MidnightBSD Developer Journal
Lucas
2024-04-10T21:20:29.021Z

Unbound updated in stable/3.1 branch (will be part of 3.1.5)
2024-04-09T15:55:47.000Z
I just updated unbound to 1.19.3 in the stable/3.1 branch. This fixes a number of CVEs. Anyone using it on 3.1 should consider updating the base system or use the mports version.

MidnightBSD 3.1.4 release
2024-04-06T20:11:07.000Z
MidnightBSD 3.1.4 release
Fixes issues with mport and updates timezone data.
https://github.com/MidnightBSD/src/releases/tag/3.1.4

Update on xz
2024-04-06T16:10:41.000Z
I've updated the xz version in 3.2-current to 5.4.x and avoided the known vulnerable releases. This aligns with recommendations from several sources.
As far as the calls to switch off xz for everything, that's unlikely in the short term. A lot of software distributed in mports uses tar.xz files. Further, package files generated by mport use it. Early releases of mport used bzip2 but we migrated many years ago to tar.xz. We're investigating the possibility of migrating to zstd and are working on updating libarchive to a newer release in base for this purpose. It will likely not happen for the MidnightBSD 3.2 release and will need to happen during a major release cycle. (4.x? 3.3?)
The long term risk is that xz isn't taken over or forked by a trustworthy source and CVEs start piling up. The actual Linux-specific issues with 5.6.x are not a concern for BSD platforms aside from the real risk of something like this happening again. (the supply chain attack piece is a danger)
The harsh reality of open source is that there is a lot of code and it's difficult to review it all. Companies have been bitten by issues like Amazon Music getting crypto mining node modules years ago or the recent attack on Notepad++ plugins. It happens. How we deal with it is what's important.

3.1.4 release pending
2024-04-06T16:02:23.000Z
We've tagged 3.1.4 in git for the stable/3.1 branch and have an amd64 ISO on the FTP. Still need to build i386.
This includes updated timezone data and some major fixes to mport package manager. There were a lot of issues in the 3.1.3 release of MidnightBSD with installing and using packages.

3.2 amd64 ISO snap available
2024-03-31T19:06:01.000Z
I'm uploading a 3.2 amd64 snapshot to the primary FTP server for MidnightBSD

mport 2.6.2
2024-03-30T20:03:30.000Z
We just released mport 2.6.2; it fixes two bugs with mport list and mport list updates that would cause no output to display.
This has been imported into current and stable/3.1 branches

xz vulnerability
2024-03-30T14:11:18.000Z
There is an xz vulnerability in 5.6.0 and 5.6.1 that was caused by a malicious payload added via a commit. https://boehs.org/node/everything-i-know-about-the-xz-backdoor
At this time, I am unaware of anything in libarchive that is considered dangerous as mentioned on that website. MidnightBSD does not use the affected versions of xz in base. We have 5.2.9 right now.

Unbound CVEs
2024-03-28T12:55:00.000Z
There are two security vulnerabilities in the base system unbound.
We've updated unbound to 1.19.1 in 3.2 CURRENT and 1.19.3 in mports.

current focus
2024-03-19T18:37:43.000Z
We're working on getting mports back in shape on 3.2-current. At the moment, work is underway on the devel/llvm15 port so we can update mesa

perl removed from base
2024-02-04T21:42:00.000Z
We're in the process of migrating to perl in mports from base. Perl went into MidnightBSD many years ago (around 0.4 I think)
There are a few reasons for the change but here are a few:
* Difficulty in updating
* Delays between releases
* Security fixes are easier
* Less software requires Perl now than when we made the decision
The biggest downsides are with mports as a lot of it still uses Perl. We're working on that.

mport package manager issue on 3.1.3 release
2024-01-12T18:47:23.000Z
It seems that mport install doesn't work sometimes and gives no output.
Workaround:
mport download pkgname
/usr/libexec/mport.install /var/db/mport/downloads/pkgfilename.mport
where pkgname is something like gmake and pkgfilename.mport is something like gmake-3.8.1.mport

2024-01-12T18:46:07.000Z
perl is not correctly enabling man pages if a system uses mandoc. It kind of guesses if nroff is present. This causes many perl ports to not build man pages. Fixed in stable/3.1
We're now forcing man1dir/man3dir and man1ext/man3ext settings in build (missed)

Project Status 2024
2024-01-09T18:51:17.000Z
Here are our plans for 2024:
* 3.2 release - bug fix release with some base system third-party library updates. This is on track to be released in the next few months. TODO: decide if perl will migrate to ports. (likely)
* 4.0 work started - still planning what will be in this release
* Updating mesa and llvm ports (llvm 12 recently added)
* Migrate from svn to git to magus indexer. (done today)
* Find ways to cut costs month to month. (spending roughly $300 a month on server/cloud plus on-prem infra including business internet connection)
* Determine what we want to do with portsnap. Love to know if you use it.

mports status
2023-10-26T19:56:55.000Z
Packages for i386 and amd64 MidnightBSD 3.1 have been released this month. We're currently trying to fix a number of vulnerable mports with updates and also add support for PHP 8.3.

xfce 4.18 now in mports
2023-09-06T00:36:44.000Z
We updated xfce desktop to 4.18 in mports.