Podcasts about matthieu herrb


Latest podcast episodes about matthieu herrb

BSD Now
Episode 257: Great NetBSD 8 | BSD Now 257

Aug 2, 2018 83:11


NetBSD 8.0 available, FreeBSD on Scaleway’s ARM64 VPS, encrypted backups with OpenBSD, Dragonfly server storage upgrade, zpool checkpoints, g2k18 hackathon reports, and more.

## Headlines

### NetBSD v8.0 Released

The NetBSD Project is pleased to announce NetBSD 8.0, the sixteenth major release of the NetBSD operating system. This release brings stability improvements, hundreds of bug fixes, and many new features. Some highlights of the NetBSD 8.0 release are:

* USB stack rework, USB3 support added.
* In-kernel audio mixer (audio_system(9)).
* Reproducible builds (MKREPRO, see mk.conf(5)).
* Full userland debug information (MKDEBUG, see mk.conf(5)) available. While most install media do not come with them (for size reasons), the debug and xdebug sets can be downloaded and extracted as needed later. They provide full symbol information for all base system and X binaries and libraries and allow better error reporting and (userland) crash analysis.
* PaX MPROTECT (W^X) memory protection enforced by default on some architectures with fine-grained memory protection and suitable ELF formats: i386, amd64, evbarm, landisk.
* PaX ASLR (Address Space Layout Randomization) enabled by default on: i386, amd64, evbarm, landisk, sparc64.
* Position independent executables by default for userland on: i386, amd64, arm, m68k, mips, sh3, sparc64.
* A new socket layer can(4) has been added for communication of devices on a CAN bus.
* A special pseudo interface ipsecif(4) for route-based VPNs has been added.
* Parts of the network stack have been made MP-safe. The kernel option NET_MPSAFE is required to enable this.
* Hardening of the network stack in general.
* Various WAPBL (the NetBSD file system “log” option) stability and performance improvements.
* Specific to i386 and amd64 CPUs:
  * Meltdown mitigation: SVS (Separate Virtual Space), enabled by default.
  * SpectreV2 mitigation: retpoline (support in gcc), used by default for kernels. Other hardware mitigations are also available.
  * SpectreV4 mitigations available for Intel and AMD.
  * PopSS workaround: user access to debug registers is turned off by default.
  * Lazy FPU saving disabled on vulnerable Intel CPUs (“eagerfpu”).
  * SMAP support.
  * Improvement and hardening of the memory layout: W^X, fewer writable pages, better consistency, better performance.
  * (U)EFI bootloader.
* Many evbarm kernels now use FDT (flat device tree) information (loadable at boot time from an external file) for device configuration, the number of kernels has decreased but the number of boards has vastly increased.
* Lots of updates to 3rd party software included:
  * GCC 5.5 with support for Address Sanitizer and Undefined Behavior Sanitizer
  * GDB 7.12
  * GNU binutils 2.27
  * Clang/LLVM 3.8.1
  * OpenSSH 7.6
  * OpenSSL 1.0.2k
  * mdocml 1.14.1
  * acpica 20170303
  * ntp 4.2.8p11-o
  * dhcpcd 7.0.6
  * Lua 5.3.4

### Running FreeBSD on the ARM64 VPS from Scaleway

I’ve been thinking about this since 2017, but only yesterday signed up for an account and played around with the ARM64 offering. Turns out it’s pretty great! KVM boots into UEFI, there’s a local VirtIO disk attached, no NBD junk required. So we can definitely run FreeBSD. I managed to “depenguinate” a running instance, the notes are below. Would be great if Scaleway offered an official image instead :wink:

For some reason, unlike on x86, mounting additional volumes is not allowed on ARM64 instances. So we’ll have to move the running Linux to a ramdisk using pivot_root and then we can do whatever to our one and only disk.

