HardenedBSD January 2026 Status Report

Shawn Webb
9:56 AM
to HardenedBSD Users
Hey all,

January was a busy month with regards to infrastructure. With both OpenSSL and
FreeBSD announcing security fixes, we published new builds just weeks after our
new quarterlies dropped. :-)

Now that we have the new quarterlies, I plan to "MFC" (old FreeBSD CVS/SVN term
for "Merge From Current".) Kids these days call it `git cherry-pick`. MFC is
shorter to type, so that's what I'll use. I plan to MFC a number of commits made
in hardened/current/master to the hardened/15-stable/main branch this week.

I've also received multiple reports of crashes with the 15-STABLE installer. I
haven't been able to work on this just yet, but am hoping to in the next two
weeks. It is almost my current first priority (the MFCs being first.) I figure
that if testing the cherry-picked code proves successful, I could cherry-pick
those commits into the relevant quarterly branch. Kind of a "thank you" gesture
for being patient with me. :-)

I applied relevant updates across the entire infrastructure. I migrated the
package repos from being served by a leased server with limited storage to
being served out of my home, where there is plenty of storage. My next goal is
to fully automate the build, including syncing. This will mark a good next step
toward eventually supporting mirroring of our package repos. It's much easier to
transfer a 140GB package repo over a local 2.5Gbps LAN than a 150Mbps link
upstream.

I spent some time experimenting with Meshtastic and Reticulum. I'm getting a
better picture from a user's perspective on the current state of mesh
networking. My next goal is to teach Reticulum's BackboneInterface
implementation how to work on FreeBSD/HardenedBSD.

Two of the four donated Protectli devices are providing the testing lab for this
Meshtastic and Reticulum research. Even though the timeframe has shifted pretty
dramatically, I'm grateful for their donations and their support.

In src:

1. Opt ipfw into -ftrivial-auto-var-init=zero
2. Remove our old MAC hook for jail/prison destruction (this commit breaks
building secadm. I'm waiting on upstream to implement a specific MAC hook,
and a patch (for src, not for secadm) is being worked on by FreeBSD's
Kyle Evans.)
3. Disable WITNESS' checking of vnode locks by default. FreeBSD changed some
vnode locking semantics and not all filesystem code paths have been
updated. As such, we are seeing vnode locking-related panics. I need to get
a consecutive block of time to dive in. I'm not a filesystems developer, so
this one might take a while to figure out unless someone beats me to it.
4. rc.subr: Ignore required_modules failures in jails (patch submission by
leper4{ _AT_ }protnmail.com.)

In ports:

1. Bump ftp/curl to 8.18.0
2. Update Reticulum to latest git HEAD
3. Disable HARDCFLAGS for devel/avr-gcc
4. Enable ZEROREG for security/openssl3*. This could induce a noticeable
performance hit. Please let me know if you have any serious performance
issues after this next package build.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
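The "MFC via git cherry-pick" workflow described in the report, as an added example that is not part of the original message or of the HardenedBSD repositories: a throwaway repository stands in for hardened/current/master and hardened/15-stable/main (branch names, file names and commit messages here are made up). It shows the two checks a maintainer would want when merging from current to stable: cherry-picking with `-x` so each stable commit records the hash it came from, and `git cherry` to list which current commits have not yet been merged.

```shell
#!/bin/sh
# Added example: simulate an "MFC" (merge from current to stable) with
# git cherry-pick in a scratch repository. Nothing here is HardenedBSD code.
set -eu

# Per-invocation identity so the demo runs on a machine with no git config;
# signing is disabled so a configured GPG key cannot block the commits.
GIT="git -c user.name=example -c user.email=example@example.invalid -c commit.gpgsign=false"

# Builds the repo, performs the MFC, verifies the origin trailer, and prints
# how many commits on "current" are still not on "stable".
mfc_demo() {
    repo=$(mktemp -d)
    cd "$repo"
    $GIT init -q
    echo base > file.txt
    $GIT add file.txt
    $GIT commit -q -m "Initial import"
    $GIT branch -M current          # development branch (stands in for current/master)
    $GIT branch stable              # release branch (stands in for 15-stable/main)

    # Two commits land on current; only the first is considered ready to MFC.
    echo "fix one" >> file.txt
    $GIT commit -q -am "Fix one"
    fix1=$($GIT rev-parse HEAD)
    echo "fix two" >> file.txt
    $GIT commit -q -am "Fix two (not ready for stable)"

    # The MFC itself: -x appends "(cherry picked from commit <hash>)" to the
    # message, so the stable history is auditable back to current.
    $GIT checkout -q stable
    $GIT cherry-pick -x "$fix1" >/dev/null

    # Check 1: the trailer names the exact current commit that was merged.
    $GIT log -1 --format=%B | grep -q "cherry picked from commit $fix1"

    # Check 2: `git cherry stable current` marks commits on current whose patch
    # is absent from stable with '+'. Only "Fix two" should remain.
    remaining=$($GIT cherry stable current | grep -c '^+')

    cd / && rm -rf "$repo"
    echo "$remaining"
}
```

Run `mfc_demo` after sourcing the file; it prints `1`, the single commit still waiting on current. `git cherry` compares patch contents rather than hashes, which is why the cherry-picked "Fix one" is recognised as already merged even though its hash on stable differs.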