-
_xor
Is there an easy way to figure out which commit a kernel was compiled from?
-
mason
_xor: Hrm, I don't have something that's not installed by freebsd-update here, but what's strings /boot/kernel/kernel | tail give you?
-
rwp
The theory goes that "freebsd-version -kru" should return the installed kernel, running kernel, userland versions.
-
rwp
I don't know how that maps to git commit hashes or git tags though. I would hope it would map to "git tag -l" and "git log release/13.1.0" though.
-
_xor
Not necessarily, it's more complex than that. You also have patchlevels, etc.
-
_xor
mason: Good thinking on strings.
-
_xor
mason: I may have a lead here - "stable/13-5c55abaf0"
-
_xor
Yaaaas, looks like I found it :)
-
_xor
Oh I am such an idiot.
-
_xor
I forgot that I built the image for this version using poudriere.
-
_xor
Could just have checked the poudriere jail version.
-
rwp
Every year that I get older I keep realizing how dumb I was last year.
-
_xor
But since you're realizing it, aren't you getting smarter? :P
-
_xor
Also, I just noticed that the two hashes don't match :/
-
rwp
The dumbest thing we all did as a kid was wish we were an adult. And now look at us!
-
_xor
I was just telling my buddy something like that the other day. Over the past 20 years, when looking at something, the change in mentality went something like this...
-
_xor
"What the heck? That's stupid, you should just do this..." -> "Hmm, that's strange, but there's probably a reason it's done like that..." -> "That doesn't seem like the best way, but I might be missing something...but then again, I've seen stupid stuff before."
-
» rwp laughs
-
_xor
Your line reminds me of that classic joke: "Everyone laughed at me when I told them I wanted to be a stand-up comedian. Well guess what? They're not laughing now!"
-
_xor
Hmm, I wonder how "exact" these versions have to match. I want to give blued a go, but I need to patch ng_hci.so first.
-
mason
_xor: Back when CVS roamed the earth, the BSDs embedded RCS IDs and similar in strings at the top of files for just your purpose. Shame it's not still done.
-
_xor
I wonder why it was removed.
-
meena
i really wish we had tags for each release and each patch
-
eoli3n
Hi
-
eoli3n
i had a strange behaviour this morning
-
eoli3n
i configured dma with a gmail account a few months ago to get mails from my server
-
eoli3n
as i didn't set up 2fa, google blocked my account
-
eoli3n
i solved this and mails worked again
-
eoli3n
but this morning, I received a mail from dma, which said that smtp authentication failed
-
eoli3n
from root@myserver
-
eoli3n
and not the gmail account
-
eoli3n
can dma deliver mails live postfix without external account ?
-
eoli3n
s/live/like
-
lavaball
where can i read up on what kind of file/partition encryption you have? do you use bioctl like openbsd? can i select encryption stuff like with cryptsetup in linux? do you have pledge and veil like openbsd? Also what filesystems are supported? sorry for the dumb questions. i'm trying to set up a backup storage box, and i was already set on linux, but now i'm thinking maybe i should try this freebsd instead.
-
steew
-
VimDiesel
Title: Chapter 18. Storage | FreeBSD Documentation Portal
-
steew
no, we do not have pledge and unveil, but we have capsicum if you want to read on that
-
steew
Read also sections 19,20,21 regarding file systems
-
» debdrup notes that pledge still lets execve() escape the sandbox.
-
debdrup
And it seems to be an issue they WONTFIX, because it's by design?
-
debdrup
GEOM and GBDE are the encryptions traditionally used in FreeBSD, although ZFS has native encryption there's some indications it is to be avoided at present.
-
debdrup
Well, there's more closed items on
docs.google.com/spreadsheets/d/1OfR…DGK6swwBZXgXwdCPKgp4SbPZwTexCg/view now than there were before, so that's good.
-
VimDiesel
Title: OpenZFS open encryption bugs (public RO) - Google Sheets
-
debdrup
Sorry, I meant GELI, not GEOM.
-
debdrup
GELI and GBDE are both options that're part of GEOM.
-
debdrup
In addition to Capsicum, we also have jails and the MAC framework, both of which can be used to lock down a process, as well as whole-system auditing using OpenBSM.
-
debdrup
Capsicum, jails, and MAC can all be used in conjunction (and you can also add securelevel on top of that, although that exists in the other BSDs too).
-
debdrup
The filesystem firewall that can be implemented via MAC isn't super well-known, but it's incredibly powerful.
-
debdrup
The MAC framework is kinda interesting in and of itself, and if there's someone who needs something to do, I recommend reading
docs.freebsd.org/en/books/arch-handbook/mac
-
VimDiesel
Title: Chapter 6. The TrustedBSD MAC Framework | FreeBSD Documentation Portal
-
debdrup
-
VimDiesel
Title: Chapter 16. Mandatory Access Control | FreeBSD Documentation Portal
-
debdrup
s/encryptions/data encryption methods/
-
lavaball
steew, thanks a bunch.
-
lavaball
this all looks very nice, with the zfs and the pf. would you recommend using freebsd as an encrypted file server thingy or is there a better solution?
-
shiroyasha
lavaball: Not FreeBSD specific, but you can check out Ceph as well, if only for comparing options.
-
lavaball
never heard of it. wasn't that the end boss of street fighter 4?
-
lavaball
i don't see anything about bsd there. just linux platforms and that the kernel should be newer.
-
lavaball
this ceph seems a bit much for my use case. thanks though.
-
nacelle
the pf isn't the pf you know from openbsd
-
nacelle
(it's similar and has the same root, but it hasn't been the same for a while)
-
lavaball
similar enough. i'll figure it out. thanks though.
-
lavaball
oh, do you have bind mounts?
-
rtprio
lavaball: are those for overlaying filesystems?
-
rwp
In the Linux kernel a "mount -o bind /home /mnt/home" will overlay the first onto the second, often used to make directories available inside a chroot and other purposes.
-
lavaball
yeah. i looked around. openbsd really has nothing, but you guys have the null_fs option.
-
lavaball
or nullfs. something with 0.
-
lavaball
how is the kernel doing security wise? i just saw some guy on youtube talking about the three big BSDs and openbsd people were the only ones fixing the bugs consistently. no offense, obviously. or wait, no: asking for a friend.
-
rtprio
yep, we try to put all the bugs in freebsd that we can
-
rtprio
because it makes freebsd faster
-
lavaball
i was hoping for something along the lines of: "wasn't that the 'all bsd equal' talk? we saw that. things have picked up since then".
-
rtprio
i'm not sure what bugs you're talking about
-
Demosthenex
anyone using puppet, and finding that manifests just die because if you're not online the package calls all fail trying to update?
-
rtprio
Demosthenex: yes, the pkg provider gets touchy when offline
-
meena
Demosthenex: you can maybe tell it not to update
-
meena
but I don't remember if or how
-
Demosthenex
meena: i was trying to find a way
-
Demosthenex
hadn't seen any docs yet, i'll read the module tomorrow
-
koobs
moin
-
llua
Demosthenex: use a fact to determine if you can reach them or the "internet" and when you can't, don't declare those resources