
Created by three guys who love BSD, we cover the latest news and have an extensive series of tutorials, as well as interviews with various people from all areas of the BSD community. It also serves as a platform for support and questions. We love and advocate FreeBSD, OpenBSD, NetBSD, DragonFlyBSD and TrueOS. Our show aims to be helpful and informative for new users that want to learn about them, but still be entertaining for the people who are already pros. The show airs on Wednesdays at 2:00PM (US Eastern time) and the edited version is usually up the following day.
75: From the Foundation (Part 1)
This week on the show, we'll be starting a two-part series detailing the activities of various BSD foundations. Ed Maste from the FreeBSD foundation will be joining us this time, and we'll talk about what all they've been up to lately. All this week's news and answers to viewer-submitted questions, coming up on BSD Now - the place to B.. SD.

Headlines

Key rotation in OpenSSH 6.8 (http://blog.djm.net.au/2015/02/key-rotation-in-openssh-68.html)
- Damien Miller (http://www.bsdnow.tv/episodes/2013_12_18-cryptocrystalline) posted a new blog entry about one of the features in the upcoming OpenSSH 6.8
- Times change, key types change, problems are found with old algorithms and we switch to new ones
- In OpenSSH (and the SSH protocol) however, there hasn't been an easy way to rotate host keys... until now
- With this change, when you connect to a server, it will log all the server's public keys in your known_hosts file, instead of just the first one used during the key exchange
- Keys that are in your known_hosts file but not on the server will get automatically removed
- This fixes the problem of old servers still authenticating with ancient DSA or small RSA keys, as well as providing a way for the server to rotate keys every so often
- There are some instructions in the blog post for how you'll be able to rotate host keys and eventually phase out the older ones - it's really simple
- There are a lot of big changes coming in OpenSSH 6.8, so we'll be sure to cover them all when it's released

***

NetBSD Banana Pi images (https://mail-index.netbsd.org/port-arm/2015/01/30/msg002809.html)
- We've talked about the Banana Pi (http://www.bananapi.org/p/product.html) a bit before - it's a small ARM board that's comparable to the popular Raspberry Pi
- Some NetBSD -current images were posted on the mailing list, so now you can get some BSD action on one of these little devices
- There is even a set of prebuilt pkgsrc packages, so you won't have to compile everything initially
- The email includes some steps to get everything working and an overview of what comes with the image
- Also check the wiki page (https://wiki.netbsd.org/ports/evbarm/allwinner/) for some related boards and further instructions on getting set up
- On a related note, NetBSD also recently got GPU acceleration working (https://blog.netbsd.org/tnf/entry/raspberry_pi_gpu_acceleration_in) for the Raspberry Pi (which is a first for their ARM port)

***

LibreSSL shirts and other BSD goodies (https://www.marc.info/?l=openbsd-misc&m=142255048510669&w=2)
- If you've been keeping up with the LibreSSL saga and want a shirt to show your support, they're finally available to buy online
- There are two versions, either "keep calm and use LibreSSL (https://shop.openbsdeurope.com/images/shop_openbsdeurope_com/products/large/TSHIRTLSSL.jpg)" or the slightly more snarky "keep calm and abandon OpenSSL (https://shop.openbsdeurope.com/images/shop_openbsdeurope_com/products/large/TSHIRTOSSL.jpg)"
- While on the topic, we thought it would be good to make people aware of shirts for other BSD projects too
- You can get some FreeBSD, PCBSD (https://www.freebsdmall.com/cgi-bin/fm/scan/fi=prod_bsd/se=pc-bsd) and FreeNAS stuff (https://www.freebsdmall.com/cgi-bin/fm/scan/fi=prod_bsd/se=shirts) from the FreeBSD mall site (https://www.freebsdmall.com/cgi-bin/fm/scan/fi=prod_bsd/se=tshirt)
- OpenBSD recently launched their new store (https://www.openbsdstore.com), but the selection is still a bit limited right now
- NetBSD has a couple places (https://www.netbsd.org/gallery/devotionalia.html#cafepress) where you can buy shirts and other apparel with the flag logo on it
- We couldn't find any DragonFlyBSD shirts unfortunately, which is a shame since their logo (http://www.dragonflybsd.org/images/small_logo.png) is pretty cool
- Profits from the sale of the gear go back to the projects, so pick up some swag and support your BSD of choice (and of course wear them at any Linux events you happen to go to)

***

OPNsense 15.1.4 released (https://forum.opnsense.org/index.php?topic=35.0)
- The OPNsense guys have been hard at work since we spoke to them (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach), fixing lots of bugs and keeping everything up to date
- A number of versions have come out since then, with 15.1.4 being the latest (assuming they haven't updated it again by the time this airs)
- This version includes the latest round of FreeBSD kernel security patches, as well as minor SSL and GUI fixes
- They're doing a great job of getting upstream fixes pushed out to users quickly, a very welcome change
- A developer has also posted an interesting write-up titled "Development Workflow in OPNsense (http://lastsummer.de/development-workflow-in-opnsense/)"
- If any of our listeners are trying OPNsense as their gateway firewall, let us know how you like it

***

Interview - Ed Maste - board@freebsdfoundation.org (mailto:board@freebsdfoundation.org)
- The FreeBSD foundation (https://www.freebsdfoundation.org/donate)'s activities

News Roundup

Rolling with OpenBSD snapshots (http://homing-on-code.blogspot.com/2015/02/rolling-with-snapshots.html)
- One of the cool things about the -current branch of OpenBSD is that it doesn't require any compiling
- There are signed binary snapshots being continuously re-rolled and posted on the FTP sites for every architecture
- This provides an easy method to get onboard with the latest features, and you can also easily upgrade between them without reformatting or rebuilding
- This blog post will walk you through the process of using snapshots to stay on the bleeding edge of OpenBSD goodness
- After using -current for seven weeks, the author comes to the conclusion that it's not as unstable as people might think
- He's now helping test out patches and new ports since he's running the same code as the developers

***

Signing pkgsrc packages (https://mail-index.netbsd.org/tech-pkg/2015/02/02/msg014224.html)
- As of the time this show airs, the official pkgsrc (http://www.bsdnow.tv/tutorials/pkgsrc) packages aren't cryptographically signed
- Someone from Joyent has been working on that, since they'd like to sign their pkgsrc packages for SmartOS
- Using GnuPG pulled in a lot of dependencies, and they're trying to keep the bootstrapping process minimal
- Instead, they're using netpgpverify, a fork of NetBSD's netpgp (https://en.wikipedia.org/wiki/Netpgp) utility
- Maybe someday this will become the official way to sign packages in NetBSD?

***

FreeBSD support model changes (https://lists.freebsd.org/pipermail/freebsd-announce/2015-February/001624.html)
- Starting with 11.0-RELEASE, which won't be for a few months probably, FreeBSD releases are going to have a different support model
- The plan is to move "from a point release-based support model to a set of releases from a branch with a guaranteed support lifetime"
- There will now be a five-year lifespan for each major release, regardless of how many minor point releases it gets
- This new model should reduce the turnaround time for errata and security patches, since there will be a lot less work involved to build and verify them
- Lots more detail can be found in the mailing list post, including some important changes to the -STABLE branch, so give it a read

***

OpenSMTPD, Dovecot and SpamAssassin (http://guillaumevincent.com/2015/01/31/OpenSMTPD-Dovecot-SpamAssassin.html)
- We've been talking about setting up your own BSD-based mail server on the last couple episodes
- Here we have another post from a user setting up OpenSMTPD, including Dovecot for IMAP and SpamAssassin for spam filtering
- A lot of people regularly ask the developers (http://permalink.gmane.org/gmane.mail.opensmtpd.general/2265) how to combine OpenSMTPD with spam filtering, and this post should finally reveal the dark secrets
- In addition, it also covers SSL certificates, PKI and setting up MX records - some things that previous posts have lacked
- Just be sure to replace those "apt-get" commands and "eth0" interface names with something a bit more sane…
- In related news, OpenSMTPD has got some interesting new features coming soon (http://article.gmane.org/gmane.mail.opensmtpd.general/2272)
- They're also planning to switch to LibreSSL by default (https://github.com/OpenSMTPD/OpenSMTPD/issues/534) for the portable version

***

FreeBSD 10 on the Thinkpad T400 (http://lastsummer.de/freebsd-desktop-on-the-t400/)
- BSD laptop articles are becoming popular it seems - this one is about FreeBSD on a T400
- Like most of the ones we've mentioned before, it shows you how to get a BSD desktop set up with all the little tweaks you might not think to do
- This one differs in that it takes a more minimal approach to graphics: instead of a full-featured environment like XFCE or KDE, it uses the i3 tiling window manager
- If you're a commandline junkie that basically just uses X11 to run more than one terminal at once, this might be an ideal setup for you
- The post also includes some bits about the DRM and KMS in the 10.x branch, as well as vt

***

PC-BSD 10.1.1 Released (http://blog.pcbsd.org/2015/02/1810/)
- Automatic background updater now in
- Shiny new Qt5 utils
- OVA files for VMs
- Full disk encryption with GELI v7

***

Feedback/Questions
- Camio writes in (http://slexy.org/view/s2MsjllAyU)
- Sha'ul writes in (http://slexy.org/view/s20eYELsAg)
- John writes in (http://slexy.org/view/s20Y2GN1az)
- Sean writes in (http://slexy.org/view/s20ARVQ1T6) (TJ's lengthy reply (http://slexy.org/view/s212XezEYt))
- Christopher writes in (http://slexy.org/view/s2DRgEv4j8)

***

Mailing List Gold
- Special Instructions (https://lists.freebsd.org/pipermail/freebsd-questions/2015-February/264010.html)
- Pretending to be a VT220 (https://mail-index.netbsd.org/netbsd-users/2015/01/19/msg015669.html)

***
74: That Sly MINIX
Coming up this week, we've got something a little bit different for you. We'll be talking with Andrew Tanenbaum, the creator of MINIX. They've recently imported parts of NetBSD into their OS, and we'll find out how and why that came about. As always, all the latest news and answers to your emails, on BSD Now - the place to B.. SD.

Headlines

The missing EuroBSDCon videos (http://2014.eurobsdcon.org/)
- Some of the missing videos from EuroBSDCon 2014 we mentioned before (http://www.bsdnow.tv/episodes/2014_11_19-rump_kernels_revisited) have mysteriously appeared
- Jordan Hubbard (http://www.bsdnow.tv/episodes/2013_11_27-bridging_the_gap), FreeBSD, looking forward to another 10 years (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/01.Keynote%20-%20FreeBSD:%20looking%20forward%20to%20another%2010%20years%20-%20Jordan%20Hubbard.mp4)
- Lourival Vieira Neto, NPF scripting with Lua (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/06.NFS%20scripting%20with%20Lua%20-%20Lourival%20Viera%20Neto.mp4)
- Kris Moore, Snapshots, replication and boot environments (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/02.Snapshots,%20replication%20and%20boot%20environments%20-%20Kris%20Moore.mp4)
- Andy Tanenbaum, A reimplementation of NetBSD based on a microkernel (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/07.A%20reimplementation%20of%20NetBSD%20based%20on%20a%20microkernel%20-%20Andy%20Tanenbaum.mp4)
- Kirk McKusick (http://www.bsdnow.tv/episodes/2013-10-02_stacks_of_cache), An introduction to FreeBSD's implementation of ZFS (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/03.An%20introduction%20to%20the%20implementation%20of%20ZFS%20-%20Kirk%20McKusick.mp4)
- Emmanuel Dreyfus, FUSE and beyond, bridging filesystems (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/05.FUSE%20and%20beyond:%20bridging%20filesystems%20-%20Emannuel%20Dreyfus.mp4)
- John-Mark Gurney (http://www.bsdnow.tv/episodes/2014_10_29-ipsecond_wind), Optimizing GELI performance (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/04.Optimizing%20GELI%20performance%20-%20John-Mark%20Gurney.mp4)
- Unfortunately, there are still about six talks missing… and no ETA

***

FreeBSD on a MacBook Pro (or two) (https://gist.github.com/mpasternacki/974e29d1e3865e940c53)
- We've got a couple posts about running FreeBSD on a MacBook Pro this week
- In the first one, the author talks a bit about trying to run Linux on his laptop for quite a while, going back and forth between it and something that Just Works™
- Eventually he came full circle, and the focus on using only GUI tools got in the way, instead of making things easier
- He works on a lot of FreeBSD-related software, so switching to it for a desktop seems to be the obvious next step
- He's still not quite to that point yet, but documents his experiments with BSD as a desktop
- The second article (http://blog.foxkit.us/2015/01/freebsd-on-apple-macbook-pro-13-late.html) also documents an ex-Linux user switching over to BSD for their desktop
- It also covers (http://blog.foxkit.us/2015/01/freebsd-on-apple-macbook-pro-82-now.html) power management, Bluetooth and trackpad setup
- On the topic of Gentoo, "Underneath the beautiful and easy-to-use Portage system lies the same glibc, the same turmoil over a switch to a less-than-ideal init system, and the same kernel-level bugs that bring my productivity down"
- Check out both articles if you've been considering running FreeBSD on a MacBook

***

Remote logging over TLS (https://www.marc.info/?l=openbsd-tech&m=142136923124184&w=2)
- In most of the BSDs, syslogd has been able to remotely send logs to another server for a long time
- That feature can be very useful, especially for forensics purposes - it's much harder for an attacker to hide their activities if the logs aren't on the same server
- The problem is, of course, that it's sent in cleartext (https://en.wikipedia.org/wiki/Syslog#Protocol), unless you tunnel it over SSH or use some kind of third party wrapper
- With a few recent commits (https://www.marc.info/?l=openbsd-cvs&m=142160989610410&w=2), OpenBSD's syslogd now supports sending logs over TLS natively, including X509 certificate verification
- By default, syslogd runs as an unprivileged user in a chroot on OpenBSD, so there were some initial concerns about certificate verification - how does that user access the CA chain outside of the chroot?
- That problem was also conquered (https://www.marc.info/?l=openbsd-tech&m=142188450524692&w=2), by loading the CA chain directly from memory (https://www.marc.info/?l=openbsd-cvs&m=142191799331938&w=2), so the entire process can be run in the chroot (https://www.marc.info/?l=openbsd-cvs&m=142191819131993&w=2) without issue
- Some of the privsep verification code even made its way into (https://www.marc.info/?l=openbsd-cvs&m=142191878632141&w=2) LibreSSL right afterwards
- If you haven't set up remote logging before, now might be an interesting time to try it out

***

FreeBSD, not a Linux distro (https://www.youtube.com/watch?v=wwbO4eTieQY)
- George Neville-Neil gave a presentation recently, titled "FreeBSD: not a Linux distro"
- It's meant to be an introduction to new users that might've heard about FreeBSD, but aren't familiar with any BSD history
- He goes through some of that history, and talks about what FreeBSD is and why you might want to use it over other options
- There's even an interesting "thirty years in three minutes" segment
- It's not just a history lesson though, he talks about some of the current features and even some new things coming in the next version(s)
- We also learn about filesystems, jails, capsicum, clang, dtrace and the various big companies using FreeBSD in their products
- This might be a good video to show your friends or potential employer if you're looking to introduce FreeBSD to them

***

Long-term support considered harmful (http://www.tedunangst.com/flak/post/long-term-support-considered-harmful)
- There was recently a pretty horrible bug (https://www.marc.info/?l=bugtraq&m=142237866420639&w=2) in GNU's libc (BSDs aren't affected, don't worry)
- Aside from the severity of the actual problem, the fix was delayed (https://code.google.com/p/chromium/issues/detail?id=364511) for quite a long time, leaving people vulnerable
- Ted Unangst writes a post about how this idea of long-term support (https://plus.google.com/u/0/+ArtoPekkanen/posts/88jk5ggXYts?cfem=1) could actually be harmful in the long run, and compares it to how OpenBSD does things
- OpenBSD releases a new version every six months, and only the two most recent releases get support and security fixes
- He describes this as both a good thing and a bad thing: all the bugs in the ecosystem get flushed out within a year, but it forces people to stay (relatively) up-to-date
- "Upgrades only get harder and more painful (and more fragile) the longer one goes between them. More changes, more damage. Frequent upgrades amortize the cost and ensure that regressions are caught early."
- There was also some (https://lobste.rs/s/a4iijx/long_term_support_considered_harmful) discussion (https://news.ycombinator.com/item?id=8954737) about the article you can check out

***

Interview - Andrew Tanenbaum - info@minix3.org (mailto:info@minix3.org) / @minix3 (https://twitter.com/minix3)
- MINIX's integration of NetBSD

News Roundup

Using AFL on OpenBSD (http://www.undeadly.org/cgi?action=article&sid=20150121093259)
- We've talked about American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/) a bit on a previous episode, and how some OpenBSD devs are using it (https://www.marc.info/?l=openbsd-cvs&w=2&r=1&s=afl&q=b) to catch and fix new bugs
- Undeadly has a cool guide on how you can get started with fuzzing
- It's a little on the advanced side, but if you're interested in programming or diagnosing crashes, it'll be a really interesting article to read
- Lots of recent CVEs in other open source projects are attributed to fuzzing - it's a great way to stress test your software

***

Lumina 0.8.1 released (http://blog.pcbsd.org/2015/01/lumina-desktop-0-8-1-released/)
- A new version of Lumina, the BSD-licensed desktop environment from PCBSD, has been released
- This update includes some new plugins, lots of bugfixes and even "quality-of-life improvements"
- There's a new audio player desktop plugin, a button to easily minimize all windows at once and some cool new customization options
- You can get it in PCBSD's edge repo or install it through regular ports (on FreeBSD, OpenBSD or DragonFly!)
- If you haven't seen our episode about Lumina, where we interview the developer and show you a tour of its features, gotta go watch it (http://www.bsdnow.tv/episodes/2014_09_10-luminary_environment)

***

My first OpenBSD port (http://homing-on-code.blogspot.com/2015/01/my-first-openbsd-port.html)
- The author of the "Code Rot & Why I Chose OpenBSD" article has a new post up, this time about ports
- He recently made his first port and got it into the tree, so he talks about the whole process from start to finish
- After learning some of the basics and becoming comfortable running -current, he noticed there wasn't a port for the "Otter" web browser
- At that point he did what you're supposed to do in that situation, and started working on it himself
- OpenBSD has a great porter's handbook (http://www.openbsd.org/faq/ports/) that he referenced throughout the process
- Long story short, his browser of choice is in the official ports collection and now he's the maintainer (and gets to deal with any bug reports, of course)
- If some software you use isn't available for whatever BSD you're using, you could be the one to make it happen

***

How to slide with DragonFly (http://www.dragonflybsd.org/docs/docs/howtos/howtoslide/)
- DragonFly BSD has a new HAMMER FS utility called "Slider"
- It's used to easily browse through file history and undelete files - imagine something like a commandline version of Apple's Time Machine
- They have a pretty comprehensive guide on how to use it on their wiki page
- If you're using HAMMER FS, this is a really handy tool to have, check it out

***

OpenSMTPD with Dovecot and Salt (https://blog.al-shami.net/2015/01/howto-small-mail-server-with-salt-dovecot-and-opensmtpd/)
- We recently had a feedback question about which mail servers you can use on BSD - Postfix, Exim and OpenSMTPD being the big three
- This blog post details how to set up OpenSMTPD, including Dovecot for IMAP and Salt for quick and easy deployment
- Intrigued by it becoming the default MTA in OpenBSD, the author decided to give it a try after being a long-time Postfix fan
- "Small, fast, stable, and very easy to customize, no more ugly m4 macros to deal with"
- Check it out if you've been thinking about configuring your first mail server on any of the BSDs

***

Feedback/Questions
- Christopher writes in (http://slexy.org/view/s20q2fSfEO) (handbook section (https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html#jails-ezjail-update-os))
- Mark writes in (http://slexy.org/view/s2zGvAczeN)
- Kevin writes in (http://slexy.org/view/s21Dn2Tey8)
- Stefano writes in (http://slexy.org/view/s215nxxrtF)
- Matthew writes in (http://slexy.org/view/s20cwezc9l)

***

Mailing List Gold
- Not that interested actually (https://www.marc.info/?l=openbsd-misc&m=142194821910087&w=2)
- This guy again (https://lists.freebsd.org/pipermail/freebsd-jail/2015-January/002742.html)
- Yep, this is the place (https://lists.freebsd.org/pipermail/freebsd-doc/2015-January/024888.html)

***
73: Pipe Dreams
This week on the show we'll be chatting with David Maxwell, a former NetBSD security officer. He's got an interesting project called Pipecut that takes a whole new approach to the commandline. We've also got answers to viewer-submitted questions and all this week's headlines, on BSD Now - the place to B.. SD.

Headlines

FreeBSD quarterly status report (https://www.freebsd.org/news/status/report-2014-10-2014-12.html)
- The FreeBSD team has posted an update on some of their activities between October and December of 2014
- They put a big focus on compatibility with other systems: the Linux emulation layer, bhyve (http://www.bsdnow.tv/tutorials/bhyve), WINE and Xen all got some nice improvements
- As always, the report has lots of updates from the various teams working on different parts of the OS and ports infrastructure
- The release engineering team got 10.1 out the door, the ports team shuffled a few members in and out and continued working on closing more PRs
- FreeBSD's forums underwent a huge change, and discussion about the new support model for release cycles continues (hopefully taking effect after 11.0 is released)
- Git was promoted from beta to an officially-supported version control system (Kris is happy)
- The core team is also assembling a new QA team to ensure better code quality in critical areas, such as security and release engineering, after getting a number of complaints
- Other notable entries include: lots of bhyve fixes, Clang/LLVM being updated to 3.5.0, ongoing work to the external toolchain, adding FreeBSD support to more "cloud" services, pkgng updates, work on SecureBoot, more ARM support and graphics stack improvements
- Check out the full report for all the details that we didn't cover

***

OpenBSD package signature audit (http://linux-audit.com/vulnerabilities-and-digital-signatures-for-openbsd-software-packages/)
- "Linux Audit" is a website focused on auditing and hardening systems, as well as educating people about securing their boxes
- They recently did an article about OpenBSD, specifically their ports and package system (http://www.bsdnow.tv/tutorials/ports-obsd) and signing infrastructure
- The author gives a little background on the difference between ports and binary packages, then goes through the technical details of how releases and packages are cryptographically signed
- Package signature formats and public key distribution methods are also touched on
- After some heckling, the author of the post said he plans to write more BSD security articles, so look forward to them in the future
- If you haven't seen our episode about signify (http://www.bsdnow.tv/episodes/2014_02_05-time_signatures) with Ted Unangst, that would be a great one to check out after reading this

***

Replacing a Linux router with BSD (http://ask.slashdot.org/story/15/01/15/1547209/ask-slashdot-migrating-a-router-from-linux-to-bsd)
- There was recently a Slashdot discussion about migrating a Linux-based router to a BSD-based one
- The poster begins with "I'm in the camp that doesn't trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I'd run Windows NT, not Linux. So I've decided to migrate my homebrew router/firewall/samba server to one of the BSDs."
- A lot of people were quick to recommend OPNsense (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach) and pfSense, being that they're very easy to administer (requiring basically no BSD knowledge at all)
- Other commenters suggested a more hands-on approach, setting one up yourself with FreeBSD (http://blog.pcbsd.org/2015/01/using-trueos-as-a-ipfw-based-home-router/) or OpenBSD (http://www.bsdnow.tv/tutorials/openbsd-router)
- If you've been thinking about moving some routers over from Linux or another commercial solution, this might be a good discussion to read through
- Unfortunately, a lot of the comments are just Linux users bickering about systemd, so you'll have to wade through some of that to get to the good information

***

LibreSSL in FreeBSD and OPNsense (http://bsdxbsdx.blogspot.com/2015/01/switching-to-openssl-from-ports-in.html)
- A FreeBSD sysadmin has started documenting his experience replacing OpenSSL in the base system with the one from ports (and also experimenting with LibreSSL)
- The reasoning being that updates in base tend to lag behind (http://www.openbsd.org/papers/eurobsdcon2014-libressl.html), whereas the port can be updated for security very quickly
- OPNsense developers are looking into (https://twitter.com/fitchitis/status/555625679614521345) switching away (http://forum.opnsense.org/index.php?topic=21.0) from OpenSSL to LibreSSL's portable version (http://www.bsdnow.tv/episodes/2014_07_30-liberating_ssl), for both their ports and base system, which would be a pretty huge differentiator for their project
- Some ports still need fixing (https://bugs.freebsd.org/bugzilla/buglist.cgi?order=Importance&query_format=advanced&short_desc=libressl&short_desc_type=allwordssubstr) to be compatible though, particularly a few (https://github.com/opnsense/ports/commit/c15af648e9d5fcecf0ae666292e8f41c08979057) python-related (https://github.com/pyca/cryptography/issues/928) ones
- If you're a FreeBSD ports person, get involved and help squash some of the last remaining bugs
- A lot of the work has already been done in OpenBSD's ports tree (http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/) - some patches just need to be adopted
- More and more upstream projects are incorporating LibreSSL patches in their code - let your favorite software vendor know that you're using it

***

Interview - David Maxwell - david@netbsd.org (mailto:david@netbsd.org) / @david_w_maxwell (https://twitter.com/david_w_maxwell)
- Pipecut (https://www.youtube.com/watch?v=CZHEZHK4jRc), text processing, commandline wizardry

News Roundup

Jetpack, a new jail container system (https://github.com/3ofcoins/jetpack)
- A new project was launched to adapt FreeBSD jails to the "app container specification"
- While still pretty experimental in terms of the development phase, this might be something to show your Linux friends who are in love with docker
- It's a similar project to iocage (https://github.com/pannon/iocage) or bsdploy (https://github.com/ployground/bsdploy), which we haven't talked a whole lot about
- There was also some discussion (https://news.ycombinator.com/item?id=8893630) about it on Hacker News

***

Separating base and package binaries (https://www.reddit.com/r/BSD/comments/2szofc)
- All of the main BSDs make a strong separation between the base system and third party software
- This is in contrast to Linux where there's no real concept of a "base system" - more recently, some distros have even merged all the binaries into a single directory
- A user asks the community about the BSD way of doing it, trying to find out the advantages and disadvantages of both hierarchies
- Read the comments for the full explanation, but having things separated really helps keep things organized

***

Updated i915kms driver for FreeBSD (https://svnweb.freebsd.org/base?view=revision&revision=277487)
- This update brings the FreeBSD code closer in line with the Linux code, to make it easier to update going forward
- It doesn't introduce Haswell support just yet, but was required before the Haswell bits can be added

***

Year of the OpenBSD desktop (http://zacbrown.org/2015/01/18/openbsd-as-a-desktop/)
- Here we have an article about using OpenBSD as a daily driver for regular desktop usage
- The author says he "ran fifty thousand different distributions, never being satisfied"
- After dealing with the problems of Linux and fragmentation, he eventually gave up and bought a MacBook
- He also used FreeBSD between versions 7 and 9, finding "a mostly harmonious environment," but regressions led him to give up on desktop *nix once again
- Starting with 2015, he's back and is using OpenBSD on a Thinkpad x201
- The rest of the article covers some of his configuration tweaks and gives an overall conclusion on his current setup
- He apparently used our desktop tutorial (http://www.bsdnow.tv/tutorials/the-desktop-obsd) - thanks for watching!

***

Unattended FreeBSD installation (http://louwrentius.com/freebsd-101-unattended-install-over-pxe-http-no-nfs.html)
- A new BSD user was looking to get some more experience, so he documented how to install FreeBSD over PXE
- His goal was to have a setup similar to Red Hat's "kickstart" or OpenBSD's autoinstall (http://www.bsdnow.tv/tutorials/autoinstall)
- The article shows you how to set up DHCP and TFTP, with no NFS share setup required
- He also gives a mention to mfsbsd, showing how you can customize its startup script to do most of the work for you

***

Feedback/Questions
- Robert writes in (http://slexy.org/view/s20UsZjN4h)
- Sean writes in (http://slexy.org/view/s219cMQz3U)
- l33tname writes in (http://slexy.org/view/s2EkzMUMyb)
- Charlie writes in (http://slexy.org/view/s2nq6L6H1n)
- Eric writes in (http://slexy.org/view/s21EGqUYLd)

***

Mailing List Gold
- Clowning around (https://www.marc.info/?l=openbsd-cvs&m=142159202606668&w=2)
- Better than succeeding in this case (https://lists.freebsd.org/pipermail/freebsd-ports/2015-January/097734.html)

***
72: Common *Sense Approach
This week on the show, we'll be talking to Jos Schellevis about OPNsense, a new firewall project that was forked from pfSense. We'll learn some of the backstory and see what they've got planned for the future. We've also got all this week's news and answers to all your emails, on BSD Now - the place to B.. SD.

Headlines

Be your own VPN provider with OpenBSD (http://networkfilter.blogspot.com/2015/01/be-your-own-vpn-provider-with-openbsd.html)
- We've covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past - but what if you don't trust any VPN company?
- It's easy for anyone to say "of course we don't run a modified version of OpenVPN that logs all your traffic... what are you talking about?"
- The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
- With this guide, you'll be able to cut out the middleman and create your own VPN, using OpenBSD
- It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN

***

FreeBSD vs Gentoo comparison (http://www.iwillfolo.com/2015/01/comparison-gentoo-vs-freebsd-tweak-tweak-little-star/)
- People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software
- This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
- The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things
- If you're a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more

***

Kernel W^X in OpenBSD (https://www.marc.info/?l=openbsd-tech&m=142120787308107&w=2)
- W^X, "Write XOR Execute (https://en.wikipedia.org/wiki/W%5EX)," is a security feature of OpenBSD with a rather strange-looking name
- It's meant to be an exploit mitigation technique, preventing pages in the address space of a process from being both writable and executable at the same time
- This helps defeat some types of buffer overflow attacks: code injected into a writable page won't execute, but will crash the program (quite obviously the lesser of the two evils)
- Through some recent work, OpenBSD's kernel now has no part of the address space without this feature - whereas it was only enabled in the userland previously (http://www.openbsd.org/papers/ru13-deraadt/)
- Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that's been in the works for a while
- More technical details can be found in some recent CVS commits (https://www.marc.info/?l=openbsd-cvs&m=141917924602780&w=2)

***

Building an IPFW-based router (http://blog.pcbsd.org/2015/01/using-trueos-as-a-ipfw-based-home-router/)
- We've covered building routers with PF (http://www.bsdnow.tv/tutorials/openbsd-router) many times before, but what about IPFW (https://www.freebsd.org/doc/handbook/firewalls-ipfw.html)?
- A certain host of a certain podcast decided it was finally time to replace his disappointing (https://github.com/jduck/asus-cmd) consumer router with something BSD-based
- In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
- He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit
- If you're an IPFW fan and are thinking about putting together a new router, give this post a read

***

Interview - Jos Schellevis - project@opnsense.org (mailto:project@opnsense.org) / @opnsense (https://twitter.com/opnsense)
- The birth of OPNsense (http://opnsense.org)

News Roundup

On profiling HTTP (http://adrianchadd.blogspot.com/2015/01/on-profiling-http-or-god-damnit-people.html)
- Adrian Chadd, who we've had on the show before (http://www.bsdnow.tv/episodes/2014_09_17-the_promised_wlan), has been doing some more ultra-high performance testing
- Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
- According to him, it's "not very pretty"
- He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
- You can check out his new code on Github (https://github.com/erikarn/libevhtp-http/) right now

***

Using divert(4) to reduce attacks (http://daemonforums.org/showthread.php?s=db0dd79ca26eb645eadd2d8abd267cae&t=8846)
- We talked about using divert(4) (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/divert.4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
- It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you're running
- PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that won't work
- The Composite Blocking List is a 
public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious Consider setting this up to reduce the attack spam in your logs if you run public services *** ChaCha20 patchset for GELI (https://lists.freebsd.org/pipermail/freebsd-hackers/2015-January/046814.html) A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption (http://www.bsdnow.tv/tutorials/fde) system There are also some benchmarks that look pretty good in terms of performance Currently, GELI defaults to AES in XTS mode (https://en.wikipedia.org/wiki/Disk_encryption_theory#XEX-based_tweaked-codebook_mode_with_ciphertext_stealing_.28XTS.29) with a few tweakable options (but also supports Blowfish, Camellia and Triple DES) There's some discussion (https://lists.freebsd.org/pipermail/freebsd-hackers/2015-January/046824.html) going on about whether a stream cipher (https://en.wikipedia.org/wiki/Stream_cipher) is suitable or not (https://lists.freebsd.org/pipermail/freebsd-hackers/2015-January/046834.html) for disk encryption though, so this might not be a match made in heaven just yet *** PCBSD update system enhancements (http://blog.pcbsd.org/2015/01/new-update-gui-for-pc-bsd-automatic-updates/) The PCBSD update utility has gotten an update itself, now supporting automatic upgrades You can choose what parts of your system you want to let it automatically handle (packages, security updates) The update system uses ZFS and Boot Environments for safe updating and bypasses some dubious pkgng functionality There's also a new graphical frontend available for it *** Feedback/Questions Mat writes in (http://slexy.org/view/s2XJhAsffU) Chris writes in (http://slexy.org/view/s20qnSHujZ) Andy writes in (http://slexy.org/view/s21O0MShqi) Beau writes in (http://slexy.org/view/s2LutVQOXN) Kutay writes in (http://slexy.org/view/s21Esexdrc) *** Mailing List Gold Wait, a real one? 
(https://www.mail-archive.com/advocacy@openbsd.org/msg02249.html) What's that glowing... (https://www.marc.info/?l=openbsd-misc&m=142125454022458&w=2) ***
71: System Disaster
This time on the show, we'll be talking to Ian Sutton about his new BSD compatibility wrappers for various systemd dependencies. Don't worry, systemd is not being ported to BSD! We're still safe! We've also got all the week's news and answers to your emails, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Introducing OPNsense, a pfSense fork (http://opnsense.org/)
- OPNsense is a new BSD-based firewall project that was recently started (http://www.prnewswire.com/news-releases/deciso-launches-opnsense-a-new-open-source-firewall-initiative-287334371.html), forked from the pfSense codebase
- Even though it's just been announced, they already have a formal release based on FreeBSD 10 (pfSense's latest stable release is based on 8.3)
- The core team (http://opnsense.org/about/about-opnsense/#opnsense-core-team) includes a well-known DragonFlyBSD developer
- You can check out their code on Github (https://github.com/opnsense) now, or download an image and try it out - let us know (mailto:feedback@bsdnow.tv) if you do and what you think about it
- They also have a nice wiki and some instructions on getting started (http://wiki.opnsense.org/index.php/Manual:Installation_and_Initial_Configuration) for new users
- We plan on having them on the show next week to learn a bit more about how the project got started and why you might want to use it - stay tuned

***

Code rot and why I chose OpenBSD (http://homing-on-code.blogspot.com/2015/01/code-rot-openbsd.html)
- Here we have a blog post about rotting codebases - a core banking system in this example
- The author tells the story of how his last days spent at the job were mostly removing old, dead code from a giant project
- He goes on to compare it to OpenSSL and the heartbleed disaster, from which LibreSSL was born
- Instead of just bikeshedding like the rest of the internet, OpenBSD "silently started putting the beast into shape" as he puts it
- The article continues on to mention OpenBSD's code review process, and how it catches any bugs so we don't have more heartbleeds
- "In OpenBSD you are encouraged to run current and the whole team tries its best to make current as stable as it can. You know why? They eat their own dog food. That's so simple yet so amazing that it blows my mind. Developers actually run OpenBSD on their machines daily."
- It's a very long and detailed story about how the author has gotten more involved with BSD, learned from the mailing lists and even started contributing back - he says "In summary, I'm learning more than ever - computing is fun again"
- Look for the phrase "Getting Started" in the blog post for a nice little gem

***

ZFS vs HAMMER FS (https://forums.freebsd.org/threads/zfs-vs-hammer.49789/)
- One of the topics we've seen come up from time to time is how FreeBSD's ZFS (http://www.bsdnow.tv/tutorials/zfs) and DragonFly's HAMMER FS (http://www.bsdnow.tv/tutorials/hammer) compare to each other
- They both have a lot of features that traditional filesystems lack
- A forum thread was opened for discussion about them both and what they're typically used for
- It compares resource requirements, ideal hardware and pros/cons of each
- Hopefully someone will do another new comparison when HAMMER 2 is finished
- This is not to be confused with the other "hammer" filesystem (https://www.youtube.com/watch?v=HBXlVl5Ll6k)

***

Portable OpenNTPD revived (https://www.mail-archive.com/tech@openbsd.org/msg21886.html)
- With ISC's NTPd having so many security vulnerabilities recently, people need an alternative NTP daemon (http://www.bsdnow.tv/tutorials/ntpd)
- OpenBSD has developed OpenNTPD (http://openntpd.org/) since 2004, but the portable version for other operating systems hasn't been actively maintained in a few years
- The older version still works fine, and is in FreeBSD ports and NetBSD pkgsrc, but it would be nice to have some of the newer features and fixes from the native version
- Brent Cook, who we've had on the show before (http://www.bsdnow.tv/episodes/2014_07_30-liberating_ssl) to talk about LibreSSL, decided it was time to fix this
- While looking through the code, he also found some fixes (http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/?sortby=date#dirlist) for the native version as well
- You can grab it from Github (https://github.com/openntpd-portable/openntpd-portable) now, or just wait for the updated release (https://lists.freebsd.org/pipermail/freebsd-ports/2015-January/097400.html) to hit the repos of your OS of choice

***

Interview - Ian Sutton - ian@kremlin.cc (mailto:ian@kremlin.cc)
BSD replacements (https://uglyman.kremlin.cc/gitweb/gitweb.cgi?p=systembsd.git;a=summary) for systemd dependencies (http://undeadly.org/cgi?action=article&sid=20140915064856)

News Roundup

pkgng adds OS X support (https://github.com/freebsd/pkg/pull/1113)
- FreeBSD's next-gen package manager (http://www.bsdnow.tv/tutorials/pkgng) has just added support for Mac OS X
- Why would you want that? Well.. we don't really know, but it's cool
- The author of the patch may have some insight (https://github.com/freebsd/pkg/pull/1113#issuecomment-68063964) about what his goal is though
- This could open up the door for a cross-platform pkgng solution, similar to NetBSD's pkgsrc
- There's also the possibility of pkgng being used as a packaging format for MacPorts in the future
- While we're on the topic of pkgng, you can also watch bapt (http://www.bsdnow.tv/episodes/2014_01_01-eclipsing_binaries)'s latest presentation about it from ruBSD 2014 - "four years of pkg (http://is.gd/4AvUwt)"

***

Secure secure shell (https://stribika.github.io/2015/01/04/secure-secure-shell.html)
- Almost everyone watching BSD Now probably uses OpenSSH (http://www.bsdnow.tv/tutorials/ssh-tmux) and has set up a server at one point or another
- This guide provides a list of best practices beyond the typical "disable root login and use keys" advice you'll often hear
- It specifically goes in-depth with server and client configuration with the best key types, KEX methods and encryption ciphers to use
- There are also good explanations for all the choices, based both on history and probability
- Minimal backwards compatibility is kept, but most of the old and insecure stuff gets disabled
- We've also got a handy chart (http://ssh-comparison.quendi.de/comparison.html) to show which SSH implementations support which ciphers, in case you need to support Windows users or people who use weird clients

***

Dissecting OpenBSD's divert(4) (http://lteo.net/blog/2015/01/06/dissecting-openbsds-divert-4-part-1-introduction/)
- PF has a cool feature that not a lot of people seem to know about: divert
- It lets you send packets to userspace, allowing you to inspect them a lot easier
- This blog post, the first in a series, details all the cool things you can do with divert and how to use it
- A very common example is with intrusion detection systems like Snort

***

Screen recording on FreeBSD (https://www.banym.de/freebsd/create-a-screen-recording-on-freebsd-with-kdenlive-and-external-usb-mic)
- This is a neat article about a topic we don't cover very often: making video content on BSD
- In the post, you'll learn how to make screencasts with FreeBSD, using kdenlive and ffmpeg
- There are also notes about getting a USB microphone working, so you can do commentary on whatever you're showing
- It also includes lots of details and helpful screenshots throughout the process
- You should make cool screencasts and send them to us

***

Feedback/Questions
- Camio writes in (http://slexy.org/view/s21Zx0ktmb)
- ezpzy writes in (http://slexy.org/view/s2vVR5Orhh)
- Emett writes in (http://slexy.org/view/s21Ahb5Lxa)
- Ben writes in (http://slexy.org/view/s20oJmveN6)
- Laszlo writes in (http://slexy.org/view/s2cTayMxPk)

***

Mailing List Gold
- Protocol X97 (https://lists.freebsd.org/pipermail/freebsd-questions/2015-January/263441.html)
- My thoughts echoed (https://www.marc.info/?l=openbsd-tech&m=141159429123859&w=2)
- Vulnerability sample (http://www.openwall.com/lists/oss-security/2015/01/04/10)

***
70: Daemons in the North
It's our last episode of 2014, and we'll be chatting with Dan Langille about the upcoming BSDCan conference. We'll find out what's planned and what sorts of presentations they're looking for. As usual, answers to viewer-submitted questions and all the week's news, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

More conference presentation videos (http://2014.asiabsdcon.org/timetable.html.en)
- Some more of the presentation videos from AsiaBSDCon are appearing online
  - Masanobu Saitoh, Developing CPE Routers Based on NetBSD (https://www.youtube.com/watch?v=ApruZrU5fVs)
  - Reyk Floeter (http://www.bsdnow.tv/episodes/2014_09_03-its_hammer_time), VXLAN and Cloud-based Networking with OpenBSD (https://www.youtube.com/watch?v=ufeEP_hzFN0)
  - Jos Jansen, Adapting OS X to the enterprise (https://www.youtube.com/watch?v=gOPfRQgTjNo)
  - Pierre Pronchery (http://www.bsdnow.tv/episodes/2014_04_01-edgy_bsd_users) & Guillaume Lasmayous, Carve your NetBSD (https://www.youtube.com/watch?v=vh-TjLUj6os)
  - Colin Percival (http://www.bsdnow.tv/episodes/2014_01_22-tendresse_for_ten), Everything you need to know about cryptography in 1 hour (https://www.youtube.com/watch?v=jzY3m5Kv7Y8) (not from AsiaBSDCon)
- The "bsdconferences" YouTube channel has quite a lot of interesting older BSD talks (https://www.youtube.com/user/bsdconferences/videos?sort=da&view=0&flow=grid) too - you may want to go back and watch them if you haven't already

***

OpenBSD PIE enhancements (https://www.marc.info/?l=openbsd-cvs&m=141922027318727&w=2)
- ASLR (https://en.wikipedia.org/wiki/Address_space_layout_randomization) and PIE (https://en.wikipedia.org/wiki/Position-independent_executable) are great security features that OpenBSD has had enabled by default for a long time, in both the base system and ports, but they have one inherent problem
- They only work with dynamic libraries and binaries, so if you have any static binaries, they don't get the same treatment
- For example, the default shells (and many other things in /bin and /sbin) are statically linked
- In the case of the static ones, you can always predict the memory layout, which is very bad and sort of defeats the whole purpose (https://en.wikipedia.org/wiki/Return-oriented_programming)
- With this and a few related commits (https://www.marc.info/?l=openbsd-cvs&m=141927571832106&w=2), OpenBSD fixes this by introducing static self-relocation
- More and more CPU architectures are being tested and getting support too; this isn't just for amd64 and i386 - VAX users can rest easy
- It'll be available in 5.7 in May, or you can use a -current snapshot (http://www.openbsd.org/faq/faq5.html#BldBinary) if you want to get a slice of the action now

***

FreeBSD foundation semi-annual newsletter (https://www.freebsdfoundation.org/press/2014dec-newsletter.html)
- The FreeBSD foundation publishes a huge newsletter twice a year, detailing their funded projects and some community activities
- As always, it starts with a letter from the president of the foundation - this time it's about encouraging students and new developers to get involved
- The article also has a fundraising update with a list of sponsored projects, and they note that the donations meter has changed from dollars to number of donors (since they exceeded the goal already)
- You can read summaries of all the BSD conferences of 2014 and see a list of upcoming ones next year too
- There are also sections about the FreeBSD Journal (http://www.bsdnow.tv/episodes/2014_01_29-journaled_news_updates)'s progress, a new staff member and a testimonial from NetApp
- It's a very long report, so dedicate some time to read all the way through it
- This year was pretty great for BSD: both the FreeBSD and OpenBSD foundations exceeded their goals and the NetBSD foundation came really close too
- As we go into 2015, consider donating to whichever (https://www.freebsdfoundation.org/donate) BSD (http://www.openbsdfoundation.org/donations.html) you (https://www.netbsd.org/donations/) use (http://www.dragonflybsd.org/donations/), it really can make a difference

***

Modernizing OpenSSH fingerprints (https://www.marc.info/?l=openbsd-cvs&m=141920089614758&w=4)
- When you connect to a server for the first time, you'll get what's called a fingerprint of the host's public key - this is used to verify that you're actually talking to the same server you intended to
- Up until now, the key fingerprints have been an MD5 hash, displayed as hex
- This can be problematic (https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-November/033117.html), especially for larger key types like RSA that give lots of wiggle room for collisions, as an attacker could generate a fake host key that gives the same MD5 string as the one you wanted to connect to
- This new change replaces the default MD5 and hex with a base64-encoded SHA256 fingerprint
- You can add a "FingerprintHash" line in your ssh_config to force using only the new type
- There's also a new option (https://www.marc.info/?l=openbsd-cvs&m=141923470520906&w=2) to require users to authenticate with more than one public key, so you can really lock down login access to your servers - also useful if you're not 100% confident in any single key type
- The new options should be in the upcoming 6.8 release

***

Interview - Dan Langille - info@bsdcan.org (mailto:info@bsdcan.org) / @bsdcan (https://twitter.com/bsdcan)
Plans for the BSDCan 2015 conference

News Roundup

Introducing ntimed, a new NTP daemon (https://github.com/bsdphk/Ntimed)
- As we've mentioned before in our tutorials (http://www.bsdnow.tv/tutorials/ntpd), there are two main daemons for the Network Time Protocol - ISC's NTPd and OpenBSD's OpenNTPD
- With all the recent security problems with ISC's NTPd, Poul-Henning Kamp (http://www.bsdnow.tv/episodes/2013_10_16-go_directly_to_jail) has been working on a third NTP daemon
- It's called "ntimed" and you can try out a preview version of it right now - it's in FreeBSD ports (https://www.freshports.org/net/ntimed/) or on Github
- PHK also has a few blog entries (http://phk.freebsd.dk/time/) about the project, including status updates

***

OpenBSD-maintained projects list (http://mdocml.bsd.lv/openbsd_projects.html)
- There was recently a thread on the misc mailing list (https://www.marc.info/?t=141961588200003&r=1&w=2) asking about different projects started by OpenBSD developers
- The initial list had marks for which software had portable versions to other operating systems (OpenSSH being the most popular example)
- A developer compiled a new list from all of the replies to that thread into a nice organized webpage
- Most people are only familiar with things like OpenSSH, OpenSMTPD, OpenNTPD and more recently LibreSSL, but there are quite a lot more
- This page also serves as a good history lesson for BSD in general: FreeBSD and others have ported some things over, while a couple OpenBSD tools were born from forks of FreeBSD tools (mergemaster, pkg tools, portscout)

***

Monitoring network traffic with FreeBSD (https://forums.freebsd.org/threads/howto-monitor-network-traffic-with-netflow-nfdump-nfsen-on-freebsd.49724/)
- If you've ever been curious about monitoring network traffic on your FreeBSD boxes, this forum post may be exactly the thing for you
- It'll show you how to combine the Netflow, NfDump and NfSen suite of tools to get some pretty detailed network stats (and of course put them into a fancy webpage)
- This is especially useful for finding out what was going on at a certain point in time, for example if you had a traffic spike

***

Trapping spammers with spamd (http://www.protoc.org/blog/2014/12/22/trapping-spammers-with-the-openbsd-spam-deferral-daemon)
- This is a blog post about OpenBSD's spamd (https://en.wikipedia.org/wiki/Spamd) - a spam email deferral daemon - and how to use it for your mail
- It gives some background on the greylisting approach to spam, rather than just a typical host blacklist
- "Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the sender re-attempts mail delivery at a later time, the sender may be allowed to continue the mail delivery conversation."
- The post also shows how to combine it with PF and other tools for a pretty fancy mail setup
- You can find spamd in the OpenBSD base system (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/spamd.8), or use it with FreeBSD (https://www.freshports.org/mail/spamd) or NetBSD (http://pkgsrc.se/mail/spamd) via ports and pkgsrc
- You might also want to go back and listen to BSDTalk episode 68 (https://archive.org/details/bsdtalk068), where Will talks to Bob Beck about spamd

***

Feedback/Questions
- Sean writes in (http://slexy.org/view/s20rUK9XVJ)
- Brandon writes in (http://slexy.org/view/s20nfzIuT2)
- Anders writes in (http://slexy.org/view/s20wCBhFLO)
- David writes in (http://slexy.org/view/s20xGrBIyl)
- Kyle writes in (http://slexy.org/view/s2QHRaiZJW)

***

Mailing List Gold
- NTP code comparison (https://www.marc.info/?l=openbsd-tech&m=141903858708123&w=2) - 192870 vs. 2898 (https://www.marc.info/?l=openbsd-tech&m=141905854411370&w=2)
- NICs have feelings too (https://lists.freebsd.org/pipermail/freebsd-hackers/2014-December/046741.html)
- Just think about it (https://www.marc.info/?l=openbsd-ports&m=141998130824977&w=2)

***
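The fingerprint change covered under "Modernizing OpenSSH fingerprints" in the episode 70 notes above, worked through as an added example (not code from the show notes or from OpenSSH): it derives both the legacy MD5/hex and the new SHA256/base64 fingerprint from a public key line and checks the key against a fingerprint obtained out of band. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then data."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line: str):
    """Return (key_type, raw_blob) from '<type> <base64> [comment]'.

    The decoded blob begins with a length-prefixed copy of the key type;
    if it disagrees with the textual type the line is rejected.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4 or blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match the line")
    return key_type, blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy form: MD5 of the blob, shown as colon-separated hex octets."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """New default form: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def matches_expected(line: str, expected: str) -> bool:
    """Check a host key line against a fingerprint received out of band.

    Accepts 'SHA256:<base64>' or the legacy hex form, with or without the
    'MD5:' prefix. Hex is case-insensitive; base64 is not.
    """
    _, blob = parse_public_key_line(line)
    expected = expected.strip()
    if expected.upper().startswith("SHA256:"):
        actual = fingerprint_sha256(blob)
        wanted = "SHA256:" + expected[7:].rstrip("=")
    else:
        body = expected[4:] if expected.upper().startswith("MD5:") else expected
        actual = fingerprint_md5(blob)
        wanted = "MD5:" + body.lower()
    return hmac.compare_digest(actual.encode(), wanted.encode())


# Constructed sample: a well-formed ssh-ed25519 blob with dummy key bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = ("ssh-ed25519 "
               + base64.b64encode(SAMPLE_BLOB).decode("ascii")
               + " host.example")

if __name__ == "__main__":
    _, blob = parse_public_key_line(SAMPLE_LINE)
    print(fingerprint_md5(blob))      # 128-bit digest, hex
    print(fingerprint_sha256(blob))   # 256-bit digest, base64
```
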
69: Under the Ports Tree
It's a special holiday episode! We asked you guys in the audience to send in the tale of how you first got into BSD, and we're going to share those with everyone today. We'll also be playing two bonus mini-interviews, so get comfy by the fire and listen to some BSD Now - the place to B.. SD.

This episode was brought to you by

Special segment

How our viewers got into BSD
- Jason's story (text (http://slexy.org/view/s207hi9pTo))
- bsdx's story (text (http://slexy.org/view/s20cmh0anD))
- David's story (text (http://slexy.org/view/s21r4AL53g))
- Brad's story (text (http://slexy.org/view/s2OqEie53V))
- Reese's story (video)
- Bryan's story (video)
- Pete's story (text (http://slexy.org/view/s2ve2kfgW7))
- Anders' story (text (http://slexy.org/view/s20eL5EYMv))
- Guillermo's story (text (http://slexy.org/view/s20KRuIaks))
- Jonathan's story (text (http://slexy.org/view/s20IFqrc7O))
- Adam's story (text (http://slexy.org/view/s2FnnJH9zs))
- Chris' story (text (http://slexy.org/view/s21GazXKH2))
- Tigersharke's story (text (http://slexy.org/view/s2iJdLoxzZ))
- Roller and Kandie's stories (text (http://slexy.org/view/s203RsddHG))
- Uwe's story (text (http://slexy.org/view/s2gmB5VaS3))
- Pascal's story (text (http://slexy.org/view/s2PWntJ7Tc)) and (image (https://i.imgur.com/ekXbDvb.jpg))

***

Interview - Erwin Lansing - erwin@freebsd.org (mailto:erwin@freebsd.org)
BSD in Europe, getting people involved

Interview - Cristina Vintila - @cristina_crow (https://twitter.com/cristina_crow)
BSD conferences
68: Just the Essentials
Coming up this week, we'll be talking with Michael Lucas about his newest BSD book, "FreeBSD Mastery: Storage Essentials." It's got lots of great information about the disk subsystems, GEOM, filesystems, you name it. We've also got the usual round of news and answers to your emails, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines More BSD conference videos (https://www.youtube.com/channel/UCLy8AikPZfWEmzWxUec69PA/videos) We mentioned it a few times, but the "New Directions in Operating Systems" conference was held in November in the UK The presentations videos are now online, with a few BSD-related talks of interest Antti Kantee (http://www.bsdnow.tv/episodes/2013_10_23-a_brief_intorduction), Rump kernels and why / how we got here (https://www.youtube.com/watch?v=GoB73cVyScI) Franco Fichtner, An introduction to userland networking (https://www.youtube.com/watch?v=WiMNuGTRgbA) Robert Watson (http://www.bsdnow.tv/episodes/2014_08_13-vpn_my_dear_watson), New ideas about old OS security (https://www.youtube.com/watch?v=60elN996rtg) Lots of other interesting, but non-BSD-related, talks were also presented, so check the full list (https://www.youtube.com/playlist?list=PLmRrx948XMnEUlzKOCYn3AzT8OAInP_5M) if you're interested in operating systems in general The 2014 AsiaBSDCon videos are also slowly being uploaded (better late than never) Kirk McKusick (http://www.bsdnow.tv/episodes/2013-10-02_stacks_of_cache), An Overview of Security in the FreeBSD Kernel (https://www.youtube.com/watch?v=E04LxKiu79I) Matthew Ahrens (http://www.bsdnow.tv/episodes/2014_05_14-bsdcanned_goods), OpenZFS ensures the continued excellence of ZFS (https://www.youtube.com/watch?v=8T9Rh-46jhI) Eric Allman, Bambi Meets Godzilla: They Elope - Open Source Meets the Commercial World (https://www.youtube.com/watch?v=o2dmreSy76Q) Scott Long (http://www.bsdnow.tv/episodes/2013_12_25-the_gift_of_giving), Modifying the FreeBSD kernel Netflix streaming servers 
(https://www.youtube.com/watch?v=4sZZN8Szh14) Dru Lavigne (http://www.bsdnow.tv/episodes/2014_04_09-pxe_dust), ZFS for the Masses (https://www.youtube.com/watch?v=z5apZFFvx4k) Kris Moore, Snapshots, Replication, and Boot Environments (https://www.youtube.com/watch?v=w-0PlAVSg5U) David Chisnall (http://www.bsdnow.tv/episodes/2014_05_07-lets_get_raid), The Future of LLVM in the FreeBSD Toolchain (https://www.youtube.com/watch?v=NLqDAclXMMU) Luba Tang, Bold, fast optimizing linker for BSD (https://www.youtube.com/watch?v=fWgbBUPMsVw) John Hixson (http://www.bsdnow.tv/episodes/2014_04_23-its_gonna_get_nasty), Introduction to FreeNAS development (https://www.youtube.com/watch?v=iwF82aep-l8) Zbigniew Bodek, Transparent Superpages for FreeBSD on ARM (https://www.youtube.com/watch?v=2KLXcyLZ_RE) Michael Dexter, Visualizing Unix: Graphing bhyve, ZFS and PF with Graphite (https://www.youtube.com/watch?v=rjNg1eQ7uAk) Peter Grehan (http://www.bsdnow.tv/episodes/2014_01_15-bhyve_mind), Nested Paging in Bhyve (https://www.youtube.com/watch?v=wptkUxJSNMY) Martin Matuška, Deploying FreeBSD systems with Foreman and mfsBSD (https://www.youtube.com/watch?v=nb8jB5x0OX4) James Brown (http://www.bsdnow.tv/episodes/2014_04_16-certified_package_delivery), Analysys of BSD Associate Exam Results (https://www.youtube.com/watch?v=6eKMLuzsTbY) Mindaugas Rasiukevicius, NPF - progress and perspective (https://www.youtube.com/watch?v=cgBh0iC9WhM) Luigi Rizzo, Netmap as a core networking technology (https://www.youtube.com/watch?v=nW8iHgOL9y4) Michael W. 
Lucas (http://www.bsdnow.tv/episodes/2013_11_06-year_of_the_bsd_desktop), Sudo: You're Doing it Wrong (https://www.youtube.com/watch?v=o0purspHg-o) (not from a BSD conference, but still good) They should make for some great material to watch during the holidays *** OpenBSD vs FreeBSD security features (http://networkfilter.blogspot.com/2014/12/security-openbsd-vs-freebsd.html) From the author of both the OpenBSD and FreeBSD secure gateway articles we've featured in the past comes a new entry about security The article goes through a list of all the security features enabled (and disabled) by default in both FreeBSD and OpenBSD It covers a wide range of topics, including: memory protection, randomization, encryption, privilege separation, Capsicum, securelevels, MAC, Jails and chroots, network stack hardening, firewall features and much more This is definitely one of the most in-depth and complete articles we've seen in a while - the author seems to have done his homework If you're looking to secure any sort of BSD box, this post has some very detailed explanations of different exploit mitigation techniques - be sure to read the whole thing There are also some good comments (http://daemonforums.org/showthread.php?s=16fd0771d929aff294b252924b414f2c&t=8823) on DaemonForums and lobste.rs (https://lobste.rs/s/e3s9xr/security_openbsd_vs_freebsd) that you may want to read *** The password? You changed it, right? 
(http://bsdly.blogspot.com/2014/12/the-password-you-changed-it-right.html) Peter Hansteen (http://www.bsdnow.tv/episodes/2014_04_30-puffy_firewall) has a new blog post up, detailing some weird SSH bruteforcing he's seen recently He apparently reads his auth logs when he gets bored at an airport This new bruteforcing attempt seems to be targetting D-Link devices, as evidenced by the three usernames the bots try to use More than 700 IPs have tried to get into Peter's BSD boxes using these names in combination with weak passwords Lots more details, including the lists of passwords and IPs, can be found in the full article If you're using a BSD router (http://www.bsdnow.tv/tutorials/openbsd-router), things like this can be easily prevented with PF or fail2ban (and you probably don't have a "d-link" user anyway) *** Get started with FreeBSD, an intro for Linux users (http://www.infoworld.com/article/2858288/unix/intro-to-freebsd-for-linux-users.html) Another new BSD article on a mainstream technology news site - seems we're getting popular This article is written for Linux users who may be considering switching over to BSD and wondering what it's all about It details installing FreeBSD 9.3 and getting a basic system setup, while touching on ports and packages, and explaining some terminology along the way "Among the legions of Linux users and admins, there seems to be a sort of passive curiosity about FreeBSD and other BSDs. Like commuters on a packed train, they gaze out at a less crowded, vaguely mysterious train heading in a slightly different direction and wonder what traveling on that train might be like" ** Interview - Michael W. 
Lucas - mwlucas@michaelwlucas.com (mailto:mwlucas@michaelwlucas.com) / @mwlauthor (https://twitter.com/mwlauthor) FreeBSD Mastery: Storage Essentials (https://www.tiltedwindmillpress.com/?product=freebsd-mastery-storage-essentials) News Roundup OpenSMTPD status update (https://poolp.org/0xa86e/Some-OpenSMTPD-overview,-part-3) The OpenSMTPD guys (http://www.bsdnow.tv/episodes/2013-09-18_mx_with_ttx), particularly Gilles, have posted an update on what they've been up to lately As of 5.6, it's become the default MTA in OpenBSD, and sendmail will be totally gone in 5.7 Email is a much more tricky protocol than you might imagine, and the post goes through some of the weirdness and problems they've had to deal with There's also another post (https://poolp.org/0xa871/The-state-of-filters) that goes into detail on their upcoming filtering API - a feature many have requested The API is still being developed, but you can test it out now if you know what you're doing - full details in the article OpenSMTPD also has portable versions in FreeBSD ports and NetBSD pkgsrc, so check it out *** OpenCrypto changes in FreeBSD (https://lists.freebsd.org/pipermail/svn-src-head/2014-December/065806.html) A little while back, we talked to John-Mark Gurney (http://www.bsdnow.tv/episodes/2014_10_29-ipsecond_wind) about updating FreeBSD's OpenCrypto framework, specifically for IPSEC Some of that work has just landed in the -CURRENT branch, and the commit has a bit of details The ICM and GCM modes of AES were added, and both include support for AESNI There's a new port - "nist-kat" - that can be used to test the new modes of operation Some things were fixed in the process as well, including an issue that would leak timing info and result in the ability to forge messages Code was also borrowed from both OpenBSD and NetBSD to make this possible *** First thoughts on OpenBSD's httpd (http://www.protoc.org/blog/2014/11/23/first-thoughts-on-the-new-openbsd-httpd-server/) Here we have a blog post 
from a user of OpenBSD's new homegrown web server that made its debut in 5.6 The author loves that it has proper privilege separation, a very simple config syntax and that it always runs in a chroot He also mentions dynamic content hosting with FastCGI, and provides an example of how to set it up Be sure to check our interview with Reyk (http://www.bsdnow.tv/episodes/2014_09_03-its_hammer_time) about the new httpd if you're curious about how it got started Also, if you're running the version that came with 5.6, there's a huge patch (http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/009_httpd.patch.sig) you can apply to get a lot of the features and fixes from -current without waiting for 5.7 *** Steam on PCBSD (https://www.youtube.com/watch?v=B04EuZ9hpAI) One of the most common questions people who want to use BSD as a desktop ask us is "can I run games?" or "can I use Steam?" Steam through the Linux emulation layer (in FreeBSD) may be possible soon, but it's already possible to use it with WINE This video shows how to get Steam set up on PCBSD using the Windows version There are also some instructions in the video description to look over A second video (https://www.youtube.com/watch?v=BJ88B8aWdk0) details getting streaming set up *** Feedback/Questions Charlie writes in (http://slexy.org/view/s2JgqXcw4i) Sean writes in (http://slexy.org/view/s2WormjMCs) Predrag writes in (http://slexy.org/view/s20UmdFrbj) ***
67: Must Be Rigged
Coming up this week on the show, we've got an interview with Patrick Wildt, one of the developers of Bitrig. We'll find out all the details of their OpenBSD fork, what makes it different and what their plans are going forward. We've also got all the week's news and answers to your emails, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Bitrig 1.0 released (http://article.gmane.org/gmane.os.bitrig.devel/6) If you haven't heard of it, Bitrig (https://www.bitrig.org/) is a fork of OpenBSD that started a couple years ago According to their FAQ (https://github.com/bitrig/bitrig/wiki/Faq), some of their goals include: only supporting modern hardware and a limited set of CPU architectures, replacing nearly all GNU tools in base with BSD versions and having better virtualization support They've finally announced their first official release, 1.0 This release introduces support for Clang 3.4, replacing the old GCC, along with libc++ replacing the GNU version It also includes filesystem journaling, support for GPT and - most importantly - a hacker-style console with green text on black background One of the developers answered some questions (https://news.ycombinator.com/item?id=8701936) about it on Hacker News too *** Is it time to try BSD? 
(http://www.technewsworld.com/story/81424.html) Here we get a little peek into the Linux world - more and more people are considering switching On a more mainstream tech news site, they have an article about people switching away from Linux and to BSD People are starting to get even more suspicious of systemd, and lots of drama in the Linux world is leading a whole new group of potential users over to the BSD side This article explores some pros and cons of switching, and features opinions of various users *** Poudriere 3.1 released (https://github.com/freebsd/poudriere/wiki/release_notes_31) One of the first things we ever covered on the show was poudriere (http://www.bsdnow.tv/tutorials/poudriere), a tool with a funny name that's used to build binary packages from FreeBSD ports It's come a long way since then, and bdrewery (http://www.bsdnow.tv/episodes/2014_07_16-network_iodometry) and bapt (http://www.bsdnow.tv/episodes/2014_01_01-eclipsing_binaries) have just announced a new major version This new release features a redesigned web interface to check on the status of your packages There are lots of new bulk building options to preserve packages even if some fail to compile - this makes maintaining a production repo much easier It also introduces a useful new "pkgclean" subcommand to clean out your repository of packages that aren't needed anymore, and poudriere keeps it cleaner by default as well now Check the full release notes for all the additions and bug fixes *** Firewalling with OpenBSD's pf and pfsync (https://www.youtube.com/watch?v=mN5E2EYJnrw) A talk by David Gwynne from an Australian conference was uploaded, with the subject matter being pf and pfsync He uses pf to manage 60 internal networks with a single firewall The talk gives some background on how pf originally came to be and some OpenBSD 101 for the uninitiated It also touches on different rulesets, use cases, configuration syntax, placing limits on connections, ospf, authpf, segregating VLANs, 
synproxy handling and a lot more The second half of the presentation focuses on pfsync and carp for failover and redundancy With two BSD boxes running pfsync, you can actually patch your kernel and still stay connected to IRC *** Interview - Patrick Wildt - patrick@bitrig.org (mailto:patrick@bitrig.org) / @bitrig (https://twitter.com/bitrig) The initial release of Bitrig News Roundup Infrastructural enhancements at NYI (http://freebsdfoundation.blogspot.com/2014/12/the-freebsd-cluster-infrastructural.html) The FreeBSD foundation put up a new blog post detailing some hardware improvements they've recently done Their eastern US colocation is hosted at New York Internet, and is used for FTP mirrors, pkgng mirrors, and also as a place for developers to test things There've been fourteen machines purchased since July, and now FreeBSD boasts a total of sixty-eight physical boxes there This blog post goes into detail about how those servers are used and details some of the network topology *** The long tail of MD5 (http://www.tedunangst.com/flak/post/the-long-tail-of-MD5) Our friend Ted Unangst is on a quest to replace all instances of MD5 in OpenBSD's tree with something more modern In this blog post, he goes through some of the different areas where MD5 still lives, and discovers how easy (or impossible) it would be to replace Through some recent commits, OpenBSD now uses SHA512 in some places that you might not expect Some other places (https://www.marc.info/?l=openbsd-cvs&m=141763065223567&w=4) require a bit more care… *** DragonFly cheat sheet (http://www.dragonflybsd.org/varialus/) If you've been thinking of trying out DragonFlyBSD lately, this might make the transition a bit easier A user-created "cheat sheet" on the website lists some common answers to beginner questions The page features a walkthrough of the installer, some shell tips and workarounds for various issues At the end, it also has some things that new users can get involved with to help out *** 
Experiences with an OpenBSD laptop (http://alxjsn.com/unix/openbsd-laptop/) A lot of people seem to be interested in trying out some form of BSD on their laptop, and this article details just that The author got interested in OpenBSD mostly because of the security focus and the fact that it's not Linux In this blog post, he goes through the steps of researching, installing, configuring, upgrading and finally actually using it on his Thinkpad He even gives us a mention as a good place to learn more about BSD, thanks! *** PC-BSD Updates (http://lists.pcbsd.org/pipermail/testing/2014-December/009638.html) A call for testing of a new update system has gone out Conversion to Qt5 for utils has taken place *** Feedback/Questions Chris writes in (http://slexy.org/view/s2ihSmjpLu) AJ writes in (http://slexy.org/view/s20JXhXS6o) Dan writes in (http://slexy.org/view/s21hfeWB2K) Jeff writes in (http://slexy.org/view/s2k6SmuDGB) *** Mailing List Gold Over 440% faster (https://www.marc.info/?l=openbsd-tech&m=141775233603723&w=2) The (https://lists.freebsd.org/pipermail/freebsd-pf/2014-December/007528.html) PF (https://lists.freebsd.org/pipermail/freebsd-pf/2014-December/007529.html) conundrum (https://lists.freebsd.org/pipermail/freebsd-pf/2014-December/007543.html) (edit: Allan misspoke about PF performance during this segment, apologies.) Violating (https://www.marc.info/?l=openbsd-cvs&m=141807513728073&w=4) bad standards (https://www.marc.info/?l=openbsd-tech&m=141807224826859&w=2) apt-get rid of systemd (https://www.marc.info/?l=openbsd-misc&m=141798194330985&w=2) ***
66: Conference Connoisseur
This week on the show, we'll be talking with Paul Schenkeveld, chairman of the EuroBSDCon foundation. He tells us about his experiences running BSD conferences and how regular users can get involved too. We've also got answers to all your emails and the latest news, coming up on BSD Now - the place to B.. SD. This episode was brought to you by Headlines More BSD presentation videos (https://www.meetbsd.com/) The MeetBSD video uploading spree continues with a few more talks, maybe this'll be the last batch Corey Vixie, Web Apps in Embedded BSD (https://www.youtube.com/watch?v=Pbks12Mqpp8) Allan Jude, UCL config (https://www.youtube.com/watch?v=TjP86iWsEzQ) Kip Macy, iflib (https://www.youtube.com/watch?v=P4FRPKj7F80) While we're on the topic of conferences, AsiaBSDCon's CFP was extended (https://twitter.com/asiabsdcon/status/538352055245492226) by one week This year's ruBSD (https://events.yandex.ru/events/yagosti/rubsd14/) will be on December 13th in Moscow Also, the BSDCan call for papers (http://lists.bsdcan.org/pipermail/bsdcan-announce/2014-December/000135.html) is out, and the event will be in June next year Lastly, according to Rick Miller, "A potential vBSDcon 2015 event is being explored though a decision has yet to be made." 
*** BSD-powered digital library in Africa (http://peercorpsglobal.org/nzegas-digital-library-becomes-a-reality/) You probably haven't heard much about Nzega, Tanzania, but it's an East African country without much internet access With physical schoolbooks being a rarity there, a few companies helped out to bring some BSD-powered reading material to a local school They now have a pair of FreeNAS Minis at the center of their local network, with over 80,000 books and accompanying video content stored on them (~5TB of data currently) The school's workstations also got wiped and reloaded with FreeBSD, and everyone there seems to really enjoy using it *** pfSense 2.2 status update (https://blog.pfsense.org/?p=1486) With lots of people asking when the 2.2 release will be done, some pfSense developers decided to provide a status update 2.2 will have a lot of changes: being based on FreeBSD 10.1, Unbound instead of BIND, updating PHP to something recent, including the new(ish) IPSEC stack updates, etc All these things have taken more time than previously expected The post also has some interesting graphs showing the ratio of opened and closed bugs for the upcoming release *** Recommended hardware threads (https://www.reddit.com/r/BSD/comments/2n8wrg/bsd_on_mini_itx/) A few threads caught our attention this week, all about hardware recommendations for BSD setups In the first one, the OP asks about mini-ITX hardware to run a FreeBSD server and NAS Everyone gave some good recommendations for low power, Atom-based systems The second thread (https://www.marc.info/?t=141694918800006&r=1&w=2) started off asking about which CPU architecture is best for PF on an OpenBSD router, but ended up being another hardware thread For a router, the ALIX, APU and Soekris boards still seem to be the most popular choices, with the third (https://www.reddit.com/r/homelab/comments/24m6tj/) and fourth (https://www.reddit.com/r/PFSENSE/comments/2nblgp/) threads confirming this If you're thinking 
about building your first BSD box - server, router, NAS, whatever - these might be some good links to read *** Interview - Paul Schenkeveld - freebsd@psconsult.nl (mailto:freebsd@psconsult.nl) Running a BSD conference News Roundup From Linux to FreeBSD - for reals (https://www.reddit.com/r/freebsd/comments/2nqa60/) Another Linux user is ready to switch to BSD, and takes to Reddit for some community encouragement (seems to be a common thing now) After being a Linux guy for 20(!) years, he's ready to switch his systems over, and is looking for some helpful guides to transition In the comments, a lot of new switchers offer some advice and reading material If any of the listeners have some things that were helpful along your switching journey, maybe send 'em this guy's way *** Running FreeBSD as a Xen Dom0 (http://wiki.xenproject.org/wiki/FreeBSD_Dom0) Continuing progress has been made to allow FreeBSD to be a host for the Xen hypervisor This wiki article explains how to run the Xen branch of FreeBSD and host virtual machines on it Xen on FreeBSD currently supports PV guests (modified kernels) and HVM (unmodified kernels, uses hardware virtualization features) The wiki provides instructions for running Debian (PV) and FreeBSD (HVM), and discusses the features that are not finished yet *** HardenedBSD updates and changes (http://hardenedbsd.org/article/shawn-webb/2014-11-18/aout-and-null-mapping-support-removal) a.out is the old executable format for Unix The name stands for assembler output, and was coined by Ken Thompson as the fixed name for output of his PDP-7 assembler in 1968 FreeBSD, on which HardenedBSD is based, switched away from a.out in version 3.0 A restriction against NULL mapping was introduced in FreeBSD 7 (https://www.freebsd.org/security/advisories/FreeBSD-EN-09:05.null.asc) and enabled by default in FreeBSD 8 However, for reasons of compatibility, it could be switched off, allowing buggy applications to continue to run, at the risk of allowing a 
kernel bug to be exploited HardenedBSD has removed the sysctl, making it impossible to run in ‘insecure mode’ Package building update: more consistent repo, no more i386 packages (http://hardenedbsd.org/article/shawn-webb/2014-11-30/package-building-infrastructure-maintenance) *** Feedback/Questions Boris writes in (http://slexy.org/view/s2kVPKICqj) Alex writes in (http://slexy.org/view/s21Fic4dZC) (edit: adding "tinker panic 0" to the ntp.conf will disable the sanity check) Chris writes in (http://slexy.org/view/s2zk1Tvfe9) Robert writes in (http://slexy.org/view/s22alvJ4mu) Jake writes in (http://slexy.org/view/s203YMc2zL) *** Mailing List Gold Real world authpf use (https://www.marc.info/?t=141711266800001&r=1&w=2) The (https://svnweb.freebsd.org/ports/head/UPDATING?r1=373564&r2=373563&pathrev=373564) great (https://lists.freebsd.org/pipermail/freebsd-ports/2014-November/096788.html) perl (https://lists.freebsd.org/pipermail/freebsd-ports/2014-November/096799.html) event (https://lists.freebsd.org/pipermail/freebsd-perl/2014-November/010146.html) of (https://lists.freebsd.org/pipermail/freebsd-perl/2014-November/010149.html) 2014 (https://lists.freebsd.org/pipermail/freebsd-perl/2014-November/010167.html) ***
65: 8,000,000 Mogofoo-ops
Coming up on the show this week, we've got an interview with Brendan Gregg of Netflix. He's got a lot to say about performance tuning and benchmarks, and even some pretty funny stories about how people have done them incorrectly. As always, this week's news and answers to your emails, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Even more BSD presentation videos (https://www.meetbsd.com/) More videos from this year's MeetBSD and OpenZFS devsummit were uploaded since last week Robert Ryan, At the Heart of the Digital Economy (https://www.youtube.com/watch?v=Rc9k1xEepWU) FreeNAS & ZFS, The Indestructible Duo - Except for the Hard Drives (https://www.youtube.com/watch?v=d1C6DELK7fc) Richard Yao, libzfs_core and ioctl stabilization (https://www.youtube.com/watch?v=PIC0dwLRBZU) OpenZFS, Company lightning talks (https://www.youtube.com/watch?v=LmbI7F7XTTc) OpenZFS, Hackathon Presentation and Awards (https://www.youtube.com/watch?v=gPbVPwScMGk) Pavel Zakharov, Fast File Cloning (https://www.youtube.com/watch?v=_lGOAZFXra8) Rick Reed, Half a billion unsuspecting FreeBSD users (https://www.youtube.com/watch?v=TneLO5TdW_M) Alex Reece & Matt Ahrens, Device Removal (https://www.youtube.com/watch?v=Xs6MsJ9kKKE) Chris Side, Channel Programs (https://www.youtube.com/watch?v=RMTxyqcomPA) David Maxwell, The Unix command pipeline (https://www.youtube.com/watch?v=CZHEZHK4jRc) Be sure to check out the giant list of videos from last week's episode (http://www.bsdnow.tv/episodes/2014_11_19-rump_kernels_revisited) if you haven't seen them already *** NetBSD on a Cobalt Qube 2 (http://www.jarredcapellman.com/2014/3/9/NetBSD-and-a-Cobalt-Qube-2) The Cobalt Qube was a very expensive networking appliance around 2000 In 2014, you can apparently get one of these MIPS-based machines for about forty bucks This blog post details getting NetBSD installed and set up on the rare relic of our networking past If you're an old-time fan of RISC or MIPS CPUs, this'll be 
a treat for you Lots of great pictures of the hardware too *** OpenBSD vs. AFL (https://www.marc.info/?l=openbsd-cvs&w=2&r=1&s=afl&q=b) In their never-ending security audit, some OpenBSD developers have been hitting various parts of the tree (https://twitter.com/damienmiller/status/534156368391831552) with a fuzzer If you're not familiar, fuzzing (https://en.wikipedia.org/wiki/Fuzz_testing) is a semi-automated way to test programs for crashes and potential security problems The program being subjected to torture gets all sorts of random and invalid input, in the hopes of uncovering overflows and other bugs American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/), in particular, has provided some interesting results across various open source projects recently So far, it's fixed some NULL pointer dereferences in OpenSSH, various crashes in tcpdump and mandoc (http://www.bsdnow.tv/episodes/2014_11_12-a_mans_man) and a few other things (https://www.marc.info/?l=openbsd-cvs&m=141646270127039&w=2) AFL has an impressive list of CVEs (vulnerabilities) that it's helped developers discover and fix It also made its way into OpenBSD ports, FreeBSD ports and NetBSD's pkgsrc very recently, so you can try it out for yourself *** GNOME 3 hits the FreeBSD ports tree (https://svnweb.freebsd.org/ports?view=revision&revision=372768) While you've been able to run GNOME 3 on PC-BSD and OpenBSD for a while, it hasn't actually hit the FreeBSD ports tree.. 
until now Now you can play with GNOME 3 and all its goodies (as well as Cinnamon 2.2, which this also brings in) on vanilla FreeBSD Be sure to check the commit message and /usr/ports/UPDATING (http://www.bsdnow.tv/tutorials/ports) if you're upgrading from GNOME 2 You might also want to go back and listen to our interview (http://www.bsdnow.tv/episodes/2014_02_26-port_authority) with Joe Marcus Clark about GNOME's portability *** Interview - Brendan Gregg - bgregg@netflix.com (mailto:bgregg@netflix.com) / @brendangregg (https://twitter.com/brendangregg) Performance tuning, benchmarks, debugging News Roundup DragonFlyBSD 4.0 released (http://www.dragonflybsd.org/release40/) A new major version of DragonFly, 4.0.1, was just recently announced This version includes support for Haswell GPUs, lots of SMP improvements (including some in PF) and support for up to 256 CPUs It's also the first release to drop support for i386, so it joins PCBSD in the 64 bit-only club Check the release notes for all the details, including networking and kernel improvements, as well as some crypto changes *** Can we talk about FreeBSD vs Linux (https://news.ycombinator.com/item?id=8645443) Hackernews had a recent thread about discussing Linux vs BSD, and the trolls stayed away for once Rather than rehashing why one is "better" than the other, it was focused on explaining some of the differences between ecosystems and communities If you're one of the many people who watch our show just out of curiosity about the BSD world, this might be a good thread to read Someone in the comments even gave bsdnow.tv a mention as a good resource to learn, thanks guy *** OpenBSD IPSEC tunnel guide (http://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/) If you've ever wanted to connect two networks with OpenBSD gateways, this is the article for you It shows how to set up an IPSEC tunnel between destinations, how to lock it down and how to access all the machines on the other network just like they were on 
your LAN The article also explains some of the basics of IPSEC if you're not familiar with all the terminology, so this isn't just for experts Though the article itself is a few years old, it mostly still applies to the latest stuff today All the tools used are in the OpenBSD base system, so that's pretty handy too *** DragonFly starts work on IPFW2 (http://www.dragonflybsd.org/docs/ipfw2/) DragonFlyBSD, much like FreeBSD, comes with more than one firewall you can use Now it looks like you're going to have yet another choice, as someone is working on a fork of IPFW (which is actually already in its second version, so it should be "IPFW3") Not a whole lot is known yet; it's still in heavy development, but there's a brief roadmap (http://www.dragonflybsd.org/docs/ipfw2/#index6h1) page with some planned additions The guy who's working on this has already agreed to come on the show for an interview, but we're going to give him a chance to get some more work done first Expect that sometime next year, once he's made some progress *** Feedback/Questions Michael writes in (http://slexy.org/view/s2NYgVifXN) Samael writes in (http://slexy.org/view/s21X02saI3) Steven writes in (http://slexy.org/view/s21Dj7zImH) Remy writes in (http://slexy.org/view/s218lXg38C) Michael writes in (http://slexy.org/view/s20SEuKlaH) ***
64: Rump Kernels Revisited
This time on the show, we'll be talking with Justin Cormack about NetBSD rump kernels. We'll learn how to run them on other operating systems, what's planned for the future and a lot more. As always, answers to viewer-submitted questions and all the news for the week, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines EuroBSDCon 2014 talks and tutorials (http://2014.eurobsdcon.org/talks-and-schedule/) The 2014 EuroBSDCon videos have been online for over a month, but unannounced - keep in mind these links may be temporary (but we'll mention their new location in a future show and fix the show notes if that's the case) Arun Thomas, BSD ARM Kernel Internals (https://va.ludost.net/files/eurobsdcon/2014/Rodopi/03.Saturday/01.BSD-ARM%20Kernel%20Internals%20-%20Arun%20Thomas.mp4) Ted Unangst, Developing Software in a Hostile Environment (https://va.ludost.net/files/eurobsdcon/2014/Rodopi/03.Saturday/02.Developing%20Software%20in%20a%20Hostile%20Environment%20-%20Ted%20Unangst.mp4) Martin Pieuchot, Taming OpenBSD Network Stack Dragons (https://va.ludost.net/files/eurobsdcon/2014/Rodopi/03.Saturday/03.Taming%20OpenBSD%20Network%20Stack%20Dragons%20-%20Martin%20Pieuchot.mp4) Henning Brauer, OpenBGPD turns 10 years (https://va.ludost.net/files/eurobsdcon/2014/Rodopi/03.Saturday/04.OpenBGPD%20turns%2010%20years%20-%20%20Henning%20Brauer.mp4) Claudio Jeker, vscsi and iscsid iSCSI initiator the OpenBSD way (https://va.ludost.net/files/eurobsdcon/2014/Rodopi/03.Saturday/05.vscsi(4)%20and%20iscsid%20-%20iSCSI%20initiator%20the%20OpenBSD%20way%20-%20Claudio%20Jeker.mp4) Paul Irofti, Making OpenBSD Useful on the Octeon Network Gear (https://va.ludost.net/files/eurobsdcon/2014/Rodopi/03.Saturday/06.Making%20OpenBSD%20Useful%20on%20the%20Octeon%20Network%20Gear%20-%20Paul%20Irofti.mp4) Baptiste Daroussin, Cross Building the FreeBSD ports tree 
(https://va.ludost.net/files/eurobsdcon/2014/Rodopi/04.Sunday/01.Cross%20Building%20the%20FreeBSD%20ports%20tree%20-%20Baptiste%20Daroussin.mp4) Boris Astardzhiev, Smartcom’s control plane software, a customized version of FreeBSD (https://va.ludost.net/files/eurobsdcon/2014/Rodopi/04.Sunday/02.Smartcom%e2%80%99s%20control%20plane%20software,%20a%20customized%20version%20of%20FreeBSD%20-%20Boris%20Astardzhiev.mp4) Michał Dubiel, OpenStack and OpenContrail for FreeBSD platform (https://va.ludost.net/files/eurobsdcon/2014/Rodopi/04.Sunday/03.OpenStack%20and%20OpenContrail%20for%20FreeBSD%20platform%20-%20Micha%c5%82%20Dubiel.mp4) Martin Husemann & Joerg Sonnenberger, Tool-chaining the Hydra, the ongoing quest for modern toolchains in NetBSD (https://va.ludost.net/files/eurobsdcon/2014/Rodopi/04.Sunday/04.(Tool-)chaining%20the%20Hydra%20The%20ongoing%20quest%20for%20modern%20toolchains%20in%20NetBSD%20-%20Martin%20Huseman%20&%20Joerg%20Sonnenberger.mp4) Taylor R Campbell, The entropic principle: /dev/u?random and NetBSD (https://va.ludost.net/files/eurobsdcon/2014/Rodopi/04.Sunday/05.The%20entropic%20principle:%20dev-u%3frandom%20and%20NetBSD%20-%20Taylor%20R%20Campbell.mp4) Dag-Erling Smørgrav, Securing sensitive & restricted data (https://va.ludost.net/files/eurobsdcon/2014/Rodopi/04.Sunday/06.Securing%20sensitive%20&%20restricted%20data%20-%20Dag-Erling%20Sm%c3%b8rgrav.mp4) Peter Hansteen, Building The Network You Need (https://va.ludost.net/files/eurobsdcon/2014/Pirin/01.Thursday/01.Building%20The%20Network%20You%20Need%20With%20PF%20-%20Peter%20Hansteen.mp4) With PF (https://va.ludost.net/files/eurobsdcon/2014/Pirin/01.Thursday/02.Building%20The%20Network%20You%20Need%20With%20PF%20-%20Peter%20Hansteen.mp4) Stefan Sperling, Subversion for FreeBSD developers (https://va.ludost.net/files/eurobsdcon/2014/Pirin/01.Thursday/03.Subversion%20for%20FreeBSD%20developers%20-%20Stefan%20Sperling.mp4) Peter Hansteen, Transition to 
(https://va.ludost.net/files/eurobsdcon/2014/Pirin/02.Friday/01.Transition%20to%20OpenBSD%205.6%20-%20Peter%20Hansteen.mp4) OpenBSD 5.6 (https://va.ludost.net/files/eurobsdcon/2014/Pirin/02.Friday/02.Transition%20to%20OpenBSD%205.6%20-%20Peter%20Hansteen.mp4) Ingo Schwarze, Let’s make manuals (https://va.ludost.net/files/eurobsdcon/2014/Pirin/02.Friday/03.Let%e2%80%99s%20make%20manuals%20more%20useful%20-%20Ingo%20Schwarze.mp4) more useful (https://va.ludost.net/files/eurobsdcon/2014/Pirin/02.Friday/04.Let%e2%80%99s%20make%20manuals%20more%20useful%20-%20Ingo%20Schwarze.mp4) Francois Tigeot, Improving DragonFly’s performance with PostgreSQL (https://va.ludost.net/files/eurobsdcon/2014/Pirin/03.Saturday/01.Improving%20DragonFly%e2%80%99s%20performance%20with%20PostgreSQL%20-%20Francois%20Tigeot.mp4) Justin Cormack, Running Applications on the NetBSD Rump Kernel (https://va.ludost.net/files/eurobsdcon/2014/Pirin/03.Saturday/02.Running%20Applications%20on%20the%20NetBSD%20Rump%20Kernel%20-%20Justin%20Cormack.mp4) Pierre Pronchery, EdgeBSD, a year later (https://va.ludost.net/files/eurobsdcon/2014/Pirin/03.Saturday/04.EdgeBSD,%20a%20year%20later%20-%20%20Pierre%20Pronchery.mp4) Peter Hessler, Using routing domains or tables in a production network (https://va.ludost.net/files/eurobsdcon/2014/Pirin/03.Saturday/05.Using%20routing%20domains%20or%20tables%20in%20a%20production%20network%20-%20%20Peter%20Hessler.mp4) Sean Bruno, QEMU user mode on FreeBSD (https://va.ludost.net/files/eurobsdcon/2014/Pirin/03.Saturday/06.QEMU%20user%20mode%20on%20FreeBSD%20-%20%20Sean%20Bruno.mp4) Kristaps Dzonsons, Bugs Ex Ante (https://va.ludost.net/files/eurobsdcon/2014/Pirin/04.Sunday/01.Bugs%20Ex%20Ante%20-%20Kristaps%20Dzonsons.mp4) Yann Sionneau, Porting NetBSD to the LatticeMico32 open source CPU (https://va.ludost.net/files/eurobsdcon/2014/Pirin/04.Sunday/02.Porting%20NetBSD%20to%20the%20LatticeMico32%20open%20source%20CPU%20-%20Yann%20Sionneau.mp4) Alexander Nasonov, JIT Code 
Generator for NetBSD (https://va.ludost.net/files/eurobsdcon/2014/Pirin/04.Sunday/03.JIT%20Code%20Generator%20for%20NetBSD%20-%20Alexander%20Nasonov.mp4) Masao Uebayashi, Porting Valgrind to NetBSD and OpenBSD (https://va.ludost.net/files/eurobsdcon/2014/Pirin/04.Sunday/04.Porting%20Valgrind%20to%20NetBSD%20and%20OpenBSD%20-%20Masao%20Uebayashi.mp4) Marc Espie, parallel make, working with legacy code (https://va.ludost.net/files/eurobsdcon/2014/Pirin/04.Sunday/05.parallel%20make:%20working%20with%20legacy%20code%20-%20Marc%20Espie.mp4) Francois Tigeot, Porting the drm-kms graphic drivers to DragonFly (https://va.ludost.net/files/eurobsdcon/2014/Pirin/04.Sunday/06.Porting%20the%20drm-kms%20graphic%20drivers%20to%20DragonFly%20-%20Francois%20Tigeot.mp4) The following talks (from the Vitosha track room) are all currently missing: Jordan Hubbard, FreeBSD, Looking forward to another 10 years (but we have another recording) Theo de Raadt, Randomness, how arc4random has grown since 1998 (but we have another recording) Kris Moore, Snapshots, Replication, and Boot-Environments Kirk McKusick, An Introduction to the Implementation of ZFS John-Mark Gurney, Optimizing GELI Performance Emmanuel Dreyfus, FUSE and beyond, bridging filesystems Lourival Vieira Neto, NPF scripting with Lua Andy Tanenbaum, A Reimplementation of NetBSD Based on a Microkernel Stefano Garzarella, Software segmentation offloading for FreeBSD Ted Unangst, LibreSSL Shawn Webb, Introducing ASLR In FreeBSD Ed Maste, The LLDB Debugger in FreeBSD Philip Guenther, Secure lazy binding *** OpenBSD adopts SipHash (https://www.marc.info/?l=openbsd-tech&m=141614801713457&w=2) Even more DJB crypto somehow finds its way into OpenBSD's base system This time it's SipHash (https://131002.net/siphash/), a family of pseudorandom functions that's resistant to hash bucket flooding attacks while still providing good performance After an initial import 
(http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/crypto/siphash.c?rev=1.1&content-type=text/x-cvsweb-markup) and some clever early usage (https://www.marc.info/?l=openbsd-cvs&m=141604896822253&w=2), a few developers agreed that it would be better to use it in a lot more places
It will now be used in the filesystem, and the plan is to utilize it to protect all kernel hash functions
Some other places (http://www.bsdnow.tv/episodes/2013_12_18-cryptocrystalline) that Bernstein's work can be found in OpenBSD include the ChaCha20-Poly1305 authenticated stream cipher and Curve25519 KEX used in SSH, ChaCha20 used in the RNG, and Ed25519 keys used in signify (http://www.bsdnow.tv/episodes/2014_02_05-time_signatures) and SSH
***

FreeBSD 10.1-RELEASE (https://www.freebsd.org/releases/10.1R/announce.html)
FreeBSD's release engineering team (http://www.bsdnow.tv/episodes/2013-09-11_engineering_powder_kegs) likes to troll us by uploading new versions just a few hours after we finish recording an episode
The first maintenance update for the 10.x branch is out, improving upon a lot of things found in 10.0-RELEASE
The vt driver was merged from -CURRENT and can now be enabled with a loader.conf switch (and can even be used on a PlayStation 3)
Bhyve has gotten quite a lot of fixes and improvements from its initial debut in 10.0, including boot support for ZFS
Lots of new ARM hardware is supported now, including SMP support for most of them
A new kernel selection menu was added to the loader, so you can switch between newer and older kernels at boot time
10.1 is the first to support UEFI booting on amd64, which also has serial console support now
Lots of third party software (OpenSSH, OpenSSL, Unbound..) and drivers have gotten updates to newer versions
It's a worthy update from 10.0, or a good time to try the 10.x branch if you were avoiding the first .0 release, so grab an ISO (http://ftp.freebsd.org/pub/FreeBSD/ISO-IMAGES-amd64/10.1/) or upgrade (https://www.freebsd.org/cgi/man.cgi?query=freebsd-update) today
Check the detailed release notes (https://www.freebsd.org/releases/10.1R/relnotes.html) for more information on all the changes
Also take a look at some of the known problems (https://www.freebsd.org/releases/10.1R/errata.html#open-issues) to see if (https://forums.freebsd.org/threads/segmentation-fault-while-upgrading-from-10-0-release-to-10-1-release.48977/) you'll (https://lists.freebsd.org/pipermail/freebsd-stable/2014-October/080599.html) be (https://forums.freebsd.org/threads/10-0-10-1-diocaddrule-operation-not-supported-by-device.49016/) affected (https://www.reddit.com/r/freebsd/comments/2mmzzy/101release_restart_problems_anyone/) by any of them
PC-BSD was also updated accordingly (http://wiki.pcbsd.org/index.php/What%27s_New/10.1) with some of their own unique features and changes
***

arc4random - Randomization for All Occasions (https://www.youtube.com/watch?v=aWmLWx8ut20)
Theo de Raadt gave an updated version of his EuroBSDCon presentation at Hackfest 2014 in Quebec
The presentation is mainly about OpenBSD's arc4random function, and outlines the overall poor state of randomization in the 90s and how it has evolved in OpenBSD over time
It begins with some interesting history on OpenBSD and how it became a security-focused OS - in 1996, their syslogd got broken into and "suddenly we became interested in security"
The talk also touches on how low-level changes can shake up the software ecosystem and third party packages that everyone uses
There's some funny history on the name of the function (being called arc4random despite not using RC4 anymore) and an overall status update on various platforms' usage of it
Very detailed and informative presentation, and the slides can be found here (http://www.openbsd.org/papers/hackfest2014-arc4random/index.html)
A great quote from the beginning: "We consider ourselves a community of (probably rather strange) people who work on software specifically for the purpose of trying to make it better. We take a 'whole-systems' approach: trying to change everything in the ecosystem that's under our control, trying to see if we can make it better. We gain a lot of strength by being able to throw backwards compatibility out the window. So that means that we're able to do research and the minute that we decide that something isn't right, we'll design an alternative for it and push it in. And if it ends up breaking everybody's machines from the previous stage to the next stage, that's fine because we'll end up in a happier place."
***

Interview - Justin Cormack - justin@netbsd.org (mailto:justin@netbsd.org) / @justincormack (https://twitter.com/justincormack)
NetBSD on Xen, rump kernels, various topics

News Roundup

The FreeBSD foundation's biggest donation (http://freebsdfoundation.blogspot.com/2014/11/freebsd-foundation-announces-generous.html)
The FreeBSD foundation has a new blog post about the largest donation they've ever gotten
From the CEO of WhatsApp comes a whopping one million dollars in a single donation
It also has some comments from the donor about why they use BSD and why it's important to give back
Be sure to donate to the foundation of whatever BSD you use when you can - every little bit helps, especially for OpenBSD (http://www.openbsd.org/donations.html), NetBSD (https://www.netbsd.org/donations/) and DragonFly (http://www.dragonflybsd.org/donations/) who don't have huge companies supporting them regularly like FreeBSD does
***

OpenZFS Dev Summit 2014 videos (http://open-zfs.org/wiki/OpenZFS_Developer_Summit)
Videos from the recent OpenZFS developer summit are being uploaded, with speakers from different represented platforms and companies
Matt Ahrens (http://www.bsdnow.tv/episodes/2014_05_14-bsdcanned_goods), opening keynote (https://www.youtube.com/watch?v=XnTzbisLYzg)
Raphael Carvalho, Platform Overview: ZFS on OSv (https://www.youtube.com/watch?v=TJLOBLSRoHE)
Brian Behlendorf, Platform Overview: ZFS on Linux (https://www.youtube.com/watch?v=_MVOpMNV7LY)
Prakash Surya, Platform Overview: illumos (https://www.youtube.com/watch?v=UtlGt3ag0o0)
Xin Li, Platform Overview: FreeBSD (https://www.youtube.com/watch?v=xO0x5_3A1X4)
All platforms, Group Q&A Session (https://www.youtube.com/watch?v=t4UlT0RmSCc)
Dave Pacheco, Manta (https://www.youtube.com/watch?v=BEoCMpdB8WU)
Saso Kiselkov, Compression (https://www.youtube.com/watch?v=TZF92taa_us)
George Wilson (http://www.bsdnow.tv/episodes/2013_12_04-zettabytes_for_days), Performance (https://www.youtube.com/watch?v=deJc0EMKrM4)
Tim Feldman, Host-Aware SMR (https://www.youtube.com/watch?v=b1yqjV8qemU)
Pavel Zakharov, Fast File Cloning (https://www.youtube.com/watch?v=-4c4gsLi1LI)
The audio is pretty poor (https://twitter.com/OpenZFS/status/534005125853888512) on all of them unfortunately
***

BSDTalk 248 (http://bsdtalk.blogspot.com/2014/11/bsdtalk248-dragonflybsd-with-matthew.html)
Our friend Will Backman is still busy getting BSD interviews as well
This time he sits down with Matthew Dillon, the lead developer of DragonFly BSD
We've never had Dillon on the show, so you'll definitely want to give this one a listen
They mainly discuss all the big changes coming in DragonFly's upcoming 4.0 release
***

MeetBSD 2014 videos (https://www.meetbsd.com/)
The presentations from this year's MeetBSD conference are starting to appear online as well
Kirk McKusick (http://www.bsdnow.tv/episodes/2013-10-02_stacks_of_cache), A Narrative History of BSD (https://www.youtube.com/watch?v=DEEr6dT-4uQ)
Jordan Hubbard (http://www.bsdnow.tv/episodes/2013_11_27-bridging_the_gap), FreeBSD: The Next 10 Years (https://www.youtube.com/watch?v=Mri66Uz6-8Y)
Brendan Gregg, Performance Analysis (https://www.youtube.com/watch?v=uvKMptfXtdo)
The slides can be found here (https://www.meetbsd.com/agenda/)
***

Feedback/Questions
Dominik writes in (http://slexy.org/view/s20PXjp55N)
Steven writes in (http://slexy.org/view/s2LwEYT3bA)
Florian writes in (http://slexy.org/view/s2ubK8vQVt)
Richard writes in (http://slexy.org/view/s216Eq8nFG)
Kevin writes in (http://slexy.org/view/s21D2ugDUy)
***

Mailing List Gold
Contributing without code (https://www.marc.info/?t=141600819500004&r=1&w=2)
Compression isn't a CRIME (https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-November/033176.html)
Securing web browsers (https://www.marc.info/?t=141616714600001&r=1&w=2)
***
63: A Man's man(1)
This time on the show, we've got an interview with Kristaps Džonsons, the creator of mandoc. He tells us how the project got started and what its current status is across the various BSDs. We also have a mini-tutorial on using PF to throttle bandwidth. This week's news, answers to your emails and even some cheesy mailing list gold, coming up on BSD Now - the place to B.. SD.
This episode was brought to you by

Headlines

Updates to FreeBSD's random(4) (https://svnweb.freebsd.org/base?view=revision&revision=273872)
FreeBSD's random device, which presents itself as "/dev/random" to users (https://news.ycombinator.com/item?id=8550457), has gotten a fairly major overhaul in -CURRENT
The CSPRNG (cryptographically secure pseudo-random number generator) algorithm, Yarrow, now has a new alternative called Fortuna
Yarrow is still the default for now, but Fortuna can be used with a kernel option (and will likely be the new default in 11.0-RELEASE)
Pluggable modules can now be written to add more sources of entropy
These changes are expected to make it in 11.0-RELEASE, but there hasn't been any mention of MFCing them to 10 or 9
***

OpenBSD Tor relays and network diversity (https://lists.torproject.org/pipermail/tor-relays/2014-November/005661.html)
We've talked about getting more BSD-based Tor nodes (http://lists.nycbug.org/mailman/listinfo/tor-bsd) a few times in previous episodes
The "tor-relays" mailing list has had some recent discussion about increasing diversity in the Tor network, specifically by adding more OpenBSD nodes
With the security features and attention to detail, it makes for an excellent dedicated Tor box
More and more adversaries are attacking Tor nodes, so having something that can withstand that will help the greater network at large
A few users are even saying they'll convert their Linux nodes to OpenBSD to help out
Check the archive for the full conversation, and maybe run a node yourself (http://www.bsdnow.tv/tutorials/tor) on any of the BSDs
The Tor wiki page on OpenBSD is pretty out of date (https://lists.torproject.org/pipermail/tor-dev/2014-November/007715.html) (nine years old!?) and uses the old pf syntax, maybe one of our listeners can modernize it
***

SSP now default for FreeBSD ports (https://lists.freebsd.org/pipermail/freebsd-ports/2014-November/096344.html)
SSP, or Stack Smashing Protection (https://en.wikipedia.org/wiki/Buffer_overflow_protection), is an additional layer of protection against buffer overflows that the compiler can give to the binaries it produces
It's now enabled by default in FreeBSD's ports tree, and the pkgng packages will have it as well - but only for amd64 (all supported releases) and i386 (10.0-RELEASE or newer)
This will only apply to regular ports and binary packages, not the quarterly branch that only receives security updates
If you were using the temporary "new Xorg" or SSP package repositories instead of the default ones, you need to switch back over
NetBSD made this the default on i386 and amd64 two years ago (https://www.netbsd.org/releases/formal-6/NetBSD-6.0.html) and OpenBSD made this the default on all architectures twelve years ago (https://www.marc.info/?l=openbsd-cvs&m=103881967909595&w=2)
Next time you rebuild your ports, things should be automatically hardened without any extra steps or configuration needed
***

Building an OpenBSD firewall and router (https://www.reddit.com/r/BSD/comments/2ld0yw/building_an_openbsd_firewall_and_router/)
While we've discussed the software and configuration of an OpenBSD router, this Reddit thread focuses more on the hardware side
The OP lists some of his potential choices, but was originally looking for something a bit cheaper than a Soekris
Most agree that, if it's for a business especially, it's worth the extra money to go with something that's well known in the BSD community
They also list a few other popular alternatives: ALIX or the APU series from PC Engines, some Supermicro boards, etc.
Through the comments, we also find out that QuakeCon runs OpenBSD on their network
Hopefully most of our listeners are running some kind of BSD as their gateway - try it out (http://www.bsdnow.tv/tutorials/openbsd-router) if you haven't already
***

Interview - Kristaps Džonsons - kristaps@bsd.lv (mailto:kristaps@bsd.lv)
Mandoc, historical man pages, various topics

Tutorial

Throttling bandwidth with PF (http://www.bsdnow.tv/tutorials/openbsd-router#queues)

News Roundup

NetBSD at Kansai Open Forum 2014 (https://mail-index.netbsd.org/netbsd-advocacy/2014/11/08/msg000672.html)
Japanese NetBSD users invade yet another conference, demonstrating that they can and will install NetBSD on everything
From a Raspberry Pi to SHARP Netwalkers to various luna68k devices, they had it all
As always, you can find lots of pictures in the trip report
***

Getting to know your portmgr lurkers (http://blogs.freebsdish.org/portmgr/2014/11/04/getting-to-know-your-portmgr-lurker-ak/)
The lovable "getting to know your portmgr" series makes its triumphant return
This time around, they interview Alex, one of the portmgr lurkers that joined just this month
"How would you describe yourself?" "Too lazy."
Another post (http://blogs.freebsdish.org/portmgr/2014/11/08/getting-to-know-your-portmgr-lurker-ehaupt/) includes a short interview with Emanuel, another new lurker
We discussed the portmgr lurkers initiative with Steve Wills a while back (http://www.bsdnow.tv/episodes/2014_10_01-the_daemons_apprentice)
***

NetBSD's ARM port gets SMP (https://blog.netbsd.org/tnf/entry/working_arm_multiprocessor_support)
The ARM port of NetBSD now has SMP support, allowing more than one CPU to be used
This blog post on the website has a list of supported boards: Banana Pi, Cubieboard 2, Cubietruck, Merrii Hummingbird A31, CUBOX-I and NITROGEN6X
NetBSD's release team is working on getting these changes into the 7 branch before 7.0 is released
There are also a few nice pictures in the article
***

A high performance mid-range NAS (http://pivotallabs.com/high-performing-mid-range-nas-server-part-2-performance-tuning-iscsi/)
This blog post is about FreeNAS and optimizing iSCSI performance
It talks about using mid-range hardware with FreeNAS and different tunables you can change to affect performance
There are some nice graphs and lots of detail if you're interested in tweaking some of your own settings
They conclude "there is no optimal configuration; rather, FreeNAS can be configured to suit a particular workload"
***

Feedback/Questions
Heto writes in (http://slexy.org/view/s2xGCUj8mC)
Brad writes in (http://slexy.org/view/s2SJ8xppDJ)
Tyler writes in (http://slexy.org/view/s20Ktl6BMk)
Tim writes in (http://slexy.org/view/s2AsrxU0ZQ)
Brad writes in (http://slexy.org/view/s21yn0xLv2)
***

Mailing List Gold
Suspicious contributions (https://www.marc.info/?t=141379917200003&r=1&w=2)
La puissance du fromage (https://www.marc.info/?l=openbsd-cvs&m=141538800019451&w=2)
Nothing unusual here (https://mail-index.netbsd.org/tech-ports/2002/07/05/0000.html)
***
62: Gift from the Sun
We're away at MeetBSD this week, but we've still got a great show for you. We'll be joined by Pawel Dawidek, who's done quite a lot of things in FreeBSD over the years, including the initial ZFS port. We'll get to hear how that came about, what he's up to now and a whole lot more. We'll be back next week with a normal episode of BSD Now - the place to B.. SD.
This episode was brought to you by

Interview - Pawel Jakub Dawidek - pjd@freebsd.org (mailto:pjd@freebsd.org)
Porting ZFS, GEOM, GELI, Capsicum, various topics
61: IPSECond Wind
This week on the show, we sat down with John-Mark Gurney to talk about modernizing FreeBSD's IPSEC stack. We'll learn what he's adding, what needed to be fixed and how we'll benefit from the changes. As always, answers to your emails and all of this week's news, on BSD Now - the place to B.. SD.
This episode was brought to you by

Headlines

BSD panel at Phoenix LUG (https://www.youtube.com/watch?v=3AOF7fm-TJ0)
The Phoenix, Arizona Linux users group had a special panel so they could learn a bit more about BSD
It had one FreeBSD user and one OpenBSD user, and they answered questions from the organizer and the people in the audience
They covered a variety of topics, including filesystems, firewalls, different development models, licenses and philosophy
It was a good "real world" example of things potential switchers are curious to know about
They closed by concluding that more diversity is always better, and even if you've got a lot of Linux boxes, putting a few BSD ones in the mix is a good idea
***

Book of PF signed copy auction (http://bsdly.blogspot.com/2014/10/the-book-of-pf-3rd-edition-is-here.html)
Peter Hansteen (who we've had on the show (http://www.bsdnow.tv/episodes/2014_04_30-puffy_firewall)) is auctioning off the first signed copy of the new Book of PF
All the profits from the sale will go to the OpenBSD Foundation (http://www.openbsd.org/donations.html)
The updated edition of the book includes all the latest pf syntax changes, but also provides examples for FreeBSD and NetBSD's versions (which still use ALTQ, among other differences)
If you're interested in firewalls, security or even just advanced networking, this book is a great one to have on your shelf - and the money will also go to a good cause
Michael Lucas (http://www.bsdnow.tv/episodes/2013_11_06-year_of_the_bsd_desktop) has challenged Peter (https://www.marc.info/?l=openbsd-misc&m=141429413908567&w=2) to raise more for the foundation than his last book sale - let's see who wins
Pause the episode, go bid on it (http://www.ebay.com/itm/321563281902) and then come back!
***

FreeBSD Foundation goes to EuroBSDCon (http://freebsdfoundation.blogspot.com/2014/10/freebsd-foundation-goes-to-eurobsdcon.html)
Some people from the FreeBSD Foundation went to EuroBSDCon this year, and came back with a nice trip report
They also sponsored four other developers to go
The foundation was there "to find out what people are working on, what kind of help they could use from the Foundation, feedback on what we can be doing to support the FreeBSD Project and community, and what features/functions people want supported in FreeBSD"
They also have a second report (http://freebsdfoundation.blogspot.com/2014/10/eurobsdcon-trip-report-kamil-czekirda.html) from Kamil Czekirda
A total of $2000 was raised at the conference
***

OpenBSD 5.6 released (http://www.openbsd.org/56.html)
Note: we're doing this story a couple days early - it's actually being released on November 1st (this Saturday), but we have next week off and didn't want to let this one slip through the cracks - it may be out by the time you're watching this
Continuing their always-on-time six month release cycle, the OpenBSD team has released version 5.6
It includes support for new hardware, lots of driver updates, network stack improvements (SMP, in particular) and new security features
5.6 is the first formal release with LibreSSL, their fork of OpenSSL, and lots of ports have been fixed to work with it
You can now hibernate your laptop when using a fully-encrypted filesystem (see our tutorial (http://www.bsdnow.tv/tutorials/fde) for that)
ALTQ, Kerberos, Lynx, Bluetooth, TCP Wrappers and Apache were all removed
This will serve as a "transitional" release for a lot of services: moving from Sendmail to OpenSMTPD, from nginx to httpd (http://www.bsdnow.tv/episodes/2014_09_03-its_hammer_time) and from BIND to Unbound
Sendmail, nginx and BIND will be gone in the next release, so either migrate to the new stuff between now and then or switch to the ports versions
As always, 5.6 comes with its own song and artwork (http://www.openbsd.org/lyrics.html#56) - the theme this time was obviously LibreSSL
Be sure to check the full changelog (http://www.openbsd.org/plus56.html) (it's huge) and pick up a CD or tshirt (http://www.openbsd.org/orders.html) to support their efforts
If you don't already have the public key releases are signed with, getting a physical CD is a good "out of band" way to obtain it safely
Here are some cool images of the set (https://imgur.com/a/5PtFe)
After you do your installation or upgrade (http://www.openbsd.org/faq/upgrade56.html), don't forget to head over to the errata page (http://www.openbsd.org/errata56.html) and apply any patches listed there
***

Interview - John-Mark Gurney - jmg@freebsd.org (mailto:jmg@freebsd.org) / @encthenet (https://twitter.com/encthenet)
Updating FreeBSD's IPSEC stack

News Roundup

Clang in DragonFly BSD (https://www.dragonflydigest.com/2014/10/22/14942.html)
As we all know, FreeBSD got rid of GCC in 10.0, and now uses Clang almost exclusively on i386/amd64
Some DragonFly developers are considering migrating over as well, and one of them is doing some work to make the OS more Clang-friendly
We'd love to see more BSDs switch to Clang/LLVM eventually, it's a lot more modern than the old GCC most are using
***

reallocarray(): integer overflow detection for free (http://lteo.net/blog/2014/10/28/reallocarray-in-openbsd-integer-overflow-detection-for-free/)
One of the less obvious features in OpenBSD 5.6 is a new libc function: "reallocarray()"
It's a replacement function for realloc(3) that provides integer overflow detection at basically no extra cost
Theo and a few other developers have already started (https://secure.freshbsd.org/search?project=openbsd&q=reallocarray) a mass audit of the entire source tree, replacing many instances with this new feature
OpenBSD's explicit_bzero was recently imported into FreeBSD, maybe someone could port this over too
***

Switching from Linux blog (http://bothsidesofthence.tumblr.com/)
A listener of the show has started a new blog series, detailing his experiences in switching over to BSD from Linux
After over ten years of using Linux, he decided to give BSD a try after listening to our show (which is awesome)
So far, he's put up a few posts about his initial thoughts, some documentation he's going through and his experiments so far
It'll be an ongoing series, so we may check back in with him again later on
***

Owncloud in a FreeNAS jail (https://www.youtube.com/watch?v=z6VQwOl4wE4)
One of the most common emails we get is about running Owncloud in FreeNAS
Now, finally, someone made a video on how to do just that, and it's even jailed
A member of the FreeNAS community has uploaded a video on how to set it up, with lighttpd as the webserver backend
If you're looking for an easy way to back up and sync your files, this might be worth a watch
***

Feedback/Questions
Ernõ writes in (http://slexy.org/view/s2XEsQdggZ)
David writes in (http://slexy.org/view/s21EizH2aR)
Kamil writes in (http://slexy.org/view/s24SAJ5im6)
Torsten writes in (http://slexy.org/view/s20ABZe0RD)
Dominik writes in (http://slexy.org/view/s208jQs9c6)
***

Mailing List Gold
That's not our IP (https://mail-index.netbsd.org/source-changes/2014/10/17/msg059564.html)
Is this thing on? (https://lists.freebsd.org/pipermail/freebsd-acpi/2014-June/008644.html)
***
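
The reallocarray() item in the episode 61 News Roundup above describes integer overflow detection for realloc(3)-style array allocation. The C sketch below is an added example, not code from the show notes or from OpenBSD's libc: checked_reallocarray, grow_records and the record type are hypothetical names, and the check shown is one common way to catch nmemb * size wrapping before the allocator sees it.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample record type; 16 bytes on common ABIs. */
struct record { uint32_t id; uint32_t flags; uint64_t value; };

struct table { struct record *items; size_t count; };

/* If both factors are below sqrt(SIZE_MAX + 1) the product cannot wrap,
 * so the division below is skipped for ordinary sizes. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* What a plain realloc(p, nmemb * size) call would actually request:
 * unsigned multiplication silently wraps modulo SIZE_MAX + 1. */
size_t unchecked_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Hypothetical helper (assumption, not libc source): refuse the request
 * with ENOMEM when nmemb * size does not fit in size_t. */
void *checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
        nmemb > 0 && SIZE_MAX / nmemb < size) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, nmemb * size);
}

/* Resize the table to new_count records. On failure the old buffer and
 * count are left untouched, so the caller neither leaks nor overruns. */
int grow_records(struct table *t, size_t new_count)
{
    struct record *p;

    if (new_count == 0)   /* avoid realloc(ptr, 0), whose result varies */
        return -1;
    p = checked_reallocarray(t->items, new_count, sizeof(*p));
    if (p == NULL)
        return -1;
    t->items = p;
    t->count = new_count;
    return 0;
}

int main(void)
{
    /* Constructed untrusted count, chosen so that the product wraps. */
    size_t huge = SIZE_MAX / sizeof(struct record) + 2;
    struct table t = { NULL, 0 };

    printf("unchecked request: %zu bytes for %zu records\n",
           unchecked_bytes(huge, sizeof(struct record)), huge);
    printf("grow to 8 records: %d\n", grow_records(&t, 8));
    printf("grow to wrapped count: %d\n", grow_records(&t, huge));
    printf("count after rejected resize: %zu\n", t.count);
    free(t.items);
    return 0;
}
```

Without the check, the wrapped request would succeed with a tiny buffer while the caller believes it holds the full record count, which is the heap overflow condition the audit mentioned above is meant to remove.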