Fwd: Paying to port to FreeBSD

2021-01-14 Thread grarpamp
-- Forwarded message --
From: "James B. Byrne"
Reply-To: byrn...@harte-lyne.ca
Date: Thu, 14 Jan 2021
Subject: Paying to port to FreeBSD

I wish to trial a software package (aubit4gl) on FreeBSD.  The application is
written in C and has a maintainer. However, he is not familiar with FreeBSD
insofar as I can determine and he is busy with other things.

The source package is available as a tarball from sourceforge, or I can provide
it.

What I need is someone familiar with building software on FreeBSD to configure
and build this application in a manner suitable for adding to ports if
possible, but to compile and run properly on FreeBSD at a minimum.

I am willing to pay to have this done if it can be accomplished in a reasonably
short period of time and without a great deal of expense.

If anyone is interested then please contact me directly.

-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne        mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3


FreeBSD moving to Git -- OpenBSD FreeBSD: Why and How

2020-10-23 Thread Zenaan Harkness
Well, good news for OS diversity fans - FreeBSD is transitioning, to Git that 
is :)

   FreeBSD Can Now Be Built From Linux/macOS Hosts, Transition To Git Continues
   https://www.phoronix.com/scan.php?page=news_item=FreeBSD-Q3-2020-Report

  .. - On the Git front, their transitioning from Subversion to Git they
  hope to have a beta repository by the end of October.

  .. - The FreeBSD Ports collection surpassed 40,000 ports/packages.

  .. - As of September it's now possible to build a functioning buildworld
  and buildkernel environment from macOS and Linux hosts. This is done due
  to some CI tools only supporting Linux/macOS and wanting to use them for
  constructing the FreeBSD base system and was sponsored by DARPA.



Apparently even dinosaurs can evolve, after all ;)




On Thu, Nov 14, 2019 at 02:08:56PM +1100, Zenaan Harkness wrote:
> A primary thing *BSD needs for "hip young newbie" attractiveness is
> something less geriatric than CVS as their source code distribution
> system... no matter how secure, stable etc it is, it's $CURRENT_YEAR
> already and I for one welcome our Git overlords.
> 
> There's "conservative, stable processes", then there's simply a lack
> of will to engage the learning curve required to properly learn and
> deploy that which is fundamentally superior in every way (except of
> course, that the commands are different, and from the ultra
> conservative view, that is, in fact, inferior).
> 
> 
> 
> 
> On Wed, Nov 13, 2019 at 07:40:17PM -0700, Kurt Buff - GSEC, GCIH wrote:
> > https://www.over-yonder.net/~fullermd/rants/bsd4linux/01
> > 
> > On Wed, Nov 13, 2019 at 6:03 PM grarpamp  wrote:
> > >
> > > https://sivers.org/openbsd
> > > https://news.ycombinator.com/item?id=21521774
> > >
> > > https://openbsd.org/
> > > https://freebsd.org/


Re: OpenBSD FreeBSD: Why and How

2019-11-13 Thread rooty
HI KURT

 Original Message 
On Nov 13, 2019, 6:40 PM, Kurt Buff - GSEC, GCIH wrote:

> https://www.over-yonder.net/~fullermd/rants/bsd4linux/01
>
> On Wed, Nov 13, 2019 at 6:03 PM grarpamp  wrote:
>>
>> https://sivers.org/openbsd
>> https://news.ycombinator.com/item?id=21521774
>>
>> https://openbsd.org/
>> https://freebsd.org/

Re: OpenBSD FreeBSD: Why and How

2019-11-13 Thread Zenaan Harkness
A primary thing *BSD needs for "hip young newbie" attractiveness is
something less geriatric than CVS as their source code distribution
system... no matter how secure, stable etc it is, it's $CURRENT_YEAR
already and I for one welcome our Git overlords.

There's "conservative, stable processes", then there's simply a lack
of will to engage the learning curve required to properly learn and
deploy that which is fundamentally superior in every way (except of
course, that the commands are different, and from the ultra
conservative view, that is, in fact, inferior).




On Wed, Nov 13, 2019 at 07:40:17PM -0700, Kurt Buff - GSEC, GCIH wrote:
> https://www.over-yonder.net/~fullermd/rants/bsd4linux/01
> 
> On Wed, Nov 13, 2019 at 6:03 PM grarpamp  wrote:
> >
> > https://sivers.org/openbsd
> > https://news.ycombinator.com/item?id=21521774
> >
> > https://openbsd.org/
> > https://freebsd.org/


Re: OpenBSD FreeBSD: Why and How

2019-11-13 Thread Kurt Buff - GSEC, GCIH
https://www.over-yonder.net/~fullermd/rants/bsd4linux/01

On Wed, Nov 13, 2019 at 6:03 PM grarpamp  wrote:
>
> https://sivers.org/openbsd
> https://news.ycombinator.com/item?id=21521774
>
> https://openbsd.org/
> https://freebsd.org/


OpenBSD FreeBSD: Why and How

2019-11-13 Thread grarpamp
https://sivers.org/openbsd
https://news.ycombinator.com/item?id=21521774

https://openbsd.org/
https://freebsd.org/


Git/Mtn for FreeBSD, PGP WoT Sigs, Merkle Hash Tree Based

2019-09-16 Thread grarpamp
For consideration...

SVN really may not offer much in the way of native
internal self authenticating repo to cryptographic levels
of security against bitrot, transit corruption and repo ops,
external physical editing, have much signing options, etc.
Similar to blockchain and ZFS hash merkle-ization,
signing the repo init and later points tags commits,
along with full verification toolset, is useful function.

https://www.monotone.ca/
https://en.wikipedia.org/wiki/Monotone_(software)
https://git-scm.com/
https://en.wikipedia.org/wiki/Git

Maintaining the kernel's web of trust
https://lwn.net/Articles/798230/

Distributing kernel developer PGP keys via pgpkeys.git
https://lkml.org/lkml/2019/8/30/597

Signing patch flow
https://lwn.net/Articles/737093/

Compromised security happens
https://lwn.net/Articles/464233/

https://security.stackexchange.com/questions/67920/how-safe-are-signed-git-tags-only-as-safe-as-sha-1-or-somehow-safer
https://stackoverflow.com/questions/28792784/why-does-git-use-a-cryptographic-hash-function
http://fossil-scm.org/index.html/doc/trunk/www/hashpolicy.wiki
https://ericsink.com/vcbe/html/cryptographic_hashes.html
https://svn.haxx.se/dev/archive-2015-06/0052.shtml
http://git.661346.n2.nabble.com/Verifying-the-whole-repository-td1368311.html
https://shattered.io/
https://www.youtube.com/watch?v=G8wQ88d85s4
https://en.wikipedia.org/wiki/Data_degradation
https://git-scm.com/docs/git-fsck
https://marc.info/?l=git=118143549107708
https://en.wikipedia.org/wiki/Comparison_of_version-control_software
https://en.wikipedia.org/wiki/Deterministic_compilation
https://www.monotone.ca/monotone.html#Trust-Evaluation-Hooks

How does one know their entire copy of repo obtained on
DVD, "mirror", or elsewhere cryptographically
matches the authoritative repo... that any commits
were actually signed off on... or that any reproducible
builds are even reproducing the main repo... etc...
cannot be done without secure crypto infrastructure at
the very core.

"User also knows that even if someone should break into the shared
hosting server and tamper with the database, they won’t be able to
inject malicious code into the project, because all revisions are signed
by the team members, and he has set his Trust Evaluation Hooks so
he doesn’t trust the server key for signing revisions.
In monotone, the important trust consideration is on the signed content,
rather than on the replication path by which that content arrived in your
database."


Note also CVS, which some BSD's still use (ahem: Open, Net),
is even worse than SVN with zero protection
at all in any component regarding this subject.

It's really time to migrate repo tech to year 2020.
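
As an added illustration of the point above (not part of the original post, and not code from Git or Monotone): a small Python model of Git's content-addressed object store, showing why a signature over one commit id covers every file and ancestor beneath it. The `Store` class, the sample files and the identity string are constructed for this example, and `signed_tip` stands in for an id taken from a signed tag whose signature has already been verified.

```python
import hashlib


def object_id(kind: str, body: bytes) -> str:
    """Git names an object by SHA-1 over '<kind> <length>\\0' + body."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\0" + body).hexdigest()


class Store:
    """Constructed in-memory object database: id -> (kind, body)."""

    def __init__(self):
        self.objects = {}

    def put(self, kind, body):
        oid = object_id(kind, body)
        self.objects[oid] = (kind, body)
        return oid

    def blob(self, data):
        return self.put("blob", data)

    def tree(self, files):
        # files maps name -> blob id; a tree embeds each child's raw 20-byte id,
        # so the tree's own id depends on every file beneath it.
        body = b"".join(b"100644 " + name.encode() + b"\0" + bytes.fromhex(oid)
                        for name, oid in sorted(files.items()))
        return self.put("tree", body)

    def commit(self, tree_id, parents, message):
        who = "Example Dev <dev@example.invalid> 0 +0000"  # constructed identity
        lines = [f"tree {tree_id}"] + [f"parent {p}" for p in parents]
        lines += [f"author {who}", f"committer {who}", "", message, ""]
        return self.put("commit", "\n".join(lines).encode())


def references(kind, body):
    """Ids an object points at: its children in the hash DAG."""
    if kind == "commit":
        header = body.split(b"\n\n", 1)[0].decode()
        return [line.split()[1] for line in header.splitlines()
                if line.startswith(("tree ", "parent "))]
    if kind == "tree":
        refs, i = [], 0
        while i < len(body):
            nul = body.index(b"\0", i)          # end of "<mode> <name>"
            refs.append(body[nul + 1:nul + 21].hex())
            i = nul + 21
        return refs
    return []


def fsck(store, tip):
    """Re-hash everything reachable from tip; return a list of problems."""
    problems, todo, seen = [], [tip], set()
    while todo:
        oid = todo.pop()
        if oid in seen:
            continue
        seen.add(oid)
        if oid not in store.objects:
            problems.append(f"missing {oid}")
            continue
        kind, body = store.objects[oid]
        if object_id(kind, body) != oid:
            problems.append(f"corrupt {kind} {oid}")
            continue                             # do not parse a corrupt body
        todo.extend(references(kind, body))
    return problems


def build_history(store, readme=b"hello world\n"):
    """Two constructed commits: import README, then add main.c."""
    first = store.commit(store.tree({"README": store.blob(readme)}), [], "import")
    files = {"README": store.blob(readme),
             "main.c": store.blob(b"int main(void){return 0;}\n")}
    return store.commit(store.tree(files), [first], "add main.c")


def demo():
    origin = Store()
    signed_tip = build_history(origin)   # assumed: id from a verified signed tag

    # Case 1: bitrot or an in-place edit on a mirror/DVD copy.
    mirror = Store()
    mirror.objects = dict(origin.objects)
    mirror.objects[object_id("blob", b"hello world\n")] = ("blob", b"hello w0rld\n")

    # Case 2: the copy was rebuilt consistently around the altered file.
    forged = Store()
    forged_tip = build_history(forged, readme=b"hello w0rld\n")

    return {
        "origin_ok": fsck(origin, signed_tip) == [],
        "edited_in_place": fsck(mirror, signed_tip),
        "forged_self_consistent": fsck(forged, forged_tip) == [],
        "forged_matches_signed_tip": forged_tip == signed_tip,
    }


if __name__ == "__main__":
    print(demo())
```

The second case is the one a bare integrity check misses: the rewritten copy passes its own re-hash, and only comparison against the independently signed tip id exposes it.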


IBM Power9 now running FreeBSD and AMDGPU

2018-12-22 Thread grarpamp
https://news.ycombinator.com/item?id=18531022
https://github.com/POWER9BSD/freebsd
https://www.phoronix.com/scan.php?page=article=power9-x86-servers
https://www.phoronix.com/scan.php?page=news_item=Blackbird-POWER9-Pre-Orders
https://www.phoronix.com/scan.php?page=article=power9-threadripper-core9
https://www.phoronix.com/scan.php?page=news_item=Talos-2-Initial-Hands-On
https://git.raptorcs.com/git/

https://www.raptorcs.com/

RaptorCS accepts Bitcoin BTC


Re: Exploit Lecture: Writing FreeBSD Malware

2018-04-27 Thread Zenaan Harkness
On Fri, Apr 27, 2018 at 10:39:38PM -0400, grarpamp wrote:
> https://www.youtube.com/watch?v=bT_k06Xg-BE
> 
> Without exploit mitigations and with an insecure-by-default design,
> writing malware for FreeBSD is a fun task, taking us back to 1999-era
> Linux exploit authorship. Several members of FreeBSD's development
> team have claimed that Capsicum, a capabilities/sandboxing framework,
> prevents exploitation of applications. Our in-depth analysis of the
> topics below will show that in order to be effective, applying
> Capsicum to existing complex codebases lends itself to wrapper-style
> sandboxing. Wrapper-style sandbox is a technique whereby privileged
> operations get wrapped and passed to a segregated process, which
> performs the operation on behalf of the capsicumized process.

seL4 for the lowest-latency IPC for any such wrapping, sandboxing,
secure-by-default design you might dream up.


> With a
> new libhijack payload, we will demonstrate that wrapper-style
> sandboxing requires ASLR and CFI for effectiveness. FreeBSD supports
> neither ASLR nor CFI. Tying into the wrapper-style Capsicum defeat,
> we'll talk about advances being made with libhijack, a tool announced
> at Thotcon 0x4. The payload developed in the Capsicum discussion will
> be used with libhijack, thus making it easy to extend. We will also
> learn the Mandatory Access Control (MAC) framework in FreeBSD. The MAC
> framework places hooks into several key places in the kernel. We'll
> learn how to abuse the MAC framework for writing efficient rootkits.
> Attendees of this presentation should walk away with the knowledge to
> skillfully and artfully write offensive code targeting both the
> FreeBSD userland and the kernel.
> 
> https://twitter.com/lattera/status/989602709950029824
> 
> Shawn Webb is a cofounder of HardenedBSD, a hardened downstream
> distribution of FreeBSD. With over a decade in infosec, he dabbles in
> both the offensive and defensive aspects of the industry. On the
> advisory board for Emerald Onion, Shawn believes in a more free and
> open Internet. His whole house is wired for Tor. Getting on the Tor
> network is only a network jack away!
> 
> https://www.youtube.com/user/CarolinaConVideos/videos
> 
> CarolinaCon was started in 2005 and has been held every year since.
> With each passing year the conference continues to grow and attract
> more attendees and speakers. As has always been the case, CarolinaCon
> is put together and run by an all-volunteer staff. CarolinaCon is
> proudly brought to you by "The CarolinaCon Group". The CarolinaCon
> Group is a non-profit organization registered in the state of NC,
> dedicated to educating the local and global communities about
> technology, information/network/computer security, and information
> rights.
> 
> The CarolinaCon Group is also closely associated with various 2600
> chapters across NC, SC, TN, VA, LA, DC, GA, PA and NY. Many of the
> volunteers who help develop and deliver CarolinaCon come from those
> chapters.


Exploit Lecture: Writing FreeBSD Malware

2018-04-27 Thread grarpamp
https://www.youtube.com/watch?v=bT_k06Xg-BE

Without exploit mitigations and with an insecure-by-default design,
writing malware for FreeBSD is a fun task, taking us back to 1999-era
Linux exploit authorship. Several members of FreeBSD's development
team have claimed that Capsicum, a capabilities/sandboxing framework,
prevents exploitation of applications. Our in-depth analysis of the
topics below will show that in order to be effective, applying
Capsicum to existing complex codebases lends itself to wrapper-style
sandboxing. Wrapper-style sandbox is a technique whereby privileged
operations get wrapped and passed to a segregated process, which
performs the operation on behalf of the capsicumized process. With a
new libhijack payload, we will demonstrate that wrapper-style
sandboxing requires ASLR and CFI for effectiveness. FreeBSD supports
neither ASLR nor CFI. Tying into the wrapper-style Capsicum defeat,
we'll talk about advances being made with libhijack, a tool announced
at Thotcon 0x4. The payload developed in the Capsicum discussion will
be used with libhijack, thus making it easy to extend. We will also
learn the Mandatory Access Control (MAC) framework in FreeBSD. The MAC
framework places hooks into several key places in the kernel. We'll
learn how to abuse the MAC framework for writing efficient rootkits.
Attendees of this presentation should walk away with the knowledge to
skillfully and artfully write offensive code targeting both the
FreeBSD userland and the kernel.

https://twitter.com/lattera/status/989602709950029824

Shawn Webb is a cofounder of HardenedBSD, a hardened downstream
distribution of FreeBSD. With over a decade in infosec, he dabbles in
both the offensive and defensive aspects of the industry. On the
advisory board for Emerald Onion, Shawn believes in a more free and
open Internet. His whole house is wired for Tor. Getting on the Tor
network is only a network jack away!

https://www.youtube.com/user/CarolinaConVideos/videos

CarolinaCon was started in 2005 and has been held every year since.
With each passing year the conference continues to grow and attract
more attendees and speakers. As has always been the case, CarolinaCon
is put together and run by an all-volunteer staff. CarolinaCon is
proudly brought to you by "The CarolinaCon Group". The CarolinaCon
Group is a non-profit organization registered in the state of NC,
dedicated to educating the local and global communities about
technology, information/network/computer security, and information
rights.

The CarolinaCon Group is also closely associated with various 2600
chapters across NC, SC, TN, VA, LA, DC, GA, PA and NY. Many of the
volunteers who help develop and deliver CarolinaCon come from those
chapters.


Re: [tor-relays] FreeBSD 11.1 ZFS Tor Image

2018-02-28 Thread grarpamp
On Wed, Feb 28, 2018 at 10:43 AM, mick  wrote:
> On Tue, 27 Feb 2018 14:47:06 -0500
> grarpamp  allegedly wrote:
>
>> If ovh vps gives root, bypass the fee with: md(4) vnode > geli >
>> mount.
>>
>> Then again, if the iron isn't dipped in epoxy (not done), in your own
>> secure datacenter (not extant), on trusted #OpenHW (not AMD / Intel /
>> or any other to date), built in trusted #OpenFabs (non extant),
>> running validated #OpenSW (non extant), in a voluntarist libertarian
>> environment free from force, one's use case might be moot.
>>
>
> Gotta love you Grarpamp. :-)
>
> But in the real world we /have/ to trust someone, somewhere, somehow,
> sometime. What everyone has to decide for themselves is /how much/ trust
> to give, to whom, when, where and why. And that depends entirely on your
> threat model and your appetite for risk.

Sorry, but with decades of both plausible and exploited risk extant,
with however many million millionaires and significant billionaires,
and crowdfunding (further enhanced by the dawn of cryptocurrency
and all its new models that can be brought to bear)... there is no
rational reason to continue this global head in sand downplay and
refusal to get moving and start building #OpenHW in #OpenFabs.
The old goalpost of who, where, how, when, and how much open
and even explicitly proven trust exists in HW / Fabs simply must
start shifting for the better until it becomes the new "real world".
Further, such trust is profitable business model.

If kids can build home semiconductor labs making open IC's,
you can bet the above sponsors with those visionaries can
easily scale beyond a billion gates.

https://www.youtube.com/results?search_query=home+semiconductor+fab

(Obligatory credit given to #OpenSW for at least being opensource,
but they're hardly under open validation programs yet either.)


FreeBSD 2017Q2 Report

2017-10-08 Thread grarpamp
https://www.freebsd.org/news/status/report-2017-04-2017-06.html


Re: FreeBSD

2017-04-13 Thread Kurt Buff
On Wed, Apr 12, 2017 at 10:35 PM, grarpamp <grarp...@gmail.com> wrote:
> FreeBSD: Not a Linux Distro
> https://www.youtube.com/watch?v=wwbO4eTieQY
>
> https://www.youtube.com/results?search_query=freebsd+raspberry+pi

Somewhat dated, but still relevant:
http://www.over-yonder.net/~fullermd/rants/bsd4linux/01


FreeBSD

2017-04-12 Thread grarpamp
FreeBSD: Not a Linux Distro
https://www.youtube.com/watch?v=wwbO4eTieQY

https://www.youtube.com/results?search_query=freebsd+raspberry+pi


Re: FreeBSD Status Report

2016-11-15 Thread John Newman
A lot of people don't know the Jolitz 386BSD (precursor to all the modern BSDs) 
was out and fully running in like 92.  

I'm almost positive it had fuller functionality than the early ancient Linux 
distros. I think there were some licensing issues that had people iffy on the 
"legality" of running it early on... 


John

> On Nov 15, 2016, at 3:05 AM, grarpamp <grarp...@gmail.com> wrote:
> 
> https://www.freebsd.org/news/status/report-2016-07-2016-09.html
> 
> As focused as we are on the present and what is happening now, it is
> sometimes useful to take a fresh look at where we have come from, and
> where we are going. This quarter, we had our newest doc committer
> working to trace through the tangled history of many utilities, and we
> also get a glimpse looking forward at what may come in FreeBSD 12.
> 
> Though 11.0-RELEASE was not finalized until after the period covered
> in this report, we can still have some anticipatory excitement for the
> features that will be coming in 12.0. The possibilities are
> tantalizing: a base system with no GPL components, arm64 as a Tier-1
> architecture, capsicum protection for common utilities, and the
> CloudABI for custom software are just a few.
> 
> The work of the present is no less exciting, with 11.0 making its way
> out just after the end of Q3, the new core coming into its own, and
> much more that you'll have to read and find out.



FreeBSD Status Report

2016-11-15 Thread grarpamp
https://www.freebsd.org/news/status/report-2016-07-2016-09.html

As focused as we are on the present and what is happening now, it is
sometimes useful to take a fresh look at where we have come from, and
where we are going. This quarter, we had our newest doc committer
working to trace through the tangled history of many utilities, and we
also get a glimpse looking forward at what may come in FreeBSD 12.

Though 11.0-RELEASE was not finalized until after the period covered
in this report, we can still have some anticipatory excitement for the
features that will be coming in 12.0. The possibilities are
tantalizing: a base system with no GPL components, arm64 as a Tier-1
architecture, capsicum protection for common utilities, and the
CloudABI for custom software are just a few.

The work of the present is no less exciting, with 11.0 making its way
out just after the end of Q3, the new core coming into its own, and
much more that you'll have to read and find out.


Re: FreeBSD 11.0 Released

2016-10-12 Thread John Newman
On Wed, Oct 12, 2016 at 07:16:47AM -0400, John Newman wrote:
> >> No. Ipfilter (aka: Ipf) is Darren's / Phil's and has been
> >> dropped by Open and Dragonfly BSD, for license and
> >> other reasons, including being a dead project.
> >> last release: e9d51c6e58f549c4ab499254c81c90d2
> >> 
> >> PF (packet filter) is Open's, IPFW2 (ipfirewall) is Free's,
> >> NPF is Net's, IPFW3 is Dragon's. All actively maintained
> >> by their own communities. PF is ported to all.
> > 
> > Right, but all the SYNTAX was stolen from IPF.  Or copied. Whatever you 
> > want to call it.
> > 
> > Pf has made some nice improvements in the years since, but there is no 
> > doubt it started as a clone of IPF so Theo could include the superior 
> > software firewall mechanism in openbsd without the license restrictions.
> > 
> > 
> > John
> 
> I've always thought the IPFW mechanism in FreeBSD was crap, compared to 
> IPF/PF, just as an aside... 
> 
> Years ago IPF was actually also ported to Solaris and Linux. I used it on 
> some Sun boxes when I was just a little guy a long fucking time ago.  
> 
> 
> John
> > 
> 

Off-topic - I can't stand the way the phone email clients I habitually
use format email. The results come out looking horrible. It's rare
that I have a chance to reply to the list from an actual computer
(generally I'm too busy when I'm in front of a real computer)...

Anyway, I suppose I could start using mutt on android :P 


John




Re: FreeBSD 11.0 Released

2016-10-12 Thread John Newman

> On Oct 12, 2016, at 7:04 AM, John Newman <j...@synfin.org> wrote:
> 
> 
>>> On Oct 12, 2016, at 12:48 AM, grarpamp <grarp...@gmail.com> wrote:
>>> 
>>> On Tue, Oct 11, 2016 at 2:28 PM, John Newman <j...@synfin.org> wrote:
>>> Yes I use FreeBSD 10
>>> it has supported PF
>>> for a long time, which it basically stole from
>>> openbsd (who stole it from Darren Reed).
>> 
>> No. Ipfilter (aka: Ipf) is Darren's / Phil's and has been
>> dropped by Open and Dragonfly BSD, for license and
>> other reasons, including being a dead project.
>> last release: e9d51c6e58f549c4ab499254c81c90d2
>> 
>> PF (packet filter) is Open's, IPFW2 (ipfirewall) is Free's,
>> NPF is Net's, IPFW3 is Dragon's. All actively maintained
>> by their own communities. PF is ported to all.
> 
> Right, but all the SYNTAX was stolen from IPF.  Or copied. Whatever you want 
> to call it.
> 
> Pf has made some nice improvements in the years since, but there is no doubt 
> it started as a clone of IPF so Theo could include the superior software 
> firewall mechanism in openbsd without the license restrictions.
> 
> 
> John

I've always thought the IPFW mechanism in FreeBSD was crap, compared to IPF/PF, 
just as an aside... 

Years ago IPF was actually also ported to Solaris and Linux. I used it on some 
Sun boxes when I was just a little guy a long fucking time ago.  


John
> 



Re: FreeBSD 11.0 Released

2016-10-12 Thread John Newman

> On Oct 12, 2016, at 12:48 AM, grarpamp <grarp...@gmail.com> wrote:
> 
>> On Tue, Oct 11, 2016 at 2:28 PM, John Newman <j...@synfin.org> wrote:
>> Yes I use FreeBSD 10
>> it has supported PF
>> for a long time, which it basically stole from
>> openbsd (who stole it from Darren Reed).
> 
> No. Ipfilter (aka: Ipf) is Darren's / Phil's and has been
> dropped by Open and Dragonfly BSD, for license and
> other reasons, including being a dead project.
> last release: e9d51c6e58f549c4ab499254c81c90d2
> 
> PF (packet filter) is Open's, IPFW2 (ipfirewall) is Free's,
> NPF is Net's, IPFW3 is Dragon's. All actively maintained
> by their own communities. PF is ported to all.

Right, but all the SYNTAX was stolen from IPF.  Or copied. Whatever you want to 
call it.

Pf has made some nice improvements in the years since, but there is no doubt it 
started as a clone of IPF so Theo could include the superior software firewall 
mechanism in openbsd without the license restrictions.


John




Re: FreeBSD 11.0 Released

2016-10-12 Thread grarpamp
On Tue, Oct 11, 2016 at 1:08 PM, Tom <t...@vondein.org> wrote:
> You didn't ask, but: if you ever use FreeBSD for a longer time, you'll
> never go back to Linux. At least not voluntarily :)

Many don't get that the Linux "distros" are often just that,
distributions... of the same damn thing... they make some app
bundling and packager choices but that's about it. Except for
the commercial ventures like RedHat which do contribute sizeable
raw development.
Whereas the BSD's all picked something long ago and generally
stick with it to this day, with blending across them...
Open - secure, free
Free - serving, all around utility, hardware, storage
Dragon - clustering
Net - platforms including your toaster

> In the end you'll need to compare them yourself, features, policies,
> hardware support, security, whatever.

That's the key as always. Someone really needs to
maintain a giant wiki table with this and the bsd's.


Re: FreeBSD 11.0 Released

2016-10-12 Thread Tom
On Wed, Oct 12, 2016 at 02:18:40AM -0400, grarpamp wrote:
> > Also of note that GNU also has its own kernel, Hurd (microkernel-based),
> > which is still under development a couple of decades later.
> 
> So is plan9 and a bunch of other stuff that still hasn't
> gone anywhere. Oh well.

But don't worry, it's already scheduled for 2057. Be prepared ...



- Tom


Re: FreeBSD 11.0 Released

2016-10-12 Thread grarpamp
On Wed, Oct 12, 2016 at 2:04 AM, Shawn K. Quinn  wrote:
> It is important not to confuse Linux, the kernel, with GNU, the actual

I don't. Sure there's bsd-gnuland and linux-bsdland hybrids now too.
Yet to a bsd user, the linux kernel is the most visible trackable thing
to them guiding what they can do with any linux (even though to match
a bsd base you have to pack at least binutils and glibc to linux kernel...
but that's mostly moot herein).

> Also of note that GNU also has its own kernel, Hurd (microkernel-based),
> which is still under development a couple of decades later.

So is plan9 and a bunch of other stuff that still hasn't
gone anywhere. Oh well.


Re: FreeBSD 11.0 Released

2016-10-12 Thread Shawn K. Quinn
On Wed, 2016-10-12 at 01:50 -0400, grarpamp wrote:
> Linux is on its own M.m.r release model.

It is important not to confuse Linux, the kernel, with GNU, the actual
operating system. Linux, the kernel, and GNU, the operating system, are
developed mostly independently of each other. Technically, there is no
requirement that one run only a GNU variant under Linux, the kernel, or
that GNU must run only under Linux, the kernel (in fact there is or at
least was a port of GNU to the FreeBSD kernel at one time).

Also of note that GNU also has its own kernel, Hurd (microkernel-based),
which is still under development a couple of decades later.

-- 
Shawn K. Quinn <skqu...@rushpost.com>



Re: FreeBSD 11.0 Released

2016-10-11 Thread grarpamp
>>> 0 * * * * cd /usr/src && make world
>
> Looks really promising. Doing something like this automatically on the
> Linux Kernel + monkey patching, would probably break in the first try.

Open uses continuous integration, they're picky about it.
Free spreads the same idea across whatever RELENG_M
branches are open... 9,10,11 right now, and adds release
branches. Linux is on its own M.m.r release model.
It's all pretty reliable so long as you look over your
output to detect relatively rare build fail.

> Same goes with the Gentoo port system.

Ports on any os seem like will always be spotty,
far too many dependencies and upstream change.
That's more or less expected.


Re: FreeBSD 11.0 Released

2016-10-11 Thread grarpamp
On Tue, Oct 11, 2016 at 2:28 PM, John Newman <j...@synfin.org> wrote:
> Yes I use FreeBSD 10
> it has supported PF
> for a long time, which it basically stole from
> openbsd (who stole it from Darren Reed).

No. Ipfilter (aka: Ipf) is Darren's / Phil's and has been
dropped by Open and Dragonfly BSD, for license and
other reasons, including being a dead project.
last release: e9d51c6e58f549c4ab499254c81c90d2

PF (packet filter) is Open's, IPFW2 (ipfirewall) is Free's,
NPF is Net's, IPFW3 is Dragon's. All actively maintained
by their own communities. PF is ported to all.


Re: FreeBSD 11.0 Released

2016-10-11 Thread Ben Mezger
Thanks Tom, I will look into it more and perhaps give it a try. OpenBSD
has lots of packages, but unfortunately not the ones I really need.

>> Oh - and not caring about security doesn't lead to an insecure system
>> necessarily. Many years ago we made an audit of some BSDi machine: it
>> had all patches installed and was top secure. However, nobody had been
>> logged in for a couple of years. So, why was it so secure? Because:
>> 
>> 0 * * * * cd /usr/src && make world

Looks really promising. Doing something like this automatically on the
Linux Kernel + monkey patching, would probably break in the first try.
Same goes with the Gentoo port system.

On 11/10/16 15:43, Tom wrote:
> On Tue, Oct 11, 2016 at 02:13:28PM -0300, Ben Mezger wrote:
>> As I am still trying to understand OpenBSD's core, is there a main reason
>> I should check out FreeBSD (except the reasons you pointed out)?
> 
> In the end you'll need to compare them yourself, features, policies,
> hardware support, security, whatever.
> 
> I just happen to like FreeBSD more and Theo de Raadt less :)
> 
>> How is the default security on FreeBSD?
> 
> Why, pretty good I'd say. 
> 
>> "FreeBSD devs don't really care much about security as much as they should"
>> How true is this statement?
> 
> Replace "FreeBSD Users" with "human beings" and the sentence might be
> true. Of course there are uncaring FreeBSD users, as are uncaring
> Windows, OSX or OpenBSD users.
> 
> Oh - and not caring about security doesn't lead to an insecure system
> necessarily. Many years ago we made an audit of some BSDi machine: it
> had all patches installed and was top secure. However, nobody had been
> logged in for a couple of years. So, why was it so secure? Because:
> 
> 0 * * * * cd /usr/src && make world
> 
> :-)
>  
>> 1. How does FreeBSD handle ASLR? If any, does it use SEGVGUARD?
>> 3. How about W^X?
>> 4. Trusted Path Execution?
> 
> I'm not sure about all those things, google will help you with details.
> Maybe HardenedBSD, NetBSD or - as you're already using - OpenBSD might
> be better suited from this perspective.
> 
>> 2. How easy can I sandbox software? Using jails only?
> 
> There's bhyve. I use jails and am very happy with it.
> 
> 
> 
> - Tom
> 

-- 
Kind Regards,
Ben Mezger

Met vriendelijke groet,
Ben Mezger


Re: FreeBSD 11.0 Released

2016-10-11 Thread Tom
On Tue, Oct 11, 2016 at 02:13:28PM -0300, Ben Mezger wrote:
> As I am still trying to understand OpenBSD's core, is there a main reason
> I should check out FreeBSD (except the reasons you pointed out)?

In the end you'll need to compare them yourself, features, policies,
hardware support, security, whatever.

I just happen to like FreeBSD more and Theo de Raadt less :)

> How is the default security on FreeBSD?

Why, pretty good I'd say. 

> "FreeBSD devs don't really care much about security as much as they should"
> How true is this statement?

Replace "FreeBSD Users" with "human beings" and the sentence might be
true. Of course there are uncaring FreeBSD users, as are uncaring
Windows, OSX or OpenBSD users.

Oh - and not caring about security doesn't lead to an insecure system
necessarily. Many years ago we made an audit of some BSDi machine: it
had all patches installed and was top secure. However, nobody had been
logged in for a couple of years. So, why was it so secure? Because:

0 * * * * cd /usr/src && make world

:-)
 
> 1. How does FreeBSD handle ASLR? If any, does it use SEGVGUARD?
> 3. How about W^X?
> 4. Trusted Path Execution?

I'm not sure about all those things, google will help you with details.
Maybe HardenedBSD, NetBSD or - as you're already using - OpenBSD might
be better suited from this perspective.

> 2. How easy can I sandbox software? Using jails only?

There's bhyve. I use jails and am very happy with it.



- Tom


Re: FreeBSD 11.0 Released

2016-10-11 Thread grarpamp
>> ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.0/
>
> crypto signature and downloading the checksums from the same (possibly

They're in the release announcement linked in OP.

As I've said before, FreeBSD has issues with strong cryptographic
provenance, stemming from their choice of repo, on out to iso's and
packages. But they're getting better fast. ie: They're almost, if not
100%, reproducible builds now... see new flags to ar(1) for a simple
example, commitlogs 'reproducible'.

> As an aside, why big vendors choose linux (android, wireless routers,
> etc) instead of the permissive BSD license (do the fuck what you want,
> no GPL, no Stallman)? (BSD appears to support less hardware, but for few
> bucks this can be solved).

Vendors are cheap, including not paying devs to "do the fuck they want",
so they choose whatever licence won't get them sued (either is fine),
and whatever os has been cobbled together for their hardware, and
is known to the vendors cobbled together team. That's usually linux,
or windows.
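
The question raised in this thread (checksums fetched from the same plain-FTP host prove nothing if that host is compromised) and the answer (take the digests from the release announcement) can be expressed as a check. This is an added example, not FreeBSD project code; it assumes the announcement text has already passed PGP signature verification (not shown), and the file name, image bytes and manifests below are constructed.

```python
import hashlib
import re

# BSD-style digest line, e.g. "SHA256 (file.iso) = <hex>"
LINE = re.compile(r"^(SHA256|SHA512) \(([^)]+)\) = ([0-9a-f]+)$")


def parse_manifest(text):
    """Return {file name: {algorithm: hex digest}} from BSD-style lines."""
    found = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            algo, name, hexdigest = m.groups()
            found.setdefault(name, {})[algo] = hexdigest
    return found


def matches(data, digests):
    """True only if at least one digest is listed and every one agrees."""
    # Real images should be hashed in chunks from disk; bytes keep this short.
    return bool(digests) and all(
        hashlib.new(algo.lower(), data).hexdigest() == want
        for algo, want in digests.items())


def check_image(name, data, mirror_manifest, signed_manifest):
    """Classify a download against digests from two different channels.

    signed_manifest: digest lines from the signature-verified announcement.
    mirror_manifest: checksum file fetched from the same host as the image.
    """
    signed = parse_manifest(signed_manifest).get(name)
    if not signed:
        return "unlisted"          # nothing trustworthy to compare against
    if matches(data, signed):
        return "ok"
    if matches(data, parse_manifest(mirror_manifest).get(name, {})):
        # Image and its checksum file agree with each other but not with the
        # signed digests: both were replaced on the download host.
        return "mirror-replaced"
    return "corrupt"               # agrees with neither: damaged in transit


def manifest_for(name, data):
    """Build constructed digest lines for the demo."""
    return "\n".join(
        f"{algo} ({name}) = {hashlib.new(algo.lower(), data).hexdigest()}"
        for algo in ("SHA256", "SHA512"))


def demo():
    name = "example-disc1.iso"                        # constructed file name
    genuine = b"constructed image bytes\n"
    swapped = b"constructed image bytes, backdoored\n"
    announcement = "Constructed announcement text\n" + manifest_for(name, genuine)
    honest_mirror = manifest_for(name, genuine)
    owned_mirror = manifest_for(name, swapped)
    return [
        check_image(name, genuine, honest_mirror, announcement),
        check_image(name, swapped, owned_mirror, announcement),
        check_image(name, genuine[:-1], honest_mirror, announcement),
        check_image("other.iso", genuine, honest_mirror, announcement),
    ]


if __name__ == "__main__":
    print(demo())
```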


Re: FreeBSD 11.0 Released

2016-10-11 Thread Georgi Guninski
On Tue, Oct 11, 2016 at 01:50:20AM -0400, grarpamp wrote:
> Alternative OS news [not Windows, not Linux]...
> 
> ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.0/

Nice to see open source competition :)

How do I verify the ISOs from the above plain ftp url, there is no
crypto signature and downloading the checksums from the same (possibly
owned) site doesn't make much sense.

As an aside, why big vendors choose linux (android, wireless routers,
etc) instead of the permissive BSD license (do the fuck what you want,
no GPL, no Stallman)? (BSD appears to support less hardware, but for few
bucks this can be solved).


Re: FreeBSD 11.0 Released

2016-10-10 Thread grarpamp
https://www.freebsd.org/ports/


FreeBSD 11.0 Released

2016-10-10 Thread grarpamp
Alternative OS news [not Windows, not Linux]...

https://www.freebsd.org/releases/11.0R/announce.html
https://www.freebsd.org/releases/11.0R/relnotes.html
https://www.freebsd.org/features.html
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/
https://forums.freebsd.org/
ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.0/