os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Make an editing pass through the 2017Q2 report

Browse source
This commit is contained in:
Benjamin Kaduk 2017-09-17 20:45:11 +00:00
parent bd20b25a49
commit a13ec77257
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=50860
1 changed files with 148 additions and 154 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

302
en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml
View file

@ -83,6 +83,12 @@
<description>Miscellaneous</description>
</category>
<category>
<name>third</name>
<description>Third-Party Projects</description>
</category>
<project cat='proj'>
<title>64-bit Inode Numbers</title>
@ -118,7 +124,7 @@
<body>
<p>The 64-bit inode project was completed and merged into
&os;&nbsp; 12 on May 23, 2017. It extends the <tt>ino_t</tt>,
&os;&nbsp;12 on May 23, 2017. It extends the <tt>ino_t</tt>,
<tt>dev_t</tt>, and <tt>nlink_t</tt> types to be 64-bit
integers. It modifies the <tt>struct dirent</tt> layout to
add a <tt>d_off</tt> field, increases the size of
@ -137,10 +143,10 @@
<tt>struct stat</tt> as parameters are broken in backward- and
forward-incompatible ways.</p>
<p>The ABI for <tt>kinfo</tt> sysctl MIBs is changed in a
<p>The ABI for <tt>kinfo</tt>-consuming sysctl MIBs is changed in a
backward-compatible way, but there is no general mechanism to
handle other sysctl MIBS which return structures where the
layout has changed. It was considered that the breakage is
layout has changed. In our consideration, this breakage is
either in management interfaces, where we usually allow ABI
slippage, or is not important.</p>
@ -207,8 +213,8 @@
subjects: how to create a &os; port (presented by jadawin@),
how OVH is using Finite State Machines for managing their
storage system, network high-availability with &os;, and a
jail tutorial by means of a demonstration running 200 OSFP
(using <tt>net/bird</tt>) routers using jail and vnets on a
jail tutorial by means of a demonstration running 200 OSPF
(using <tt>net/bird</tt>) routers using jails and vnets on a
small PC Engines APU2 system with only 4 CPU cores (1Ghz AMD)
and 4GB RAM).</p>
</body>
@ -236,7 +242,7 @@
<body>
<p>FRRouting (FRR), a Quagga fork, is an IP routing protocol
suite for Linux and Unix platforms which includes protocol
daemons for BGP, IS-IS, OSPF and RIP (LPD and PIM need to be
daemons for BGP, IS-IS, OSPF and RIP (LPD and PIM support needs to be
fixed on &os;). FRR is a Linux Foundation Collaborative
Project with contributors including 6WIND, Architecture
Technology Corporation, Big Switch Networks, Cumulus Networks,
@ -258,6 +264,7 @@
</name>
<email>dhw@FreeBSD.org</email>
</person>
<person>
<name>
<given>Larry</given>
@ -265,6 +272,7 @@
</name>
<email>ler@FreeBSD.org</email>
</person>
<person>
<name>
<given>Ryan</given>
@ -272,6 +280,7 @@
</name>
<email>zi@FreeBSD.org</email>
</person>
<person>
<name>
<given>Eygene</given>
@ -279,6 +288,7 @@
</name>
<email>rea@FreeBSD.org</email>
</person>
<person>
<name>
<given>Remko</given>
@ -286,6 +296,7 @@
</name>
<email>remko@FreeBSD.org</email>
</person>
<person>
<name>
<given>Kurt</given>
@ -300,14 +311,13 @@
</links>
<body>
<p> Postmaster handles the mail flow for the &os;
project.</p>
<p> Postmaster handles the mail flow for the &os; project.</p>
<p>Clusteradm provides us with four jails: mailman, mailarchive,
mx1 and mx2. In addition, there is some part of the setup
mx1, and mx2. In addition, there is some part of the setup
running on freefall.FreeBSD.org. The system uses
<tt>postfix</tt>, <tt>mailman</tt>, <tt>spamassassin</tt> and
some other tools from the ports tree to handle the mailflow.
<tt>postfix</tt>, <tt>mailman</tt>, <tt>spamassassin</tt>, and
some other tools from the ports tree to handle the mail flow.
