Created by three guys who love BSD, we cover the latest news and have an extensive series of tutorials, as well as interviews with various people from all areas of the BSD community. It also serves as a platform for support and questions. We love and advocate FreeBSD, OpenBSD, NetBSD, DragonFlyBSD and TrueOS. Our show aims to be helpful and informative for new users that want to learn about them, but still be entertaining for the people who are already pros. The show airs on Wednesdays at 2:00PM (US Eastern time) and the edited version is usually up the following day.
Similar Podcasts
Elixir Outlaws
Elixir Outlaws is an informal discussion about interesting things happening in Elixir. Our goal is to capture the spirit of a conference hallway discussion in a podcast.
The Cynical Developer
A UK based Technology and Software Developer Podcast that helps you to improve your development knowledge and career,
through explaining the latest and greatest in development technology and providing you with what you need to succeed as a developer.
Programming Throwdown
Programming Throwdown educates Computer Scientists and Software Engineers on a cavalcade of programming and tech topics. Every show will cover a new programming language, so listeners will be able to speak intelligently about any programming language.
85: PIE in the Sky
This time on the show, we'll be talking with Pascal Stumpf about static PIE in the upcoming OpenBSD release. He'll tell us what types of attacks it prevents, and why it's such a big deal. We've also got answers to questions from you in the audience and all this week's news, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Solaris' networking future is with OpenBSD (http://bsdly.blogspot.com/2015/04/solaris-admins-for-glimpse-of-your.html) A curious patch from someone with an Oracle email address was recently sent in (https://www.marc.info/?l=openbsd-tech&m=142822852613581&w=2) to one of the OpenBSD mailing lists It was revealed that future releases of Solaris are going to drop their IPFilter firewall entirely, in favor of a port of the current version of PF For anyone unfamiliar with the history of PF, it was actually made as a replacement for IPFilter in OpenBSD, due to some licensing issues What's more, Solaris was the original development platform for IPFilter, so the fact that it would be replaced in its own home is pretty interesting This blog post goes through some of the backstory of the two firewalls PF is in a lot of places - other BSDs, Mac OS X and iOS - but there are plenty of other OpenBSD-developed technologies end up ported to other projects too "Many of the world's largest corporations and government agencies are heavy Solaris users, meaning that even if you're neither an OpenBSD user or a Solaris user, your kit is likely interacting intensely with both kinds, and with Solaris moving to OpenBSD's PF for their filtering needs, we will all be benefiting even more from the OpenBSD project's emphasis on correctness, quality and security" You're welcome, Oracle *** BAFUG discussion videos (https://www.youtube.com/watch?v=Cb--h-iOQEM#t=15) The Bay Area FreeBSD users group has been uploading some videos from their recent meetings Sean Bruno gave a recap of his experiences at EuroBSDCon last year, including the devsummit and some proposed ideas from it (as well as their current status) Craig Rodrigues also gave a talk (https://www.youtube.com/watch?v=kPs8Dni_g3M#t=15) about Kyua and the FreeBSD testing framework Lastly, Kip Macy gave a talk (https://www.youtube.com/watch?v=Q13WtuqbZ7E#t=15) titled "network stack changes, user-level FreeBSD" The main two subjects there are some network stack changes, and how to get more people contributing, but there's also open discussion about a variety of FreeBSD topics If you're close to the Bay Area in California, be sure to check out their group and attend a meeting sometime *** More than just a makefile (http://homing-on-code.blogspot.com/2015/04/ports-are-more-than-just-makefile.html) If you're not a BSD user just yet, you might be wondering how the various ports and pkgsrc systems compare to the binary way of doing things on Linux This blog entry talks about the ports system in OpenBSD, but a lot of the concepts apply to all the ports systems across the BSDs As it turns out, the ports system really isn't that different from a binary package manager - they are what's used to create binary packages, after all The author goes through what makefiles do, customizing which options software is compiled with, patching source code to build and getting those patches back upstream After that, he shows you how to get your new port tested, if you're interesting in doing some porting yourself, and getting involved with the rest of the community This post is very long and there's a lot more to it, so check it out (and more discussion on Hacker News (https://news.ycombinator.com/item?id=9360827)) *** Securing your home fences (http://www.scip.ch/en/?labs.20150409) Hopefully all our listeners have realized that trusting your network(s) to a consumer router is a bad (http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/) idea (https://threatpost.com/12-million-home-routers-vulnerable-to-takeover/109970) by now We hear from a lot of users who want to set up some kind of BSD-based firewall, but don't hear back from them after they've done it.. until now In this post, someone goes through the process of setting up a home firewall using OPNsense on a PCEngines APU board (http://www.pcengines.ch/apu1d4.htm) He notes that you have a lot of options software-wise, including vanilla FreeBSD (http://blog.pcbsd.org/2015/01/using-trueos-as-a-ipfw-based-home-router/), OpenBSD (http://www.bsdnow.tv/tutorials/openbsd-router) or even Linux, but decided to go with OPNsense because of the easy interface and configuration The post covers all the hardware you'll need, getting the OS installed to a flash drive or SD card and going through the whole process Finally, he goes through setting up the firewall with the graphical interface, applying updates and finishing everything up If you don't have any experience using a serial console, this guide also has some good info for beginners about those (which also applies to regular FreeBSD) We love super-detailed guides like this, so everyone should write more and send them to us immediately *** Interview - Pascal Stumpf - pascal@openbsd.org (mailto:pascal@openbsd.org) Static PIE in OpenBSD News Roundup LLVM's new libFuzzer (http://blog.llvm.org/2015/04/fuzz-all-clangs.html) We've discussed fuzzing on the show a number of times, albeit mostly with the American Fuzzy Lop utility It looks like LLVM is going to have their own fuzzing tool too now The Clang and LLVM guys are no strangers to this type of code testing, but decided to "close the loop" and start fuzzing parts of LLVM (including Clang) using LLVM itself With Clang being the default in both FreeBSD and Bitrig, and with the other BSDs considering the switch, this could make for some good bug hunting across all the projects in the future *** HardenedBSD upgrades secadm (http://hardenedbsd.org/article/shawn-webb/2015-04-14/introducing-secadm-02) The HardenedBSD guys have released a new version of their secadm tool, with the showcase feature being integriforce support We covered both the secadm tool and integriforce in previous episodes, but the short version is that it's a way to prevent files from being altered (even as root) Their integriforce feature itself has also gotten a couple improvements: shared objects are now checked too, instead of just binaries, and it uses more caching to speed up the whole process now *** RAID5 returns to OpenBSD (https://www.marc.info/?l=openbsd-tech&m=142877132517229&w=2) OpenBSD's softraid (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/softraid.4) subsystem, somewhat similar to FreeBSD's GEOM, has had experimental RAID5 support for a while However, it was exactly that - experimental - and required a recompile to enable With some work from recent hackathons, the final piece (https://www.marc.info/?l=openbsd-cvs&m=142876943116907&w=2) was added to enable resuming partial array rebuilds Now it's on by default (https://www.marc.info/?l=openbsd-cvs&m=142877026917030&w=2), and there's a call for testing being put out, so grab a snapshot and put the code through its paces The bioctl softraid command also now supports (https://www.marc.info/?l=openbsd-cvs&m=142877223817406&w=2) DUIDs during pseudo-device detachment, possibly paving the way for the installer to drop (https://www.marc.info/?l=openbsd-tech&m=142643313416298&w=2) the "do you want to enable DUIDs?" question entirely *** pkgng 1.5.0 released (https://lists.freebsd.org/pipermail/freebsd-current/2015-April/055463.html) Going back to what we talked about last week (http://www.bsdnow.tv/episodes/2015_04_08-pkg_remove_freebsd-update), the final version of pkgng 1.5.0 is out The "provides" and "requires" support is finally in a regular release A new "-r" switch will allow for direct installation to a chroot or alternate root directory Memory usage should be much better now, and some general code speed-ups were added This version also introduces support for Mac OS X, NetBSD and EdgeBSD - it'll be interesting to see if anything comes of that Many more bugs were fixed, so check the mailing list announcement for the rest (and plenty new bugs were added, according to bapt) *** p2k15 hackathon reports (http://undeadly.org/cgi?action=article&sid=20150411160247) There was another OpenBSD hackathon that just finished up in the UK - this time it was mainly for ports work As usual, the developers sent in reports of some of the things they got done at the event Landry Breuil, both an upstream Mozilla developer and an OpenBSD developer, wrote in about the work he did on the Firefox port (specifically WebRTC) and some others, as well as reviewing lots of patches that were ready to commit Stefan Sperling wrote in (http://undeadly.org/cgi?action=article&sid=20150414064710), detailing his work with wireless chipsets, specifically when the vendor doesn't provide any hardware documentation, as well as updating some of the games in ports Ken Westerback also sent in a report (http://undeadly.org/cgi?action=article&sid=20150413163333), but decided to be a rebel and not work on ports at all - he got a lot of GPT-related work done, and also reviewed the RAID5 support we talked about earlier *** Feedback/Questions Shaun writes in (http://slexy.org/view/s2iNBo2swq) Hrishi writes in (http://slexy.org/view/s202BRLwrd) Randy writes in (http://slexy.org/view/s2KT7M35uY) Zach writes in (http://slexy.org/view/s2Q5lOoxzl) Ben writes in (http://slexy.org/view/s2ynDjuzVi) *** Mailing List Gold Gstreamer hates us (https://www.marc.info/?l=openbsd-ports&m=142884995931428&w=2) At least he's honest (https://lists.torproject.org/pipermail/tor-relays/2015-April/006765.html) I find myself in a situation (https://lists.freebsd.org/pipermail/freebsd-current/2015-April/055390.html) ***
84: pkg remove freebsd-update
On this week's mini-episode, we'll be talking with Baptiste Daroussin about packaging the FreeBSD base system with pkgng. Is this the best way going forward, or are we getting dangerously close to being Linux-like? We'll find out, and also get to a couple of your emails while we're at it, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Xen dom0 in FreeBSD 11-CURRENT (https://svnweb.freebsd.org/ports?view=revision&revision=382965) FreeBSD has just gotten dom0 (http://wiki.xen.org/wiki/Dom0) support for the Xen hypervisor, something NetBSD has had (http://wiki.netbsd.org/ports/xen/howto/#netbsd-dom0) for a while now The ports tree will now have a Xen kernel and toolstack, meaning that they can be updated much more rapidly than if they were part of base It's currently limited to Intel boxes with EPT and a working IOMMU, running a recent version of the -CURRENT branch, but we'll likely see it when 11.0 comes out How will this affect interest in Bhyve? *** A tale of two educational moments (http://blog.anthrobsd.net/044.html) Here we have a blog post from an OpenBSD developer about some experiences he had helping people get involved with the project It's split into two stories: one that could've gone better, and one that went really well For the first one, he found that someone was trying to modify a package from their ports tree to have fewer dependencies Experience really showed its worth, and he was able to write a quick patch to do exactly what the other person had been working on for a few hours - but wasn't so encouraging about getting it committed In the second story, he discussed updating a different port with a user of a forum, and ended up improving the new user's workflow considerably with just a few tips The lesson to take away from this is that we can all help out to encourage and assist new users - everyone was a newbie once *** What's coming in NetBSD 7 (http://saveosx.org/NetBSD7/) We first mentioned NetBSD 7.0 on the show in July of 2014, but it still hasn't been released and there hasn't been much public info about it This blog post outlines some of the bigger features that we can expect to see when it actually does come out Their total platform count is now over 70, so you'd be hard-pressed to find something that it doesn't run on There have been a lot of improvements in the graphics area, particularly with DRM/KMS, including Intel Haswell and Nouveau (for nVidia cards) Many ARM boards now have full SMP support Clang has also finally made its way into the base system, something we're glad to see, and it should be able to build the base OS on i386, AMD64 and ARM - other architectures are still a WIP In the crypto department: their PNRG has switched from the broken RC4 to the more modern ChaCha20, OpenSSL has been updated in base and LibreSSL is in pkgsrc NetBSD's in-house firewall, npf, has gotten major improvements since its initial debut in NetBSD 6.0 Looking to the future, NetBSD hopes to integrate a stable ZFS implementation later on *** OpenZFS office hours (https://www.youtube.com/watch?v=mS4bfbEq46I) We mentioned a couple weeks back that the OpenZFS office hours series was starting back up They've just uploaded the recording of their most recent freeform discussion, with Justin Gibbs (http://www.bsdnow.tv/episodes/2015_03_11-the_pcbsd_tour_ii) being the main presenter In it, they cover how Justin got into ZFS, running in virtualized environments, getting patches into the different projects, getting more people involved, reviewing code, spinning disks vs SSDs, defragging, speeding up resilvering, zfsd and much more *** Interview - Baptiste Daroussin - bapt@freebsd.org (mailto:bapt@freebsd.org) Packaging the FreeBSD base system with pkgng Discussion Packaging the FreeBSD base system with pkgng (follow-up) Feedback/Questions Jeff writes in (http://slexy.org/view/s20AWp6Av1) Anonymous writes in (http://slexy.org/view/s20QiFcdh8) Alex writes in (http://slexy.org/view/s2YzZlswaB) Joris writes in (http://slexy.org/view/s21Mx9TopQ) *** Mailing List Gold ok feedback@ (https://www.marc.info/?l=openbsd-ports&m=142679136422432&w=2) ***
83: woN DSB
