https://forum.defcon.org/ https://hardenedbsd.org/)]]> en Tue, 16 Jun 2026 14:06:00 GMT vBulletin 60 https://forum.defcon.org/images/misc/rss.png https://forum.defcon.org/ https://forum.defcon.org/node/255799 Mon, 01 Jun 2026 23:37:09 GMT
We have mostly completed the migration from our self-hosted GitLab Enterprise instance to Radicle. There's still further work to be done, but the most crucial bits have made it over. We're also still working on ironing out some kinks in learning "the Radicle way". I hope soon to write an article chronicling our journey thus far.

I wrote documentation on how to bootstrap Radicle's local storage directory with src and ports. If you hope to someday submit issues and/or patches, following these bootstrap instructions will certainly ease the initial pain. I plan to include an export of these Radicle storage bootstrap archives with each official build. The current exports are not signed. I'm going to include the hashes in this signed email. I am working on a candidate patch to our build scripts to perform this export. The archives exported by our builder VMs will be signed with our normal ssh key-based signing method.

Fully fixing the release image generation (chiefly fixing generation of disc1.iso) is my first priority. Radicle bootstrap archive generation is my second priority. Radicle integration in our auto-sync is my third priority. Our commit emails came from GitLab. I need to replicate that functionality but with "the Radicle way." For now, I'm performing the sync myself when time permits (usually multiple times per day.)

The past couple months have also seen a number of FreeBSD security advisories, so we've published new builds for 16-CURRENT and 15-STABLE. Installer image generation is still somewhat broken, though I've seen some success with memstick.img. I plan to continue working on this until we're 100% fixed, though it will take time. It takes quite the number of hours to test even the smallest of changes. I get pretty much at most two attempts at testing fixes per day.

I spent some time studying Reticulum's code. I'm in the process of writing a shim to abstract how its backbone interface implementation uses select and friends. Back when I last looked at it, it required use of epoll. Simultaenously while I was working on that, I did notice the Reticulum project was working on a more portable backbone interface implementation. So I need to restart that research when the time comes.

I also spent a little bit of time with hbsdfw. I started work on forward-porting our 14-stable hbsdfw-specific patches to 15-STABLE. Then GitLab died, and my priorities switched to the Radicle migration. So I need to restart this research, too, when the time comes. I think I might target -CURRENT rather than 15-STABLE. That way, we don't have to periodically forward-port patches: we just maintain our patches against the naturally-evvolving hardened/current/master.

We completed the ISP account migration. Some pain is left to resolve. We lost support for our tunneled IPv6 (via Hurricane Electric's Tunnel Broker). I need to schedule a part of my day to capture some packets and get on the phone with some tech support folks on the side of both my ISP and HE. Until then, I've removed the AAAA DNS records for the relevant bits of infrastructure.

In src:

1. FreeBSD merged llvm 21 into base. We needed to fix one compilation error in HardenedBSD's code caught by llvm 21
2. Replace FreeBSD's README.md with our main wiki-based documentation.
3. Drop the -HBSD suffix in newvers.sh
4. Migrate hbsd-update-build to Radicle
5. Revert the release/ subdirectory to a known good-ish commit. This brought back generation of memstick.img
6. The hardening.pax.kmod_load_disable sysctl node logic was enhanced
7. Fix MK_LLVM_LINK_STATIC_LIBRARIES in src.opts.mk

In ports:

1. multimedia/ffmpeg build was fixed
2. ports-mgmt/pkg was updated to 2.7.5
3. ports-mgmt/poudriere-hbsd was updated to 3.4.8
4. A patch was brought in to fix the graphics/hdr_histogram port
5. hardenedbsd/secadm was updated to account for recent MAC hook changes by FreeBSD
6. Some incredibly basic support was implemented for downloading distfiles via Radicle HTTP
7. ports-mgmt/pkg was migrated to Radicle
8. The default llvm version was bumped to 21 for latest 16-CURRENT users
9. ports-mgmt/poudriere-hbsd was migrated to Radicle
10. COMPAT32 was disable for misc/compat{14,15}
11. PIE was disabled for devel/ccache4
12. net-p2p/reticulum was migrated to Radicle
13. hardenedbsd/secadm was migrated to Radicle

I want to say a heartfelt thank you to the Radicle folks. You've spent a lot of time in helping out. You didn't have to, but you chose to. And for that, I'm incredibly grateful. It's fun to see the Radicle network evolve.