Spin up an instance with Ubuntu Zesty and ssh in.
Prepare the system and change the root to a tmpfs:

```
apt install gdisk
mount -t tmpfs tmpfs /tmp
cp -r /bin /sbin /etc /dev /root /home /lib /run /usr /var /tmp
mkdir /tmp/proc /tmp/sys /tmp/oldroot
mount /dev/vda /tmp/oldroot
mount --make-rprivate /
pivot_root /tmp /tmp/oldroot
for i in dev proc sys run; do mount --move /oldroot/$i /$i; done
systemctl daemon-reload
systemctl restart sshd
```

Now reconnect to ssh from a second terminal (note: rm the connection file if you use ControlPersist in ssh config), then exit the old session. Kill the old sshd process, restart or stop the rest of the stuff using the old disk:

```
pkill -f notty
sed -ibak 's/RefuseManualStart.*$//g' /lib/systemd/system/dbus.service
systemctl daemon-reload
systemctl restart dbus
systemctl daemon-reexec
systemctl stop user@0 ntp cron systemd-logind
systemctl restart systemd-journald systemd-udevd
pkill agetty
pkill rsyslogd
```

Check that nothing is touching /oldroot:

```
lsof | grep oldroot
```

There will probably be an old dbus-daemon, kill it.

And finally, unmount the old root and overwrite the hard disk with a memstick image:

```
umount -R /oldroot
wget https://download.freebsd.org/ftp/snapshots/arm64/aarch64/ISO-IMAGES/12.0/FreeBSD-12.0-CURRENT-arm64-aarch64-20180719-r336479-mini-memstick.img.xz
xzcat FreeBSD-12.0-CURRENT-arm64-aarch64-20180719-r336479-mini-memstick.img.xz | dd if=/dev/stdin of=/dev/vda bs=1M
```

(Look for the newest snapshot, don’t copy paste the July 19 link above if you’re reading this in the future. Actually maybe use a release instead of CURRENT…)

Now, fix the GPT: move the secondary table to the end of the disk and resize the table. It’s important to resize here, as FreeBSD does not do that and silently creates partitions that won’t persist across reboots.

```
gdisk /dev/vda
x
e
s
4
w
y
```

And reboot. (You might actually want to hard reboot here: for some reason on the first reboot from Linux, pressing the any-key to enter the prompt in the loader hangs the console for me.)
I didn’t have to go into the ESC menu and choose the local disk in the boot manager, it seems to boot from disk automatically.

Now we’re in the FreeBSD EFI loader. For some reason, the (recently fixed?) serial autodetection from EFI is not working correctly. Or something. So you don’t get console output by default. To fix, you have to run these commands in the boot loader command prompt:

```
set console=comconsole,efi
boot
```

(Ignore the warning about comconsole not being a valid console. Since there’s at least one (efi) that the loader thinks is valid, it sets the whole variable.) (UPD: shouldn’t be necessary in the next snapshot)

Now it’s a regular installation process! When asked about partitioning, choose Shell, and manually add a partition and set up a root filesystem:

```
gpart add -t freebsd-zfs -a 4k -l zroot vtbd0
zpool create -R /mnt -O mountpoint=none -O atime=off zroot /dev/gpt/zroot
zfs create -o canmount=off -o mountpoint=none zroot/ROOT
zfs create -o mountpoint=/ zroot/ROOT/default
zfs create -o mountpoint=/usr zroot/ROOT/default/usr
zfs create -o mountpoint=/var zroot/ROOT/default/var
zfs create -o mountpoint=/var/log zroot/ROOT/default/var/log
zfs create -o mountpoint=/usr/home zroot/home
zpool set bootfs=zroot/ROOT/default zroot
exit
```

(In this example, I set up ZFS with a beadm-compatible layout which allows me to use Boot Environments.)

In the post-install chroot shell, fix some configs like so:

```
echo 'zfs_load="YES"' >> /boot/loader.conf
echo 'console="comconsole,efi"' >> /boot/loader.conf
echo 'vfs.zfs.arc_max="512M"' >> /boot/loader.conf
sysrc zfs_enable=YES
exit
```

(Yeah, for some reason, the loader does not load zfs.ko’s dependency opensolaris.ko automatically here. idk what even. It does on my desktop and laptop.)

