Conversation

Notices

1. Embed this notice
   Ed Maste (emaste@mastodon.social)'s status on Friday, 12-May-2023 04:34:58 JST Ed Maste

   What security features/improvements would you like to see in #FreeBSD in 2023?

   • Embed this notice
     feld (feld@bikeshed.party)'s status on Friday, 12-May-2023 04:34:55 JST feld

     in reply to
     fix these things so we don't have to do it ourselves and people can stop linking to this blog post
     
     https://vez.mrsk.me/freebsd-defaults.html
   • Embed this notice
     feld (feld@bikeshed.party)'s status on Friday, 12-May-2023 23:17:22 JST feld

     in reply to

     • stephen-fox
     OpenBSD's ntpd (openntpd) is not suitable as a replacement for a lot of reasons, especially as the timekeeping algorithm is not very good either.
     
     In FreeBSD we now have mac_ntpd(4) which gives us the ability to run ntpd without root. This is the default configuration now. It's not really a security concern anymore.
   • Embed this notice
     stephen-fox (stephen0x2dfox@hachyderm.io)'s status on Friday, 12-May-2023 23:17:29 JST stephen-fox

     in reply to

     • feld

     @feld @emaste Thanks for sharing. That blog post was a great read. I wonder if the OpenBSD ntpd could be included in the FreeBSD install if the existing daemon is in such bad shape.

     The CCC presentation linked in that post is a worthwhile watch too (https://www.youtube.com/watch?v=rRg2vuwF1hY). A third-party audit of (say) the TCP/IP stack would be really interesting.

     It looks like there is already some automated kernel fuzzing in place which is really great to see.