00:19:42 Not that I know of.
00:19:55 (There's a lot I don't know.)
01:45:33 what is the correct way to add a unionfs (with -o below) mount to fstab?
01:54:56 This doesn't work with fstab: "/mnt/poudriere/data/archive /var/ftp/pub/FreeBSD/pkg unionfs late,below 0 0"
02:52:17 what's the last version of freebsd?
03:01:21 warsoul: https://www.freebsd.org/releases/
03:01:22 Title: Release Information | The FreeBSD Project
03:17:55 tuaris: i think you will need another option such as rw
03:18:24 it's just a peculiarity of fstab i guess
04:00:46 Mount things manually the way you need, then run: mount -p | grep unionfs >> /etc/fstab
04:31:09 does anyone here use capsicumizer to sandbox firefox? wondering if anyone already has a configuration file that whitelists all of the paths that FF needs to function properly
05:00:15 tm512, what is that?
05:03:30 sfox, It's similar to AppArmor. https://github.com/valpackett/capsicumizer You can read an overview of it here: https://freebsdfoundation.org/wp-content/uploads/2019/11/Capsicum-Update-2019.pdf
05:03:31 Title: GitHub - valpackett/capsicumizer: Run anything (like full blown GTK apps) under Capsicum
05:12:36 What was the default window manager in FreeBSD called again? fvwm or twm?
05:13:57 remiliascarlet: pretty sure X11 ships with twm
05:14:19 Ah yeah, thanks.
05:15:25 but it is not the FreeBSD default window manager, as there is no such thing. twm is part of X11
05:16:22 Yeah, I meant "whatever ships with X11". I was still in OpenBSD mode, which ships 3 different window managers out of the box.
05:19:14 I'm wondering just how much capsicumizer would actually help because it wouldn't prevent an exploited browser process from reading anything it wants out of ~/.{cache/,}mozilla for instance
05:19:20 like website login tokens
05:19:32 remiliascarlet, freebsd ships with twm. netbsd ships with ctwm
05:20:16 whereas if FF were actually programmed to properly use capsicum it could leverage much finer-grained control over which processes are allowed to access what
05:23:42 FF isn't even properly programmed to handle malloc() failing.
05:24:49 that seems like a lot to ask from a corporation more interested in virtue signalling and donating to non-tech related 'influencers' projects than working on improving their own software
05:25:29 not to mention leaving the BSDs in the dust when they switched to using rust
05:26:27 to further mitigate risk I'd have to like, manually separate out websites like keeping financial stuff in its own separate profile and having two (or more) different capsicumized FF instances blacklisted from each other's data, though that sounds like a pain in the ass
05:27:09 tm512, if you're really worried you could disable the cache
05:27:20 or disable javascript by default to reduce your attack surface
05:28:22 modern web browsers are kind of a lost cause though. It may be more useful to prevent an exploited browser from reading and writing to non-web-browser-related userdata.
05:28:53 the state of chromium is such that when malloc fails, I get warnings about it trying to execute opcodes which do not exist.
05:28:58 I don't know exactly how worried I should be. it's just a shame that browsers on FreeBSD lack such a basic security feature that they've had for years on Linux through stuff like seccomp
05:28:59 this is a topic for #freebsd-social
05:29:19 I believe that might mean it is executing non-program data
05:29:54 tm512, the state on Linux isn't that much better
05:30:22 angry_vincent: I'm specifically asking about FreeBSD-related software, not really socializing
05:30:40 this is not FreeBSD-related software
05:33:08 how to best secure a browser on FreeBSD, particularly through imposing capsicum on it, or perhaps using jails, is inherently FreeBSD-related. I've never seen anyone ever suggest that talking about FreeBSD is off-topic for this channel
05:33:27 browsers are not related
05:34:13 moreover browser devs are perhaps even less interested in FreeBSD at all
05:34:37 especially chromium
05:35:14 you can run a browser in a jail, this is true.
05:35:36 maybe, it is the most secure one can get
05:37:07 considering browsers are software that can be run on FreeBSD and have security issues on FreeBSD specifically, discussing those issues and how to best address them seems so clearly on-topic for this channel that I'm not even interested in bickering with you regarding this anymore
05:38:01 never seen anyone get chastised in this channel for discussing real-world use of FreeBSD, never seen anyone chastised for talking about anything outside of the base system
05:45:49 "best secure a browser" Are you talking about Lynx?
05:50:30 A browser that ships with a ton of spyware by default, has a billion lines of code, and takes ages to compile is not what I can consider "secure".
05:57:36 the problem is that on FreeBSD, every single browser process has unrestricted access to everything my user has access to, whereas on the "Big 3" this is not the case, because browsers care enough to write OS-specific sandboxing backends for those OSes
05:58:13 I guess OpenBSD + chromium is the exception for sandboxed browsers on the BSDs, because chromium has support for unveil
05:59:12 but that would require me to run both OpenBSD and chromium, neither of which are my preference
06:06:50 I'm probably going to see if capsicumizer works with Firefox, if not, I'll stick with this other route of running it in a separate user and granting that user access to my X server, and adding my main user to that separate user's group, but I ran into some annoying permissions issues with files downloaded into /tmp
06:12:09 Maybe consider chmod 600'ing important files and directories.
06:21:23 doesn't really help if a compromised browser is running as the user that has access, though running the browser as a separate user and not providing that user access to my main user's home directory does basically solve that issue
06:23:40 are you still paranoid about your desktop browser?
06:24:15 The alternative is to just use Lynx for your daily browsing.
06:24:36 Or Netsurf if it has to be graphical.
06:24:39 why would anyone want to target a freebsd desktop, with what, like .001% of the browser market
06:26:21 if you're really that paranoid, then don't run a browser on your computer, or run it in a VM that's reset to a pristine state each time, with none of your personal files
06:27:09 but it sounds like you're sure making a lot of work or inconvenience for yourself
06:28:21 I dunno how much of this would have to be tailored for FreeBSD specifically, don't really know the internals of Firefox. also dunno how I feel about being called paranoid for wanting a fraction of the security that I've had on Linux for years and just take for granted
06:29:11 The most balanced way would be to just deactivate all the spyware, install uBlock Origin to make webpages more sane and secure, and install Dark Reader to make websites easier on your eyes, and just leave it at that.
06:29:55 And disable Javascript by default to mitigate 99% of all possible browser exploits.
06:33:39 uBlock Origin is already a given. on the very rare occasion I use a browser without installing it right away, I just end up shocked by how unusable the web is without it. as for something like NoScript, eh, what I'm worried is going to happen is that I get so annoyed by constantly needing to whitelist javascript that I just end up feeling like it's not worth the effort
06:34:07 No need for NoScript.
06:34:26 uBlock Origin has a Javascript on/off toggle built-in that works just fine.
06:34:46 that's like exactly my experience with trying to use duckduckgo several years back. it gave such useless search results on such a consistent basis, forcing me to go to google over and over again, eventually it just ended up not being worth the hassle
06:35:10 Because DuckDuckGo is broken by design.
06:36:05 I can recommend a decent SearXNG instance, which'll use both and many other engines without the need to have JS enabled.
06:36:18 from what I hear, nowadays they just scrape Bing search results. maybe better than what it used to be, but still
06:37:16 I've heard decent things about searx, as long as you can find a trusted instance
06:37:54 https://opnxng.com/ This one has never failed for me thus far.
06:37:55 Title: searxng
06:38:55 I do recommend you set HTTP method to "GET" if you intend on setting it as the default search engine.
06:40:13 I still use DuckDuckGo for image search, because SearXNG still doesn't have all the useful features found in the big search engines for some reason.
06:42:33 as you say, you don't understand firefox internals, what do you think a sandbox of sorts protects you against
06:44:39 from what I do understand of how the sandboxing works, it prevents each browser process from accessing any files other than those it's directly concerned with, like that specific website's cookies, cache, etc
06:45:42 so have you raised this issue with firefox?
06:46:21 there's already a ticket on their bug tracker regarding capsicum support, with work apparently abandoned
06:48:30 ok then
06:50:10 specifically, https://bugzilla.mozilla.org/show_bug.cgi?id=1607980
06:50:11 Title: 1607980 - Implement sandboxing on FreeBSD with Capsicum
06:51:58 anybody got twitch.tv working in a browser on FreeBSD?
06:53:29 as for the whole thing about inconvenience, I'm specifically trying to find the solution that gives the most security as transparently as possible, like the solution I arrived at currently is having a shell script just called "firefox" higher up in my path than the actual binary, and that shell script launches firefox as another user, granting that user X11 privs before launching, and revoking them after
06:53:35 FF closes
06:53:46 dch: works here
06:53:52 dch: twitch doesn't already just work?
06:54:42 nope, login reports "Your browser is not currently supported. Please use a recommended browser or learn more here."
06:54:59 has done for a long time, IIRC. I used to watch code streamers a fair bit.
06:55:09 doesn't work in ungoogled-chromium, nor vanilla firefox
06:55:30 la_mettrie: what browser, and do you have to do any user agent hacking?
06:55:44 as a hunch, do you have H.264 support built in to ffmpeg?
06:56:02 I just have whatever comes from pkg.freebsd.org
06:56:02 dch: firefox 122.0, i don't recall doing any agent hacking
06:56:04 albeit on current
06:56:36 I seem to recall that error message showing up when I was trying to get Linux set up on my friend's laptop recently, and it was because OpenSUSE does not package ffmpeg with patented codecs
06:56:46 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0
06:56:55 is my UA according to firefox
06:57:14 hmm well here on 14-STABLE with the packages, H.264 was working just fine on youtube at least
06:58:30 looks like by default, ffmpeg has OpenH264 off and x264 on, as one would expect.
06:58:50 If it were to read "FreeBSD" instead of "Linux", more websites made by complete amateurs would probably display a "this system or browser is unsupported" message, which they do because they don't know how to make websites correctly.
06:59:06 x264 is an encoder library, I don't think it has a decoder, libavcodec has its own
06:59:16 la_mettrie: if you can, what's your user agent?
06:59:27 dch: ffmpeg -decoders | grep h264
07:02:00 also, whether the browser is trying to leverage hardware accel and failing might have something to do with the issue? though, I'd really expect it to seamlessly fall back to software
07:02:32 dch: 42e5f1a60d9445aba3650b7261c0a5f5
07:02:37 yeah this is a box that can play youtube video etc without issue
07:03:28 la_mettrie: what's that? I'd expected something like 'Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0'
07:04:40 dch: Mozilla/5.0 (X11; FreeBSD amd64; rv:122.0) Gecko/20100101 Firefox/122.0
07:04:53 huh and it works OOTB
07:05:23 la_mettrie: thanks! that's very weird, it's the same as mine, albeit I'm +1 firefox version, which makes no difference
07:06:06 maybe it's our DNS blocking... nope not that either
07:06:46 just a fresh install of firefox on this laptop I'm setting up has twitch working out of the box
07:06:54 twitch works for me too in ff 123
07:08:27 yeah, FF 123 here as well for what it's worth
07:08:31 thanks for the testing!
07:08:35 what I see here is this:
07:09:21 I don't have any hardware decoding available though, according to about:support
07:09:34 I guess I have to install the AMD libva drivers first
07:09:57 fails with 400: POST https://passport.twitch.tv/integrity
07:10:10 I will scrounge up a 14.0-RELEASE and see if it works
07:13:45 nope neither
07:26:04 not even with a fresh profile
07:26:17 it looks like this integrity check fails with 400, and other people report the same issue
07:28:50 the whole passport.twitch.tv thing reminds me of this issue where I couldn't log in to twitch from FF (on Linux) at all for like a month and had to use chromium. I may be getting details confused, though
07:29:11 the site still worked, I think it was just the login that was broken
07:31:07 https://www.reddit.com/r/Twitch/comments/xmwj76/something_went_wrong_please_try_again_firefox/ ctrl-F "passport" and yeah, I wasn't misremembering
07:36:22 dch: one commenter in this thread was recommending setting network.http.referer.XOriginPolicy to 1 in about:config, though this is a pretty old thread
07:37:21 and it seems like the concrete solutions that people propose in this thread work for some and not others
07:56:48 tm512: mmm, that's the default, so my `firefox --profile $(mktemp -d -t firefox) &` has it
07:56:49 wow
07:57:42 twitch's CSP is crazy: allows recaptcha.net (IIRC google), facebook, cloudflare cdn, googleapis.com, bootstrapcdn, authy.com
07:57:47 that's basically everybody
09:04:03 so I installed mesa's VDPAU drivers, as well as the libva VDPAU wrapper, still don't get hardware codec support in firefox :|
09:05:58 this is a Vega 8 iGPU, with Video Core Next 1.0, so it should have decoders for up to VP9
09:11:47 I'll try to inspect further with vainfo, dunno if I will get around to that tonight though. I really don't have much experience with AMD's stuff, and never used VDPAU
13:04:34 hi. i'm having big problems with running win 10 on bhyve. it keeps exiting with error 137. evidently it means out of memory
13:08:48 i tried with all kinds of memory wired to the vm, 4g/8g/12g, and it's always the same. host has 16gb ram. i reduced zfs arc to 2gb
13:09:00 usually stops within a few hours to a couple of days
13:09:13 download more ram ?