==== BEGIN ARTIFACT HASHES ====
$ sha256 ports.tar.xz
SHA256 (ports.tar.xz) = b12f303b96b02b16744c1286868726ab4df43a06f6d28de3c2 47d4d1598f743b
$ wc -c ports.tar.xz
1472685664 ports.tar.xz
$ sha256 src.tar.xz
SHA256 (src.tar.xz) = 00301a70910127f4fd9564dca1be948e6b9909e864053a76b9 197565768345cf
$ wc -c src.tar.xz
2069117660 src.tar.xz
==== END ARTIFACT HASHES ====
]]> HardenedBSD shawn.webb https://forum.defcon.org/node/255799 https://forum.defcon.org/node/255479 Wed, 04 Mar 2026 21:39:21 GMT
As I write this, I'm narrowing that down further to the specific commit. I'm hoping to have this resolved this month. If I find and fix the problem this week, I will create new builds for folks to use. Otherwise, the next scheduled regular quarterly build is for 01 Apr 2026.

I appreciate everyone's patience on this. This has been a tricky bug (at times, it fit the description of a "heisenbug"). My spare time is limited (I have a rather large amount of tasks/obligations in everyday ${LIFE} right now), so it has naturally taken a long while to get to this point.

While inbetween clients at my dayjob, I have been granted the opportunity to research meshtastic and other mesh networking projects. I'm getting a lot closer in my censorship- and surveillance-resistant mesh network proof-of-concept. I'm now at the point where I need to port Linux-specific code to HardenedBSD. I'm hoping to get normal tcp/ip packets flowing through Reticulum nodes on the inside of six months. This project, announced in partnership with Protectli one-and-a-half years ago[1], is starting to move along at a nice pace. I will have more to share on that by the next status report.

On Saturday, 28 Feb 2026, I had given my local Hackers N' Hops chapter a little show & tell of Meshtastic, Reticulum, and HardenedBSD. I met with a bunch of really cool hacckers there, and demoed two Reticulum RNodes backed by Reticulum instances on two HardenedBSD laptops. I demoed an exec-over-meshtastic Python script I wrote the day prior. The script is available on Radicle as rad:z44pvAJS7SiQf2CGtpn8hY44GDMyu.

Speaking of Radicle, I plan to migrate some of my personal repos away from our self-hosted GitLab and onto the Radicle network. With time, I'm hoping to migrate us completely towards Radicle. Now would be a good time for those who want to contribute to HardenedBSD to start playing around and experimenting with Radicle.

In src:

1. Contributor "gmg" hardened the kernel crashdump interface.
2. Opt zlib kernel module into -ftrivial-var-auto-init=zero.
3. bsdinstall(8): Align us more closely with FreeBSD.

In ports:

1. net-p2p/reticulum was updated to 1.1.3_2
2. Disable PaX PAGEEXEC and PaX NOEXEC for science/zotero
3. Bring in candidate patch to fix dns/unbound
4. Hook hardenedbsd/ctrl into the build
5. 0x1eef added a new port: hardenedbsd/ctrl
6. Bump ports-mgmt/pkg to 3.5.1_1
7. 0x1eef updated a port: portzap v2.1.1
8. 0x1eef updated a port: sourcezap v2.1.1

Once I have figured out what's going on with the 15-STABLE panic and have a proper fix in place, I plan to quickly switch gears towards hbsdfw. I haven't produced a working hbsdfw build in a long time, and it's far past due. After that, I plan to switch right back to the Reticulum research and development.

I'll make sure to keep the community informed of the 15-STABLE findings and fixes.
]]> HardenedBSD shawn.webb https://forum.defcon.org/node/255479