
Pondering a new (slower) HardenedBSD build cadence

Shawn Webb

Apr 21, 2025, 5:34:08 PM
to HardenedBSD Users
Hey all,

The latest version of the FreeBSD package manager (pkg) does a lot of
extra work in determining dependencies, so much so that it's really
prolonging our package builds. 21 days into the 14-STABLE package
build, we still have over 9,000 packages to build (out of 36,000+).
It's likely that this package build will NOT complete within this
month cycle.

We (HardenedBSD) may need to scale back our monthly
installation/updater builds to quarterly because of just how much the
new package manager prolongs building packages.

The problem then becomes, what do we do when there's a FreeBSD
Security Advisory? We may have to adopt a more formal approach to
handling security advisories for the base OS. That would be a good
thing to have overall, but hasn't really been needed until now-ish.

Our exploit mitigations and security hardening techniques generally
mitigate a large portion of security advisories, so waiting for the
next monthly build has been an acceptable compromise. That changes if
we go to quarterly builds.

Does the community have any thoughts regarding a slower cadence, going
from monthly to quarterly?

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

Dustin Marquess

Apr 21, 2025, 5:44:53 PM
to HardenedBSD Users
On Apr 21, 2025 at 4:34 PM -0500, Shawn Webb <shawn...@hardenedbsd.org>, wrote:
> Hey all,
>
> The latest version of the FreeBSD package manager (pkg) does a lot of
> extra work in determining dependencies, so much so that it's really
> prolonging our package builds. 21 days into the 14-STABLE package
> build, we still have over 9,000 packages to build (out of 36,000+).
> It's likely that this package build will NOT complete within this
> month cycle.
>
> We (HardenedBSD) may need to scale back our monthly
> installation/updater builds to quarterly because of just how much the
> new package manager prolongs building packages.
>
> The problem then becomes, what do we do when there's a FreeBSD
> Security Advisory? We may have to adopt a more formal approach to
> handling security advisories for the base OS. That would be a good
> thing to have overall, but hasn't really been needed until now-ish.
>
> Our exploit mitigations and security hardening techniques generally
> mitigate a large portion of security advisories, so waiting for the
> next monthly build has been an acceptable compromise. That changes if
> we go to quarterly builds.
>
> Does the community have any thoughts regarding a slower cadence, going
> from monthly to quarterly?

That seems to be the most logical choice. I tend to use the package repos for convenience on my lower-end machines (e.g., PC Engines apu2) that I don't mind running a hbd-update on and rebooting often. For anything serious where I can't take the constant downtime, I've pretty much resorted to running my own poudriere anyway, since there eventually is too much ABI breakage.

-Dustin

Shawn Webb

Apr 28, 2025, 8:16:41 PM
to HardenedBSD Users
On Mon, Apr 21, 2025 at 09:34:04PM +0000, Shawn Webb wrote:
> Hey all,
>
> The latest version of the FreeBSD package manager (pkg) does a lot of
> extra work in determining dependencies, so much so that it's really
> prolonging our package builds. 21 days into the 14-STABLE package
> build, we still have over 9,000 packages to build (out of 36,000+).
> It's likely that this package build will NOT complete within this
> month cycle.
>
> We (HardenedBSD) may need to scale back our monthly
> installation/updater builds to quarterly because of just how much the
> new package manager prolongs building packages.
>
> The problem then becomes, what do we do when there's a FreeBSD
> Security Advisory? We may have to adopt a more formal approach to
> handling security advisories for the base OS. That would be a good
> thing to have overall, but hasn't really been needed until now-ish.
>
> Our exploit mitigations and security hardening techniques generally
> mitigate a large portion of security advisories, so waiting for the
> next monthly build has been an acceptable compromise. That changes if
> we go to quarterly builds.
>
> Does the community have any thoughts regarding a slower cadence, going
> from monthly to quarterly?

Hey all,

We have two days left of the month, and the 14-STABLE package builder
still has 2300 packages left to build. I will be moving us to a slower
cadence as discussed above.

I plan to build quarterly, on the first day of the new quarter. That
would be:

01 January
01 April
01 July
01 October

This will be effective immediately. I will take some time to come up
with a more formal security policy regarding builds. I'll keep
everyone informed as to my progress.