diff --git a/website/content/en/status/report-2024-07-2024-09/core.adoc b/website/content/en/status/report-2024-07-2024-09/core.adoc index 5e2f809ade..36354bdf5b 100644 --- a/website/content/en/status/report-2024-07-2024-09/core.adoc +++ b/website/content/en/status/report-2024-07-2024-09/core.adoc 
@@ -1,49 +1,50 @@ === FreeBSD Core Team Contact: FreeBSD Core Team The FreeBSD Core Team is the governing body of FreeBSD. Core welcomes René Ladan (rene@) as their new secretary. ==== Liaisons Core selected new liaisons for the various teams among themselves: * bugmeister: glebius * ci: olivier * clusteradm: mat * doceng: lwhsu * foundation: hrs * portmgr: tcberner * re: dch * secteam: allanjude * srcmgr: glebius ==== DevSummit 202409 * The Core Team was almost fully present at EuroBSDCon 2024 in Dublin. The following people were present: allanjude, dch, glebius, hrs, lwhsu, mat, olivier, rene * Slides are available at link:https://wiki.freebsd.org/DevSummit/202409[] * Core met with the FreeBSD Foundation to have their periodic meeting and take the change to do it in face-to-face. Topics included improving alignment and communications between the two groups and the community. ==== New support timeline for FreeBSD releases * Core approves the proposal by re@ to reduce the support timeline for FreeBSD releases from five to four years, after which the release is supported on a best-effort basis. This proposal is also backed by portmgr and secteam. ==== srcmgr -* Core helped in forming a new srcmgr team. Their charter is not fully set in stone yet, it can be adjusted if needed in 6-12 months from now. +* Core helped in forming a new srcmgr team. + Their charter is not fully set in stone yet, it can be adjusted if needed in 6-12 months from now. * Nominations for new src commit bits should from now on be sent to srcmgr@ instead of core@ * A lurker program is suggested to keep an influx of new members. * Core announced srcmgr during DevSummit 202409 and sent a follow-up to developers@ on September 29. ==== Commit bits * Core welcomes Igor Ostapenko (igoro) as a new src committer. * Core extended the text that the grim reaper script sends to include ways on how to get commit bits of developers re-activated. 
diff --git a/website/content/en/status/report-2024-07-2024-09/dhclient.adoc b/website/content/en/status/report-2024-07-2024-09/dhclient.adoc index 059e87b390..9d6468aa54 100644 --- a/website/content/en/status/report-2024-07-2024-09/dhclient.adoc +++ b/website/content/en/status/report-2024-07-2024-09/dhclient.adoc 
@@ -1,16 +1,19 @@ === Changes to dhclient to speed up the FreeBSD boot process Links: + link:https://wiki.freebsd.org/SummerOfCode2024Projects/SpeedingUpTheFreeBSDBootProcess[Speeding up the FreeBSD boot process] URL: link:https://wiki.freebsd.org/SummerOfCode2024Projects/SpeedingUpTheFreeBSDBootProcess[] + link:https://github.com/freebsd/freebsd-src/pull/1368[dhclient Pull Request] URL: link:https://github.com/freebsd/freebsd-src/pull/1368[] + Contact: Isaac Cilia Attard -As part of my Google Summer of Code 2024 project, involving speeding up the FreeBSD boot process, I have worked on decreasing the time it takes for ARP resolution within dhclient to happen. This involved reducing the default ARP resolution timeout from 2000 ms to 250 ms, and adding an option to disable it altogether. The latter is useful within cloud environments, where a node is certain to have an IP address allotted to it. +As part of my Google Summer of Code 2024 project, involving speeding up the FreeBSD boot process, I have worked on decreasing the time it takes for ARP resolution within dhclient to happen. +This involved reducing the default ARP resolution timeout from 2000 ms to 250 ms, and adding an option to disable it altogether. +The latter is useful within cloud environments, where a node is certain to have an IP address allotted to it. -As a consequence of this, connecting to a DHCP network is now faster, including the boot process during which this happens. The speedup experienced is about 2 seconds. +As a consequence of this, connecting to a DHCP network is now faster, including the boot process during which this happens. +The speedup experienced is about 2 seconds. This causes FreeBSD systems to boot significantly faster than before. Sponsor: Google LLC (GSoC 2024) diff --git a/website/content/en/status/report-2024-07-2024-09/doceng.adoc b/website/content/en/status/report-2024-07-2024-09/doceng.adoc index dcbd624fe6..2f3f0eee8e 100644 
--- a/website/content/en/status/report-2024-07-2024-09/doceng.adoc +++ b/website/content/en/status/report-2024-07-2024-09/doceng.adoc 
@@ -1,91 +1,92 @@ //// Quarter: Prepared by: Reviewed by: Last edit: $Date$ Version: $Id:$ //// === Documentation Engineering Team Link: link:https://www.freebsd.org/docproj/[FreeBSD Documentation Project] URL: link:https://www.freebsd.org/docproj/[] + Link: link:https://docs.freebsd.org/en/books/fdp-primer/[FreeBSD Documentation Project Primer for New Contributors] URL: link:https://docs.freebsd.org/en/books/fdp-primer/[] + Link: link:https://www.freebsd.org/administration/#t-doceng[Documentation Engineering Team] URL: link:https://www.freebsd.org/administration/#t-doceng[] Contact: FreeBSD Doceng Team The doceng@ team is a body to handle some of the meta-project issues associated with the FreeBSD Documentation Project; for more information, see link:https://www.freebsd.org/internal/doceng/[FreeBSD Doceng Team Charter]. -Benedict Reuschling steps down from doceng@. doceng@ would like to thank bcr@ for his service. +Benedict Reuschling steps down from doceng@. +doceng@ would like to thank bcr@ for his service. ==== Document changes * Handbook: Document the automatic creation of XDG directories starting with FreeBSD 14.1. The VNET config example script has been fixed. * Architecture Handbook: remove K&R prototypes in MAC chapter. * Website: Some improvements regarding the top banner and layout, visually rearrange buttons and more. * Documentation repository: fix of all malformed tables warnings. Removal of deprecated attributes to conform to new gohugo releases. 
==== FreeBSD Translations on Weblate Link: link:https://wiki.freebsd.org/Doc/Translation/Weblate[Translate FreeBSD on Weblate] URL: link:https://wiki.freebsd.org/Doc/Translation/Weblate[] + Link: link:https://translate-dev.freebsd.org/[FreeBSD Weblate Instance] URL: link:https://translate-dev.freebsd.org/[] ===== Q3 2024 Status * 17 team languages * 214 registered users 1 new translator joined Weblate: * matthew (id) ===== Languages * Chinese (Simplified) (zh-cn) (progress: 7%) * Chinese (Traditional) (zh-tw) (progress: 3%) * Dutch (nl) (progress: 1%) * French (fr) (progress: 1%) * German (de) (progress: 1%) * Greek (el) (progress: 1%) * Indonesian (id) (progress: 1%) * Italian (it) (progress: 5%) * Korean (ko) (progress: 32%) * Norwegian (nb-no) (progress: 1%) * Persian (fa-ir) (progress: 3%) * Polish (progress: 2%) * Portuguese (progress: 0%) * Portuguese (pt-br) (progress: 24%) * Spanish (es) (progress: 36%) * Turkish (tr) (progress: 2%) We want to thank everyone that contributed, translating or reviewing documents. And please, help promote this effort on your local user group, we always need more volunteers. ==== Packages maintained by DocEng During this quarter the following work was done in packages maintained by doceng@: * textproc/docproj: Bump gohugo dependency to 0.133.1 * www/gohugo: update to 0.134.3 ==== Open issues There are 2 Open PRs in bugzilla assigned to doceng@: * 276923 www/gohugo link error under poudriere * 267274 Please remove the zh-CN Handbook of the current FreeBSD website During this quarter doceng@ closed 3 PRs: * 266107 FreeBSD Handbook and other books: PDF: broken links – crossref * 279815 status reports: ERR_TOO_MANY_REDIRECTS * 281396 handbook: ERROR: : line 149: dropping cells from incomplete row detected diff --git a/website/content/en/status/report-2024-07-2024-09/mac_do.adoc b/website/content/en/status/report-2024-07-2024-09/mac_do.adoc index c06e2933f2..7fb834021b 100644 
--- a/website/content/en/status/report-2024-07-2024-09/mac_do.adoc +++ b/website/content/en/status/report-2024-07-2024-09/mac_do.adoc 
@@ -1,39 +1,40 @@ === mac_do(4), setcred(2), mdo(1) Contact: Olivier Certner Contact: Baptiste Daroussin This project aims at allowing controlled process credentials transitions without using setuid executables but instead leveraging our MAC framework. -Traditional programs for credentials change have to execute preliminary operations as root (if not as the effective UID, at a minimum as the saved UID). Some of these programs (e.g., man:sudo[8]) have lots of lines of codes and comprise features (e.g., loadable security modules) that can be dangerous from a security standpoint. +Traditional programs for credentials change have to execute preliminary operations as root (if not as the effective UID, at a minimum as the saved UID). +Some of these programs (e.g., man:sudo[8]) have lots of lines of codes and comprise features (e.g., loadable security modules) that can be dangerous from a security standpoint. Thus, they have a non-negligible attack surface and are difficult to prove correct. Additionally, in most scenarios, the extra features they bring are not necessary. More generally, the threat model for the man:mac_do[4] kernel module part is that of compromised userland programs, be they credentials changers or credentials providers ones. This stance implies that calls to the kernel's credentials-changing API must be monitored by the kernel without upcalls to userland. In practice, man:mac_do[4] must be configured beforehand by the administrator to indicate which transitions of credentials are valid (through a man:sysctl[8] knob, `security.mac.do.rules`). Currently, the companion userland program, man:mdo[1], is the only one that can be authorized to proceed by man:mac_do[4] (for now, based on the executable path). This tiny program simply establishes the new credentials via calls to man:setuid[2], and optionally man:initgroups[3] (calling man:setgroups[2]) and man:setgid[2] (if `-i` was not passed). 
The resulting set of groups is either that of the target UID based on the password database, or that before the change in UID (when using `-i`). The second alternative can be a security hazard in some cases (as the effective GID is not changed either), whereas the first contradicts the threat model above. The current man:mac_do[4] rules specification indeed only allows to express simple UID transitions towards explicit UIDs from other explicit UIDs or GIDs, without taking into account groups. Consequently, the kernel module currently cannot check the content of man:setgroups[2] and man:setgid[2] system calls' parameters, relying completely on man:mdo[1] passing the right information. A new version of man:mac_do[4] has been in the works for approximately a month. Besides fixing concurrency, per-jail settings and MAC policies composition problems, it features a revamp of the rules specification in order to make it possible to finely control which groups are allowed in the resulting credentials. Notably, primary and secondary groups can now be specified independently, and for the latter, GIDs can be tagged as allowed, mandatory or forbidden. A special alias, `.`, can be used to indicate the current process' UIDs or GIDs depending on the context. These new features imply that the man:mac_do[4] module is able to apply credentials change at once, since the allowed final credentials depend on the initial ones through the configured rules. The traditional userland interface (e.g., man:setuid[2], man:setuid[2], man:setgroups[2], etc.) is at odds with this requirement as it necessitates multiple calls to reach the desired final credentials, making the process pass by several successive states that themselves may not be allowed by man:mac_do[4]'s rules. We overcome this limitation by introducing a new system call, man:setcred[2], which allows to request arbitrary transitions of credentials at once. 
Beside its usefulness in conjunction with man:mac_do[4], it has the benefit of simplifying coding of credentials change in userland. Since it is also extensible, it may have the potential to be adopted later by other systems. Pre-requisite changes are currently under review (see in particular revisions link:https://reviews.freebsd.org/D46886[D46886] to link:https://reviews.freebsd.org/D46889[D46889] and link:https://reviews.freebsd.org/D46896[D46896] to link:https://reviews.freebsd.org/D46923[D46923]). The bulk of changes in man:mac_do[4]/man:mdo[1] proper will soon be pushed under review as well. An older version of the full series can be seen on link:https://github.com/OlCe2/freebsd-src/tree/oc-mac_do[GitHub]. Sponsor: The FreeBSD Foundation diff --git a/website/content/en/status/report-2024-07-2024-09/pinephone.adoc b/website/content/en/status/report-2024-07-2024-09/pinephone.adoc index ca2095c1e1..31b82dad25 100644 --- a/website/content/en/status/report-2024-07-2024-09/pinephone.adoc +++ b/website/content/en/status/report-2024-07-2024-09/pinephone.adoc 
@@ -1,22 +1,23 @@ === Pinephone Pro Support Links: + link:https://codeberg.org/Honeyguide/freebsd-pinephonepro[Repository on Codeberg] URL: link:https://codeberg.org/Honeyguide/freebsd-pinephonepro[] Contact: Toby Kurien A new project trying to make FreeBSD usable on the Pinephone Pro has been started during August. The current FreeBSD RELEASE images already boot on a Pinephone Pro, but no screen output or other devices are supported. The aim is to step by step support additional components so that the device one day might be usable as a highly mobile FreeBSD device. Over the last few weeks, the groundwork has been implemented like getting used to the device, cross-compiling and booting a 15.0-CURRENT custom kernel as well as toggling the LEDs (red/green/blue in the front). Also, the LCD backlight can be turned on already and the USB-C hub is enabled even though it is not yet functional due to missing power management support. The next step is to write a driver for the RK818 power management chip. -Without it, most of the hardware will not power on like the USB-C port above. This will be done by trying to modify the existing RK808 driver. +Without it, most of the hardware will not power on like the USB-C port above. +This will be done by trying to modify the existing RK808 driver. RK818 support should then make it possible to access a lot more of the devices, e.g. allowing to enable the screen, USB peripherals or WiFi. Additional feedback and testers are welcome. Sponsor: Honeyguide Group diff --git a/website/content/en/status/report-2024-07-2024-09/pot.adoc b/website/content/en/status/report-2024-07-2024-09/pot.adoc index 43e02f0d25..220704d40e 100644 --- a/website/content/en/status/report-2024-07-2024-09/pot.adoc +++ b/website/content/en/status/report-2024-07-2024-09/pot.adoc 
@@ -1,23 +1,24 @@ === Containers and FreeBSD: Pot, Potluck and Potman Links: + link:https://github.com/bsdpot[Pot organization on GitHub] URL: link:https://github.com/bsdpot[] Contact: Luca Pizzamiglio (Pot) + Contact: Bretton Vine (Potluck) + Contact: Michael Gmelin (Potman) Pot is a jail management tool that link:https://www.freebsd.org/news/status/report-2020-01-2020-03/#pot-and-the-nomad-pot-driver[also supports orchestration through Nomad]. Potluck aims to be to FreeBSD and Pot (and potentially one day also Podman) what Dockerhub is to Linux and Docker: a repository of container descriptions and complete container images for usage with Pot and in many cases Nomad. During this quarter, there were two bugfixes to link:https://github.com/bsdpot/pot[Pot] that will be released soon. Potluck images saw some updates again. -All images have been rebuilt again to include the latest fixes and quarterly packages. Additionally, some images like link:https://github.com/bsdpot/potluck/tree/master/loki[Loki] or link:https://github.com/bsdpot/potluck/tree/master/vault[Vault] have also received additional updates and bugfixes. +All images have been rebuilt again to include the latest fixes and quarterly packages. +Additionally, some images like link:https://github.com/bsdpot/potluck/tree/master/loki[Loki] or link:https://github.com/bsdpot/potluck/tree/master/vault[Vault] have also received additional updates and bugfixes. Also, we have done some research regarding potential future support of OCI, Buildah and Podman images in Potluck. Two blog posts, one describing link:https://honeyguide.eu/posts/build-own-containers-buildah-podman-freebsd/[a basic Buildah and Podman setup] and one describing link:https://honeyguide.eu/posts/micropod-blog-post/[how to orchestrate Podman containers with Nomad and Consul] have been published. As always, feedback and patches are welcome. Sponsors: Nikulipe UAB, Honeyguide Group
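Review bot: in core.adoc, the re-wrapped srcmgr bullet still carries a comma splice on the new second line, "Their charter is not fully set in stone yet, it can be adjusted if needed in 6-12 months from now." Since the line is being rewritten anyway, split it into two sentences or join the clauses with "and". Two nits in the same hunk's context: the DevSummit bullet reads "take the change to do it in face-to-face", which looks like a typo for "chance", and the bullet ending "sent to srcmgr@ instead of core@" has no final period, unlike its neighbours.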
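Review bot: in dhclient.adoc, the sentence now on its own line, "This involved reducing the default ARP resolution timeout from 2000 ms to 250 ms, and adding an option to disable it altogether.", never names the option, so a reader has to open the pull request to use it. Please name it here. The following paragraph gives the speedup as "about 2 seconds", but going from 2000 ms to 250 ms saves 1.75 s and only disabling the step saves the full 2 s, so say which configuration the figure refers to. One clause on what the ARP step is for would also help an administrator judge when disabling it is appropriate outside the cloud case mentioned.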
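Review bot: in doceng.adoc, the Weblate section's "17 team languages" does not match the Languages list below it, which has 16 entries. Either one language is missing from the list or the count needs correcting. In that list, "Polish (progress: 2%)" and the first "Portuguese (progress: 0%)" entry lack the language code that every other entry carries. The sentence split for "Benedict Reuschling steps down from doceng@." itself looks fine.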
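Review bot: in mac_do.adoc, the paragraph motivating man:setcred[2] lists "man:setuid[2], man:setuid[2], man:setgroups[2]", so one call is named twice; presumably the second was meant to be a different call, so please check with the authors. On the line this change rewrites, "lots of lines of codes" should be "lots of lines of code". In the man:mdo[1] paragraph, the parenthetical "(if `-i` was not passed)" sits after man:setgid[2] only, so it is unclear whether `-i` also suppresses the man:initgroups[3] call. Given that the next sentences discuss the security consequences of `-i`, that sentence should state exactly which calls are skipped.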
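Review bot: in pinephone.adoc, the sentence now isolated on its own line, "Without it, most of the hardware will not power on like the USB-C port above.", can be read as saying the USB-C port does power on, while the previous paragraph says it is "not yet functional due to missing power management support". Suggest "Without it, most of the hardware, such as the USB-C port above, will not power on."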
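Review bot: in pot.adoc, the two lines produced by the split repeat themselves: "Potluck images saw some updates again." is followed by "All images have been rebuilt again", and the next sentence says images "have also received additional updates". This is a style point only; dropping the second "again" and either "also" or "additional" would tighten the paragraph without changing its meaning.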