Coming up this week on the show, we'll be talking to Kamila Součková, a Google intern. She's been working on the FreeBSD pager daemon, and also tells us about her initial experiences trying out BSD and going to a conference. As always, all the week's news and answers to your emails, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Major changes coming in PCBSD 11 (http://blog.pcbsd.org/2015/04/huge-announcement-for-pc-bsd/) The PCBSD team has announced that version 11.0 will have some more pretty big changes (as they've been known to do lately with NTP daemons and firewalls) Switching from PF to IPFW provided some benefits for VIMAGE, but the syntax was just too complicated for regular everyday users To solve this, they've ported over Linux's iptables, giving users a much more straightforward configuration (http://dpaste.com/2F1KM6T.txt) While ZFS has served them well as the default filesystem for a while, Kris decided that Btrfs would be a better choice going forward Since the FreeBSD kernel doesn't support it natively, all filesystem calls will be through FUSE from now on - performance is Good Enough People often complain about PCBSD's huge ISO download, so, to save space, the default email client will be switched to mutt, and KDE will be replaced with DWM as the default window manager To reconfigure it, or make any appearance changes, users just need to edit a simple C header file and recompile - easy peasy As we've mentioned on the show, PCBSD has been promoting safe backup solutions for a long time with its "life preserver" utility, making it simple to manage multiple snapshots too To test if people have been listening to this advice, Kris recently activated the backdoor he put in life preserver that deletes all the users' files - hope you had that stuff backed up *** NetBSD and FreeBSD join forces (http://www.freebsddiary.org/fretbsd.php) The BSD community has been running into one of the same problems Linux has lately: we just have too many different BSDs to choose from What's more, none of them have any specific areas they focus on or anything like that (they're all basically the same) That situation is about to improve somewhat, as FreeBSD and NetBSD have just merged codebases... say hello to FretBSD Within a week, all mailing lists and webservers for the legacy NetBSD and FreeBSD projects will be terminated - the mailing list for the new combined project will be hosted from the United Nations datacenter on a Microsoft Exchange server As UN monitors will be moderating the mailing lists to prevent disagreements and divisive arguments before they begin, this system is expected to be adequate for the load With FretBSD, your toaster can now run ZFS, so you'll never need to worry about the bread becoming silently corrupted again *** Puffy in the cloud (http://homing-on-code.blogspot.com/2015/03/puffy-in-cloud.html) If you've ever wanted to set up a backup server, especially for family members or someone who's not as technology-savvy, you've probably realized there are a lot of options This post explores the option of setting up your own Dropbox-like service with Owncloud and PostgreSQL, running atop the new OpenBSD http daemon Doing it this way with your own setup, you can control all the security aspects - disk encryption, firewall rules, who can access what and from where, etc He also mentions our pf tutorial (http://www.bsdnow.tv/tutorials/pf) being helpful in blocking script kiddies from hammering the box Be sure to encourage your less-technical friends to always back up their important data *** NetBSD at AsiaBSDCon (https://blog.netbsd.org/tnf/entry/asiabsdcon_2015) Some NetBSD developers have put together a report of what they did at the most recent event in Tokyo It includes a wrap-up of the event, as well as a list of presentations (https://www.netbsd.org/gallery/presentations/#asiabsdcon2015) that NetBSD developers gave Have you ever wanted even more pictures of NetBSD running on lots of devices? There's a never-ending supply, apparently At the BSD research booth of AsiaBSDCon, there were a large number of machines on display, and someone has finally uploaded pictures of all of them (http://www.ki.nu/~makoto/p15/20150315/) There's also a video (https://www.youtube.com/watch?v=K1y9cdmLFjw) of an OMRON LUNA-II running the luna68k port *** Interview - Kamila Součková - kamila@ksp.sk (mailto:kamila@ksp.sk) / @anotherkamila (https://twitter.com/anotherkamila) BSD conferences, Google Summer of Code, various topics News Roundup FreeBSD foundation March update (https://www.freebsdfoundation.org/press/2015marchupdate.pdf) The FreeBSD foundation has published their March update for fundraising and sponsored projects In the document, you'll find information about upcoming ARMv8 enhancements, some event recaps and a Google Summer of Code status update They also mention our interview with the foundation president (http://www.bsdnow.tv/episodes/2015_03_11-the_pcbsd_tour_ii) - be sure to check it out if you haven't *** Inside OpenBSD's new httpd (http://sdtimes.com/inside-openbsds-new-httpd-web-server/) BSD news continues to dominate mainstream tech news sites… well not really, but they talk about it once in a while The SD Times is featuring an article about OpenBSD's in-house HTTP server, after seeing Reyk's AsiaBSDCon presentation (http://www.openbsd.org/papers/httpd-slides-asiabsdcon2015.pdf) about it (which he's giving at BSDCan this year, too) In this article, they talk about the rapid transition of webservers in the base system - apache being replaced with nginx, only to be replaced with httpd shortly thereafter Since the new daemon has had almost a full release cycle to grow, new features and fixes have been pouring in The post also highlights some of the security features: everything runs in a chroot with privsep by default, and it also leverages strong TLS 1.2 defaults (including Perfect Forward Secrecy) *** Using poudriere without OpenSSL (http://bsdxbsdx.blogspot.com/2015/04/build-packages-in-poudriere-without.html) Last week we talked about (http://www.bsdnow.tv/episodes/2015_03_25-ssl_in_the_wild) using LibreSSL in FreeBSD for all your ports One of the problems that was mentioned is that some ports are configured improperly, and end up linking against the OpenSSL in the base system even when you tell them not to This blog post shows how to completely strip OpenSSL out of the poudriere (http://www.bsdnow.tv/tutorials/poudriere) build jails, something that's a lot more difficult than you'd think If you're a port maintainer, pay close attention to this post, and get your ports fixed to adhere to the make.conf options properly *** HAMMER and GPT in OpenBSD (https://www.marc.info/?l=openbsd-tech&m=142755452428573&w=2) Someone, presumably a Google Summer of Code student, wrote in to the lists about his HAMMER FS (http://www.bsdnow.tv/tutorials/hammer) porting proposal He outlined the entire process and estimated timetable, including what would be supported and which aspects were beyond the scope of his work (like the clustering stuff) There's no word yet on if it will be accepted, but it's an interesting idea to explore, especially when you consider that HAMMER really only has one developer In more disk-related news, Ken Westerback (http://www.bsdnow.tv/episodes/2015_02_25-from_the_foundation_2) has been committing quite a lot of GPT-related fixes (https://www.marc.info/?l=openbsd-cvs&w=2&r=1&s=gpt&q=b) recently Full GPT support will most likely be finished before 5.8, but anything involving HAMMER FS is still anyone's guess *** Feedback/Questions Morgan writes in (http://slexy.org/view/s20e30p4qf) Dustin writes in (http://slexy.org/view/s20clKByMP) Stan writes in (http://slexy.org/view/s20aBlmaT5) Mica writes in (http://slexy.org/view/s2ufFrZY9y) *** Mailing List Gold Developers in freefall (https://lists.freebsd.org/pipermail/freebsd-current/2015-April/055281.html) Xorg thieves pt. 1 (https://www.marc.info/?l=openbsd-cvs&m=142786808725483&w=4) Xorg thieves pt. 2 (https://www.marc.info/?l=openbsd-cvs&m=142790740405547&w=4) ***
82: SSL in the Wild
Coming up this week, we'll be chatting with Bernard Spil about wider adoption of LibreSSL in other communities. He's been doing a lot of work with FreeBSD ports specifically, but also working with upstream projects. As usual, all this weeks news and answers to your questions, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines EuroBSDCon 2015 call for papers (https://2015.eurobsdcon.org/call-for-papers/) The call for papers has been announced for the next EuroBSDCon (http://www.bsdnow.tv/episodes/2014_12_03-conference-connoisseur), which is set to be held in Sweden this year According to their site, the call for presentation proposals period will start on Monday the 23rd of March until Friday the 17th of April If giving a full talk isn't your thing, there's also a call for tutorials - if you're comfortable teaching other people about something BSD-related, this could be a great thing too You're not limited to one proposal - several speakers gave multiple in 2014 - so don't hesitate if you've got more than one thing you'd like to talk about We'd like to see a more balanced conference schedule than BSDCan's having this year, but that requires effort on both sides - if you're doing anything cool with any BSD, we'd encourage you submit a proposal (or two) Check the announcement for all the specific details and requirements If your talk gets accepted, the conference even pays for your travel expenses *** Making security sausage (http://www.tedunangst.com/flak/post/making-security-sausage) Ted Unangst (http://www.bsdnow.tv/episodes/2014_02_05-time_signatures) has a new blog post up, detailing his experiences with some recent security patches both in and out of OpenBSD "Unfortunately, I wrote the tool used for signing patches which somehow turned into a responsibility for also creating the inputs to be signed. That was not the plan!" The post first takes us through a few OpenBSD errata patches, explaining how some can get fixed very quickly, but others are more complicated and need a bit more review It also covers security in upstream codebases, and how upstream projects sometimes treat security issues as any other bug Following that, it leads to the topic of FreeType - and a much more complicated problem with backporting patches between versions The recent OpenSSL vulnerabilities were also mentioned, with an interesting story to go along with them Just 45 minutes before the agreed-upon announcement, OpenBSD devs found a problem with the patch OpenSSL planned to release - it had to be redone at the last minute It was because of this that FreeBSD actually had to release a security update to their security update (https://lists.freebsd.org/pipermail/freebsd-security-notifications/2015-March/000237.html) He concludes with "My number one wish would be that every project provide small patches for security issues. Dropping enormous feature releases along with a note 'oh, and some security too' creates downstream mayhem." *** Running FreeBSD on the server, a sysadmin speaks (http://www.itwire.com/business-it-news/open-source/67420-running-freebsd-on-the-server-a-sysadmin-speaks) More BSD content is appearing on mainstream technology sites, and, more importantly, BSD Now is being mentioned ITWire recently did an interview with Allan about running FreeBSD on servers (possibly to go with their earlier interview with Kris about desktop usage) They discuss some of the advantages BSD brings to the table for sysadmins that might be used to Linux or some other UNIX flavor It also covers specific features like jails, ZFS, long-term support, automating tasks and even… what to name your computers If you've been considering switching your servers over from Linux to FreeBSD, but maybe wanted to hear some first-hand experience, this is the article for you *** NetBSD ported to Hardkernel ODROID-C1 (https://blog.netbsd.org/tnf/entry/netbsd_ported_to_hardkernel_odroid) In their never-ending quest to run on every new board that comes out, NetBSD has been ported to the Hardkernel ODROID-C1 (http://www.hardkernel.com/main/products/prdt_info.php?g_code=G141578608433) This one features a quad-core ARMv7 CPU at 1.5GHz, has a gig of ram and gigabit ethernet... all for just $35 There's a special kernel config file for this board's hardware, available in both -current and the upcoming 7.0 More info can be found on their wiki page (https://wiki.netbsd.org/ports/evbarm/odroid-c1/) After this was written, basic framebuffer console support was also committed (http://mail-index.netbsd.org/source-changes/2015/03/21/msg064156.html), allowing a developer to run XFCE (https://pbs.twimg.com/media/CAqU5CnWEAAEhH2.png:large) on the device *** Interview - Bernard Spil - brnrd@freebsd.org (mailto:brnrd@freebsd.org) / @sp1l (https://twitter.com/sp1l) LibreSSL adoption in FreeBSD ports (https://wiki.freebsd.org/LibreSSL) and the wider software ecosystem News Roundup Monitoring pf logs with Gource (http://www.echothrust.com/blogs/monitoring-pf-logs-gource) If you're using pf (http://www.bsdnow.tv/tutorials/pf) on any of the BSDs, maybe you've gotten bored of grepping logs and want to do something more fancy This article will show you how to get set up with Gource for a cinematic-like experience If you've never heard of Gource, it's "an OpenGL-based 3D visualization tool intended for visualizing activity on source control repositories" When you put all the tools together, you can end up with some pretty eye-catching animations of your firewall traffic One of our listeners wrote in to say that he set this up and, almost immediately, noticed his girlfriend's phone had been compromised - graphical representations of traffic could be useful for detecting suspicious network activity *** pkgng 1.5.0 alpha1 released (https://svnweb.freebsd.org/ports?view=revision&revision=381573) The development version of pkgng was updated to 1.4.99.14, or 1.5.0 alpha1 This update introduces support for provides/requires, something that we've been wanting for a long time It will also now print which package is the reason for direct dependency change Another interesting addition is the "pkg -r" switch, allowing cross installation of packages Remember this isn't the stable version, so maybe don't upgrade to it just yet on any production systems DragonFly will also likely pick up this update once it's marked stable *** Welcome to OpenBSD (http://devio.us/~bcallah/rcos2015.pdf) We mentioned last week that our listener Brian was giving a talk in the Troy, New York area The slides from that talk are now online, and they've been generating quite a bit of discussion (https://news.ycombinator.com/item?id=9240533) online (https://www.reddit.com/r/openbsd/comments/2ztokc/welcome_to_openbsd/) It's simply titled "Welcome to OpenBSD" and gives the reader an introduction to the OS (and how easy it is to get involved with contributing) Topics include a quick history of the project, who the developers are and what they do, some proactive security techniques and finally how to get involved As you may know, NetBSD has almost 60 supported platforms (https://www.netbsd.org/ports/) and their slogan is "of course it runs NetBSD" - Brian says, with 17 platforms (http://www.openbsd.org/plat.html) over 13 CPU architectures, "it probably runs OpenBSD" No matter which BSD you might be interested in, these slides are a great read, especially for any beginners looking to get their feet wet Try to guess which font he used... *** BSDTalk episode 252 (http://bsdtalk.blogspot.com/2015/03/bsdtalk252-devious-with-brian-callahan.html) And somehow Brian has snuck himself into another news item this week He makes an appearance in the latest episode of BSD Talk (http://www.bsdnow.tv/episodes/2014_03_05-bsd_now_vs_bsdtalk), where he chats with Will about running a BSD-based shell provider If that sounds familiar, it's probably because we did the same thing (http://www.bsdnow.tv/episodes/2014_06_18-devious_methods), albeit with a different member of their team In this interview, they discuss what a shell provider does, hardware requirements and how to weed out the spammers in favor of real people They also talk a bit about the community aspect of a shared server, as opposed to just running a virtual machine by yourself *** Feedback/Questions Christian writes in (http://slexy.org/view/s2O81pixhq) Stefan writes in (http://slexy.org/view/s2dhr2WfVc) Possnfiffer writes in (http://slexy.org/view/s2Kisq2EqT) Ruudsch writes in (http://slexy.org/view/s2Xr0e5YAJ) Shane writes in (http://slexy.org/view/s2Xz7BNoJE) *** Mailing List Gold Accidental support (https://lists.freebsd.org/pipermail/svn-src-head/2015-March/069679.html) Larry's tears (https://www.marc.info/?l=openbsd-cvs&m=142686812913221&w=2) The boy who sailed with BSD (https://lists.freebsd.org/pipermail/freebsd-hardware/2015-March/007625.html) ***
