HardenedBSD October 2025 Status Report

This status report covers both September and October 2025. The majority of September was spent on creating the new 15-STABLE branch (hardened/15-stable/main) along with the associated bits of infrastructure.

In src:

  1. Initial work on supporting pkgbase in the installer. This work is not ready just yet.
  2. We now build elftc-ar and elftc-nm again, regardless of whether LLVM is the default compiler toolchain.
  3. Trusted Path Execution (TPE) now checks permissions for user-owned vnodes.
  4. When mapping the stack, we now use VMFS_NO_SPACE rather than VMFS_ANY_SPACE. No functional change intended.

In ports:

  1. net-p2p/heartwood and related were bumped to 1.4.0.
  2. net-p2p/heartwood-httpd was bumped to 0.20.0.
  3. ports-mgmt/poudriere-hbsd was bumped to 3.4.2_2.
  4. We now apply the same hardening flags to www/forgejo and www/forgejo7 as we do www/gitea.
  5. _FORTIFY_SOURCE was disabled for audio/cdparanoia.
  6. PIE was disabled for audio/stk.
  7. The dependency of lang/gcc11 on lang/gcc12 was removed.
  8. LINUX was disabled for x11/nvidia-kmod.

I gave a presentation[1] at BSides Colorado Springs[2] about recent enhancements to libhijack[3].

I have also started working on better error handling in {,lib}hbsdcontrol. I plan to work on that and the censorship- and surveillance-resistant mesh network idea. I would like to have Reticulum deployed in a lab environment.

[1]: https://git.hardenedbsd.org/shawn.webb/presentations/-/blob/master/BSide...
[2]: https://www.bsidescos.org/
[3]: https://git.hardenedbsd.org/SoldierX/libhijack/