Thu, 6 Jun 2024

10:53 AM - Project Update

Project update:

We've been working on restoring the UK mirror after a complete loss of the OS on the server after an update. (it was a freebsd box at ovh) It's been rsyncing for over a week now. We're only getting about 500kbps for some reason. Very slow. At this point, it should have everything but snapshots. 900 files to go.

We've updated amd64 and i386 3.1 packages recently with the latter being the first update since November. We're currently working on building packages for 3.2 amd64.

A 3.2 stable branch was created recently and we plan to fix a few bugs and get updated packages and then do a release off this branch. The original timeline was may but several issues have slowed us down.

One of our VM servers died suddenly in May. It was a consumer Ryzen 5700x box 64GB 3 SSDs. We've replaced it with an HPE dl360 gen9 with e5 xeon v3 24 cores / 48 threads 160GB RAM and 6 SAS SSDs.

We had to do a large refactor on how we handle perl for the new 3.2 version and this caused a lot of 3.1 ports to break. We've fixed these for folks on the latest 3.1.x release, but if you are on an early release, you may experience issues with man page paths for perl ports. We recommend updating to the latest 3.1.5 as of writing. (if you install via packages, it should work OK with other 3.1.x releases)

()

Tue, 7 May 2024

10:53 AM - RavenPorts update

RavenPorts has done a big update with MidnightBSD packages. Highlights include: Xorg Server: 21.1.13 Mesa 24.0.6 Firefox 125.0.3 Thunderbird 115.9.0 LibreOffice 24.2.2.2 Gimp 28.10.38 LLVM 18.1.5 Rust 1.77.2 Go 1.22.2 There's also been a lot of progress on wayland support.

()

Tue, 9 Apr 2024

Sat, 6 Apr 2024

12:10 AM - Update on xz

I've updated the xz version in 3.2-current to 5.4.x and avoided the known vulnerable releases. This aligns with recommendations from several sources.

As far as the calls to switch off xz for everything, that's unlikely in the short term. A lot of software distributed in mports uses tar.xz files. Further, package files generated by mport use it.  Early releases of mport used bzip2 but we migrated many years ago to tar.xz.  We're investigating the possibility of migrating to zstd and are working on updating libarchive to a newer release in base for this purpose.  It will likely not happen for the midnightbsd 3.2 release and will need to happen during a major release cycle.  (4.x? 3.3?) 

The long term risk is that xz isn't taken over or forked by a trustworthy source and CVEs start piling up.  The actual linux specific issues with 5.6.x are not a concern for BSD platforms aside from the real risk of something like this happening again.  (the supply chain attack piece is a danger)  

The harsh reality of open source is that there is a lot of code and it's difficult to review it all.  Companies have been bitten by issues like Amazon Music getting crypto mining node modules years ago or the recent attack on Notepad++ plugins.  It happens.  How we deal with it is what's important.

()

12:02 AM - 3.1.4 release pending

We've tagged 3.1.4 in git for the stable/3.1 branch and have an amd64 ISO on the FTP.  Still need to build i386.  

This includes updated timezone data and some major fixes to mport package manager.  There were a lot of issues in the 3.1.3 release of MidnightBSD with installing and using packages.

()

Sun, 31 Mar 2024

Sat, 30 Mar 2024

4:03 PM - mport 2.6.2

We just released mport 2.6.2; it fixes two bugs with mport list and mport list updates that would cause no output to display.

This has been imported into current and stable/3.1 branches

()

10:11 AM - xz vulnerability

There is an xz vulnerability in 5.6.0 and 5.6.1 that was caused by a malicious payload added via a commit.  https://boehs.org/node/everything-i-know-about-the-xz-backdoor

At this time, I am unaware of anything in libarchive that is considered dangerous as mentioned on that website.  MidnightBSD does not use the affected versions of xz in base. We have 5.2.9 right now.

