00:04:06 Neat talk from CCC. https://media.ccc.de/v/39c3-escaping-containment-a-security-analysis-of-freebsd-jails
00:20:22 I've had pretty good luck running about everything in hyperv.
00:32:22 i'm testing vm-bhyve to run some bhyve vms, i can't get it to boot anything uefi (openbsd, freebsd, arch, alpine) and yes, I have bhyve-firmware installed
00:34:06 deimosBSD: what about edk2-bhyve ?
00:34:23 and what's the log say / what happens
00:36:26 yeah, i have that
00:36:39 the vm-bhyve.log claims the vm starts fine
00:36:45 deimosBSD: How are you pointing bhyve to the uefi firmware?
00:36:47 yet console is blank as is vnc
00:36:57 vm-bhyve finds it correctly
00:39:00 you should see some efi shiz from watching `vm console`
00:39:19 TommyC: doesn't it just magically find it from /EFI ? i haven't had to do anything like that
00:39:43 just loader="uefi"
00:40:03 Last time I played with bhyve, it did find the bhyve-firmware stuff automagically but it didn't for edk2's firmware.
00:40:51 Dec 31 23:36:52: [bhyve options: -c 1 -m 1G -Hwl bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd -w -U 26d828ee-a834-11ee-bbca-782bcb32b758 -u]
00:41:02 and that file is there, yeah?
00:41:10 here's what I see, all throw away vm, https://paste.zw.is/upload/QdJlva
00:42:32 and yes, the /usr/local/share/uefi-firmware/ points to ../edk2-bhyve/ files correct
00:43:07 i remember i had to do some weird set tty on the openbsd installer
00:43:13 but i don't know if that was fixed
00:45:17 the tty is sorta normal for serial coms, but this is supposed to provide full uefi graphics, right?
00:50:18 fwiw, this is the config from the vm create command: https://paste.zw.is/upload/dJzOvd
00:50:41 which is just based on the template for openbsd.conf
00:53:49 if i remove the graphics lines, i get nothing from console
00:59:03 where should we look for patch level changelog? i wanna see if 14.3-p5 needs to be upgraded to p6 or p7
01:04:02 kerneldove_: i think here, https://www.freebsd.org/releases/14.3R/errata/#errata
01:05:55 also look up a bit for the security advisories
01:15:46 ok ty
01:15:59 rtj rust would have prevented most of those jail escapes
01:18:15 ah ya, rust mentioned in later slide
01:18:20 ivy ^
01:18:34 How can you oxidise the code?
01:21:11 well like the slide in that talk says, start with adding the infra for rust support, then start writing new code in rust, then over time rewrite old code in rust
01:22:47 Yes, I was just trying to be silly. I guess you could put the code on spinning drives and they'd rust. I'll see myself out.
01:23:05 will you be here all week? :)
01:34:25 perhaps all year
01:34:52 now my test vm is both running and not running
01:35:26 back to reading the source for vm-bhyve
01:38:56 hodapp: I have never really got the container hype... I understand it can help with security, but with my systems just being for friends and family, I've never really felt the need
01:39:50 Sometimes a single podman/docker command to deploy something that would otherwise be complicated can be nice. But most of the time things are straightforward enough that I'd rather just do them on the Host OS itself
01:48:44 yeah kind of weird. linux tends to set cores .. but fbsd is all the cores when it comes to throttling with powerd
01:48:45 rust is an unstable language without a formal standard
01:49:29 so it seems like powerd adjusts all cores at once instead of one at a time
01:53:13 SponiX: so, the security argument is meh as their isolation often isn't great, but for me they shine in situations where you need to lock down the exact context something runs in - and that's great for things like reproducible builds where you can guarantee that outside things or previous builds aren't leaking in, or for running unit tests, or for demonstrating a minimum test case for a supposed
01:53:15 bug
01:55:18 SponiX: if you have software that was written like shit in the first place, and it just assumes it can throw things around all over and control the whole OS (without any real excuse for needing this), containers are a really effective way of deploying it while limiting the blast radius. a lot of "real" software is, annoyingly, this.
