HardenedBSD git read-only access option?

[Dewayne Geraghty]

I'm a bit confused. I thought that HardenedBSD was updated every 6
hours, but comparing UPDATING files on
https://cgit.freebsd.org/src/commit/?h=stable/14&id=76fdef764db9b21f913e56eea571172fe1608c4b
with
https://github.com/HardenedBSD/hardenedBSD/blob/hardened/current/master/UPDATING
(on stable-14 branch)

I note that FreeBSD UPDATING entries exist for: 20250228 and 20250117,
while HardenedBSD's latest entries are: 20250214
which suggests a 2 week delay between FreeBSD and HardenedBSD. Has
something broken?


How did I get here? I wanted to ensure the version of HardenedBSD was
1402504, otherwise I would wait to perform a git pull. So, lets find a
hyperlink to stable/14 git...

The html link on the home page is broken, as the two lines need to be
cut/pasted to properly take you to:
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git/hardenedbsd-14-stable
which then presented a
https://git.hardenedbsd.org/users/sign_in
Unfortunately I don't have a phone that performs MFA/2FA, so the sign-in
page is problematic.

Fortunately there was another git link on the homepage...
https://github.com/HardenedBSD
though don't select https://github.com/HardenedBSD/hardenedBSD-stable as
its outdated, but
https://github.com/HardenedBSD/hardenedBSD and selecting 14-stable,
looked like it was the right place :)

And to my pleasant surprise
https://github.com/HardenedBSD/hardenedBSD/blob/hardened/14-stable/master/sys/sys/param.h
#define __FreeBSD_version 1402504
which was my initial enquiry. :) Though the UPDATING information raises
some question as to whether its authoritative or a distant cousin that
is irregularly updated?

PS I'd also tried to get information from the mirrors but they looked
like binary updates. BTW https://mirrors.lavabit.com/hardenedbsd/ is
unavailable as at Sun Mar 2 06:51:50 UTC 2025.

[Shawn Webb]

Hey Dewaye,

My response is in-line.

On Sun, Mar 02, 2025 at 05:59:52PM +1100, Dewayne Geraghty wrote:
> I'm a bit confused. I thought that HardenedBSD was updated every 6 hours,
> but comparing UPDATING files on
> https://cgit.freebsd.org/src/commit/?h=stable/14&id=76fdef764db9b21f913e56eea571172fe1608c4b
> with
> https://github.com/HardenedBSD/hardenedBSD/blob/hardened/current/master/UPDATING
> (on stable-14 branch)

That is correct: we sync every six hours. Merge conflicts can delay
the sync since resolving them takes human effort. Merge conflicts are
usually resolved within 24-48 hours, most of the time much quicker.

>
> I note that FreeBSD UPDATING entries exist for: 20250228 and 20250117,
> while HardenedBSD's latest entries are: 20250214
> which suggests a 2 week delay between FreeBSD and HardenedBSD. Has
> something broken?

HardenedBSD does not change UPDATING. It's up to FreeBSD to keep
UPDATING up-to-date.

>
>
> How did I get here? I wanted to ensure the version of HardenedBSD was
> 1402504, otherwise I would wait to perform a git pull. So, lets find a
> hyperlink to stable/14 git...
>
> The html link on the home page is broken, as the two lines need to be
> cut/pasted to properly take you to:
> https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git/hardenedbsd-14-stable
> which then presented a
> https://git.hardenedbsd.org/users/sign_in
> Unfortunately I don't have a phone that performs MFA/2FA, so the sign-in
> page is problematic.

The link you're looking for is this:
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/tree/hardened/14-stable/master?ref_type=heads

>
> Fortunately there was another git link on the homepage...
> https://github.com/HardenedBSD
> though don't select https://github.com/HardenedBSD/hardenedBSD-stable as its
> outdated, but
> https://github.com/HardenedBSD/hardenedBSD and selecting 14-stable, looked
> like it was the right place :)

The hardenedBSD-stable repo on GitHub is deprecated. It was only used
for building installation media. We don't use that repo anymore.

>
> And to my pleasant surprise
> https://github.com/HardenedBSD/hardenedBSD/blob/hardened/14-stable/master/sys/sys/param.h
> #define __FreeBSD_version 1402504
> which was my initial enquiry. :) Though the UPDATING information raises
> some question as to whether its authoritative or a distant cousin that is
> irregularly updated?

HardenedBSD maintains its own UPDATING file named
UPDATING-HardenedBSD. That tracks the __HardenedBSD_version (aka, the
hardening.version sysctl node). It's up to FreeBSD to maintain
UPDATING.

>
> PS I'd also tried to get information from the mirrors but they looked like
> binary updates. BTW https://mirrors.lavabit.com/hardenedbsd/ is unavailable
> as at Sun Mar 2 06:51:50 UTC 2025.

Thanks for letting me know! I'll reach out to the Lavabit folks to see
what's up.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

[Dewayne Geraghty]

Thank-you Shawn. The url was what I sought. :)

Could I suggest that
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/tree/hardened/14-stable/master?ref_type=heads
for stable and
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/tree/hardened/current/master/
replace the deprecated urls on the home page?

Re:

>> I note that FreeBSD UPDATING entries exist for: 20250228 and 20250117,
>> while HardenedBSD's latest entries are: 20250214
>> which suggests a 2 week delay between FreeBSD and HardenedBSD. Has
>> something broken?
>
> HardenedBSD does not change UPDATING. It's up to FreeBSD to keep
> UPDATING up-to-date.

I appreciate the maintenance of the UPDATING-HardenedBSD and I review
both it and the FreeBSD's maintained UPDATING regularly. The numbers
above demonstrated the time delay difference between what was in
UPDATING on each of FBSD v HBSD; which is largely moot as the url is
deprecated. I should've been more careful in my phrasing to avoid
ambiguity. ;)

Kind regards, Dewayne
UTC+11