00:26:22 mmlj4: I have 2 (sometimes 3) freebsd hosts with vultr. 2 regularly sends mail; i’ve had no issues.
01:46:28 Good evening gentlemen
01:47:40 I'm trying to install FreeBSD on my Mac mini G4 but I can't connect to the network. "gem0: cannot reset transmitter" "gem0: cannot reset receiver". DHCP fails and I cannot download installation files from the mirror, etc.
01:47:54 Tried on 14.2 and 13.5, same behavior
01:50:27 Before anybody says "PowerPC is a Tier 2 platform" Yes, I am aware.
01:59:02 Can you pastebin the content of 'pciconf -lv' ?
02:37:21 CrtxReavr: https://pastebin.com/RdxeGYWi
03:07:42 cedar: i'm pretty sure you have to build a custom kernel with the hardware support, but maybe that was a intel mini that was for, i don't recall which specific, there was a page explaining what to do years ago
03:10:56 r0ni: https://bsd-hardware.info/?id=pci:106b-0032
03:11:02 seems to be supported... somewhat recently
03:11:35 https://forums.freebsd.org/threads/network-interface-not-working.95225/
03:11:41 Someone posted about this on the forums recently
03:21:01 huh well i've sadly not touched a ppc mac in over a decade, but my last g5 i did put fbsd on and it did all work then but that had to be like v11 or 12, maybe older
03:59:27 r0ni: i also tried on my G5, couldn't even get the installer to boot
03:59:47 powerpc64 should be a more supported platform though...
10:41:19 i'm setting up a fresh freebsd on a vps. somehow I can log in locally via serial console, but I can't SSH, it tells me password wrong, i'm very sure its right, even accounting for keyboard layouts etc
10:41:34 I have set up several freeBSDs before, and i'm kinda lost :D
10:41:46 yourfate: what does /var/log/auth.log say?
10:43:02 PAM Authentication error for root
10:43:06 from...
10:45:02 I'm just trying to get an ssh key in there somehow, so I can stop using the serial console :D
10:45:19 i'm very close to actually typing an ed25519 key into the serial console lol
10:45:33 did you enable PermitRootLogin in /etc/ssh/sshd_config? i think this might be disabled by default, although i wouldn't expect a PAM error from that
10:46:10 the permit root login line is commented
10:46:21 i'll change it and reboot, but I also doubt that's it
10:46:44 the default is no, so you should uncomment it and change it to yes, then restart sshd, no need to reboot
10:46:49 remember to change it back afterwards
10:47:26 same same
10:47:30 error wise
10:47:44 I have also changed the pw again, just to be extra sure
10:52:38 hmm I created a new user, with the same pw, and could log in
10:52:42 after that I could log in as root too.
10:52:57 I have now uploaded a key and disabled password auth
11:22:14 yourfate, Almost certainly the previous user was not in the wheel group but the new user is in wheel and can su.
11:22:56 I can now log in with root
11:23:00 which didn't work before
11:23:59 The ssh in as root is as ivy said, the default for PermitRootLogin is No.
11:31:40 I changed that
11:31:50 but it only worked after I created a new user for some reason
11:31:54 even tho I had restarted sshd
11:31:56 anyways, it works now
11:32:06 well, rn it doesn't, but that's b/c I hosed the network config
11:33:38 Computers are like cats. Subtle and quick to anger.
11:45:07 they sense weekness
11:45:10 weak
12:10:24 horses sense weakness too
12:10:36 you show it you're afraid, it will fuck w/ you
14:03:44 my Grandpa always said horses are dangerous in the front and back, and uncomfortable in between.
14:03:47 he's a Farmer.
14:05:16 Old proverb: Don't approach a goat from the front, a horse from the back, or a fool from any side.
14:10:42 ah, but a mule can kick in any direction
18:44:16 hmmm, anyone here run a freebsd server?
18:44:23 I have been looking at https://forums.freebsd.org/threads/unencrypted-usb-stick-for-booting-geli-encrypted-root-disk-with-ufs.96706/ to allow headless booting
18:44:35 but it seems to be a big workaround for it
18:44:51 so do most people run freebsd without FDE (server use)?
18:44:53 hmmm, anyone here run a freebsd server?
18:44:55 no
18:45:01 what's a server
18:45:09 alright dumb question I know
18:45:16 please dont kill me :P
18:45:35 I should have asked, does anyone run a freebsd server with FDE?
18:45:42 better >:)
18:45:57 FDE? Federal Dick Expansion?...
18:46:18 ivy in a trolling mood today?