We use a very small, non-public Subversion repository for
parts of the configuration.</p>
@ -318,7 +328,8 @@
<p>Thanks to Florian for his long service in that role! David
Wolfskill is planning to leave the role as soon as the new
team members are settled. Vsevolod Stakhov plans to provide
us with support to integrate <tt>rspamd</tt> into the setup.</p>
us with support to integrate <tt>rspamd</tt> into the setup,
as well.</p>
<p>The workload for the Postmaster Team is not high, but the
complexity of the setup has its own demands.</p>
@ -402,7 +413,7 @@
desired functionality.</p>
<p>LLD is now used as the default system linker for
&os;/arm64 and can link a working kernel, modules, and
&os;/arm64 and can link a working kernel, kernel modules, and
userland for &os;/amd64. LLD can also link a working
kernel and modules (but not userland) for &os;/arm and
&os;/i386.</p>
@ -411,7 +422,7 @@
as the system linker (either by fixing the port, or
configuring the port to be linked by GNU <tt>ld</tt>).</p>
<p>For &os; 12.0 we expect to use LLD as the system linker for
<p>For &os;&nbsp;12.0 we expect to use LLD as the system linker for
the same set of architectures that use Clang by default:
32- and 64-bit arm and x86.</p>
</body>
@ -423,7 +434,7 @@
command line arguments as for GNU <tt>ld</tt> and
<tt>gold</tt>.</task>
<task>Investigate remaining amd64 and arm64 port
<task>Investigate the remaining amd64 and arm64 port
build failures.</task>
<task>Investigate and improve LLD on i386 and arm, before
@ -451,10 +462,10 @@
<body>
<p>The in-tree DTC (Device Tree Compilator) was switched to use the
<p>The in-tree DTC (Device Tree Compiler) was switched to use the
BSD-licensed version by default. (The previous default DTC is
licensed under the GPL.) The current version supports overlays
and is able to compile every DTS used by the &os; arm
and is able to compile every DTS (Device Tree Source) used by the &os; arm
releases. The ports GPL version was updated to the latest
release (1.4.4). The in-tree GPL version is still present but
the goal is to remove it before &os; 12.0.</p>
@ -522,7 +533,7 @@
bulk build output (the &quot;Ignored ports&quot; portion, in
particular) and see quickly what ports are failing to build
and why. Previously, finding the exact reason why a build
failed needed some research (<tt>portsmon</tt> only models
failed needed some research (<tt>portsmon</tt> only analyzes
failure messages on amd64). Additionally, it is extremely
difficult to work through several hundred logs that simply say
&quot;failed to compile&quot;, &quot;failed to link&quot;, and
@ -537,7 +548,7 @@
output, I have begun reworking some existing
<tt>BROKEN</tt>/<tt>NOT_FOR</tt>/<tt>ONLY_FOR</tt> messages so
that they will sort more easily. This includes sorting the
order of the <tt>ARCH</tt> definitions.</p>
order in which architectures appear in the lists.</p>
<p>Many people have been doing great work on fixing the
individual ports. I hope that my work makes their jobs
@ -571,11 +582,11 @@
</links>
<body>
<p>ENA (Elastic Network Adapter) is a 25G SmartNIC developed by
<p>The ENA (Elastic Network Adapter) is a 25G SmartNIC developed by
Annapurna Labs and is based on a custom ARMv8 chip. This is a
high performance networking card available in the AWS offering.
high-performance networking card available in the AWS offerings.
It introduces enhancements in network utilization scalability
on EC2 machines under control of various operating systems, in
on EC2 machines under the control of various operating systems, in
particular &os;.</p>
<p>The goal of &os; enablement is to provide top performance and
@ -587,7 +598,7 @@
<li>hardware offloads (rx and tx checksum)</li>
<li>admin queue</li>
<li>an admin queue</li>
<li>asynchronous notifications</li>
@ -611,7 +622,7 @@
<sponsor>Annapurna Labs &mdash; an Amazon company</sponsor>
<help>
<task>Add RSS configuration from userspace (sysctls).</task>
<task>Add RSS configuration from userspace (via sysctls).</task>
<task>Add support for LLQ mechanisms.</task>
</help>
@ -640,7 +651,7 @@
<p>I'm working on a third edition of <i>Absolute &os;</i>. This
will be a nearly complete rewrite, thanks to the addition of
little details like ZFS, GPT, <tt>dma</tt>, GELI, new boot
stuff, disk labeling, <tt>pkg(8)</tt>, <tt>blacklistd</tt>,
procedures, disk labeling, <tt>pkg(8)</tt>, <tt>blacklistd</tt>,
jails, etc..</p>
<p>My current (delusional) plan is to have a first draft
@ -678,7 +689,7 @@
&quot;layout&quot; in use specifies how the division occurs, with
metadata operations occurring against the main server, and
bulk data operations (read/write/setattr/etc.) occurring via
a layout-specific scheme between the client and data
a layout-specific scheme between the client and the data
servers.</p>
<p>My first attempt at a pNFS server using GlusterFS was a dud.