01:57:07 my problem is when people look at this last effect, and go "oh, since Docker exists, I may as well write the software to completely depend on it!" and throw out the idea of ever picking the right abstraction
02:25:04 zfs question: is a jailed dataset supposed to return permission denied to jail root attempting `zfs snap`?
03:55:40 welp, my openbsd pf rules work "as is" in freebsd pf now
05:49:15 magic
08:21:56 thanks for testing deimosBSD
08:23:29 at least something worked correctly today
08:23:54 ha.. everything works correctly today ;-p
08:56:59 LXGHTNXNG: i think you have to give it permission for zfs
09:36:28 hello guys, what do you think.. will it work to play windows games like WoW, minecraft etc via wine in freebsd? I played WoW around 15 years ago on linux wine and that worked fine..
09:37:33 otherwise I need to upgrade this old computer so I can install newer windows 11 so my kid can play some games at least :P
09:38:02 LXGHTNXNG: please let me know whether it is possible to access snapdir from the jail
09:38:30 LXGHTNXNG: snapshotting can be done by host's root
09:39:15 snapshotting by jail's root never worked for me, but the problem with accessing snapshot dir from the jails is worse
09:45:27 nwe: wine should work about as well as on linux
09:47:20 nimaje: thanks! at the moment I have some problem with my poor usb-wifi dongle going really slow :P
09:48:28 pkg install chromium going in 32kb/s :P
09:49:06 as in the old days :P
12:06:15 How many of you just run freebsd ? No Linux or Windows in the mix?
12:12:58 why do you ask? Some here I would think, but not really able to guess a number
12:15:35 I recently got into freebsd, I just wonder what other setups are like
12:15:54 I have Windows 10, Debian, Gentoo, freebsd
12:17:03 I have run freebsd and openbsd on the pi, but not on a normal desktop
12:21:58 I use Windows (just for gaming), Linux (if I contribute to something linux only) and daily driving FreeBSD
12:22:34 Nice setup lockna
12:23:02 So all UEFI based systems?
12:23:42 Yes, everything runs on my PC. Only got a macbook which runs Asahi Linux when I'm off for work.
12:23:54 Why you having two linux distros?
12:26:00 Well, my point is to try to make a system the way I want.
12:26:32 Gentoo was extreme all command line, small as I could get and still do what I normally do, coding, web and watch movies
12:32:00 and what do you use debian for?
12:33:38 I had been using Ubuntu for most of the 18 years I have been using Linux so, I thought why not try the base
12:33:52 just got it so I could pick the gui after
12:35:45 Ah, okay
12:35:45 over the years I had tried going down the rabbit hole distro wise. and I thought, never tried Debian
12:35:54 true, often gets overlooked
12:37:32 What I have done is Ubuntu as my base, ventured out, void, Arch, Gentoo when I felt like really trying. One time Windows, Linux, freebsd
12:38:42 recently last 5 years, dual boot, bios and uefi, is that what you call it
13:24:32 hello! I'm building a kernel module from my home directory. it contains a bunch of code not written by myself which has some compile time warnings. I'd like to ignore those warnings ("for now"). what I've tried so far: `make WERROR="-Wno-cast-qual"` - I can see the flag in the compiler command line, but there's also a `-Wcast-qual`, which seems to override it. I've also tried to dabble with /etc/src.conf (WITHOUT_WARNS, WITHOUT_WERROR), but I haven't had any success (luck) so far. I assume that's a quite easy task if you know the build system a bit better. can somebody help?
13:27:11 hm, something I've tried before, but I might have made a mistake: It seems setting WERROR="" and WARNS="-Wno-cast-qual" in the Makefile helps. let me double check
13:30:28 let me try my crystal ball, maybe that lets me see what build system that kernel module you have from somewhere uses and how it works -- nope, my crystal ball is still broken
14:07:32 ck45: I'm not sure what you mean, compiler warnings should not abort compilation
14:10:52 Remilia: there's a flag that turns warnings into errors: https://clang.llvm.org/docs/UsersManual.html#cmdoption-Werror - it makes sense to be stricter e.g. for the kernel code. I think the flag is added here: https://github.com/lattera/freebsd/blob/master/share/mk/bsd.sys.mk#L35C1-L35C11 but I have/had some trouble disabling it
14:12:07 oh
14:16:12 I think WITHOUT_WERROR=1 worked fine for me before yeah
14:17:21 but that was in the past
14:20:46 did you pass it to make or in src.conf?
