Thank you & farewell to HardenedBSD


Uwe Trenkner

Nov 28, 2022, 10:54:02 AM
to HardenedBSD Users
Dear all,

in 2019, I first used HardenedBSD on a production server. More servers
were added in the following years. But I recently migrated my last
server (back) to FreeBSD. I would like to use the opportunity to say
thank you to Shawn and the other project members and everyone with whom
I interacted on the mailing list.

I would like to explain why I have moved away from HardenedBSD. Please,
do not read it as an attack on the project or anyone in particular!

When I first used HardenedBSD it was out of a belief that it would make
my server more secure and also easier to maintain (at that time we had
very frequent patches to FreeBSD’s base system due to software such as
OpenSSL and NTPd, both of which were replaced by HardenedBSD through
saner alternatives). I also hoped that HardenedBSD would become the
testbed for new security features that would later be included in
FreeBSD. However, first the project had to bid farewell to LibreSSL due
to lack of manpower. And then I found out more and more that updating
HardenedBSD was somewhat of an adventure, e.g. would the new kernel play
with the secadm kernel module? Or would the server stop booting because
of incompatibility. Updating the operating system or packages also
required (more) downtime because of secadm as it prevents the unlinking
of certain files. And several times I (and others) found out that some
port did not build anymore on a new HardenedBSD version. Sometimes, I
found out in advance via the mailing list, sometimes I ran into trouble
myself. As a result, I often found myself postponing necessary updates.
I began with the 11 branch, but that was silently phased out. I think
updates stopped for something like ¾ year before the end of the official
support was announced, again due to lack of manpower. The main servers
of the project had to be moved to new locations several times since
2019, sometimes resulting in weeks of downtime and no updates.

Overall, my two hopes/expectations have not come true: HardenedBSD has
not made my admin life easier. And unfortunately, I do not see FreeBSD
picking up on the security solutions developed by the HardenedBSD
project. The differences between the two operating systems seem to get
bigger and bigger, sometimes leading to additional build problems on the
part of HardenedBSD.

I absolutely see value in HardenedBSD and I am thankful for the work you
all put into it. But for my use cases, it does not feel like the best
solution. That’s why I am saying farewell. I just sent another donation
to the HardenedBSD project and wish you all the best.

Kind regards
Uwe

Dustin Marquess

Nov 28, 2022, 7:06:50 PM
to HardenedBSD Users, Uwe Trenkner
On Nov 28, 2022 at 9:54 AM -0600, Uwe Trenkner <utr...@gmail.com>, wrote:
> Dear all,
>
> in 2019, I first used HardenedBSD on a production server. More servers
> were added in the following years. But I recently migrated my last
> server (back) to FreeBSD. I would like to use the opportunity to say
> thank you to Shawn and the other project members and everyone with whom
> I interacted on the mailing list.

I indeed thank Shawn, Loic, and MrUnix for all that they've done to make HardenedBSD so incredible!
> When I first used HardenedBSD it was out of a belief that it would make
> my server more secure and also easier to maintain (at that time we had
> very frequent patches to FreeBSD's base system due to software such as
> OpenSSL and NTPd, both of which were replaced by HardenedBSD through
> saner alternatives). I also hoped that HardenedBSD would become the
> testbed for new security features that would later be included in
> FreeBSD. However, first the project had to bid farewell to LibreSSL due
> to lack of manpower. And then I found out more and more that updating
> HardenedBSD was somewhat of an adventure, e.g. would the new kernel play
> with the secadm kernel module? Or would the server stop booting because
> of incompatibility. Updating the operating system or packages also
> required (more) downtime because of secadm as it prevents the unlinking
> of certain files. And several times I (and others) found out that some
> port did not build anymore on a new HardenedBSD version. Sometimes, I
> found out in advance via the mailing list, sometimes I ran into trouble
> myself. As a result, I often found myself postponing necessary updates.
> I began with the 11 branch, but that was silently phased out. I think
> updates stopped for something like ¾ year before the end of the official
> support was announced, again due to lack of manpower. The main servers
> of the project had to be moved to new locations several times since
> 2019, sometimes resulting in weeks of downtime and no updates.

I could be wrong since I run -CURRENT, but I thought that even in -STABLE secadm got replaced? Since I moved to the extended attribute system managed by hbsdcontrol.sh, I haven't had any boot issues caused by HardenedBSD at all. In fact, the 2-3 times I've had boot issues were all caused by -CURRENT breakage from upstream FreeBSD (mainly UEFI).

I've also luckily never really been impacted by port breakages, especially recently, as Loic has been pretty responsive in that respect.

As for LibreSSL, while I much prefer it for security, the way they handled the OPENSSL_VERSION macro (causing all kinds of API check issues), plus dragging their feet on TLSv1.3 support, basically caused them to be tossed on the back burner by everybody. I don't fault Shawn for switching away from it; Void Linux and many others did it too.

> Overall, my two hopes/expectations have not come true: HardenedBSD has
> not made my admin life easier. And unfortunately, I do not see FreeBSD
> picking up on the security solutions developed by the HardenedBSD
> project. The differences between the two operating systems seem to get
> bigger and bigger, sometimes leading to additional build problems on the
> part of HardenedBSD.
Sadly I think the reason that HardenedBSD exists in the first place is also the reason why the features don't seem to make them back upstream: the FreeBSD devs simply don't want them for some reason.

Personally, I've had pretty much the exact opposite experience to yours. The more servers I've moved off of FreeBSD, Linux, and even Illumos over to HardenedBSD, the less I've had to worry about and deal with.

-Dustin