Now you can reboot into the installed system!!
Here’s how you can set up IPv6 (and root’s ssh key) auto configuration on boot:

```
pkg bootstrap
pkg install curl
curl https://raw.githubusercontent.com/scaleway/image-tools/master/bases/overlay-common/usr/local/bin/scw-metadata > /usr/local/bin/scw-metadata
chmod +x /usr/local/bin/scw-metadata
echo '#!/bin/sh' > /etc/rc.local
echo 'PATH=/usr/local/bin:$PATH' >> /etc/rc.local
echo 'eval $(scw-metadata)' >> /etc/rc.local
echo 'echo $SSH_PUBLIC_KEYS_0_KEY > /root/.ssh/authorized_keys' >> /etc/rc.local
echo 'chmod 0400 /root/.ssh/authorized_keys' >> /etc/rc.local
echo 'ifconfig vtnet0 inet6 $IPV6_ADDRESS/$IPV6_NETMASK' >> /etc/rc.local
echo 'route -6 add default $IPV6_GATEWAY' >> /etc/rc.local
mkdir /run
mkdir /root/.ssh
sh /etc/rc.local
```

And to fix incoming TCP connections, configure the DHCP client to change the broadcast address:

```
echo 'interface "vtnet0" { supersede broadcast-address 255.255.255.255; }' >> /etc/dhclient.conf
killall dhclient
dhclient vtnet0
```

Other random notes:

* keep in mind that -CURRENT snapshots come with a debugging kernel by default, which limits syscall performance by a lot, you might want to build your own with config GENERIC-NODEBUG
* also disable heavy malloc debugging features by running `ln -s 'abort:false,junk:false' /etc/malloc.conf` (yes that’s storing config in a symlink)
* you can reuse the installer’s partition for swap

***

Digital Ocean: http://do.co/bsdnow

### Easy encrypted backups on OpenBSD with base tools

Today’s topic is “Encrypted backups” using only OpenBSD base tools. I am planning to write a bigger article later about backups but it’s a wide topic with a lot of software to cover and a lot of explanations about the different use cases, needs, issues and solutions. Here I will stick on explaining how to make reliable backups for an OpenBSD system (my laptop).

What we need is the dump command (see man 8 dump for its man page). It’s a utility to make a backup for a filesystem, it can only make a backup of one filesystem at a time.
On my laptop I only backup /home partition so this solution is suitable for me while still being easy. Dump can do incremental backups, it means that it will only save what changed since the last backup of lower level. If you do not understand this, please refer to the dump man page.

What is very interesting with dump is that it honors nodump flag which is an extended attribute of a FFS filesystem. One can use the command `chflags nodump /home/solene/Downloads` to tell dump not to save that folder (under some circumstances). By default, dump will not save those files, EXCEPT for a level 0 backup.

Important features of this backup solution:

* save files with attributes, permissions and flags
* can recreate a partition from a dump, restore files interactively, from a list or from its inode number (useful when you have files in lost+found)
* one dump = one file

My process is to make a huge dump of level 0 and keep it on a remote server, then, once a week I make a level 1 backup which will contain everything changed since the last dump of level 0, and everyday I do a level 2 backup of my files. The level 2 will contain latest files and the files changing a lot, which are often the most interesting. The level 1 backup is important because it will offload a lot of changes for the level 2.

Let me explain: let’s say my full backup is 60 GB, full of pictures, source files, GUI applications data files etc… A level 1 backup will contain every new picture, new projects, new GUI files etc… since the full backup, which will produce bigger and bigger dump over time, usually it is only 100 MB to 1GB. As I don’t add new pictures everyday or use new software everyday, the level 2 will take care of most little changes to my data, like source code edited, little works on files etc… The level 2 backup is really small, I try to keep it under 50 MB so I can easily send it on my remote server everyday.

One could use more dump levels, up to level 9, but keep in mind that those are incremental.
In my case, if I need to restore all my partition, I will need to use level 0, 1 and 2 to get up to latest backup state. If you want to restore a file deleted a few days ago, you need to remember in which level its latest version is.

History note: dump was designed to be used with magnetic tapes.

See the article for the remainder of the article

## News Roundup

### Status of DFly server storage upgrades (Matt Dillon)

Last month we did some storage upgrades, particularly of internet-facing machines for package and OS distribution. Yesterday we did a number of additional upgrades, described below. All using funds generously donated by everyone!

The main repository server received a 2TB SSD to replace the HDDs it was using before. This will improve access to a number of things maintained by this server, including the mail archives, and gives the main repo server more breathing room for repository expansion. Space was at a premium before. Now there’s plenty.

