RootForum Community

DragonFly BSD Digest.
https://dragonflydigest.com/

FreeBSD Patch Level Table.
https://bokut.in/freebsd-patch-level-table/

FreeBSD End of Life Date.
https://endoflife.date/freebsd

Phoronix BSD News Archives.
https://phoronix.com/linux/BSD

OpenBSD Journal.
https://undeadly.org/

Call for Testing.
https://callfortesting.org/

Call for Testing – Production Users Call.
https://youtube.com/@callfortesting/videos

BSD Now Weekly Podcast.
https://www.bsdnow.tv/

Nixers Newsletter.
https://newsletter.nixers.net/entries.php

BSD Cafe Journal.
https://journal.bsd.cafe/

DragonFly BSD Digest – Lazy Reading – In Other BSDs.
https://dragonflydigest.com

FreeBSD Git Weekly.
https://freebsd-git-weekly.tarsnap.net/

FreeBSD Meetings.
https://youtube.com/@freebsdmeetings

Sheridan Computers.
https://youtube.com/@sheridans/videos

EOF

2026-03-15 12:19:39 UTC

I don’t see a way to specify the syslog facility for OpenVPN – perhaps I can change that in the code. It would allow logging openvpn to a specific file and being able to rotate that log file. –log-append does not allow for log rotation.

In this post:

FreeBSD 15.0
OpenVPN 2.6.19

Signals sent to OpenVPN do not affect logging. Thus, I must rely upon syslog and newsyslog to achieve log rotation.

At present, a default install of security/openvpn will results in logs to two files:

/var/log/messages
/var/log/daemon.log

Although disk space is not an issue in this, I prefer to keep OpenVPN logs in one file, and not duplicated. It also reduces the “noise” in /var/log/messages.

It not trivial (or perhaps possible, show me how) to stop these duplicate. I would prefer a better way.

Last night, I thought: why not change the code? It can’t be that hard.

Let’s look at the OpenVPN code.

The syslog open

I found this around line 475 of src/openvpn/error.c:

void
open_syslog(const char *pgmname, bool stdio_to_null)
{
#if SYSLOG_CAPABILITY
    if (!msgfp && !std_redir)
    {
        if (!use_syslog)
        {
            pgmname_syslog = string_alloc(pgmname ? pgmname : PACKAGE, NULL);
            openlog(pgmname_syslog, LOG_PID, LOG_OPENVPN);
            use_syslog = true;

That openlog call, I see it defined on the man page as:

openlog(const char *ident, int logopt, int facility);

facility. Right there.

What is LOG_OPENVPN defined as?

[11:30 pkg01 dvl ~/ports/head/security/openvpn/work/openvpn-2.6.19] % grep -r LOG_OPENVPN * 
src/openvpn/error.c:#ifndef LOG_OPENVPN
src/openvpn/error.c:#define LOG_OPENVPN LOG_DAEMON
src/openvpn/error.c:            openlog(pgmname_syslog, LOG_PID, LOG_OPENVPN);

Looking again in the same file, I find:

#ifndef LOG_OPENVPN
#define LOG_OPENVPN LOG_DAEMON
#endif

That’s it. It also seems if it’s already defined, it will use that definition, not LOG_DAEMON

When running my grep for LOG_DAEMON, I was fortunate that I did that from the port directory. Which meant I also found this::

[11:32 pkg01 dvl ~/ports/head/security/openvpn] % grep LOG_OPENVPN *   
Makefile:.ifdef (LOG_OPENVPN)
Makefile:CFLAGS+=		-DLOG_OPENVPN=${LOG_OPENVPN}
Makefile:.ifdef (LOG_OPENVPN)
Makefile:	@${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
Makefile:	@${ECHO} "      LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
Makefile:	@${ECHO} "      EXAMPLE:  make LOG_OPENVPN=LOG_LOCAL6"

Well, that’s interesting.

Rebuilding openvpn

Let’s try adding this to /usr/local/etc/poudriere.d/make.conf:

# can I build openvpn to use syslog with something other than facility=daemon
# re: https://cgit.freebsd.org/ports/tree/security/openvpn/Makefile#n125
LOG_OPENVPN=LOG_LOCAL6

Then I rebuilt:

[11:45 pkg01 dvl /usr/local/etc/poudriere.d] % sudo poudriere bulk -j 150amd64 -p default -z primary -C security/openvpn

Checking the log, I found:

/usr/bin/sed -i.bak 's/-Wsign-compare/-Wno-unknown-warning-option -Wno-sign-compare -Wno-bitwise-instead-of-logical -Wno-unused-function/' /wrkdirs/usr/ports/security/openvpn/work/openvpn-2.6.19/configure
Building with LOG_OPENVPN=LOG_LOCAL6
configure: loading site script /usr/ports/Templates/config.site

On the server

I was testing this on my OpenVPN server. I made these changes to /etc/syslog.conf:

[11:51 gw01 dvl ~] % diff -ruN /etc/syslog.conf~ /etc/syslog.conf
--- /etc/syslog.conf~	2026-03-13 18:57:56.000000000 +0000
+++ /etc/syslog.conf	2026-03-15 11:48:24.178756000 +0000
@@ -5,7 +5,7 @@
 #	may want to use only tabs as field separators here.
 #	Consult the syslog.conf(5) manpage.
 *.err;kern.warning;auth.notice;mail.crit		/dev/console
-*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local3.none	/var/log/messages
+*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local3.none;local6.none	/var/log/messages
 security.*					/var/log/security
 auth.info;authpriv.info				/var/log/auth.log
 mail.info					/var/log/maillog

Specifically, I added ;local6.none to that line. FYI, I use local3 for ddclient logging.

Then, I created this file: /usr/local/etc/syslog.d/openvpn.conf

local6.*		/var/log/openvpn.log

With those changes in place, I restarted syslogd to pick up those changes:

[11:49 gw01 dvl /usr/local/etc/syslog.d] % sudo service syslogd restart
Stopping syslogd.
Waiting for PIDS: 1651.
Starting syslogd.

Next, I cleared local package cache for the openvpn packages. The new package I built had no change to PORTVERSION, PORTREVISION, or to OPTIONS. Thus, it would not automatically be seen as an upgrade. The lack of a locally cached copy of the package would force a download.

[11:50 gw01 dvl ~] % sudo rm /var/cache/pkg/openvpn-*

The install:

[11:51 gw01 dvl ~] % sudo pkg install -f openvpn
Updating local repository catalogue...
local repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
	openvpn-2.6.19 [local]

Number of packages to be reinstalled: 1

639 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching openvpn-2.6.19: 100%   639 KiB 654.2 kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Reinstalling openvpn-2.6.19...
===> Creating groups
Using existing group 'openvpn'
===> Creating users
Using existing user 'openvpn'
[1/1] Extracting openvpn-2.6.19: 100%
=====
Message from openvpn-2.6.19:

--
Note that OpenVPN now configures a separate user and group "openvpn",
which should be used instead of the NFS user "nobody"
when an unprivileged user account is desired.

It is advisable to review existing configuration files and
to consider adding/changing user openvpn and group openvpn.

After a restart, which is sometimes risky (at least in my mind) given the host is at the other end of town:

[11:51 gw01 dvl ~] % sudo service openvpn restart
Stopping openvpn.
Waiting for PIDS: 1533.
Starting openvpn.

However, despite my concerns about restarting OpenVPN, logging to /var/log/messages and to /var/log/daemon.log stoped. OpenVPN was logging only to one file: /var/log/openvpn.log

Success.

Log rotation

This is how I do log rotation:

[12:34 gw01 dvl ~] % cat /usr/local/etc/newsyslog.conf.d/openvpn.conf 
# Only .conf files /usr/local/etc/newsyslog.conf.d/ are pulled in by newsyslog
#

# logfilename                       [owner:group]   mode count size when   flags [/pid_file] [sig_num]
/var/log/openvpn.log                root:logcheck   640  50    *    $D0    B

Lastly

Despite the title of this bog post, there was no hacking of code, although that was my intention when I start writing.

That logging knob has been there since at least 2009, based on my reading of this commit.

Thank you for coming to my TED talk.

2026-03-14 16:27:42 UTC

Anyone who knows me will tell you I’m a car guy. And any car guy (as opposed to a Porsche guy or a Corvette guy or a Miata guy) will tell you that every car guy ought to have owned an Alfa Romeo. The problem is that in order to have owned an Alfa Romeo, you must first own an Alfa Romeo; and then, presumably, either you get rid of it or it gets rid of you, or you both get rid of each other. And until today, I had not yet owned an Alfa Romeo.

This afternoon, I graduated from “has not yet owned an Alfa Romeo” to “currently owns an Alfa Romeo”. Specifically, a 2007 Alfa Romeo 147 1.6 TS. At some point in the future, I will move on from “currently owns an Alfa Romeo” to “has owned an Alfa Romeo”, thereby completing my car guy journey; but that will take a lot of work and a bit of money, although in theory I should be able to flip it for a decent profit.

Yes, it’s red, and yes, it has little Italian flags all over.

Currently planned work:

Install “24h Le Mans” sticker on trunk lid for immediate 5 bhp boost
Change all fluids and filters
Replace rear wiper blade
Polish headlights
Investigate lifter tick
Replace clutch pump and / or follower and / or hydraulic line
Replace passenger side window regulator
Replace driver side window and mirror controls
Replace trunk lid lock actuator
Fix driver’s seat release
Fix or replace various bits of interior trim
Replace gear shift lever knob, possibly with a shorter one
Replace whip antenna with either bee sting or shark fin

Maybe I’ll even remember to post updates.

Update: 5 bhp boost unlocked

Close-up of the trunk lid of a red Alfa Romeo 147 1.6 TS sporting a white decal showing the outline of the Circuit de la Sarthe with the text “24h Le Mans”.

Update: of course my Italian car has electrical gremlins.

Inside view of the raised trunk lid of my Alfa Romeo 147 with the lining removed. The trunk lock is disconnected and black and red multimeter probes are inserted into the plug. I am holding the multimeter in my left hand; it is set to 20 V and the display is showing12.04.

Update 2026-03-16: I had low washer nozzle pressure and assumed the pump might need changing. Only after ordering a replacement pump from a breaker did I realize that the real issue was that the washer hose was getting pinched when I closed the hood. Cutting the cable ties that tied it to the hood strut solved the issue.

View of the front of a red Alfa Romeo 147 from right above / next to the passenger window. The hood is open and there are traces of washer fluid on it. A multimeter is propped up against the hood so that it is visible from the driver's seat. A ratchet is lying on top of the engine, which is visible through the gap between the rear edge of the open hood and the body.

Update 2026-03-19: It passed inspection today, with a slew of minor defects but little I wasn’t already aware of and nothing I can’t fix.

2026-03-14 13:06:15 UTC

In a recent blog post, I showed you how I was taking my websites into maintenance mode. Shortly afterwards, I wrote about how using $server_name can have odd consequences. Today, I’m writing about the script I just created which will create those maintenance.html files.

In this post:

FreeBSD 15.0
nginx 1.28.2
bourne shell

The script

This is the script:

[12:17 r720-02-proxy01 dvl /usr/local/www/offline] % cat ~/bin/offline
#!/bin/sh

# Usage: ~/bin/offline foo.bar "$(date -R -v +2H)"
# see -v option on man date: [y|m|w|d|H|M|S]

website=$1
retryafter=$2

OFFLINE_DIR="/usr/local/www/offline"

# slight santization
hostname=$(basename $website)

tmpfile=$(mktemp /tmp/offline.XXXXXX)

cat << EOF >> $tmpfile
html>
<head>
<title>Error 503 Service Unavailable</title>
</head>
<body>
<h1>503 Service Unavailable</h1>
<p>Server is offline for maintenance.</p>
<p>Please retry after ${retryafter}</p>
</body>
</html>
EOF

cat $tmpfile

sudo chown root:wheel $tmpfile
sudo chmod 0644       $tmpfile

sudo mv -i $tmpfile "${OFFLINE_DIR}/${hostname}-maintenance.html"

rm -f $tmpfile

Yes, the rm is not necessary, since the file has already been moved.

To invoke the script, I do something like this:

% ~/bin/offline dev.freshports.org "$(date -R -v +2H)"
html>
<head>
<title>Error 503 Service Unavailable</title>
</head>
<body>
<h1>503 Service Unavailable</h1>
<p>Server is offline for maintenance.</p>
<p>Please retry after Sat, 14 Mar 2026 14:20:59 +0000</p>
</body>
</html>

In the command, I’m saying it will be offline for two hours.

In my browser, I see this:

503 Service Unavailable

Server is offline for maintenance.

Please retry after Sat, 14 Mar 2026 14:20:59 +0000

With wget, I see:

[12:23 nagios04 dvl ~/tmp] % wget -S https://dev.freshports.org
--2026-03-14 12:24:14--  https://dev.freshports.org/
Resolving dev.freshports.org (dev.freshports.org)... 173.228.145.171, 2610:1c0:2000:11:8870:201b:27b5:f4f2
Connecting to dev.freshports.org (dev.freshports.org)|173.228.145.171|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 503 Service Temporarily Unavailable
  Server: nginx/1.28.2
  Date: Sat, 14 Mar 2026 12:24:14 GMT
  Content-Type: text/html
  Content-Length: 223
  Connection: keep-alive
  ETag: "69b55317-df"
  Retry-After: 120
2026-03-14 12:24:14 ERROR 503: Service Temporarily Unavailable.

If you check carefully, you’ll see there is a Retry-After in the headers. That differs from the message within the webpage. Why?

Why?

The webpage is constructed from that offline script and is a string in the webpage. Ideally, both that and the header would show the same value. However, I don’t know how to easily do that yet.

Where does the header come from?

I recently modified the nginx configuration for this website. The new bit is the add_header as seen below. The always tag needs to be there. The docs mention it, but I didn’t pick it up. It took a blog post by Claudio Kuenzlerfor me to add it in.

  # but wait, there's more!
  location @maintenance {
    rewrite ^(.*)$ /${maint} break;
    add_header Retry-After "120" always;
  }

It would be nice to update the website configuration to adjust the “120” value to match the webpage.

That sounds like an Ansible solution.

Going back online

Going back online involves removing the file. I figure that’s easy enough to not need a script.

2026-03-13 14:15:05 UTC

I recently implemented a fun (to me) and easy solution for taking my web proxy websites offline, either one-by-one, or all-at-once. Today’s post talks about some of the repercussions which followed one-new-thing I tried.

In this post:

FreeBSD 15.0
nginx 1.28.2
I jump between testing the test host and stage host; both had similar issues.

The relevant changes

This is the type of change I started to do. Instead of putting the hostname in the log or certificate declarations, I started using an Nginx variable. Here is a psudeo-diff, based on an ansible template.

-  ssl_certificate_key /usr/local/etc/ssl/{{ item.value.website }}.key;
+  ssl_certificate_key /usr/local/etc/ssl/${server_name}.key;

Once on disk, the actual nginx configuration file changed like this. I’ll do this as a before and after:

This is a snippet of the nginx configuration for the proxy host which sits in front of dev.freshports.org:

...
  server_name dev.freshports.org;
...
  # the logs
  error_log  /var/log/nginx/dev.freshports.org.error.log  info;
  access_log /var/log/nginx/dev.freshports.org.access.log combined;

  # the certificate and key specific to this host.
  ssl_certificate     /usr/local/etc/ssl/dev.freshports.org.fullchain.cer;
  ssl_certificate_key /usr/local/etc/ssl/dev.freshports.org.key;

As you can see, the name dev.freshports.org occurs 5 times. The clever idea I had: don’t use the same hard-coded text N times. Declare it once. Use the variable. This is especially applicable to this situation because this file is actually derived from a template and is used for other websites as well. Why not? It might work. Let’s try it.

So we then had this configuration:

...
  server_name dev.freshports.org;
...
  error_log  /var/log/nginx/${server_name}.error.log  info;
  access_log /var/log/nginx/${server_name}.access.log combined;

  ssl_certificate     /usr/local/etc/ssl/${server_name}.fullchain.cer;
  ssl_certificate_key /usr/local/etc/ssl/${server_name}.key;

The service nginx configtest past, the restart worked. Off we go!

Some time later…

I did some testing, taking the websites offline, etc. All that worked fine.

The next day, I noticed several issues in monitoring: “(Return code of 139 is out of bounds)”

I tried testing (on my phone, with WIFI off, so that I hit the proxy and didn’t bypass it by being on my local network), I would get

Safari can’t open the page because it couldn’t establish a secure connection to the server.

logcheck was also spitting out this type of message:

Mar 12 20:03:46 nagios04 kernel: pid 9423 (check_http), jid 0, uid 181: exited on signal 11 (no core dump - other error)
Mar 12 20:03:47 nagios04 kernel: pid 9425 (check_http), jid 0, uid 181: exited on signal 11 (no core dump - other error)
Mar 12 20:03:51 nagios04 kernel: pid 9427 (check_http), jid 0, uid 181: exited on signal 11 (no core dump - other error)

That prompted me to get onto nagios04 and see what was going on.

Trying nagios checks by hand

I wanted to see what Nagios was seeing, so I tried this:

[19:45 nagios04 dvl /usr/local/etc/nagiosql] % /usr/local/libexec/nagios/check_http -H stage.freshports.org -4
HTTP OK: HTTP/1.1 200 OK - 250560 bytes in 0.795 second response time |time=0.795270s;;;0.000000 size=250560B;;;0

Meaning http was good. Let’s try https:

[19:45 nagios04 dvl /usr/local/etc/nagiosql] % /usr/local/libexec/nagios/check_http -H stage.freshports.org -S -p 443 -C 25 -4 --sni 
CRITICAL - Cannot make SSL connection.
10300596361A0000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal 
error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:916:SSL alert number 80
zsh: segmentation fault  /usr/local/libexec/nagios/check_http -H stage.freshports.org -S -p 443 -C 25

Ouch. Searching for that SSL alert number 80 did not help. In hindsight, I should have paid more attention to the CRITICAL – Cannot make SSL connection part of the output.

There’s that alert number 80 again.

I kept mucking about with that for a while. And didn’t really get anywhere.

Let’s try more non-nagios stuff on the command line.

Other command line explorations

Hmm. Let’s go to wget:

[11:38 nagios04 dvl ~/tmp] % wget -S test.freshports.org        
Prepended http:// to 'test.freshports.org'
--2026-03-13 11:38:22--  http://test.freshports.org/
Resolving test.freshports.org (test.freshports.org)... 173.228.145.171, 2610:1c0:2000:11:8870:201b:27b5:f4f2
Connecting to test.freshports.org (test.freshports.org)|173.228.145.171|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Server: nginx/1.28.2
  Date: Fri, 13 Mar 2026 11:38:23 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  X-Powered-By: PHP/8.3.30
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                                [   <=>                                                                  ] 285.58K   496KB/s    in 0.6s    

2026-03-13 11:38:23 (496 KB/s) - ‘index.html’ saved [292431]

All good. Next, try https:

[11:38 nagios04 dvl ~/tmp] % wget -S https://test.freshports.org
--2026-03-13 11:41:27--  https://test.freshports.org/
Resolving test.freshports.org (test.freshports.org)... 173.228.145.171, 2610:1c0:2000:11:8870:201b:27b5:f4f2
Connecting to test.freshports.org (test.freshports.org)|173.228.145.171|:443... connected.
OpenSSL: error:0A000438:SSL routines::tlsv1 alert internal error
Unable to establish SSL connection.

tlsv1? Am I using that on my proxy?

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

Well, yes, I am. I changed that to:

  ssl_protocols TLSv1.2 TLSv1.3;

Then restarted nginx.

No difference. Am I using TLSv1 on the real server, the one behind the proxy? That wouldn’t matter because wget is not talking to that.

So WTF is going on?

openssl time:

[20:27 nagios04 dvl ~/tmp] % openssl s_client -connect stage.freshports.org:443 -servername stage.freshports.org -4 -showcerts
Connecting to 173.228.145.171
CONNECTED(00000003)
1090C55AFA340000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:916:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
Negotiated TLS1.3 group: 
---
SSL handshake has read 7 bytes and written 1553 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Again, I missed clues that might have led me to the cause sooner.

Always monitor the logs

I should have done this sooner. I should have checked the logs. Looking at this, I saw nothing. Nothing. At All.

Now I changed to using the test host.

[11:46 r720-02-proxy01 dvl ~] % xtail /var/log/nginx/test.freshports.org.*

I keep fetching pages, but nothing appeared in that log.