18:46:24 Full Disk Encryption
18:46:27 a little, yes, but only because i know you can take it
18:46:32 but i also have no idea what "FDE" means
18:46:49 weird, I thought FDE was a well-used acronym
18:46:53 it is
18:47:36 i have never heard it before, but i try to avoid anything related to corporate IT, so take that how you will
18:49:25 right... you must also avoid security channels too then eh? >:)
18:49:27 polarian: but to provide a helpful (?) answer, if you want federal dick encryption for zfs etc., you probably want geli
18:49:40 this is, as far as i know, the only encryption system supported in the boot loader
18:49:42 I know how to do FDE, I use it on my laptop
18:49:46 problem is, its attended
18:49:52 and for servers, you dont want to attend the boot
18:49:59 (especially if I am off at EuroBSDCon)
18:50:17 well if your encryption is unattended what is the point of it?
18:50:32 anyway who steals your server can boot it and mount the filesystems
18:50:39 well for servers it helps to easier disposal of disks
18:50:41 s/anyway/anyone/
18:50:56 polarian: ah, in that case consider zfs native encryption
18:51:02 polarian: there is, to my knowledge, no good (meaning 100% secure) solution to this problem on any operating system
18:51:06 this used to be broken but it was recently fixed
18:51:11 hmm
18:51:26 how would zfs encryption be unattended
18:51:29 doesnt it still need a passphrase?
18:51:30 avoid native zfs encryption, it is shitty and buggy, use geli
18:51:51 (yeah I know about the zfs encryption bugginess --> is useful for per-user home encryption though)
18:51:57 polarian: it will be unattended if you want to mount /myCIAfilesystem and you store the keys in /etc/zfs/keys/cia.key
18:52:02 tykling: well I was looking at this https://forums.freebsd.org/threads/unencrypted-usb-stick-for-booting-geli-encrypted-root-disk-with-ufs.96706/
18:52:19 polarian: the "zfs encryption bugginess" is supposed to be fixed now which is the only reason i recommend it
18:52:20 polarian: you are just moving the problem
18:52:24 tykling: indeed I am
18:52:39 avoid native zfs encryption, it is shitty and buggy, use geli
18:52:42 I was thinking of also using a rpi as a terminal server and yeah but ugh idk
18:52:42 wrong
18:52:44 I cant decide tbh
18:52:58 tykling: the only known bug in zfs encryption is fixed
18:53:15 running unencrypted is the easiest choice, but also means I have to be more careful handing disks, and to properly destroy them
18:53:35 keyfile encryption can help shift the problem to a more easily destroyed medium
18:54:10 passphrase is obviously the best one, but requires attended boot + secure passphrases (and a lot of them) which inevitably means writing them down or storing them in a password manager, which adds another factor of security to consider
18:54:33 you need to sit down and think about your process and your threat model
18:55:09 because this question reminds me of everyone who is like "i want no one to be able to access my data but i never want to provide a key"
18:55:43 Linux security people all use TPM2 decryption which would link the disk encryption to the hardware, and then they lock the bootloader, but in many cases this can be bypassed as you jump a pin, flash the stock bios back to it and then you can load a os you control and decrypt the disks.
18:55:57 so there is no perfect way
18:56:08 of course not
18:56:14 ivy: I have thought about it for about 6 months and I still cant decide, so I am seeing what others do now >:)
18:56:17 copying peoples homework :P
18:56:55 im in a lot of security paranoid circles, but they are Linux focused, so obviously they shill TPM2 encryption, but even if I wanted to, FreeBSD doesnt have support for it (well actually I heard it does, but just not documented, if anyone knows more about this?)
18:57:07 but anyways TPM isn't ideal anyways
18:57:43 ivy: what do you do then?
18:59:34 what do i do what?
18:59:42 well, you should start with your threat modeling
19:00:31 if you're asking how do i secure my data there are so many answers to that depending on the data in question
19:00:52 e.g. ssh keys, i store those in my password manager, i forward them to certain specific hosts
19:01:22 movies i downloaded from bittorrent, i don't secure those at all, anyone on my network can download them via ftp, rsync, http, etc
19:03:03 nimaje: have done already, currently I dont FDE for this exact annoyance I am discussing right now, I self host so physical security is something I can do myself, but also they are in the open in a REDACTED place, which means anyone who enters my home could smuggle out a disk, so ideally I want to make it as difficult as possible to ensure family/visitors do not go tamper (family not too worried
19:03:05 about)
19:03:42 I am not going to be able to stop a full squad of armed police from raiding my home and decrypting my disks obviously, but I also dont want to make it as easy as snatching them and mounting them elsewhere
19:04:32 I mean, you can prevent that sort of thing with just a separate geli partition with zfs which you mount manually after boot, and have all the interesting data on that
19:04:52 I was also interested in keyfile a while back to harden a passphrase protected laptop, as when in public people can overlook you entering your passphrases, unlikely to be a problem, but it was an idea, but storing keyfile on a different device seems to be a difficult task so I just use passphrase
19:04:58 no one in that threat model is going to be backdooring your geli executables while you are out and about
19:05:51 evil geli maid
19:05:58 "there is, to my knowledge, no good (meaning 100% secure)" - basically any reference to "100% secure" as a meaningful bar for comparison negates any other point a person may have
19:06:14 oh thanks
19:06:26 hmmm
19:07:25 that brings up more issues though, services which store data on $encrypted_partition would then fail to start on boot, which means each boot you would need to ssh in and mount it, I guess you could write a "startservices.sh" script which onestart's all the services after decryption
19:07:43 its a good work around, but adds complexity
19:08:00 also you have the consideration of data leaks in logs (so possibly /var/log should be encrypted)
19:08:15 polarian: i am sorry but no one is going to give you a good answer when you ask technical but extremely basic questions like this
19:08:35 ivy: "technical but extremely basic" --> elaborate?
