00:24:52 Lovis_IX, 13.2-RELEASE is available already through the mirrors
00:25:06 $ uname -a
00:25:07 FreeBSD mercury 13.2-RELEASE FreeBSD 13.2-RELEASE releng/13.2-n254617-525ecfdad597 GENERIC amd64
00:44:11 hey, bsdinstall chokes on distextract with "can't create 'root/.profile'", but i can create that file manually in /mnt/root/.profile
00:44:27 what gives? is there a more verbose log somewhere, than /tmp/bsdinstall_log
00:44:30 Mercury is a hot name for a computer, RoyalYork
00:44:51 iswydt
00:45:20 ixmpp: no, you don't
00:45:29 I like it, nothing more, nothing less
00:47:08 Reinhilde, you think mercury is hot, wait till you checkout VENUS on my lan
00:48:14 atmosphere of acid
00:48:46 relevant...
00:48:59 uh?
00:52:36 aha, did it manually, cross-device link...
01:29:47 hello
01:29:54 how do I upgrade to version 13.2?
01:30:56 nevermind I found the answer
01:33:19 At least on update2.freebsd.org, 13.2-RELEASE is already available, so if you want to try something fancy, just be aware `freebsd-update -r 13.2-RELEASE upgrade` works fine.
01:34:19 yes it's working sorry about the question I found a link online with the answer, thank you..
01:35:24 Release notes are also already published, even if not linked: https://www.freebsd.org/releases/13.2R/relnotes/
01:35:25 Title: FreeBSD 13.2-RELEASE Release Notes | The FreeBSD Project
01:39:13 ok thank you
01:42:40 RIP OPIE
01:43:37 also RIP DSL
01:51:23 my memory is hazy, can i have nfs exports rw for one host, and ro for another subnet? can i just chain together -r[ow] -network -mask as many times as i need on one line?
01:54:29 Reinhilde: I think last time I played with OPIE was 2011
01:54:54 I think i'd it deployed on some systems as late as '20?
01:55:03 but yeah reading the notes I was like snif one weird OTP less (OK with SSH keys proper management we don't need that anymore...)
01:55:59 it seemed like it could be cool when i used a sketchy internet cafe full of spyware in 2005
01:56:03 but in practice ... yeah
01:57:35 there was also a Python 2 implementation, https://code.google.com/archive/p/orthrus/
01:58:14 hmmm it's documented to be a regular PAM module in C
01:59:34 site_scons/site_tools/hashfile.py ok the Python dependency was pretty minor
02:01:19 There is also a security/opie port
02:47:58 https://www.redmine.org/projects/redmine/wiki/RedmineInstall <-- any one have time to help me to install it to zero, i can't arrive since one month
02:48:00 Title: RedmineInstall - Redmine
03:25:41 fusefs-lkl is such an awesome project
06:53:55 does the Fdn have a legal retainer?
07:10:13 What the hell is a "Fdn"?
07:23:04 foundation
07:30:34 what is a legal retainer?
07:31:34 I see. So "FreeBSD Foundation"
07:40:37 meena: a lawyer kept on standby
08:30:45 listening to last week's BSD Now, been busy watching demoparties over easter
08:32:17 Happy Easter!
08:38:24 ox1eef_: same to you
09:06:29 RoyalYork: ok thanks, I just have to be patient.
09:16:02 i am strangely excited over all the bugs zlei is finding in if_bridge(4) and epair(4): https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270559#c10
09:16:04 Title: 270559 – if_bridge: does not forward packets properly for vlan 1
09:24:38 When it comes to FreeBSD and nginx&php 8.x performance, what CPU would you prefer for building a server? Intel Xeon Gold 6312U - 24c/48t - 2.4 GHz/3.6 GHz - or AMD Epyc 7413 - 24c/48t - 2.65 GHz/3.6 GHz? And why? Thanks a lot.
09:26:26 performance depends on the workload
09:26:49 more than anything else
09:26:52 I would always choose AMD over Intel. Because Intel have had too many security issues with their chips lately. I can't speak to Intel Xeon, but that would be my first thoughts going into it.
09:28:22 meena: Well, a busy Wordpress website with big PDF files (>20 MB per each).. Maria-DB running behind, as well, on the same server.
09:28:28 they also so disgustingly stupid about cpu instructions
09:28:38 heh i personally prefer AMD for more insidious reasons.. AMD hasn't been proven to have put an NSA backdoor into their CPUs, unlike Intel..
09:40:21 if I do a freebsd-update fetch followed by a freebsd-update install and then reboot should uname -a return the new patched version, I am not seeing freebsd13.0 RELEASE p7 but p6 however freebsd version shows p7
09:46:45 freebsd-version -ru
09:46:56 There's the kernel version, and the userland version.
09:47:36 If you're up to date, -r should return p6, and -u should return p7.
09:48:19 tercaL: so then the question isn't just CPU, it's also about RAM and storage (size, speed and latencies)
09:48:40 cheers
09:48:52 No worries.
09:54:04 tercaL: You have three applications (nginx, php, and mariadb) doing three different things. WordPress will be CPU and RAM bound, MariaDB will be RAM and disk bound, and nginx will hopefully just be bandwidth bound and disk bound (you can flip that towards CPU, RAM *and* Disk bound if you disregard caching…)
09:56:55 ah, yeah, next one https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270736 !
09:56:58 Title: 270736 – if_epair(4): Unexpected double tagged ICMP requests
10:00:17 and, BTW, these are just my (educated) guesses as to where which application will have their bottleneck.
10:13:29 meena: Important details. Thanks a lot.. Should read and research further on all these.
10:21:01 5hr30 minute uptime of trying to speedrun configure my system before my wife starts yelling at me
10:46:50 tercaL: first find out where the bottleneck(s) is right now, and figure out if scaling vertically (getting bigger Hardware) is cheaper than scaling horizontally (spreading the components onto smaller more specialised machines)
14:54:08 ls
14:54:11 oops
14:56:07 /lib /etc /root /sbin /bin /lib
15:04:50 lmao
15:08:56 ha!
15:09:07 at least it wasn't a login pass this time
15:15:35 passwd:
15:15:38 :-)
15:30:21 is there a guide for recommended options to secure FreeBSD ? I've read https://man.freebsd.org/cgi/man.cgi?security but towards the bottom there's like 20 sysctl variables and I'm unsure if I should touch them
15:30:23 Title: security
15:30:47 stuff like: security.bsd.conservative_signals
15:32:47 it depends on your threat model
15:33:07 there's an entire industry built around this, it's impossible to sum up in a single article.
15:34:30 Just because you think that "they" are not out to get you does not mean that "they" are not out to get you.
15:34:38 😎
15:38:42 I want the best combo of options to make my server the most secure possible :)
15:38:49 I'll enable them all and see if anything breaks
15:39:11 well, the good news is that if you enable MAC without understanding things, you will break things.
15:39:28 that's generally how security systems work.
15:44:21 last1: Why not start with to only enable the services that you really need. Once you have done that you can rate limit connections to those services with pf.
15:44:44 That will give most people that just brute force a hard time
15:45:29 You can then move on to run "nasty" things like IRC-clients in jails so that when, not if, they get hacked you can just discard the jail and start over without a lot of hassle.
15:46:03 you should, at minimum, run everything in a jail.
15:46:27 "everything" :-)
15:57:13 last1: another good thing to do, at least in my opinion, is to install a monitoring software like "monit" on your system and use it to send push notifications via "pushover.net" or similar to your mobile if files change checksum, processes die or there are not security patches available for your system.
15:57:48 last1: Security is more about being engaged instead of putting in much effort in to a single effort.
16:03:23 last1: sudo rkhunter --check --report-warnings-only --pkgmgr BSDng
16:04:14 there is so much "fun" things to do once you have a machine that is directly connected to the internet.
16:04:34 Whatever you do, do not start to use an IDS, that will get you paranoid.
16:57:56 hi im having trouble getting cuse to work. the module loads without errors and i can see it in kldstat but every time a program tries to interface with it i get an error. i wrote a little test program to see which error i'm getting and it seems to be CUSE_ERR_INVALID for both init and uninit, signifying that /dev/cuse can't be opened for rw. i cant find anything about this online, does anyone else have any ideas?
16:59:16 here's the program in case i did anything wrong during testing: https://termbin.com/q1g2
17:14:40 Zenithium: what's the ownership of /dev/cuse look like?
17:15:11 meena: crw------- 1 root operator 0x4 Apr 10 18:46 /dev/cuse
17:15:11
17:28:39 Zenithium: my gut feeling tells me that should belong to group cuse, and be rw for that group
17:30:31 meena: maybe, but i tried to `chmod +rw /dev/cuse` and after that `cat /dev/cuse` returns `cat: /dev/cuse: Device not configured`. so idk if it would make a difference
17:33:54 thorre: thanks for the advice!
17:34:18 hello everyone how can I debug xfce-panel ?
17:34:20 my biggest worry is crap applications that I *have* to allow like wordpress
17:34:34 it seems they find 0-day exploits for it every other day
17:44:43 for example, looking at this option: hw.mds_disable : amd64 and i386. Controls Microarchitectural Data Sampling hardware information leak mitigation.
17:44:56 is this still relevant, if so, is it just for physical machines or also vms ?
18:24:24 https://vez.mrsk.me/freebsd-defaults.html
18:24:25 Title: FreeBSD - a lesson in poor defaults
18:24:37 this guy doesn't seem to like the FreeBSD defaults too much
18:27:28 imagine how long that would have been if talking about a linux distro
18:38:24 imagine how long it would be if it actually took the claims of security seriously
18:39:20 it'd have to cover jails, MAC, securelevel, capsicum, firewalling, and probably a bunch of things i'm forgetting because i haven't been in infosec in about a decade
18:39:37 oh wait, most of those are covered in the handbook
20:47:08 trying to change randompid: sysctl -w kern.randompid=1 => kern.randompid: 0 -> 0
20:47:29 I also tried putting it in /etc/sysctl.conf but it's still on 0
21:41:41 well, wordpress is not a good idea indeed
21:42:23 maybe we will see some kind of automatized 0day testing for wordpress
21:43:48 fuzzing by generative model?
22:07:18 last1: that's weird, what version? (BTW, -w is no-op for like 20+ years)
22:28:35 Don't think I came across https://vez.mrsk.me/freebsd-defaults.html before. He/She must be an OpenBSD developer
22:28:36 Title: FreeBSD - a lesson in poor defaults
22:29:35 puffi: correct, he is (was?) an OpenBSD docs dev
22:29:47 Just joined the channel again a few minutes ago, so I may be missing context
22:31:12 yuripv: I guess I must have been using FreeBSD a long time :)
22:34:09 xtile: I think it came from discussion around hardening to prevent wordpress 0-day exploits
22:34:39 yes, I am the one that started this thread, in trying to harden up the base system
22:36:32 It didn't come across as someone who just wanted to provide advice on hardening. More Theo light rant
22:39:00 I don't know the guy, was just googling for advice
23:28:47 wasn't there in FreeBSD some file in /var or somewhere that holds old/stale rpc/nfs info ?
23:28:50 like old mounts or something ?
23:43:44 is there a quick way to upgrade to current now that up.bsd.lv is out of commission?
23:50:43 every time i run freebsd-update, i get flashbacks to Solaris