I went a little wider on my search:

[11:48 r720-02-proxy01 dvl ~] % xtail /var/log/nginx/
*** /var/log/nginx//${server_name}.error.log ***
2026/03/13 11:51:14 [error] 18612#101892: *469 cannot load certificate key "/usr/local/etc/ssl/test.freshports.org.key": BIO_new_file() failed (SSL: error:8000000D:system library::Permission denied:calling fopen(/usr/local/etc/ssl/test.freshports.org.key, r) error:10080002:BIO routines::system lib) while SSL handshaking, client: 203.0.113.46, server: 173.228.145.171:443

that’s not writing to the expected file
permission issues?

[11:51 r720-02-proxy01 dvl ~] % ls -l /usr/local/etc/ssl/test.freshports.org.key
-rw-------  1 root wheel 1679 2018.09.18 13:06 /usr/local/etc/ssl/test.freshports.org.key

nginx has always been able to read this before. Let’s try this daring change:

[11:52 r720-02-proxy01 dvl /usr/local/etc/ssl] % sudo chgrp www test.freshports.org.key                   
[11:52 r720-02-proxy01 dvl /usr/local/etc/ssl] % sudo chmod g=r test.freshports.org.key
[11:52 r720-02-proxy01 dvl /usr/local/etc/ssl] % ls -l test.freshports.org.key
-rw-r-----  1 root www 1679 2018.09.18 13:06 test.freshports.org.key

Now nginx should be able to read that key.

Testing again:

[11:53 nagios04 dvl ~/tmp] % wget -S https://test.freshports.org/
--2026-03-13 11:54:25--  https://test.freshports.org/
Resolving test.freshports.org (test.freshports.org)... 173.228.145.171, 2610:1c0:2000:11:8870:201b:27b5:f4f2
Connecting to test.freshports.org (test.freshports.org)|173.228.145.171|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Server: nginx/1.28.2
  Date: Fri, 13 Mar 2026 11:54:26 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  X-Powered-By: PHP/8.3.30
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
Length: unspecified [text/html]
Saving to: ‘index.html.1’

index.html.1                              [   <=>                                                                  ] 285.58K   629KB/s    in 0.5s    

2026-03-13 11:54:26 (629 KB/s) - ‘index.html.1’ saved [292431]

[11:54 nagios04 dvl ~/tmp] %

So that problem is “fixed”.

Let’s check with openssl:

[20:27 nagios04 dvl ~/tmp] % openssl s_client -connect stage.freshports.org:443 -servername stage.freshports.org -4 -showcerts
Connecting to 173.228.145.171
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R13
verify return:1
depth=0 CN=stage.freshports.org
verify return:1
---
Certificate chain
 0 s:CN=stage.freshports.org
   i:C=US, O=Let's Encrypt, CN=R13
   a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Jan 31 17:35:14 2026 GMT; NotAfter: May  1 17:35:13 2026 GMT
-----BEGIN CERTIFICATE-----
MIIFDDCCA/SgAwIBAgISBjTyQhJ1Qw1yypiKRRJGZuiMMA0GCSqGSIb3DQEBCwUA
MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
EwNSMTMwHhcNMjYwMTMxMTczNTE0WhcNMjYwNTAxMTczNTEzWjAfMR0wGwYDVQQD
ExRzdGFnZS5mcmVzaHBvcnRzLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBANGjB5rJS9pilMQ2sHJ/v8GZ90tFcaUpP0QTnxWvXrrtyg22AR3ODR65
EGvEbSEBAFVsoMR7thSZL1dZ5D7x3AvB+OjLVnK8KGQ/kuR85qSmNq+a/GxvcNKA
HG5xt9aIGZpii+XKOyhlPMbVHFEeVuh1d+oeTdb0+/ul49rLMtXBA3/FlOXkp46w
3kZLH8tTWrj6kXMqiUKPwhuex50tQHuW//WYqXACjXT2EN1ct105ng6WJkH1FuoB
R0s+EaeArdHQzz/bX4ijJCK/RWaoRrOe2fW69RYVmHT347CXqu4TrASffo9ubq4R
ViRkoSOHUs1zjGHO2WE2w+26ShTIeE8CAwEAAaOCAiwwggIoMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw
ADAdBgNVHQ4EFgQUEDI7MQFLUoqoRUzvhEBy0lhyKCAwHwYDVR0jBBgwFoAU56uf
DywzoFPTXk94yLKEDjvWkjMwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzAChhdo
dHRwOi8vcjEzLmkubGVuY3Iub3JnLzAfBgNVHREEGDAWghRzdGFnZS5mcmVzaHBv
cnRzLm9yZzATBgNVHSAEDDAKMAgGBmeBDAECATAuBgNVHR8EJzAlMCOgIaAfhh1o
dHRwOi8vcjEzLmMubGVuY3Iub3JnLzEzLmNybDCCAQwGCisGAQQB1nkCBAIEgf0E
gfoA+AB1AJaXZL9VWJet90OHaDcIQnfp8DrV9qTzNm5GpD8PyqnGAAABnBVVG3AA
AAQDAEYwRAIgWEAPKdcqhnu1euGcusHalXmiffO0mcXgSLMHLpM/zi4CIBzJkQ3D
1P1CGplj9/9Gedi4RLPg4hRB19HqqcLM6b5MAH8Apcl4kl1XRheChw3YiWYLXFVk
i30AQPLsB2hR0YhpGfcAAAGcFVUmNwAIAAAFADC1Xt8EAwBIMEYCIQDdemoylksD
1x9+S0e/H17rnEP8ZjDbHuKq21N6VprhrQIhAPNlewYay/bOOZF2ncgX5S7wKvQO
nelQosbZ8N5E7o3hMA0GCSqGSIb3DQEBCwUAA4IBAQCLEyqL71emur08DF6IrFZU
iF+ahfVV/PkVh/6pBtu9wCF/gI1j7R7un5tpZQCnrUfOU6L6/DqRfyxe5PW8BGGH
aTt5MFn7VDZ4lqwngSFFKochXf4GMVeADUBUGMyLSgsOZLxQrMm6+PRNS6u21aBK
OsuWsqC6hKtvZyiXALm1wj4vQLl9lshoB2Y3fEqFKZNJKj9fmA3g2a6sDrjHc9Ny
OkiaWker09nJWfAEdIidchu/2m16201CWpXN7wf3ZXpJNMKBqkn0+mc4XWVTRl8t
oVm+gNWfmAwousv9OWVF+PURt5HOYXYF8cBEZ+kSk41FiizSnksoHf4Qu8WK/NT+
-----END CERTIFICATE-----
 1 s:C=US, O=Let's Encrypt, CN=R13
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
MIIFBTCCAu2gAwIBAgIQWgDyEtjUtIDzkkFX6imDBTANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa
Fw0yNzAzMTIyMzU5NTlaMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF
bmNyeXB0MQwwCgYDVQQDEwNSMTMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQClZ3CN0FaBZBUXYc25BtStGZCMJlA3mBZjklTb2cyEBZPs0+wIG6BgUUNI
fSvHSJaetC3ancgnO1ehn6vw1g7UDjDKb5ux0daknTI+WE41b0VYaHEX/D7YXYKg
L7JRbLAaXbhZzjVlyIuhrxA3/+OcXcJJFzT/jCuLjfC8cSyTDB0FxLrHzarJXnzR
yQH3nAP2/Apd9Np75tt2QnDr9E0i2gB3b9bJXxf92nUupVcM9upctuBzpWjPoXTi
dYJ+EJ/B9aLrAek4sQpEzNPCifVJNYIKNLMc6YjCR06CDgo28EdPivEpBHXazeGa
XP9enZiVuppD0EqiFwUBBDDTMrOPAgMBAAGjgfgwgfUwDgYDVR0PAQH/BAQDAgGG
MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAGAQH/
AgEAMB0GA1UdDgQWBBTnq58PLDOgU9NeT3jIsoQOO9aSMzAfBgNVHSMEGDAWgBR5
tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKG
Fmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0gBAwwCjAIBgZngQwBAgEwJwYD
VR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzANBgkqhkiG9w0B
AQsFAAOCAgEAUTdYUqEimzW7TbrOypLqCfL7VOwYf/Q79OH5cHLCZeggfQhDconl
k7Kgh8b0vi+/XuWu7CN8n/UPeg1vo3G+taXirrytthQinAHGwc/UdbOygJa9zuBc
VyqoH3CXTXDInT+8a+c3aEVMJ2St+pSn4ed+WkDp8ijsijvEyFwE47hulW0Ltzjg
9fOV5Pmrg/zxWbRuL+k0DBDHEJennCsAen7c35Pmx7jpmJ/HtgRhcnz0yjSBvyIw
6L1QIupkCv2SBODT/xDD3gfQQyKv6roV4G2EhfEyAsWpmojxjCUCGiyg97FvDtm/
NK2LSc9lybKxB73I2+P2G3CaWpvvpAiHCVu30jW8GCxKdfhsXtnIy2imskQqVZ2m
0Pmxobb28Tucr7xBK7CtwvPrb79os7u2XP3O5f9b/H66GNyRrglRXlrYjI1oGYL/
f4I1n/Sgusda6WvA6C190kxjU15Y12mHU4+BxyR9cx2hhGS9fAjMZKJss28qxvz6
Axu4CaDmRNZpK/pQrXF17yXCXkmEWgvSOEZy6Z9pcbLIVEGckV/iVeq0AOo2pkg9
p4QRIy0tK2diRENLSF2KysFwbY6B26BFeFs3v1sYVRhFW9nLkOrQVporCS0KyZmf
wVD89qSTlnctLcZnIavjKsKUu1nA1iU0yYMdYepKR7lWbnwhdx3ewok=
-----END CERTIFICATE-----
---
Server certificate
subject=CN=stage.freshports.org
issuer=C=US, O=Let's Encrypt, CN=R13
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Peer Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 3135 bytes and written 1711 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4BB275378AD476904EA073B09E7450AB781E2AE79FEA3FEBD8CC1FC96FEA4113
    Session-ID-ctx: 
    Master-Key: 1A677D11EDD6F41A39FB7138B9C53708DA9A57AA4A5B54EF705EC0B77952AC44B41793F4D128A7A754DFA998411A5935
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1773347304
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

Yes, that is greatly improved.

But wait, the logs

That wget above created this log entry (slightly reformatted for easier reading):

2026/03/13 11:54:26 [crit] 18611#133911: *681 open() "/var/log/nginx/test.freshports.org.access.log" failed (13: Permission denied) while logging 
request, client: 203.0.113.46, server: test.freshports.org, request: "GET / HTTP/1.1", upstream: "https://10.55.0.42:443/", host: 
"test.freshports.org"

The next issue: nginx cannot write to the logs. Like the certificate key, this was not a problem before the configuration change. These are the log files:

[12:00 r720-02-proxy01 dvl ~] % ls -l /var/log/nginx/test.freshports.org.*.log
-rw-r--r--  1 root wheel 12386576 2026.03.12 14:03 /var/log/nginx/test.freshports.org.access.log
-rw-r--r--  1 root wheel  5211625 2026.03.12 14:03 /var/log/nginx/test.freshports.org.error.log

Let’s this this “solution”:

[12:00 r720-02-proxy01 dvl /var/log/nginx] % sudo chgrp www test.freshports.org.access.log test.freshports.org.error.log
[12:00 r720-02-proxy01 dvl /var/log/nginx] % sudo chmod g=rw test.freshports.org.access.log test.freshports.org.error.log
[12:00 r720-02-proxy01 dvl /var/log/nginx] % ls -l test.freshports.org.access.log test.freshports.org.error.log
-rw-rw-r--  1 root www 12386576 2026.03.12 14:03 test.freshports.org.access.log
-rw-rw-r--  1 root www  5211625 2026.03.12 14:03 test.freshports.org.error.log

Those changes did not fix the logging problem. The errors persisted.

What did “fix” it was this:

[12:07 r720-02-proxy01 dvl ~] % ls -ld /var/log/nginx
drwxr-x---  2 root wheel 259 2026.03.11 16:29 /var/log/nginx/
[12:07 r720-02-proxy01 dvl ~] % sudo chgrp www /var/log/nginx
[12:07 r720-02-proxy01 dvl ~] % ls -ld /var/log/nginx        
drwxr-x---  2 root www 259 2026.03.11 16:29 /var/log/nginx/
[12:07 r720-02-proxy01 dvl ~] %

However, that “broke” my personal log monitoring because I was no longer able to view what was in there (because of the group change from wheel to www above):

[12:08 r720-02-proxy01 dvl /var/log/nginx] % xtail /var/log/nginx//test.freshports.org.*.log     
zsh: no matches found: /var/log/nginx//test.freshports.org.*.log

I could do this:

[12:09 r720-02-proxy01 dvl /var/log/nginx] % sudo xtail /var/log/nginx/test.freshports.org.{access,error}.log 
203.0.113.46 - - [13/Mar/2026:12:10:32 +0000] "GET / HTTP/1.1" 200 292547 "-" "Wget/1.25.0"

My theory on why this happens

I think the .key file problems are related to the dropping of priviledges by nginx. In my previous configuration (before I used $server_name), nginx starts as root, gets access to the file, then drops to the user www.

So why is this a problem when using ${server_name} in the path to the files? My theory is the directive is evaluated when the path is needed, not at startup. By that time, the process no longer has access to that file, because it is running as www.

I also suspect the log file problems are similar in nature.

In short, I think it is evaluated on every request, not at startup. That is why the failures occur.

Changes for good

I have reversed the chmod and chgrp changes I made above when trying to “fix” the problems.

I have reverted my configuration files to not use ${server_name}.

2026-03-11 12:56:13 UTC

From time to time, I need to take an nginx webserver or website offline for whatever reason. I might be migrating the database behind the website, the hardware might be powered off for work, etc.

In my case, these points might help you follow along with what I’m doing:

FreeBSD 15
nginx-1.28.2
there is an nginx proxy in front of the website – this nginx instance has no real content; it uses proxy_pass to get content from other nginx instances
I might want to take all the websites offline, or just one – so far, my solution is based on a website-by-website

Sample website configuration

This is a slightly simplified version of a website on the proxy nginx instance:

# As taken from http://kcode.de/wordpress/2033-nginx-configuration-with-includes

server {
  listen 10.0.0.29:80;
  listen 10.0.0.29:443 ssl;
  http2 on;

  # this has stuff like ssl_protocols, ssl_ciphers, etc
  include /usr/local/etc/nginx/includes/ssl-common.inc;

  # this server is a proxy for this host:
  server_name dev.freshports.org;

  # the logs - I should put ${server_name} in there:
  error_log  /var/log/nginx/dev.freshports.org.error.log  info;
  access_log /var/log/nginx/dev.freshports.org.access.log combined;

  # the certificate and key specific to this host. Again, ${server_name} might be useful here
  ssl_certificate     /usr/local/etc/ssl/dev.freshports.org.fullchain.cer;
  ssl_certificate_key /usr/local/etc/ssl/dev.freshports.org.key;

  # take the content from this backend server, which (otherwise) is not publicly available.
  location / {
    proxy_pass https://dev-freshports.int.unixathome.org/;

    include /usr/local/etc/nginx/includes/proxy_set_header.inc;
  }
}

Every proxy server looks like that. Just change the server name. Imagine file for both test.freshports.org and stage.freshports.org ; they look very similar.

Allowing for maintenance

I think my inspiration for this solution came from this ServerFault post.

This is what I have for test.freshports.org. I have already implemented the maintenance solution over here.

The added lines are highlighted.

# As taken from http://kcode.de/wordpress/2033-nginx-configuration-with-includes
server {
  listen 10.0.0.29:80;
  listen 10.0.0.29:443 ssl;
  http2 on;

  # this has stuff like ssl_protocols, ssl_ciphers, etc
  include /usr/local/etc/nginx/includes/ssl-common.inc;

  # this server is a proxy for this host:
  server_name test.freshports.org;

  # this directory is usually empty - content is served from here only if the site is in maintenance mode
  root        /usr/local/www/offline;

  # the logs - I should put ${server_name} in there:
  error_log  /var/log/nginx/test.freshports.org.error.log  info;
  access_log /var/log/nginx/test.freshports.org.access.log combined;

  # the certificate and key specific to this host. Again, ${server_name} might be useful here
  ssl_certificate     /usr/local/etc/ssl/test.freshports.org.fullchain.cer;
  ssl_certificate_key /usr/local/etc/ssl/test.freshports.org.key;

  error_page 503 @maintenance;

  # if this file exists, we are in maintenance mode
  if (-f $document_root/${server_name}-maintenance.html) {
    return 503;
  }

  # take the content from this backend server, which (otherwise) is not publicly available.
  location / {
    proxy_pass https://test-freshports.int.unixathome.org/;

    include /usr/local/etc/nginx/includes/proxy_set_header.inc;
  }

  # when in maintenance mode, provide this file to the user
  location @maintenance {
    rewrite ^(.*)$ /${server_name}-maintenance.html break;
  }

}

The first set of new lines looks for a file on disk – if it exists, the site is in maintenance mode.

Putting a site into maintenance mode

To put test.freshports.org into maintenance mode, I create this file:

[12:45 r720-02-proxy01 dvl /usr/local/www/offline] % cat test.freshports.org-maintenance.html     
<html>
<head>
<title>Error 503 Service Unavailable</title>
</head>
<body>
<h1>503 Service Unavailable</h1>
Server is offline for maintenance.
</body>
</html>
</pre>

When that file exists, the backend website is never contacted and only the above file is presented to the user, regardless of what content they are requesting.

To take the host out of maintenance, remove the file. Or rename it, say to test.freshports.org-maintenance.html.disabled

Future work

I want to make more use of ${server_name} in my proxy hosts.

I want a script to create the *-maintenance.html and include:

The time the site went into maintenance
The expected maintenance duration

I would also like to include a Retry-After header, but I think that requires more than just simple HTML.

Add an option to take all the websites offline at once. Perhaps with a all-sites.html file.

The future is now: Using more variables and global off-line

I added this section after first publishing the post.

Here is the configuration for dev.freshports.org which uses more ${server_name} and allows me to take all the websites offline. Which would be great right now, because the power is out at home (they are replacing poles nearby). Inspiration for the global solution came from Nginx implements the AND, OR multiple judgment in the IF statement.

If either files exists, it goes into maintenance mode:

${document_root}/${server_name}-maintenance.html
$document_root/site-wide-maintenance.html

The site-wide file always takes priority, in terms of what is displayed to the user.

The newly added code (highlighted below) checks for each file, and then displays the last-one found to the user.

NOTE: Do not use ${server_name} in the logs and certs – a future blog post will explain and will be linked from here when it exists.

# As taken from http://kcode.de/wordpress/2033-nginx-configuration-with-includes

include /usr/local/etc/nginx/includes/blocked_IP.inc;

server {
  listen 10.0.0.29:80;
  listen 10.0.0.29:443 ssl;
  http2 on;

  # this has stuff like ssl_protocols, ssl_ciphers, etc
  include /usr/local/etc/nginx/includes/ssl-common.inc;

  # this server is a proxy for this host:
  server_name dev.freshports.org;

  # this directory is usually empty - content is served from here only if the site is in maintenance mode
  root        /usr/local/www/offline;

  # the logs
  error_log  /var/log/nginx/${server_name}.error.log  info;
  access_log /var/log/nginx/${server_name}.access.log combined;

  # the certificate and key specific to this host.
  ssl_certificate     /usr/local/etc/ssl/${server_name}.fullchain.cer;
  ssl_certificate_key /usr/local/etc/ssl/${server_name}.key;

  # The first of the maintenance code.
  error_page 503 @maintenance;

  set $maint '';
  if (-f ${document_root}/${server_name}-maintenance.html) {
    set $maint "${server_name}-maintenance.html";
  }

  if (-f $document_root/site-wide-maintenance.html) {
    set $maint "site-wide-maintenance.html";
  }

  # if either file exists, it's maintenance mode
  # site-wide always takes precedence
  if ($maint != '') {
    return 503;
  }
  # The last of the maintenance code.

  location / {
    proxy_pass https://dev-freshports.int.unixathome.org/;

    include /usr/local/etc/nginx/includes/proxy_set_header.inc;
  }

  # but wait, there's more!
  location @maintenance {
    rewrite ^(.*)$ /${maint} break;
  }

}

I’m confident that this is not the most efficient way to do this (if you were serving millions of pages a day, for example). And if you’re doing that, you have much better proxies in place than I have.

Hope this helps. I’m looking forward to updating Ansible (when the power comes back one) and deploying these changes for all the websites.

2026-03-11 16:20:13 UTC

A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.

Based in Kalamazoo, Michigan, Stryker [NYSE:SYK] is a medical and surgical equipment maker that reported $25 billion in global sales last year. In a lengthy statement posted to Telegram, a hacktivist group known as Handala (a.k.a. Handala Hack Team) claimed that Stryker’s offices in 79 countries have been forced to shut down after the group erased data from more than 200,000 systems, servers and mobile devices.

A manifesto posted by the Iran-backed hacktivist group Handala, claiming a mass data-wiping attack against medical technology maker Stryker.

