HardenedBSD December 2025 Status Report


Shawn Webb

Dec 28, 2025, 3:48:55 PM
to HardenedBSD Users
Happy Holidays!

This status report is going to be a lengthy one. Due to scheduling conflicts, I
was unable to get out the November status report, so this one will cover the two
months November - December 2025.

A large portion of my focus has been on the infrastructure, getting a build
environment for the recently-created hardened/15-stable/main branch. As
discussed in a previous mailing list thread[1], the 14-STABLE build
infrastructure has now been migrated to 15-STABLE. We have archived the last
14-STABLE package build, which last completed on 24 Dec 2025.

We self-host nearly the entirety of our infrastructure out of my home. We have
only one leased server, from the fine folks at NetActuate (previously RootBSD).
This leased server hosts our main website, the hbsd-update build artifacts, and
the package repos. Our package repos, naturally, grow over time. Back when we
started this, each package repo was at most 75GB in size. Now we're encroaching
on 135GB.

We now have a 30TB NAS in the home-based infrastructure. In order to support the
growth, we will be migrating the package repo to the home infra. The package
repos themselves have already been migrated. The only thing left to do is adjust
the various DNS entries. I plan to do that once we have a usable 15-STABLE
package repo. We will update this[2] mailing list thread when the migration has
completed, DNS records and all. There will likely be a little blip in HTTPS/TLS
connections as we regenerate LetsEncrypt certs. There's a delicate dance here. I
plan to keep everyone informed as to when I begin and complete the process.

The 14-STABLE build server (which is now being migrated to 15-STABLE) housed two
VMs:

1. The OS installer/update build VM. This builds the artifacts published at
https://installers.hardenedbsd.org/ and mirrors.
2. The package build VM.

When we deployed that (stupendously) slow server to test its capabilities as a
build server for 15-STABLE, we followed the same pattern: two separate VMs. We
are going to keep the 15-STABLE OS installer/update build VM on that slow
server. We're going to power off the 14-STABLE OS build VM and increase the
resources to the package build VM. This means we should be able to decrease the
time it takes for that server to produce a usable package repo. Naturally, this
comes at a cost of a slow build time for the OS installer/updates, but that
process can tolerate **a lot** of slowness. So long as it can produce its build
artifacts in less than 48 hours, I'm satisfied. It's the package building
(36,000+ packages) that takes the most resources.

I spent a lot of time in the ports tree over the past couple months. The focus
was on fixing ports broken by the various hardening techniques we employ. The
introduction of -Werror=format-security caused a large amount of fallout, which
I have been addressing. While addressing those, I figured I might as well fix
ports broken by the other techniques.

I'm working on enhancing libhbsdcontrol with better error handling. I'm hoping
to have that work committed in early January 2026.

I'm hoping in January to spend some time on hbsdfw. The VM I've been using to
build hbsdfw has been panicking when the Poudriere build finishes when building
the hbsdfw packages. In Q1 2026, I plan to migrate hbsdfw from HardenedBSD
14-STABLE to 16-CURRENT. Following the hardened/current/master src branch will
lighten my load in maintaining this little hobby subproject.

I need to file a bug report upstream in FreeBSD/OpenZFS to track this kernel
panic. The panic happens when something during the build checks whether PaX
PAGEEXEC is enabled through looking up a filesystem extended attribute. OpenZFS
recently changed how filesystem extended attributes work, so it's possible we're
hitting a unique edge case.

In January, I'm going to get two lab environments set up:

1. Internal Reticulum nodes to test the Reticulum protocol and its potential for
use with our censorship- and surveillance-resistant mesh network R&D.
2. Internal Radicle nodes to start concerted testing to eventually replace
GitLab with Radicle.

I feel somewhat down for not making more progress this year on the censorship-
and surveillance-resistant networks. I'm hoping to place more emphasis on this
in 2026.

In src:

1. Always build elftc-nm and elft-ar
2. TPE: Ensure user-owned vnodes are unwritable
3. ASLR: Use VMFS_NO_SPACE to map the stack
4. Add various C/C++ hardening flags
* -fno-delete-null-pointer-checks
* -Werror=format-security
5. Unlock the sound mutex on error
6. Fix branch detection in release
7. Disable SafeStack for the Unbound daemon
8. Some pkgbase-related work

In ports (this is gonna be a long list (our longest to date)):

1. Disable LINUX for x11/nvidia-kmod
2. ftp/curl: Fixup .onion patch
3. Add "general compilation hardening" USES
4. Delete unneeded patch for databases/redis
5. Fix archivers/zip
6. Disable hardcflags for devel/m4
7. Disable hardcflags for lang/gcc13
8. Disable HARDCFLAGS for devel/t1lib
9. Fix HARDCFLAGS errors for devel/ctags
10. Disable HARDCFLAGS for archivers/unzip
11. Fix HARDCFLAGS for net-mgmt/libsmi
12. Disable HARDCFLAGS for x11-toolkits/open-motif
13. Disable HARDCFLAGS for devel/expect
14. Fix the devel/ivykis port
15. Fix HARDCFLAGS for multimedia/webcamd
16. Disable HARDCFLAGS for lang/gcc12
17. Disable HardenedBSD features for lang/gcc14
18. Disable HardenedBSD features for lang/gcc15
19. Disable HardenedBSD features for lang/gcc16-devel
20. Fix HARDCFLAGS for multimedia/smpeg
21. Disable HARDCFLAGS for devel/elfutils
22. Fix HARDCFLAGS for converters/recode
23. Disable fortifysource for graphics/netpbm
24. Fix hardcflags for devel/fortytwo-encore
25. Fix HARDCFLAGS for graphics/libvisual04
26. Disable HARDCFLAGS for devel/kBuild
27. Fix HARDCFLAGS for devel/libbegemot
28. Fix HARDCFLAGS for games/pmars-sdl
29. Disable FORTIFYSOURCE for security/signify
30. Disable HARDCFLAGS for mail/mailutils
31. Fix HARDCFLAGS for devel/ta-lib
32. Fix HARDCFLAGS for math/spooles
33. Fix HARDCFLAGS for textproc/wv
34. Fix HARDCFLAGS for databases/sqlite2
35. Disable HARDCFLAGS for graphics/lensfun
36. Fix HARDCFLAGS for devel/rlwrap
37. Disable fortifysource for mail/opensmtpd
38. Fix HARDCFLAGS for x11-toolkits/unique
39. Fix HARDCFLAGS for devel/efivar
40. Fix HARDCFLAGS for lang/f2c
41. Fix HARDCFLAGS for textproc/scim-table-imengine
42. Disable FORTIFYSOURCE and HARDCFLAGS for sysutils/fwupd-efi
43. Fix HARDCFLAGS for games/libmt_client
44. Disable HARDCFLAGS for games/gnugo
45. Fix HARDCFLAGS for comms/rxtx
46. Disable PIE and RELRO for databases/redis
47. Fix build for devel/omniORB
48. Fix build of security/rubygem-bcrypt_pbkdf
49. Fix HARDCFLAGS for math/grace
50. Fix HARDCFLAGS for audio/libbs2b
51. Disable HARDCFLAGS for graphics/plotutils
52. Fix HARDCFLAGS for emulators/libretro-reicast
53. Add -Wformat for HARDCFLAGS
54. Disable HARDCFLAGS for graphics/gracula
55. Fix HARDCFLAGS for mail/spmfilter
56. Add cheat support in games/ioquake3
57. Fix HARDCFLAGS for print/catdvi
58. Fix HARDCFLAGS for graphics/seom
59. Fix HARDCFLAGS for deskutils/presage
60. Fix HARDCFLAGS for graphics/alpng
61. Enable SLH for games/ioquake3
62. Fix -Werror=format-security bug in games/ioquake3
63. Fix HARDCFLAGS for x11-toolkits/fox16
64. Disable HARDCFLAGS for graphics/glslang
65. Re-enable PIE and RELRO for databases/redis
66. Fix HARDCFLAGS for converters/uudeview
67. Fix HARDCFLAGS for textproc/gdome2
68. Disable FORTIFYSOURCE for misc/mbuffer
69. Disable HARDCFLAGS for archivers/unarj
70. Disable FORTIFYSOURCE for misc/amanda-{client,server}
71. Disable FORTIFYSOURCE for net/dante
72. Fix HARDCFLAGS for archivers/sharutils
73. Fix HARDCFLAGS for lang/squeak
74. Disable FORTIFYSOURCE for devel/socket_wrapper
75. Fix HARDCFLAGS for net/pvm
76. Fix HARDCFLAGS for audio/snack
77. Fix HARDCFLAGS for textproc/sgmlformat
78. Fix HARDCFLAGS for cad/iverilog
79. Fix HARDCFLAGS for sysutils/genisoimage
80. Disable HARDCFLAGS for games/libretro-boom3
81. Fix HARDCFLAGS for math/testu01
82. Disable FORTIFYSOURCE for devel/pcc-libs
83. Disable PIE for security/cryptlib
84. Fix HARDCFLAGS for mail/addresses-goodies
85. Fix build of devel/ivykis on 14-stable
86. Disable HARDCFLAGS for security/pgpin
87. (0x1eef) Fix grub2-bhyve build error
88. Disable HARDCFLAGS for devel/cunit
89. Disable FORTIFYSOURCE for editors/dte
90. Disable FORTIFYSOURCE for mail/akpop3d
91. Disable HARDCFLAGS for emulators/x48
92. Fix HARDCFLAGS for net/osrtspproxy
93. Fix HARDCFLAGS for mail/qmailmrtg7
94. Fix HARDCFLAGS for print/transfig
95. Disable PIE for graphics/nsxiv
96. Disable FORTIFYSOURCE for devel/uid_wrapper
97. Disable HARDCFLAGS for devel/cweb
98. Fix FORTIFYSOURCE for multimedia/ffmpeg
99. Fix build of lang/gcc14
100. Fix FORTIFYSOURCE for devel/tex-libtexluajit
101. Disable FORTIFYSOURCE and HARDCFLAGS for security/barnyard2
102. Fix build of lang/gcc12
103. Fix build of databases/arrow

[1]: https://groups.google.com/a/hardenedbsd.org/g/users/c/51IARO8noYo/m/asRq6xstAgAJ
[2]: https://groups.google.com/a/hardenedbsd.org/g/users/c/G6HbsE8DA5w/m/I4ouQmNBAAAJ

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
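What -Werror=format-security rejects, and the shape of the fix applied to the ports listed above, as an added example that is not part of the original post or of HardenedBSD's src or ports trees; the function names and the input string are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * The pattern -Werror=format-security turns into a build failure: a
 * non-literal format string with no arguments. Untrusted text such as
 * "%x %n" would then be parsed as directives instead of printed.
 * Kept as a comment so this file builds with the flag enabled:
 *
 *     void log_line_unsafe(const char *msg) { printf(msg); }
 *
 * Hardened form: the format is a literal and the untrusted text is an
 * argument, so it is emitted verbatim.
 */
void log_line(const char *msg)
{
    printf("%s\n", msg);
}

/* Same rule for snprintf; returns bytes that would be written (no NUL),
 * or -1 on an encoding error. */
int render_line(char *out, size_t outlen, const char *msg)
{
    int n = snprintf(out, outlen, "[ports] %s", msg);
    if (n < 0)
        return -1;
    return n;
}

/* Returns 1 if the untrusted text survived rendering untouched. */
int render_is_verbatim(const char *msg)
{
    char buf[256];
    const char *prefix = "[ports] ";

    if (render_line(buf, sizeof(buf), msg) < 0)
        return 0;
    return strncmp(buf, prefix, strlen(prefix)) == 0 &&
           strcmp(buf + strlen(prefix), msg) == 0;
}

int main(void)
{
    /* Constructed input that contains printf directives. */
    const char *hostile = "%x %n";
    log_line(hostile);
    return render_is_verbatim(hostile) ? 0 : 1;
}
```

Build with `cc -Werror=format-security`; uncommenting the unsafe variant makes the build fail, which is the fallout the port fixes above address.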