Monster, the quad socket opteron which we currently use as the database builder and repository that we export to our public grok service (grok.dragonflybsd.org) received a 512G SSD to add swap space for swapcache, to help cache the grok meta-data. It now has 600GB of swapcache configured. Over the next few weeks we will also be changing the grok updates to ping-pong between the two 4TB data drives it received in the last upgrade so we can do concurrent updates and web accesses without them tripping over each other performance-wise.

The main developer box, Leaf, received a 2TB SSD and we are currently in the midst of migrating all the developer accounts in /home and /build from its old HDDs to its new SSD. This machine serves developer repos, developer web stuff, our home page and wiki, etc, so those will become snappier as well.

Hard drives are becoming real dinosaurs.
We still have a few left from the old days but in terms of active use the only HDDs we feel we really need to keep now are the ones we use for backups and grok data, owing to the amount of storage needed for those functions.

Five years ago when we received the blade server that now sits in the colo, we had a small 256G SSD for root on every blade, and everything else used HDDs. To make things operate smoothly, most of that 256G root SSD was assigned to swapcache (200G of it, in fact, in most cases). Even just 2 years ago replacing all those HDDs with SSDs, even just the ones being used to actively serve data and support developers, would have been cost prohibitive. But today it isn’t and the only HDDs we really need anywhere are for backups or certain very large bits of bulk data (aka the grok source repository and index). The way things are going, even the backup drives will probably become SSDs over the next two years.

### iX ad spot

OSCON 2018 Recap

### zpool checkpoints

In March, a very interesting feature called ‘zpool checkpoints’ landed in FreeBSD. Before we jump straight into the topic, let’s take a step back and look at another ZFS feature called ‘snapshot’. Snapshot allows us to create an image of our single file systems. This gives us the option to modify data on the dataset without the fear of losing some data.

A very good example of how to use ZFS snapshot is during an upgrade of database schema. Let us consider a situation where we have a few scripts which change our schema. Sometimes we are unable to upgrade in one transaction (for example, when we attempt to alter a table and then update it in single transaction). If our database is on dataset, we can just snapshot it, and if something goes wrong, simply rollback the file system to its previous state.

The problem with snapshot is that it works only on a single dataset. If we added some dataset, we wouldn’t then be able to create the snapshot which would rollback that operation.
The same with changing the attributes of a dataset. If we change the compression on the dataset, we cannot rollback it. We would need to change that manually. Another interesting problem involves upgrading the whole operating system when we upgrade system with a new ZFS version. What if we start upgrading our dataset and our kernel begins to crash? (If you use FreeBSD, I doubt you will ever have had that experience but still…). If we rollback to the old kernel, there is a chance the dataset will stop working because the new kernel doesn’t know how to use the new features.

Zpool checkpoints is the solution to all those problems. Instead of taking a single snapshot of the dataset, we can now take a snapshot of the whole pool. That means we will not only rollback the data but also all the metadata. If we rewind to the checkpoint, all our ZFS properties will be rolled back; the upgrade will be rolled back, and even the creation/deletion of the dataset, and the snapshot, will be rolled back.

Zpool Checkpoint has introduced a few simple functions:

* For creating a checkpoint: `zpool checkpoint <pool>`
* Rollbacks state to checkpoint and remove the checkpoint: `zpool import --rewind-to-checkpoint <pool>`
* Mount the pool read only - this does not rollback the data: `zpool import -o readonly=on --rewind-to-checkpoint <pool>`
* Remove the checkpoint: `zpool checkpoint --discard <pool>` or `zpool checkpoint -d <pool>`

With this powerful feature we need to remember some safety rules:

* Scrub will work only on data that isn’t in checkpoint.
* You can’t remove vdev if you have a checkpoint.
* You can’t split mirror.
* Reguid will not work either.
* Create a checkpoint when one of the disks is removed…

For me, this feature is incredibly useful, especially when upgrading an operating system, or when I need to experiment with additional data sets. If you speak Polish, I have some additional information for you. During the first Polish BSD user group meeting, I had the opportunity to give a short talk about this feature.
Here you find the video of that talk, and here is the slideshow.

I would like to offer my thanks to Serapheim Dimitropoulos for developing this feature, and for being so kind in sharing with me so many of its intricacies. If you are interested in knowing more about the technical details of this feature, you should check out Serapheim’s blog, and his video about checkpoints.