81: Puffy in a Box
We're back from AsiaBSDCon! This week on the show, we'll be talking to Lawrence Teo about how Calyptix uses OpenBSD in their line of commercial routers. They're getting BSD in the hands of Windows admins who don't even realize it. We also have all this week's news and answer to your emails, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Using OpenBGPD to distribute pf table updates (http://www.echothrust.com/blogs/using-openbgpd-distribute-pf-table-updates-your-servers) For those not familiar, OpenBGPD (https://en.wikipedia.org/wiki/OpenBGPD) is a daemon for the Border Gateway Protocol (https://en.wikipedia.org/wiki/Border_Gateway_Protocol) - a way for routers on the internet to discover and exchange routes to different addresses This post, inspired by a talk about using BGP to distribute spam lists (https://www.youtube.com/watch?v=Vet0eQB00X0), details how to use the protocol to distribute some other useful lists and information It begins with "One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time. This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (eg administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real time blacklists to a large number of systems." If you manage a lot of BSD boxes, this might be an interesting alternative to some of the other ways to distribute configuration files OpenBGPD is part of the OpenBSD base system, but there's also an unofficial port to FreeBSD (https://www.freshports.org/net/openbgpd/) and a "work in progress" pkgsrc version (http://pkgsrc.se/wip/openbgpd) *** Mounting removable media with autofs (http://freebsdfoundation.blogspot.com/2015/03/freebsd-from-trenches-using-autofs5-to_13.html) The FreeBSD foundation has a new article in the "FreeBSD from the trenches" series, this time about the sponsored autofs (https://www.freebsd.org/cgi/man.cgi?query=autofs&sektion=5) tool It's written by one of the autofs developers, and he details his work on creating and using the utility "The purpose of autofs(5) is to mount filesystems on access, in a way that's transparent to the application. In other words, filesystems get mounted when they are first accessed, and then unmounted after some time passes." He talks about all the components that need to work together for smooth operation, how to configure it and how to enable it by default for removable drives It ends with a real-world example of something we're all probably familiar with: plugging in USB drives and watching the magic happen There's also some more advanced bonus material on GEOM classes and all the more technical details *** The Tor Browser on BSD (http://trac.haqistan.net/blog/adventures-ports-tor-browser) The Tor Project has provided a "browser bundle (https://www.torproject.org/projects/torbrowser/design/)" for a long time, which is more or less a repackaged Firefox with many security and privacy-related settings preconfigured and some patches applied to the source Just tunneling your browser through a transparent Tor proxy is not safe enough - many things can lead to passive fingerprinting or, even worse, anonymity being completely lost It has, however, only been released for Windows, OS X and Linux - no BSD version "[...] we are pushing back against an emerging monoculture, and this is always a healthy thing. Monocultures are dangerous for many reasons, most importantly to themselves." Some work has begun to get a working port on BSD going, and this document tells about the process and how it all got started If you've got porting skills, or are interested in online privacy, any help would be appreciated of course (see the post for details on getting involved) *** OpenSSH 6.8 released (https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-March/033686.html) Continuing their "tick tock" pattern of releases alternating between new features and bugfixes, the OpenSSH team has released 6.8 - it's a major upgrade, focused on new features (we like those better of course) Most of the codebase has gone through refactoring, making it easier for regression tests and improving the general readability This release adds support for SHA256-hashed, base64-encoded host key fingerprints, as well as making that the default - a big step up from the previously hex-encoded MD5 fingerprints Experimental host key rotation support also makes it debut, allowing for easy in-place upgrading of old keys to newer (or refreshed) keys You can now require multiple, different public keys to be verified for a user to authenticate (useful if you're extra paranoid or don't have 100% confidence in any single key type) The native version will be in OpenBSD 5.7, and the portable version should hit a ports tree near you soon Speaking of the portable version, it now has a configure option to build without OpenSSL or LibreSSL, but doing so limits you to Ed25519 key types and ChaCha20 and AES-CTR ciphers *** NetBSD at AsiaBSDCon (https://mail-index.netbsd.org/netbsd-advocacy/2015/03/15/msg000682.html) The NetBSD guys already have a wrap-up of the recent event, complete with all the pictures and weird devices you'd expect It covers their BoF session, the six NetBSD-related presentations and finally their "work in progress" session There was a grand total of 34 different NetBSD gadgets (https://docs.google.com/spreadsheets/d/14q6zJK5PjlMoSeBV5HBiEik5LkqlrcrbSxPoxVKKlec/edit#gid=0) on display at the event *** Interview - Lawrence Teo - lteo@openbsd.org (mailto:lteo@openbsd.org) / @lteo (https://twitter.com/lteo) OpenBSD at Calyptix (http://www.nycbsdcon.org/2010/presentations/lteo-nycbsdcon2010.pdf) News Roundup HardenedBSD introduces Integriforce (http://hardenedbsd.org/article/shawn-webb/2015-03-11/call-testing-secadm-integriforce) A little bit of background on this one first: NetBSD has something called veriexec (https://www.netbsd.org/docs/guide/en/chap-veriexec.html), used for checking file integrity (http://wiki.netbsd.org/guide/veriexec/) at the kernel level By doing it at the kernel level, similar to securelevels (https://en.wikipedia.org/wiki/Securelevel), it offers some level of protection even when the root account is compromised HardenedBSD has introduced a similar mechanism into their "secadm" utility You can list binaries in the config file that you want to be protected from changes, then specify whether those can't be run (http://i.imgur.com/wHp2eAN.png) at all, or if they just print a warning They're looking for some more extensive testing of this new feature *** More s2k15 hackathon reports (http://undeadly.org/cgi?action=article&sid=20150305100712&mode=flat) A couple more Australian hackathon reports have poured in since the last time The first comes from Jonathan Gray, who's done a lot of graphics-related work in OpenBSD recently He worked on getting some newer "Southern Islands" and "Graphics Core Next" AMD GPUs working, as well as some OpenGL and DRM-related things Also on his todo list was to continue hitting various parts of the tree with American Fuzzy Lop, which ended up fixing a few crashes in mandoc (http://www.bsdnow.tv/episodes/2014_11_12-a_mans_man) Ted Unangst also sent in a report (http://undeadly.org/cgi?action=article&sid=20150307165135&mode=flat) to detail what he hacked on at the event With a strong focus on improving SMP scalability, he tackled the virtual memory layer His goal was to speed up some syscalls that are used heavily during code compilation, much of which will probably end up in 5.8 All the trip reports are much more detailed than our short summaries, so give them a read if you're interested in all the technicalities *** DragonFly 4.0.4 and IPFW3 (https://www.dragonflydigest.com/2015/03/10/15733.html) DragonFly BSD has put out a small point release to the 4.x branch, 4.0.4 It includes a minor list of fixes (http://lists.dragonflybsd.org/pipermail/commits/2015-March/418098.html), some of which include a HAMMER FS history fix, removing the no-longer-needed "new xorg" and "with kms" variables and a few LAGG fixes There was also a bug in the installer that prevented the rescue image from being installed correctly, which also gets fixed in this version Shortly after it was released, their new IPFW2 firewall was added to the tree (http://lists.dragonflybsd.org/pipermail/commits/2015-March/418133.html) and subsequently renamed to IPFW3 (http://lists.dragonflybsd.org/pipermail/commits/2015-March/418160.html) (since it's technically the third revision) *** NetBSD gets Raspberry Pi 2 support (https://blog.netbsd.org/tnf/entry/raspberry_pi_2_support_added) NetBSD has announced initial support for the second revision (http://www.raspberrypi.org/products/raspberry-pi-2-model-b/) of the ever-popular Raspberry Pi board There are -current snapshots available for download, and multiprocessor support is also on the way The NetBSD wiki page about the Raspberry Pi also has some more information (https://wiki.netbsd.org/ports/evbarm/raspberry_pi/) and an installation guide The usual Hacker News discussion (https://news.ycombinator.com/item?id=9172100) on the subject If anyone has one of these little boards, let us know - maybe write up a blog post about your experience with BSD on it *** OpenIKED as a VPN gateway (http://puffysecurity.com/wiki/openikedoffshore.html) In our first discussion segment, we talked about a few different ways to tunnel your traffic While we've done full tutorials on things like SSH tunnels (http://www.bsdnow.tv/tutorials/stunnel), OpenVPN (http://www.bsdnow.tv/tutorials/openvpn) and Tor (http://www.bsdnow.tv/tutorials/tor), we haven't talked a whole lot about OpenBSD's IPSEC suite This article should help fill that gap - it walks you through the complete IKED setup From creating the public key infrastructure to configuring the firewall to configuring both the VPN server and client, this guide's got it all *** Feedback/Questions Gary writes in (http://slexy.org/view/s21G9TWALE) Robert writes in (http://slexy.org/view/s206aZrxOi) Joris writes in (http://slexy.org/view/s28Um5R7LG) Mike writes in (http://slexy.org/view/s2yAJsl1Es) Anders writes in (http://slexy.org/view/s21dMAE55M) *** Mailing List Gold Can you hear me now (https://www.marc.info/?l=openbsd-misc&m=142577632205484&w=2) He must be GNU here (https://lists.freebsd.org/pipermail/freebsd-hackers/2015-March/047207.html) I've seen some... (https://www.marc.info/?l=openbsd-cvs&m=142593175408756&w=2) ***
80: The PC-BSD Tour II
We're away at AsiaBSDCon this week, but we've still got a packed episode for you. First up is a sequel to the "PC-BSD tour" segment from a while back, highlighting how ZFS boot environments work. After that, Justin Gibbs joins us to talk about the FreeBSD foundation's 15th anniversary. We'll return next week with a normal episode of BSD Now - which is of course, the place to B.. SD. This episode was brought to you by Special segment Demystifying Boot Environments in PC-BSD Interview - Justin Gibbs - gibbs@freebsd.org (mailto:gibbs@freebsd.org) / @freebsdfndation (https://twitter.com/freebsdfndation) The FreeBSD foundation's 15th anniversary Discussion The story of PC-BSD
79: Just Add QEMU
Coming up this time on the show, we'll be talking to Sean Bruno. He's been using poudriere and QEMU to cross compile binary packages, and has some interesting stories to tell about it. We've also got answers to viewer-submitted questions and all this week's news, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines AsiaBSDCon 2015 schedule (http://2015.asiabsdcon.org/timetable.html.en) Almost immediately after we finished recording an episode last week, the 2015 AsiaBSDCon schedule went up This year's conference will be between 12-15 March at the Tokyo University of Science in Japan The first and second days are for tutorials, as well as the developer summit and vendor summit Days four and five are the main event with the presentations, which Kris and Allan both made the cut for once again Not counting the ones that have yet to be revealed (as of the day we're recording this), there will be thirty-six different talks in all - four BSD-neutral, four NetBSD, six OpenBSD and twenty-two FreeBSD Summaries of all the presentations are on the timetable page if you scroll down a bit *** FreeBSD foundation updates and more (https://www.freebsdfoundation.org/press/2015febupdate.pdf) The FreeBSD foundation (http://www.bsdnow.tv/episodes/2015_02_04-from_the_foundation_1) has posted a number of things this week, the first of which is their February 2015 status update It provides some updates on the funded projects, including PCI express hotplugging and FreeBSD on the POWER8 platform There's a FOSDEM recap and another update of their fundraising goal for 2015 They also have two new blog posts: a trip report from SCALE13x (http://freebsdfoundation.blogspot.com/2015/02/scale-13x-trip-report-michael-dexter.html) and a featured "FreeBSD in the trenches (http://freebsdfoundation.blogspot.com/2015/02/freebsd-from-trenches-zfs-and-how-to.html)" article about how a small typo caused a lot of ZFS chaos in the cluster "Then panic ensued. The machine didn't panic -- I did." *** OpenBSD improves browser security (https://www.marc.info/?l=openbsd-misc&m=142523501726732&w=2) No matter what OS you run on your desktop, the most likely entry point for an exploit these days is almost certainly the web browser Ted Unangst writes in to the OpenBSD misc list to introduce a new project he's working on, simply titled "improving browser security" He gives some background on the W^X memory protection (https://en.wikipedia.org/wiki/W%5EX) in the base system, but also mentions that some applications in ports don't adhere to it For it to be enforced globally instead of just recommended, at least one browser (or specifically, one JIT (https://en.wikipedia.org/wiki/Just-in-time_compilation) engine) needs to be fixed to use it "A system that is 'all W^X except where it's not' is the same as a system that's not W^X. We've worked hard to provide a secure foundation for programs; we'd like to see them take advantage of it." The work is being supported by the OpenBSD foundation (http://www.bsdnow.tv/episodes/2015_02_25-from_the_foundation_2), and we'll keep you updated on this undertaking as more news about it is released There's also some discussion on Hacker News (https://news.ycombinator.com/item?id=9128360) and Undeadly (http://undeadly.org/cgi?action=article&sid=20150303075848&mode=expanded) about