13:09:29 :p
13:09:42 if i can't run a 4gb vm on 16gb ram, something is wrong, no?
13:10:04 depends what else the host is doing
13:10:16 what is returning "error 137" ?
13:10:17 supposed to be doing nothing at all
13:10:33 Feb 26 14:40:42: bhyve exited with status 137
13:13:37 i'm monitoring top now, just restarted the vm, gonna see if i see anything suspicious
13:13:51 so far it's 7gb free mem
13:14:29 vm seems to be creeping up in mem use tho
13:14:49 bhyve that is
13:19:02 not sure how the oom killer works :/
13:24:31 it kills things it does not like ;)
13:46:31 yea bhyve keeps allocating memory. it's up to 9.5gb now
13:52:17 11gb now :/ what amount of memory should i expect bhyve to use?
14:33:28 the limit you set in your config
14:37:12 not sure you're following :p
14:37:43 i've set 4gb on the vm. but bhyve is using 11.3gb
14:38:06 and rising
14:47:49 you mean you have set 4GB on the guest?
14:47:58 or 4GB in the bhyve conf?
14:54:42 i haven't found any setting that regulates bhyve memory usage
15:30:53 i'm starting to suspect a pci passthru bug
15:42:02 I would assume bhyve to have a small constant overhead in addition to the guest memory size specified via -m, reads like a bug somewhere to me
15:48:28 rebooted host and all is normal
15:48:48 noticed before i rebooted that the vm ethernet was down, passthru not working anymore
15:49:00 it's happened before. need to find out what causes it
16:05:16 I have a service written in golang daemonized with /usr/sbin/daemon. I just noticed that it seems to be 2-3x faster if I just leave it running in tmux rather than using daemon. What might cause this weird behaviour? are there any known issues with daemon and go concurrency?
16:11:40 you probably would want to profile it to see where the time is spent...
18:40:24 Is it somehow not possible to do DHCP and assign a static IP alias to an interface? I can't seem to get that to work on 14.0
18:42:18 you want a static IP and the one DHCP gives you?
19:18:11 nimaje, yes
20:07:25 Hi all. Does the ThinkPad UltraBase 3 Dock run on FreeBSD?
20:14:47 does that need some special operating system support? shouldn't that just look like generic hardware to the OS?
20:32:48 nimaje, yes, it is, but all users on different devices work in different ways. Maybe someone has experience specifically with this device ...
20:55:13 morning
20:57:33 I need someone with freebsd 13 and dig (from dns/bind-tools) installed to test something for me real quick, run this command: "dig @9.9.9.9 cname id.server.on.quad9.net +tls" and tell me if it works or not, I suspect freebsd 13 will not work and freebsd 14 will work but I would like confirmation
21:02:13 by "work" I mean the dig command returns the lookup results as normal, "not work" is either a timeout or no output at all from dig
21:02:14 tykling: https://www.le-fay.org/tmp/30d/dig.txt
21:02:48 both work! thank you very much lw
21:02:58 the plot thickens
21:05:06 lw: does it work consistently on 13 if you try a few times in a row?
21:05:11 just 2-3 times?
21:08:02 tykling: https://www.le-fay.org/tmp/30d/LkOSFy.txt
21:08:49 thanks again!
21:09:24 much appreciated :)