HardenedBSD April 2023 Status Report

Shawn Webb

May 1, 2023, 4:40:35 PM
to HardenedBSD Users
Hey all,

April was busy from an administrative perspective, with me working to get the
Foundation and the Project ready to move to Colorado. We have around 90% of what
we need to file as a not-for-profit, tax-exempt charitable organization in
Colorado. We're hoping to file by the end of 05 May 2023.

Once the Colorado organization is live, we'll switch the federal side to point
the headquarters to the new, yet-to-be-determined Colorado address. I believe
once that's done, we should be fully re-headquartered.

On 02 June 2023, I plan to do our last pre-move code sync. Remember, we provide
read-only mirrors on GitHub (listed below) for our base and ports repositories.

On 03 June 2023, I plan to take the build infrastructure down for the move. We
do not have an ETA for bringing it back up, but bringing up the infrastructure
will be of highest priority. I'll be unpacking and powering on equipment before
I unpack the kitchen. ;-)

Package repos will remain online even during the move. However, we will need to
rely on our mirrors (link to the mirrors page below) to provide installation
media. We are grateful for those who provide public mirrors.

Please reach out to us (co...@hardenedbsd.org or net...@hardenedbsd.org) to get
set up as a public mirror if you're interested. The sooner we can get new
mirrors launched, the better poised we (the community) are for the move.

Let's get to the changes! In src:

1. The installer will no longer ask to install the kernel debug distset. We do
not support downloading the distsets at install time.
2. FreeBSD kept trying various methods to enable Netlink support in the kernel.
Given my concerns about Netlink's current code quality, I kept trying to
follow in disabling Netlink by default.

In ports:

1. MrUnix disabled the JIT in www/chromium and www/iridium, which switches the
default JavaScript engine to one that's PaX MPROTECT-safe.
2. MrUnix fixed multimedia/obs-studio
3. MrUnix disabled PaX MPROTECT for www/node18
4. MrUnix disabled PaX MPROTECT for www/node19
5. MrUnix disabled PaX PAGEEXEC for devel/valgrind and devel/valgrind-devel

I have decided to punish myself by running HardenedBSD 14-CURRENT/amd64 with
Cross-DSO CFI enabled for base on my primary laptop. My goal here is to see if I
can effectuate the move to Colorado while running with Cross-DSO CFI. The first
problem I experienced was i3wm, which would crash upon launching any command.
Interestingly, xfce4 mostly works. The xfce4-panel application crashes, but the
rest of xfce4 seems to work just fine and dandy.

We are grateful for the past, present, and future contributions from the
community. There are many ways to contribute to the project. You don't have to
be a security expert or even know how to program! We appreciate contributions in
any form they come in, like advocacy, monetary donations, documentation, bug
reports, etc. Thank you for making this project possible!

GitHub src repo: https://github.com/HardenedBSD/hardenedBSD
GitHub ports repo: https://github.com/hardenedBSD/ports
Installation media mirrors: https://hardenedbsd.org/content/mirrors

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc