spork_css: If on desktop use NoScript and ddg will not scroll.

I hate that too, would much rather click through pages I could go back through easily.

It's rare for the thing I need to not be within the first dozen hits so I'm not sure if I see infinite scrolling or not.

anyone running ceph on freebsd? I see it's available and working, but I'd like to know are there performance considerations to be aware of vs a linux based system?

vs a linux based ceph cluster that is. I may have to just build both out on the same hardware and do some performance testing to see.

nevermind, I'll just do that.

Sadly, much of the web relies on only javascript to function. And as a result of it, much of it is infested with (google) analytics backends too.

so add it to your ublock

I think ublock already does that very well. But unfortunately, that doesn't solve the "fingerprinting" issue though. The best way to do that is to turn off javascript completely. But if you do that, much of the web becomes broken. Also, adding browser extensions (such as ublock) only makes your fingerprint more unique. The more you add, the more you will stand out. Thus you will still be tracked across the web to some high degree of accuracy. Granted, there

are special ways to block fingerprinting but doing so makes the browsing UX more painful imo. Anyway sorry about my offtopic, I'll let it go now.

kenrap: yep. it's not actually paranoia if they actually are after you

Sigh...

Hmm, in regards to using CURRENT, would this commit be a good reason to do an upgrade? cgit.freebsd.org/src/commit/?id=b37…f156ab9d88450e9bc0440df522aec88cc44

Title: src - FreeBSD source tree

are you now or have you ran current before?

"are you now, or have you ever been a member of the -CURRENT party?"

<rimshot> (sorry)

Hey guys, so bsd.to is still down?

Title: dpaste

I am wondering is it affiliated with FreeBSD.org or is it just a another random public website hosted by someone ?

dosn't seem down. not affiliated to my knowledge

JaskieMe: it's just a site set up by someone in the FreeBSD community.

Anything that isn't freebsd.org or on a subdomain is set up by a community member.

Anything on freebsd.org or a subdomain is run by the cluster admins.

CCFL_Man: labelclear is useful if you want to use the disk for a different pool in the future, without having to zero all of it (because the labels are stored in multiple places on-disk.

But I always get 500 error when I paste something

JaskieMe: bsd.to/Os6X/raw was created just now

The website itself is running and up, but pasting and get back a paste seems down

Title: Os6X

same. i just pasted something too

if you drop /raw at the end it won't open, which is supposed to present after you paste something.

maybe you found the 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X' of dpaste

CCFL_Man: as for IT mode, it's short for "initiator target" mode, and is traditionally used to pass disks through to an iSCSI initiator - however its function, in terms of the HBA, is to bypass any form of RAID functionality, which is desirable because ZFS has its own RAID functionality and also needs control over the disk cache behaviour (to ensure a flush whenever a transaction group is written to

disk).

JaskieMe: what are you trying to paste? Do you have javascript blocked?

freshbsd.org/freebsd/src/commit/b370ef156ab9 huh

Title: FreeBSD / src / b370ef1 / libthr: Patch to reduce latency to acquire+release a pthread mutex. - FreshBSD

I am just trying to paste a raw markdown text file. I paste all text in the box and click paste, it went to something like bsd.to/Os6X, which weill say Server Error (500). But if you apend /raw to the end of the address it opens

So I was wrong, the website is not down. It's just not working as expected I suppose

JaskieMe: not sure what to say; it's working fine for me in all the cases you've mentioned

well I am confused. but since I now know it works it's OK for me. Thanks

bsd.to/e3vn - random text just added

Title: dpaste/e3vn (Plain Text)

JaskieMe: if you're using a browser that supports different profiles, can you try creating a new one?

supports multiple profiles, I should say

seems like it's related to the markdown format. I pasted your text (xndsfk;lfkds;) as text it works, but Server Error (500) when I choose Markdown format

Tested in Firefox and Chrome browser, seem results

same results

JaskieMe, Yup, same 500 error with "Markdown" -- perhaps the backend is not enabled or broken

I remembered it used to work with markdown, that's why I thought it's down.

Ah

hey

so mac_bsdextended(4) is actually cool for rootless chroots and jails

but are there plans for something more advanced like firejail for linux?

for example, with ugidfw you can't set rules for individual files, only mount points

example use-case: unbound startup script creates device nodes inside the devfs mount. a firejail-like chroot would allow to ban all da* and ada* from unbound (even with high securelevel, it can access them in read-only mode)

and jails have the problem of not being rootless

I could make a rootless jail but there's no infrastructure for it

and if I actually wanted to extend mac_bsdextended(4), would somebody be willing to answer simple kernel programming questions?

I have no kernel-level programming experience

1. can a MAC module not worry about sleeping, having to hold locks in order to do something as simple as the kernel equivalent of realpath(3)

2. I know how to set up linux/windows cross toolchains, can I set one up for FreeBSD from Windows msys2/cygwin?

sthalik: by default, a jail doesn't have access to disk access devices

debdrup, in my opinion, rootles chroot + sysctl hardening is more secure than a rootful jail

chroot doesn't provide the kind of isolation that jails do

debdrup, yeah, but a script kitten can't execve /bin/sh or write a binary to be executed, or launch a script interpreter...

chroot was never designed for isolation, it was purely a way to build in a clean environment

is there infrastructure for making rootless jails easy?

jails, on the other hand, were explicitly designed for isolation

for example, replacing unbound chroot with a jail

rootless jail doesn't make sense, because jail was made to confine the root user

and you can't simply filter out uncommon syscalls with jails

which would be great

"confining the omnipotent root" is, both demonstrably and literally, the subtitle of the jail paper ;)

yeah right, but then you have stuff like docker or linoox namespaces and they have a ton of exploits on them

because they were never built for isolation to begin with

it's not like freebsd jails had zero cve's (they had a few)

sure, they had a few, but the design still informs the feature

i think there's been two jail escapes since 1999 when it was invented

so jail + rootless chroot inside the jail is better than a simple rootless chroot, then

what makes rootless chroot secure is the privilege separation though

you can get that without using chroot

daemon(8) to be specific

the daemon has to implement chrooting in itself, so that the chroot is rootless

otherwise it requires things like libraries, maybe even a dynamic linker

that's an entirely separate thing

can I show you some pastebin'd ugidfw rules?

you can statically compile something (or even use something interpreted) with daemon(8) to drop its privileges

it's been over a decade since i used ugidfw, so i'm probably fairly rusty, but sure

yeah, and then have to integrate compiling it into the static binary with ports, pkgng won't work with it

what?

Title: gist:827ffd0744b8da27af05951a2911030c · GitHub

with a setup that's not as involved as patching and building static binaries, it nicely integrates with upgrading via pkg(1)

as well as existing startup scripts for unbound, etc

note: nitter is launched through daemon(8)

so note that /var/tmp, /tmp et al. are all mounted noexec, nodev, etc.

doesn't WITH_STATIC exist anymore?

and there's some nullfs usage to enforce noexec et al. for temporary directories inside the chroots

pkg(1) is better to use for ssd-based systems and SoC's

but yeah, ports are more flexible

also a company with large infra can set up a pourdiere (sp?) instance, a smaller user technically can but it's overkill

i'm a company? :P

quite a few people run poudriere for their own package repos

I can't for the next few years, due to EU electricity soft-'rationing' and subsidies for low usage

it sounds like you have the best use-case for it, which is that you need a custom environment

debdrup, that's why mac_bsdextended should be more flexible

I'm Danish, we have the highest electricity cost in the world.

well, go extend mac_bsdextended then :3

but you have also more disposable income than CEE

us Danes, or me personally? because i'm on the absolutely minimum benefit because I got cancer in 2016 and haven't been able to work since due to chronic extreme exhaustion

anyway, this is getting off-topic

i don't think mac_bsdextended can do what you want, but if someone wanted to add that feature i don't see a problem with it

like i intimated before, i'm also not sure i see the usefulness of it if you combine mac_bsdextended with jails and daemon(8) for dropping privilege, but that's something i suspect we're going to have to agree to disagree on

debdrup, it's meant to provide defense in depth, imagine falling into a coma for 3 to 5 years or something, with the machines still running

I'm gonna look into mac_bsdextended soon

extneding it, that is'

sthalik: a machine can't be expected to run for 3-5 years in a modern threat landscape

debdrup, my Alix did

then your alix was probably vulnerable to a fair number of security exploits. ;)

went through errata, port errata, decided things don't apply for possible threat vectors

like, it wasn't running nfsd at all, so all nfs issues were ignored

mitigations were ignored when openssl and sshd implemented their own hardening, etc

but it really depends on the amount of services that are being provided

sure, but 3-5 years seems too long for nothing to have affected you

unless you happened to run into a coincidence of a period of time where that was just barely possible

my point is more that it's not something you can _rely_ on happening, only observe that it may have happened in the past.

I upgraded it once every 2 or so years but if I was in a coma for 3 years it's still unlikely that anything would've compromised it

agreed

i'm not sure i'd make that assumption.

but you can't rely on anything at all with modern, complex hardware

but then it gets too paranoid when you start considering things like hard disk firmware viruses

when i spent a few months dealing with cancer and for the first year or so after, i didn't assume my system was safe when i came back

that was like 18 months in total

I'm sorry, it must be hard to deal with

it wasn't great, but i'm in remission now

that's good

hey I need help with my sound. I only ever use headphones. clbin.com/7v8RY

I tried this in /boot/device.hints with no luck

hint.hdaa.0.cad1.nid33.config="as=0"

hint.hdaa.0.cad1.nid33.config="as=0 seq=15"

what should it be?

back

o/

Plasmoduck: did you try sysctl hw.snd.device_default = <device number from /dev/sndstat?

sysctl hw.snd.device_default = pcm1

sysctl: unknown oid 'hw.snd.device_default'

etc

Lovis_IX:

Plasmoduck: excuse me, it's sysctl hw.snd.default_unit

Lovis_IX: I don't think this is right

its saying the same thing

cat /dev/sndstat shows

pcm0: <Realtek ALC294 (Analog)> (play/rec) default

pcm1: <Realtek ALC294 (Front Analog)> (play/rec)

so I've tried sysctl hw.snd.default_unit = pcm0 and sysctl hw.snd.default_unit = pcm1

hw.snd.default_unit: 0

sysctl: unknown oid ''

sysctl: unknown oid 'pcm1'

I hate dealing with sound on FreeBSD it's terrible

why doesn't it just work properly like in Linux

it's crazy

I feel like audio and wifi are FreeBSD's biggest weakness

sysctl hw.snd.default_unit=0

no spaces around the =

which computer models have audio issues? (my thinkpad does not)

sysctl hw.snd.default_unit

sysctl hw.snd.default_unit=pcm1

sysctl: invalid integer 'pcm1'

=1 not pcm1

Okay nice that works

Now how to make it perminant>

should I just put that command in my .xinitrc?

hw.snd.default_unit=1 in sysctl.conf if you want to have it set system-wide on boot

thanks

brb

rebooting

hey, im planning to start building my own ports and submitting to the ports tree

would you recommend me to upgrade my system from 13.2 release to 14.0 current if i want to start porting programs to freebsd?

you might want a 14.0 VM, but you probably don't want to run on -current

i see... so itd be like 14-stable on bhyve then right

14 is still -current last I looked

i see

(it was supposed to be branched by now, but the switch to openssl 3.x and llvm16 has delayed things

i see

so i should then set up bhyve for a 14.0 vm then?

i've been building my 13.2 packages in poudriere through bare metal for a while already

how much RAM do you have?

16gb

planning to upgrade to 64gb but i wont do that before adressing my storage isuses first

then yes, set up a 14-current vm

cool! how much ram and space would i need

8gb of ram and enough space for whatever ports i want to build right (rn just one)

depends how impatient you are

does your port depend on anything substantial?

not really, its just a gemini browser

might pick up a few other ports but only if the gamini browser goes well

i cant help think that major companies might move back to freebsd because they want to sell both the product and service. Sony originally shipped the old Ps2 with GNU Linux software called other os. But Sony moved to FreeBSD for ps3/ps4/ps5. We've been conditioned that free is free instead now its free as a subscription

Though companies don't have to fully fork from FreeBSD to create their custom firmware OS. They could also cherry pick pieces from the kernel to integrate into their system, much like how Nintendo took from FreeBSD's network stack and integrated it into their own OS for the Switch.

companies will use whatever they *can* use. most of all, they like to already have engineers knowledgeable in the technology. you don't see many job listings for junior kernel engineer

I was only remarking on how companies can take pieces of FreeBSD rather than being a full derivative in order to give FreeBSD that "street cred". However companies want to allocate their business resources is their prerogative and not what I was talking about.

hi

is there any tool like debian unattended_upgrades to automate upgrade process and reboot when kernel upgrade ?

Hello

What is the difference between linux and bsd? I think, both use open source softwares.

easyme: Licensing, pacing, the place of tradition in planning.

easyme: camp Linux focuses on copyleft, camp BSD focuses on permissive licensing

In regards to pacing, Linux development is more chaotic and wild-west, BSD development is more structured and thoughtout.

Or are you asking about user-visible differences?

there are rather many differences between linux & BSDs. reading an article about it might be a good idea to get a complete picture

or historical roots?

the licensing issue is often given too much weight. it's just one aspect

eoli3n: i don't think so

eoli3n, if you're using binary updates, there's "freebsd-update cron" and "freebsd-update updatesready", but you still need to install manually.

eoli3n, Some do install phase themselves to avoid a reboot; look up on that to script that

ok thanks, then i'll script

Realize that "do install phase themselves" is not putting "freebsd-update install" in a script but create a new environment to extract the updates. As I have not been interested in that, have not closely looked at all the moving parts

That was neat - Vultr's default FreeBSD install uses UFS - using the "custom ISO" feature and feeding it 13.2-RELEASE and running the installer in VNC took me maybe all of 15 minutes.

For sh*ts and giggles, I also enabled GELI encryption. Might be a pain with upgrades (always have to get on the Vultr console to type the phrase), but the installer support for zfs/geli encryption is solid. Very easy setup.

spork_css: Heh, I just sent up a new FreeBSD box on Vultr a couple hours ago. Good day for it.

I just took their default install of it and upgraded.

upgraded to zfs?

:P

Nah, not enough memory to do that and run other stuff. Just updated everything.;

why is the default install UFS it seems so strange if you have more than two gigs of RAM

Only one gig on the one I got.

I guess if you're doing the cloud thing of destroying the machine every time you change anything, you don't need bectl, do UFS is good enough

Nah, I just make regular back-ups. No destruction imminent.

I need to destroy and rebuild this machine

but… i would just rather rebuild it as aarch64

aarch64 is such a gay name for arm holy shit

as soon as we boot in Hetzner, I'll do it

Derogatory language usage isn't generally acceptable here.

:D

I know pride month is over, but, did you know that the original arm architecture was developed by a trans woman?

what was his name?

!ops

nope.

hm, no such command

what was that supposed to do?

a failed attempt to summon the ops to kick and ban you

we'll get there, in the meantime, we'll put you on ignore 🤷🏻‍♀️

I am morally and intellectually stronger than you. There is no remedy against me

You can only ban me

what's the problem?

meena is just sperging out over "his" word

chud: Use of "gay" and "him" in ways intended to be hate speech.

yikes

oy vey

we don't like people hating to the gays and the transes, and not just because they are pillars of our community, but also… because it's mean, and we don't need that

maybe if you stopped worrying about such trivial matters apple would actually start funding your project

you could stop after "hating"

As a rust user I agree with meena, we have to be inclusive

i ain't hating though, i just thought aarch64 sounds kind of gay

you mean like happy?

i agree, aarch64 makes me happy

:)

now would be a good time to let this drop

yeah, yuripv is right, i could put lots of categories after, and it would never be exhaustive and people still find reasons to hate specific groups, and we don't need and don't want hate. it's not great for building community

aarch64 being gay would mean it is superior to amd64

anyway, yes. let's drop it

can't argue with that tbh chud

sounds like this conversation needs to goto #freebsd-social. #freebsd is basically a support channel for freebsd

drop(problem); 💪🏿💪🏿💪🏿

if this is tech support, i can't imagine how #freebsd-social looks like

anyways do you need any help with freebsd temp64?

curious, what's the most jails anyone has running?

over 9000

how many are there in the us?

9000???

wow

here i am proud of my 7

lol

heard black people get locked up there left and right

I know I run many jails at the domestic and federal level

markmcb: jails are pretty lightweight. it's easy to spawn a lot

try it out in a loop with /rescue as root

ooh, what's /rescue? another corner of the OS to explore

one huge static binary containing a lot of utilities

niggas legit reinvented busybox, i'm impressed

nice, seems pretty handy

Title: rescue(8)

meena: so if i understand correctly, i could config a lightweight jail with path = "/rescue"?

markmcb: lemme draw up a shell script

It was a great night, it was a Homocaust

Bona fide homocide, 50 lives lost

No Pulse, just Blood on the Dance Floor

Now the fags are more butthurt than before

 

Look here, a muslim walks into a bar

And orders shots for everybody, hardy har har

And he should've killed more but he was not a straight shooter

Almost makes you wanna cry like that bitch Anderson Cooper

 

It's a tragedy, too many faggots got away

So instead of Islam they're gonna die from AIDS

If survivors wanna feel guilty, that's their prerogative

inb4 a banning

meena@websrv2-hel1 ~> for j in (seq 1000) sudo -H jail -c persist ; end

markmcb: this took about ten seconds to execute

and about a minute to write, because I'm doing it on my mobile phone, which after 23:00 Turns black and white

meena: cool, I'll give that a whirl

A_Dragon: might be worth banning the /64

`<-- ╡ temp64 (~temp64@2a02:a314:8348:100:6e87:87c5:8ae1:7636) has quit (K-Lined)`.

heh

Thank you.

markmcb: jls now shows 1006 jails running, but since they're not doing anything, top is unaffected. all I've done is created 1000 additional process name spaces (which all map to the same file system name space (/rescue) and network name space (none))

i got my paste wrong

meena@websrv2-hel1 ~> for j in (seq 1000) sudo -H jail -c persist path=/rescue

end

very cool ... i have much to explore :)

like, jail -r

that works

A_Dragon: thanks for the assist

no problem, sorry for stepping on your channel

no, you were right to - i was in bed trying to fall asleep (unsuccessfully), so i wouldn't have noticed had i not gotten up