it *** NetBSD at Open Source Conference 2015 Tokyo (https://mail-index.netbsd.org/netbsd-advocacy/2015/02/28/msg000680.html) The Japanese NetBSD users group has once again invaded a conference, this time in Tokyo There's even a spreadsheet (https://docs.google.com/spreadsheets/d/1DTJbESfnOUgOiVkFG8vsrxTq6oCGRpf8PkRcMkhWYWQ/edit#gid=0) of all the different platforms they were showing off at the booth (mostly ARM, MIPS, PowerPC and Landisk this time around) If you just can't get enough strange devices running BSD, check the mailing list post for lots of pictures Their next target is, as you might guess, AsiaBSDCon 2015 - maybe we'll run into them *** Interview - Sean Bruno - sbruno@freebsd.org (mailto:sbruno@freebsd.org) / @franknbeans (https://twitter.com/franknbeans) Cross-compiling packages with poudriere (http://www.bsdnow.tv/tutorials/poudriere) and QEMU News Roundup The Crypto Bone (http://crypto-bone.com/what.html) The Crypto Bone is a new device (http://www.crypto-bone.com/) that's aimed at making encryption and secure communications easier (http://crypto-bone.com/cbb-usersview.html) and more accessible Under the hood, it's actually just a Beaglebone (http://beagleboard.org/bone) board, running stock OpenBSD with a few extra packages It includes a web interface (http://crypto-bone.com/release/root/var/www/apache/html/) for configuring keys and secure tunnels The source code (http://crypto-bone.com/release/root/) is freely available for anyone interested in hacking on it (or auditing the crypto), and there's a technical overview (http://crypto-bone.com/cbb-technicalview.html) of how everything works on their site If you don't want to teach your mom how to use PGP, buy her one of these(?) *** BSD in the 2015 Google Summer of Code (https://www.google-melange.com/gsoc/document/show/gsoc_program/google/gsoc2015/about_page) For those who don't know, GSoC is a way for students to get paid to work on a coding project for an open source organization Good news: both FreeBSD and OpenBSD were accepted (https://www.google-melange.com/gsoc/org/list/public/google/gsoc2015) for the 2015 event FreeBSD has a wiki page (https://wiki.freebsd.org/SummerOfCodeIdeas) of ideas for people to work on OpenBSD also has an ideas page (http://www.openbsdfoundation.org/gsoc2015.html) where you can see some of the initial things that might be interesting If you're a student looking to get involved with BSD development, this might be a great opportunity to even get paid to do it Who knows, you may even end up on the show (http://www.bsdnow.tv/episodes/2015_01_07-system_disaster) if you work on a cool project GSoC will be accepting idea proposals starting March 16th, so you have some time to think about what you'd like to hack on *** pfSense 2.3 roadmap (https://blog.pfsense.org/?p=1588) The pfSense team has posted a new blog entry, detailing some of their plans for future versions PPTP will finally be deprecated, PHP will be updated to 5.6 and other packages will also get updated to newer versions PBIs are scheduled to be replaced with native pkgng packages Version 3.0, something coming much later, will be a major rewrite that gets rid of PHP entirely Their ultimate goal is for pfSense to be a package you can install atop of a regular FreeBSD install, rather than a repackaged distribution *** PCBSD 10.1.2 security features (http://blog.pcbsd.org/2015/03/a-look-at-the-upcoming-features-for-10-1-2/) PCBSD 10.1.2 will include a number of cool security features, some of which are detailed in a new blog post A new "personacrypt" utility is introduced, which allows for easy encryption and management of external drives for your home directory Going along with this, it also has a "stealth mode" that allows for one-time temporary home directories (but it doesn't self-destruct, don't worry) The LibreSSL integration also continues, and now packages will be built with it by default If you're using the Life Preserver utility for backups, it will encrypt the remote copy of your files in the next update They've also been working on introducing some new options to enable tunneling your traffic through Tor There will now be a fully-transparent proxy option that utilizes the switch to IPFW we mentioned last week A small disclaimer: remember that many things can expose your true IP when using Tor, so use this option at your own risk if you require full anonymity Look forward to Kris wearing a Tor shirt (https://www.torproject.org/getinvolved/tshirt.html) in future episodes *** Feedback/Questions Antonio writes in (http://slexy.org/view/s2ofBPRT5n) Chris writes in (http://slexy.org/view/s26LsYcoJF) Van writes in (http://slexy.org/view/s28Rho0jvL) Stu writes in (http://slexy.org/view/s21AkGbniU) *** Mailing List Gold H (https://lists.freebsd.org/pipermail/freebsd-ports/2015-February/098183.html) Pay up, mister Free (https://lists.freebsd.org/pipermail/freebsd-chat/2015-February/007024.html) Heritage protected (https://www.mail-archive.com/tech%40openbsd.org/msg22663.html) Blind leading the blind (https://lists.freebsd.org/pipermail/freebsd-questions/2015-February/264466.html) What are the chances (https://lists.freebsd.org/pipermail/svn-src-head/2015-February/068682.html) ***
78: From the Foundation (Part 2)
This week we continue our two-part series on the activities of various BSD foundations. Ken Westerback joins us today to talk all about the OpenBSD foundation and what it is they do. We've also got answers to your emails and all the latest news, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines BSDCan 2015 schedule (https://www.bsdcan.org/2015/schedule/) The list of presentations for the upcoming BSDCan conference has been posted, and the time schedule should be up shortly as well Just a reminder: it's going to be held on June 12th and 13th at the University of Ottawa in Canada This year's conference will have a massive fifty talks, split up between four tracks instead of three (but unfortunately a person can only be in one place at a time) Both Allan and Kris had at least one presentation accepted, and Allan will also be leading a few "birds of a feather" gatherings In total, there will be three NetBSD talks, five OpenBSD talks, eight BSD-neutral talks, thirty-five FreeBSD talks and no DragonFly talks That's not the ideal balance (https://twitter.com/bsdcan/status/570394627158773760) we'd hope for, but BSDCan says (https://twitter.com/bsdcan/status/570398181864972288) they'll try to improve that next year Those numbers are based on the speaker's background, or any past presentations, for the few whose actual topic wasn't made obvious from the title (so there may be a small margin of error) Michael Lucas (who's on the BSDCan board) wrote up a blog post (http://blather.michaelwlucas.com/archives/2325) about the proposals and rejections this year If you can't make it this year, don't worry, we'll be sure to announce the recordings when they're made available We also interviewed Dan Langille (http://www.bsdnow.tv/episodes/2014_12_31-daemons_in_the_north) about the conference and what to expect this year, so check that out too *** SSL interception with relayd (http://www.reykfloeter.com/post/41814177050/relayd-ssl-interception) There was a lot of commotion recently about superfish (http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/), a way that Lenovo was intercepting HTTPS traffic and injecting advertisements If you're running relayd (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/relayd.8), you can mimic this evil setup on your own networks (just for testing of course…) Reyk Floeter (http://www.bsdnow.tv/episodes/2014_09_03-its_hammer_time), the guy who wrote relayd, came up a blog post about how to do just that (https://gist.github.com/reyk/4b42858d1eab3825f9bc#file-relayd-superfish-conf) It starts off with some backstory and some of the things relayd is capable of relayd can run as an SSL server to terminate SSL connections and forward them as plain TCP and, conversely, run as an SSL client to terminal plain TCP connections and tunnel them through SSL When you combine these two, you end up with possibilities to filter between SSL connections, effectively creating a MITM scenario The post is very long, with lots of details (https://www.marc.info/?l=openbsd-tech&m=135887624714548&w=2) and some sample config files - the whole nine yards *** OPNsense 15.1.6.1 released (https://forum.opnsense.org/index.php?topic=77.0) The OPNsense team has released yet another version in rapid succession, but this one has some big changes It's now based on FreeBSD 10.1, with all the latest security patches and driver updates (as well as some in-house patches) This version also features a new tool for easily upgrading between versions, simply called "opnsense-update" (similar to freebsd-update) It also includes security fixes for BIND (https://kb.isc.org/article/AA-01235) and PHP (http://php.net/ChangeLog-5.php#5.6.6), as well as some other assorted bug fixes The installation images have been laid out in a clean way: standard CD and USB images that default to VGA, as well as USB images that default to a console output (for things like Soekris and PCEngines APU boards that only have serial ports) With the news of m0n0wall shutting down last week, they've also released bare minimum hardware specifications required to run OPNsense on embedded devices Encouraged by last week's mention of PCBSD trying to cut ties with OpenSSL, OPNsense is also now providing experimental images built against LibreSSL (https://forum.opnsense.org/index.php?topic=78.0) for testing (and have instructions on how to switch over without reinstalling) *** OpenBSD on a Minnowboard Max (http://www.countersiege.com/2015/02/22/minnowboard_max_openbsd.html) What would our show be without at least one story about someone installing BSD on a weird device For once, it's actually not NetBSD… This article is about the minnowboard max (http://www.minnowboard.org/meet-minnowboard-max/), a very small X86-based motherboard that looks vaguely similar to a Raspberry Pi It's using an Atom CPU instead of ARM, so overall application compatibility should be a bit better (and it even has AES-NI, so crypto performance will be much better than a normal Atom) The author describes his entirely solid-state setup, noting that there's virtually no noise, no concern about hard drives dying and very reasonable power usage You'll find instructions on how to get OpenBSD installed and going throughout the rest of the article Have a look at the spec sheet if you're interested, they make for cool little BSD boxes *** Netmap for 40gbit NICs in FreeBSD (https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054717.html) Luigi Rizzo posted an announcement to the -current mailing list, detailing some of the work he's just committed The ixl(4) driver, that's one for the X1710 40-gigabit card, now has netmap support It's currently in 11-CURRENT, but he says it works in 10-STABLE and will be committed there too This should make for some serious packet-pushing power If you have any network hardware like this, he would appreciate testing for the new code *** Interview - Ken Westerback - directors@openbsdfoundation.org (mailto:directors@openbsdfoundation.org) The OpenBSD foundation (http://www.openbsdfoundation.org/donations.html)'s activities News Roundup s2k15 hackathon report: dhclient/dhcpd/fdisk (http://undeadly.org/cgi?action=article&sid=20150221222235) The second trip report from the recent OpenBSD hackathon has been published, from the very same guy we just talked to Ken was also busy, getting a few networking-related things fixed and improved in the base system He wrote a few new small additions for dhclient and beefed up the privsep security, as well as some fixes for tcpdump and dhcpd The fdisk tool also got worked on a bit, enabling OpenBSD to properly wipe GPT tables on a previously-formatted disk so you can do a normal install on it There's apparently plans for "dhclientng" - presumably a big improvement (rewrite?) of dhclient *** FreeBSD beginner video series (https://www.youtube.com/user/bsdtutorial/videos) A new series of videos has started on YouTube, aimed at helping total beginners learn about FreeBSD We usually assume that people who watch the show are already familiar with basic concepts, but they'd be a great introduction to any of your friends that are looking to get started with BSD and need a helping hand So far, he's covered how to get FreeBSD (https://www.youtube.com/watch?v=D26rOHkI-iE), an introduction to installing in VirtualBox (https://www.youtube.com/watch?v=PCyYW19bPDU), a simple installation (https://www.youtube.com/watch?v=HCE89kObutA) or a more in-depth manual installation (https://www.youtube.com/watch?v=OwqCjz9Fgao), navigating the filesystem (https://www.youtube.com/watch?v=6YJhdOGjN50), basic ssh use (https://www.youtube.com/watch?v=Yl5Bg2qz21I), managing users and groups (https://www.youtube.com/watch?v=ioB73i7QUjI) and finally some basic editing (https://www.youtube.com/watch?v=VxxbO-gt9FA) with vi (https://www.youtube.com/watch?v=16FNtCj-uS4) and a few other topics Everyone's gotta start somewhere and, with a little bit of initial direction, today's newbies could be tomorrow's developers It should be an ongoing series with more topics to come *** NetBSD tests: zero unexpected failures (https://blog.netbsd.org/tnf/entry/regular_test_runs_down_to) The NetBSD guys have a new blog post up about their testing suite (http://wiki.netbsd.org/tutorials/atf/) for all the CPU architectures They've finally gotten the number of "expected" failures down to zero on a few select architectures Results are published (http://releng.netbsd.org/test-results.html) on a special release engineering page, so you can have a look if you're interested The rest of the post links to the "top performers" (ones with less than ten failure) in the -current branch *** PCBSD switches to IPFW (https://github.com/pcbsd/pcbsd/commit/b80f78d8a5d002396c28ac0e5fd6f69699beaace) The PCBSD crew continues their recent series of switching between major competing features This time, they've switched the default firewall away from PF to FreeBSD's native IPFW firewall Look forward to Kris wearing a "keep calm and use IPFW" shir- wait *** Feedback/Questions Sean writes in (http://slexy.org/view/s21U6Ln6wC) Dan writes in (http://slexy.org/view/s2Kp0xdfIb) Florian writes in (http://slexy.org/view/s216DcA8DP) Sean writes in (http://slexy.org/view/s271iJjqtQ) Chris writes in (http://slexy.org/view/s21zerHI9P) *** Mailing List Gold VCS flamebait (https://www.marc.info/?l=openbsd-misc&m=142454205416445&w=2) Hidden agenda (https://lists.freebsd.org/pipermail/freebsd-gnome/2015-February/031561.html) ***
77: Noah's L2ARC
