HardenedBSD May 2026 Status Report


Shawn Webb

Jun 1, 2026, 11:00:38 AM
to HardenedBSD Users

Hey all,

These past two months have been incredibly busy. I didn't publish a status
report for April 2026, so this status report will cover that, too.

We have mostly completed the migration from our self-hosted GitLab Enterprise
instance to Radicle. There's still further work to be done, but the most crucial
bits have made it over. We're also still working on ironing out some kinks in
learning "the Radicle way". I hope soon to write an article chronicling our
journey thus far.

I wrote documentation[1] on how to bootstrap Radicle's local storage directory
with src and ports. If you hope to someday submit issues and/or patches,
following these bootstrap instructions will certainly ease the initial pain. I
plan to include an export of these Radicle storage bootstrap archives with each
official build. The current exports are not signed. I'm going to include the
hashes in this signed email. I am working on a candidate patch to our build
scripts to perform this export. The archives exported by our builder VMs will be
signed with our normal ssh key-based signing method.

Fully fixing the release image generation (chiefly fixing generation of
disc1.iso) is my first priority. Radicle bootstrap archive generation is my
second priority. Radicle integration in our auto-sync is my third priority. Our
commit emails came from GitLab. I need to replicate that functionality but with
"the Radicle way." For now, I'm performing the sync myself when time permits
(usually multiple times per day).

The past couple months have also seen a number of FreeBSD security advisories,
so we've published new builds for 16-CURRENT and 15-STABLE. Installer image
generation is still somewhat broken, though I've seen some success with
memstick.img. I plan to continue working on this until we're 100% fixed, though
it will take time. It takes quite the number of hours to test even the smallest
of changes. I get pretty much at most two attempts at testing fixes per day.

I spent some time studying Reticulum's code. I'm in the process of writing a
shim to abstract how its backbone interface implementation uses select and
friends. Back when I last looked at it, it required use of epoll. Simultaneously,
while I was working on that, I did notice the Reticulum project was working on a
more portable backbone interface implementation. So I need to restart that
research when the time comes.

I also spent a little bit of time with hbsdfw. I started work on forward-porting
our 14-stable hbsdfw-specific patches to 15-STABLE. Then GitLab died, and my
priorities switched to the Radicle migration. So I need to restart this
research, too, when the time comes. I think I might target -CURRENT rather than
15-STABLE. That way, we don't have to periodically forward-port patches: we just
maintain our patches against the naturally-evolving hardened/current/master.

We completed the ISP account migration. Some pain is left to resolve. We lost
support for our tunneled IPv6 (via Hurricane Electric's Tunnel Broker). I need
to schedule a part of my day to capture some packets and get on the phone with
some tech support folks on the side of both my ISP and HE. Until then, I've
removed the AAAA DNS records for the relevant bits of infrastructure.

In src:

1. FreeBSD merged llvm 21 into base. We needed to fix one compilation error in
HardenedBSD's code caught by llvm 21
2. Replace FreeBSD's README.md with our main wiki-based documentation.
3. Drop the -HBSD suffix in newvers.sh
4. Migrate hbsd-update-build to Radicle
5. Revert the release/ subdirectory to a known good-ish commit. This brought
back generation of memstick.img
6. The hardening.pax.kmod_load_disable sysctl node logic was enhanced
7. Fix MK_LLVM_LINK_STATIC_LIBRARIES in src.opts.mk

In ports:

1. multimedia/ffmpeg build was fixed
2. ports-mgmt/pkg was updated to 2.7.5
3. ports-mgmt/poudriere-hbsd was updated to 3.4.8
4. A patch was brought in to fix the graphics/hdr_histogram port
5. hardenedbsd/secadm was updated to account for recent MAC hook changes by
FreeBSD
6. Some incredibly basic support was implemented for downloading distfiles via
Radicle HTTP
7. ports-mgmt/pkg was migrated to Radicle
8. The default llvm version was bumped to 21 for latest 16-CURRENT users
9. ports-mgmt/poudriere-hbsd was migrated to Radicle
10. COMPAT32 was disabled for misc/compat{14,15}
11. PIE was disabled for devel/ccache4
12. net-p2p/reticulum was migrated to Radicle
13. hardenedbsd/secadm was migrated to Radicle

I want to say a heartfelt thank you to the Radicle folks. You've spent a lot of
time in helping out. You didn't have to, but you chose to. And for that, I'm
incredibly grateful. It's fun to see the Radicle network evolve.

==== BEGIN ARTIFACT HASHES ====
$ sha256 ports.tar.xz
SHA256 (ports.tar.xz) = b12f303b96b02b16744c1286868726ab4df43a06f6d28de3c247d4d1598f743b
$ wc -c ports.tar.xz
1472685664 ports.tar.xz
$ sha256 src.tar.xz
SHA256 (src.tar.xz) = 00301a70910127f4fd9564dca1be948e6b9909e864053a76b9197565768345cf
$ wc -c src.tar.xz
2069117660 src.tar.xz
==== END ARTIFACT HASHES ====

[1]: https://radicle.network/nodes/rad.hardenedbsd.org/rad:z4Aucnb2nozutuek6o8PC9YfaBeTm#contributing-to-hardenedbsd

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 (719) 756-1197 / activist_opsec.27
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
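The ARTIFACT HASHES block above gives a SHA256 digest and a byte count for each Radicle bootstrap archive, and the report notes that the archives themselves are not yet signed: the only thing binding those values to HardenedBSD is the signature on this email. The script below is an added example, not part of the post or of HardenedBSD's build scripts. It embeds the published hashes and sizes for ports.tar.xz and src.tar.xz, checks the byte count first (cheap, and it catches a truncated download before hashing 1.4 GB), then compares the digest, using whichever SHA256 tool the host provides. The script file name and the assumption that the archives sit in the current directory are mine.

```shell
#!/bin/sh
# verify_hbsd_artifacts.sh (assumed name): check downloaded Radicle bootstrap
# archives against the SHA256 digests and sizes published in the signed
# HardenedBSD status report. Added example, not HardenedBSD's own tooling.

# Expected values, copied from the "ARTIFACT HASHES" block of the report.
expected_hash() {
    case "$1" in
        ports.tar.xz) echo b12f303b96b02b16744c1286868726ab4df43a06f6d28de3c247d4d1598f743b ;;
        src.tar.xz)   echo 00301a70910127f4fd9564dca1be948e6b9909e864053a76b9197565768345cf ;;
        *) return 1 ;;
    esac
}

expected_size() {
    case "$1" in
        ports.tar.xz) echo 1472685664 ;;
        src.tar.xz)   echo 2069117660 ;;
        *) return 1 ;;
    esac
}

# Print the SHA256 of a file as lowercase hex using whatever the host has:
# sha256sum (GNU coreutils), sha256 (BSD), or openssl as a last resort.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_artifact FILE EXPECTED_HASH EXPECTED_SIZE
# Returns 0 only when both the byte count and the digest match. The size check
# runs first because it is cheap and immediately flags a truncated download.
verify_artifact() {
    file=$1; want_hash=$2; want_size=$3
    if [ ! -f "$file" ]; then
        echo "MISSING  $file" >&2
        return 1
    fi
    got_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$got_size" != "$want_size" ]; then
        echo "SIZE MISMATCH  $file: got $got_size bytes, expected $want_size" >&2
        return 1
    fi
    got_hash=$(sha256_of "$file" | tr 'A-F' 'a-f')
    if [ "$got_hash" != "$want_hash" ]; then
        echo "HASH MISMATCH  $file: got $got_hash, expected $want_hash" >&2
        return 1
    fi
    echo "OK  $file"
    return 0
}

# verify_known FILE: look up FILE's basename in the published table and verify it.
verify_known() {
    name=$(basename "$1")
    h=$(expected_hash "$name") || { echo "UNKNOWN  $1 (no published hash)" >&2; return 1; }
    s=$(expected_size "$name")
    verify_artifact "$1" "$h" "$s"
}

# Usage: sh verify_hbsd_artifacts.sh ports.tar.xz src.tar.xz
# Exit status is non-zero if any named archive fails verification.
rc=0
for f in "$@"; do
    verify_known "$f" || rc=1
done
if [ $# -eq 0 ]; then
    echo "usage: $0 ports.tar.xz [src.tar.xz ...]" >&2
fi
[ $# -eq 0 ] || exit $rc
```

Verify the PGP signature on the email before trusting the table: a matching hash only proves the download equals what the signed message describes, which is exactly the chain the report says will later be replaced by ssh-signed exports from the builder VMs.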