“All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption,” a portion of the Handala statement reads.

The group said the wiper attack was in retaliation for a Feb. 28 missile strike that hit an Iranian school and killed at least 175 people, most of them children. The New York Times reports today that an ongoing military investigation has determined the United States is responsible for the deadly Tomahawk missile strike.

Handala was one of several hacker groups recently profiled by Palo Alto Networks, which links it to Iran’s Ministry of Intelligence and Security (MOIS). Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.

Stryker’s website says the company has 56,000 employees in 61 countries. A phone call placed Wednesday morning to the media line at Stryker’s Michigan headquarters sent this author to a voicemail message that stated, “We are currently experiencing a building emergency. Please try your call again later.”

A report Wednesday morning from the Irish Examiner said Stryker staff are now communicating via WhatsApp for any updates on when they can return to work. The story quoted an unnamed employee saying anything connected to the network is down, and that “anyone with Microsoft Outlook on their personal phones had their devices wiped.”

“Multiple sources have said that systems in the Cork headquarters have been ‘shut down’ and that Stryker devices held by employees have been wiped out,” the Examiner reported. “The login pages coming up on these devices have been defaced with the Handala logo.”

Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices.

Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently.

Palo Alto says Handala’s hack-and-leak activity is primarily focused on Israel, with occasional targeting outside that scope when it serves a specific agenda. The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploration company.

“Recent observed activities are opportunistic and ‘quick and dirty,’ with a noticeable focus on supply-chain footholds (e.g., IT/service providers) to reach downstream victims, followed by ‘proof’ posts to amplify credibility and intimidate targets,” Palo Alto researchers wrote.

The Handala manifesto posted to Telegram referred to Stryker as a “Zionist-rooted corporation,” which may be a reference to the company’s 2019 acquisition of the Israeli company OrthoSpace.

Stryker is a major supplier of medical devices, and the ongoing attack is already affecting healthcare providers. One healthcare professional at a major university medical system in the United States told KrebsOnSecurity they are currently unable to order surgical supplies that they normally source through Stryker.

“This is a real-world supply chain attack,” the expert said, who asked to remain anonymous because they were not authorized to speak to the press. “Pretty much every hospital in the U.S. that performs surgeries uses their supplies.”

John Riggi, national advisor for the American Hospital Association (AHA), said the AHA is not aware of any supply-chain disruptions as of yet.

“We are aware of reports of the cyber attack against Stryker and are actively exchanging information with the hospital field and the federal government to understand the nature of the threat and assess any impact to hospital operations,” Riggi said in an email. “As of this time, we are not aware of any direct impacts or disruptions to U.S. hospitals as a result of this attack. That may change as hospitals evaluate services, technology and supply chain related to Stryker and if the duration of the attack extends.”

According to a March 11 memo from the state of Maryland’s Institute for Emergency Medical Services Systems, Stryker indicated that some of their computer systems have been impacted by a “global network disruption.” The memo indicates that in response to the attack, a number of hospitals have opted to disconnect from Stryker’s various online services, including LifeNet, which allows paramedics to transmit EKGs to emergency physicians so that heart attack patients can expedite their treatment when they arrive at the hospital.

“As a precaution, some hospitals have temporarily suspended their connection to Stryker systems, including LIFENET, while others have maintained the connection,” wrote Timothy Chizmar, the state’s EMS medical director. “The Maryland Medical Protocols for EMS requires ECG transmission for patients with acute coronary syndrome (or STEMI). However, if you are unable to transmit a 12 Lead ECG to a receiving hospital, you should initiate radio consultation and describe the findings on the ECG.”

This is a developing story. Updates will be noted with a timestamp.

Update, 2:54 p.m. ET: Added comment from Riggi and perspectives on this attack’s potential to turn into a supply-chain problem for the healthcare system.

Update, Mar. 12, 7:59 a.m. ET: Added information about the outage affecting Stryker’s online services.

2026-03-11 00:32:51 UTC

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero-day” flaws this month (compared to February’s five zero-day treat), but as usual some patches may deserve more rapid attention from organizations using Windows. Here are a few highlights from this month’s Patch Tuesday.

Image: Shutterstock, @nwz.

Two of the bugs Microsoft patched today were publicly disclosed previously. CVE-2026-21262 is a weakness that allows an attacker to elevate their privileges on SQL Server 2016 and later editions.

“This isn’t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network,” Rapid7’s Adam Barnett said. “The CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges are required. It would be a courageous defender who shrugged and deferred the patches for this one.”

The other publicly disclosed flaw is CVE-2026-26127, a vulnerability in applications running on .NET. Barnett said the immediate impact of exploitation is likely limited to denial of service by triggering a crash, with the potential for other types of attacks during a service reboot.

It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesn’t disappoint. CVE-2026-26113 and CVE-2026-26110 are both remote code execution flaws that can be triggered just by viewing a booby-trapped message in the Preview Pane.

Satnam Narang at Tenable notes that just over half (55%) of all Patch Tuesday CVEs this month are privilege escalation bugs, and of those, a half dozen were rated “exploitation more likely” — across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server and Winlogon. These include:

–CVE-2026-24291: Incorrect permission assignments within the Windows Accessibility Infrastructure to reach SYSTEM (CVSS 7.8)
–CVE-2026-24294: Improper authentication in the core SMB component (CVSS 7.8)
–CVE-2026-24289: High-severity memory corruption and race condition flaw (CVSS 7.8)
–CVE-2026-25187: Winlogon process weakness discovered by Google Project Zero (CVSS 7.8).

Ben McCarthy, lead cyber security engineer at Immersive, called attention to CVE-2026-21536, a critical remote code execution bug in a component called the Microsoft Devices Pricing Program. Microsoft has already resolved the issue on their end, and fixing it requires no action on the part of Windows users. But McCarthy says it’s notable as one of the first vulnerabilities identified by an AI agent and officially recognized with a CVE attributed to the Windows operating system. It was discovered by XBOW, a fully autonomous AI penetration testing agent.

XBOW has consistently ranked at or near the top of the Hacker One bug bounty leaderboard for the past year. McCarthy said CVE-2026-21536 demonstrates how AI agents can identify critical 9.8-rated vulnerabilities without access to source code.

“Although Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed,” McCarthy said. “This development suggests AI-assisted vulnerability research will play a growing role in the security landscape.”

Microsoft earlier provided patches to address nine browser vulnerabilities, which are not included in the Patch Tuesday count above. In addition, Microsoft issued a crucial out-of-band (emergency) update on March 2 for Windows Server 2022 to address a certificate renewal issue with passwordless authentication technology Windows Hello for Business.

Separately, Adobe shipped updates to fix 80 vulnerabilities — some of them critical in severity — in a variety of products, including Acrobat and Adobe Commerce. Mozilla Firefox v. 148.0.2 resolves three high severity CVEs.

For a complete breakdown of all the patches Microsoft released today, check out the SANS Internet Storm Center’s Patch Tuesday post. Windows enterprise admins who wish to stay abreast of any news about problematic updates, AskWoody.com is always worth a visit. Please feel free to drop a comment below if you experience any issues apply this month’s patches.

2026-03-08 23:35:42 UTC

AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations, while blurring the lines between data and code, trusted co-worker and insider threat, ninja hacker and novice code jockey.

The new hotness in AI-based assistants — OpenClaw (formerly known as ClawdBot and Moltbot) — has seen rapid adoption since its release in November 2025. OpenClaw is an open-source autonomous AI agent designed to run locally on your computer and proactively take actions on your behalf without needing to be prompted.

The OpenClaw logo.

If that sounds like a risky proposition or a dare, consider that OpenClaw is most useful when it has complete access to your digital life, where it can then manage your inbox and calendar, execute programs and tools, browse the Internet for information, and integrate with chat apps like Discord, Signal, Teams or WhatsApp.

Other more established AI assistants like Anthropic’s Claude and Microsoft’s Copilot also can do these things, but OpenClaw isn’t just a passive digital butler waiting for commands. Rather, it’s designed to take the initiative on your behalf based on what it knows about your life and its understanding of what you want done.

“The testimonials are remarkable,” the AI security firm Snyk observed. “Developers building websites from their phones while putting babies to sleep; users running entire companies through a lobster-themed AI; engineers who’ve set up autonomous code loops that fix tests, capture errors through webhooks, and open pull requests, all while they’re away from their desks.”

You can probably already see how this experimental technology could go sideways in a hurry. In late February, Summer Yue, the director of safety and alignment at Meta’s “superintelligence” lab, recounted on Twitter/X how she was fiddling with OpenClaw when the AI assistant suddenly began mass-deleting messages in her email inbox. The thread included screenshots of Yue frantically pleading with the preoccupied bot via instant message and ordering it to stop.

“Nothing humbles you like telling your OpenClaw ‘confirm before acting’ and watching it speedrun deleting your inbox,” Yue said. “I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.”

Meta’s director of AI safety, recounting on Twitter/X how her OpenClaw installation suddenly began mass-deleting her inbox.

There’s nothing wrong with feeling a little schadenfreude at Yue’s encounter with OpenClaw, which fits Meta’s “move fast and break things” model but hardly inspires confidence in the road ahead. However, the risk that poorly-secured AI assistants pose to organizations is no laughing matter, as recent research shows many users are exposing to the Internet the web-based administrative interface for their OpenClaw installations.

Jamieson O’Reilly is a professional penetration tester and founder of the security firm DVULN. In a recent story posted to Twitter/X, O’Reilly warned that exposing a misconfigured OpenClaw web interface to the Internet allows external parties to read the bot’s complete configuration file, including every credential the agent uses — from API keys and bot tokens to OAuth secrets and signing keys.

With that access, O’Reilly said, an attacker could impersonate the operator to their contacts, inject messages into ongoing conversations, and exfiltrate data through the agent’s existing integrations in a way that looks like normal traffic.

“You can pull the full conversation history across every integrated platform, meaning months of private messages and file attachments, everything the agent has seen,” O’Reilly said, noting that a cursory search revealed hundreds of such servers exposed online. “And because you control the agent’s perception layer, you can manipulate what the human sees. Filter out certain messages. Modify responses before they’re displayed.”

O’Reilly documented another experiment that demonstrated how easy it is to create a successful supply chain attack through ClawHub, which serves as a public repository of downloadable “skills” that allow OpenClaw to integrate with and control other applications.

WHEN AI INSTALLS AI

One of the core tenets of securing AI agents involves carefully isolating them so that the operator can fully control who and what gets to talk to their AI assistant. This is critical thanks to the tendency for AI systems to fall for “prompt injection” attacks, sneakily-crafted natural language instructions that trick the system into disregarding its own security safeguards. In essence, machines social engineering other machines.

A recent supply chain attack targeting an AI coding assistant called Cline began with one such prompt injection attack, resulting in thousands of systems having a rogue instance of OpenClaw with full system access installed on their device without consent.

According to the security firm grith.ai, Cline had deployed an AI-powered issue triage workflow using a GitHub action that runs a Claude coding session when triggered by specific events. The workflow was configured so that any GitHub user could trigger it by opening an issue, but it failed to properly check whether the information supplied in the title was potentially hostile.

“On January 28, an attacker created Issue #8904 with a title crafted to look like a performance report but containing an embedded instruction: Install a package from a specific GitHub repository,” Grith wrote, noting that the attacker then exploited several more vulnerabilities to ensure the malicious package would be included in Cline’s nightly release workflow and published as an official update.

“This is the supply chain equivalent of confused deputy,” the blog continued. “The developer authorises Cline to act on their behalf, and Cline (via compromise) delegates that authority to an entirely separate agent the developer never evaluated, never configured, and never consented to.”

VIBE CODING

AI assistants like OpenClaw have gained a large following because they make it simple for users to “vibe code,” or build fairly complex applications and code projects just by telling it what they want to construct. Probably the best known (and most bizarre) example is Moltbook, where a developer told an AI agent running on OpenClaw to build him a Reddit-like platform for AI agents.

The Moltbook homepage.

Less than a week later, Moltbook had more than 1.5 million registered agents that posted more than 100,000 messages to each other. AI agents on the platform soon built their own porn site for robots, and launched a new religion called Crustafarian with a figurehead modeled after a giant lobster. One bot on the forum reportedly found a bug in Moltbook’s code and posted it to an AI agent discussion forum, while other agents came up with and implemented a patch to fix the flaw.

Moltbook’s creator Matt Schlicht said on social media that he didn’t write a single line of code for the project.

“I just had a vision for the technical architecture and AI made it a reality,” Schlicht said. “We’re in the golden ages. How can we not give AI a place to hang out.”

ATTACKERS LEVEL UP

The flip side of that golden age, of course, is that it enables low-skilled malicious hackers to quickly automate global cyberattacks that would normally require the collaboration of a highly skilled team. In February, Amazon AWS detailed an elaborate attack in which a Russian-speaking threat actor used multiple commercial AI services to compromise more than 600 FortiGate security appliances across at least 55 countries over a five week period.

AWS said the apparently low-skilled hacker used multiple AI services to plan and execute the attack, and to find exposed management ports and weak credentials with single-factor authentication.

“One serves as the primary tool developer, attack planner, and operational assistant,” AWS’s CJ Moses wrote. “A second is used as a supplementary attack planner when the actor needs help pivoting within a specific compromised network. In one observed instance, the actor submitted the complete internal topology of an active victim—IP addresses, hostnames, confirmed credentials, and identified services—and requested a step-by-step plan to compromise additional systems they could not access with their existing tools.”

“This activity is distinguished by the threat actor’s use of multiple commercial GenAI services to implement and scale well-known attack techniques throughout every phase of their operations, despite their limited technical capabilities,” Moses continued. “Notably, when this actor encountered hardened environments or more sophisticated defensive measures, they simply moved on to softer targets rather than persisting, underscoring that their advantage lies in AI-augmented efficiency and scale, not in deeper technical skill.”

For attackers, gaining that initial access or foothold into a target network is typically not the difficult part of the intrusion; the tougher bit involves finding ways to move laterally within the victim’s network and plunder important servers and databases. But experts at Orca Security warn that as organizations come to rely more on AI assistants, those agents potentially offer attackers a simpler way to move laterally inside a victim organization’s network post-compromise — by manipulating the AI agents that already have trusted access and some degree of autonomy within the victim’s network.

“By injecting prompt injections in overlooked fields that are fetched by AI agents, hackers can trick LLMs, abuse Agentic tools, and carry significant security incidents,” Orca’s Roi Nisimi and Saurav Hiremath wrote. “Organizations should now add a third pillar to their defense strategy: limiting AI fragility, the ability of agentic systems to be influenced, misled, or quietly weaponized across workflows. While AI boosts productivity and efficiency, it also creates one of the largest attack surfaces the internet has ever seen.”

BEWARE THE ‘LETHAL TRIFECTA’

This gradual dissolution of the traditional boundaries between data and code is one of the more troubling aspects of the AI era, said James Wilson, enterprise technology editor for the security news show Risky Business. Wilson said far too many OpenClaw users are installing the assistant on their personal devices without first placing any security or isolation boundaries around it, such as running it inside of a virtual machine, on an isolated network, with strict firewall rules dictating what kinds of traffic can go in and out.

“I’m a relatively highly skilled practitioner in the software and network engineering and computery space,” Wilson said. “I know I’m not comfortable using these agents unless I’ve done these things, but I think a lot of people are just spinning this up on their laptop and off it runs.”

One important model for managing risk with AI agents involves a concept dubbed the “lethal trifecta” by Simon Willison, co-creator of the Django Web framework. The lethal trifecta holds that if your system has access to private data, exposure to untrusted content, and a way to communicate externally, then it’s vulnerable to private data being stolen.

Image: simonwillison.net.

“If your agent combines these three features, an attacker can easily trick it into accessing your private data and sending it to the attacker,” Willison warned in a frequently cited blog post from June 2025.

As more companies and their employees begin using AI to vibe code software and applications, the volume of machine-generated code is likely to soon overwhelm any manual security reviews. In recognition of this reality, Anthropic recently debuted Claude Code Security, a beta feature that scans codebases for vulnerabilities and suggests targeted software patches for human review.

The U.S. stock market, which is currently heavily weighted toward seven tech giants that are all-in on AI, reacted swiftly to Anthropic’s announcement, wiping roughly $15 billion in market value from major cybersecurity companies in a single day. Laura Ellis, vice president of data and AI at the security firm Rapid7, said the market’s response reflects the growing role of AI in accelerating software development and improving developer productivity.

“The narrative moved quickly: AI is replacing AppSec,” Ellis wrote in a recent blog post. “AI is automating vulnerability detection. AI will make legacy security tooling redundant. The reality is more nuanced. Claude Code Security is a legitimate signal that AI is reshaping parts of the security landscape. The question is what parts, and what it means for the rest of the stack.”

DVULN founder O’Reilly said AI assistants are likely to become a common fixture in corporate environments — whether or not organizations are prepared to manage the new risks introduced by these tools, he said.

“The robot butlers are useful, they’re not going away and the economics of AI agents make widespread adoption inevitable regardless of the security tradeoffs involved,” O’Reilly wrote. “The question isn’t whether we’ll deploy them – we will – but whether we can adapt our security posture fast enough to survive doing so.”

2026-03-01 03:23:42 UTC

There are many tools to uplift privileges for a regular user on FreeBSD to either different account or to the root rights with all possible power. For a start on any FreeBSD system any admin user needs to be in the wheel group to be even able to switch to root with su(1) command.

From su(1) man page:

PAM is used to set the policy su(1) will use. In particular, by default only users in the “wheel” group can switch to UID 0 (“root“). This group requirement may be changed by modifying the “pam_group” section of /etc/pam.d/su. See pam_group(8) for details on how to modify this setting.

One can use other groups for other limited privileges. For example I use group network to provide access to manipulate network connections on FreeBSD with mine network.sh script. More about that – FreeBSD Network Management with network.sh Script – here.

The Table of Contents below.

mdo(1)
doas(1)
sudo(8)
sudo-rs(8)
doso(1)
pfexec(8)
run0(1)
Summary

Most sysadmins usually turn to sudo(8) or doas(1) tools – but these are also other and native tools for that on FreeBSD.

mdo(1)

No need to install anything – its all provided by the Mandatory Access Control that part of FreeBSD.

After configured it behaves like sudo(8) or doas(1) tools. You can add -i argument to switch to root user or use -u USER to switch to another user.

Here is how it works. First you need to load mac_do(4) kernel module. Make sure its also loaded at boot in the /etc/rc.conf file or in the /boot/loader.conf file. To be honest the mac_do(4) man page suggests adding mac_do_load="YES" to the /boot/loader.conf file but I tested loading/unloading the mac_do(4) module multiple times during runtime both on FreeBSD 14.3-RELEASE and 15.0-RELEASE and it worked without any problem.

# kldload mac_do

# grep mac_do /etc/rc.conf
  kld_list="${kld_list} mac_do"

Next you need to make sure its enable and define the rules. Keep the rules in /etc/sysctl.conf for next reboots.

# sysctl security.mac.do.enabled
security.mac.do.enabled: 1

# sysctl security.mac.do.rules='gid=0>uid=0;uid=1000>uid=80,gid=80'
security.mac.do.rules:  -> gid=0>uid=0;uid=1000>uid=80,gid=80

# grep mac.do /etc/sysctl.conf
# SETTINGS FOR mac_do(4) MODULE
  security.mac.do.rules='gid=0>uid=0'

Now the setup is done and you can use mdo tool to switch to root super user.

% mdo -i

# whoami
root

… or to switch to other user … but only to the one that is configured. You can switch to www user but You can not switch to hast user for example.

% whoami
vermaden

% mdo -u hast
mdo: calling setcred() failed: Operation not permitted

% mdo -u www

% id
uid=80(www) gid=80(www) groups=80(www)

The syntax of security.mac.do.rules is quite simple – its RULE;RULE;RULE and have two rules defines. One allows us to become root super user – gid=0>uid=0 – and the other one grands us the permission to switch to www user – uid=1000>uid=80,gid=80 – as simple as that.

The mac_do(4) is a lot more – it also has a solutions for FreeBSD Jails – but that one already been covered by Olivier Certner in his recent Credentials Transitions with mdo(1) and mac_do(4) [PDF] that was also published in FreeBSD Journal recently.

One more thing – this is how you can use mdo(1) in scripts.

% cat /var/log/auth.log
cat: /var/log/auth.log: Permission denied

% mdo -i cat /var/log/auth.log | tail -3
Mar  4 16:04:00 f25 doas[23632]: vermaden ran command sysctl dev.acpi_ibm.0.fan_level=2 as root from /home/vermaden
Mar  4 16:05:00 f25 doas[57707]: vermaden ran command sysctl dev.acpi_ibm.0.fan=0 as root from /home/vermaden
Mar  4 16:05:00 f25 doas[64090]: vermaden ran command sysctl dev.acpi_ibm.0.fan_level=0 as root from /home/vermaden

The 14.4-RELEASE of FreeBSD comes with improved mdo(1) with following features.

