HardenedBSD December 2025 Status Report

This status report is going to be a lengthy one. Due to scheduling conflicts, I was unable to get out the November status report, so this one covers the two months November and December 2025.

A large portion of my focus has been on the infrastructure, standing up a build environment for the recently-created hardened/15-stable/main branch. As discussed in a previous mailing list thread[1], the 14-STABLE build infrastructure has now been migrated to 15-STABLE. We have archived the last 14-STABLE package build, which completed on 24 Dec 2025.

We self-host nearly the entirety of our infrastructure out of my home. We have only one leased server, from the fine folks at NetActuate (previously RootBSD). This leased server hosts our main website, the hbsd-update build artifacts, and the package repos. Our package repos, naturally, grow over time. Back when we started this, each package repo was at most 75GB in size. Now we're approaching 135GB.

We now have a 30TB NAS in the home-based infrastructure. In order to support the growth, we will be migrating the package repo to the home infra. The package repos themselves have already been migrated. The only thing left to do is adjust the various DNS entries. I plan to do that once we have a usable 15-STABLE package repo. We will update this[2] mailing list thread when the migration has completed, DNS records and all. There will likely be a little blip in HTTPS/TLS connections as we regenerate LetsEncrypt certs. There's a delicate dance here. I plan to keep everyone informed as to when I begin and complete the process.

The 14-STABLE build server (which is now being migrated to 15-STABLE) housed two VMs:

  1. The OS installer/update build VM. This builds the artifacts published at https://installers.hardenedbsd.org/ and mirrors.
  2. The package build VM.

When we deployed that (stupendously) slow server to test its capabilities as a build server for 15-STABLE, we followed the same pattern: two separate VMs. We are going to keep the 15-STABLE OS installer/update build VM on that slow server. We're going to power off the 14-STABLE OS build VM and reallocate its resources to the package build VM. This means we should be able to decrease the time it takes for that server to produce a usable package repo. Naturally, this comes at the cost of a slower build time for the OS installer/updates, but that process can tolerate **a lot** of slowness. So long as it can produce its build artifacts in less than 48 hours, I'm satisfied. It's the package building (36,000+ packages) that takes the most resources.

I spent a lot of time in the ports tree over the past couple of months. The focus was on fixing ports broken by the various hardening techniques we employ. The introduction of -Werror=format-security caused a large amount of fallout, which I have been addressing. While addressing those, I figured I might as well fix ports broken by the other techniques.
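The pattern -Werror=format-security rejects, and the usual fix, as an added example that is not code from the HardenedBSD src or ports trees; the function names and the sample message are constructed for the illustration:

```c
/* Added example (not from the HardenedBSD report or ports tree): the
 * non-literal format argument that -Werror=format-security turns into a
 * build error, and the literal-format form the ports fixes move to. */
#include <stdio.h>
#include <string.h>

/* Rejected under -Werror=format-security: the format argument is not a
 * string literal, so any '%' directives inside msg would be interpreted.
 *
 *   static void log_msg_unsafe(const char *msg) { printf(msg); }
 *
 * Fixed form: pass a literal format and hand the message in as data. */
static void log_msg(const char *msg)
{
    printf("%s\n", msg);
}

/* Same idea for a buffer-rendering helper; returns the snprintf result so
 * callers can check for truncation. */
int render_msg(char *buf, size_t len, const char *msg)
{
    return snprintf(buf, len, "%s", msg);
}

/* Constructed input that contains '%' directives: with a literal format the
 * message is copied verbatim rather than interpreted as a format string. */
int demo(char *buf, size_t len)
{
    const char *untrusted = "progress 99% (%s)";
    log_msg(untrusted);
    return render_msg(buf, len, untrusted);
}
```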

I'm working on enhancing libhbsdcontrol with better error handling. I'm hoping to have that work committed in early January 2026.

I'm hoping in January to spend some time on hbsdfw. The VM I've been using to build hbsdfw has been panicking when the Poudriere build of the hbsdfw packages finishes. In Q1 2026, I plan to migrate hbsdfw from HardenedBSD 14-STABLE to 16-CURRENT. Following the hardened/current/master src branch will lighten my load in maintaining this little hobby subproject.

I need to file a bug report upstream in FreeBSD/OpenZFS to track this kernel panic. The panic happens when something during the build checks whether PaX PAGEEXEC is enabled by looking up a filesystem extended attribute. OpenZFS recently changed how filesystem extended attributes work, so it's possible we're hitting a unique edge case.

In January, I'm going to get two lab environments set up:

  1. Internal Reticulum nodes to test the Reticulum protocol and its potential for use with our censorship- and surveillance-resistant mesh network R&D.
  2. Internal Radicle nodes to start concerted testing to eventually replace GitLab with Radicle.

I feel somewhat down for not making more progress this year on the censorship- and surveillance-resistant networks. I'm hoping to place more emphasis on this in 2026.

In src:

  1. Always build elftc-nm and elft-ar
  2. TPE: Ensure user-owned vnodes are unwritable
  3. ASLR: Use VMFS_NO_SPACE to map the stack
  4. Add various C/C++ hardening flags:
    1. -fno-delete-null-pointer-checks
    2. -Werror=format-security
  5. Unlock the sound mutex on error
  6. Fix branch detection in release
  7. Disable SafeStack for the Unbound daemon
  8. Some pkgbase-related work

In ports (this is gonna be a long list, our longest to date):

  1. Disable LINUX for x11/nvidia-kmod
  2. ftp/curl: Fixup .onion patch
  3. Add "general compilation hardening" USES
  4. Delete unneeded patch for databases/redis
  5. Fix archivers/zip
  6. Disable hardcflags for devel/m4
  7. Disable hardcflags for lang/gcc13
  8. Disable HARDCFLAGS for devel/t1lib
  9. Fix HARDCFLAGS errors for devel/ctags
  10. Disable HARDCFLAGS for archivers/unzip
  11. Fix HARDCFLAGS for net-mgmt/libsmi
  12. Disable HARDCFLAGS for x11-toolkits/open-motif
  13. Disable HARDCFLAGS for devel/expect
  14. Fix the devel/ivykis port
  15. Fix HARDCFLAGS for multimedia/webcamd
  16. Disable HARDCFLAGS for lang/gcc12
  17. Disable HardenedBSD features for lang/gcc14
  18. Disable HardenedBSD features for lang/gcc15
  19. Disable HardenedBSD features for lang/gcc16-devel
  20. Fix HARDCFLAGS for multimedia/smpeg
  21. Disable HARDCFLAGS for devel/elfutils
  22. Fix HARDCFLAGS for converters/recode
  23. Disable fortifysource for graphics/netpbm
  24. Fix hardcflags for devel/fortytwo-encore
  25. Fix HARDCFLAGS for graphics/libvisual04
  26. Disable HARDCFLAGS for devel/kBuild
  27. Fix HARDCFLAGS for devel/libbegemot
  28. Fix HARDCFLAGS for games/pmars-sdl
  29. Disable FORTIFYSOURCE for security/signify
  30. Disable HARDCFLAGS for mail/mailutils
  31. Fix HARDCFLAGS for devel/ta-lib
  32. Fix HARDCFLAGS for math/spooles
  33. Fix HARDCFLAGS for textproc/wv
  34. Fix HARDCFLAGS for databases/sqlite2
  35. Disable HARDCFLAGS for graphics/lensfun
  36. Fix HARDCFLAGS for devel/rlwrap
  37. Disable fortifysource for mail/opensmtpd
  38. Fix HARDCFLAGS for x11-toolkits/unique
  39. Fix HARDCFLAGS for devel/efivar
  40. Fix HARDCFLAGS for lang/f2c
  41. Fix HARDCFLAGS for textproc/scim-table-imengine
  42. Disable FORTIFYSOURCE and HARDCFLAGS for sysutils/fwupd-efi
  43. Fix HARDCFLAGS for games/libmt_client
  44. Disable HARDCFLAGS for games/gnugo
  45. Fix HARDCFLAGS for comms/rxtx
  46. Disable PIE and RELRO for databases/redis
  47. Fix build for devel/omniORB
  48. Fix build of security/rubygem-bcrypt_pbkdf
  49. Fix HARDCFLAGS for math/grace
  50. Fix HARDCFLAGS for audio/libbs2b
  51. Disable HARDCFLAGS for graphics/plotutils
  52. Fix HARDCFLAGS for emulators/libretro-reicast
  53. Add -Wformat for HARDCFLAGS
  54. Disable HARDCFLAGS for graphics/gracula
  55. Fix HARDCFLAGS for mail/spmfilter
  56. Add cheat support in games/ioquake3
  57. Fix HARDCFLAGS for print/catdvi
  58. Fix HARDCFLAGS for graphics/seom
  59. Fix HARDCFLAGS for deskutils/presage
  60. Fix HARDCFLAGS for graphics/alpng
  61. Enable SLH for games/ioquake3
  62. Fix -Werror=format-security bug in games/ioquake3
  63. Fix HARDCFLAGS for x11-toolkits/fox16
  64. Disable HARDCFLAGS for graphics/glslang
  65. Re-enable PIE and RELRO for databases/redis
  66. Fix HARDCFLAGS for converters/uudeview
  67. Fix HARDCFLAGS for textproc/gdome2
  68. Disable FORTIFYSOURCE for misc/mbuffer
  69. Disable HARDCFLAGS for archivers/unarj
  70. Disable FORTIFYSOURCE for misc/amanda-{client,server}
  71. Disable FORTIFYSOURCE for net/dante
  72. Fix HARDCFLAGS for archivers/sharutils
  73. Fix HARDCFLAGS for lang/squeak
  74. Disable FORTIFYSOURCE for devel/socket_wrapper
  75. Fix HARDCFLAGS for net/pvm
  76. Fix HARDCFLAGS for audio/snack
  77. Fix HARDCFLAGS for textproc/sgmlformat
  78. Fix HARDCFLAGS for cad/iverilog
  79. Fix HARDCFLAGS for sysutils/genisoimage
  80. Disable HARDCFLAGS for games/libretro-boom3
  81. Fix HARDCFLAGS for math/testu01
  82. Disable FORTIFYSOURCE for devel/pcc-libs
  83. Disable PIE for security/cryptlib
  84. Fix HARDCFLAGS for mail/addresses-goodies
  85. Fix build of devel/ivykis on 14-stable
  86. Disable HARDCFLAGS for security/pgpin
  87. (0x1eef) Fix grub2-bhyve build error
  88. Disable HARDCFLAGS for devel/cunit
  89. Disable FORTIFYSOURCE for editors/dte
  90. Disable FORTIFYSOURCE for mail/akpop3d
  91. Disable HARDCFLAGS for emulators/x48
  92. Fix HARDCFLAGS for net/osrtspproxy
  93. Fix HARDCFLAGS for mail/qmailmrtg7
  94. Fix HARDCFLAGS for print/transfig
  95. Disable PIE for graphics/nsxiv
  96. Disable FORTIFYSOURCE for devel/uid_wrapper
  97. Disable HARDCFLAGS for devel/cweb
  98. Fix FORTIFYSOURCE for multimedia/ffmpeg
  99. Fix build of lang/gcc14
  100. Fix FORTIFYSOURCE for devel/tex-libtexluajit
  101. Disable FORTIFYSOURCE and HARDCFLAGS for security/barnyard2
  102. Fix build of lang/gcc12
  103. Fix build of databases/arrow

[1]: https://groups.google.com/a/hardenedbsd.org/g/users/c/51IARO8noYo/m/asRq...
[2]: https://groups.google.com/a/hardenedbsd.org/g/users/c/G6HbsE8DA5w/m/I4ou...