, we'll be discussing different methods of containment and privilege separation. Assuming no polar bears eat us, we'll be back next week with more BSD Now - the place to B.. SD.
Interview - Sepherosa Ziehau - [email protected]
Features of DragonFlyBSD's network stack
Discussion
Comparing containment methods and privilege separation
- chroot, jails, systrace, capsicum, filesystem permissions, separating users
***
Feedback/Questions
- Brad writes in
- Anonymous writes in
- Benjamin writes in
- Jeroen writes in
***

92: BSD After Midnight
Coming up this week, we'll be chatting with Lucas Holt, founder of MidnightBSD. It's a slightly lesser-known fork of FreeBSD, with a focus on easy desktop use. We'll find out what's different about it and why it was created. Answers to your emails and all this week's news, on BSD Now - the place to B.. SD.
Headlines
Zocker, it's like docker on FreeBSD
- Containment is always a hot topic, and docker has gotten a lot of hype in Linux land in the last couple years - they're working on native FreeBSD support at the moment
- This blog post is about a docker-like script, mainly for ease-of-use, that uses only jails and ZFS in the base system
- In total, it's 1,500 lines of shell script
- The post goes through the process of using the tool, showing off all the subcommands and explaining the configuration
- In contrast to something like ezjail, Zocker utilizes the jail.conf system in the 10.x branch
***
Patrol Read in OpenBSD
- OpenBSD has recently imported some new code to support the Patrol Read function of some RAID controllers
- In a nutshell, Patrol Read is a function that lets you check the health of your drives in the background, similar to a zpool "scrub" operation
- The goal is to protect file integrity by detecting drive failures before they can damage your data
- It detects bad blocks and prevents silent data corruption, while marking any bad sectors it finds
***
HAMMER 2 improvements
- DragonFly BSD has been working on the second generation HAMMER FS
- It now uses LZ4 compression by default, which we've been big fans of in ZFS
- They've also switched to a faster CRC algorithm, further improving HAMMER's performance, especially when using iSCSI
***
FreeBSD foundation May update
- The FreeBSD foundation has published another update newsletter, detailing some of the things they've been up to lately
- In it, you'll find some development status updates: notably more ARM64 work and the addition of 64 bit Linux emulation
- Some improvements were also made to FreeBSD's release building process for non-X86 architectures
- There's also an AsiaBSDCon recap that covers some of the presentations and the dev events
- They also have an accompanying blog post where Glen Barber talks about more sysadmin and clusteradm work at NYI
***
Interview - Lucas Holt - [email protected] / @midnightbsd
MidnightBSD
News Roundup
The launchd on train is never coming
- Replacement of init systems has been quite controversial in the last few years
- Fortunately, the BSDs have avoided most of that conflict thus far, but there have been a few efforts made to port launchd from OS X
- This blog post details the author's opinion on why he thinks we're never going to have launchd in any of the BSDs
- Email us your thoughts on the matter
***
Native SSH comes to… Windows
- In what may be the first (and last) mention of Microsoft on BSD Now...
- They've just recently announced that PowerShell will get native SSH support in the near future
- It's not based on the commercial SSH either, it's the same one from OpenBSD that we already use everywhere
- Up until now, interacting between BSD and Windows has required something like PuTTY, WinSCP, FileZilla or Cygwin - most of which are based on really outdated versions
- The announcement also promises that they'll be working with the OpenSSH community, so we'll see how many Microsoft-submitted patches make it upstream (or how many donations they make)
***
Moving to FreeBSD
- This blog post describes a long-time Linux user's first BSD switching experience
- The author first talks about his Linux journey, eventually coming to love the more customization-friendly systems, but the journey ended with systemd
- After doing a bit of research, he gave FreeBSD a try and ended up liking it - the rest of the post mostly covers why that is
- He also plans to write about his experience with other BSDs, and is writing some tutorials too - we'll check in with him again later on
***
Feedback/Questions
- Adam writes in
- Dan writes in
- Ivan writes in
- Josh writes in
***

91: Vox Populi
This week on the show, we've got something pretty different. We went to a Linux convention and asked various people if they've ever tried BSD and what they know about it. Stay tuned for that, all this week's news and, of course, answers to your emails, on BSD Now - the place to B.. SD.
Headlines
LUKS in OpenBSD
- Last week, we were surprised to find out that DragonFlyBSD has support for dm-crypt, sometimes referred to as LUKS (Linux Unified Key Setup)
- It looks like they might not be the only BSD with support for it for much longer, as OpenBSD is currently reviewing a patch for it as well
- LUKS would presumably be an additional option in OpenBSD's softraid system, which already provides native disk encryption
- Support hasn't been officially committed yet, it's still going through testing, but the code is there if you want to try it out and report your findings
- If enabled, this might pave the way for the first (semi-)cross platform encryption scheme since the demise of TrueCrypt (and maybe other BSDs will get it too in time)
***
FreeBSD gets 64bit Linux emulation
- For those who might be unfamiliar, FreeBSD has an emulation layer to run Linux-only binaries (as rare as they may be)
- The most common use case is for desktop users, enabling them to run proprietary applications like Adobe Flash or Skype
- Similar systems can also be found in NetBSD and OpenBSD (though disabled by default on the latter)
- However, until now, it's only supported binaries compiled for the i386 architecture
- This new update, already committed to -CURRENT, will open some new possibilities that weren't previously possible
- Meanwhile, HardenedBSD considers removing the emulation layer entirely
***
BSD at Open Source Conference 2015 Nagoya
- We've covered the Japanese NetBSD users group setting up lots of machines at various conferences in the past, but now they're expanding
- Their latest report includes many of the NetBSD things you'd expect, but also a couple OpenBSD machines
- Some of the NetBSD ones included a Power Mac G4, SHARP NetWalker, Cubieboard2 and the not-so-foreign Raspberry Pi
- One new addition of interest is the OMRON LUNA88k, running the luna88k port of OpenBSD
- There was even an old cell phone running Windows games on NetBSD
- Check the mailing list post for some links to all of the nice pictures
***
LLVM introduces OpenMP support
- One of the things that has kept some people in the GCC camp is the lack of OpenMP support in LLVM
- According to the blog post, it "enables Clang users to harness full power of modern multi-core processors with vector units"
- With Clang being the default in FreeBSD, Bitrig and OS X, and with some other BSDs exploring the option of switching, the need for this potential speed boost was definitely there
- This could also open some doors for more BSD in the area of high performance computing, putting an end to the current Linux monopoly
***
Interview - Eric, FSF, John, Jose, Kris and Stewart
Various "man on the street" style mini-interviews
News Roundup
BSD-licensed gettext replacement
- If you've ever installed ports on any of the BSDs, you've probably had GNU's gettext pulled in as a dependency
- Wikipedia says "gettext is an internationalization and localization (i18n) system commonly used for writing multilingual programs on Unix-like computer operating systems"
- A new BSD-licensed rewrite has begun, with the initial version being for NetBSD (but it's likely to be portable)
- If you've got some coding skills, get involved with the project - the more freely-licensed replacements, the better
***
Unix history git repo
- A git repository was recently created to show off some Unix source code history
- The repository contains 659 thousand commits and 2306 merges
- You can see early 386BSD commits all the way up to some of the more modern FreeBSD code
- If you want to browse through the giant codebase, it can be a great history lesson
***
PCBSD 10.1.2 and Lumina updates
- We mentioned 10.1.1 being released last week (and all the cool features a couple weeks before) but now 10.1.2 is out
- This minor update contained a few hotfixes: RAID-Z installation, cache and log devices and the text-only installer in UEFI mode
- There's also a new post on the PCBSD blog about Lumina, answering some frequently asked questions and giving a general status update
***
Feedback/Questions
- Jake writes in
- Van writes in
- Anonymous writes in
- Dominik writes in (text answer)
- Chris writes in
***
Mailing List Gold
- Death by chocolate
***

90: ZFS Armistice
This time on the show, we'll be chatting with Jed Reynolds about ZFS. He's been using it extensively on a certain other OS, and we can both learn a bit about the other side's implementation. Answers to your questions and all this week's news, coming up on BSD Now - the place to B.. SD.
Headlines
Playing with sandboxing
- Sandboxing and privilege separation are popular topics these days - they're the goal of the new "shill" scripting language, they're used heavily throughout OpenBSD, and they're gaining traction with the capsicum framework
- This blog post explores capsicum in FreeBSD, some of its history and where it's used in the base system
- They also include some code samples so you can verify that capsicum is actually denying the program access to certain system calls
- Check our interview about capsicum from a while back if you haven't seen it already
***
OpenNTPD on by default
- OpenBSD has enabled ntpd by default in the installer, rather than prompting the user if they want to turn it on
- In nearly every case, you're going to want to have your clock synced via NTP
- With the HTTPS constraints feature also enabled by default, this should keep the time checked and accurate, even against spoofing attacks
- Lots of problems can be traced back to the time on one system or another being wrong, so this will also eliminate some of those cases
- For those who might be curious, they're using the "pool.ntp.org" cluster of addresses and google for HTTPS constraints (but these can be easily changed)
***
FreeBSD workshop in Landshut
- We mentioned a BSD installfest happening in Germany a few weeks back, and the organizer wrote in with a review of the event
- The installfest instead became a "FreeBSD workshop" session, introducing curious new users to some of the flagship features of the OS
- They covered when to use UFS or ZFS, firewall options, the release/stable/current branches and finally how to automate installations with Ansible
- If you're in south Germany and want to give similar introduction talks or Q&A sessions about the other BSDs, get in touch
- We'll hear more from him about how it went in the feedback section today
***
Swap encryption in DragonFly
- Doing full disk encryption is very important, but something that people sometimes overlook is encrypting their swap
- This can actually be more important than the contents of your disks, especially if an unencrypted password or key hits your swap (as it can be recovered quite easily)
- DragonFlyBSD has added a new experimental option to automatically encrypt your swap partition in fstab
- There was another way to do it previously, but this is a lot easier
- You can achieve similar results in FreeBSD by adding ".eli" to the end of the swap device in fstab, there are a few steps to do it in NetBSD and swap in OpenBSD is encrypted by default
- A one-time key will be created and then destroyed in each case, making recovery of the plaintext nearly impossible
***
Interview - Jed Reynolds - [email protected] / @jed_reynolds
Comparing ZFS on Linux and FreeBSD
News Roundup
USB thermometer on OpenBSD
- So maybe you've got BSD on your server or router, maybe NetBSD on a toaster, but have you ever used a thermometer with one?
- This blog post introduces the RDing TEMPer Gold USB thermometer, a small device that can tell the room temperature, and how to get it working on OpenBSD
- Wouldn't you know it, OpenBSD has a native "ugold" driver to support it with the sensors framework
- How useful such a device would be is another story though
***
NAS4Free now on ARM
- We talk a lot about hardware for network-attached storage devices on the show, but ARM doesn't come up a lot
- That might be changing soon, as NAS4Free has just released some ARM builds
- These new (somewhat experimental) images are based on FreeBSD 11-CURRENT
- Included in the announcement is a list of fully-supported and partially-supported hardware that they've tested it with
- If anyone has experience with running a NAS on slightly exotic hardware, write in to us
***
pkgsrcCon 2015 CFP and info
- This year's pkgsrcCon will be in Berlin, Germany on July 4th and 5th
- They're looking for talk proposals and ideas for things you'd like to see
- If you or your company uses pkgsrc, or if you're just interested in NetBSD in general, it would be a good event to check out
***
BSDTalk episode 253
- BSDTalk has released another new episode
- In it, he interviews George Neville-Neil about the 2nd edition of "The Design and Implementation of the FreeBSD Operating System"
- They discuss what's new since the last edition, who the book's target audience is and a lot more
- We're up to 90 episodes now, slowly catching up to Will...
***
Feedback/Questions
- Dominik writes in
- Brad writes in
- Corvin writes in
- James writes in
***

89: Exclusive Disjunction
This week on the show, we'll be talking to Mike Larkin about various memory protections in OpenBSD. We'll cover recent WX improvements, SSP, ASLR, PIE and all kinds of acronyms! We've also got a bunch of news and answers to your questions, coming up on BSD Now - the place to B.. SD.
Headlines
OpenSMTPD for the whole family
- Setting up a BSD mail server is something a lot of us are probably familiar with doing, at least for our own accounts
- This article talks about configuring a home mail server too, but even for the other people you live with
- After convincing his wife to use their BSD-based Owncloud server for backups, the author talks about moving her over to his brand new OpenSMTPD server too
- If you've ever run a mail server and had to deal with greylisting, you'll appreciate the struggle he went through
- In the end, BGP-based list distribution saved the day, and his family is being served well by a BSD box
***
NetBSD on the Edgerouter Lite
- We've talked a lot about building your own BSD-based router on the show, but not many of the devices we mention are in the same price range as consumer devices
- The EdgeRouter Lite, a small MIPS-powered machine, is starting to become popular (and is a bit cheaper)
- A NetBSD developer has been hacking on it, and documents the steps to get a working install in this blog post
- The process is fairly simple, and you can cross-compile your own installation image on any CPU architecture (even from another BSD!)
- OpenBSD and FreeBSD also have some support for these devices
***
Bitrig at NYC*BUG
- The New York City BSD users group has semi-regular meetings with presentations, and this time the speaker was John Vernaleo
- John discussed Bitrig, an OpenBSD fork that we've talked about a couple times on the show
- He talks about what they've been up to lately, why they're doing what they're doing, and the differences in supported platforms
- Ports and packages between the two projects are almost exactly the same, but he covers the differences in the base systems, how (some) patches get shared between the two and finally some development model differences
***
OPNsense, meet HardenedBSD
- Speaking of forks, two FreeBSD-based forked projects we've mentioned on the show, HardenedBSD and OPNsense, have decided to join forces
- Backporting their changes to the 10-STABLE branch, HardenedBSD hopes to introduce some of their security additions to the OPNsense codebase
- Paired up with LibreSSL, this combination should offer a good solution for anyone wanting a BSD-based firewall with an easy web interface
- We'll cover more news on the collaboration as it comes out
***
Interview - Mike Larkin - [email protected] / @mlarkin2012
Memory protections in OpenBSD: WX, ASLR, PIE, SSP
News Roundup
A closer look at FreeBSD
- The week wouldn't be complete without at least one BSD article making it to a mainstream tech site
- This time, it's a high-level overview of FreeBSD, some of its features and where it's used
- Being that it's an overview article on a more mainstream site, you won't find anything too technical - it covers some BSD history, stability, ZFS, LLVM and Clang, ports and packages, jails and the licensing
- If you have any BSD-curious Linux friends, this might be a good one to send to them
***
Linksys NSLU2 and NetBSD
- The Linksys NSLU2 is a proprietary network-attached storage device introduced back in 2004
- "About 2 months ago I set a goal to run some kind of BSD on the spare Linksys NSLU2 I had. This was driven mostly by curiosity, after listening to a few BSDNow episodes and becoming a regular listener [...]"
- After doing some research, the author of this post discovered that he could cross-compile NetBSD for the device straight from his Linux box
- If you've got one of these old devices kicking around, check out this write-up and get some BSD action on there
***
OpenBSD disklabel templates
- We've covered OpenBSD's "autoinstall" feature for unattended installations in the past, but one area where it didn't offer a lot of customization was with the disk layout
- With a few recent changes, there are now a series of templates you can use for a completely customized partition scheme
- This article takes you through the process of configuring an autoinstall answer file and adding the new section for disklabel
- Combine this new feature with our -stable iso tutorial, and you could deploy completely patched and customized images en masse pretty easily
***
FreeBSD native ARM builds
- FreeBSD -CURRENT builds for the ARM CPU architecture can now be built natively, without utilities that aren't part of base
- Some of the older board-specific kernel configuration files have been replaced, and now the "IMC6" target is used
- This goes along with what we read in the most recent quarterly status report - ARM is starting to get treated as a first class citizen
***
Feedback/Questions
- Sean writes in
- Ron

88: Below the Clouds
This time on the show, we'll be talking with Ed Schouten about CloudABI. It's a new application binary interface with a strong focus on isolation and restricted capabilities. As always, all this week's BSD news and answers to your emails, on BSD Now - the place to B.. SD.

Headlines

FreeBSD quarterly status report
The FreeBSD team has posted a report of the activities that went on between January and March of this year
As usual, it's broken down into separate reports from the various teams in the project (ports, kernel, virtualization, etc)
The ports team continued battling the flood of PRs, closing quite a lot of them and boasting nearly 7,000 commits this quarter
The core team and cluster admins dealt with the accidental deletion of the Bugzilla database, and are making plans for an improved backup strategy within the project going forward
FreeBSD's future release support model was also finalized and published in February, which should be a big improvement for both users and the release team
Some topics are still being discussed internally, mainly MFCing ZFS ARC responsiveness patches to the 10 branch and deciding whether to maintain or abandon C89 support in the kernel code
Lots of activity is happening in bhyve, some of which we've covered recently, and a number of improvements were made this quarter
Clang, LLVM and LLDB have been updated to the 3.6.0 branch in -CURRENT
Work to get FreeBSD booting natively on the POWER8 CPU architecture is also still in progress, but it does boot in KVM for the time being
The project to replace forth in the bootloader with lua is in its final stages, and can be used on x86 already
ASLR work is still being done by the HardenedBSD guys, and their next aim is position-independent executables
The report also touches on multipath TCP support, the new automounter, opaque ifnet, pkgng updates, secureboot (which should be in 10.2-RELEASE), GNOME and KDE on FreeBSD, PCIe hotplugging, nested kernel support and more
Also of note: work is going on to make ARM a Tier 1 platform in the upcoming 11.0-RELEASE (and support for more ARM boards is still being added, including ARM64)
***

OpenBSD 5.7 released
OpenBSD has formally released another new version, complete with the giant changelog we've come to expect
In the hardware department, 5.7 features many driver improvements and fixes, as well as support for some new things: USB 3.0 controllers, newer Intel and Atheros wireless cards and some additional 10gbit NICs
If you're using one of the Soekris boards, there's even a new driver to manipulate the GPIO and LEDs on them - this has some fun possibilities
Some new security improvements include: SipHash being sprinkled in some areas to protect hashing functions, big W^X improvements in the kernel space, static PIE on all architectures, deterministic "random" functions being replaced with strong randomness, and support for remote logging over TLS
The entire source tree has also been audited to use reallocarray, which unintentionally saved OpenBSD's libc from being vulnerable to earlier attacks affecting other BSDs' implementations
Being that it's OpenBSD, a number of things have also been removed from the base system: procfs, sendmail, SSLv3 support and loadable kernel modules are all gone now (not to mention the continuing massacre of dead code in LibreSSL)
Some people seem to be surprised about the removal of loadable modules, but almost nothing utilized them in OpenBSD, so it was really just removing old code that no one used anymore - very different from FreeBSD or Linux in this regard, where kernel modules are used pretty heavily
BIND and nginx have been taken out, so you'll need to either use the versions in ports or switch to Unbound and the in-base HTTP daemon
Speaking of httpd, it's gotten a number of new features, and has had time to grow and mature since its initial debut - if you've been considering trying it out, now would be a great time to do so
This release also includes the latest OpenSSH (with stronger fingerprint types and host key rotation), OpenNTPD (with the HTTPS constraints feature), OpenSMTPD, LibreSSL and mandoc
Check the errata page for any post-release fixes, and the upgrade guide for specific instructions on updating from 5.6
Groundwork has also been laid for some major SMP scalability improvements - look forward to those in future releases
There's a song and artwork to go along with the release as always, and CDs should be arriving within a few days - we'll show some pictures next week
Consider picking one up to support the project (and it's the only way to get puffy stickers)
For those of you paying close attention, the banner image for this release just might remind you of a certain special episode of BSD Now...
***

Tor-BSD diversity project
We've talked about Tor on the show a few times, and specifically about getting more of the network on

87: On the List
Coming up this time on the show, we'll be speaking with Christos Zoulas, a NetBSD security officer. He's got a new project called blacklistd, with some interesting possibilities for stopping bruteforce attacks. We've also got answers to your emails and all this week's news, on BSD Now - the place to B.. SD.

Headlines

New PAE support in OpenBSD
OpenBSD has just added Physical Address Extension support to the i386 architecture, but it's probably not what you'd think of when you hear the term
In most operating systems, PAE's main advantage is to partially circumvent the 4GB memory limit on 32 bit platforms - this version isn't for that
Instead, this change specifically allows the system to use the No-eXecute Bit of the processor for the userland, further hardening the in-place memory protections
Other operating systems enable the CPU feature without doing anything to the page table entries, so they do get the available memory expansion, but don't get the potential security benefit
As we discussed in a previous episode, the AMD64 platform already saw some major W^X kernel and userland improvements - the i386 kernel reworking will begin shortly
Not all CPUs support this feature, but, if yours supports NX, this will improve upon the previous version of W^X that was already there
The AMD64 improvements will be in 5.7, due out in just a couple days as of when we're recording this, but the i386 improvements will likely be in 5.8
***

Booting Windows in bhyve
Work on FreeBSD's bhyve continues, and a big addition is on the way
Thus far, bhyve has only been able to boot operating systems with a serial console - no VGA, no graphics, no Windows
This is finally changing, and a teasing screenshot of Windows Server was recently posted on Twitter
Graphics emulation is still in the works; this image was taken by booting headless and using RDP
A lot of the needed code is being committed to -CURRENT now, but the UEFI portion of it requires a bit more development (and the aim for that is around the time of BSDCan)
Not a lot of details on the matter currently, but we'll be sure to bring you more info as it comes out
Are you more interested in bhyve or Xen on FreeBSD? Email us your thoughts
***

MidnightBSD 0.6 released
MidnightBSD is a smaller project we've not covered a lot on the show before
It's an operating system that was forked from FreeBSD back in the 6.1 days, and their focus seems to be on ease-of-use
They also have their own, smaller version of FreeBSD ports, called "mports"
If you're already using it, this new version is mainly a security and bugfix release
It syncs up with the most recent FreeBSD security patches and gets a lot of their ports closer to the latest versions
You can check their site for more information about the project
We're trying to get the lead developer to come on for an interview, but haven't heard anything back yet
***

OpenBSD rewrites the file utility
We're all probably familiar with the traditional file command - it's been around since the 1970s
For anyone who doesn't know, it's used to determine what type of file something actually is
This tool doesn't see a lot of development these days, and it's had its share of security issues as well
Some of those security issues remain unfixed in various BSDs even today, despite being publicly known for a while
It's not uncommon for people to run file on random things they download from the internet, maybe even as root, and some of the previous bugs have allowed file to overwrite other files or execute code as the user running it
When you think about it, file was technically designed to be used on untrusted files
OpenBSD developer Nicholas Marriott, who also happens to be the author of tmux, decided it was time to do a complete rewrite - this time with modern coding practices and the usual OpenBSD scrutiny
This new version will, by default, run as an unprivileged user with no shell, and in a systrace sandbox, strictly limiting what system calls can be made
With these two things combined, it should drastically reduce the damage a malicious file could potentially do
Ian Darwin, the original author of the utility, saw the commit and replied, in what may be a moment in BSD history to remember
It'll be interesting to see if the other BSDs, OS X, Linux or other UNIXes consider adopting this implementation in the future - someone's already thrown together an unofficial portable version
Coincidentally, the lead developer and current maintainer of file just happens to be our guest today…
***

Interview - Christos Zoulas - [email protected]
blacklistd and NetBSD advocacy

News Roundup

GSoC-accepted BSD projects
The Google Summer of Code people have published a list of all the projects that got accepted this year, and both FreeBSD and OpenBSD are on that list
FreeBSD's list includes: NE2000 device model in userspace for

86: Business as Usual
Coming up this time on the show, we'll be chatting with Antoine Jacoutot about how M:Tier uses BSD in their business. After that, we'll be discussing the different release models across the BSDs, and which style we like the most. As always, answers to your emails and all the latest news, on BSD Now - the place to B.. SD.

Headlines

Optimizing TLS for high bandwidth applications
Netflix has released a report on some of their recent activities, pushing lots of traffic through TLS on FreeBSD
TLS has traditionally had too much overhead for the levels of bandwidth they're using, so this pdf outlines some of their strategy in optimizing it
The sendfile() syscall (which nginx uses) isn't available when data is encrypted in userland
To get around this, Netflix is proposing to add TLS support to the FreeBSD kernel
Having encrypted movie streams would be pretty neat
***

Crypto in unexpected places
OpenBSD is somewhat known for its integrated cryptography, right down to strong randomness in every place you could imagine (process IDs, TCP initial sequence numbers, etc)
One place you might not expect crypto to be used (or even needed) is in the "ping" utility, right? Well, think again
David Gwynne recently committed a change that adds a MAC to the ping timestamp payload
By default, it'll be filled with a ChaCha stream instead of an unvarying payload, and David says "this lets us have some confidence that the timestamp hasn't been damaged or tampered with in transit"
Not only is this a security feature, but it should also help detect dodgy or malfunctioning network equipment going forward
Maybe we can look forward to a cryptographically secure "echo" command next...
***

Broadwell in DragonFly
The DragonFlyBSD guys have started a new page on their wiki to discuss Broadwell hardware and its current status
Matt Dillon, the project lead, recently bought some hardware with this chipset, and lays out what works and what doesn't work
The two main show-stoppers right now are the graphics and wireless, but they have someone who's already making progress with the GPU support
Wireless support will likely have to wait until FreeBSD gets it, then they'll port it back over
None of the BSDs currently have full Broadwell support, so stay tuned for further updates
***

DIY NAS software roundup
In this blog post, the author compares a few different software solutions for a network attached storage device
He puts FreeNAS, one of our favorites, up against a number of opponents - both BSD and Linux-based
NAS4Free gets an honorable mention as well, particularly for its lower hardware requirements and sleek interface
If you've been thinking about putting together a NAS, but aren't quite comfortable enough to set it up by yourself yet, this article should give you a good view of the current big names
Some competition is always good, gotta keep those guys on their toes
***

Interview - Antoine Jacoutot - [email protected] / @ajacoutot
OpenBSD at M:Tier, business adoption of BSD, various topics

News Roundup

OpenBSD on DigitalOcean
When DigitalOcean rolled out initial support for FreeBSD, it was a great step in the right direction - we hoped that all the other BSDs would soon follow
This is not yet the case, but a blog article here has details on how you can install OpenBSD (and likely the others too) on your VPS
Using a -current snapshot and some swapfile trickery, it's possible to image an OpenBSD ramdisk installer onto an unmounted portion of the virtual disk
After doing so, you just boot from their web UI-based console and can perform a standard installation
You will have to pay special attention to some details of the disk layout, but this article takes you through the entire process step by step
***

Initial ARM64 support lands in FreeBSD
The ARM64 architecture, sometimes called ARMv8 or AArch64, is a new generation of CPUs that will mostly be in embedded devices
FreeBSD has just gotten support for this platform in the -CURRENT branch
Previously, it was only the beginnings of the kernel and enough bits to boot in QEMU - now a full build is possible
Work should now start happening in the main source code tree, and hopefully they'll have full support in a branch soon
***

Scripting with least privilege
A new scripting language with a focus on privilege separation and running with only what's absolutely needed has been popular in the headlines lately
Shell scripts are used everywhere today: startup scripts, orchestration scripts for mass deployment, configuring and compiling software, etc.
Shill aims to answer the questions "how do we limit the authority of scripts" and "how do we determine what authority is necessary" by including a declarative security policy that's checked and enforced by the language runtime
If used on FreeBSD, Shill will use Capsicum for sandboxing
You can find some more of the techn

85: PIE in the Sky
This time on the show, we'll be talking with Pascal Stumpf about static PIE in the upcoming OpenBSD release. He'll tell us what types of attacks it prevents, and why it's such a big deal. We've also got answers to questions from you in the audience and all this week's news, on BSD Now - the place to B.. SD.

Headlines

Solaris' networking future is with OpenBSD
A curious patch from someone with an Oracle email address was recently sent in to one of the OpenBSD mailing lists
It was revealed that future releases of Solaris are going to drop their IPFilter firewall entirely, in favor of a port of the current version of PF
For anyone unfamiliar with the history of PF, it was actually made as a replacement for IPFilter in OpenBSD, due to some licensing issues
What's more, Solaris was the original development platform for IPFilter, so the fact that it would be replaced in its own home is pretty interesting
This blog post goes through some of the backstory of the two firewalls
PF is in a lot of places - other BSDs, Mac OS X and iOS - but there are plenty of other OpenBSD-developed technologies that end up ported to other projects too
"Many of the world's largest corporations and government agencies are heavy Solaris users, meaning that even if you're neither an OpenBSD user or a Solaris user, your kit is likely interacting intensely with both kinds, and with Solaris moving to OpenBSD's PF for their filtering needs, we will all be benefiting even more from the OpenBSD project's emphasis on correctness, quality and security"
You're welcome, Oracle
***

BAFUG discussion videos
The Bay Area FreeBSD users group has been uploading some videos from their recent meetings
Sean Bruno gave a recap of his experiences at EuroBSDCon last year, including the devsummit and some proposed ideas from it (as well as their current status)
Craig Rodrigues also gave a talk about Kyua and the FreeBSD testing framework
Lastly, Kip Macy gave a talk titled "network stack changes, user-level FreeBSD"
The main two subjects there are some network stack changes, and how to get more people contributing, but there's also open discussion about a variety of FreeBSD topics
If you're close to the Bay Area in California, be sure to check out their group and attend a meeting sometime
***

More than just a makefile
If you're not a BSD user just yet, you might be wondering how the various ports and pkgsrc systems compare to the binary way of doing things on Linux
This blog entry talks about the ports system in OpenBSD, but a lot of the concepts apply to all the ports systems across the BSDs
As it turns out, the ports system really isn't that different from a binary package manager - they are what's used to create binary packages, after all
The author goes through what makefiles do, customizing which options software is compiled with, patching source code to build and getting those patches back upstream
After that, he shows you how to get your new port tested, if you're interested in doing some porting yourself, and getting involved with the rest of the community
This post is very long and there's a lot more to it, so check it out (and more discussion on Hacker News)
***

Securing your home fences
Hopefully all our listeners have realized by now that trusting your network(s) to a consumer router is a bad idea
We hear from a lot of users who want to set up some kind of BSD-based firewall, but don't hear back from them after they've done it... until now
In this post, someone goes through the process of setting up a home firewall using OPNsense on a PCEngines APU board
He notes that you have a lot of options software-wise, including vanilla FreeBSD, OpenBSD or even Linux, but decided to go with OPNsense because of the easy interface and configuration
The post covers all the hardware you'll need, getting the OS installed to a flash drive or SD card and going through the whole process
Finally, he goes through setting up the firewall with the graphical interface, applying updates and finishing everything up
If you don't have any experience using a serial console, this guide also has some good info for beginners about those (which also applies to regular FreeBSD)
We love super-detailed guides like this, so everyone should write more and send them to us immediately
***

Interview - Pascal Stumpf - [email protected]
Static PIE in OpenBSD

News Roundup

LLVM's new libFuzzer
We've discussed fuzzing on the show a number of times, albeit mostly with the American Fuzzy Lop utility
It looks like LLVM is going to have their own fuzzing tool too now
The Clang and LLVM guys are no strangers to this type of code testing, but decided to "close the loop" and start fuzzing parts of LLVM (including Clang) using LLVM itself
With Clang being the default in both FreeBSD and Bitrig, and with the other BSDs considering the switch, t

84: pkg remove freebsd-update
On this week's mini-episode, we'll be talking with Baptiste Daroussin about packaging the FreeBSD base system with pkgng. Is this the best way going forward, or are we getting dangerously close to being Linux-like? We'll find out, and also get to a couple of your emails while we're at it, on BSD Now - the place to B.. SD.

Headlines

Xen dom0 in FreeBSD 11-CURRENT
FreeBSD has just gotten dom0 support for the Xen hypervisor, something NetBSD has had for a while now
The ports tree will now have a Xen kernel and toolstack, meaning that they can be updated much more rapidly than if they were part of base
It's currently limited to Intel boxes with EPT and a working IOMMU, running a recent version of the -CURRENT branch, but we'll likely see it when 11.0 comes out
How will this affect interest in Bhyve?
***

A tale of two educational moments
Here we have a blog post from an OpenBSD developer about some experiences he had helping people get involved with the project
It's split into two stories: one that could've gone better, and one that went really well
For the first one, he found that someone was trying to modify a package from their ports tree to have fewer dependencies
Experience really showed its worth, and he was able to write a quick patch to do exactly what the other person had been working on for a few hours - but wasn't so encouraging about getting it committed
In the second story, he discussed updating a different port with a user of a forum, and ended up improving the new user's workflow considerably with just a few tips
The lesson to take away from this is that we can all help out to encourage and assist new users - everyone was a newbie once
***

What's coming in NetBSD 7
We first mentioned NetBSD 7.0 on the show in July of 2014, but it still hasn't been released and there hasn't been much public info about it
This blog post outlines some of the bigger features that we can expect to see when it actually does come out
Their total platform count is now over 70, so you'd be hard-pressed to find something that it doesn't run on
There have been a lot of improvements in the graphics area, particularly with DRM/KMS, including Intel Haswell and Nouveau (for nVidia cards)
Many ARM boards now have full SMP support
Clang has also finally made its way into the base system, something we're glad to see, and it should be able to build the base OS on i386, AMD64 and ARM - other architectures are still a WIP
In the crypto department: their PRNG has switched from the broken RC4 to the more modern ChaCha20, OpenSSL has been updated in base and LibreSSL is in pkgsrc
NetBSD's in-house firewall, npf, has gotten major improvements since its initial debut in NetBSD 6.0
Looking to the future, NetBSD hopes to integrate a stable ZFS implementation later on
***

OpenZFS office hours
We mentioned a couple weeks back that the OpenZFS office hours series was starting back up
They've just uploaded the recording of their most recent freeform discussion, with Justin Gibbs being the main presenter
In it, they cover how Justin got into ZFS, running in virtualized environments, getting patches into the different projects, getting more people involved, reviewing code, spinning disks vs SSDs, defragging, speeding up resilvering, zfsd and much more
***

Interview - Baptiste Daroussin - [email protected]
Packaging the FreeBSD base system with pkgng

Discussion
Packaging the FreeBSD base system with pkgng (follow-up)

Feedback/Questions
Jeff writes in
Anonymous writes in
Alex writes in
Joris writes in
***

Mailing List Gold
ok feedback@
***

83: woN DSB
Coming up this week on the show, we'll be talking to Kamila Součková, a Google intern. She's been working on the FreeBSD pager daemon, and also tells us about her initial experiences trying out BSD and going to a conference. As always, all the week's news and answers to your emails, on BSD Now - the place to B.. SD.

Headlines

Major changes coming in PCBSD 11
The PCBSD team has announced that version 11.0 will have some more pretty big changes (as they've been known to do lately with NTP daemons and firewalls)
Switching from PF to IPFW provided some benefits for VIMAGE, but the syntax was just too complicated for regular everyday users
To solve this, they've ported over Linux's iptables, giving users a much more straightforward configuration
While ZFS has served them well as the default filesystem for a while, Kris decided that Btrfs would be a better choice going forward
Since the FreeBSD kernel doesn't support it natively, all filesystem calls will be through FUSE from now on - performance is Good Enough
People often complain about PCBSD's huge ISO download, so, to save space, the default email client will be switched to mutt, and KDE will be replaced with DWM as the default window manager
To reconfigure it, or make any appearance changes, users just need to edit a simple C header file and recompile - easy peasy
As we've mentioned on the show, PCBSD has been promoting safe backup solutions for a long time with its "life preserver" utility, making it simple to manage multiple snapshots too
To test if people have been listening to this advice, Kris recently activated the backdoor he put in life preserver that deletes all the users' files - hope you had that stuff backed up
***

NetBSD and FreeBSD join forces
The BSD community has been running into one of the same problems Linux has lately: we just have too many different BSDs to choose from
What's more, none of them have any specific areas they focus on or anything like that (they're all basically the same)
That situation is about to improve somewhat, as FreeBSD and NetBSD have just merged codebases... say hello to FretBSD
Within a week, all mailing lists and webservers for the legacy NetBSD and FreeBSD projects will be terminated - the mailing list for the new combined project will be hosted from the United Nations datacenter on a Microsoft Exchange server
As UN monitors will be moderating the mailing lists to prevent disagreements and divisive arguments before they begin, this system is expected to be adequate for the load
With FretBSD, your toaster can now run ZFS, so you'll never need to worry about the bread becoming silently corrupted again
***

Puffy in the cloud
If you've ever wanted to set up a backup server, especially for family members or someone who's not as technology-savvy, you've probably realized there are a lot of options
This post explores the option of setting up your own Dropbox-like service with Owncloud and PostgreSQL, running atop the new OpenBSD http daemon
Doing it this way with your own setup, you can control all the security aspects - disk encryption, firewall rules, who can access what and from where, etc
He also mentions our pf tutorial being helpful in blocking script kiddies from hammering the box
Be sure to encourage your less-technical friends to always back up their important data
***

NetBSD at AsiaBSDCon
Some NetBSD developers have put together a report of what they did at the most recent event in Tokyo
It includes a wrap-up of the event, as well as a list of presentations that NetBSD developers gave
Have you ever wanted even more pictures of NetBSD running on lots of devices? There's a never-ending supply, apparently
At the BSD research booth of AsiaBSDCon, there were a large number of machines on display, and someone has finally uploaded pictures of all of them
There's also a video of an OMRON LUNA-II running the luna68k port
***

Interview - Kamila Součková - [email protected] / @anotherkamila
BSD conferences, Google Summer of Code, various topics

News Roundup

FreeBSD foundation March update
The FreeBSD foundation has published their March update for fundraising and sponsored projects
In the document, you'll find information about upcoming ARMv8 enhancements, some event recaps and a Google Summer of Code status update
They also mention our interview with the foundation president - be sure to check it out if you haven't
***

Inside OpenBSD's new httpd
BSD news continues to dominate mainstream tech news sites… well not really, but they talk about it once in a while
The SD Times is featuring an article about OpenBSD's in-house HTTP server, after seeing Reyk's AsiaBSDCon presentation about it (which he's giving at BSDCan this year, too)
In this article, they talk about the rapid transition of webservers in the base system - apache being replaced with nginx, only to be replaced with httpd short

82: SSL in the Wild
Coming up this week, we'll be chatting with Bernard Spil about wider adoption of LibreSSL in other communities. He's been doing a lot of work with FreeBSD ports specifically, but also working with upstream projects. As usual, all this week's news and answers to your questions, on BSD Now - the place to B.. SD.

Headlines

EuroBSDCon 2015 call for papers
The call for papers has been announced for the next EuroBSDCon, which is set to be held in Sweden this year
According to their site, the call for presentation proposals will run from Monday the 23rd of March until Friday the 17th of April
If giving a full talk isn't your thing, there's also a call for tutorials - if you're comfortable teaching other people about something BSD-related, this could be a great thing too
You're not limited to one proposal - several speakers gave multiple in 2014 - so don't hesitate if you've got more than one thing you'd like to talk about
We'd like to see a more balanced conference schedule than BSDCan's having this year, but that requires effort on both sides - if you're doing anything cool with any BSD, we'd encourage you to submit a proposal (or two)
Check the announcement for all the specific details and requirements
If your talk gets accepted, the conference even pays for your travel expenses
***

Making security sausage
Ted Unangst has a new blog post up, detailing his experiences with some recent security patches both in and out of OpenBSD
"Unfortunately, I wrote the tool used for signing patches which somehow turned into a responsibility for also creating the inputs to be signed. That was not the plan!"
The post first takes us through a few OpenBSD errata patches, explaining how some can get fixed very quickly, but others are more complicated and need a bit more review
It also covers security in upstream codebases, and how upstream projects sometimes treat security issues as any other bug
Following that, it leads to the topic of FreeType - and a much more complicated problem with backporting patches between versions
The recent OpenSSL vulnerabilities were also mentioned, with an interesting story to go along with them
Just 45 minutes before the agreed-upon announcement, OpenBSD devs found a problem with the patch OpenSSL planned to release - it had to be redone at the last minute
It was because of this that FreeBSD actually had to release a security update to their security update
He concludes with "My number one wish would be that every project provide small patches for security issues. Dropping enormous feature releases along with a note 'oh, and some security too' creates downstream mayhem."
***

Running FreeBSD on the server, a sysadmin speaks
More BSD content is appearing on mainstream technology sites, and, more importantly, BSD Now is being mentioned
ITWire recently did an interview with Allan about running FreeBSD on servers (possibly to go with their earlier interview with Kris about desktop usage)
They discuss some of the advantages BSD brings to the table for sysadmins that might be used to Linux or some other UNIX flavor
It also covers specific features like jails, ZFS, long-term support, automating tasks and even… what to name your computers
If you've been considering switching your servers over from Linux to FreeBSD, but maybe wanted to hear some first-hand experience, this is the article for you
***

NetBSD ported to Hardkernel ODROID-C1
In their never-ending quest to run on every new board that comes out, NetBSD has been ported to the Hardkernel ODROID-C1
This one features a quad-core ARMv7 CPU at 1.5GHz, has a gig of ram and gigabit ethernet... all for just $35
There's a special kernel config file for this board's hardware, available in both -current and the upcoming 7.0
More info can be found on their wiki page
After this was written, basic framebuffer console support was also committed, allowing a developer to run XFCE on the device
***

Interview - Bernard Spil - [email protected] / @sp1l
LibreSSL adoption in FreeBSD ports and the wider software ecosystem

News Roundup

Monitoring pf logs with Gource
If you're using pf on any of the BSDs, maybe you've gotten bored of grepping logs and want to do something more fancy
This article will show you how to get set up with Gource for a cinematic-like experience
If you've never heard of Gource, it's "an OpenGL-based 3D visualization tool intended for visualizing activity on source control repositories"
When you put all the tools together, you can end up with some pretty eye-catching animations of your firewall traffic
One of our listeners wrote in to say that he set this up and, almost immediately, noticed his girlfriend's phone had been compromised - graphical representations of traffic could be useful for detecting suspicious network activity
***

pkgng 1.5.0 alpha1 released
The development version of pkgng wa

81: Puffy in a Box
We're back from AsiaBSDCon! This week on the show, we'll be talking to Lawrence Teo about how Calyptix uses OpenBSD in their line of commercial routers. They're getting BSD in the hands of Windows admins who don't even realize it. We also have all this week's news and answers to your emails, on BSD Now - the place to B.. SD.

Headlines

Using OpenBGPD to distribute pf table updates
For those not familiar, OpenBGPD is a daemon for the Border Gateway Protocol - a way for routers on the internet to discover and exchange routes to different addresses
This post, inspired by a talk about using BGP to distribute spam lists, details how to use the protocol to distribute some other useful lists and information
It begins with "One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time. This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (eg administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real time blacklists to a large number of systems."
If you manage a lot of BSD boxes, this might be an interesting alternative to some of the other ways to distribute configuration files
OpenBGPD is part of the OpenBSD base system, but there's also an unofficial port to FreeBSD and a "work in progress" pkgsrc version
***
Mounting removable media with autofs
The FreeBSD foundation has a new article in the "FreeBSD from the trenches" series, this time about the sponsored autofs tool
It's written by one of the autofs developers, and he details his work on creating and using the utility
"The purpose of autofs(5) is to mount filesystems on access, in a way that's transparent to the application. In other words, filesystems get mounted when they are first accessed, and then unmounted after some time passes."
He talks about all the components that need to work together for smooth operation, how to configure it and how to enable it by default for removable drives
It ends with a real-world example of something we're all probably familiar with: plugging in USB drives and watching the magic happen
There's also some more advanced bonus material on GEOM classes and all the more technical details
***
The Tor Browser on BSD
The Tor Project has provided a "browser bundle" for a long time, which is more or less a repackaged Firefox with many security and privacy-related settings preconfigured and some patches applied to the source
Just tunneling your browser through a transparent Tor proxy is not safe enough - many things can lead to passive fingerprinting or, even worse, anonymity being completely lost
It has, however, only been released for Windows, OS X and Linux - no BSD version
"[...] we are pushing back against an emerging monoculture, and this is always a healthy thing. Monocultures are dangerous for many reasons, most importantly to themselves."
Some work has begun to get a working port on BSD going, and this document tells about the process and how it all got started
If you've got porting skills, or are interested in online privacy, any help would be appreciated of course (see the post for details on getting involved)
***
OpenSSH 6.8 released
Continuing their "tick tock" pattern of releases alternating between new features and bugfixes, the OpenSSH team has released 6.8 - it's a major upgrade, focused on new features (we like those better of course)
Most of the codebase has gone through refactoring, making it easier for regression tests and improving the general readability
This release adds support for SHA256-hashed, base64-encoded host key fingerprints, as well as making that the default - a big step up from the previously hex-encoded MD5 fingerprints
Experimental host key rotation support also makes its debut, allowing for easy in-place upgrading of old keys to newer (or refreshed) keys
You can now require multiple, different public keys to be verified for a user to authenticate (useful if you're extra paranoid or don't have 100% confidence in any single key type)
The native version will be in OpenBSD 5.7, and the portable version should hit a ports tree near you soon
Speaking of the portable version, it now has a configure option to build without OpenSSL or LibreSSL, but doing so limits you to Ed25519 key types and the ChaCha20 and AES-CTR ciphers
***
NetBSD at AsiaBSDCon
The NetBSD guys already have a wrap-up of the recent event, complete with all the pictures and weird devices you'd expect
It covers their BoF session, the six NetBSD-related presentations and finally their "work in progress" session
There was a grand total of 34 different NetBSD gadgets on display at the event
***
Interview - Lawrence Teo - [email protected] / @lteo
OpenBS

80: The PC-BSD Tour II
We're away at AsiaBSDCon this week, but we've still got a packed episode for you. First up is a sequel to the "PC-BSD tour" segment from a while back, highlighting how ZFS boot environments work. After that, Justin Gibbs joins us to talk about the FreeBSD foundation's 15th anniversary. We'll return next week with a normal episode of BSD Now - which is of course, the place to B.. SD.

Special segment
Demystifying Boot Environments in PC-BSD

Interview - Justin Gibbs - [email protected] / @freebsdfndation
The FreeBSD foundation's 15th anniversary

Discussion
The story of PC-BSD

79: Just Add QEMU
Coming up this time on the show, we'll be talking to Sean Bruno. He's been using poudriere and QEMU to cross compile binary packages, and has some interesting stories to tell about it. We've also got answers to viewer-submitted questions and all this week's news, on BSD Now - the place to B.. SD.

Headlines

AsiaBSDCon 2015 schedule
Almost immediately after we finished recording an episode last week, the 2015 AsiaBSDCon schedule went up
This year's conference will be between 12-15 March at the Tokyo University of Science in Japan
The first and second days are for tutorials, as well as the developer summit and vendor summit
The third and fourth days are the main event with the presentations, which Kris and Allan both made the cut for once again
Not counting the ones that have yet to be revealed (as of the day we're recording this), there will be thirty-six different talks in all - four BSD-neutral, four NetBSD, six OpenBSD and twenty-two FreeBSD
Summaries of all the presentations are on the timetable page if you scroll down a bit
***
FreeBSD foundation updates and more
The FreeBSD foundation has posted a number of things this week, the first of which is their February 2015 status update
It provides some updates on the funded projects, including PCI express hotplugging and FreeBSD on the POWER8 platform
There's a FOSDEM recap and another update of their fundraising goal for 2015
They also have two new blog posts: a trip report from SCALE13x and a featured "FreeBSD in the trenches" article about how a small typo caused a lot of ZFS chaos in the cluster
"Then panic ensued. The machine didn't panic -- I did."
***
OpenBSD improves browser security
No matter what OS you run on your desktop, the most likely entry point for an exploit these days is almost certainly the web browser
Ted Unangst writes in to the OpenBSD misc list to introduce a new project he's working on, simply titled "improving browser security"
He gives some background on the W^X memory protection in the base system (no page may be mapped both writable and executable at the same time), but also mentions that some applications in ports don't adhere to it
For it to be enforced globally instead of just recommended, at least one browser (or specifically, one JIT engine, since a JIT writes machine code into memory and then runs it) needs to be fixed to use it
"A system that is 'all W^X except where it's not' is the same as a system that's not W^X. We've worked hard to provide a secure foundation for programs; we'd like to see them take advantage of it."
The work is being supported by the OpenBSD foundation, and we'll keep you updated on this undertaking as more news about it is released
There's also some discussion on Hacker News and Undeadly about it
***
NetBSD at Open Source Conference 2015 Tokyo
The Japanese NetBSD users group has once again invaded a conference, this time in Tokyo
There's even a spreadsheet of all the different platforms they were showing off at the booth (mostly ARM, MIPS, PowerPC and Landisk this time around)
If you just can't get enough strange devices running BSD, check the mailing list post for lots of pictures
Their next target is, as you might guess, AsiaBSDCon 2015 - maybe we'll run into them
***
Interview - Sean Bruno - [email protected] / @franknbeans
Cross-compiling packages with poudriere and QEMU

News Roundup

The Crypto Bone
The Crypto Bone is a new device that's aimed at making encryption and secure communications easier and more accessible
Under the hood, it's actually just a Beaglebone board, running stock OpenBSD with a few extra packages
It includes a web interface for configuring keys and secure tunnels
The source code is freely available for anyone interested in hacking on it (or auditing the crypto), and there's a technical overview of how everything works on their site
If you don't want to teach your mom how to use PGP, buy her one of these(?)
***
BSD in the 2015 Google Summer of Code
For those who don't know, GSoC is a way for students to get paid to work on a coding project for an open source organization
Good news: both FreeBSD and OpenBSD were accepted for the 2015 event
FreeBSD has a wiki page of ideas for people to work on
OpenBSD also has an ideas page where you can see some of the initial things that might be interesting
If you're a student looking to get involved with BSD development, this might be a great opportunity to even get paid to do it
Who knows, you may even end up on the show if you work on a cool project
GSoC will be accepting idea proposals starting March 16th, so you have some time to think about what you'd like to hack on
***
pfSense 2.3 roadmap
The pfSense team has posted a new blog entry, detailing some of their plans for future versions
PPTP will finally be deprecated, PHP will be updated to 5.6 and other packages will also get updated to newer versions
PBIs are scheduled to be replaced with native pkgng packages
Version 3.0, something coming

78: From the Foundation (Part 2)
This week we continue our two-part series on the activities of various BSD foundations. Ken Westerback joins us today to talk all about the OpenBSD foundation and what it is they do. We've also got answers to your emails and all the latest news, on BSD Now - the place to B.. SD.

Headlines

BSDCan 2015 schedule
The list of presentations for the upcoming BSDCan conference has been posted, and the time schedule should be up shortly as well
Just a reminder: it's going to be held on June 12th and 13th at the University of Ottawa in Canada
This year's conference will have a massive fifty talks, split up between four tracks instead of three (but unfortunately a person can only be in one place at a time)
Both Allan and Kris had at least one presentation accepted, and Allan will also be leading a few "birds of a feather" gatherings
In total, there will be three NetBSD talks, five OpenBSD talks, eight BSD-neutral talks, thirty-five FreeBSD talks and no DragonFly talks
That's not the ideal balance we'd hope for, but BSDCan says they'll try to improve that next year
Those numbers are based on the speaker's background, or any past presentations, for the few whose actual topic wasn't made obvious from the title (so there may be a small margin of error)
Michael Lucas (who's on the BSDCan board) wrote up a blog post about the proposals and rejections this year
If you can't make it this year, don't worry, we'll be sure to announce the recordings when they're made available
We also interviewed Dan Langille about the conference and what to expect this year, so check that out too
***
SSL interception with relayd
There was a lot of commotion recently about Superfish, a way that Lenovo was intercepting HTTPS traffic and injecting advertisements
If you're running relayd, you can mimic this evil setup on your own networks (just for testing of course…)
Reyk Floeter, the guy who wrote relayd, came up with a blog post about how to do just that
It starts off with some backstory and some of the things relayd is capable of
relayd can run as an SSL server to terminate SSL connections and forward them as plain TCP and, conversely, run as an SSL client to accept plain TCP connections and tunnel them through SSL
When you combine these two, you end up with possibilities to filter between SSL connections, effectively creating a MITM scenario
Keep in mind that clients will only accept the forged certificates if they trust the intercepting CA - Superfish shipped its own root certificate on the affected laptops for exactly that reason, so on your own network you'd need to install your relayd CA on the test clients
The post is very long, with lots of details and some sample config files - the whole nine yards
***
OPNsense 15.1.6.1 released
The OPNsense team has released yet another version in rapid succession, but this one has some big changes
It's now based on FreeBSD 10.1, with all the latest security patches and driver updates (as well as some in-house patches)
This version also features a new tool for easily upgrading between versions, simply called "opnsense-update" (similar to freebsd-update)
It also includes security fixes for BIND and PHP, as well as some other assorted bug fixes
The installation images have been laid out in a clean way: standard CD and USB images that default to VGA, as well as USB images that default to a console output (for things like Soekris and PCEngines APU boards that only have serial ports)
With the news of m0n0wall shutting down last week, they've also released bare minimum hardware specifications required to run OPNsense on embedded devices
Encouraged by last week's mention of PCBSD trying to cut ties with OpenSSL, OPNsense is also now providing experimental images built against LibreSSL for testing (and have instructions on how to switch over without reinstalling)
***
OpenBSD on a Minnowboard Max
What would our show be without at least one story about someone installing BSD on a weird device
For once, it's actually not NetBSD…
This article is about the MinnowBoard MAX, a very small x86-based motherboard that looks vaguely similar to a Raspberry Pi
It's using an Atom CPU instead of ARM, so overall application compatibility should be a bit better (and it even has AES-NI, so crypto performance will be much better than a normal Atom)
The author describes his entirely solid-state setup, noting that there's virtually no noise, no concern about hard drives dying and very reasonable power usage
You'll find instructions on how to get OpenBSD installed and going throughout the rest of the article
Have a look at the spec sheet if you're interested, they make for cool little BSD boxes
***
Netmap for 40gbit NICs in FreeBSD
Luigi Rizzo posted an announcement to the -current mailing list, detailing some of the work he's just committed
The ixl(4) driver, that's the one for the Intel XL710 40-gigabit card, now has netmap support
It's currently in 11-CURRENT, but he says it works in 10-STABLE and will be committed there too
This should make for some serious packet-pushing power
If you have any network hardware like this, he would appreciate testing for the ne

77: Noah's L2ARC
This week on the show, we'll be chatting with Alex Reece and Matt Ahrens about what's new in the world of OpenZFS. After that, we're starting a new tutorial series on submitting your first patch. All the latest BSD news and answers to your emails, coming up on BSD Now - the place to B.. SD.

Headlines

Revisiting FreeBSD after 20 years
With comments like "has Linux lost its way?" floating around, a Debian developer was prompted to revisit FreeBSD after nearly two decades
This blog post goes through his experiences trying out a modern BSD variant, and includes the good, the bad and the ugly - not just praise this time
He loves ZFS and the beadm tool, and finds the FreeBSD implementation to be much more stable than ZoL
On the topic of jails, he summarizes: "Linux has tried so hard to get this right, and fallen on its face so many times, a person just wants to take pity sometimes. We've had linux-vserver, openvz, lxc, and still none of them match what FreeBSD jails have done for a long time."
The post also goes through the "just plain different" aspects of a complete OS vs. a distribution of various things pieced together
Finally, he includes some things he wasn't so happy about: subpar laptop support, virtualization being a bit behind, a myriad of complaints about pkgng and a few other things
There was some decent discussion on Hacker News about this article too, with counterpoints from both sides
***
s2k15 hackathon report: network stack SMP
The first trip report from the recent OpenBSD hackathon in Australia has finally been submitted
One of the themes of this hackathon was SMP (symmetric multiprocessing) improvement, and Martin Pieuchot did some hacking on the network stack
If you're not familiar with him, he gave a presentation at EuroBSDCon last year, titled Taming OpenBSD Network Stack Dragons
Teaming up with David Gwynne, they worked on getting some bits of the networking code out of the big lock
Hopefully more trip reports will be sent in during the coming weeks
Most of the big code changes should probably appear after the 5.7-release testing period
***
From BIND to NSD and Unbound
If you've been running a DNS server on any of the BSDs, you've probably noticed a semi-recent trend: BIND being replaced with Unbound
BIND was ripped out in FreeBSD 10.0 and will be gone in OpenBSD 5.7, but both systems include Unbound now as an alternative
OpenBSD goes a step further, also including NSD in the base system, whereas you'll need to install that from ports on FreeBSD
Instead of one daemon doing everything like BIND tried to do, this new setup splits the authoritative nameserver and the caching resolver into two separate daemons
This post takes you through the transitional phase of going from a single BIND setup to a combination of NSD and Unbound
All in all, everyone wins here, as there will be a lot fewer security advisories in both BSDs because of it…
***
m0n0wall calls it quits
The original, classic BSD firewall distribution m0n0wall has finally decided to close up shop
For those unfamiliar, m0n0wall was a FreeBSD-based firewall project that put a lot of focus on embedded devices: running from a CF card, CD, USB drive or even a floppy disk
It started over twelve years ago, which is pretty amazing when you consider that's around half of FreeBSD's own lifespan
The project was probably a lot of people's first encounter with BSD in any form
If you were a m0n0wall user, fear not, you've got plenty of choices for a potential replacement: doing it yourself with something like FreeBSD or OpenBSD, or going the premade route with something like pfSense, OPNsense or the BSD Router Project
The founder's announcement includes these closing words: "m0n0wall has served as the seed for several other well known open source projects, like pfSense, FreeNAS and AskoziaPBX. The newest offspring, OPNsense, aims to continue the open source spirit of m0n0wall while updating the technology to be ready for the future. In my view, it is the perfect way to bring the m0n0wall idea into 2015, and I encourage all current m0n0wall users to check out OPNsense and contribute if they can."
While m0n0wall didn't get a lot of on-air mention, surely a lot of our listeners will remember it fondly
***
Interview - Alex Reece & Matt Ahrens - [email protected] & [email protected] / @openzfs
What's new in OpenZFS

Tutorial
Making your first patch (OpenBSD)

News Roundup

Overlaying remote LANs with OpenBSD's VXLAN
Have you ever wanted to "merge" multiple remote LANs? OpenBSD's vxlan(4) is exactly what you need
This article talks about using it to connect two virtualized infrastructures on different ESXi servers
It gives a bit of networking background first, in case you're not quite up to speed on all this stuff
This tool opens up a lot of very cool possibilities, even possibly doing a "

76: Time for a Change
This week, we'll be talking to Henning Brauer about OpenNTPD and its recently revived portable version. After that, we'll be discussing different ways to securely tunnel your traffic: specifically OpenVPN, IPSEC, SSH and Tor. All that and the latest news, coming up on BSD Now - the place to B.. SD.

Headlines

Strange timer bug in FreeBSD 11
Peter Wemm wrote in to the FreeBSD -CURRENT mailing list with an interesting observation
Running the latest development code in the infrastructure, the clock would stop keeping time after 24 days of uptime
This meant things like cron and sleep would break, TCP/IP wouldn't time out or resend packets, a lot of things would break
A workaround until it was fixed was to reboot every 24 days, but this is BSD we're talking about - uptime is our game
An initial proposal was adding a CFLAG to the build options which makes signed arithmetic wrap
Peter disagreed and gave some background, offering a different patch to fix the issue and detect it early if it happens again
Ultimately, the problem was traced back to an issue with a recent clang import
It only affected -CURRENT, not -RELEASE or -STABLE, but was definitely a bizarre bug to track down
***
An OpenBSD mail server
There's been a recent influx of blog posts about building a BSD mail server for some reason
In this fancy series of posts, the author sets up OpenSMTPD in its native OpenBSD home, whereas previous posts have been aimed at FreeBSD and Linux
In addition to the usual steps, this one also covers DKIMproxy, ClamAV for scanning attachments, Dovecot for IMAP and also multiple choices of spam filtering: spamd or SpamAssassin
It also shows you how to set up Roundcube for building a web interface, using the new in-base httpd
That means this is more of a "complete solution" - right down to what the end users see
The series is split up into categories so it's very easy to follow along step-by-step
***
How DragonFlyBSD uses git
DragonFlyBSD, along with PCBSD and EdgeBSD, uses git as its version control system for the system source code
In a series of posts, Matthew Dillon (the project lead) details their internal setup
They're using vanilla git over ssh, with the developers' accounts set to git-only (no shell access)
The maintainers of the server are the only ones with shell access available
He also details how a cron job syncs from the master to a public box that anyone can check out code from
It would be interesting to hear about how other BSD projects manage their master source repository
***
Why not try PCBSD?
ITwire, another more mainstream tech site, published a recent article about switching to PCBSD
They interview a guy named Kris that we've never heard of before
In the article, they touch on how easy it can potentially be for Linux users looking to switch over to the BSD side - lots of applications are exactly the same
"With the growing adoption of systemd, dissatisfaction with Linux has reached proportions not seen in recent years, to the extent that people have started talking of switching to FreeBSD."
If you have some friends who complain to you about systemd all the time, this might be a good article to show them
***
Interview - Henning Brauer - [email protected] / @henningbrauer
OpenNTPD and its portable variant

News Roundup

Authenticated time in OpenNTPD
We recorded that interview with Henning just a few days ago, and it looks like part of it may be outdated already
While at the hackathon, some developers came up with an alternate way to get authenticated NTP responses
You can now add an HTTPS URL to your ntpd.conf in addition to the time server pool
OpenNTPD will query it (over TLS, with CA verification) and look at the Date header in the HTTPS response
It's not intended to be a direct time source, just a constraint to keep things within reason
If you receive regular NTP packets that are way off from the TLS-derived time, those will be discarded and the server(s) marked as invalid
Henning and Theo also weigh in to give some of the backstory on the idea
Lots more detail can be found in Reyk's email explaining the new feature (and it's optional of course)
***
NetBSD at Open Source Conference 2015 Oita and Hamanako
It's been a while since we've featured one of these trip reports, but the Japanese NetBSD users group is still doing them
This time the conferences were in Oita and Hamanako, Japan
Machines running NetBSD included the CubieBoard2 Allwinner A20, Raspberry Pi and Banana Pi, Sharp NetWalker and a couple Zaurus devices
As always, they took lots of pictures from the event of NetBSD on all these weird machines
***
Poudriere in a jail
A common question we get about our poudriere tutorial is "how do I run it in a jail?" - this blog post is about exactly that
It takes you through the networking setup, zpool setup, nginx setup, making the jail and finally poking the right holes in the jail to allow
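The timer bug in this episode's headlines isn't reproduced line by line here, but the symptom (a clock that stops after roughly 24 days) is what you get when a signed 32-bit tick counter passes 2^31: at 1000 ticks per second that takes about 24.8 days. The added example below is not FreeBSD code; it models such a counter in Python and contrasts a direct comparison, which breaks across the wrap, with the wrap-safe idiom of checking the sign of the wrapped difference. The tick rate, deadlines and tick values are constructed for the demonstration.

```python
# Added example (not FreeBSD code): comparing wrapping 32-bit tick counters.
HZ = 1000  # assumed tick rate; 2**31 ticks at 1000 Hz is about 24.8 days


def to_int32(x: int) -> int:
    """Reduce an arbitrary Python int to the two's-complement range of a C int."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x & 0x80000000 else x


def ticks_after(start: int, delay: int) -> int:
    """Value a wrapping 32-bit tick counter holds `delay` ticks after `start`."""
    return to_int32(start + delay)


def deadline_passed_naive(now: int, deadline: int) -> bool:
    """Plain ordering of the two counters: wrong once one side has wrapped."""
    return now >= deadline


def deadline_passed_safe(now: int, deadline: int) -> bool:
    """Compare the wrapped difference instead of the raw values.

    Correct as long as |now - deadline| < 2**31 ticks.  The C equivalent is
    `(int)((unsigned)now - (unsigned)deadline) >= 0`: the subtraction must be
    done in unsigned arithmetic, because signed overflow is undefined in C and
    a newer compiler is entitled to optimise a check that relies on it away.
    """
    return to_int32(now - deadline) >= 0


def days_until_wrap(hz: int = HZ) -> float:
    """Uptime at which a signed 32-bit counter started at zero wraps."""
    return 2**31 / hz / 86400


def demo() -> dict:
    """Constructed scenario: a one-second timeout armed 1.5 s before the wrap,
    checked one second after it should have fired (i.e. after the wrap)."""
    start = 2**31 - 1500
    deadline = ticks_after(start, HZ)       # still positive: INT_MAX - 500
    now = ticks_after(start, 2 * HZ)        # wrapped: a large negative value
    return {
        "deadline": deadline,
        "now": now,
        "naive": deadline_passed_naive(now, deadline),   # False: timeout never fires
        "safe": deadline_passed_safe(now, deadline),     # True: timeout fires
    }


if __name__ == "__main__":
    print(f"counter wraps after {days_until_wrap():.1f} days at {HZ} Hz")
    print(demo())
```

The mirror-image failure is just as important: a deadline that has already wrapped to a negative value while `now` is still positive makes the naive check fire immediately, which is how sleeps and retransmit timers end up expiring at once rather than never.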
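The OpenNTPD constraint mechanism from the news roundup above, as an added example that is not OpenNTPD's code: it pulls the Date header out of a constructed HTTPS response (the real daemon fetches it over TLS with CA verification, which is what makes the value trustworthy; here the bytes are supplied inline), converts NTP timestamps to Unix time, and accepts or rejects NTP replies depending on whether they fall within a margin of the TLS-derived time. The 15-minute margin, the sample response and the server names are assumptions.

```python
# Added example (not OpenNTPD code): modelling the HTTPS Date "constraint".
from email.utils import parsedate_to_datetime

NTP_UNIX_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01
CONSTRAINT_MARGIN = 15 * 60     # assumed tolerance in seconds (hypothetical value)

# Constructed HTTPS response, as the daemon would see it after the TLS handshake
# and certificate check succeeded.  Only the Date header matters here.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: httpd\r\n"
    b"Date: Sun, 15 Mar 2015 12:00:00 GMT\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def ntp_timestamp_to_unix(ntp_ts: int) -> float:
    """Convert a 64-bit NTP timestamp (32.32 fixed point, epoch 1900) to Unix seconds."""
    seconds = ntp_ts >> 32
    fraction = (ntp_ts & 0xFFFFFFFF) / 2**32
    return seconds - NTP_UNIX_OFFSET + fraction


def constraint_from_http_response(raw: bytes) -> float:
    """Return the Date header of an HTTP response as Unix seconds.
    Raises ValueError if the server sent no Date header."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"date":
            return parsedate_to_datetime(value.strip().decode("ascii")).timestamp()
    raise ValueError("no Date header in response")


def within_constraint(ntp_unix: float, constraint_unix: float,
                      margin: int = CONSTRAINT_MARGIN) -> bool:
    """An NTP reply is only usable if it lies within `margin` of the TLS-derived time."""
    return abs(ntp_unix - constraint_unix) <= margin


def filter_replies(replies: dict, constraint_unix: float,
                   margin: int = CONSTRAINT_MARGIN) -> tuple:
    """Split {server: ntp_timestamp} into (accepted, rejected) server names.
    Rejected servers are the ones the daemon would mark invalid."""
    accepted, rejected = [], []
    for server, ntp_ts in replies.items():
        unix = ntp_timestamp_to_unix(ntp_ts)
        (accepted if within_constraint(unix, constraint_unix, margin) else rejected).append(server)
    return accepted, rejected


def demo() -> tuple:
    """Constructed replies: one server 30 s off the constraint, one a day off."""
    constraint = constraint_from_http_response(SAMPLE_RESPONSE)
    replies = {
        "pool-a.example": (int(constraint) + 30 + NTP_UNIX_OFFSET) << 32,
        "rogue.example": (int(constraint) + 86400 + NTP_UNIX_OFFSET) << 32,
    }
    return filter_replies(replies, constraint)


if __name__ == "__main__":
    print(demo())
```

The point of the design, and of the margin, is that an HTTP Date header is only second-granular and includes request latency, so it can never be a time source; it is a sanity bound that prevents a spoofed NTP reply from moving the clock by hours or years, which is exactly the class of attack unauthenticated NTP is exposed to.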

75: From the Foundation (Part 1)
This week on the show, we'll be starting a two-part series detailing the activities of various BSD foundations. Ed Maste from the FreeBSD foundation will be joining us this time, and we'll talk about what all they've been up to lately. All this week's news and answers to viewer-submitted questions, coming up on BSD Now - the place to B.. SD.

Headlines

Key rotation in OpenSSH 6.8
Damien Miller posted a new blog entry about one of the features in the upcoming OpenSSH 6.8
Times change, key types change, problems are found with old algorithms and we switch to new ones
In OpenSSH (and the SSH protocol) however, there hasn't been an easy way to rotate host keys... until now
With this change, when you connect to a server, it will log all the server's public keys in your known_hosts file, instead of just the first one used during the key exchange
Keys that are in your known_hosts file but not on the server will get automatically removed
This fixes the problem of old servers still authenticating with ancient DSA or small RSA keys, as well as providing a way for the server to rotate keys every so often
There are some instructions in the blog post for how you'll be able to rotate host keys and eventually phase out the older ones - it's really simple
There are a lot of big changes coming in OpenSSH 6.8, so we'll be sure to cover them all when it's released
***
NetBSD Banana Pi images
We've talked about the Banana Pi a bit before - it's a small ARM board that's comparable to the popular Raspberry Pi
Some NetBSD -current images were posted on the mailing list, so now you can get some BSD action on one of these little devices
There are even a set of prebuilt pkgsrc packages, so you won't have to compile everything initially
The email includes some steps to get everything working and an overview of what comes with the image
Also check the wiki page for some related boards and further instructions on getting set up
On a related note, NetBSD also recently got GPU acceleration working for the Raspberry Pi (which is a first for their ARM port)
***
LibreSSL shirts and other BSD goodies
If you've been keeping up with the LibreSSL saga and want a shirt to show your support, they're finally available to buy online
There are two versions, either "keep calm and use LibreSSL" or the slightly more snarky "keep calm and abandon OpenSSL"
While on the topic, we thought it would be good to make people aware of shirts for other BSD projects too
You can get some FreeBSD, PCBSD and FreeNAS stuff from the FreeBSD mall site
OpenBSD recently launched their new store, but the selection is still a bit limited right now
NetBSD has a couple places where you can buy shirts and other apparel with the flag logo on it
We couldn't find any DragonFlyBSD shirts unfortunately, which is a shame since their logo is pretty cool
Profits from the sale of the gear go back to the projects, so pick up some swag and support your BSD of choice (and of course wear them at any Linux events you happen to go to)
***
OPNsense 15.1.4 released
The OPNsense guys have been hard at work since we spoke to them, fixing lots of bugs and keeping everything up to date
A number of versions have come out since then, with 15.1.4 being the latest (assuming they haven't updated it again by the time this airs)
This version includes the latest round of FreeBSD kernel security patches, as well as minor SSL and GUI fixes
They're doing a great job of getting upstream fixes pushed out to users quickly, a very welcome change
A developer has also posted an interesting write-up titled "Development Workflow in OPNsense"
If any of our listeners are trying OPNsense as their gateway firewall, let us know how you like it
***
Interview - Ed Maste - [email protected]
The FreeBSD foundation's activities

News Roundup

Rolling with OpenBSD snapshots
One of the cool things about the -current branch of OpenBSD is that it doesn't require any compiling
There are signed binary snapshots being continuously re-rolled and posted on the FTP sites for every architecture
This provides an easy method to get onboard with the latest features, and you can also easily upgrade between them without reformatting or rebuilding
This blog post will walk you through the process of using snapshots to stay on the bleeding edge of OpenBSD goodness
After using -current for seven weeks, the author comes to the conclusion that it's not as unstable as people might think
He's now helping test out patches and new ports since he's running the same code as the developers
***
Signing pkgsrc packages
As of the time this show airs, the official pkgsrc packages aren't cryptographically signed
Someone from Joyent has been working on that, since they'd like to sign their pkgsrc packages for SmartOS
Using GnuPG pulled in a lot of dependencies, and they're trying to

74: That Sly MINIX
Coming up this week, we've got something a little bit different for you. We'll be talking with Andrew Tanenbaum, the creator of MINIX. They've recently imported parts of NetBSD into their OS, and we'll find out how and why that came about. As always, all the latest news and answers to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

The missing EuroBSDCon videos
Some of the missing videos from EuroBSDCon 2014 we mentioned before have mysteriously appeared
Jordan Hubbard, FreeBSD, looking forward to another 10 years
Lourival Vieira Neto, NPF scripting with Lua
Kris Moore, Snapshots, replication and boot environments
Andy Tanenbaum, A reimplementation of NetBSD based on a microkernel
Kirk McKusick, An introduction to FreeBSD's implementation of ZFS
Emmanuel Dreyfus, FUSE and beyond, bridging filesystems
John-Mark Gurney, Optimizing GELI performance
Unfortunately, there are still about six talks missing… and no ETA
***

FreeBSD on a MacBook Pro (or two)
We've got a couple of posts about running FreeBSD on a MacBook Pro this week
In the first one, the author talks a bit about trying to run Linux on his laptop for quite a while, going back and forth between it and something that Just Works™
Eventually he came full circle: the focus on using only GUI tools got in the way instead of making things easier
He works on a lot of FreeBSD-related software, so switching to it for a desktop seems to be the obvious next step
He's still not quite to that point yet, but documents his experiments with BSD as a desktop
The second article also documents an ex-Linux user switching over to BSD for their desktop
It also covers power management, bluetooth and trackpad setup
On the topic of Gentoo: "Underneath the beautiful and easy-to-use Portage system lies the same glibc, the same turmoil over a switch to a less-than-ideal init system, and the same kernel-level bugs that bring my productivity down"
Check out both articles if you've been considering running FreeBSD on a MacBook
***

Remote logging over TLS
In most of the BSDs, syslogd has been able to send logs to a remote server for a long time
That feature can be very useful, especially for forensics: it's much harder for an attacker to hide their activities if the logs aren't on the same server they compromised
The problem is, of course, that traditional remote syslog is sent in cleartext, so anyone on the path can read or alter it, unless you tunnel it over SSH or use some kind of third-party wrapper
With a few recent commits, OpenBSD's syslogd now supports sending logs over TLS natively, including X509 certificate verification of the log server
By default, syslogd runs as an unprivileged user in a chroot on OpenBSD, so there were some initial concerns about certificate verification - how does that user access the CA chain outside of the chroot?
That problem was also conquered, by loading the CA chain from memory (it's read in before the chroot is entered), so the entire process can run chrooted without issue
Some of the privsep verification code even made its way into LibreSSL right afterwards
If you haven't set up remote logging before, now might be an interesting time to try it out
***

FreeBSD, not a Linux distro
George Neville-Neil gave a presentation recently, titled "FreeBSD: not a Linux distro"
It's meant to be an introduction for new users who might've heard about FreeBSD, but aren't familiar with any BSD history
He goes through some of that history, and talks about what FreeBSD is and why you might want to use it over other options
There's even an interesting "thirty years in three minutes" segment
It's not just a history lesson though; he talks about some of the current features and even some new things coming in the next version(s)
We also learn about filesystems, jails, capsicum, clang, dtrace and the various big companies using FreeBSD in their products
This might be a good video to show your friends or potential employer if you're looking to introduce FreeBSD to them
***

Long-term support considered harmful
There was recently a pretty horrible bug in GNU's libc (BSDs aren't affected, don't worry)
Aside from the severity of the actual problem, the fix took a long time to reach the long-term-support releases most people actually run, leaving them vulnerable
Ted Unangst writes a post about how this idea of long-term support could actually be harmful in the long run, and compares it to how OpenBSD does things
OpenBSD releases a new version every six months, and only the two most recent releases get support and security fixes
He describes this as both a good thing and a bad thing: all the bugs in the ecosystem get flushed out within a year, but it forces people to stay (relatively) up-to-date
"Upgrades only get harder and more painful (and more fragile) the longer one goes between them. More changes, more damage. Frequent upgrades amortize the cost and ensure that regressions are caught early."
There was also some discussion about the article you can check o

73: Pipe Dreams
This week on the show we'll be chatting with David Maxwell, a former NetBSD security officer. He's got an interesting project called Pipecut that takes a whole new approach to the commandline. We've also got answers to viewer-submitted questions and all this week's headlines, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD quarterly status report
The FreeBSD team has posted an update on some of their activities between October and December of 2014
They put a big focus on compatibility with other systems: the Linux emulation layer, bhyve, WINE and Xen all got some nice improvements
As always, the report has lots of updates from the various teams working on different parts of the OS and ports infrastructure
The release engineering team got 10.1 out the door, the ports team shuffled a few members in and out and continued working on closing more PRs
FreeBSD's forums underwent a huge change, and discussion about the new support model for release cycles continues (hopefully taking effect after 11.0 is released)
Git was promoted from beta to an officially-supported version control system (Kris is happy)
The core team is also assembling a new QA team to ensure better code quality in critical areas, such as security and release engineering, after getting a number of complaints
Other notable entries include: lots of bhyve fixes, Clang/LLVM being updated to 3.5.0, ongoing work on the external toolchain, adding FreeBSD support to more "cloud" services, pkgng updates, work on SecureBoot, more ARM support and graphics stack improvements
Check out the full report for all the details that we didn't cover
***

OpenBSD package signature audit
"Linux Audit" is a website focused on auditing and hardening systems, as well as educating people about securing their boxes
They recently did an article about OpenBSD, specifically its ports and package system and signing infrastructure
The author gives a little background on the difference between ports and binary packages, then goes through the technical details of how releases and packages are cryptographically signed
Package signature formats and public key distribution methods are also touched on
After some heckling, the author of the post said he plans to write more BSD security articles, so look forward to them in the future
If you haven't seen our episode about signify with Ted Unangst, that would be a great one to check out after reading this
***

Replacing a Linux router with BSD
There was recently a Slashdot discussion about migrating a Linux-based router to a BSD-based one
The poster begins with "I'm in the camp that doesn't trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I'd run Windows NT, not Linux. So I've decided to migrate my homebrew router/firewall/samba server to one of the BSDs."
A lot of people were quick to recommend OPNsense and pfSense, since they're very easy to administer (requiring basically no BSD knowledge at all)
Other commenters suggested a more hands-on approach, setting one up yourself with FreeBSD or OpenBSD
If you've been thinking about moving some routers over from Linux or another commercial solution, this might be a good discussion to read through
Unfortunately, a lot of the comments are just Linux users bickering about systemd, so you'll have to wade through some of that to get to the good information
***

LibreSSL in FreeBSD and OPNsense
A FreeBSD sysadmin has started documenting his experience replacing OpenSSL in the base system with the one from ports (and also experimenting with LibreSSL)
The reasoning being that updates in base tend to lag behind, whereas the port can be updated for security very quickly
OPNsense developers are looking into switching away from OpenSSL to LibreSSL's portable version, for both their ports and base system, which would be a pretty huge differentiator for their project
Some ports still need fixing to be compatible though, particularly a few python-related ones
If you're a FreeBSD ports person, get involved and help squash some of the last remaining bugs
A lot of the work has already been done in OpenBSD's ports tree - some patches just need to be adopted
More and more upstream projects are incorporating LibreSSL patches in their code - let your favorite software vendor know that you're using it
***

Interview - David Maxwell - [email protected] / @david_w_maxwell
Pipecut, text processing, commandline wizardry

News Roundup

Jetpack, a new jail container system
A new project was launched to adapt FreeBSD jails to the "app container specification"
While still pretty experimental in terms of the development phase, this might be something to show your Linux friends who are in love with docker
It's a similar project to iocage or bsdploy, which we haven't talked a whole lot about
There was

72: Common *Sense Approach
This week on the show, we'll be talking to Jos Schellevis about OPNsense, a new firewall project that was forked from pfSense. We'll learn some of the backstory and see what they've got planned for the future. We've also got all this week's news and answers to all your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Be your own VPN provider with OpenBSD
We've covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past - but what if you don't trust any VPN company?
It's easy for anyone to say "of course we don't run a modified version of OpenVPN that logs all your traffic... what are you talking about?"
The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
With this guide, you'll be able to cut out the middleman and create your own VPN, using OpenBSD
It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN
***

FreeBSD vs Gentoo comparison
People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software
This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things
If you're a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more
***

Kernel W^X in OpenBSD
W^X, "Write XOR Execute," is a security feature of OpenBSD with a rather strange-looking name
It's an exploit mitigation technique: no page in a process's address space may be both writable and executable at the same time
This blunts a common class of memory-corruption exploits: code an attacker injects into a writable buffer can't be executed, so the attempt crashes the program instead of running the payload (quite obviously the lesser of the two evils)
Through some recent work, OpenBSD's kernel now has no part of its own address space without this property - previously it was only enforced for userland
Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that's been in the works for a while
More technical details can be found in some recent CVS commits
***

Building an IPFW-based router
We've covered building routers with PF many times before, but what about IPFW?
A certain host of a certain podcast decided it was finally time to replace his disappointing consumer router with something BSD-based
In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit
If you're an IPFW fan and are thinking about putting together a new router, give this post a read
***

Interview - Jos Schellevis - [email protected] / @opnsense
The birth of OPNsense

News Roundup

On profiling HTTP
Adrian Chadd, who we've had on the show before, has been doing some more ultra-high performance testing
Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
According to him, it's "not very pretty"
He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
You can check out his new code on Github right now
***

Using divert(4) to reduce attacks
We talked about using divert(4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you're running
PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that limit never triggers
The Composite Blocking List is a public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious
Consider setting this up to reduce the attack spam in your logs if you run public services
***

ChaCha20 patchset for GELI
A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption system
There are also some benchmarks that look pretty good in terms of performance
Currently, GELI defaults to AES in XTS mode with a few tweakable options (but also supports Blowfish, Camellia and Triple DES)
There's some discussion going on about whether a stream cipher is suitable for disk encryption though (rewriting a sector under the same key and nonce reuses the keystream, so two captured versions of the sector XOR to reveal how the plaintext changed, which XTS avoids), so this might not be a match made in heaven just yet
***

PCBSD update system enhancements
The PCBSD update utility has gotten an update itself, now support

71: System Disaster
This time on the show, we'll be talking to Ian Sutton about his new BSD compatibility wrappers for various systemd dependencies. Don't worry, systemd is not being ported to BSD! We're still safe! We've also got all the week's news and answers to your emails, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Introducing OPNsense, a pfSense fork
OPNsense is a new BSD-based firewall project that was recently started, forked from the pfSense codebase
Even though it's just been announced, they already have a formal release based on FreeBSD 10 (pfSense's latest stable release is based on 8.3)
The core team includes a well-known DragonFlyBSD developer
You can check out their code on Github now, or download an image and try it out - let us know if you do and what you think about it
They also have a nice wiki and some instructions on getting started for new users
We plan on having them on the show next week to learn a bit more about how the project got started and why you might want to use it - stay tuned
***

Code rot and why I chose OpenBSD
Here we have a blog post about rotting codebases - a core banking system in this example
The author tells the story of how his last days at the job were mostly spent removing old, dead code from a giant project
He goes on to compare it to OpenSSL and the heartbleed disaster, from which LibreSSL was born
Instead of just bikeshedding like the rest of the internet, OpenBSD "silently started putting the beast into shape" as he puts it
The article continues on to mention OpenBSD's code review process, and how it catches bugs so we don't have more heartbleeds
"In OpenBSD you are encouraged to run current and the whole team tries its best to make current as stable as it can. You know why? They eat their own dog food. That's so simple yet so amazing that it blows my mind. Developers actually run OpenBSD on their machines daily."
It's a very long and detailed story about how the author has gotten more involved with BSD, learned from the mailing lists and even started contributing back - he says "In summary, I'm learning more than ever - computing is fun again"
Look for the phrase "Getting Started" in the blog post for a nice little gem
***

ZFS vs HAMMER FS
One of the topics we've seen come up from time to time is how FreeBSD's ZFS and DragonFly's HAMMER FS compare to each other
They both have a lot of features that traditional filesystems lack
A forum thread was opened for discussion about them both and what they're typically used for
It compares resource requirements, ideal hardware and pros/cons of each
Hopefully someone will do another new comparison when HAMMER 2 is finished
This is not to be confused with the other "hammer" filesystem
***

Portable OpenNTPD revived
With ISC's NTPd having had so many security vulnerabilities recently, people need an alternative NTP daemon
OpenBSD has developed OpenNTPD since 2004, but the portable version for other operating systems hasn't been actively maintained in a few years
The older version still works fine, and is in FreeBSD ports and NetBSD pkgsrc, but it would be nice to have some of the newer features and fixes from the native version
Brent Cook, who we've had on the show before to talk about LibreSSL, decided it was time to fix this
While looking through the code, he also found some fixes for the native version as well
You can grab it from Github now, or just wait for the updated release to hit the repos of your OS of choice
***

Interview - Ian Sutton - [email protected]
BSD replacements for systemd dependencies

News Roundup

pkgng adds OS X support
FreeBSD's next-gen package manager has just added support for Mac OS X
Why would you want that? Well.. we don't really know, but it's cool
The author of the patch may have some insight about what his goal is though
This could open up the door for a cross-platform pkgng solution, similar to NetBSD's pkgsrc
There's also the possibility of pkgng being used as a packaging format for MacPorts in the future
While we're on the topic of pkgng, you can also watch bapt's latest presentation about it from ruBSD 2014 - "four years of pkg"
***

Secure secure shell
Almost everyone watching BSD Now probably uses OpenSSH and has set up a server at one point or another
This guide provides a list of best practices beyond the typical "disable root login and use keys" advice you'll often hear
It specifically goes in-depth on server and client configuration, with the best key types, KEX methods and encryption ciphers to use
There are also good explanations for all the choices, based both on history and probability
Minimal backwards compatibility is kept, but most of the old and insecure stuff gets disabled
We've also got a handy chart to show which SSH implementations support which ciphers, in case you n
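To make the "Secure secure shell" advice above concrete, here is an added example (the editor's, not code from the guide or from OpenSSH): a small Python checker that parses an sshd_config and reports every key exchange method, cipher, MAC and host-key type outside the guide's allow-lists, run against a constructed legacy configuration and its hardened counterpart. The allow-lists are the editor's recollection of the guide's recommendations and should be treated as assumptions, as should the PermitRootLogin default; both sample configs are constructed, and Match blocks are not handled.

```python
"""Audit an sshd_config against the crypto choices of the "Secure Secure Shell"
guide.  Added example, not the guide's or OpenSSH's own code.  The allow-lists
are the editor's recollection of the guide (assumptions), the sample configs are
constructed, and Match blocks are ignored (sshd applies them conditionally)."""
import re

# Assumed allow-lists: modern KEX, AEAD/CTR ciphers, encrypt-then-MAC MACs.
GOOD_KEX = {
    "[email protected]",
    "diffie-hellman-group-exchange-sha256",
}
GOOD_CIPHERS = {
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "aes256-ctr", "aes192-ctr", "aes128-ctr",
}
GOOD_MACS = {
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "hmac-sha2-512", "hmac-sha2-256", "[email protected]",
}
# Host key types the guide keeps; DSA and the NIST-curve ECDSA keys are dropped.
GOOD_HOSTKEY_RE = re.compile(r"ssh_host_(ed25519|rsa)_key$")


def parse_sshd_config(text):
    """Return {keyword: [values...]} for active lines; repeated keywords
    (several HostKey lines, for instance) accumulate in order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_sshd_config(text):
    """Return a sorted list of findings (empty when the config matches)."""
    conf = parse_sshd_config(text)
    findings = []
    for key, good in (("kexalgorithms", GOOD_KEX),
                      ("ciphers", GOOD_CIPHERS),
                      ("macs", GOOD_MACS)):
        values = conf.get(key)
        if not values:
            # Unset means sshd's compiled-in default list, which at the time
            # still carried legacy algorithms the guide turns off.
            findings.append(f"{key}: not set, server default list in effect")
            continue
        for algo in values[-1].split(","):  # sshd honours the last occurrence
            if algo not in good:
                findings.append(f"{key}: {algo} not in allow-list")
    for hk in conf.get("hostkey", []):
        if not GOOD_HOSTKEY_RE.search(hk):
            findings.append(f"hostkey: {hk} uses a key type the guide drops")
    # Assumption: an unset PermitRootLogin behaves as "yes" on this era's sshd.
    if conf.get("permitrootlogin", ["yes"])[-1] != "no":
        findings.append("permitrootlogin: should be no")
    return sorted(findings)


# Constructed sample: a stock-looking config that still allows legacy algorithms.
WEAK_CONFIG = """\
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KexAlgorithms diffie-hellman-group1-sha1,[email protected]
Ciphers aes128-ctr,arcfour,3des-cbc
MACs hmac-md5,hmac-sha2-256
PermitRootLogin yes
"""

# Constructed sample: the same server after applying the guide.
HARDENED_CONFIG = """\
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit_sshd_config(cfg) or "OK")
```

Point it at a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; anything it reports for KexAlgorithms, Ciphers or MACs is an algorithm the guide would have you remove from that line.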

70: Daemons in the North
It's our last episode of 2014, and we'll be chatting with Dan Langille about the upcoming BSDCan conference. We'll find out what's planned and what sorts of presentations they're looking for. As usual, answers to viewer-submitted questions and all the week's news, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

More conference presentation videos
Some more of the presentation videos from AsiaBSDCon are appearing online
Masanobu Saitoh, Developing CPE Routers Based on NetBSD
Reyk Floeter, VXLAN and Cloud-based Networking with OpenBSD
Jos Jansen, Adapting OS X to the enterprise
Pierre Pronchery & Guillaume Lasmayous, Carve your NetBSD
Colin Percival, Everything you need to know about cryptography in 1 hour (not from AsiaBSDCon)
The "bsdconferences" YouTube channel has quite a lot of interesting older BSD talks too - you may want to go back and watch them if you haven't already
***

OpenBSD PIE enhancements
ASLR and PIE are great security features that OpenBSD has had enabled by default for a long time, in both the base system and ports, but they have one inherent problem
They only work with dynamically linked libraries and binaries, so if you have any static binaries, they don't get the same treatment
For example, the default shells (and many other things in /bin and /sbin) are statically linked
In the case of the static ones, you can always predict the memory layout, which is very bad and sort of defeats the whole purpose
With this and a few related commits, OpenBSD fixes this by introducing static self-relocation: a statically linked binary is loaded at a random address and applies its own relocations during startup, before main() runs
More and more CPU architectures are being tested and getting support too; this isn't just for amd64 and i386 - VAX users can rest easy
It'll be available in 5.7 in May, or you can use a -current snapshot if you want to get a slice of the action now
***

FreeBSD foundation semi-annual newsletter
The FreeBSD foundation publishes a huge newsletter twice a year, detailing their funded projects and some community activities
As always, it starts with a letter from the president of the foundation - this time it's about encouraging students and new developers to get involved
The article also has a fundraising update with a list of sponsored projects, and they note that the donations meter has changed from dollars to number of donors (since they exceeded the goal already)
You can read summaries of all the BSD conferences of 2014 and see a list of upcoming ones next year too
There are also sections about the FreeBSD Journal's progress, a new staff member and a testimonial from NetApp
It's a very long report, so dedicate some time to read all the way through it
This year was pretty great for BSD: both the FreeBSD and OpenBSD foundations exceeded their goals and the NetBSD foundation came really close too
As we go into 2015, consider donating to whichever BSD you use, it really can make a difference
***

Modernizing OpenSSH fingerprints
When you connect to a server for the first time, you'll get what's called a fingerprint of the host's public key - this is used to verify that you're actually talking to the same server you intended to
Up until now, the key fingerprints have been an MD5 hash, displayed as hex
This can be problematic: MD5 is a broken hash with a short 128-bit output, and larger key types like RSA give an attacker lots of wiggle room to search for a fake host key whose fingerprint matches the one you expected
This new change replaces the default MD5 and hex with a base64-encoded SHA256 fingerprint
You can add a "FingerprintHash" line in your ssh_config to force using only the new type
There's also a new option to require users to authenticate with more than one public key, so you can really lock down login access to your servers - also useful if you're not 100% confident in any single key type
The new options should be in the upcoming 6.8 release
***

Interview - Dan Langille - [email protected] / @bsdcan
Plans for the BSDCan 2015 conference

News Roundup

Introducing ntimed, a new NTP daemon
As we've mentioned before in our tutorials, there are two main daemons for the Network Time Protocol - ISC's NTPd and OpenBSD's OpenNTPD
With all the recent security problems with ISC's NTPd, Poul-Henning Kamp has been working on a third NTP daemon
It's called "ntimed" and you can try out a preview version of it right now - it's in FreeBSD ports or on Github
PHK also has a few blog entries about the project, including status updates
***

OpenBSD-maintained projects list
There was recently a thread on the misc mailing list asking about different projects started by OpenBSD developers
The initial list had marks for which software had portable versions for other operating systems (OpenSSH being the most popular example)
A developer compiled a new list from all of the replies to that thread into a nice organi
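A worked example of what the "Modernizing OpenSSH fingerprints" change above actually computes, added here by the editor and not taken from OpenSSH: both fingerprint formats are a hash of the raw key blob carried on a public-key line, the old one MD5 rendered as colon-separated hex, the new one SHA-256 rendered as unpadded base64 behind a "SHA256:" prefix. The sample key is a constructed Ed25519 blob with an all-zero point, so its fingerprints are illustrative only and belong to no real host.

```python
"""Compute both OpenSSH host-key fingerprint formats from a public-key line.
Added example, not OpenSSH's code.  The sample key is constructed: a valid
Ed25519 wire blob whose 32-byte point is all zeros, so the fingerprints printed
are illustrative only."""
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire 'string' (big-endian uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def key_blob(pubkey_line):
    """Return the raw blob from a '<type> <base64-blob> [comment]' line.
    Both fingerprints hash this blob; the comment never takes part."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob's first wire string must repeat the declared key type.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != fields[0].encode():
        raise ValueError("key type inside blob does not match the line")
    return blob


def fingerprint_md5(pubkey_line):
    """Legacy format (default before 6.8): MD5 of the blob, hex pairs joined by ':'."""
    digest = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(pubkey_line):
    """New format: 'SHA256:' followed by base64 of the digest with '=' padding removed."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed sample: ssh-ed25519 blob = string("ssh-ed25519") + string(32 zero bytes).
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " sample-comment"

if __name__ == "__main__":
    print("MD5:   ", fingerprint_md5(SAMPLE_KEY))
    print("SHA256:", fingerprint_sha256(SAMPLE_KEY))
```

On a real key you can cross-check the output against `ssh-keygen -l -E md5 -f key.pub` and `ssh-keygen -l -E sha256 -f key.pub`; the `-E` switch arrived in the same 6.8 change that made SHA256 the default.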

69: Under the Ports Tree
It's a special holiday episode! We asked you guys in the audience to send in the tale of how you first got into BSD, and we're going to share those with everyone today. We'll also be playing two bonus mini-interviews, so get comfy by the fire and listen to some BSD Now - the place to B.. SD.

This episode was brought to you by

Special segment

How our viewers got into BSD
Jason's story (text)
bsdx's story (text)
David's story (text)
Brad's story (text)
Reese's story (video)
Bryan's story (video)
Pete's story (text)
Anders' story (text)
Guillermo's story (text)
Jonathan's story (text)
Adam's story (text)
Chris' story (text)
Tigersharke's story (text)
Roller and Kandie's stories (text)
Uwe's story (text)
Pascal's story (text) and (image)
***

Interview - Erwin Lansing - [email protected]
BSD in Europe, getting people involved

Interview - Cristina Vintila - @cristina_crow
BSD conferences

68: Just the Essentials
Coming up this week, we'll be talking with Michael Lucas about his newest BSD book, "FreeBSD Mastery: Storage Essentials." It's got lots of great information about the disk subsystems, GEOM, filesystems, you name it. We've also got the usual round of news and answers to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

More BSD conference videos
We mentioned it a few times, but the "New Directions in Operating Systems" conference was held in November in the UK
The presentation videos are now online, with a few BSD-related talks of interest
Antti Kantee, Rump kernels and why / how we got here
Franco Fichtner, An introduction to userland networking
Robert Watson, New ideas about old OS security
Lots of other interesting, but non-BSD-related, talks were also presented, so check the full list if you're interested in operating systems in general
The 2014 AsiaBSDCon videos are also slowly being uploaded (better late than never)
Kirk McKusick, An Overview of Security in the FreeBSD Kernel
Matthew Ahrens, OpenZFS ensures the continued excellence of ZFS
Eric Allman, Bambi Meets Godzilla: They Elope - Open Source Meets the Commercial World
Scott Long, Modifying the FreeBSD kernel Netflix streaming servers
Dru Lavigne, ZFS for the Masses
Kris Moore, Snapshots, Replication, and Boot Environments
David Chisnall, The Future of LLVM in the FreeBSD Toolchain
Luba Tang, Bold, fast optimizing linker for BSD
John Hixson, Introduction to FreeNAS development
Zbigniew Bodek, Transparent Superpages for FreeBSD on ARM
Michael Dexter, Visualizing Unix: Graphing bhyve, ZFS and PF with Graphite
Peter Grehan, Nested Paging in Bhyve
Martin Matuška, Deploying FreeBSD systems with Foreman and mfsBSD
James Brown, Analysis of BSD Associate Exam Results
Mindaugas Rasiukevicius, NPF - progress and perspective
Luigi Rizzo, Netmap as a core networking technology
Michael W. Lucas, Sudo: You're Doing it Wrong (not from a BSD conference, but still good)
They should make for some great material to watch during the holidays
***

OpenBSD vs FreeBSD security features
From the author of both the OpenBSD and FreeBSD secure gateway articles we've featured in the past comes a new entry about security
The article goes through a list of all the security features enabled (and disabled) by default in both FreeBSD and OpenBSD
It covers a wide range of topics, including: memory protection, randomization, encryption, privilege separation, Capsicum, securelevels, MAC, jails and chroots, network stack hardening, firewall features and much more
This is definitely one of the most in-depth and complete articles we've seen in a while - the author seems to have done his homework
If you're looking to secure any sort of BSD box, this post has some very detailed explanations of different exploit mitigation techniques - be sure to read the whole thing
There are also some good comments on DaemonForums and lobste.rs that you may want to read
***

The password? You changed it, right?
Peter Hansteen has a new blog post up, detailing some weird SSH bruteforcing he's seen recently
He apparently reads his auth logs when he gets bored at an airport
This new bruteforcing attempt seems to be targeting D-Link devices, as evidenced by the three usernames the bots try to use
More than 700 IPs have tried to get into Peter's BSD boxes using these names in combination with weak passwords
Lots more details, including the lists of passwords and IPs, can be found in the full article
If you're using a BSD router, things like this can be easily blocked with PF's rate limiting or fail2ban (and you probably don't have a "d-link" user anyway, so the attempts fail regardless)
***

Get started with FreeBSD, an intro for Linux users
Another new BSD article on a mainstream technology news site - seems we're getting popular
This article is written for Linux users who may be considering switching over to BSD and wondering what it's all about
It details installing FreeBSD 9.3 and getting a basic system set up, while touching on ports and packages, and explaining some terminology along the way
"Among the legions of Linux users and admins, there seems to be a sort of passive curiosity about FreeBSD and other BSDs. Like commuters on a packed train, they gaze out at a less crowded, vaguely mysterious train heading in a slightly different direction and wonder what traveling on that train might be like"
***

Interview - Michael W. Lucas - [email protected] / @mwlauthor
FreeBSD Mastery: Storage Essentials

News Roundup

OpenSMTPD status update
The OpenSMTPD guys, particularly Gilles, have posted an update on what they've been up to lately
As of 5.6, it's become the default MTA in OpenBSD, and sendmail will be totally gone in 5.7
Email is a much more tricky protocol than you might imagine, and the post goes through some of the weirdness and problems they've had to deal with
There's also another post tha
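An added example from the editor (not Peter Hansteen's tooling and not part of PF) that serves both the "The password? You changed it, right?" item above and the "Using divert(4) to reduce attacks" item in episode 72: it parses standard sshd "Failed password" log lines, counts how many distinct source addresses hammer a watch-list of device-default usernames (the figure Peter reports), and separately picks out the low-and-slow sources that space their attempts far enough apart to slip under a PF per-source rate limit, emitting the pfctl commands that would drop them into a table. The log lines are constructed, the watch-list is an assumed stand-in for the three names the post actually reports, and the thresholds are illustrative.

```python
"""Hunt device-default-username SSH brute forcing in sshd auth logs, including
the patient kind that PF's per-source rate limiting never sees.  Added example
by the editor, not Peter Hansteen's or PF's own tooling.  Log lines are
constructed, WATCHED_USERS stands in for the three names the post reports,
and the thresholds are illustrative."""
import re
from collections import defaultdict
from datetime import datetime

# Standard OpenSSH failure message as syslog writes it (no year in the stamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Assumed watch-list: router/device default names rather than real accounts.
WATCHED_USERS = {"admin", "d-link", "dlink"}


def parse_failures(lines, year=2014):
    """Yield (timestamp, user, ip) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def analyze(lines, min_attempts=3, min_gap_seconds=600):
    """Return (ips_per_user, slow_offenders).

    ips_per_user: {user: distinct source IPs} for watched names, the figure the
        post counts (hundreds of addresses behind a handful of usernames).
    slow_offenders: {ip: attempts} for sources whose attempts on watched names
        are each at least min_gap_seconds apart and number min_attempts or more:
        too slow to trip a PF max-src-conn-rate rule, too patient to be a typo.
    """
    per_user = defaultdict(set)
    per_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        if user in WATCHED_USERS:
            per_user[user].add(ip)
            per_ip[ip].append(ts)
    slow = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_attempts and all(g >= min_gap_seconds for g in gaps):
            slow[ip] = len(stamps)
    return {u: len(ips) for u, ips in per_user.items()}, slow


def pf_table_commands(slow, table="bruteforce"):
    """pfctl invocations that would feed the offenders into a PF table (returned
    as strings, not executed); a rule like 'block in quick from <bruteforce>' uses it."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(slow)]


# Constructed sample: one patient scanner, one noisy one, and a legitimate login.
SAMPLE_LOG = """\
Dec 10 02:11:05 gw sshd[4011]: Failed password for invalid user admin from 198.51.100.7 port 50121 ssh2
Dec 10 02:23:40 gw sshd[4015]: Failed password for invalid user d-link from 198.51.100.7 port 50190 ssh2
Dec 10 02:41:12 gw sshd[4020]: Failed password for invalid user dlink from 198.51.100.7 port 50233 ssh2
Dec 10 03:05:00 gw sshd[4033]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Dec 10 03:05:01 gw sshd[4034]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Dec 10 03:05:02 gw sshd[4035]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2
Dec 10 09:30:00 gw sshd[4102]: Failed password for peter from 192.0.2.20 port 51000 ssh2
Dec 10 09:30:15 gw sshd[4102]: Accepted publickey for peter from 192.0.2.20 port 51000 ssh2
""".splitlines()

if __name__ == "__main__":
    ips_per_user, slow = analyze(SAMPLE_LOG)
    print("distinct IPs per watched name:", ips_per_user)
    print("low-and-slow offenders:", slow)
    print("\n".join(pf_table_commands(slow)))
```

The noisy source (three attempts in three seconds) is deliberately left to PF's own rate limiting; the point of the slow-offender pass is the other one, which a max-src-conn-rate rule of any sane setting would never notice.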

67: Must Be Rigged
Coming up this week on the show, we've got an interview with Patrick Wildt, one of the developers of Bitrig. We'll find out all the details of their OpenBSD fork, what makes it different and what their plans are going forward. We've also got all the week's news and answers to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Bitrig 1.0 released
If you haven't heard of it, Bitrig is a fork of OpenBSD that started a couple of years ago
According to their FAQ, some of their goals include: only supporting modern hardware and a limited set of CPU architectures, replacing nearly all GNU tools in base with BSD versions and having better virtualization support
They've finally announced their first official release, 1.0
This release introduces support for Clang 3.4, replacing the old GCC, along with libc++ replacing the GNU version
It also includes filesystem journaling, support for GPT and - most importantly - a hacker-style console with green text on a black background
One of the developers answered some questions about it on Hacker News too
***

Is it time to try BSD?
Here we get a little peek into the Linux world - more and more people are considering switching
On a more mainstream tech news site, they have an article about people switching away from Linux and to BSD
People are starting to get even more suspicious of systemd, and lots of drama in the Linux world is leading a whole new group of potential users over to the BSD side
This article explores some pros and cons of switching, and features opinions of various users
***

Poudriere 3.1 released
One of the first things we ever covered on the show was poudriere, a tool with a funny name that's used to build binary packages from FreeBSD ports
It's come a long way since then, and bdrewery and bapt have just announced a new major version
This new release features a redesigned web interface to check on the status of your packages
There are lots of new bulk building options to preserve packages even if some fail to compile - this makes maintaining a production repo much easier
It also introduces a useful new "pkgclean" subcommand to clean out your repository of packages that aren't needed anymore, and poudriere keeps it cleaner by default as well now
Check the full release notes for all the additions and bug fixes
***

Firewalling with OpenBSD's pf and pfsync
A talk by David Gwynne from an Australian conference was uploaded, with the subject matter being pf and pfsync
He uses pf to manage 60 internal networks with a single firewall
The talk gives some background on how pf originally came to be and some OpenBSD 101 for the uninitiated
It also touches on different rulesets, use cases, configuration syntax, placing limits on connections, ospf, authpf, segregating VLANs, synproxy handling and a lot more
The second half of the presentation focuses on pfsync and carp for failover and redundancy
With two BSD boxes running pfsync, you can actually patch your kernel and reboot one of them while staying connected to IRC
***

Interview - Patrick Wildt - [email protected] / @bitrig
The initial release of Bitrig

News Roundup

Infrastructural enhancements at NYI
The FreeBSD foundation put up a new blog post detailing some hardware improvements they've recently done
Their eastern US colocation is hosted at New York Internet, and is used for FTP mirrors, pkgng mirrors, and also as a place for developers to test things
There have been fourteen machines purchased since July, and now FreeBSD boasts a total of sixty-eight physical boxes there
This blog post goes into detail about how those servers are used and details some of the network topology
***

The long tail of MD5
Our friend Ted Unangst is on a quest to replace all instances of MD5 in OpenBSD's tree with something more modern
In this blog post, he goes through some of the different areas where MD5 still lives, and discovers how easy (or impossible) it would be to replace
Through some recent commits, OpenBSD now uses SHA512 in some places that you might not expect
Some other places require a bit more care…
***

DragonFly cheat sheet
If you've been thinking of trying out DragonFlyBSD lately, this might make the transition a bit easier
A user-created "cheat sheet" on the website lists some common answers to beginner questions
The page features a walkthrough of the installer, some shell tips and workarounds for various issues
At the end, it also has some things that new users can get involved with to help out
***

Experiences with an OpenBSD laptop
A lot of people seem to be interested in trying out some form of BSD on their laptop, and this article details just that
The author got interested in OpenBSD mostly because of the security focus and the fact that it's not Linux
In this blog post, he goes through the steps of researching, installing, configuring, upgrading and finally actually using it on his Thinkpad
He even gives us a mention as a go

66: Conference Connoisseur
This week on the show, we'll be talking with Paul Schenkeveld, chairman of the EuroBSDCon foundation. He tells us about his experiences running BSD conferences and how regular users can get involved too. We've also got answers to all your emails and the latest news, coming up on BSD Now - the place to B.. SD.
This episode was brought to you by

Headlines

More BSD presentation videos
The MeetBSD video uploading spree continues with a few more talks, maybe this'll be the last batch
Corey Vixie, Web Apps in Embedded BSD
Allan Jude, UCL config
Kip Macy, iflib
While we're on the topic of conferences, AsiaBSDCon's CFP was extended by one week
This year's ruBSD will be on December 13th in Moscow
Also, the BSDCan call for papers is out, and the event will be in June next year
Lastly, according to Rick Miller, "A potential vBSDcon 2015 event is being explored though a decision has yet to be made."
***

BSD-powered digital library in Africa
You probably haven't heard much about Nzega, Tanzania, but it's an East African country without much internet access
With physical schoolbooks being a rarity there, a few companies helped out to bring some BSD-powered reading material to a local school
They now have a pair of FreeNAS Minis at the center of their local network, with over 80,000 books and accompanying video content stored on them (~5TB of data currently)
The school's workstations also got wiped and reloaded with FreeBSD, and everyone there seems to really enjoy using it
***

pfSense 2.2 status update
With lots of people asking when the 2.2 release will be done, some pfSense developers decided to provide a status update
2.2 will have a lot of changes: being based on FreeBSD 10.1, Unbound instead of BIND, updating PHP to something recent, including the new(ish) IPSEC stack updates, etc
All these things have taken more time than previously expected
The post also has some interesting graphs showing the ratio of opened and closed bugs for the upcoming release
***

Recommended hardware threads
A few threads caught our attention this week, all about hardware recommendations for BSD setups
In the first one, the OP asks about mini-ITX hardware to run a FreeBSD server and NAS
Everyone gave some good recommendations for low power, Atom-based systems
The second thread started off asking about which CPU architecture is best for PF on an OpenBSD router, but ended up being another hardware thread
For a router, the ALIX, APU and Soekris boards still seem to be the most popular choices, with the third and fourth threads confirming this
If you're thinking about building your first BSD box - server, router, NAS, whatever - these might be some good links to read
***

Interview - Paul Schenkeveld - [email protected]
Running a BSD conference

News Roundup

From Linux to FreeBSD - for reals
Another Linux user is ready to switch to BSD, and takes to Reddit for some community encouragement (seems to be a common thing now)
After being a Linux guy for 20(!) years, he's ready to switch his systems over, and is looking for some helpful guides to transition
In the comments, a lot of new switchers offer some advice and reading material
If any of the listeners have some things that were helpful along your switching journey, maybe send 'em this guy's way
***

Running FreeBSD as a Xen Dom0
Continuing progress has been made to allow FreeBSD to be a host for the Xen hypervisor
This wiki article explains how to run the Xen branch of FreeBSD and host virtual machines on it
Xen on FreeBSD currently supports PV guests (modified kernels) and HVM (unmodified kernels, uses hardware virtualization features)
The wiki provides instructions for running Debian (PV) and FreeBSD (HVM), and discusses the features that are not finished yet
***

HardenedBSD updates and changes
a.out is the old executable format for Unix
The name stands for assembler output, and was coined by Ken Thompson as the fixed name for output of his PDP-7 assembler in 1968
FreeBSD, on which HardenedBSD is based, switched away from a.out in version 3.0
A restriction against NULL mapping was introduced in FreeBSD 7 and enabled by default in FreeBSD 8
However, for reasons of compatibility, it could be switched off, allowing buggy applications to continue to run, at the risk of allowing a kernel bug to be exploited
HardenedBSD has removed the sysctl, making it impossible to run in 'insecure mode'
Package building update: more consistent repo, no more i386 packages
***

Feedback/Questions
Boris writes in
Alex writes in (edit: adding "tinker panic 0" to the ntp.conf will disable the sanity check)
Chris writes in
Robert writes in
Jake writes in
***

Mailing List Gold
Real world authpf use
The great perl event of 2014
***

65: 8,000,000 Mogofoo-ops
Coming up on the show this week, we've got an interview with Brendan Gregg of Netflix. He's got a lot to say about performance tuning and benchmarks, and even some pretty funny stories about how people have done them incorrectly. As always, this week's news and answers to your emails, on BSD Now - the place to B.. SD.
This episode was brought to you by

Headlines

Even more BSD presentation videos
More videos from this year's MeetBSD and OpenZFS devsummit were uploaded since last week
Robert Ryan, At the Heart of the Digital Economy
FreeNAS & ZFS, The Indestructible Duo - Except for the Hard Drives
Richard Yao, libzfs_core and ioctl stabilization
OpenZFS, Company lightning talks
OpenZFS, Hackathon Presentation and Awards
Pavel Zakharov, Fast File Cloning
Rick Reed, Half a billion unsuspecting FreeBSD users
Alex Reece & Matt Ahrens, Device Removal
Chris Side, Channel Programs
David Maxwell, The Unix command pipeline
Be sure to check out the giant list of videos from last week's episode if you haven't seen them already
***

NetBSD on a Cobalt Qube 2
The Cobalt Qube was a very expensive networking appliance around 2000
In 2014, you can apparently get one of these MIPS-based machines for about forty bucks
This blog post details getting NetBSD installed and set up on the rare relic of our networking past
If you're an old-time fan of RISC or MIPS CPUs, this'll be a treat for you
Lots of great pictures of the hardware too
***

OpenBSD vs. AFL
In their never-ending security audit, some OpenBSD developers have been hitting various parts of the tree with a fuzzer
If you're not familiar, fuzzing is a semi-automated way to test programs for crashes and potential security problems
The program being subjected to torture gets all sorts of random and invalid input, in the hopes of uncovering overflows and other bugs
American Fuzzy Lop, in particular, has provided some interesting results across various open source projects recently
So far, it's fixed some NULL pointer dereferences in OpenSSH, various crashes in tcpdump and mandoc and a few other things
AFL has an impressive list of CVEs (vulnerabilities) that it's helped developers discover and fix
It also made its way into OpenBSD ports, FreeBSD ports and NetBSD's pkgsrc very recently, so you can try it out for yourself
***

GNOME 3 hits the FreeBSD ports tree
While you've been able to run GNOME 3 on PC-BSD and OpenBSD for a while, it hasn't actually hit the FreeBSD ports tree.. until now
Now you can play with GNOME 3 and all its goodies (as well as Cinnamon 2.2, which this also brings in) on vanilla FreeBSD
Be sure to check the commit message and /usr/ports/UPDATING if you're upgrading from GNOME 2
You might also want to go back and listen to our interview with Joe Marcus Clark about GNOME's portability
***

Interview - Brendan Gregg - [email protected] / @brendangregg
Performance tuning, benchmarks, debugging

News Roundup

DragonFlyBSD 4.0 released
A new major version of DragonFly, 4.0.1, was just recently announced
This version includes support for Haswell GPUs, lots of SMP improvements (including some in PF) and support for up to 256 CPUs
It's also the first release to drop support for i386, so it joins PCBSD in the 64 bit-only club
Check the release notes for all the details, including networking and kernel improvements, as well as some crypto changes
***

Can we talk about FreeBSD vs Linux
Hackernews had a recent thread discussing Linux vs BSD, and the trolls stayed away for once
Rather than rehashing why one is "better" than the other, it was focused on explaining some of the differences between ecosystems and communities
If you're one of the many people who watch our show just out of curiosity about the BSD world, this might be a good thread to read
Someone in the comments even gave bsdnow.tv a mention as a good resource to learn, thanks guy
***

OpenBSD IPSEC tunnel guide
If you've ever wanted to connect two networks with OpenBSD gateways, this is the article for you
It shows how to set up an IPSEC tunnel between destinations, how to lock it down and how to access all the machines on the other network just like they were on your LAN
The article also explains some of the basics of IPSEC if you're not familiar with all the terminology, so this isn't just for experts
Though the article itself is a few years old, it mostly still applies to the latest stuff today
All the tools used are in the OpenBSD base system, so that's pretty handy too
***

DragonFly starts work on IPFW2
DragonFlyBSD, much like FreeBSD, comes with more than one firewall you can use
Now it looks like you're going to have yet another choice, as someone is working on a fork of IPFW (which is actually already in its second version, so it should be "IPFW3")
Not a whole lot is known yet; it's still in heavy development, but there's a brief roadmap page with some planned additions

64: Rump Kernels Revisited
This time on the show, we'll be talking with Justin Cormack about NetBSD rump kernels. We'll learn how to run them on other operating systems, what's planned for the future and a lot more. As always, answers to viewer-submitted questions and all the news for the week, on BSD Now - the place to B.. SD.
This episode was brought to you by

Headlines

EuroBSDCon 2014 talks and tutorials
The 2014 EuroBSDCon videos have been online for over a month, but unannounced - keep in mind these links may be temporary (but we'll mention their new location in a future show and fix the show notes if that's the case)
Arun Thomas, BSD ARM Kernel Internals
Ted Unangst, Developing Software in a Hostile Environment
Martin Pieuchot, Taming OpenBSD Network Stack Dragons
Henning Brauer, OpenBGPD turns 10 years
Claudio Jeker, vscsi and iscsid iSCSI initiator the OpenBSD way
Paul Irofti, Making OpenBSD Useful on the Octeon Network Gear
Baptiste Daroussin, Cross Building the FreeBSD ports tree
Boris Astardzhiev, Smartcom’s control plane software, a customized version of FreeBSD
Michał Dubiel, OpenStack and OpenContrail for FreeBSD platform
Martin Husemann & Joerg Sonnenberger, Tool-chaining the Hydra, the ongoing quest for modern toolchains in NetBSD
Taylor R Campbell, The entropic principle: /dev/u?random and NetBSD
Dag-Erling Smørgrav, Securing sensitive & restricted data
Peter Hansteen, Building The Network You Need With PF
Stefan Sperling, Subversion for FreeBSD developers
Peter Hansteen, Transition to OpenBSD 5.6
Ingo Schwarze, Let’s make manuals more useful
Francois Tigeot, Improving DragonFly’s performance with PostgreSQL
Justin Cormack, Running Applications on the NetBSD Rump Kernel
Pierre Pronchery, EdgeBSD, a year later
Peter Hessler, Using routing domains or tables in a production network
Sean Bruno, QEMU user mode on FreeBSD
Kristaps Dzonsons, Bugs Ex Ante
Yann Sionneau, Porting NetBSD to the LatticeMico32 open source CPU
Alexander Nasonov, JIT Code Generator for NetBSD
Masao Uebayashi, Porting Valgrind to NetBSD and OpenBSD
Marc Espie, parallel make, working with legacy code
Francois Tigeot, Porting the drm-kms graphic drivers to DragonFly
The following talks (from the Vitosha track room) are all currently missing:
Jordan Hubbard, FreeBSD, Looking forward to another 10 years (but we have another recording)
Theo de Raadt, Randomness, how arc4random has grown since 1998 (but we have another recording)
Kris Moore, Snapshots, Replication, and Boot-Environments
Kirk McKusick, An Introduction to the Implementation of ZFS
John-Mark Gurney, Optimizing GELI Performance
Emmanuel Dreyfus, FUSE and beyond, bridging filesystems
Lourival Vieira Neto, NPF scripting with Lua
Andy Tanenbaum, A Reimplementation of NetB