This time on the show, we'll be talking with Ed Schouten about CloudABI. It's a new application binary interface with a strong focus on isolation and restricted capabilities. As always, all this week's BSD news and answers to your emails, on BSD Now - the place to B.. SD.
Headlines
FreeBSD quarterly status report
The FreeBSD team has posted a report of the activities that went on between January and March of this year
As usual, it's broken down into separate reports from the various teams in the project (ports, kernel, virtualization, etc)
The ports team continued battling the flood of PRs, closing quite a lot of them and boasting nearly 7,000 commits this quarter
The core team and cluster admins dealt with the accidental deletion of the Bugzilla database, and are making plans for an improved backup strategy within the project going forward
FreeBSD's future release support model was also finalized and published in February, which should be a big improvement for both users and the release team
Some topics are still being discussed internally, mainly MFCing ZFS ARC responsiveness patches to the 10 branch and deciding whether to maintain or abandon C89 support in the kernel code
Lots of activity is happening in bhyve, some of which we've covered recently, and a number of improvements were made this quarter
Clang, LLVM and LLDB have been updated to the 3.6.0 branch in -CURRENT
Work to get FreeBSD booting natively on the POWER8 CPU architecture is also still in progress, but it does boot in KVM for the time being
The project to replace Forth in the bootloader with Lua is in its final stages, and can be used on x86 already
ASLR work is still being done by the HardenedBSD guys, and their next aim is position-independent executables
The report also touches on multipath TCP support, the new automounter, opaque ifnet, pkgng updates, secureboot (which should be in 10.2-RELEASE), GNOME and KDE on FreeBSD, PCIe hotplugging, nested kernel support and more
Also of note: work is going on to make ARM a Tier 1 platform in the upcoming 11.0-RELEASE (and support for more ARM boards is still being added, including ARM64)
***
OpenBSD 5.7 released
OpenBSD has formally released another new version, complete with the giant changelog we've come to expect
In the hardware department, 5.7 features many driver improvements and fixes, as well as support for some new things: USB 3.0 controllers, newer Intel and Atheros wireless cards and some additional 10gbit NICs
If you're using one of the Soekris boards, there's even a new driver to manipulate the GPIO and LEDs on them - this has some fun possibilities
Some new security improvements include: SipHash being sprinkled in some areas to protect hashing functions, big W^X improvements in the kernel space, static PIE on all architectures, deterministic "random" functions being replaced with strong randomness, and support for remote logging over TLS
The entire source tree has also been audited to use reallocarray, which unintentionally saved OpenBSD's libc from being vulnerable to earlier attacks affecting other BSDs' implementations
Being that it's OpenBSD, a number of things have also been removed from the base system: procfs, sendmail, SSLv3 support and loadable kernel modules are all gone now (not to mention the continuing massacre of dead code in LibreSSL)
Some people seem to be surprised about the removal of loadable modules, but almost nothing utilized them in OpenBSD, so it was really just removing old code that no one used anymore - very different from FreeBSD or Linux in this regard, where kernel modules are used pretty heavily
BIND and nginx have been taken out, so you'll need to either use the versions in ports or switch to Unbound and the in-base HTTP daemon
Speaking of httpd, it's gotten a number of new features, and has had time to grow and mature since its initial debut - if you've been considering trying it out, now would be a great time to do so
This release also includes the latest OpenSSH (with stronger fingerprint types and host key rotation), OpenNTPD (with the HTTPS constraints feature), OpenSMTPD, LibreSSL and mandoc
Check the errata page for any post-release fixes, and the upgrade guide for specific instructions on updating from 5.6
Groundwork has also been laid for some major SMP scalability improvements - look forward to those in future releases
There's a song and artwork to go along with the release as always, and CDs should be arriving within a few days - we'll show some pictures next week
Consider picking one up to support the project (and it's the only way to get puffy stickers)
For those of you paying close attention, the banner image for this release just might remind you of a certain special episode of BSD Now...
***
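The reallocarray point above is worth seeing in code. The classic bug is computing `nmemb * size` and handing the result to realloc: when the product overflows size_t it silently wraps, the allocation succeeds with a tiny buffer, and every later write past it is memory corruption. reallocarray(3) refuses such requests with ENOMEM instead. The following is an added example written for these show notes, not OpenBSD's libc source; `checked_reallocarray`, `mul_would_overflow`, `wrapped_byte_count`, `grow_u32_array` and `alloc_touch_free` are names chosen here, and the "huge" element count is a constructed input.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not OpenBSD's code): 1 if nmemb * size does not
 * fit in a size_t, 0 otherwise. Dividing instead of multiplying avoids
 * the very wrap we are trying to detect. */
int mul_would_overflow(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Overflow-checked realloc following the reallocarray(3) contract:
 * refuse with ENOMEM rather than allocate a wrapped, too-small buffer. */
void *checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    if (mul_would_overflow(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, nmemb * size);
}

/* What the unchecked idiom realloc(p, nmemb * size) actually asks for:
 * the product reduced modulo SIZE_MAX + 1. */
size_t wrapped_byte_count(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Grow a uint32_t array to `count` elements; 1 on success, 0 on failure.
 * On failure *arr is left untouched and still owned by the caller. */
int grow_u32_array(uint32_t **arr, size_t count)
{
    uint32_t *p = checked_reallocarray(*arr, count, sizeof **arr);
    if (p == NULL)
        return 0;
    *arr = p;
    return 1;
}

/* Allocate `count` elements, write the last one, free: 1 on success. */
int alloc_touch_free(size_t count)
{
    uint32_t *a = NULL;
    if (count == 0 || !grow_u32_array(&a, count))
        return 0;
    a[count - 1] = 0xdeadbeefu;   /* in bounds only because the size was checked */
    free(a);
    return 1;
}

int main(void)
{
    /* Constructed input: times 4 this is exactly SIZE_MAX + 1, i.e. wraps to 0. */
    size_t huge = SIZE_MAX / 4 + 1;

    printf("unchecked realloc would request %zu bytes\n",
           wrapped_byte_count(huge, 4));
    printf("checked allocation of %zu elements: %s\n", huge,
           alloc_touch_free(huge) ? "allocated" : "refused (ENOMEM)");
    printf("checked allocation of 16 elements: %s\n",
           alloc_touch_free(16) ? "allocated" : "refused");
    return 0;
}
```

The division-based check is the portable form; compilers also offer `__builtin_mul_overflow`, but the point is the same: the size computation, not the allocator, is where the bug lives, which is why auditing every `realloc(p, n * size)` call site paid off.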
Tor-BSD diversity project
We've talked about Tor on the show a few times, and specifically about getting more of the network on BSD (Linux has an overwhelming majority right now)
A new initiative has started to do just that, called the Tor-BSD diversity project
"Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. Diversity means single vulnerabilities are less likely to harm the entire ecosystem. [...] A single kernel vulnerability in GNU/Linux that impacts Tor relays could be devastating. We want to see a stronger Tor network, and we believe one critical ingredient for that is operating system diversity."
In addition to encouraging people to put up more relays, they're also continuing work on porting the Tor Browser Bundle to BSD, so more desktop users can have easy access to online privacy
There's an additional progress report for that part specifically, and it looks like most of the work is done now
Engaging the broader BSD community about Tor and fixing up the official documentation are also both on their todo list
If you've been considering running a node to help out, there's always our handy tutorial on getting set up
***
PC-BSD 10.1.2-RC1 released
If you want a sneak peek at the upcoming PC-BSD 10.1.2, the first release candidate is now available to grab
This quarterly update includes a number of new features, improvements and even some additional utilities
PersonaCrypt is one of them - it's a new tool for easily migrating encrypted home directories between systems
A new "stealth mode" option allows for a one-time login, using a blank home directory that gets wiped after use
Similarly, a new "Tor mode" allows for easy tunneling of all your traffic through the Tor network
IPFW is now the default firewall, offering improved VIMAGE capabilities
The life preserver backup tool now allows for bare-metal restores via the install CD
ISC's NTP daemon has been replaced with OpenNTPD, and OpenSSL has been replaced with LibreSSL
It also includes the latest Lumina desktop, and there's another post dedicated to that
Binary packages have also been updated to fresh versions from the ports tree
More details, including upgrade instructions, can be found in the linked blog post
***
Interview - Ed Schouten - [email protected] / @edschouten
News Roundup
Open Household Router Contraption
This article introduces OpenHRC, the "Open Household Router Contraption"
In short, it's a set of bootstrapping scripts to turn a vanilla OpenBSD install into a feature-rich gateway device
It also makes use of Ansible playbooks for configuration, allowing for a more "mass deployment" type of setup
Everything is configured via a simple text file, and you end up with a local NTP server, DHCP server, firewall (obviously) and local caching DNS resolver - it even does DNSSEC validation
All the code is open source and on GitHub, so you can read through what's actually being changed and put in place
There's also a video guide to the entire process, if you're more of a visual person
***
OPNsense 15.1.10 released
Speaking of BSD routers, if you're looking for a "prebuilt and ready to go" option, OPNsense has just released a new version
15.1.10 drops some of the legacy patches they inherited from pfSense, aiming to stay closer to the mainline FreeBSD source code
Going along with this theme, they've redone how they handle ports, which are now kept totally in sync with the regular ports tree
Their binary packages are now signed using the fingerprint-style method, various GUI menus have been rewritten and a number of other bugs were fixed
NanoBSD-based images are also available now, so you can try it out on hardware with constrained resources as well
Version 15.1.10.1 was released shortly thereafter, including a hotfix for VLANs
***
IBM Workpad Z50 and NetBSD
Before the infamous netbook fad came and went, IBM had a handheld PDA device that looked pretty much the same
Back in 1999, they released the Workpad Z50 with Windows CE, sporting a 131MHz MIPS CPU, 16MB of RAM and a 640x480 display
You can probably tell where this is going... the article is about installing NetBSD on it
"What prevents me from taking my pristine Workpad z50 to the local electronics recycling facility is NetBSD. With a little effort it is possible to install recent versions of NetBSD on the Workpad z50 and even have XWindows running"
The author got pkgsrc up and running on it too, and cleverly used distcc to offload the compiling jobs to something a bit more modern
He's also got a couple of videos of the bootup process and running Xorg (neither of which we'd call "speedy" by any stretch of the imagination)
***
FreeBSD from the trenches
The FreeBSD Foundation has a new blog post up in their "from the trenches" series, detailing FreeBSD in some real-world use cases
In this installment, Glen Barber talks about how he sets up all his laptops with ZFS and GELI
While the installer allows for an automatic ZFS layout, Glen notes that it's not a one-size-fits-all thing, and goes through doing everything manually
Each command is explained, and he walks you through the process of doing an encrypted installation on your root zpool
***
Broadwell in DragonFly
DragonFlyBSD has officially won the race to get an Intel Broadwell graphics driver
Their i915 driver has been brought up to speed with Linux 3.14's, adding not only Broadwell support, but many other bugfixes for other cards too
It's planned for commit to the main tree very soon, but you can test it out with a git branch for the time being
***
Feedback/Questions
Bostjan writes in
Hunter writes in
Hrishi writes in
Clint writes in
Sergei writes in
***
Mailing List Gold
How did you guess
***