@ -686,7 +697,7 @@
usable. This attempt that I call &quot;Plan B&quot;, only
uses &os;, with one &os; server handling the metadata
operations and multiple &os; servers configured to serve
data and is now ready for third party testing. If testing by
data, is now ready for third-party testing. If testing by
third parties goes well, I anticipate the code will be
merged into &os; head in time for &os;&nbsp;12. Fairly
recent &os; or Linux systems should be usable as pNFS
@ -701,7 +712,7 @@
<p>The patched &os; sources may now be accessed for testing
via either Subversion or download of a gzipped tarball.
They consist of a patched kernel plus nfsd daemon and can be
They consist of a patched kernel and <tt>nfsd</tt> and can be
used on any &os;&nbsp;11 or later system.</p>
</body>
@ -730,8 +741,8 @@
</links>
<body>
<p>&os; supports the Xen hypervisor, with DomU support since
&os;&nbsp;8.0 and Dom0 available since &os;&nbsp;11.0. The
<p>&os; supports the Xen hypervisor, with DomU (guest) support since
&os;&nbsp;8.0 and Dom0 (host) available since &os;&nbsp;11.0. The
&os; Handbook was lacking instructions on how to run a Xen
host and VMs. The steps were outlined in the &os; wiki, but
needed some extra bits of text from the upstream Xen wiki in
@ -743,7 +754,7 @@
<p>Reviewers Nikolai Lifanov, Roger Pau Monné, and Warren Block
provided valuable feedback on the initial version in
Phabricator. Additional corrections were found by Björn
Phabricator. Additional corrections were made by Björn
Heidotting while translating the section into German.</p>
</body>
@ -816,11 +827,11 @@
href="https://bugs.FreeBSD.org/bugzilla/show_bug.cgi?id=220290">PR220290</a>)</li>
</ul>
<p>We have created new Subversion tag (<em>4.13</em>) in order
to follow the unstable releases (due to changes in <tt>USES=
xfce</tt> infrastucture, and not backward compatible new API
in <tt>xfconf</tt>). Ports following unstable release
are:</p>
<p>We have created a new Subversion tag (<em>4.13</em>) in order
to follow the unstable releases. The separate tag was
necessary in order to support changes in the <tt>USES=xfce</tt>
infrastucture, and due to some incompatible changes to the
<tt>xfconf</tt> API. Ports following the unstable release are:</p>
<ul>
<li><tt>deskutils/xfce4-tumbler</tt> (0.1.92.1)</li>
@ -888,11 +899,12 @@
merging everything in one big commit, we have been updating
the GNOME ports one at a time or in small groups. For
example, the GTK+ stack and the Evolution Suite were updated
as groups, and all the gnome-games were done in one commit.
It might be a bit more work preparing and testing the
updates, but on the plus side, it easy to keep track of what
is going on, and allows us to pay attention to the details.
And it should be easier to commit smaller changes.</p>
as groups, and all the <tt>gnome-games</tt> components were
done in one commit. It might be a bit more work preparing
and testing the updates, but on the plus side, it easy to
keep track of what is going on, and allows us to pay
attention to the details. It should also make it easier to commit
smaller changes.</p>
<p>This quarter started with the update of GTK+ 3 to 3.22.15,
and the underlying libraries to their latest stable
@ -925,7 +937,7 @@
Unfortunately, GDM is blocking the update because of a
&quot;handoff&quot; bug to the session after login.</task>
<task>Fix the control-center printer sub menu. As a
<task>Fix the printer submenu in <tt>gnome-control-center</tt>. As a
workaround, <tt>system-config-printer</tt> can be used to
configure printers.</task>
@ -973,10 +985,10 @@
learning and AI. There are official binaries for Linux, Mac,
Windows, and Android, but no official support for &os;. For
the last several months, I have done some work to make
TensorFlow available on &os;. Some notable work:</p>
TensorFlow available on &os;. Some notable items include:</p>
<ul>
<li>Patch <tt>bazel</tt> to not depend on <tt>/proc</tt> at
<li><tt>bazel</tt> was patched to not depend on <tt>/proc</tt> at
build time. <tt>bazel</tt> is a build tool made by Google.
