HEADS UP: [gjb@freebsd.org: Delay in 14.0-RELEASE cycle and blocking items]


Shawn Webb

May 4, 2023, 3:31:37 PM
to HardenedBSD Users
Hey all,

I normally wouldn't forward an email from a FreeBSD mailing list to
the HardenedBSD Users' mailing list, but I think this one warrants it.

The part I think will impact HardenedBSD's users the most is OpenSSL.
The ZFS stuff is mostly worked out (though I was bitten by it pretty hard
recently.)

There's an interesting play between base and ports, especially with
regards to providers of libcrypto.so/libssl.so (OpenSSL, LibreSSL,
etc.) Even though the announcement discusses FreeBSD's 14.0 release
schedule, there is also an impact to HardenedBSD 13-STABLE users
(and, obviously, 14-CURRENT).

FreeBSD has its work cut out for it. I think they're going in the
right direction so far (it appears they will indeed adopt OpenSSL 3 in
base prior to 14.0-RELEASE landing.)

While I'm confident in FreeBSD to complete the work with quality, I
suspect there may be cobwebs and oddities that may cause issues during
this transitional work. There may still be considerable fallout, given
the size and complexity of the task at hand.

So, this email is to serve as a heads up. Hopefully the pain will be
minimal (if at all.)

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

----- Forwarded message from Glen Barber <g...@freebsd.org> -----

Date: Mon, 1 May 2023 18:14:49 +0000
From: Glen Barber <g...@freebsd.org>
To: freebs...@freebsd.org, freebsd...@freebsd.org
Cc: freebsd...@freebsd.org, FreeBSD Release Engineering Team
<r...@freebsd.org>, FreeBSD Security Team <sec...@freebsd.org>
Subject: Delay in 14.0-RELEASE cycle and blocking items

According to the 14.0-RELEASE schedule, the code slush in main and the
freeze to the KBI for 14.0 was scheduled for April 25, 2023. As some of
you may have noticed, that did not happen.

First, and most importantly for 14.0, is the status of the OpenSSL
update to version 3. This in itself is reason to delay the schedule
until some tangible progress has been made. Yes, some have expressed
interest in helping in this area, however at this moment, this is the
key blocker.

Second is the status of the branch and how it pertains to the recent
upstream merge from OpenZFS. Although block_cloning is disabled by
default, there have been other regressions discovered (and fixed), but
as a whole, I do not feel that we have a solid understanding of the
regressions about which we do not know.

There is no feasible way we are going to make the branch point of
stable/14 in time, with that scheduled for May 12, 2023 with the above
points. That said, this is not an all-inclusive list, but the more
major items on our radar at the moment.

A more up-to-date schedule for the 14.0 release will be published in the
near future, though nothing is yet set in stone.

Thank you for your patience, and for any help in getting us through
these outstanding items.

Glen
On behalf of: re@




----- End forwarded message -----

Dustin Marquess

Jun 6, 2023, 7:18:42 PM
to HardenedBSD Users, Shawn Webb
On May 4, 2023 at 2:31 PM -0500, Shawn Webb <shawn...@hardenedbsd.org> wrote:
> FreeBSD has its work cut out for it. I think they're going in the
> right direction so far (it appears they will indeed adopt OpenSSL 3 in
> base prior to 14.0-RELEASE landing.)

Good luck to them. The LibreSSL guys seem to have finally leapfrogged OpenSSL again (e.g., no official QUIC in OpenSSL planned for a while) and the OpenSSL team seems to have notorious project management issues. I know Alpine was thinking about maybe going back to LibreSSL ( https://gitlab.alpinelinux.org/alpine/tsc/-/issues/28 ) and the HAProxy guys are pretty scathing about horrible performance in OpenSSL 3: https://www.mail-archive.com/hap...@formilux.org/msg43600.html

-Dustin

Shawn Webb

Jun 7, 2023, 1:10:11 PM
to HardenedBSD Users
On Thu, May 04, 2023 at 03:31:34PM -0400, Shawn Webb wrote:
> Hey all,
>
> I normally wouldn't forward an email from a FreeBSD mailing list to
> the HardenedBSD Users' mailing list, but I think this one warrants it.
>
> The part I think will impact HardenedBSD's users the most is OpenSSL.
> The ZFS stuff is mostly worked out (though I was bitten by it pretty hard
> recently.)
>
> There's an interesting play between base and ports, especially with
> regards to providers of libcrypto.so/libssl.so (OpenSSL, LibreSSL,
> etc.) Even though the announcement discusses FreeBSD's 14.0 release
> schedule, there is also an impact to HardenedBSD 13-STABLE users
> (and, obviously, 14-CURRENT).
>
> FreeBSD has its work cut out for it. I think they're going in the
> right direction so far (it appears they will indeed adopt OpenSSL 3 in
> base prior to 14.0-RELEASE landing.)
>
> While I'm confident in FreeBSD to complete the work with quality, I
> suspect there may be cobwebs and oddities that may cause issues during
> this transitional work. There may still be considerable fallout, given
> the size and complexity of the task at hand.
>
> So, this email is to serve as a heads up. Hopefully the pain will be
> minimal (if at all.)
> ----- End forwarded message -----

FreeBSD has made significant progress in this area, enough so that
they're asking for volunteers to help test.

So, you'll find two new 14-CURRENT branches in the HardenedBSD src
tree:

1. hardened/current/openssl-3.0.9
https://github.com/HardenedBSD/hardenedBSD/tree/hardened/current/openssl-3.0.9
2. hardened/current/cross-dso-cfi_openssl3.0.9
https://github.com/HardenedBSD/hardenedBSD/tree/hardened/current/cross-dso-cfi_openssl3.0.9

I'm currently running the Cross-DSO CFI branch on my laptop. I used
Poudriere to rebuild the few ports I depend on on my laptop. The only
OpenSSL 3.0.9-related build failure was www/node18. Granted, I'm
only building a small subset of the ports tree. Initial results look
promising regardless.

If you would like to help both FreeBSD and HardenedBSD test OpenSSL
3.0.9 in base, please do so and report back any results here.
Reporting both successes and failures is equally important. We need
to know what works and what needs updating.
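The base-versus-ports interplay for libcrypto.so/libssl.so mentioned in the first message, and the port-rebuild testing asked for in the last one, both come down to one practical check: which copy of OpenSSL does a given binary actually resolve to, and does any binary end up loading a base copy and a ports copy at the same time? The script below is an added example, not code from HardenedBSD or FreeBSD. It parses ldd-style output and classifies each libssl/libcrypto dependency by path, assuming the FreeBSD layout where base libraries live under /lib or /usr/lib and ports-installed ones under /usr/local/lib. The embedded ldd output and its sonames are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example: classify which libcrypto/libssl a binary resolves to.
# Assumes FreeBSD/HardenedBSD layout: base libraries under /lib or
# /usr/lib, ports-installed libraries under /usr/local/lib.

# classify_crypto_provider: read ldd output on stdin and print one line per
# libssl/libcrypto dependency in the form "<soname> <base|ports|other> <path>".
classify_crypto_provider() {
    awk '
    $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
        lib = $1; path = $3
        if (path ~ /^\/usr\/local\/lib\//)   src = "ports"
        else if (path ~ /^\/(usr\/)?lib\//)  src = "base"
        else                                 src = "other"
        printf "%s %s %s\n", lib, src, path
    }'
}

# crypto_provider_status: "ok" when every libssl/libcrypto dependency comes
# from a single provider, "mixed" when more than one provider is loaded into
# the same process (two OpenSSL copies with different ABIs, the case most
# likely to break as base moves from 1.1.1 to 3.0), "none" when the binary
# links no TLS library at all.
crypto_provider_status() {
    classify_crypto_provider | awk '
    { seen[$2] = 1; n++ }
    END {
        distinct = 0
        for (k in seen) distinct++
        if (n == 0)            print "none"
        else if (distinct > 1) print "mixed"
        else                   print "ok"
    }'
}

# Constructed ldd output (not captured from a real host); sonames illustrative.
# A ports binary that picked up the base libssl but the ports libcrypto:
SAMPLE_MIXED='/usr/local/bin/example:
    libssl.so.111 => /lib/libssl.so.111 (0x800240000)
    libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0x800400000)
    libc.so.7 => /lib/libc.so.7 (0x800800000)'

# A base utility linked consistently against the base libraries:
SAMPLE_BASE='/usr/bin/fetch:
    libssl.so.111 => /usr/lib/libssl.so.111 (0x800240000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x800400000)
    libc.so.7 => /lib/libc.so.7 (0x800800000)'

# Live use on a FreeBSD/HardenedBSD host: audit every binary given on the
# command line, e.g.  sh check_ssl_provider.sh /usr/local/bin/*
if [ "$#" -gt 0 ]; then
    for bin in "$@"; do
        status=$(ldd "$bin" 2>/dev/null | crypto_provider_status)
        printf '%s: %s\n' "$bin" "$status"
        if [ "$status" = mixed ]; then
            ldd "$bin" 2>/dev/null | classify_crypto_provider
        fi
    done
else
    printf 'sample mixed binary: %s\n' \
        "$(printf '%s\n' "$SAMPLE_MIXED" | crypto_provider_status)"
    printf 'sample base binary:  %s\n' \
        "$(printf '%s\n' "$SAMPLE_BASE" | crypto_provider_status)"
fi
```

Run it over /usr/local/bin/* after a Poudriere rebuild; anything reported as "mixed" is worth reporting back, since it indicates a port that is linking one OpenSSL library from base and the other from ports.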