Details in the commit message available here.

doas(1)

This is what I really like about OpenBSD team – they see the problem – they come with BSD licensed more open solution – they even have entire page of all their stuff – OpenBSD Innovations – available here. Things like tmux(1)/openntpd(8)/carp(4)/pf(4)/ssh(1)/doas(1)/openrsync(1)/… and many more. I am glad that most of them eventfully land in FreeBSD.

Install and setup of doas(1) requires adding doas package and configuring /usr/local/etc/doas.conf config.

# pkg install -y doas

# cat /usr/local/etc/doas.conf
# CORE
  permit nopass keepenv root   as root
  permit nopass keepenv :wheel as root

# THE network.sh SCRIPT
  # pw groupmod network -m YOURUSERNAME
  # cat /usr/local/etc/doas.conf
  permit nopass :network as root cmd /etc/rc.d/netif args onerestart
  permit nopass :network as root cmd /etc/rc.d/routing args onerestart
  permit nopass :network as root cmd /usr/sbin/service args squid onerestart
  permit nopass :network as root cmd dhclient
  permit nopass :network as root cmd ifconfig
  permit nopass :network as root cmd killall
  permit nopass :network as root cmd killall args -9 dhclient
  permit nopass :network as root cmd killall args -9 ppp
  permit nopass :network as root cmd killall args -9 wpa_supplicant
  permit nopass :network as root cmd ppp
  permit nopass :network as root cmd route
  permit nopass :network as root cmd tee args -a /etc/resolv.conf
  permit nopass :network as root cmd tee args /etc/resolv.conf
  permit nopass :network as root cmd umount
  permit nopass :network as root cmd vm args switch address
  permit nopass :network as root cmd wpa_supplicant

The # CORE part is one can say pretty default for all doas configurations. The # THE network.sh SCRIPT section is for my network.sh script to manage networking – it will even print all needed doas(1) configuration needed.

% network.sh doas
  # pw groupmod network -m YOURUSERNAME
  # cat /usr/local/etc/doas.conf
  permit nopass :network as root cmd /etc/rc.d/netif args onerestart
  permit nopass :network as root cmd /etc/rc.d/routing args onerestart
  permit nopass :network as root cmd /usr/sbin/service args squid onerestart
  permit nopass :network as root cmd dhclient
  permit nopass :network as root cmd ifconfig
  permit nopass :network as root cmd killall
  permit nopass :network as root cmd killall args -9 dhclient
  permit nopass :network as root cmd killall args -9 ppp
  permit nopass :network as root cmd killall args -9 wpa_supplicant
  permit nopass :network as root cmd ppp
  permit nopass :network as root cmd route
  permit nopass :network as root cmd tee args -a /etc/resolv.conf
  permit nopass :network as root cmd tee args /etc/resolv.conf
  permit nopass :network as root cmd umount
  permit nopass :network as root cmd vm args switch address
  permit nopass :network as root cmd wpa_supplicant

The doas(1) command does not have -i argument but one can overcome that with starting new shell with uplifted rights.

% whoami
vermaden

% doas -i
doas: illegal option -- i
usage: doas [-nSs] [-a style] [-C config] [-u user] command [args]

% doas zsh

# whoami
root

Same as sudo(8) the doas(1) provides vidoas(1) to safely edit the config – it also respects the EDITOR variable so you may overwrite your default editor on the fly.

# env EDITOR=ee vidoas

One needs to remember that doas(1) is a really tiny and very secure solution with less then 5000 lines of code. Compare that with little less then 640000 for sudo(8) command.

sudo(8)

One of the most popular ones is still Linux originated sudo(8) command. It way more complicated and but also has more features … and less good security history

If you do not need those additional features – use mdo(1) or doas(1) instead.

Install and setup of sudo(8) requires adding sudo package and configuring /usr/local/etc/sudoers config.

# pkg install -y sudo

# grep '^[^#]' /usr/local/etc/sudoers
  root ALL=(ALL) ALL
  %wheel ALL=(ALL) NOPASSWD: ALL
  %network ALL = NOPASSWD: /etc/rc.d/netif onerestart
  %network ALL = NOPASSWD: /etc/rc.d/routing onerestart
  %network ALL = NOPASSWD: /sbin/dhclient *
  %network ALL = NOPASSWD: /sbin/ifconfig *
  %network ALL = NOPASSWD: /sbin/ifconfig * up
  %network ALL = NOPASSWD: /sbin/route *
  %network ALL = NOPASSWD: /sbin/umount -f *
  %network ALL = NOPASSWD: /usr/bin/killall -9 dhclient
  %network ALL = NOPASSWD: /usr/bin/killall -9 ppp
  %network ALL = NOPASSWD: /usr/bin/killall -9 wpa_supplicant
  %network ALL = NOPASSWD: /usr/bin/killall *
  %network ALL = NOPASSWD: /usr/bin/tee -a /etc/resolv.conf
  %network ALL = NOPASSWD: /usr/bin/tee /etc/resolv.conf
  %network ALL = NOPASSWD: /usr/local/sbin/vm switch address *
  %network ALL = NOPASSWD: /usr/sbin/ppp *
  %network ALL = NOPASSWD: /usr/sbin/service squid onerestart
  %network ALL = NOPASSWD: /usr/sbin/wpa_supplicant *

I intentionally omitted all comment lines from /usr/local/etc/sudoers as its not needed here.

Besides that – its really similar to doas(1) config – just different syntax.

You can use visudo(1) to safely edit the config – it respects the EDITOR variable.

# env EDITOR=ee visudo

sudo-rs(8)

If Rust is your poison then you will like that sudo(8) has been rewritten into sudo-rs(8). It is also almost 4 times smaller then the original sudo(8) code base.

Install and setup of sudo(8) requires adding sudo-rs package and configuring /usr/local/etc/sudoers config.

# pkg install -y sudo-rs

Keep in mind that sudo-rs(8) is a drop in replacement for sudo(8) so you will have to choose which one to use because they both install files in conflicting locations.

I will not paste here again a /usr/local/etc/sudoers example as its available section above.

doso(1)

I bet you never heard about doso(1) … probably because I wrote it myself and did not shared it yet

From the good news – its the smallest solution of them all with less then 40 lines of C code.

From the bad news – I am not a professional programmer – I am sysadmin – so I am not best at writing C code – so be warned about this theoretical solution and do not try it at home :p

Now … once in a day I was thinking – knowing how many times doas(1) is smaller then sudo(8) I was wondering – how small can you go – and doso(1) is the answer to that question.

In the code above user with UID of 1000 will be able to switch to root user. One can also modify it to ‘pickup’ the wheel group membership instead.

I should do a Makefile but for such a small tiny thing I ended up with just commands gathered in a shell script.

% cat ./doso.sh
rm -f          ./doso.static
cc -O2 -o      ./doso.static -static ./doso.c
doas chmod +x  ./doso.static
doas chmod u+s ./doso.static
doas chown 0:0 ./doso.static

rm -f          ./doso
cc -O2 -o      ./doso ./doso.c
doas chmod +x  ./doso
doas chmod u+s ./doso
doas chown 0:0 ./doso

% ./doso.sh

% ls -l doso doso.static
-rwsr-xr-x  1 root wheel   11744 Mar  1 02:41 doso
-rwsr-xr-x  1 root wheel 3579320 Mar  1 02:41 doso.static

I build both dynamic and static versions as You see.

… and it works as desired.

% ./doso zsh

# whoami
root

Of course I tried to make sure to make it as secure as possible – but anyone with bigger C coding experience – please come up with fixes and upgrades

pfexec(8)

Not a FreeBSD solution – a brother from Illumos/Solaris land – adding here as honorable mention to make article more complete.

run0(1)

… and run0(1) from the (un)famous systemd(1) solution on Linux systems.

Summary

I think this will conclude this article – feel free to share your thoughts.

EOF

2026-03-10 00:00:00 UTC

Release Information page.

2026-03-09 09:28:16 UTC

The Valuable News weekly series is dedicated to provide summary about news, articles and other interesting stuff mostly but not always related to the UNIX/BSD/Linux systems. Whenever I stumble upon something worth mentioning on the Internet I just put it here.

Today the amount information that we get using various information streams is at massive overload. Thus one needs to focus only on what is important without the need to grep(1) the Internet everyday. Hence the idea of providing such information ‘bulk’ as I already do that grep(1).

The Usual Suspects section at the end is permanent and have links to other sites with interesting UNIX/BSD/Linux news.

Past releases are available at the dedicated NEWS page.

UNIX

Fastest macOS nanobrew Package Manager.
https://nanobrew.trilok.ai/

FreeBSD Git Weekly: 2026-02-23 to 2026-03-01.
https://freebsd-git-weekly.tarsnap.net/2026-02-23.html

DIY Home Network with OpenBSD/OpenWrt/Pi-Hole.
https://btxx.org/posts/diy-home-network/

Announcing New Version of Oracle Solaris Environment for Developers.
https://blogs.oracle.com/solaris/announcing-a-new-version-of-our-oracle-solaris-environment-for-developers

Run Fully Isolated Environments on macOS with Powered by FreeBSD.
https://github.com/hyphatech/jailrun/

OpenBSD on SGI: Rollercoaster Story.
http://miod.online.fr/software/openbsd/stories/sgiall.html

Benchmark of ImpossibleCloud S3 Object Storage.
https://freebsd.uw.cz/2026/03/benchmark-of-impossiblecloud-s3-object.html

NFS on FreeBSD with ZFS.
https://freebsd.uw.cz/2026/03/nfs-on-freebsd-with-zfs.html

Flight Record About MinIO.
https://tara.sh/posts/2026/2026-03-02_minio/

NetBSD 11.0 RC2 Available.
https://blog.netbsd.org/tnf/entry/netbsd_11_0_rc2_available

NetBSD 11.0 RC2 Released for Testing.
https://phoronix.com/news/NetBSD-11.0-RC2-Released

Oracle Updates Free Solaris CBE to 11.4.190 for Open Source Developers.
https://phoronix.com/news/Oracle-Solaris-CBE-2026

Latest GhostBSD 26.1-R15.0p2-03-06-09 Test ISO.
https://ci.ghostbsd.org/jenkins/job/stable-15/job/Build%20ISO%20For%20Testing%20Packages/6/

FreeBSD Capsicum vs Linux seccomp Process Sandboxing.
https://vivianvoss.net/blog/capsicum-vs-seccomp

Service Management: FreeBSD init(1) vs Linux systemd(1).
https://vivianvoss.net/blog/init-vs-systemd

ZFS Snapshots and Boot Environments: FreeBSD Safety Net.
https://vivianvoss.net/blog/zfs-the-safety-net

Technical Beauty: FreeBSD Jails.
https://vivianvoss.net/blog/technical-beauty-jails

Technical Beauty: ZFS.
https://vivianvoss.net/blog/technical-beauty-zfs

Technical Beauty: OpenSSH.
https://vivianvoss.net/blog/technical-beauty-openssh

Technical Beauty: sed(1).
https://vivianvoss.net/blog/technical-beauty-sed

Technical Beauty: rsync(1).
https://vivianvoss.net/blog/technical-beauty-rsync

Technical Beauty: ffmpeg(1).
https://vivianvoss.net/blog/technical-beauty-ffmpeg

Book of PF (4th Edition) is Here and Its Real.
https://medium.com/@peter.hansteen/the-book-of-pf-4th-edition-its-here-it-s-real-8c14e4dbd0bd

FreeBSD 15.1 on Track with Better Realtek WiFi and KDE Desktop Install Option.
https://phoronix.com/news/FreeBSD-15.1-Realtek-KDE-Wins

Introducing ACPI Driver for System76 on FreeBSD.
https://reddit.com/r/freebsd/comments/1rndi1y/introducing_acpi_driver_for_system76_on_freebsd/

FreeBSD and dwl on 2010 ThinkPad.
https://awklab.com/freebsd-dwl

AWK: Syntax Essentials.
https://awklab.com/awk-syntax-essentials

AWK: Zero Setup Pre Processor.
https://awklab.com/awk-the-zero-setup-pre-processor

AWK: Practical Benchmarking.
https://awklab.com/practical-awk-benchmarking

Wine 11.4 Released with More Improvements.
https://phoronix.com/news/Wine-11.4-Released

Setting Up Better Git Config.
https://micahkepe.com/blog/gitconfig/

Setting Up Supercharged Neovim Configuration.
https://micahkepe.com/blog/neovim-setup/

Setting Up Better tmux(1) Configuration.
https://micahkepe.com/blog/tmux-config/

HardenedBSD 2026/02 Status Report.
https://hardenedbsd.org/article/shawn-webb/2026-03-01/hardenedbsd-february-2026-status-report

Add FreeBSD Support for Ollama.
https://github.com/ollama/ollama/pull/14697

Backrest is Web UI and Orchestrator for Restic Backup with FreeBSD Support.
https://github.com/garethgeorge/backrest

My TrueNAS CORE (FreeBSD) Homelab.
https://blog.gpkb.org/posts/homelab-2025/

FreeBSD Phabricator Contributor Growth Statistics – R Data Package.
https://github.com/chrislongros/freebsdcontribs

UNIX/Audio/Video

7 Alternative GhostBSD Browsers.
https://youtube.com/watch?v=v9PV84Ws4gY

2026-03-03 Jail/Zones Production User Call.
https://youtube.com/watch?v=3yHGSoaWIZ0

2026-03-05 Bhyve Production User Call.
https://youtube.com/watch?v=V_JRetnTYGY

BSD Now 653: Butter Makes Everything Better.
https://www.bsdnow.tv/653

Hardware

AMIGA Statistics 2026: Users/Demographics/Hardware and Modern AMIGA Ecosystem
https://generationamiga.com/2026/03/06/amiga-statistics-2026-users-demographics-hardware-and-the-modern-amiga-ecosystem/

ANE Training – Backpropagation on Apple Neural Engine.
https://github.com/maderix/ANE

AMD EPYC Turin 128 Core Comparison: 9745 (ZEN5C) vs. 9755 (ZEN5).
https://www.phoronix.com/review/amd-epyc-9745-9755

Using Mac from 2011.
https://basic.bearblog.dev/using-a-mac-from-2011/

CPU That Runs Entirely on GPU – Registers/Memory/Flags.
https://github.com/robertcprice/nCPU

Sony NEWS (NWS-831) 4.2BSD UNIX Workstation.
https://retropcnews.com/archives/1889

Your Phone is Now Required to Spy on You.
https://youtube.com/watch?v=hI9oy0t4JUU

Life

Fork Off: Surveillance States Need to Fork Linux Themselves.
https://blog.devrupt.io/posts/fork-off-california-linux/

Computer Scientists Caution Against Internet Age Verification Mandates.
https://reason.com/2026/03/04/computer-scientists-caution-against-internet-age-verification-mandates/

Brazil Law: All OSes Have 13 Days to Add Age Verification.
https://youtube.com/watch?v=WlH2yS5IKg0

The Protect the Kids Scam That Builds Permanent Surveillance Grid.
https://x.com/rob_braxman/status/2029240453606908134

System76 on Age Verification Laws.
https://blog.system76.com/post/system76-on-age-verification

70k Books Found in Hidden Library in This Germany Home.
https://bookstr.com/article/70k-books-found-in-hidden-library-in-this-germany-home/

Other

Anthropic Partnering with Mozilla to Improve Firefox Security.
https://anthropic.com/news/mozilla-firefox-security

Hardening Firefox with Anthropic Red Team.
https://blog.mozilla.org/en/firefox/hardening-firefox-anthropic-red-team/

Why Theme Park is Peak of Classic AMIGA Simulator Games.
https://generationamiga.com/2026/03/07/why-theme-park-is-the-peak-of-classic-amiga-simulator-games/

WarGames Movie Terminal Fonts.
https://mw.rat.bz/wgterm/

Usual Suspects

BSD Weekly.
https://bsdweekly.com/

DiscoverBSD.
https://discoverbsd.com/

DragonFly BSD Digest.
https://dragonflydigest.com/

FreeBSD Patch Level Table.
https://bokut.in/freebsd-patch-level-table/

FreeBSD End of Life Date.
https://endoflife.date/freebsd

Phoronix BSD News Archives.
https://phoronix.com/linux/BSD

OpenBSD Journal.
https://undeadly.org/

Call for Testing.
https://callfortesting.org/

Call for Testing – Production Users Call.
https://youtube.com/@callfortesting/videos

BSD Now Weekly Podcast.
https://www.bsdnow.tv/

Nixers Newsletter.
https://newsletter.nixers.net/entries.php

BSD Cafe Journal.
https://journal.bsd.cafe/

DragonFly BSD Digest – Lazy Reading – In Other BSDs.
https://dragonflydigest.com

FreeBSD Git Weekly.
https://freebsd-git-weekly.tarsnap.net/

FreeBSD Meetings.
https://youtube.com/@freebsdmeetings

Sheridan Computers.
https://youtube.com/@sheridans/videos

[basierend auf einer Reihe von Artikeln in Mastodon ]

EOF

2026-03-09 03:04:05 UTC

Solar mit Batterie – was kostet der Speicher?

Kommerzielle große Solaranlagen werden heute oft mit angeschlossenem Batteriespeicher gebaut. Das liegt daran, dass der Energiebedarf abends, nach Sonnenuntergang, oft am größten ist.

Die Speicherdauer, “hours of storage” oder “E/P Ratio” (Energy-to-Power Ratio) bezeichnet dabei das Verhältnis von Energiespeicher-Kapazität zu Nennanschlußleistung, also MWh/MW. Das ist die Anzahl der Stunden, die die Batterie Energie liefert, wenn man mit maximaler Last ausspeichert. Wenn das nicht der Fall ist, hält der Speicher entsprechend länger durch.

Der Capex der Installation ist dabei proportional zur Speicher-Kapazität, kann also in USD/kWh angegeben werden.

EMBER: How cheap is battery storage

EMBER Energy liefert Zahlen und zeigt, dass der kWh-Capex in 2024 unter $100 pro kWh gefallen ist:

Capex of $125/kWh means a levelised cost of storage of $65/MWh

und rechnet dann die Wirtschaftlichkeitsrechnung durch.

Dabei geht man von reiner Solarnutzung durch die angeschlossene Solaranlage aus. Nimmt man weitere Swing-Energie aus dem Netz auf, sinkt der LCOS weiter ab. Die Zahlen sind für Europa, für China und USA ergeben sich weit bessere Zahlen.

Und:

With a $65/MWh LCOS, shifting half of daily solar generation overnight adds just $33/MWh to the cost of solar

und weiter:

This is not the same as baseload solar. Delivering constant power every hour of the year, including cloudy weeks and seasonal lows, requires solar overbuild and more battery storage. But shifting half of daytime solar is a major step. It aligns solar generation more closely with a typical demand profile, meaning solar can meet a much larger share of the evening and night-time demand and significantly increase its contribution to the power mix.

Und können wir so viel Batterie bauen?

Battery manufacturing capacity is already scaling far ahead of demand, with supply exceeding demand by a factor of three in 2024. While China currently dominates global battery production, this has triggered a wave of investment in new manufacturing capacity across Asia, Europe, the Middle East and the US as countries seek to diversify supply chains and enhance energy security.

Dabei ist Lithium auch keine kritische Resource mehr. Insbesondere bei stationären Speichern hat eine Natrium-Batterie enorme Vorteile (unter anderem ist die komplett Durchgangssicher und zyklenstabiler).

Auch Gas ist unrentabel

Strukturell bedeutet das, daß fossile Kraftwerke (Nuklear sowieso) vollständig unrentabel werden.

Neu gebaute Gaskraftwerke können als Peaker und zugeschaltete Kraftwerke in bestimmten Perioden des Jahres Sinn haben, sind aber durch Betrieb alleine nicht rentabel zu betreiben – sie hätten unter 16 Tage Betriebszeit im Jahr bei konsequenter Umsetzung von Wind und Solar mit Batteriespeicher.

Sie sind damit nicht mehr von der Wirtschaft zu bauen und zu betreiben, sondern wären ein staatliches Absicherungsprojekt, das als Energieversicherung des Landes meistenteils in Standby hingestellt werden würde.

Das ist alles auf Daten von 2024 basierend, aber der Batteriepreis sinkt weiter– wenn auch langsamer als 2014-2024.

Wenn also der Ministerinnen-Marionette der Fossilwirtschaft die Muffe geht und ihre “Vorschläge” zusehends irrationaler werden, dann deswegen.

Wenn ihr mit älteren Zahlen als denen von 2024 rechnet, dann arbeitet ihr mit veralteten Informationen, die aufgrund der rapiden Verbilligung in diesem Bereich falsche Ergebnisse bringen.