This week on the show, we'll be chatting with Alex Reece and Matt Ahrens about what's new in the world of OpenZFS. After that, we're starting a new tutorial series on submitting your first patch. All the latest BSD news and answers to your emails, coming up on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Revisiting FreeBSD after 20 years (http://changelog.complete.org/archives/9317-has-linux-lost-its-way-comments-prompt-a-debian-developer-to-revisit-freebsd-after-20-years) With comments like "has Linux lost its way?" floating around, a Debian developer was prompted to revisit FreeBSD after nearly two decades This blog post goes through his experiences trying out a modern BSD variant, and includes the good, the bad and the ugly - not just praise this time He loves ZFS and the beadm tool, and finds the FreeBSD implementation to be much more stable than ZoL On the topic of jails, he summarizes: "Linux has tried so hard to get this right, and fallen on its face so many times, a person just wants to take pity sometimes. We’ve had linux-vserver, openvz, lxc, and still none of them match what FreeBSD jails have done for a long time." The post also goes through the "just plain different" aspects of a complete OS vs. a distribution of various things pieced together Finally, he includes some things he wasn't so happy about: subpar laptop support, virtualization being a bit behind, a myriad of complaints about pkgng and a few other things There was some decent discussion (https://news.ycombinator.com/item?id=9063216) on Hacker News about this article too, with counterpoints from both sides *** s2k15 hackathon report: network stack SMP (http://undeadly.org/cgi?action=article&sid=20150218085759) The first trip report from the recent OpenBSD hackathon in Australia has finally been submitted One of the themes of this hackathon was SMP (symmetric multiprocessing) improvement, and Martin Pieuchot did some hacking on the network stack If you're not familiar with him, he gave a presentation (http://www.openbsd.org/papers/tamingdragons.pdf) at EuroBSDCon last year, titled Taming OpenBSD Network Stack Dragons (https://va.ludost.net/files/eurobsdcon/2014/Rodopi/03.Saturday/03.Taming%20OpenBSD%20Network%20Stack%20Dragons%20-%20Martin%20Pieuchot.mp4) Teaming up with David Gwynne, they worked on getting some bits of the networking code out of the big lock (https://en.wikipedia.org/wiki/Giant_lock) Hopefully more trip reports will be sent in during the coming weeks Most of the big code changes should probably appear after the 5.7-release testing period *** From BIND to NSD and Unbound (https://www.tumfatig.net/20150215/bind-nsd-unbound-openbsd-5-6/) If you've been running a DNS server on any of the BSDs, you've probably noticed a semi-recent trend: BIND being replaced with Unbound BIND was ripped out in FreeBSD 10.0 and will be gone in OpenBSD 5.7, but both systems include Unbound now as an alternative OpenBSD goes a step further, also including NSD in the base system, whereas you'll need to install that from ports on FreeBSD Instead of one daemon doing everything like BIND tried to do, this new setup splits the authoritative nameserver and the caching resolver into two separate daemons This post takes you through the transitional phase of going from a single BIND setup to a combination of NSD and Unbound All in all, everyone wins here, as there will be a lot less security advisories in both BSDs because of it... *** m0n0wall calls it quits (http://m0n0.ch/wall/end_announcement.php) The original, classic BSD firewall distribution m0n0wall (https://en.wikipedia.org/wiki/M0n0wall) has finally decided to close up shop For those unfamiliar, m0n0wall was a FreeBSD-based firewall project that put a lot of focus on embedded devices: running from a CF card, CD, USB drive or even a floppy disk It started over twelve years ago, which is pretty amazing when you consider that's around half of FreeBSD itself's lifespan The project was probably a lot of people's first encounter with BSD in any form If you were a m0n0wall user, fear not, you've got plenty of choices for a potential replacement: doing it yourself with something like FreeBSD (http://blog.pcbsd.org/2015/01/using-trueos-as-a-ipfw-based-home-router/) or OpenBSD (http://www.bsdnow.tv/tutorials/openbsd-router), or going the premade route with something like pfSense (http://www.bsdnow.tv/episodes/2014_02_19-a_sixth_pfsense), OPNsense (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach) or the BSD Router Project (http://www.bsdnow.tv/episodes/2014_10_22-dont_buy_a_router) The founder's announcement includes these closing words: "m0n0wall has served as the seed for several other well known open source projects, like pfSense, FreeNAS and AskoziaPBX. The newest offspring, OPNsense, aims to continue the open source spirit of m0n0wall while updating the technology to be ready for the future. In my view, it is the perfect way to bring the m0n0wall idea into 2015, and I encourage all current m0n0wall users to check out OPNsense and contribute if they can." While m0n0wall didn't get a lot of on-air mention, surely a lot of our listeners will remember it fondly *** Interview - Alex Reece & Matt Ahrens - alex@delphix.com (mailto:alex@delphix.com) & matt@delphix.com (mailto:matt@delphix.com) / @openzfs (https://twitter.com/openzfs) What's new in OpenZFS Tutorial Making your first patch (OpenBSD) (http://www.bsdnow.tv/tutorials/patching-obsd) News Roundup Overlaying remote LANs with OpenBSD's VXLAN (http://www.echothrust.com/blogs/using-openbsd-and-vxlan-overlay-remote-lans) Have you ever wanted to "merge" multiple remote LANs? OpenBSD's vxlan(4) (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/vxlan.4) is exactly what you need This article talks about using it to connect two virtualized infrastructures on different ESXi servers It gives a bit of networking background first, in case you're not quite up to speed on all this stuff This tool opens up a lot of very cool possibilities, even possibly doing a "remote" LAN party Be sure to check the AsiaBSDCon talk (https://www.youtube.com/watch?v=ufeEP_hzFN0) about VXLANs if you haven't already *** 2020, year of the PCBSD desktop (http://lukewolf.blogspot.com/2015/02/a-prediction-2020-year-of-pc-bsd-on.html) Here we have a blog post about BSD on the desktop, straight from a KDE developer He predicts that PCBSD is going to take off before the year 2020, possibly even overtaking Linux's desktop market share (small as it may be) With PCBSD making a preconfigured FreeBSD desktop a reality, and the new KMS work, the author is impressed with how far BSD has come as a viable desktop option ZFS and easy-to-use boot environments top the list of things he says differentiate the BSD desktop experience from the Linux one There was also some discussion on Slashdot (http://bsd.slashdot.org/story/15/02/16/2355236/pc-bsd-set-for-serious-growth) that might be worth reading *** OpenSSH host key rotation, redux (http://blog.djm.net.au/2015/02/hostkey-rotation-redux.html) We mentioned the new OpenSSH host key rotation and other goodies in a previous episode (http://www.bsdnow.tv/episodes/2015_02_04-from_the_foundation_1), but things have changed a little bit since then djm (http://www.bsdnow.tv/episodes/2013_12_18-cryptocrystalline) says "almost immediately after smugly declaring 'mission accomplished', the bug reports started rolling in." There were some initial complaints from developers about the new options, and a serious bug shortly thereafter After going back to the drawing board, he refactored some of the new code (and API) and added some more regression tests Most importantly, the bigger big fix was described as: "a malicious server (say, "host-a") could advertise the public key of another server (say, "host-b"). Then, when the client subsequently connects back to host-a, instead of answering the connection as usual itself, host-a could proxy the connection to host-b. This would cause the user to connect to host-b when they think they are connecting to host-a, which is a violation of the authentication the host key is supposed to provide." None of this code has been in a formal OpenSSH release just yet, but hopefully it will soon *** PCBSD tries out LibreSSL (https://github.com/pcbsd/pcbsd/commit/6ede13117dcee1272d7a7060b16818506874286e) PCBSD users may soon be seeing a lot less security problems because of two recent changes After switching over to OpenNTPD last week (http://www.bsdnow.tv/episodes/2015_02_11-time_for_a_change), PCBSD decides to give the portable LibreSSL (http://www.bsdnow.tv/episodes/2014_07_30-liberating_ssl) a try too Note that this is only for the packages built from ports, not the base system unfortunately They're not the first ones to do this - OPNsense has been experimenting with replacing OpenSSL in their ports tree for a little while now, and of course all of OpenBSD's ports are built against it A good number of patches (https://github.com/pcbsd/freebsd-ports/commit/2eee669f4d6ab9a641162ecda29b62ab921438eb) are still not committed in vanilla FreeBSD ports, so they had to borrow some from Bugzilla Look forward to Kris wearing a "keep calm and abandon OpenSSL (https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=item&dept_id=01&sub_dept_id=01&product_id=TSHIRTOSSL)" shirt in the near future *** Feedback/Questions Benjamin writes in (http://slexy.org/view/s28nyJ5omV) Mike writes in (http://slexy.org/view/s2wYUmUmh0) Brad writes in (http://slexy.org/view/s2BAKAQvMt) *** Mailing List Gold Debian (https://lists.freebsd.org/pipermail/svn-src-head/2015-February/068405.html) Dejavu (https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054580.html) Package gone missing (http://lists.dragonflybsd.org/pipermail/users/2015-February/207475.html) ***
76: Time for a Change
This week, we'll be talking to Henning Brauer about OpenNTPD and its recently revived portable version. After that, we'll be discussing different ways to securely tunnel your traffic: specifically OpenVPN, IPSEC, SSH and Tor. All that and the latest news, coming up on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Strange timer bug in FreeBSD 11 (https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054295.html) Peter Wemm (http://www.bsdnow.tv/episodes/2014_09_24-beastly_infrastructure) wrote in to the FreeBSD -CURRENT mailing list with an interesting observation Running the latest development code in the infrastructure, the clock would stop keeping time after 24 days of uptime This meant things like cron and sleep would break, TCP/IP wouldn't time out or resend packets, a lot of things would break A workaround until it was fixed was to reboot every 24 days, but this is BSD we're talking about - uptime is our game An initial proposal was adding a CFLAG to the build options which makes makes signed arithmetic wrap Peter disagreed and gave some background (https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054320.html), offering a different patch to fix (https://lists.freebsd.org/pipermail/svn-src-head/2015-February/067827.html) the issue and detect it early (https://lists.freebsd.org/pipermail/svn-src-head/2015-February/067828.html) if it happens again Ultimately, the problem was traced back to an issue with a recent clang import It only affected -CURRENT, not -RELEASE or -STABLE, but was definitely a bizarre bug to track down *** An OpenBSD mail server (http://technoquarter.blogspot.com/p/series.html) There's been a recent influx of blog posts about building a BSD mail server for some reason In this fancy series of posts, the author sets up OpenSMTPD in its native OpenBSD home, whereas previous posts have been aimed at FreeBSD and Linux In addition to the usual steps, this one also covers DKIMproxy, ClamAV for scanning attachments, Dovecot for IMAP and also multiple choices of spam filtering: spamd or SpamAssassin It also shows you how to set up Roundcube for building a web interface, using the new in-base httpd That means this is more of a "complete solution" - right down to what the end users see The series is split up into categories so it's very easy to follow along step-by-step *** How DragonFlyBSD uses git (http://lists.dragonflybsd.org/pipermail/users/2015-January/207421.html) DragonFlyBSD, along with PCBSD and EdgeBSD, uses git as its version control system for the system source code In a series (http://lists.dragonflybsd.org/pipermail/users/2015-January/207422.html) of posts (http://lists.dragonflybsd.org/pipermail/users/2015-January/207424.html), Matthew Dillon (the project lead) details their internal setup They're using vanilla git over ssh, with the developers' accounts set to git-only (no shell access) The maintainers of the server are the only ones with shell access available He also details how a cron job syncs from the master to a public box that anyone can check out code from It would be interesting to hear about how other BSD projects manage their master source repository *** Why not try PCBSD? (http://www.itwire.com/business-it-news/open-source/66900-fed-up-with-systemd-and-linux?-why-not-try-pc-bsd) ITwire, another more mainstream tech site, published a recent article about switching to PCBSD They interview a guy named Kris that we've never heard of before In the article, they touch on how easy it can potentially be for Linux users looking to switch over to the BSD side - lots of applications are exactly the same "With the growing adoption of systemd, dissatisfaction with Linux has reached proportions not seen in recent years, to the extent that people have started talking of switching to FreeBSD." If you have some friends who complain to you about systemd all the time, this might be a good article to show them *** Interview - Henning Brauer - henning@openbsd.org (mailto:henning@openbsd.org) / @henningbrauer (https://twitter.com/henningbrauer) OpenNTPD (http://openntpd.org/) and its portable variant News Roundup Authenticated time in OpenNTPD (https://www.marc.info/?l=openbsd-tech&m=142356166731390&w=2) We recorded that interview with Henning just a few days ago, and it looks like part of it may be outdated already While at the hackathon, some developers came up with an alternate way (https://www.marc.info/?l=openbsd-cvs&m=142355043928397&w=2) to get authenticated NTP responses You can now add an HTTPS URL to your ntpd.conf in addition to the time server pool OpenNTPD will query it (over TLS, with CA verification) and look at the date sent in the HTTPS header It's not intended to be a direct time source, just a constraint to keep things within reason If you receive regular NTP packets that are way off from the TLS packet, those will be discarded and the server(s) marked as invalid Henning (https://www.marc.info/?l=openbsd-tech&m=142363215730069&w=2) and Theo (https://www.marc.info/?l=openbsd-tech&m=142363400330522&w=2) also weigh in to give some of the backstory on the idea Lots more detail can be found in Reyk's email explaining the new feature (and it's optional of course) *** NetBSD at Open Source Conference 2015 Oita and Hamanako (https://mail-index.netbsd.org/netbsd-advocacy/2015/02/08/msg000678.html) It's been a while since we've featured one of these trip reports, but the Japanese NetBSD users group is still doing them This time the conferences were in Oita and Hamanako (https://mail-index.netbsd.org/netbsd-advocacy/2015/02/11/msg000679.html), Japan Machines running NetBSD included the CubieBoard2 Allwinner A20, Raspberry Pi and Banana Pi, Sharp NetWalker and a couple Zaurus devices As always, they took lots of pictures from the event of NetBSD on all these weird machines *** Poudriere in a jail (http://www.tobeannounced.org/2015/02/poudriere-in-a-jail/) A common question we get about our poudriere tutorial (http://www.bsdnow.tv/tutorials/poudriere) is "how do I run it in a jail?" - this blog post is about exactly that It takes you through the networking setup, zpool setup, nginx setup, making the jail and finally poking the right holes in the jail to allow poudriere to work its magic *** Bruteblock, another way to stop bruteforce (http://easyos.net/articles/bsd/freebsd/bruteblock_protection_against_bruteforce_attacks_in_ssh) We've mentioned a few different ways to stop ssh