Tue, 9 Apr 2024

Sat, 6 Apr 2024

12:10 AM - Update on xz

I've updated the xz version in 3.2-current to 5.4.x and avoided the known vulnerable releases. This aligns with recommendations from several sources.

As far as the calls to switch off xz for everything, that's unlikely in the short term. A lot of software distributed in mports uses tar.xz files. Further, package files generated by mport use it.  Early releases of mport used bzip2 but we migrated many years ago to tar.xz.  We're investigating the possibility of migrating to zstd and are working on updating libarchive to a newer release in base for this purpose.  It will likely not happen for the midnightbsd 3.2 release and will need to happen during a major release cycle.  (4.x? 3.3?) 

The long term risk is that xz isn't taken over or forked by a trustworthy source and CVEs start piling up.  The actual linux specific issues with 5.6.x are not a concern for BSD platforms aside from the real risk of something like this happening again.  (the supply chain attack piece is a danger)  

The harsh reality of open source is that there is a lot of code and it's difficult to review it all.  Companies have been bitten by issues like Amazon Music getting crypto mining node modules years ago or the recent attack on Notepad++ plugins.  It happens.  How we deal with it is what's important.

()

12:02 AM - 3.1.4 release pending

We've tagged 3.1.4 in git for the stable/3.1 branch and have an amd64 ISO on the FTP.  Still need to build i386.  

This includes updated timezone data and some major fixes to mport package manager.  There were a lot of issues in the 3.1.3 release of MidnightBSD with installing and using packages.

()

Sun, 31 Mar 2024

Sat, 30 Mar 2024

4:03 PM - mport 2.6.2

We just released mport 2.6.2; it fixes two bugs with mport list and mport list updates that would cause no output to display.

This has been imported into current and stable/3.1 branches

()

10:11 AM - xz vulnerability

There is an xz vulnerability in 5.6.0 and 5.6.1 that was caused by a malicious payload added via a commit.  https://boehs.org/node/everything-i-know-about-the-xz-backdoor

At this time, I am unaware of anything in libarchive that is considered dangerous as mentioned on that website.  MidnightBSD does not use the affected versions of xz in base. We have 5.2.9 right now.

()

Thu, 28 Mar 2024

8:55 AM - Unbound CVEs

There's two security vulnerabilities in the base system unbound.

We've updated unbound to 1.19.1 in 3.2 CURRENT and 1.19.3 in mports.

()

Tue, 19 Mar 2024

2:37 PM - current focus

We're working on getting mports back in shape on 3.2-current.  At the moment, work is underway on the devel/llvm15 port so we can update mesa

()

Sun, 4 Feb 2024

4:42 PM - perl removed from base

We're in the process of migrating to perl in mports from base.  Perl went into midnightbsd many years ago (around 0.4 i think) 

There are a few reasons for the change but here are a few:

  • Difficulty in updating 

  • Delays between releases

  • Security fixes are easier

  • Less software requires Perl now than when we made the decision

The biggest downsides are with mports as a lot of it still uses Perl.  We're working on that.

()

Fri, 12 Jan 2024

1:47 PM - mport package manager issue on 3.1.3 release

It seems that mport install doesn't work sometimes and gives no output.

Workaround:

mport download pkgname

/usr/libexec/mport.install /var/db/mport/downloads/pkgfilename.mport

where pkgname is something like gmake and pkgfilename.mport is something like gmake-3.8.1.mport

()

1:46 PM -

perl is not correctly setting enabling man pages if a system uses mandoc. It kind of guesses if nroff is present. This causes many perl ports to not build man pages. Fixed in stable/3.1

We're now forcing man1dir/man3dir and man1ext/man3ext settings in build (missed)

()

Tue, 9 Jan 2024

1:51 PM - Project Status 2024

Here are our plans for 2024:

  • 3.2 release - bug fix release with some base system third-party library updates. This is on track to be released in the next few months. TODO: decide if perl will migrate to ports. (likely)

  • 4.0 work started - still planning what will be in this release Updating mesa and llvm ports (llvm 12 recently added)

  • Migrate from svn to git to magus indexer. (done today) Find ways to cut costs month to month. (spending roughly $300 a month on server/cloud plus on prem infra including business internet connection)

  • Determine what we want to do with portsnap. Love to know if you use it.