It uses <tt>/proc</tt> to get path-to-self when building C++
code, but mounting <tt>/proc</tt> is usually not allowed
@ -1016,7 +1028,7 @@
<task>Review, test, comment, and most importantly, commit to the
Ports Collection.</task>
<task>Fix the OpenCL support on &os;.</task>
<task>Fix OpenCL (GPU acceleration) support on &os;.</task>
<task>Port <tt>tensorflow-serving</tt>, which is a flexible,
high-performance serving system for machine learning models
@ -1073,8 +1085,8 @@
<p>I started looking into Ceph because the HAST solution with
CARP and <tt>ggate</tt> did not really do what I was looking
for. But I aim to run a Ceph storage cluster of storage nodes
that are running ZFS. User stations would be running
for. I aim to run a Ceph storage cluster of storage nodes
that are running ZFS, with user workstations running
<tt>bhyve</tt> on RBD disks that are stored in Ceph.</p>
<p>Compiling for &os; will now build most of the tools
@ -1093,9 +1105,9 @@
<li><tt>rbd-ggate</tt> is available to create a Ceph
<tt>rdb</tt> backed device. <tt>rbd-ggate</tt> was
submitted by Mykola Golub. That works in a rather simple
fashion, once a cluster is functioning, with <tt>rdb
import</tt> and <tt>rdb-gate map</tt> creating
submitted by Mykola Golub. It works in a rather simple
fashion: once a cluster is functioning, <tt>rdb
import</tt> and <tt>rdb-gate map</tt> are used to create
<tt>ggate</tt>-like devices backed by the Ceph cluster.</li>
</ul>
@ -1114,9 +1126,9 @@
&mdash;only <tt>/bin/bash</tt> is there to stay.</li>
</ul>
<p>Looking forward, the next official release of Ceph is called
<p>The next forthcoming official release of Ceph is called
Luminous (v12.1.0). As soon as it is available from upstream,
a port will be made provided for &os;.</p>
a port will be provided for &os;.</p>
<p>To get things running on a &os; system, run <tt>pkg install
net/ceph-devel</tt> or clone <a
@ -1129,7 +1141,7 @@
<ul>
<li>KRBD &mdash; but <tt>rbd-ggate</tt> is usable in its
stead</li>
stead.</li>
<li>BlueStore &mdash; &os; and Linux have different AIO APIs,
and that incompatibility needs to be resolved somehow.
@ -1145,7 +1157,7 @@
<task>Investigate the keystore, which can be embedded in the
kernel on Linux and currently prevents building Cephfs and
some other parts. The first question is whether it is really
required, or only KRBD requires it.</task>
required, or if only KRBD requires it.</task>
<task>Scheduler information is not used at the moment, because the
schedulers work rather differently between Linux and &os;.
@ -1159,7 +1171,7 @@
<task>Build a test cluster and start running some of the
teuthology integration tests on it. Teuthology wants to build
its own <tt>libvirt</tt> and that does not quite work with all
its own <tt>libvirt</tt>, and that does not quite work with all
the packages &os; already has in place. There are many
details to work out here.</task>
@ -1169,7 +1181,7 @@
</project>
<project cat="ports">
<title>A New USES Macro for Porting Cargo-Based Rust Applications</title>
<title>A New <tt>USES</tt> Macro for Porting Cargo-Based Rust Applications</title>
<contact>
<person>
@ -1242,24 +1254,24 @@
</contact>
<body>
<p>Work proceeds to finalize the upstreaming process of support
for the Marvell Armada38x platform to &os;-HEAD.</p>
<p>Work proceeds to finalize the process of bringing support
for the Marvell Armada38x platform into &os;-HEAD.</p>
<p>The most important bits of the recent effort are:</p>
<p>The most important parts of the recent effort are:</p>
<ul>
<li>Add the network driver (NETA)</li>
<li>Enable coherent <tt>busdma</tt> operation for all ARMv7 SoCs</li>
<li>Add various low-level optimisations, such as L1 cache
<li>Add various low-level optimizations, such as L1 cache
prefetch and MBUS quirks</li>
<li>Enable PL310 L2 cache controller</li>
<li>Add SDHCI support</li>
<li>Fixes for the <tt>e6000sw</tt> driver and rework of its
<li>Fixes for the <tt>e6000sw</tt> driver and a rework of its
PHY handling</li>
<li>Support multi-port PCIe operation</li>
@ -1293,7 +1305,7 @@
<links>
<url href="http://www.sndio.org">Sndio Homepage</url>
<url href="https://www.openbsd.org/papers/asiabsdcon2010_sndio.pdf">Sndio Paper</url>
<url href="https://www.bsdfrog.org/pub/events/my_bsd_sucks_less_than_yours-AsiaBSDCon2017-paper.pdf">Comprehensive and biased comparison of OpenBSD and &os; (section 17)</url>
