HardenedBSD September 2023 Status Report


Shawn Webb

Oct 10, 2023, 10:23:22 AM
to HardenedBSD Users
Hey all,

Sorry I'm a bit late getting the September 2023 status report out. It has been a
busy few weeks.

The HardenedBSD 14-STABLE build infrastructure is back online. A new package
build is running. I apologize for the outage, and I appreciate the patience.

My wife and I are investigating some potential opportunities to purchase a home
and plant our roots in Colorado. There is a chance we might significantly
accelerate our plans to purchase a home, moving the date from around June 2024
to even potentially November or December 2023. Should things go the way I'm
thinking they might, the downtime for the HardenedBSD infrastructure would be
limited to a single weekend, perhaps even a single Saturday.

We would like to ask for more public mirrors. Please reach out to
net...@hardenedbsd.org if you would like to mirror our installation media and OS
update artifacts. This may be especially useful in case we find unexpected dead
trees in the metaphorical forest of purchasing a new-to-us home.

In HardenedBSD's src repo:

1. A conditional in the virtual memory subsystem pertaining to our PaX
NOEXEC-inspired strict W^X implementation. I suspect there may be one or two
more conditionals to double-check.
2. The output provided by the `newvers.sh` build script should be more correct.

In the ports tree:

1. First-time submitter Shion Yorigami provided a fix for lang/gcc-aux.
2. Shion Yorigami provided a fix for security/py-cryptography.
3. Shawn Webb patched ports-mgmt/poudriere-hbsd to take into account the
hardening of the vfs.lookup_cap_dotdot and vfs.lookup_cap_dotdot_nonlocal
sysctl nodes.
4. ports-mgmt/pkg is now built with PIE and LTO.
5. devel/boost-libs now builds.
6. math/symengine now builds.
7. The default version of llvm in ports was bumped from 15 to 16. Because we
build base system libraries with LTO, the default minimum ports llvm version
needs to match the base llvm version.

Additional infrastructure info: the rsync service was moved to a new VM to
account for the additional 14-STABLE build artifacts. I hope to deploy the Tor
Onion Service endpoints for the 14-STABLE build infrastructure this week.

I also worked a bit on hbsdfw, forward-porting the changes to its HardenedBSD
14-STABLE feature branch. I'm still hoping to get a new build out soon-ish, but
it is indeed taking longer than I originally anticipated.

We still have a number of ports that are broken; graphics/sane-backends being
broken prevents editors/libreoffice from building. I'm hoping we can get some
help from the community in fixing broken ports. I really appreciate those who
contribute, no matter the form of contribution--code patches, advocacy, funding,
documentation, etc. It's all equally important and very much appreciated.


Shawn Webb
Cofounder / Security Engineer