14:22:27 well, seems I have found an equilibrium and it now works. I will check a bit later if it's reproducible
15:21:40 Tell the makers of freebsd thanks from me
16:34:23 tarel2: you can also do https://www.freebsd.org/donations/
16:38:49 sure, you can, you can give a few bucks and it will make you happier tarel2
16:57:13 i just saw this as #freewilly
16:57:18 #freebsd!
16:58:44 not as in beer, not as in speech, but as a verb, et tu
18:14:56 Why choose freebsd over Linux? Both unix like but freebsd is smaller. Do you just stick to the few things you do and not venture out? Or more like freebsd, some Linux when needed and Windows when you want to play games?
18:25:52 tarel2: neither is UNIX
18:26:06 they are Unix-like and partially POSIX-compliant
18:26:07 well, freebsd has one of the largest package repos, so why would the smaller base be a disadvantage?
18:26:07 sorry for non-topic: hi there, does anybody know how I can make the make env "I_DONT_CARE_IF_MY_BUILDS_TARGET_THE_WRONG_RELEASE" work in the poudriere?
18:26:14 So what is a real unix?
18:26:48 a real UNIX system is anything Open Group has certified as UNIX
18:26:57 AIX would be an example
18:27:30 a UNIX has to conform to POSIX and SUS
18:27:37 *real -> official
18:27:40 Looking at say Windows, more apps, Linux not as many, Mac less, keep going down, where does freebsd land. That is my only point
18:29:37 some version of apple's mac os was certified UNIX
18:29:53 nimaje: all versions since 10.5 excluding 10.6
18:30:16 That is odd to me finding out Mac is like based on freebsd or something like that unix-like os
18:31:21 Mac OS uses a mach-like kernel with heavily modified parts of FreeBSD userland
18:32:25 well, it was originally Mach but they introduced a whole lot of changes so it is no longer fully microkernel (then again this is off topic)
18:32:50 The one time, I ran mac on their pc, it was ok.
18:33:32 a modded version of freebsd runs the ps 4 ?
18:34:08 I would love to look under the hood, not that I have run an os and knew what I am doing
20:03:31 https://media.ccc.de/v/39c3-escaping-containment-a-security-analysis-of-freebsd-jails welp that ain't good
20:07:45 on the contrary, it's way better when responsible security researchers find and thisclose the information, like they did here
20:07:54 *disclose
20:10:56 yes, crest has done a very good job with this. as well as the people who responded to it.
20:11:09 hey crest you are popular. again. yeeeeey.
20:11:25 ?
20:11:33 what have i done this time?
20:11:50 the important part there is "We’ve responsibly disclosed our findings to the FreeBSD security team and are collaborating with them on fixes."
20:11:59 i just asked if they're willing to document their dev setup
20:12:11 which they promised a writeup on
20:12:45 i'm a bit pissed by how much worse my communication with the security team went
20:19:33 it felt like screaming into a black hole that didn't even acknowledge my report
20:20:23 despite including an already weaponized exploit as PoC
20:20:31 *sigh*
21:14:27 polarian: iirc, most of the risk was in the old ipfilter firewall code and interfaces
21:15:31 deimosBSD: classic freebsd not removing legacy code then?
21:15:33 shame
21:16:46 ipfilter is the oldest one, and when Darren was writing the code, there were different times
21:17:19 * mzar wonders who really uses ipfilter in 2025
21:18:10 i'm sure someone, somewhere uses ipfilter still, which is why the code still exists
21:18:17 but i could be wrong about the whole topic
21:18:40 maybe it's the secret bypass_kernel_security_for_perf() syscall in jails. ;)
21:19:19 is ipfilter even loaded by default
21:22:04 Remilia: no, nor is it exposed to the jails
21:22:53 I really wish there was a transcript of this talk with slides, not making me actually watch the video.
21:23:00 same
21:23:14 i hear "ai" solves this.