<url href="https://www.bsdfrog.org/pub/events/my_bsd_sucks_less_than_yours-AsiaBSDCon2017-paper.pdf">Comprehensive and Biased Comparison of OpenBSD and &os; (Section 17)</url>
</links>
<body>
@ -1314,7 +1326,7 @@
recording through it. To that end, I submitted several patches
to various ports over the course of the last year.</p>
<p>A short selection of ports that now support <tt>sndio</tt> in
<p>Here's a short selection of ports that now support <tt>sndio</tt> in
the &os; Ports Collection:</p>
<ul>
@ -1354,7 +1366,7 @@
the Ports Collection.</task>
<task>If you maintain or use an audio-related port, consider
checking if it includes an <tt>sndio</tt> backend and adding
checking whether it includes an <tt>sndio</tt> backend, and adding
an <tt>SNDIO</tt> option. Thanks to the OpenBSD developers,
several open-source projects already include one, so adding it
might be very easy to do.</task>
@ -1382,12 +1394,12 @@
</links>
<body>
<p>The KDE on &os; team focuses on packaging and making sure
that the experience of KDE and Qt on &os; is as good as
<p>The KDE on &os; team focuses on packaging KDE and Qt, and making sure
that their experience on &os; is as good as
possible.</p>
<p>This quarter, in addition to the regular updates to the KDE,
Qt and related ports, there have also been some changes behind
Qt, and related ports, there have also been some changes behind
the scenes: our development repository has moved to GitHub,
and &os; is now part of KDE's official continuous integration
(CI infrastructure).</p>
@ -1409,8 +1421,8 @@
from KDE's git repositories. There is strong commitment from
upstream and the downstream KDE-&os; team to reduce the amount
of patching in the KDE ports to as little as possible. The
first effects are being felt in expanding unittests to
&os;-specific situations, and in extending Qt to handle &os;
first effects are being felt in expanding the set of unit tests to
include &os;-specific situations, and in extending Qt to handle &os;
filesystems better. In addition to the KDE sysadmins, we
would also like to extend our thanks to Adriaan de Groot, who
is both a KDE committer and part of our KDE on &os; team, for
@ -1422,7 +1434,7 @@
<ul>
<li>CMake was updated to 3.8.0 and 3.8.2</li>
<li>KDE Frameworks were updated to 5.33, 5.34 and 5.35</li>
<li>KDE Frameworks was updated to 5.33, 5.34 and 5.35</li>
<li>The Calligra office suite was updated to 3.0.1, the first
release in the ports tree to be based on KDE Frameworks 5,
@ -1489,10 +1501,10 @@
non-standard PHP-configurations or describe your exotic
setups! These can be as simple as changed default versions,
like LibreSSL instead of OpenSSL or the GCC version used for
compiling. I, for example, use always another
PostgreSQL-version than default (and always PHP 7.1). Of
course, this also covers options set in an non-default way or
setups changing variables to allow for multiple PHP
compiling. I, for example, always use another
PostgreSQL-version than the default (and always PHP 7.1). Of
course, this also covers port options set in an non-default way or
setups that change variables to allow for multiple PHP
installations, etc..</p>
<p>I plan to test on all supported &os; versions, so you only
@ -1524,7 +1536,7 @@
</contact>
<links>
<url href="https://github.com/NuxiNL/arpc">ARPC: GRPC-Like RPC Library That Wupports File Descriptor Passing</url>
<url href="https://github.com/NuxiNL/arpc">ARPC: GRPC-Like RPC Library That Supports File Descriptor Passing</url>
<url href="https://github.com/NuxiNL/flower">Flower: A Label-Based Network Backplane</url>
</links>
@ -1535,9 +1547,9 @@
<tt>connect()</tt> and <tt>sendto()</tt> are disabled. Though
we can sometimes work around this by ensuring that the
sandboxed process already possesses socket file descriptors on
startup, this doesn't allow the destination process to be
startup, this does not allow the destination process to be
restarted, moved to a different network address, be load
balanced, etc.</p>
balanced, etc..</p>
<p>Coming up with a solution for this is quite important for me,
as I am currently working on making CloudABI work on top of
@ -1601,9 +1613,9 @@
<links>
<url href="https://www.FreeBSD.org/ports/">About &os; Ports</url>
<url href="https://www.freebsd.org/doc/en_US.ISO8859-1/articles/contributing/ports-contributing.html">Contributing to ports</url>
<url href="https://www.freebsd.org/doc/en_US.ISO8859-1/articles/contributing/ports-contributing.html">Contributing to Ports</url>