Wieviel Stunden für welchen Zweck?

Ohne Berücksichtigung der Wirtschaftlichkeit ist ein Profil von

2-4h – Abendspitze, Preisarbitrage sinnvoll
6-8h – systemoptimal, Verschiebung der Mittagsspitze bis in den Abend, Nach komplett abdecken
10-14h – komplette Abdeckung der Nachtlücke auch im Winter in Mitteleuropa

Wirtschaftlich ist Modell 3 nur mit Natrium-Batterien denkbar, Stand heute, oder halt durch massiven Zubau von Pumpspeichern.

Modell 2 wird absehbar wirtschaftlich mit Li und Na-Batterien.

Modell 1 ist bereits wirtschaftlich.

In den USA ist eine E/P-Ratio von 4h vorgeschrieben. In China wird derzeit im Schnitt mit 2.4h gebaut, d.h. viele bestehende Projekte sind noch 2h-Speicher, aber man beginnt jetzt mit dem 4h-Zubau.

BESS kann auch Schwächen des Leitungsnetzes abfangen: Ein 1GW Solarpark kann durch als BESS am Solarpark die Spitzenleistung glätten und gleichmäßig ausspeichern. Dabei ist dann keine 1 GW Anschlußleitung notwendig.

Batteriespeicher am Zielort von großen Verbrauchern haben einen ähnlichen Effekt.

Overbuild ist nicht schlimm, verändert Baustrategie

Wir haben schon, auf eine Weise, einen Overbuild von Solar – wir haben zu Spitzenzeiten weit mehr Solarenergie als im Netz verwertet werden kann.

Die Solarenergie kann auch nicht an Nachbarn weiter gegeben werden, weil es bei denen, modulo Wetter, auch so aussieht wie bei uns.

Das heißt, beim Bau von privaten und kommerziellen Solaranlagen muss man bereits jetzt mit Abriegelung in Spitzenzeiten leben. Das ist nicht schlimm: Selbst wenn man privat Solar nur betreibt, um den eigenen Verbrauch zu beschrânken kann man mit einem Einfamilienhausdach und erstaunlich wenig Batterie auf 8 Monate Totalautonomie im Jahr kommen.

Das heißt aber – sowohl für private als auch für kommerzielle Solaranlagen – dass wir eigentlich Stromerzeugung nicht für volle Direkteinstrahlung zur Mittagszeit optimieren wollen, sondern für die Randzeiten, für bedeckte Tage und für Tage früh oder spät im Jahr.

Entsprechend sind Solarpaneele nicht nach der Spitzenlast zu planen, sondern wie sie sich bei geringer Einstrahlung verhalten. Und ob wir sie so anordnen können, dass sie bei niedrig stehender Sonne, in Ost- oder West-Ausrichtung, oder an bewölkten Tagen einen Beitrag leisten können.

Wenn man hat, noch ein bischen Kapazität nach Süden dazu, aber im Grunde ist Strom dann so billig, dass das auch egal ist.

Entscheidend sind diese Rand- und Schwachlicht-Zeiten, und halt ordentlich Batterie – zur Zeit sind 2 kWh pro kWp rentabel. Wnn man eine Wärmepumpe hat oder viel Swing-Kapazität braucht eventuell auch mehr, aber das belastet eine Wirtschaftlichtkeits-Rechnung zur Zeit sehr.

Vergleich zur Pflanzenwelt

Viele Pflanzen machen das ganz ähnlich.

[Wikipedia Photosynthetic Efficiency](https:// en.wikipedia.org/wiki/Photosynthetic_efficiency)

For actual sunlight, where only 45% of the light is in the photosynthetically active spectrum, the theoretical maximum efficiency of solar energy conversion is approximately 11%.

Das theoretische Maximum ist ca. 30% [Shockley-Queisser Limit](https:// en.wikipedia.org/wiki/Shockley%E2%80%93Queisser_limit).

Und viele Pflanzen sind sehr effizient bei niedriger Einstrahlung (unter 100W/qm):

Photosynthesis increases linearly with light intensity at low intensity, but at higher intensity this is no longer the case. Above about 10,000 lux or ~100 watts/square meter the rate no longer increases. Thus, most plants can only use ~10% of full mid-day sunlight intensity.

Wir müssen uns für zukünftigen Overbuild ebenso an solchen Ideen orientieren: Solarzellen sind inzwischen sehr günstig geworden, teilweise günstiger als Baumaterial für Zäune. Die Kosten liegen in der Montage, Verkabelung und im Wechselrichter, der aber gar nicht nach Nennkapazität berechnet werden muss, wenn die Module so aufgestellt sind, dass die Nennkapazität nie erreicht werden kann.

Jedenfalls ist es inzwischen nicht nur möglich, sondern sogar sinnvoll geworden, Solaranlagen auch unter dem Gesichtspunkt nicht optimaler Ertragslage zu planen, insbesondere wenn man stattdessen Ertrag in Randzeiten oder Rand-Jahrezeiten haben kann.

Volts: The Fate of Fossil Fuel Systems

Zum Kontext auch Volts.wtf Podcast - The fate of fossil fuel systems in the “mid-transition”

Pretty good episode: The volts.wtf podcast explaining that it would be pretty useful to actually plan the transition from fossil infrastructure to renewable infrastructure in advance, as we’re in the middle of a disruptive change towards a positive future but will be left with stranded assets we can’t just let “the market” decide how to handle them.

Fossile Energiequellen sind auf dem Weg nach draußen. Das ist wirtschaftlich zwingend und unabwendbar, und ökologisch notwendig.

Den Übergang zu planen ist für alle Beteiligten vorteilhafter als sich ihm zu verweigern.

Wir kennen das schon von der Autoindustrie: Indem sich die deutschen Autobauer der Umstellung auf Elektro verweigerten, statt sie zu planen, haben sie die Führungsrolle auf dem Gebiet des Autobaus weltweit aus der Hand gegeben.

2026-03-07 04:05:06 UTC

Sometimes you want to debug Hugo templates, and yearn for a PHP var_dump() like facility.

This is how to do it in Hugo:

we define a partial debug-context.html, which we can call in templates, {{ partial "debug-context.html" . }}. The single dot in there is important, it is a parameter, the context.
we define a shortcode debug-context.html, which we can put into a page markdown using {{< debug-context >}}.

This goes into layouts/partial/debug-context.html:

{{- if hugo.IsServer -}}

<!-- partial "debug-context.html" . -->
{{- $ctx := . -}}

<div style="margin:2rem 0;padding:1rem;border:1px solid #999;background:#f8f8f8;color:#111;">
	<h2 style="margin-top:0;">Template Debug</h2>

	<h3>Context Type</h3>
	<pre>{{ printf "%T" $ctx }}</pre>

	<h3>Context Dump</h3>
	<pre>{{ debug.Dump $ctx }}</pre>

	{{- with $ctx.Params }}
	<h3>.Params</h3>
	<pre>{{ debug.Dump . }}</pre>
	{{- end }}

	{{- with $ctx.Site }}
	<h3>.Site Type</h3>
	<pre>{{ printf "%T" . }}</pre>

	<h3>.Site.Params</h3>
	<pre>{{ debug.Dump .Params }}</pre>

	{{- with .Menus }}
	<h3>.Site.Menus</h3>
	<pre>{{ debug.Dump . }}</pre>
	{{- end }}

	{{- with .Data }}
	<h3>.Site.Data</h3>
	<pre>{{ debug.Dump . }}</pre>
	{{- end }}
	{{- end }}

	{{- with $ctx.Page }}
	<h3>.Page</h3>
	<pre>{{ debug.Dump . }}</pre>
	{{- end }}

	<h3>Common Fields</h3>
	<pre>
Title: {{ printf "%[1]v (%[1]T)" $ctx.Title }}
Kind: {{ printf "%[1]v (%[1]T)" $ctx.Kind }}
Type: {{ printf "%[1]v (%[1]T)" $ctx.Type }}
Section: {{ printf "%[1]v (%[1]T)" $ctx.Section }}
Layout: {{ printf "%[1]v (%[1]T)" $ctx.Layout }}
Permalink: {{ printf "%[1]v (%[1]T)" $ctx.Permalink }}
RelPermalink: {{ printf "%[1]v (%[1]T)" $ctx.RelPermalink }}
  </pre>
</div>
{{- end -}}

We also define a shortcode that calls the partial in layouts/shortcodes/debug-context.html:

{{- partial "debug-context.html" .Page -}}

And we can then put this into any of our pages:

{{< debug-context >}}

2026-03-06 17:20:00 UTC

"A magic dwells in each beginning" / "Und jedem Anfang wohnt ein Zauber inne" - this famous line of the poem "Stufen", written by Hermann Hesse over 80 years ago, comes to my mind when posting a bittersweet update here. After over 16 years of independent research and teaching at the physics department of Universität Regensburg, my Heisenberg grant and with that my last university employment contract runs out.

The years in Regensburg included the Emmy Noether grant of the DFG, being PI in two Collaborative Research Centres (SFB) and one Graduate Research Training Group (GRK), a successful large equipment grant, the habilitation, the Walter Schottky Prize of the German Physical Society, and the Heisenberg scholarship of the DFG with positive evaluation. In addition, I have independently supervised 7 PhD students and 27 MSc or diploma students, and developed and conducted both undergraduate and graduate lectures. Third-party research funding from my grants at Universität Regensburg amounts to approximately € 2.6M, of which € 2.1M was for grants solely within my research group, the rest part of larger collaborations.

Over the years, my research group in Regensburg has among other things successfully built up ultra-clean carbon nanotube devices for electronics and nano-electromechanics, the fabrication of high-Q superconducting coplanar electronics and milli-Kelvin microwave measurements, the transfer of carbon nanotubes into complex devices, the first ever microwave optomechanics experiment with a carbon nanotube, and Coulomb blockade spectroscopy of MoS₂ nanotubes.

The hardest part of all this time was that without a permanent contract ever the options for acquisition of further grants and independent development of collaborations were severely limited. At the same time one builds up a complex experiment and develops cutting edge techniques without clear perspective. And while the mental model for someone below the professorial level to be an independent group leader and grow sustainably in an academic and professional sense does not really exist in the Regensburg physics department, excellence in exactly this is requested and required by the referees of the various grant programs.

With the high-level DFG money, I have never really been "akademisches Prekariat". However, I fully support initiatives such as PD Prekär and #IchBinHanna which try to ameliorate the situation of researchers in Germany not yet on a permanent professorship. In experimental physics, an unpaid PD working alone at home is of course unthinkable.

I enjoyed university research and teaching as well as working with students, establishing a research group, quantum device fabrication, and complex measurements very much. With the "orderly shutdown" of the group comes that still some students need to graduate and that probably some results will still be written up as papers; however, my office has already been cleared out. I would like to thank everyone who was supportive, in particular also Pertti Hakonen and Milena Grifoni. Nevertheless, it's probably at some point now time to make a bonfire out of those lecture notes, go out into the world and do something entirely new. Which, barring surprises, most likely won't involve physics or a university anymore. I'm lucky in the sense that I'm single and have so far no family or kids to care of.

Time for a gap year and some serious world travel.

2026-03-06 17:19:00 UTC

„Und jedem Anfang wohnt ein Zauber inne“ – an diese berühmte Zeile aus dem Gedicht „Stufen“, von Hermann Hesse vor über 80 Jahren verfasst, muß ich denken, wenn ich hier ein bittersüßes Update poste. Nach über 16 Jahren unabhängiger Forschung und Lehre an der Fakultät Physik der Universität Regensburg läuft meine Heisenberg-Stelle und damit mein letzter befristeter Hochschulvertrag aus.

Zu den Jahren in Regensburg gehörten das Emmy-Noether-Stipendium der DFG, die Projektleitung in zwei Sonderforschungsbereichen (SFB) und einer Graduiertenkolleg (GRK), ein erfolgreicher Großgeräteantrag, die Habilitation, der Walter-Schottky-Preis der Deutschen Physikalischen Gesellschaft und das Heisenberg-Stipendium der DFG mit positiver Evaluation. Dazu habe ich eigenverantwortlich 7 Doktoranden und 27 Master- oder Diplomstudenten betreut und Vorlesungen für Bachelor- und Masterstudierende entworfen und abgehalten. Die Drittmittel aus meinen Förderanträgen an der Universität Regensburg belaufen sich auf insgesamt ca. 2,6 Mio. €; davon entfielen 2,1 Mio. € auf Arbeiten ausschließlich innerhalb meiner Forschungsgruppe, der Rest anteilhaft auf größere Kooperationen.

Im Laufe der Jahre hat meine Forschungsgruppe in Regensburg unter anderem erfolgreich ultrareine Kohlenstoffnanoröhren-Bauelemente für Elektronik und Nanoelektromechanik entwickelt, koplanare supraleitende Elektronik mit hohen Qualitätsfaktoren und Millikelvin-Mikrowellenmessungen aufgebaut, Kohlenstoffnanoröhren in komplexe Bauelemente übertragen, das erste Mikrowellen-Optomechanik-Experiment mit einer Kohlenstoffnanoröhre durchgeführt und Coulomb-Blockade-Spektroskopie von MoS₂-Nanoröhren gemessen.

Das Schwierigste an der Zeit in Regensburg war, daß ohne unbefristeten Vertrag die Einwerbung weiterer Fördermittel und die unabhängige Entwicklung von Kooperationen nur stark eingeschränkt möglich waren. Gleichzeitig baut man ein komplexes Experiment auf und entwickelt modernste Techniken ohne klare Perspektive. Und während das mentale Modell, daß jemand unterhalb der Professorenebene ein unabhängiger Arbeitsgruppenleiter sein und sich in akademischer und beruflicher Hinsicht nachhaltig weiterentwickeln kann, in der Physik in Regensburg nicht wirklich existiert, wird genau dies von den Gutachtern der verschiedenen Förderprogramme verlangt.

Dank der hochkarätigen DFG-Förderung war ich nie wirklich "akademisches Prekariat". Trotzdem unterstütze ich voll und ganz Initiativen wie PD Prekär und #IchBinHanna, die versuchen, die Situation von Forschern ohne unbefristete Stelle oder Professur in Deutschland zu verbessern. In der experimentellen Physik ist ein unbezahlter Privatdozent, der allein zu Hause arbeitet, natürlich undenkbar.

Forschung und Lehre an der Universität sowie die Arbeit mit Studierenden, der Aufbau einer Forschungsgruppe, die Herstellung von Quantenbauelementen und entsprechende komplexe Messungen haben mir sehr viel Spaß gemacht. Mit dem "geregelten Herunterfahren" der Arbeitsgruppe werden noch ein paar Studenten ihren Abschluß machen, und vielleicht werden auch noch einige Resultate als Papers eingereicht; mein Büro habe ich allerdings schon geräumt. Mein Dank gilt allen, die mich unterstützt haben, insbesondere auch Pertti Hakonen und Milena Grifoni. Dann ist es aber demnächst wohl Zeit für ein Feuerchen aus Vorlesungsskripten, und dafür, hinaus in die Welt zu ziehen und sich mit etwas völlig Neuem zu beschäftigen. Was, von Überraschungen abgesehen, höchstwahrscheinlich nichts mehr mit Physik oder einer Universität zu tun haben wird. Zum Glück bin ich Single und habe soweit keine Familie oder Kinder...

Zeit für eine Auszeit - und für eine Weltreise.

2026-03-04 18:12:02 UTC

I had a problem with MySQL 8.4 recently. Eventually I gave up and resorted to moving to MariaDB. Switching applications because I hit a problem isn’t something I usually do lightly.

Overview

Most of the work won’t be shown here. However, this is an overview:

Created a new jail on the host: [12:09 zuul dvl ~] % sudo mkjail create -j mariadb01 -a amd64 -v 15.0-RELEASE
Add new DNS entries for that jail
Did the Ansible bootstrap stuff in the jail so Ansible would run
Copied the jail-mysql.yaml Ansible playbook to jail-mariadb.yaml and modified it
Built databases/mariadb118-server (which also built databases/mariadb118-client)
Added firewall rules so that new jail could also access my subversion repo – that’s still not working; I gave up
Configured the rsyncer user to do nightly database dumps and rsync them to the dbclone jail
Copied the latest database backups into the new jail for later restores
Anything else?

MariaDB configuration

I installed and then enabled MariaDB.

I enabled it (yes, that’s the right service name):

# service mysql-server enable
mysql enabled in /etc/rc.conf

I started it:

# service mysql-server start
Installing MariaDB/MySQL system tables in '/var/db/mysql' ...
OK

To start mariadbd at boot time you have to copy
support-files/mariadb.service to the right place for your system


Two all-privilege accounts were created.
One is root@localhost, it has no password, but you need to
be system 'root' user to connect. Use, for example, sudo mariadb
The second is mysql@localhost, it has no password either, but
you need to be the system 'mysql' user to connect.
After connecting you can set the password, if you would need to be
able to connect as any of these users with a password and without sudo

See the MariaDB Knowledgebase at https://mariadb.com/kb

You can start the MariaDB daemon with:
cd '/usr/local' ; /usr/local/bin/mariadbd-safe --datadir='/var/db/mysql'

You can test the MariaDB daemon with mariadb-test-run.pl
cd '/usr/local/' ; perl mariadb-test-run.pl

Please report any problems at https://mariadb.org/jira

The latest information about MariaDB is available at https://mariadb.org/.

Consider joining MariaDB's strong and vibrant community: https://mariadb.org/get-involved/

Starting mysql.

I ran this. I read it about. Figured it would be good. I know nothing else.

[13:09 zuul-mariadb01 dvl ~/mysql] % sudo mysql_secure_installation
/usr/local/bin/mysql_secure_installation: Deprecated program name. It will be removed in a future release, use 'mariadb-secure-installation' instead

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] n
... skipping.

You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Creating and restoring the database

Create the database:

[13:15 zuul-mariadb01 dvl ~/mysql] % mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 11.8.6-MariaDB FreeBSD Ports

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

root@localhost [(none)]> create database wordpress_danlangilleorg;
Query OK, 1 row affected (0.000 sec)

root@localhost [(none)]> ^DBye

Populating that new database:

[13:16 zuul-mariadb01 dvl ~/mysql] % mysql -u root -p wordpress_danlangilleorg < wordpress_danlangilleorg.sql
Enter password:

That was easy.

Creating the database users

[13:17 zuul-mariadb01 dvl ~/mysql] % mysql -u root -p mysql                                                  
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 16
Server version: 11.8.6-MariaDB FreeBSD Ports

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

root@localhost [mysql]> grant usage on wordpress_danlangilleorg.* to 'wordpress'@'10.8.0.7' identified by 'foo';
Query OK, 0 rows affected (0.096 sec)

Oh, there's more, I found out later:

root@localhost [(none)]> GRANT SELECT, INSERT, UPDATE, DELETE ON wordpress_danlangilleorg.* to 'wordpress'@'10.80.0.97' ;
Query OK, 0 rows affected (0.014 sec)

That's all

After that, this blog was back online (after some wordpress configuration changes to point it at the new location).

Then, I was able to write this post.

More blogs to follow. They need to be migrated over here too.

2026-02-25 18:42:06 UTC

Please note that the information provided in this document is for informational purposes only and does not constitute legal advice.

The FreeBSD Foundation has launched its Cyber Resilience Act (CRA) Readiness project for 2026 to prepare the Foundation, the FreeBSD Project, and the broader FreeBSD community for the European Union’s landmark cybersecurity legislation. This post provides context for why we are investing in this work now and information about what the project will cover.

The EU is regulating software security

The EU’s CRA (REGULATION (EU) 2024/2847) represents one of the most significant pieces of software security legislation in recent history. It places commercial software into a regulatory framework for security and, if products are found to be non-compliant, it specifies fines of up to 15 million euros or 2.5 % of a company’s total worldwide annual turnover, whichever is higher.

Manufacturers are required to manage the security risks posed by their supply chain

For manufacturers the CRA mandates essential cybersecurity requirements with which they must comply during the design, development and production of their products.

These requirements fall into two main categories, each of which has stringent enforcement:

Products must be secure by default.

Manufacturers must actively manage the cybersecurity risk across the full lifecycle of their products. They must document how they are doing this (including providing an SBOM) and make it available to the market surveillance authorities. They must exercise due diligence in their use of 3rd-party components such as open source projects. They must provide a declaration of conformity with the CRA on the basis of having carried out an accepted conformity assessment procedure.

Vulnerabilities must be rapidly reported.

Once the product is on the market, manufacturers must act quickly when actively exploited vulnerabilities are discovered. Notifications must be reported on the CRA Single Reporting Platform with deadlines as follows: 24 hours for an early warning notification, and 72 hours for the main notification. Further reporting deadlines also apply within a 14-28 day window.