21:23:19 ;)
21:23:44 the video has 'auto' captions which are terrible
21:23:54 'a security analysis of Freebies EJLs'
21:24:16 it was a nice talk, a lot of work was needed to complete this PoC breakout, and it should be highly appreciated that those guys have taken the whole effort
21:26:30 deimosBSD: mentions ipsec, carp, wifi (lol), NFS, pf, ipfilter and ipfw at least
21:26:38 plus interface ioctls
21:27:14 don't watch the video 39c3 videos on youtube *sigh*
21:27:38 crest: what do you mean?
21:28:09 I can't parse your sentence, sorry :(
21:28:17 * Remilia is English-as-4th-language
21:29:26 there's a superfluous word «video» before «39c3», Remilia
21:29:48 oh
21:30:01 «don't watch the 39c3 videos on youtube»
21:30:01 well, I am watching it on media.ccc.de
21:30:05 very good
21:30:15 What's wrong with watching it on YouTube?
21:30:16 and that is where the 'auto' captions are from
21:33:40 freebsie ejls
21:33:44 freebies ejls*
21:33:47 hilarious
21:34:00 i'm downloaded it and am watching with mpv
21:34:11 (imagine that is correct english)
21:34:21 s/i'm/i/
21:36:39 I feel like automated captions should be a last resort when it's anything outside a typical time-wasting stand-up type meeting thing
21:37:11 and lack of proper CCs is a show of disrespect to people with hearing issues
21:37:18 "Translators are expensive." -- upper management
21:37:28 this isn't even about translation
21:37:32 just closed captions
21:37:48 * Remilia is a translator by education and trade
21:38:21 also yeah… expensive… €0.045 per source word ahahaha
21:38:24 TommyC: Who needs translations, when you can just set the captioning to the wrong language? :D I sometimes attend such meetings, and have to hold my temper from cracking up at times
21:38:46 DaliborFox: I sometimes like to read Dutch because the language itself can be funny. :3
21:38:50 DaliborFox: you don't even need wrong language, you need non-native speaker accents
21:39:08 and Teams and Meet both descend into chaos
21:39:19 (also, uncommon/non-English names)
21:41:49 Remilia: sorry i'm operating on 2 hours of sleep
21:42:18 crest: it's time to hit the sack, your shift here is over !
21:43:07 i assumed the bad auto subs were added by youtube because people tend to watch it there instead of on media.ccc.de or the live/timeshift streaming service
21:44:38 mzar: too bad my train from hamburg to berlin took a "little" detour because one track is closed by construction
21:45:52 ha... it happens, I am sorry to hear that, and I hope you'll be able to have at least a nap there
21:46:07 and on the other some damned idiot decided that today is a great day for suicide by train
21:47:18 it's end of the year, a week after solstice, people suffer from lack of sunlight and it happens
21:48:03 * ant-x looks for a bottle of Vitamin D3
21:48:26 so the train had to detour via hannover
21:50:15 that's not so bad, you still could have a severe winter storm or terrorist attack, let's hope it will get solved and you'll be able to get back home before end of the year
21:50:17 if you have to use a vehicle use your own and don't fuck up a train driver's life on your way out
21:57:07 deimosBSD: the perfect tense in the active voice is formed with «to have». so it'd be «i've downloaded it».
22:01:53 interesting English 101 ongoing here
22:08:39 LXGHTNXNG: grazie
22:09:18 we don't have a two-auxiliary system like italian
22:10:42 but both are indo-european languages, so learning is easy
22:11:15 overstated
22:11:29 the lexicon is almost completely different when you move away from sciencey words
22:11:48 but this has already gone too far for here, let's go to #freebsd-social if we want to continue
22:14:50 hha... yep, but this channel could also become #social, we are building a wider community
22:26:45 mzar: you're welcome to easily learn Basque or Finnish/Estonian
22:27:18 or Russian (at a level that does not make people point and laugh)
22:27:41 at least Russian only has 6-7 grammatical cases unlike Finnish
22:33:24 Remilia Finnish/Estonian/Hungarian are from a different family, Basque - too far for me to go there
22:34:18 mzar: I'm not sure what you mean, they are Indo-European
22:34:23 they aren't.