<url href="http://portsmon.freebsd.org/index.html">&os; Ports Monitoring</url>
<url href="https://www.freebsd.org/portmgr/index.html">Ports Management Team</url>
<url href="https://www.freebsd.org/portmgr/index.html">Ports Management Team Website</url>
<url href="https://twitter.com/freebsd_portmgr/">&os; portmgr on Twitter (@freebsd_portmgr)</url>
<url href="https://www.facebook.com/portmgr">&os; Ports Management Team on Facebook</url>
<url href="https://plus.google.com/communities/108335846196454338383">&os; Ports Management Team on Google+</url>
@ -1611,7 +1623,7 @@
<body>
<p>This quarter, 2017Q2, broke the 30,000 ports landmark for the
first time. The PR count is currently just under 2,500 with
first time. The PR count is currently just under 2,500, with
almost 600 of them unassigned. This quarter saw almost 7,400
commits from 171 committers. More PRs got closed this
quarter, but also more PRs got sent in, both of which are good
@ -1637,7 +1649,7 @@
binaries using the <tt>cargo</tt> command (also covered
separately in this report).</li>
<li><tt>groff</tt>, to handle the dependency on the
<li><tt>groff</tt>, to handle a dependency on the
<tt>groff</tt> document formatting system, that has been
removed from the base system for &os; 12.</li>
@ -1749,7 +1761,7 @@
RAM.</p>
<p>The default linker on arm64 is now <tt>lld</tt>. This
means &os; is able to build itself with just the components
means that &os; is able to build itself with just the components
in the base system, a big milestone!</p>
</body>
</project>
@ -1768,7 +1780,7 @@
<url href="https://wiki.FreeBSD.org/Rust">Wiki Portal</url>
<url href="https://gist.github.com/dumbbell/b587da50ef014078da9e732a4331ebad">Guide to Bootstrap Rust on &os;</url>
<url href="https://bugs.FreeBSD.org/bugzilla/show_bug.cgi?id=216143">Bug Report to Track Progress on Bootstrapping</url>
<url href="https://internals.rust-lang.org/t/pre-rfc-target-extension-dealing-with-breaking-changes-at-os-level/5289">Upstream Discussion of API/ABI Breaking Changes</url>
<url href="https://internals.rust-lang.org/t/pre-rfc-target-extension-dealing-with-breaking-changes-at-os-level/5289">Upstream Discussion of API/ABI-Breaking Changes</url>
</links>
<body>
@ -1861,7 +1873,7 @@
</body>
</project>
<project cat='proj'>
<project cat='third'>
<title>HardenedBSD</title>
<contact>
@ -1883,7 +1895,7 @@
</contact>
<links>
<url href="https://hardenedbsd.org/">HardenedBSD</url>
<url href="https://hardenedbsd.org/">HardenedBSD Homepage</url>
<url href="http://clang.llvm.org/docs/SafeStack.html">SafeStack</url>
<url href="http://t3a73imee26zfb3d.onion/">HardenedBSD Tor Hidden Service</url>
<url href="https://github.com/HardenedBSD/hardenedBSD/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22">Projects HardenedBSD Would Like Help With</url>
@ -1891,54 +1903,34 @@
<body>
<p>HardenedBSD is a derivative of &os; that gives special attention to
security related enhancements and exploit-mitigation
technologies. The project started with Address Space Layout
Randomization (ASLR) as an initial focal point and is now
implementing further exploit mitigation techniques.</p>
security-related enhancements and exploit-mitigation
technologies. From an initial focus on Address Space Layout
Randomization (ASLR), it has now branched out to explore
additional exploit mitigation techniques.</p>
<p>It has been a long while since HardenedBSD's last appearance
in a quarterly status report, with the last status report
being from December of 2015. Accordingly, this status report
will be a long one!</p>
<p>It has been a long while since HardenedBSD's last entry
in a quarterly status report, back in 2015Q4. The
intervening year saw HardenedBSD gain new developers
Bernard Spil and Franco Fichtner, import LibreSSL and
OpenNTPd into base as the default crypto library and NTP
client, respectively, and introduce the <tt>hbsd-update</tt>
binary update mechanism for the base system. The
<tt>secadm</tt> application got a rewrite and Trusted Path
Execution (TPE). PIE is now enabled for the base system for
arm64 and amd64 as well as the bulk of the ports tree, and the
ports tree also gained RELRO and BIND_NOW. Integriforce
(similar to NetBSD's verified exec, <tt>veriexec</tt>) was
introduced for the base system, as well as SafeStack, a
technology for protection against stack-based buffer
overflows that's developed by the Clang/LLVM community.