()

Thu, 26 Oct 2023

3:56 PM - mports status

Packages for i386 and amd64 MidnightBSD 3.1 have been released this month.  We're currently trying to fix a number of vulnerable mports with updates and also add support for PHP 8.3.

()

Tue, 5 Sep 2023

Tue, 29 Aug 2023

11:39 AM - Ravenports

MidnightBSD 3.1.0 now includes the keys and the install will bootstrap Ravenports.  This will create a /raven directory and allow you to install software using /raven/sbin/ravensw

Refer to the Ravenports website for more information on how to use http://www.ravenports.com/

Please note that we don't setup paths for /raven/bin, /raven/sbin, etc, automatically.  You'll need to do that to make it easier to run apps there.

tags: ravenports

()

11:36 AM - mport 2.4.4

MidnightBSD 3.1 includes mport 2.4.3

mport clean now removes temporary files that might get left behind by other operations

mport clean now removes left over /var/db/mport/infrastructure/* folders that might get left behind prior to a fix for mtree files last year. (mostly for older systems)

mport's internal rmtree functionality has been modified to use native C routines rather than executing rm -r as a system command. (Please report any issues with removing files in packages on delete with this) This is slightly faster with very large packages. (0.03 seconds or so)

mport list updates will now give you better information about why a package is not found in the index. If the package is listed in the MOVED file in mports repository, it will tell you if it's removed/expired or moved to another location.

Now that MOVED file contents are part of the index, we can start doing smarter updates in the future. The first package build to include this data is the latest amd64 3.1 build that is likely going to be used for the upcoming midnightbsd 3.1 release.

We've tagged 2.4.4 in git with additional improvements

  • Adds mport config list to display all configured values

  • Fixes a bug with non-interactive console messages when downloading a file. (Uses percent and cuts down on output)

()

Wed, 5 Jul 2023

1:35 AM - Magus changes

I started working on some changes for Magus to parse the MOVED file. In MidnightBSD, a lot of tools don't do much with that file so it's never been consistently managed. 

The idea is that we can index it with each magus run and then provide the data in the index file generated for packages.  This would provide hints about packages that were really removed vs renamed.  We could then install the renamed/moved package on upgrades and when using the mport list command, it could more accurately guess if packages were removed or just unavailable. 

This solves a problem that's bugged me for awhile with mport.  Of course, we're only working on the first step now.  

The steps for this are:

1. add it to the magus indexer.  (needs testing)

2. Export the data during a magus bless from the new MOVED table in the postgresql database to a table in the generated sqlite index files for mport to use.  (need to update magus bless utility)

3. Modify mport package manager to read the data from the table in the index 

4. Update the mport list command to display more accurate data about packages that have expired, will expire, or are deleted/removed

5. Modify the mport info command to display information about package expiry etc 

6. Modify the upgrade command (and possibly update) to make more intelligent decisions about package renames and possibly ask a question on upgrade/update/install paths about packages that are deprecated.

()

Fri, 2 Jun 2023

1:39 PM - Ravenports

The Ravenports folks are looking into supporting MidnightBSD so there'd be an additional source of packages for the OS available.

We've done some work on the firstboot script in Current to support this experimental bootstrap/integration.

https://ravenports.com

This is certainly not final yet, but looking promising. There are a number of packages available via Ravenports that aren't available in mports.

For example: recent firefox releases!

We won't be discontinuing mports, and consider this an additional package manager / repository. However, we will try to make it easy to use on a fresh install and support it as much as we can.

()