22:34:37 Finnish and the gang are Finno-Ugric, which is only related by a couple of loanwords to IE
22:34:56 oh wait, right, Uralic
22:35:09 I am running on a 40 minute nap
22:35:58 though to me they are all weird because my native language is Ainu :D
22:37:57 Basque is a paleo-european language of the Vasconic family (of which it's the only surviving descendant as well as one of like four or five descendants of which we have any records at all), one of the last remnants of the languages once spoken by archaic Europeans before the proto-Ukrainians arrived with their bubonic plague and their indo-european languages. Etruscan, which we do not have
22:37:59 complete records of and which is extinct, is either a language isolate or of a "Tyrsenian" (if I spelled that right) family, not related to the Vasconic languages
23:01:07 wtf are 'proto-Ukrainians'
23:08:02 Remilia, 0.045 per source word? Poor human translators, having to complete with the artificial idiot...
23:08:41 * compete
23:09:10 ant-x: sometimes you can get 0.055 but 0.045 is very common for freelance work in my original language pair (RU→JA) and also in EN→RU
23:09:43 getting anything RU→JA consistently is a pipe dream outside government work anyway
23:10:07 should not have majored in Russian :D
23:13:34 I am Russian. Which language is JA? Not Japanese?
23:16:12 ^ So it /is/ Japanese, and not jp.
23:19:15 Remilia, I misread 0.045 for 0.0045. 20 words to a Euro actually sounds good to me.
23:27:00 ant-x: yeah you typically can earn around 400-500 a month if you are lucky
23:27:41 Remilia: I am referring to the Indo-Europeans who had domesticated horses but not invented agriculture and lived in what's now southern Ukraine and southwestern Russia, before moving north, west and east
23:28:11 it's a misleading term
23:28:11 LXGHTNXNG: https://history.stackexchange.com/a/17399 see here and forget that bs
23:28:23 has maps included and full explanation
23:28:46 Remilia, I remember that in the 1930s writers of weird fiction (Lovecraft and friends) were paid 0.01$ per word for original fiction rather than translation.
23:29:08 respectfully, "indo-europeans out from yamnaya is bullshit" is not a conversation for #freebsd.
23:29:14 ant-x: you are always paid per source of course
23:29:44 But nowadays you are allowed to cheat with Google Translate &c?
23:30:01 why would you ever do that
23:30:24 /I/ would not, but people routinely do it to save effort.
23:31:08 LXGHTNXNG: there are Strange People pushing 'proto-Ukrainians' pseudoscientific stuff that was thoroughly debunked before
23:31:26 ^ They would run the entire text through Google Translate, make a few amendments, and call it a job done.
23:31:41 and indeed, pseudoscience should be off topic anywhere
23:32:10 You talking about the great ancient civilisation that dug out the black sea :-?
23:32:34 ant-x: I'd share my thoughts on MTL but this is not the right channel and you aren't in #freebsd-social
23:32:53 Right.
23:33:09 Perhaps, I'll see you there sometime.
23:33:38 Cripes.
23:34:48 Is anyone here using the X11's standard windows manage, twm, on their FreeBSD machine?
23:34:56 * window manager
23:36:47 1. why would i 2. maybe i should (re?) try it sometime
23:38:19 LXGHTNXNG, small & beautiful & unusual: .
23:39:07 I simply remain a windowmaker user
23:39:38 Better than widomaker :-)
23:39:48 ^ as I frequently mistype the word.
23:39:49 I think it was the nicest WM I tried in 1998 and it stuck
23:40:09 (that is, nicest after IID)
23:40:23 but you can't have IID on FreeBSD so
23:40:39 * ant-x loves Windows 98 interface, and GTK2.
23:41:57 was IID's window manager called 4Dwm I forgot
23:41:59 I asked about twm because I have problems with using it with complicated software such as Firefox.
23:42:10 What is IID?
23:42:18 IRIX Interactive Desktop
23:43:51 ^ It is a beauty, confirmed.
23:44:38 I dislike vector interfaces, and most of the time vector fonts as well.