19:09:08 polarian: you ask questions from a technical point of view (e.g., talking about /var/log) but you seem to have no understanding of threat model as it relates to disk encryption
19:10:03 the best advice i can office is, on a desktop, buy a Mac, on a server, use geli as offered in the freebsd installer
19:10:07 s/office/offer/
19:12:29 I would rather die than use a macbook
19:12:33 also I do have a threat model for it
19:12:48 just... im a little lazy to explain
19:13:27 polarian: you know Thatcher used a MacBook?
19:13:39 and?
19:13:49 aren't you required to copy her?
19:13:51 no
19:13:56 free will
19:14:07 polarian: Atlas used a MacBook
19:14:24 I cracked open a cold beer now, gotta be productive tonight :P
19:15:08 anyways, I have done the software security shit
19:17:35 it's kind of frustrating that i spend so long getting reviews on bridge(4) changes and then someone feels fine sending an email like "bridge gone wrong"
19:18:06 the main issue I have is the exact situation I explained above, I want to protect more against visitors tampering... but it does seem after further thinking that this is a situation where if I want it to be simple, I either pick unencrypted or use passphrase and attend the boot. tykling's solution is more complicated but is a compromise between the two... and because I would like to share this
19:18:08 server it does mean others can attend the boot remotely over ssh provided I securely share the decryption key. My problem is, I am the worst for aiming for perfection which is exactly why I came here this evening
19:18:20 if I keep on thinking I will never *do*
19:18:39 and something, even if it is not the best, is better than *nothing*
19:19:12 ivy: ah you patch FreeBSD network stack/
19:19:15 ?
19:20:20 polarian: not sure about "network stack" but i'm basically the only person maintaining if_bridge
19:21:52 hey ivy getz wanted me to ask whether you are coming to EuroBSDCon cause hes too shy to ask himself :)
19:21:59 indeed
19:22:05 i am not
19:22:11 i have been training polarian in the way of the blade the past 6 months
19:22:19 blade!?!?
19:22:50 ivy: Well I guess we can nickname you IvyBridge then can't we >:)
19:22:56 this is gonna turn into #freebsd-offtopic real soon
19:23:03 polarian: excellent joke
19:23:33 funny enough I am using an ivy bridge cpu right now :P
19:23:49 i am using a Raptor Lake CPU which is much more exciting
19:23:50 getz: its still ontopic... mostly :P
19:23:55 will it break? randomly crash? who knows
19:24:13 russian roulette, FreeBSD edition!
19:26:37 hmmm... yk what fuck it, the board has serial, I will do FDE and later plug an OpenBSD'd RPI into the serial and use it as a terminal server over shs
19:26:39 ssh*
19:27:13 thanks for the help with me being indecisive ivy and tykling
19:30:16 polarian: remember to not use default passwords ;)
19:30:59 getz: haha funny
19:31:19 if Ivy doesnt matter I will nickname them IvyBridge for now on for the giggles
19:31:21 I like it too much
19:31:54 getz: dont you have patches to be writing
19:32:17 Aymeric is not a committer, and you are not... obviously haven't been doing enough work have you getz tut tut tut
19:32:26 s/not/now/
19:49:16 polarian: aymeric got his commit bit a few days ago
19:52:43 getz: ik
19:53:04 wheres yours?
20:36:05 he's being smart and avoids punishment
20:57:03 FreeBSD bareMetalFreeBSD 15.0-CURRENT FreeBSD 15.0-CURRENT #0 main-n279073-763d1bc05a71: Fri Jul 25 19:55:24 CDT 2025 root@bareMetalFreeBSD:/usr/obj/usr/src/amd64.amd64/sys/GENERIC-NODEBUG amd64 1500054 1500054
20:57:18 how do you get poudriere to retry the ones from your bulk that failed prior?
