Planet

Last updated: 2025-08-19 20:45:02 UTC

Valuable News – 2025/08/18

Post by Vermaden via 𝚟𝚎𝚛𝚖𝚊𝚍𝚎𝚗 »

The Valuable News weekly series is dedicated to providing a summary of news, articles and other interesting stuff, mostly but not always related to UNIX/BSD/Linux systems. Whenever I stumble upon something worth mentioning on the Internet I just put it here.

Today the amount of information that we get from various information streams is at massive overload. Thus one needs to focus only on what is important without the need to grep(1) the Internet every day. Hence the idea of providing such information in ‘bulk’, as I already do that grep(1).

The Usual Suspects section at the end is permanent and has links to other sites with interesting UNIX/BSD/Linux news.

Past releases are available at the dedicated NEWS page.

UNIX

Install NetBSD (Short and Sweet Version).
https://dwarmstrong.org/netbsd-install/

Manual NetBSD Installation with Disk Encryption.
https://dwarmstrong.org/netbsd-encrypt-install/

NetBSD 11 Prepares for Launch with 57 Supported Platforms.
https://theregister.com/2025/08/05/netbsd_11_is_near/

What Can You Do with FreeBSD?
https://youtube.com/watch?v=_iCr6KMEbGM

BastilleBSD – Modern FreeBSD Container Framework.
https://thedistrowriteproject.blogspot.com/2025/08/BastilleBSD-The-Modern-FreeBSD-Container-Framework.html

How Easy is It to Setup OpenBSD Desktop for FreeBSD User?
https://youtube.com/watch?v=ATnMPOg_k6E

Build Terminal User Interfaces (TUIs) with Rust Based Ratatui.
https://github.com/ratatui/ratatui

Comando AWK. [2023]
https://drsaracco.wordpress.com/2023/10/11/comando-awk/

NetBSD Most Secure OS Ever. [2013]
https://betounix.blogspot.com/2013/04/netbsd-most-secure-os-ever.html

StarDict Sends X11 Clipboard to Remote Servers.
https://lwn.net/SubscriberLink/1032732/3334850da49689e1/

Steady in Shifting Open Source World: FreeBSD Enduring Stability.
https://opensource.net/freebsd-steady-shifting-open-source-world/

Introducing Storage Management for Proxmox Nodes and Clusters with Ansible Module.
https://gyptazy.com/introducing-storage-management-for-proxmox-nodes-clusters-with-the-new-ansible-module-proxmox_storage/

New Maple Mono Open Source Monospace Font.
https://github.com/subframe7536/maple-font

Serving Simple Website from FreeBSD Jail with Bastille.
https://journal.bsd.cafe/2025/08/13/serving-a-simple-website-from-a-jail-with-bastille/

Please Do Not Promote Wayland.
https://stoppromotingwayland.netlify.app/

Create Network Enabled Jail in Less than 30s Using Sylve.
https://reddit.com/r/freebsd/comments/1mojyp9/creating_a_networkenabled_jail_in_less_than_30s/

Open Source Political Protest Forks Thriving.
https://lunduke.substack.com/p/open-source-political-protest-forks

You Can Now Test GhostBSD with XLibre X11.
https://x.com/Ericbsd/status/1953204532369846689

Why You Should Not Use Markdown for Documentation.
https://ericholscher.com/blog/2016/mar/15/dont-use-markdown-for-technical-docs/

Quitting GitHub.
https://jpt.sh/posts/quitting-github/

Eighteen Years of Greytrapping – Is Weirdness Finally Paying Off?
https://bsdly.blogspot.com/2025/08/eighteen-years-of-greytrapping-is.html

GNU D Compiler Been Broken on FreeBSD 14 for Over Year.
https://briancallahan.net/blog/20250813.html

State of Virtualizing BSDs on Apple Silicon.
https://briancallahan.net/blog/20250222.html

I Revived pkgsrc on AIX.
https://briancallahan.net/blog/20250516.html

FreeBSD jemalloc 5.3.0 Upgrade.
https://lists.freebsd.org/archives/freebsd-current/2025-August/008416.html

From Minix to FreeBSD – My Journey Through Systems/Networks – Building India Own Storage OS.
https://linkedin.com/pulse/from-minix-freebsd-my-journey-through-systems-networks-daniel-prakash-mxh8c/

Implementing Basic Equivalent of OpenBSD pflog(8) Command for Linux nftables Firewall.
https://utcc.utoronto.ca/~cks/space/blog/linux/NftablesImplementingAPflog

Coolest Unix Systems You Never Knew About – OpenIndiana Hipster.
https://youtube.com/watch?v=vqHbjPQ0124

Is OpenBSD 10x Faster than Linux?
https://flak.tedunangst.com/post/is-OpenBSD-10x-faster-than-Linux

RoboNuggie BSD Library.
https://thedistrowriteproject.blogspot.com/2025/08/Robonuggie-BSD-Library.html

LLDP on FreeBSD.
https://freebsd.uw.cz/2025/08/lldp-on-freebsd.html

FreeBSD Router with DNS and DHCP Servers.
https://freebsd.uw.cz/2025/05/freebsd-router-with-dns-and-dhcp-servers.html

X11/Xlibre and Schism at Heart of Open Source.
https://gizvault.com/archives/the-schism-at-the-heart-of-opensource

Game of Trees 0.117 Released.
https://undeadly.org/cgi?action=article;sid=20250818074301

Hardware

AMD EPYC 4545P 16C/32T (2025) is 2.24x Faster Than 1st ZEN CPU – AMD EPYC 7601 32C/64T (2017).
https://phoronix.com/review/amd-epyc-4545p-efficiency/

List of IP KVM.
https://medium.com/@f81337/list-of-ip-kvms-pikvm-alternatives-4d04a1f90ece

Above Book T480s – Configured/Optimized/Secured with Arch Linux.
https://abovephone.com/product/abovebook/

Interim Computer Museum.
https://icm.museum/

68000 Wars – Part 1 – Lorraine.
https://filfre.net/2015/03/the-68000-wars-part-1-lorraine/

68000 Wars – Part 2 – Jack is Back!
https://filfre.net/2015/04/the-68000-wars-part-2-jack-is-back/

68000 Wars – Part 3 – We Made Amiga – They Fucked It Up.
https://filfre.net/2015/04/the-68000-wars-part-3-we-made-amiga-they-fucked-it-up/

68000 Wars – Part 4 – Rock Lobster.
https://filfre.net/2015/11/the-68000-wars-part-4-rock-lobster/

68000 Wars – Part 5 – Age of Multimedia.
https://filfre.net/2017/10/the-68000-wars-part-5-the-age-of-multimedia/

68000 Wars – Part 6 – Unraveling.
https://filfre.net/2020/03/the-68000-wars-part-6-the-unraveling/

Life

Proton Confirms Gradual Exit from Switzerland Over Surveillance Law Fears.
https://cyberinsider.com/proton-confirms-gradual-exit-from-switzerland-over-surveillance-law-fears/

Fight Chat Control – EU Wants to Scan Private Messages/Photos.
https://fightchatcontrol.eu/

Hollywood Stuntman Set on Fire for Pink Floyd Cover Dies Aged 88.
https://bbc.com/news/articles/c05e0z9lj3mo

Other

GitHub Just Got Less Independent from Microsoft After CEO Resignation.
https://theverge.com/news/757461/microsoft-github-thomas-dohmke-resignation-coreai-team-transition

AMIGA Prototype Lorraine Revealed! Incredible 1984 CES Booth Recreation with Dale Luck AMIGA/40.
https://youtube.com/watch?v=T0NvJ8IhNG4

Mozilla Slammed over Battery Draining Garbage AI in Firefox.
https://www.omgubuntu.co.uk/2025/08/firefox-high-cpu-usage-inference-disable

Winux Operating System – Windows Theme over Linux.
https://winuxos.org/

High Severity Vulnerabilities in Matrix Messaging Protocol.
https://therecord.media/matrix-messaging-protocol-high-severity-vulnerabilities

Bullfrog in the Dungeon.
https://filfre.net/2025/08/bullfrog-in-the-dungeon/

The Year of Peak Might and Magic.
https://filfre.net/2025/07/the-year-of-peak-might-and-magic/

TIOBE Index for August 2025 – Python/C++/C on Podium.
https://tiobe.com/tiobe-index/

Free and Open Source macOS Cursors.
https://github.com/ful1e5/apple_cursor

We are Suing Minecraft in Class Action Lawsuit.
https://youtube.com/watch?v=w_UF_4gZclI

Usual Suspects

BSD Weekly.
https://bsdweekly.com/

DiscoverBSD.
https://discoverbsd.com/

BSDSec.
https://bsdsec.net/

DragonFly BSD Digest.
https://dragonflydigest.com/

FreeBSD Patch Level Table.
https://bokut.in/freebsd-patch-level-table/

FreeBSD End of Life Date.
https://endoflife.date/freebsd

Phoronix BSD News Archives.
https://phoronix.com/linux/BSD

OpenBSD Journal.
https://undeadly.org/

Call for Testing.
https://callfortesting.org/

Call for Testing – Production Users Call.
https://youtube.com/@callfortesting/videos

BSD Now Weekly Podcast.
https://www.bsdnow.tv/

Nixers Newsletter.
https://newsletter.nixers.net/entries.php

BSD Cafe Journal.
https://journal.bsd.cafe/

DragonFly BSD Digest – Lazy Reading – In Other BSDs.
https://dragonflydigest.com

BSDTV.
https://bsky.app/profile/bsdtv.bsky.social

EOF

Ritter TD

Post by Bernd Dau via Zockertown: Nerten News »

CHATGPT-5, what can it do?

Well, this, for example, after a few attempts...

Ritter‑TD – Manual

Casual tower defense with a medieval look. Single file, playable offline.

Goal: Keep the goblins away from the right edge of the map. Each one that gets through costs a heart. Kills earn gold → build & upgrade towers.

Start

Open the game file ritter-td8.html in a browser (Firefox/Chromium). No assets are loaded; audio starts only after the first interaction.

Controls

Key – Function
Space – Start wave
1/2/3/4 – Select tower (Bow/Crossbow/Cannon/Mage)
Left click – Place tower (not on the path)
Right click / Esc – Cancel placement/selection (in the editor: delete the last corner)
U / V – Upgrade / Sell (also via button)
E – Map editor on/off
P / R – Pause / Restart

Towers

Bow tower (50)
Good all-rounder. 120 % damage against shooters (the only full counter).
Crossbow (70)
High single-target damage, long range; good against tough targets.
Cannon (90)
Area damage (splash); strong against groups, weaker vs. single enemies.
Mage (100)
Slows enemies (slow) and so gives more DPS time.

Upgrades increase damage, fire rate and, slightly, range (max. level 3).
Selling returns 70 % / 85 % / 95 % of the base price, depending on level (V).

Enemies

  • Goblin – standard target.
  • Shooter – fires red bolts at towers (−40 % fire rate, ~3.5 s), takes only 50 % damage from all towers except the bow tower (120 %). When hit, it gains +25 % speed for 2.5 s (shown as an orange ring). Active from wave 3; from wave 10, several can appear per wave (quota with short spacing).
  • Brute – very high HP, slow; small chance per wave, gives extra gold.

Waves, scaling & path

  • HP rise markedly with the wave: approx. 28 + 6·wave + 0.8·wave².
  • From wave 6 the path becomes more complex, once. Towers standing directly on the new path are removed (50 % gold refunded); all others stay in place.
  • Shooter probability scales from wave 3 (max. 85 %).

Map editor (simple)

  1. Press E → editor on.
  2. Set corners with left click (orthogonal). Right click/Backspace deletes the last corner.
  3. “Pfad übernehmen” (apply path): the new path becomes active. Enemies/projectiles are reset; the run pauses.

Tips

  • Place 1–2 mages at chokepoints early (to buy time).
  • Keep at least one bow tower in range against shooters.
  • Stagger cannons one behind another → splash zones overlap well.
  • Buy expensive upgrades early only if they actually turn the next wave; otherwise place an additional cheap tower instead.

Tech

  • No server, no assets – pure HTML/JS.
  • Audio via WebAudio (activates on the first click/key press).
  • Tested with Firefox & Chromium on Linux.


Can’t get to some Disney links

Post by Dan Langille via Dan Langille's Other Diary »

This is mostly for my future reference, for when this happens the next time. I hope it saves me 10-15 minutes of pondering.

I noticed this problem a few days ago. I was clicking on links in an email from Disney. The hostname didn’t resolve.

I passed it off as: well, they got problems…

It happened again today. Hold on, this isn’t likely. I tried the link again, from my phone, with wifi switched off (so as to not be using my home DNS). The link worked.

It took me a few looks around to figure out what was going on.

From my laptop:

[16:59 pro05 dvl ~] % host t.visit.disneydestinations.com
Host t.visit.disneydestinations.com not found: 3(NXDOMAIN)

I went to my gateway / firewall host (gw01) and looked around.

named logs

This is what I found in the logs:

17-Aug-2025 21:08:04.050 client @0x37a55c21bc90 10.8.1.200#49498 (t.visit.disneydestinations.com): query: t.visit.disneydestinations.com IN A + (10.55.0.1)

*** /var/log/named/default.log ***
17-Aug-2025 21:08:04.050 client @0x37a55c21bc90 10.8.1.200#49498 (t.visit.disneydestinations.com): rpz QNAME NXDOMAIN rewrite t.visit.disneydestinations.com/A/IN via t.visit.disneydestinations.com.rpz

OK, that’s clearly something local. rpz? That sounds familiar.

Nothing in here:

[21:01 gw01 dvl /var/db] % sudo grep -r t.visit.disneydestinations.com adguardhome

I searched my email for rpz, because I’m sure I know this. I found an email thread with Morgan Davis. I implemented dns-blackhole back in April 2025. That led me to crontabs.

Crontab?

Let’s look over here:

[21:01 gw01 dvl /var/db] % cd /usr/local/etc/cron.d
[21:01 gw01 dvl /usr/local/etc/cron.d] % ls -l
total 10
-rw-r--r--  1 root wheel  68 2025.01.28 17:12 dma
-rw-r--r--  1 root wheel 441 2025.08.01 12:26 dns-blocker
-rw-r--r--  1 root wheel 557 2025.03.29 16:41 sanoid
[21:01 gw01 dvl /usr/local/etc/cron.d] % cat dns-blocker 
# Ansible managed. Template: /usr/local/etc/ansible/roles/named/templates/dns-blocker.crontab.j2
#
# mail any output to `dan', no matter whose crontab this is
MAILTO=dan@langille.org

PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin

#
#minute hour    mday    month   wday	who  command
#

15      4       *       *       *       root /usr/local/etc/dns-blackhole/dns-blackhole.sh update 2>&1 | mail -s "update DNS blackhole zone" root

I remember this, I recently enabled it because it was commented out. I’m getting daily emails about it.

What does this file do?

It’s part of https://github.com/morganwdavis/dns-blackhole but it’s not part of a package. I’m not sure why. I think I’ll have to create one. If you look at the source https://github.com/morganwdavis/dns-blackhole/blob/main/dns-blackhole.sh you’ll find references to rpz.

I think I’m onto something. What files are over here:

[21:36 gw01 dvl /usr/local/etc/dns-blackhole] % ls -l
total 52
drwxr-xr-x  2 root bind    20 2025.04.28 12:32 OLD/
-rw-r--r--  1 root wheel  132 2025.08.17 21:15 allowed_hosts
-rw-r--r--  1 root wheel  875 2025.08.17 21:21 dns-blackhole.conf
-rw-r--r--  1 root wheel 1045 2025.04.29 00:28 dns-blackhole.conf.84849.2025-08-17@21:21:02~
-rwxr-xr-x  1 root wheel 4726 2025.04.28 23:14 dns-blackhole.sh
-rwxr-xr-x  1 root bind  6476 2025.04.29 00:28 dns-blackhole.sh.mine
-rw-r--r--  1 root wheel 1404 2025.04.28 12:32 local_blocked_hosts

Ah, look at that, allowed_hosts. Let’s add to that:

[21:36 gw01 dvl /usr/local/etc/dns-blackhole] % cat allowed_hosts 
# Ansible managed. Template: /usr/local/etc/ansible/roles/named/templates/allowed_hosts.j2
apple.com
t.visit.disneydestinations.com

Once I added my entry, I ran the update script:

[21:16 gw01 dvl /usr/local/etc/dns-blackhole] % sudo /usr/local/etc/dns-blackhole/dns-blackhole.sh update
Fetching master host list...
Optimizing hosts list...
Excluding allowed hosts...
Building enabled RPZ zone file...
Building included zone file...
Cleaning up...
Stopping named.
Waiting for PIDS: 95489.
Starting named.

Now it works:

[17:08 pro05 dvl ~] % host t.visit.disneydestinations.com
t.visit.disneydestinations.com is an alias for wdpro-mid-prod1-cpgnreq-124527-1158115363.us-west-2.elb.amazonaws.com.
wdpro-mid-prod1-cpgnreq-124527-1158115363.us-west-2.elb.amazonaws.com has address 54.68.12.18
wdpro-mid-prod1-cpgnreq-124527-1158115363.us-west-2.elb.amazonaws.com has address 35.155.230.251

Thank you for coming to my TED talk.
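
An added example, not part of the original post: a small Python filter that picks the rpz rewrite lines out of a named log in the layout shown above and reports which names the local policy zone is rewriting, with what action, and for which clients. The first two sample lines are the post's own; the remaining lines and all function names are constructed for illustration, and it is an assumption that other RPZ triggers and actions are logged in the same field order.

```python
import re

# Layout copied from the "rpz QNAME NXDOMAIN rewrite" line in the post's
# /var/log/named/default.log excerpt. Assumption: other trigger types and
# policy actions are logged in the same field order.
RPZ_RE = re.compile(
    r"(?P<ts>\S+ \S+) client (?:@\S+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+ "
    r"\([^)]*\): rpz (?P<trigger>\S+) (?P<policy>\S+) rewrite "
    r"(?P<qname>[^/\s]+)/(?P<qtype>[^/\s]+)/(?P<qclass>\S+) via (?P<via>\S+)"
)

# First two lines are from the post; the rest are constructed sample data.
SAMPLE_LOG = """\
17-Aug-2025 21:08:04.050 client @0x37a55c21bc90 10.8.1.200#49498 (t.visit.disneydestinations.com): query: t.visit.disneydestinations.com IN A + (10.55.0.1)
17-Aug-2025 21:08:04.050 client @0x37a55c21bc90 10.8.1.200#49498 (t.visit.disneydestinations.com): rpz QNAME NXDOMAIN rewrite t.visit.disneydestinations.com/A/IN via t.visit.disneydestinations.com.rpz
17-Aug-2025 21:09:10.120 client @0x37a55c21c000 10.8.1.201#50211 (T.Visit.DisneyDestinations.com): rpz QNAME NXDOMAIN rewrite T.Visit.DisneyDestinations.com/AAAA/IN via t.visit.disneydestinations.com.rpz
17-Aug-2025 21:10:00.000 client @0x37a55c21d000 10.8.1.200#50300 (ads.example.net): rpz QNAME NXDOMAIN rewrite ads.example.net/A/IN via ads.example.net.rpz
17-Aug-2025 21:10:01.000 client @0x37a55c21d000 10.8.1.200#50301 (www.example.org): query: www.example.org IN A + (10.55.0.1)
"""


def norm(name):
    """DNS names compare case-insensitively; drop a trailing root dot too."""
    return name.rstrip(".").lower()


def parse_rpz_line(line):
    """Return the fields of one rpz rewrite line, or None for any other line."""
    m = RPZ_RE.search(line.strip())
    if m is None:
        return None
    qname, via = norm(m["qname"]), norm(m["via"])
    # The "via" field is the matching record's owner name inside the policy
    # zone. For an exact QNAME trigger that is <qname>.<zone>; for anything
    # else (for example a wildcard record) the zone is left unresolved.
    zone = via[len(qname) + 1:] if via.startswith(qname + ".") else None
    return {
        "ts": m["ts"],
        "client": m["client"],
        "trigger": m["trigger"],
        "policy": m["policy"],
        "qname": qname,
        "qtype": m["qtype"],
        "zone": zone,
    }


def summarize(lines):
    """Group rewrites by queried name: count, clients, qtypes, policies, zones."""
    out = {}
    for line in lines:
        hit = parse_rpz_line(line)
        if hit is None:
            continue
        entry = out.setdefault(hit["qname"], {
            "count": 0, "clients": set(), "qtypes": set(),
            "policies": set(), "zones": set(),
        })
        entry["count"] += 1
        entry["clients"].add(hit["client"])
        entry["qtypes"].add(hit["qtype"])
        entry["policies"].add(hit["policy"])
        if hit["zone"]:
            entry["zones"].add(hit["zone"])
    return out


def locally_blocked(name, lines):
    """True when the log shows the local resolver rewrote answers for name."""
    return norm(name) in summarize(lines)


if __name__ == "__main__":
    for qname, info in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{qname}: {info['count']} rewrite(s), "
              f"policy={sorted(info['policies'])}, "
              f"zone={sorted(info['zones'])}, "
              f"clients={sorted(info['clients'])}")
```
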


Using a sparse git checkout to build vuxml files

Post by Dan Langille via Dan Langille's Other Diary »

This post shows how I used a git sparse checkout to build vuxml files without having the whole ports tree present.

In this post:

  • FreeBSD 14.2
  • FreeBSD 14.3-STABLE
  • git-2.50.1
  • git-tiny-2.50.1

This came about when recent commits to security/vuxml weren’t showing up on my host, despite doing pkg audit -F – this was several hours after the commit.

trouble told me to check this jail on that host. Eventually I figured out the problem was a Makefile target of vuln.xml – I suspect the problem is related to that file being split up into multiple files. Let’s use a different ..

and as I type this, I realize this idea won’t work.

I was going to run make vuln-flat.xml – and generate a new flat file.

That new flat file will always have a recent build date, which will build new files and ship them out.

No, I think I’ll have to take a different approach.

But I still want that sparse checkout.

Let’s try this:

[dvl@freefall ~/vuxmlbuild]$ git clone --filter=tree:0 --no-checkout --depth 1 https://git.FreeBSD.org/ports.git vuxml-git
Cloning into 'vuxml-git'...
remote: Enumerating objects: 1, done.
remote: Counting objects: 100% (1/1), done.
remote: Total 1 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (1/1), done.

[dvl@freefall ~/vuxmlbuild]$ cd vuxml-git/
[dvl@freefall ~/vuxmlbuild/vuxml-git]$ git sparse-checkout init --no-cone

[dvl@freefall ~/vuxmlbuild/vuxml-git]$ git sparse-checkout set path security/vuxml

[dvl@freefall ~/vuxmlbuild/vuxml-git]$ git checkout
remote: Enumerating objects: 44211, done.
remote: Counting objects: 100% (44211/44211), done.
remote: Compressing objects: 100% (39645/39645), done.
remote: Total 44211 (delta 45), reused 25651 (delta 14), pack-reused 0 (from 0)
Receiving objects: 100% (44211/44211), 7.07 MiB | 8.14 MiB/s, done.
Resolving deltas: 100% (45/45), done.
remote: Enumerating objects: 35, done.
remote: Counting objects: 100% (35/35), done.
remote: Compressing objects: 100% (35/35), done.
remote: Total 35 (delta 15), reused 6 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (35/35), 1.78 MiB | 5.98 MiB/s, done.
Resolving deltas: 100% (15/15), done.
Updating files: 100% (35/35), done.
Your branch is up to date with 'origin/main'.

[dvl@freefall ~/vuxmlbuild/vuxml-git]$ ls -l security/vuxml/
total 62
-rw-r--r--  1 dvl dvl 3672 Aug  1 19:56 Makefile
-rw-r--r--  1 dvl dvl  901 Aug  1 19:56 distinfo
drwxr-xr-x  2 dvl dvl    9 Aug  1 19:56 files
-rw-r--r--  1 dvl dvl  267 Aug  1 19:56 pkg-descr
-rw-r--r--  1 dvl dvl  255 Aug  1 19:56 pkg-plist
drwxr-xr-x  2 dvl dvl   25 Aug  1 19:56 vuln
-rw-r--r--  1 dvl dvl 4124 Aug  1 19:56 vuln.xml
[dvl@freefall ~/vuxmlbuild/vuxml-git]$ 

Done. Just what I need for this test.

After a bit of testing, I found I needed this command:

[dvl@freefall ~/vuxmlbuild/vuxml-git]$ git sparse-checkout set path Mk security/vuxml lang/python311 ports-mgmt/pkg textproc/xmlcatmgr textproc/libxslt textproc/xhtml-modularization textproc/xhtml-basic

With that, I could do this:

[dvl@freefall ~/vuxmlbuild/vuxml-git/security/vuxml]$ make vuln-flat.xml
xmllint -noent /home/dvl/src/vuxmlbuild/vuxml-git/security/vuxml/vuln.xml > vuln-flat.xml

[dvl@freefall ~/vuxmlbuild/vuxml-git/security/vuxml]$ git status
On branch main
Your branch is up to date with 'origin/main'.

You are in a sparse checkout with 1% of tracked files present.

nothing to commit, working tree clean
[dvl@freefall ~/vuxmlbuild/vuxml-git/security/vuxml]$ ls -l
total 3138
-rw-r--r--  1 dvl dvl    3672 Aug  1 20:16 Makefile
-rw-r--r--  1 dvl dvl     901 Aug  1 20:16 distinfo
drwxr-xr-x  2 dvl dvl       9 Aug  1 20:16 files
-rw-r--r--  1 dvl dvl     267 Aug  1 20:16 pkg-descr
-rw-r--r--  1 dvl dvl     255 Aug  1 20:16 pkg-plist
drwxr-xr-x  2 dvl dvl      25 Aug  1 20:16 vuln
-rw-r--r--  1 dvl dvl 8782882 Aug  1 20:18 vuln-flat.xml
-rw-r--r--  1 dvl dvl    4124 Aug  1 20:16 vuln.xml

Running the command again, without changes to files, yields no changes:

[dvl@freefall ~/vuxmlbuild/vuxml-git/security/vuxml]$ make vuln-flat.xml
`vuln-flat.xml' is up to date.
[dvl@freefall ~/vuxmlbuild/vuxml-git/security/vuxml]$ ls -l
total 3138
-rw-r--r--  1 dvl dvl    3672 Aug  1 20:16 Makefile
-rw-r--r--  1 dvl dvl     901 Aug  1 20:16 distinfo
drwxr-xr-x  2 dvl dvl       9 Aug  1 20:16 files
-rw-r--r--  1 dvl dvl     267 Aug  1 20:16 pkg-descr
-rw-r--r--  1 dvl dvl     255 Aug  1 20:16 pkg-plist
drwxr-xr-x  2 dvl dvl      25 Aug  1 20:16 vuln
-rw-r--r--  1 dvl dvl 8782882 Aug  1 20:18 vuln-flat.xml
-rw-r--r--  1 dvl dvl    4124 Aug  1 20:16 vuln.xml

Touching one of the files, altering the date, gives us a new file:

[dvl@freefall ~/vuxmlbuild/vuxml-git/security/vuxml]$ touch vuln/2025.xml 
[dvl@freefall ~/vuxmlbuild/vuxml-git/security/vuxml]$ make vuln-flat.xml
xmllint -noent /home/dvl/src/vuxmlbuild/vuxml-git/security/vuxml/vuln.xml > vuln-flat.xml
[dvl@freefall ~/vuxmlbuild/vuxml-git/security/vuxml]$ ls -l
total 3138
-rw-r--r--  1 dvl dvl    3672 Aug  1 20:16 Makefile
-rw-r--r--  1 dvl dvl     901 Aug  1 20:16 distinfo
drwxr-xr-x  2 dvl dvl       9 Aug  1 20:16 files
-rw-r--r--  1 dvl dvl     267 Aug  1 20:16 pkg-descr
-rw-r--r--  1 dvl dvl     255 Aug  1 20:16 pkg-plist
drwxr-xr-x  2 dvl dvl      25 Aug  1 20:16 vuln
-rw-r--r--  1 dvl dvl 8782882 Aug  1 20:20 vuln-flat.xml
-rw-r--r--  1 dvl dvl    4124 Aug  1 20:16 vuln.xml
[dvl@freefall ~/vuxmlbuild/vuxml-git/security/vuxml]$ 

I think we can use this for distributing the vuxml database files.


Mobile Phishers Target Brokerage Accounts in ‘Ramp and Dump’ Cashout Scheme

Post by Brian Krebs via Krebs on Security »

Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks.

Image: Shutterstock, WhataWin.

This so-called ‘ramp and dump’ scheme borrows its name from age-old “pump and dump” scams, wherein fraudsters purchase a large number of shares in some penny stock, and then promote the company in a frenzied social media blitz to build up interest from other investors. The fraudsters dump their shares after the price of the penny stock increases to some degree, which usually then causes a sharp drop in the value of the shares for legitimate investors.

With ramp and dump, the scammers do not need to rely on ginning up interest in the targeted stock on social media. Rather, they will preposition themselves in the stock that they wish to inflate, using compromised accounts to purchase large volumes of it and then dumping the shares after the stock price reaches a certain value. In February 2025, the FBI said it was seeking information from victims of this scheme.

“In this variation, the price manipulation is primarily the result of controlled trading activity conducted by the bad actors behind the scam,” reads an advisory from the Financial Industry Regulatory Authority (FINRA), a private, non-profit organization that regulates member brokerage firms. “Ultimately, the outcome for unsuspecting investors is the same—a catastrophic collapse in share price that leaves investors with unrecoverable losses.”

Ford Merrill is a security researcher at SecAlliance, a CSIS Security Group company. Merrill said he has tracked recent ramp-and-dump activity to a bustling Chinese-language community that is quite openly selling advanced mobile phishing kits on Telegram.

“They will often coordinate with other actors and will wait until a certain time to buy a particular Chinese IPO [initial public offering] stock or penny stock,” said Merrill, who has been chronicling the rapid maturation and growth of the China-based phishing community over the past three years.

“They’ll use all these victim brokerage accounts, and if needed they’ll liquidate the account’s current positions, and will preposition themselves in that instrument in some account they control, and then sell everything when the price goes up,” he said. “The victim will be left with worthless shares of that equity in their account, and the brokerage may not be happy either.”

Merrill said the early days of these phishing groups — between 2022 and 2024 — were typified by phishing kits that used text messages to spoof the U.S. Postal Service or some local toll road operator, warning about a delinquent shipping or toll fee that needed paying. Recipients who clicked the link and provided their payment information at a fake USPS or toll operator site were then asked to verify the transaction by sharing a one-time code sent via text message.

In reality, the victim’s bank is sending that code to the mobile number on file for their customer because the fraudsters have just attempted to enroll that victim’s card details into a mobile wallet. If the visitor supplies that one-time code, their payment card is then added to a new mobile wallet on an Apple or Google device that is physically controlled by the phishers.

The phishing gangs typically load multiple stolen cards to digital wallets on a single Apple or Android device, and then sell those phones in bulk to scammers who use them for fraudulent e-commerce and tap-to-pay transactions.

An image from the Telegram channel for a popular Chinese mobile phishing kit vendor shows 10 mobile phones for sale, each loaded with 4-6 digital wallets from different financial institutions.

This China-based phishing collective exposed a major weakness common to many U.S.-based financial institutions that already require multi-factor authentication: The reliance on a single, phishable one-time token for provisioning mobile wallets. Happily, Merrill said many financial institutions that were caught flat-footed on this scam two years ago have since strengthened authentication requirements for onboarding new mobile wallets (such as requiring the card to be enrolled via the bank’s mobile app).

But just as squeezing one part of a balloon merely forces the air trapped inside to bulge into another area, fraudsters don’t go away when you make their current enterprise less profitable: They just shift their focus to a less-guarded area. And lately, that gaze has settled squarely on customers of the major brokerage platforms, Merrill said.

THE OUTSIDER

Merrill pointed to several Telegram channels operated by some of the more accomplished phishing kit sellers, which are full of videos demonstrating how every feature in their kits can be tailored to the attacker’s target. The video snippet below comes from the Telegram channel of “Outsider,” a popular Mandarin-speaking phishing kit vendor whose latest offering includes a number of ready-made templates for using text messages to phish brokerage account credentials and one-time codes.

According to Merrill, Outsider is a woman who previously went by the handle “Chenlun.” KrebsOnSecurity profiled Chenlun’s phishing empire in an October 2023 story about a China-based group that was phishing mobile customers of more than a dozen postal services around the globe. In that case, the phishing sites were using a Telegram bot that sent stolen credentials to the “@chenlun” Telegram account.

Chenlun’s phishing lures are sent via Apple’s iMessage and Google’s RCS service and spoof one of the major brokerage platforms, warning that the account has been suspended for suspicious activity and that recipients should log in and verify some information. The missives include a link to a phishing page that collects the customer’s username and password, and then asks the user to enter a one-time code that will arrive via SMS.

The new phish kit videos on Outsider’s Telegram channel only feature templates for Schwab customers, but Merrill said the kit can easily be adapted to target other brokerage platforms. One reason the fraudsters are picking on brokerage firms, he said, has to do with the way they handle multi-factor authentication.

Schwab clients are presented with two options for second factor authentication when they open an account. Users who select the option to only prompt for a code on untrusted devices can choose to receive it via text message, an automated inbound phone call, or an outbound call to Schwab. With the “always at login” option selected, users can choose to receive the code through the Schwab app, a text message, or a Symantec VIP mobile app.

In response to questions, Schwab said it regularly updates clients on emerging fraud trends, including this specific type, which the company addressed in communications sent to clients earlier this year.

The 2FA text message from Schwab warns recipients against giving away their one-time code.

“That message focused on trading-related fraud, highlighting both account intrusions and scams conducted through social media or messaging apps that deceive individuals into executing trades themselves,” Schwab said in a written statement. “We are aware and tracking this trend across several channels, as well as others like it, which attempt to exploit SMS-based verification with stolen credentials. We actively monitor for suspicious patterns and take steps to disrupt them. This activity is part of a broader, industry-wide threat, and we take a multi-layered approach to address and mitigate it.”

Other popular brokerage platforms allow similar methods for multi-factor authentication. Fidelity requires a username and password on initial login, and offers the ability to receive a one-time token via SMS, an automated phone call, or by approving a push notification sent through the Fidelity mobile app. However, all three of these methods for sending one-time tokens are phishable; even with the brokerage firm’s app, the phishers could prompt the user to approve a login request that they initiated in the app with the phished credentials.

Vanguard offers customers a range of multi-factor authentication choices, including the option to require a physical security key in addition to one’s credentials on each login. A security key implements a robust form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by connecting an enrolled USB or Bluetooth device and pressing a button. The key works without the need for any special software drivers, and the nice thing about it is your second factor cannot be phished.

THE PERFECT CRIME?

Merrill said that in many ways the ramp-and-dump scheme is the perfect crime because it leaves precious few connections between the victim brokerage accounts and the fraudsters.

“It’s really genius because it decouples so many things,” he said. “They can buy shares [in the stock to be pumped] in their personal account on the Chinese exchanges, and the price happens to go up. The Chinese or Hong Kong brokerages aren’t going to see anything funky.”

Merrill said it’s unclear exactly how those perpetrating these ramp-and-dump schemes coordinate their activities, such as whether the accounts are phished well in advance or shortly before being used to inflate the stock price of Chinese companies. The latter possibility would fit nicely with the existing human infrastructure these criminal groups already have in place.

For example, KrebsOnSecurity recently wrote about research from Merrill and other researchers showing the phishers behind these slick mobile phishing kits employed people to sit for hours at a time in front of large banks of mobile phones being used to send the text message lures. These technicians were needed to respond in real time to victims who were supplying the one-time code sent from their financial institution.

The ashtray says: You’ve been phishing all night.

“You can get access to a victim’s brokerage with a one-time passcode, but then you sort of have to use it right away if you can’t set new security settings so you can come back to that account later,” Merrill said.

The rapid pace of innovations produced by these China-based phishing vendors is due in part to their use of artificial intelligence and large language models to help develop the mobile phishing kits, he added.

“These guys are vibe coding stuff together and using LLMs to translate things or help put the user interface together,” Merrill said. “It’s only a matter of time before they start to integrate the LLMs into their development cycle to make it more rapid. The technologies they are building definitely have helped lower the barrier of entry for everyone.”



Microsoft Patch Tuesday, August 2025 Edition

Post by Brian Krebs via Krebs on Security »

Microsoft today released updates to fix more than 100 security flaws in its Windows operating systems and other software. At least 13 of the bugs received Microsoft’s most-dire “critical” rating, meaning they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.

August’s patch batch from Redmond includes an update for CVE-2025-53786, a vulnerability that allows an attacker to pivot from a compromised Microsoft Exchange Server directly into an organization’s cloud environment, potentially gaining control over Exchange Online and other connected Microsoft Office 365 services. Microsoft first warned about this bug on Aug. 6, saying it affects Exchange Server 2016 and Exchange Server 2019, as well as its flagship Exchange Server Subscription Edition.

Ben McCarthy, lead cyber security engineer at Immersive, said a rough search reveals approximately 29,000 Exchange servers publicly facing on the internet that are vulnerable to this issue, with many of them likely to have even older vulnerabilities.

McCarthy said the fix for CVE-2025-53786 requires more than just installing a patch, such as following Microsoft’s manual instructions for creating a dedicated service to oversee and lock down the hybrid connection.

“In effect, this vulnerability turns a significant on-premise Exchange breach into a full-blown, difficult-to-detect cloud compromise with effectively living off the land techniques which are always harder to detect for defensive teams,” McCarthy said.

CVE-2025-53779 is a weakness in the Windows Kerberos authentication system that allows an unauthenticated attacker to gain domain administrator privileges. Microsoft credits the discovery of the flaw to Akamai researcher Yuval Gordon, who dubbed it “BadSuccessor” in a May 2025 blog post. The attack exploits a weakness in “delegated Managed Service Account” or dMSA — a feature that was introduced in Windows Server 2025.

Some of the critical flaws addressed this month with the highest severity (between 9.0 and 9.9 CVSS scores) include a remote code execution bug in the Windows GDI+ component that handles graphics rendering (CVE-2025-53766) and CVE-2025-50165, another graphics rendering weakness. Another critical patch involves CVE-2025-53733, a vulnerability in Microsoft Word that can be exploited without user interaction and triggered through the Preview Pane.

One final critical bug tackled this month deserves attention: CVE-2025-53778, a bug in Windows NTLM, a core function of how Windows systems handle network authentication. According to Microsoft, the flaw could allow an attacker with low-level network access and basic user privileges to exploit NTLM and elevate to SYSTEM-level access — the highest level of privilege in Windows. Microsoft rates the exploitation of this bug as “more likely,” although there is no evidence the vulnerability is being exploited at the moment.

Feel free to holler in the comments if you experience problems installing any of these updates. As ever, the SANS Internet Storm Center has its useful breakdown of the Microsoft patches indexed by severity and CVSS score, and AskWoody.com is keeping an eye out for Windows patches that may cause problems for enterprises and end users.

GOOD MIGRATIONS

Windows 10 users out there likely have noticed by now that Microsoft really wants you to upgrade to Windows 11. The reason is that after the Patch Tuesday on October 14, 2025, Microsoft will stop shipping free security updates for Windows 10 computers. The trouble is, many PCs running Windows 10 do not meet the hardware specifications required to install Windows 11 (or they do, but just barely).

If the experience with Windows XP is any indicator, many of these older computers will wind up in landfills or else will be left running in an unpatched state. But if your Windows 10 PC doesn’t have the hardware chops to run Windows 11 and you’d still like to get some use out of it safely, consider installing a newbie-friendly version of Linux, like Linux Mint.

Like most modern Linux versions, Mint will run on anything with a 64-bit CPU that has at least 2GB of memory, although 4GB is recommended. In other words, it will run on almost any computer produced in the last decade.

There are many versions of Linux available, but Linux Mint is likely to be the most intuitive interface for regular Windows users, and it is largely configurable without any fuss at the text-only command-line prompt. Mint and other flavors of Linux come with LibreOffice, which is an open source suite of tools that includes applications similar to Microsoft Office, and it can open, edit and save documents as Microsoft Office files.

If you’d prefer to give Linux a test drive before installing it on a Windows PC, you can always just download it to a removable USB drive. From there, reboot the computer (with the removable drive plugged in) and select the option at startup to run the operating system from the external USB drive. If you don’t see an option for that after restarting, try restarting again and hitting the F8 button, which should open a list of bootable drives. Here’s a fairly thorough tutorial that walks through exactly how to do all this.

And if this is your first time trying out Linux, relax and have fun: The nice thing about a “live” version of Linux (as it’s called when the operating system is run from a removable drive such as a CD or a USB stick) is that none of your changes persist after a reboot. Even if you somehow manage to break something, a restart will return the system back to its original state.


Athom CO2 Sensors

Post by Kristian Köhntopp via Die wunderbare Welt von Isotopp »

Cheap and integrated CO2 sensors are finally available. I got mine from Athom. They cost $25 per device.

The device uses an ESP32C3 (4M) as a foundation and sports a Sensirion SCD 40. It measures CO2 in the range of 400-2000 ppm with 5% accuracy (that’s the Sensirion spec), and also acts as a Bluetooth proxy (because the ESP32 can do that).

Unpacking is easy enough. Connecting to the Wifi AP offered by the unconfigured device with an iPhone did not work (“Cannot join …”), but configuration via Bluetooth is even easier and better.

For this you need to run the Home Assistant App with an Admin account, on a device with Bluetooth support, for example an iPhone, or in my case, a Mac mini Desktop.

The new device is autodetected in Bluetooth, and you can select it in Settings->Devices. Enter the Wifi Credentials, and it joins the Wifi and will be autodetected as a new ESPHome Device. It can then be integrated, and delivers measurements.

Athom Device delivering CO2 measurements as a graph and a PPM display.

Code for the display shown above (Yaml Fragment in Home Assistant).
type: vertical-stack
cards:
  - chart_type: line
    period: 5minute
    type: statistics-graph
    entities:
      - entity: sensor.athom_co2_sensor_b33722_co2
        name: Bibliothek CO2
    stat_types:
      - mean
      - max
      - min
    hide_legend: false
    title: Bibliothek CO2
    days_to_show: 2
    logarithmic_scale: false
  - show_name: true
    show_icon: true
    show_state: true
    type: glance
    entities:
      - entity: sensor.athom_co2_sensor_b33722_co2
        name: Bibliothek
    state_color: false

The device has an Air Quality LED. This one has an entity, and you can turn it off or dim it – for 5 seconds. The LED is also controlled by the firmware, and your settings will be overwritten within a few seconds. This means the LED is always on at 50% in green, yellow or red, depending on CO2 level. This is less bad than it sounds, because the dark see-through case dims the LED.

The entire assembly of “USB Power Supply” plus “Stick with the sensor on top” is rather large. You will need to find a safe wall socket to stick it into, so that nobody catches the device and breaks it off. Or find a USB power Supply with an angled USB Socket.

Athom order page with technical data.


Valuable News – 2025/08/11

Post by Vermaden via 𝚟𝚎𝚛𝚖𝚊𝚍𝚎𝚗 »

The Valuable News weekly series is dedicated to providing a summary of news, articles and other interesting stuff mostly but not always related to the UNIX/BSD/Linux systems. Whenever I stumble upon something worth mentioning on the Internet I just put it here.

Today the amount of information that we get using various information streams is at massive overload. Thus one needs to focus only on what is important without the need to grep(1) the Internet every day. Hence the idea of providing such information ‘bulk’ as I already do that grep(1).

The Usual Suspects section at the end is permanent and has links to other sites with interesting UNIX/BSD/Linux news.

Past releases are available at the dedicated NEWS page.

UNIX

NetBSD 11.0 Release Process Underway.
https://blog.netbsd.org/tnf/entry/netbsd_11_0_release_process

Look at Kgeotag on FreeBSD.
https://youtube.com/watch?v=V3WDCKqL3Mo

porch(1) is Not What You expect(1).
https://youtube.com/watch?v=Drbk4rEH1sk

Improvements to FreeBSD KASAN.
https://youtube.com/watch?v=pwwSdQi0NUI

New NetBSD Build Cluster Speeds Up Daily Autobuilds.
https://blog.netbsd.org/tnf/entry/new_build_cluster_speeds_up

BSD Now and Then.
https://freebsdfoundation.org/our-work/journal/browser-based-edition/downstreams/bsd-now-and-then/

Counter-Strike 2 Switched to Wayland for One Day and Switched Back to X11.
https://youtube.com/watch?v=Y0l4W-LYYdc

Running syslog-ng in BastilleBSD.
https://syslog-ng.com/community/b/blog/posts/running-syslog-ng-in-bastillebsd-1138361719

FreeBSD Foundation – Installer Usability.
https://freebsdfoundation.org/our-work/journal/browser-based-edition/networking-3/installer-usability/

NetBSD 11.0 Preparing for Release with Improved Linux Emulation and Better RISC-V Support.
https://phoronix.com/news/NetBSD-11.0-Released

Replacing Proxmox with FreeBSD and Bhyve.
https://abnml.com/blog/2024/11/26/replacing-proxmox-with-freebsd-and-bhyve/

FreeBSD Foundation Laptop 2025/07 Update.
https://github.com/FreeBSDFoundation/proj-laptop/blob/main/monthly-updates/2025-07.md

4 Fun (and 1 Terrible) Operating Systems You Can Try Out by Booting from USB.
https://xda-developers.com/fun-operating-systems-you-can-try-out-by-booting-from-a-usb/

Call for Testing: USB Webcams on OpenBSD.
https://undeadly.org/cgi?action=article;sid=20250808083341

BSD Now 623 – Two Interviews.
https://bsdnow.tv/623

DragonflyBSD Next Generation dm_target_crypt is Now Default.
https://lists.dragonflybsd.org/pipermail/commits/2025-July/923582.html

Sleep on FreeBSD: Bedtime Story About S0ix.
https://youtube.com/watch?v=RCjPc4X2Edc

Additional Intel Linux Drivers Left Orphaned and Maintainers Let Go.
https://phoronix.com/news/Intel-More-Orphans-Maintainers

Hardware

This Revolutionary Two Stroke Engine Design Challenges EV Future.
https://howtogeek.com/this-new-engine-design-has-the-potential-to-slow-the-ev-transition/

My Non Stop Running Devices at 8 Years.
https://youtube.com/watch?v=EEn38xo0BU4

I Fixed My MacBook Air and It Was Kind of Nightmare.
https://82mhz.net/posts/2025/08/i-fixed-my-macbook-air-and-it-was-kind-of-a-nightmare/

Life

Man Carrying Home His Gardening Tools Arrested by Armed Police in UK/Manchester.
https://theguardian.com/uk-news/2025/jul/28/man-allotment-gardening-tools-arrest-armed-police-manchester

Makers Schedule and Managers Schedule.
https://paulgraham.com/makersschedule.html

I Do Not Want to Make This Video.
https://youtube.com/watch?v=-iVkfYuXN7M

Japan: Apple Must Lift Browser Engine Ban by December.
https://open-web-advocacy.org/blog/japan-apple-must-lift-engine-ban-by-december/

EU Could Scan Your Chats by 2025/10.
https://techradar.com/computing/cyber-security/the-eu-could-be-scanning-your-chats-by-october-2025-heres-everything-we-know

Japan Biggest Charity Speedrun Event Will Not Have Nintendo Games.
https://eurogamer.net/japans-biggest-charity-speedrunning-event-wont-have-nintendo-games-because-nintendo-couldnt-help-but-nintendo

Other

AWS Deleted My 10 Year Account and All Data without Warning.
https://seuros.com/blog/aws-deleted-my-10-year-account-without-warning/

AWS Restored My 10 Year Account: Human Who Made the Difference.
https://seuros.com/blog/aws-restored-account-plot-twist/

DragonflyBSD DRM Updated to Match Linux 4.20.17 Version.
https://dragonflydigest.com/2025/07/31/dragonfly-drm-updated/

Lazy Reading for 2025/08/03.
https://dragonflydigest.com/2025/08/03/lazy-reading-for-4/

Why I Prefer Human Readable File Formats.
https://adele.pages.casa/md/blog/why-I-prefer-human-readable-file-formats.md

Reddit Drops Private Messages in Favor of Chat.
https://support.reddithelp.com/hc/en-us/articles/34720093903764

Usual Suspects

BSD Weekly.
https://bsdweekly.com/

DiscoverBSD.
https://discoverbsd.com/

BSDSec.
https://bsdsec.net/

DragonFly BSD Digest.
https://dragonflydigest.com/

FreeBSD Patch Level Table.
https://bokut.in/freebsd-patch-level-table/

FreeBSD End of Life Date.
https://endoflife.date/freebsd

Phoronix BSD News Archives.
https://phoronix.com/linux/BSD

OpenBSD Journal.
https://undeadly.org/

Call for Testing.
https://callfortesting.org/

Call for Testing – Production Users Call.
https://youtube.com/@callfortesting/videos

BSD Now Weekly Podcast.
https://www.bsdnow.tv/

Nixers Newsletter.
https://newsletter.nixers.net/entries.php

BSD Cafe Journal.
https://journal.bsd.cafe/

DragonFly BSD Digest – Lazy Reading – In Other BSDs.
https://dragonflydigest.com

BSDTV.
https://bsky.app/profile/bsdtv.bsky.social

EOF

Two Years Megane

Post by Kristian Köhntopp via Die wunderbare Welt von Isotopp »

It has now been two years since we got the Megane e-Tech.

Renault Megane e-Tech parked in Zandvoort aan Zee at the beach promenade in rainy weather.

The car uses Google Automotive Services (GAS). It is basically an Android with a really big battery pack.

Energy

On long-distance drives in the Netherlands, we use about 14.4 kWh/100 km at the maximum allowed speed of 100 km/h. In Germany I usually dial in 115 km/h, and we end up at about 15.8 kWh/100 km.

In the city, energy consumption varies, and we see anywhere between 14.5 and 15.5 kWh/100 km.

A liter of diesel contains about 10 kWh of energy, so that’s roughly equivalent to 1.5 liters of diesel per 100 km.

For the first few months with the Megane we did not have a charge point at home. Instead, we charged at a local Vattenfall charge point. That involved parking around 400 m away (two corners). The charge point (two connectors) was usually free, and charging did not require planning. We paid around 0.32 EUR/kWh for that.

When charging, the display looks like this. This is at home, starting at 14% going up to 80%, at 11 kW. This is not what you normally do, you’d just plug in the car when you return home and replace what has been used. That means, normally you put in 6-12 kWh.

Since we got our own charge point the car is usually connected when arriving at home and is kept at 80% state of charge (SoC). Doing that takes about 15 seconds on arrival, and another 15 seconds on departure. So I can say that “keeping an electric car charged” takes about 30 seconds. The rest happens automatically, and I do not have to bother.

On the Autobahn, we stop approximately every 2 to 2.5 hours. Getting a coffee, finding a toilet, or buying a sandwich usually takes longer than recharging the car at a fast charger to 80%. In the Netherlands, this is almost invariably a Fastned station, and I have yet to encounter a situation where at least one connector wasn’t immediately free. In Germany, the situation is less homogeneous, but generally not critical at all.

Fast charging can be expensive, but so far we have two charge cards, and that seems to cover us well in the Netherlands and Germany.

The Scenic had USB-A. The Megane finally offers USB-C connectors for all seats. I had to change out all USB cables in the car, but in the end it is much better.

Reliability and Service

Some people report higher tire wear in their electric cars, but I cannot confirm that for the Megane. The car weighs 1.6 tonnes including the battery, which is pretty much the same as the Grand Scenic we had before. It is not a particularly heavy car, and consequently I do not expect higher tire wear.

At Carsized you can compare car sizes. Here is the Grand Scenic and the Megane e-Tech, as seen from the side.

We bought this car pre-owned. It was a demonstrator at the dealership, which we got at a good price. There were several problems with the car, which took a long time to resolve: several missing software updates and, consequently, a lighting system malfunction; a problem with the driver profile (the car would not store seat positions); and several other comfort features.

It turned out that the dealership did an incomplete change of ownership, because identity and car records are stored in many different systems: in the car, at Google, at Renault, and at Orange, the internet provider used by the car. Debugging that took them several months, and then a two-day repair stopover at the dealership to resolve it. It seems the process is better documented because of that, which is good, I guess.

Trunk space. Limited, if you come from a Grand Scenic, but sufficient. If you flip one or both back seats, things are possible. Unlike the Scenic, this does not load flat.

Sub-trunk: Storage for the charge cable and other utensils. We never use that charge cable: When not driving long-distance, we charge at home. On long distance, fast chargers are being used. They have their own cables.

Since this intervention, the car has had zero problems.

Driving electric is a revelation. It is silent. Power is just there—no delay, no issues at low speeds, and then continuously as you accelerate.

Accelerating in Sport mode is hilarious, and uses insane amounts of energy. It is fun, though, to leave a car four times the price in the dust at a traffic light.

Summary

This is a modern car. That means it is a rolling bunker. Outward visibility is poor: the A-pillar is so wide it creates blind spots, and vision through the tiny window in the back is so bad that the rear mirror is a camera system.

What it looks like from the center spot. Notice the monstrously wide A-pillars.

I understand why: EU regulation (GSR-2) demands it, but it still sucks. There are a sufficient number of cameras, collision warnings and similar things to compensate, but you really do need these things in order to drive safely.

A fake 3D drone view synthesized from the various camera images. It gives you a good idea of what happens around you when parking.

In the end I do not really think it’s a win, but it works.

Sometimes I go to Germany in a rental car because my wife needs the Megane at home. This is usually a car with a combustion engine. That sucks—driving electric spoils you. It is so much more convenient and comfortable.

We will never go back to combustion. This is so much better.


KrebsOnSecurity in New ‘Most Wanted’ HBO Max Series

Post by Brian Krebs via Krebs on Security »

A new documentary series about cybercrime airing next month on HBO Max features interviews with Yours Truly. The four-part series follows the exploits of Julius Kivimäki, a prolific Finnish hacker recently convicted of leaking tens of thousands of patient records from an online psychotherapy practice while attempting to extort the clinic and its patients.

The documentary, “Most Wanted: Teen Hacker,” explores the 27-year-old Kivimäki’s lengthy and increasingly destructive career, one that was marked by cyber attacks designed to result in real-world physical impacts on their targets.

By the age of 14, Kivimäki had fallen in with a group of criminal hackers who were mass-compromising websites and milking them for customer payment card data. Kivimäki and his friends enjoyed harassing and terrorizing others by “swatting” their homes — calling in fake hostage situations or bomb threats at a target’s address in the hopes of triggering a heavily-armed police response to that location.

On Dec. 26, 2014, Kivimäki and fellow members of a group of online hooligans calling themselves the Lizard Squad launched a massive distributed denial-of-service (DDoS) attack against the Sony PlayStation and Microsoft Xbox Live platforms, preventing millions of users from playing with their shiny new gaming rigs the day after Christmas. The Lizard Squad later acknowledged that the stunt was planned to call attention to their new DDoS-for-hire service, which came online and started selling subscriptions shortly after the attack.

Finnish investigators said Kivimäki also was responsible for a 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a Twitter post from the Lizard Squad, after Smedley mentioned some upcoming travel plans online. But according to Smedley and Finnish investigators, the bomb threat started with a phone call from Kivimäki.

Julius “Zeekill” Kivimaki, in December 2014.

The creaky wheels of justice seemed to be catching up with Kivimäki in mid-2015, when a Finnish court found him guilty of more than 50,000 cybercrimes, including data breaches, payment fraud, and operating a global botnet of hacked computers. Unfortunately, the defendant was 17 at the time, and received little more than a slap on the wrist: A two-year suspended sentence and a small fine.

Kivimäki immediately bragged online about the lenient sentencing, posting on Twitter that he was an “untouchable hacker god.” I wrote a column in 2015 lamenting his laughable punishment because it was clear even then that this was a person who enjoyed watching other people suffer, and who seemed utterly incapable of remorse about any of it. It was also abundantly clear to everyone who investigated his crimes that he wasn’t going to quit unless someone made him stop.

In response to some of my early reporting that mentioned Kivimäki, one reader shared that they had been dealing with non-stop harassment and abuse from Kivimäki for years, including swatting incidents, unwanted deliveries and subscriptions, emails to her friends and co-workers, as well as threatening phone calls and texts at all hours of the night. The reader, who spoke on condition of anonymity, shared that Kivimäki at one point confided that he had no reason whatsoever for harassing her — that she was picked at random and that it was just something he did for laughs.

Five years after Kivimäki’s conviction, the Vastaamo Psychotherapy Center in Finland became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.

Ransom_man, a.k.a. Kivimäki, announced on the dark web that he would start publishing 100 patient profiles every 24 hours. When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.

In October 2022, Finnish authorities charged Kivimäki with extorting Vastaamo and its patients. But by that time he was on the run from the law and living it up across Europe, spending lavishly on fancy cars, apartments and a hard-partying lifestyle.

In February 2023, Kivimäki was arrested in France after authorities there responded to a domestic disturbance call and found the defendant sleeping off a hangover on the couch of a woman he’d met the night before. The French police grew suspicious when the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

A redacted copy of an ID Kivimaki gave to French authorities claiming he was from Romania.

In April 2024, Kivimäki was sentenced to more than six years in prison after being convicted of extorting Vastaamo and its patients.

The documentary is directed by the award-winning Finnish producer and director Sami Kieski and co-written by Joni Soila. According to an August 6 press release, the four 43-minute episodes will drop weekly on Fridays throughout September across Europe, the U.S., Latin America, Australia and South-East Asia.


Who Got Arrested in the Raid on the XSS Crime Forum?

Post by Brian Krebs via Krebs on Security »

On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle “Toha.” Here’s a deep dive on what’s knowable about Toha, and a short stab at who got nabbed.

An unnamed 38-year-old man was arrested in Kiev last month on suspicion of administering the cybercrime forum XSS. Image: ssu.gov.ua.

Europol did not name the accused, but published partially obscured photos of him from the raid on his residence in Kiev. The police agency said the suspect acted as a trusted third party — arbitrating disputes between criminals — and guaranteeing the security of transactions on XSS. A statement from Ukraine’s SBU security service said XSS counted among its members many cybercriminals from various ransomware groups, including REvil, LockBit, Conti, and Qilin.

Since the Europol announcement, the XSS forum resurfaced at a new address on the deep web (reachable only via the anonymity network Tor). But from reviewing the recent posts, there appears to be little consensus among longtime members about the identity of the now-detained XSS administrator.

The most frequent comment regarding the arrest was a message of solidarity and support for Toha, the handle chosen by the longtime administrator of XSS and several other major Russian forums. Toha’s accounts on other forums have been silent since the raid.

Europol said the suspect has enjoyed a nearly 20-year career in cybercrime, which roughly lines up with Toha’s history. In 2005, Toha was a founding member of the Russian-speaking forum Hack-All. That is, until it got massively hacked a few months after its debut. In 2006, Toha rebranded the forum to exploit[.]in, which would go on to draw tens of thousands of members, including an eventual Who’s-Who of wanted cybercriminals.

Toha announced in 2018 that he was selling the Exploit forum, prompting rampant speculation on the forums that the buyer was secretly a Russian or Ukrainian government entity or front person. However, those suspicions were unsupported by evidence, and Toha vehemently denied the forum had been given over to authorities.

One of the oldest Russian-language cybercrime forums was DaMaGeLaB, which operated from 2004 to 2017, when its administrator “Ar3s” was arrested. In 2018, a partial backup of the DaMaGeLaB forum was reincarnated as xss[.]is, with Toha as its stated administrator.

CROSS-SITE GRIFTING

Clues about Toha’s early presence on the Internet — from ~2004 to 2010 — are available in the archives of Intel 471, a cyber intelligence firm that tracks forum activity. Intel 471 shows Toha used the same email address across multiple forum accounts, including at Exploit, Antichat, Carder[.]su and inattack[.]ru.

DomainTools.com finds Toha’s email address — toschka2003@yandex.ru — was used to register at least a dozen domain names — most of them from the mid- to late 2000s. Apart from exploit[.]in and a domain called ixyq[.]com, the other domains registered to that email address end in .ua, the top-level domain for Ukraine (e.g. deleted.org[.]ua, lj.com[.]ua, and blogspot.org[.]ua).

A 2008 snapshot of a domain registered to toschka2003@yandex.ru and to Anton Medvedovsky in Kiev. Note the message at the bottom left, “Protected by Exploit,in.” Image: archive.org.

Nearly all of the domains registered to toschka2003@yandex.ru contain the name Anton Medvedovskiy in the registration records, except for the aforementioned ixyq[.]com, which is registered to the name Yuriy Avdeev in Moscow.

This Avdeev surname came up in a lengthy conversation with Lockbitsupp, the leader of the rapacious and destructive ransomware affiliate group Lockbit. The conversation took place in February 2024, when Lockbitsupp asked for help identifying Toha’s real-life identity.

In early 2024, the leader of the Lockbit ransomware group — Lockbitsupp — asked for help investigating the identity of the XSS administrator Toha, which he claimed was a Russian man named Anton Avdeev.

Lockbitsupp didn’t share why he wanted Toha’s details, but he maintained that Toha’s real name was Anton Avdeev. I declined to help Lockbitsupp in whatever revenge he was planning on Toha, but his question made me curious to look deeper.

It appears Lockbitsupp’s query was based on a now-deleted Twitter post from 2022, when a user by the name “3xp0rt” asserted that Toha was a Russian man named Anton Viktorovich Avdeev, born October 27, 1983.

Searching the web for Toha’s email address toschka2003@yandex.ru reveals a 2010 sales thread on the forum bmwclub.ru where a user named Honeypo was selling a 2007 BMW X5. The ad listed the contact person as Anton Avdeev and gave the contact phone number 9588693.

A search on the phone number 9588693 in the breach tracking service Constella Intelligence finds plenty of official Russian government records with this number, date of birth and the name Anton Viktorovich Avdeev. For example, hacked Russian government records show this person has a Russian tax ID and SIN (Social Security number), and that they were flagged for traffic violations on several occasions by Moscow police; in 2004, 2006, 2009, and 2014.

Astute readers may have noticed by now that the ages of Mr. Avdeev (41) and the XSS admin arrested this month (38) are a bit off. This would seem to suggest that the person arrested is someone other than Mr. Avdeev, who did not respond to requests for comment.

A FLY ON THE WALL

For further insight on this question, KrebsOnSecurity sought comments from Sergeii Vovnenko, a former cybercriminal from Ukraine who now works at the security startup paranoidlab.com. I reached out to Vovnenko because for several years beginning around 2010 he was the owner and operator of thesecure[.]biz, an encrypted “Jabber” instant messaging server that Europol said was operated by the suspect arrested in Kiev. Thesecure[.]biz grew quite popular among many of the top Russian-speaking cybercriminals because it scrupulously kept few records of its users’ activity, and its administrator was always a trusted member of the community.

The reason I know this historic tidbit is that in 2013, Vovnenko — using the hacker nicknames “Fly,” and “Flycracker” — hatched a plan to have a gram of heroin purchased off of the Silk Road darknet market and shipped to our home in Northern Virginia. The scheme was to spoof a call from one of our neighbors to the local police, saying this guy Krebs down the street was a druggie who was having narcotics delivered to his home.

I happened to be lurking on Flycracker’s private cybercrime forum when his heroin-framing plan was carried out, and called the police myself before the smack eventually arrived in the U.S. Mail. Vovnenko was later arrested for unrelated cybercrime activities, extradited to the United States, convicted, and deported after a 16-month stay in the U.S. prison system [on several occasions, he has expressed heartfelt apologies for the incident, and we have since buried the hatchet].

Vovnenko said he purchased a device for cloning credit cards from Toha in 2009, and that Toha shipped the item from Russia. Vovnenko explained that he (Flycracker) was the owner and operator of thesecure[.]biz from 2010 until his arrest in 2014.

Vovnenko believes thesecure[.]biz was stolen while he was in jail, either by Toha and/or an XSS administrator who went by the nicknames N0klos and Sonic.

“When I was in jail, [the] admin of xss.is stole that domain, or probably N0klos bought XSS from Toha or vice versa,” Vovnenko said of the Jabber domain. “Nobody from [the forums] spoke with me after my jailtime, so I can only guess what really happened.”

N0klos was the owner and administrator of an early Russian-language cybercrime forum known as Darklife[.]ws. However, N0kl0s also appears to be a lifelong Russian resident, and in any case seems to have vanished from Russian cybercrime forums several years ago.

Asked whether he believes Toha was the XSS administrator who was arrested this month in Ukraine, Vovnenko maintained that Toha is Russian, and that “the French cops took the wrong guy.”

WHO IS TOHA?

So who did the Ukrainian police arrest in response to the investigation by the French authorities? It seems plausible that the BMW ad invoking Toha’s email address and the name and phone number of a Russian citizen was simply misdirection on Toha’s part — intended to confuse and throw off investigators. Perhaps this even explains the Avdeev surname surfacing in the registration records from one of Toha’s domains.

But sometimes the simplest answer is the correct one. “Toha” is a common Slavic nickname for someone with the first name “Anton,” and that matches the name in the registration records for more than a dozen domains tied to Toha’s toschka2003@yandex.ru email address: Anton Medvedovskiy.

Constella Intelligence finds there is an Anton Gannadievich Medvedovskiy living in Kiev who will be 38 years old in December. This individual owns the email address itsmail@i.ua, as well as an Airbnb account featuring a profile photo of a man with roughly the same hairline as the suspect in the blurred photos released by the Ukrainian police. Mr. Medvedovskiy did not respond to a request for comment.

My take on the takedown is that the Ukrainian authorities likely arrested Medvedovskiy. Toha shared on DaMaGeLab in 2005 that he had recently finished the 11th grade and was studying at a university — a time when Medvedovskiy would have been around 18 years old. On Dec. 11, 2006, fellow Exploit members wished Toha a happy birthday. Records exposed in a 2022 hack at the Ukrainian public services portal diia.gov.ua show that Mr. Medvedovskiy’s birthday is Dec. 11, 1987.

The law enforcement action and resulting confusion about the identity of the detained has thrown the Russian cybercrime forum scene into disarray in recent weeks, with lengthy and heated arguments about XSS’s future spooling out across the forums.

XSS relaunched on a new Tor address shortly after the authorities plastered their seizure notice on the forum’s homepage, but all of the trusted moderators from the old forum were dismissed without explanation. Existing members saw their forum account balances drop to zero, and were asked to plunk down a deposit to register at the new forum. The new XSS “admin” said they were in contact with the previous owners and that the changes were to help rebuild security and trust within the community.

However, the new admin’s assurances appear to have done little to assuage the worst fears of the forum’s erstwhile members, most of whom seem to be keeping their distance from the relaunched site for now.

Indeed, if there is one common understanding amid all of these discussions about the seizure of XSS, it is that Ukrainian and French authorities now have several years worth of private messages between XSS forum users, as well as contact rosters and other user data linked to the seized Jabber server.

“The myth of the ‘trusted person’ is shattered,” the user “GordonBellford” cautioned on Aug. 3 in an Exploit forum thread about the XSS admin arrest. “The forum is run by strangers. They got everything. Two years of Jabber server logs. Full backup and forum database.”

GordonBellford continued:

And the scariest thing is: this data array is not just an archive. It is material for analysis that has ALREADY BEEN DONE. With the help of modern tools, they see everything:

Graphs of your contacts and activity.
Relationships between nicknames, emails, password hashes and Jabber ID.
Timestamps, IP addresses and digital fingerprints.
Your unique writing style, phraseology, punctuation, consistency of grammatical errors, and even typical typos that will link your accounts on different platforms.

They are not looking for a needle in a haystack. They simply sifted the haystack through the AI sieve and got ready-made dossiers.


Valuable News – 2025/08/04

Post by Vermaden via 𝚟𝚎𝚛𝚖𝚊𝚍𝚎𝚗 »

The Valuable News weekly series is dedicated to provide summary about news, articles and other interesting stuff mostly but not always related to the UNIX/BSD/Linux systems. Whenever I stumble upon something worth mentioning on the Internet I just put it here.

Today the amount information that we get using various information streams is at massive overload. Thus one needs to focus only on what is important without the need to grep(1) the Internet everyday. Hence the idea of providing such information ‘bulk’ as I already do that grep(1).

The Usual Suspects section at the end is permanent and have links to other sites with interesting UNIX/BSD/Linux news.

Past releases are available at the dedicated NEWS page.

UNIX

In a World of Wayland… Be Xorg.
https://youtube.com/watch?v=JyoLieNoc_w

Installing Mastodon 4.4 Inside FreeBSD Jail – Comprehensive Guide.
https://it-notes.dragas.net/2022/11/23/installing-mastodon-on-a-freebsd-jail/

Text Adventure on FreeBSD.
https://youtube.com/watch?v=uGEBP0szq5Q

FreeBSD Promises Full Desktop Installer.
https://linux-magazine.com/Online/News/FreeBSD-Promises-a-Full-Desktop-Installer

State of 3D Printing from OpenBSD.
https://youtube.com/watch?v=q8K9VH76c8o

Sandbox Your Program Using FreeBSD Capsicum.
https://youtube.com/watch?v=Ne4l5U_ETAw

My Favorite GUI Programs – Part II.
https://rldane.space/my-favorite-gui-programs-part-ii.html

Tracing Bugs Across Kernels: SMB Vulnerabilities in macOS and FreeBSD.
https://github.com/wangtielei/Slides/blob/main/SMB_Vulnerability_Analysis.md

The Bard and The Shell.
https://journal.bsd.cafe/2025/07/28/the-bard-and-the-shell/

Vermaden Archives Compendium – FreeBSD User Guiding Star.
https://thedistrowriteproject.blogspot.com/2025/07/Vermaden-Archives-Compendium-A-FreeBSD-User-s-Guiding-Star.html

ArchiveBox is Open Source Self Hosted Web Archiving.
https://github.com/ArchiveBox/ArchiveBox

Homepage is Modern/Static/Fast/Secure/Customizable Dashboard with 100 Services Integrations.
https://gethomepage.dev/

Progress on Graphics of FreeBSD/arm64 Handheld.
https://linkedin.com/posts/onewilshire_progress-on-the-graphics-part-of-my-freebsd-activity-7355181326137729024-AXKs

Why are You (Still) Using OpenBSD?
https://tumfatig.net/2025/why-are-you-still-using-openbsd/

Make Your Own Backup System – Part 2 – Forging FreeBSD Backup Stronghold.
https://it-notes.dragas.net/2025/07/29/make-your-own-backup-system-part-2-forging-the-freebsd-backup-stronghold/

From Minecraft to Markets: Java Hiding in Plain Sight.
https://freebsdfoundation.org/blog/from-minecraft-to-markets-java-hiding-in-plain-sight/

XLibre X11 Xserver 25.0.0.7 Released.
https://github.com/X11Libre/xserver/releases/tag/xlibre-xserver-25.0.0.7

XLibre X11 Xserver Enables udev for FreeBSD.
https://github.com/X11Libre/xserver/commit/fa72f05928083e20424109540a41ce069bfa27fe

Can You Solve This Strange FreeBSD Mail Mystery?
https://youtube.com/watch?v=Y-xtxEpl_yM

Classic CDE (Common Desktop Environment) Coming to OpenBSD.
https://undeadly.org/cgi?action=article;sid=20250730080301

PKGBASE Removes FreeBSD Base System Feature.
https://lists.freebsd.org/archives/freebsd-pkgbase/2025-July/000590.html
https://lists.freebsd.org/archives/freebsd-pkgbase/2025-July/000596.html

GNUBSD 404 – Compile Omega on FreeBSD 14.3.
https://www.youtube.com/watch?v=o8mcuSSvljk

Massive Memory Leaks in System76 Cosmic Desktop (written in Memory Safe Rust).
https://rumble.com/v68aewv-massive-memory-leaks-in-system76s-cosmic-desktop-written-in-memory-safe-rus.html

DragonFly BSD 6.4.2: Fresh Flight.
https://thedistrowriteproject.blogspot.com/2025/07/DragonFly-BSD-6-4-2-A-Fresh-Flight.html#8628188388318868938

Quick GhostBSD Build.
https://youtube.com/watch?v=F04marxM_V0

Speed Up Suspend/Resume for FreeBSD.
https://eugene-andrienko.com/it/2025/07/28/speed-up-suspend-resume-freebsd.html

FreeBSD 1.0 on 86Box.
https://officialaptivi.wordpress.com/2025/07/31/freebsd-1-0-on-86box-with-socket-3-1994/

Call for Testing: Improved 802.11g AP Compatibility Check on OpenBSD.
https://undeadly.org/cgi?action=article;sid=20250731111632

Meet tarBSD is Minimal FreeBSD Image that Boots to Memory.
https://github.com/pavetheway91/tarbsd

Neovim Config for Ansible and Python.
https://codeberg.org/Larvitz/nvim-ansible

Unleash Your Network Potential – Introducing OPNsense.
https://thedistrowriteproject.blogspot.com/2025/08/Unleash-Your-Network-Potential-Introducing-OPNsense.html

Deciso DEC2770 – Official OPNsense Hardware Unboxing and Setup.
https://youtube.com/watch?v=cMWEiYHZPlw

Ansible FreeBSD Jail Connection Plugin.
https://github.com/chofstede/ansible_jailexec

New bhyve-cli Advanced Bhyve VM Management.
https://github.com/alifgufron/bhyve-cli

Packet Journey Through pf(4) Firewall.
https://youtube.com/watch?v=JtSg6ylDALo

DJ-BSD: DJ-ing and Music Production in FreeBSD.
https://youtube.com/watch?v=Edf80gLVL3A

Keynote: Hardware Support for Memory Hungry Applications.
https://youtube.com/watch?v=OCWaGRcPO8E

Distributed Filesystem for OpenBSD.
https://youtube.com/watch?v=6DQqTG3QGZc

ABI Stability in FreeBSD.
https://youtube.com/watch?v=vzU6vKd1OFM

Hardware Accelerated Program Tracing on FreeBSD.
https://youtube.com/watch?v=NrBGw8N4qL4

Use FreeBSD Installer in Non-Interactive Mode.
https://siberoloji.com/how-to-use-the-freebsd-installer-in-non-interactive-mode/

Straight Forward Guide for Poudriere on FreeBSD.
https://i-bsd.com/poudriere-guide/

XLibre Added to GhostBSD Ports.
https://github.com/ghostbsd/ghostbsd-ports/pull/102

Why POSIX Systems are Developers Best Friend.
https://furkanbaytekin.dev/blogs/software/why-posix-systems-are-a-developers-best-friend

GhostBSD 2025/06 Finance Report.
https://ghostbsd.org/news/June_2025_Finance_Report

Hardware

Why Intel Processors Draw More Power Than Expected – TDP and Turbo Explained.
https://anandtech.com/show/13544/why-intel-processors-draw-more-power-than-expected-tdp-turbo

Dodge Brings Back Hemi V8.
https://theautowire.com/2024/12/23/dodge-brings-back-the-hemi-v8/

Life

I Teach Creative Writing – This is What A. I. Does to Students.
https://nytimes.com/2025/07/18/opinion/ai-chatgpt-school.html?unlocked_article_code=1.X08.G9EK.3p_VSeTC8VFO

Even OpenAI CEO Says Be Careful What You Share with ChatGPT.
https://cnet.com/tech/services-and-software/even-openais-ceo-says-be-careful-what-you-share-with-chatgpt/

Can Country Be Too Rich? Norway is Finding Out.
https://bloomberg.com/news/articles/2025-07-25/can-a-country-be-too-rich-norway-is-finding-out-essay

Britain is Losing its Free Speech and America Could be Next.
https://currentaffairs.org/news/britain-is-losing-its-free-speech-and-america-could-be-next

Testosterone Eliminates Strategic Prosocial Behavior Through Impacting Choice Consistency in Healthy Males.
https://nature.com/articles/s41386-023-01570-y

Other

Heroes III Will Outlive Humanity by Being Preserved on 5D Disc.
https://80.lv/articles/heroes-iii-will-outlive-humanity-by-being-preserved-on-a-5d-disc

2025 Stack Overflow Developer Survey.
https://survey.stackoverflow.co/2025

Microsoft Bans LibreOffice Developer Account without Warning.
https://neowin.net/news/microsoft-bans-libreoffice-developers-account-without-warning-rejects-appeal/

I Tried Servo – Web Browser Engine Written in Rust.
https://spacebar.news/servo-undercover-web-browser-engine/

Steam Hardware and Software Survey 2025/07.
https://store.steampowered.com/hwsurvey/Steam-Hardware-Software-Survey-Welcome-to-Steam

Microsoft: Anybody Home?
https://mikekaganski.wordpress.com/2025/07/25/microsoft-anybody-home/

Usual Suspects

BSD Weekly.
https://bsdweekly.com/

DiscoverBSD.
https://discoverbsd.com/

BSDSec.
https://bsdsec.net/

DragonFly BSD Digest.
https://dragonflydigest.com/

FreeBSD Patch Level Table.
https://bokut.in/freebsd-patch-level-table/

FreeBSD End of Life Date.
https://endoflife.date/freebsd

Phoronix BSD News Archives.
https://phoronix.com/linux/BSD

OpenBSD Journal.
https://undeadly.org/

Call for Testing.
https://callfortesting.org/

Call for Testing – Production Users Call.
https://youtube.com/@callfortesting/videos

BSD Now Weekly Podcast.
https://www.bsdnow.tv/

Nixers Newsletter.
https://newsletter.nixers.net/entries.php

BSD Cafe Journal.
https://journal.bsd.cafe/

DragonFly BSD Digest – Lazy Reading – In Other BSDs.
https://dragonflydigest.com

EOF

Scammers Unleash Flood of Slick Online Gaming Sites

Post by Brian Krebs via Krebs on Security »

Fraudsters are flooding Discord and other social media platforms with ads for hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. Here’s a closer look at the social engineering tactics and remarkable traits of this sprawling network of more than 1,200 scam sites.

The scam begins with deceptive ads posted on social media that claim the wagering sites are working in partnership with popular social media personalities, such as Mr. Beast, who recently launched a gaming business called Beast Games. The ads invariably state that by using a supplied “promo code,” interested players can claim a $2,500 credit on the advertised gaming website.

An ad posted to a Discord channel for a scam gambling website that the proprietors falsely claim was operating in collaboration with the Internet personality Mr. Beast. Image: Reddit.com.

The gaming sites all require users to create a free account to claim their $2,500 credit, which they can use to play any number of extremely polished video games that ask users to bet on each action. At the scam website gamblerbeast[.]com, for example, visitors can pick from dozens of games like B-Ball Blitz, in which you play a basketball pro who is taking shots from the free throw line against a single opponent, and you bet on your ability to sink each shot.

The financial part of this scam begins when users try to cash out any “winnings.” At that point, the gaming site will reject the request and prompt the user to make a “verification deposit” of cryptocurrency — typically around $100 — before any money can be distributed. Those who deposit cryptocurrency funds are soon asked for additional payments.

However, any “winnings” displayed by these gaming sites are a complete fantasy, and players who deposit cryptocurrency funds will never see that money again. Compounding the problem, victims likely will soon be peppered with come-ons from “recovery experts” who peddle dubious claims on social media networks about being able to retrieve funds lost to such scams.

KrebsOnSecurity first learned about this network of phony betting sites from a Discord user who asked to be identified only by their screen name: “Thereallo” is a 17-year-old developer who operates multiple Discord servers and said they began digging deeper after users started complaining of being inundated with misleading spam messages promoting the sites.

“We were being spammed relentlessly by these scam posts from compromised or purchased [Discord] accounts,” Thereallo said. “I got frustrated with just banning and deleting, so I started to investigate the infrastructure behind the scam messages. This is not a one-off site, it’s a scalable criminal enterprise with a clear playbook, technical fingerprints, and financial infrastructure.”

After comparing the code on the gaming sites promoted via spam messages, Thereallo found they all invoked the same API key for an online chatbot that appears to be in limited use or else is custom-made. Indeed, a scan for that API key at the threat hunting platform Silent Push reveals at least 1,270 recently-registered and active domains whose names all invoke some type of gaming or wagering theme.

The “verification deposit” stage of the scam requires the user to deposit cryptocurrency in order to withdraw their “winnings.”

Thereallo said the operators of this scam empire appear to generate a unique Bitcoin wallet for each gaming domain they deploy.

“This is a decoy wallet,” Thereallo explained. “Once the victim deposits funds, they are never able to withdraw any money. Any attempts to contact the ‘Live Support’ are handled by a combination of AI and human operators who eventually block the user. The chat system is self-hosted, making it difficult to report to third-party service providers.”

Thereallo discovered another feature common to all of these scam gambling sites [hereafter referred to simply as “scambling” sites]: If you register at one of them and then very quickly try to register at a sister property of theirs from the same Internet address and device, the registration request is denied at the second site.

“I registered on one site, then hopped to another to register again,” Thereallo said. Instead, the second site returned an error stating that a new account couldn’t be created for another 10 minutes.

The scam gaming site spinora dot cc shares the same chatbot API as more than 1,200 similar fake gaming sites.

“They’re tracking my VPN IP across their entire network,” Thereallo explained. “My password manager also proved it. It tried to use my dummy email on a site I had never visited, and the site told me the account already existed. So it’s definitely one entity running a single platform with 1,200+ different domain names as front-ends. This explains how their support works, a central pool of agents handling all the sites. It also explains why they’re so strict about not giving out wallet addresses; it’s a network-wide policy.”

In many ways, these scambling sites borrow from the playbook of “pig butchering” schemes, a rampant and far more elaborate crime in which people are gradually lured by flirtatious strangers online into investing in fraudulent cryptocurrency trading platforms.

Pig butchering scams are typically powered by people in Asia who have been kidnapped and threatened with physical harm or worse unless they sit in a cubicle and scam Westerners on the Internet all day. In contrast, these scambling sites tend to steal far less money from individual victims, but their cookie-cutter nature and automated support components may enable their operators to extract payments from a large number of people in far less time, and with considerably less risk and up-front investment.

Silent Push’s Zach Edwards said the proprietors of this scambling empire are spending big money to make the sites look and feel like some fancy new type of casino.

“That’s a very odd type of pig butchering network and not like what we typically see, with much lower investments in the sites and lures,” Edwards said.

Here is a list of all domains that Silent Push found were using the scambling network’s chat API.


Modern PHP (8.x)

Post by Kristian Köhntopp via Die wunderbare Welt von Isotopp »

I have not been doing PHP in a long time, and so I am writing this here as a memo to self, in order to remind me what features are “new” in PHP, with “new” meaning 7.0 and newer.

Here is the 8.x edition.

Features

PHP version Category Feature
8.0 Syntax Named arguments
8.0 Classes Attributes (annotations)
8.0 Syntax Constructor property promotion
8.0 Typing Union types
8.0 Syntax Nullsafe operator (?->)
8.0 Errors throw as expression
8.0 Performance JIT compiler
8.0 Syntax Match expression
8.1 Typing Intersection types (A&B)
8.1 Syntax Array unpacking with string keys
8.1 Classes Enums
8.1 Classes Readonly properties
8.1 Syntax First-class callable syntax (obj::method(...))
8.1 Typing never return type
8.1 Concurrency Fibers (coroutines)
8.2 Typing Constants in Traits
8.2 Typing true/false/null standalone types
8.2 Functions Random extension (Randomizer API)
8.2 Security #[SensitiveParameter] attribute
8.2 Typing Readonly classes
8.2 Typing Disjunctive Normal Form types (DNF)
8.3 Classes Typed class constants
8.3 Typing Explicit callables
8.3 Syntax #[Override] attribute
8.3 Functions json_validate()
8.4 Typing Autovivification support
8.4 Classes Property hooks (__get/__set override without magic)
8.4 Syntax Asymmetric visibility (get/set modifiers)
8.4 Functions array_find(), array_first(), array_last()
8.5 Syntax Closures and callables in constant expressions
8.5 Syntax Pipe operator |>
8.5 CLI/Debug Fatal error backtraces
8.5 Attributes #[NoDiscard]

8.0 (2020)

Named arguments

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

function greet($name, $title = 'Mr', $punctuation = '!') {
    echo "Hello, {$title} {$name}{$punctuation}\n";
}

greet(name: "Kris", punctuation: "!!");
$ php probe.php
Hello, Mr Kris!!

Attributes (annotations)

Instead of docstrings, you can now use Attributes, a structured way to add metadata to classes, functions, methods, and properties. Attributes are first-class language constructs, so they are parsed by PHP. They can be accessed through the Reflection API, making them more reliable and easier to work with than parsing comment blocks.

<?php

#[Attribute]
class Route {
    public function __construct(
        public string $path,
        public array $methods = ['GET']
    ) {}
}

#[Route('/home', methods: ['GET', 'POST'])]
class HomeController {
    public function index() {
        return 'Hello from HomeController';
    }
}

// Using reflection to read attributes:
$reflectionClass = new ReflectionClass(HomeController::class);
foreach ($reflectionClass->getAttributes(Route::class) as $attribute) {
    $routeInstance = $attribute->newInstance();
    echo "Path: {$routeInstance->path}\n";
    echo "Methods: " . implode(', ', $routeInstance->methods) . "\n";
}
  • Define a class usable as an Attribute using #[Attribute].
  • Use the attribute (with parameters) on another class (use #[Route] on HomeController)
  • Use Reflection to extract Attributes (->getAttributes() does all the work for us)

Constructor property promotion

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

class User {
    public function __construct(
        public string $name,
        private int $age,
    ) {}
}

$u = new User("Kris", 57);
print_r($u);
$ php probe.php
User Object
(
    [name] => Kris
    [age:User:private] => 57
)

This saves writing a lot of boilerplate assignments of the $this->name = $name kind.

Union types

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

function giveInt(?string $future_int): int {
  return (int) $future_int;
}

echo giveInt("30"), "\n";
echo giveInt(null), "\n";
$ php probe.php
30
0

This is using ?string as a shorthand for string|null.

Nullsafe operator (?->)

$ cat probe.php
#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

class Profile {
  function __construct (public string $name) {}
}

class User {
  function __construct (public ?Profile $profile) {}
}

$profile = new Profile("Kris");
$user = new User($profile);

$user2 = new User(null);

echo "{$user?->profile?->name}\n";
echo "{$user2?->profile?->name}\n";

echo "{$user->profile->name}\n";
echo "{$user2->profile->name}\n";
$ php probe.php
Kris

Kris
PHP Warning:  Attempt to read property "name" on null in /Users/kris/probe.php on line 22

Warning: Attempt to read property "name" on null in /Users/kris/probe.php on line 22

Strangely, this is by default only a warning and not a full-blown exception.

throw as expression

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

function requireEnv(string $key): string {
    return $_ENV[$key] ?? throw new RuntimeException("Missing env: $key");
}

// throws immediately if FOO is not set
$foo = requireEnv('FOO');

JIT compiler

PHP 8.0 introduced a JIT (Just-In-Time) compiler in Opcache. It can speed up CPU-bound code (e.g., numeric loops) but typically doesn’t affect IO-bound web apps much. Enable and tune via php.ini (opcache.enable=1, opcache.jit=...); behavior is otherwise transparent to userland code.

Match expression

Match is an expression (it returns a value) with strict comparisons (===), no fallthrough and no implicit type juggling. Arms can have multiple comma-separated conditions and can execute expressions. If nothing matches and there is no default, it throws an UnhandledMatchError.

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

$code = 200;
$message = match ($code) {
    200, 201 => 'OK',
    400 => 'Bad Request',
    404 => 'Not Found',
    500, 502, 503 => 'Server Error',
    default => 'Unknown',
};

echo $message, "\n";
// $ php probe.php
// OK

Strict matching (no type juggling):

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

$val = '2';
$result = match ($val) {
    2       => 'int two',
    '2'     => 'string two',
    default => 'other',
};

echo $result, "\n";
// $ php probe.php
// string two

You can also use it like a concise if/elseif chain with match (true), because each arm condition is compared strictly to true:

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

function grade(int $score): string {
    return match (true) {
        $score >= 90 => 'A',
        $score >= 75 => 'B',
        $score >= 60 => 'C',
        default      => 'F',
    };
}

echo grade(82), "\n";
// $ php probe.php
// B

If no arm matches and you omit default, PHP throws an UnhandledMatchError.

8.1 (2021)

Intersection types (A&B)

interface A { public function foo(): void; }
interface B { public function foo(): void; }

function needsAandB(A&B $x): void { $x->foo(); }

Array unpacking with string keys

$a = ['a' => 1];
$b = ['b' => 2];
$c = ['a' => 3];
$merged = ['x' => 0, ...$a, ...$b, ...$c]; // later entries overwrite earlier ones

Enums

enum Status: string { case Open = 'open'; case Closed = 'closed'; }

function isOpen(Status $s): bool { return $s === Status::Open; }

Readonly properties

class Point { public function __construct(public readonly int $x, public readonly int $y) {} }
$p = new Point(1,2);
// $p->x = 3; // Error

First-class callable syntax (obj::method(...))

class Greeter { public function hi(string $n): string { return "Hi, $n"; } }
$g = new Greeter();
$cb = $g->hi(...); // callable to instance method
echo $cb('Kris');

never return type

function fail(string $msg): never { throw new RuntimeException($msg); }

Fibers (coroutines)

$f = new Fiber(function(): void { Fiber::suspend('hello'); });
$val = $f->start(); // 'hello'
$f->resume();

8.2 (2022)

Constants in Traits

trait T { public const VERSION = 1; }
class C { use T; }
echo C::VERSION; // 1

true/false/null standalone types

function ok(): true { return true; }
function maybe(): null { return null; }

Random extension (Randomizer API)

$r = new \Random\Randomizer();
echo $r->getInt(1, 6), "\n"; // uniform int in [1,6]

#[SensitiveParameter] attribute

function login(#[SensitiveParameter] string $password): void {}
// Sensitive parameters are redacted from stack traces and error logs.
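
What the attribute changes in a captured trace, as an added example that is not from the original post. The function names and the credential are constructed, and it assumes PHP 8.2 or newer:

```php
<?php
declare(strict_types=1);

// Added example; connectPlain(), connectRedacted() and capture() are hypothetical names.

// Argument capture must be on for the comparison to show anything: php.ini-production
// ships with zend.exception_ignore_args=On, which drops all arguments from traces.
ini_set('zend.exception_ignore_args', '0');

function connectPlain(string $user, string $password): never {
    throw new RuntimeException("login failed for {$user}");
}

function connectRedacted(string $user, #[\SensitiveParameter] string $password): never {
    throw new RuntimeException("login failed for {$user}");
}

/** Call $fn with a constructed credential and return the exception it raises. */
function capture(callable $fn): Throwable {
    try {
        $fn('kris', 'constructed-secret-123');
    } catch (Throwable $e) {
        return $e;
    }
    throw new LogicException('callable did not throw');
}

// Compare the first trace frame of both calls: the rendered line and the
// runtime type of the second argument as stored in the trace.
foreach (['connectPlain', 'connectRedacted'] as $fn) {
    $e    = capture($fn);
    $args = $e->getTrace()[0]['args'] ?? [];
    printf("%-16s %s\n", $fn, explode("\n", $e->getTraceAsString())[0]);
    printf("%-16s password argument type: %s\n", '', get_debug_type($args[1] ?? null));
}

// The wrapper hides its payload from var_dump()/print_r(), but code that holds the
// object can still unwrap it, so traces remain data to protect, not to publish.
$wrapped = capture('connectRedacted')->getTrace()[0]['args'][1];
print_r($wrapped);
printf("unwrapped length: %d\n", strlen($wrapped->getValue()));
```

The attribute covers only arguments captured in traces; a secret interpolated into an exception message or passed to a logger by hand is written out as usual.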

Readonly classes

readonly class Config { public function __construct(public string $dsn) {} }

Disjunctive Normal Form types (DNF)

function f((A&B)|(C&D) $x): void {}

8.3 (2023)

Typed class constants

class X { public const int LIMIT = 10; }

Explicit callables

function handler(int $x): void {}
$cb = Closure::fromCallable('handler');

#[Override] attribute

class Base { public function foo(): void {} }
class Child extends Base { #[Override] public function foo(): void {} }

json_validate()

if (json_validate('{"a":1}')) { /* valid */ }

8.4 (2024)

Autovivification support

Arrays now autovivify on nested assignments in more cases (e.g., $a['x']['y'][] = 1; without prior checks).

Property hooks (__get/__set override without magic)

Property access can define inline get/set hooks on a property without global magic methods.

class User {
    public string $name {
        get => $this->name;
        set => $this->name = trim($value);
    }
}

Asymmetric visibility (get/set modifiers)

class Counter {
    // Readable from anywhere, writable only from inside the class.
    public private(set) int $value = 0;
}

array_find(), array_first(), array_last()

$xs = [1,2,3];
array_first($xs); // 1
array_last($xs);  // 3
array_find($xs, fn($v) => $v % 2 === 0); // 2

8.5 (2025)

Closures and callables in constant expressions

Allows using closures/callables in const contexts (e.g., as default values in attributes or constants where evaluated at compile time if possible).

Pipe operator (|>)

function trimToInt(string $s): int { return (int) trim($s); }

// The right-hand side of |> must be a callable taking one argument.
$result = " 42 " |> trimToInt(...);

Fatal error backtraces

Fatal errors now include backtraces to aid debugging (CLI and logs).

#[NoDiscard]

Marks a function/method return value as important; discarding it can trigger a warning.


Modern PHP (7.x)

Post by Kristian Köhntopp via Die wunderbare Welt von Isotopp »

I have not been doing PHP in a long time, and so I am writing this here as a memo to self, in order to remind me what features are “new” in PHP, with “new” meaning 7.0 and newer.

Features

PHP version Category Feature
7.0 Typing declare(strict_types=1) directive
7.0 Typing Scalar type declarations
7.0 Typing Return type declarations
7.0 Operators Null coalescing operator (??)
7.0 Classes Anonymous classes
7.0 Errors Throwable and Error hierarchy
7.1 Typing Iterable pseudo-type
7.1 Typing Nullable types (?type)
7.1 Typing Void return type
7.1 Classes Class constant visibility
7.1 Errors Multi-catch exceptions
7.2 Classes Proper key conversion for casts between object and array
7.2 Errors Counting uncountable things is now forbidden
7.2 Typing Object type hint
7.2 Security Cryptography update
7.2 Syntax Trailing commas in list()
7.3 Syntax Trailing commas in function calls
7.3 Syntax Flexible Heredoc/Nowdoc Syntax
7.3 Functions is_countable()
7.4 Typing Typed properties
7.4 Syntax Arrow functions (fn())
7.4 Syntax Spread Operator in Array Expression
7.4 Typing Limited Return Type Covariance and Argument Type Contravariance
7.4 Syntax Numeric Literal Separator _
7.4 Syntax Null Coalescing Assignment Operator
7.4 Classes Weak Refs
7.4 Performance Preloading (Opcache)
7.4 Syntax Lots of Deprecations

7.0 (2015)

Strict Types, Scalar Type Declarations and Return Type Declarations

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

function add(int $a, int $b): int {
    return $a + $b;
}

// "30" is a string, so strict mode rejects it with a TypeError.
echo add("30", 3), "\n";
$ php probe.php
PHP Fatal error:  Uncaught TypeError: add(): Argument #1 ($a) must be of type int, string given, called in /Users/kris/probe.php on line 10 and defined in /Users/kris/probe.php:5

?? - Null Coalescing Operator

A shorthand for isset() and offering a default value.

$username = $_GET['user'] ?? 'guest';
// previously
// $username = isset($_GET['user']) ? $_GET['user'] : 'guest';

Anonymous Classes

$logger = new class {
  public function log(string $msg) {
    echo "[LOG] {$msg}\n";
  }
};

$logger->log("Hi!");

Useful for throwaway classes, often used in tests.

Throwable and Error hierarchy, unifying Exceptions and Errors

Adds an Interface Throwable, allows you to catch Errors, not just Exceptions.

try {
  throw new Error("Argh!");
} catch (Throwable $e) {
  echo "Caught {$e->getMessage()}\n";
}

7.1 (2016)

Iterable Pseudo-Type

Normally, Iterable would be an Interface, and you’d declare the parameter type or return type of a function to be like that. For historical reasons that wasn’t possible: there is array for non-objects, and Traversable for objects. Both can be passed to foreach, and their elements can be yielded.

The keyword Iterable is reserved, as is the function name is_iterable().

It can be used like a type in signatures, and unifies these two behaviors. It is a shortcut for array|Traversable.

function iterate_something(iterable $it) {
  foreach ($it as $element) {
    // ...
  }
}

function generate_something(): iterable {
  yield 1;
  yield 2;
  yield 3;
}

Nullable Types, Void Type

Introduces the type prefix ? as a prefix for the type t so that ?t is short for t|null. So you get

function eight_ball(string $question): ?string { // null if we don't know the answer
   // ...
   return null; // allowed
}

For return types, a subclass or implementation of an Interface can be stricter, that is, remove nullability from the return type.

For parameter types, a subclass or implementation of an Interface may be looser, that is, add nullability to a parameter type.

A function with a nullable type still needs a parameter, there is no null default. It is valid to provide a default value to a nullable parameter, and that default may be null.

We also get the void return type. In a function declared with : void, you may not return a value. You must use return; without a value. null is a value, so return null; is invalid for void functions.

function no_result(): void {
  return 1; // invalid
}

Short array deconstruction syntax, using keys in list (“to_dict”)

You can construct arrays and dicts in PHP with the array() constructor, and since 5.4 also with [ ].

$a = array(1, 2, 3);  
  // also $a = [1, 2, 3]
$d = array("one" => 1, "two" => 2, "three" => 3); 
  // also $d = [ "one" => 1, "two" => 2, "three" => 3 ];

Deconstruction is possible with list(), and newly added is the use of keys in list to convert an array to a dict.

list($a, $b, $c) = $some_array;
list("a" => $a, "b" => $b, "c" => $c) = $some_array; // to dict

This is now also possible using [ ] on the LHS of an assignment.

[ $a, $b, $c ] = $some_array;
[ "a" => $a, "b" => $b, "c" => $c ] = $some_array; // to_dict

Nested, mixed use of list() and [ ] is explicitly not allowed. You can nest, but you must consistently use either one or the other syntax.

Multiexception

try {
   // Some code...
} catch (ExceptionType1 | ExceptionType2 $e) {
   // Code to handle the exception
}

instead of

try {
   // Some code...
} catch (ExceptionType1 $e) {
   // Code to handle the exception
} catch (ExceptionType2 $e) {
   // Same code to handle the exception
}

Class Constant Visibility Modifiers

class Token {
  const PUBLIC_CONST = 0; // default is public
  
  private const PRIVATE_CONST = 0;
  protected const PROTECTED_CONST = 0;
  public const PUBLIC_CONST_TWO = 0;
}

const can now use visibility in classes. In Interfaces, they must be public.

Other changes

The variable name $this is now reserved and can no longer be used as a parameter, static variable, global variable, catch variable, or foreach counter. It can also no longer be unset, reassigned directly, through $$ (variable variables) or through references, through extract or parse_str().

Consequently, you can’t use $this when you are not in an object context.

Negative string offsets now can be used everywhere consistently and will reference glyphs from the right. The last glyph in a string is at offset -1.

7.2 (2017)

Proper Key Conversion for Object/Array Casts

When converting between arrays and objects, keys now follow the same, consistent key-casting rules used by arrays:

  • Only int and string keys are allowed.
  • Numeric strings become ints (“42” -> 42).
  • Floats are truncated to int (1.7 -> 1).
  • Booleans become 1/0, null becomes the empty string “”.

This mainly affects odd cases when you cast arrays to objects and back, or when you create properties with unusual names and then cast to an array.

#! /opt/homebrew/bin/php
<?php
$a = ["42" => 'x', 1.7 => 'y', true => 't', null => 'n'];
$o = (object)$a;           // properties named "42", "1", ""
$b = (array)$o;            // keys are re-cast just like array keys

var_export($b);
/* Result: numeric string -> 42, float -> 1, true -> 1, null -> ""
array (
  42 => 'x',
  1 => 't',   // true => 1 overwrote 1.7 => 1
  '' => 'n',
)*/

Counting Uncountable Things is now forbidden

Calling count() on something that is not an array and not Countable now raises a warning. Guard your calls, or implement Countable on your classes.

#! /opt/homebrew/bin/php
<?php
// Before 7.2 this often silently returned 1 or 0 in odd ways.
// With 7.2 you get a warning:
$x = 123;
var_dump(count($x));  // Warning: count(): Parameter must be an array or an object that implements Countable

$y = new ArrayObject([1,2,3]);
var_dump(count($y));  // 3 (Countable)

Object typehint for parameters and return types

You can now require an object in signatures, without specifying a particular class or interface.

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

function touch_object(object $o): object {
    // do something with $o
    return $o;
}

class C {}

var_dump(touch_object(new C()));

Cryptography updates

  • Allow Argon2 in password_* functions.
  • Sane TLS defaults
  • Removal of abandoned mcrypt extension.
  • Add sodium as a core extension.
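
How the first and last bullets look in code, as an added example that is not from the original post: a login check that moves legacy bcrypt hashes to Argon2i, and sodium's authenticated encryption. The helper names preferred_algo() and verify_and_upgrade() and the sample password are made up for illustration.

```php
<?php
declare(strict_types=1);

// Added example; preferred_algo() and verify_and_upgrade() are hypothetical helpers.

// PASSWORD_ARGON2I is only defined when this PHP build has Argon2 support,
// so fall back to the build's default algorithm otherwise.
function preferred_algo()
{
    return defined('PASSWORD_ARGON2I') ? PASSWORD_ARGON2I : PASSWORD_DEFAULT;
}

// Verify a login and transparently re-hash a legacy hash with the preferred
// algorithm. Returns [bool $ok, string $hashToStore].
function verify_and_upgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, $storedHash];
    }
    if (password_needs_rehash($storedHash, preferred_algo())) {
        $storedHash = password_hash($password, preferred_algo());
    }
    return [true, $storedHash];
}

// Constructed sample: a legacy bcrypt hash as it might sit in a user table.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

[$ok, $upgraded] = verify_and_upgrade('correct horse battery staple', $legacy);
printf("login ok: %s, stored as: %s\n",
    var_export($ok, true), password_get_info($upgraded)['algoName']);

[$ok, $unchanged] = verify_and_upgrade('wrong password', $legacy);
printf("login ok: %s, hash rewritten: %s\n",
    var_export($ok, true), var_export($unchanged !== $legacy, true));

// sodium: symmetric encryption with authentication built in.
$key   = sodium_crypto_secretbox_keygen();
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // never reuse a nonce with the same key
$box   = sodium_crypto_secretbox('session payload', $nonce, $key);

$plain = sodium_crypto_secretbox_open($box, $nonce, $key);
printf("decrypted: %s\n", $plain);

// Flip one bit of the ciphertext: the MAC check fails and open() returns false
// instead of handing back corrupted plaintext.
$tampered    = $box;
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
$result      = sodium_crypto_secretbox_open($tampered, $nonce, $key);
printf("tampered ciphertext accepted: %s\n", var_export($result !== false, true));

sodium_memzero($key); // wipe the key from memory when done
```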

Trailing commas in list()

You can finally add a trailing comma in list() and array destructuring, which makes diffs cleaner.

#! /opt/homebrew/bin/php
<?php
[$a, $b,] = [1, 2];
list($x, $y,) = [3, 4];
var_dump($a, $b, $x, $y);

7.3 (2018)

Flexible heredoc/nowdoc indentation

Heredoc and nowdoc syntax became more flexible. You can indent the closing identifier and the content will be de‑indented accordingly, making multi‑line strings easier to embed in indented code.

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

function emailBody(string $name): string {
    $indent = "    ";
    $body = <<<MAIL
        Hello $name,
        
        this is an indented heredoc.
        The indentation before the closing marker is ignored.
        
        Regards,
        Admin
        MAIL;
    return $body;
}

echo emailBody("Kris"), "\n";

Trailing commas in function calls

You can add a trailing comma to function and method calls. This helps with cleaner diffs when adding more arguments.

#! /opt/homebrew/bin/php
<?php
function sum($a, $b, $c) { return $a + $b + $c; }

// Note the trailing comma after the last argument
var_dump(sum(
    1,
    2,
    3,
));

JSON_THROW_ON_ERROR

json_encode() and json_decode() can now throw JsonException instead of returning false and setting json_last_error(). Use the JSON_THROW_ON_ERROR flag.

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

$broken = "{ invalid json }";
try {
    json_decode($broken, true, 512, JSON_THROW_ON_ERROR);
} catch (JsonException $e) {
    echo "Decoding failed: ", $e->getMessage(), "\n";
}

try {
    $data = ["a" => INF]; // not representable in JSON by default
    json_encode($data, JSON_THROW_ON_ERROR);
} catch (JsonException $e) {
    echo "Encoding failed: ", $e->getMessage(), "\n";
}

is_countable()

A helper to check if a value is countable before calling count().

#! /opt/homebrew/bin/php
<?php
$x = 123;
$y = [1,2,3];

var_dump(is_countable($x)); // false
var_dump(is_countable($y)); // true

if (is_countable($x)) {
    echo count($x), "\n";
}

7.4 (2019)

Typed properties

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

class Counter {
    public int $count = 0;      // typed property
    private ?string $name = null; // nullable type
}

$c = new Counter();
$c->count = 42;           // OK
$c->name = "demo";        // OK

try {
    // TypeError at runtime (assignment must match declared type)
    $c->count = "not an int";
} catch (TypeError $e) {
    echo $e->getMessage(), "\n";
}

Arrow functions (fn())

Short syntax for anonymous functions. Automatic access to closure values, and to outer values.

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

$factor = 2;
$nums = [1, 2, 3];
$doubled = array_map(fn(int $n): int => $n * $factor, $nums);
print_r($doubled);
// [2, 4, 6]

Spread operator in array expressions

You can unpack arrays into other arrays using .... In PHP 7.4 only arrays with numeric keys can be spread (string keys are supported from 8.1).

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

$a = [2, 3];
$b = [1, ...$a, 4];
print_r($b);
// [1, 2, 3, 4]

Limited covariance and contravariance

Return types may be more specific (covariant), parameter types may be more general (contravariant) in child (subclass) methods.

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

class Base {
    public function getIterator(): Traversable { return new ArrayIterator([]); }
    public function setIterator(Iterator $it): void {}
}

class Child extends Base {
    // Return type covariance: Traversable -> Iterator (more specific)
    public function getIterator(): Iterator { return new ArrayIterator([1,2]); }
    // Param type contravariance: Iterator -> Traversable (more general)
    public function setIterator(Traversable $it): void {}
}

$child = new Child();
var_dump(get_class($child->getIterator())); // ArrayIterator

Numeric literal separator _

Use underscores in numeric literals for readability.

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

$oneMillion = 1_000_000;
$hex = 0xFF_FF;
$bin = 0b1010_1010;
var_dump($oneMillion, $hex, $bin);

Null coalescing assignment operator (??=)

Shorthand to assign a default only if the variable is null or not set.

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

$options = [];
$options['timeout'] ??= 30; // sets to 30 because key is not set
$options['timeout'] ??= 10; // keeps 30, because already set and not null
var_dump($options);

Weak references

Hold references to objects that do not prevent their garbage collection.

#! /opt/homebrew/bin/php
<?php
declare(strict_types=1);

$o = new stdClass();
$wr = WeakReference::create($o);

var_dump($wr->get() !== null); // true
unset($o);                      // drop the strong reference
var_dump($wr->get() === null);  // true (target was collected)

Preloading (Opcache)

Allows loading PHP files into Opcache on server startup so classes/functions are available to all requests without requiring them each time.

  • php.ini:
opcache.preload=/path/to/preload.php
opcache.preload_user=www-data
  • preload.php:
<?php
opcache_compile_file(__DIR__ . '/src/Autoload.php');
opcache_compile_file(__DIR__ . '/src/Domain/Model.php');

Deprecations in 7.4 (selection)

  • Curly brace array/string offset access: $str{0} and $arr{0} — use $str[0], $arr[0].
  • Nested ternary without explicit parentheses emits a deprecation warning.
  • Real type alias real is deprecated; use float.
  • implode() parameter order confusion warnings (use implode(string $glue, array $pieces)).

See PHP 7.4 RFCs for the full list: https://wiki.php.net/rfc#php_74


Valuable News – 2025/07/28

Post by Vermaden via 𝚟𝚎𝚛𝚖𝚊𝚍𝚎𝚗 »

UNIX

FreeBSD Configure and Run Podman (Awesome Docker Alternative).
https://youtube.com/watch?v=L5z1_T4nHSU

WordPress on FreeBSD with BastilleBSD: Secure Alternative to Linux/Docker.
https://journal.bsd.cafe/2025/07/21/wordpress-on-freebsd-with-bastillebsd-a-secure-alternative-to-linux-docker/

The tarBSD is Minimal FreeBSD Boots to Memory Image.
https://github.com/pavetheway91/tarbsd

Finally zfsd(8) on FreeBSD with Needed Patches for SAN/FC Networks.
https://cgit.freebsd.org/src/commit/?id=89f4f91dbfdcabe65bc7476bc5f13dfb837870fe

The mkcert Simple Tool to Make Local Trusted Development Certs.
https://github.com/FiloSottile/mkcert

Self Hosted BSD Native Gemini Protocol Server Stack.
https://journal.bsd.cafe/2025/07/22/a-self-hosted-bsd-native-gemini-protocol-server-stack/

FreeBSD 15.0 Aims to Have KDE/Plasma Desktop Install Option.
https://www.phoronix.com/news/FreeBSD-15-KDE-Install-Plan

Pogocache 1.0 Released with Better Performance Than Memcache/Valkey/Redis.
https://phoronix.com/news/Pogocache-1.0-Released

FreeBSD 15 Makes Graphical Installation Easier.
https://officialaptivi.wordpress.com/2025/07/23/freebsd-15-makes-graphical-installation-easier/

FreeBSD Journal – 2025/04-05 – Networking.
https://freebsdfoundation.org/our-work/journal/browser-based-edition/networking-3/

FreeBSD 15.0 Installer to Gain Option to Install Full KDE/Plasma Desktop Environment.
https://osnews.com/story/142871/freebsd-15-0s-installer-to-gain-option-to-install-a-full-kde-plasma-desktop-environment/

2 FOR 1 – Learn Three GhostBSD Things – Some LO Shortcuts.
https://youtube.com/watch?v=lhFSMFHNX1E

Installing FreeBSD without Internet.
https://youtube.com/watch?v=vR4oP8CRgVU

Controlled Credentials Transitions without Privileges on FreeBSD.
https://youtube.com/watch?v=Wl2hewfxcKM

GoToSocial Adventures: Migrate from Pixelfed.
https://tumfatig.net/2025/gotosocial-adventures-migrate-from-pixelfed/

GoToSocial Adventures: Migrate from Mastodon.
https://tumfatig.net/2025/gotosocial-adventures-migrate-from-mastodon/

GoToSocial Adventures: Run on OpenBSD.
https://tumfatig.net/2025/gotosocial-adventures-run-on-openbsd/

Plain WM Ahead of XFCE and KDE Lead Among FreeBSD Desktop Users.
https://reddit.com/r/freebsd_desktop/comments/1m7mnpv/xfce_and_kde_retain_lead_among_freebsd_desktop/

OPNsense 25.7 Brings Revamped GUI and New Firewall Tools.
https://linuxiac.com/opnsense-25-7-brings-revamped-gui-and-new-firewall-tools/

Guide to Configuring Additional IPv4/IPv6 IP Addresses in FreeBSD VPS.
https://blog.radwebhosting.com/guide-to-configuring-additional-ip-addresses-in-freebsd-vps/

FreeBSD 15 Installer to Offer Minimal KDE Desktop.
https://theregister.com/2025/07/25/freebsd_15_installer_offers_kde/

Sad State of Font Rendering on Linux.
https://pandasauce.org/post/linux-fonts/

FreeBSD Foundation – Installer Usability.
https://freebsdfoundation.org/our-work/journal/browser-based-edition/networking-3/installer-usability/

Game of Trees 0.116 Released.
https://undeadly.org/cgi?action=article;sid=20250726073234

Why I Use Xorg over Wayland.
https://orbitalmartian.vercel.app/blog/2025-07-27-xorg-over-wayland/

OPNsense® 25.7 Launches with Smarter Security and Faster Setup.
https://deciso.com/opnsense-25-7-visionary-viper-launches-with-smarter-security-and-faster-setup/

Hardware

USB-C-ing All the Things.
https://hackaday.com/2025/07/22/usb-c-ing-all-the-things/

Efficient Computer Electron E1 CPU – 100x More Efficient than ARM.
https://morethanmoore.substack.com/p/efficient-computers-electron-e1-cpu

DIY Dual Screen Cyberdeck – Sleek Design and Ultimate Functionality.
https://youtube.com/watch?v=cigAxzQGeLg

Other

How to Firefox.
https://kau.sh/blog/how-to-firefox/

uBlock Origin Works Best on Firefox.
https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-best-on-Firefox

Ladybird Proves You CAN Just Build a New Web Browser.
https://youtube.com/watch?v=GlbTV2rID_8

Usual Suspects

BSD Weekly.
https://bsdweekly.com/

DiscoverBSD.
https://discoverbsd.com/

BSDSec.
https://bsdsec.net/

DragonFly BSD Digest.
https://dragonflydigest.com/

FreeBSD Patch Level Table.
https://bokut.in/freebsd-patch-level-table/

FreeBSD End of Life Date.
https://endoflife.date/freebsd

Phoronix BSD News Archives.
https://phoronix.com/linux/BSD

OpenBSD Journal.
https://undeadly.org/

Call for Testing.
https://callfortesting.org/

Call for Testing – Production Users Call.
https://youtube.com/@callfortesting/videos

BSD Now Weekly Podcast.
https://www.bsdnow.tv/

Nixers Newsletter.
https://newsletter.nixers.net/entries.php

BSD Cafe Journal.
https://journal.bsd.cafe/

DragonFly BSD Digest – Lazy Reading – In Other BSDs.
https://dragonflydigest.com

Quote(s) of the Week


Well, I don’t want no Jesus freak to tell me what it’s all about
No black magician telling me to cast my soul out
Don’t believe in violence, I don’t even believe in peace
I’ve opened the door, now my mind’s been released

Well, I don’t want no preacher telling me about the god in the sky
No, I don’t want no one to tell me where I’m gonna go when I die
I wanna live my life, I don’t want people telling me what to do
I just believe in myself ’cause no one else is true

So believe what I tell you, it’s the only way to fight in the end
Just believe in yourself, you know you really shouldn’t have to pretend
Don’t let those empty people try and interfere with your mind
Just live your life and leave them all behind

Black Sabbath
Under the Sun

EOF

Phishers Target Aviation Execs to Scam Customers

Post by Brian Krebs via Krebs on Security »

KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries.

A reader who works in the transportation industry sent a tip about a recent successful phishing campaign that tricked an executive at the company into entering their credentials at a fake Microsoft 365 login page. From there, the attackers quickly mined the executive’s inbox for past communications about invoices, copying and modifying some of those messages with new invoice demands that were sent to some of the company’s customers and partners.

Speaking on condition of anonymity, the reader said the resulting phishing emails to customers came from a newly registered domain name that was remarkably similar to their employer’s domain, and that at least one of their customers fell for the ruse and paid a phony invoice. They said the attackers had spun up a look-alike domain just a few hours after the executive’s inbox credentials were phished, and that the scam resulted in a customer suffering a six-figure financial loss.

The reader also shared that the email address in the registration records for the imposter domain, roomservice801@gmail.com, is tied to many such phishing domains. Indeed, a search on this email address at DomainTools.com finds it is associated with at least 240 domains registered in 2024 or 2025. Virtually all of them mimic legitimate domains for companies in the aerospace and transportation industries worldwide.

An Internet search for this email address reveals a humorous blog post from 2020 on the Russian forum hackware[.]ru, which found roomservice801@gmail.com was tied to a phishing attack that used the lure of phony invoices to trick the recipient into logging in at a fake Microsoft login page. We’ll come back to this research in a moment.

JUSTY JOHN

DomainTools shows that some of the early domains registered to roomservice801@gmail.com in 2016 include other useful information. For example, the WHOIS records for alhhomaidhicentre[.]biz reference the technical contact of “Justy John” and the email address justyjohn50@yahoo.com.

A search at DomainTools found justyjohn50@yahoo.com has been registering one-off phishing domains since at least 2012. At this point, I was convinced that some security company surely had already published an analysis of this particular threat group, but I didn’t yet have enough information to draw any solid conclusions.

DomainTools says the Justy John email address is tied to more than two dozen domains registered since 2012, but we can find hundreds more phishing domains and related email addresses simply by pivoting on details in the registration records for these Justy John domains. For example, the street address used by the Justy John domain axisupdate[.]net — 7902 Pelleaux Road in Knoxville, TN — also appears in the registration records for accountauthenticate[.]com, acctlogin[.]biz, and loginaccount[.]biz, all of which at one point included the email address rsmith60646@gmail.com.

That Rsmith Gmail address is connected to the 2012 phishing domain alibala[.]biz (one character off of the Chinese e-commerce giant alibaba.com, with a different top-level domain of .biz). A search in DomainTools on the phone number in those domain records — 1.7736491613 — reveals even more phishing domains as well as the Nigerian phone number “2348062918302” and the email address michsmith59@gmail.com.

DomainTools shows michsmith59@gmail.com appears in the registration records for the domain seltrock[.]com, which was used in the phishing attack documented in the 2020 Russian blog post mentioned earlier. At this point, we are just two steps away from identifying the threat actor group.

The same Nigerian phone number shows up in dozens of domain registrations that reference the email address sebastinekelly69@gmail.com, including 26i3[.]net, costamere[.]com, danagruop[.]us, and dividrilling[.]com. A Web search on any of those domains finds they were indexed in an “indicator of compromise” list on GitHub maintained by Palo Alto Networks’ Unit 42 research team.

SILVERTERRIER

According to Unit 42, the domains are the handiwork of a vast cybercrime group based in Nigeria that it dubbed “SilverTerrier” back in 2014. In an October 2021 report, Palo Alto said SilverTerrier excels at so-called “business e-mail compromise” or BEC scams, which target legitimate business email accounts through social engineering or computer intrusion activities. BEC criminals use that access to initiate or redirect the transfer of business funds for personal gain.

Palo Alto says SilverTerrier encompasses hundreds of BEC fraudsters, some of whom have been arrested in various international law enforcement operations by Interpol. In 2022, Interpol and the Nigeria Police Force arrested 11 alleged SilverTerrier members, including a prominent SilverTerrier leader who’d been flaunting his wealth on social media for years. Unfortunately, the lure of easy money, endemic poverty and corruption, and low barriers to entry for cybercrime in Nigeria conspire to provide a constant stream of new recruits.

BEC scams were the 7th most reported crime tracked by the FBI’s Internet Crime Complaint Center (IC3) in 2024, generating more than 21,000 complaints. However, BEC scams were the second most costly form of cybercrime reported to the feds last year, with nearly $2.8 billion in claimed losses. In its 2025 Fraud and Control Survey Report, the Association for Financial Professionals found 63 percent of organizations experienced a BEC last year.

Poking at some of the email addresses that spool out from this research reveals a number of Facebook accounts for people residing in Nigeria or in the United Arab Emirates, many of whom do not appear to have tried to mask their real-life identities. Palo Alto’s Unit 42 researchers reached a similar conclusion, noting that although a small subset of these crooks went to great lengths to conceal their identities, it was usually simple to learn their identities on social media accounts and the major messaging services.

Palo Alto said BEC actors have become far more organized over time, and that while it remains easy to find actors working as a group, the practice of using one phone number, email address or alias to register malicious infrastructure in support of multiple actors has made it far more time consuming (but not impossible) for cybersecurity and law enforcement organizations to sort out which actors committed specific crimes.

“We continue to find that SilverTerrier actors, regardless of geographical location, are often connected through only a few degrees of separation on social media platforms,” the researchers wrote.

FINANCIAL FRAUD KILL CHAIN

Palo Alto has published a useful list of recommendations that organizations can adopt to minimize the incidence and impact of BEC attacks. Many of those tips are prophylactic, such as conducting regular employee security training and reviewing network security policies.

But one recommendation — getting familiar with a process known as the “financial fraud kill chain” or FFKC — bears specific mention because it offers the single best hope for BEC victims who are seeking to claw back payments made to fraudsters, and yet far too many victims don’t know it exists until it is too late.

As explained in this FBI primer, the International Financial Fraud Kill Chain is a partnership between federal law enforcement and financial entities whose purpose is to freeze fraudulent funds wired by victims. According to the FBI, viable victim complaints filed with ic3.gov promptly after a fraudulent transfer (generally less than 72 hours) will be automatically triaged by the Financial Crimes Enforcement Network (FinCEN).

The FBI noted in its IC3 annual report (PDF) that the FFKC had a 66 percent success rate in 2024. Viable ic3.gov complaints involve losses of at least $50,000, and include all records from the victim or victim bank, as well as a completed FFKC form (provided by FinCEN) containing victim information, recipient information, bank names, account numbers, location, SWIFT, and any additional information.
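
A defensive check for the pattern this article describes (a freshly registered sender domain that is a character or two off a real one, like alibala[.]biz versus alibaba.com), as an added example that is not part of the original article. Function names, thresholds and sample messages are constructed; splitting at the last dot is a simplification that ignores multi-label suffixes such as .co.uk.

```php
<?php
declare(strict_types=1);

// Added example: flag inbound mail whose sender domain imitates a protected one.
// All function names, thresholds and sample data are constructed for illustration.

// Accept plain or defanged input: "Alibala[.]biz." -> "alibala.biz"
function normalise_domain(string $domain): string
{
    $domain = str_replace(['[.]', '(.)'], '.', strtolower(trim($domain)));
    return rtrim($domain, '.');
}

// Split into [name, tld] at the last dot.
// Assumption: no public-suffix list, so "example.co.uk" yields name "example.co".
function split_domain(string $domain): array
{
    $pos = strrpos($domain, '.');
    return $pos === false
        ? [$domain, '']
        : [substr($domain, 0, $pos), substr($domain, $pos + 1)];
}

// Return details of the closest protected domain the sender imitates, or null.
function find_lookalike(string $sender, array $protected, int $maxDistance = 2): ?array
{
    $sender    = normalise_domain($sender);
    $protected = array_map('normalise_domain', $protected);
    if (in_array($sender, $protected, true)) {
        return null; // the genuine domain itself
    }
    [$senderName, $senderTld] = split_domain($sender);
    $best = null;
    foreach ($protected as $real) {
        [$realName, $realTld] = split_domain($real);
        $distance = levenshtein($senderName, $realName);
        // Short names collide by chance; for them only accept the same name on another TLD.
        $limit = strlen($realName) < 6 ? 0 : $maxDistance;
        if ($distance > $limit) {
            continue;
        }
        if ($best === null || $distance < $best['distance']) {
            $best = [
                'sender'      => $sender,
                'resembles'   => $real,
                'distance'    => $distance,
                'tld_swapped' => $senderTld !== $realTld,
            ];
        }
    }
    return $best;
}

// Rank hits: a look-alike registered only days ago goes to the top of the queue.
function triage(array $messages, array $protected, int $newDomainDays = 30): array
{
    $alerts = [];
    foreach ($messages as $msg) {
        $hit = find_lookalike($msg['from_domain'], $protected);
        if ($hit === null) {
            continue;
        }
        $hit['subject']  = $msg['subject'];
        $hit['severity'] = $msg['domain_age_days'] <= $newDomainDays ? 'high' : 'review';
        $alerts[] = $hit;
    }
    return $alerts;
}

// Constructed sample data. domain_age_days would come from a WHOIS/RDAP lookup.
$protected = ['alibaba.com', 'example-aviation.com'];
$messages  = [
    ['from_domain' => 'alibaba.com',            'domain_age_days' => 9000, 'subject' => 'Statement'],
    ['from_domain' => 'alibala[.]biz',          'domain_age_days' => 1,    'subject' => 'Updated invoice'],
    ['from_domain' => 'example-avaition.com',   'domain_age_days' => 400,  'subject' => 'Payment details changed'],
    ['from_domain' => 'unrelated-supplier.net', 'domain_age_days' => 3,    'subject' => 'Quote'],
];

foreach (triage($messages, $protected) as $alert) {
    printf("%-6s %s resembles %s (edit distance %d%s): %s\n",
        $alert['severity'],
        $alert['sender'],
        $alert['resembles'],
        $alert['distance'],
        $alert['tld_swapped'] ? ', different TLD' : '',
        $alert['subject']);
}
```

Run against your own domain plus those of customers and partners you invoice, since the article's victim was a customer who received mail from the imitation domain.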


From Minecraft to Markets: Java Hiding in Plain Sight

Post by FreeBSD Foundation via FreeBSD Foundation »

Last weekend, I visited my brother-in-law’s family. After being enthusiastically greeted by my niece and nephew, they quickly returned to their game on the PlayStation.

“What are you playing?” I asked.

“Minecraft!” they shouted.

If you already know where this is going, you’re ahead of me. But if not, allow me to take you on the same journey of discovery that I have been on only recently.

Wait… Java?

When I was working in investment banking over a decade ago, Java was the language to code in. Almost every trading app I encountered used Java. These days, you’ll more often hear developers talking about Python, Rust, or Go. Borrowing from a previous post and using the tenuous ‘story shaper’ of Google Trends, you might even think Java is slowly fading away:

But that’s the thing about numbers — they don’t tell the whole story.

Beneath the surface of many major technologies, Java is still quietly doing what it’s always done: powering large-scale, indispensable applications. FreeBSD developers I spoke with recently reminded me just how many tools and services still rely on Java today, from Elasticsearch and Tomcat to LibreOffice (which, referring to current news, is at the heart of Denmark’s decision to move away from Microsoft Office).

And yes, Minecraft, the best-selling video game of all time, is written in Java.

Why It Matters

This brings us to the OpenJDK project. You may not see headlines about it every day, but behind the scenes, it’s the backbone of countless systems around the world. That’s why the FreeBSD Foundation has long supported the ongoing maintenance of OpenJDK on FreeBSD — and why this work is so important.

Thanks to the recent excellent work by Harald Eilertsen, OpenJDK on FreeBSD is now fully up to date. His work ensures FreeBSD users, from enterprise to game developers, can rely on Java without compromise.

It’s the kind of work that doesn’t grab headlines — no flashy interface or viral buzz — but it’s the quiet foundation that allows many other projects to thrive.

Full Circle

Back to the living room, watching my niece and nephew shouting with delight, made me think of the work Harald has been doing of late, and of the recent trip to a Hackathon in Berlin. Here was literal joy, in the form of two small humans playing a computer game. A game written in Java, running on a platform developed on top of FreeBSD. Supported by volunteers and professionals who care deeply about keeping essential tools alive and modern.

So the next time someone asks you, “Isn’t Java kind of outdated?” or “Is FreeBSD still a thing?”, think of those two kids. Think of joy, code, and community. Think of the people working behind the scenes to ensure that the foundations of our digital world remain solid.

Outdated? Hardly. Essential? Absolutely.


Contributed by Mark Phillips

The post From Minecraft to Markets: Java Hiding in Plain Sight first appeared on FreeBSD Foundation.


FreeBSD PKGBASE pkgbasify(8) Tool

Post by Vermaden via 𝚟𝚎𝚛𝚖𝚊𝚍𝚎𝚗 »

The so-called PKGBASE is the future of packaging the FreeBSD Base system – and it’s already implemented and tested in the upcoming 15.0-RELEASE version that will come later this year. You can even decide at the bsdinstall(8) stage if you want to install FreeBSD the ‘classic’ way or the PKGBASE way.

The PKGBASE is also well documented and you can run your Personal FreeBSD PKGBASE Update Server without a problem.

Right now there are only the latest 15-CURRENT images that you can use to try all of that … but there is also the FreeBSD Foundation sponsored pkgbasify(8) tool – it will literally convert your FreeBSD 14.x or 15.x installation into a PKGBASE install.

The instructions to do so are really simple – download it – make it executable – execute it.

FreeBSD # fetch https://github.com/FreeBSDFoundation/pkgbasify/raw/refs/heads/main/pkgbasify.lua
FreeBSD # chmod +x ./pkgbasify.lua
FreeBSD # ./pkgbasify.lua

You will be asked several questions – including a quite important one about creating a backup ZFS Boot Environment before you start the process – make sure your answer to that one is a big and fat YES.

Here is what the ‘upgrade’ process looks like.

I have placed (...) leaving only first and last 3 messages of the same type – to not have a mile/kilometer long output here.

FreeBSD # ./pkgbasify.lua
Running this tool will irreversibly modify your system to use pkgbase.
This tool and pkgbase are experimental and may result in a broken system.
It is highly recommend to backup your system before proceeding.
Do you accept this risk and wish to continue? (y/n) y
Updating FreeBSD-base repository catalogue...
Fetching meta.conf: 100%    179 B   0.2kB/s    00:01    
Fetching data.pkg: 100%   53 KiB  54.6kB/s    00:01    
Processing entries: 100%
FreeBSD-base repository update completed. 561 packages processed.
All repositories are up to date.
System has older __FreeBSD_version than remote pkgbase packages (1500046 vs 1500051).
It is recommended to update your system before running pkgbasify.
Ignore the osversion and continue anyway? (y/n) y
Create a boot environment before conversion? (y/n) y
Creating /usr/local/etc/pkg/repos/FreeBSD-base.conf
Adding BACKUP_LIBRARIES=yes to /usr/local/etc/pkg.conf
Updating FreeBSD-base repository catalogue...
Fetching meta.conf: 100%    179 B   0.2kB/s    00:01    
Fetching data.pkg: 100%   53 KiB  54.6kB/s    00:01    
Processing entries:   0%
Processing entries: 100%
FreeBSD-base repository update completed. 561 packages processed.
FreeBSD-base is up to date.
The following 292 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        FreeBSD-acct: 15.snap20250707041723 [FreeBSD-base]
        FreeBSD-acct-man: 15.snap20241026125659 [FreeBSD-base]
        FreeBSD-acpi: 15.snap20250707041723 [FreeBSD-base]
        (...)
        FreeBSD-zfs-dev: 15.snap20250707041723 [FreeBSD-base]
        FreeBSD-zfs-man: 15.snap20250711002650 [FreeBSD-base]
        FreeBSD-zoneinfo: 15.snap20250521200023 [FreeBSD-base]

Number of packages to be installed: 292

The process will require 2 GiB more space.
530 MiB to be downloaded.
[1/292] Fetching FreeBSD-libbsm-15.snap20250707041723.pkg: 100%   37 KiB  37.6kB/s    00:01    
[2/292] Fetching FreeBSD-libsqlite3-dev-15.snap20250708002345.pkg: 100%    2 MiB   1.1MB/s    00:02    
[3/292] Fetching FreeBSD-libldns-dev-15.snap20250707041723.pkg: 100%  666 KiB 682.5kB/s    00:01    
(...)
[290/292] Fetching FreeBSD-clibs-dev-15.snap20250713141730.pkg: 100%   16 MiB   2.1MB/s    00:08    
[291/292] Fetching FreeBSD-libstdbuf-dev-15.snap20250611191401.pkg: 100%    4 KiB   4.5kB/s    00:01    
[292/292] Fetching FreeBSD-wpa-man-15.snap20241026125659.pkg: 100%   14 KiB  14.2kB/s    00:01    
Checking integrity... done (0 conflicting)
Checking integrity... done (0 conflicting)
The following 292 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        FreeBSD-acct: 15.snap20250707041723 [FreeBSD-base]
        FreeBSD-acct-man: 15.snap20241026125659 [FreeBSD-base]
        FreeBSD-acpi: 15.snap20250707041723 [FreeBSD-base]
        (...)
        FreeBSD-zfs-dev: 15.snap20250707041723 [FreeBSD-base]
        FreeBSD-zfs-man: 15.snap20250711002650 [FreeBSD-base]
        FreeBSD-zoneinfo: 15.snap20250521200023 [FreeBSD-base]

Number of packages to be installed: 292

The process will require 2 GiB more space.
[1/292] Installing FreeBSD-acct-15.snap20250707041723...
[1/292] Extracting FreeBSD-acct-15.snap20250707041723: 100%
[2/292] Installing FreeBSD-acct-man-15.snap20241026125659...
(...)
[291/292] Extracting FreeBSD-zfs-man-15.snap20250711002650: 100%
[292/292] Installing FreeBSD-zoneinfo-15.snap20250521200023...
[292/292] Extracting FreeBSD-zoneinfo-15.snap20250521200023: 100%
Merged /etc/master.passwd
Merged /etc/rc.shutdown
Merged /etc/mtree/BSD.tests.dist
Merged /etc/mtree/BSD.usr.dist
Merged /etc/mtree/BSD.include.dist
Merged /etc/rc
Merged /etc/regdomain.xml
Merged /etc/sysctl.conf
Merged /etc/ssh/sshd_config
Merged /etc/group
Merged /etc/pccard_ether
Merged /etc/hosts
Merged /etc/rc.d/routing
Merged /etc/rc.d/nuageinit_user_data_script
Merged /etc/rc.d/mountcritlocal
Merged /etc/rc.d/kdc
Merged /etc/rc.d/zfsbe
Merged /etc/rc.d/zfs
Merged /etc/rc.d/zpool
Merged /etc/rc.d/hostname
Merged /etc/defaults/rc.conf
Merged /etc/rc.subr
Merged /etc/shells
Merged /etc/network.subr
Restarting sshd
Performing sanity check on sshd configuration.
Stopping sshd.
Waiting for PIDS: 12314, 12314.
Performing sanity check on sshd configuration.
Starting sshd.
Conversion finished.

Please verify that the contents of the following critical files are as expected:
/etc/master.passwd
/etc/group
/etc/ssh/sshd_config

After verifying those files, restart the system.

FreeBSD # reboot

All of the above would usually last about 10 minutes – it will be a lot faster if you have a really fast connection to the Internet.

After the conversion the system pkg(8) information looks as follows – including some ‘regular’ packages.

FreeBSD # pkg info
FreeBSD-acct-15.snap20250707041723 System Accounting Utilities
FreeBSD-acct-man-15.snap20241026125659 System Accounting Utilities (Manual Pages)
FreeBSD-acpi-15.snap20250707041723 ACPI Utilities
FreeBSD-acpi-man-15.snap20241026125659 ACPI Utilities (Manual Pages)
FreeBSD-apm-15.snap20250707041723 APM Utilities
FreeBSD-apm-man-15.snap20241026125659 APM Utilities (Manual Pages)
FreeBSD-at-15.snap20250707041723 AT Utilities
FreeBSD-at-man-15.snap20241026125659 AT Utilities (Manual Pages)
FreeBSD-audit-15.snap20250707041723 OpenBSM auditing utilities
FreeBSD-audit-dev-15.snap20250707041723 OpenBSM auditing utilities (Development Files)
FreeBSD-audit-man-15.snap20241026125659 OpenBSM auditing utilities (Manual Pages)
FreeBSD-autofs-15.snap20250707041723 Autofs Utilities
FreeBSD-autofs-man-15.snap20241026125659 Autofs Utilities (Manual Pages)
FreeBSD-bhyve-15.snap20250707041723 Bhyve Utilities
FreeBSD-bhyve-man-15.snap20250521163614 Bhyve Utilities (Manual Pages)
FreeBSD-blocklist-15.snap20250707041723 Blocklist Utilities
FreeBSD-blocklist-dev-15.snap20250707041723 Blocklist Utilities (Development Files)
FreeBSD-blocklist-man-15.snap20250203152159 Blocklist Utilities (Manual Pages)
FreeBSD-bluetooth-15.snap20250713095951 Bluetooth Utilities
FreeBSD-bluetooth-dev-15.snap20250707041723 Bluetooth Utilities (Development Files)
FreeBSD-bluetooth-man-15.snap20250130000845 Bluetooth Utilities (Manual Pages)
FreeBSD-bootloader-15.snap20250711053733 Bootloader
FreeBSD-bootloader-dev-15.snap20250711053733 Bootloader (Development Files)
FreeBSD-bsdinstall-15.snap20250707041723 BSDInstall Utilities
FreeBSD-bsdinstall-man-15.snap20250428171657 BSDInstall Utilities (Manual Pages)
FreeBSD-bsnmp-15.snap20250712134400 BSNMP Utilities
FreeBSD-bsnmp-dev-15.snap20250707041723 BSNMP Utilities (Development Files)
FreeBSD-bsnmp-man-15.snap20241026125659 BSNMP Utilities (Manual Pages)
FreeBSD-caroot-15.snap20250313075117 SSL Certificates
FreeBSD-ccdconfig-15.snap20250705072435 ccdconfig package
FreeBSD-ccdconfig-man-15.snap20250123170723 ccdconfig package (Manual Pages)
FreeBSD-certctl-15.snap20250117230744 SSL Certificate Utility
FreeBSD-certctl-man-15.snap20241026125659 SSL Certificate Utility (Manual Pages)
FreeBSD-clang-15.snap20250707041723 Clang Utilities
FreeBSD-clang-dev-15.snap20250707041723 Clang Utilities (Development Files)
FreeBSD-clang-man-15.snap20250505204745 Clang Utilities (Manual Pages)
FreeBSD-clibs-15.snap20250711204811 Core C Libraries
FreeBSD-clibs-dev-15.snap20250713141730 Core C Libraries (Development Files)
FreeBSD-clibs-man-15.snap20250709212429 Core C Libraries (Manual Pages)
FreeBSD-console-tools-15.snap20250707041723 Console Utilities
FreeBSD-console-tools-man-15.snap20241026125659 Console Utilities (Manual Pages)
FreeBSD-cron-15.snap20250707041723 cron(8) and crontab(1)
FreeBSD-cron-man-15.snap20241026125659 cron(8) and crontab(1) (Manual Pages)
FreeBSD-csh-15.snap20250709192127 C Shell
FreeBSD-csh-man-15.snap20241026125659 C Shell (Manual Pages)
FreeBSD-ctf-tools-15.snap20250707041723 CTF Utilities
FreeBSD-ctf-tools-man-15.snap20250616132851 CTF Utilities (Manual Pages)
FreeBSD-ctl-15.snap20250709143654 ctl package
FreeBSD-ctl-man-15.snap20250528033824 ctl package (Manual Pages)
FreeBSD-cxgbe-tools-15.snap20250707041723 Chelsio cxbge Utilities
FreeBSD-cxgbe-tools-man-15.snap20250519031828 Chelsio cxbge Utilities (Manual Pages)
FreeBSD-devd-15.snap20250707041723 Devd Utility and scripts
FreeBSD-devd-man-15.snap20250709143654 Devd Utility and scripts (Manual Pages)
FreeBSD-devmatch-15.snap20250707041723 Devmatch Utility
FreeBSD-devmatch-dev-15.snap20250611191401 Devmatch Utility (Development Files)
FreeBSD-devmatch-man-15.snap20250130000845 Devmatch Utility (Manual Pages)
FreeBSD-dhclient-15.snap20250707041723 DHCP Client
FreeBSD-dhclient-man-15.snap20241026125659 DHCP Client (Manual Pages)
FreeBSD-dma-15.snap20250707041723 DMA Mail Agent Utilities
FreeBSD-dma-man-15.snap20241026125659 DMA Mail Agent Utilities (Manual Pages)
FreeBSD-dtrace-15.snap20250707211642 Dtrace Utilities
FreeBSD-dtrace-dev-15.snap20250707211642 Dtrace Utilities (Development Files)
FreeBSD-dtrace-man-15.snap20250712093938 Dtrace Utilities (Manual Pages)
FreeBSD-dwatch-15.snap20241026125659 Dwatch Utilities
FreeBSD-dwatch-man-15.snap20250419184622 Dwatch Utilities (Manual Pages)
FreeBSD-ee-15.snap20250707041723 Easy Editor Utilities
FreeBSD-ee-man-15.snap20241026125659 Easy Editor Utilities (Manual Pages)
FreeBSD-efi-tools-15.snap20250707041723 UEFI Utilities
FreeBSD-efi-tools-dev-15.snap20250707041723 UEFI Utilities (Development Files)
FreeBSD-efi-tools-man-15.snap20241026125659 UEFI Utilities (Manual Pages)
FreeBSD-examples-15.snap20250710194216 Examples in /usr/share/examples
FreeBSD-fd-15.snap20250707041723 Floppy disk support
FreeBSD-fd-man-15.snap20250515020636 Floppy disk support (Manual Pages)
FreeBSD-fetch-15.snap20250707041723 Fetch Utility
FreeBSD-fetch-dev-15.snap20250707041723 Fetch Utility (Development Files)
FreeBSD-fetch-man-15.snap20241026125659 Fetch Utility (Manual Pages)
FreeBSD-firmware-iwm-15.snap20241216095300 iwm(4) firmwares
FreeBSD-ftp-15.snap20250707041723 FTP Utilities
FreeBSD-ftp-man-15.snap20241026125659 FTP Utilities (Manual Pages)
FreeBSD-ftpd-15.snap20250707041723 FTP Daemon
FreeBSD-ftpd-man-15.snap20250626130045 FTP Daemon (Manual Pages)
FreeBSD-fwget-15.snap20250619004001 FWGET Utility
FreeBSD-fwget-man-15.snap20241026125659 FWGET Utility (Manual Pages)
FreeBSD-games-15.snap20250705234744 Games
FreeBSD-games-man-15.snap20241026125659 Games (Manual Pages)
FreeBSD-geom-15.snap20250707041723 GEOM Utilitites
FreeBSD-geom-man-15.snap20250428160923 GEOM Utilitites (Manual Pages)
FreeBSD-ggate-15.snap20250707041723 GEOM Gate Utilities
FreeBSD-ggate-man-15.snap20241026125659 GEOM Gate Utilities (Manual Pages)
FreeBSD-hast-15.snap20250707041723 Highly Available Storage daemon
FreeBSD-hast-man-15.snap20241026125659 Highly Available Storage daemon (Manual Pages)
FreeBSD-hostapd-15.snap20250707041723 802.11 Access Point Daemon an Utilities
FreeBSD-hostapd-man-15.snap20241026125659 802.11 Access Point Daemon an Utilities (Manual Pages)
FreeBSD-hyperv-tools-15.snap20250707041723 Microsoft HyperV Utilities
FreeBSD-hyperv-tools-man-15.snap20241026125659 Microsoft HyperV Utilities (Manual Pages)
FreeBSD-inetd-15.snap20250707041723 Internet super-server
FreeBSD-inetd-man-15.snap20241026125659 Internet super-server (Manual Pages)
FreeBSD-ipf-15.snap20250708002345 ipf package
FreeBSD-ipf-man-15.snap20250304221631 ipf package (Manual Pages)
FreeBSD-ipfw-15.snap20250709090258 ipfw package
FreeBSD-ipfw-man-15.snap20250418123705 ipfw package (Manual Pages)
FreeBSD-iscsi-15.snap20250707041723 iscsi package
FreeBSD-iscsi-man-15.snap20250528033824 iscsi package (Manual Pages)
FreeBSD-jail-15.snap20250707041723 Jail Utilities
FreeBSD-jail-man-15.snap20250616132851 Jail Utilities (Manual Pages)
FreeBSD-kerberos-15.snap20250707041723 Kerberos Utilities
FreeBSD-kerberos-lib-15.snap20250708002345 Kerberos Libraries
FreeBSD-kerberos-lib-dev-15.snap20250708002345 Kerberos Libraries (Development Files)
FreeBSD-kerberos-lib-man-15.snap20241026125659 Kerberos Libraries (Manual Pages)
FreeBSD-kerberos-man-15.snap20241028160252 Kerberos Utilities (Manual Pages)
FreeBSD-kernel-generic-15.snap20250714080908 FreeBSD GENERIC kernel 
FreeBSD-lib9p-15.snap20250707041723 lib9p package
FreeBSD-lib9p-dev-15.snap20250707041723 lib9p package (Development Files)
FreeBSD-libarchive-15.snap20250709192127 libarchive package
FreeBSD-libarchive-dev-15.snap20250707041723 libarchive package (Development Files)
FreeBSD-libarchive-man-15.snap20250601213626 libarchive package (Manual Pages)
FreeBSD-libbegemot-15.snap20250705234744 libbegemot package
FreeBSD-libbegemot-dev-15.snap20250612001522 libbegemot package (Development Files)
FreeBSD-libbegemot-man-15.snap20241026125659 libbegemot package (Manual Pages)
FreeBSD-libblocksruntime-15.snap20250616183901 libblocksruntime package
FreeBSD-libblocksruntime-dev-15.snap20250611191401 libblocksruntime package (Development Files)
FreeBSD-libbsdstat-15.snap20250616183901 libbsdstat package
FreeBSD-libbsdstat-dev-15.snap20250611191401 libbsdstat package (Development Files)
FreeBSD-libbsm-15.snap20250707041723 libbsm package
FreeBSD-libbsm-dev-15.snap20250707041723 libbsm package (Development Files)
FreeBSD-libbsm-man-15.snap20241026125659 libbsm package (Manual Pages)
FreeBSD-libbz2-15.snap20250616183901 libbz2 package
FreeBSD-libbz2-dev-15.snap20250611191401 libbz2 package (Development Files)
FreeBSD-libcasper-15.snap20250707041723 libcasper package
FreeBSD-libcasper-dev-15.snap20250612202243 libcasper package (Development Files)
FreeBSD-libcasper-man-15.snap20241026125659 libcasper package (Manual Pages)
FreeBSD-libcompat-dev-15.snap20250707041723 libcompat package (Development Files)
FreeBSD-libcompat-man-15.snap20241026125659 libcompat package (Manual Pages)
FreeBSD-libcompiler_rt-dev-15.snap20250612001522 libcompiler_rt package (Development Files)
FreeBSD-libcuse-15.snap20250707041723 libcuse package
FreeBSD-libcuse-dev-15.snap20250707041723 libcuse package (Development Files)
FreeBSD-libcuse-man-15.snap20241026125659 libcuse package (Manual Pages)
FreeBSD-libdwarf-15.snap20250705072435 libdwarf package
FreeBSD-libdwarf-dev-15.snap20250612030328 libdwarf package (Development Files)
FreeBSD-libdwarf-man-15.snap20241026125659 libdwarf package (Manual Pages)
FreeBSD-libevent1-15.snap20250707041723 libevent1 package
FreeBSD-libevent1-dev-15.snap20250707041723 libevent1 package (Development Files)
FreeBSD-libexecinfo-15.snap20250707041723 libexecinfo package
FreeBSD-libexecinfo-dev-15.snap20250707041723 libexecinfo package (Development Files)
FreeBSD-libexecinfo-man-15.snap20241026125659 libexecinfo package (Manual Pages)
FreeBSD-libipt-15.snap20250707041723 libipt package
FreeBSD-libipt-dev-15.snap20250707041723 libipt package (Development Files)
FreeBSD-libldns-15.snap20250707041723 libldns package
FreeBSD-libldns-dev-15.snap20250707041723 libldns package (Development Files)
FreeBSD-liblzma-15.snap20250705072435 liblzma package
FreeBSD-liblzma-dev-15.snap20250612001522 liblzma package (Development Files)
FreeBSD-libmagic-15.snap20250707041723 libmagic package
FreeBSD-libmagic-dev-15.snap20250707041723 libmagic package (Development Files)
FreeBSD-libmagic-man-15.snap20241208191210 libmagic package (Manual Pages)
FreeBSD-libpathconv-15.snap20250616183901 libpathconv package
FreeBSD-libpathconv-dev-15.snap20250611191401 libpathconv package (Development Files)
FreeBSD-libpathconv-man-15.snap20241026125659 libpathconv package (Manual Pages)
FreeBSD-librpcsec_gss-15.snap20250705234744 librpcsec_gss package
FreeBSD-librpcsec_gss-dev-15.snap20250612001522 librpcsec_gss package (Development Files)
FreeBSD-librpcsec_gss-man-15.snap20241026125659 librpcsec_gss package (Manual Pages)
FreeBSD-librss-15.snap20250707041723 librss package
FreeBSD-librss-dev-15.snap20250707041723 librss package (Development Files)
FreeBSD-libsdp-15.snap20250707041723 libsdp package
FreeBSD-libsdp-dev-15.snap20250707041723 libsdp package (Development Files)
FreeBSD-libsdp-man-15.snap20241026125659 libsdp package (Manual Pages)
FreeBSD-libsqlite3-15.snap20250708002345 libsqlite3 package
FreeBSD-libsqlite3-dev-15.snap20250708002345 libsqlite3 package (Development Files)
FreeBSD-libstdbuf-15.snap20250616183901 libstdbuf package
FreeBSD-libstdbuf-dev-15.snap20250611191401 libstdbuf package (Development Files)
FreeBSD-libstdbuf-man-15.snap20241026125659 libstdbuf package (Manual Pages)
FreeBSD-libstdthreads-15.snap20250707041723 libstdthreads package
FreeBSD-libstdthreads-dev-15.snap20250611191401 libstdthreads package (Development Files)
FreeBSD-libstdthreads-man-15.snap20241026125659 libstdthreads package (Manual Pages)
FreeBSD-libthread_db-15.snap20250705072435 libthread_db package
FreeBSD-libthread_db-dev-15.snap20250616132851 libthread_db package (Development Files)
FreeBSD-libucl-15.snap20250707041723 libucl package
FreeBSD-libucl-dev-15.snap20250707041723 libucl package (Development Files)
FreeBSD-libucl-man-15.snap20241026125659 libucl package (Manual Pages)
FreeBSD-libufs-15.snap20250707041723 libufs package
FreeBSD-libufs-dev-15.snap20250707041723 libufs package (Development Files)
FreeBSD-libufs-man-15.snap20250505161221 libufs package (Manual Pages)
FreeBSD-libvgl-15.snap20250705234744 libvgl package
FreeBSD-libvgl-dev-15.snap20250612001522 libvgl package (Development Files)
FreeBSD-libvgl-man-15.snap20241026125659 libvgl package (Manual Pages)
FreeBSD-libvmmapi-15.snap20250707041723 libvmmapi package
FreeBSD-libvmmapi-dev-15.snap20250707041723 libvmmapi package (Development Files)
FreeBSD-liby-dev-15.snap20250611191401 liby package (Development Files)
FreeBSD-libyaml-15.snap20250626114931 libyaml package
FreeBSD-libyaml-dev-15.snap20250626114931 libyaml package (Development Files)
FreeBSD-libzfs-15.snap20250707041723 libzfs package
FreeBSD-libzfs-dev-15.snap20250707041723 libzfs package (Development Files)
FreeBSD-lld-15.snap20250705072435 lld package
FreeBSD-lld-man-15.snap20241026125659 lld package (Manual Pages)
FreeBSD-lldb-15.snap20250707041723 lldb package
FreeBSD-lldb-dev-15.snap20250425182925 lldb package (Development Files)
FreeBSD-lldb-man-15.snap20241026125659 lldb package (Manual Pages)
FreeBSD-locales-15.snap20241113231628 locales package
FreeBSD-lp-15.snap20250707041723 Printer subsystem
FreeBSD-lp-man-15.snap20241026125659 Printer subsystem (Manual Pages)
FreeBSD-mlx-tools-15.snap20250707041723 Mellanox Utilities
FreeBSD-mlx-tools-man-15.snap20241026125659 Mellanox Utilities (Manual Pages)
FreeBSD-mtree-15.snap20250707041723 MTREE Files
FreeBSD-mtree-man-15.snap20241026125659 MTREE Files (Manual Pages)
FreeBSD-natd-15.snap20250707041723 natd package
FreeBSD-natd-dev-15.snap20250707041723 natd package (Development Files)
FreeBSD-natd-man-15.snap20250204215803 natd package (Manual Pages)
FreeBSD-netmap-15.snap20250707041723 Netmap Library and Utilities
FreeBSD-netmap-dev-15.snap20250707041723 Netmap Library and Utilities (Development Files)
FreeBSD-netmap-man-15.snap20241026125659 Netmap Library and Utilities (Manual Pages)
FreeBSD-newsyslog-15.snap20250705072435 Newsyslog Utility
FreeBSD-newsyslog-man-15.snap20241129050736 Newsyslog Utility (Manual Pages)
FreeBSD-nfs-15.snap20250707041723 NFS Utilities
FreeBSD-nfs-man-15.snap20250609160437 NFS Utilities (Manual Pages)
FreeBSD-ntp-15.snap20250707041723 Network Time Protocol server and client
FreeBSD-ntp-man-15.snap20241112035500 Network Time Protocol server and client (Manual Pages)
FreeBSD-nuageinit-15.snap20250705145802 CloudInit support scripts
FreeBSD-nuageinit-man-15.snap20250626130045 CloudInit support scripts (Manual Pages)
FreeBSD-nvme-tools-15.snap20250709143654 NVME Utilities
FreeBSD-nvme-tools-man-15.snap20250709143654 NVME Utilities (Manual Pages)
FreeBSD-openssl-15.snap20250707041723 OpenSSL Utility
FreeBSD-openssl-lib-15.snap20250707041723 OpenSSL Libraries
FreeBSD-openssl-lib-dev-15.snap20250707041723 OpenSSL Libraries (Development Files)
FreeBSD-openssl-lib-man-15.snap20241104155004 OpenSSL Libraries (Manual Pages)
FreeBSD-openssl-man-15.snap20241104155004 OpenSSL Utility (Manual Pages)
FreeBSD-periodic-15.snap20250515020636 Periodic Utility
FreeBSD-periodic-man-15.snap20241026125659 Periodic Utility (Manual Pages)
FreeBSD-pf-15.snap20250712134400 pf package
FreeBSD-pf-dev-15.snap20250712134400 pf package (Development Files)
FreeBSD-pf-man-15.snap20250712134400 pf package (Manual Pages)
FreeBSD-pkg-bootstrap-15.snap20250707041723 pkg bootstrap Utility
FreeBSD-pkg-bootstrap-man-15.snap20250430011047 pkg bootstrap Utility (Manual Pages)
FreeBSD-ppp-15.snap20250707041723 ppp package
FreeBSD-ppp-man-15.snap20250204215803 ppp package (Manual Pages)
FreeBSD-quotacheck-15.snap20250707041723 quotacheck package
FreeBSD-quotacheck-man-15.snap20241026125659 quotacheck package (Manual Pages)
FreeBSD-rc-15.snap20250712171839 RC Scripts
FreeBSD-rc-man-15.snap20250612160001 RC Scripts (Manual Pages)
FreeBSD-rcmds-15.snap20250707041723 BSD/SunOS remote status commands
FreeBSD-rcmds-man-15.snap20250505161221 BSD/SunOS remote status commands (Manual Pages)
FreeBSD-rdma-15.snap20250707041723 RDMA Utilities
FreeBSD-rdma-man-15.snap20241026125659 RDMA Utilities (Manual Pages)
FreeBSD-rescue-15.snap20250712134400 Rescue Utilities
FreeBSD-resolvconf-15.snap20241026125659 Resolvconf Utility and scripts
FreeBSD-resolvconf-man-15.snap20241026125659 Resolvconf Utility and scripts (Manual Pages)
FreeBSD-runtime-15.snap20250713130127 FreeBSD Base System
FreeBSD-runtime-dev-15.snap20250710171124 FreeBSD Base System (Development Files)
FreeBSD-runtime-man-15.snap20250711235756 FreeBSD Base System (Manual Pages)
FreeBSD-sendmail-15.snap20250707041723 Sendmail Utilities
FreeBSD-sendmail-dev-15.snap20250707041723 Sendmail Utilities (Development Files)
FreeBSD-sendmail-man-15.snap20241026125659 Sendmail Utilities (Manual Pages)
FreeBSD-smbutils-15.snap20250707041723 SMB Utilities
FreeBSD-smbutils-dev-15.snap20250707041723 SMB Utilities (Development Files)
FreeBSD-smbutils-man-15.snap20241026125659 SMB Utilities (Manual Pages)
FreeBSD-src-15.snap20250713215434 FreeBSD Userland Sources
FreeBSD-src-sys-15.snap20250714080908 FreeBSD Kernel Sources
FreeBSD-ssh-15.snap20250707041723 Secure Shell Utilities
FreeBSD-ssh-dev-15.snap20250707041723 Secure Shell Utilities (Development Files)
FreeBSD-ssh-man-15.snap20250219191646 Secure Shell Utilities (Manual Pages)
FreeBSD-syscons-data-15.snap20241026125659 syscons-data package
FreeBSD-syslogd-15.snap20250707041723 Syslog Daemon
FreeBSD-syslogd-man-15.snap20241223174616 Syslog Daemon (Manual Pages)
FreeBSD-tcpd-15.snap20250707041723 TCP Wrapper utilities
FreeBSD-tcpd-dev-15.snap20250707041723 TCP Wrapper utilities (Development Files)
FreeBSD-tcpd-man-15.snap20241026125659 TCP Wrapper utilities (Manual Pages)
FreeBSD-telnet-15.snap20250707041723 Telnet client
FreeBSD-telnet-man-15.snap20241026125659 Telnet client (Manual Pages)
FreeBSD-tests-15.snap20250713190803 Test Suite
FreeBSD-tests-dbg-15.snap20250713190803 Test Suite (Debugging Symbols)
FreeBSD-tests-dev-15.snap20250707041723 Test Suite (Development Files)
FreeBSD-tests-man-15.snap20250616132851 Test Suite (Manual Pages)
FreeBSD-toolchain-15.snap20250707041723 Utilities for program development
FreeBSD-toolchain-dev-15.snap20250528033824 Utilities for program development (Development Files)
FreeBSD-toolchain-man-15.snap20250616224003 Utilities for program development (Manual Pages)
FreeBSD-ufs-15.snap20250707041723 UFS Libraries and Utilities
FreeBSD-ufs-man-15.snap20250505161221 UFS Libraries and Utilities (Manual Pages)
FreeBSD-unbound-15.snap20250707041723 Unbound DNS Resolver
FreeBSD-unbound-dev-15.snap20250707041723 Unbound DNS Resolver (Development Files)
FreeBSD-unbound-man-15.snap20241026125659 Unbound DNS Resolver (Manual Pages)
FreeBSD-utilities-15.snap20250713215434 Non-vital programs and libraries
FreeBSD-utilities-dev-15.snap20250711053733 Non-vital programs and libraries (Development Files)
FreeBSD-utilities-man-15.snap20250713175247 Non-vital programs and libraries (Manual Pages)
FreeBSD-vi-15.snap20250709192127 Vi Editor
FreeBSD-vi-man-15.snap20250102090848 Vi Editor (Manual Pages)
FreeBSD-vt-data-15.snap20250617031524 vt-data package
FreeBSD-wpa-15.snap20250707041723 802.11 Supplicant
FreeBSD-wpa-man-15.snap20241026125659 802.11 Supplicant (Manual Pages)
FreeBSD-yp-15.snap20250707041723 Yellow Pages programs
FreeBSD-yp-man-15.snap20241026125659 Yellow Pages programs (Manual Pages)
FreeBSD-zfs-15.snap20250712171839 ZFS Libraries and Utilities
FreeBSD-zfs-dev-15.snap20250707041723 ZFS Libraries and Utilities (Development Files)
FreeBSD-zfs-man-15.snap20250711002650 ZFS Libraries and Utilities (Manual Pages)
FreeBSD-zoneinfo-15.snap20250521200023 zoneinfo package
beadm-1.3.5_1                  Solaris-like utility to manage Boot Environments on ZFS
brotli-1.1.0,1                 Generic-purpose lossless compression algorithm
ccache4-4.10.2                 Tool to minimize the compile time of C/C++ programs
curl-8.14.0                    Command line tool and library for transferring data with URLs
expat-2.7.1                    XML 1.0 parser written in C
freebsd-release-manifests-20250531 FreeBSD release manifests
gettext-runtime-0.23.1         GNU gettext runtime libraries and programs
git-lite-2.49.0                Distributed source code management tool (lite flavor)
htop-3.4.0                     Better top(1) - interactive process viewer
indexinfo-0.3.1_1              Utility to regenerate the GNU info page index
libfmt-10.2.1                  Formatting library for C++
libidn2-2.3.8                  Implementation of IDNA2008 internationalized domain names
liblz4-1.10.0,1                LZ4 compression library, lossless and very fast
libnghttp2-1.65.0              HTTP/2 C Library
libpsl-0.21.5_2                C library to handle the Public Suffix List
libssh2-1.11.1,3               Library implementing the SSH2 protocol
libunistring-1.3               Unicode string library
lsblk-4.0                      Lists information about block devices in the system
nginx-1.28.0_1,3               Robust and small WWW server
pcre2-10.45_1                  Perl Compatible Regular Expressions library, version 2
perl5-5.40.2_2                 Practical Extraction and Report Language
pkg-2.1.4                      Package manager
portconfig-0.6.2               Utility to set up FreeBSD port options
poudriere-devel-3.4.99.20250601 Port build and test system
screen-5.0.1_4                 Multi-screen window manager
tree-2.2.1                     Display a tree-view of directories with optional color or HTML output
xxhash-0.8.3                   Extremely fast non-cryptographic hash algorithm
zsh-5.9_5                      The Z shell
zsh-autosuggestions-0.7.1      Fish-like autosuggestions for Zsh
zsh-completions-0.35.0         Additional completion definitions for Zsh
zsh-syntax-highlighting-0.8.0,1 Fish shell syntax highlighting for Zsh
zstd-1.5.7                     Fast real-time compression algorithm

The pkg(8) repositories information.

FreeBSD # pkg repos  
FreeBSD: { 
    url             : "pkg+https://pkg.FreeBSD.org/FreeBSD:15:amd64/latest",
    enabled         : yes,
    priority        : 0,
    mirror_type     : "SRV",
    signature_type  : "FINGERPRINTS",
    fingerprints    : "/usr/share/keys/pkg"
  }
FreeBSD-kmods: { 
    url             : "pkg+https://pkg.FreeBSD.org/FreeBSD:15:amd64/kmods_latest",
    enabled         : yes,
    priority        : 0,
    mirror_type     : "SRV",
    signature_type  : "FINGERPRINTS",
    fingerprints    : "/usr/share/keys/pkg"
  }
FreeBSD-base: { 
    url             : "pkg+https://pkg.FreeBSD.org/FreeBSD:15:amd64/base_latest",
    enabled         : yes,
    priority        : 0,
    mirror_type     : "SRV",
    signature_type  : "FINGERPRINTS",
    fingerprints    : "/usr/share/keys/pkg"
  }

As expected the FreeBSD-base is added to the list.

PKGBASE Base System Upgrade

Several days later I decided to update/upgrade my system – here is how it went.

FreeBSD # pkg upgrade            
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
Updating FreeBSD-kmods repository catalogue...
FreeBSD-kmods repository is up to date.
Updating FreeBSD-base repository catalogue...
FreeBSD-base repository is up to date.
All repositories are up to date.
Checking for upgrades (31 candidates): 100%
Processing candidates (31 candidates): 100%
The following 32 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        FreeBSD-clibs-lib32: 15.snap20250715212405 [FreeBSD-base]

Installed packages to be UPGRADED:
        FreeBSD-bhyve: 15.snap20250707041723 -> 15.snap20250715161419 [FreeBSD-base]
        FreeBSD-bluetooth: 15.snap20250713095951 -> 15.snap20250715161419 [FreeBSD-base]
        FreeBSD-bootloader: 15.snap20250711053733 -> 15.snap20250714223419 [FreeBSD-base]
        FreeBSD-bootloader-dev: 15.snap20250711053733 -> 15.snap20250714223419 [FreeBSD-base]
        FreeBSD-bsdinstall: 15.snap20250707041723 -> 15.snap20250715191524 [FreeBSD-base]
        FreeBSD-bsnmp: 15.snap20250712134400 -> 15.snap20250715161419 [FreeBSD-base]
        FreeBSD-clang: 15.snap20250707041723 -> 15.snap20250714223419 [FreeBSD-base]
        FreeBSD-clang-dev: 15.snap20250707041723 -> 15.snap20250714223419 [FreeBSD-base]
        FreeBSD-clibs: 15.snap20250711204811 -> 15.snap20250715212405 [FreeBSD-base]
        FreeBSD-clibs-dev: 15.snap20250713141730 -> 15.snap20250716035604 [FreeBSD-base]
        FreeBSD-cxgbe-tools: 15.snap20250707041723 -> 15.snap20250715161419 [FreeBSD-base]
        FreeBSD-dtrace-man: 15.snap20250712093938 -> 15.snap20250716103437 [FreeBSD-base]
        FreeBSD-hyperv-tools: 15.snap20250707041723 -> 15.snap20250715161419 [FreeBSD-base]
        FreeBSD-inetd: 15.snap20250707041723 -> 15.snap20250715051601 [FreeBSD-base]
        FreeBSD-ipfw: 15.snap20250709090258 -> 15.snap20250715161419 [FreeBSD-base]
        FreeBSD-jail: 15.snap20250707041723 -> 15.snap20250714223419 [FreeBSD-base]
        FreeBSD-kernel-generic: 15.snap20250714080908 -> 15.snap20250716085830 [FreeBSD-base]
        FreeBSD-pf: 15.snap20250712134400 -> 15.snap20250715150641 [FreeBSD-base]
        FreeBSD-pf-dev: 15.snap20250712134400 -> 15.snap20250715101340 [FreeBSD-base]
        FreeBSD-rescue: 15.snap20250712134400 -> 15.snap20250715101340 [FreeBSD-base]
        FreeBSD-runtime: 15.snap20250713130127 -> 15.snap20250715212405 [FreeBSD-base]
        FreeBSD-runtime-dev: 15.snap20250710171124 -> 15.snap20250714223419 [FreeBSD-base]
        FreeBSD-runtime-man: 15.snap20250711235756 -> 15.snap20250715201916 [FreeBSD-base]
        FreeBSD-smbutils: 15.snap20250707041723 -> 15.snap20250714223419 [FreeBSD-base]
        FreeBSD-src: 15.snap20250713215434 -> 15.snap20250716113846 [FreeBSD-base]
        FreeBSD-src-sys: 15.snap20250714080908 -> 15.snap20250716085830 [FreeBSD-base]
        FreeBSD-tests: 15.snap20250713190803 -> 15.snap20250715212405 [FreeBSD-base]
        FreeBSD-tests-dbg: 15.snap20250713190803 -> 15.snap20250715212405 [FreeBSD-base]
        FreeBSD-utilities: 15.snap20250713215434 -> 15.snap20250715212405 [FreeBSD-base]
        FreeBSD-utilities-dev: 15.snap20250711053733 -> 15.snap20250715161419 [FreeBSD-base]
        FreeBSD-utilities-man: 15.snap20250713175247 -> 15.snap20250716103437 [FreeBSD-base]

Number of packages to be installed: 1
Number of packages to be upgraded: 31

The process will require 4 MiB more space.
464 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/32] Fetching FreeBSD-bluetooth-15.snap20250715161419.pkg: 100%  182 KiB 186.6kB/s    00:01    
[2/32] Fetching FreeBSD-runtime-15.snap20250715212405.pkg: 100%    2 MiB   1.3MB/s    00:02    
[3/32] Fetching FreeBSD-bhyve-15.snap20250715161419.pkg: 100%  233 KiB 238.4kB/s    00:01    
(...)    
[30/32] Fetching FreeBSD-clibs-15.snap20250715212405.pkg: 100%    2 MiB 406.0kB/s    00:04    
[31/32] Fetching FreeBSD-ipfw-15.snap20250715161419.pkg: 100%   85 KiB  86.7kB/s    00:01    
[32/32] Fetching FreeBSD-clibs-dev-15.snap20250716035604.pkg: 100%   16 MiB   1.7MB/s    00:10    
Checking integrity... done (0 conflicting)
[1/44] Deinstalling FreeBSD-bootloader-dev-15.snap20250711053733...
[1/44] Deleting files for FreeBSD-bootloader-dev-15.snap20250711053733: 100%
[2/44] Deinstalling FreeBSD-clang-dev-15.snap20250707041723...
(...)
[43/44] Extracting FreeBSD-utilities-dev-15.snap20250715161419: 100%
[44/44] Installing FreeBSD-utilities-man-15.snap20250716103437...
[44/44] Extracting FreeBSD-utilities-man-15.snap20250716103437: 100%

After that my system was up to date – upgraded – with PKGBASE concept of the FreeBSD Base System.

Fresh Start Test

I was really positively surprised how well the pkgbasify(8) tool works – so I wanted to do another test – which means:

  • Install FreeBSD 15-CURRENT with PKGBASE packages from the bsdinstall(8) installer.
  • Convert FreeBSD 15-CURRENT classic bsdinstall(8) install with pkgbasify(8) tool.

I used FreeBSD 15-CURRENT image from 2025/06/12 that I already had on the disk.

With ‘classic’ install I selected only BASE and KERNEL to install.

After both installations finished and rebooted – and after I converted the ‘classic’ one into PKGBASE I compared the Base packages installed.

    • BASE INSTALL: 286
    • BASE CONVERT: 290

The pkgbasify(8) conversion went the same as in my other system. I just needed to destroy some leftovers.

FreeBSD # find / -name \*.pkgsave -delete 
FreeBSD # rm -rf /tmp/pkgbasify.*
FreeBSD # rm -rf /var/db/etcupdate

Nothing more I believe.
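A more cautious variant of the cleanup above, as an added example that is not part of the original article. It assumes a `.pkgsave` file is the pre-conversion copy of the file with the same name minus the suffix; the function names and the sample tree are constructed for illustration. It classifies each leftover before anything is deleted and singles out the three files pkgbasify asks you to verify.

```shell
#!/bin/sh
# Added example: triage *.pkgsave leftovers before deleting them.
# Assumption: "X.pkgsave" is the pre-conversion copy of the live file "X".

# Files pkgbasify asks the admin to verify after conversion (from its output).
CRITICAL="/etc/master.passwd /etc/group /etc/ssh/sshd_config"

# is_critical PATH: exit 0 when PATH (relative to the root) is listed in CRITICAL
is_critical() {
    for c in $CRITICAL; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# review_pkgsave ROOT
# Prints one line per leftover: STATUS<TAB>PATH
#   SAME      identical to the live file, safe to delete
#   DIFFERS   live file changed during conversion, read the diff first
#   CRITICAL  as DIFFERS, but one of the files pkgbasify says to verify
#   ORPHAN    no live counterpart exists any more
review_pkgsave() {
    root=${1%/}
    find "${root:-/}" -type f -name '*.pkgsave' | sort |
    while IFS= read -r saved; do
        live=${saved%.pkgsave}
        rel=${live#"$root"}
        if [ ! -e "$live" ]; then
            status=ORPHAN
        elif cmp -s "$saved" "$live"; then
            status=SAME
        elif is_critical "$rel"; then
            status=CRITICAL
        else
            status=DIFFERS
        fi
        printf '%s\t%s\n' "$status" "$rel"
    done
}

# purge_identical ROOT: delete only leftovers proven identical to the live file
purge_identical() {
    root=${1%/}
    review_pkgsave "$1" | while IFS="$(printf '\t')" read -r status rel; do
        if [ "$status" = SAME ]; then
            rm -f -- "$root$rel.pkgsave"
        fi
    done
    return 0
}

# make_sample_tree: build a constructed (not real) tree for a dry run; prints its path
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/ssh" "$t/usr/share/misc"
    echo 'wheel:*:0:root'           > "$t/etc/group"
    echo 'wheel:*:0:root,admin'     > "$t/etc/group.pkgsave"
    echo 'PermitRootLogin no'       > "$t/etc/ssh/sshd_config"
    cp "$t/etc/ssh/sshd_config"       "$t/etc/ssh/sshd_config.pkgsave"
    echo 'net.inet.ip.forwarding=0' > "$t/etc/sysctl.conf"
    echo 'net.inet.ip.forwarding=1' > "$t/etc/sysctl.conf.pkgsave"
    echo 'old data'                 > "$t/usr/share/misc/gone.pkgsave"
    echo "$t"
}
```

On a converted host, `review_pkgsave /` lists what the blanket `find ... -delete` would have removed; anything marked CRITICAL or DIFFERS deserves a `diff -u` against the live file before it goes.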

Things to Watch

For some reason unknown to me – all of the ORIGIN names for Base System packages use base instead of base-part-name convention.

FreeBSD # pkg info -qoa | uniq -c
 290 base
   1 print/indexinfo
   1 ports-mgmt/pkg
   1 sysutils/screen

Another thing that was curious to me was that the FreeBSD that I installed as PKGBASE from the bsdinstall(8) installer did not have the pkg(8) tool initialized … which is strange because the same pkg(8) tool fetched needed Base System packages and installed them.

FreeBSD # pkg info
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+https://pkg.FreeBSD.org/FreeBSD:15:amd64/latest, please wait...

While I installed the ‘classic’ way of FreeBSD with only BASE and KERNEL selected – the pkgbasify(8) tool decided to also install tests packages in the process – so I decided to delete them.

FreeBSD # pkg delete \
            FreeBSD-tests-15.snap20250718205142 \
            FreeBSD-tests-dbg-15.snap20250718205142 \
            FreeBSD-tests-dev-15.snap20250707041723 \
            FreeBSD-tests-man-15.snap20250616132851 

After some comparisons with diff(1) command – as parts of it shown below.

… I noticed that the shar(1) command is missing.

CONVERT # shar
usage: shar file ...

PKGBASE # shar
-sh: shar: not found

After some digging I have come to the following conclusions.

First – the shar(1) has been deprecated – https://lists.freebsd.org/archives/dev-commits-src-all/2025-January/050131.html – details in the link – so it makes sense that it’s no longer available.

Second – if you still need shar(1) command for any reason – https://github.com/cschuber/FreeBSD-shar – it’s here if needed.

Third – FreeBSD CURRENT moves – and sometimes it moves (and evolves) fast – keep that in mind. It’s one of the reasons most of us should just use RELEASE or STABLE and use CURRENT only if you know what you are signing up for.

That is all from my side for this article – feel free to share your thoughts on this one 🙂

EOF

Microsoft Fix Targets Attacks on SharePoint Zero-Day

Post by Brian Krebs via Krebs on Security »

On Sunday, July 20, Microsoft Corp. issued an emergency security update for a vulnerability in SharePoint Server that is actively being exploited to compromise vulnerable organizations. The patch comes amid reports that malicious hackers have used the SharePoint flaw to breach U.S. federal and state agencies, universities, and energy companies.

Image: Shutterstock, by Ascannio.

In an advisory about the SharePoint security hole, a.k.a. CVE-2025-53770, Microsoft said it is aware of active attacks targeting on-premises SharePoint Server customers and exploiting vulnerabilities that were only partially addressed by the July 8, 2025 security update.

The Cybersecurity & Infrastructure Security Agency (CISA) concurred, saying CVE-2025-53770 is a variant on a flaw Microsoft patched earlier this month (CVE-2025-49706). Microsoft notes the weakness applies only to SharePoint Servers that organizations use in-house, and that SharePoint Online and Microsoft 365 are not affected.

The Washington Post reported on Sunday that the U.S. government and partners in Canada and Australia are investigating the hack of SharePoint servers, which provide a platform for sharing and managing documents. The Post reports at least two U.S. federal agencies have seen their servers breached via the SharePoint vulnerability.

According to CISA, attackers exploiting the newly-discovered flaw are retrofitting compromised servers with a backdoor dubbed “ToolShell” that provides unauthenticated, remote access to systems. CISA said ToolShell enables attackers to fully access SharePoint content — including file systems and internal configurations — and execute code over the network.

Researchers at Eye Security said they first spotted large-scale exploitation of the SharePoint flaw on July 18, 2025, and soon found dozens of separate servers compromised by the bug and infected with ToolShell. In a blog post, the researchers said the attacks sought to steal SharePoint server ASP.NET machine keys.

“These keys can be used to facilitate further attacks, even at a later date,” Eye Security warned. “It is critical that affected servers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers. Patching alone is not enough. We strongly advise defenders not to wait for a vendor fix before taking action. This threat is already operational and spreading rapidly.”

Microsoft’s advisory says the company has issued updates for SharePoint Server Subscription Edition and SharePoint Server 2019, but that it is still working on updates for supported versions of SharePoint 2019 and SharePoint 2016.

CISA advises vulnerable organizations to enable the anti-malware scan interface (AMSI) in SharePoint, to deploy Microsoft Defender AV on all SharePoint servers, and to disconnect affected products from the public-facing Internet until an official patch is available.

The security firm Rapid7 notes that Microsoft has described CVE-2025-53770 as related to a previous vulnerability — CVE-2025-49704, patched earlier this month — and that CVE-2025-49704 was part of an exploit chain demonstrated at the Pwn2Own hacking competition in May 2025. That exploit chain invoked a second SharePoint weakness — CVE-2025-49706 — which Microsoft unsuccessfully tried to fix in this month’s Patch Tuesday.

Microsoft also has issued a patch for a related SharePoint vulnerability — CVE-2025-53771; Microsoft says there are no signs of active attacks on CVE-2025-53771, and that the patch is to provide more robust protections than the update for CVE-2025-49706.

This is a rapidly developing story. Any updates will be noted with timestamps.


Valuable News – 2025/07/21

Post by Vermaden via 𝚟𝚎𝚛𝚖𝚊𝚍𝚎𝚗 »

The Valuable News weekly series is dedicated to providing a summary of news, articles and other interesting stuff mostly but not always related to the UNIX/BSD/Linux systems. Whenever I stumble upon something worth mentioning on the Internet I just put it here.

Today the amount of information that we get using various information streams is at massive overload. Thus one needs to focus only on what is important without the need to grep(1) the Internet every day. Hence the idea of providing such information ‘bulk’ as I already do that grep(1).

The Usual Suspects section at the end is permanent and has links to other sites with interesting UNIX/BSD/Linux news.

Past releases are available at the dedicated NEWS page.

UNIX

What Can You Do with FreeBSD? (Redux)
https://youtube.com/watch?v=_iCr6KMEbGM

How to Install and Configure Forgejo on FreeBSD.
https://subnetspider.com/2025/07/13/how-to-install-and-configure-forgejo-on-freebsd.html

Running Gitea Locally.
https://bsdbox.de/en/artikel/gitea/gitea-lokal

Dedicated mDNS-SD Bridge in FreeBSD Jail.
https://eldapper.wordpress.com/2025/07/14/mdns-bridge/

Almost Catastrophic OpenZFS Bug and Humans That Made It.
https://despairlabs.com/blog/posts/2025-07-10-an-openzfs-bug-and-the-humans-that-made-it/

What People Said About OpenZFS Bug.
https://despairlabs.com/blog/posts/2025-07-13-an-openzfs-bug-and-the-humans-that-made-it-comments/

Introduction to FreeBSD Periodic System.
https://freebsdfoundation.org/blog/an-introduction-to-freebsds-periodic-system/

New DTrace d(7) Man Page on FreeBSD.
https://mastodon.social/@mpts/114856286952147362

BastilleBSD ISO Images with Lots of Useful Tools.
https://mastodon.social/@BastilleBSD@fosstodon.org/114854541240022666

FreeBSD Has New DTrace d(7) Man Page.
https://mastodon.social/@mpts/114856286952147362

Setup Mullvad VPN on OpenBSD via WireGuard.
https://btxx.org/posts/openbsd-mullvad/

Configure Additional IP (IPv4/IPv6) Addresses in FreeBSD VPS.
https://blog.radwebhosting.com/guide-to-configuring-additional-ip-addresses-in-freebsd-vps/

Font Caching No Longer Runs as root on OpenBSD.
https://undeadly.org/cgi?action=article;sid=20250717061920

Deep Dive for pledge() in OpenBSD.
https://mateorfz.ir/posts/pledge-in-open-bsd

Local RAG with Chatbot and FreeBSD Knowledge – FreeBSD Edition.
https://hackacad.net/post/2025-07-15-local-chatbot-rag-with-freebsd-knowledge-freebsd-host/

Full GNAT Ada 2022 Toolchain Available on FreeBSD.
https://reddit.com/r/freebsd/comments/1m21t7o/ann_full_ada_programming_toolchain_now_on_freebsd/

2.5 Admins 256 – Why ZFS.
https://2.5admins.com/2-5-admins-256/

OPNsense 25.1.11 Last Maintenance Release Before 25.7 Version.
https://heise.de/en/news/OPNsense-25-1-11-Last-maintenance-release-before-version-25-7-10492736.html

Running NetBSD on My Amiga 4000.
https://sandervanderburg.blogspot.com/2025/02/running-netbsd-on-my-amiga-4000.html

Intel Shuts Down Clear Linux.
https://phoronix.com/news/Intel-Ends-Clear-Linux

Healthchecks is Cron Job Monitoring Service.
https://github.com/healthchecks/healthchecks

Bento is Elegant and Secure FreeBSD Package Manager.
https://github.com/SakamataDenji/bento-bsd

In the Long Run GPL Code Becomes Irrelevant.
https://josephg.com/blog/in-the-long-run-gpl-code-becomes-irrelevant/

When Root Meets Immutable: OpenBSD chflags(8) vs. Log Tampering.
https://undeadly.org/cgi?action=article;sid=20250718072438

Hello System 3 (Based on FreeBSD 14).
https://youtube.com/watch?v=6ZD0svp3wUA

FreeBSD PKGBASE pkgbasify(8) Tool.
https://vermaden.wordpress.com/2025/07/20/freebsd-pkgbase-pkgbasify-tool/

On OpenBSD stdio(3) Change: FILE is Now Opaque.
https://undeadly.org/cgi?action=article;sid=20250717103345

FreeBSD Foundation – UnionFS Stability and Enhancement.
https://freebsdfoundation.org/project/unionfs-stability-and-enhancement/

Lazy Reading for 2025/07/20.
https://dragonflydigest.com/2025/07/20/lazy-reading-for-2025-07-20/

Lazy Reading for 2025/07/13.
https://dragonflydigest.com/2025/07/13/lazy-reading-for-2025-07-13/

Lazy Reading for 2025/07/06.
https://dragonflydigest.com/2025/07/06/lazy-reading-for-2025-07-06/

Lazy Reading for 2025/06/29.
https://dragonflydigest.com/2025/06/29/lazy-reading-for-2025-06-29/

Lazy Reading for 2025/06/22.
https://dragonflydigest.com/2025/06/22/lazy-reading-for-2025-06-22/

Lazy Reading for 2025/06/15.
https://dragonflydigest.com/2025/06/15/lazy-reading-for-2025-06-15/

Lazy Reading for 2025/06/08.
https://dragonflydigest.com/2025/06/08/lazy-reading-for-2025-06-08/

Hardware

Seagate Massive 30TB $600 HDDs are Now Available.
https://arstechnica.com/gadgets/2025/07/seagates-massive-30tb-600-hard-drives-are-now-available-for-anyone-to-buy/

Life

Black Sabbath: Ozzy Perspective.
https://youtube.com/watch?v=z8nkr64JuT8

Companies That Tried to Save Money with AI are Now Spending Fortune Hiring People to Fix Its Mistakes.
https://futurism.com/companies-fixing-ai-replacement-mistakes

Why Writing by Hand is Better for Memory and Learning.
https://scientificamerican.com/article/why-writing-by-hand-is-better-for-memory-and-learning/

Erythritol Popular Sugar Substitute Linked to Brain Cell Damage and Stroke Risk.
https://sciencedaily.com/releases/2025/07/250718035156.htm

Other

Make Your Own Backup System – Part 1 – Strategy Before Scripts.
https://it-notes.dragas.net/2025/07/18/make-your-own-backup-system-part-1-strategy-before-scripts/

Servo Web Engine Further Tuning Performance – Screen Reader – Other New Features.
https://phoronix.com/news/Servo-June-2025-Highlights

Comic Mono Font – Monospace Comic Sans Brother.
https://dtinth.github.io/comic-mono-font/

LibreOffice Calls Out Microsoft for Using Complex File Formats to Lock in Office Users.
https://neowin.net/news/libreoffice-calls-out-microsoft-for-using-complex-file-formats-to-lock-in-office-users/

Usual Suspects

BSD Weekly.
https://bsdweekly.com/

DiscoverBSD.
https://discoverbsd.com/

BSDSec.
https://bsdsec.net/

DragonFly BSD Digest.
https://dragonflydigest.com/

FreeBSD Patch Level Table.
https://bokut.in/freebsd-patch-level-table/

FreeBSD End of Life Date.
https://endoflife.date/freebsd

Phoronix BSD News Archives.
https://phoronix.com/linux/BSD

OpenBSD Journal.
https://undeadly.org/

Call for Testing.
https://callfortesting.org/

Call for Testing – Production Users Call.
https://youtube.com/@callfortesting/videos

BSD Now Weekly Podcast.
https://www.bsdnow.tv/

Nixers Newsletter.
https://newsletter.nixers.net/entries.php

BSD Cafe Journal.
https://journal.bsd.cafe/

DragonFly BSD Digest – Lazy Reading – In Other BSDs.
https://dragonflydigest.com

EOF


Poor Passwords Tattle on AI Hiring Bot Maker Paradox.ai

Post by Brian Krebs via Krebs on Security »

Security researchers recently revealed that the personal information of millions of people who applied for jobs at McDonald’s was exposed after they guessed the password (“123456”) for the fast food chain’s account at Paradox.ai, a company that makes artificial intelligence based hiring chatbots used by many Fortune 500 firms. Paradox.ai said the security oversight was an isolated incident that did not affect its other customers, but recent security breaches involving its employees in Vietnam tell a more nuanced story.

A screenshot of the paradox.ai homepage showing its AI hiring chatbot “Olivia” interacting with potential hires.

Earlier this month, security researchers Ian Carroll and Sam Curry wrote about simple methods they found to access the backend of the AI chatbot platform on McHire.com, the McDonald’s website that many of its franchisees use to screen job applicants. As first reported by Wired, the researchers discovered that the weak password used by Paradox exposed 64 million records, including applicants’ names, email addresses and phone numbers.

Paradox.ai acknowledged the researchers’ findings but said the company’s other client instances were not affected, and that no sensitive information — such as Social Security numbers — was exposed.

“We are confident, based on our records, this test account was not accessed by any third party other than the security researchers,” the company wrote in a July 9 blog post. “It had not been logged into since 2019 and frankly, should have been decommissioned. We want to be very clear that while the researchers may have briefly had access to the system containing all chat interactions (NOT job applications), they only viewed and downloaded five chats in total that had candidate information within. Again, at no point was any data leaked online or made public.”

However, a review of stolen password data gathered by multiple breach-tracking services shows that at the end of June 2025, a Paradox.ai administrator in Vietnam suffered a malware compromise on their device that stole usernames and passwords for a variety of internal and third-party online services. The results were not pretty.

The password data from the Paradox.ai developer was stolen by a malware strain known as “Nexus Stealer,” a form grabber and password stealer that is sold on cybercrime forums. The information snarfed by stealers like Nexus is often recovered and indexed by data leak aggregator services like Intelligence X, which reports that the malware on the Paradox.ai developer’s device exposed hundreds of mostly poor and recycled passwords (using the same base password but slightly different characters at the end).

Those purloined credentials show the developer in question at one point used the same seven-digit password to log in to Paradox.ai accounts for a number of Fortune 500 firms listed as customers on the company’s website, including Aramark, Lockheed Martin, Lowes, and Pepsi.

Seven-character passwords, particularly those consisting entirely of numerals, are highly vulnerable to “brute-force” attacks that can try a large number of possible password combinations in quick succession. According to a much-referenced password strength guide maintained by Hive Systems, modern password-cracking systems can work out a seven number password more or less instantly.

Image: hivesystems.com.
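The weaknesses described above (short digits-only passwords, one password shared across customer accounts, and a common base with a changing tail such as a YYYYMM suffix) can be checked for in a credential inventory before an infostealer exposes them. The following audit is an added example, not code from the article or from Paradox.ai; the sample vault is constructed, and the thresholds, function names and finding labels are assumptions.

```python
import re
from collections import defaultdict

# Constructed inventory of (service, password) pairs; none are real credentials.
SAMPLE_VAULT = [
    ("customer-a.example", "4815162"),
    ("customer-b.example", "4815162"),
    ("customer-c.example", "4815162"),
    ("sso.example", "Harbor!Kite202506"),
    ("wiki.example", "Harbor!Kite202412"),
    ("mail.example", "Harbor!Kite#1"),
    ("vpn.example", "t7#Vq9$Lm2!xRp4z"),
    ("test.example", "123456"),
]

# A year and month (YYYYMM) at the very end of the password.
DATE_SUFFIX = re.compile(r"(?:19|20)\d{2}(?:0[1-9]|1[0-2])$")
# The trailing run of digits and symbols that people vary between accounts.
TRAILING_VARIATION = re.compile(r"[\d\W_]+$")


def stem_of(password):
    """Return the reusable base: the password minus its digit/symbol tail."""
    return TRAILING_VARIATION.sub("", password).lower()


def keyspace(password):
    """Upper bound on brute-force candidates for the character classes used."""
    size = 0
    if re.search(r"\d", password):
        size += 10
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33
    return size ** len(password)


def audit(vault, min_length=12, min_stem=4):
    """Map each weak service entry to a sorted list of finding labels."""
    findings = defaultdict(set)
    services_by_password = defaultdict(set)
    passwords_by_stem = defaultdict(set)

    for service, password in vault:
        services_by_password[password].add(service)
        stem = stem_of(password)
        if len(stem) >= min_stem:
            passwords_by_stem[stem].add(password)
        if password.isdigit():
            findings[service].add("digits-only")
        if len(password) < min_length:
            findings[service].add("short")
        if DATE_SUFFIX.search(password):
            findings[service].add("date-suffix")

    for service, password in vault:
        # Identical password on more than one service.
        if len(services_by_password[password]) > 1:
            findings[service].add("reused-exact")
        # Different passwords that share one base and differ only in the tail.
        if len(passwords_by_stem.get(stem_of(password), ())) > 1:
            findings[service].add("reused-stem")

    return {service: sorted(labels) for service, labels in findings.items()}


if __name__ == "__main__":
    for service, labels in audit(SAMPLE_VAULT).items():
        print(f"{service}: {', '.join(labels)}")
    print("candidates for a 7-digit password:", keyspace("4815162"))
```

The output names services and finding labels only, never the passwords themselves, so the report can be shared without becoming a second copy of the vault.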

In response to questions from KrebsOnSecurity, Paradox.ai confirmed that the password data was recently stolen by a malware infection on the personal device of a longtime Paradox developer based in Vietnam, and said the company was made aware of the compromise shortly after it happened. Paradox maintains that few of the exposed passwords were still valid, and that a majority of them were present on the employee’s personal device only because he had migrated the contents of a password manager from an old computer.

Paradox also pointed out that it has been requiring single sign-on (SSO) authentication since 2020 that enforces multi-factor authentication for its partners. Still, a review of the exposed passwords shows they included the Vietnamese administrator’s credentials to the company’s SSO platform — paradoxai.okta.com. The password for that account ended in 202506 — possibly a reference to the month of June 2025 — and the digital cookie left behind after a successful Okta login with those credentials says it was valid until December 2025.

Also exposed were the administrator’s credentials and authentication cookies for an account at Atlassian, a platform made for software development and project management. The expiration date for that authentication token likewise was December 2025.

Infostealer infections are among the leading causes of data breaches and ransomware attacks today, and they result in the theft of stored passwords and any credentials the victim types into a browser. Most infostealer malware also will siphon authentication cookies stored on the victim’s device, and depending on how those tokens are configured thieves may be able to use them to bypass login prompts and/or multi-factor authentication.

Quite often these infostealer infections will open a backdoor on the victim’s device that allows attackers to access the infected machine remotely. Indeed, it appears that remote access to the Paradox administrator’s compromised device was offered for sale recently.

In February 2019, Paradox.ai announced it had successfully completed audits for two fairly comprehensive security standards (ISO 27001 and SOC 2 Type II). Meanwhile, the company’s security disclosure this month says the test account with the atrocious 123456 username and password was last accessed in 2019, but somehow missed in their annual penetration tests. So how did it manage to pass such stringent security audits with these practices in place?

Paradox.ai told KrebsOnSecurity that at the time of the 2019 audit, the company’s various contractors were not held to the same security standards the company practices internally. Paradox emphasized that this has changed, and that it has updated its security and password requirements multiple times since then.

It is unclear how the Paradox developer in Vietnam infected his computer with malware, but a closer review finds a Windows device for another Paradox.ai employee from Vietnam was compromised by similar data-stealing malware at the end of 2024 (that compromise included the victim’s GitHub credentials). In the case of both employees, the stolen credential data includes Web browser logs that indicate the victims repeatedly downloaded pirated movies and television shows, which are often bundled with malware disguised as a video codec needed to view the pirated content.


Plotting the FreeBSD memory fragmentation – part 2

Post by Alexander Leidinger via Alexander Leidinger »

If you haven’t read part 1 already, please do so. Else you will not understand what this is about (I don’t repeat the basics here).

The following graphs show the FMFI with D45043, D45045 and D45046 applied.

When you look at the graphs, keep in mind that I updated FreeBSD on 2024-05-27-120546 and 2024-06-04-105830. None of those updates introduced changes in the memory allocation area, so the results should be somewhat comparable.

I used the same workloads as in part 1 (not a deterministic benchmark, real world use case with 30 jails and various package build runs).

First the 2nd last of the graphs from part 1 to have something to compare against:

Now with the 3 changes listed above:

Just by looking at the graphs, and given that I don’t run a fixed benchmark but this is plotted from real-world use, I don’t think we can draw a conclusion by looking at the FMFI which is plotted here (other than it does no bad for my workload).

The comment in the D45046 review about the reduced number of reservations with at least one NOFREE page (= a page which will never be freed) looks good. Having about 20 times fewer reservations with NOFREE pages means 20 times fewer NOFREE pages scattered around in memory. Those NOFREE pages can get in the way for larger allocations. Theoretically more memory areas can be combined (if needed). Practically this is not the case yet. There is a slight hint in the measurement in the comment in the review that there are some more PDE (“Page Directory Entry”) promotions, but they scratch at the 1–2% margin. I do not expect this results in a noticeable effect on performance.

Nevertheless, this looks very promising. It paves the way for further work as there are fewer NOFREE pages scattered around. This may make memory defragmentation / compaction techniques more useful. Once those are mature enough to be tested on real world stuff, I will generate some plots.

The post Plotting the FreeBSD memory fragmentation – part 2 first appeared on Alexander Leidinger.


DOGE Denizen Marko Elez Leaked API Key for xAI

Post by Brian Krebs via Krebs on Security »

Marko Elez, a 25-year-old employee at Elon Musk’s Department of Government Efficiency (DOGE), has been granted access to sensitive databases at the U.S. Social Security Administration, the Treasury and Justice departments, and the Department of Homeland Security. So it should fill all Americans with a deep sense of confidence to learn that Mr. Elez over the weekend inadvertently published a private key that allowed anyone to interact directly with more than four dozen large language models (LLMs) developed by Musk’s artificial intelligence company xAI.

Image: Shutterstock, @sdx15.

On July 13, Mr. Elez committed a code script to GitHub called “agent.py” that included a private application programming interface (API) key for xAI. The inclusion of the private key was first flagged by GitGuardian, a company that specializes in detecting and remediating exposed secrets in public and proprietary environments. GitGuardian’s systems constantly scan GitHub and other code repositories for exposed API keys, and fire off automated alerts to affected users.
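A check of the kind described above can also run locally before a script such as agent.py is ever committed. The following is an added example, not GitGuardian's scanner and not code from the article: it parses Python source and flags long, high-entropy string literals bound to secret-like names, while ignoring values read from the environment. The sample script, the SDK name `client_sdk`, the key strings, the name pattern and the thresholds are all constructed assumptions.

```python
import ast
import math
import re
from collections import Counter

# Constructed stand-in for a committed script; the key strings are made up.
SAMPLE_AGENT_PY = '''\
import os
from client_sdk import Client

API_KEY = "demo-9fQ2xLr7VbT0aZk4Wm8YcHs1Np6Ue3Dg"
MODEL = "example-model-name"
client = Client(api_key=API_KEY)
backup = Client(api_key="demo-Jt5Rk2Pw9Xc7Mb4Lq1Zs8Vn3Hy6Gd0Fa")
safe = Client(api_key=os.environ["LLM_API_KEY"])
PLACEHOLDER_TOKEN = "changeme"
'''

# Variable or keyword names that usually hold credentials (assumed list).
SECRET_NAME = re.compile(r"api[_-]?key|secret|token|passw(?:or)?d", re.IGNORECASE)


def shannon_entropy(text):
    """Bits of entropy per character, from character frequencies."""
    counts = Counter(text)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def looks_like_secret(value, min_len=20, min_entropy=3.5):
    """Long and random-looking; short placeholders such as 'changeme' pass."""
    return len(value) >= min_len and shannon_entropy(value) >= min_entropy


def redact(value):
    """Show just enough to locate the literal without copying it into logs."""
    return f"{value[:4]}... ({len(value)} chars)"


def find_hardcoded_secrets(source, filename="<staged>"):
    """Return sorted (line, name, redacted preview) for hard-coded secrets."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Assign):
            names = [t.id for t in node.targets if isinstance(t, ast.Name)]
            value = node.value
        elif isinstance(node, ast.AnnAssign) and isinstance(node.target, ast.Name):
            names, value = [node.target.id], node.value
        elif isinstance(node, ast.keyword) and node.arg:
            names, value = [node.arg], node.value
        else:
            continue
        # Only string literals count; names and os.environ lookups are skipped.
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        for name in names:
            if SECRET_NAME.search(name) and looks_like_secret(value.value):
                findings.append((value.lineno, name, redact(value.value)))
    return sorted(findings)


if __name__ == "__main__":
    for line, name, preview in find_hardcoded_secrets(SAMPLE_AGENT_PY, "agent.py"):
        print(f"agent.py:{line}: hard-coded value for {name!r}: {preview}")
```

A hit in a repository that has already been pushed means the key must be revoked and reissued; deleting the file or the repository does not invalidate it.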

Philippe Caturegli, “chief hacking officer” at the security consultancy Seralys, said the exposed API key allowed access to at least 52 different LLMs used by xAI. The most recent LLM in the list was called “grok-4-0709” and was created on July 9, 2025.

Grok, the generative AI chatbot developed by xAI and integrated into Twitter/X, relies on these and other LLMs (a query to Grok before publication shows Grok currently uses Grok-3, which was launched in February 2025). Earlier today, xAI announced that the Department of Defense will begin using Grok as part of a contract worth up to $200 million. The contract award came less than a week after Grok began spewing antisemitic rants and invoking Adolf Hitler.

Mr. Elez did not respond to a request for comment. The code repository containing the private xAI key was removed shortly after Caturegli notified Elez via email. However, Caturegli said the exposed API key still works and has not yet been revoked.

“If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,” Caturegli told KrebsOnSecurity.

Prior to joining DOGE, Marko Elez worked for a number of Musk’s companies. His DOGE career began at the Department of the Treasury, and a legal battle over DOGE’s access to Treasury databases showed Elez was sending unencrypted personal information in violation of the agency’s policies.

While still at Treasury, Elez resigned after The Wall Street Journal linked him to social media posts that advocated racism and eugenics. When Vice President J.D. Vance lobbied for Elez to be rehired, President Trump agreed and Musk reinstated him.

Since his re-hiring as a DOGE employee, Elez has been granted access to databases at one federal agency after another. TechCrunch reported in February 2025 that he was working at the Social Security Administration. In March, Business Insider found Elez was part of a DOGE detachment assigned to the Department of Labor.

Marko Elez, in a photo from a social media profile.

In April, The New York Times reported that Elez held positions at the U.S. Customs and Border Protection and the Immigration and Customs Enforcement (ICE) bureaus, as well as the Department of Homeland Security. The Washington Post later reported that Elez, while serving as a DOGE advisor at the Department of Justice, had gained access to the Executive Office for Immigration Review’s Courts and Appeals System (EACS).

Elez is not the first DOGE worker to publish internal API keys for xAI: In May, KrebsOnSecurity detailed how another DOGE employee leaked a private xAI key on GitHub for two months, exposing LLMs that were custom made for working with internal data from Musk’s companies, including SpaceX, Tesla and Twitter/X.

Caturegli said it’s difficult to trust someone with access to confidential government systems when they can’t even manage the basics of operational security.

“One leak is a mistake,” he said. “But when the same type of sensitive key gets exposed again and again, it’s not just bad luck, it’s a sign of deeper negligence and a broken security culture.”


Post by FreeBSD Newsflash via FreeBSD News Flash »

New committer: Aymeric Wibo (src)

Clear the existing good drive and add it to the new zpool

Post by Dan Langille via Dan Langille's Other Diary »

In recent posts:

  1. Doing a bit of stress work on a new HDD
  2. x8dtu: adding in the smaller drive
  3. Swapping zpools – moving from using main_tank to using data

If you have a look over those posts, you’ll see why you never want to downsize a zpool.

In this post:

  • FreeBSD 14.2
  • removing the zfs labels from a drive which was part of a zpool which is no longer in use
  • destroying the partitions
  • creating a new partition
  • adding that drive to a recently created single-drive zpool to create a mirror

Identify the drive

The drive I want is ada, as seen in zpool status and log entries from the posts mentioned above.

[18:50 x8dtu dvl ~] % gpart show ada2
=>         6  1220942635  ada2  GPT  (4.5T)
           6  1220280320     1  freebsd-zfs  (4.5T)
  1220280326      662315        - free -  (2.5G)

[18:50 x8dtu dvl ~] % 

[19:03 x8dtu dvl ~] % sudo diskinfo -v /dev/ada2
/dev/ada2
	4096        	# sectorsize
	5000981078016	# mediasize in bytes (4.5T)
	1220942646  	# mediasize in sectors
	0           	# stripesize
	0           	# stripeoffset
	1211252     	# Cylinders according to firmware.
	16          	# Heads according to firmware.
	63          	# Sectors according to firmware.
	TOSHIBA MG04ACA500A	# Disk descr.
	44E1K00HFK7A	# Disk ident.
	ahcich2     	# Attachment
	id1,enc@n3061686369656d30/type@0/slot@3/elmdesc@Slot_02	# Physical path
	No          	# TRIM/UNMAP support
	7200        	# Rotation rate in RPM
	Not_Zoned   	# Zone Mode

[19:03 x8dtu dvl ~] % 

Yes, that’s the one, the 5TB drive.

zpool labelclear

Why am I running labelclear? To remove any evidence that this drive was part of a zpool. Sometimes things get messy when old labels are still around.

[18:57 x8dtu dvl ~] % sudo zpool labelclear ada2p1 
use '-f' to override the following error:
/dev/ada2p1 is a member of exported pool "main_tank"
[18:57 x8dtu dvl ~] % sudo zpool labelclear -f ada2p1

Destroy the old partitions

Here we go:

[18:57 x8dtu dvl ~] % sudo gpart destroy ada2
gpart: Device busy
[18:59 x8dtu dvl ~] % sudo gpart destroy -F ada2
ada2 destroyed

I’m sure I could have just deleted the partitions and created my new one. I prefer to do it this way.

Creating a new partition

First, I had to do the math, I’ll show that later.

[19:05 x8dtu dvl ~] % sudo gpart add -i 1 -t freebsd-zfs -a 4k -l SLOT_2_TO_44E1K00HFK7A -s 976754636 ada2 
ada2p1 added
[19:10 x8dtu dvl ~] % gpart show ada2 ada3
=>         6  1220942635  ada2  GPT  (4.5T)
           6   976754636     1  freebsd-zfs  (3.6T)
   976754642   244187999        - free -  (932G)

=>        40  7814037088  ada3  GPT  (3.6T)
          40  7814037088     1  freebsd-zfs  (3.6T)

[19:10 x8dtu dvl ~] % gpart show -l ada2 ada3
=>         6  1220942635  ada2  GPT  (4.5T)
           6   976754636     1  SLOT_2_TO_44E1K00HFK7A  (3.6T)
   976754642   244187999        - free -  (932G)

=>        40  7814037088  ada3  GPT  (3.6T)
          40  7814037088     1  SLOT_3_TO_382AK6KIFJKA  (3.6T)

[19:10 x8dtu dvl ~] % 

I know it’s slot, from using sesutil in previous post. And because the diskinfo output says so.

To know the size to specify:

ada3 has 7814037088 sectors of 512 bytes = 4000786989056 bytes. We need the right number of 4096 sectors to make ada2 have the same partition size: 4000786989056 / 4096 = 976754636, the magic number used when creating the partition.

Adding the drive to the zpool

This part always gives me concern. I fear creating a stripe instead of a mirror.

[19:20 x8dtu dvl ~] % sudo zpool attach data gpt/SLOT_3_TO_382AK6KIFJKA gpt/SLOT_2_TO_44E1K00HFK7A
[19:21 x8dtu dvl ~] % 

gpt/SLOT_3_TO_382AK6KIFJKA is what you see in the existing zpool status output:

[19:18 x8dtu dvl ~] % zpool status data
  pool: data
 state: ONLINE
  scan: scrub in progress since Sun Jul 13 17:06:50 2025
	1.22T / 1.22T scanned, 1.07T / 1.22T issued at 146M/s
	0B repaired, 87.76% done, 00:17:55 to go
config:

	NAME                          STATE     READ WRITE CKSUM
	data                          ONLINE       0     0     0
	  gpt/SLOT_3_TO_382AK6KIFJKA  ONLINE       0     0     0

errors: No known data errors

gpt/SLOT_2_TO_44E1K00HFK7A is the label I created in the previous section.

And here we have a resilver:

[19:21 x8dtu dvl ~] % zpool status data
  pool: data
 state: ONLINE
status: One or more devices is currently being resilvered.  The pool will
	continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
  scan: resilver in progress since Sun Jul 13 19:21:05 2025
	1.22T / 1.22T scanned, 13.2G / 1.22T issued at 138M/s
	13.3G resilvered, 1.05% done, 02:33:26 to go
config:

	NAME                            STATE     READ WRITE CKSUM
	data                            ONLINE       0     0     0
	  mirror-0                      ONLINE       0     0     0
	    gpt/SLOT_3_TO_382AK6KIFJKA  ONLINE       0     0     0
	    gpt/SLOT_2_TO_44E1K00HFK7A  ONLINE       0     0 1.36K  (resilvering)

errors: No known data errors
[19:24 x8dtu dvl ~] % 

These are the log messages it generated:

Jul 13 19:21:00 x8dtu kernel: vdev_geom_open_by_path:799[1]: Found provider by name /dev/gpt/SLOT_2_TO_44E1K00HFK7A.
Jul 13 19:21:00 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to gpt/SLOT_2_TO_44E1K00HFK7A.
Jul 13 19:21:00 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for gpt/SLOT_2_TO_44E1K00HFK7A.

I’ll add a concluding section later.

zpool scrub done

Well, this isn’t ideal.

[0:11 x8dtu dvl ~] % zpool status data
  pool: data
 state: ONLINE
status: One or more devices has experienced an unrecoverable error.  An
	attempt was made to correct the error.  Applications are unaffected.
action: Determine if the device needs to be replaced, and clear the errors
	using 'zpool clear' or replace the device with 'zpool replace'.
   see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-9P
  scan: resilvered 1.23T in 03:08:32 with 0 errors on Sun Jul 13 22:29:37 2025
config:

	NAME                            STATE     READ WRITE CKSUM
	data                            ONLINE       0     0     0
	  mirror-0                      ONLINE       0     0     0
	    gpt/SLOT_3_TO_382AK6KIFJKA  ONLINE       0     0     0
	    gpt/SLOT_2_TO_44E1K00HFK7A  ONLINE       0     0 1.36K

errors: No known data errors

The errors are on the drive I just added (slot 2). Let’s try a scrub:

[0:11 x8dtu dvl ~] % sudo zpool scrub data
[0:14 x8dtu dvl ~] % 

[0:14 x8dtu dvl ~] % zpool status data    
  pool: data
 state: ONLINE
status: One or more devices has experienced an unrecoverable error.  An
	attempt was made to correct the error.  Applications are unaffected.
action: Determine if the device needs to be replaced, and clear the errors
	using 'zpool clear' or replace the device with 'zpool replace'.
   see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-9P
  scan: scrub in progress since Mon Jul 14 00:14:12 2025
	1.23T / 1.23T scanned, 447M / 1.23T issued at 224M/s
	0B repaired, 0.03% done, 01:35:43 to go
config:

	NAME                            STATE     READ WRITE CKSUM
	data                            ONLINE       0     0     0
	  mirror-0                      ONLINE       0     0     0
	    gpt/SLOT_3_TO_382AK6KIFJKA  ONLINE       0     0     0
	    gpt/SLOT_2_TO_44E1K00HFK7A  ONLINE       0     0 1.36K

errors: No known data errors

Monday morning: 6:58 AM

Current status:

[10:57 x8dtu dvl ~] % zpool status data
  pool: data
 state: ONLINE
status: One or more devices has experienced an unrecoverable error.  An
	attempt was made to correct the error.  Applications are unaffected.
action: Determine if the device needs to be replaced, and clear the errors
	using 'zpool clear' or replace the device with 'zpool replace'.
   see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-9P
  scan: scrub repaired 0B in 02:38:15 with 0 errors on Mon Jul 14 02:52:27 2025
config:

	NAME                            STATE     READ WRITE CKSUM
	data                            ONLINE       0     0     0
	  mirror-0                      ONLINE       0     0     0
	    gpt/SLOT_3_TO_382AK6KIFJKA  ONLINE       0     0     0
	    gpt/SLOT_2_TO_44E1K00HFK7A  ONLINE       0     0 1.36K

errors: No known data errors

All OK on the scrub. Let’s clear, and for fun and games, scrub again.

[10:57 x8dtu dvl ~] % sudo zpool scrub data        
[10:57 x8dtu dvl ~] % zpool status data    
  pool: data
 state: ONLINE
  scan: scrub in progress since Mon Jul 14 10:57:49 2025
	1.23T / 1.23T scanned, 4.28G / 1.23T issued at 168M/s
	0B repaired, 0.34% done, 02:06:38 to go
config:

	NAME                            STATE     READ WRITE CKSUM
	data                            ONLINE       0     0     0
	  mirror-0                      ONLINE       0     0     0
	    gpt/SLOT_3_TO_382AK6KIFJKA  ONLINE       0     0     0
	    gpt/SLOT_2_TO_44E1K00HFK7A  ONLINE       0     0     0

errors: No known data errors

I’ll report back later.

Later. Monday evening: 5:55 PM

Looks good now:

[21:53 x8dtu dvl ~] % zpool status data
  pool: data
 state: ONLINE
  scan: scrub repaired 0B in 02:40:17 with 0 errors on Mon Jul 14 13:38:06 2025
config:

	NAME                            STATE     READ WRITE CKSUM
	data                            ONLINE       0     0     0
	  mirror-0                      ONLINE       0     0     0
	    gpt/SLOT_3_TO_382AK6KIFJKA  ONLINE       0     0     0
	    gpt/SLOT_2_TO_44E1K00HFK7A  ONLINE       0     0     0

errors: No known data errors
[21:53 x8dtu dvl ~] % 

As I said before, don’t do this. Get the right-sized drive.


FreeBSD Kernel Modules pkg(8) Repositories

Post by Vermaden via 𝚟𝚎𝚛𝚖𝚊𝚍𝚎𝚗 »

The FreeBSD project started to officially add kernel modules pkg(8) repositories to the default installation – starting with the FreeBSD 14.3-RELEASE version.

To understand why they were brought to the light of day, it is first necessary to understand the problem they are here to solve.

Problem

This problem does not exist with x.0 FreeBSD releases – they have all their packages built against the proper FreeBSD x.0 version. The problem arises when an x.1 release is made, or x.2 … or any OTHER than x.0 to be precise … but why?

The main problem is that pkg(8) packages are built against the oldest currently supported FreeBSD version in the tree. For example when 14.3-RELEASE is announced – the packages for the 14.x tree are still built on 14.2-RELEASE for the next 3 months after 14.3-RELEASE availability.

This usually does not break any ‘userspace’ applications but kernel modules related packages are often broken and cause kernel panics even on module load – and there are about 70 of them. While the FreeBSD team fights really hard to keep ABI and kernel interfaces stable across ‘point’ releases – it is sometimes not possible due to the nature of Linux DRM graphics drivers being imported and improved to support more modern GPUs on FreeBSD.

The problem mostly arises in the desktop/laptop area of FreeBSD UNIX usage – as with broken ABI the drm-kmod related kernel modules just panic and reboot each such system instantly … and this problem persists for the whole 3 months within which the older release is still in support. After these 3 painful months – and after the older ‘point’ release is out of support – the pkg(8) packages finally start to be built against the PROPER latest FreeBSD version – and the problem disappears … up to the next ‘point’ release and its painful 3 months.

The damage of this policy can be limited with ZFS Boot Environments using tools like beadm(8) or bectl(8) but it is just a workaround.

Additional Repositories

I have spoken about that problem for years – trying to make the FreeBSD project do something about it – for example as there are TWO independent pkg(8) branches of packages – the default quarterly and the optional latest one – I suggested to switch latest to the LATEST FreeBSD version since day 1 of a release and keep quarterly as the ‘legacy’ version packages branch … but that proposal did not see any appreciation.

After many years something different was introduced – additional separate kernel modules related pkg(8) repositories – both for quarterly and latest branches.

Initially they were unofficial and official at the same time. Official for those who follow the FreeBSD project and daily use the Mailing Lists (CFT: Repository for Kernel Modules) – and unofficial for all the others – no mention in the Release Notes – no mention in the Errata for a FreeBSD release.

Official Solution

In the middle of the FreeBSD 14.3-RELEASE process the situation became clearer as the additional pkg(8) repositories became official in the FreeBSD 14.3-RC1 Now Available announcement – described as:

  o  The default pkg.conf file now includes the FreeBSD-kmods repository.

Finally.

List of kernel modules repositories that are available:

FreeBSD 14.2-RELEASE  kmods_latest_2     https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_latest_2
FreeBSD 14.2-RELEASE  kmods_quarterly_2  https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_quarterly_2

FreeBSD 14.3-RELEASE  kmods_latest_3     https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_latest_3
FreeBSD 14.3-RELEASE  kmods_quarterly_3  https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_quarterly_3

FreeBSD 14.3-STABLE   kmods_latest       https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_latest
FreeBSD 14.3-STABLE   kmods_quarterly    https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_quarterly

FreeBSD 15.0-CURRENT  kmods_latest       https://pkg.FreeBSD.org/FreeBSD:15:amd64/kmods_latest

One may ask – why will the FreeBSD project not just take the easiest way and build a separate set of packages for each release – the answer is simple and brutal – lack of resources – while FreeBSD remains one of the few really free and freedom powered systems – it comes at a price – you do not often get all the toys for free for playing the ‘freedom’ game.

Upgrade Path

Initially I was skeptical about the repositories – but I started to upgrade one of my systems within ZFS Boot Environment … and I was surprised that freebsd-update(8) asks to modify /etc/pkg/FreeBSD.conf file with additional FreeBSD-kmods repository … finally some good fucking news 🙂

I upgraded and rebooted the FreeBSD system up to the latest and greatest 14.3-RELEASE official version – and everything worked as it should. As I prefer to have more recent version of packages with latest branch of pkg(8) packages – I also switched to kmods_latest_${VERSION_MINOR} for the kernel related packages. For convenience (if needed) I have left the quarterly branch commented out.

My /etc/pkg/FreeBSD.conf file looks like that right now.

FreeBSD % cat /etc/pkg/FreeBSD.conf
FreeBSD: {
# url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
  url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
FreeBSD-kmods: {
# url: "pkg+https://pkg.FreeBSD.org/${ABI}/kmods_quarterly_${VERSION_MINOR}",
  url: "pkg+https://pkg.FreeBSD.org/${ABI}/kmods_latest_${VERSION_MINOR}",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

FreeBSD % pkg repos  
FreeBSD: { 
    url             : "pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/latest",
    enabled         : yes,
    priority        : 0,
    mirror_type     : "SRV",
    signature_type  : "FINGERPRINTS",
    fingerprints    : "/usr/share/keys/pkg"
  }
FreeBSD-kmods: { 
    url             : "pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_latest_3",
    enabled         : yes,
    priority        : 0,
    mirror_type     : "SRV",
    signature_type  : "FINGERPRINTS",
    fingerprints    : "/usr/share/keys/pkg"
  }

There are now two ‘same’ … or should I say ‘similar’ packages that come from the additional kernel repository. Take a look, for example, at the drm-61-kmod package.

FreeBSD % pkg search drm-61-kmod
drm-61-kmod-6.1.128.1402000_5  DRM drivers modules
nvidia-drm-61-kmod-570.153.02.1402000_2 NVIDIA DRM Kernel Module
drm-61-kmod-6.1.128.1403000_4  DRM drivers modules

I remember that when these additional repositories were introduced – for example – the VirtualBox kernel modules were not available – that is not the case now – everything is covered.

FreeBSD % pkg search virtualbox-ose-kmod
virtualbox-ose-kmod-6.1.50.1402000_1 VirtualBox kernel module for FreeBSD
virtualbox-ose-kmod-70-7.0.26.1402000 VirtualBox kernel module for FreeBSD
virtualbox-ose-kmod-71-7.1.10.1402000 VirtualBox kernel module for FreeBSD
virtualbox-ose-kmod-legacy-5.2.44.1402000_7 VirtualBox kernel module for FreeBSD
virtualbox-ose-kmod-6.1.50.1403000_1 VirtualBox kernel module for FreeBSD
virtualbox-ose-kmod-70-7.0.26.1403000 VirtualBox kernel module for FreeBSD
virtualbox-ose-kmod-71-7.1.8.1403000 VirtualBox kernel module for FreeBSD
virtualbox-ose-kmod-legacy-5.2.44.1403000_7 VirtualBox kernel module for FreeBSD

Take a look at the package suffix – it is 1402000 for the 14.2-RELEASE from the ‘default’ repository and 1403000 for the 14.3-RELEASE from the kernel repo – and that is treated by pkg(8) as a higher version than the ‘default’ one.
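That suffix can also be checked mechanically. The script below is an added example, not part of the original post: it extracts the suffix from kmod package names and reports the ones built for a different release than the running kernel. The function names and the kernel value used in the demo are assumptions; the package lines are copied from the listings above as constructed input.

```shell
#!/bin/sh
# Added example (not from the original post): report kernel-module packages
# whose embedded __FreeBSD_version differs from the running kernel's.
# Function names are hypothetical.

# Constructed sample input: 'pkg search' lines taken from the listings above.
SAMPLE_PKGS='drm-61-kmod-6.1.128.1402000_5  DRM drivers modules
nvidia-drm-61-kmod-570.153.02.1402000_2 NVIDIA DRM Kernel Module
drm-61-kmod-6.1.128.1403000_4  DRM drivers modules
virtualbox-ose-kmod-71-7.1.10.1402000 VirtualBox kernel module for FreeBSD
virtualbox-ose-kmod-71-7.1.8.1403000 VirtualBox kernel module for FreeBSD'

# Print the 7-digit suffix that ends a kmod package version (before the
# optional _PORTREVISION), or nothing when the name carries no such suffix.
# This is a heuristic: any version ending in ".<7 digits>" matches.
kmod_osversion() {
  printf '%s\n' "$1" \
    | sed -n -E 's/^.*\.([0-9]{7})(_[0-9]+)?$/\1/p'
}

# Turn a suffix such as 1403000 into a release number such as 14.3.
osversion_release() {
  printf '%d.%d\n' "$(( $1 / 100000 ))" "$(( ($1 / 1000) % 100 ))"
}

# Usage: kmod_mismatches KERNEL_OSVERSION < package-list
# Reads one package per line (first field is name-version) and prints a
# MISMATCH line for every kmod package built for another release.
kmod_mismatches() {
  kernel="$1"
  while read -r pkg _rest; do
    built=$(kmod_osversion "$pkg")
    # Packages without the suffix are not kernel modules: skip them.
    [ -n "$built" ] || continue
    if [ "$built" != "$kernel" ]; then
      printf 'MISMATCH %s built-for=%s kernel=%s\n' \
        "$pkg" "$(osversion_release "$built")" "$(osversion_release "$kernel")"
    fi
  done
}

# Demo on the constructed sample with an assumed 14.3-RELEASE kernel.
# On a live FreeBSD system the inputs would instead be:
#   pkg query '%n-%v' | kmod_mismatches "$(uname -K)"
printf '%s\n' "$SAMPLE_PKGS" | kmod_mismatches 1403000
```

Any MISMATCH line for an installed module is a reason to switch that package to the matching kmods repository before loading it.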

Results

I have tested these repos in both Intel and AMD based GPU systems – and they work properly on all of them.

Feel free to share your thoughts on the topic.

EOF

Crucial FreeBSD Toolkit

Post by Vermaden via 𝚟𝚎𝚛𝚖𝚊𝚍𝚎𝚗 »

While FreeBSD is similar in many concepts to other UNIX systems or to Linux – it is good to know the exact commands and solutions for various needs.

Today I would like to share all of them – after using FreeBSD for about 20 years – both privately and professionally.

The Table of Contents looks as follows.

  • Scroll Raw FreeBSD Console
  • Suspend/Resume Internals
  • Network Information
  • FreeBSD Tools
  • Additional Mount Points
  • Disk Information and Evaluation
  • Linux lsblk(8) Command
  • Instant Reboot
  • Mount ISO Image
  • Free RAM Memory
  • What is Listening
  • The tar(1) That Does More
  • Create/Extend Raw Volume
  • Filesystem Detection
  • Track Disk Utilization over Time
  • Manage ZFS Boot Environments
  • Sensors
  • Gigabytes in df(8) Command
  • Process Tracing
  • Idle and Realtime Priority
  • The fstab(5) Input
  • Forgotten systat(8) Command
  • Apply devfs(8) Ruleset Live
  • UPDATE 1 – Network Information on macOS

~

Scroll Raw FreeBSD Console

This is probably the first question I asked at the legendary – now killed and nonexistent – BSDForums.net – how to scroll the raw terminal on FreeBSD – as I came from the Linux world to FreeBSD – I expected that just [SHIFT]+[PGUP] and [SHIFT]+[PGDN] would work … not on FreeBSD.

On FreeBSD you first need to hit the [Scroll Lock] key – then you can scroll the console buffer with the [PGUP] and [PGDN] keys.

~

Suspend/Resume Internals

On a FreeBSD system one can enter the sleep (S3) state with the zzz(8) command.

Various tasks that need to happen before sleep happens can be added to the /etc/rc.suspend file.

To add various tasks that need to happen after sleep ends and resume phase happens – use the /etc/rc.resume file instead.

~

Network Information

Linux is well known for rewriting its older ifconfig(8) and route(8) tools into the ip(8) command.

FreeBSD still uses (and develops) the ifconfig(8) and route(8) commands – but if you come from Linux – the so called muscle memory will often guide your fingers to type ip(8) command instead of ifconfig(8) – how to cope with that?

The answer is simple – additional shell function that would take care of that.

Below you can copy the needed function.

FreeBSD % grep -A 256 'ip()' /usr/local/etc/zshrc | bat -l sh
  ip() {
    case ${1} in
      (r)
        netstat -Wrn -f inet \
          | grep -A 256 '^Destination' \
          | awk '{printf("%20s  %-18s  %18s  %-7s\n", $1, $2, $4, $3)}'
          ;;
      (l)
        netstat -Win -f link \
          | awk '{printf("%20s  %-18s  %18s  %-7s\n", $1, $4, $3, $2)}'
          ;;
      (a|*)
        netstat -Win -f inet \
          | awk '{printf("%20s  %-18s  %18s  %-7s\n", $1, $4, $3, $2)}'
          ;;
    esac
  }

FreeBSD % ip a
                Name  Address                        Network  Mtu    
                 lo0  127.0.0.1                  127.0.0.0/8  -      
           vm-public  10.1.1.1                   10.1.1.0/24  -      
          vm-VLAN239  172.27.33.193         172.27.33.192/26  -      
                 ue0  192.168.50.3           192.168.50.0/24  -      

FreeBSD % ip r
         Destination  Gateway                          Nhop#  Flags  
             default  192.168.50.114                      11  UGS    
         10.1.1.0/24  link#5                               2  U      
            10.1.1.1  link#2                               3  UHS    
           127.0.0.1  link#2                               1  UH     
    172.27.33.192/26  link#6                               4  U      
       172.27.33.193  link#2                               5  UHS    
     192.168.50.0/24  link#3                               6  U      
        192.168.50.3  link#2                               7  UHS    

I still need to work with Linux systems from time to time – so having a working ip(8) command equivalent on FreeBSD is welcome.

… and if you are curious why I always use the -prism option set for the uname(1) command – besides that it shows all the information that is needed – it is my personal tribute to Edward Snowden – the man who bravely blew the whistle on the PRISM program – KUDOS to You mate. Not sure how accurate the movie is – Snowden (2016) – but I really enjoyed it – especially after the Joseph Gordon-Levitt performance in the Dark Knight Rises (2012) and Premium Rush (2012) movies.

~

FreeBSD Tools

By default the FreeBSD ifconfig(8) command displays information in hexadecimal values like netmask 0xffffff00 for example instead of /24 … but you can use -f cidr option to switch to the latter.

You can also make that permanent with IFCONFIG_FORMAT=inet:cidr variable exported within your shell configs with either export(1) or setenv(1) depending on your preferred shell.

FreeBSD # ifconfig ue0
ue0: flags=8843 metric 0 mtu 1500
        options=0
        ether 02:25:6d:76:1e:7b
        inet 192.168.50.3 netmask 0xffffff00 broadcast 192.168.50.255
        nd6 options=29

FreeBSD # export IFCONFIG_FORMAT=inet:cidr

FreeBSD # ifconfig ue0
ue0: flags=8843 metric 0 mtu 1500
        options=0
        ether 02:25:6d:76:1e:7b
        inet 192.168.50.3/24 broadcast 192.168.50.255
        nd6 options=29

~

Additional Mount Points

In about 2013 I wrote and published automount(8) that utilizes FreeBSD devd(8) daemon to automatically mount and serve removable media and disks. Twelve years later – after many updates and improvements – I still use and maintain that very solution.

While using FreeBSD there came one additional need that automount(8) does not cover. What is additionally mounted and what I can unmount to get to the ‘default’ state of mounted filesystems?

In the past I checked the output of mount(8) command – and acted accordingly – that took time. Every. Single. Time.

That pushed me to kinda semi automate it – to not waste much more time on that.

Meet mnt.sh command (script).

It has two functions – first to list all filesystems and devices that are mounted additionally to what FreeBSD system has after the boot – or in Jails – or in Bhyve VMs. Secondly it allows to successfully unmount all of them with -u option. Nothing more. Nothing less.

~

Disk Information and Evaluation

When people think about that topic – they often either think about some S.M.A.R.T. related tools or benchmarks … and the diskinfo(8) command can tell you fast how well the disk performs. Just start it against any disk with the -cvt arguments and you know what you need to know.

In the terminal.

FreeBSD % diskinfo -ctv DISK

That is most that you need for a start.

~

Linux lsblk(8) Command

While most of the time I prefer FreeBSD tools for the job – exceptions sometimes happen – and lsblk(8) is one such welcome exception. It lists all disks/partitions/filesystems in a system, which FreeBSD does not do with its geom disk list or gpart show commands – or just not in the condensed way that I really like.

It took me some time to rewrite the core of the tool in the POSIX /bin/sh shell – but now it is available as the lsblk package on FreeBSD.

You can read more about lsblk(8) for FreeBSD on the List Block Devices on FreeBSD lsblk(8) Style page.

~

Instant Reboot

Nothing really fancy – but sometimes needed – imagine some process (or mount) went sideways and usual reboot(8) or shutdown(8) commands are not able to do anything to reboot a locked system.

This is when this tip is useful. It is the equivalent of the Linux -r flag for the reboot(8) command. Restart the system NOW – in that single second – no questions asked. We need to make sure crash dumps are disabled with the dumpon off command before doing that ‘instant’ restart.

FreeBSD # dumpon off
FreeBSD # sysctl debug.kdb.panic=1

After issuing that command you can be SURE that it is restarted.

~

Mount ISO Image

Mounting an ISO image on Linux systems requires one step while it requires two steps on FreeBSD.

Let’s bring that up to par with the loop.sh script.

FreeBSD % loop.sh -h
usage: loop.sh image.iso /mnt/point

Example usage below.

Keep in mind that even loop.sh image.iso ISO command would work.

~

Free RAM Memory

You can get the amount of free RAM from – for example – the top(1) command – but a lot of people already have the free(1) command. Fortunately you can install freecolor package on FreeBSD and have the same functionality.

FreeBSD # pkg install -y freecolor

FreeBSD # freecolor -o -m
             total       used       free     shared    buffers     cached
Mem:         31728       6874      24854          0          0          0
Swap:         2048          0       2048

FreeBSD # pkg which -o $( which freecolor )
/usr/local/bin/freecolor was installed by package sysutils/freecolor

~

What is Listening

The question that every sysadmin asks himself every time a server is managed.

FreeBSD offers really great sockstat(8) command for that.

FreeBSD # sockstat -l4
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     sshd       42298 8   tcp4   *:22                  *:*
root     nfsd       90131 5   tcp4   *:2049                *:*
root     cupsd      81818 7   tcp4   127.0.0.1:631         *:*

~

The tar(1) That Does More

On FreeBSD the tar(1) command uses libarchive(3) – it allows tar(1) to also read and extract – for example – ISO files.

FreeBSD % which tar      
/usr/bin/tar

FreeBSD % tar -tf ~/vm/iso/FreeBSD-15.0-CURRENT-amd64-20250612-e6928c33f60c-277883-disc1.iso | head
.
bin
bin/cat
bin/chflags
bin/chio
bin/chmod
bin/cp
bin/cpuset
bin/csh
bin/tcsh

~

Create/Extend Raw Volume

On FreeBSD that is covered by the truncate(1) command.

For example – want to expand your vm-bhyve VM disk up to 100 GB in size? This is the command.

FreeBSD # cd /vm/poudriere   

FreeBSD # truncate -s 100g disk0.img      

~

Filesystem Detection

When I started with automount(8) I could only rely on file -s ... command for filesystem detection.

Some time after automount(8) introduction the fstyp(8) command was introduced.

It is more or less simplified way to check what filesystem is on a device – and its really useful.

FreeBSD % fstyp /dev/nda0p1
msdosfs

~

Track Disk Utilization over Time

One of the commands I love from FreeBSD is this one – gstat(8) – just shows in desired interval how many IOPS and bandwidth the disks provide.

FreeBSD # gstat -p -I 3s
dT: 0.010s  w: 1.000s
 L(q)  ops/s    r/s   kBps   ms/r    w/s   kBps   ms/w   %busy Name
    0    486    486  20228  0.214      0      0  0.000   10.4| nda0
    0      0      0      0  0.000      0      0  0.000    0.0| nda1
    0      0      0      0  0.000      0      0  0.000    0.0| da0

It also comes with useful colors – and there is also a Rust version available in the FreeBSD Ports as the sysutils/gstat-rs port.

~

Manage ZFS Boot Environments

Right now FreeBSD has bectl(8) in the base – which works well. There is also my beadm(8) available as the sysutils/beadm package that has one important additional reroot option – ZFS Boot Environments Revolutions – more on that here.

Once You understand how great protection ZFS Boot Environments give – you will never want to live without them.

~

Sensors

Linux comes with a sensors(8) command that prints various sensors temperatures etc. While similar information was available on FreeBSD – it was never gathered in one single place … up till I wrote the sensors(8) command for FreeBSD.

Installation is pretty straightforward.

FreeBSD # mkdir -p ~/bin
FreeBSD # fetch -o ~/bin/sensors https://raw.githubusercontent.com/vermaden/sensors/master/sensors
FreeBSD # chmod +x ~/bin/sensors

If you would like to read more about it – Sensors Information on FreeBSD – you will find it here.

~

Gigabytes in df(8) Command

Both IBM AIX and FreeBSD UNIX systems have one advantage over the Linux df(8) command – they both support the -g flag that will display usage in gigabytes. Unfortunately with the Linux one you can have megabytes at most.

The one on IBM AIX looks slightly different – but the end result is similar.

~

Process Tracing

On Linux systems many times I needed to use useful strace(8) command. On IBM AIX and FreeBSD UNIX its called truss(8) but does the same thing.

FreeBSD # truss -s 30 /bin/ls /tmp/gimp 2>&1 | grep /
open("/etc/libmap.conf",O_RDONLY|O_CLOEXEC,030250030030) = 3 (0x3)
read(3,"includedir /usr/local/etc/libm"...,35)   = 35 (0x23)
open("/usr/local/etc/libmap.d",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,0165) = 3 (0x3)
open("/usr/local/etc/libmap.d/mesa.conf",O_RDONLY|O_CLOEXEC,0165) = 4 (0x4)
open("/var/run/ld-elf.so.hints",O_RDONLY|O_CLOEXEC,016177641474) = 3 (0x3)
pread(3,"/lib:/usr/lib:/usr/lib/compat:"...,437,0x80) = 437 (0x1b5)
open("/lib/libutil.so.9",O_RDONLY|O_CLOEXEC|O_VERIFY,00) = 3 (0x3)
open("/lib/libtinfow.so.9",O_RDONLY|O_CLOEXEC|O_VERIFY,00) = 3 (0x3)
open("/lib/libc.so.7",O_RDONLY|O_CLOEXEC|O_VERIFY,00) = 3 (0x3)
readlink("/etc/malloc.conf",0x2b93923aae70,1024) ERR#2 'No such file or directory'
open("/usr/share/locale/en_US.UTF-8/LC_COLLATE",O_RDONLY|O_CLOEXEC,022216535310) = 3 (0x3)
open("/usr/share/locale/en_US.UTF-8/LC_CTYPE",O_RDONLY|O_CLOEXEC,022216532030) = 3 (0x3)
open("/usr/share/locale/en_US.UTF-8/LC_MONETARY",O_RDONLY|O_CLOEXEC,022216533616) = 3 (0x3)
open("/usr/share/locale/en_US.UTF-8/LC_NUMERIC",O_RDONLY|O_CLOEXEC,022216533636) = 3 (0x3)
open("/usr/share/locale/en_US.UTF-8/LC_TIME",O_RDONLY|O_CLOEXEC,022216533656) = 3 (0x3)
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES",O_RDONLY|O_CLOEXEC,022216533656) = 3 (0x3)
fstatat(AT_FDCWD,"/tmp/gimp",{ mode=drwxr-xr-x ,inode=354,size=3,blksize=4096 },0x0) = 0 (0x0)
open("/tmp/gimp",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,016033264547) = 4 (0x4)

One can also use DTrace if needed.

~

Idle and Realtime Priority

I do not remember how many times I wanted a process – like make(1) for FreeBSD Ports compiling for example – to REALLY not interfere with what I am interactively doing right now – to have as low priority as possible … and the good oldschool renice(8) was just not enough.

This is where the FreeBSD idprio(1) and rtprio(1) commands come in handy – for idle and realtime respectively. If you want to allow a regular user to be able to use them – add that user to the idletime or realtime groups.

While the renice(8) command takes argument from -19 to 20 – both idprio(1) and rtprio(1) commands take argument from 0 to 31. Higher the value – bigger the power. For example idprio 31 command would make a command ultra low in the priority – that when anything else uses CPU – that command will literally have to wait till its not 🙂

~

The fstab(5) Input

When you are on a Linux system – the /etc/mtab file keeps mounted filesystems in fstab(5) format. That helps if you mounted a filesystem by hand and now want to add that information to the /etc/fstab file to make it permanent. On Linux you would do something like that:

Linux # tail -1 /etc/mtab >> /etc/fstab
Linux # vi /etc/fstab

On FreeBSD there is no /etc/mtab file – but there is the -p flag for the mount(8) command – that prints mounted filesystems in fstab(5) format – so on FreeBSD you would do something like that instead.

FreeBSD # mount -p | tail -1 >> /etc/fstab
FreeBSD # vi /etc/fstab

~

Forgotten systat(8) Command

It is rarely known – that systat(8) command – I often use it, for example, to check how much the network interfaces are utilized.

FreeBSD # systat -if 1

                    /0   /1   /2   /3   /4   /5   /6   /7   /8   /9   /10
     Load Average   ||

      Interface           Traffic               Peak                Total
           tap0  in      0.000 KB/s          0.000 KB/s           10.095 MB
                 out     0.174 KB/s          0.174 KB/s          350.764 MB

     vm-VLAN239  in      0.160 KB/s          0.160 KB/s           22.615 MB
                 out     0.174 KB/s          0.174 KB/s          351.268 MB

      vm-public  in      0.160 KB/s          0.160 KB/s           12.183 MB
                 out     0.000 KB/s          0.000 KB/s            0.000 KB

            lo0  in      0.160 KB/s          0.160 KB/s          113.110 MB
                 out     0.000 KB/s          0.000 KB/s           95.753 MB

            em0  in      8.569 KB/s         25.965 KB/s           37.437 GB
                 out     6.907 KB/s        127.806 KB/s           82.828 GB

The next one should be familiar to IBM AIX fans – as it kinda reminds topas(8) command.

FreeBSD # systat -vmstat

    6 users    Load  0.31  0.61  0.62                  Jun 24 15:29:45
   Mem usage:  89%Phy  5%Kmem                           VN PAGER   SWAP PAGER
Mem:      REAL           VIRTUAL                        in   out     in   out
       Tot   Share     Tot    Share     Free   count
Act 24451M    995M   7391G     116G    3591M   pages
All 24515M   1058M   7391G     117G                       ioflt  Interrupts
Proc:                                                     cow    3353 total
  r   p   d    s   w   Csw  Trp  Sys  Int  Sof  Flt    49 zfod        atkbd0 1
         33 1364        7K   53   2K   2K    2   52       ozfod       acpi0 9
                                                         %ozfod       psm0 12
 0.6%Sys   0.5%Intr  1.2%User  0.0%Nice 97.6%Idle         daefr   145 cpu0:timer
|    |    |    |    |    |    |    |    |    |    |       prcfr   129 cpu1:timer
+                                                      25 totfr   121 cpu2:timer
                                           dtbuf          react   129 cpu3:timer
Namei     Name-cache   Dir-cache   1102463 maxvn          pdwak   115 cpu4:timer
   Calls    hits   %    hits   %     17701 numvn     1108 pdpgs    86 cpu5:timer
     196     188  96                  1404 frevn          intrn   207 cpu6:timer
                                                    2729M wire    115 cpu7:timer
Disks  nda0  nda1   da0 pass0 pass1 pass2           2616M act    1961 xhci0 128
KB/t   2.67  1024  0.00  0.00  0.00  0.00             21G inact       nvme0:admi
tps       1     1     0     0     0     0           1542M laund       nvme0:io0
MB/s   0.00  0.80  0.00  0.00  0.00  0.00           3591M free        nvme0:io1
%busy     0     0     0     0     0     0               0 buf       1 nvme0:io2
                                                                      nvme0:io3
                                                                      nvme1:admi
                                                                    1 nvme1:io0
                                                                      nvme1:io1
                                                                      nvme1:io2
                                                                      nvme1:io3
                                                                  188 hdac0 139
                                                                  147 em0:irq0
                                                                    8 vgapci0
                                                                      iwm0 142
                                                                      xhci1 143

The systat(8) command even comes with ZFS ARC monitor.

FreeBSD # systat -zarc

                       Total     MFU     MRU    Anon     Hdr   L2Hdr   Other
     ZFS ARC            641M    303M    234M   1917K   4525K       0  99181K

                                Rate   Hits Misses | Total Rate   Hits Misses
     arcstats                  :  0%      0      0 |        96%   177M  6695k
     arcstats.demand_data      :  0%      0      0 |        98% 41577k   633k
     arcstats.demand_metadata  :  0%      0      0 |        96%   134M  4870k
     arcstats.prefetch_data    :  0%      0      0 |         4%  18251   425k
     arcstats.prefetch_metadata:  0%      0      0 |        64%  1371k   768k
     zfetchstats               :  0%      0      0 |        39% 13054k 20324k
     arcstats.l2               :  0%      0      0 |         0%      0      0







Disks  nda0  nda1   da0 pass0 pass1 pass2
KB/t   0.00  0.00  0.00  0.00  0.00  0.00
tps       0     0     0     0     0     0
MB/s   0.00  0.00  0.00  0.00  0.00  0.00
%busy     0     0     0     0     0     0


~

Apply devfs(8) Ruleset Live

One of the things I found useful – especially for debugging – was how to apply new devfs(8) ruleset to running Jail.

FreeBSD # devfs -m /jail/dns/dev ruleset 130

Hope that helps.

~

Summary

Feel free to share your favorite useful FreeBSD commands that make your life better.

~

UPDATE 1 – Network Information on macOS

Thanks to @matuzalem I can add variation that works better on macOS – thanks for sharing.

ip() {
  case ${1} in
    (r)
      printf "%20s %-18s %18s %-7s\n" "Name" "Address" "Network" "Mtu"
      netstat -Wrn -f inet \
        | grep -A 256 '^Destination' \
        | awk '{printf("%20s %-18s %18s %-7s\n", $1, $2, $4, $3)}'
      ;;
    (l)
      printf "%20s %-18s %18s %-7s\n" "Name" "Address" "Network" "Mtu"
      netstat -Win -f link \
        | grep -vE 'lo[0-9]*|awdl[0-9]*|llw[0-9]*|stf[0-9]*|gif[0-9]*|pflog[0-9]*|pktap[0-9]*' \
        | awk '{printf("%20s %-18s %18s %-7s\n", $1, $4, $3, $2)}'
      ;;
    (a|*)
      printf "%20s %-18s %18s %-7s\n" "Name" "Address" "Network" "Mtu"
      netstat -Win -f inet \
        | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}" \
        | awk '{printf("%20s %-18s %18s %-7s\n", $1, $4, $3, $2)}'
      ;;
  esac
}

Enjoy 🙂

EOF

Valuable News – 2025/07/14

Post by Vermaden via 𝚟𝚎𝚛𝚖𝚊𝚍𝚎𝚗 »

The Valuable News weekly series is dedicated to providing a summary of news, articles and other interesting stuff, mostly but not always related to UNIX/BSD/Linux systems. Whenever I stumble upon something worth mentioning on the Internet I just put it here.

Today the amount of information that we get using various information streams is at massive overload. Thus one needs to focus only on what is important without the need to grep(1) the Internet every day. Hence the idea of providing such information ‘bulk’ as I already do that grep(1).

The Usual Suspects section at the end is permanent and has links to other sites with interesting UNIX/BSD/Linux news.

Past releases are available at the dedicated NEWS page.

UNIX

Mastering FreeBSD Ports: Build/Customize/Optimize with nsysctl Command.
https://thedistrowriteproject.blogspot.com/2025/07/Mastering-FreeBSD-Ports-Build-Customise-and-Optimise-with%20-nsysctl.html

GhostBSD 2025/05 Finance Report.
https://ghostbsd.org/news/May_2025_Finance_Report

Practicing User Management and SSH Security on FreeBSD 14.
https://linkedin.com/pulse/user-configuration-security-freebsd-14-tiago-de-oliveira-wonyf/

The pkgsrc-2025Q2 Released.
https://mail-index.netbsd.org/pkgsrc-users/2025/07/04/msg041734.html

12 Year Old sudo(8) Linux Vulnerability Root Privilege Escalation.
https://cybersecuritynews.com/sudo-linux-vulnerability/

FreeBSD Foundation Laptop 2025/06 Update.
https://github.com/FreeBSDFoundation/proj-laptop/blob/main/monthly-updates/2025-06.md

FreeBSD Scheduler sched_ule Recovers Previous Nice and Antistarvation Behaviors.
https://cgit.freebsd.org/src/commit/?id=6792f3411f6d99e1698589835adbf6b7b51c7c74

XScreenSaver 6.12 Release.
https://jwz.org/blog/2025/07/xscreensaver-6-12/

Can We Install FreeBSD on AWS in Under a Minute?
https://youtube.com/watch?v=V9-5QC6vLHY

3 Ways to Try FreeBSD in Under 5 Minutes.
https://freebsdfoundation.org/blog/three-ways-to-try-freebsd-in-under-five-minutes/
https://github.com/FreeBSDFoundation/blog/tree/main/three-ways-to-try-freebsd-in-under-five-minutes

Overleaf Web Based Open Source Online Real Time Collaborative LaTeX Editor.
https://github.com/overleaf/overleaf

Crucial FreeBSD Toolkit.
https://vermaden.wordpress.com/2025/07/08/crucial-freebsd-toolkit/

The Book of PF – 4th Edition by Peter N. M. Hansteen is Happening.
https://nostarch.com/book-of-pf-4th-edition

LabWC Stacking Wayland Window Manager Inspired by Openbox.
https://youtube.com/watch?v=JyqiAXlZvjc

KDE Plasma 6.4 – Wayland vs X11 – Processor and Power Benchmarks.
https://dedoimedo.com/computers/plasma-6-4-performance-wayland-x11-power-cpu-kernel.html

Wayland Fedora Gnome vs KDE Neon Plasma Plus X11 Data.
https://dedoimedo.com/computers/wayland-fedora-gnome-kde-neon-amd-graphics-benchmark.html

Bastille 1.0 20250714 Release Announcement.
https://github.com/BastilleBSD/bastille/releases/tag/1.0.20250714

Install and Configure Galene Video Meeting Server on FreeBSD.
https://freebsdfoundation.org/blog/how-to-install-and-configure-the-galene-video-meeting-server-on-freebsd/

Official OPNsense Hardware Deciso DEC677 with 2.5GbE Networking.
https://youtube.com/watch?v=mb6Uyn816uo

The watch(1) Utility Added to OpenBSD-current.
https://undeadly.org/cgi?action=article;sid=20250711091546

Building Simple Router with OpenBSD.
https://btxx.org/posts/openbsd-router/

The Book of PF – 4th Edition is Coming Soon.
https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html

Distributed Filesystem for OpenBSD.
https://youtube.com/watch?v=6DQqTG3QGZc

Local Chatbot RAG with FreeBSD Knowledge.
https://hackacad.net/post/2025-07-12-local-chatbot-rag-with-freebsd-knowledge/

Wine 10.12 Released with Experimental EGL Backend for X11.
https://phoronix.com/news/Wine-10.12-Released

Supporting FreeBSD in the Field.
https://youtube.com/watch?v=N1-sViicQvU

Unix-like power, made simple

Illumarine OS Brings Best of Illumos and Other Open Source UNIX Technologies to Everyone.
https://illumarineos.com/

Funding Security in Open Source: Insights from FreeBSD Audit Journey.
https://youtube.com/watch?v=B7_0aKMs6zs

FreeBSD Laptop and Desktop Workgroup – Call 8.
https://youtube.com/watch?v=iq0gYApns18

The rsyslog Goes AI First.
https://rsyslog.com/rsyslog-goes-ai-first-a-new-chapter-begins/

OpenBSD I/O Benchmarking: How Many Jobs are Worth It?
https://rsadowski.de/posts/2025/fio_simple_benckmarking/

Computing on Sun Blade 100.
https://retrobsd.ddns.net/nvdh7j.htm

Hardware

Frame of Preference – History of Mac Settings – 1984–2004.
https://aresluna.org/frame-of-preference/

160 Core RISC-V Super Cluster on Single M.2 Card.
https://youtube.com/watch?v=HRfbQJ6FdF0

IBM Boasts New POWER11 Chips are Stingy on Power Usage.
https://theregister.com/2025/07/08/ibm_claims_x86_beating_efficiency/

Commodore 64 Ultimate.
https://commodore.net/

Inside Beelink Mini PC Production: How Tiny Computers are Made.
https://youtube.com/watch?v=ohwI3V207Ts

Other

Dutch Court Forces Broadcom to Support VMware Migration After 85% Price Hike Backlash.
https://networkworld.com/article/4015489/dutch-court-forces-broadcom-to-support-vmware-migration-after-85-price-hike-backlash.html

Thunderbird 140 Mail Client Debuts as Newest ESR Release.
https://phoronix.com/news/Thunderbird-140-ESR-Release

Citizens Petition to Stop Killing Games Reaches 1M Signatures Likely Triggering EU Review.
https://euronews.com/next/2025/07/08/citizens-petition-to-stop-killing-games-reaches-1-million-signatures-likely-triggering-eu-

Danish Ministry Switching from Microsoft Office 365 to LibreOffice.
https://blog.documentfoundation.org/blog/2025/07/08/danish-ministry-switching-from-microsoft-office-365-to-libreoffice/

Let Me Pay for Firefox!
https://discourse.mozilla.org/t/let-me-pay-for-firefox/141297

Usual Suspects

BSD Weekly.
https://bsdweekly.com/

DiscoverBSD.
https://discoverbsd.com/

BSDSec.
https://bsdsec.net/

DragonFly BSD Digest.
https://dragonflydigest.com/

FreeBSD Patch Level Table.
https://bokut.in/freebsd-patch-level-table/

FreeBSD End of Life Date.
https://endoflife.date/freebsd

Phoronix BSD News Archives.
https://phoronix.com/linux/BSD

OpenBSD Journal.
https://undeadly.org/

Call for Testing.
https://callfortesting.org/

Call for Testing – Production Users Call.
https://youtube.com/@callfortesting/videos

BSD Now Weekly Podcast.
https://www.bsdnow.tv/

Nixers Newsletter.
https://newsletter.nixers.net/entries.php

EOF

Swapping zpools – moving from using main_tank to using data

Post by Dan Langille via Dan Langille's Other Diary »

As mentioned in Doing a bit of stress work on a new HDD, I have a failing 5TB drive which is going to be replaced by a 4TB drive. Only about 1.45TB are used, so there’s plenty of space to grow.

If you get one thing from this post, don’t be downsizing zpools like this. I would have had much less work and opportunity for error, if I had returned that 4TB drive and waited for a 5TB drive to arrive. Don’t do what I did.

Earlier today, I visited the Bridgewater location of 365DataCenter.com and took out the old drive and added in the new drive. As mentioned in that last post, I still have some work to do. I have to export the old zpool (to take it offline), then adjust all the mountpoints for the new zpool, then run some tests and see if I got everything right.

This post is about those changes to see how things go.

In this post:

  1. FreeBSD 14.2

Creating a new user

I need to create a new user, one with a home directory outside /home – that’s because the zpool in question contains that directory. If that filesystem is unavailable, I still want to be able to log in and fix it.

[23:17 x8dtu dvl ~] % zfs list -r data/home main_tank/home
NAME             USED  AVAIL  REFER  MOUNTPOINT
data/home       86.0G  2.43T  86.0G  /data/home
main_tank/home   266G  3.15T  86.0G  /usr/home

Here we go:

[23:20 x8dtu dvl ~] % sudo adduser
Username: dvl-alt
Full name: Dan Langille - alt account
Uid (Leave empty for default): 
Login group [dvl-alt]: 
Login group is dvl-alt. Invite dvl-alt into other groups? []: wheel
Login class [default]: 
Shell (sh csh tcsh bash rbash git-shell zsh rzsh nologin) [sh]: zsh
Home directory [/home/dvl-alt]: /usr/dvl-alt
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]: no
Username    : dvl-alt
Password    : 
Full Name   : Dan Langille - alt account
Uid         : 1008
Class       : 
Groups      : dvl-alt wheel
Home        : /usr/dvl-alt
Home Mode   : 
Shell       : /usr/local/bin/zsh
Locked      : no
OK? (yes/no) [yes]: ydx
OK? (yes/no) [yes]: yes
adduser: INFO: Successfully added (dvl-alt) to the user database.
Add another user? (yes/no) [no]: no
Goodbye!
[23:22 x8dtu dvl ~] % 


[23:23 x8dtu dvl ~] % ls -dl /usr/dvl-alt 
drwxr-xr-x  2 dvl-alt dvl-alt 9 2025.07.12 23:22 /usr/dvl-alt/

Next, I’ll copy over my existing .ssh directory and see how that goes. Notice that I change the permissions after copying.

[23:23 x8dtu dvl ~] % sudo cp -r ~dvl/.ssh ~dvl-alt
[23:24 x8dtu dvl ~] % ls -la ~dvl-alt
total 53
drwxr-xr-x   3 dvl-alt dvl-alt   10 2025.07.12 23:24 ./
drwxr-xr-x  17 root    wheel     17 2025.07.12 23:22 ../
-rw-r--r--   1 dvl-alt dvl-alt  950 2025.07.12 23:22 .cshrc
-rw-r--r--   1 dvl-alt dvl-alt  311 2025.07.12 23:22 .login
-rw-r--r--   1 dvl-alt dvl-alt   79 2025.07.12 23:22 .login_conf
-rw-------   1 dvl-alt dvl-alt  289 2025.07.12 23:22 .mail_aliases
-rw-r--r--   1 dvl-alt dvl-alt  255 2025.07.12 23:22 .mailrc
-rw-r--r--   1 dvl-alt dvl-alt  966 2025.07.12 23:22 .profile
-rw-r--r--   1 dvl-alt dvl-alt 1003 2025.07.12 23:22 .shrc
drwx------   2 root    dvl-alt   11 2025.07.12 23:24 .ssh/
[23:24 x8dtu dvl ~] % sudo chown -R dvl-alt:dvl-alt ~dvl-alt/.ssh
[23:24 x8dtu dvl ~] % ls -la ~dvl-alt                            
total 53
drwxr-xr-x   3 dvl-alt dvl-alt   10 2025.07.12 23:24 ./
drwxr-xr-x  17 root    wheel     17 2025.07.12 23:22 ../
-rw-r--r--   1 dvl-alt dvl-alt  950 2025.07.12 23:22 .cshrc
-rw-r--r--   1 dvl-alt dvl-alt  311 2025.07.12 23:22 .login
-rw-r--r--   1 dvl-alt dvl-alt   79 2025.07.12 23:22 .login_conf
-rw-------   1 dvl-alt dvl-alt  289 2025.07.12 23:22 .mail_aliases
-rw-r--r--   1 dvl-alt dvl-alt  255 2025.07.12 23:22 .mailrc
-rw-r--r--   1 dvl-alt dvl-alt  966 2025.07.12 23:22 .profile
-rw-r--r--   1 dvl-alt dvl-alt 1003 2025.07.12 23:22 .shrc
drwx------   2 dvl-alt dvl-alt   11 2025.07.12 23:24 .ssh/
[23:24 x8dtu dvl ~] % 

First ssh in

This went well.

[19:26 air01 dan ~] % ssh dvl-alt@x8dtu
This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~).  This function can help you with a few settings that should
make your use of the shell easier.

You can:

(q)  Quit and do nothing.  The function will be run again next time.

(0)  Exit, creating the file ~/.zshrc containing just a comment.
     That will prevent this function being run again.

(1)  Continue to the main menu.

--- Type one of the keys in parentheses --- q
x8dtu% 
x8dtu% 

OK, what I’m going to do next is copy over the entire home directory, just to get all the other stuff I want. I could pick and choose. I’d rather just do everything. It’s only 6GB.

[23:27 x8dtu dvl ~] % sudo cp -rp . ~dvl-alt/
cp: ./.bash_profile: No such file or directory
[23:28 x8dtu dvl ~] % 

What’s that, oh yeah, I renamed my accounts a long time ago. It seems this was missed.

[23:28 x8dtu dvl ~] % ls -l ~/.bash_profile
lrwxr-xr-x  1 dvl dvl 38 2025.02.21 12:56 /usr/home/dvl/.bash_profile -> /usr/home/dan/src/scripts/bash_profile

Let’s fix that for dvl first.

[23:30 x8dtu dvl ~] % rm .bash_profile
[23:30 x8dtu dvl ~] % ln -s ~/src/scripts/bash_profile .bash_profile
[23:30 x8dtu dvl ~] % 
Connection to x8dtu.unixathome.org closed.
[19:31 air01 dan ~] % x8dtu
Last login: Sat Jul 12 23:27:51 2025 from 108.52.204.170
[23:31 x8dtu dvl ~] % ls -l ~/.bash_profile                         
lrwxr-xr-x  1 dvl dvl 38 2025.07.12 23:30 /usr/home/dvl/.bash_profile -> /usr/home/dvl/src/scripts/bash_profile
[23:31 x8dtu dvl ~] % 

Trying ssh again:

[19:27 air01 dan ~] % ssh dvl-alt@x8dtu
Last login: Sat Jul 12 23:26:13 2025 from 108.52.204.170
[23:33 x8dtu dvl-alt ~] % 

That’s better.

And fix this up here too:

[23:33 x8dtu dvl-alt ~] % ln -s ~/src/scripts/bash_profile .bash_profile
[23:34 x8dtu dvl-alt ~] % ls -l ~/.bash_profile
lrwxr-xr-x  1 dvl-alt dvl-alt 37 2025.07.12 23:34 /usr/dvl-alt/.bash_profile -> /usr/dvl-alt/src/scripts/bash_profile
[23:34 x8dtu dvl-alt ~] % 

OK, I think this user is good to go. I’m not sure why, or even if, ~/.bash_profile is still relevant. I know I’m using this:

[23:32 x8dtu dvl ~] % ls -l ~/.zshrc
lrwxr-xr-x  1 root dvl 17 2024.07.03 19:07 /usr/home/dvl/.zshrc -> src/scripts/zshrc
[23:36 x8dtu dvl ~] % 

And inside there, I have:

if [ -e $HOME/src/scripts/bash_profile_global ]; then
  source $HOME/src/scripts/bash_profile_global
fi

if [ -e $HOME/src/scripts/bash_profile-$HOST ]; then
  source $HOME/src/scripts/bash_profile-$HOST
fi

Oh, that’s how it works.

Looking at symlinks:

[23:38 x8dtu dvl ~] % ls -la | grep -- '->'
lrwxr-xr-x   1 dvl  dvl           38 2025.07.12 23:30 .bash_profile -> /usr/home/dvl/src/scripts/bash_profile
lrwxr-xr-x   1 root dvl           17 2024.07.03 19:07 .zshrc -> src/scripts/zshrc


[23:37 x8dtu dvl-alt ~] % ls -la | grep -- '->'

lrwxr-xr-x   1 dvl-alt dvl-alt         37 2025.07.12 23:34 .bash_profile -> /usr/dvl-alt/src/scripts/bash_profile
[23:38 x8dtu dvl-alt ~] % ls -l ~/.zshrc
-rw-r--r--  1 dvl-alt dvl-alt 2599 2023.11.06 13:56 /usr/dvl-alt/.zshrc

Ahh, no symlink for .zshrc, it’s a real file. Reading man cp, perhaps -R would have been better:

[23:41 x8dtu dvl ~] % sudo cp -R ~/.zshrc ~dvl-alt/ 

[23:40 x8dtu dvl-alt ~] % ls -l ~/.zshrc
lrwxr-xr-x  1 root dvl-alt 17 2025.07.12 23:41 /usr/dvl-alt/.zshrc -> src/scripts/zshrc

[23:42 x8dtu dvl-alt ~] % 
Connection to x8dtu.unixathome.org closed.
[19:42 air01 dan ~] % ssh dvl-alt@x8dtu
Last login: Sat Jul 12 23:33:06 2025 from 108.52.204.170

Yes, that seems to have worked better.

Break for Patchwork

I’ve been asked to play a game of Patchwork. Insert break here.

The next day

It’s now 8:02 on Sunday morning – coffee in hand, or rather, on the cafe table.

Shutting down FreshPorts

This is how I shut down anything which might be using the data I’m going to copy:

[12:33 x8dtu dvl ~] % sudo service jail stop
Stopping jails: perl540 svn nginx01 ingress01.freshports ingress01 pg01.
[12:33 x8dtu dvl ~] % sudo service jail disable
jail disabled in /etc/rc.conf
[12:33 x8dtu dvl ~] % 

Existing mountpoints

Here are the existing mountpoints:

[12:34 x8dtu dvl-alt ~/tmp] % zfs get -t filesystem -r mountpoint main_tank
NAME                                                                    PROPERTY    VALUE                                              SOURCE
main_tank                                                               mountpoint  none                                               local
main_tank/backups                                                       mountpoint  none                                               local
main_tank/backups/rsyncer                                               mountpoint  none                                               inherited from main_tank/backups
main_tank/backups/rsyncer/backups                                       mountpoint  /home/rsyncer/backups                              local
main_tank/backups/rsyncer/backups/Bacula                                mountpoint  /home/rsyncer/backups/Bacula                       inherited from main_tank/backups/rsyncer/backups
main_tank/backups/rsyncer/backups/bacula-database                       mountpoint  /home/rsyncer/backups/bacula-database              inherited from main_tank/backups/rsyncer/backups
main_tank/freshports                                                    mountpoint  none                                               inherited from main_tank
main_tank/freshports/ingress01                                          mountpoint  none                                               local
main_tank/freshports/ingress01/var                                      mountpoint  none                                               inherited from main_tank/freshports/ingress01
main_tank/freshports/ingress01/var/db                                   mountpoint  none                                               inherited from main_tank/freshports/ingress01
main_tank/freshports/ingress01/var/db/freshports                        mountpoint  /jails/ingress01/var/db/freshports                 local
main_tank/freshports/ingress01/var/db/freshports/cache                  mountpoint  /jails/ingress01/var/db/freshports/cache           inherited from main_tank/freshports/ingress01/var/db/freshports
main_tank/freshports/ingress01/var/db/freshports/cache/html             mountpoint  /jails/ingress01/var/db/freshports/cache/html      inherited from main_tank/freshports/ingress01/var/db/freshports
main_tank/freshports/ingress01/var/db/freshports/cache/spooling         mountpoint  /jails/ingress01/var/db/freshports/cache/spooling  inherited from main_tank/freshports/ingress01/var/db/freshports
main_tank/freshports/ingress01/var/db/freshports/message-queues         mountpoint  /jails/ingress01/var/db/freshports/message-queues  inherited from main_tank/freshports/ingress01/var/db/freshports
main_tank/freshports/ingress01/var/db/freshports/repos                  mountpoint  /jails/ingress01/var/db/freshports/repos           inherited from main_tank/freshports/ingress01/var/db/freshports
main_tank/freshports/ingress01/var/db/ingress                           mountpoint  /jails/ingress01/var/db/ingress                    local
main_tank/freshports/ingress01/var/db/ingress/message-queues            mountpoint  /jails/ingress01/var/db/ingress/message-queues     inherited from main_tank/freshports/ingress01/var/db/ingress
main_tank/freshports/ingress01/var/db/ingress/repos                     mountpoint  /jails/ingress01/var/db/ingress/repos              inherited from main_tank/freshports/ingress01/var/db/ingress
main_tank/freshports/jailed                                             mountpoint  none                                               inherited from main_tank
main_tank/freshports/jailed/ingress01                                   mountpoint  none                                               local
main_tank/freshports/jailed/ingress01/jails                             mountpoint  /jails                                             local
main_tank/freshports/jailed/ingress01/jails/freshports                  mountpoint  /jails/freshports                                  inherited from main_tank/freshports/jailed/ingress01/jails
main_tank/freshports/jailed/ingress01/mkjail                            mountpoint  /var/db/mkjail                                     local
main_tank/freshports/jailed/ingress01/mkjail/14.1-RELEASE               mountpoint  /var/db/mkjail/14.1-RELEASE                        inherited from main_tank/freshports/jailed/ingress01/mkjail
main_tank/freshports/jailed/nginx01                                     mountpoint  none                                               inherited from main_tank
main_tank/freshports/jailed/nginx01/var                                 mountpoint  none                                               inherited from main_tank
main_tank/freshports/jailed/nginx01/var/db                              mountpoint  none                                               inherited from main_tank
main_tank/freshports/jailed/nginx01/var/db/freshports                   mountpoint  none                                               inherited from main_tank
main_tank/freshports/jailed/nginx01/var/db/freshports/cache             mountpoint  /var/db/freshports/cache                           local
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/categories  mountpoint  /var/db/freshports/cache/categories                inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/commits     mountpoint  /var/db/freshports/cache/commits                   inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/daily       mountpoint  /var/db/freshports/cache/daily                     inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/general     mountpoint  /var/db/freshports/cache/general                   inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/news        mountpoint  /var/db/freshports/cache/news                      inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/packages    mountpoint  /var/db/freshports/cache/packages                  inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/pages       mountpoint  /var/db/freshports/cache/pages                     inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/ports       mountpoint  /var/db/freshports/cache/ports                     inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/spooling    mountpoint  /var/db/freshports/cache/spooling                  inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/nginx01                                            mountpoint  none                                               inherited from main_tank
main_tank/freshports/nginx01/var                                        mountpoint  none                                               inherited from main_tank
main_tank/freshports/nginx01/var/db                                     mountpoint  none                                               inherited from main_tank
main_tank/freshports/nginx01/var/db/freshports                          mountpoint  none                                               inherited from main_tank
main_tank/freshports/nginx01/var/db/freshports/cache                    mountpoint  none                                               local
main_tank/home                                                          mountpoint  /usr/home                                          local
main_tank/jails                                                         mountpoint  /jails                                             local
main_tank/jails/ingress01                                               mountpoint  /jails/ingress01                                   inherited from main_tank/jails
main_tank/jails/nginx01                                                 mountpoint  /jails/nginx01                                     inherited from main_tank/jails
main_tank/jails/perl540                                                 mountpoint  /jails/perl540                                     inherited from main_tank/jails
main_tank/jails/pg01                                                    mountpoint  /jails/pg01                                        inherited from main_tank/jails
main_tank/jails/svn                                                     mountpoint  /jails/svn                                         inherited from main_tank/jails
main_tank/mkjail                                                        mountpoint  /mkjail                                            local
main_tank/mkjail/14.1-RELEASE                                           mountpoint  /mkjail/14.1-RELEASE                               inherited from main_tank/mkjail
main_tank/mkjail/14.2-RELEASE                                           mountpoint  /mkjail/14.2-RELEASE                               inherited from main_tank/mkjail

Mountpoint references

I will also need to update these entries:

[12:35 x8dtu dvl-alt ~/tmp] % grep main_tank /etc/jail.conf 
    exec.created+="zfs jail $name    main_tank/freshports/jailed/ingress01";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/ingress01";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/categories";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/commits";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/daily";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/general";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/news";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/packages";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/pages";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/ports";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/spooling";
    exec.created+="zfs jail $name    main_tank/freshports/jailed/nginx01/var/db/freshports/cache";

That should just be a change from main_tank to data.

And these entries in the webserver:

[12:38 x8dtu dvl-alt ~/tmp] % sudo grep main_tank /jails/nginx01/usr/local/etc/freshports/*
/jails/nginx01/usr/local/etc/freshports/config.sh:fp_zfs_caching_parent="main_tank/freshports/jailed/nginx01/var/db/freshports/cache"
/jails/nginx01/usr/local/etc/freshports/fp-listen.ini:PKG_ZFS_SNAPSHOT = main_tank/freshports/jailed/nginx01/var/db/freshports/cache/packages@empty
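
The main_tank to data rename described above, as an added example (not from the original post or from FreshPorts): it rewrites the pool name only where it is the first component of a dataset path, then lists datasets the config references that are absent from the new pool, which matters for the `zfs jail` and `jailed=on` lines because a jail started against a missing dataset comes up without its delegated storage. The function names, the two decoy lines and the dataset list are constructed for illustration; pool names are assumed to contain no regex metacharacters.

```sh
#!/bin/sh
# Added example: rename zpool references in config text and check them
# against the datasets that actually exist on the new pool.

# rewrite_pool OLD NEW < config
# Renames OLD/... to NEW/... only when OLD starts a dataset path, i.e. it is
# at the start of the line or follows a character that cannot be part of a
# dataset or file path. "/mnt/OLD/x" and "backup_OLD/x" are left untouched.
rewrite_pool() {
  old=$1 new=$2
  sed -E "s#(^|[^A-Za-z0-9_./-])${old}/#\1${new}/#g"
}

# list_refs POOL < config
# Prints each dataset under POOL that the config mentions, once, with any
# @snapshot suffix dropped (the character class stops before "@").
list_refs() {
  grep -oE "(^|[^A-Za-z0-9_./-])$1/[A-Za-z0-9_.:/-]+" \
    | sed -E 's#^[^A-Za-z0-9_]##' \
    | sort -u
}

# missing_refs POOL DATASET_LIST < config
# DATASET_LIST is a file with one dataset per line, as printed by
# `zfs list -H -o name -r POOL`. Output: referenced datasets not in the list.
missing_refs() {
  list_refs "$1" | grep -vxFf "$2" || true
}

# Sample input: four lines taken from the grep output in the post, plus two
# constructed decoys that mention main_tank but are not dataset references.
sample_config() {
  cat <<'EOF'
    exec.created+="zfs jail $name    main_tank/freshports/jailed/ingress01";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache";
fp_zfs_caching_parent="main_tank/freshports/jailed/nginx01/var/db/freshports/cache"
PKG_ZFS_SNAPSHOT = main_tank/freshports/jailed/nginx01/var/db/freshports/cache/packages@empty
archive_path = "/mnt/main_tank/archive";
spare = "old_main_tank/freshports";
EOF
}

# Constructed stand-in for `zfs list -H -o name -r data`; the ingress01
# jailed dataset is deliberately left out so the check has something to find.
sample_datasets() {
  cat <<'EOF'
data
data/freshports
data/freshports/jailed
data/freshports/jailed/nginx01
data/freshports/jailed/nginx01/var/db/freshports/cache
data/freshports/jailed/nginx01/var/db/freshports/cache/packages
EOF
}

# Demo: show the rewritten config, then the dangling references.
datasets=$(mktemp)
sample_datasets > "$datasets"
sample_config | rewrite_pool main_tank data
echo "--- referenced but absent on the new pool:"
sample_config | rewrite_pool main_tank data | missing_refs data "$datasets"
rm -f "$datasets"
```

On the real host the second argument to `missing_refs` would be a file holding the output of `zfs list -H -o name -r data`, and the check would run before `service jail start`.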

One last sync

This seems repetitive.


[12:40 x8dtu dvl-alt ~] % sudo syncoid --no-privilege-elevation -r  --compress=lzo --quiet main_tank data

CRITICAL ERROR: Target data exists but has no snapshots matching with main_tank!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/freshports exists but has no snapshots matching with main_tank/freshports!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/freshports/ingress01 exists but has no snapshots matching with main_tank/freshports/ingress01!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/freshports/ingress01/var exists but has no snapshots matching with main_tank/freshports/ingress01/var!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/freshports/ingress01/var/db exists but has no snapshots matching with main_tank/freshports/ingress01/var/db!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/freshports/ingress01/var/db/freshports exists but has no snapshots matching with main_tank/freshports/ingress01/var/db/freshports!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/freshports/ingress01/var/db/freshports/cache exists but has no snapshots matching with main_tank/freshports/ingress01/var/db/freshports/cache!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.

          NOTE: Target data/freshports/ingress01/var/db/freshports/cache dataset is < 64MB used - did you mistakenly run
                `zfs create data` on the target? ZFS initial
                replication must be to a NON EXISTENT DATASET, which will
                then be CREATED BY the initial replication process.


CRITICAL ERROR: Target data/freshports/ingress01/var/db/freshports/cache/spooling exists but has no snapshots matching with main_tank/freshports/ingress01/var/db/freshports/cache/spooling!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.

          NOTE: Target data/freshports/ingress01/var/db/freshports/cache/spooling dataset is < 64MB used - did you mistakenly run
                `zfs create data` on the target? ZFS initial
                replication must be to a NON EXISTENT DATASET, which will
                then be CREATED BY the initial replication process.


CRITICAL ERROR: Target data/freshports/ingress01/var/db/freshports/message-queues exists but has no snapshots matching with main_tank/freshports/ingress01/var/db/freshports/message-queues!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/freshports/ingress01/var/db/freshports/repos exists but has no snapshots matching with main_tank/freshports/ingress01/var/db/freshports/repos!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.

          NOTE: Target data/freshports/ingress01/var/db/freshports/repos dataset is < 64MB used - did you mistakenly run
                `zfs create data` on the target? ZFS initial
                replication must be to a NON EXISTENT DATASET, which will
                then be CREATED BY the initial replication process.


CRITICAL ERROR: Target data/freshports/ingress01/var/db/ingress exists but has no snapshots matching with main_tank/freshports/ingress01/var/db/ingress!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/freshports/ingress01/var/db/ingress/message-queues exists but has no snapshots matching with main_tank/freshports/ingress01/var/db/ingress/message-queues!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.

          NOTE: Target data/freshports/ingress01/var/db/ingress/message-queues dataset is < 64MB used - did you mistakenly run
                `zfs create data` on the target? ZFS initial
                replication must be to a NON EXISTENT DATASET, which will
                then be CREATED BY the initial replication process.


CRITICAL ERROR: Target data/freshports/ingress01/var/db/ingress/repos exists but has no snapshots matching with main_tank/freshports/ingress01/var/db/ingress/repos!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/freshports/jailed exists but has no snapshots matching with main_tank/freshports/jailed!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/freshports/jailed/nginx01 exists but has no snapshots matching with main_tank/freshports/jailed/nginx01!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/freshports/jailed/nginx01/var exists but has no snapshots matching with main_tank/freshports/jailed/nginx01/var!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/freshports/jailed/nginx01/var/db exists but has no snapshots matching with main_tank/freshports/jailed/nginx01/var/db!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/freshports/nginx01 exists but has no snapshots matching with main_tank/freshports/nginx01!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.

          NOTE: Target data/freshports/nginx01 dataset is < 64MB used - did you mistakenly run
                `zfs create data` on the target? ZFS initial
                replication must be to a NON EXISTENT DATASET, which will
                then be CREATED BY the initial replication process.


CRITICAL ERROR: Target data/freshports/nginx01/var exists but has no snapshots matching with main_tank/freshports/nginx01/var!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.

          NOTE: Target data/freshports/nginx01/var dataset is < 64MB used - did you mistakenly run
                `zfs create data` on the target? ZFS initial
                replication must be to a NON EXISTENT DATASET, which will
                then be CREATED BY the initial replication process.


CRITICAL ERROR: Target data/freshports/nginx01/var/db exists but has no snapshots matching with main_tank/freshports/nginx01/var/db!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.

          NOTE: Target data/freshports/nginx01/var/db dataset is < 64MB used - did you mistakenly run
                `zfs create data` on the target? ZFS initial
                replication must be to a NON EXISTENT DATASET, which will
                then be CREATED BY the initial replication process.


CRITICAL ERROR: Target data/freshports/nginx01/var/db/freshports exists but has no snapshots matching with main_tank/freshports/nginx01/var/db/freshports!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.

          NOTE: Target data/freshports/nginx01/var/db/freshports dataset is < 64MB used - did you mistakenly run
                `zfs create data` on the target? ZFS initial
                replication must be to a NON EXISTENT DATASET, which will
                then be CREATED BY the initial replication process.


CRITICAL ERROR: Target data/freshports/nginx01/var/db/freshports/cache exists but has no snapshots matching with main_tank/freshports/nginx01/var/db/freshports/cache!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.

          NOTE: Target data/freshports/nginx01/var/db/freshports/cache dataset is < 64MB used - did you mistakenly run
                `zfs create data` on the target? ZFS initial
                replication must be to a NON EXISTENT DATASET, which will
                then be CREATED BY the initial replication process.


CRITICAL ERROR: Target data/home exists but has no snapshots matching with main_tank/home!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/jails exists but has no snapshots matching with main_tank/jails!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/mkjail exists but has no snapshots matching with main_tank/mkjail!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/mkjail/14.1-RELEASE exists but has no snapshots matching with main_tank/mkjail/14.1-RELEASE!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


CRITICAL ERROR: Target data/mkjail/14.2-RELEASE exists but has no snapshots matching with main_tank/mkjail/14.2-RELEASE!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.

canmount

I'll need these later:

[12:49 x8dtu dvl ~] % sudo zfs get -r -t filesystem canmount data
NAME                                                               PROPERTY  VALUE     SOURCE
data                                                               canmount  on        default
data/backups                                                       canmount  on        default
data/backups/rsyncer                                               canmount  on        default
data/backups/rsyncer/backups                                       canmount  on        default
data/backups/rsyncer/backups/Bacula                                canmount  on        default
data/backups/rsyncer/backups/bacula-database                       canmount  on        default
data/freshports                                                    canmount  on        default
data/freshports/ingress01                                          canmount  on        default
data/freshports/ingress01/var                                      canmount  on        default
data/freshports/ingress01/var/db                                   canmount  on        default
data/freshports/ingress01/var/db/freshports                        canmount  on        default
data/freshports/ingress01/var/db/freshports/cache                  canmount  on        default
data/freshports/ingress01/var/db/freshports/cache/html             canmount  on        default
data/freshports/ingress01/var/db/freshports/cache/spooling         canmount  on        default
data/freshports/ingress01/var/db/freshports/message-queues         canmount  on        default
data/freshports/ingress01/var/db/freshports/repos                  canmount  on        default
data/freshports/ingress01/var/db/ingress                           canmount  on        default
data/freshports/ingress01/var/db/ingress/message-queues            canmount  on        default
data/freshports/ingress01/var/db/ingress/repos                     canmount  on        default
data/freshports/jailed                                             canmount  on        default
data/freshports/jailed/ingress01                                   canmount  on        default
data/freshports/jailed/ingress01/jails                             canmount  on        default
data/freshports/jailed/ingress01/jails/freshports                  canmount  on        default
data/freshports/jailed/ingress01/mkjail                            canmount  on        default
data/freshports/jailed/ingress01/mkjail/14.1-RELEASE               canmount  on        default
data/freshports/jailed/nginx01                                     canmount  on        default
data/freshports/jailed/nginx01/var                                 canmount  on        default
data/freshports/jailed/nginx01/var/db                              canmount  on        default
data/freshports/jailed/nginx01/var/db/freshports                   canmount  on        default
data/freshports/jailed/nginx01/var/db/freshports/cache             canmount  on        default
data/freshports/jailed/nginx01/var/db/freshports/cache/categories  canmount  on        default
data/freshports/jailed/nginx01/var/db/freshports/cache/commits     canmount  on        default
data/freshports/jailed/nginx01/var/db/freshports/cache/daily       canmount  on        default
data/freshports/jailed/nginx01/var/db/freshports/cache/general     canmount  on        default
data/freshports/jailed/nginx01/var/db/freshports/cache/news        canmount  on        default
data/freshports/jailed/nginx01/var/db/freshports/cache/packages    canmount  on        default
data/freshports/jailed/nginx01/var/db/freshports/cache/pages       canmount  on        default
data/freshports/jailed/nginx01/var/db/freshports/cache/ports       canmount  on        default
data/freshports/jailed/nginx01/var/db/freshports/cache/spooling    canmount  on        default
data/freshports/nginx01                                            canmount  on        default
data/freshports/nginx01/var                                        canmount  on        default
data/freshports/nginx01/var/db                                     canmount  on        default
data/freshports/nginx01/var/db/freshports                          canmount  on        default
data/freshports/nginx01/var/db/freshports/cache                    canmount  on        default
data/home                                                          canmount  on        default
data/jails                                                         canmount  on        default
data/jails/ingress01                                               canmount  on        default
data/jails/nginx01                                                 canmount  on        default
data/jails/perl540                                                 canmount  on        default
data/jails/pg01                                                    canmount  on        default
data/jails/svn                                                     canmount  on        default
data/mkjail                                                        canmount  on        default
data/mkjail/14.1-RELEASE                                           canmount  on        default
data/mkjail/14.2-RELEASE                                           canmount  on        default
[12:49 x8dtu dvl ~] % sudo zfs get -r -t filesystem canmount main_tank
NAME                                                                    PROPERTY  VALUE     SOURCE
main_tank                                                               canmount  on        default
main_tank/backups                                                       canmount  on        default
main_tank/backups/rsyncer                                               canmount  on        default
main_tank/backups/rsyncer/backups                                       canmount  on        default
main_tank/backups/rsyncer/backups/Bacula                                canmount  on        default
main_tank/backups/rsyncer/backups/bacula-database                       canmount  on        default
main_tank/freshports                                                    canmount  on        default
main_tank/freshports/ingress01                                          canmount  noauto    local
main_tank/freshports/ingress01/var                                      canmount  on        default
main_tank/freshports/ingress01/var/db                                   canmount  on        default
main_tank/freshports/ingress01/var/db/freshports                        canmount  off       local
main_tank/freshports/ingress01/var/db/freshports/cache                  canmount  on        default
main_tank/freshports/ingress01/var/db/freshports/cache/html             canmount  on        default
main_tank/freshports/ingress01/var/db/freshports/cache/spooling         canmount  on        default
main_tank/freshports/ingress01/var/db/freshports/message-queues         canmount  on        default
main_tank/freshports/ingress01/var/db/freshports/repos                  canmount  on        default
main_tank/freshports/ingress01/var/db/ingress                           canmount  off       local
main_tank/freshports/ingress01/var/db/ingress/message-queues            canmount  on        default
main_tank/freshports/ingress01/var/db/ingress/repos                     canmount  on        default
main_tank/freshports/jailed                                             canmount  on        default
main_tank/freshports/jailed/ingress01                                   canmount  noauto    local
main_tank/freshports/jailed/ingress01/jails                             canmount  on        default
main_tank/freshports/jailed/ingress01/jails/freshports                  canmount  on        default
main_tank/freshports/jailed/ingress01/mkjail                            canmount  on        default
main_tank/freshports/jailed/ingress01/mkjail/14.1-RELEASE               canmount  on        default
main_tank/freshports/jailed/nginx01                                     canmount  on        default
main_tank/freshports/jailed/nginx01/var                                 canmount  on        default
main_tank/freshports/jailed/nginx01/var/db                              canmount  on        default
main_tank/freshports/jailed/nginx01/var/db/freshports                   canmount  on        default
main_tank/freshports/jailed/nginx01/var/db/freshports/cache             canmount  off       local
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/categories  canmount  on        local
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/commits     canmount  on        local
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/daily       canmount  on        local
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/general     canmount  on        local
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/news        canmount  on        local
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/packages    canmount  on        local
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/pages       canmount  on        local
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/ports       canmount  on        local
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/spooling    canmount  on        local
main_tank/freshports/nginx01                                            canmount  on        default
main_tank/freshports/nginx01/var                                        canmount  on        default
main_tank/freshports/nginx01/var/db                                     canmount  on        default
main_tank/freshports/nginx01/var/db/freshports                          canmount  on        default
main_tank/freshports/nginx01/var/db/freshports/cache                    canmount  noauto    local
main_tank/home                                                          canmount  on        default
main_tank/jails                                                         canmount  on        default
main_tank/jails/ingress01                                               canmount  on        default
main_tank/jails/nginx01                                                 canmount  on        default
main_tank/jails/perl540                                                 canmount  on        default
main_tank/jails/pg01                                                    canmount  on        default
main_tank/jails/svn                                                     canmount  on        default
main_tank/mkjail                                                        canmount  on        default
main_tank/mkjail/14.1-RELEASE                                           canmount  on        default
main_tank/mkjail/14.2-RELEASE                                           canmount  on        default

export the old zpool

I will export the old zpool, so I can start using the new zpool.

[13:01 x8dtu dvl ~] % sudo zpool export main_tank
cannot unmount '/usr/home': pool or dataset is busy
[13:01 x8dtu dvl ~] %     
Connection to x8dtu.unixathome.org closed.
[9:01 pro05 dvl ~] % ssh dvl-alt@x8dtu
Last login: Sun Jul 13 12:58:12 2025 from 172.56.221.92
[13:01 x8dtu dvl-alt ~] % sudo zpool export main_tank
cannot unmount '/usr/home': pool or dataset is busy
[13:01 x8dtu dvl-alt ~] % w
 1:01PM  up 8 days, 22:46, 10 users, load averages: 0.13, 0.75, 1.28
USER       TTY      FROM                                      LOGIN@  IDLE WHAT
dvl        pts/0    pool-203.0.113.12.phlapa.fios.verizon.ne Thu07PM 1day  -zsh (zsh)
dvl        pts/1    pool-203.0.113.12.phlapa.fios.verizon.ne Thu02PM 1day  -zsh (zsh)
dvl-alt    pts/2    203.0.113.123                            12:02PM    53 -zsh (zsh)
dvl        pts/3    203.0.113.123                            12:08PM    53 -zsh (zsh)
dvl        pts/5    203.0.113.123                            12:32PM    27 -zsh (zsh)
dvl-alt    pts/4    203.0.113.123                            12:28PM    20 -zsh (zsh)
dvl-alt    pts/6    203.0.113.123                            12:39PM     8 tmux: client (/tmp/tmux-1008/default) (tmux)
dvl-alt    pts/7    tmux(15984).%0                           12:40PM    20 -zsh (zsh)
dvl-alt    pts/8    203.0.113.123                             1:01PM     - w
dvl-alt    pts/10   203.0.113.123                            12:50PM     - -zsh (zsh)
[13:02 x8dtu dvl-alt ~] % sudo revoke pts/0
pts/0: No such file or directory
[13:04 x8dtu dvl-alt ~] % w                
[13:04 x8dtu dvl-alt ~] % sudo revoke /dev/pts/0
[13:04 x8dtu dvl-alt ~] % sudo revoke /dev/pts/1
[13:04 x8dtu dvl-alt ~] % sudo revoke /dev/pts/3
[13:04 x8dtu dvl-alt ~] % sudo revoke /dev/pts/5
[13:04 x8dtu dvl-alt ~] % w
 1:04PM  up 8 days, 22:49, 6 users, load averages: 0.03, 0.45, 1.06
USER       TTY      FROM             LOGIN@  IDLE WHAT
dvl-alt    pts/2    203.0.113.123   12:02PM    56 -zsh (zsh)
dvl-alt    pts/4    203.0.113.123   12:28PM    22 -zsh (zsh)
dvl-alt    pts/6    203.0.113.123   12:39PM    10 tmux: client (/tmp/tmux-1008/default) (tmux)
dvl-alt    pts/7    tmux(15984).%0  12:40PM    23 -zsh (zsh)
dvl-alt    pts/8    203.0.113.123    1:01PM     - w
dvl-alt    pts/10   203.0.113.123   12:50PM     3 -zsh (zsh)

Oh, I can't export a directory in use. So I logged my other sessions out.

[13:10 x8dtu dvl-alt ~] % sudo zpool export main_tank
cannot unmount '/usr/home': pool or dataset is busy


[13:11 x8dtu dvl-alt ~] % zfs list -r | grep /usr/home
main_tank/home                                                           193G  3.15T  86.0G  /usr/home

[13:11 x8dtu dvl-alt ~] % sudo zfs umount /usr/home
cannot unmount '/usr/home': pool or dataset is busy

[13:11 x8dtu dvl-alt ~] % sudo zfs umount -f /usr/home
[13:11 x8dtu dvl-alt ~] % 

Next, it's a bunch of stuff like this, where something is mounted, which prevents that something from being exported:

[13:12 x8dtu dvl-alt ~] % zfs list | grep pg01 
data/jails/pg01                                                         23.3G  2.36T  7.49G  none
main_tank/jails/pg01                                                    23.3G  3.15T  7.49G  /jails/pg01
zroot/freshports/pg01                                                   36.3G   146G    96K  none
zroot/freshports/pg01/postgres                                          36.3G   146G  35.9G  /jails/pg01/var/db/postgres
[13:12 x8dtu dvl-alt ~] % sudo zfs umount zroot/freshports/pg01/postgres
[13:13 x8dtu dvl-alt ~] % sudo zpool export main_tank                   
cannot unmount '/jails/ingress01/jails/freshports': pool or dataset is busy

Perhaps I could have the jail umount and mount that when it stops/starts.

[13:13 x8dtu dvl-alt ~] % sudo zpool export main_tank                   
cannot unmount '/jails/ingress01/jails/freshports': pool or dataset is busy
[13:14 x8dtu dvl-alt ~] % mount | grep /jails/ingress01/jails/freshports
main_tank/freshports/jailed/ingress01/jails/freshports on /jails/ingress01/jails/freshports (zfs, local, noatime, nfsv4acls)
devfs on /jails/ingress01/jails/freshports/dev (devfs)
[13:14 x8dtu dvl-alt ~] % sudo umount /jails/ingress01/jails/freshports/dev
[13:15 x8dtu dvl-alt ~] % sudo zpool export main_tank                      
[13:15 x8dtu dvl-alt ~] % 
[13:15 x8dtu dvl-alt ~] % zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
data   3.62T  1.16T  2.47T        -         -     0%    31%  1.00x    ONLINE  -
zroot   212G  59.7G   152G        -         -    49%    28%  1.00x    ONLINE  -

Finally, I get it unmounted. These are the log entries it created.

Jul 13 13:15:04 x8dtu kernel: vdev_geom_close_locked:352[1]: Closing access to ada2p1.
Jul 13 13:15:04 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada2p1.
Jul 13 13:15:04 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada2p1.

For my future reference, this confirms that ada2 is the drive to be repartitioned and added to the zpool named data.

Setting canmount

Based on information pasted above, I made these changes:

[13:18 x8dtu dvl-alt ~] % sudo zfs set canmount=noauto data/freshports/ingress01
[13:18 x8dtu dvl-alt ~] % sudo zfs set canmount=off data/freshports/ingress01/var/db/ingress 
[13:18 x8dtu dvl-alt ~] % sudo zfs set canmount=off data/freshports/ingress01/var/db/freshports
[13:19 x8dtu dvl-alt ~] % sudo zfs set canmount=off data/freshports/ingress01/var/db/ingress   
[13:19 x8dtu dvl-alt ~] % sudo zfs set canmount=noauto data/freshports/jailed/ingress01        
[13:19 x8dtu dvl-alt ~] % sudo zfs set canmount=off data/freshports/jailed/nginx01/var/db/freshports/cache             
[13:19 x8dtu dvl-alt ~] % sudo zfs set canmount=noauto freshports/nginx01/var/db/freshports/cache                      
cannot open 'freshports/nginx01/var/db/freshports/cache': dataset does not exist
[13:20 x8dtu dvl-alt ~] % sudo zfs set canmount=noauto data/freshports/nginx01/var/db/freshports/cache
[13:20 x8dtu dvl-alt ~] % 
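
The comparison done by eye above can also be generated from `zfs get -H` output, which avoids the repeated and mistyped dataset names seen in that session. This is an added example, not part of the original post: `canmount_plan` and `sample_rows` are hypothetical names, and the sample rows are constructed from the `main_tank` listing earlier on this page plus one deliberately malformed row. It only prints commands for review; it runs nothing.

```shell
#!/bin/sh
# Added example: turn locally-set canmount values on a source pool into
# `zfs set` commands for the replicated pool. Dry run only.

# canmount_plan SRC_POOL DST_POOL
# stdin: tab-separated rows as produced by
#   zfs get -H -r -t filesystem -o name,property,value,source canmount SRC_POOL
canmount_plan() {
    awk -F '\t' -v src="$1" -v dst="$2" '
        # Only values set explicitly on a dataset need replaying; rows whose
        # source is "default" or "inherited from ..." follow on their own.
        $2 != "canmount" || $4 != "local" { next }
        # canmount takes exactly these three values.
        $3 != "on" && $3 != "off" && $3 != "noauto" { skipped++; next }
        # Conservative character set for names, so every generated line is
        # safe to read and paste into a root shell.
        $1 !~ "^[A-Za-z0-9_.:/-]+$" { skipped++; next }
        # The dataset must be the source pool itself or live under it.
        $1 != src && index($1, src "/") != 1 { skipped++; next }
        {
            # Swap the pool prefix, keep the rest of the dataset path.
            printf "zfs set canmount=%s %s%s\n", $3, dst, substr($1, length(src) + 1)
        }
        END { if (skipped) printf "# skipped %d unexpected row(s)\n", skipped }
    '
}

# Constructed sample input: rows taken from the main_tank listing on this
# page, plus one malformed dataset name that must be rejected.
sample_rows() {
    printf '%s\t%s\t%s\t%s\n' \
        main_tank/freshports canmount on default \
        main_tank/freshports/ingress01 canmount noauto local \
        main_tank/freshports/ingress01/var/db/freshports canmount off local \
        main_tank/freshports/jailed/nginx01/var/db/freshports/cache/news canmount on local \
        'main_tank/bad;name' canmount off local \
        main_tank/home canmount on default
}

# Stand-alone run: print the plan for the sample rows.
sample_rows | canmount_plan main_tank data
```

On a live system the input would come from the `zfs get -H ...` command in the comment instead of `sample_rows`, run before the old pool is exported.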

Setting the mount points

Next, tell the new zpool where to mount stuff, based on what I saved above.

[13:20 x8dtu dvl-alt ~] % sudo zfs set canmount=noauto data/freshports/nginx01/var/db/freshports/cache
[13:20 x8dtu dvl-alt ~] % sudo zfs set mountpoint=/home/rsyncer/backups data/backups/rsyncer/backups
[13:21 x8dtu dvl-alt ~] % sudo zfs set mountpoint=/jails/ingress01/var/db/freshports data/freshports/ingress01/var/db/freshports
[13:23 x8dtu dvl-alt ~] % sudo zfs set mountpoint=/jails/ingress01/var/db/ingress data/freshports/ingress01/var/db/ingress      
[13:23 x8dtu dvl-alt ~] % sudo zfs set mountpoint=/usr/home data/home                                                     
[13:24 x8dtu dvl-alt ~] % sudo zfs set mountpoint=/jails data/jails
[13:24 x8dtu dvl-alt ~] % sudo zfs set mountpoint=/mkjail data/mkjail

Some of the datasets are jailed, which means the mount point is relative to the jail into which they are jailed. I'll have to deal with those later I think. I am sure that /jails/ingress01 will be taken care of by these jail.conf directives:

    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache";

# These may no longer be required
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/categories";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/commits";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/daily";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/general";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/news";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/packages";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/pages";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/ports";
    exec.created+="zfs set jailed=on main_tank/freshports/jailed/nginx01/var/db/freshports/cache/spooling";

    exec.created+="zfs jail $name    main_tank/freshports/jailed/nginx01/var/db/freshports/cache";

NOTE: I have modified the above to refer to data, not main_tank.

Starting the first jail

Here's the first jail starting, and I've logged back in as my regular user here, because /home is mounted.

[9:33 pro05 dvl ~] % x8dtu            
Last login: Sun Jul 13 13:01:36 2025 from 172.56.221.92
[13:33 x8dtu dvl ~] % sudo service jail onestart ingress01
Starting jails: ingress01.

and this looks right:

[13:34 x8dtu dvl-alt ~] % zfs get -r -t filesystem mountpoint data/freshports/ingress01
NAME                                                        PROPERTY    VALUE                                              SOURCE
data/freshports/ingress01                                   mountpoint  none                                               inherited from data
data/freshports/ingress01/var                               mountpoint  none                                               inherited from data
data/freshports/ingress01/var/db                            mountpoint  none                                               inherited from data
data/freshports/ingress01/var/db/freshports                 mountpoint  /jails/ingress01/var/db/freshports                 local
data/freshports/ingress01/var/db/freshports/cache           mountpoint  /jails/ingress01/var/db/freshports/cache           inherited from data/freshports/ingress01/var/db/freshports
data/freshports/ingress01/var/db/freshports/cache/html      mountpoint  /jails/ingress01/var/db/freshports/cache/html      inherited from data/freshports/ingress01/var/db/freshports
data/freshports/ingress01/var/db/freshports/cache/spooling  mountpoint  /jails/ingress01/var/db/freshports/cache/spooling  inherited from data/freshports/ingress01/var/db/freshports
data/freshports/ingress01/var/db/freshports/message-queues  mountpoint  /jails/ingress01/var/db/freshports/message-queues  inherited from data/freshports/ingress01/var/db/freshports
data/freshports/ingress01/var/db/freshports/repos           mountpoint  /jails/ingress01/var/db/freshports/repos           inherited from data/freshports/ingress01/var/db/freshports
data/freshports/ingress01/var/db/ingress                    mountpoint  /jails/ingress01/var/db/ingress                    local
data/freshports/ingress01/var/db/ingress/message-queues     mountpoint  /jails/ingress01/var/db/ingress/message-queues     inherited from data/freshports/ingress01/var/db/ingress
data/freshports/ingress01/var/db/ingress/repos              mountpoint  /jails/ingress01/var/db/ingress/repos              inherited from data/freshports/ingress01/var/db/ingress
[13:34 x8dtu dvl-alt ~] % 

But this does not:

[13:34 x8dtu dvl-alt ~] % zfs list -r data/freshports/jailed/ingress01
NAME                                                   USED  AVAIL  REFER  MOUNTPOINT
data/freshports/jailed/ingress01                       208G  2.36T    96K  none
data/freshports/jailed/ingress01/jails                 206G  2.36T   120K  none
data/freshports/jailed/ingress01/jails/freshports      206G  2.36T   203G  none
data/freshports/jailed/ingress01/mkjail               1.73G  2.36T   909M  none
data/freshports/jailed/ingress01/mkjail/14.1-RELEASE   861M  2.36T   861M  none

I stopped the jail. I added these entries to jail.conf:

    exec.created+="zfs set jailed=on data/freshports/jailed/ingress01/jails";
    exec.created+="zfs jail $name    data/freshports/jailed/ingress01/jails";

I started the jail and issued these commands, which I wish I could do automatically. One day.

[13:40 x8dtu dvl ~] % sudo jexec ingress01 zfs set mountpoint=/jails data/freshports/jailed/ingress01/jails
[13:40 x8dtu dvl ~] % sudo jexec ingress01 zfs set mountpoint=/var/db/mkjail data/freshports/jailed/ingress01/mkjail


[13:40 x8dtu dvl-alt ~] % zfs list -r data/freshports/jailed/ingress01
NAME                                                   USED  AVAIL  REFER  MOUNTPOINT
data/freshports/jailed/ingress01                       208G  2.36T    96K  none
data/freshports/jailed/ingress01/jails                 206G  2.36T   120K  /jails
data/freshports/jailed/ingress01/jails/freshports      206G  2.36T   203G  /jails/freshports
data/freshports/jailed/ingress01/mkjail               1.73G  2.36T   909M  /var/db/mkjail
data/freshports/jailed/ingress01/mkjail/14.1-RELEASE   861M  2.36T   861M  /var/db/mkjail/14.1-RELEASE

Got database?

Note that pg01 got started automatically because:

[13:40 x8dtu dvl ~] % jls                                                                                  
   JID  IP Address      Hostname                      Path
     9  127.163.54.32   x8dtu-pg01.vpn.unixathome.org /jails/pg01
    12  127.163.0.10    x8dtu-ingress01.vpn.unixathom /jails/ingress01

[13:43 x8dtu dvl ~] % grep pg01 /etc/jail.conf
    depend = pg01;
    depend = pg01;
pg01 {

That is, two jails depend upon pg01. It gets started before they get started.

But that does not mean the jail is working.

[13:44 x8dtu dvl-alt ~] % zfs get canmount,mounted zroot/freshports/pg01/postgres
NAME                            PROPERTY  VALUE     SOURCE
zroot/freshports/pg01/postgres  canmount  on        default
zroot/freshports/pg01/postgres  mounted   no        -

[13:44 x8dtu dvl-alt ~] % sudo zfs mount zroot/freshports/pg01/postgres

That allowed PostgreSQL to start up.

Starting the webserver

[13:46 x8dtu dvl ~] % sudo service jail onestart nginx01                                                   
Starting jails: cannot start jail  "nginx01": 
mount_nullfs: /jails/ingress01/var/db/freshports/cache/html: No such file or directory
jail: nginx01: /sbin/mount -t nullfs -o ro,nosuid,noexec /jails/ingress01/var/db/freshports/cache/html /jails/nginx01/var/db/freshports/cache/html: failed
.

[13:49 x8dtu dvl ~] % mount | grep /jails/ingress01/var/db/freshports/cache
data/freshports/ingress01/var/db/freshports/cache on /jails/ingress01/var/db/freshports/cache (zfs, local, nfsv4acls)
data/freshports/ingress01/var/db/freshports/cache/html on /jails/ingress01/var/db/freshports/cache/html (zfs, local, nfsv4acls)
data/freshports/ingress01/var/db/freshports/cache/spooling on /jails/ingress01/var/db/freshports/cache/spooling (zfs, local, nfsv4acls)
[13:49 x8dtu dvl ~] % sudo umount data/freshports/ingress01/var/db/freshports/cache/html
[13:50 x8dtu dvl ~] % sudo umount data/freshports/ingress01/var/db/freshports/cache/spooling
[13:50 x8dtu dvl ~] % ls -l /jails/ingress01/var/db/freshports/cache             
total 0
[13:50 x8dtu dvl ~] % sudo zfs mount data/freshports/ingress01/var/db/freshports/cache/html
[13:50 x8dtu dvl ~] % ls -l /jails/ingress01/var/db/freshports/cache                   
total 9
drwxrwxr-x  2 10001 10001 10 2025.07.13 12:33 html/

[13:50 x8dtu dvl ~] % sudo zfs mount data/freshports/ingress01/var/db/freshports/cache/spooling
[13:51 x8dtu dvl ~] % 


[13:51 x8dtu dvl ~] % ls -l /jails/ingress01/var/db/freshports/cache                       
total 9
drwxrwxr-x  2 10001 10001 10 2025.07.13 12:33 html/
drwxr-xr-x  2 10001 10001  2 2025.07.01 00:00 spooling/


[13:52 x8dtu dvl ~] % sudo service jail onestart nginx01            
Starting jails: nginx01.
[13:52 x8dtu dvl ~] % 

I don't know how that happened, but it did.

That got the webserver going. Good so far.

Starting the other jails

Let's try starting the other jails.

[13:54 x8dtu dvl ~] % sudo service jail onestart           
Starting jails: pg01 ingress01 nginx01 svn perl540.
[13:54 x8dtu dvl ~] % jls
   JID  IP Address      Hostname                      Path
     9  127.163.54.32   x8dtu-pg01.vpn.unixathome.org /jails/pg01
    12  127.163.0.10    x8dtu-ingress01.vpn.unixathom /jails/ingress01
    13  127.163.0.80    x8dtu-nginx01.vpn.unixathome. /jails/nginx01
    14  127.163.0.253   svn.freshports.org            /jails/svn
    15  162.208.116.124 perl540                       /jails/perl540
[13:54 x8dtu dvl ~] % sudo service jail enable
jail enabled in /etc/rc.conf
[13:54 x8dtu dvl ~] % 

Starting up the ingress service

After running this in the ingress jail:

[14:05 x8dtu-ingress01 dvl ~] % sudo service ingress start 
Starting ingress.
[14:05 x8dtu-ingress01 dvl ~] % sudo service ingress stop 
Stopping ingress.
Waiting for PIDS: 51965.

I saw these errors:

*** /var/log/freshports//git.log ***
2025.07.13 14:05:36 git-delta.sh has started. Will check these repos: 'doc ports src'
2025.07.13 14:05:36 git-delta.sh XML dir is /var/db/ingress/message-queues/incoming
2025.07.13 14:05:36 git-delta.sh Now processing repo: doc ---------------
2025.07.13 14:05:36 git-delta.sh FATAL error, REPODIR='/var/db/ingress/repos/doc' is not a directory
2025.07.13 14:05:36 git-delta.sh Now processing repo: ports ---------------
2025.07.13 14:05:36 git-delta.sh FATAL error, REPODIR='/var/db/ingress/repos/ports' is not a directory
2025.07.13 14:05:36 git-delta.sh Now processing repo: src ---------------
2025.07.13 14:05:36 git-delta.sh FATAL error, REPODIR='/var/db/ingress/repos/src' is not a directory
2025.07.13 14:05:36 git-delta.sh Ending

This is another case of mounted, but not seen. A umount and mount on the jail host fixes that.

[14:08 x8dtu dvl-alt ~] % zfs get mounted data/freshports/ingress01/var/db/ingress/repos
NAME                                            PROPERTY  VALUE    SOURCE
data/freshports/ingress01/var/db/ingress/repos  mounted   yes      -
[14:08 x8dtu dvl-alt ~] % ls -l /jails/ingress01/var/db/ingress/repos
total 0
[14:09 x8dtu dvl-alt ~] % sudo zfs umount data/freshports/ingress01/var/db/ingress/repos
[14:09 x8dtu dvl-alt ~] % sudo zfs mount data/freshports/ingress01/var/db/ingress/repos 
[14:09 x8dtu dvl-alt ~] % ls -l /jails/ingress01/var/db/ingress/repos                   
total 26
drwxr-xr-x   7 10002 10002 11 2021.09.17 21:47 doc/
drwxr-xr-x  70 10002 10002 81 2021.09.17 21:52 ports/
drwxr-xr-x  27 10002 10002 44 2021.09.17 21:47 src/
[14:09 x8dtu dvl-alt ~] % 

This time, the commits-to-process start coming in:

*** /var/log/freshports//git.log ***
2025.07.13 14:11:04 git-delta.sh has started. Will check these repos: 'doc ports src'
2025.07.13 14:11:04 git-delta.sh XML dir is /var/db/ingress/message-queues/incoming
2025.07.13 14:11:04 git-delta.sh Now processing repo: doc ---------------
2025.07.13 14:11:04 git-delta.sh REPODIR='/var/db/ingress/repos/doc' exists
2025.07.13 14:11:04 git-delta.sh Repodir is /var/db/ingress/repos/doc
2025.07.13 14:11:04 git-delta.sh Running: /usr/local/bin/git fetch:
From https://git.FreeBSD.org/doc
   0059394b06..ba183da7db  main       -> origin/main
2025.07.13 14:11:07 git-delta.sh fetch completed.
origin/HEAD skipping
origin/main processing ****
2025.07.13 14:11:07 git-delta.sh working on 'origin/main'
2025.07.13 14:11:07 git-delta.sh Is freshports/origin/main defined on the repo 'doc'?
2025.07.13 14:11:07 git-delta.sh running: /usr/local/bin/git rev-parse -q --verify freshports/origin/main^{}
0059394b06f45ec3ffdf302c3dea0bb8fefa9094
2025.07.13 14:11:07 git-delta.sh the latest commit we have for freshports/origin/main is:
0059394b06f45ec3ffdf302c3dea0bb8fefa9094
2025.07.13 14:11:07 git-delta.sh Running: /usr/local/bin/git rev-list freshports/origin/main..origin/main
2025.07.13 14:11:07 git-delta.sh Done.
2025.07.13 14:11:07 git-delta.sh The commits found are:
2025.07.13 14:11:07 git-delta.sh ba183da7dbc9ed31393e4e0cf9c49ba937716882
2025.07.13 14:11:07 git-delta.sh c557f6f251023465dba4e62a22acafb8a3d022c2
2025.07.13 14:11:07 git-delta.sh adf12d59665b0de71b129cd26a22e7199d70fabf
2025.07.13 14:11:07 git-delta.sh 62bbcdec39ad7a8aab212dbb216fcff662e7eed3
2025.07.13 14:11:07 git-delta.sh c594cfc979f3704d11d846b0570b68a8f5f549ea
2025.07.13 14:11:07 git-delta.sh 0069602e6d511177be4cf9836fae1b06501b07bc
...

Now we have 167 commits to process:

[14:11 x8dtu-ingress01 dvl ~] % ls ~ingress/message-queues/incoming | wc -l
     167

Edit: by the time I'd finished typing the next section, there were a few more waiting:

[14:19 x8dtu-ingress01 dvl ~] % ls ~ingress/message-queues/incoming | wc -l
    1717

Starting up the freshports service

Attempting to learn by past events, I checked this out first. Let's see if the required directories are correctly mounted:

[14:17 x8dtu dvl-alt ~] % zfs list -r data/freshports/ingress01/var/db/freshports      
NAME                                                         USED  AVAIL  REFER  MOUNTPOINT
data/freshports/ingress01/var/db/freshports                 12.5G  2.36T   112K  /jails/ingress01/var/db/freshports
data/freshports/ingress01/var/db/freshports/cache           14.0M  2.36T    96K  /jails/ingress01/var/db/freshports/cache
data/freshports/ingress01/var/db/freshports/cache/html      13.6M  2.36T   192K  /jails/ingress01/var/db/freshports/cache/html
data/freshports/ingress01/var/db/freshports/cache/spooling   160K  2.36T    96K  /jails/ingress01/var/db/freshports/cache/spooling
data/freshports/ingress01/var/db/freshports/message-queues  12.5G  2.36T  12.5G  /jails/ingress01/var/db/freshports/message-queues
data/freshports/ingress01/var/db/freshports/repos            152K  2.36T    96K  /jails/ingress01/var/db/freshports/repos
[14:17 x8dtu dvl-alt ~] % ls -l /jails/ingress01/var/db/freshports/message-queues
total 0

[14:17 x8dtu dvl-alt ~] % ls -l /jails/ingress01/var/db/freshports/repos
total 0
[14:17 x8dtu dvl-alt ~] % 

[14:17 x8dtu dvl-alt ~] % sudo zfs umount data/freshports/ingress01/var/db/freshports/message-queues
[14:17 x8dtu dvl-alt ~] % sudo zfs mount data/freshports/ingress01/var/db/freshports/message-queues
[14:18 x8dtu dvl-alt ~] % ls -l /jails/ingress01/var/db/freshports/message-queues
total 2531
drwxr-xr-x  9 10001 10001  20 2025.06.02 03:01 archive/
drwxrwxr-x  2 10001 10001   2 2022.04.08 16:29 incoming/
drwxrwxr-x  4 10001 10001 714 2025.06.30 23:27 recent/
drwxr-xr-x  2 10001 10001   2 2022.04.08 16:27 retry/
drwxrwxr-x  2 10001 10001   2 2025.06.30 23:27 spooling/
[14:18 x8dtu dvl-alt ~] % sudo zfs umount data/freshports/ingress01/var/db/freshports/repos
[14:18 x8dtu dvl-alt ~] % sudo zfs mount data/freshports/ingress01/var/db/freshports/repos 
[14:18 x8dtu dvl-alt ~] % ls -l /jails/ingress01/var/db/freshports/repos
total 0
[14:18 x8dtu dvl-alt ~] % 

The message-queues directory is vital. Let me check repos on another working host.

This is my dev jail:

[14:19 dev-ingress01 dvl /var/db/freshports] % ls -l
total 19
drwxr-xr-x   4 www        freshports  4 2020.06.25 11:57 cache/
drwxrwxr-x   7 freshports freshports  7 2024.02.10 01:09 message-queues/
drwxr-xr-x  41 freshports freshports 41 2024.04.10 11:45 packagesite/
drwxr-xr-x   2 freshports freshports  2 2025.07.13 14:00 signals/
drwxrwxr-x   2 freshports freshports  2 2021.02.28 17:16 tmp/

This is the jail I'm working on:

[14:16 x8dtu-ingress01 dvl ~] % ls -l /var/db/freshports 
total 19
drwxr-xr-x   4 root       freshports  4 2025.07.13 13:51 cache/
drwxrwxr-x   7 freshports freshports  7 2022.09.30 16:41 message-queues/
drwxr-xr-x  36 freshports freshports 36 2024.04.10 11:45 packagesite/
drwxr-xr-x   2 root       wheel       2 2021.09.12 14:49 repos/
drwxr-xr-x   2 freshports freshports  2 2025.07.13 14:00 signals/
drwxrwxr-x   2 freshports freshports  2 2021.09.12 15:49 tmp/

I think we can do without the repos directory. I think that is no longer used.

Let's start things up and watch.

[14:22 x8dtu-ingress01 dvl ~] % sudo service freshports start
Cannot 'start' freshports. Set freshports_enable to YES in /etc/rc.conf or use 'onestart' instead of 'start'.
[14:22 x8dtu-ingress01 dvl ~] % sudo service freshports enable
freshports enabled in /etc/rc.conf
[14:22 x8dtu-ingress01 dvl ~] % sudo service freshports start 
Starting freshports.
[14:22 x8dtu-ingress01 dvl ~] % sudo service freshports stop 
Stopping freshports.

As you can see, I stopped it fairly soon. Because.. errors:

Jul 13 14:22:22 x8dtu-ingress01 freshports[60644]: removing /var/db/ingress/message-queues/incoming/2025.06.28.01.55.59.000002.5d0cf80f4501fb297bc546b624a0e527040a1843.xml
Jul 13 14:22:22 x8dtu-ingress01 freshports[60644]: rm: /var/db/ingress/message-queues/incoming/2025.06.28.01.55.59.000002.5d0cf80f4501fb297bc546b624a0e527040a1843.xml: Permission denied
Jul 13 14:22:22 x8dtu-ingress01 freshports[60644]: removal completed

Checking permissions, the freshports user wasn't permitted to remove stuff. Here's where I fixed that:

[14:23 x8dtu-ingress01 dvl ~] % ls -l /var/db/ingress/message-queues
total 450
drwxrwxr-x  2 ingress ingress    2 2025.07.13 14:05 holding/
drwxrwxr-x  2 ingress ingress 1719 2025.07.13 14:15 incoming/
drwxrwxr-x  2 ingress ingress    2 2025.07.13 14:15 spooling/
[14:23 x8dtu-ingress01 dvl ~] % sudo chgrp -R freshports /var/db/ingress/message-queues/incoming 
[14:24 x8dtu-ingress01 dvl ~] % sudo chgrp -R freshports /var/db/ingress/message-queues/spooling
[14:24 x8dtu-ingress01 dvl ~] % ls -l /var/db/ingress/message-queues                            
total 450
drwxrwxr-x  2 ingress ingress       2 2025.07.13 14:05 holding/
drwxrwxr-x  2 ingress freshports 1719 2025.07.13 14:15 incoming/
drwxrwxr-x  2 ingress freshports    2 2025.07.13 14:15 spooling/
[14:24 x8dtu-ingress01 dvl ~] % 

That was based on a working example:

[14:23 dev-ingress01 dvl /var/db/freshports] % ls -l /var/db/ingress/message-queues         
total 1542
drwxrwxr-x  2 ingress    ingress      2 2021.08.08 18:49 holding/
drwxrwxr-x  2 ingress    freshports   2 2025.07.13 13:15 incoming/
drwxrwxr-x  2 ingress    freshports   2 2025.07.13 13:15 spooling/

I started again. I saw many of these:

Jul 13 14:29:13 x8dtu-ingress01 FreshPorts[65322]: message f2d1a3d5172e459af42ebbdfc23ca1254d9a94d3 has already been added to the database (/usr/local/libexec/freshports) 
Jul 13 14:29:13 x8dtu-ingress01 FreshPorts[65336]: message e5716cebd1f60c16dda6eb3a5bca9eeb1f78b6de has already been added to the database (/usr/local/libexec/freshports) 
Jul 13 14:29:13 x8dtu-ingress01 FreshPorts[65349]: message 066925f6e1e7f78bbe3e6f142469be00afb51616 has already been added to the database (/usr/local/libexec/freshports) 
Jul 13 14:29:14 x8dtu-ingress01 FreshPorts[65362]: message da81bddb46f32bddaeea82f30f2f327bd8fc83c7 has already been added to the database (/usr/local/libexec/freshports) 

I think that's a replication issue. All those 'no snapshots matching' messages? My replication is missing data. I'm ok with that. I'll explain why. FreshPorts stores all the important data in the database. That database is not part of this zpool (data). It's all in the zroot zpool. The data within the data zpool is copies of the FreeBSD repos, caching information, etc. FreshPorts stores the last commit it processed in the local copy of the repo. That's why the ingress service pulled out so many already-processed commits.

Commits caught up

The commits are all caught up now. There was a problem with the jail in ingress01 not starting up (because the jails service was not enabled). I had to delete some processed commits and rerun them.

Now things seem OK.

What's next?

I still have to delete the main_tank zpool, redo the partitions on that drive, then add that drive into the data zpool to create a mirror.

NOTE: by delete, that's not actually an action I will take. I'll wipe the zpool labels and add it in.

2025-07-14 : Other items which needed updates

Other items which needed updates: a backup script.

[12:02 x8dtu dvl ~] % grep main_tank /usr/local/sbin/jail-snapshots-for-backup.sh
ZFSJAILROOTS="main_tank/jails"
    # the snapshot name is of the form: main_tank/iocage/jails/fedex@snapshot-for-backup

Oh that iocage reference in the comment is memory inducing.

The fix:

[12:03 x8dtu dvl ~] % grep ZFSJAILROOTS /usr/local/sbin/jail-snapshots-for-backup.sh
ZFSJAILROOTS="data/jails"
for ZFSJAILROOT in $ZFSJAILROOTS

The backups should run fine tonight.
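
The check the post does by eye (zfs get mounted says yes, ls shows total 0), as an added shell example that is not part of the original post. The function names and the 128K threshold are assumptions; the script only prints the umount/mount pair for review and never runs it.

```shell
#!/bin/sh
# Added example, not from the original post. Flags ZFS datasets that report
# mounted=yes while their mountpoint directory shows no entries: the
# "mounted, but not seen" symptom from the log above.

# Assumption: a dataset with no files refers to roughly 96K (as in the
# zfs list output above), so a dataset referencing more than this many
# bytes should show at least one entry under its mountpoint.
EMPTY_REFER_BYTES=${EMPTY_REFER_BYTES:-131072}

# dir_is_empty DIR: succeeds when DIR exists and has no entries at all.
dir_is_empty() {
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1" 2>/dev/null)" ]
}

# find_unseen: reads tab-separated "name mounted mountpoint referenced"
# lines on stdin, the format produced by
#   zfs list -Hp -o name,mounted,mountpoint,referenced -r POOL
# and prints the name of every suspect dataset, one per line.
find_unseen() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name mounted mountpoint referenced; do
        # Only datasets that ZFS itself believes are mounted.
        [ "$mounted" = "yes" ] || continue
        # Skip mountpoint values such as none, legacy or "-".
        case "$mountpoint" in
            /*) ;;
            *) continue ;;
        esac
        # Skip rows whose size is not a plain byte count.
        case "$referenced" in
            ''|*[!0-9]*) continue ;;
        esac
        # Datasets that really are empty (like repos above) are fine.
        [ "$referenced" -gt "$EMPTY_REFER_BYTES" ] || continue
        if dir_is_empty "$mountpoint"; then
            printf '%s\n' "$name"
        fi
    done
}

# print_fix: turns dataset names on stdin into the umount/mount pair the
# post ran by hand. It prints only, so the operator decides what to run.
print_fix() {
    while IFS= read -r ds; do
        [ -n "$ds" ] || continue
        printf 'zfs umount "%s"\nzfs mount "%s"\n' "$ds" "$ds"
    done
}

# Run on the jail host as: sh thisfile --scan data
if [ "${1:-}" = "--scan" ] && [ -n "${2:-}" ]; then
    zfs list -Hp -o name,mounted,mountpoint,referenced -r "$2" \
        | find_unseen | print_fix
fi
```

Run it before starting jails or services, so nothing writes into the empty directory underneath a dataset that is not actually visible.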


Back Then at Radio21 – When the Station Plays Itself on Endless Repeat

Post by Bernd Dau via Zockertown: Nerten News »

While browsing through my old wiki I stumbled upon a wonderful anecdote that I don't want to keep from you. It takes place sometime around 2004, when I got so wonderfully worked up about the local rock station Radio21 that I promptly wrote an e-mail to their editorial team.

The reason? Heavy rotation ad nauseam.

You got the feeling the station had only 30 MB of disk space and played exactly ten songs in an endless loop. At some point I could no longer stand listening even to my favourite song, "Whiskey in the Jar" by Thin Lizzy.

Here is an excerpt from my e-mail at the time:

"Are you currently running a field trial on the topic 'How long does it take until the last loyal listener switches the station off because of constant title rotation?'"

And:

"I used to enjoy listening especially to Rock aus der Region from 19:00 onwards. Today it is unbearable."

Of course I didn't spare the morning presenter either:

"That weather strumming alone, that the guy isn't ashamed of himself... When is that what's-his-name's three-month probation period over?"

Radio21's answer?
Friendly, of course, but 100% predictable and straight out of the boilerplate-text generator:

"That certain songs are repeated more often [...] has nothing to do with laziness and certainly nothing to do with chance. [...] The typical radio listener only listens for 15-20 minutes."

The funniest part: at the same time my colleague had also sent an almost identically worded complaint, and of course received exactly the same answer.


What do we learn from this?

  1. Stations love rotation.

  2. Boilerplate text is the enemy of real communication.

  3. Sometimes you just have to let off steam.

Today, 20 years later, I haven't listened to Radio21 for a long time. Instead there's streaming, playlists and DAB+, and the freedom that no station tells me what I have to listen to and when.

And you know what? I don't miss it one bit.


Note: This article was created with the kind assistance of ChatGPT. The original texts are from 2004.


x8dtu: adding in the smaller drive

Post by Dan Langille via Dan Langille's Other Diary »

I was up at 5:30 AM today. I packed the car and headed out. I arrived within the datacenter at about 8:15 or so. By 8:50, I was on IRC and the photos of the FreeBSD racks were uploading. Since I was going there anyway, I did some inventory and disposal work (a decommissioned server, about 25 old HDD, and various bits and pieces).

I must say though, I’m not liking this option. Right now, I have two copies of my data, one in each of the zpools you’ll see listed later. Soon, I’ll destroy one of them, partition the larger drive to match the smaller drive, and add that larger drive to the smaller zpool. Destroying data causes me to go all heebie-jeebie.

Out with the old

Removing dead drive:

Jul 12 13:11:06 x8dtu kernel: ada3 at ahcich3 bus 0 scbus3 target 0 lun 0
Jul 12 13:11:06 x8dtu kernel: ada3:  s/n 44E1K00IFK7A detached
Jul 12 13:11:06 x8dtu kernel: (ada3:ahcich3:0:0:0): Periph destroyed

In with the new

Adding in the smaller replacement drive:

Jul 12 13:18:56 x8dtu kernel: ada3 at ahcich3 bus 0 scbus3 target 0 lun 0
Jul 12 13:18:56 x8dtu kernel: ada3:  ATA8-ACS SATA 3.x device
Jul 12 13:18:56 x8dtu kernel: ada3: Serial Number 382AK6KIFJKA
Jul 12 13:18:56 x8dtu kernel: ada3: 300.000MB/s transfers (SATA 2.x, UDMA5, PIO 8192bytes)
Jul 12 13:18:56 x8dtu kernel: ada3: Command Queueing enabled
Jul 12 13:18:56 x8dtu kernel: ada3: 3815447MB (7814037168 512 byte sectors)
Jul 12 13:18:56 x8dtu kernel: ses0: ada3,pass3 in 'Slot 03', SATA Slot: scbus3 target 0

Import

The import:

[13:21 x8dtu dvl ~] % zpool list
NAME        SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
main_tank  4.53T  1.26T  3.27T        -         -    26%    27%  1.00x  DEGRADED  -
zroot       212G  56.1G   156G        -         -    50%    26%  1.00x    ONLINE  -
[13:22 x8dtu dvl ~] % zpool import data
cannot import 'data': no such pool available
[13:22 x8dtu dvl ~] % sudo zpool import data
[13:23 x8dtu dvl ~] % zpool list
NAME        SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
data       3.62T  1.01T  2.62T        -         -     0%    27%  1.00x    ONLINE  -
main_tank  4.53T  1.26T  3.27T        -         -    26%    27%  1.00x  DEGRADED  -
zroot       212G  56.1G   156G        -         -    50%    26%  1.00x    ONLINE  -
[13:24 x8dtu dvl ~] % 

That produced these lines in /var/log/messages:

Jul 12 13:23:47 x8dtu kernel: vdev_geom_open_by_path:799[1]: Found provider by name /dev/gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from gpt/SLOT_3_TO_382AK6KIFJKA...
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_attach_ok:696[1]: guids match for provider gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_close_locked:352[1]: Closing access to gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_open_by_path:799[1]: Found provider by name /dev/gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from gpt/SLOT_3_TO_382AK6KIFJKA...
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_attach_ok:696[1]: guids match for provider gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_close_locked:352[1]: Closing access to gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_open_by_path:799[1]: Found provider by name /dev/gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from gpt/SLOT_3_TO_382AK6KIFJKA...
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_attach_ok:696[1]: guids match for provider gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_close_locked:352[1]: Closing access to gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_open_by_path:799[1]: Found provider by name /dev/gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from gpt/SLOT_3_TO_382AK6KIFJKA...
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_attach_ok:696[1]: guids match for provider gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to gpt/SLOT_3_TO_382AK6KIFJKA.
Jul 12 13:23:47 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for gpt/SLOT_3_TO_382AK6KIFJKA.

More sync

I did this:

[13:52 x8dtu dvl ~] % sudo syncoid --no-privilege-elevation -r  --compress=lzo --quiet main_tank data                 

CRITICAL ERROR: Target data exists but has no snapshots matching with main_tank!
                Replication to target would require destroying existing
                target. Cowardly refusing to destroy your existing target.


[0] 0:sudo*                                                      "x8dtu.example.org" 13:52 12-Jul-25

I got a lot of that…

The existing

This is the old zpool:


[19:54 x8dtu dvl ~] % zpool list main_tank
NAME        SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
main_tank  4.53T  1.26T  3.27T        -         -    26%    27%  1.00x  DEGRADED  -

Its filesystems:

ckages
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/pages         96K  3.15T    96K  /var/db/freshports/cache/pages
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/ports        994M  3.15T   971M  /var/db/freshports/cache/ports
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/spooling     352K  3.15T   120K  /var/db/freshports/cache/spooling
main_tank/freshports/nginx01                                             480K  3.15T    96K  none
main_tank/freshports/nginx01/var                                         384K  3.15T    96K  none
main_tank/freshports/nginx01/var/db                                      288K  3.15T    96K  none
main_tank/freshports/nginx01/var/db/freshports                           192K  3.15T    96K  none
main_tank/freshports/nginx01/var/db/freshports/cache                      96K  3.15T    96K  none
main_tank/home                                                           266G  3.15T  86.0G  /usr/home
main_tank/jails                                                         59.1G  3.15T   112K  /jails
main_tank/jails/ingress01                                               14.2G  3.15T  3.62G  /jails/ingress01
main_tank/jails/nginx01                                                 9.17G  3.15T  2.12G  /jails/nginx01
main_tank/jails/perl540                                                 6.81G  3.15T  4.49G  /jails/perl540
main_tank/jails/pg01                                                    23.3G  3.15T  7.49G  /jails/pg01
main_tank/jails/svn                                                     5.61G  3.15T  4.03G  /jails/svn
main_tank/mkjail                                                        1.68G  3.15T    96K  /mkjail
main_tank/mkjail/14.1-RELEASE                                            862M  3.15T   862M  /mkjail/14.1-RELEASE
main_tank/mkjail/14.2-RELEASE                                            862M  3.15T   862M  /mkjail/14.2-RELEASE

The replacement zpool

This is what will replace it:

NAME   SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
data  3.62T  1.08T  2.54T        -         -     0%    29%  1.00x    ONLINE  -

And the replicated filesystems:

var/db/freshports/cache/pages
data/freshports/jailed/nginx01/var/db/freshports/cache/ports        983M  2.43T   964M  /data/freshports/jailed/nginx01/var/db/freshports/cache/ports
data/freshports/jailed/nginx01/var/db/freshports/cache/spooling     272K  2.43T   120K  /data/freshports/jailed/nginx01/var/db/freshports/cache/spooling
data/freshports/nginx01                                             736K  2.43T    96K  /data/freshports/nginx01
data/freshports/nginx01/var                                         576K  2.43T    96K  /data/freshports/nginx01/var
data/freshports/nginx01/var/db                                      416K  2.43T    96K  /data/freshports/nginx01/var/db
data/freshports/nginx01/var/db/freshports                           256K  2.43T    96K  /data/freshports/nginx01/var/db/freshports
data/freshports/nginx01/var/db/freshports/cache                      96K  2.43T    96K  /data/freshports/nginx01/var/db/freshports/cache
data/home                                                          86.0G  2.43T  86.0G  /data/home
data/jails                                                         59.3G  2.43T   112K  /data/jails
data/jails/ingress01                                               14.3G  2.43T  3.62G  /data/jails/ingress01
data/jails/nginx01                                                 9.19G  2.43T  2.12G  /data/jails/nginx01
data/jails/perl540                                                 6.81G  2.43T  4.49G  /data/jails/perl540
data/jails/pg01                                                    23.3G  2.43T  7.48G  /data/jails/pg01
data/jails/svn                                                     5.61G  2.43T  4.03G  /data/jails/svn
data/mkjail                                                        1.68G  2.43T    96K  /data/mkjail
data/mkjail/14.1-RELEASE                                            862M  2.43T   862M  /data/mkjail/14.1-RELEASE
data/mkjail/14.2-RELEASE                                            862M  2.43T   862M  /data/mkjail/14.2-RELEASE

What’s next? Next, I have to export the old zpool (to take it offline), then adjust all the mountpoints for the new zpool, then run some tests and see if I got everything right.

I should do that as soon as I can. Now is not that time.


Valuable News – 2025/07/07

Post by Vermaden via 𝚟𝚎𝚛𝚖𝚊𝚍𝚎𝚗 »

The Valuable News weekly series is dedicated to providing a summary of news, articles and other interesting stuff, mostly but not always related to UNIX/BSD/Linux systems. Whenever I stumble upon something worth mentioning on the Internet I just put it here.

Today the amount of information that we get using various information streams is at massive overload. Thus one needs to focus only on what is important without the need to grep(1) the Internet every day. Hence the idea of providing such information ‘bulk’ as I already do that grep(1).

The Usual Suspects section at the end is permanent and has links to other sites with interesting UNIX/BSD/Linux news.

Past releases are available at the dedicated NEWS page.

UNIX

FreeBSD nsysctl 2.2 Tool is Out.
https://alfonsosiciliano.gitlab.io/posts/2025-06-28-nsysctl-2-2.html

Building Custom Base FreeBSD OCI Container Image.
https://people.freebsd.org/~dch/posts/2025-06-10-oci-base

Using Podman Hooks to Mount Persistent ZFS Datasets into Ephemeral Containers on FreeBSD.
https://people.freebsd.org/~dch/posts/2025-06-27-oci-zfs/

FreeBSD Foundation – EuroBSDCon 2025 Travel Grant Application Now Open.
https://freebsdfoundation.org/blog/eurobsdcon-2025-travel-grant-application-now-open/

XQuartz X11 Server for macOS Can Now Be Built Using XLibre.
https://x.com/probonopd/status/1939785919180988860

Porting X11Libre to FreeBSD.
https://github.com/orgs/X11Libre/discussions/91#discussioncomment-13618266

FreeBSD Foundation Welcomes New Board Member: John Baldwin.
https://freebsdfoundation.org/blog/freebsd-foundation-welcomes-new-board-member-john-baldwin/

FreeBSD pkg repo Shenanigans.
https://people.freebsd.org/~dch/posts/2025-06-10-pkg-shenanigans/

Porting X11Libre to FreeBSD.
https://github.com/b-aaz/xlibre-ports

The bectl(8) Essential Guide to FreeBSD Boot Environments.
https://thedistrowriteproject.blogspot.com/2025/07/bectl-The-Essential-Guide-to-FreeBSD-Boot-Environments.html

New sudo(8) with chroot(8) Elevation of Privilege on Linux.
https://stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

Here are My Thoughts on XLibre vs Xorg Thing.
https://youtube.com/watch?v=sAjtQMVjqpw

HardenedBSD 2025/06 Status Report.
https://hardenedbsd.org/article/shawn-webb/2025-07-01/hardenedbsd-june-2025-status-report

Jekyll Publishing on FreeBSD.
https://euroquis.nl/blabla/2025/07/01/jekyll.html

Who Owns Your Virtualization Stack?
https://virtualize.sh/blog/who-owns-your-virtualization-stack/

How to Install FreeBSD at OVHCloud.
https://fossil.nours.eu/notes/doc/trunk/freebsd-at-ovhcloud.md

FreeBSD Adopting Port: Maomao.
https://evilham.com/en/blog/2025-FreeBSD-adopting-a-port-maomaowm/

How to Install FreeBSD on Providers That Do Not Support It with mfsBSD.
https://it-notes.dragas.net/2025/07/02/install_freebsd_providers_mfsbsd/

Display Colorful ASCII Art Logos with oh-my-logo in Terminal.
https://github.com/shinshin86/oh-my-logo

FreeBSD 14.3 – Laptop Computer with Intel WiFi 5 (802.11ac) Wireless-AC 9260.
https://freebsd.uw.cz/2025/06/freebsd-143-laptop-computer-with-intel.html

Setup Brother BCP-L2530DW Scanner on FreeBSD.
https://fossil.nours.eu/notes/doc/trunk/brother-scanner-on-freebsd.md

Turn Podman Containers into FreeBSD Jails.
https://fossil.nours.eu/notes/doc/trunk/podman2jail.md

How to Test and Boot FreeBSD memstick over IPXE.
https://fossil.nours.eu/notes/doc/trunk/fbsd-ipxe.md

GhostBSD 2025/02 Finance Report.
https://www.ghostbsd.org/news/February_2025_Finance_Report

Poudriere Inside FreeBSD VNET Jail.
https://vermaden.wordpress.com/2025/07/03/poudriere-inside-freebsd-vnet-jail/

OpenBSD obsdfreqd CPU Frequency Manager.
https://git.sr.ht/~solene/obsdfreqd

Nixers Newsletter – 295.
https://newsletter.nixers.net/entries.php#295

Source Code Sandboxing on OpenBSD.
https://undeadly.org/cgi?action=article;sid=20250611122242

Why I Use OPNsense over pfSense and Why I Do Not Trust Netgate at All.
https://xda-developers.com/why-use-opnsense-over-pfsense-dont-trust-netgate/

I Tried Using FreeBSD Distro as My Daily Driver in 2025.
https://xda-developers.com/i-tried-using-a-freebsd-distro-as-my-daily-driver-in-2025/

Can We Install FreeBSD on AWS in Under a Minute?
https://youtube.com/watch?v=V9-5QC6vLHY

Jailfox – Firefox in FreeBSD Jail.
https://youtube.com/watch?v=6lYaaUo25pM

FreeBSD Virtualization with vm-bhyve X11 Forwarding Using SSH.
https://youtube.com/watch?v=bR3B-Ly7GC0

How to Encrypt Your Home Directory on FreeBSD.
https://youtube.com/watch?v=ZeYOxbHRUC0

KDE Plasma 6.4 on OpenBSD.
https://marc.info/?l=openbsd-ports-cvs&m=175160799903144&w=2

Firefox 120-141 Web Browser Benchmarks Review.
https://phoronix.com/review/firefox-benchmarks-120-141

BTRFS Read/Write on FreeBSD: It is Possible and Works Well.
https://treefort.piusbird.space/blog/btrfs-freebsd/

Game of Trees Hub Now Taking Signups for Repository Hosting.
https://undeadly.org/cgi?action=article;sid=20250705080828

4096 Colours and Flashing Text on OpenBSD Console.
https://www.undeadly.org/cgi?action=article;sid=20250705081315

NFSv3 vs NFSv4 Storage on Proxmox – Latency Clash That Reveals More Than You Think.
https://gyptazy.com/nfsv3-vs-nfsv4-storage-on-proxmox-the-latency-clash-that-reveals-more-than-you-think/

How to Restore FreeBSD with ZFS Boot Environments and boot2 Loader.
https://eugene-andrienko.com/en/it/2025/07/06/freebsd-zfs-boot-environment-boot2.html

Custom Gentoo Installer with OpenRC/EFI/BIOS/ZFS/btrfs/luks/mdraid.
https://github.com/oddlama/gentoo-install

Custom Alpine Linux Installer with ZFS Support and ZFSBootMenu.
https://github.com/psy0rz/alpinebox

Hardware

Avalue EPI-ARLS EPIC SBC with LGA1851 Socket for Intel Core Ultra Arrow Lake-S CPUs.
https://cnx-software.com/2025/07/02/avalue-epi-arls-4-inch-epic-sbc-features-lga1851-socket-for-intel-core-ultra-arrow-lake-s-processors/

Turemetal UP3 Heat Sink Case with 125W Intel 265K CPU Under 80C Under Full Load.
https://fanlesstech.com/2025/07/turemetal-magic.html

Libreboot 25.06 Released with Support for 2 More Outdated Systems.
https://phoronix.com/news/Libreboot-25.06-Released

Is Intel N100 Better Value than Raspberry Pi?
https://jeffgeerling.com/blog/2025/intel-n100-better-value-raspberry-pi

NVIDIA is Full of Shit.
https://blog.sebin-nyshkim.net/posts/nvidia-is-full-of-shit/

Life

Being Too Ambitious is Clever Form of Self Sabotage.
https://maalvika.substack.com/p/being-too-ambitious-is-a-clever-form

Other

Network Provincialism and Balkanization.
https://eugene-andrienko.com/en/it/2025/05/25/internet-slow-death.html

How Doom Did Not Kill AMIGA.
https://datagubbe.se/afb/

Usual Suspects

BSD Weekly.
https://bsdweekly.com/

DiscoverBSD.
https://discoverbsd.com/

BSDSec.
https://bsdsec.net/

DragonFly BSD Digest.
https://dragonflydigest.com/

FreeBSD Patch Level Table.
https://bokut.in/freebsd-patch-level-table/

FreeBSD End of Life Date.
https://endoflife.date/freebsd

Phoronix BSD News Archives.
https://phoronix.com/linux/BSD

OpenBSD Journal.
https://undeadly.org/

Call for Testing.
https://callfortesting.org/

Call for Testing – Production Users Call.
https://youtube.com/@callfortesting/videos

BSD Now Weekly Podcast.
https://www.bsdnow.tv/

Nixers Newsletter.
https://newsletter.nixers.net/entries.php

EOF

BSDCan 2025 Trip Report – Mark Johnston

Post by FreeBSD Foundation via FreeBSD Foundation »

The FreeBSD Foundation kindly sponsored my trip to Ottawa for the BSDCan 2025 conference and FreeBSD developer summit.  We had the usual two-day developer summit on June 11th and 12th, followed by the conference proper on the 13th and 14th.  Per my usual routine, I took the train from Toronto to Ottawa to attend BSDCan, this time with the wrinkle of bringing my ARM Morello desktop along for use in Brooks Davis’ talk on CHERI and upstreaming support for it to FreeBSD. Ed Maste kindly picked it up and drove it for me, which made my trip to Ottawa much easier; on the way back I had to lug it along on the train in an oversized luggage case.  I had never tried to transport a desktop computer that way before and I was pretty relieved that it still booted up fine when I got it back home!

The first day of the developer summit consisted mostly of talks, with generous breaks in between to give folks a chance to chat and catch up, or hack on some side project.  During conferences I usually have some small project or two that I work on during breaks and in the evenings at the hacking lounge in 90U; this time it was some GDB scripts for kernel debugging, prompted by a discussion with Kristof, our esteemed pf maintainer.  At the time of writing, I have not yet finished what I wanted to get done during the conference, but I really will finish it soon!

The main highlight for the first morning was the usual core@ update, where attending FreeBSD Core Team members presented updates on various topics.  Of particular interest to me was a draft policy on the use of LLM-based programming tools in the FreeBSD project.  To summarize quite heavily, the policy will forbid the incorporation of LLM-generated code into the project, while allowing their use in the development process in other ways, e.g., to help review patches, or to help write commit messages or other content that is not explicitly licensed.  The policy comes out of a desire not to “taint” the FreeBSD project with code of dubious provenance; it is well-known that many LLM models are trained on code with licenses incompatible with the BSD license that we strive to use everywhere in the project, and thus far there is not much legal precedent to suggest that we would certainly be safe from copyright violation claims should the project decide to incorporate their output.

 

On the face of it, this seems like a reasonable policy: it tries to balance the need to preserve the integrity of the project’s licensing (a big draw for large *BSD users) with the general desire to use these new tools to aid development. While the use of LLMs for programming does feel rather overhyped these days, I do find them useful for certain types of work[*], and during the ensuing discussion I was a bit disappointed by what I perceived as a quite negative stance towards LLMs in general from the room.  Nonetheless, core@’s approach feels even-handed and in line with other large OSS projects, and I’m interested to see how the landscape develops over the next few years.  My personal view is that–licensing considerations aside–we should encourage expert developers to leverage LLMs as much as they are willing to.  Longtime OSS developers are already quite used to scrutinizing and tweaking code that we did not write ourselves, and I don’t see why that same skepticism shouldn’t be enough to gate sub-par LLM outputs.

After lunch, we had a talk by Rick Miller from Verisign on the use of FreeBSD as part of a defense-in-depth strategy for core Internet DNS infrastructure.  He presented on the general use of OS diversity as a way to improve security, and on why FreeBSD in particular is a good candidate for one of the operating systems to use as part of that strategy.  As part of such a strategy, Verisign uses both Linux and FreeBSD in similar roles within their infrastructure, and even uses different application frameworks on each OS to further reduce their reliance on a single technology stack.  In particular, while Verisign’s applications use DPDK on Linux, they can also use FreeBSD’s Netmap framework to get similar low-level access to network hardware.  Rick also described various kernel security vulnerabilities that were present in one of Linux and FreeBSD but not the other, though I would expect that a large majority of CVE-worthy kernel bugs are highly OS-specific, given that many of them are memory safety bugs.  I found it impressive that Verisign commits so fully to such a strategy and hope to see more examples of this in the future.

Following Rick’s talk, I and other members of the FreeBSD srcmgr team gave a presentation, similar to the morning’s core@ update, where we talked about what the srcmgr team has been up to and the problems we are working on solving.  Of particular note was a call for lurkers to join the team and participate in calls without being official members of srcmgr.  The aim there is to give interested developers a chance to participate in srcmgr discussions and bug/PR triage work without having to commit fully.  We had quite a few interested developers reach out, and now, several weeks later, the srcmgr biweekly calls have nine attendees instead of the usual four.

On the second day of the developer summit, I attended Brooks Davis’ talk on CHERI and the motivations for upstreaming support for it to FreeBSD.  The entire talk was given using the ARM Morello system that I had brought up from Toronto; the entire KDE desktop stack down to the PDF viewer used to render the slides ran in so-called pure capability mode, wherein all C pointers are represented using CHERI capabilities.  In this mode, many types of memory safety bugs cause the affected application to fail-closed with a deterministic crash rather than leaving it open to exploitation.  Brooks described several ongoing commercial efforts to create CHERI hardware, generally based on RISC-V, and the path to upstreaming from CheriBSD to FreeBSD.  CheriBSD contains quite a few large-scale changes, some of which are not viable upstream; hybrid mode, in which the kernel runs as a typical aarch64 binary while supporting pure-capability userspace applications, is an example of this.  The patches to enable hybrid kernels are quite invasive as they require explicit annotations for all userspace pointers as they are manipulated in the kernel.  As a part of the talk, Brooks also demoed several CHERI features, notably CheriBSD’s library-based compartmentalization (c18n).

 

I attended quite a few good talks during the main conference.  Highlights for me were:

  • ELF Nightmares, GOTs, PLTs and Relocations Oh My, by John Baldwin, wherein he gave a whirlwind tour of various data structures used by the static and runtime linkers to set up execution of ELF binaries.  Many of the topics, e.g., function call indirection through the PLT, are quite hard to grasp for the first time; in my experience, one benefits a lot by hearing such topics explained several times in several different ways–after a while, things slowly start to click.  John included a few excellent visualizations of various steps of runtime linker operation, very useful for helping these concepts sink in.
  • ABI Stability in FreeBSD, by ShengYi Hung, which described a new tool, ctfdiff, which lets one compare the CTF (Compact C Type Format) data of two files to detect differences in their type definitions and function signatures.  CTF info is derived from the rather more complex DWARF debug info format; it encodes the layout of all kernel types, as well as building an index of the types and signatures of all functions and global variables.  The idea here is that one could use it to compare kernels built before and after a change and programmatically determine whether the change is likely to have changed a binary interface used by out-of-tree kernel modules, such as those used for graphics drivers or Virtualbox.  Binary interface changes are a common source of problems for FreeBSD users, especially desktop users, and this kind of work is a good step towards improving the current state of affairs.  In particular, today, we rely on developers to manually bump a version number when breaking changes are introduced, but this is quite easy to overlook.  After the talk we had a spirited discussion on how best to employ the tool.  One suggestion that I raised was to consider comparing the CTF type graphs of kernel modules with that of the kernel that they are to be loaded into, rather than comparing successive versions of the kernel, since the latter approach will generally lead to lots of false positives, i.e., changes that are not actually relevant to the de facto kernel binary interface.
  • Improvements to FreeBSD KASAN, by Zhuo Ying Jiang Li, which analyzed several shortcomings of FreeBSD’s KASAN implementation and presented approaches to solve them.  In short, KASAN is a mechanism to detect various types of memory safety bugs in the kernel, leveraging compiler instrumentation and a small runtime component (see sys/kern/subr_asan.c in the FreeBSD source tree) to promptly catch out-of-bounds accesses and use-after-free bugs.  She noted that FreeBSD’s implementation has two main problems, both related to the integration of KASAN with UMA (the Universal Memory Allocator, the FreeBSD kernel’s slab allocator):
  1.  It doesn’t take care to insert padding between successive structures in a slab.  While KASAN will opportunistically mark pad bytes as invalid if they arise naturally, it does not change UMA’s slab layout algorithm to explicitly add “red zones” between objects in a slab.  Such red zones are important for detecting buffer overruns, as without them, KASAN cannot properly identify, say, a memory access one byte beyond the end of an object, as that address will often belong to the next object in the slab.
  2. UMA does not quarantine freed objects, which, combined with the allocator’s default LIFO allocation scheme, reduces the likelihood that KASAN will detect certain use-after-free bugs.

 Zhuo Ying then described her approach to solving these problems through modifications to UMA, and during the question period afterward we discussed some strategies to leverage existing features in UMA to solve these problems.

 I’m hopeful that these patches will be upstreamed in the near future.

Many thanks to the FreeBSD Foundation for sponsoring my trip.

[*] For better or worse, this report was written without assistance from LLMs.

– Contributed by Mark Johnston

 

The post BSDCan 2025 Trip Report – Mark Johnston first appeared on FreeBSD Foundation.
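
The two KASAN gaps summarized in the report above (no red zones between slab objects, and LIFO reuse without a quarantine) can be reproduced in a small userland model. This is an added example, not FreeBSD's UMA or KASAN code and not material from the talk; the slab size, object size, one-shadow-byte-per-data-byte map and every function name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLAB_SIZE 256   /* bytes covered by the model slab (assumed) */
#define OBJ_SIZE  24    /* constructed object size (assumed) */
#define MAX_OBJS  16
#define QUAR_LEN  4     /* freed objects held back before reuse */

enum { SH_OK = 0, SH_REDZONE = 1, SH_FREED = 2 };

/* Only the shadow state is modelled; no object data is stored. */
struct slab {
    uint8_t shadow[SLAB_SIZE];  /* one state byte per data byte */
    int stride;                 /* OBJ_SIZE plus red zone */
    int freelist[MAX_OBJS];     /* LIFO stack of free object indices */
    int nfree;
    int quar[QUAR_LEN];         /* FIFO ring of quarantined indices */
    int qhead, qcount;
    int use_quarantine;
};

static void slab_init(struct slab *s, int redzone, int use_quarantine)
{
    int nobjs, i;

    memset(s, 0, sizeof(*s));
    s->stride = OBJ_SIZE + redzone;
    s->use_quarantine = use_quarantine;
    nobjs = SLAB_SIZE / s->stride;
    if (nobjs > MAX_OBJS)
        nobjs = MAX_OBJS;
    /* Gaps between objects and tail padding stay poisoned as red zone. */
    memset(s->shadow, SH_REDZONE, sizeof(s->shadow));
    for (i = nobjs - 1; i >= 0; i--) {
        memset(s->shadow + i * s->stride, SH_FREED, OBJ_SIZE);
        s->freelist[s->nfree++] = i;    /* index 0 ends up on top */
    }
}

/* Move the oldest quarantined object back to the free list. */
static void quarantine_evict(struct slab *s)
{
    s->freelist[s->nfree++] = s->quar[s->qhead];
    s->qhead = (s->qhead + 1) % QUAR_LEN;
    s->qcount--;
}

/* Returns the byte offset of the new object, or -1 if the slab is full. */
static int slab_alloc(struct slab *s)
{
    int idx;

    if (s->nfree == 0 && s->qcount > 0)
        quarantine_evict(s);
    if (s->nfree == 0)
        return -1;
    idx = s->freelist[--s->nfree];
    memset(s->shadow + idx * s->stride, SH_OK, OBJ_SIZE);
    return idx * s->stride;
}

static void slab_free(struct slab *s, int off)
{
    int idx = off / s->stride;

    memset(s->shadow + idx * s->stride, SH_FREED, OBJ_SIZE);
    if (!s->use_quarantine) {
        s->freelist[s->nfree++] = idx;  /* reused by the very next alloc */
        return;
    }
    if (s->qcount == QUAR_LEN)
        quarantine_evict(s);
    s->quar[(s->qhead + s->qcount) % QUAR_LEN] = idx;
    s->qcount++;
}

/* The check compiler instrumentation would make before a load or store. */
static int access_is_bad(const struct slab *s, int off)
{
    return off < 0 || off >= SLAB_SIZE || s->shadow[off] != SH_OK;
}

/* One byte past the end of object a, with neighbour b allocated. */
static int overrun_detected(int redzone)
{
    struct slab s;
    int a;

    slab_init(&s, redzone, 0);
    a = slab_alloc(&s);
    (void)slab_alloc(&s);               /* b, the next object in the slab */
    return access_is_bad(&s, a + OBJ_SIZE);
}

/* Access through a stale pointer after another consumer allocates. */
static int uaf_detected(int use_quarantine)
{
    struct slab s;
    int a;

    slab_init(&s, 8, use_quarantine);
    a = slab_alloc(&s);
    slab_free(&s, a);
    (void)slab_alloc(&s);               /* LIFO hands back a unless quarantined */
    return access_is_bad(&s, a);
}

int main(void)
{
    printf("overrun, no red zone:    %d\n", overrun_detected(0));
    printf("overrun, 8-byte redzone: %d\n", overrun_detected(8));
    printf("UAF, LIFO reuse:         %d\n", uaf_detected(0));
    printf("UAF, quarantine:         %d\n", uaf_detected(1));
    return 0;
}
```

In the model the quarantine only delays reuse by QUAR_LEN frees, so a stale pointer used after the object has cycled back out is still missed; the detection window grows with the quarantine depth.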


BSDCan 2025 Trip Report – Chuck Tuffli

Post by FreeBSD Foundation via FreeBSD Foundation »

The FreeBSD Foundation kindly sponsored my trip to Ottawa for the BSDCan 2025 conference and FreeBSD Developer Summit.  The event spanned four days, with the first two for the developer summit and the second two for the conference. Both took place at the University of Ottawa as they have in past years.

 

I arrived in Ottawa in time for the Goat BoF at Father and Sons. In addition to getting to pet Groff the BSD goat, it was a wonderful opportunity to catch up with friends I only see once a year and make a few new ones. After a long day of traveling, I headed back to my room in U90 to rest up for the first day of the developer summit.

The first day of the developer summit opened with a presentation from the FreeBSD Foundation covering the community survey, transparency efforts, and software development projects, particularly their work on improving laptop support. It is encouraging to see the focused effort on making FreeBSD more compelling as a daily driver.

The Core Team followed with their readout, highlighting several longer-term efforts including reviewing the by-laws to address some recent challenges, re-imagining the role of the DocEng team, and charting a technical roadmap. This roadmap will serve multiple purposes such as guiding new contributors who ask “how can I help?” and coordinating efforts between the community and organizations like the FreeBSD Foundation.

The project’s AI policy sparked considerable discussion between the audience and Core. The proposed policy prohibits material generated by AI or an LLM (Phabricator review D50650 for the curious) due to potential open source license violations. The consensus was there shouldn’t be an AI ban. For example, using AI to proofread commit messages should be allowed, and the ports collection can include AI tools.

After lunch, the srcmgr team presented their mission to reduce friction for new developers and boost productivity for all developers. They detailed current activities like auto-MFC’ing commits and bug-busting sessions, plus an aspirational goal to consolidate project tooling (Phabricator, Bugzilla, and GitHub).

The day included two industry presentations: Verisign explained how OS diversity requirements led them to deploy FreeBSD in their infrastructure, while NVIDIA discussed adding IPSec offload to FreeBSD’s mlx5 driver.

The second day of the developer summit opened with a presentation from the Alpha-Omega Project on software supply chain security. The project started in 2021, funded by Microsoft, Google, and Amazon to help improve the security of open source software. The talk had fascinating insights as to what has worked (and what hasn’t) in their efforts to improve security.

Instead of the typical “have, need, want” session to generate desired features for the next release of FreeBSD, we focused on the remaining items to button up for the 15.0 release. For 15.0, the major change will be distributing the OS as an expansive set of packages (a.k.a., “pkg-base”) instead of the traditional handful of larger distribution sets. This is an eagerly awaited change, but the discussion demonstrated there are still quite a few i’s to dot and t’s to cross. Other topics include upgrading the version of OpenSSL in base to the new LTS version and the deprecation of some 32-bit architectures.

 

One addition to the developer summit was the Round Robin Session. This consisted of two developers talking to each other about any topic, FreeBSD related or not. And every five minutes another developer swaps places with one of the developers. This was great fun and hopefully returns next year.

During the evening’s hacker lounges, I had the opportunity to revisit an unfinished project from a few years back. I had mentored a Google Summer of Code student who undertook the ambitious project of adding a SquashFS driver to the kernel. While the student did a great job, they ran out of time and were not able to get the code committed. Kyle Evans, one of the FreeBSD developers (kevans@), found the student’s work promising, and he spent some time getting the code closer to a committable state. I rebased Kyle’s change on to the current FreeBSD kernel, wrote some integration tests with kyua, and worked with Alex Ziaee (ziaee@) to add a manual page for the driver.

 

The talks at BSDCan this year were varied and interesting, and the schedule forced me to pick between two talks scheduled in the same time slot several times. Some of the talks that stood out for me included:

  • Stefano Marinelli’s talk on “Why (and how) we’re migrating Linux servers to the BSDs” describes his journey to solve problems for customers with open-source software. Not only is his story compelling, but it provides a case study in how the stability and reliability of the BSD operating systems coupled with a pragmatic “solve problems” mindset changed customers’ questions from, “there is something other than Linux?” to “more jails, please”. The passion and enthusiasm behind this talk was infectious and helped to “recharge my FreeBSD batteries”.
  • Hans-Jörg Höxer discussed AMD hardware support for “Confidential Computing” in OpenBSD. Here, the goal is to protect sensitive data in your virtual machine which is running in an untrusted environment (e.g., in a hyperscaler’s data center). The hardware provides runtime encryption, software/firmware attestation, and strong memory isolation guarantees. The talk reviewed the previous work on AMD Secure Encrypted Virtualization (a.k.a., SEV) in part, to provide context for the discussion but also to motivate the new work on SEV-ES. Given OpenBSD’s excellent track record on clean and secure designs, I’m excited to try porting this work to FreeBSD’s vmm and bhyve.
  • Xe Iaso gave the lightning talk “I fight bots in my free time” about their software Anubis, a web AI firewall utility. It was fascinating listening to the story of a developer scratching their itch and rapidly discovering many others have the same problem.

 

In the “hallway track” of the conference, I had an interesting conversation with another FreeBSD developer (Allan Jude) about their idea to connect bhyve and an NVMe-oF storage array. Getting this type of chance encounter to trade ideas and (potentially) spawn new projects is what makes attending conferences so valuable.

The closing session for the conference included the always popular auction benefiting the Ottawa Mission and MC’d by Dan Langille. Highlights included:

 

  • A conference attendee having to buy back their jacket for $110
  • Dan selling a Trader Joe’s paper bag, but needing to scratch out his credit card info on the included receipt

 

Thank you to the FreeBSD Foundation for sponsoring my attendance at the conference.

– Contributed by Chuck Tuffli

The post BSDCan 2025 Trip Report – Chuck Tuffli first appeared on FreeBSD Foundation.


UK Arrests Four in ‘Scattered Spider’ Ransom Group

Post by Brian Krebs via Krebs on Security »

Authorities in the United Kingdom this week arrested four people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. The breaches have been linked to a prolific but loosely-affiliated cybercrime group dubbed “Scattered Spider,” whose other recent victims include multiple airlines.

The U.K.’s National Crime Agency (NCA) declined to verify the names of those arrested, saying only that they included two males aged 19, another aged 17, and a 20-year-old female.

Scattered Spider is the name given to an English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access. The FBI warned last month that Scattered Spider had recently shifted to targeting companies in the retail and airline sectors.

KrebsOnSecurity has learned the identities of two of the suspects. Multiple sources close to the investigation said those arrested include Owen David Flowers, a U.K. man alleged to have been involved in the cyber intrusion and ransomware attack that shut down several MGM Casino properties in September 2023. Those same sources said the woman arrested is or recently was in a relationship with Flowers.

Sources told KrebsOnSecurity that Flowers, who allegedly went by the hacker handles “bo764,” “Holy,” and “Nazi,” was the group member who anonymously gave interviews to the media in the days after the MGM hack. His real name was omitted from a September 2024 story about the group because he was not yet charged in that incident.

The bigger fish arrested this week is 19-year-old Thalha Jubair, a U.K. man whose alleged exploits under various monikers have been well-documented in stories on this site. Jubair is believed to have used the nickname “Earth2Star,” which corresponds to a founding member of the cybercrime-focused Telegram channel “Star Fraud Chat.”

In 2023, KrebsOnSecurity published an investigation into the work of three different SIM-swapping groups that phished credentials from T-Mobile employees and used that access to offer a service whereby any T-Mobile phone number could be swapped to a new device. Star Chat was by far the most active and consequential of the three SIM-swapping groups, who collectively broke into T-Mobile’s network more than 100 times in the second half of 2022.

Jubair allegedly used the handles “Earth2Star” and “Star Ace,” and was a core member of a prolific SIM-swapping group operating in 2022. Star Ace posted this image to the Star Fraud chat channel on Telegram, and it lists various prices for SIM-swaps.

Sources tell KrebsOnSecurity that Jubair also was a core member of the LAPSUS$ cybercrime group that broke into dozens of technology companies in 2022, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.

In April 2022, KrebsOnSecurity published internal chat records from LAPSUS$, and those chats indicated Jubair was using the nicknames Amtrak and Asyntax. At one point in the chats, Amtrak told the LAPSUS$ group leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again.

As shown in those chats, the leader of LAPSUS$ eventually decided to betray Amtrak by posting his real name, phone number, and other hacker handles into a public chat room on Telegram.

In March 2022, the leader of the LAPSUS$ data extortion group exposed Thalha Jubair’s name and hacker handles in a public chat room on Telegram.

That story about the leaked LAPSUS$ chats connected Amtrak/Asyntax/Jubair to the identity “Everlynn,” the founder of a cybercriminal service that sold fraudulent “emergency data requests” targeting the major social media and email providers. In such schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

The roster of the now-defunct “Infinity Recursion” hacking team, from which some members of LAPSUS$ hail.

Sources say Jubair also used the nickname “Operator,” and that until recently he was the administrator of the Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people. In May 2024, several popular cybercrime channels on Telegram ridiculed Operator after it was revealed that he’d staged his own kidnapping in a botched plan to throw off law enforcement investigators.

In November 2024, U.S. authorities charged five men aged 20 to 25 in connection with the Scattered Spider group, which has long relied on recruiting minors to carry out its most risky activities. Indeed, many of the group’s core members were recruited from online gaming platforms like Roblox and Minecraft in their early teens, and have been perfecting their social engineering tactics for years.

“There is a clear pattern that some of the most depraved threat actors first joined cybercrime gangs at an exceptionally young age,” said Allison Nixon, chief research officer at the New York based security firm Unit 221B. “Cybercriminals arrested at 15 or younger need serious intervention and monitoring to prevent a years long massive escalation.”


Doing a bit of stress work on a new HDD

Post by Dan Langille via Dan Langille's Other Diary »

As foreshadowed in x8dtu – drive problems, I will be visiting a data center soon to replace a 4TB HDD. The replacement HDD arrived last night. It was unceremoniously tossed onto the front porch by the courier. However, it was properly packaged. I’m sure it’s fine.

Decently packaged drive

The original idea: put this drive into a host, and write some data to it, to exercise it a bit.

As you will soon learn, that is not going to happen.

The new drive

This morning, I added the drive to one remaining empty drive cage of r730-03.

Drive cage

After inserting the drive cage into the server, I found this in /var/log/messages:

Jul 10 11:53:27 r730-03 kernel: mrsas0: System PD created target ID: 0x2
Jul 10 11:53:28 r730-03 kernel: da8 at mrsas0 bus 1 scbus1 target 2 lun 0
Jul 10 11:53:28 r730-03 kernel: da8:  Fixed Direct Access SPC-4 SCSI device
Jul 10 11:53:28 r730-03 kernel: da8: Serial Number 382AK6KIFJKA
Jul 10 11:53:28 r730-03 kernel: da8: 150.000MB/s transfers
Jul 10 11:53:28 r730-03 kernel: da8: 3815447MB (7814037168 512 byte sectors)

And now, for some smartctl data (note this was taken about 3 hours after inserting the drive).

I am pleased to see the Power_On_Hours value matches how long I’ve been using it.

[15:17 r730-03 dvl ~] % sudo smartctl -x /dev/da8
smartctl 7.5 2025-04-30 r5714 [FreeBSD 14.2-RELEASE-p1 amd64] (local build)
Copyright (C) 2002-25, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Model Family:     Toshiba MG04ACA... Enterprise HDD
Device Model:     TOSHIBA MG04ACA400E
Serial Number:    382AK6KIFJKA
LU WWN Device Id: 5 000039 86bb801d3
Firmware Version: FP4B
User Capacity:    4,000,787,030,016 bytes [4.00 TB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    7200 rpm
Form Factor:      3.5 inches
Device is:        In smartctl database 7.5/5706
ATA Version is:   ATA8-ACS (minor revision not indicated)
SATA Version is:  SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is:    Thu Jul 10 15:17:23 2025 UTC
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is:   Unavailable
APM level is:     128 (minimum power consumption without standby)
Rd look-ahead is: Enabled
Write cache is:   Disabled
DSN feature is:   Unavailable
ATA Security is:  Disabled, NOT FROZEN [SEC1]

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status:  (0x80)	Offline data collection activity
					was never started.
					Auto Offline Data Collection: Enabled.
Self-test execution status:      (   0)	The previous self-test routine completed
					without error or no self-test has ever 
					been run.
Total time to complete Offline 
data collection: 		(  120) seconds.
Offline data collection
capabilities: 			 (0x5b) SMART execute Offline immediate.
					Auto Offline data collection on/off support.
					Suspend Offline collection upon new
					command.
					Offline surface scan supported.
					Self-test supported.
					No Conveyance Self-test supported.
					Selective Self-test supported.
SMART capabilities:            (0x0003)	Saves SMART data before entering
					power-saving mode.
					Supports SMART auto save timer.
Error logging capability:        (0x01)	Error logging supported.
					General Purpose Logging supported.
Short self-test routine 
recommended polling time: 	 (   2) minutes.
Extended self-test routine
recommended polling time: 	 ( 485) minutes.
SCT capabilities: 	       (0x003d)	SCT Status supported.
					SCT Error Recovery Control supported.
					SCT Feature Control supported.
					SCT Data Table supported.

SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAGS    VALUE WORST THRESH FAIL RAW_VALUE
  1 Raw_Read_Error_Rate     PO-R--   100   100   050    -    0
  2 Throughput_Performance  P-S---   100   100   050    -    0
  3 Spin_Up_Time            POS--K   100   100   001    -    7272
  4 Start_Stop_Count        -O--CK   100   100   000    -    2
  5 Reallocated_Sector_Ct   PO--CK   100   100   050    -    0
  7 Seek_Error_Rate         PO-R--   100   100   050    -    0
  8 Seek_Time_Performance   P-S---   100   100   050    -    0
  9 Power_On_Hours          -O--CK   100   100   000    -    3
 10 Spin_Retry_Count        PO--CK   100   100   030    -    0
 12 Power_Cycle_Count       -O--CK   100   100   000    -    2
191 G-Sense_Error_Rate      -O--CK   100   100   000    -    0
192 Power-Off_Retract_Count -O--CK   100   100   000    -    1
193 Load_Cycle_Count        -O--CK   100   100   000    -    2
194 Temperature_Celsius     -O---K   100   100   000    -    37 (Min/Max 25/37)
196 Reallocated_Event_Count -O--CK   100   100   000    -    0
197 Current_Pending_Sector  -O--CK   100   100   000    -    0
198 Offline_Uncorrectable   ----CK   100   100   000    -    0
199 UDMA_CRC_Error_Count    -O--CK   200   253   000    -    0
220 Disk_Shift              -O----   100   100   000    -    0
222 Loaded_Hours            -O--CK   100   100   000    -    3
223 Load_Retry_Count        -O--CK   100   100   000    -    0
224 Load_Friction           -O---K   100   100   000    -    0
226 Load-in_Time            -OS--K   100   100   000    -    552
240 Head_Flying_Hours       P-----   100   100   001    -    0
                            ||||||_ K auto-keep
                            |||||__ C event count
                            ||||___ R error rate
                            |||____ S speed/performance
                            ||_____ O updated online
                            |______ P prefailure warning

General Purpose Log Directory Version 1
SMART           Log Directory Version 1 [multi-sector log support]
Address    Access  R/W   Size  Description
0x00       GPL,SL  R/O      1  Log Directory
0x01           SL  R/O      1  Summary SMART error log
0x02           SL  R/O     51  Comprehensive SMART error log
0x03       GPL     R/O     64  Ext. Comprehensive SMART error log
0x04       GPL,SL  R/O      8  Device Statistics log
0x06           SL  R/O      1  SMART self-test log
0x07       GPL     R/O      1  Extended self-test log
0x08       GPL     R/O      2  Power Conditions log
0x09           SL  R/W      1  Selective self-test log
0x10       GPL     R/O      1  NCQ Command Error log
0x11       GPL     R/O      1  SATA Phy Event Counters log
0x24       GPL     R/O  12288  Current Device Internal Status Data log
0x30       GPL,SL  R/O      9  IDENTIFY DEVICE data log
0x80-0x9f  GPL,SL  R/W     16  Host vendor specific log
0xa7       GPL     VS       8  Device vendor specific log
0xe0       GPL,SL  R/W      1  SCT Command/Status
0xe1       GPL,SL  R/W      1  SCT Data Transfer

SMART Extended Comprehensive Error Log Version: 1 (64 sectors)
No Errors Logged

SMART Extended Self-test Log Version: 1 (1 sectors)
No self-tests have been logged.  [To run self-tests, use: smartctl -t]

SMART Selective self-test log data structure revision number 1
 SPAN  MIN_LBA  MAX_LBA  CURRENT_TEST_STATUS
    1        0        0  Not_testing
    2        0        0  Not_testing
    3        0        0  Not_testing
    4        0        0  Not_testing
    5        0        0  Not_testing
Selective self-test flags (0x0):
  After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.

SCT Status Version:                  3
SCT Version (vendor specific):       1 (0x0001)
Device State:                        Active (0)
Current Temperature:                    37 Celsius
Power Cycle Min/Max Temperature:     26/37 Celsius
Lifetime    Min/Max Temperature:     25/37 Celsius
Under/Over Temperature Limit Count:   0/0

SCT Temperature History Version:     2
Temperature Sampling Period:         1 minute
Temperature Logging Interval:        1 minute
Min/Max recommended Temperature:      5/55 Celsius
Min/Max Temperature Limit:            5/55 Celsius
Temperature History Size (Index):    478 (204)

Index    Estimated Time   Temperature Celsius
 205    2025-07-10 07:20     ?  -
 ...    ..(272 skipped).    ..  -
   0    2025-07-10 11:53     ?  -
   1    2025-07-10 11:54    28  *********
   2    2025-07-10 11:55    29  **********
   3    2025-07-10 11:56    30  ***********
   4    2025-07-10 11:57    31  ************
   5    2025-07-10 11:58    31  ************
   6    2025-07-10 11:59    32  *************
   7    2025-07-10 12:00    32  *************
   8    2025-07-10 12:01    33  **************
   9    2025-07-10 12:02    33  **************
  10    2025-07-10 12:03    34  ***************
 ...    ..(  2 skipped).    ..  ***************
  13    2025-07-10 12:06    34  ***************
  14    2025-07-10 12:07    35  ****************
 ...    ..(  3 skipped).    ..  ****************
  18    2025-07-10 12:11    35  ****************
  19    2025-07-10 12:12    36  *****************
 ...    ..( 97 skipped).    ..  *****************
 117    2025-07-10 13:50    36  *****************
 118    2025-07-10 13:51    37  ******************
 119    2025-07-10 13:52    36  *****************
 ...    ..(  3 skipped).    ..  *****************
 123    2025-07-10 13:56    36  *****************
 124    2025-07-10 13:57    37  ******************
 ...    ..(  2 skipped).    ..  ******************
 127    2025-07-10 14:00    37  ******************
 128    2025-07-10 14:01    36  *****************
 129    2025-07-10 14:02    37  ******************
 130    2025-07-10 14:03    37  ******************
 131    2025-07-10 14:04    36  *****************
 132    2025-07-10 14:05    37  ******************
 133    2025-07-10 14:06    36  *****************
 134    2025-07-10 14:07    37  ******************
 135    2025-07-10 14:08    37  ******************
 136    2025-07-10 14:09    37  ******************
 137    2025-07-10 14:10    36  *****************
 138    2025-07-10 14:11    37  ******************
 ...    ..( 65 skipped).    ..  ******************
 204    2025-07-10 15:17    37  ******************

SCT Error Recovery Control:
           Read: Disabled
          Write: Disabled

Device Statistics (GP Log 0x04)
Page  Offset Size        Value Flags Description
0x01  =====  =               =  ===  == General Statistics (rev 2) ==
0x01  0x008  4               2  ---  Lifetime Power-On Resets
0x01  0x010  4               3  ---  Power-on Hours
0x01  0x018  6         4020718  ---  Logical Sectors Written
0x01  0x020  6           12281  ---  Number of Write Commands
0x01  0x028  6            4843  ---  Logical Sectors Read
0x01  0x030  6             234  ---  Number of Read Commands
0x02  =====  =               =  ===  == Free-Fall Statistics (rev 1) ==
0x02  0x010  4               0  ---  Overlimit Shock Events
0x03  =====  =               =  ===  == Rotating Media Statistics (rev 1) ==
0x03  0x008  4               3  ---  Spindle Motor Power-on Hours
0x03  0x010  4               3  ---  Head Flying Hours
0x03  0x018  4               2  ---  Head Load Events
0x03  0x020  4               0  ---  Number of Reallocated Logical Sectors
0x03  0x028  4               0  ---  Read Recovery Attempts
0x03  0x030  4               0  ---  Number of Mechanical Start Failures
0x04  =====  =               =  ===  == General Errors Statistics (rev 1) ==
0x04  0x008  4               0  ---  Number of Reported Uncorrectable Errors
0x04  0x010  4               0  ---  Resets Between Cmd Acceptance and Completion
0x05  =====  =               =  ===  == Temperature Statistics (rev 1) ==
0x05  0x008  1              37  ---  Current Temperature
0x05  0x010  1               -  N--  Average Short Term Temperature
0x05  0x018  1               -  N--  Average Long Term Temperature
0x05  0x020  1              37  ---  Highest Temperature
0x05  0x028  1              25  ---  Lowest Temperature
0x05  0x030  1               -  N--  Highest Average Short Term Temperature
0x05  0x038  1               -  N--  Lowest Average Short Term Temperature
0x05  0x040  1               -  N--  Highest Average Long Term Temperature
0x05  0x048  1               -  N--  Lowest Average Long Term Temperature
0x05  0x050  4               0  ---  Time in Over-Temperature
0x05  0x058  1              55  ---  Specified Maximum Operating Temperature
0x05  0x060  4               0  ---  Time in Under-Temperature
0x05  0x068  1               5  ---  Specified Minimum Operating Temperature
0x06  =====  =               =  ===  == Transport Statistics (rev 1) ==
0x06  0x008  4               1  ---  Number of Hardware Resets
0x06  0x018  4               0  ---  Number of Interface CRC Errors
0x07  =====  =               =  ===  == Solid State Device Statistics (rev 1) ==
                                |||_ C monitored condition met
                                ||__ D supports DSN
                                |___ N normalized value

Pending Defects log (GP Log 0x0c) not supported

SATA Phy Event Counters (GP Log 0x11)
ID      Size     Value  Description
0x0001  4            0  Command failed due to ICRC error
0x0002  4            0  R_ERR response for data FIS
0x0003  4            0  R_ERR response for device-to-host data FIS
0x0004  4            0  R_ERR response for host-to-device data FIS
0x0005  4            0  R_ERR response for non-data FIS
0x0006  4            0  R_ERR response for device-to-host non-data FIS
0x0007  4            0  R_ERR response for host-to-device non-data FIS
0x0008  4            0  Device-to-host non-data FIS retries
0x0009  4            1  Transition from drive PhyRdy to drive PhyNRdy
0x000a  4            1  Device-to-host register FISes sent due to a COMRESET
0x000b  4            0  CRC errors within host-to-device FIS
0x000d  4            0  Non-CRC errors within host-to-device FIS
0x000f  4            0  R_ERR response for host-to-device data FIS, CRC
0x0010  4            0  R_ERR response for host-to-device data FIS, non-CRC
0x0012  4            0  R_ERR response for host-to-device non-data FIS, CRC
0x0013  4            0  R_ERR response for host-to-device non-data FIS, non-CRC

The old drive

This is the old drive:

[12:18 x8dtu dvl ~] % tail -100 /var/log/messages | grep -v openvpn | tail
Jul 10 07:19:59 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
Jul 10 07:49:57 x8dtu syslogd: last message repeated 1 times
Jul 10 08:19:58 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
Jul 10 08:49:58 x8dtu syslogd: last message repeated 1 times
Jul 10 09:19:57 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
Jul 10 09:49:58 x8dtu syslogd: last message repeated 1 times
Jul 10 10:19:57 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
Jul 10 10:49:58 x8dtu syslogd: last message repeated 1 times
Jul 10 11:19:58 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
Jul 10 11:49:57 x8dtu syslogd: last message repeated 1 times
[12:19 x8dtu dvl ~] % 

The partitions:

[12:20 x8dtu dvl ~] % gpart show ada3
=>         6  1220942635  ada3  GPT  (4.5T)
           6  1220280320     1  freebsd-zfs  (4.5T)
  1220280326      662315        - free -  (2.5G)

[12:20 x8dtu dvl ~] % gpart backup ada3
GPT 128
1   freebsd-zfs          6 1220280320  

It was at this point that I realized my error.

The new HDD was too small. 4TB vs 4.5TB.

Fortunately, the existing zpool is not full:


[12:30 x8dtu dvl ~] % zpool list
NAME        SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
main_tank  4.53T  1.26T  3.27T        -         -    26%    27%  1.00x  DEGRADED  -
zroot       212G  56.4G   156G        -         -    50%    26%  1.00x    ONLINE  -

The plan

My plan is to create a new zpool using the new drive and name it data.

The first step is to mirror the existing main_tank zpool into the data zpool.

main_tank will be destroyed.

Partition the existing drive to match the new drive.

Add the new drive to the data zpool, creating a mirror.

Wait for the resilver.

The time

Given we have 1.26TB on a 300MB/s connection, it will take at least 1 hour and 10 minutes to copy that data.

Perhaps I’ll try a zfs send | recv over the internet so the drive at least contains a starting point.

I’ll probably use syncoid for that.

Partition the new drive

The steps in this section are taken from a recent post on creating a standby-spare.

[12:48 r730-03 dvl ~] % sudo gpart create -s gpt da8          
da8 created
[12:48 r730-03 dvl ~] % gpart show da8
=>        40  7814037088  da8  GPT  (3.6T)
          40  7814037088       - free -  (3.6T)

I record this information for possible future use.

[12:48 r730-03 dvl ~] % sudo diskinfo -v /dev/da8
/dev/da8
	512         	# sectorsize
	4000787030016	# mediasize in bytes (3.6T)
	7814037168  	# mediasize in sectors
	4096        	# stripesize
	0           	# stripeoffset
	486401      	# Cylinders according to firmware.
	255         	# Heads according to firmware.
	63          	# Sectors according to firmware.
	ATA TOSHIBA MG04ACA4	# Disk descr.
	382AK6KIFJKA	# Disk ident.
	mrsas0      	# Attachment
	No          	# TRIM/UNMAP support
	7200        	# Rotation rate in RPM
	Not_Zoned   	# Zone Mode

[12:50 r730-03 dvl ~] % 

Next, the zfs partition is created.

I know the new drive is going into slot 3 because:

  1. slot 3 is mentioned here:
    [12:54 x8dtu dvl ~] % grep ada3 /var/run/dmesg.boot | head
    ada3 at ahcich3 bus 0 scbus3 target 0 lun 0
    ada3: <TOSHIBA MG04ACA500A FP1A> ATA8-ACS SATA 3.x device
    ada3: Serial Number 44E1K00IFK7A
    ada3: 300.000MB/s transfers (SATA 2.x, UDMA5, PIO 8192bytes)
    ada3: Command Queueing enabled
    ada3: 4769307MB (1220942646 4096 byte sectors)
    ses0: ada3,pass3 in 'Slot 03', SATA Slot: scbus3 target 0
    vdev_geom_attach:219[1]: Attaching to ada3p1.
    vdev_geom_attach:263[1]: Created geom and consumer for ada3p1.
    vdev_geom_read_config:457[1]: Reading config from ada3p1...
    
  2. and mentioned here:
    [12:55 x8dtu dvl ~] % sudo sesutil show
    ses0: <AHCI SGPIO Enclosure 2.00>; ID: 3061686369656d30
    Desc            Dev     Model                     Ident                Size/Status
    Slot 00         ada0    Samsung SSD 860 EVO 250GB S5B4NMFN804278V      250G
    Slot 01         ada1    Samsung SSD 860 EVO 250GB S5B4NMFN804351W      250G
    Slot 02         ada2    TOSHIBA MG04ACA500A       44E1K00HFK7A         5T
    Slot 03         ada3    TOSHIBA MG04ACA500A       44E1K00IFK7A         5T
    Slot 04         cd0     TEAC DV-28S-V                                  689M
    Slot 05         -       -                         -                    Not Installed
    [12:55 x8dtu dvl ~] % 
    

I know the serial number from photos, diskinfo output, and /var/log/messages.

[13:02 r730-03 dvl ~] % sudo gpart add -i 1 -t freebsd-zfs -a 4k -l SLOT_3_TO_382AK6KIFJKA da8
da8p1 added
[13:04 r730-03 dvl ~] % gpart show da8
=>        40  7814037088  da8  GPT  (3.6T)
          40  7814037088    1  freebsd-zfs  (3.6T)

[13:04 r730-03 dvl ~] % gpart show -l da8
=>        40  7814037088  da8  GPT  (3.6T)
          40  7814037088    1  SLOT_3_TO_382AK6KIFJKA  (3.6T)

[13:04 r730-03 dvl ~] % 

zpool creation

This created the new zpool:

[13:21 r730-03 dvl ~] % sudo zpool create data /dev/da8p1
[13:22 r730-03 dvl ~] % zpool list
NAME     SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
data    3.62T   360K  3.62T        -         -     0%     0%  1.00x    ONLINE  -
data01  32.7T  22.4T  10.3T        -         -    25%    68%  1.00x    ONLINE  -
zroot    412G  37.0G   375G        -         -    25%     8%  1.00x    ONLINE  -
[13:23 r730-03 dvl ~] % 

Permissions

I set these delegations on the sending dataset:

[14:11 x8dtu dvl ~] % sudo zfs allow -d dvl snapshot main_tank             
[14:12 x8dtu dvl ~] % sudo zfs allow -d dvl send main_tank

These delegations are on the receiving side:

[14:25 r730-03 dvl ~] % sudo zfs allow dvl create,mount,receive,snapshot data    

How I sent

This is me, sending:

[15:13 x8dtu dvl ~] % syncoid --no-privilege-elevation -r  --compress=lzo --quiet main_tank 10.55.0.143:data                  
cannot create snapshots : permission denied
CRITICAL ERROR:   zfs snapshot 'main_tank'@syncoid_x8dtu.unixathome.org_2025-07-10:15:14:15-GMT00:00
 failed: 256 at /usr/local/bin/syncoid line 1631.
cannot mount '/data/backups': failed to create mountpoint: Permission denied
cannot hold: permission denied
cannot send 'main_tank/backups': permission denied
cannot receive: failed to read from stream
CRITICAL ERROR:  zfs send  -I 'main_tank/backups'@'autosnap_2025-07-01_00:02:55_daily' 'main_tank/backups'@'syncoid_x8dtu.unixathome.org_2025-07-10:15:14:15-GMT00:00' | lzop  | mbuffer  -q -s 128k -m 16M | ssh      -S /tmp/syncoid-10.55.0.143-1752160454-7152 10.55.0.143 ' mbuffer  -q -s 128k -m 16M | lzop -dfc |  zfs receive  -s -F '"'"'data/backups'"'"'' failed: 256 at /usr/local/bin/syncoid line 585.
cannot mount '/data/backups/rsyncer': failed to create mountpoint: Permission denied
cannot hold: permission denied
cannot send 'main_tank/backups/rsyncer': permission denied
cannot receive: failed to read from stream
...
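
As an added example (not from the original post): an sh/awk check that reads `zfs allow` output and reports which permissions a user lacks on the dataset itself versus on its descendants, which is the distinction `zfs allow -d` introduces. The sample listings are constructed from the delegation commands above, the needed permissions are the operations named in the error output, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit ZFS delegations from `zfs allow <dataset>` output.
# All function names and both sample listings below are constructed.

# Assumed output of `zfs allow main_tank` after the two
# `zfs allow -d dvl ...` commands on the sending host.
sender_allow() {
cat <<'EOF'
---- Permissions on main_tank ----------------------------------------
Descendent permissions:
        user dvl send,snapshot
EOF
}

# Assumed output of `zfs allow data` on the receiving host.
receiver_allow() {
cat <<'EOF'
---- Permissions on data ---------------------------------------------
Local+Descendent permissions:
        user dvl create,mount,receive,snapshot
EOF
}

# effective_perms USER RELATION   (reads `zfs allow` output on stdin)
# RELATION is "self" for the dataset the listing belongs to,
# or "child" for any dataset below it.
# Prints one permission per line. Permission sets (@name) are printed
# by name and are not expanded.
effective_perms() {
    awk -v user="$1" -v rel="$2" '
        /^Local[+]Descendent permissions:/ { scope = "both";  next }
        /^Local permissions:/              { scope = "self";  next }
        /^Descendent permissions:/         { scope = "child"; next }
        /^[^ \t]/                          { scope = "";      next }
        scope != "" && $1 == "user" && $2 == user {
            if (scope == "both" || scope == rel) {
                n = split($3, p, ",")
                for (i = 1; i <= n; i++) print p[i]
            }
        }
    ' | sort -u
}

# missing_perms USER RELATION "perm1 perm2 ..."   (stdin as above)
# Prints the needed permissions that USER does not hold, space separated.
missing_perms() {
    user=$1 rel=$2 needed=$3
    have=$(effective_perms "$user" "$rel")
    out=""
    for p in $needed; do
        printf '%s\n' "$have" | grep -qx "$p" || out="${out:+$out }$p"
    done
    printf '%s' "$out"
}

# Report for the delegations shown on this page.
for rel in self child; do
    printf 'sender   %-5s missing: %s\n' "$rel" \
        "$(sender_allow | missing_perms dvl "$rel" 'snapshot hold send')"
    printf 'receiver %-5s missing: %s\n' "$rel" \
        "$(receiver_allow | missing_perms dvl "$rel" 'create mount receive')"
done
```

On a live host, pipe the output of `zfs allow main_tank` into `missing_perms` in place of the sample functions.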

Existing mountpoint

This may be useful later:

[19:10 x8dtu dvl ~] % zfs get -t filesystem -r mountpoint main_tank
NAME                                                                    PROPERTY    VALUE                                              SOURCE
main_tank                                                               mountpoint  none                                               local
main_tank/backups                                                       mountpoint  none                                               local
main_tank/backups/rsyncer                                               mountpoint  none                                               inherited from main_tank/backups
main_tank/backups/rsyncer/backups                                       mountpoint  /home/rsyncer/backups                              local
main_tank/backups/rsyncer/backups/Bacula                                mountpoint  /home/rsyncer/backups/Bacula                       inherited from main_tank/backups/rsyncer/backups
main_tank/backups/rsyncer/backups/bacula-database                       mountpoint  /home/rsyncer/backups/bacula-database              inherited from main_tank/backups/rsyncer/backups
main_tank/freshports                                                    mountpoint  none                                               inherited from main_tank
main_tank/freshports/ingress01                                          mountpoint  none                                               local
main_tank/freshports/ingress01/var                                      mountpoint  none                                               inherited from main_tank/freshports/ingress01
main_tank/freshports/ingress01/var/db                                   mountpoint  none                                               inherited from main_tank/freshports/ingress01
main_tank/freshports/ingress01/var/db/freshports                        mountpoint  /jails/ingress01/var/db/freshports                 local
main_tank/freshports/ingress01/var/db/freshports/cache                  mountpoint  /jails/ingress01/var/db/freshports/cache           inherited from main_tank/freshports/ingress01/var/db/freshports
main_tank/freshports/ingress01/var/db/freshports/cache/html             mountpoint  /jails/ingress01/var/db/freshports/cache/html      inherited from main_tank/freshports/ingress01/var/db/freshports
main_tank/freshports/ingress01/var/db/freshports/cache/spooling         mountpoint  /jails/ingress01/var/db/freshports/cache/spooling  inherited from main_tank/freshports/ingress01/var/db/freshports
main_tank/freshports/ingress01/var/db/freshports/message-queues         mountpoint  /jails/ingress01/var/db/freshports/message-queues  inherited from main_tank/freshports/ingress01/var/db/freshports
main_tank/freshports/ingress01/var/db/freshports/repos                  mountpoint  /jails/ingress01/var/db/freshports/repos           inherited from main_tank/freshports/ingress01/var/db/freshports
main_tank/freshports/ingress01/var/db/ingress                           mountpoint  /jails/ingress01/var/db/ingress                    local
main_tank/freshports/ingress01/var/db/ingress/message-queues            mountpoint  /jails/ingress01/var/db/ingress/message-queues     inherited from main_tank/freshports/ingress01/var/db/ingress
main_tank/freshports/ingress01/var/db/ingress/repos                     mountpoint  /jails/ingress01/var/db/ingress/repos              inherited from main_tank/freshports/ingress01/var/db/ingress
main_tank/freshports/jailed                                             mountpoint  none                                               inherited from main_tank
main_tank/freshports/jailed/ingress01                                   mountpoint  none                                               local
main_tank/freshports/jailed/ingress01/jails                             mountpoint  /jails                                             local
main_tank/freshports/jailed/ingress01/jails/freshports                  mountpoint  /jails/freshports                                  inherited from main_tank/freshports/jailed/ingress01/jails
main_tank/freshports/jailed/ingress01/mkjail                            mountpoint  /var/db/mkjail                                     local
main_tank/freshports/jailed/ingress01/mkjail/14.1-RELEASE               mountpoint  /var/db/mkjail/14.1-RELEASE                        inherited from main_tank/freshports/jailed/ingress01/mkjail
main_tank/freshports/jailed/nginx01                                     mountpoint  none                                               inherited from main_tank
main_tank/freshports/jailed/nginx01/var                                 mountpoint  none                                               inherited from main_tank
main_tank/freshports/jailed/nginx01/var/db                              mountpoint  none                                               inherited from main_tank
main_tank/freshports/jailed/nginx01/var/db/freshports                   mountpoint  none                                               inherited from main_tank
main_tank/freshports/jailed/nginx01/var/db/freshports/cache             mountpoint  /var/db/freshports/cache                           local
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/categories  mountpoint  /var/db/freshports/cache/categories                inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/commits     mountpoint  /var/db/freshports/cache/commits                   inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/daily       mountpoint  /var/db/freshports/cache/daily                     inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/general     mountpoint  /var/db/freshports/cache/general                   inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/news        mountpoint  /var/db/freshports/cache/news                      inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/packages    mountpoint  /var/db/freshports/cache/packages                  inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/pages       mountpoint  /var/db/freshports/cache/pages                     inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/ports       mountpoint  /var/db/freshports/cache/ports                     inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/jailed/nginx01/var/db/freshports/cache/spooling    mountpoint  /var/db/freshports/cache/spooling                  inherited from main_tank/freshports/jailed/nginx01/var/db/freshports/cache
main_tank/freshports/nginx01                                            mountpoint  none                                               inherited from main_tank
main_tank/freshports/nginx01/var                                        mountpoint  none                                               inherited from main_tank
main_tank/freshports/nginx01/var/db                                     mountpoint  none                                               inherited from main_tank
main_tank/freshports/nginx01/var/db/freshports                          mountpoint  none                                               inherited from main_tank
main_tank/freshports/nginx01/var/db/freshports/cache                    mountpoint  none                                               local
main_tank/home                                                          mountpoint  /usr/home                                          local
main_tank/jails                                                         mountpoint  /jails                                             local
main_tank/jails/ingress01                                               mountpoint  /jails/ingress01                                   inherited from main_tank/jails
main_tank/jails/nginx01                                                 mountpoint  /jails/nginx01                                     inherited from main_tank/jails
main_tank/jails/perl540                                                 mountpoint  /jails/perl540                                     inherited from main_tank/jails
main_tank/jails/pg01                                                    mountpoint  /jails/pg01                                        inherited from main_tank/jails
main_tank/jails/svn                                                     mountpoint  /jails/svn                                         inherited from main_tank/jails
main_tank/mkjail                                                        mountpoint  /mkjail                                            local
main_tank/mkjail/14.1-RELEASE                                           mountpoint  /mkjail/14.1-RELEASE                               inherited from main_tank/mkjail
main_tank/mkjail/14.2-RELEASE                                           mountpoint  /mkjail/14.2-RELEASE                               inherited from main_tank/mkjail

Four hours later

Four hours later, 144GB has been copied.

[19:09 r730-03 dvl ~] % zpool list data    
NAME   SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
data  3.62T   144G  3.48T        -         -     0%     3%  1.00x    ONLINE  -

That’s about 11%, so this may take another 36 hours. So that will be 3:16AM on Saturday.

Adding in a stand-by spare drive for ZFS on FreeBSD

Post by Dan Langille via Dan Langille's Other Diary »

This is a follow up to Adding in a hot-spare for zfs on FreeBSD from two months ago. The replacement for the returned drive has arrived and after sitting for many weeks on my coffee table, it is installed in r730-03.

Here it is, as found in /var/log/messages – this host is a Dell R730 which has drive cages allowing me to insert the drive without powering off the host.

Jun 30 16:17:15 r730-03 kernel: mrsas0: System PD created target ID: 0x7
Jun 30 16:17:16 r730-03 kernel: da7 at mrsas0 bus 1 scbus1 target 7 lun 0
Jun 30 16:17:16 r730-03 kernel: da7:  Fixed Direct Access SPC-4 SCSI device
Jun 30 16:17:16 r730-03 kernel: da7: Serial Number ZL2G3LB9
Jun 30 16:17:16 r730-03 kernel: da7: 150.000MB/s transfers
Jun 30 16:17:16 r730-03 kernel: da7: 11444224MB (23437770752 512 byte sectors)

I’m going to set this up as a stand-by drive, as opposed to a hot-spare, ready to be grabbed by zfsd.

Identify a matching drive

These are the zpools:

[16:47 r730-03 dvl ~] % zpool list         
NAME     SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
data01  32.7T  22.3T  10.4T        -         -    25%    68%  1.00x    ONLINE  -
zroot    412G  31.9G   380G        -         -    24%     7%  1.00x    ONLINE  -

These are the vdevs in that big pool:

[16:47 r730-03 dvl ~] % zpool status data01
  pool: data01
 state: ONLINE
  scan: scrub repaired 0B in 22:15:48 with 0 errors on Fri Jun 27 01:56:15 2025
config:

	NAME                   STATE     READ WRITE CKSUM
	data01                 ONLINE       0     0     0
	  mirror-0             ONLINE       0     0     0
	    gpt/SEAG_ZJV4HFPE  ONLINE       0     0     0
	    gpt/SEAG_ZHZ16KEX  ONLINE       0     0     0
	  mirror-1             ONLINE       0     0     0
	    gpt/SG_ZHZ03BAT    ONLINE       0     0     0
	    gpt/HGST_8CJW1G4E  ONLINE       0     0     0
	  mirror-2             ONLINE       0     0     0
	    gpt/SG_ZL2NJBT2    ONLINE       0     0     0
	    gpt/HGST_5PGGTH3D  ONLINE       0     0     0

errors: No known data errors

Look above for SEAG_ZJV4HFPE – I’m going to use that drive as the sample for the new one.

Next, look below for the same label as I look for the device name.

These are the partitions on all drives in the host:

[16:50 r730-03 dvl ~] % gpart show -l                     
=>       40  937703008  ada0  GPT  (447G)
         40       1024     1  gptboot1  (512K)
       1064        984        - free -  (492K)
       2048   67108864     2  swap1  (32G)
   67110912  870590464     3  zfs1  (415G)
  937701376       1672        - free -  (836K)

=>       40  937703008  ada1  GPT  (447G)
         40       1024     1  gptboot0  (512K)
       1064        984        - free -  (492K)
       2048   67108864     2  swap0  (32G)
   67110912  870590464     3  zfs0  (415G)
  937701376       1672        - free -  (836K)

=>         40  23437770672  da4  GPT  (11T)
           40  23437770600    1  HGST_8CJW1G4E  (11T)
  23437770640           72       - free -  (36K)

=>         40  23437770672  da1  GPT  (11T)
           40  23437770600    1  HGST_5PGGTH3D  (11T)
  23437770640           72       - free -  (36K)

=>         40  23437770672  da0  GPT  (11T)
           40  23437770600    1  SEAG_ZJV4HFPE  (11T)
  23437770640           72       - free -  (36K)

=>         34  23437770685  da5  GPT  (11T)
           34            6       - free -  (3.0K)
           40  23437770600    1  SG_ZL2NJBT2  (11T)
  23437770640           79       - free -  (40K)

=>         40  23437770672  da2  GPT  (11T)
           40  23437770600    1  SEAG_ZHZ16KEX  (11T)
  23437770640           72       - free -  (36K)

=>         40  23437770672  da3  GPT  (11T)
           40  23437770600    1  SG_ZHZ03BAT  (11T)
  23437770640           72       - free -  (36K)

=>         40  23437770672  da7  GPT  (11T)
           40  23437770672       - free -  (11T)

[16:50 r730-03 dvl ~] % 

That tells me da0 is the device I’m going to use as the sample drive.

Partition the new drive

Here, I create the partition scheme (GUID, see PARTITIONING SCHEMES in man gpart(8)).

[16:41 r730-03 dvl ~] % sudo gpart create -s gpt da7
da7 created
[16:50 r730-03 dvl ~] % gpart show da7
=>         40  23437770672  da7  GPT  (11T)
           40  23437770672       - free -  (11T)

New drive information

Some of this information will be useful to me when I label the drive:

[17:05 r730-03 dvl ~] % sudo diskinfo -v /dev/da7                       
/dev/da7
	512         	# sectorsize
	12000138625024	# mediasize in bytes (11T)
	23437770752 	# mediasize in sectors
	4096        	# stripesize
	0           	# stripeoffset
	1458933     	# Cylinders according to firmware.
	255         	# Heads according to firmware.
	63          	# Sectors according to firmware.
	ATA ST12000NM001G-2M	# Disk descr.
	ZL2G3LB9    	# Disk ident.
	mrsas0      	# Attachment
	No          	# TRIM/UNMAP support
	7200        	# Rotation rate in RPM
	Not_Zoned   	# Zone Mode

[17:06 r730-03 dvl ~] % 

From there, using the Disk descr, I know this is a Seagate drive (I know anyway, but if I didn’t, that description can be used to look it up and find out).

I also know this drive is in slot 7 of the server. I suspect the 1 scbus1 target 7 from /var/log/messages (as shown at the top of this page) confirms that.

Create the partition

[17:05 r730-03 dvl ~] % sudo gpart add -i 1 -t freebsd-zfs -a 4k -l SLOT_7_ST_ZL2G3LB9 -s 23437770600 da7
da7p1 added

Those parameters explained:

argument                description
-i 1                    first index
-t freebsd-zfs          type freebsd-zfs partition
-a 4k                   align on 4K – usually a safe bet
-l SLOT_7_ST_ZL2G3LB9   a user-supplied label telling me the drive is in slot 7, it’s a Seagate, with that serial number.
-s 23437770600          the partition size (matches da0)

There, done

[17:15 r730-03 dvl ~] % gpart show da7
=>         40  23437770672  da7  GPT  (11T)
           40  23437770600    1  freebsd-zfs  (11T)
  23437770640           72       - free -  (36K)

[17:22 r730-03 dvl ~] % 

Thank you for coming to my TED talk.

Microsoft Patch Tuesday, July 2025 Edition

Post by Brian Krebs via Krebs on Security »

Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users.

While not listed as critical, CVE-2025-49719 is a publicly disclosed information disclosure vulnerability, with all versions as far back as SQL Server 2016 receiving patches. Microsoft rates CVE-2025-49719 as less likely to be exploited, but the availability of proof-of-concept code for this flaw means its patch should probably be a priority for affected enterprises.

Mike Walters, co-founder of Action1, said CVE-2025-49719 can be exploited without authentication, and that many third-party applications depend on SQL Server and the affected drivers — potentially introducing a supply-chain risk that extends beyond direct SQL Server users.

“The potential exposure of sensitive information makes this a high-priority concern for organizations handling valuable or regulated data,” Walters said. “The comprehensive nature of the affected versions, spanning multiple SQL Server releases from 2016 through 2022, indicates a fundamental issue in how SQL Server handles memory management and input validation.”

Adam Barnett at Rapid7 notes that today is the end of the road for SQL Server 2012, meaning there will be no future security patches even for critical vulnerabilities, even if you’re willing to pay Microsoft for the privilege.

Barnett also called attention to CVE-2025-47981, a vulnerability with a CVSS score of 9.8 (10 being the worst), a remote code execution bug in the way Windows servers and clients negotiate to discover mutually supported authentication mechanisms. This pre-authentication vulnerability affects any Windows client machine running Windows 10 1607 or above, and all current versions of Windows Server. Microsoft considers it more likely that attackers will exploit this flaw.

Microsoft also patched at least four critical, remote code execution flaws in Office (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702). The first two are both rated by Microsoft as having a higher likelihood of exploitation, do not require user interaction, and can be triggered through the Preview Pane.

Two more high severity bugs include CVE-2025-49740 (CVSS 8.8) and CVE-2025-47178 (CVSS 8.0); the former is a weakness that could allow malicious files to bypass screening by Microsoft Defender SmartScreen, a built-in feature of Windows that tries to block untrusted downloads and malicious sites.

CVE-2025-47178 involves a remote code execution flaw in Microsoft Configuration Manager, an enterprise tool for managing, deploying, and securing computers, servers, and devices across a network. Ben Hopkins at Immersive said this bug requires very low privileges to exploit, and that it is possible for a user or attacker with a read-only access role to exploit it.

“Exploiting this vulnerability allows an attacker to execute arbitrary SQL queries as the privileged SMS service account in Microsoft Configuration Manager,” Hopkins said. “This access can be used to manipulate deployments, push malicious software or scripts to all managed devices, alter configurations, steal sensitive data, and potentially escalate to full operating system code execution across the enterprise, giving the attacker broad control over the entire IT environment.”

Separately, Adobe has released security updates for a broad range of software, including After Effects, Adobe Audition, Illustrator, FrameMaker, and ColdFusion.

The SANS Internet Storm Center has a breakdown of each individual patch, indexed by severity. If you’re responsible for administering a number of Windows systems, it may be worth keeping an eye on AskWoody for the lowdown on any potentially wonky updates (considering the large number of vulnerabilities and Windows components addressed this month).

If you’re a Windows home user, please consider backing up your data and/or drive before installing any patches, and drop a note in the comments if you encounter any problems with these updates.


MySQL: Release Notes Database

Post by Kristian Köhntopp via Die wunderbare Welt von Isotopp »

I’ve hacked together a horrible thing in Python, and made it available in mysql-release-notes on GitHub.

It’s a Python project (done with uv) that downloads all MySQL release notes, dumps them into a release_notes folder, and then parses them, pushing everything into a database.

It uses SQLAlchemy and mysqlclient to connect to the database.

It generates a schema (not preserving any data), and fills it with all the release notes we have.

The schema is a simple star.

For each release, we have many issues, and for each issue we store a number of properties. Properties aren’t stored as plain text — they’re encoded, and we only keep the property ID.

Sample queries like

select t.contributor,
       min(r.release_date), min(r.version),
       max(r.release_date), max(r.version),
       count(i.text) as cnt
from `release` r
         join issue i on r.id = i.release_id
         join issue_thanks it on i.id = it.issue_id
         join thanks t on it.thanks_id = t.id
group by t.contributor
order by cnt desc;

can answer questions about issues — for example, who contributed the most fixes or changes.

The code is a lazy evening project, but it can already answer some useful questions. Like: “If I upgraded from version x to y, what bugs would be fixed?”

That said, since the data comes from free-text HTML release notes, it’s messy. We’ll probably need fixer functions.

MRs welcome.


x8dtu – main ssds: how worn are they?

Post by Dan Langille via Dan Langille's Other Diary »

Let’s look at these two SSDs (full smartctl output appears at the end).

  pool: zroot
 state: ONLINE
status: Some supported and requested features are not enabled on the pool.
	The pool can still be used, but some features are unavailable.
action: Enable all features using 'zpool upgrade'. Once this is done,
	the pool may no longer be accessible by software that does not support
	the features. See zpool-features(7) for details.
  scan: scrub repaired 0B in 00:03:53 with 0 errors on Mon Jul  7 03:51:20 2025
config:

	NAME        STATE     READ WRITE CKSUM
	zroot       ONLINE       0     0     0
	  mirror-0  ONLINE       0     0     0
	    ada1p3  ONLINE       0     0     0
	    ada0p3  ONLINE       0     0     0

Interesting notes:

  1. Both have 35857 power on hours
  2. 51078678193 logical sectors written (or 51078652989 for the other one)
  3. Wear_Leveling_Count is 266 or 255 – no idea how to interpret that

With 512 byte sectors, that means these drives have written 51078678193 x 512 or 26,152,283,234,816 bytes. Or about 26,152.28 gigabytes, roughly 26TB. Please check my math (full smartctl output appears below).

Looking at the Samsung page, I see “Warrantied TBW for 860 EVO: 150 TBW for 250 GB model…”.

This tells me I’m about 1/6 of the way through the drive in terms of TBW.

As pointed out by Thomas A. Frederiksen, Percentage Used Endurance Indicator is at 15%. Which is pretty damn close to 1/6.
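The arithmetic above can be checked straight from the `smartctl -x` text. The following is an added example, not code from the original post: it parses the sector size, attribute 241 and the Device Statistics lines, then compares bytes written against the 150 TBW warranty figure quoted above. The function names are hypothetical, the sample lines are excerpted from the ada0 output on this page, and it assumes (as the post does) that the counter is in logical sectors.

```python
import re

# Lines excerpted from the ada0 output on this page (not a full smartctl dump).
SAMPLE_ADA0 = """\
Device Model:     Samsung SSD 860 EVO 250GB
Sector Size:      512 bytes logical/physical
  9 Power_On_Hours          -O--CK   092   092   000    -    35857
241 Total_LBAs_Written      -O--CK   099   099   000    -    51078678193
0x01  0x018  6     51078678193  ---  Logical Sectors Written
0x07  0x008  1              14  N--  Percentage Used Endurance Indicator
"""

WARRANTED_TBW = 150  # TB; the 860 EVO 250 GB figure quoted in the post

# "Sector Size: 512 bytes logical/physical" or
# "Sector Sizes: 512 bytes logical, 4096 bytes physical"
_SECTOR = re.compile(r"^Sector Sizes?:[ \t]+(\d+) bytes logical", re.M)
# Attribute table rows in -x format: ID NAME FLAGS VALUE WORST THRESH FAIL RAW
_ATTR = re.compile(
    r"^[ \t]*\d+[ \t]+(\S+)[ \t]+[A-Z-]{6}[ \t]+(\d+)[ \t]+\d+[ \t]+\S+[ \t]+\S+[ \t]+(\d+)",
    re.M,
)
# Device Statistics rows: PAGE OFFSET SIZE VALUE FLAGS DESCRIPTION
_STAT = re.compile(
    r"^0x[0-9a-f]{2}[ \t]+0x[0-9a-f]{3}[ \t]+\d+[ \t]+(-?\d+)[ \t]+[A-Z-]{3}[ \t]+(.+?)[ \t]*$",
    re.M,
)


def parse_smartctl(text):
    """Extract logical sector size, attribute raw values and device statistics."""
    m = _SECTOR.search(text)
    if not m:
        raise ValueError("no logical sector size found in smartctl output")
    attrs = {name: {"normalized": int(val), "raw": int(raw)}
             for name, val, raw in _ATTR.findall(text)}
    stats = {desc: int(val) for val, desc in _STAT.findall(text)}
    return {"sector_bytes": int(m.group(1)), "attrs": attrs, "stats": stats}


def wear_report(text, warranted_tbw=WARRANTED_TBW):
    """Compute bytes written and the share of the warranted TBW consumed."""
    d = parse_smartctl(text)
    attr = d["attrs"].get("Total_LBAs_Written", {}).get("raw")
    stat = d["stats"].get("Logical Sectors Written")
    sectors = attr if attr is not None else stat
    if sectors is None:
        raise ValueError("no written-sector counter found in smartctl output")
    written = sectors * d["sector_bytes"]
    tb = written / 1e12  # decimal terabytes, the unit TBW ratings use
    return {
        "bytes_written": written,
        "tb_written": tb,
        "pct_of_warranty": 100 * tb / warranted_tbw,
        # The drive's own estimate, for comparison with the computed share.
        "pct_used_indicator": d["stats"].get("Percentage Used Endurance Indicator"),
        # True/False when both counters are present, None when only one is.
        "counters_agree": (attr == stat) if None not in (attr, stat) else None,
    }


if __name__ == "__main__":
    r = wear_report(SAMPLE_ADA0)
    print(f"{r['bytes_written']:,} bytes = {r['tb_written']:.2f} TB, "
          f"{r['pct_of_warranty']:.1f}% of {WARRANTED_TBW} TBW; "
          f"drive reports {r['pct_used_indicator']}% used")
```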

smartctl for ada1

[16:04 x8dtu dvl ~] % sudo smartctl -x /dev/ada1
smartctl 7.5 2025-04-30 r5714 [FreeBSD 14.2-RELEASE-p1 amd64] (local build)
Copyright (C) 2002-25, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Model Family:     Samsung based SSDs
Device Model:     Samsung SSD 860 EVO 250GB
Serial Number:    S5B4NMFN804351W
LU WWN Device Id: 5 002538 ed08d86c0
Firmware Version: RVT04B6Q
User Capacity:    250,059,350,016 bytes [250 GB]
Sector Size:      512 bytes logical/physical
Rotation Rate:    Solid State Device
Form Factor:      2.5 inches
TRIM Command:     Available, deterministic, zeroed
Device is:        In smartctl database 7.5/5706
ATA Version is:   ACS-4 T13/BSR INCITS 529 revision 5
SATA Version is:  SATA 3.2, 6.0 Gb/s (current: 3.0 Gb/s)
Local Time is:    Tue Jul  8 16:05:06 2025 UTC
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is:   Unavailable
APM feature is:   Unavailable
Rd look-ahead is: Enabled
Write cache is:   Enabled
DSN feature is:   Unavailable
ATA Security is:  Disabled, NOT FROZEN [SEC1]

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status:  (0x00)	Offline data collection activity
					was never started.
					Auto Offline Data Collection: Disabled.
Self-test execution status:      (   0)	The previous self-test routine completed
					without error or no self-test has ever 
					been run.
Total time to complete Offline 
data collection: 		(    0) seconds.
Offline data collection
capabilities: 			 (0x53) SMART execute Offline immediate.
					Auto Offline data collection on/off support.
					Suspend Offline collection upon new
					command.
					No Offline surface scan supported.
					Self-test supported.
					No Conveyance Self-test supported.
					Selective Self-test supported.
SMART capabilities:            (0x0003)	Saves SMART data before entering
					power-saving mode.
					Supports SMART auto save timer.
Error logging capability:        (0x01)	Error logging supported.
					General Purpose Logging supported.
Short self-test routine 
recommended polling time: 	 (   2) minutes.
Extended self-test routine
recommended polling time: 	 (  85) minutes.
SCT capabilities: 	       (0x003d)	SCT Status supported.
					SCT Error Recovery Control supported.
					SCT Feature Control supported.
					SCT Data Table supported.

SMART Attributes Data Structure revision number: 1
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAGS    VALUE WORST THRESH FAIL RAW_VALUE
  5 Reallocated_Sector_Ct   PO--CK   100   100   010    -    0
  9 Power_On_Hours          -O--CK   092   092   000    -    35857
 12 Power_Cycle_Count       -O--CK   099   099   000    -    37
177 Wear_Leveling_Count     PO--C-   085   085   000    -    266
179 Used_Rsvd_Blk_Cnt_Tot   PO--C-   100   100   010    -    0
181 Program_Fail_Cnt_Total  -O--CK   100   100   010    -    0
182 Erase_Fail_Count_Total  -O--CK   100   100   010    -    0
183 Runtime_Bad_Block       PO--C-   100   100   010    -    0
187 Uncorrectable_Error_Cnt -O--CK   100   100   000    -    0
190 Airflow_Temperature_Cel -O--CK   079   056   000    -    21
195 ECC_Error_Rate          -O-RC-   200   200   000    -    0
199 CRC_Error_Count         -OSRCK   100   100   000    -    0
235 POR_Recovery_Count      -O--C-   099   099   000    -    12
241 Total_LBAs_Written      -O--CK   099   099   000    -    51078652989
                            ||||||_ K auto-keep
                            |||||__ C event count
                            ||||___ R error rate
                            |||____ S speed/performance
                            ||_____ O updated online
                            |______ P prefailure warning

General Purpose Log Directory Version 1
SMART           Log Directory Version 1 [multi-sector log support]
Address    Access  R/W   Size  Description
0x00       GPL,SL  R/O      1  Log Directory
0x01           SL  R/O      1  Summary SMART error log
0x02           SL  R/O      1  Comprehensive SMART error log
0x03       GPL     R/O      1  Ext. Comprehensive SMART error log
0x04       GPL,SL  R/O      8  Device Statistics log
0x06           SL  R/O      1  SMART self-test log
0x07       GPL     R/O      1  Extended self-test log
0x09           SL  R/W      1  Selective self-test log
0x10       GPL     R/O      1  NCQ Command Error log
0x11       GPL     R/O      1  SATA Phy Event Counters log
0x13       GPL     R/O      1  SATA NCQ Send and Receive log
0x30       GPL,SL  R/O      9  IDENTIFY DEVICE data log
0x80-0x9f  GPL,SL  R/W     16  Host vendor specific log
0xa1           SL  VS      16  Device vendor specific log
0xa5           SL  VS      16  Device vendor specific log
0xce           SL  VS      16  Device vendor specific log
0xe0       GPL,SL  R/W      1  SCT Command/Status
0xe1       GPL,SL  R/W      1  SCT Data Transfer

SMART Extended Comprehensive Error Log Version: 1 (1 sectors)
No Errors Logged

SMART Extended Self-test Log Version: 1 (1 sectors)
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Short offline       Completed without error       00%     15625         -
# 2  Short offline       Completed without error       00%     15601         -
# 3  Short offline       Completed without error       00%     15577         -
# 4  Short offline       Completed without error       00%     15553         -
# 5  Extended offline    Completed without error       00%     15540         -
# 6  Short offline       Completed without error       00%     15529         -
# 7  Short offline       Completed without error       00%     15505         -
# 8  Short offline       Completed without error       00%     15481         -
# 9  Short offline       Completed without error       00%     15457         -
#10  Short offline       Completed without error       00%     15433         -
#11  Short offline       Completed without error       00%     15409         -
#12  Short offline       Completed without error       00%     15385         -
#13  Extended offline    Completed without error       00%     15372         -
#14  Short offline       Completed without error       00%     15361         -
#15  Short offline       Completed without error       00%     15337         -
#16  Short offline       Completed without error       00%     15313         -
#17  Short offline       Completed without error       00%     15289         -
#18  Short offline       Completed without error       00%     15265         -
#19  Short offline       Completed without error       00%     15241         -

SMART Selective self-test log data structure revision number 1
 SPAN  MIN_LBA  MAX_LBA  CURRENT_TEST_STATUS
    1        0        0  Not_testing
    2        0        0  Not_testing
    3        0        0  Not_testing
    4        0        0  Not_testing
    5        0        0  Not_testing
Selective self-test flags (0x0):
  After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.

SCT Status Version:                  3
SCT Version (vendor specific):       256 (0x0100)
Device State:                        Active (0)
Current Temperature:                    21 Celsius
Power Cycle Min/Max Temperature:     17/34 Celsius
Lifetime    Min/Max Temperature:     15/43 Celsius
Specified Max Operating Temperature:    70 Celsius
Under/Over Temperature Limit Count:   0/0
SMART Status:                        0xc24f (PASSED)

SCT Temperature History Version:     2
Temperature Sampling Period:         1 minute
Temperature Logging Interval:        10 minutes
Min/Max recommended Temperature:      0/70 Celsius
Min/Max Temperature Limit:            0/70 Celsius
Temperature History Size (Index):    128 (22)

Index    Estimated Time   Temperature Celsius
  23    2025-07-07 18:50    21  **
  24    2025-07-07 19:00    21  **
  25    2025-07-07 19:10    22  ***
  26    2025-07-07 19:20    21  **
  27    2025-07-07 19:30    22  ***
  28    2025-07-07 19:40    20  *
  29    2025-07-07 19:50    20  *
  30    2025-07-07 20:00    20  *
  31    2025-07-07 20:10    21  **
  32    2025-07-07 20:20    21  **
  33    2025-07-07 20:30    21  **
  34    2025-07-07 20:40    22  ***
  35    2025-07-07 20:50    22  ***
  36    2025-07-07 21:00    22  ***
  37    2025-07-07 21:10    21  **
  38    2025-07-07 21:20    22  ***
  39    2025-07-07 21:30    21  **
  40    2025-07-07 21:40    21  **
  41    2025-07-07 21:50    24  *****
  42    2025-07-07 22:00    22  ***
  43    2025-07-07 22:10    21  **
 ...    ..(  4 skipped).    ..  **
  48    2025-07-07 23:00    21  **
  49    2025-07-07 23:10    22  ***
  50    2025-07-07 23:20    21  **
 ...    ..(  9 skipped).    ..  **
  60    2025-07-08 01:00    21  **
  61    2025-07-08 01:10    23  ****
  62    2025-07-08 01:20    22  ***
  63    2025-07-08 01:30    22  ***
  64    2025-07-08 01:40    22  ***
  65    2025-07-08 01:50    21  **
  66    2025-07-08 02:00    21  **
  67    2025-07-08 02:10    31  ************
  68    2025-07-08 02:20    23  ****
  69    2025-07-08 02:30    25  ******
  70    2025-07-08 02:40    22  ***
 ...    ..(  3 skipped).    ..  ***
  74    2025-07-08 03:20    22  ***
  75    2025-07-08 03:30    23  ****
  76    2025-07-08 03:40    23  ****
  77    2025-07-08 03:50    22  ***
  78    2025-07-08 04:00    22  ***
  79    2025-07-08 04:10    23  ****
  80    2025-07-08 04:20    22  ***
  81    2025-07-08 04:30    22  ***
  82    2025-07-08 04:40    23  ****
  83    2025-07-08 04:50    24  *****
  84    2025-07-08 05:00    24  *****
  85    2025-07-08 05:10    22  ***
 ...    ..(  2 skipped).    ..  ***
  88    2025-07-08 05:40    22  ***
  89    2025-07-08 05:50    23  ****
  90    2025-07-08 06:00    23  ****
  91    2025-07-08 06:10    24  *****
  92    2025-07-08 06:20    23  ****
 ...    ..(  2 skipped).    ..  ****
  95    2025-07-08 06:50    23  ****
  96    2025-07-08 07:00    24  *****
  97    2025-07-08 07:10    23  ****
  98    2025-07-08 07:20    24  *****
  99    2025-07-08 07:30    23  ****
 100    2025-07-08 07:40    23  ****
 101    2025-07-08 07:50    22  ***
 102    2025-07-08 08:00    21  **
 103    2025-07-08 08:10    23  ****
 104    2025-07-08 08:20    24  *****
 105    2025-07-08 08:30    24  *****
 106    2025-07-08 08:40    23  ****
 107    2025-07-08 08:50    23  ****
 108    2025-07-08 09:00    24  *****
 109    2025-07-08 09:10    22  ***
 110    2025-07-08 09:20    22  ***
 111    2025-07-08 09:30    24  *****
 112    2025-07-08 09:40    22  ***
 113    2025-07-08 09:50    23  ****
 114    2025-07-08 10:00    22  ***
 115    2025-07-08 10:10    23  ****
 116    2025-07-08 10:20    23  ****
 117    2025-07-08 10:30    23  ****
 118    2025-07-08 10:40    22  ***
 119    2025-07-08 10:50    24  *****
 120    2025-07-08 11:00    23  ****
 121    2025-07-08 11:10    22  ***
 122    2025-07-08 11:20    23  ****
 123    2025-07-08 11:30    23  ****
 124    2025-07-08 11:40    22  ***
 125    2025-07-08 11:50    22  ***
 126    2025-07-08 12:00    23  ****
 127    2025-07-08 12:10    22  ***
   0    2025-07-08 12:20    22  ***
   1    2025-07-08 12:30    22  ***
   2    2025-07-08 12:40    23  ****
   3    2025-07-08 12:50    22  ***
 ...    ..(  2 skipped).    ..  ***
   6    2025-07-08 13:20    22  ***
   7    2025-07-08 13:30    23  ****
   8    2025-07-08 13:40    22  ***
 ...    ..(  6 skipped).    ..  ***
  15    2025-07-08 14:50    22  ***
  16    2025-07-08 15:00    21  **
  17    2025-07-08 15:10    20  *
 ...    ..(  4 skipped).    ..  *
  22    2025-07-08 16:00    20  *

SCT Error Recovery Control:
           Read: Disabled
          Write: Disabled

Device Statistics (GP Log 0x04)
Page  Offset Size        Value Flags Description
0x01  =====  =               =  ===  == General Statistics (rev 1) ==
0x01  0x008  4              37  ---  Lifetime Power-On Resets
0x01  0x010  4           35857  ---  Power-on Hours
0x01  0x018  6     51078652989  ---  Logical Sectors Written
0x01  0x020  6      1196544735  ---  Number of Write Commands
0x01  0x028  6     25310316793  ---  Logical Sectors Read
0x01  0x030  6       153107931  ---  Number of Read Commands
0x01  0x038  6         2919000  ---  Date and Time TimeStamp
0x04  =====  =               =  ===  == General Errors Statistics (rev 1) ==
0x04  0x008  4               0  ---  Number of Reported Uncorrectable Errors
0x04  0x010  4               0  ---  Resets Between Cmd Acceptance and Completion
0x05  =====  =               =  ===  == Temperature Statistics (rev 1) ==
0x05  0x008  1              21  ---  Current Temperature
0x05  0x020  1              43  ---  Highest Temperature
0x05  0x028  1              15  ---  Lowest Temperature
0x05  0x058  1              70  ---  Specified Maximum Operating Temperature
0x06  =====  =               =  ===  == Transport Statistics (rev 1) ==
0x06  0x008  4             654  ---  Number of Hardware Resets
0x06  0x010  4               0  ---  Number of ASR Events
0x06  0x018  4               0  ---  Number of Interface CRC Errors
0x07  =====  =               =  ===  == Solid State Device Statistics (rev 1) ==
0x07  0x008  1              15  N--  Percentage Used Endurance Indicator
                                |||_ C monitored condition met
                                ||__ D supports DSN
                                |___ N normalized value

Pending Defects log (GP Log 0x0c) not supported

SATA Phy Event Counters (GP Log 0x11)
ID      Size     Value  Description
0x0001  2            0  Command failed due to ICRC error
0x0002  2            0  R_ERR response for data FIS
0x0003  2            0  R_ERR response for device-to-host data FIS
0x0004  2            0  R_ERR response for host-to-device data FIS
0x0005  2            0  R_ERR response for non-data FIS
0x0006  2            0  R_ERR response for device-to-host non-data FIS
0x0007  2            0  R_ERR response for host-to-device non-data FIS
0x0008  2            0  Device-to-host non-data FIS retries
0x0009  2           20  Transition from drive PhyRdy to drive PhyNRdy
0x000a  2           17  Device-to-host register FISes sent due to a COMRESET
0x000b  2            0  CRC errors within host-to-device FIS
0x000d  2            0  Non-CRC errors within host-to-device FIS
0x000f  2            0  R_ERR response for host-to-device data FIS, CRC
0x0010  2            0  R_ERR response for host-to-device data FIS, non-CRC
0x0012  2            0  R_ERR response for host-to-device non-data FIS, CRC
0x0013  2            0  R_ERR response for host-to-device non-data FIS, non-CRC

smartctl for ada0

And the other one:

[16:08 x8dtu dvl ~] % sudo smartctl -x /dev/ada0
smartctl 7.5 2025-04-30 r5714 [FreeBSD 14.2-RELEASE-p1 amd64] (local build)
Copyright (C) 2002-25, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Model Family:     Samsung based SSDs
Device Model:     Samsung SSD 860 EVO 250GB
Serial Number:    S5B4NMFN804278V
LU WWN Device Id: 5 002538 ed08d8677
Firmware Version: RVT04B6Q
User Capacity:    250,059,350,016 bytes [250 GB]
Sector Size:      512 bytes logical/physical
Rotation Rate:    Solid State Device
Form Factor:      2.5 inches
TRIM Command:     Available, deterministic, zeroed
Device is:        In smartctl database 7.5/5706
ATA Version is:   ACS-4 T13/BSR INCITS 529 revision 5
SATA Version is:  SATA 3.2, 6.0 Gb/s (current: 3.0 Gb/s)
Local Time is:    Tue Jul  8 16:08:41 2025 UTC
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is:   Unavailable
APM feature is:   Unavailable
Rd look-ahead is: Enabled
Write cache is:   Enabled
DSN feature is:   Unavailable
ATA Security is:  Disabled, NOT FROZEN [SEC1]

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status:  (0x00)	Offline data collection activity
					was never started.
					Auto Offline Data Collection: Disabled.
Self-test execution status:      (   0)	The previous self-test routine completed
					without error or no self-test has ever 
					been run.
Total time to complete Offline 
data collection: 		(    0) seconds.
Offline data collection
capabilities: 			 (0x53) SMART execute Offline immediate.
					Auto Offline data collection on/off support.
					Suspend Offline collection upon new
					command.
					No Offline surface scan supported.
					Self-test supported.
					No Conveyance Self-test supported.
					Selective Self-test supported.
SMART capabilities:            (0x0003)	Saves SMART data before entering
					power-saving mode.
					Supports SMART auto save timer.
Error logging capability:        (0x01)	Error logging supported.
					General Purpose Logging supported.
Short self-test routine 
recommended polling time: 	 (   2) minutes.
Extended self-test routine
recommended polling time: 	 (  85) minutes.
SCT capabilities: 	       (0x003d)	SCT Status supported.
					SCT Error Recovery Control supported.
					SCT Feature Control supported.
					SCT Data Table supported.

SMART Attributes Data Structure revision number: 1
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAGS    VALUE WORST THRESH FAIL RAW_VALUE
  5 Reallocated_Sector_Ct   PO--CK   100   100   010    -    0
  9 Power_On_Hours          -O--CK   092   092   000    -    35857
 12 Power_Cycle_Count       -O--CK   099   099   000    -    37
177 Wear_Leveling_Count     PO--C-   085   085   000    -    255
179 Used_Rsvd_Blk_Cnt_Tot   PO--C-   100   100   010    -    0
181 Program_Fail_Cnt_Total  -O--CK   100   100   010    -    0
182 Erase_Fail_Count_Total  -O--CK   100   100   010    -    0
183 Runtime_Bad_Block       PO--C-   100   100   010    -    0
187 Uncorrectable_Error_Cnt -O--CK   100   100   000    -    0
190 Airflow_Temperature_Cel -O--CK   080   055   000    -    20
195 ECC_Error_Rate          -O-RC-   200   200   000    -    0
199 CRC_Error_Count         -OSRCK   100   100   000    -    0
235 POR_Recovery_Count      -O--C-   099   099   000    -    8
241 Total_LBAs_Written      -O--CK   099   099   000    -    51078678193
                            ||||||_ K auto-keep
                            |||||__ C event count
                            ||||___ R error rate
                            |||____ S speed/performance
                            ||_____ O updated online
                            |______ P prefailure warning

General Purpose Log Directory Version 1
SMART           Log Directory Version 1 [multi-sector log support]
Address    Access  R/W   Size  Description
0x00       GPL,SL  R/O      1  Log Directory
0x01           SL  R/O      1  Summary SMART error log
0x02           SL  R/O      1  Comprehensive SMART error log
0x03       GPL     R/O      1  Ext. Comprehensive SMART error log
0x04       GPL,SL  R/O      8  Device Statistics log
0x06           SL  R/O      1  SMART self-test log
0x07       GPL     R/O      1  Extended self-test log
0x09           SL  R/W      1  Selective self-test log
0x10       GPL     R/O      1  NCQ Command Error log
0x11       GPL     R/O      1  SATA Phy Event Counters log
0x13       GPL     R/O      1  SATA NCQ Send and Receive log
0x30       GPL,SL  R/O      9  IDENTIFY DEVICE data log
0x80-0x9f  GPL,SL  R/W     16  Host vendor specific log
0xa1           SL  VS      16  Device vendor specific log
0xa5           SL  VS      16  Device vendor specific log
0xce           SL  VS      16  Device vendor specific log
0xe0       GPL,SL  R/W      1  SCT Command/Status
0xe1       GPL,SL  R/W      1  SCT Data Transfer

SMART Extended Comprehensive Error Log Version: 1 (1 sectors)
No Errors Logged

SMART Extended Self-test Log Version: 1 (1 sectors)
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Short offline       Completed without error       00%     15625         -
# 2  Short offline       Completed without error       00%     15601         -
# 3  Short offline       Completed without error       00%     15577         -
# 4  Short offline       Completed without error       00%     15553         -
# 5  Short offline       Completed without error       00%     15529         -
# 6  Short offline       Completed without error       00%     15505         -
# 7  Extended offline    Completed without error       00%     15492         -
# 8  Short offline       Completed without error       00%     15481         -
# 9  Short offline       Completed without error       00%     15457         -
#10  Short offline       Completed without error       00%     15433         -
#11  Short offline       Completed without error       00%     15409         -
#12  Short offline       Completed without error       00%     15385         -
#13  Short offline       Completed without error       00%     15361         -
#14  Short offline       Completed without error       00%     15337         -
#15  Extended offline    Completed without error       00%     15324         -
#16  Short offline       Completed without error       00%     15313         -
#17  Short offline       Completed without error       00%     15289         -
#18  Short offline       Completed without error       00%     15265         -
#19  Short offline       Completed without error       00%     15241         -

SMART Selective self-test log data structure revision number 1
 SPAN  MIN_LBA  MAX_LBA  CURRENT_TEST_STATUS
    1        0        0  Not_testing
    2        0        0  Not_testing
    3        0        0  Not_testing
    4        0        0  Not_testing
    5        0        0  Not_testing
Selective self-test flags (0x0):
  After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.

SCT Status Version:                  3
SCT Version (vendor specific):       256 (0x0100)
Device State:                        Active (0)
Current Temperature:                    20 Celsius
Power Cycle Min/Max Temperature:     17/40 Celsius
Lifetime    Min/Max Temperature:     15/45 Celsius
Specified Max Operating Temperature:    70 Celsius
Under/Over Temperature Limit Count:   0/0
SMART Status:                        0xc24f (PASSED)

SCT Temperature History Version:     2
Temperature Sampling Period:         1 minute
Temperature Logging Interval:        10 minutes
Min/Max recommended Temperature:      0/70 Celsius
Min/Max Temperature Limit:            0/70 Celsius
Temperature History Size (Index):    128 (16)

Index    Estimated Time   Temperature Celsius
  17    2025-07-07 18:50    21  **
  18    2025-07-07 19:00    22  ***
  19    2025-07-07 19:10    21  **
  20    2025-07-07 19:20    22  ***
  21    2025-07-07 19:30    20  *
  22    2025-07-07 19:40    21  **
  23    2025-07-07 19:50    20  *
  24    2025-07-07 20:00    20  *
  25    2025-07-07 20:10    21  **
  26    2025-07-07 20:20    21  **
  27    2025-07-07 20:30    22  ***
  28    2025-07-07 20:40    22  ***
  29    2025-07-07 20:50    22  ***
  30    2025-07-07 21:00    21  **
  31    2025-07-07 21:10    22  ***
  32    2025-07-07 21:20    21  **
  33    2025-07-07 21:30    21  **
  34    2025-07-07 21:40    23  ****
  35    2025-07-07 21:50    22  ***
  36    2025-07-07 22:00    21  **
 ...    ..( 16 skipped).    ..  **
  53    2025-07-08 00:50    21  **
  54    2025-07-08 01:00    23  ****
  55    2025-07-08 01:10    22  ***
  56    2025-07-08 01:20    22  ***
  57    2025-07-08 01:30    21  **
  58    2025-07-08 01:40    21  **
  59    2025-07-08 01:50    21  **
  60    2025-07-08 02:00    32  *************
  61    2025-07-08 02:10    23  ****
  62    2025-07-08 02:20    24  *****
  63    2025-07-08 02:30    22  ***
 ...    ..(  3 skipped).    ..  ***
  67    2025-07-08 03:10    22  ***
  68    2025-07-08 03:20    23  ****
  69    2025-07-08 03:30    23  ****
  70    2025-07-08 03:40    22  ***
  71    2025-07-08 03:50    22  ***
  72    2025-07-08 04:00    23  ****
  73    2025-07-08 04:10    22  ***
  74    2025-07-08 04:20    22  ***
  75    2025-07-08 04:30    23  ****
  76    2025-07-08 04:40    23  ****
  77    2025-07-08 04:50    23  ****
  78    2025-07-08 05:00    22  ***
  79    2025-07-08 05:10    22  ***
  80    2025-07-08 05:20    21  **
  81    2025-07-08 05:30    22  ***
  82    2025-07-08 05:40    23  ****
  83    2025-07-08 05:50    23  ****
  84    2025-07-08 06:00    24  *****
  85    2025-07-08 06:10    23  ****
 ...    ..(  7 skipped).    ..  ****
  93    2025-07-08 07:30    23  ****
  94    2025-07-08 07:40    22  ***
  95    2025-07-08 07:50    21  **
  96    2025-07-08 08:00    23  ****
  97    2025-07-08 08:10    23  ****
  98    2025-07-08 08:20    24  *****
  99    2025-07-08 08:30    22  ***
 100    2025-07-08 08:40    23  ****
 101    2025-07-08 08:50    23  ****
 102    2025-07-08 09:00    22  ***
 103    2025-07-08 09:10    22  ***
 104    2025-07-08 09:20    24  *****
 105    2025-07-08 09:30    22  ***
 106    2025-07-08 09:40    23  ****
 107    2025-07-08 09:50    22  ***
 108    2025-07-08 10:00    23  ****
 109    2025-07-08 10:10    23  ****
 110    2025-07-08 10:20    23  ****
 111    2025-07-08 10:30    22  ***
 112    2025-07-08 10:40    24  *****
 113    2025-07-08 10:50    23  ****
 114    2025-07-08 11:00    22  ***
 115    2025-07-08 11:10    23  ****
 116    2025-07-08 11:20    23  ****
 117    2025-07-08 11:30    22  ***
 118    2025-07-08 11:40    21  **
 119    2025-07-08 11:50    23  ****
 120    2025-07-08 12:00    23  ****
 121    2025-07-08 12:10    21  **
 122    2025-07-08 12:20    21  **
 123    2025-07-08 12:30    23  ****
 124    2025-07-08 12:40    22  ***
 125    2025-07-08 12:50    22  ***
 126    2025-07-08 13:00    22  ***
 127    2025-07-08 13:10    21  **
   0    2025-07-08 13:20    22  ***
   1    2025-07-08 13:30    21  **
   2    2025-07-08 13:40    21  **
   3    2025-07-08 13:50    22  ***
 ...    ..(  4 skipped).    ..  ***
   8    2025-07-08 14:40    22  ***
   9    2025-07-08 14:50    21  **
  10    2025-07-08 15:00    20  *
 ...    ..(  5 skipped).    ..  *
  16    2025-07-08 16:00    20  *

SCT Error Recovery Control:
           Read: Disabled
          Write: Disabled

Device Statistics (GP Log 0x04)
Page  Offset Size        Value Flags Description
0x01  =====  =               =  ===  == General Statistics (rev 1) ==
0x01  0x008  4              37  ---  Lifetime Power-On Resets
0x01  0x010  4           35857  ---  Power-on Hours
0x01  0x018  6     51078678193  ---  Logical Sectors Written
0x01  0x020  6      1204070085  ---  Number of Write Commands
0x01  0x028  6     25293930618  ---  Logical Sectors Read
0x01  0x030  6       152874502  ---  Number of Read Commands
0x01  0x038  6         2820000  ---  Date and Time TimeStamp
0x04  =====  =               =  ===  == General Errors Statistics (rev 1) ==
0x04  0x008  4               0  ---  Number of Reported Uncorrectable Errors
0x04  0x010  4               0  ---  Resets Between Cmd Acceptance and Completion
0x05  =====  =               =  ===  == Temperature Statistics (rev 1) ==
0x05  0x008  1              20  ---  Current Temperature
0x05  0x020  1              45  ---  Highest Temperature
0x05  0x028  1              15  ---  Lowest Temperature
0x05  0x058  1              70  ---  Specified Maximum Operating Temperature
0x06  =====  =               =  ===  == Transport Statistics (rev 1) ==
0x06  0x008  4             677  ---  Number of Hardware Resets
0x06  0x010  4               0  ---  Number of ASR Events
0x06  0x018  4               0  ---  Number of Interface CRC Errors
0x07  =====  =               =  ===  == Solid State Device Statistics (rev 1) ==
0x07  0x008  1              14  N--  Percentage Used Endurance Indicator
                                |||_ C monitored condition met
                                ||__ D supports DSN
                                |___ N normalized value

Pending Defects log (GP Log 0x0c) not supported

SATA Phy Event Counters (GP Log 0x11)
ID      Size     Value  Description
0x0001  2            0  Command failed due to ICRC error
0x0002  2            0  R_ERR response for data FIS
0x0003  2            0  R_ERR response for device-to-host data FIS
0x0004  2            0  R_ERR response for host-to-device data FIS
0x0005  2            0  R_ERR response for non-data FIS
0x0006  2            0  R_ERR response for device-to-host non-data FIS
0x0007  2            0  R_ERR response for host-to-device non-data FIS
0x0008  2            0  Device-to-host non-data FIS retries
0x0009  2           20  Transition from drive PhyRdy to drive PhyNRdy
0x000a  2           17  Device-to-host register FISes sent due to a COMRESET
0x000b  2            0  CRC errors within host-to-device FIS
0x000d  2            0  Non-CRC errors within host-to-device FIS
0x000f  2            0  R_ERR response for host-to-device data FIS, CRC
0x0010  2            0  R_ERR response for host-to-device data FIS, non-CRC
0x0012  2            0  R_ERR response for host-to-device non-data FIS, CRC
0x0013  2            0  R_ERR response for host-to-device non-data FIS, non-CRC

Big Tech’s Mixed Response to U.S. Treasury Sanctions

Post by Brian Krebs via Krebs on Security »

In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But a new report finds the accused continues to operate a slew of established accounts at American tech companies — including Facebook, GitHub, PayPal and Twitter/X.

On May 29, the U.S. Department of the Treasury announced economic sanctions against Funnull Technology Inc., a Philippines-based company alleged to provide infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was designed as a content delivery network that catered to foreign cybercriminals seeking to route their traffic through U.S.-based cloud providers.

The Treasury also sanctioned Funnull’s alleged operator, a 40-year-old Chinese national named Liu “Steve” Lizhi. The government says Funnull directly facilitated financial schemes resulting in more than $200 million in financial losses by Americans, and that the company’s operations were linked to the majority of pig butchering scams reported to the FBI.

It is generally illegal for U.S. companies or individuals to transact with people sanctioned by the Treasury. However, as Mr. Lizhi’s case makes clear, just because someone is sanctioned doesn’t necessarily mean big tech companies are going to suspend their online accounts.

The government says Lizhi was born November 13, 1984, and used the nicknames “XXL4” and “Nice Lizhi.” Nevertheless, Steve Liu’s 17-year-old account on LinkedIn (in the name “Liulizhi”) had hundreds of followers (Lizhi’s LinkedIn profile helpfully confirms his birthday) until quite recently: The account was deleted this morning, just hours after KrebsOnSecurity sought comment from LinkedIn.

Mr. Lizhi’s LinkedIn account was suspended sometime in the last 24 hours, after KrebsOnSecurity sought comment from LinkedIn.

In an emailed response, a LinkedIn spokesperson said the company’s “Prohibited countries policy” states that LinkedIn “does not sell, license, support or otherwise make available its Premium accounts or other paid products and services to individuals and companies sanctioned by the U.S. government.” LinkedIn declined to say whether the profile in question was a premium or free account.

Mr. Lizhi also maintains a working PayPal account under the name Liu Lizhi and username “@nicelizhi,” another nickname listed in the Treasury sanctions. A 15-year-old Twitter/X account named “Lizhi” that links to Mr. Lizhi’s personal domain remains active, although it has few followers and hasn’t posted in years.

These accounts and many others were flagged by the security firm Silent Push, which has been tracking Funnull’s operations for the past year and calling out U.S. cloud providers like Amazon and Microsoft for failing to more quickly sever ties with the company.

Liu Lizhi’s PayPal account.

In a report released today, Silent Push found Lizhi still operates numerous Facebook accounts and groups, including a private Facebook account under the name Liu Lizhi. Another Facebook account clearly connected to Lizhi is a tourism page for Ganzhou, China called “EnjoyGanzhou” that was named in the Treasury Department sanctions.

“This guy is the technical administrator for the infrastructure that is hosting a majority of scams targeting people in the United States, and hundreds of millions have been lost based on the websites he’s been hosting,” said Zach Edwards, senior threat researcher at Silent Push. “It’s crazy that the vast majority of big tech companies haven’t done anything to cut ties with this guy.”

The FBI says it received nearly 150,000 complaints last year involving digital assets and $9.3 billion in losses — a 66 percent increase from the previous year. Investment scams were the top crypto-related crimes reported, with $5.8 billion in losses.

In a statement, a Meta spokesperson said the company continuously takes steps to meet its legal obligations, but that sanctions laws are complex and varied. They explained that sanctions are often targeted in nature and don’t always prohibit people from having a presence on its platform. Nevertheless, Meta confirmed it had removed the account, unpublished Pages, and removed Groups and events associated with the user for violating its policies.

Attempts to reach Mr. Lizhi via his primary email addresses at Hotmail and Gmail bounced as undeliverable. Likewise, his 14-year-old YouTube channel appears to have been taken down recently.

However, anyone interested in viewing or using Mr. Lizhi’s 146 computer code repositories will have no problem finding GitHub accounts for him, including one registered under the NiceLizhi and XXL4 nicknames mentioned in the Treasury sanctions.

One of multiple GitHub profiles used by Liu “Steve” Lizhi, who uses the nickname XXL4 (a moniker listed in the Treasury sanctions for Mr. Lizhi).

Mr. Lizhi also operates a GitHub page for an open source e-commerce platform called NexaMerchant, which advertises itself as a payment gateway working with numerous American financial institutions. Interestingly, this profile’s “followers” page shows several other accounts that appear to be Mr. Lizhi’s. All of the account’s followers are tagged as “suspended,” even though that suspended message does not display when one visits those individual profiles.

In response to questions, GitHub said it has a process in place to identify when users and customers are Specially Designated Nationals or other denied or blocked parties, but that it locks those accounts instead of removing them. According to its policy, GitHub takes care that users and customers aren’t impacted beyond what is required by law.

All of the follower accounts for the XXL4 GitHub account appear to be Mr. Lizhi’s, and have been suspended by GitHub, but their code is still accessible.

“This includes keeping public repositories, including those for open source projects, available and accessible to support personal communications involving developers in sanctioned regions,” the policy states. “This also means GitHub will advocate for developers in sanctioned regions to enjoy greater access to the platform and full access to the global open source community.”

Edwards said it’s great that GitHub has a process for handling sanctioned accounts, but that the process doesn’t seem to communicate risk in a transparent way, noting that the only indicator on the locked accounts is the message, “This repository has been archived by the owner. It is now read-only.”

“It’s an odd message that doesn’t communicate, ‘This is a sanctioned entity, don’t fork this code or use it in a production environment’,” Edwards said.

Mark Rasch is a former federal cybercrime prosecutor who now serves as counsel for the New York City based security consulting firm Unit 221B. Rasch said when Treasury’s Office of Foreign Assets Control (OFAC) sanctions a person or entity, it then becomes illegal for businesses or organizations to transact with the sanctioned party.

Rasch said financial institutions have very mature systems for severing accounts tied to people who become subject to OFAC sanctions, but that tech companies may be far less proactive — particularly with free accounts.

“Banks have established ways of checking [U.S. government sanctions lists] for sanctioned entities, but tech companies don’t necessarily do a good job with that, especially for services that you can just click and sign up for,” Rasch said. “It’s potentially a risk and liability for the tech companies involved, but only to the extent OFAC is willing to enforce it.”

Liu Lizhi operates numerous Facebook accounts and groups, including this one for an entity specified in the OFAC sanctions: The “Enjoy Ganzhou” tourism page for Ganzhou, China. Image: Silent Push.

In July 2024, Funnull purchased the domain polyfill[.]io, the longtime home of a legitimate open source project that allowed websites to ensure that devices using legacy browsers could still render content in newer formats. After the Polyfill domain changed hands, at least 384,000 websites were caught in a supply-chain attack that redirected visitors to malicious sites. According to the Treasury, Funnull used the code to redirect people to scam websites and online gambling sites, some of which were linked to Chinese criminal money laundering operations.

The U.S. government says Funnull provides domain names for websites on its purchased IP addresses, using domain generation algorithms (DGAs) — programs that generate large numbers of similar but unique names for websites — and that it sells web design templates to cybercriminals.

“These services not only make it easier for cybercriminals to impersonate trusted brands when creating scam websites, but also allow them to quickly change to different domain names and IP addresses when legitimate providers attempt to take the websites down,” reads a Treasury statement.

Meanwhile, Funnull appears to be morphing nearly all aspects of its business in the wake of the sanctions, Edwards said.

“Whereas before they might have used 60 DGA domains to hide and bounce their traffic, we’re seeing far more now,” he said. “They’re trying to make their infrastructure harder to track and more complicated, so for now they’re not going away but more just changing what they’re doing. And a lot more organizations should be holding their feet to the fire.”

Update, 2:48 PM ET: Added response from Meta, which confirmed it has closed the accounts and groups connected to Mr. Lizhi.

Update, July 7, 6:56 p.m. ET: In a written statement, PayPal said it continually works to combat and prevent the illicit use of its services.

“We devote significant resources globally to financial crime compliance, and we proactively refer cases to and assist law enforcement officials around the world in their efforts to identify, investigate and stop illegal activity,” the statement reads.


An Introduction to FreeBSD’s Periodic System

Post by FreeBSD Foundation via FreeBSD Foundation »

The FreeBSD periodic utility is a built-in system to schedule and run regular (daily, weekly, monthly) maintenance jobs in the form of shell scripts. They include system health checks, security audits, and cleanup jobs. Custom jobs integrate into the existing framework thanks to periodic’s modular structure.

In this post, we look at how to use the periodic scripts provided by the system and how to integrate a script of our own.

Locations of periodic scripts

The following directories contain scripts intended to run via the periodic system:

  • /etc/periodic/daily, /etc/periodic/weekly, /etc/periodic/monthly: scripts that should run at specific time periods (i.e. weekly on a weekly basis).
  • /etc/periodic/security: Security-related checks for parts of the system like activated firewalls or login failures.
  • /usr/local/etc/periodic/daily, /usr/local/etc/periodic/weekly: third-party scripts that typically come from ports or packages and are time based. For example, to rotate nginx log files or backup pkg files.
  • /usr/local/etc/periodic/security: Security checks that come from third-party sources like ports or packages. A typical example is a script to run pkg audit.

The scheduling itself happens due to the following three lines in /etc/crontab:

1       3       *       *       *       root    periodic daily
15      4       *       *       6       root    periodic weekly
30      5       1       *       *       root    periodic monthly

To configure the periodic system itself and which scripts it should run, FreeBSD provides a separate configuration file /etc/periodic.conf. By default, the file is empty or does not even exist. The /etc/defaults/ directory provides a well documented example file. More details are in the periodic.conf(5) man page.

For example, to activate the daily backup of the /etc/passwd and /etc/group files, implemented by the script /etc/periodic/daily/200.backup-passwd, add this line to /etc/periodic.conf:

daily_backup_passwd_enable="YES"

The prefix number (200 in our example) does not need to be provided. The number determines the order in which scripts of the same category (here: daily) run. List each script that should run on its own line in this file.

When those scripts execute, any output produced is mailed to the system administrator account (root). To redirect the output to a file in /var/log instead add these lines for each of the daily, weekly, and monthly scripts, respectively:

daily_output=/var/log/daily.log
weekly_output=/var/log/weekly.log
monthly_output=/var/log/monthly.log

The filenames may be arbitrarily chosen, as long as they don’t use the same name as a different log file already present. With this approach, these logs get rotated when they become too big. Lines in /etc/newsyslog.conf take care of this rotation for the three filenames used above.

Adding a custom periodic script

The custom script below checks whether any ZFS pool found in the system has reached a capacity of 80 percent or more. If that is the case, a warning message reports the current value and the pool it concerns:

#!/bin/sh

# Load the periodic defaults and any local overrides from /etc/periodic.conf.
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

# Defaults used when /etc/periodic.conf does not set these variables.
: ${zfs_pool_usage_enable:="YES"}
: ${zfs_pool_usage_threshold:=80}

# Do nothing unless the check is enabled.
[ "$zfs_pool_usage_enable" = "YES" ] || exit 0

echo ""
echo "Checking ZFS pool usage (threshold: ${zfs_pool_usage_threshold}%)..."

# -H prints one "name<TAB>capacity" line per pool, without a header line.
zpool list -H -o name,capacity | while read -r pool usage; do
    percent=${usage%%%}  # remove the '%' sign
    if [ "${percent}" -ge "${zfs_pool_usage_threshold}" ]; then
        echo "WARNING: ZFS pool '${pool}' is ${percent}% full!"
    else
        echo "OK: ZFS pool '${pool}' is below capacity threshold (${percent}%)."
    fi
done

exit 0

Next, make the script executable using elevated privileges:

chmod +x /etc/periodic/daily/405.zfs_pool_usage

We activate the script from the global configuration file /etc/periodic.conf and lower the threshold to 75 percent:

daily_show_success="YES"
zfs_pool_usage_enable="YES"
zfs_pool_usage_threshold="75"

If the zfs_pool_usage_threshold line is missing the script will use the builtin value of 80 percent. The daily_show_success is there to see script output in the log file. Having this value set to NO during tests will cause a lot of head scratching as you will not see any log output, whereas manual script execution works fine.

To test the script, run this command with root privileges:

periodic daily

This may take a while as it will go through each daily script to see which needs to run (because we configured it to do so). At the end, you will have new lines at the end of your /var/log/daily.log with the script outputs.

Here is an example output from one of my systems:

Checking ZFS pool usage (threshold: 75%)...
OK: ZFS pool 'data' is below capacity threshold (6%).
OK: ZFS pool 'zroot' is below capacity threshold (27%).

Some advice for your own scripts:

  • Ensure the scripts do not run too long
  • Use proper exit codes (i.e. 0 upon successful execution, nonzero for failures)
  • Reduce script output to essential messages to avoid logs growing too fast
  • Bear in mind that scripts run non-interactively; do not wait for user input or run commands that require it
  • Add error handling to catch edge cases and communicate these states; do not let the script fail silently
  • Test your scripts by calling them manually and separately via calls to periodic (see above)
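The advice on exit codes and error handling above, applied to the ZFS check as an added example (not the post's own script). The return codes follow periodic(8); mapping a pool over the threshold or an unreadable capacity to code 3 is this example's choice, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Return codes as in periodic(8):
#   0  nothing notable    (shown only if daily_show_success="YES")
#   1  informational      (masked by daily_show_info="NO")
#   2  bad configuration  (masked by daily_show_badconfig="NO")
#   3  notable output that must not be masked
# Using 3 for "pool over threshold" and "capacity unreadable" is an
# assumption of this example.

# True if $1 is a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_pool_usage THRESHOLD
# Reads "name<TAB>capacity%" lines on stdin, the format printed by
# `zpool list -H -o name,capacity`. Pools below the threshold produce no
# output, which keeps the log limited to essential messages.
check_pool_usage() {
    threshold=$1
    rc=0
    seen=0

    if ! is_uint "$threshold" || [ "$threshold" -gt 100 ]; then
        echo "zfs_pool_usage_threshold='${threshold}' is not a percentage (0-100)"
        return 2
    fi

    while read -r pool usage; do
        [ -n "$pool" ] || continue
        seen=1
        percent=${usage%\%}            # strip the trailing '%'
        if ! is_uint "$percent"; then
            # e.g. a pool that reports '-' instead of a number
            echo "ERROR: ZFS pool '${pool}' reports capacity '${usage}'"
            rc=3
        elif [ "$percent" -ge "$threshold" ]; then
            echo "WARNING: ZFS pool '${pool}' is ${percent}% full!"
            rc=3
        fi
    done

    # No input at all: zpool failed or there are no pools. Say so instead
    # of failing silently.
    if [ "$seen" -eq 0 ]; then
        echo "No ZFS pools found."
        [ "$rc" -ne 0 ] || rc=1
    fi
    return "$rc"
}

# Constructed sample input standing in for `zpool list -H -o name,capacity`.
sample_rc=0
printf 'data\t6%%\nzroot\t81%%\nscratch\t-\n' | check_pool_usage 75 || sample_rc=$?
echo "exit code: ${sample_rc}"

# In an installed periodic script the last lines would instead be:
#   zpool list -H -o name,capacity | check_pool_usage "$zfs_pool_usage_threshold"
#   exit $?
```
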

Summary

With these tips in hand, you should be able to add all kinds of useful tasks to your system. Look in the directories listed above to see what kind of functionality is already available and avoid reinventing the wheel. Also, when installing ports, see if they provide any periodic scripts under /usr/local/etc/periodic. They are provided for a reason and will fit nicely into your existing scheduled tasks.

Get Involved!

We’re dropping new posts — and videos — for technical topics regularly. So make sure you’re subscribed to the YouTube channel and following this feed in your favorite RSS reader. There’s also the newsletter, if you’d like to receive updates by email.

We’d like this content series to be interactive too — so what would you like to see us cover? What FreeBSD questions can we help you tackle?  Get in touch with your ideas.


Contributed by Benedict Reuschling

The post An Introduction to FreeBSD’s Periodic System first appeared on FreeBSD Foundation.


How To Install and Configure the Galene Video Meeting Server

Post by FreeBSD Foundation via FreeBSD Foundation »

A little background

Direct from its website:

Galene (or Galène) is a videoconference server (an “SFU”) that is easy to deploy and that requires very moderate server resources. It was originally designed for lectures, conferences and student tutorials, but later turned out to be useful for traditional meetings. Galene has been used in production at two major universities (Université de Paris and Sorbonne Université) for lectures, practicals, seminars, and for staff meetings.

Requirements

  • A recent FreeBSD install (version 14.3 at the time of this writing)
  • ZFS optional, but highly recommended

Base FreeBSD Setup

First, ensure you have the latest FreeBSD system updates installed. Use the following command (as root, indicated by the leading #):

# freebsd-update fetch install

Next, update your pkg repository to use the latest branch. Edit /etc/pkg/FreeBSD.conf and change the string quarterly to latest. Run the following command to get the latest pkg database:

# pkg update

Galene Installation

Before we install Galene from the package, we add a couple of ZFS datasets to hold the videoconferencing data in /var/db/galene. This step is optional and Galene works just as well on UFS2. We use ZFS here as it offers extra features that may come in handy when running Galene in production.

Let’s say our pool is called videostar. Let’s create the datasets under /var/db for Galene.

Create ZFS datasets for Galene

# zfs create -p videostar/var/db/galene/data
# zfs create videostar/var/db/galene/groups
# zfs create videostar/var/db/galene/recordings

With these commands, we created a galene dataset and, below it, three more datasets: recordings, data, and groups. We will populate these shortly.

Package Installation

FreeBSD’s package collection is easy to use and contains a ready-made Galene package. We install it next:

# pkg install galene

During the installation, the directories under /var/db/galene would otherwise have been created as plain directories. Since we created them as ZFS datasets beforehand, managing them is more flexible. For example, we can set a quota on the recordings dataset, as recordings tend to grow large during long videoconferences. The quota prevents Galene from filling up the remaining disk space in the pool.

Galene Configuration File

Before we can start Galene for the first time, we need to define which groups are available. These form the videoconferencing rooms and let multiple users join a single room or hold conferences in different rooms without interfering with one another. Each group file also defines the users, their permissions, and their passwords.

A basic example file in /var/db/galene/groups looks like this:

{
    "users":
    {
        "bob":
        {
            "password": "secret",
            "permissions": "op"
        }
    }
}

Here, we define a user called bob with a password and operator permissions in the room. The room itself is called videostar, so the file is named videostar.json.

Adding a valid SSL certificate

Although we have not added it to the Ansible playbook, it’s relatively simple to add a valid SSL certificate, from letsencrypt.org. We’ll leave that as an exercise for you, dear reader. In short:

pkg install py311-certbot
certbot certonly -d YOURHOSTSFQDN --standalone
cp /usr/local/etc/letsencrypt/live/YOURHOSTSFQDN/fullchain.pem /var/db/galene/data/cert.pem
cp /usr/local/etc/letsencrypt/live/YOURHOSTSFQDN/privkey.pem /var/db/galene/data/key.pem
chown galene:galene /var/db/galene/data/*
service galene restart
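An added audit sketch (not from the original post or from Galene) for the two sensitive artefacts set up above: the group file with its "password" entry and the copied key.pem. It assumes Galene's hashed-password form, in which the password value is a JSON object rather than a string; the function names and the sample tree are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of Galene itself.
# Assumption: a hashed password is stored as a JSON object
# ("password": {...}), so a string value means cleartext.

# Number of "password": "<string>" entries in a group file. Whitespace is
# stripped first so the result does not depend on the JSON layout.
count_plaintext_passwords() {
    tr -d ' \t\r\n' < "$1" | grep -o '"password":"' | wc -l | tr -d ' '
}

# audit_galene_dir DIR
# Prints one line per finding; returns 1 if there was any finding, else 0.
audit_galene_dir() {
    audit_dir=$1
    audit_findings=0

    for audit_file in "$audit_dir"/groups/*.json; do
        [ -f "$audit_file" ] || continue
        audit_n=$(count_plaintext_passwords "$audit_file")
        if [ "$audit_n" -gt 0 ]; then
            echo "PLAINTEXT: ${audit_file}: ${audit_n} password(s) stored as cleartext"
            audit_findings=1
        fi
    done

    # The TLS private key and the group files should not be readable or
    # writable by accounts other than the service user and its group.
    audit_loose=$(find "$audit_dir" -type f \
        \( -name 'key.pem' -o -name '*.json' \) \
        \( -perm -004 -o -perm -002 \) -print)
    if [ -n "$audit_loose" ]; then
        echo "$audit_loose" | sed 's/^/WORLD-ACCESSIBLE: /'
        audit_findings=1
    fi

    return "$audit_findings"
}

# Constructed sample tree standing in for /var/db/galene.
demo=$(mktemp -d)
mkdir -p "$demo/groups" "$demo/data"
printf '{"users": {"bob": {"password": "secret", "permissions": "op"}}}\n' \
    > "$demo/groups/videostar.json"
: > "$demo/data/key.pem"
chmod 644 "$demo/groups/videostar.json"
chmod 600 "$demo/data/key.pem"
audit_galene_dir "$demo" || echo "findings reported"
rm -rf "$demo"
```
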

Galene Startup Configuration

Along with the binaries, the galene package installed a startup script in /usr/local/etc/rc.d. To start Galene when the system boots, enable it in /etc/rc.conf using service:

# service galene enable

Start the service afterwards by running:

# service galene start

Check that the service is running:

# service galene status

A message saying that Galene is running should be displayed along with a process ID (PID). If not, then re-trace the steps above and check /var/log/messages for additional hints.

Testing Galene

We can find the PID of the running Galene process in the output of sockstat -l (listening sockets):

# sockstat -l|grep galene

In the same line, you can find the default port 8443 that Galene is listening on for incoming connections. Assuming our hostname is videostar.example, we can enter this in our browser URL bar: https://videostar.example:8443

A webpage opens asking you which group you want to join. Enter videostar (the one from our configuration above) and click the Join button. On the next page, enter the username and password from the configuration file. Select what kind of devices (camera, microphone) to allow and then click the Connect button. If all went well, you are now in the videoconferencing room with full permissions. Give that URL to other people after adding more users in the videostar.json file and restarting the galene process. Congratulations and happy video conferencing!


Contributed by Benedict Reuschling

The post How To Install and Configure the Galene Video Meeting Server first appeared on FreeBSD Foundation.


x8dtu – drive problems.

Post by Dan Langille via Dan Langille's Other Diary »

For a few days now, this drive in x8dtu has been having a hard time. I think it’s time to buy a replacement. Or two.

[16:37 x8dtu dvl ~] % grep ada3 /var/log/messages  
Jul  4 15:19:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  4 16:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  4 17:19:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  4 18:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  4 19:20:00 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  4 19:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  4 20:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  4 21:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  4 21:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  4 22:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  4 23:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  4 23:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 00:19:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 01:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 02:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 02:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 03:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 04:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 04:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 05:50:00 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 06:50:05 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 07:19:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 07:50:00 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 08:49:57 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 09:49:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 10:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 10:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 11:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 12:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 13:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 13:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 14:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 15:49:57 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 16:19:57 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 17:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 18:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 19:19:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 20:19:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 21:20:00 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 22:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 22:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  5 23:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 00:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 01:19:57 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 02:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 03:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 04:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 04:49:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 05:49:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 06:49:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 07:19:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 07:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 08:50:02 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 09:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 10:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 10:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 11:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 12:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 13:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 13:49:57 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 14:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 15:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 16:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 16:50:00 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 17:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 17:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 18:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 19:19:57 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 20:20:02 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 21:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 22:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  6 23:19:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 00:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 01:19:57 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 02:19:57 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 03:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 04:20:00 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 05:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 06:19:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 06:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 07:20:01 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 07:49:59 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 08:50:01 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 09:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 10:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 fd e2 ed d2 40 47 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 ff df ee d2 40 47 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 fd de ef d2 40 47 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 fb db f0 d2 40 47 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 48 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 ff d6 f1 d2 40 47 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 88 ff bb 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 c8 ff bb 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 ff d5 f2 d2 40 47 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu ZFS[38268]: vdev I/O failure, zpool=main_tank path=/dev/ada3p1 offset=270336 size=8192 error=5
Jul  7 10:40:08 x8dtu ZFS[38272]: vdev I/O failure, zpool=main_tank path=/dev/ada3p1 offset=4998267674624 size=8192 error=5
Jul  7 10:40:08 x8dtu ZFS[38276]: vdev I/O failure, zpool=main_tank path=/dev/ada3p1 offset=4998267936768 size=8192 error=5
Jul  7 10:40:08 x8dtu ZFS[38280]: vdev probe failure, zpool=main_tank path=/dev/ada3p1
Jul  7 10:40:08 x8dtu kernel: vdev_geom_close_locked:352[1]: Closing access to ada3p1.
Jul  7 10:40:08 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada3p1.
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: ATA Status Error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): ATA status: 41 (DRDY ERR), error: 04 (ABRT )
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): RES: 41 04 00 00 00 40 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Retrying command, 0 more tries remain
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: ATA Status Error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): ATA status: 41 (DRDY ERR), error: 04 (ABRT )
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): RES: 41 04 00 00 00 40 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Retries exhausted
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Synchronize cache failed
Jul  7 10:40:08 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada3p1.
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 35 1b c6 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 35 1b c6 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 04 f7 1a c6 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 34 1b c6 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 35 1b c6 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 34 1b c6 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 10 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 02 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 00 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 40 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 10 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 02 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 00 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 40 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 08 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 00 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 02 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 10 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 00 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 35 1b c6 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 05 00 bc 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 05 00 bc 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 04 c7 ff bb 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 04 00 bc 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 05 00 bc 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 04 00 bc 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 07 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 06 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 16 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 08 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 06 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 46 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 16 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 08 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 06 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 46 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 0e 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 06 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 08 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 16 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 06 00 00 40 00 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 05 00 bc 40 48 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:49:58 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
Jul  7 11:49:58 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
Jul  7 12:49:58 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
Jul  7 13:19:58 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
Jul  7 13:49:58 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
Jul  7 14:49:58 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
Jul  7 15:49:57 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
Jul  7 16:19:59 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
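
The log above shows an escalation: repeated smartd pending-sector warnings, then kernel CAM read errors, then ZFS reporting vdev failures, and finally smartd unable to read the drive at all. The following is an added example, not part of the original post, that extracts that sequence per disk from syslog text. The function names and event labels are invented for illustration, the sample lines are excerpted from the log above, and the year is passed in because these syslog timestamps omit it.

```python
import re
from collections import Counter
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# "Jul  7 10:40:08 host tag[pid]: message" (the [pid] part is optional).
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")

# (syslog tag, message pattern, event label). Labels are hypothetical names.
# Every pattern captures the device as "dev"; gpt/ label paths are not resolved.
RULES = [
    ("smartd", re.compile(
        r"Device: /dev/(?P<dev>\w+), \d+ Currently unreadable \(pending\) sectors"),
     "smart_pending"),
    ("smartd", re.compile(
        r"Device: /dev/(?P<dev>\w+), failed to read SMART Attribute Data"),
     "smart_unreadable"),
    ("kernel", re.compile(
        r"\((?P<dev>\w+):\w+:\d+:\d+:\d+\): Error \d+, "),
     "cam_error"),
    ("ZFS", re.compile(
        r"vdev (?:I/O|probe) failure, zpool=\S+ path=/dev/(?P<dev>\w+)"),
     "zfs_vdev_failure"),
]

# Lines excerpted from the log shown above.
SAMPLE_LOG = """\
Jul  7 09:49:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 10:19:58 x8dtu smartd[8217]: Device: /dev/ada3, 1 Currently unreadable (pending) sectors
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 fd e2 ed d2 40 47 00 00 00 00 00
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 10:40:08 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 10:40:08 x8dtu ZFS[38268]: vdev I/O failure, zpool=main_tank path=/dev/ada3p1 offset=270336 size=8192 error=5
Jul  7 10:40:08 x8dtu ZFS[38280]: vdev probe failure, zpool=main_tank path=/dev/ada3p1
Jul  7 10:40:08 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada3p1.
Jul  7 10:49:58 x8dtu smartd[8217]: Device: /dev/ada3, failed to read SMART Attribute Data
"""


def parse_events(text, year):
    """Return a list of (timestamp, disk, event label) for recognised lines."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m["mon"] not in MONTHS:
            continue
        hour, minute, second = map(int, m["time"].split(":"))
        ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), hour, minute, second)
        for tag, pattern, label in RULES:
            if m["tag"] != tag:
                continue
            hit = pattern.search(m["msg"])
            if hit:
                # Fold a partition name (ada3p1) onto its disk (ada3).
                disk = re.sub(r"p\d+$", "", hit["dev"])
                events.append((ts, disk, label))
                break
    return events


def summarize(events):
    """Per disk: event counts, first time each event was seen, and how long
    the first smartd warning preceded the first ZFS vdev failure."""
    report = {}
    for ts, disk, label in sorted(events):
        entry = report.setdefault(disk, {"counts": Counter(), "first_seen": {}})
        entry["counts"][label] += 1
        entry["first_seen"].setdefault(label, ts)
    for entry in report.values():
        warn = entry["first_seen"].get("smart_pending")
        fault = entry["first_seen"].get("zfs_vdev_failure")
        entry["warning_lead_seconds"] = (
            (fault - warn).total_seconds()
            if warn and fault and warn < fault else None)
        entry["replace"] = fault is not None
    return report


if __name__ == "__main__":
    # 2025 is taken from the `date` output shown on the page.
    for disk, entry in summarize(parse_events(SAMPLE_LOG, 2025)).items():
        print(disk, dict(entry["counts"]),
              "lead(s):", entry["warning_lead_seconds"],
              "replace:", entry["replace"])
```

The lead time is measured only from the first warning present in the text given to `parse_events`, so feed it the full retained log to see how long the drive had been signalling trouble.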

And the status:

[16:37 x8dtu dvl ~] % zpool list 
NAME        SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
main_tank  4.53T  1.26T  3.28T        -         -    25%    27%  1.00x    ONLINE  -
zroot       212G  56.6G   155G        -         -    50%    26%  1.00x    ONLINE  -
[16:38 x8dtu dvl ~] % zpool status
  pool: main_tank
 state: ONLINE
status: One or more devices are faulted in response to persistent errors.
	Sufficient replicas exist for the pool to continue functioning in a
	degraded state.
action: Replace the faulted device, or use 'zpool clear' to mark the device
	repaired.
  scan: scrub repaired 0B in 06:54:39 with 0 errors on Mon Jul  7 10:41:58 2025
config:

	NAME        STATE     READ WRITE CKSUM
	main_tank   ONLINE       0     0     0
	  mirror-0  ONLINE       0     0     0
	    ada2p1  ONLINE       0     0     0
	    ada3p1  FAULTED     21   379   254  too many errors

errors: No known data errors

  pool: zroot
 state: ONLINE
status: Some supported and requested features are not enabled on the pool.
	The pool can still be used, but some features are unavailable.
action: Enable all features using 'zpool upgrade'. Once this is done,
	the pool may no longer be accessible by software that does not support
	the features. See zpool-features(7) for details.
  scan: scrub repaired 0B in 00:03:53 with 0 errors on Mon Jul  7 03:51:20 2025
config:

	NAME        STATE     READ WRITE CKSUM
	zroot       ONLINE       0     0     0
	  mirror-0  ONLINE       0     0     0
	    ada1p3  ONLINE       0     0     0
	    ada0p3  ONLINE       0     0     0

errors: No known data errors

Let’s try clearing:

[16:38 x8dtu dvl ~] % sudo zpool clear  main_tank
[16:38 x8dtu dvl ~] % sudo zpool status main_tank
  pool: main_tank
 state: DEGRADED
status: One or more devices are faulted in response to persistent errors.
	Sufficient replicas exist for the pool to continue functioning in a
	degraded state.
action: Replace the faulted device, or use 'zpool clear' to mark the device
	repaired.
  scan: scrub repaired 0B in 06:54:39 with 0 errors on Mon Jul  7 10:41:58 2025
config:

	NAME        STATE     READ WRITE CKSUM
	main_tank   DEGRADED     0     0     0
	  mirror-0  DEGRADED     0     0     0
	    ada2p1  ONLINE       0     0     0
	    ada3p1  FAULTED      3     0     0  too many errors

errors: No known data errors
[16:38 x8dtu dvl ~] % date
Mon Jul  7 16:39:26 UTC 2025
[16:38 x8dtu dvl ~] % 

Hmm. Let’s try again:

[16:40 x8dtu dvl ~] % sudo zpool clear  main_tank
[16:40 x8dtu dvl ~] % sudo zpool status main_tank
  pool: main_tank
 state: DEGRADED
status: One or more devices are faulted in response to persistent errors.
	Sufficient replicas exist for the pool to continue functioning in a
	degraded state.
action: Replace the faulted device, or use 'zpool clear' to mark the device
	repaired.
  scan: scrub repaired 0B in 06:54:39 with 0 errors on Mon Jul  7 10:41:58 2025
config:

	NAME        STATE     READ WRITE CKSUM
	main_tank   DEGRADED     0     0     0
	  mirror-0  DEGRADED     0     0     0
	    ada2p1  ONLINE       0     0     0
	    ada3p1  FAULTED      3     0     0  too many errors

errors: No known data errors
[16:40 x8dtu dvl ~] % 

Well, look at this:

Jul  7 16:38:46 x8dtu kernel: vdev_geom_open_by_path:799[1]: Found provider by name /dev/ada3p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada3p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for ada3p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from ada3p1...
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 0a 00 00 40 00 00 00 00 00 00
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 4a 00 00 40 00 00 00 00 00 00
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 8a ff bb 40 48 00 00 00 00 00
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c ca ff bb 40 48 00 00 00 00 00
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:46 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada3p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada3p1.
Jul  7 16:38:46 x8dtu kernel: vdev_attach_ok:667[1]: Unable to read config from ada3p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_open_by_guids:766[1]: Searching by guids [376274468418206170:15764092042190275056].
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada2p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:268[1]: Found consumer for ada2p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:296[1]: Used existing consumer for ada2p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from ada2p1...
Jul  7 16:38:46 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada2p1.
Jul  7 16:38:46 x8dtu kernel: vdev_attach_ok:703[1]: vdev guid mismatch for provider ada2p1: 15764092042190275056 != 15252581311252777810.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada3p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for ada3p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from ada3p1...
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 0a 00 00 40 00 00 00 00 00 00
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 4a 00 00 40 00 00 00 00 00 00
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 8a ff bb 40 48 00 00 00 00 00
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c ca ff bb 40 48 00 00 00 00 00
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:46 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:46 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada3p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada3p1.
Jul  7 16:38:46 x8dtu kernel: vdev_attach_ok:667[1]: Unable to read config from ada3p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada1p3.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:268[1]: Found consumer for ada1p3.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:296[1]: Used existing consumer for ada1p3.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from ada1p3...
Jul  7 16:38:46 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada1p3.
Jul  7 16:38:46 x8dtu kernel: vdev_attach_ok:686[1]: pool guid mismatch for provider ada1p3: 376274468418206170 != 18320603570228782289.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada1p2.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:284[1]: vdev_geom_attach(284): g_access failed: 1
Jul  7 16:38:46 x8dtu kernel: 
Jul  7 16:38:46 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada1p2.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada1p2.
Jul  7 16:38:46 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada1p2.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada1p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:230[1]: Failing attach of ada1p1. Incompatible mediasize 524288
Jul  7 16:38:46 x8dtu kernel: 
Jul  7 16:38:46 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada1p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada0p3.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:268[1]: Found consumer for ada0p3.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:296[1]: Used existing consumer for ada0p3.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from ada0p3...
Jul  7 16:38:46 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada0p3.
Jul  7 16:38:46 x8dtu kernel: vdev_attach_ok:686[1]: pool guid mismatch for provider ada0p3: 376274468418206170 != 18320603570228782289.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada0p2.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:284[1]: vdev_geom_attach(284): g_access failed: 1
Jul  7 16:38:46 x8dtu kernel: 
Jul  7 16:38:46 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada0p2.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada0p2.
Jul  7 16:38:46 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada0p2.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada0p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:230[1]: Failing attach of ada0p1. Incompatible mediasize 524288
Jul  7 16:38:46 x8dtu kernel: 
Jul  7 16:38:46 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada0p1.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to gpt/gptboot0.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:230[1]: Failing attach of gpt/gptboot0. Incompatible mediasize 524288
Jul  7 16:38:46 x8dtu kernel: 
Jul  7 16:38:46 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to gpt/gptboot0.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to iso9660/11_0_RELEASE_P1_AMD64_CD.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for iso9660/11_0_RELEASE_P1_AMD64_CD.
Jul  7 16:38:46 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from iso9660/11_0_RELEASE_P1_AMD64_CD...
Jul  7 16:38:48 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from iso9660/11_0_RELEASE_P1_AMD64_CD.
Jul  7 16:38:48 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for iso9660/11_0_RELEASE_P1_AMD64_CD.
Jul  7 16:38:48 x8dtu kernel: vdev_attach_ok:667[1]: Unable to read config from iso9660/11_0_RELEASE_P1_AMD64_CD.
Jul  7 16:38:48 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to gpt/gptboot1.
Jul  7 16:38:48 x8dtu kernel: vdev_geom_attach:230[1]: Failing attach of gpt/gptboot1. Incompatible mediasize 524288
Jul  7 16:38:48 x8dtu kernel: 
Jul  7 16:38:48 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to gpt/gptboot1.
Jul  7 16:38:48 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to cd0.
Jul  7 16:38:48 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for cd0.
Jul  7 16:38:48 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from cd0...
Jul  7 16:38:49 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from cd0.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for cd0.
Jul  7 16:38:49 x8dtu kernel: vdev_attach_ok:667[1]: Unable to read config from cd0.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada2.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_attach:284[1]: vdev_geom_attach(284): g_access failed: 1
Jul  7 16:38:49 x8dtu kernel: 
Jul  7 16:38:49 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada2.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada2.
Jul  7 16:38:49 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada2.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada3.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for ada3.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from ada3...
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 04 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 44 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 84 1a c6 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c c4 1a c6 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada3.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada3.
Jul  7 16:38:49 x8dtu kernel: vdev_attach_ok:667[1]: Unable to read config from ada3.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada1.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_attach:284[1]: vdev_geom_attach(284): g_access failed: 1
Jul  7 16:38:49 x8dtu kernel: 
Jul  7 16:38:49 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada1.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada1.
Jul  7 16:38:49 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada1.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada0.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_attach:284[1]: vdev_geom_attach(284): g_access failed: 1
Jul  7 16:38:49 x8dtu kernel: 
Jul  7 16:38:49 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada0.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada0.
Jul  7 16:38:49 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada0.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada3p1.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for ada3p1.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_open_by_guids:778[1]: Attach by guid [376274468418206170:15764092042190275056] succeeded, provider ada3p1.
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 88 ff bb 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 c8 ff bb 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 48 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: vdev_geom_close_locked:352[1]: Closing access to ada3p1.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada3p1.
Jul  7 16:38:49 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada3p1.
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 35 1b c6 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 35 1b c6 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 04 f7 1a c6 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 34 1b c6 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 35 1b c6 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 34 1b c6 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 10 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 02 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 00 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 40 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 10 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 02 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 00 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 40 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 08 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 00 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 02 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 10 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 00 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 35 1b c6 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 05 00 bc 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 05 00 bc 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 04 c7 ff bb 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu ZFS[1318]: vdev state changed, pool_guid=376274468418206170 vdev_guid=15764092042190275056
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 04 00 bc 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 05 00 bc 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 04 00 bc 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 07 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 06 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 16 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 08 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 06 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 46 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 16 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 08 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 06 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 46 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 0e 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 06 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 08 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 16 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 06 00 00 40 00 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 05 00 bc 40 48 00 00 00 00 00
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:38:49 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:38:49 x8dtu ZFS[1322]: vdev I/O failure, zpool=main_tank path=/dev/ada3p1 offset=4998267674624 size=8192 error=5
Jul  7 16:38:49 x8dtu ZFS[1326]: vdev I/O failure, zpool=main_tank path=/dev/ada3p1 offset=4998267936768 size=8192 error=5
Jul  7 16:38:49 x8dtu ZFS[1330]: vdev I/O failure, zpool=main_tank path=/dev/ada3p1 offset=270336 size=8192 error=5
Jul  7 16:38:49 x8dtu ZFS[1334]: vdev probe failure, zpool=main_tank path=/dev/ada3p1
Jul  7 16:38:49 x8dtu ZFS[1340]: vdev state changed, pool_guid=376274468418206170 vdev_guid=15764092042190275056
Jul  7 16:40:32 x8dtu kernel: vdev_geom_open_by_path:799[1]: Found provider by name /dev/ada3p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada3p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for ada3p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from ada3p1...
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 4a 00 00 40 00 00 00 00 00 00
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 8a ff bb 40 48 00 00 00 00 00
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c ca ff bb 40 48 00 00 00 00 00
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 0a 00 00 40 00 00 00 00 00 00
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:32 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada3p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada3p1.
Jul  7 16:40:32 x8dtu kernel: vdev_attach_ok:667[1]: Unable to read config from ada3p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_open_by_guids:766[1]: Searching by guids [376274468418206170:15764092042190275056].
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada2p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:268[1]: Found consumer for ada2p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:296[1]: Used existing consumer for ada2p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from ada2p1...
Jul  7 16:40:32 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada2p1.
Jul  7 16:40:32 x8dtu kernel: vdev_attach_ok:703[1]: vdev guid mismatch for provider ada2p1: 15764092042190275056 != 15252581311252777810.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada3p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for ada3p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from ada3p1...
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 0a 00 00 40 00 00 00 00 00 00
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 4a 00 00 40 00 00 00 00 00 00
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 8a ff bb 40 48 00 00 00 00 00
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c ca ff bb 40 48 00 00 00 00 00
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:32 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:32 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada3p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada3p1.
Jul  7 16:40:32 x8dtu kernel: vdev_attach_ok:667[1]: Unable to read config from ada3p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada1p3.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:268[1]: Found consumer for ada1p3.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:296[1]: Used existing consumer for ada1p3.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from ada1p3...
Jul  7 16:40:32 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada1p3.
Jul  7 16:40:32 x8dtu kernel: vdev_attach_ok:686[1]: pool guid mismatch for provider ada1p3: 376274468418206170 != 18320603570228782289.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada1p2.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:284[1]: vdev_geom_attach(284): g_access failed: 1
Jul  7 16:40:32 x8dtu kernel: 
Jul  7 16:40:32 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada1p2.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada1p2.
Jul  7 16:40:32 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada1p2.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada1p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:230[1]: Failing attach of ada1p1. Incompatible mediasize 524288
Jul  7 16:40:32 x8dtu kernel: 
Jul  7 16:40:32 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada1p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada0p3.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:268[1]: Found consumer for ada0p3.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:296[1]: Used existing consumer for ada0p3.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from ada0p3...
Jul  7 16:40:32 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada0p3.
Jul  7 16:40:32 x8dtu kernel: vdev_attach_ok:686[1]: pool guid mismatch for provider ada0p3: 376274468418206170 != 18320603570228782289.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada0p2.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:284[1]: vdev_geom_attach(284): g_access failed: 1
Jul  7 16:40:32 x8dtu kernel: 
Jul  7 16:40:32 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada0p2.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada0p2.
Jul  7 16:40:32 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada0p2.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada0p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:230[1]: Failing attach of ada0p1. Incompatible mediasize 524288
Jul  7 16:40:32 x8dtu kernel: 
Jul  7 16:40:32 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada0p1.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to gpt/gptboot0.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:230[1]: Failing attach of gpt/gptboot0. Incompatible mediasize 524288
Jul  7 16:40:32 x8dtu kernel: 
Jul  7 16:40:32 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to gpt/gptboot0.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to iso9660/11_0_RELEASE_P1_AMD64_CD.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for iso9660/11_0_RELEASE_P1_AMD64_CD.
Jul  7 16:40:32 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from iso9660/11_0_RELEASE_P1_AMD64_CD...
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from iso9660/11_0_RELEASE_P1_AMD64_CD.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for iso9660/11_0_RELEASE_P1_AMD64_CD.
Jul  7 16:40:35 x8dtu kernel: vdev_attach_ok:667[1]: Unable to read config from iso9660/11_0_RELEASE_P1_AMD64_CD.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to gpt/gptboot1.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:230[1]: Failing attach of gpt/gptboot1. Incompatible mediasize 524288
Jul  7 16:40:35 x8dtu kernel: 
Jul  7 16:40:35 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to gpt/gptboot1.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to cd0.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for cd0.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from cd0...
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from cd0.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for cd0.
Jul  7 16:40:35 x8dtu kernel: vdev_attach_ok:667[1]: Unable to read config from cd0.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada2.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:284[1]: vdev_geom_attach(284): g_access failed: 1
Jul  7 16:40:35 x8dtu kernel: 
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada2.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada2.
Jul  7 16:40:35 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada2.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada3.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for ada3.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_read_config:457[1]: Reading config from ada3...
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 04 00 00 40 00 00 00 00 00 00
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 44 00 00 40 00 00 00 00 00 00
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c 84 1a c6 40 48 00 00 00 00 00
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 1c c4 1a c6 40 48 00 00 00 00 00
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada3.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada3.
Jul  7 16:40:35 x8dtu kernel: vdev_attach_ok:667[1]: Unable to read config from ada3.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada1.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:284[1]: vdev_geom_attach(284): g_access failed: 1
Jul  7 16:40:35 x8dtu kernel: 
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada1.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada1.
Jul  7 16:40:35 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada1.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada0.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:284[1]: vdev_geom_attach(284): g_access failed: 1
Jul  7 16:40:35 x8dtu kernel: 
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada0.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada0.
Jul  7 16:40:35 x8dtu kernel: vdev_attach_ok:659[1]: Unable to attach tasting instance to ada0.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:219[1]: Attaching to ada3p1.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_attach:288[1]: Created consumer for ada3p1.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_open_by_guids:778[1]: Attach by guid [376274468418206170:15764092042190275056] succeeded, provider ada3p1.
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 48 00 00 40 00 00 00 00 00 00
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 88 ff bb 40 48 00 00 00 00 00
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 02 c8 ff bb 40 48 00 00 00 00 00
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu kernel: vdev_geom_close_locked:352[1]: Closing access to ada3p1.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:315[1]: Detaching from ada3p1.
Jul  7 16:40:35 x8dtu kernel: vdev_geom_detach:326[1]: Destroying consumer for ada3p1.
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 35 1b c6 40 48 00 00 00 00 00
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 35 1b c6 40 48 00 00 00 00 00
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 04 f7 1a c6 40 48 00 00 00 00 00
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 34 1b c6 40 48 00 00 00 00 00
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 35 1b c6 40 48 00 00 00 00 00
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 34 1b c6 40 48 00 00 00 00 00
Jul  7 16:40:35 x8dtu ZFS[2205]: vdev state changed, pool_guid=376274468418206170 vdev_guid=15764092042190275056
Jul  7 16:40:35 x8dtu ZFS[2209]: vdev I/O failure, zpool=main_tank path=/dev/ada3p1 offset=270336 size=8192 error=5
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): READ_FPDMA_QUEUED. ACB: 60 01 05 00 bc 40 48 00 00 00 00 00
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): CAM status: Auto-Sense Retrieval Failed
Jul  7 16:40:35 x8dtu kernel: (ada3:ahcich3:0:0:0): Error 5, Unretryable error
Jul  7 16:40:35 x8dtu ZFS[2214]: vdev I/O failure, zpool=main_tank path=/dev/ada3p1 offset=4998267674624 size=8192 error=5
Jul  7 16:40:35 x8dtu ZFS[2218]: vdev I/O failure, zpool=main_tank path=/dev/ada3p1 offset=4998267936768 size=8192 error=5
Jul  7 16:40:35 x8dtu ZFS[2222]: vdev probe failure, zpool=main_tank path=/dev/ada3p1
Jul  7 16:40:35 x8dtu ZFS[2230]: vdev state changed, pool_guid=376274468418206170 vdev_guid=15764092042190275056

I suspect I should replace that drive.

[16:43 x8dtu dvl ~] % sudo smartctl -a /dev/ada3
smartctl 7.5 2025-04-30 r5714 [FreeBSD 14.2-RELEASE-p1 amd64] (local build)
Copyright (C) 2002-25, Bruce Allen, Christian Franke, www.smartmontools.org

Read Device Identity failed: Input/output error

If this is a USB connected device, look at the various --device=TYPE variants
A mandatory SMART command failed: exiting. To continue, add one or more '-T permissive' options.
[16:43 x8dtu dvl ~] % 

Failed Backup Server Build

Post by Vermaden via 𝚟𝚎𝚛𝚖𝚊𝚍𝚎𝚗 »

When you read my blog articles and stuff – you may get the idea that everything I do – just happens to be right and that I succeed at every attempt. This article is here to remind you that I also often fail trying to do what was supposed to be great ‘on paper’ before doing it. Some call it experience … but the problem with experience is that you get it just after you needed it.

Out of Space

While I was relatively happy with my earlier backup box – Perfect NAS Solution – described here – it had one drawback. Space … lack of it. I did not want to invest in 8 TB NVMe SSD – so I used 4 TB NVMe SSD 2280 and 2 TB NVMe SSD 2230 as this AMD Ryzen based box had only two M.2 slots for storage … and getting 4 TB 2230 SSD is also very expensive.

% df -g /data
Filesystem 1G-blocks Used Avail Capacity  Mounted on
data/data      7311 4833  2478    66%    /data
 
% zpool list data
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
data   7.27T  4.72T  2.55T        -         -     1%    64%  1.00x    ONLINE  -

As I got 2 TB and 4 TB I created two independent ZFS pools on them and then I created needed datasets for needed directories from the /data dir … but as time passed some grew too much – like /data/download for example … so I started to manually move these datasets between these SSDs … and that just started to require too much micromanagement I did not want to waste time on.

Perfect Hardware for the Job

After checking what is available on the market I decided to get new small box – this time Intel N100 (or N150) based – with multiple M.2 slots. I was able to find a computer even smaller than the AMD Ryzen box that would have not only four M.2 slots but even FIVE of them.

The fifth one is hidden inside and fits nicely the 2 TB NVMe SSD 2230 that I already had – I also got four 2 TB 2280 ones and 16 GB RAM as seen on the above picture. The system is not fanless – but a small occasional fan does not hurt much – as AMD Ryzen box also had fan that almost never started – and it had much larger TDP than the 6 W TDP of Intel N100 CPU.

This little gem even has additional USB-A slot inside – so you can fit Lexar S47 32 GB USB pendrive there – not to mention TWO Intel 2.5 GB network cards.

Here is how Maiyunda M1S compares against previous GenMachine solution.

Keep it Cool

The only thing that I was worried about was cooling of the NVMe SSDs – to make them not hot enough – and while the box has two 2.5 GbE ports (supported on FreeBSD by igc(4) driver) – speeds like 50-70MB/s are more than enough for my needs (assuming that LAN would be used) – as I also am used to 10-11 MB/s when WiFi is involved … and I came prepared when it comes to cooling.

I attached radiators to all of the SSDs – the internal one had smaller heatsink (and it was more hot) but the top ones got really nice piece of aluminum on them – attached using 15W/mK silicone thermal pad.

Huge Metal Fan

While I prefer passive cooled solutions – it's not always possible to get all the features in decent prices in fanless mode.

After tweaking various BIOS settings I came to Hardware Monitor for thermal related stuff … and it seems that even that small Intel N100 with 6W TDP can be REALLY hot. After messing with the settings of the internal fan – and keeping it running all the time at about 3000 RPM – I settled on about 60°C temperature.

The temperatures reported with sensors(8) were high but not problematic. As you can expect the internal NVMe SSD was little warmer.

# sensors
 
            BATTERY/AC/TIME/FAN/SPEED 
 ------------------------------------ 
               dev.cpu.0.cx_supported: C1/1/0 
                   dev.cpu.0.cx_usage: 100.00% last 6353us
                       dev.cpu.0.freq: 800 
                hw.acpi.cpu.cx_lowest: C1 
                            powerd(8): running
 
                  SYSTEM/TEMPERATURES 
 ------------------------------------ 
      hw.acpi.thermal.tz0.temperature: 27.9C (max: 110.1C)
                dev.cpu.0.temperature: 68.0C (max: 105.0C)
                dev.cpu.1.temperature: 67.0C (max: 105.0C)
                dev.cpu.2.temperature: 67.0C (max: 105.0C)
                dev.cpu.3.temperature: 67.0C (max: 105.0C)
 
                   DISKS/TEMPERATURES 
 ------------------------------------ 
              smart.nvme0.temperature: 74.0C
              smart.nvme1.temperature: 39.0C
              smart.nvme2.temperature: 38.0C
              smart.nvme3.temperature: 39.0C
              smart.nvme4.temperature: 38.0C

I am Speed

This is how all the disks looked like using lsblk(8) command.

# lsblk -d
DEVICE SIZE MODEL
da0     29G Lexar USB Flash Drive
nda0   1.9T WD PC SN740 SDDPTQE-2T00
nda1   1.9T ADATA SX8200PNP
nda2   1.9T ADATA SX8200PNP
nda3   1.9T ADATA SX8200PNP
nda4   1.9T ADATA SX8200PNP
-       10T TOTAL SYSTEM STORAGE

Quick ‘benchmark’ of the NVMe SSD drives using diskinfo(8) is shown below.

# for I in 0 1 2 3 4; do diskinfo -vt nda${I}; echo; done | grep -e nda -e side
nda0
        outside:       102400 kbytes in   0.137933 sec =   742389 kbytes/sec
        inside:        102400 kbytes in   0.136937 sec =   747789 kbytes/sec
nda1
        outside:       102400 kbytes in   0.136848 sec =   748275 kbytes/sec
        inside:        102400 kbytes in   0.135698 sec =   754617 kbytes/sec
nda2
        outside:       102400 kbytes in   0.136665 sec =   749277 kbytes/sec
        inside:        102400 kbytes in   0.135783 sec =   754144 kbytes/sec
nda3
        outside:       102400 kbytes in   0.190700 sec =   536969 kbytes/sec
        inside:        102400 kbytes in   0.135555 sec =   755413 kbytes/sec
nda4
        outside:       102400 kbytes in   0.136825 sec =   748401 kbytes/sec
        inside:        102400 kbytes in   0.135868 sec =   753673 kbytes/sec

I forgot to mention one important thing – the Intel N100 CPU maximum number of PCIe lanes is 9.


    SPEC       LANE         X1         X2         X4       X8          X16
PCIe 1.x   2.5 GT/s    0.5GB/s    1.0GB/s    2.0GB/s    4.0GB/s    8.0GB/s
PCIe 2.x   5.0 GT/s    1.0GB/s    2.0GB/s    4.0GB/s    8.0GB/s   16.0GB/s
PCIe 3.x   8.0 GT/s    2.0GB/s    4.0GB/s    8.0GB/s   16.0GB/s   32.0GB/s
PCIe 4.x  16.0 GT/s    4.0GB/s    8.0GB/s   16.0GB/s   32.0GB/s   64.0GB/s
PCIe 5.x  32.0 GT/s    8.0GB/s   16.0GB/s   32.0GB/s   64.0GB/s  128.0GB/s
PCIe 6.x  64.0 GT/s   16.0GB/s   32.0GB/s   64.0GB/s  128.0GB/s  256.0GB/s

That means that all these NVMe SSDs do not work at their maximum speed like up to 8000MB/s with PCIe 3.0 4x lanes. Each of these NVMe has only ONE (1) PCIe 3.0 lane – that means the maximum speed of each of them would be a quarter of their normal operation – this thing alone would cut the heat generated by them to a quarter.

ZFS Part

So … I had the system running – I had the drives attached – I created ZFS pool … and for the first time I decided that ZFS based encryption is good enough – so I did not use geli(8) this time. The plan was to use RAID5 (raidz) setup here – so I will have some redundancy again.

# zpool create data raidz nda0 nda1 nda2 nda3 nda4

# zpool list data
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
data   9.31T   912K  9.31T        -         -     0%     0%  1.00x    ONLINE  -
 
# zpool status data
  pool: data
 state: ONLINE
config:
 
        NAME        STATE     READ WRITE CKSUM
        data        ONLINE       0     0     0
          raidz1-0  ONLINE       0     0     0
            nda0    ONLINE       0     0     0
            nda1    ONLINE       0     0     0
            nda2    ONLINE       0     0     0
            nda3    ONLINE       0     0     0
            nda4    ONLINE       0     0     0
 
errors: No known data errors

# zfs set recordsize=1m data

# zfs set compression=zstd data

# zfs set atime=off data

# zfs set mountpoint=none data

# zfs create -o encryption=on -o keyformat=passphrase -o keylocation=prompt data/data

# zfs set mountpoint=/data data/data

# zfs mount -a

… but one of the NVMe SSD 2280 drives came broken – lots of read/write errors and entirely ‘broken’ S.M.A.R.T report.

Broken Drive and Resilver

That allowed me to test the ZFS resilver on these drives – you can see for yourself how it went below.

# zpool status
  pool: data
 state: DEGRADED
status: One or more devices could not be used because the label is missing or
        invalid.  Sufficient replicas exist for the pool to continue
        functioning in a degraded state.
action: Replace the device using 'zpool replace'.
   see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-4J
  scan: scrub repaired 768K in 00:02:50 with 0 errors on Sun May 18 13:29:47 2025
config:
 
        NAME                      STATE     READ WRITE CKSUM
        data                      DEGRADED     0     0     0
          raidz1-0                DEGRADED     0     0     0
            nda0                  ONLINE       0     0     0
            13389973369551797347  UNAVAIL      0     0     0  was /dev/nda1
            nda2                  ONLINE       0     0     0
            nda3                  ONLINE       0     0     0
            nda4                  ONLINE       0     0     0
 
errors: No known data errors
 
# zpool replace data 13389973369551797347 /dev/nda1
 
# zpool status data
  pool: data
 state: DEGRADED
status: One or more devices is currently being resilvered.  The pool will
        continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
  scan: resilver in progress since Wed May 21 20:33:21 2025
        198G / 198G scanned, 3.95G / 197G issued at 1011M/s
        806M resilvered, 2.00% done, 00:03:15 to go
config:
 
        NAME                        STATE     READ WRITE CKSUM
        data                        DEGRADED     0     0     0
          raidz1-0                  DEGRADED     0     0     0
            nda0                    ONLINE       0     0     0
            replacing-1             DEGRADED     0     0     0
              13389973369551797347  UNAVAIL      0     0     0  was /dev/nda1/old
              nda1                  ONLINE       0     0     0  (resilvering)
            nda2                    ONLINE       0     0     0
            nda3                    ONLINE       0     0     0
            nda4                    ONLINE       0     0     0
 
errors: No known data errors
 
# zpool status data
  pool: data
 state: DEGRADED
status: One or more devices is currently being resilvered.  The pool will
        continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
  scan: resilver in progress since Wed May 21 20:33:21 2025
        198G / 198G scanned, 95.0G / 197G issued at 1.22G/s
        19.1G resilvered, 48.16% done, 00:01:23 to go
config:
 
        NAME                        STATE     READ WRITE CKSUM
        data                        DEGRADED     0     0     0
          raidz1-0                  DEGRADED     0     0     0
            nda0                    ONLINE       0     0     0
            replacing-1             DEGRADED     0     0     0
              13389973369551797347  UNAVAIL      0     0     0  was /dev/nda1/old
              nda1                  ONLINE       0     0     0  (resilvering)
            nda2                    ONLINE       0     0     0
            nda3                    ONLINE       0     0     0
            nda4                    ONLINE       0     0     0
 
errors: No known data errors
 
# gstat -p -I 1s
dT: 1.009s  w: 1.000s
 L(q)  ops/s    r/s   kBps   ms/r    w/s   kBps   ms/w   %busy Name
    0   1171   1171 274041  0.451      0      0  0.000   41.3| nda0
    0   1235      0      0  0.000   1235 275531  0.362   36.9| nda1
    0   1164   1164 274283  0.407      0      0  0.000   38.4| nda2
    0   1159   1159 274295  0.410      0      0  0.000   38.5| nda3
    0   1161   1161 274263  0.409      0      0  0.000   38.4| nda4
    0      2      2     16  0.901      0      0  0.000    0.2| da0
 
dT: 1.002s  w: 1.000s
 L(q)  ops/s    r/s   kBps   ms/r    w/s   kBps   ms/w   %busy Name
    0   1165   1132 265890  0.450     31    148  0.038   39.9| nda0
    2   1214      0      0  0.000   1212 265882  0.352   36.1| nda1
    1   1172   1137 265942  0.407     33    152  0.038   37.7| nda2
    1   1166   1133 265902  0.408     31    148  0.042   37.7| nda3
    1   1171   1129 265698  0.411     40    180  0.041   37.7| nda4
    0      0      0      0  0.000      0      0  0.000    0.0| da0
 
# zpool status data
  pool: data
 state: ONLINE
  scan: resilvered 39.6G in 00:02:50 with 0 errors on Wed May 21 20:36:11 2025
config:
 
        NAME        STATE     READ WRITE CKSUM
        data        ONLINE       0     0     0
          raidz1-0  ONLINE       0     0     0
            nda0    ONLINE       0     0     0
            nda1    ONLINE       0     0     0
            nda2    ONLINE       0     0     0
            nda3    ONLINE       0     0     0
            nda4    ONLINE       0     0     0
 
errors: No known data errors

So it went pretty fast while the temperatures remained close to what you have seen earlier.

The Ugly

… but after some changes in the BIOS – like disabling the Integrated GPU – I needed to reset the BIOS settings altogether … and this is the part when things went fast south really hard.

After the reset I went into BIOS to setup the fan to run at about 3000 RPM … but it seems it was entirely gone … and that small box while doing nothing – started to be as warm as 90°C now … which I consider really bad – I was not even able to hold that computer case without any gloves on my hands.

When I entered the BIOS this is what I saw.

I was out of ideas and really disappointed – so I took a picture of that BIOS and created a ‘send item back and get money back’ issue on Aliexpress portal – where I got it. To be honest I did not expect much – more like a long battle to prove that something is really wrong.

My ‘problem report’ was not long – just a simple description of what is wrong:

“Hello. The FAN will just not start and I get some crazy temperatures like 89/82 Celsius – this Mini PC is hot as fuck – and its doing nothing – its crazy for a 6W TDP Intel N100 CPU.”

Get Money Back

I was trying to be polite – while I was also very angry because such high temperatures on a 6W TDP CPU are insane …

… and to my surprise the request was positively accepted the next day – they offered a free send back of the hardware and promised to send me all the money back – at least that part of the story is successful.

Summary

When you want to do something ambitious – there is a bigger chance that you fail … and I failed here … or should I say the hardware failed me.

Some say that if you learn from a failure it is not really a failure but a valuable lesson – and I treat that one exactly like that.

Next plans? I already ordered another Intel N100 box (actually N150 as they ran out of N100 devices) with 4-5 M.2 slots and I will share with you in another article how that story went …

UPDATE 1 – High Hopes

After initial failure I have had really High Hopes (great Pink Floyd track) for the next X86 P6 Tiny NAS box I ordered … and I got disappointed again.

I first prepared all needed parts for the build as shown below.

Now – after trying to fit the NVMe adapter with 2230 2TB SSD … it was obvious that the ‘hat’ and the ‘adapter’ will not fit both together … so I was limited to ‘only’ FOUR NVMe SSDs each of 2TB size.

That was still OK – after RAM installation it looked more or less like that above.

All of my hopes were killed during the boot cycle – also seen in dmesg(8) later.

These nvmeX: timeouts above do not look that bad at first – not to mention that the box booted to BIOS POST message in 6-7 minutes – like a regular RACK server – but after the login: prompt it was obvious that a timeout for nvmeX: controller means … that a drive attached to it will NOT be available in the system.

The first (or maybe second) time it booted the drives (and controllers) were there and even the temperatures were ‘right’ – everything seemed cool … until several reboots later.

Before everything went south I was able to at least do some things as shown below.

But after that everything just broke … again.

After thinking about it I had two choices.

I could order Terramaster F8 SSD Intel N95 based NAS or more expensive Terramaster F8 SSD Plus Intel N305 powered version.

But I have decided something entirely different.

As I still got 8TB Samsung 2.5 SATA SSD I decided to get some simple AMD Ryzen based Mini PC with ONE 2.5 slot for that SSD and go that route. That AMD Ryzen based box still did not arrive at my lawn – so I will have to wait for it a little longer.

Fortunately the ‘seller’ of that ‘broken’ NAS was also kind enough to send me the money back after I filled all needed ‘resignation’ docs.

… and do not get me wrong here – I will still seek for a usable and predictable multiple NVMe SSD NAS case – it is just that it seems it's not that easy and obvious to find a reasonable one …

UPDATE 2 – Interim Solution

While searching for next possible hardware solution that would allow what I want – in the meantime I got something that would ‘just work’ with what I have – I picked some used Minisforum UM350 mini PC for $230 with 4-CORE AMD Ryzen 5 3550H CPU.

While it does not offer any redundancy – my 8 TB Samsung 870 QVO SSD will work well with it – while FreeBSD system will reside in the NVMe SSD.

One of the things I set in BIOS was the lowest possible power consumption.

In the real world – when idle – and with FreeBSD’s powerd(8) enabled – it consumes about 7W of power.

It works really well with FreeBSD and even the internal WiFi card worked out of the box and was working reliably with 14.3-RELEASE version.

From the other boring stuff – that 8 TB Samsung 870 QVO SSD was earlier taken off my ThinkPad W520 – so the only thing I needed to do was to attach GELI target – import ZFS pool – and update the files with rsync(1) command – nothing fancy.

I need to confess that my next solution already arrived at my door step … I will add another update (or article) when I will have time to check it.

EOF

Dovecot 2.3 to 2.4 update problems

Post by Nathan Zachary via The Z-Issue »

Dovecot, which is a secure IMAP server, released version 2.4.0 on 24 January 2025 and a minor revision of 2.4.1 on 28 March 2025. As such, I recently decided to update my instances from the 2.3 branch (version 2.3.21.1 to be exact) to this new 2.4 branch. Though major revision updates can often be problematic, this one posed some additional challenges due to many backwards-incompatible changes. Though that linked upgrade documentation was helpful, I still ran into some problems with the update that I will explain in this post. Hopefully these tips will help others avoid some of the mistakes that I made.

My Dovecot IMAP configuration is rather simple, making some of the backwards-incompatible changes that applied to me easy enough to address:

  • Variable expansions (or so I thought; more on this one later)
  • Naming of userdb and passdb
    • These two directives now require a name, which can be the name of the lookup database or simply arbitrary
  • Arguments supplied to userdb and passdb separated into individual directives
    • Instead of having, say, passdb { args = username_format=%n $path_to_file }, the args are separated into:
      • passdb_driver = passwd-file
      • auth_username_format =
      • passwd_file_path = $path_to_file
  • Changes to the names of some directives (including SSL)
    • ssl_cert became ssl_server_cert_file
    • ssl_key became ssl_server_key_file
  • Separation of the mail_location directive into individual components
    • Instead of having mail_location = $mailbox_format:$mailbox_path (e.g. mail_location = maildir:/var/mail/), it is now:
      • mail_driver = $mailbox_format –> mail_driver = maildir
      • mail_path = $mailbox_path –> mail_path = /var/mail/
      • mail_home = $mailbox_home –> mail_home = /var/mail/home
  • Some new defaults for base settings
    • The base_dir now defaults to /var/run/dovecot, so it should be omitted and shouldn’t be changed
    • The listen directive now defaults to listen = *, ::, which will listen on all available IPv4 and IPv6 addresses
    • The disable_plaintext_auth directive was renamed to auth_allow_cleartext and now defaults to no for better security

I also took this upgrade window as an opportunity to shift all of my configuration from the included conf.d/ files to a single dovecot.conf file with all of my settings. Though I was able to make a copy of my Dovecot 2.3 configuration files that I could modify in preparation for the update to Dovecot 2.4, the new configuration didn’t work perfectly.

SSL errors when starting Dovecot

The first unexpected error I encountered was when trying to start Dovecot 2.4 with my new configuration. It refused to start, throwing an error message of ‘SSL certificates too long’. The problem here ended up being that certificates no longer need to be redirected into the directive. More simply put, the less-than sign (<) needed to be removed from the certificate lines:

In Dovecot 2.3:

ssl_cert = </etc/ssl/mail_server/fullchain.pem
ssl_key = </etc/ssl/mail_server/privkey.pem

In Dovecot 2.4:

ssl_server_cert_file = /etc/ssl/mail_server/fullchain.pem
ssl_server_key_file = /etc/ssl/mail_server/privkey.pem

The important part here is that the ‘<’ has been removed for each of the SSL server files (both cert and key).

Variable expansion not working as intended

With the documentation provided by the Dovecot team regarding changes to variables, I thought that the expansion would be a non-issue, but I was mistaken. After upgrading to Dovecot 2.4, I could no longer log in to any of my email addresses across multiple domains using any of my IMAP clients. Looking at the mail authentication logs, I found many error messages similar to this one:

Jul 03 00:57:06 [dovecot] auth(z@z-issue.com,$IP,sasl:login): passwd-file: missing passwd file: /var/mail/vhosts/%domain/shadow

This first error was a simple syntax mistake on my part where I accidentally omitted the needed curly braces around any variables. In particular, I referenced %domain instead of %{domain} in many directives, such as mail_home, mail_path, and for this exact error, the passwd_file_path line of passdb.

After correcting my mistake by adding the curly braces, I anticipated the problem would be resolved. However, I was still unable to log in using my IMAP clients. The error messages in the mail authentication logs did change, though, to ones like this:

Jul 03 01:14:52 [dovecot] auth(z@z-issue.com,$IP,sasl:cram-md5)<+ssPdf84tMAYz+f6>: Error: passwd-file: Failed to expand passwd-file path /var/mail/vhosts/%{domain}/shadow: domain: No value to get domain from

This error was more obtuse to me. The %{domain} variable should have been available based on the email address logging in. In this error message above, the email address (which is a fake example) of z@z-issue.com should have resulted in:

%{user} --> expanding to 'z'
%{domain} --> expanding to 'z-issue.com'

but it didn’t. Looking again at the Dovecot 2.4 upgrade documentation for variable expansion, I finally figured out what I needed to do. In the table under the ‘List of common short variables and their replacements’, the row showing %d being replaced by %{user|domain} was confusing to me. I wrongly interpreted that syntax as the boolean “or” in Regular Expressions (RegEx), meaning that I can use %{user} as a variable containing the username portion of the email address, and %{domain} as a variable containing the domain portion of the email address.

My interpretation of that syntax was incorrect. The chart is showing the literal variable to use, and the pipe (or vertical bar) here is serving as a filter. That results in the variable expansion being:

Old variable   New syntax          Explanation
%d             %{user|domain}      Referencing the ‘user’ variable, extract only the ‘domain’ portion.
%n             %{user|username}    Referencing the ‘user’ variable, extract only the ‘username’ portion.

Now that I understood the proper syntax, I was able to update the relevant sections of my Dovecot auth directives:

mail_driver = maildir
mail_home = /var/mail/vhosts/%{user|domain}/%{user|username}/
mail_path = /var/mail/vhosts/%{user|domain}/%{user|username}/

userdb passwd-file {
        userdb_driver = passwd-file
        auth_username_format = %{user|username}
        passwd_file_path = /var/mail/vhosts/%{user|domain}/passwd
}

passdb passwd-file {
        passdb_driver = passwd-file
        auth_username_format = %{user|username}
        passwd_file_path = /var/mail/vhosts/%{user|domain}/shadow
}

After restarting Dovecot, I was able to connect via my IMAP clients once again.

Cheers,
Nathan Zachary
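
As an added example (not from the original post or the Dovecot project), this Python sketch checks a configuration for the pitfalls described above and models the pipe acting as a filter on the user variable. The names lint, expand and SAMPLE are hypothetical, the sample input is constructed, and the rules cover only what the post mentions.

```python
import re

# Rules cover only the pitfalls named in the post; not a full 2.3 -> 2.4 checker.
RULES = [
    (re.compile(r"^\s*ssl_(cert|key)\s*="),
     "2.3 name; the post uses ssl_server_cert_file / ssl_server_key_file"),
    (re.compile(r"^\s*ssl_\w+\s*=\s*<"),
     "'<' before the path must be removed in 2.4"),
    (re.compile(r"%(domain|username|user)\b"),
     "long variable without curly braces"),
    (re.compile(r"%\{domain\}"),
     "%{domain} has no value; use %{user|domain}"),
    (re.compile(r"%[dn]\b"),
     "2.3 short variable; use %{user|domain} / %{user|username}"),
]

def lint(conf_text):
    """Return (line_number, message) per pitfall found; comment lines are skipped."""
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        findings += [(number, msg) for pattern, msg in RULES if pattern.search(line)]
    return findings

def expand(template, user):
    """Simplified model (assumption) of '|' acting as a filter on the 'user' variable."""
    username, _, domain = user.partition("@")
    values = {"user": user, "user|username": username, "user|domain": domain}
    def substitute(match):
        if match.group(1) not in values:
            raise KeyError(match.group(1) + ": no value in this model")
        return values[match.group(1)]
    return re.sub(r"%\{([^}]*)\}", substitute, template)

# Constructed sample that mixes the mistakes from the post with one correct line.
SAMPLE = """\
ssl_cert = </etc/ssl/mail_server/fullchain.pem
ssl_server_key_file = /etc/ssl/mail_server/privkey.pem
mail_home = /var/mail/vhosts/%domain/%n/
passwd_file_path = /var/mail/vhosts/%{domain}/shadow
mail_path = /var/mail/vhosts/%{user|domain}/%{user|username}/
"""

if __name__ == "__main__":
    for number, message in lint(SAMPLE):
        print(f"line {number}: {message}")
    print(expand("/var/mail/vhosts/%{user|domain}/%{user|username}/", "z@z-issue.com"))
```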


My Never-Built MMO – Ideas from 2004 That Were Ahead of Their Time

Post by Bernd Dau via Zockertown: Nerten News »

Bed, July 2025

In 2004, when World of Warcraft had not even been released yet and most people confused "online role-playing game" with "Diablo 2", I had a fixed idea: why not build my own online game? A massively multiplayer online game (MMOG), not for millions of players, but as a well-thought-out universe that stays entertaining over the long term for like-minded people.

I was never someone who only complains and does nothing. So it came into being: my MMOG concept. And now, more than 20 years later, while tidying up old files, it strikes me again: that was actually not bad at all.


Tick-Based Economy: Fairness for Casual Players

I wanted a game that does not put casual players at a disadvantage. Inspired by Tradewars and early BBS games, I opted for a tick system:

  • Every minute: 2 ticks.

  • Actions cost ticks: building, travelling, fighting.

  • A maximum of 30,000 ticks can be stored (approx. 10 days of inactivity possible).

  • No obligation to be online, no 24/7 grind.

  • Research is separate, so that progress is possible even without ticks.

I had even thought of emergency tick credits during attacks, so that nobody is completely defenceless.


Universe & Planets: Procedural and Dynamic

The universe was to be procedurally generated:

  • Cube-shaped or flat.

  • Starting planets only come into existence when a player registers.

  • Parallel worlds and warp gates as long-term features.

Planets would differ in size and in resource wealth. Resources were meant to run out, but with advancing research one could unlock matter conversion, all the way to planetary decomposition by orbital ships. That way the game would stay dynamic.


Space Travel: Quality over Quantity

It was clear to me: masses of identical ships are no fun. My concept provided for:

  • Few, valuable ships, lovingly designed.

  • Modular design: 4 hull sizes, 10 weapon systems, 2 transport modules.

  • Special ships for mining asteroids and matter clouds.

  • Escape pods for the crew (enslavement idea included).

  • From wrecked opponents one should gain research advantages, not simply copy ships.


Trade: Interactive and Risky

  • NPC trading race with random approach patterns.

  • Trade only goods for goods.

  • Lots of trade = preferred approaches.

  • Plundering the trading race is possible → but leads to negative consequences.

  • Artifacts as rare trade objects.


Combat: Tactical, Transparent, Traceable

  • Open combat script with a max. 10% random factor.

  • Combat reports as HTML pages with entries in the Hall of Fame.

  • Pilots with an experience system → bonuses in combat.

  • Automatic retreat rules.


Research: Variety & Social Dynamics

  • Interlocking research tree with dependencies.

  • Access to certain technologies depends on race.

  • Research costs fall the more players own the technology (community bonus).

  • New technologies through conquest or exchange with the trading race.


Alliances & Diplomacy

  • Alliances only through in-game contact.

  • Technological advantage through racial diversity.


Quality of the Player Experience: Bug Tracking, Help, Quests

  • In-game bug reporting system with rewards for first reporters.

  • Intelligent help system for newcomers.

  • Quests as later endgame motivation.


Cloaking & Espionage

  • Multi-level cloaking system: invisible planets, collision detection, phase cloaking.

  • No or only few weapons in this specialization.


Conclusion: An Idea That Was Ahead of Its Time

In the end the project was never realized. No time, no team, no shared "we'll get this done". But today, in 2025, I read it again and think:

"That could really have become something."

And who knows? Maybe it will inspire someone out there.


Note: This article was created with the kind support of ChatGPT, which helped me with structuring and wording.