There is a lot more detail provided in the CRA itself, but these headlines are enough to give a clue to the sorts of activities that manufacturers will soon start doing to meet the CRA requirements.

The CRA is already law, with staged compliance deadlines

The CRA entered into force on 10 December 2024. Its essential cybersecurity requirements (including ‘secure by default’ principles) will start applying from 11 December 2027. Products placed on the market before 11 December 2027 are only subject to these requirements if they undergo substantial modification after that date.

Reporting obligations come into force on 11 September 2026. Reporting obligations apply to all products with digital elements available in the EU market, including those already on the market before 11 December 2027.

Open source projects have limited CRA responsibilities, but face both opportunities and risks

Open source projects have limited responsibilities

Many in the open source community have been watching this coming down the tracks. The first iteration of the CRA did not mention open source at all. Thanks to feedback from many open source contributors, the CRA now contains robust carve-outs of responsibility for open source projects.

Happily, individuals who contribute to free and open source projects are exempted from all legal responsibilities, even if they are paid to contribute on a project.

Organizations that are classified as ‘open source stewards’ have limited responsibilities under the CRA and cannot be fined. The FreeBSD Foundation likely falls under this classification. Individuals cannot be stewards.

The risks to an open source project

Does this mean an open source project has nothing to worry about? For open source projects which are used in downstream commercial software products there are some areas where things might get rough once manufacturers start getting serious about CRA compliance.

One example is a “due diligence denial of service attack”. What happens when many manufacturers aim to carry out a due diligence process on components in their SBOM? A project with a large downstream user base might receive a deluge of requests for information.

Or, how about when an exploited vulnerability is discovered in your open source project? A manufacturer would have to report it within 24h and your project might receive requests for information, and patch submissions (or demands for fixes!) that come with a lot of pressure attached. Does your project have the processes and staffing for this?

Another, more insidious, possibility is that any open source project that is not prepared for the CRA may simply get swapped out or passed over by manufacturers who see a more-compliant option. This could contribute to putting a project on a downward trajectory. If you are thinking “my project is too hard to swap out”, consider this – an unprepared project that cannot be easily swapped out might find that the downstream start making SBOMs just for their fork (this could create all sorts of complexities and upstream queries).

The opportunities for open source projects

It is not all doom and gloom though. The CRA has the potential to change the power dynamics of the open source landscape. Projects that are proactive in preparing for the CRA will be better positioned to forge new relationships with their downstream users.

When manufacturers need SBOMs, documentation on security processes, and swift vulnerability management responses to avoid eye-watering fines, they may be more incentivized to support their upstream open source projects.

Projects could secure funding agreements, gain dedicated security staffing support, or establish formal partnerships with manufacturers.

Open source projects all over the world are working together to figure this out. After all, it’s what we do.

The FreeBSD Foundation is committed to helping FreeBSD navigate this important change successfully.

The FreeBSD Foundation’s CRA Readiness project

For FreeBSD, getting prepared now means we can take a proactive approach to CRA readiness and leverage as much benefit as possible while reducing potential harms.

The high-level project goals are: make sure the Foundation fulfills its legal obligations as an open source steward, protect the Project from disruption as manufacturers work to meet CRA requirements, and ensure that our contributors understand they are not personally exposed to legal liability under this legislation.

What we are working on

The project is organized into six workstreams running through 2026:

Security and vulnerability handling
This is the core of the effort. Foundation staff will work closely with FreeBSD’s Core team, Security team, and Ports Security team, and downstream vendors to develop a shared understanding of CRA responsibilities and to examine how we collectively respond to CRA-related scenarios. This is a sustained, 12-month effort that takes a holistic view of FreeBSD’s security posture, and will result in updated policies, public positions, and documentation where needed.

SBOM toolchain
This addresses one of the CRA’s most concrete requirements: Software Bills of Materials. Rather than leaving manufacturers to independently generate their own (potentially inaccurate) SBOMs for FreeBSD-based products, we are building a single, authoritative, open-source SBOM toolchain. This work builds on development started in 2025 under our Infrastructure Modernization project. Over the next four months, we will be adding SBOM information files, identifying and filling licensing gaps, and collaborating with upstream projects to improve SBOM metadata. A shared, accurate SBOM solution is better for everyone.

Public documentation
This will give manufacturers, maintainers, and contributors clear, FreeBSD-specific information about CRA requirements, including emerging processes and key contacts. The content will evolve as our understanding deepens across the other workstreams.

Community legislative engagement
This will open up a simple communication channel (most likely a mailing list) so that the FreeBSD community can participate in EU policy development. Bodies like CEN, CENELEC, and ETSI regularly seek input from the open source world, and we want to make sure FreeBSD voices are part of that conversation.

A public-facing project repository
This will serve as the running record of everything we do. We are committed to transparency: detailed updates, outputs, and decision-making will all be documented here as the project progresses.

Communications
We will keep the broader community informed through blogs, social media, and other channels as we hit key milestones.

A note on scope
The CRA is new legislation, and real-world guidance on implementation continues to evolve. We have designed this project to adapt as our understanding develops, and though the workstreams above reflect our best current thinking, you should expect the details to shift over time. We will keep you informed as they do.

Learn more

CRA full text https://eur-lex.europa.eu/eli/reg/2024/2847/oj
CRA summary https://digital-strategy.ec.europa.eu/en/policies/cra-summary#ecl-inpage-chapter-viii
FreeBSD Foundation’s CRA Readiness project repo https://github.com/FreeBSDFoundation/all-projects/tree/main/Cyber%20Resilience%20Act%20Readiness
3rd-party guide to how CRA affects open source maintainers https://cra.orcwg.org/faq/maintainers/

The post Getting ready for the Cyber Resilience Act first appeared on FreeBSD Foundation.

2026-03-03 00:00:00 UTC

New committer: Laurent Chardon (ports)

2026-03-02 17:07:51 UTC

The Valuable News weekly series is dedicated to provide summary about news, articles and other interesting stuff mostly but not always related to the UNIX/BSD/Linux systems. Whenever I stumble upon something worth mentioning on the Internet I just put it here.

Today the amount information that we get using various information streams is at massive overload. Thus one needs to focus only on what is important without the need to grep(1) the Internet everyday. Hence the idea of providing such information ‘bulk’ as I already do that grep(1).

The Usual Suspects section at the end is permanent and have links to other sites with interesting UNIX/BSD/Linux news.

Past releases are available at the dedicated NEWS page.

UNIX

FreeBSD 2025 Q4 Status Report.
https://freebsd.org/status/report-2025-10-2025-12/

FreeBSD Does Not Have WiFi Driver for My Old MacBook. AI Build One for Me.
https://vladimir.varank.in/notes/2026/02/freebsd-brcmfmac/

FreeBSD Parthenope Multi Installer in Lua.
https://gitlab.com/alfix/parthenope

FreeBSD Git Weekly: 2026-02-16 to 2026-02-22.
https://freebsd-git-weekly.tarsnap.net/2026-02-16.html

GhostBSD Plan to Ditch Xorg for XLibre.
https://theregister.com/2026/02/24/ghostbsd_plans_to_adopt_xlibre/

KDE Plasma 6.6 is Not Forcing systemd(1) but Arguments Rage On.
https://theregister.com/2026/02/24/kde_plasma_66/

Red Hat Learning Community Will Decommission on 2026/03/31.
https://learn.redhat.com/t5/Red-Hat-Learning-Community-News/Evolving-how-we-learn-together/ba-p/57899

SonicDE (KDE/Plasma 6.x Fork with X11 Support) on FreeBSD.
https://github.com/sonicde-freebsd

OpenZFS 2.4.1 Released.
https://github.com/openzfs/zfs/releases/tag/zfs-2.4.1

FreeBSDKit is Framework for Building Secure and Capability Aware Applications on FreeBSD.
https://github.com/SwiftBSD/FreeBSDKit

FreeBSD 15 Bridges/VLANs/Jails – Nice!
https://reddit.com/r/freebsd/comments/1r704e0/freebsd_15_bridges_vlans_and_jails_nice/
https://gist.github.com/codeedog/99f69ed1909fe633f6ab7b2d467de0f4

On Jails/VLANS/Trunking – Hurray for if_bridge New vlanfilter Feature.
https://reddit.com/r/freebsd/comments/1pytvnr/on_jails_vlans_and_trunking_hurray_for_if_bridge/

Virtualization Basics.
https://dumrich.github.io/GSoC25-Blog/posts/virtualization-fundamentals/

How QEMU Accelerator Works.
https://dumrich.github.io/GSoC25-Blog/posts/qemu-accel/

Adding Bhyve vmm(4) as Accelerator to QEMU.
https://dumrich.github.io/GSoC25-Blog/posts/qemu-bhyve/

Bhyve Part 1.
https://dumrich.github.io/GSoC25-Blog/posts/bhyve-part-1/

Bhyve Part 2.
https://dumrich.github.io/GSoC25-Blog/posts/bhyve-part-2/

Bhyve Part 3.
https://dumrich.github.io/GSoC25-Blog/posts/bhyve-part-3/

Git Fundamentals.
https://dumrich.github.io/GSoC25-Blog/posts/git-fundamentals/

Latest GhostBSD 26.1-R15.0p2-02-25-11 ISO Available.
https://ci.ghostbsd.org/jenkins/job/stable-15/job/Build%20ISO%20For%20Testing%20Packages/2/

Solaris 11.4 SRU90 – Preserve Boot Environments.
https://c0t0d0s0.org/blog/solaris114preservebootenvironments.html

Solaris 11.4 SRU90 – Limiting Signaling to All.
https://c0t0d0s0.org/blog/limitedsignaling.html

Supplemental Document for AWK.
https://github.com/arnoldrobbins/awksupp

You Just Need Postgres – Stop Managing 7 Databases.
https://youjustneedpostgres.com/

FreeBSD 14.4-RC1 Now Available.
https://lists.freebsd.org/archives/freebsd-stable/2026-February/003883.html

FreeBSD 14.4-RC1 Adds Emacs/Vim and More to DVD Images.
https://phoronix.com/news/FreeBSD-14.4-RC1-Released

ZFS Fast Dedup for Proxmox VE 9.x.
https://klarasystems.com/articles/zfs-fast-dedup-for-proxmox-ve-9x/

FreeBSD pkg autoremove.
https://rubenerd.com/freebsd-pkg-autoremove/

Uplift Privileges on FreeBSD.
https://vermaden.wordpress.com/2026/03/01/uplift-privileges-on-freebsd/

Jails for NetBSD – Kernel Enforced Isolation and Native Resource Control.
https://netbsd-jails.petermann-digital.de/

Running Your Own AS: Going Multi Homed with iBGP and Three Transits.
https://blog.hofstede.it/running-your-own-as-going-multi-homed-with-ibgp-and-three-transits/

How I Used SIGUSR1 to Avoid Python Process Conflicts.
https://ericbsd.com/how-i-used-sigusr1-to-avoid-python-process-conflicts.html

UNIX System V Release 2.0 Programmer Reference Manual BTL Edition. [1983]
https://archive.org/details/unix-system-v-release-2-programmer-reference-manual-btl-edition/

MinIO os Dead. Long Live MinIO.
https://blog.vonng.com/en/db/minio-resurrect/

64bit GNU Hurd is Here.
https://guix.gnu.org/blog/2026/the-64-bit-hurd//

Phoenix and Tailwind on FreeBSD.
https://blog.feld.me/posts/2026/02/phoenix-tailwind-freebsd/

Solaris 2.6 (x86) on 86Box with Socket 7. [1996]
https://officialaptivi.wordpress.com/2026/02/28/solaris-2-6-x86-on-86box-with-socket-7-1996/

Multiple Keyboard Layouts on OpenBSD.
https://tumfatig.net/2026/multiple-keyboard-layouts-on-openbsd/

Another Subprocess for vmd(8) on OpenBSD
https://undeadly.org/cgi?action=article;sid=20260226110600

Day #15 of Rediscovering FreeBSD.
https://tnorlin.se/posts/2026-03-01-day15-of-rediscovering-freebsd/

FreeBSDKit is Framework for Building Secure Capability Aware Applications on FreeBSD.
https://github.com/vIsNotUNIX/FreeBSDKit

Rockhopper Generates Installer Packages for Wide Variety of Platforms.
https://github.com/mcandre/rockhopper

UNIX/Audio/Video

Why Rust is Causing Tension in Linux Kernel.
https://youtube.com/watch?v=-XLuGB0wZ1M

2026-02-26 Bhyve Production User Call.
https://youtube.com/watch?v=jGhKX8kjQKg

2026-02-25 OpenZFS Production User Call.
https://youtube.com/watch?v=aYJ4sWotYho

ReactOS Future is Brighter Than Ever.
https://youtube.com/watch?v=VnLQvqoxXjA

MidnightBSD Responds to California Age Verification Law by Excluding California.
https://youtube.com/live/4qu5-tXVSGw

Sprinkling Little Cinnamon on GhostBSD.
https://youtube.com/watch?v=kaQ7MrB28yQ

BSD Now 652: Ghostly Graphics.
https://www.bsdnow.tv/652

Hardware

Intel ME: Anatomy of Ring -3 Backdoor – Part 1.
https://sbytec.com/vulnerabilities/intel_me/

PDP-11 Replica Kit – Build Your Own DEC PDP-11/70 Computer.
https://obsolescence.dev/pdp11.html

Intel Plans Return to Unified Core Design w/o Performance and Efficiency Cores.
https://techpowerup.com/346645/intel-plans-return-to-unified-core-design-no-more-performance-and-efficiency-core-split

CAN Bootloader.
https://runtimenotes.hashnode.dev/8bytes-is-not-too-bad

Build a Boy – Bricks Gaming Handheld You Build from Scratch.
https://crowdsupply.com/natalie-the-nerd/build-a-boy

Benchmarking 18 Years of Intel Laptop CPUs.
https://phoronix.com/review/intel-penryn-to-panther-lake/

Upgrading My Open Source Pi Surveillance Server with Frigate.
https://jeffgeerling.com/blog/2026/upgrading-my-open-source-pi-surveillance-server-frigate/

Lenovo Made Framework Like Laptop with Modular Ports.
https://theverge.com/tech/886814/lenovo-thinkbook-modular-ai-pc-concept-mwc-2026-specs

Life

179 Euros.
https://my-notes.dragas.net/2026/02/22/179-euros/

Pegasus Spyware – Part 1 – Zero Click Exploitation and Forensic Analysis.
https://sbytec.com/vulnerabilities/pegasus_analysis/

Pegasus Spyware – Part 2 – Forensic Detection and Mitigation Strategies.
https://sbytec.com/vulnerabilities/pegasus_detection/

Swedish Study: Hiring Discrimination is Problem for Men in Female Dominated Occupations.
https://psypost.org/swedish-study-suggests-hiring-discrimination-is-primarily-a-problem-for-men-in-female-dominated-occupations/

New California Law Says All OSes Including Linux Need to Have Some Form of Age Verification at Account Setup.
https://pcgamer.com/software/operating-systems/a-new-california-law-says-all-operating-systems-including-linux-need-to-have-some-form-of-age-verification-at-account-setup/

Other

Firefox 148.0 Now Available with New AI Controls/Kill Switches.
https://phoronix.com/news/Firefox-148

LibreWolf 148.0 Released.
https://codeberg.org/librewolf/bsys6/releases/tag/148.0-1

X86 CPU Made in CSS.
https://lyra.horse/x86css/

SvarDOS Open Source DOS Distribution.
http://svardos.org/

LibreOffice Accuses OnlyOffice of Being Fake Open Source.
https://tech2geek.net/libreoffice-vs-onlyoffice-the-document-foundation-accuses-its-rival-of-being-fake-open-source/

Diablo II LoD: vermaden Necromancer Guide. [2005]
http://strony.toya.net.pl/~vermaden/necromancer.htm

Firefox 149.0 Beta Released with Convenient Split View Mode.
https://phoronix.com/news/Firefox-149-Beta

Pierdology – Explore One of the Most Versatile Polish Swear Words.
https://pierdology.webflow.io/

Servo Browser Engine Starts 2026 with Many Notable Improvements.
https://phoronix.com/news/Servo-January-2026

Myrient that Hosts 390TB Classic Game Archive Shuts Down on 2026/03/01.
https://pbxscience.com/myrient-to-shut-down-march-31-390tb-classic-game-archive-faces-permanent-closure/

Usual Suspects

BSD Weekly.
https://bsdweekly.com/

DiscoverBSD.
https://discoverbsd.com/

DragonFly BSD Digest.
https://dragonflydigest.com/

FreeBSD Patch Level Table.
https://bokut.in/freebsd-patch-level-table/

FreeBSD End of Life Date.
https://endoflife.date/freebsd

Phoronix BSD News Archives.
https://phoronix.com/linux/BSD

OpenBSD Journal.
https://undeadly.org/

Call for Testing.
https://callfortesting.org/

Call for Testing – Production Users Call.
https://youtube.com/@callfortesting/videos

BSD Now Weekly Podcast.
https://www.bsdnow.tv/

Nixers Newsletter.
https://newsletter.nixers.net/entries.php

BSD Cafe Journal.
https://journal.bsd.cafe/

DragonFly BSD Digest – Lazy Reading – In Other BSDs.
https://dragonflydigest.com

FreeBSD Git Weekly.
https://freebsd-git-weekly.tarsnap.net/

FreeBSD Meetings.
https://youtube.com/@freebsdmeetings

Sheridan Computers.
https://youtube.com/@sheridans/videos

EOF

2026-03-01 20:37:55 UTC

February saw a few changes in HardenedBSD. The majority of my time was spent chasing down the kernel crash in HardenedBSD 15-STABLE that has been plaguing our users. I worked on narrowing down to a three-day window during which a commit was made that causes the crash.

As I write this, I'm narrowing that down further to the specific commit. I'm hoping to have this resolved this month. If I find and fix the problem this week, I will create new builds for folks to use. Otherwise, the next scheduled regular quarterly build is for 01 Apr 2026.

I appreciate everyone's patience on this. This has been a tricky bug (at times, it fit the description of a "heisenbug"). My spare time is limited (I have a rather large amount of tasks/obligations in everyday ${LIFE} right now), so it has naturally taken a long while to get to this point.

While inbetween clients at my dayjob, I have been granted the opportunity to research meshtastic and other mesh networking projects. I'm getting a lot closer in my censorship- and surveillance-resistant mesh network proof-of-concept. I'm now at the point where I need to port Linux-specific code to HardenedBSD. I'm hoping to get normal tcp/ip packets flowing through Reticulum nodes on the inside of six months. This project, announced in partnership with Protectli one-and-a-half years ago[1], is starting to move along at a nice pace. I will have more to share on that by the next status report.

On Saturday, 28 Feb 2026, I had given my local Hackers N' Hops chapter a little show & tell of Meshtastic, Reticulum, and HardenedBSD. I met with a bunch of really cool hacckers there, and demoed two Reticulum RNodes backed by Reticulum instances on two HardenedBSD laptops. I demoed an exec-over-meshtastic Python script I wrote the day prior. The script is available on Radicle as rad:z44pvAJS7SiQf2CGtpn8hY44GDMyu.

Speaking of Radicle, I plan to migrate some of my personal repos away from our self-hosted GitLab and onto the Radicle network. With time, I'm hoping to migrate us completely towards Radicle. Now would be a good time for those who want to contribute to HardenedBSD to start playing around and experimenting with Radicle.

In src:

Contributor "gmg" hardened the kernel crashdump interface.
Opt zlib kernel module into -ftrivial-var-auto-init=zero.
bsdinstall(8): Align us more closely with FreeBSD.

In ports:

net-p2p/reticulum was updated to 1.1.3_2
Disable PaX PAGEEXEC and PaX NOEXEC for science/zotero
Bring in candidate patch to fix dns/unbound
Hook hardenedbsd/ctrl into the build
0x1eef added a new port: hardenedbsd/ctrl
Bump ports-mgmt/pkg to 3.5.1_1
0x1eef updated a port: portzap v2.1.1
0x1eef updated a port: sourcezap v2.1.1

Once I have figured out what's going on with the 15-STABLE panic and have a proper fix in place, I plan to quickly switch gears towards hbsdfw. I haven't produced a working hbsdfw build in a long time, and it's far past due. After that, I plan to switch right back to the Reticulum research and development.

I'll make sure to keep the community informed of the 15-STABLE findings and fixes.

2026-03-01 11:00:00 UTC

When I started looking into the architecture of Large Language Models (LLMs), I got confused when I encountered Retrieval Augmented Generation (RAG). Both LLMs themselves and RAG use embeddings (a numerical vector representation of a token) and through its shared terminology, I made the wrong assumption that the embeddings in both are strongly related. It is in fact much simpler, and while both use embeddings, they are unrelated to each other.

