HardenedBSD April 2023 Status Report

April was busy from an administrative perspective, with me working to get the Foundation and the Project ready to move to Colorado. We have around 90% of what we need to file as a not-for-profit, tax-exempt charitable organization in Colorado. We're hoping to file by the end of 05 May 2023.

Once the Colorado organization is live, we'll switch the federal side to point the headquarters to the new, yet-to-be-determined Colorado address. I believe once that's done, we should be fully re-headquartered.

On 02 June 2023, I plan to do our last pre-move code sync. Remember, we provide read-only mirrors on GitHub (listed below) for our base and ports repositories.

On 03 June 2023, I plan to take the build infrastructure down for the move. We do not have an ETA for bringing it back up, but bringing up the infrastructure will be of highest priority. I'll be unpacking and powering on equipment before I unpack the kitchen. ;-)

Package repos will remain online even during the move. However, we will need to rely on our mirrors (link to the mirrors page below) to provide installation media. We are grateful for those who provide public mirrors.

Please reach out to us (core@hardenedbsd.org or netops@hardenedbsd.org) to get set up as a public mirror if you're interested. The sooner we can get new mirrors launched, the better poised we (the community) are for the move.

Let's get to the changes! In src:

  1. The installer will no longer ask to install the kernel debug distset. We do not support downloading the distsets at install time.
  2. FreeBSD kept trying various methods to enable Netlink support in the kernel. Given our concerns about Netlink's current code quality, we kept following along to keep Netlink disabled by default.

In ports:

  1. MrUnix disabled the JIT in www/chromium and www/iridium, which switches the default JavaScript engine to one that's PaX MPROTECT-safe.
  2. MrUnix fixed multimedia/obs-studio.
  3. MrUnix disabled PaX MPROTECT for www/node18.
  4. MrUnix disabled PaX MPROTECT for www/node19.
  5. MrUnix disabled PaX PAGEEXEC for devel/valgrind and devel/valgrind-devel.

I have decided to punish myself by running HardenedBSD 14-CURRENT/amd64 with Cross-DSO CFI enabled for base on my primary laptop. My goal here is to see if I can effectuate the move to Colorado while running with Cross-DSO CFI. The first problem I experienced was i3wm, which would crash upon launching any command. Interestingly, xfce4 mostly works. The xfce4-panel application crashes, but the rest of xfce4 seems to work just fine and dandy.

We are grateful for the past, present, and future contributions from the community. There are many ways to contribute to the project. You don't have to be a security expert or even know how to program! We appreciate contributions in any form they come in, like advocacy, monetary donations, documentation, bug reports, etc. Thank you for making this project possible!

GitHub src repo: https://github.com/HardenedBSD/hardenedBSD
GitHub ports repo: https://github.com/hardenedBSD/ports
Installation media mirrors: https://hardenedbsd.org/content/mirrors