### g2k18 Reports

* g2k18 hackathon report: Ingo Schwarze on sed(1) bugfixing with Martijn van Duren, and about other small userland stuff
* g2k18 hackathon report: Kenneth Westerback on dhcpd(8) fixes, disklabel(8) refactoring and more
* g2k18 Hackathon Report: Marc Espie on ports and packages progress
* g2k18 hackathon report: Antoine Jacoutot on porting
* g2k18 hackathon report: Matthieu Herrb on font caches and xenodm
* g2k18 hackathon report: Florian Obser on rtadvd(8) -> rad(8) progress (actually, rewrite)
* g2k18 Hackathon Report: Klemens Nanni on improvements to route(8), pfctl(8), and mount(2)
* g2k18 hackathon report: Carlos Cardenas on vmm/vmd progress, LACP
* g2k18 hackathon report: Claudio Jeker on OpenBGPD developments
* Picture of the last day of the g2k18 hackathon in Ljubljana, Slovenia

## Beastie Bits

* Something blogged (on pkgsrcCon 2018)
* GSoC 2018 Reports: Configuration files versioning in pkgsrc, Part 1
* There should be a global ‘awareness’ week for developers
* Polish BSD User Group – Upcoming Meeting: Aug 9th 2018
* London BSD User Group – Upcoming Meeting: Aug 14th 2018
* Phillip Smith’s collection of reasons why ZFS is better so that he does not have to repeat himself all the time
* EuroBSDCon 2018: Sept 20-23rd in Romania – Register NOW!
* MeetBSD 2018: Oct 19-20 in Santa Clara, California. Call for Papers closes on Aug 12

Tarsnap

## Feedback/Questions

* Dale - L2ARC recommendations & drive age question
* Todd - ZFS & S3
* efraim - License Poem
* Henrick - Yet another ZFS question

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

SDCast
SDCast #69: guest Mikhail Belopuhov, OpenBSD developer

Dec 13, 2017 189:41


Everything you wanted to know about OpenBSD, and a great deal more, awaits you in episode 69 of SDCast! My guest is Misha Belopuhov, an OpenBSD developer.

Misha began by describing how he first encountered OpenBSD, how he started studying operating systems, and how his interest unexpectedly turned into a paid job :) Misha adapted OpenBSD to run on various hardware and in various environments, including virtual ones, so he ported a range of device drivers. He shared interesting stories from his porting experience: how various drivers work, and the mechanisms for interacting with the hardware and the OS kernel.

We also discussed the OpenBSD operating system as a whole: how it is structured, the principles it is built on, and how the kernel, the drivers and user space code work. We discussed questions of security and hardening, both of the OS itself and of the application code running on the system. OpenBSD is known for its “Secure by Default” slogan and for the great attention it pays to security. Misha talked about the various security subsystems used in OpenBSD, such as:

* Kernel address space randomization, KARL (Kernel Address Randomized Link)
* Address space layout randomization, ASLR
* strlcpy() and strlcat() - non-standard functions created as replacements for standard library counterparts that are frequently used incorrectly
* fork+exec, PIE, pledge and others.

We separately talked about cryptographic algorithms, ways of implementing them using the capabilities of modern processors such as SIMD, and their use in SSH and SSL.

Links to resources on the episode's topics:

* Mikhail's talk “Implementation of Xen PVHVM drivers in OpenBSD” from BSDCan (video (https://www.youtube.com/watch?v=GWwhgIPdKH0), slides (https://www.openbsd.org/papers/bsdcan2016-xen.pdf))
* Theo de Raadt's talk about Pledge from EuroBSDCon 2017 (video (https://www.youtube.com/watch?v=FzJJbNRErVQ), slides (https://www.openbsd.org/papers/eurobsdcon2017-pledge.pdf))
* Theo de Raadt's talk "arc4random - randomization for all occasions" from Hackfest 2014 (video (https://www.youtube.com/watch?v=aWmLWx8ut20), slides (https://www.openbsd.org/papers/hackfest2014-arc4random/index.html))
* Ilja van Sprundel's talk “Are all BSDs created equally? A survey of BSD kernel vulnerabilities” from DEF CON (video (https://www.youtube.com/watch?v=1j1UaLsPv3k), slides (https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf))
* Article comparing the security of OpenBSD and FreeBSD (https://networkfilter.blogspot.ru/2014/12/security-openbsd-vs-freebsd.html)
* Slides “Security features in the OpenBSD operating system (https://homepages.laas.fr/matthieu/talks/min2rien-openbsd.pdf)” by Matthieu Herrb
* Description of the ASLR technique by the PaX Team (https://pax.grsecurity.net/docs/aslr.txt)
* Note “KASLR: An Exercise in Cargo Cult Security” (https://forums.grsecurity.net/viewtopic.php?f=7&t=3367&sid=c757c2f8e8db817dabb7b7c501156fc0) by Brad "spender" Spengler
* Video of Mikhail's talk “OpenBSD: Where Is Crypto Heading?” (https://events.yandex.ru/lib/talks/1489/)
* Post “AES timing attacks on OpenSSL (https://access.redhat.com/blogs/766093/posts/1976303)” from Red Hat
* Whitepaper “Cache Games – Bringing Access-Based Cache Attacks on AES to Practice (https://eprint.iacr.org/2010/594.pdf)”
* 130+ vulnerabilities in tcpdump (https://www.cvedetails.com/vulnerability-list/vendor_id-6197/Tcpdump.html)
* Book “The Design and Implementation of the 4.4BSD Operating System” by Marshall Kirk McKusick et al. The second chapter is available for free (https://www.freebsd.org/doc/en/books/design-44bsd/index.html).

Liked the episode? Support the podcast on patreon.com/KSDaemon (https://www.patreon.com/KSDaemon), and also with a retweet, a post, or simply by telling your friends!

bsdtalk
bsdtalk221 - Xenocara with Matthieu Herrb

Sep 13, 2015


An interview recorded by Michael Dexter at EuroBSDCon 2012 in Poland. He speaks with Matthieu Herrb about what Xenocara is and what it is not. More info at http://www.xenocara.org/

File Info: 11Min, 5MB.

Ogg Link: https://archive.org/download/bsdtalk221/bsdtalk221.ogg

bsdtalk
bsdtalk106 - Interview with Matthieu Herrb about Xenocara

Sep 13, 2015


Interview with Matthieu Herrb about Xenocara.

File info: 7MB, 14 Min.

Ogg Link: https://archive.org/download/bsdtalk106/bsdtalk106.ogg

Transcript: http://cisx1.uma.maine.edu/~wbackman/bsdtalk/transcript-106.txt

BSD Now
50: VPN, My Dear Watson

Aug 13, 2014 87:29


It's our 50th episode, and we're going to show you how to protect your internet traffic with a BSD-based VPN. We'll also be talking to Robert Watson, of the FreeBSD core team, about security research, exploit mitigation and a whole lot more. The latest news and answers to all of your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

## Headlines

### MeetBSD 2014 is approaching (http://www.ixsystems.com/whats-new/ixsystems-to-host-meetbsd-california-2014-at-western-digital-in-san-jose/)

* The MeetBSD conference is coming up, and will be held on November 1st and 2nd in San Jose, California
* MeetBSD has an "unconference" format, which means there will be both planned talks and community events
* All the extra details will be on their site (https://www.meetbsd.com/) soon
* It also has hotels and various other bits of useful information - hopefully with more info on the talks to come
* Of course, EuroBSDCon is coming up before then

***

### First experiences with OpenBSD (https://www.azabani.com/2014/08/09/first-experiences-with-openbsd.html)

* A new blog post that leads off with "tired of the sluggishness of Windows on my laptop and interested in experimenting with a Unix-like that I haven't tried before"
* The author read the famous "BSD for Linux users (http://www.over-yonder.net/~fullermd/rants/bsd4linux/01)" series (that most of us have surely seen) and decided to give BSD a try
* He details his different OS and distro history, concluding with how he "eventually became annoyed at the poor quality of Linux userland software"
* From there, it talks about how he used the OpenBSD USB image and got a fully-working system
* He especially liked the simplicity of OpenBSD's "hostname.if" system for network configuration
* Finally, he gets Xorg working and imports all his usual configuration files - seems to be a happy new user!
***

### NetBSD rump kernels on bare metal (and Kansai OSC report) (https://blog.netbsd.org/tnf/entry/an_internet_ready_os_from)

