
HardenedBSD December 2025 Status Report

  • shawn.webb
    Organizer
    • Dec 2021
    • 48

    #1

    HardenedBSD December 2025 Status Report

    This status report is going to be a lengthy one. Due to scheduling conflicts, I was unable to get out the November status report, so this one will cover the two months November - December 2025.

    A large portion of my focus has been on the infrastructure, getting a build environment for the recently-created hardened/15-stable/main branch. As discussed in a previous mailing list thread[1], the 14-STABLE build infrastructure has now been migrated to 15-STABLE. We have archived the last 14-STABLE package build, which last completed on 24 Dec 2025.

    We self-host nearly the entirety of our infrastructure out of my home. We have only one leased server, from the fine folks at NetActuate (previously RootBSD). This leased server hosts our main website, the hbsd-update build artifacts, and the package repos. Our package repos, naturally, grow over time. Back when we started this, each package repo was at most 75GB in size. Now we're encroaching 135GB.

    We now have a 30TB NAS in the home-based infrastructure. In order to support the growth, we will be migrating the package repo to the home infra. The package repos themselves have already been migrated. The only thing left to do is adjust the various DNS entries. I plan to do that once we have a usable 15-STABLE package repo. We will update this[2] mailing list thread when the migration has completed, DNS records and all. There will likely be a little blip in HTTPS/TLS connections as we regenerate LetsEncrypt certs. There's a delicate dance here. I plan to keep everyone informed as to when I begin and complete the process.

    The 14-STABLE build server (which is now being migrated to 15-STABLE) housed two VMs:
    1. The OS installer/update build VM. This builds the artifacts published at https://installers.hardenedbsd.org/ and mirrors.
    2. The package build VM.
    When we deployed that (stupendously) slow server to test its capabilities as a build server for 15-STABLE, we followed the same pattern: two separate VMs. We are going to keep the 15-STABLE OS installer/update build VM on that slow server. We're going to power off the 14-STABLE OS build VM and increase the resources to the package build VM. This means we should be able to decrease the time it takes for that server to produce a usable package repo. Naturally, this comes at a cost of a slow build time for the OS installer/updates, but that process can tolerate **a lot** of slowness. So long as it can produce its build artifacts in less than 48 hours, I'm satisfied. It's the package building (36,000+ packages) that takes the most resources.

    I spent a lot of time in the ports tree over the past couple months. The focus was on fixing ports broken by the various hardening techniques we employ. The introduction of -Werror=format-security caused a large amount of fallout, which I have been addressing. While addressing those, I figured I might as well fix ports broken by the other techniques.

    I'm working on enhancing libhbsdcontrol with better error handling. I'm hoping to have that work committed in early January 2026.

    I'm hoping in January to spend some time on hbsdfw. The VM I've been using to build hbsdfw has been panicking when the Poudriere build finishes when building the hbsdfw packages. In Q1 2026, I plan to migrate hbsdfw from HardenedBSD 14-STABLE to 16-CURRENT. Following the hardened/current/master src branch will lighten my load in maintaining this little hobby subproject.

    I need to file a bug report upstream in FreeBSD/OpenZFS to track this kernel panic. The panic happens when something during the build checks whether PaX PAGEEXEC is enabled through looking up a filesystem extended attribute. OpenZFS recently changed how filesystem extended attributes work, so it's possible we're hitting a unique edge case.

    In January, I'm going to get two lab environments set up:
    1. Internal Reticulum nodes to test the Reticulum protocol and its potential for use with our censorship- and surveillance-resistant mesh network R&D.
    2. Internal Radicle nodes to start concerted testing to eventually replace GitLab with Radicle.
    I feel somewhat down for not making more progress this year on the censorship- and surveillance-resistant networks. I'm hoping to place more emphasis on this in 2026.

    In src:
    1. Always build elftc-nm and elft-ar
    2. TPE: Ensure user-owned vnodes are unwritable
    3. ASLR: Use VMFS_NO_SPACE to map the stack
    4. Add various C/C++ hardening flags:
      1. -fno-delete-null-pointer-checks
      2. -Werror=format-security
    5. Unlock the sound mutex on error
    6. Fix branch detection in release
    7. Disable SafeStack for the Unbound daemon
    8. Some pkgbase-related work
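    The -Werror=format-security flag named above (and in src item 4) turns one specific pattern into a hard build error: calling a printf-family function with a non-literal format string and no further arguments, as in `printf(msg)`, which lets `%x`/`%n` directives inside `msg` read or write the caller's stack. The following is an added example, not HardenedBSD's code nor a patch from the ports tree, showing the two fixes a broken port is usually rewritten to: pass the message through a literal "%s", or, when the wrapper really does forward a format, make it variadic and tag it with the printf format attribute so the compiler checks its callers too. The function names `copy_message` and `format_message` are made up for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Fix 1: the message is data, not a format.  The rejected form would be
 * snprintf(buf, n, msg); with a literal "%s" the message is copied verbatim,
 * so directives such as "%n" inside it are never interpreted. */
size_t copy_message(char *buf, size_t n, const char *msg)
{
    int r = snprintf(buf, n, "%s", msg);
    if (r < 0)
        return 0;
    /* snprintf returns the untruncated length; report what actually landed. */
    return (size_t)r < n ? (size_t)r : n - 1;
}

/* Fix 2: a wrapper that genuinely forwards a format string becomes variadic.
 * The format attribute makes the compiler type-check the format against the
 * arguments at every call site, so the wrapper no longer hides mismatches. */
__attribute__((format(printf, 3, 4)))
size_t format_message(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;

    va_start(ap, fmt);
    r = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    if (r < 0)
        return 0;
    return (size_t)r < n ? (size_t)r : n - 1;
}

int main(void)
{
    char buf[64];
    /* Constructed untrusted input: would be interpreted by the rejected form. */
    const char *untrusted = "%x %n";

    copy_message(buf, sizeof buf, untrusted);
    printf("copied literally: %s\n", buf);

    format_message(buf, sizeof buf, "pid=%d user=%s", 42, "alice");
    printf("formatted: %s\n", buf);
    return 0;
}
```

    Both functions compile cleanly under `-Wformat -Werror=format-security` (the `-Wformat` addition in the ports list is what gives the second flag something to check). A port that fails the build usually has a wrapper of the first shape without the "%s"; which of the two fixes applies depends on whether any caller passes a real format with arguments.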
    In ports (this is gonna be a long list, our longest to date):
    1. Disable LINUX for x11/nvidia-kmod
    2. ftp/curl: Fixup .onion patch
    3. Add "general compilation hardening" USES
    4. Delete unneeded patch for databases/redis
    5. Fix archivers/zip
    6. Disable hardcflags for devel/m4
    7. Disable hardcflags for lang/gcc13
    8. Disable HARDCFLAGS for devel/t1lib
    9. Fix HARDCFLAGS errors for devel/ctags
    10. Disable HARDCFLAGS for archivers/unzip
    11. Fix HARDCFLAGS for net-mgmt/libsmi
    12. Disable HARDCFLAGS for x11-toolkits/open-motif
    13. Disable HARDCFLAGS for devel/expect
    14. Fix the devel/ivykis port
    15. Fix HARDCFLAGS for multimedia/webcamd
    16. Disable HARDCFLAGS for lang/gcc12
    17. Disable HardenedBSD features for lang/gcc14
    18. Disable HardenedBSD features for lang/gcc15
    19. Disable HardenedBSD features for lang/gcc16-devel
    20. Fix HARDCFLAGS for multimedia/smpeg
    21. Disable HARDCFLAGS for devel/elfutils
    22. Fix HARDCFLAGS for converters/recode
    23. Disable fortifysource for graphics/netpbm
    24. Fix hardcflags for devel/fortytwo-encore
    25. Fix HARDCFLAGS for graphics/libvisual04
    26. Disable HARDCFLAGS for devel/kBuild
    27. Fix HARDCFLAGS for devel/libbegemot
    28. Fix HARDCFLAGS for games/pmars-sdl
    29. Disable FORTIFYSOURCE for security/signify
    30. Disable HARDCFLAGS for mail/mailutils
    31. Fix HARDCFLAGS for devel/ta-lib
    32. Fix HARDCFLAGS for math/spooles
    33. Fix HARDCFLAGS for textproc/wv
    34. Fix HARDCFLAGS for databases/sqlite2
    35. Disable HARDCFLAGS for graphics/lensfun
    36. Fix HARDCFLAGS for devel/rlwrap
    37. Disable fortifysource for mail/opensmtpd
    38. Fix HARDCFLAGS for x11-toolkits/unique
    39. Fix HARDCFLAGS for devel/efivar
    40. Fix HARDCFLAGS for lang/f2c
    41. Fix HARDCFLAGS for textproc/scim-table-imengine
    42. Disable FORTIFYSOURCE and HARDCFLAGS for sysutils/fwupd-efi
    43. Fix HARDCFLAGS for games/libmt_client
    44. Disable HARDCFLAGS for games/gnugo
    45. Fix HARDCFLAGS for comms/rxtx
    46. Disable PIE and RELRO for databases/redis
    47. Fix build for devel/omniORB
    48. Fix build of security/rubygem-bcrypt_pbkdf
    49. Fix HARDCFLAGS for math/grace
    50. Fix HARDCFLAGS for audio/libbs2b
    51. Disable HARDCFLAGS for graphics/plotutils
    52. Fix HARDCFLAGS for emulators/libretro-reicast
    53. Add -Wformat for HARDCFLAGS
    54. Disable HARDCFLAGS for graphics/gracula
    55. Fix HARDCFLAGS for mail/spmfilter
    56. Add cheat support in games/ioquake3
    57. Fix HARDCFLAGS for print/catdvi
    58. Fix HARDCFLAGS for graphics/seom
    59. Fix HARDCFLAGS for deskutils/presage
    60. Fix HARDCFLAGS for graphics/alpng
    61. Enable SLH for games/ioquake3
    62. Fix -Werror=format-security bug in games/ioquake3
    63. Fix HARDCFLAGS for x11-toolkits/fox16
    64. Disable HARDCFLAGS for graphics/glslang
    65. Re-enable PIE and RELRO for databases/redis
    66. Fix HARDCFLAGS for converters/uudeview
    67. Fix HARDCFLAGS for textproc/gdome2
    68. Disable FORTIFYSOURCE for misc/mbuffer
    69. Disable HARDCFLAGS for archivers/unarj
    70. Disable FORTIFYSOURCE for misc/amanda-{client,server}
    71. Disable FORTIFYSOURCE for net/dante
    72. Fix HARDCFLAGS for archivers/sharutils
    73. Fix HARDCFLAGS for lang/squeak
    74. Disable FORTIFYSOURCE for devel/socket_wrapper
    75. Fix HARDCFLAGS for net/pvm
    76. Fix HARDCFLAGS for audio/snack
    77. Fix HARDCFLAGS for textproc/sgmlformat
    78. Fix HARDCFLAGS for cad/iverilog
    79. Fix HARDCFLAGS for sysutils/genisoimage
    80. Disable HARDCFLAGS for games/libretro-boom3
    81. Fix HARDCFLAGS for math/testu01
    82. Disable FORTIFYSOURCE for devel/pcc-libs
    83. Disable PIE for security/cryptlib
    84. Fix HARDCFLAGS for mail/addresses-goodies
    85. Fix build of devel/ivykis on 14-stable
    86. Disable HARDCFLAGS for security/pgpin
    87. (0x1eef) Fix grub2-bhyve build error
    88. Disable HARDCFLAGS for devel/cunit
    89. Disable FORTIFYSOURCE for editors/dte
    90. Disable FORTIFYSOURCE for mail/akpop3d
    91. Disable HARDCFLAGS for emulators/x48
    92. Fix HARDCFLAGS for net/osrtspproxy
    93. Fix HARDCFLAGS for mail/qmailmrtg7
    94. Fix HARDCFLAGS for print/transfig
    95. Disable PIE for graphics/nsxiv
    96. Disable FORTIFYSOURCE for devel/uid_wrapper
    97. Disable HARDCFLAGS for devel/cweb
    98. Fix FORTIFYSOURCE for multimedia/ffmpeg
    99. Fix build of lang/gcc14
    100. Fix FORTIFYSOURCE for devel/tex-libtexluajit
    101. Disable FORTIFYSOURCE and HARDCFLAGS for security/barnyard2
    102. Fix build of lang/gcc12
    103. Fix build of databases/arrow
    [1]: https://groups.google.com/a/hardenedbsd.org/g/users/c/51IARO8noYo/m/asRq...
    [2]: https://groups.google.com/a/hardenedbsd.org/g/users/c/G6HbsE8DA5w/m/I4ou...