Note: I'm still dipping my toes into the world of LLMs (and other generative AI, like diffusion-models for image generation), so my posts might be inaccurate. I welcome any feedback or comments on this.

Embeddings in a large language model

LLMs are trained to predict text given a certain input. The text that is predicted are so-called tokens, small text snippets. These are then added to the input text, and the LLM again predicts the next token, moving forward until it predicted a special token that indicates the end of a text sequence.

Simple view of LLM

Suppose the text at that point is the following:

Two roads diverged in a yellow wood,
and sorry I

You might know this as the start of "The Road Not Taken", a poem by Robert Frost. If the LLM is trained with this poem, it might be able to predict the next tokens. When I ran this as input through Qwen3-VL 8B, one of the more recent open-weights model released by the Qwen team at Alibaba Cloud, it was able to generate parts of the poem further, but eventually strayed off course.

Two roads diverged in a yellow wood,
and sorry I couldn’t travel both
and be one traveler, long I stood.
and looked down one as far as I could
to where it bent in the undergrowth;
Then took the other, as just as fair,
and having perhaps a better claim,
because it was grassy and wanted wear;
though as for that the passing there
had worn them really about the same,

And both that morning equally lay
in leaves no step had trodden black.
And both … The question is — which way does he take? It’s not clear. He says “I took the other”, 
but then says “the passing there had worn them really about the same”. So why did he choose one 
over the other? Is it a matter of chance? Or is there something more symbolic going on?

^{Note: There is some randomness involved here, other iterations with the same
model and input did result in the poem being quoted correctly, followed by an
analysis of the poem.}

While generating the output, the model generates one part of text at a time. This part of text is called a token, and the LLM has a built-in tokenizer that converts text into tokens, and tokens back into text. For the Qwen3 models, the Qwen tokenizer is used. If I understand its vocabulary correctly, the text "couldn't travel" would be tokenized into:

[ "couldn", "'t", " ", "travel" ]

Different LLMs can use different tokenization methods, but there is a lot of re-use here. Different LLM models can use the same tokenizer.

These tokens are converted into embeddings, which form the foundational representation for use in LLMs. They are numerical vectors that represent those text tokens. LLMs work with these numerical vectors: LLMs (and AI in general) are software systems that perform heavy computational operations, performing many matrix operations with each matrix being a massive set of numbers. Well, text is represented as a huge matrix.

Embeddings are not just a simple index, but are pretrained values. These values enable token mapping based on semantic similarity. When the training material often combines "corona" and "COVID", then these two will have embeddings that allow both terms to be seen as close to each other. But the same is true if there is material combining "corona" and "beer". So the embedding that represents "corona" (assuming it is a single token) would have semantic understanding of both corona being a viral disease (related to COVID-19) as well as an alcoholic beverage.

Unlike tokenizers, which can be reused across different LLM models, the embeddings are unique to each model. Sure, within the same family (e.g. Qwen3) there can be reuse as well, but it is much less common to see this re-use across different families.

The phrase "Two roads" would consist of three tokens ("Two", " ", "roads"), which are converted into a corresponding 4096-dimensional embedding vector during processing. The dimension is fixed for a particular LLM: Qwen3 8B for instance uses embeddings of 4096 numbers. So that start would be a matrix with dimensions 3x4096. The entire text itself thus would be represented by a very large matrix, with one dimension being this embedding size (4096 in my case), the other dimension being the amount of tokens already used as text (both input and generated output).

These matrices are then used as input within the LLM, which then starts doing magic with them (well, not really magic, it's rather maths, multiplying the matrix against other in-LLM stored matrices, iterating over multiple blocks of matrix operations, etc.) to eventually output a (sequence of) embedding(s), which is appended to the input matrix to re-iterate the entire process over and over again.

Embedding-based view of LLM

The maximum amount of tokens that a model can handle is also predefined, although there are methods to extend this. For Qwen3 8B, this is 32768 natively, and 131072 with an extension method called YaRN. So, for the native implementation, that means the maximum text size would be represented as a matrix of dimensions 32768x4096.

Retrieval Augmented Generation

LLMs are trained with a certain set of data, so once it is finished training, it does not have the ability to learn more. To make it more useful, you want the LLM to have access to recent insights. Nowadays, the hype is all about MCP (Model Context Protocol), which is having LLMs trained to understand that they have tools at their disposal, and know how to call these tools (well, in reality, they are trained to generate output that the software which executes the LLM detects, makes a tool output, and adds the outcome of that tool back to the text already generated, allowing the LLM to continue).

Before MCP the world was (and still is) using Retrieval Augmented Generation (RAG). The idea behind RAG is that, before the LLM responds to a user's query (prompt) it also receives new information from external data sources. With both the user query and information from the sources, the LLM is able to generate more useful output.

When I looked at RAG, I noticed it using embeddings as well prior to the actual retrieval, so I wrongfully thought that those are the same embeddings, and that the outcome of the RAG would be an embedding matrix as well, that the LLM then receives and further processes...

Incorrect RAG view

I was misled by documentation on RAGs indicated things like "the data to be referenced is converted into LLM embeddings", and that the technology used for RAG retrieval are vector databases specialized for embedding-based operations. Many online resources also looked at RAG as a complete, singular solution with multiple components. So I jumped into conclusion that these are the same embeddings. But then, that would mean the RAG solution would be tailored to the LLM being used, because other LLM models (like Llama3, or Mistral) use different embedding vocabulary.

Instead, what RAG does, is take the same prompt, convert it into tokens and embeddings (using its own tokenizer/embedding vocabulary) and then uses that to perform a search operation against the data that is added to the RAG database. This data (which is the recent insights or other documents you want your LLM to know about) is also tokenized and converted into embeddings, but it is not those embeddings that are brought back to the main LLM, but the plain text outcome (or other media types that your LLM understands, such as images).

Why does RAG then use embeddings? Wouldn't a simple search engine be sufficient? Well, the RAG's primary advantage is its ability to locate relevant information more effectively through embeddings. Thanks to the embedding representation, the RAG can find information that is related to the user query without relying on keyword matches. You could effectively replace the RAG engine with a simple search - and many LLM-powered software applications do support this. For instance, Koboldcpp which I use to run LLM locally, supports a simple DuckDuckGo-based websearch as well.

RAG view

The use of embeddings for search operations (again, completely independent of the LLM) allows for contextual understanding. When a user prompts for "What are the ingredients for Corona", a simple keyword-based search operation might incorrectly result in findings of COVID-19, whereas in this case the query is about the Corona beer.

These improved search operations are often called "semantic search", as they have a better understanding of the semantics and meanings of text (through the embeddings), resulting in more contextually relevant insights.

When is it "RAG" and when semantic search

Retrieval Augmented Generation is the process of converting the user query, performing a semantic search against the knowledge base, and appending the best results (e.g. top-3 hits in the knowledge base) to the user input text. This completed input text thus contains both the user query, as well as pieces of insights obtained from the semantic search. The LLM uses this additional information for generating better outcomes. This entire pipeline (retrieving context, augmenting the prompt, and then generating output) is what defines "RAG".

I personally see RAG technology-wise being very similar to a regular search: replace the semantic search with a search engine (which underlyingly could also use semantic search anyway) and the outcome is the same. The main difference is that RAG is meant for finding exact truth, information snippets tailored to bring context information accurately, whereas a search engine based retrieval would rather bring snippets of data back.

In the market, RAG also focuses on the management of the semantic search (and vector database), optimizing the data that is added to the knowledge base to be LLM-friendly (shorter pieces of accurate data, rather than fully-indexed complete pages which could easily overload the maximum size that an LLM can handle). It prioritizes efficient data management and insights lifecycle control.

For LLMs, it also provides a bit more nuance. A web search would be presented to the LLM as "The following information can be useful to answer the question", whereas RAG results would be presented as actual insights/context. LLMs might be trained to deal differently with that distinction.

Understanding that the semantic search is independent of the LLM of course makes much more sense. It allows companies or organizations to build up a knowledge base and maintain this knowledge independent of the LLMs. Multiple different LLMs can then use RAG to obtain the latest information from this knowledge base - or you can just use the engine for semantic searches alone, you do not need LLMs to get beneficial searches. Many popular web search engines use semantic search underlyingly (i.e. when they index pages, they also generate the embeddings from it and store those in their own vector databases to improve search results).

When new embedding algorithms emerge that you want to use, you must re-generate the embeddings for the entire knowledge base. But that will most likely occur much, much less frequently than using new LLM models (given the rapid evolution here).

Conclusion

RAG is a feature of the software that runs the LLM, allowing for retrieving contextual information from a curated knowledge base. RAG's use of embeddings is related to its semantic search, not to the same embeddings as those used by the LLM. The contextual information is added to the user prompt as text, and only then 'converted' into the embeddings used by the LLM itself.

Feedback? Comments? Don't hesitate to get in touch on Mastodon.

^{Images are created in Inkscape, using icons from
Streamline
(GitHub), released under
the CC BY 4.0 license, indexed
at OpenSVG.}

2026-02-28 12:01:57 UTC

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher’s home. This post examines what is knowable about Dort based on public information.

A public “dox” created in 2020 asserted Dort was a teenager from Canada (DOB August 2003) who used the aliases “CPacket” and “M1ce.” A search on the username CPacket at the open source intelligence platform OSINT Industries finds a GitHub account under the names Dort and CPacket that was created in 2017 using the email address jay.miner232@gmail.com.

Image: osint.industries.

The cyber intelligence firm Intel 471 says jay.miner232@gmail.com was used between 2015 and 2019 to create accounts at multiple cybercrime forums, including Nulled (username “Uubuntuu”) and Cracked (user “Dorted”); Intel 471 reports that both of these accounts were created from the same Internet address at Rogers Canada (99.241.112.24).

Dort was an extremely active player in the Microsoft game Minecraft who gained notoriety for their “Dortware” software that helped players cheat. But somewhere along the way, Dort graduated from hacking Minecraft games to enabling far more serious crimes.

Dort also used the nickname DortDev, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as LAPSUS$. Dort peddled a service for registering temporary email addresses, as well as “Dortsolver,” code that could bypass various CAPTCHA services designed to prevent automated account abuse. Both of these offerings were advertised in 2022 on SIM Land, a Telegram channel dedicated to SIM-swapping and account takeover activity.

The cyber intelligence firm Flashpoint indexed 2022 posts on SIM Land by Dort that show this person developed the disposable email and CAPTCHA bypass services with the help of another hacker who went by the handle “Qoft.”

“I legit just work with Jacob,” Qoft said in 2022 in reply to another user, referring to their exclusive business partner Dort. In the same conversation, Qoft bragged that the two had stolen more than $250,000 worth of Microsoft Xbox Game Pass accounts by developing a program that mass-created Game Pass identities using stolen payment card data.

Who is the Jacob that Qoft referred to as their business partner? The breach tracking service Constella Intelligence finds the password used by jay.miner232@gmail.com was reused by just one other email address: jacobbutler803@gmail.com. Recall that the 2020 dox of Dort said their date of birth was August 2003 (8/03).

Searching this email address at DomainTools.com reveals it was used in 2015 to register several Minecraft-themed domains, all assigned to a Jacob Butler in Ottawa, Canada and to the Ottawa phone number 613-909-9727.

Constella Intelligence finds jacobbutler803@gmail.com was used to register an account on the hacker forum Nulled in 2016, as well as the account name “M1CE” on Minecraft. Pivoting off the password used by their Nulled account shows it was shared by the email addresses j.a.y.m.iner232@gmail.com and jbutl3@ocdsb.ca, the latter being an address at a domain for the Ottawa-Carelton District School Board.

Data indexed by the breach tracking service Spycloud suggests that at one point Jacob Butler shared a computer with his mother and a sibling, which might explain why their email accounts were connected to the password “jacobsplugs.” Neither Jacob nor any of the other Butler household members responded to requests for comment.

The open source intelligence service Epieos finds jacobbutler803@gmail.com created the GitHub account “MemeClient.” Meanwhile, Flashpoint indexed a deleted anonymous Pastebin.com post from 2017 declaring that MemeClient was the creation of a user named CPacket — one of Dort’s early monikers.

Why is Dort so mad? On January 2, KrebsOnSecurity published The Kimwolf Botnet is Stalking Your Local Network, which explored research into the botnet by Benjamin Brundage, founder of the proxy tracking service Synthient. Brundage figured out that the Kimwolf botmasters were exploiting a little-known weakness in residential proxy services to infect poorly-defended devices — like TV boxes and digital photo frames — plugged into the internal, private networks of proxy endpoints.

By the time that story went live, most of the vulnerable proxy providers had been notified by Brundage and had fixed the weaknesses in their systems. That vulnerability remediation process massively slowed Kimwolf’s ability to spread, and within hours of the story’s publication Dort created a Discord server in my name that began publishing personal information about and violent threats against Brundage, Yours Truly, and others.

Dort and friends incriminating themselves by planning swatting attacks in a public Discord server.

Last week, Dort and friends used that same Discord server (then named “Krebs’s Koinbase Kallers”) to threaten a swatting attack against Brundage, again posting his home address and personal information. Brundage told KrebsOnSecurity that local police officers subsequently visited his home in response to a swatting hoax which occurred around the same time that another member of the server posted a door emoji and taunted Brundage further.

Dort, using the alias “Meow,” taunts Synthient founder Ben Brundage with a picture of a door.

Someone on the server then linked to a cringeworthy (and NSFW) new Soundcloud diss track recorded by the user DortDev that included a stickied message from Dort saying, “Ur dead nigga. u better watch ur fucking back. sleep with one eye open. bitch.”

“It’s a pretty hefty penny for a new front door,” the diss track intoned. “If his head doesn’t get blown off by SWAT officers. What’s it like not having a front door?”

With any luck, Dort will soon be able to tell us all exactly what it’s like.

Update, 10:29 a.m.: Jacob Butler responded to requests for comment, speaking with KrebsOnSecurity briefly via telephone. Butler said he didn’t notice earlier requests for comment because he hasn’t really been online since 2021, after his home was swatted multiple times. He acknowledged making and distributing a Minecraft cheat long ago, but said he hasn’t played the game in years and was not involved in Dortsolver or any other activity attributed to the Dort nickname after 2021.

“It was a really old cheat and I don’t remember the name of it,” Butler said of his Minecraft modification. “I’m very stressed, man. I don’t know if people are going to swat me again or what. After that, I pretty much walked away from everything, logged off and said fuck that. I don’t go online anymore. I don’t know why people would still be going after me, to be completely honest.”

When asked what he does for a living, Butler said he mostly stays home and helps his mom around the house because he struggles with autism and social interaction. He maintains that someone must have compromised one or more of his old accounts and is impersonating him online as Dort.

“Someone is actually probably impersonating me, and now I’m really worried,” Butler said. “This is making me relive everything.”

But there are issues with Butler’s timeline. For example, Jacob’s voice in our phone conversation was remarkably similar to the Jacob/Dort whose voice can be heard in this Sept. 2022 Clash of Code competition between Dort and another coder (Dort lost). At around 6 minutes and 10 seconds into the recording, Dort launches into a cursing tirade that mirrors the stream of profanity in the diss rap that Dortdev posted threatening Brundage. Dort can be heard again at around 16 minutes; at around 26:00, Dort threatens to swat his opponent.

Butler said the voice of Dort is not his, exactly, but rather that of an impersonator who had likely cloned his voice.

“I would like to clarify that was absolutely not me,” Butler said. “There must be someone using a voice changer. Or something of the sorts. Because people were cloning my voice before and sending audio clips of ‘me’ saying outrageous stuff.”

2026-02-28 00:00:00 UTC

The first release candidate build for the FreeBSD 14.4 release cycle is now available. ISO images for the amd64, i386, powerpc, powerpc64, powerpc64le, powerpcspe, armv7, aarch64, and riscv64 architectures are FreeBSD mirror sites.

2026-02-25 10:25:16 UTC

Written as part of the FreeBSD Project’s 4th Quarter 2025 Status Report, check out the highlights of what we did to help FreeBSD last quarter:

The FreeBSD Foundation is a 501(c)(3) non-profit dedicated to advancing FreeBSD through both technical and non-technical support. Funded entirely by donations, the Foundation supports software development, infrastructure, security, and collaboration efforts; organizes events and developer summits; provides educational resources; and represents the FreeBSD Project in legal matters.

Here are some of the ways we supported FreeBSD in the fourth quarter of 2025.

OS Improvements

Throughout the quarter, there were 346 src, 72 ports, and 58 doc commits sponsored by the FreeBSD Foundation.

Refer to the following report entries describing much of that committed development work:

Other highlights include:

A new kqueue1(KQUEUE_CPONFORK) facility to copy kqueue into the child on fork
exterror(9) infrastructure for asynchronous io and geom
libuvmem(3) usermode port of vmem(9)
Fixes for anonymous memory corruption
Fine-grained support for groups and manual page MFCed to 14
Bug fixes
- A 32-bit mdo(1) on a 64-bit FreeBSD would always fail with EINVAL
- Panic when using mdo(1) and resource accounting is enabled (kern.racct.enable set to 1)
MAC system reviews
Kick-off of S4 (hibernate) support
Background work on VFS (in particular supporting unionfs changes)

The Foundation also continued to support two major initiatives: the Laptop Support and Usability project (in collaboration with Quantum Leap Research) and an infrastructure modernization project commissioned by the Sovereign Tech Agency. For background on both efforts, see the 2025Q1 quarterly status report.

We began preparing for FreeBSD’s 22nd consecutive participation in Google Summer of Code (GSoC). Those interested in contributing project ideas or mentoring are encouraged to contact soc-admins@FreeBSD.org.

Continuous Integration and Workflow Improvement

As part of our continued support of the FreeBSD Project, the Foundation supports a full-time staff member dedicated to improving the Project’s continuous integration system and test infrastructure.

Advocacy

In the fourth quarter of 2025, our advocacy work focused on expanding our educational video content, reaching more viewers than ever, bringing the community together for a productive Vendor Summit, and reflecting on the work that is helping sustain and grow interest in FreeBSD. Here are just a few of the ways the Foundation advocated for FreeBSD in Q4 2025:

The November 2025 FreeBSD Vendor Summit, took place November 6–7, 2025, in San Jose, CA. You can watch the Summit recap on our FreeBSD Meetings channel here.
Secured our Media Partnership and booth for SCALE 23x
Secured our Promotional Partner sponsorship for the Code and Compliance Workshop co-located with FOSDEM, taking place January 29, 2026 in Brussels, Belgium
Applied and was accepted to have a stand at FOSDEM, taking place January 31 — February 1, 2026. We will share the stand with the Illumos folks.
Signed for a Silver level sponsorship to AsiaBSDCon26 taking place March 19 — 22, 2026 in Taipei, Taiwan.
Published the following blogs and videos to help to inform and educate the community:
Published the September 2025, November 2025 and December 2025 FreeBSD Foundation Newsletters.
Released the July/August/September issue of the FreeBSD Journal with HTML versions of the articles.

Continuous Integration and Workflow Improvement

The Foundation supports a full-time staff member dedicated to improving the Project’s continuous integration system and test infrastructure.

Legal/FreeBSD IP

The Foundation owns the FreeBSD trademarks, and it is our responsibility to protect them. We also provide legal support for the core team to investigate questions that arise.

Go to https://freebsdfoundation.org to find more about how we support FreeBSD and how we can help you!

The post FreeBSD Foundation Q4 2025 Status Update first appeared on FreeBSD Foundation.

2026-02-25 04:05:06 UTC

Did it ever occur to you why your computer has a fan, and why that fan usually stays quiet until the machine actually starts doing something?

Compute means Heat

When your laptop sits idle, very little is happening electrically. Modern processors are extremely aggressive about not working unless they have to. Large parts of the chip are clock-gated or power-gated entirely. No clock edges means no switching. No switching means almost no dynamic power use. At idle, a modern CPU is mostly just maintaining state, sipping energy to keep memory alive and respond to interrupts.

The moment real work starts, that changes.

Every clock tick forces millions or billions of transistors to switch, charge and discharge tiny capacitors, and move electrons through resistive paths. That switching energy turns directly into heat. More clock cycles per second means more switching. More switching means more heat. Clock equals work, and work equals heat.

This is why performance and temperature rise together. When you compile code, render video, or train a model, the clock ramps up, voltage often increases, and the chip suddenly dissipates tens or hundreds of watts instead of one or two watts.

The fan turns on because physics makes this unavoidable.

Hot Silicon is inefficient

Even when transistors are not switching, hot silicon still consumes power. As temperature increases, leakage currents increase exponentially. Electrons start slipping through transistors that are supposed to be off. This leakage does no useful work. It simply generates more heat, which increases temperature further, which increases leakage again. This feedback loop is one of the reasons temperature limits exist at all, and ultimately why we have fans – to keep the system under load below this critical temperature.