bruteforce attempts in the past: fail2ban, denyhosts, or even just with pf's built-in rate limiting Bruteblock is a similar tool, but it's not just for ssh logins - it can do a number of other services It can also work directly with IPFW, which is a plus if you're using that as your firewall Add a few lines to your syslog.conf and bruteblock will get executed automatically The rest of the article takes you through the different settings you can configure for blocking *** New iwm(4) driver and cross-polination (https://www.marc.info/?l=openbsd-cvs&m=142325218626853&w=2) The OpenBSD guys recently imported a new "iwm" driver for newer Intel 7260 wireless cards (commonly found in Thinkpads) NetBSD wasted no time in porting it over (https://mail-index.netbsd.org/source-changes/2015/02/07/msg062979.html), giving a bit of interesting backstory According to Antti Kantee (http://www.bsdnow.tv/episodes/2013_10_23-a_brief_intorduction), "it was created for OpenBSD by writing and porting a NetBSD driver which was developed in a rump kernel in Linux userspace" Both projects would appreciate further testing if you have the hardware and can provide useful bug reports Maybe FreeBSD and DragonFly will port it over too, or come up with something that's partially based on the code *** PCBSD current images (http://blog.pcbsd.org/2015/02/pc-bsd-11-0-current-images-now-available/) The first PCBSD -CURRENT images should be available this weekend This image will be tagged 11.0-CURRENTFEB2015, with planned monthly updates For the more adventurous this will allow testing both FreeBSD and PCBSD bleeding edge *** Feedback/Questions Antonio writes in (http://slexy.org/view/s2E4NbJwzs) Richard writes in (http://slexy.org/view/s2FkxcSYKy) Charlie writes in (http://slexy.org/view/s217EgA1JC) Ben writes in (http://slexy.org/view/s21vlCbGDt) *** Mailing List Gold A systematic effort (https://lists.gnu.org/archive/html/emacs-devel/2015-02/msg00360.html) GCC's lunch (https://lists.gnu.org/archive/html/emacs-devel/2015-02/msg00457.html) Hopes and dreams (https://marc.info/?l=openbsd-cvs&m=142331891908776&w=2) *** Discussion Comparison of ways to securely tunnel your traffic OpenVPN (https://openvpn.net/index.php/open-source.html), OpenBSD IKED (http://www.openiked.org/), FreeBSD IPSEC (https://www.freebsd.org/doc/handbook/ipsec.html), OpenSSH (http://www.openssh.com/), Tor (https://www.torproject.org/) ***
75: From the Foundation (Part 1)
This week on the show, we'll be starting a two-part series detailing the activities of various BSD foundations. Ed Maste from the FreeBSD foundation will be joining us this time, and we'll talk about what all they've been up to lately. All this week's news and answers to viewer-submitted questions, coming up on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Key rotation in OpenSSH 6.8 (http://blog.djm.net.au/2015/02/key-rotation-in-openssh-68.html) Damien Miller (http://www.bsdnow.tv/episodes/2013_12_18-cryptocrystalline) posted a new blog entry about one of the features in the upcoming OpenSSH 6.8 Times changes, key types change, problems are found with old algorithms and we switch to new ones In OpenSSH (and the SSH protocol) however, there hasn't been an easy way to rotate host keys... until now With this change, when you connect to a server, it will log all the server's public keys in your known_hosts file, instead of just the first one used during the key exchange Keys that are in your known_hosts file but not on the server will get automatically removed This fixes the problem of old servers still authenticating with ancient DSA or small RSA keys, as well as providing a way for the server to rotate keys every so often There are some instructions in the blog post for how you'll be able to rotate host keys and eventually phase out the older ones - it's really simple There are a lot of big changes coming in OpenSSH 6.8, so we'll be sure to cover them all when it's released *** NetBSD Banana Pi images (https://mail-index.netbsd.org/port-arm/2015/01/30/msg002809.html) We've talked about the Banana Pi (http://www.bananapi.org/p/product.html) a bit before - it's a small ARM board that's comparable to the popular Raspberry Pi Some NetBSD -current images were posted on the mailing list, so now you can get some BSD action on one of these little devices There are even a set of prebuilt pkgsrc packages, so you won't have to compile everything initially The email includes some steps to get everything working and an overview of what comes with the image Also check the wiki page (https://wiki.netbsd.org/ports/evbarm/allwinner/) for some related boards and further instructions on getting set up On a related note, NetBSD also recently got GPU acceleration working (https://blog.netbsd.org/tnf/entry/raspberry_pi_gpu_acceleration_in) for the Raspberry Pi (which is a first for their ARM port) *** LibreSSL shirts and other BSD goodies (https://www.marc.info/?l=openbsd-misc&m=142255048510669&w=2) If you've been keeping up with the LibreSSL saga and want a shirt to show your support, they're finally available to buy online There are two versions, either "keep calm and use LibreSSL (https://shop.openbsdeurope.com/images/shop_openbsdeurope_com/products/large/TSHIRTLSSL.jpg)" or the slightly more snarky "keep calm and abandon OpenSSL (https://shop.openbsdeurope.com/images/shop_openbsdeurope_com/products/large/TSHIRTOSSL.jpg)" While on the topic, we thought it would be good to make people aware of shirts for other BSD projects too You can get some FreeBSD, PCBSD (https://www.freebsdmall.com/cgi-bin/fm/scan/fi=prod_bsd/se=pc-bsd) and FreeNAS stuff (https://www.freebsdmall.com/cgi-bin/fm/scan/fi=prod_bsd/se=shirts) from the FreeBSD mall site (https://www.freebsdmall.com/cgi-bin/fm/scan/fi=prod_bsd/se=tshirt) OpenBSD recently launched their new store (https://www.openbsdstore.com), but the selection is still a bit limited right now NetBSD has a couple places (https://www.netbsd.org/gallery/devotionalia.html#cafepress) where you can buy shirts and other apparel with the flag logo on it We couldn't find any DragonFlyBSD shirts unfortunately, which is a shame since their logo (http://www.dragonflybsd.org/images/small_logo.png) is pretty cool Profits from the sale of the gear go back to the projects, so pick up some swag and support your BSD of choice (and of course wear them at any Linux events you happen to go to) *** OPNsense 15.1.4 released (https://forum.opnsense.org/index.php?topic=35.0) The OPNsense guys have been hard at work since we spoke to them (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach), fixing lots of bugs and keeping everything up to date A number of versions have come out since then, with 15.1.4 being the latest (assuming they haven't updated it again by the time this airs) This version includes the latest round of FreeBSD kernel security patches, as well as minor SSL and GUI fixes They're doing a great job of getting upstream fixes pushed out to users quickly, a very welcome change A developer has also posted an interesting write-up titled "Development Workflow in OPNsense (http://lastsummer.de/development-workflow-in-opnsense/)" If any of our listeners are trying OPNsense as their gateway firewall, let us know how you like it *** Interview - Ed Maste - board@freebsdfoundation.org (mailto:board@freebsdfoundation.org) The FreeBSD foundation (https://www.freebsdfoundation.org/donate)'s activities News Roundup Rolling with OpenBSD snapshots (http://homing-on-code.blogspot.com/2015/02/rolling-with-snapshots.html) One of the cool things about the -current branch of OpenBSD is that it doesn't require any compiling There are signed binary snapshots being continuously re-rolled and posted on the FTP sites for every architecture This provides an easy method to get onboard with the latest features, and you can also easily upgrade between them without reformatting or rebuilding This blog post will walk you through the process of using snapshots to stay on the bleeding edge of OpenBSD goodness After using -current for seven weeks, the author comes to the conclusion that it's not as unstable as people might think He's now helping test out patches and new ports since he's running the same code as the developers *** Signing pkgsrc packages (https://mail-index.netbsd.org/tech-pkg/2015/02/02/msg014224.html) As of the time this show airs, the official pkgsrc (http://www.bsdnow.tv/tutorials/pkgsrc) packages aren't cryptographically signed Someone from Joyent has been working on that, since they'd like to sign their pkgsrc packages for SmartOS Using GNUPG pulled in a lot of dependencies, and they're trying to keep the bootstrapping process minimal Instead, they're using netpgpverify, a fork of NetBSD's netpgp (https://en.wikipedia.org/wiki/Netpgp) utility Maybe someday this will become the official way to sign packages in NetBSD? *** FreeBSD support model changes (https://lists.freebsd.org/pipermail/freebsd-announce/2015-February/001624.html) Starting with 11.0-RELEASE, which won't be for a few months probably, FreeBSD releases are going to have a different support model The plan is to move "from a point release-based support model to a set of releases from a branch with a guaranteed support lifetime" There will now be a five-year lifespan for each major release, regardless of how many minor point releases it gets This new model should reduce the turnaround time for errata and security patches, since there will be a lot less work involved to build and verify them Lots more detail can be found in the mailing list post, including some important changes to the -STABLE branch, so give it a read *** OpenSMTPD, Dovecot and SpamAssassin (http://guillaumevincent.com/2015/01/31/OpenSMTPD-Dovecot-SpamAssassin.html) We've been talking about setting up your own BSD-based mail server on the last couple episodes Here we have another post from a user setting up OpenSMTPD, including Dovecot for IMAP and SpamAssassin for spam filtering A lot of people regularly ask the developers (http://permalink.gmane.org/gmane.mail.opensmtpd.general/2265) how to combine OpenSMTPD with spam filtering, and this post should finally reveal the dark secrets In addition, it also covers SSL certificates, PKI and setting up MX records - some things that previous posts have lacked Just be sure to replace those "apt-get" commands and "eth0" interface names with something a bit more sane… In related news, OpenSMTPD has got some interesting new features coming soon (http://article.gmane.org/gmane.mail.opensmtpd.general/2272) They're also planning to switch to LibreSSL by default (https://github.com/OpenSMTPD/OpenSMTPD/issues/534) for the portable version *** FreeBSD 10 on the Thinkpad T400 (http://lastsummer.de/freebsd-desktop-on-the-t400/) BSD laptop articles are becoming popular it seems - this one is about FreeBSD on a T400 Like most of the ones we've mentioned before, it shows you how to get a BSD desktop set up with all the little tweaks you might not think to do This one differs in that it takes a more minimal approach to graphics: instead of a full-featured environment like XFCE or KDE, it uses the i3 tiling window manager If you're a commandline junkie that basically just uses X11 to run more than one terminal at once, this might be an ideal setup for you The post also includes some bits about the DRM and KMS in the 10.x branch, as well as vt *** PC-BSD 10.1.1 Released (http://blog.pcbsd.org/2015/02/1810/) Automatic background updater now in Shiny new Qt5 utils OVA files for VM’s Full disk encryption with GELI v7 *** Feedback/Questions Camio writes in (http://slexy.org/view/s2MsjllAyU) Sha'ul writes in (http://slexy.org/view/s20eYELsAg) John writes in (http://slexy.org/view/s20Y2GN1az) Sean writes in (http://slexy.org/view/s20ARVQ1T6) (TJ's lengthy reply (http://slexy.org/view/s212XezEYt)) Christopher writes in (http://slexy.org/view/s2DRgEv4j8) *** Mailing List Gold Special Instructions (https://lists.freebsd.org/pipermail/freebsd-questions/2015-February/264010.html) Pretending to be a VT220 (https://mail-index.netbsd.org/netbsd-users/2015/01/19/msg015669.html) ***
74: That Sly MINIX
Coming up this week, we've got something a little bit different for you. We'll be talking with Andrew Tanenbaum, the creator of MINIX. They've recently imported parts of NetBSD into their OS, and we'll find out how and why that came about. As always, all the latest news and answers to your emails, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines The missing EuroBSDCon videos (http://2014.eurobsdcon.org/) Some of the missing videos from EuroBSDCon 2014 we mentioned before (http://www.bsdnow.tv/episodes/2014_11_19-rump_kernels_revisited) have mysteriously appeared Jordan Hubbard (http://www.bsdnow.tv/episodes/2013_11_27-bridging_the_gap), FreeBSD, looking forward to another 10 years (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/01.Keynote%20-%20FreeBSD:%20looking%20forward%20to%20another%2010%20years%20-%20Jordan%20Hubbard.mp4) Lourival Viera Neto, NPF scripting with Lua (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/06.NFS%20scripting%20with%20Lua%20-%20Lourival%20Viera%20Neto.mp4) Kris Moore, Snapshots, replication and boot environments (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/02.Snapshots,%20replication%20and%20boot%20environments%20-%20Kris%20Moore.mp4) Andy Tanenbaum, A reimplementation of NetBSD based on a microkernel (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/07.A%20reimplementation%20of%20NetBSD%20based%20on%20a%20microkernel%20-%20Andy%20Tanenbaum.mp4) Kirk McKusick (http://www.bsdnow.tv/episodes/2013-10-02_stacks_of_cache), An introduction to FreeBSD's implementation of ZFS (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/03.An%20introduction%20to%20the%20implementation%20of%20ZFS%20-%20Kirk%20McKusick.mp4) Emannuel Dreyfus, FUSE and beyond, bridging filesystems (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/05.FUSE%20and%20beyond:%20bridging%20filesystems%20-%20Emannuel%20Dreyfus.mp4) John-Mark Gurney (http://www.bsdnow.tv/episodes/2014_10_29-ipsecond_wind), Optimizing GELI performance (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/04.Optimizing%20GELI%20performance%20-%20John-Mark%20Gurney.mp4) Unfortunately, there are still about six talks missing… and no ETA *** FreeBSD on a MacBook Pro (or two) (https://gist.github.com/mpasternacki/974e29d1e3865e940c53) We've got a couple posts about running FreeBSD on a MacBook Pro this week In the first one, the author talks a bit about trying to run Linux on his laptop for quite a while, going back and forth between it and something that Just Works™ Eventually he came full circle, and the focus on using only GUI tools got in the way, instead of making things easier He works on a lot of FreeBSD-related software, so switching to it for a desktop seems to be the obvious next step He's still not quite to that point yet, but documents his experiments with BSD as a desktop The second article (http://blog.foxkit.us/2015/01/freebsd-on-apple-macbook-pro-13-late.html) also documents an ex-Linux user switching over to BSD for their desktop It also covers (http://blog.foxkit.us/2015/01/freebsd-on-apple-macbook-pro-82-now.html) power management, bluetooth and trackpad setup On the topic of Gentoo, "Underneath the beautiful and easy-to-use Portage system lies the same glibc, the same turmoil over a switch to a less-than-ideal init system, and the same kernel-level bugs that bring my productivity down" Check