20:58:41 sponix2ipfw: just rerun it as you can it before. it'll find what's missing and rebuild
20:58:51 er s/can/did/
20:59:20 hmm, I had that with llvm19 and it never would actually even try it again, even when I specified it
20:59:34 are you sure it failed?
20:59:37 odd part is, it didn't generate any errors after the 1st fail either LOL
20:59:50 it might have successfully built the time after
20:59:51 zi: yeah, it got killed for taking too long on the 1st run
20:59:54 check the packages directory
21:01:58 175G of Ram used lol https://cdn.discordapp.com/attachments/727023752348434436/1399494403999141959/IMG_2843.jpg?ex=6889343b&is=6887e2bb&hm=330b7457996ffa2d7ee0f64b46aa4400ad630d4f117d70cabafddfd99b560ace&
21:07:07 PROBLEM DRINKER:
21:07:08 A man who never buys.
21:10:26 sponix2ipfw: does poudriere actually kill builds by timeout? I've never seen that happen before…
21:10:53 99% of the time my llvm builds fail due to OOM kills :D
21:11:01 Remilia: there is a value for it in its configuration file, and yes -- mine did -- it was like 18+ hours
21:11:03 since the poudriere VM only has 16 GB RAM
21:11:14 Remilia: your box may not have 256G of ram ;)
21:11:30 it has 32, it is my desktop PC from 2019 haha
21:11:44 mine is from 2015/2016
21:11:47 I run poudriere in Hyper-V
21:11:51 X99 for LIFE
21:11:59 Remilia: you are sick and twisted
21:12:32 perhaps, but I also need to be able to do my job and also engage in my hobbies
21:13:43 I'm just giving you shit ;)
21:15:16 my day job is watching Microsoft stuff crash at the gas station and getting paid to reboot it over and over
21:17:08 my day job is localisation which revolves around Excel
21:18:38 sponix2ipfw: more importantly *nix systems as desktop/primary interfaces for me only worked with IRIX and Solaris, and this is entirely my fault
21:18:38 I was IT, but sucked at trying to keep Microsoft running -- so I gave up
21:18:49 since I need accessibility tools
21:20:43 and accessibility has been an issue in *BSD and Linux for me since like 1990s
21:22:00 Yeah, it is still a weak spot in X11 let alone Wayland
21:22:16 improving slowly I hear, but I don't depend on it, so have no real ideas
21:22:31 closest thing for me is larger fonts because my vision isn't the best in my old age
21:22:41 it is improving but the issue is that it was always an afterthought until very recently haha
21:23:37 I don't hard-require accessibility stuff but it is very nice to have when I take my contact lenses off
21:24:04 plus in localisation you sometimes have to test that stuff too
21:24:23 ...and 99% of accessibility framework users are on Windows/Mac OS
21:25:18 speaking of, I need to swap my hexchat over to dark mode before it drives me nuts
21:25:38 my systems are in the bedroom with light and noise to a min -- so team headphones and dark mode always
21:26:43 I might have to swap over to my Linux box -- this build stuff is starting to make this one lag a bit
21:29:52 much better
21:30:03 kinda dumb that you have to restart the app for that, but whatever
21:37:29 I'd need to buy Excedrine Migraine in bulk if I worked with Excel as my day job
21:41:04 sponix2ipfw: such is life in localisation, it's basically the common exchange format and everything else also relies on it because it is already in use
21:41:46 Excel, the real noSQL database
21:45:22 yeah, end up with a lot of legacy stuff like that in IT -- it is just still used because that is how it has always been, and it would take tons of effort to do it another way
21:46:30 like depending on Microsoft SQL and Sharepoint for the Military information portal. Not ideal, and when the db grows too large it becomes unstable as hell, but keep tossing more hardware at it and apply as many patches of duct tape as possible
21:47:13 exchange -- same way, end up spending all your time migrating data from one store to another to attempt to balance boxes and keep the whole things floating
21:48:09 better solutions to all of this exist, but they would all take folks with skills/training, instead of folks that can click around in circles
21:48:40 and with a high turn over rate, easier to again -- toss more hardware at it
21:49:23 we had hundreds of thousands of dollars worth of gear in our server room to do less than what my current home systems can :)
21:55:37 well, Bank of Tokyo still runs its mission critical stuff written in COBOL, on the same mainframe they got in the 70s
21:56:03 it works and they have unsuccessfully tried to move it over to modern hardware several times already
22:20:53 I wish this true more often in tech
23:04:51 hey, is it possible to boot FreeBSD with grub?
23:06:15 I have a single internal SSD. I would like to have a single EFI partition and have options to boot either Linux or BSD
23:23:21 grub cant properly boot BSD
23:23:26 BSD's come with their own loader...
23:24:00 also BSD loader is needed for geli
23:27:57 a EFI partition can hold multiple boot loaders, how about using that?