HardendedBSD Issue 32 - hbsd-update rewrite
Ron Georgia
All or Any,
I am slowly working my way towards understanding the hbsd-update shell script. HardenedBSD issue 32 hbsd issue 32 calls for a rewrite with C or C++. Also suggested was to use flua. I have a few questions.
First, should the following questions and points of clarification be submitted to the Issue board for #32?
The check_sanity() function has the following,
if [ ${local_resolver} !=
${remote_resolver} ]; then
remote_resolver=${local_resolver}
fi
local_resolver and remote_resolver default to 0, unless the -R option is called then both are set to one. Question: why this check? Is there a situation where local or remote can be set to different values?
Currently I am working out of github (hbsd-update), but I can move it to gitlab if that would make life easier. I understand all the cool kids use gitlab. 🙂 Here's my question, being fairly new to the lua ecosystem, should the lua script be a single monolithic file or is there a way to install the project as a lua package? I mean, I know there's a way to install a lua package, but would it be expedient or even possible since hbsd-update is part of hbsd builds?
Any and all suggestions, criticisms or corrections are welcomed. Six years of submarine duty cured me of having a thin skin, so don't hold back.
-- ”There is a scratch in the prism of my understanding.”
Shawn Webb
Thanks for working on this! My responses will be inline.
On Fri, Feb 13, 2026 at 02:57:02PM -0500, Ron Georgia wrote:
> All or Any,
>
> I am slowly working my way towards understanding the hbsd-update shell
> script. HardenedBSD issue 32 hbsd issue 32
> questions.
>
> First, should the following questions and points of clarification be
> submitted to the Issue board for #32?
>
> The check_sanity() function has the following,
>
> if [ ${local_resolver} != ${remote_resolver} ]; then
> remote_resolver=${local_resolver}
> fi
>
> local_resolver and remote_resolver default to 0, unless the -R option is
was slightly confused. That conditional was an attempt to fix that
confusion (since the confused code was committed) while providing some
form of backwards compatibility.
I would be in favor of unifying that with one variable,
remote_resolver, controlled by the -R flag.
>
> Currently I am working out of github (hbsd-update
> gitlab. 🙂 Here's my question, being fairly new to the lua ecosystem, should
> the lua script be a single monolithic file or is there a way to install the
> project as a lua package? I mean, I know there's a way to install a lua
> package, but would it be expedient or even possible since hbsd-update is
> part of hbsd builds?
src tree, optionally replacing the existing hbsd-udpate via a new
WITH_* flag (maybe, WITH_HBSDUPDATE_FLUA or something similar; I have
no strong opinion here.)
I've not toyed with {,f}lua before, either. But, I suspect studying
the flua code in the stand/lua[1] directory in the src tree.
[1]: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/tree/hardened/current/master/stand/lua?ref_type=heads
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
Ron Georgia
'remote_resolver' with a default of false, set to true with the -R flag.
And thanks for the link to flua source. I will look it over.