()

Thu, 28 Mar 2024

8:55 AM - Unbound CVEs

There's two security vulnerabilities in the base system unbound.

We've updated unbound to 1.19.1 in 3.2 CURRENT and 1.19.3 in mports.

()

Tue, 19 Mar 2024

2:37 PM - current focus

We're working on getting mports back in shape on 3.2-current.  At the moment, work is underway on the devel/llvm15 port so we can update mesa

()

Sun, 4 Feb 2024

4:42 PM - perl removed from base

We're in the process of migrating to perl in mports from base.  Perl went into midnightbsd many years ago (around 0.4 i think) 

There are a few reasons for the change but here are a few:

  • Difficulty in updating 

  • Delays between releases

  • Security fixes are easier

  • Less software requires Perl now than when we made the decision

The biggest downsides are with mports as a lot of it still uses Perl.  We're working on that.

()

Fri, 12 Jan 2024

1:47 PM - mport package manager issue on 3.1.3 release

It seems that mport install doesn't work sometimes and gives no output.

Workaround:

mport download pkgname

/usr/libexec/mport.install /var/db/mport/downloads/pkgfilename.mport

where pkgname is something like gmake and pkgfilename.mport is something like gmake-3.8.1.mport

()

1:46 PM -

perl is not correctly setting enabling man pages if a system uses mandoc. It kind of guesses if nroff is present. This causes many perl ports to not build man pages. Fixed in stable/3.1

We're now forcing man1dir/man3dir and man1ext/man3ext settings in build (missed)

()

Tue, 9 Jan 2024

1:51 PM - Project Status 2024

Here are our plans for 2024:

  • 3.2 release - bug fix release with some base system third-party library updates. This is on track to be released in the next few months. TODO: decide if perl will migrate to ports. (likely)

  • 4.0 work started - still planning what will be in this release Updating mesa and llvm ports (llvm 12 recently added)

  • Migrate from svn to git to magus indexer. (done today) Find ways to cut costs month to month. (spending roughly $300 a month on server/cloud plus on prem infra including business internet connection)

  • Determine what we want to do with portsnap. Love to know if you use it.

()

Thu, 26 Oct 2023

3:56 PM - mports status

Packages for i386 and amd64 MidnightBSD 3.1 have been released this month.  We're currently trying to fix a number of vulnerable mports with updates and also add support for PHP 8.3.

()

Tue, 5 Sep 2023

Tue, 29 Aug 2023

11:39 AM - Ravenports

MidnightBSD 3.1.0 now includes the keys and the install will bootstrap Ravenports.  This will create a /raven directory and allow you to install software using /raven/sbin/ravensw

Refer to the Ravenports website for more information on how to use http://www.ravenports.com/

Please note that we don't setup paths for /raven/bin, /raven/sbin, etc, automatically.  You'll need to do that to make it easier to run apps there.

tags: ravenports

()

11:36 AM - mport 2.4.4

MidnightBSD 3.1 includes mport 2.4.3

mport clean now removes temporary files that might get left behind by other operations

mport clean now removes left over /var/db/mport/infrastructure/* folders that might get left behind prior to a fix for mtree files last year. (mostly for older systems)

mport's internal rmtree functionality has been modified to use native C routines rather than executing rm -r as a system command. (Please report any issues with removing files in packages on delete with this) This is slightly faster with very large packages. (0.03 seconds or so)

mport list updates will now give you better information about why a package is not found in the index. If the package is listed in the MOVED file in mports repository, it will tell you if it's removed/expired or moved to another location.

Now that MOVED file contents are part of the index, we can start doing smarter updates in the future. The first package build to include this data is the latest amd64 3.1 build that is likely going to be used for the upcoming midnightbsd 3.1 release.

We've tagged 2.4.4 in git with additional improvements

  • Adds mport config list to display all configured values

  • Fixes a bug with non-interactive console messages when downloading a file. (Uses percent and cuts down on output)

()