out both articles if you've been considering running FreeBSD on a MacBook *** Remote logging over TLS (https://www.marc.info/?l=openbsd-tech&m=142136923124184&w=2) In most of the BSDs, syslogd has been able to remotely send logs to another server for a long time That feature can be very useful, especially for forensics purposes - it's much harder for an attacker to hide their activities if the logs aren't on the same server The problem is, of course, that it's sent in cleartext (https://en.wikipedia.org/wiki/Syslog#Protocol), unless you tunnel it over SSH or use some kind of third party wrapper With a few recent commits (https://www.marc.info/?l=openbsd-cvs&m=142160989610410&w=2), OpenBSD's syslogd now supports sending logs over TLS natively, including X509 certificate verification By default, syslogd runs as an unprivileged user in a chroot on OpenBSD, so there were some initial concerns about certificate verification - how does that user access the CA chain outside of the chroot? That problem was also conquered (https://www.marc.info/?l=openbsd-tech&m=142188450524692&w=2), by loading the CA chain directly from memory (https://www.marc.info/?l=openbsd-cvs&m=142191799331938&w=2), so the entire process can be run in the chroot (https://www.marc.info/?l=openbsd-cvs&m=142191819131993&w=2) without issue Some of the privsep verifcation code even made its way into (https://www.marc.info/?l=openbsd-cvs&m=142191878632141&w=2) LibreSSL right afterwards If you haven't set up remote logging before, now might be an interesting time to try it out *** FreeBSD, not a Linux distro (https://www.youtube.com/watch?v=wwbO4eTieQY) George Neville-Neil gave a presentation recently, titled "FreeBSD: not a Linux distro" It's meant to be an introduction to new users that might've heard about FreeBSD, but aren't familiar with any BSD history He goes through some of that history, and talks about what FreeBSD is and why you might want to use it over other options There's even an interesting "thirty years in three minutes" segment It's not just a history lesson though, he talks about some of the current features and even some new things coming in the next version(s) We also learn about filesystems, jails, capsicum, clang, dtrace and the various big companies using FreeBSD in their products This might be a good video to show your friends or potential employer if you're looking to introduce FreeBSD to them *** Long-term support considered harmful (http://www.tedunangst.com/flak/post/long-term-support-considered-harmful) There was recently a pretty horrible bug (https://www.marc.info/?l=bugtraq&m=142237866420639&w=2) in GNU's libc (BSDs aren't affected, don't worry) Aside from the severity of the actual problem, the fix was delayed (https://code.google.com/p/chromium/issues/detail?id=364511) for quite a long time, leaving people vulnerable Ted Unangst writes a post about how this idea of long-term support (https://plus.google.com/u/0/+ArtoPekkanen/posts/88jk5ggXYts?cfem=1) could actually be harmful in the long run, and compares it to how OpenBSD does things OpenBSD releases a new version every six months, and only the two most recent releases get support and security fixes He describes this as both a good thing and a bad thing: all the bugs in the ecosystem get flushed out within a year, but it forces people to stay (relatively) up-to-date "Upgrades only get harder and more painful (and more fragile) the longer one goes between them. More changes, more damage. Frequent upgrades amortize the cost and ensure that regressions are caught early." There was also some (https://lobste.rs/s/a4iijx/long_term_support_considered_harmful) discussion (https://news.ycombinator.com/item?id=8954737) about the article you can check out *** Interview - Andrew Tanenbaum - info@minix3.org (mailto:info@minix3.org) / @minix3 (https://twitter.com/minix3) MINIX's integration of NetBSD News Roundup Using AFL on OpenBSD (http://www.undeadly.org/cgi?action=article&sid=20150121093259) We've talked about American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/) a bit on a previous episode, and how some OpenBSD devs are using it (https://www.marc.info/?l=openbsd-cvs&w=2&r=1&s=afl&q=b) to catch and fix new bugs Undeadly has a cool guide on how you can get started with fuzzing It's a little on the advanced side, but if you're interested in programming or diagnosing crashes, it'll be a really interesting article to read Lots of recent CVEs in other open source projects are attributed to fuzzing - it's a great way to stress test your software *** Lumina 0.8.1 released (http://blog.pcbsd.org/2015/01/lumina-desktop-0-8-1-released/) A new version of Lumina, the BSD-licensed desktop environment from PCBSD, has been released This update includes some new plugins, lots of bugfixes and even "quality-of-life improvements" There's a new audio player desktop plugin, a button to easily minimize all windows at once and some cool new customization options You can get it in PCBSD's edge repo or install it through regular ports (on FreeBSD, OpenBSD or DragonFly!) If you haven't seen our episode about Lumina, where we interview the developer and show you a tour of its features, gotta go watch it (http://www.bsdnow.tv/episodes/2014_09_10-luminary_environment) *** My first OpenBSD port (http://homing-on-code.blogspot.com/2015/01/my-first-openbsd-port.html) The author of the "Code Rot & Why I Chose OpenBSD" article has a new post up, this time about ports He recently made his first port and got it into the tree, so he talks about the whole process from start to finish After learning some of the basics and becoming comfortable running -current, he noticed there wasn't a port for the "Otter" web browser At that point he did what you're supposed to do in that situation, and started working on it himself OpenBSD has a great porter's handbook (http://www.openbsd.org/faq/ports/) that he referenced throughout the process Long story short, his browser of choice is in the official ports collection and now he's the maintainer (and gets to deal with any bug reports, of course) If some software you use isn't available for whatever BSD you're using, you could be the one to make it happen *** How to slide with DragonFly (http://www.dragonflybsd.org/docs/docs/howtos/howtoslide/) DragonFly BSD has a new HAMMER FS utility called "Slider" It's used to easily browse through file history and undelete files - imagine something like a commandline version of Apple's Time Machine They have a pretty comprehensive guide on how to use it on their wiki page If you're using HAMMER FS, this is a really handy tool to have, check it out *** OpenSMTPD with Dovecot and Salt (https://blog.al-shami.net/2015/01/howto-small-mail-server-with-salt-dovecot-and-opensmtpd/) We recently had a feedback question about which mail servers you can use on BSD - Postfix, Exim and OpenSMTPD being the big three This blog post details how to set up OpenSMTPD, including Dovecot for IMAP and Salt for quick and easy deployment Intrigued by it becoming the default MTA in OpenBSD, the author decided to give it a try after being a long-time Postfix fan "Small, fast, stable, and very easy to customize, no more ugly m4 macros to deal with" Check it out if you've been thinking about configuring your first mail server on any of the BSDs *** Feedback/Questions Christopher writes in (http://slexy.org/view/s20q2fSfEO) (handbook section (https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html#jails-ezjail-update-os)) Mark writes in (http://slexy.org/view/s2zGvAczeN) Kevin writes in (http://slexy.org/view/s21Dn2Tey8) Stefano writes in (http://slexy.org/view/s215nxxrtF) Matthew writes in (http://slexy.org/view/s20cwezc9l) *** Mailing List Gold Not that interested actually (https://www.marc.info/?l=openbsd-misc&m=142194821910087&w=2) This guy again (https://lists.freebsd.org/pipermail/freebsd-jail/2015-January/002742.html) Yep, this is the place (https://lists.freebsd.org/pipermail/freebsd-doc/2015-January/024888.html) ***
73: Pipe Dreams
This week on the show we'll be chatting with David Maxwell, a former NetBSD security officer. He's got an interesting project called Pipecut that takes a whole new approach to the commandline. We've also got answers to viewer-submitted questions and all this week's headlines, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines FreeBSD quarterly status report (https://www.freebsd.org/news/status/report-2014-10-2014-12.html) The FreeBSD team has posted an updated on some of their activities between October and December of 2014 They put a big focus on compatibility with other systems: the Linux emulation layer, bhyve (http://www.bsdnow.tv/tutorials/bhyve), WINE and Xen all got some nice improvements As always, the report has lots of updates from the various teams working on different parts of the OS and ports infrastructure The release engineering team got 10.1 out the door, the ports team shuffled a few members in and out and continued working on closing more PRs FreeBSD's forums underwent a huge change, and discussion about the new support model for release cycles continues (hopefully taking effect after 11.0 is released) Git was promoted from beta to an officially-supported version control system (Kris is happy) The core team is also assembling a new QA team to ensure better code quality in critical areas, such as security and release engineering, after getting a number of complaints Other notable entries include: lots of bhyve fixes, Clang/LLVM being updated to 3.5.0, ongoing work to the external toolchain, adding FreeBSD support to more "cloud" services, pkgng updates, work on SecureBoot, more ARM support and graphics stack improvements Check out the full report for all the details that we didn't cover *** OpenBSD package signature audit (http://linux-audit.com/vulnerabilities-and-digital-signatures-for-openbsd-software-packages/) "Linux Audit" is a website focused on auditing and hardening systems, as well as educating people about securing their boxes They recently did an article about OpenBSD, specifically their ports and package system (http://www.bsdnow.tv/tutorials/ports-obsd) and signing infrastructure The author gives a little background on the difference between ports and binary packages, then goes through the technical details of how releases and packages are cryptographically signed Package signature formats and public key distribution methods are also touched on After some heckling, the author of the post said he plans to write more BSD security articles, so look forward to them in the future If you haven't seen our episode about signify (http://www.bsdnow.tv/episodes/2014_02_05-time_signatures) with Ted Unangst, that would be a great one to check out after reading this *** Replacing a Linux router with BSD (http://ask.slashdot.org/story/15/01/15/1547209/ask-slashdot-migrating-a-router-from-linux-to-bsd) There was recently a Slashdot discussion about migrating a Linux-based router to a BSD-based one The poster begins with "I'm in the camp that doesn't trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I'd run Windows NT, not Linux. So I've decided to migrate my homebrew router/firewall/samba server to one of the BSDs." A lot of people were quick to recommend OPNsense (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach) and pfSense, being that they're very easy to administer (requiring basically no BSD knowledge at all) Other commenters suggested a more hands-on approach, setting one up yourself with FreeBSD (http://blog.pcbsd.org/2015/01/using-trueos-as-a-ipfw-based-home-router/) or OpenBSD (http://www.bsdnow.tv/tutorials/openbsd-router) If you've been thinking about moving some routers over from Linux or other commercial solution, this might be a good discussion to read through Unfortunately, a lot of the comments are just Linux users bickering about systemd, so you'll have to wade through some of that to get to the good information *** LibreSSL in FreeBSD and OPNsense (http://bsdxbsdx.blogspot.com/2015/01/switching-to-openssl-from-ports-in.html) A FreeBSD sysadmin has started documenting his experience replacing OpenSSL in the base system with the one from ports (and also experimenting with LibreSSL) The reasoning being that updates in base tend to lag behind (http://www.openbsd.org/papers/eurobsdcon2014-libressl.html), whereas the port can be updated for security very quickly OPNsense developers are looking into (https://twitter.com/fitchitis/status/555625679614521345) switching away (http://forum.opnsense.org/index.php?topic=21.0) from OpenSSL to LibreSSL's portable version (http://www.bsdnow.tv/episodes/2014_07_30-liberating_ssl), for both their ports and base system, which would be a pretty huge differentiator for their project Some ports still need fixing (https://bugs.freebsd.org/bugzilla/buglist.cgi?order=Importance&query_format=advanced&short_desc=libressl&short_desc_type=allwordssubstr) to be compatible though, particularly a few (https://github.com/opnsense/ports/commit/c15af648e9d5fcecf0ae666292e8f41c08979057) python-related (https://github.com/pyca/cryptography/issues/928) ones If you're a FreeBSD ports person, get involved and help squash some of the last remaining bugs A lot of the work has already been done in OpenBSD's ports tree (http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/) - some patches just need to be adopted More and more upstream projects are incorporating LibreSSL patches in their code - let your favorite software vendor know that you're using it *** Interview - David Maxwell - david@netbsd.org (mailto:david@netbsd.org) / @davidwmaxwell (https://twitter.com/david_w_maxwell) Pipecut (https://www.youtube.com/watch?v=CZHEZHK4jRc), text processing, commandline wizardry News Roundup Jetpack, a new jail container system (https://github.com/3ofcoins/jetpack) A new project was launched to adapt FreeBSD jails to the "app container specification" While still pretty experimental in terms of the development phase, this might be something to show your Linux friends who are in love with docker It's a similar project to iocage (https://github.com/pannon/iocage) or bsdploy (https://github.com/ployground/bsdploy), which we haven't talked a whole lot about There was also some discussion (https://news.ycombinator.com/item?id=8893630) about it on Hacker News *** Separating base and package binaries (https://www.reddit.com/r/BSD/comments/2szofc) All of the main BSDs make a strong separation between the base system and third party software This is in contrast to Linux where there's no real concept of a "base system" - more recently, some distros have even merged all the binaries into a single directory A user asks the community about the BSD way of doing it, trying to find out the advantages and disadvantages of both hierarchies Read the comments for the full explanation, but having things separated really helps keep things organized *** Updated i915kms driver for FreeBSD (https://svnweb.freebsd.org/base?view=revision&revision=277487) This update brings the FreeBSD code closer inline with the Linux code, to make it easier to update going forward It doesn't introduce Haswell support just yet, but was required before the Haswell bits can be added *** Year of the OpenBSD desktop (http://zacbrown.org/2015/01/18/openbsd-as-a-desktop/) Here we have an article about using OpenBSD as a daily driver for regular desktop usage The author says he "ran fifty thousand different distributions, never being satisfied" After dealing with the problems of Linux and fragmentation, he eventually gave up and bought a Macbook He also used FreeBSD between versions 7 and 9, finding a "a mostly harmonious environment," but regressions lead him to give up on desktop *nix once again Starting with 2015, he's back and is using OpenBSD on a Thinkpad x201 The rest of the article covers some of his configuration tweaks and gives an overall conclusion on his current setup He apparently used our desktop tutorial (http://www.bsdnow.tv/tutorials/the-desktop-obsd) - thanks for watching! *** Unattended FreeBSD installation (http://louwrentius.com/freebsd-101-unattended-install-over-pxe-http-no-nfs.html) A new BSD user was looking to get some more experience, so he documented how to install FreeBSD over PXE His goal was to have a setup similar to Redhat's "kickstart" or OpenBSD's autoinstall (http://www.bsdnow.tv/tutorials/autoinstall) The article shows you how to set up DHCP and TFTP, with no NFS share setup required He also gives a mention to mfsbsd, showing how you can customize its startup script to do most of the work for you *** Feedback/Questions Robert writes in (http://slexy.org/view/s20UsZjN4h) Sean writes in (http://slexy.org/view/s219cMQz3U) l33tname writes in (http://slexy.org/view/s2EkzMUMyb) Charlie writes in (http://slexy.org/view/s2nq6L6H1n) Eric writes in (http://slexy.org/view/s21EGqUYLd) *** Mailing List Gold Clowning around (https://www.marc.info/?l=openbsd-cvs&m=142159202606668&w=2) Better than succeeding in this case (https://lists.freebsd.org/pipermail/freebsd-ports/2015-January/097734.html) ***