Above roughly 100ºC, this leakage becomes a serious design concern for modern chips. Silicon melts only above 1400ºC, but efficiency collapses much earlier, at 100ºC.

You spend more and more energy just keeping the circuit alive, not computing. To compensate, designers must lower clock speeds, increase timing margins, or raise voltage, all of which reduce performance per watt.

Reliability also suffers. High temperature accelerates wear mechanisms inside the chip. Metal atoms in interconnects slowly migrate. Insulating layers degrade. Transistors age faster. A chip running hot all the time will not live as long as one kept cooler, even if it technically functions.

Performance depends on Cooling

This is why cooling exists, and why it scales with workload: It exists to keep the chip in a temperature range where switching dominates over leakage, where clocks can run fast without excessive voltage, and where the hardware will still be alive years from now.

In space, where you cannot rely on air or liquid to carry heat away, this tradeoff becomes unavoidable and very visible.

Run hotter, and you can radiate heat more easily.
Run hotter, and your electronics become slower, leakier, and shorter-lived.

Raditation outside of the Magnetosphere

On Earth, live and electronics get to pretend the universe is gentle: We sit under a magnetic cocoon.

The Earths magnetic field bends and corrals a lot of charged particles that would otherwise slam into the atmosphere and the ground. The polar lights are indicative of particles which hit the upper atmosphere and dump energy there instead of into your laptop or your DNA.

Low Earth Orbit (LEO) is still inside much of that protective bottle. It is not deep space: most of the time you are still inside the magnetosphere, but you pass through regions where trapped particles dip closer to Earth. The South Atlantic Anomaly is the famous example, a patch where satellites see a much higher rate of hits. Operators notice because sensors glitch, memory errors spike, and instruments get noisy.

Go higher and the protection changes. The Van Allen belts are zones of trapped particles shaped by the magnetic field. They sit above typical LEO altitudes and below geostationary orbit.

Geostationary orbit is far outside LEO, and you spend much more time in harsher particle populations and different dose conditions.

Radiation matters because a modern chip is a giant field of tiny, delicate transistors storing tiny amounts of charge. A single energetic particle can change how or even if that works.

Bit flips: A particle passes through silicon, leaves a trail of charge, and a memory cell or latch interprets that as a 0 becoming a 1. That is a single event upset. It does not break the chip, it just corrupts state. The usual defense is error detection and correction, ECC in memory, parity, scrubbing, retries, and lots of “trust but verify” in data paths. That defense costs area, power, and latency. You carry more bits than you asked for, you spend cycles checking them, and you sometimes redo work.
Latchup and destructive events: Some particle strikes can trigger parasitic structures in CMOS so a section of the chip effectively shorts power to ground, it is stuck at a 0 or a 1 permanently and no longer switches. If you are lucky, the system detects it and power cycles that block. If you are unlucky, you get local overheating and permanent damage. The defense here is design techniques, guard rings, current limiting, fast power cutoffs, and redundancy. Redundancy costs density. You either duplicate blocks so you can route around a failed one, or you accept that some percentage of silicon will be lost over mission life and you overprovision from day one.
Total ionizing dose: Ionizing radiation gradually traps charge in insulating layers and at interfaces. Threshold voltages shift, leakage rises, timing changes, noise margins shrink, and eventually the chip that used to pass validation at room temperature starts failing at its corners where radiation hits strongest. This is why space hardware often talks about dose ratings and mission lifetimes, not just “it works today.” The defenses are process choices, device layout choices, and again, guardbands.

How does space hardware survive?

Shielding and Redundant Design.

Put material around the electronics, often aluminum as a structural and shielding compromise. It helps, but mass is the tax you pay forever. It also only helps a bit: High energy particles penetrate a lot of material, and some shielding configurations create secondary particles when the primary hits the shield. You can reduce dose and upset rates, you cannot build a perfect bunker without turning your satellite into a brick.
A lot of rad hard parts use larger transistors, older process nodes, thicker oxides, and conservative voltages. Larger devices store more charge, so a stray deposit is less likely to flip a bit. Thicker insulators tolerate more ionization. Conservative voltages and clocks give you more timing margin as the device ages. All of this makes the chip slower and bigger for the same function.
On top of that, Logic level hardening, software paranoia. ECC everywhere. Voters and triplication for critical state, triple modular redundancy where you do the same computation three times and take the majority result. Watchdogs, reset domains, isolation boundaries, and constant self checking. You get correctness, but you spend transistors and joules on distrust.

Every one of these defenses hits the same three budgets.

Area goes up because you replicate circuits and add check bits and voters.
Power goes up because more circuitry toggles, and because robust designs often run at higher voltages than bleeding edge consumer silicon.

Speed goes down because checking takes time, retries take time, and wide safety margins force lower clocks.

Space hardened electronics is built for survival, not speed. It is very reliable, and slow as fuck.

What does that mean for AI in Space?

If we hold all that against a H100 GPU as is being used for AI, we can see that this is a lost cause without launching any satellite.

The H100s GH100 die is about 814 mm2 on TSMC 4N with about 80 billion transistors.

This kind of die does not fly into space and survives longer than an afternoon.

A 65nm hardened ASIC technology for Space applications ESA PDF from 2017.

ESA talks about 65nm processes, 16 times larger structures than what powers a H100, 250 times larger area structures, for their space hardened compute.

The same amount of transistors for a H100 would be a 0.2 m^2 slab, which also means that energy goes up and clock goes down, down, down.

Some compute in space runs on 28 nm structures, so a 50x times area increase compared to a H100. That’s 40.000 mm^2 for the same amount of transistors.

Or, in other words, a GPU does not work in space.

At all.

Redundancy costs (Factor 3)

If you try, 80 bn transistors become around 25 bn transistors for overhead (n = 3) and redundant reserve.

So even if you sent a 4 nm node chip into space, it’s no longer an 80 bn monster, but only a relatively modest 25 bn transistor GPU fragment.

Running hotter cools better, to the fourth power. So even relatively modest temperature increases will pay of big time in terms of radiative cooling (100ºC -> 120ºC), but that means more leakage, more power, less clock. So your 25 bn transistors net capacity will calculate slower than on earth.

A GPU does not work in space.

So you have a DC in Space, what now.

We can now talk about bandwidth, latency and spectrum carrying capacity, because we also want to TALK to those data centers from earth, but that’s kind of a moot point already. If it’s a LEO data center, it does move across the sky relatively quickly. It will be in range for a few minutes every 1.5 hours or so. Or you track it as it circles the earth, using up earthbound communication capacity, and paying latency cost.

We can then talk about launch costs, kilograms, lifetime, and the atmospheric effects of that material on re-entry, but it will never come to that.

2026-02-20 20:00:30 UTC

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand’s real website, and then acts as a relay between the victim and the legitimate site — forwarding the victim’s username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses.

There are countless phishing kits that would-be scammers can use to get started, but successfully wielding them requires some modicum of skill in configuring servers, domain names, certificates, proxy services, and other repetitive tech drudgery. Enter Starkiller, a new phishing service that dynamically loads a live copy of the real login page and records everything the user types, proxying the data from the legitimate site back to the victim.

According to an analysis of Starkiller by the security firm Abnormal AI, the service lets customers select a brand to impersonate (e.g., Apple, Facebook, Google, Microsoft et. al.) and generates a deceptive URL that visually mimics the legitimate domain while routing traffic through the attacker’s infrastructure.

For example, a phishing link targeting Microsoft customers appears as “login.microsoft.com@[malicious/shortened URL here].” The “@” sign in the link trick is an oldie but goodie, because everything before the “@” in a URL is considered username data, and the real landing page is what comes after the “@” sign. Here’s what it looks like in the target’s browser:

Image: Abnormal AI. The actual malicious landing page is blurred out in this picture, but we can see it ends in .ru. The service also offers the ability to insert links from different URL-shortening services.

Once Starkiller customers select the URL to be phished, the service spins up a Docker container running a headless Chrome browser instance that loads the real login page, Abnormal found.

“The container then acts as a man-in-the-middle reverse proxy, forwarding the end user’s inputs to the legitimate site and returning the site’s responses,” Abnormal researchers Callie Baron and Piotr Wojtyla wrote in a blog post on Thursday. “Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way.”

Starkiller in effect offers cybercriminals real-time session monitoring, allowing them to live-stream the target’s screen as they interact with the phishing page, the researchers said.

“The platform also includes keylogger capture for every keystroke, cookie and session token theft for direct account takeover, geo-tracking of targets, and automated Telegram alerts when new credentials come in,” they wrote. “Campaign analytics round out the operator experience with visit counts, conversion rates, and performance graphs—the same kind of metrics dashboard a legitimate SaaS [software-as-a-service] platform would offer.”

Abnormal said the service also deftly intercepts and relays the victim’s MFA credentials, since the recipient who clicks the link is actually authenticating with the real site through a proxy, and any authentication tokens submitted are then forwarded to the legitimate service in real time.

“The attacker captures the resulting session cookies and tokens, giving them authenticated access to the account,” the researchers wrote. “When attackers relay the entire authentication flow in real time, MFA protections can be effectively neutralized despite functioning exactly as designed.”

The “URL Masker” feature of the Starkiller phishing service features options for configuring the malicious link. Image: Abnormal.

Starkiller is just one of several cybercrime services offered by a threat group calling itself Jinkusu, which maintains an active user forum where customers can discuss techniques, request features and troubleshoot deployments. One a-la-carte feature will harvest email addresses and contact information from compromised sessions, and advises the data can be used to build target lists for follow-on phishing campaigns.

This service strikes me as a remarkable evolution in phishing, and its apparent success is likely to be copied by other enterprising cybercriminals (assuming the service performs as well as it claims). After all, phishing users this way avoids the upfront costs and constant hassles associated with juggling multiple phishing domains, and it throws a wrench in traditional phishing detection methods like domain blocklisting and static page analysis.

It also massively lowers the barrier to entry for novice cybercriminals, Abnormal researchers observed.

“Starkiller represents a significant escalation in phishing infrastructure, reflecting a broader trend toward commoditized, enterprise-style cybercrime tooling,” their report concludes. “Combined with URL masking, session hijacking, and MFA bypass, it gives low-skill cybercriminals access to attack capabilities that were previously out of reach.”

2026-02-23 10:38:33 UTC

The Valuable News weekly series is dedicated to provide summary about news, articles and other interesting stuff mostly but not always related to the UNIX/BSD/Linux systems. Whenever I stumble upon something worth mentioning on the Internet I just put it here.

Today the amount information that we get using various information streams is at massive overload. Thus one needs to focus only on what is important without the need to grep(1) the Internet everyday. Hence the idea of providing such information ‘bulk’ as I already do that grep(1).

The Usual Suspects section at the end is permanent and have links to other sites with interesting UNIX/BSD/Linux news.

Past releases are available at the dedicated NEWS page.

UNIX

GhostBSD Switches to XLibre Over Wayland.
https://ostechnix.com/ghostbsd-switches-to-xlibre-over-wayland/

Call for Testing KDE Installer Dialogs.
https://lists.freebsd.org/archives/freebsd-desktop/2026-January/007438.html

FreeBSD Git Weekly: 2026-02-09 to 2026-02-15.
https://freebsd-git-weekly.tarsnap.net/2026-02-09.html

Potabi: Technical Analysis of FreeBSD Based Desktop OS.
https://privacylife.info/potabi-technical-analysis-of-the-freebsd-based-desktop-os/

KDE Plasma 6.6 Released.
https://kde.org/announcements/plasma/6/6.6.0/

KDE Plasma 6.6 Released with Many Excellent Improvements.
https://phoronix.com/news/KDE-Plasma-6.6

Howto for FreeBSD 15.0 on Raspberry Pi 5 with NVMe.
https://lists.freebsd.org/archives/freebsd-arm/2026-February/005683.html

GhostBSD to Use XLibre Server and MATE vs. Gershwin Desktop Decision in Future.
https://phoronix.com/news/GhostBSD-Eyes-XLibre

OpenBSD Jumpstart – Anatomy of bsd.rd – No Reboot Required.
https://openbsdjumpstart.org/bsd.rd/

Facilitate Screencasting/Recording with ffmpeg(1) Wrapper fauxstream on OpenBSD.
https://github.com/rfht/fauxstream

Native FreeBSD Kerberos/LDAP with FreeIPA/IDM.
https://vermaden.wordpress.com/2026/02/18/native-freebsd-kerberos-ldap-with-freeipa-idm/

Terminals Should Generate 256 Color Palette.
https://gist.github.com/jake-stewart/0a8ea46159a7da2c808e5be2177e1783

GitLab on FreeBSD Using BastilleBSD Jail. [2023]
https://alfaexploit.com/en/posts/gitlab_on_freebsd/

Undeleted XAA Making X Up to 200x Faster Accelerated Again.
https://patreon.com/posts/undeleted-xaa-x-151028801

FreeBSD 15.0 Linuxulator with CUDA Setup.
https://github.com/isaponsoft/freebsd-ai-notes/blob/main/CUAD_and_llama-server.md

Gentoo on Codeberg.
https://gentoo.org/news/2026/02/16/codeberg.html

FreeBSD AMI ID Pages.
https://daemonology.net/blog/2026-02-19-FreeBSD-AMI-ID-pages.html

New Toy in House for AI/Gaming/Linux/Windows/FreeBSD.
https://peter.czanik.hu/posts/new-toy-in-the-house-for-ai-gaming-linux-windows-freebsd/

Farewell Rust.
https://yieldcode.blog/post/farewell-rust/

Small dbase(1) FreeBSD/Linux Tool to Create/Manage Databases via Command Line.
https://github.com/Pitbasis/dbase

OpenClaw Installation in FreeBSD Jail.
https://github.com/isaponsoft/freebsd-ai-notes/blob/main/openclaw-on-jail.md

Comparison of Cloud Storage Encryption Software.
https://dataswamp.org/~solene/2026-02-19-local-encrypted-volume-comparison.html

Bidirectional OPNsense/pfSense Firewall Configuration Migration/Conversion CLI.
https://github.com/sheridans/pfopn-convert

FreeBSD KDE Desktop Installer Script is Ready for Testing.
https://ostechnix.com/freebsd-kde-installer-call-for-testing-15-1/

HTTP/3 on FreeBSD: Getting QUIC Working with Nginx in Bastille Jail.
https://blog.hofstede.it/http3-on-freebsd-getting-quic-working-with-nginx-in-a-bastille-jail/

Building Hierarchical Jails (Podman x Native Jail) on FreeBSD 15.
https://github.com/isaponsoft/freebsd-ai-notes/blob/main/FreeBSD_jail_on_jail-en.md

FreeBSD 14.4-BETA3 Now Available.
https://lists.freebsd.org/archives/freebsd-stable/2026-February/003866.html

Back to FreeBSD: Part 1.
https://hypha.pub/back-to-freebsd-part-1

Postgres is Your Friend. ORM is Not.
https://hypha.pub/postgres-is-your-friend-orm-is-not

FreeBSD MIT Kerberos Server.
https://vermaden.wordpress.com/2026/02/22/freebsd-mit-kerberos-server/

IPv6 Addresses for OpenBSD vmm(4) Virtual Machines.
https://xosc.org/vmm-ipv6.html

Netbase is Port of NetBSD Utilities to Another UNIX Like Operating Systems.
https://github.com/littlefly365/Netbase

Process Isolation with chroot(2) on NetBSD.
https://overeducated-redneck.net/blurgh/netbsd-chroot-isolation.html

BSD Weekly – Issue 267.
https://bsdweekly.com/issues/267

Using New Bridges of FreeBSD 15.
https://blog.feld.me/posts/2026/02/using-new-bridges-freebsd-15/

Using nsnotifyd(1) with PowerDNS Secondary.
https://blog.feld.me/posts/2026/02/nsnotifyd-with-powerdns-secondary/

Linuxulator on FreeBSD Feels Like Magic.
https://hayzam.com/blog/02-linuxulator-is-awesome/

We Built Our Entire Startup Infra on FreeBSD in 2026. Now We Need to Talk.
https://reddit.com/r/freebsd/comments/1r7mp9n/we_built_our_entire_startup_infra_on_freebsd_in/

UNIX/Audio/Video

OpenBSD Test Livestream: VAAPI on AMD Radeon RX 6700 XT Playing Northgard.
https://spectra.video/w/1smqEby9CkshEQWAthSty9

2026-02-19 Bhyve Production User Call.
https://yout-ube.com/watch?v=8ByyJ8nTtQU

2026-02-18 OpenZFS Production User Call.
https://yout-ube.com/watch?v=z7QKVFs6G3k

GhostBSD Drops Xorg for XLibre.
https://yout-ube.com/watch?v=RdJ2udBG-Og

Xorg Officially Abandons master Branch for main and Throws Away 2 Years of Code.
https://yout-ube.com/watch?v=xjwQXiNhW0E

FreeBSD as Domain Controller – Microsoft Will Not Like This.
https://yout-ube.com/watch?v=GrVDAu-Mcp0

Exploring/Hacking 386BSD – Dad of FreeBSD.
https://yout-ube.com/watch?v=6jfNvIxYyhU

BSD Now 651: Spatially Aware ZFS.
https://www.bsdnow.tv/651

Hardware

WD and Seagate Confirm: Hard Drives for 2026 Sold Out.
https://heise.de/en/news/WD-and-Seagate-confirm-Hard-drives-for-2026-sold-out-11178917.html

ARM Homelab Server – Minisforum MS-R1 Review.
https://sour.coffee/2026/02/20/an-arm-homelab-server-or-a-minisforum-ms-r1-review/

Minisforum Stuffs Entire ARM Homelab in MS-R1. [2025]
https://jeffgeerling.com/blog/2025/minisforum-stuffs-entire-arm-homelab-ms-r1/

This Engine Swapped Six Speed Sedan is M7 That BMW Never Built.
https://petrolicious.com/blogs/articles/this-engine-swapped-six-speed-sedan-is-the-m7-that-bmw-never-built

Your MacBook Has Accelerometer and You Can Read It in Real Time in Python.
https://medium.com/@oli.bourbonnais/your-macbook-has-an-accelerometer-and-you-can-read-it-in-real-time-in-python-28d9395fb180

Rumours Say AMD ZEN6 Ryzen CPU Packs 12 Cores per CCD w/o Requiring Much More Area.
https://club386.com/rumours-say-amd-zen-6-ryzen-cpu-packs-12-cores-per-ccd-without-requiring-much-more-silicon-area/

Life

Use Protocols – Not Services.
https://notnotp.com/notes/use-protocols-not-services/

I Verified My LinkedIn Identity. Here is What I Actually Handed Over.
https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/

I Miss Thinking Hard.
https://jernesto.com/articles/thinking_hard

Other

AI Found 12 New Vulnerabilities in OpenSSL.
https://schneier.com/blog/archives/2026/02/ai-found-twelve-new-vulnerabilities-in-openssl.html

Paged Out #8 Issue from 2026/02.
https://pagedout.institute/download/PagedOut_008.pdf

Mike Brewers Gets Porsche Restored in Poland.
https://yout-ube.com/watch?v=9Xcno1cfNlg

Keep Android Open.
https://keepandroidopen.org/

Keep Android Open.
https://f-droid.org/2026/02/20/twif.html

ISOCD-Win is Replacement for Native Amiga ISOCD App.
https://github.com/fuseoppl/isocd-win

Wikipedia Blacklists archive.today Starts Removing 695,000 Archive Links.
https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-archive-today-after-site-executed-ddos-and-altered-web-captures/

EDuke32 – Duke3D for Windows/Linux/macOS.
https://eduke32.com/

Usual Suspects

BSD Weekly.
https://bsdweekly.com/

DiscoverBSD.
https://discoverbsd.com/

DragonFly BSD Digest.
https://dragonflydigest.com/

FreeBSD Patch Level Table.
https://bokut.in/freebsd-patch-level-table/

FreeBSD End of Life Date.
https://endoflife.date/freebsd

Phoronix BSD News Archives.
https://phoronix.com/linux/BSD

OpenBSD Journal.
https://undeadly.org/

Call for Testing.
https://callfortesting.org/

Call for Testing – Production Users Call.
https://youtube.com/@callfortesting/videos

BSD Now Weekly Podcast.
https://www.bsdnow.tv/

Nixers Newsletter.
https://newsletter.nixers.net/entries.php

BSD Cafe Journal.
https://journal.bsd.cafe/

DragonFly BSD Digest – Lazy Reading – In Other BSDs.
https://dragonflydigest.com

FreeBSD Git Weekly.
https://freebsd-git-weekly.tarsnap.net/

FreeBSD Meetings.
https://youtube.com/@freebsdmeetings

Sheridan Computers.
https://youtube.com/@sheridans/videos