NetBSD 7.0.2 released
Why 7.0.2? Following
NetBSD's release scheme,
there are major releases (e.g. 7.0) with subsequent updates (e.g. 7.1).
Those "major" releases and their updates include both new features
as well as bug fixes, the latter with and without security
relevance. New code, new risks: as a consequence of taking updates,
existing interfaces may change and lead to incompatibilities.
This may affect binary compatibility between programs
and the shared libraries they require, as well as, though rare, incompatible
changes on the source code level.
NetBSD takes quite some effort to keep such incompatibilities
rare, yet they happen. The only way to avoid them entirely is: no updates.
"Never change a running system" is nice for availability,
but it poses security risks. The days when a long server uptime
was considered a sign of good system administration are gone.
Today, a long time without updates means the system (probably) runs outdated
and as such vulnerable code.
So a compromise is needed: few changes,
but crucial security updates do get done. Which is where
NetBSD's "minor" releases like NetBSD 7.0.2 come into play.
With its set of changes, a number of external software packages
got security-related updates (e.g. OpenSSL, NTP, BIND, X),
and a smaller number of security-related fixes to NetBSD's own code were also included,
e.g. for a race condition in mail.local(8), for crashes in the Network
File System (NFS) and the native Fast File System (FFS), plus
some platform-specific crashes on MIPS, PowerPC and SPARC64.
For more information on downloading and installation see
the release announcement
as well as the platform-specific install documentation,
e.g. for NetBSD 7.0.2/arm64's INSTALL.html file.
[Tags: bind, mips, ntp, openssl, powerpc, Releases, sparc64]
Interview with spz@ on BSDnow
There is an
interview of Petra "spz@"
She talks about how she got into Unix and NetBSD,
and about all the different hats she wears
in the NetBSD Project and The NetBSD Foundation (TNF).
The interview starts at minute 26 -
have a look!
[Tags: bsdnow, spz]
Catching up: audio-mixing, arm, x86 and amd64 platform improvements and security
A few noteworthy things have happened in NetBSD land,
and being lazy I will collect them in one blog posting.
Here we go:
- In-kernel audio mixing:
So far, NetBSD's audio device can only be opened once.
If more than one application wants to play sound, the first one wins.
This is suboptimal if you want to (say) play some MP3s
but also get the occasional noise from your web browser.
Now, Nathanial Sloss has made a stab at this, providing
several implementation choices. One challenge in the task
is that streams of different format (sampling rate,
mono/stereo, etc.) need to be converted to one common
format before mixing and passing on to the actual audio
hardware.
hardware. Further fun is added by the delay this process
See the discussion on tech-kern
for all the gory details!
- Freescale i.MX7 support:
Ryo Shimizu has committed support for the
Freescale i.MX7 processor
and the Atmark Techno Armadillo-IoT G3 board.
According to his posting to port-arm (dmesg included),
UART, Ethernet, USB, SDHC, RTC, GPIO, WDOG and MULTIPROCESSOR work.
An interesting property of the platform is that it has
two Cortex-A7 cores and one Cortex-M4 core, the latter without
an MMU. Ideas on how to use the latter are welcome! :)
- PIE binaries with PaX ASLR and MPROTECT enabled are now the default for i386.
ASLR and MPROTECT can be turned off either globally (via sysctl)
or per-binary (via paxctl(8)) if any problems should arise. Be sure to
document those exceptions in your risk management! :-)
- Platform improvements for
amd64 and i386. For amd64, Maxime Villard writes:
- I cleaned up the asm code and fixed several comments, which makes the
boot process much easier to understand.
- I fixed the alignment for the text segment, so that it can be covered by
more large pages - thereby reducing TLB contention.
- I fixed a bug in the way the secondary CPUs are launched, which
caused them to crash if they tried to access an X-less page.
- I took rodata out of the text+rodata chunk, and put it in the data+bss+
PRELOADED_MODULES+BOOTSTRAP_TABLES chunk. rodata was no longer large
page optimized, and had RWX permissions.
- I retook rodata out of the rodata+data+bss+PRELOADED_MODULES+
BOOTSTRAP_TABLES chunk, and made the kernel map it independently without
the W permission.
- I made the kernel map rodata without the X permission, by using the NOX
bit on its pages (now that the secondary CPUs could handle that).
- I took the data+bss chunk out of the data+bss+PRELOADED_MODULES+
BOOTSTRAP_TABLES chunk, and made the kernel map it independently without
X permission.
- I made the kernel remap rodata and data+bss with large pages and proper
permissions - which reduces once again TLB contention.
See Maxime's posting to tech-kern
for all the footnotes. Likewise, Maxime also
tackled i386, and besides the changes from amd64, here is
the list of changes from his email:
- on non-PAE i386, NOX does not exist. Therefore the mappings all have an
additional X permission. To benefit from X-less mappings, your CPU must
support PAE, and your kernel must be GENERIC_PAE.
- the segments are not large-page-aligned, which means that probably some
parts of the segments are still mapped with normal pages. It is still more
optimized than it used to be, but not as much as amd64 is.
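The convert-then-mix step described in the audio item above, as an added worked example (my code, not Nathanial Sloss's patches or NetBSD's audio driver): two constructed 16-bit PCM clips in different formats, a mono 22050 Hz "voice" and a stereo 44100 Hz "music" clip, are brought to one common format (44100 Hz, stereo) by linear interpolation and mono-to-stereo duplication, then summed into a 32-bit accumulator and saturated back to 16 bits. The output format constants, the clip contents and the function names are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not NetBSD code: common output format every stream is
 * converted to before mixing (assumed values for the demo). */
#define OUT_RATE      44100u
#define OUT_CHANNELS  2u
#define MAX_FRAMES    64u

struct pcm {
	const int16_t *samples;   /* interleaved 16-bit signed samples */
	size_t frames;            /* number of frames (samples per channel) */
	unsigned rate;            /* sampling rate in Hz */
	unsigned channels;        /* 1 (mono) or 2 (stereo) */
};

/* Clamp a 32-bit accumulator into the 16-bit sample range. */
static int16_t
sat16(int32_t v)
{
	if (v > INT16_MAX) return INT16_MAX;
	if (v < INT16_MIN) return INT16_MIN;
	return (int16_t)v;
}

/* Channel ch of frame f; a mono sample is duplicated to both channels. */
static int16_t
get_sample(const struct pcm *s, size_t f, unsigned ch)
{
	return s->channels == 1 ? s->samples[f] : s->samples[f * 2 + ch];
}

/* Convert one stream to OUT_RATE/OUT_CHANNELS by linear interpolation
 * (integer arithmetic only; the last input frame is held at the end).
 * Returns the number of output frames written to out. */
size_t
convert(const struct pcm *in, int16_t *out, size_t max_frames)
{
	size_t nout = (size_t)((uint64_t)in->frames * OUT_RATE / in->rate);
	if (nout > max_frames)
		nout = max_frames;
	for (size_t i = 0; i < nout; i++) {
		uint64_t pos = (uint64_t)i * in->rate;   /* input position * OUT_RATE */
		size_t i0 = (size_t)(pos / OUT_RATE);
		int64_t rem = (int64_t)(pos % OUT_RATE);  /* fractional part, /OUT_RATE */
		size_t i1 = i0 + 1 < in->frames ? i0 + 1 : i0;
		for (unsigned ch = 0; ch < OUT_CHANNELS; ch++) {
			int64_t a = get_sample(in, i0, ch);
			int64_t b = get_sample(in, i1, ch);
			out[i * OUT_CHANNELS + ch] =
			    sat16((int32_t)(a + (b - a) * rem / (int64_t)OUT_RATE));
		}
	}
	return nout;
}

/* Sum nsrc converted stereo buffers of `frames` frames into dst, saturating. */
void
mix(int16_t *dst, size_t frames, const int16_t *const *srcs, size_t nsrc)
{
	for (size_t i = 0; i < frames * OUT_CHANNELS; i++) {
		int32_t acc = 0;
		for (size_t s = 0; s < nsrc; s++)
			acc += srcs[s][i];
		dst[i] = sat16(acc);
	}
}

/* Constructed sample input (not real recordings). */
static const int16_t voice_pcm[] = { 2000, 1000, 2000, -3000 };      /* mono, 22050 Hz */
static const int16_t music_pcm[] = {                                  /* stereo, 44100 Hz */
	32000, 100,   100, 200,   300, 400,     500, 600,
	700, 800,     900, 1000,  1100, 1200,   -32000, -32000,
};

static int16_t mixed[MAX_FRAMES * OUT_CHANNELS];

/* Run the whole pipeline on the constructed clips; returns frames produced. */
size_t
demo_mixdown(void)
{
	struct pcm voice = { voice_pcm, 4, 22050, 1 };
	struct pcm music = { music_pcm, 8, 44100, 2 };
	int16_t a[MAX_FRAMES * OUT_CHANNELS], b[MAX_FRAMES * OUT_CHANNELS];
	size_t na = convert(&voice, a, MAX_FRAMES);
	size_t nb = convert(&music, b, MAX_FRAMES);
	size_t n = na < nb ? na : nb;   /* mix only where both streams have data */
	const int16_t *srcs[] = { a, b };
	mix(mixed, n, srcs, 2);
	return n;
}

/* Read back one interleaved sample of the mixdown. */
int16_t
demo_sample(size_t idx)
{
	return idx < MAX_FRAMES * OUT_CHANNELS ? mixed[idx] : 0;
}

int
main(void)
{
	size_t n = demo_mixdown();
	for (size_t i = 0; i < n; i++)
		printf("frame %zu: L=%6d R=%6d\n", i, demo_sample(2 * i), demo_sample(2 * i + 1));
	return 0;
}
```

The saturation step is the part that matters once more than one client is allowed to open the device: two streams near full scale overflow 16 bits when summed, so the accumulator is wider and clamped (the first and last frames of the demo hit both rails). The delay the post mentions is deliberately ignored here; a real mixer has to buffer enough of every stream to keep them aligned.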
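To see what the MPROTECT part of the i386 item above actually enforces for a process, here is an added probe (my code, not part of NetBSD or of the change described): it maps an anonymous read/write page, asks the kernel to make it read/execute, and then to make it writable and executable at once. With PaX MPROTECT active a mapping that has been writable may not become executable, so one of the two mprotect(2) calls is refused and the probe returns 1; on a system without such a policy both calls succeed and it returns 0. The function name and the acceptance of EPERM alongside EACCES are my assumptions. Running the same binary after `paxctl +m` (MPROTECT explicitly disabled for that executable) or with security.pax.mprotect.enabled=0 shows the difference, and is exactly the kind of exception the post asks you to document.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose MAP_ANONYMOUS; harmless elsewhere */
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

/*
 * Added example, not NetBSD project code: probe whether this process is
 * subject to a W^X policy such as PaX MPROTECT.  Depending on the
 * implementation the refusal can come at the RW->RX step (the mapping's
 * maximum protection was reduced when it was created writable) or at the
 * RWX step; either counts as "enforced".
 */

/* Returns 1 if the policy is enforced, 0 if both transitions were granted,
 * -1 if the probe itself failed for an unrelated reason. */
int
probe_wx(void)
{
	long pgsz = sysconf(_SC_PAGESIZE);
	if (pgsz <= 0)
		return -1;
	size_t len = (size_t)pgsz;

	volatile unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
	    MAP_PRIVATE | MAP_ANON, -1, 0);
	if (p == MAP_FAILED)
		return -1;
	p[0] = 0xc3;   /* the page is writable at this point */

	int rc;
	if (mprotect((void *)p, len, PROT_READ | PROT_EXEC) != 0) {
		/* W -> X transition refused (assumed errno values: EACCES/EPERM) */
		rc = (errno == EACCES || errno == EPERM) ? 1 : -1;
	} else if (mprotect((void *)p, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
		/* W and X at once refused */
		rc = (errno == EACCES || errno == EPERM) ? 1 : -1;
	} else {
		rc = 0;   /* no W^X policy applies to this process */
	}
	munmap((void *)p, len);
	return rc;
}

int
main(void)
{
	int r = probe_wx();
	if (r < 0)
		perror("probe_wx");
	else
		printf("W^X policy %s for this process\n", r ? "enforced" : "not enforced");
	return r < 0;
}
```

The same W^X idea is what Maxime's amd64 work applies to the kernel's own mappings: rodata loses W, data and bss lose X via the NOX bit. Programs that legitimately need writable-and-executable memory (JIT compilers) are the usual reason for a per-binary exception.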
[Tags: aslr, audio, dmesg, freescale, imx7, mprotect, pax, pie, Security]
Bootstrap pkgsrc under 'bash on Windows'
Much brouhaha was made about
Windows running a Linux userland recently.
Leaving aside the fact that emulating other operating systems
is something that NetBSD has done for ages, there is one
real challenge that every Linux user faces once the
operating system is set up: getting software installed easily.
And of course there is only one truly portable answer to
that question: use pkgsrc, of course!
The process is pretty straightforward,
and Ryo ONODERA has verified the required
Windows versions and Linux packages, and has sent
instructions on how to bootstrap pkgsrc on Windows 10.
Now who's the first one to post a screenshot with
output of pkgsrc/misc/cowsay running "cowsay hello pkgsrc"? :-)
[Tags: bash, linux, microsoft, windows]
OpenHUB's NetBSD Project Statistics
This flew by on Twitter
(thanks ajcc @6LR61!), and I think it's neat,
so I point to it here:
BlackDuck's OpenHUB has a number of NetBSD project statistics.
Statistics include activity and vulnerability reports,
languages, lines-of-code statistics (with comment and blank lines),
30 day and 12 month activity reports with commit and contributor
numbers, number of contributors per month since 1993 and more.
In a nutshell, NetBSD consists of 5902 years of effort.
Have a look!
NetBSD and Google's Summer of Code 2016: Projects announced
This year, NetBSD is part of Google's
Summer of Code again, and
the students that will work on NetBSD projects
and their project proposals for this year have been announced.
Have a look at the links to learn more about the
students and the projects. To all the students - welcome to
Two more NetBSD Security Advisories: compatibility layers, Bozohttpd
Two more security advisories have been released:
[Tags: bozohttpd, compat, Security]
NetBSD Security Advisories: ntp, libXfont, calendar
NetBSD has released a number of security advisories:
- 2016-001: Multiple vulnerabilities in ntp daemon
- 2016-002: BDF file parsing issues in libXfont
- 2016-003: Privilege escalation in calendar(1)
See the advisories for more information on
which NetBSD releases are and are not affected,
the severity of the vulnerability as well as the date
on which each NetBSD release branch was fixed.
The advisories also contain an abstract of the problem
as well as in-depth technical details with solutions and
workarounds. Go and have a look!
[Tags: calendar, ntp, Security]
Article: The Complexity of Doing Things Right in Distributed Board Elections
David Maxwell has volunteered to guide the election process
of the NetBSD Foundation's Board of Directors for the upcoming election.
In this article on LinkedIn,
David writes about the challenges of voting in a distributed project,
and how they are addressed in the early stages of the
``A secure voting process shares a lot in common with cryptography. The creators have to understand the inputs, the quality of the randomness supplied, and the transformations applied to the data. The designer also needs to understand the properties which are meant to be guaranteed by the process, such as transparency and individual confirmation of the entire process in this case.''
for more information.
[Tags: board, linkedin]
Using GPIO on the Raspberry Pi
asked on port-arm
how to get GPIO ports going with NetBSD on the Raspberry Pi,
collected the answers and posted
the link to the resulting document
to the list.
In short, the key is to configure the GPIO pins during boot,
while the system has not yet raised the securelevel.
[Tags: gpio, raspberrypi]