SafeStack relies and builds on top of Address Space Layout
Randomization (ASLR), and is strengthened by the presence of
PaX NOEXEC. Certain high-profile ports also have SafeStack
enabled.</p>
<p>HardenedBSD has gained Bernard Spil and Franco Fichtner
as developers on the project. Bernard has imported both
LibreSSL and OpenNTPd into base. OpenNTPd and LibreSSL have
been set as the default <tt>ntp</tt> daemon and crypto library
respectively on HardenedBSD 12-CURRENT. Franco has given the
ports hardening framework a much-needed refactor.</p>
<p>We introduced a new secure binary update mechanism for the
base system, <tt>hbsd-update</tt>. Our <tt>secadm</tt>
application was rewritten to be made more efficient &mdash; it
now includes a feature called Integriforce, which is similar
in scope as NetBSD's verified exec (<tt>veriexec</tt>).
Trusted Path Execution (TPE) was also introduced into
<tt>secadm</tt>.</p>
<p>Through extremely generous donations from G2, Inc,
HardenedBSD has a dedicated package building server, a
dedicated binary update publishing server, and several
development and test servers.</p>
<p>In April of 2016, we introduced full PIE support for the base
system on arm64 and amd64. In June of 2016, we started
shipping Integriforce rules for the base system in the binary
updates distributed via <tt>hbsd-update</tt>. In August of
2016, PIE, RELRO, and BIND_NOW were enabled for the entire
ports tree, with the exception of a number of ports that have
one or more of those features explicitly disabled.</p>
<p>In November of 2016, we introduced SafeStack into the base
system. SafeStack is an exploit mitigation technique that
helps protect against stack-based buffer overflows. It is
developed by the Clang/LLVM community and is included, but not
used, in &os;. In order to be effective, SafeStack relies and
builds on top of Address Space Layout Randomization (ASLR).
Additionally, SafeStack is made stronger with HardenedBSD's
port of PaX NOEXEC. SafeStack is also enabled by default for
a number of high-profile ports in HardenedBSD's ports
tree.</p>
<p>Extremely generous hardware donations from G2, Inc. have
provided for dedicated package building and binary update
servers, as well as development and test servers.</p>
<p>In March of 2017, we added Control Flow Integrity (CFI) to
the base system. CFI is an exploit mitigation technique that
@ -1957,7 +1949,7 @@
all DSOs in a process. Currently only the former is
implemented, but we are working hard to enable cross-DSO CFI.
As is the case for SafeStack, cross-DSO CFI requires both ASLR
and PaX NOEXEC in order to be effective. If the attacker
and PaX NOEXEC in order to be effective. If an attacker
knows the memory layout of an application, the attacker might
be able to craft a data-only attack, modifying the CFI control
data.</p>
@ -1991,7 +1983,7 @@
<task>Integrate Cross-DSO CFI.</task>
<task>Documentation via the HardenedBSD Handbook.</task>
<task>Add documentation to the HardenedBSD Handbook.</task>
<task>Start porting grsecurity's RBAC.</task>
</help>
@ -2020,7 +2012,8 @@
<links>
<url href="https://gcc.gnu.org">GCC Homepage</url>
<url href="https://bugs.FreeBSD.org/bugzilla/show_bug.cgi?id=219275">Issue Tracking the Update to GCC 6</url>
<url
href="https://bugs.FreeBSD.org/bugzilla/show_bug.cgi?id=219275">Issue Tracker Entry for the Update to GCC 6</url>
<url href="https://gcc.gnu.org/gcc-5/changes.html">GCC 5 Changelog</url>
<url href="https://gcc.gnu.org/gcc-5/porting_to.html">GCC 5 Porting Issues</url>
</links>
@ -2028,12 +2021,13 @@
<body>
<p>The default version of GCC in the Ports Collection (the one
requested by <tt>USE_GCC=yes</tt> and various
<tt>USES=compiler</tt> invocations) has been updated from from
<tt>USES=compiler</tt> invocations) has been updated from
GCC 4.9.4 to GCC 5.4.</p>
<p>This new major version brings many new capabilities and
improvements, as well as some changes that may require
adjustments, including many new compiler warnings, significant
adjustments. The latter category includes many new compiler
warnings, significant
improvements to inter-procedural optimizations, and link-time
optimization.</p>
@ -2052,9 +2046,9 @@
binaries.</p>
<p>This is the end of a long journey establishing this infrastructure,
which is now similar that of the python ports, for example.
