#Hardenedbsd

2025-06-20

@tris #HardenedBSD ships with sample #Tor configuration files for its package repos. This section of the documentation is about enabling use of those .onion endpoints.

For the OS updating mechanism (hbsd-update): git.hardenedbsd.org/hardenedbs

For the package repo: git.hardenedbsd.org/hardenedbs

2025-06-20

I've added some basic instructions on accessing #HardenedBSD resources (package repos and OS binary updates) over #Tor here: git.hardenedbsd.org/hardenedbs

I think some refinements could be made, but this is at least an initial draft. If anyone has any ideas for further refinement, please let me know.

#HumanRightsTech

2025-06-16

Thankfully, the #HardenedBSD infrastructure seems to have survived unscathed. That's the important bit.

#BSDCan 2025 conference videos are posted to YouTube.

If you wanted to learn more about #FreeBSD, #OpenBSD, #NETBSD, #HardenedBSD or #DragonflyBSD, this collection of videos is a good place to browse and sample some of the features as they are explained.

youtube.com/playlist?list=PLeF

2025-06-13

I wonder if someone would be interested in finishing the pkgbase work in #HardenedBSD I've started on. I'd like to get back to working on the censorship- and surveillance-resistant mesh network, which is becoming all the more important.

Would anyone be interested in working on pkgbase? I could step you through what I've already done, and what's left to be figured out and completed.

#infosec #opsec #FreeBSD #pkgbase #HumanRights

2025-06-10

Ouch. We're not even in the hottest part of the summer. I suspect our electric bill will be pretty expensive this summer. Note that this comes out of personal finances, not from HardenedBSD Foundation.

I love you all and think it's worth it, but ouchies.

#HardenedBSD

[Image: Electricity bill for $477 USD]

2025-06-10

@pertho That would be neat. Have not encountered a tunable like this in FreeBSD. #HardenedBSD might have some offerings related to this, though.

2025-06-08

For some reason, trying to build #HardenedBSD installer images with #FreeBSD #pkgbase built-in is failing for me.

Here's the work-in-progress patch against HardenedBSD's hardened/current/master branch: hardenedbsd.org/~shawn/pkgbase

If anyone has any ideas, please let me know.

[Image: Screenshot showing the pkgbase-stage.lua script failing to find the HardenedBSD kernel package.]

2025-06-03

All of a sudden, the #HardenedBSD #GitLab instance is being DDoS'd by your not-so-friendly AI scrapers.

I've been resisting the urge so far, but I might just need to deploy #Anubis.

2025-06-03

Test #HardenedBSD 15-CURRENT #pkgbase build is here: installers.hardenedbsd.org/pkg

With any luck, our next quarterly installer/update build will include our first real pkgbase repo.

That test link above will eventually be switched to something more permanent, so please don't rely on that link for production use.

I likely will create a new subdomain (pkgbase.hardenedbsd.org or something) to be able to handle future changes/migrations to the servers.

2025-06-02

I've published a new, untested build of #hbsdfw (a #HardenedBSD 14-STABLE based fork of #OPNsense ).

Your update process is, as usual:

  1. Backup your existing config
  2. Reinstall with the new image
  3. Restore your config

Default username: root
Default password: hbsdfw

hardenedbsd.org/~shawn/hbsdfw/

#infosec

2025-06-01

I think I got it working.

#FreeBSD #HardenedBSD #pkgbase

[Image: Screenshot showing code which creates the pkgbase repo.]

2025-06-01

Working on #pkgbase for #HardenedBSD. The thing I'm not sure about is how to properly sign the pkgbase repo.

The #FreeBSD build(7) manual page does not address how to sign the pkgbase repo. It correctly describes the basics of creating the repo, but not for signing it.

Reading Makefile.inc1, I see a reference to ${PKG_REPO_SIGNING_KEY}, but I'm not entirely sure what to set that to because of the weird way pkg repo is supposed to be invoked when repo signing is desired.

Before, when building package repos with Poudriere, we used to reference the package signing key directly. Now, we use Poudriere's SIGNING_COMMAND variable. It appears pkgbase does not support the same variable.

Note that, like FreeBSD, HardenedBSD's pkg repos are set to use the fingerprints repo signing method.

Oh how confused I am. At the very least, it would be appreciated if build(7) was updated to show how to properly set the right variables.

2025-06-01

Figured out the #HardenedBSD RTLD regression. Commit coming in soon.

2025-05-28

Looks like a regression was recently introduced with regards to the #HardenedBSD RTLD hardening feature. I'll take a look at that this weekend.

For some reason, the RTLD thinks hardening is enabled, even when it's explicitly disabled.

2025-05-26

Interesting #HardenedBSD feature request from Ali Polatel of the #SydLinux distro: git.hardenedbsd.org/hardenedbs

I like the idea of this as it would help mitigate file descriptor reuse attacks. However, we can't implement it as a syscall since HardenedBSD must remain syscall-compatible with #FreeBSD.

I wonder if we could implement it as a sysctl node (using SYSCTL_PROC(9) instead). The libc wrapper would call sysctlbyname behind-the-scenes.

This coming week, I'm gonna be focused on other parts of HardenedBSD. I need to get pkgbase repos deployed before the next automated builds. After I finish that and a few other things, I'll take a look at this feature request.

#infosec