* When you're developing a new OS or a very specialized custom solution, working drivers become one of the hardest things to get right
* However, NetBSD's rump kernels - a very unique concept - make this process a lot easier
* This blog post talks about the process of starting with just a rump kernel and expanding into an internet-ready system in just a week
* Also have a look back at episode 8 (http://www.bsdnow.tv/episodes/2013_10_23-a_brief_intorduction) for our interview about rump kernels and what exactly they do
* While on the topic of NetBSD, there were also a couple of very detailed reports (http://mail-index.netbsd.org/netbsd-advocacy/2014/08/09/msg000658.html) (with lots of pictures!) of the various NetBSD-themed booths at the 2014 Kansai Open Source Conference (http://d.hatena.ne.jp/mizuno-as/20140806/1407307913) that we wanted to highlight

***

### OpenSSL and LibreSSL updates (https://www.openssl.org/news/secadv_20140806.txt)

* OpenSSL pushed out a few new versions, fixing multiple vulnerabilities (nine to be precise!)
* Security concerns include leaking memory, possible denial of service, crashing clients, memory exhaustion, TLS downgrades and more
* LibreSSL released a new version (http://marc.info/?l=openbsd-tech&m=140752295222929&w=2) to address most of the vulnerabilities, but wasn't affected by some of them
* Whichever version of whatever SSL you use, make sure it's patched for these issues
* DragonFly and OpenBSD are patched as of the time of this recording but, even after a week, NetBSD and FreeBSD are not (outside of -CURRENT)

***

## Interview - Robert Watson - rwatson@freebsd.org (mailto:rwatson@freebsd.org)

FreeBSD architecture, security research techniques, exploit mitigation

## Tutorial

### Protecting traffic with a BSD-based VPN (http://www.bsdnow.tv/tutorials/openvpn)

## News Roundup

### A FreeBSD-based CGit server (https://lechindianer.de/blog/2014/08/06/freebsd-cgit/)

* If you use git (like a certain host of this show) then you've probably considered setting up your own server
* This article takes you through the process of setting up a jailed git server, complete with a fancy web frontend
* It even shows you how to set up multiple repos with key-based user separation and other cool things
* The author of the post is also a listener of the show, thanks for sending it in!
***

### Backup devices for small businesses (http://www.smallbusinesscomputing.com/biztools/6-data-backup-devices-for-small-businesses.html)

* In this article, different methods of data storage and backup are compared
* After weighing the various options, the author comes to an obvious conclusion: FreeNAS is the answer
* He praises FreeNAS and the FreeNAS Mini for their tight integration, rock solid FreeBSD base and the great ZFS featureset that it offers
* It also goes over some of the hardware specifics in the FreeNAS Mini

***

### A new Xenocara interview (http://blog.bronevichok.ru/2014/08/06/testing-of-xorg.html)

* As a follow up to last week's OpenSMTPD interview, this Russian blog interviews Matthieu Herrb about Xenocara
* If you're not familiar with Xenocara, it's OpenBSD's version of Xorg with some custom patches
* In this interview, he discusses how large and complex the upstream X11 development is, how different components are worked on by different people, how they test code (including a new framework) and security auditing
* Matthieu is both a developer of upstream Xorg and an OpenBSD developer, so it's natural for him to do a lot of the maintainership work there

***

### Building a high performance FreeBSD samba server (https://not.burntout.org/blog/high_performance_samba_server_on_freebsd/)

* If you've got to PXE boot several hundred Windows boxes to upgrade from XP to 7, what's the best solution? FreeBSD, ZFS and Samba obviously!
* The master image and related files clock in at over 20GB, and will be accessed at the same time by all of those clients
* This article documents that process, highlighting some specific configuration tweaks to maximize performance (including NIC bonding)
* It doesn't even require the newest or best hardware with the right changes, pretty cool

***

## Feedback/Questions

* An interesting Reddit thread (http://www.reddit.com/r/BSD/comments/2ctlt4/switched_from_arch_linux_to_openbsd_reference/) (or two (http://www.reddit.com/r/BSD/comments/2dcig9/thinking_about_coming_to_bsd_from_arch))
* PB writes in (http://slexy.org/view/s21t7L5bqO)
* Sean writes in (http://slexy.org/view/s20MFywDqZ)
* Steve writes in (http://slexy.org/view/s2Td6nq11J)
* Lachlan writes in (http://slexy.org/view/s215MlpJYV)
* Justin writes in (http://slexy.org/view/s2N4JKkoKt)

***