72: Common *Sense Approach
This week on the show, we'll be talking to Jos Schellevis about OPNsense, a new firewall project that was forked from pfSense. We'll learn some of the backstory and see what they've got planned for the future. We've also got all this week's news and answers to all your emails, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Be your own VPN provider with OpenBSD (http://networkfilter.blogspot.com/2015/01/be-your-own-vpn-provider-with-openbsd.html) We've covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past - but what if you don't trust any VPN company? It's easy for anyone to say "of course we don't run a modified version of OpenVPN that logs all your traffic... what are you talking about?" The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk With this guide, you'll be able to cut out the middleman and create your own VPN, using OpenBSD It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN *** FreeBSD vs Gentoo comparison (http://www.iwillfolo.com/2015/01/comparison-gentoo-vs-freebsd-tweak-tweak-little-star/) People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things If you're a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more *** Kernel W^X in OpenBSD (https://www.marc.info/?l=openbsd-tech&m=142120787308107&w=2) W^X, "Write XOR Execute (https://en.wikipedia.org/wiki/W%5EX)," is a security feature of OpenBSD with a rather strange-looking name It's meant to be an exploit mitigation technique, disallowing pages in the address space of a process to be both writable and executable at the same time This helps prevent some types of buffer overflows: code injected into it won't execute, but will crash the program (quite obviously the lesser of the two evils) Through some recent work, OpenBSD's kernel now has no part of the address space without this feature - whereas it was only enabled in the userland previously (http://www.openbsd.org/papers/ru13-deraadt/) Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that's been in the works for a while More technical details can be found in some recent CVS commits (https://www.marc.info/?l=openbsd-cvs&m=141917924602780&w=2) *** Building an IPFW-based router (http://blog.pcbsd.org/2015/01/using-trueos-as-a-ipfw-based-home-router/) We've covered building routers with PF (http://www.bsdnow.tv/tutorials/openbsd-router) many times before, but what about IPFW (https://www.freebsd.org/doc/handbook/firewalls-ipfw.html)? A certain host of a certain podcast decided it was finally time to replace his disappointing (https://github.com/jduck/asus-cmd) consumer router with something BSD-based In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit If you're an IPFW fan and are thinking about putting together a new router, give this post a read *** Interview - Jos Schellevis - project@opnsense.org (mailto:project@opnsense.org) / @opnsense (https://twitter.com/opnsense) The birth of OPNsense (http://opnsense.org) News Roundup On profiling HTTP (http://adrianchadd.blogspot.com/2015/01/on-profiling-http-or-god-damnit-people.html) Adrian Chadd, who we've had on the show before (http://www.bsdnow.tv/episodes/2014_09_17-the_promised_wlan), has been doing some more ultra-high performance testing Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools According to him, it's "not very pretty" He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process You can check out his new code on Github (https://github.com/erikarn/libevhtp-http/) right now *** Using divert(4) to reduce attacks (http://daemonforums.org/showthread.php?s=db0dd79ca26eb645eadd2d8abd267cae&t=8846) We talked about using divert(4) (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/divert.4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series) It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you're running PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that won't work The Composite Blocking List is a public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious Consider setting this up to reduce the attack spam in your logs if you run public services *** ChaCha20 patchset for GELI (https://lists.freebsd.org/pipermail/freebsd-hackers/2015-January/046814.html) A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption (http://www.bsdnow.tv/tutorials/fde) system There are also some benchmarks that look pretty good in terms of performance Currently, GELI defaults to AES in XTS mode (https://en.wikipedia.org/wiki/Disk_encryption_theory#XEX-based_tweaked-codebook_mode_with_ciphertext_stealing_.28XTS.29) with a few tweakable options (but also supports Blowfish, Camellia and Triple DES) There's some discussion (https://lists.freebsd.org/pipermail/freebsd-hackers/2015-January/046824.html) going on about whether a stream cipher (https://en.wikipedia.org/wiki/Stream_cipher) is suitable or not (https://lists.freebsd.org/pipermail/freebsd-hackers/2015-January/046834.html) for disk encryption though, so this might not be a match made in heaven just yet *** PCBSD update system enhancements (http://blog.pcbsd.org/2015/01/new-update-gui-for-pc-bsd-automatic-updates/) The PCBSD update utility has gotten an update itself, now supporting automatic upgrades You can choose what parts of your system you want to let it automatically handle (packages, security updates) The update system uses ZFS and Boot Environments for safe updating and bypasses some dubious pkgng functionality There's also a new graphical frontend available for it *** Feedback/Questions Mat writes in (http://slexy.org/view/s2XJhAsffU) Chris writes in (http://slexy.org/view/s20qnSHujZ) Andy writes in (http://slexy.org/view/s21O0MShqi) Beau writes in (http://slexy.org/view/s2LutVQOXN) Kutay writes in (http://slexy.org/view/s21Esexdrc) *** Mailing List Gold Wait, a real one? (https://www.mail-archive.com/advocacy@openbsd.org/msg02249.html) What's that glowing... (https://www.marc.info/?l=openbsd-misc&m=142125454022458&w=2) ***
71: System Disaster
This time on the show, we'll be talking to Ian Sutton about his new BSD compatibility wrappers for various systemd dependencies. Don't worry, systemd is not being ported to BSD! We're still safe! We've also got all the week's news and answers to your emails, coming up on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Introducing OPNsense, a pfSense fork (http://opnsense.org/) OPNsense is a new BSD-based firewall project that was recently started (http://www.prnewswire.com/news-releases/deciso-launches-opnsense-a-new-open-source-firewall-initiative-287334371.html), forked from the pfSense codebase Even though it's just been announced, they already have a formal release based on FreeBSD 10 (pfSense's latest stable release is based on 8.3) The core team (http://opnsense.org/about/about-opnsense/#opnsense-core-team) includes a well-known DragonFlyBSD developer You can check out their code on Github (https://github.com/opnsense) now, or download an image and try it out - let us know (mailto:feedback@bsdnow.tv) if you do and what you think about it They also have a nice wiki and some instructions on getting started (http://wiki.opnsense.org/index.php/Manual:Installation_and_Initial_Configuration) for new users We plan on having them on the show next week to learn a bit more about how the project got started and why you might want to use it - stay tuned *** Code rot and why I chose OpenBSD (http://homing-on-code.blogspot.com/2015/01/code-rot-openbsd.html) Here we have a blog post about rotting codebases - a core banking system in this example The author tells the story of how his last days spent at the job were mostly removing old, dead code from a giant project He goes on to compare it to OpenSSL and the hearbleed disaster, from which LibreSSL was born Instead of just bikeshedding like the rest of the internet, OpenBSD "silently started putting the beast into shape" as he puts it The article continues on to mention OpenBSD's code review process, and how it catches any bugs so we don't have more heartbleeds "In OpenBSD you are encouraged to run current and the whole team tries its best to make current as stable as it can. You know why? They eat their own dog food. That's so simple yet so amazing that it blows my mind. Developers actually run OpenBSD on their machines daily." It's a very long and detailed story about how the author has gotten more involved with BSD, learned from the mailing lists and even started contributing back - he says "In summary, I'm learning more than ever - computing is fun again" Look for the phrase "Getting Started" in the blog post for a nice little gem *** ZFS vs HAMMER FS (https://forums.freebsd.org/threads/zfs-vs-hammer.49789/) One of the topics we've seen come up from time to time is how FreeBSD's ZFS (http://www.bsdnow.tv/tutorials/zfs) and DragonFly's HAMMER FS (http://www.bsdnow.tv/tutorials/hammer) compare to each other They both have a lot of features that traditional filesystems lack A forum thread was opened for discussion about them both and what they're typically used for It compares resource requirements, ideal hardware and pros/cons of each Hopefully someone will do another new comparison when HAMMER 2 is finished This is not to be confused with the other "hammer" filesystem (https://www.youtube.com/watch?v=HBXlVl5Ll6k) *** Portable OpenNTPD revived (https://www.mail-archive.com/tech@openbsd.org/msg21886.html) With ISC's NTPd having so many security vulnerabilities recently, people need an alternative NTP daemon (http://www.bsdnow.tv/tutorials/ntpd) OpenBSD has developed OpenNTPD (http://openntpd.org/) since 2004, but the portable version for other operating systems hasn't been actively maintained in a few years The older version still works fine, and is in FreeBSD ports and NetBSD pkgsrc, but it would be nice to have some of the newer features and fixes from the native version Brent Cook, who we've had on the show before (http://www.bsdnow.tv/episodes/2014_07_30-liberating_ssl) to talk about LibreSSL, decided it was time to fix this While looking through the code, he also found some fixes (http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/?sortby=date#dirlist) for the native version as well You can grab it from Github (https://github.com/openntpd-portable/openntpd-portable) now, or just wait for the updated release (https://lists.freebsd.org/pipermail/freebsd-ports/2015-January/097400.html) to hit the repos of your OS of choice *** Interview - Ian Sutton - ian@kremlin.cc (mailto:ian@kremlin.cc) BSD replacements (https://uglyman.kremlin.cc/gitweb/gitweb.cgi?p=systembsd.git;a=summary) for systemd dependencies (http://undeadly.org/cgi?action=article&sid=20140915064856) News Roundup pkgng adds OS X support (https://github.com/freebsd/pkg/pull/1113) FreeBSD's next-gen package manager (http://www.bsdnow.tv/tutorials/pkgng) has just added support for Mac OS X Why would you want that? Well.. we don't really know, but it's cool The author of the patch may have some insight (https://github.com/freebsd/pkg/pull/1113#issuecomment-68063964) about what his goal is though This could open up the door for a cross-platform pkgng solution, similar to NetBSD's pkgsrc There's also the possibility of pkgng being used as a packaging format for MacPorts in the future While we're on the topic of pkgng, you can also watch bapt (http://www.bsdnow.tv/episodes/2014_01_01-eclipsing_binaries)'s latest presentation about it from ruBSD 2014 - "four years of pkg (http://is.gd/4AvUwt)" *** Secure secure shell (https://stribika.github.io/2015/01/04/secure-secure-shell.html) Almost everyone watching BSD Now probably uses OpenSSH (http://www.bsdnow.tv/tutorials/ssh-tmux) and has set up a server at one point or another This guide provides a list of best practices beyond the typical "disable root login and use keys" advice you'll often hear It specifically goes in-depth with server and client configuration with the best key types, KEX methods and encryption ciphers to use There are also good explanations for all the choices, based both on history and probability Minimal backwards compatibility is kept, but most of the old and insecure stuff gets disabled We've also got a handy chart (http://ssh-comparison.quendi.de/comparison.html) to show which SSH implementations support which ciphers, in case you need to support Windows users or people who use weird clients *** Dissecting OpenBSD's divert(4) (http://lteo.net/blog/2015/01/06/dissecting-openbsds-divert-4-part-1-introduction/) PF has a cool feature that not a lot of people seem to know about: divert It lets you send packets to userspace, allowing you to inspect them a lot easier This blog post, the first in a series, details all the cool things you can do with divert and how to use it A very common example is with intrusion detection systems like Snort *** Screen recording on FreeBSD (https://www.banym.de/freebsd/create-a-screen-recording-on-freebsd-with-kdenlive-and-external-usb-mic) This is a neat article about a topic we don't cover very often: making video content on BSD In the post, you'll learn how to make screencasts with FreeBSD, using kdenlive and ffmpeg There are also notes about getting a USB microphone working, so you can do commentary on whatever you're showing It also includes lots of details and helpful screenshots throughout the process You should make cool screencasts and send them to us *** Feedback/Questions Camio writes in (http://slexy.org/view/s21Zx0ktmb) ezpzy writes in (http://slexy.org/view/s2vVR5Orhh) Emett writes in (http://slexy.org/view/s21Ahb5Lxa) Ben writes in (http://slexy.org/view/s20oJmveN6) Laszlo writes in (http://slexy.org/view/s2cTayMxPk) *** Mailing List Gold Protocol X97 (https://lists.freebsd.org/pipermail/freebsd-questions/2015-January/263441.html) My thoughts echoed (https://www.marc.info/?l=openbsd-tech&m=141159429123859&w=2) Vulnerability sample (http://www.openwall.com/lists/oss-security/2015/01/04/10) ***