Having the new infrastructure makes upgrading the default as
well as locally adjusting the default version a lot
which is now similar that used by the python ports, for example.
Having the new infrastructure makes upgrading the default, as
well as locally adjusting the default version, a lot
easier.</p>
<p><tt>gcc8-devel</tt> has been added, and armv6hf support removed,
@ -2153,12 +2147,12 @@
not to me. In fairness, the removal of version strings from the
FDP Primer alone is a small change in a tiny corner of the
project. Looking at it another way, it might be that some
things that seem to be necessary are more about comfort in
things that seem to be necessary are more about the comfort of
familiarity than actual utility.</p>
<p>At present, this is strictly a change to the documentation
build toolchain and a single documentation book. However, there
do not appear to be any reasons it could not be extended to the
do not appear to be any reason why it could not be extended to the
rest of the documents. It might even serve as tiny test of
whether the expansion of <tt>&dollar;FreeBSD&dollar;</tt> tags
is needed throughout the rest of the &os; tree.</p>
@ -2212,7 +2206,7 @@
<p>Q2 Development Projects Summary</p>
<p>The hard work continues into the 2nd quarter on 2017.
<p>Our hard work continues into the 2nd quarter on 2017.
Please take a look at the highlights from our more recent
Development Projects summaries.</p>
@ -2252,7 +2246,7 @@
<p>The proposal submission deadline was July 14, 2017, but as
mentioned above, people are welcome to submit proposals at
anytime.</p>
any time.</p>
<p>Although proposals may address any &os; subsystem or
infrastructure, we are particularly interested in receiving
@ -2260,22 +2254,22 @@
<ul>
<li>Improvements to the security of &os; itself, or of
applications running on &os;.</li>
applications running on &os;</li>
<li>New test cases, improved test infrastructure, and
quality assurance.</li>
quality assurance</li>
<li>Improved software development tools.</li>
<li>Projects to improve community collaboration and
communication.</li>
communication</li>
<li>Improving the &os; &quot;out of the box&quot; experience
for new users on various hardware platforms.</li>
for new users on various hardware platforms</li>
<li>Establishing &os; as a leader in advancing projects of
shared interest (such as ZFS, LLVM, or
<tt>libarchive</tt>).</li>
<tt>libarchive</tt>)</li>
</ul>
<p>More details can be found at <a
@ -2287,7 +2281,7 @@
<p>Please do not hesitate to contact
proposals@FreeBSDfoundation.org with any questions.</p>
<p>Announcing New Partnership Program (contributed by Deb
<p>Announcing the New Partnership Program (contributed by Deb
Goodkin)</p>
<p>I'm excited to announce our new FreeBSD Foundation
@ -2324,8 +2318,8 @@
providing &os; education and training, and recruiting more
contributors to the Project. We can only provide the above
support with your donations, and we need your help to
connect us with your companies. Please consider sharing our
new Partnership Program with your organization and helping
connect us with your companies. Please consider alerting
your organization to our new Partnership Program and helping
to connect us with the appropriate contacts at your
company.</p>
@ -2447,7 +2441,7 @@
assistance with travel expenses for attending conferences
related to &os; development and advocacy. Please note: the
travel grant policy has been recently updated. Please
carefully review before submitting your application.</p>
carefully review it before submitting your application.</p>
<p>More information about travel grants is available at: <a
href="https://www.FreeBSDfoundation.org/what-we-do/grants/travel-grants/">https://www.FreeBSDfoundation.org/what-we-do/grants/travel-grants/</a>.</p>
@ -2529,7 +2523,7 @@
with the Project, if not become more deeply involved.</p>
<p>The naming for the new group of non-committer Project members
took a few tries to get right: having tried, and rejected
took a few tries to get right: having tried, and rejected,
&quot;Contributor&quot; and then &quot;Associate&quot;, Core
took the view that since what they were offerring was formal
Project Membership, then that was the right thing to call it.
@ -2610,7 +2604,7 @@
<li>Jordan Hubbard</li>
</ul>
<p>It is always unsettling when one of the Project's founder
<p>It is always unsettling when one of the Project's founding
members decides to move on, but Jordan's interests have
migrated away from &os; related projects and he has decided to
hang up his bit once and for all.</p>