Slashdot Mirror


Feature-Rich FreeBSD 10 Alpha Released

An anonymous reader writes "The first alpha release of FreeBSD 10.0 is now available for download. FreeBSD 10 features include replacing GCC with LLVM/Clang, VPS support, AMD Radeon KMS support, Raspberry Pi support, Bhyve for HVN virtualization, and ARM EABI support."

27 of 143 comments

  1. Hurrah? by DavidClarkeHR · · Score: 3, Funny

    Year of the BSD desktop.... FINALLY!

    --
    - Nec Impar Pluribus, or so I'm told.
    1. Re:Hurrah? by geek · · Score: 2, Insightful

      OSX = BSD, so yeah, it's been the year of BSD on the desktop for about a decade.

    2. Re:Hurrah? by tlambert · · Score: 5, Informative

      Not just userland. Much of the OS X kernel is derived from FreeBSD and NetBSD, too.

      Almost all of the BSD in the kernel is based on BSD 4.4-Lite2 and NetBSD; there are a couple of small sections, which ironically I wrote, that were pulled in from FreeBSD, like the BSD parts of the init code, and parts that generally everyone wrote, like chunks of the networking stack. I really wanted to change some of the VM APIs to be more like FreeBSD, i.e. in band errors in value returns should have been converted to value returned into variables passed by address with out of band error returns, but this would have required work on the part of the Intel guys prior to the Intel code integration.

      The problem, though, is that Apple has slowly stopped developing the Unix parts.

      This is BS.

      They've literally deprecated fork, because they can't be bothered to make it work reliably with Core Framework.

      No, that's a combination of several factors, some of them being Apple having poor representation on the UNIX steering committee. Specifically regarding the committee, there's no such thing as a pthread_atexec() and several other APIs which would be necessary in order to make fork() deterministically useful in already multithreaded programs.

      The CoreFoundation factor is a combination of GCD, which starts and stops threads behind the program's back (and can't register exec handlers), and directory services, which for non-root processes starts another thread as a means of security partitioning to support everything DNS and network address related. It doesn't actually need to do this, and neither does GCD, but between that and the missing process lifecycle management functions in POSIX for threads, it's not supportable.

      Basically, CoreFoundation is a piece of shit. It's now showing its initial lack of threads support in the design, and binary backward compatibility prevents it being redesigned. Catch-22.

      The positive side of this is that people effectively have to use posix_spawn[p]() instead, which means they don't have to copy a massive fricking address space from one process to the other, which is expensive as hell in Mach, since they haven't adopted the red/black tree acceleration for ptov[] translations, mostly because there's too much code that relies on address aliases. In CS terms, the p:v has a cardinality of 1:N instead of 1:1, which breaks code relying on ptov(). There wasn't a lot of it, but there was absolutely no hope of getting rid of the aliases without the VM API changes I mentioned previously.

      So boo fricking hoo: use LaunchServices like you were supposed to be doing when using CoreFoundation, and quit using fork() directly, and your problems will go away.

      Neither are they tracking POSIX or BSD developments anymore, having stopped several years ago.

      The only "tracking" of BSD kernel code that happened since 2003 that I'm aware of (but I left Apple in 2011) was in the networking code, and there was precious little of that, since Apple and BSD selected different concurrency models. BSD's is arguably more scalable, if you have unlimited memory to burn, otherwise you want XNU's. You probably want XNU's anyway, particularly if you want to take cores on and offline out from under the CPU for power management or thermal budgetary reasons, and the scalability issues can be addressed.

      OS X's POSIX support is a full release behind. They're compliant to the 2001 specification, but the latest is 2008, plus fixes. In a few years, their POSIX support will be about as useful as Windows', in terms of interoperability with modern FOSS.

      That's just asinine.

      First off, the next jump to standards conformance, if any, will be unlikely to be 2008, since it's not going to be widely adopted by industry until IBM and Oracle can get their shit together, which takes more than 5 years, since it includes a migration strategy for mai

    3. Re:Hurrah? by Anonymous Coward · · Score: 2, Informative

      The UNIX side of OS X has been just fine in the recent releases. The problems with OS X are:

      1. It doesn't have a real package management system.
      2. Long turnaround time for security patches. They should stop this insane "we have to wait until 10.x.y until we ship this patch even though it's ready." A proper package management system would certainly help there.

    4. Re:Hurrah? by tlambert · · Score: 3, Interesting

      The UNIX side of OS X has been just fine in the recent releases. The problems with OS X are:

      1. It doesn't have a real package management system.

      It's called "drag and drop"; properly written applications are self-contained in directories represented by the application icon. If you follow the Mac model, and don't try to install your files all over from hell to breakfast, there's no issue. This is why a lot of demo machines in stores now have epoxy in their USB ports (e.g. the ones at Fry's), since people were stealing already activated copies of Microsoft Office by plugging in their iPod shuffle or other thumb-drive and just dragging it over.

      If you want to install all over from hell to breakfast, there's always http://www.macports.org/ or you can make a 5 line change to the FreeBSD ports management system to use "${MAKE}" instead of "make", and deal with two "echo" compatibility issues which are fixed by using "printf" instead, and almost all of the FreeBSD ports system "just works". I gave those patches back to FreeBSD (via Jordan Hubbard); not sure if they made them in.

      Note that another benefit of the Mac model is that you can have different applications requiring different versions of libraries, and nobody cares except people already short on disk space. Duplicate block coalescing can fix that, but only works for ZFS, which is an add-on.

      2. Long turnaround time for security patches. They should stop this insane "we have to wait until 10.x.y until we ship this patch even though it's ready." A proper package management system would certainly help there.

      This is an issue for security problems in the kernel; otherwise, Apple ships regular security patches for all user space components; leave Software Update turned on, and it's automatic, and will pop up and bug you to install updates, since they usually mean an application or system restart (depending on what layer the installs happen).

      For the kernel, this is really a management/resources/security-guys-do-not-push-hard-enough problem; the current development model for the Mac OS X kernel is "Scrum", which is good if you want to keep an organ bank of coders around to throw at the next iPhone/iPod Touch/iPad problem, and less good if you actually want to make substantive changes or progress in kernel technology, so it's mostly on management's back. I agree this is a problem.

    5. Re:Hurrah? by TheRaven64 · · Score: 2

      They've literally deprecated fork, because they can't be bothered to make it work reliably with Core Framework

      fork() deserves to be deprecated. The API originates with old machines that could have a single process in-core at a time. When you wanted to switch processes, you wrote the current process out and read the new one in. In this context, fork was the cheapest possible way of creating a new process, because you just wrote out the current process, tweaked the process control block, and continued executing. On a modern machine, it requires lots of TLB churn as you mark the entire process as copy-on-write (including TLB shootdowns which require IPIs on a multithreaded program using multiple cores). And then, in most cases, it's followed by exec() and so the process that you've just created is replaced by another one and you need to go through the whole sequence again to stop its memory being CoW.

      Not only is fork() a ludicrously inefficient way of creating a process on a modern machine, it's also incredibly difficult to use correctly. When you fork(), all of your threads and all of your process descriptors are copied. You need to make sure that every thread that you create uses pthread_atfork() to ensure that it doesn't do any I/O after the fork() and before the exec(). You also need to ensure that you close any file descriptors that you don't want to be propagated to the child, which is nontrivial if you have other threads opening and closing files in the background (O_CLOEXEC helps here, but do you remember to use it everywhere?).

      Oh, and posix_spawn() isn't much better. It's designed to be possible to implement on top of existing APIs and so ends up being largely useless without non-standard additions. It doesn't, for example, provide a mechanism to say 'close all file descriptors in the child, except for these ones'.

      --
      I am TheRaven on Soylent News
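
The descriptor-inheritance point in the comment above, as an added example that is not part of the thread or any poster's code: it opens a descriptor under three policies and asks a child started with posix_spawn() whether that descriptor is still open. The names `child_sees_fd` and `enum policy` are hypothetical, and the code assumes a POSIX system with `/bin/sh` and `/dev/null`.

```c
/* Added example: which descriptors survive posix_spawn() into the child. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <spawn.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

enum policy {
    INHERIT,          /* plain open(): descriptor is inherited by the child */
    CLOEXEC_FLAG,     /* open() with O_CLOEXEC: closed by the kernel on exec */
    ADDCLOSE_ACTION   /* plain open(), closed by a spawn file action */
};

/* Returns 1 if the child still had the descriptor, 0 if not, -1 on error. */
int child_sees_fd(enum policy p)
{
    int flags = O_RDONLY | (p == CLOEXEC_FLAG ? O_CLOEXEC : 0);
    /* /dev/null stands in for a sensitive file (constructed sample). */
    int fd = open("/dev/null", flags);
    if (fd < 0)
        return -1;

    posix_spawn_file_actions_t fa;
    if (posix_spawn_file_actions_init(&fa) != 0) {
        close(fd);
        return -1;
    }
    /* Send the child's stderr to /dev/null so the probe stays quiet. */
    posix_spawn_file_actions_addopen(&fa, STDERR_FILENO, "/dev/null",
                                     O_WRONLY, 0);
    /* Per-descriptor close: the caller has to know every fd to list. */
    if (p == ADDCLOSE_ACTION)
        posix_spawn_file_actions_addclose(&fa, fd);

    /* Probe: ": <&N" succeeds only if descriptor N is open in the shell. */
    char probe[32];
    snprintf(probe, sizeof probe, ": <&%d", fd);
    char *argv[] = { "sh", "-c", probe, NULL };

    pid_t pid;
    int status = 0, result = -1;
    if (posix_spawn(&pid, "/bin/sh", &fa, NULL, argv, environ) == 0 &&
        waitpid(pid, &status, 0) == pid &&
        WIFEXITED(status) && WEXITSTATUS(status) != 127)
        result = (WEXITSTATUS(status) == 0);

    posix_spawn_file_actions_destroy(&fa);
    close(fd);
    return result;
}

int main(void)
{
    printf("plain open():        child sees fd = %d\n",
           child_sees_fd(INHERIT));
    printf("open(..O_CLOEXEC):   child sees fd = %d\n",
           child_sees_fd(CLOEXEC_FLAG));
    printf("file action addclose: child sees fd = %d\n",
           child_sees_fd(ADDCLOSE_ACTION));
    return 0;
}
```
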
    6. Re:Hurrah? by BitZtream · · Score: 2

      Just for reference to those who aren't aware of who the post above is from

      tlambert is:

      http://people.freebsd.org/~terry/
      http://www.linkedin.com/pub/terry-lambert/2/70a/770

      I.E. He knows his shit and has the references to back it up. His resume is pretty much a list of industry leading companies for the last 25 years.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    7. Re:Hurrah? by evilviper · · Score: 2

      Year of the BSD desktop.... FINALLY!

      Meh. My preferred slogan is:

      "FreeBSD. Still dying after all these years..."

      Netcraft confirms it, in the library, with the lead pipe.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    8. Re:Hurrah? by tlambert · · Score: 2

      It's called "drag and drop"; properly written applications are self-contained in directories represented by the application icon.

      That's all fine-and-dandy until you need to keep track of the different version of library packages and make sure they're all up-to-date and not conflicting.

      You don't need to worry about different versions because there is only one version of the library associated with the app: the one in the app bundle.

      The way to make sure your app is up to date is to ensure it's up to date by dragging a new version, or having the app insert itself into the Software Update process, or to have it maintain its own update checks and cycle. The method to do this is documented.

      By definition, since all libraries are private to the app, they are non-conflicting. That's the reason they are private to the app.

      Do you want your system handling patches and updates or do you want to manually go through an infinite number of directories and waste your time?

      I would prefer updates happen in binary form, and that the application handle itself, either by having code to do it on startup, or by installing its own handler into the Software Update process so that it gets checked when the system automatically checks for Apple supplied updates.

      Basically, this boils down to you having two non-existent problems, and one self-caused problem (or vendor caused, if they don't support internal updates).

    9. Re:Hurrah? by catmistake · · Score: 2

      If you're compiling binaries, you're doing it wrong.

  2. yea by celle · · Score: 2

    Woman screams and waves arms.

    FreeBSD!!

    Oh, geek screams and waves arms.

  3. TCP congestion control research in FreeBSD by bcreane · · Score: 5, Interesting

    FreeBSD hosts interesting work with respect to TCP congestion control. An earlier version (I think FreeBSD 8.0) introduced modular congestion control algorithms, and this version introduces the CAIA Delay-Gradient (CDG) congestion control algorithm. The check in is here: http://svnweb.freebsd.org/base?view=revision&revision=252504, and an interesting (if slightly esoteric) slide deck is here: http://www.ietf.org/proceedings/84/slides/slides-84-iccrg-2.pdf.

  4. Re:The real problem with BSD by Anonymous Coward · · Score: 3, Informative

    Apparently you missed http://www.freebsd.org/handbook

    In well written English, with screenshots and everything.

  5. security by santax · · Score: 2, Insightful

    As much as I love freebsd I have stopped using it after their servers got 'served' with the use of 'legitimate' ssh keys. http://www.paritynews.com/2012/11/19/487/two-freebsd-project-servers-hacked/ Given that Freebsd never released a good audit report after that hack I can only be worried more. Add to that, now that we know the NSA had access to the certs from diginotar and might have done or paid for the diginotar hack I think one might as well use windows. I hate to say it, but the complete codebase from freebsd needs to be checked. Again and again. Preferably with the help from openbsd.

    1. Re:security by Anonymous Coward · · Score: 5, Informative

      As much as I love freebsd I have stopped using it after their servers got 'served' with the use of 'legitimate' ssh keys. http://www.paritynews.com/2012/11/19/487/two-freebsd-project-servers-hacked/

      Given that Freebsd never released a good audit report after that hack I can only be worried more.

      Add to that, now that we know the NSA had access to the certs from diginotar and might have done or paid for the diginotar hack I think one might as well use windows. I hate to say it, but the complete codebase from freebsd needs to be checked. Again and again. Preferably with the help from openbsd.

      Maybe you should read over the report from freebsd.org: http://www.freebsd.org/news/2012-compromise.html

      1) It was a single ssh-key that was leaked.
      2) The accompanying user rights allowed access to two build server nodes which they took offline and they compared the data to a known good offline copy.
      3) They pulled the 9.1-RELEASE packages they couldn't verify.
      4) The compromised user only had access to the build system for binary packages. The BUILD system (and third party at that). NO access to the source repositories (except checking out, like you and me).
      5) If you didn't use the 3rd party binary packages you weren't affected at all. (and who uses binary packages with freebsd anyway?)

      I don't know how the infrastructure is organized in your company, but usually there is a user management on a server if you hand out ssh-keys and only a few if any are allowed to sudo su. IF there is sudo at all. That isn't a desktop box where every user added gets an entry in sudoers to su.

    2. Re:security by TheRaven64 · · Score: 2

      Someone else has already pointed you at the report on the compromise. One of our developers has a VM that turned out not to be as secure as he thought, and which had his ssh keys (with no passphrase) that gave access to the FreeBSD cluster machines. As soon as the attack was noticed (very quickly, owing to one particularly paranoid developer), the affected machines were taken offline. Bringing things back online took a long time, for several reasons:
      • All of the code that we're running on FreeBSD.org machines was audited
      • Some of it turned out to be a little bit scary (e.g. build machines having access to the FTP servers so they could push packages) and so the architecture needed redesigning in places.
      • We rolled out auditdistd on all of the hosted machines, so now they have audit logs that are stored in multiple places, for all machines.
      • We redesigned the network layout at all of our sites to reduce interconnectivity of unrelated services.

      As to the codebase needing auditing, we had both svn and git mirrors that allowed the entire history to be checked. We also had copies of checksums of releases and so all of these things were verified. Bringing CVS back online took a bit longer, as CVS easily let us verify the top of the tree, but not the history. I think we ended up regenerating the entire CVS history from svn, and took the opportunity to officially remove support for CVS.

      Are there still vulnerabilities? Almost certainly. Any codebase more than a few dozen lines long will contain bugs, and some of them are exploitable if you're sufficiently clever. That's why a lot of the focus in 10.0 has been on mitigation techniques. The auditdistd framework lets you easily deploy auditing for an entire site. Capsicum makes it relatively easy to compartmentalise applications and a number of system daemons use capsicum out of the box. So do some of the normal filter utilities, for example even if you run uniq as a root user, once it's finished parsing the command line arguments it won't be able to access any files in your system except the ones you told it to read.

      --
      I am TheRaven on Soylent News
  6. Re:The real problem with BSD by Dahamma · · Score: 3, Insightful

    Everything you say is true. But are the Linux developers really all that different? There have been some epic flamewars on LKML and plenty of RTFM...

    The fact is OS developers are generally extremely smart, "self-confident" (I'll try not to say "egotistical" or "arrogant"), and possibly somewhat socially awkward/blunt. The only reason you don't get that from Windows and OSX is that MS and Apple hide their kernel developers away from public debate :)

  7. Re:The real problem with BSD by Falkentyne · · Score: 2

    Yes, I ran into that problem in the past as well but then I realized I was emailing the FreeBDSM mailing list. Needless to say, I've since switched to Linux and I'm being fulfilled in ways you can't imagine.



    ... and it's actually a website wtf

  8. Re:The real problem with BSD by icebike · · Score: 2

    Apparently you missed http://www.freebsd.org/handbook

    In well written English, with screenshots and everything.

    Exactly. The handbook is awesome. (I didn't even need to use it to get up and running because bsdinstall (the installer) is pretty self-explanatory to anyone who has been around any nix systems for a while.) You will want a copy of the manual somewhere handy.

    I haven't touched FreeBSD in years, but recently wanted to play with it again. It was awesomely well documented, both with a manual and several guides, not to mention a zillion Google Hits. I didn't need to bug anyone about anything, because all the answers were at my fingertips. It was actually a very easy install.
    I added XFCE4 just to see how well that worked, and it was quite nice.

    If someone gets turfed from the mailing list, it's because they joined the WRONG mailing list. Start asking for beginner help on the Linux Kernel Mailing List and see how warmly you are received.

    But installing version 9 was very easy. There is no reason to avoid FreeBSD if you like messing around with different OSs. Learning is not detrimental to your health.

    --
    Sig Battery depleted. Reverting to safe mode.
  9. Re:Competition is always good by dbIII · · Score: 4, Informative

    It is with things like ZFS - the linux implementation (which I'm also using) is currently miles behind the freebsd version.

  10. Re:The real problem with BSD by Dahamma · · Score: 3, Insightful

    These people should not be answering questions from rank newbies.

    Yes, and there are ways of saying that to someone that are not condescending, rude, or just plain assholish.

    Though you know, some people in fact DO like helping others, even newbies (sometimes we call those "teachers", and sometimes they are just good people). But even if someone doesn't want to help, "please use XXX list for this question" is really not any harder to type than "stupid question, stop posting here and RTFM".

  11. Re:The real problem with BSD by sumdumass · · Score: 2

    I think one of the problems might also be that they are seeing the same damn questions asked over and over but slightly different and the user isn't able to connect the slightly different question to the published answer already given somewhere.

    I used to do some support on IRC with a Linux group catering to a specific distro and I saw this all the time. I eventually created macros to ask the questions just to get to the point of the problem because of the 10,000 different ways someone states it. Often the skill levels of the users were so different that you would either talk over someone's head or upset them for talking down to them. It got extremely aggravating when talking over someone's skill level and they don't tell you they don't understand something until you are 20 steps into it. It is even more aggravating when you talk down to someone and they get upset and cuss you out crying they aren't a newbie or something. Most of the problems were incompatible or unsupported devices that were already listed as incompatible and unsupported on the distro's website but people refused to believe it until they saw it first hand.

    I eventually bailed on the entire thing after the distro merged with another and dropped all the things I like in order to promote all the things I didn't like about it. Some of the others who helped found it easier to just ssh into the user's box and fix it than to pull the real question out and explain the answer well enough to be used. I can see why some groups get short and say RTFM all the time (not that I agree it is proper to do so). I've about given up on linux- it seems as soon as there is something I like, they go and change it and make it extremely difficult to put it back in.

  12. Re:The real problem with BSD by Osgeld · · Score: 3, Insightful

    and instead of politely pointing it out, you had to make yourself sound like a snotty condescending ass about it

    grats for proving the op's point

  13. Re:The real problem with BSD by epyT-R · · Score: 3, Insightful

    computers are complex tools. The more operating systems try to hide that, the more dumb the users get.. it's a race to the bottom.

    This antipathy towards learning curves is a big part of today's society (the idiocracy). Not only do people abhor learning, their superiors refuse to give them the time necessary to do it... Thus we end up with desktop operating systems that work like tablets. Everyone now thinks all computers should work like smartphones, no matter what they need the machine for. Complex procedures do not work like they do in star trek. Deal with it.

    There are users like this with every os, not just linux.

    you fuck off.

  14. Re:Advantages / disadvantages vis-a-vis Linux? by kthreadd · · Score: 3, Informative

    Advantages:

    * The OS and the applications are separate. This means that you can have up to date versions of your desktop and all applications on a stable core OS. On Debian you would either have to build things yourself or upgrade your entire system to testing or sid.
    * A mature ZFS implementation. You can use ZFS-on-Linux or Btrfs for similar functionality on Debian, but it's often not considered to be as production ready as ZFS on FreeBSD. Also for license compatibility issues ZFS-on-Linux will never ship as part of a GNU/Linux distribution and will have to be installed separately.

    Disadvantages:

    * Not as good hardware support. Usually works well on desktops and servers, but it can take some tweaking to get it to work well on modern laptops.
    * Some software does not run on FreeBSD. Very uncommon for open source, but can be a problem if you're running non-free software. You can mitigate this by installing the Linux compatibility layer on FreeBSD.

  15. Re:The real problem with BSD by allo · · Score: 2

    and the userland libraries are PITA. try "rm foo -rf". ARGH.

  16. Re:The real problem with BSD by BitZtream · · Score: 2

    Really, what way is that? Answering 30 ignorant questions a day by people asking for stuff that is so clearly WAY above their heads they shouldn't be asking, yet they do.

    As a developer, this is why I avoid working on projects where random people can interact with the devs. You get mailing list questions like

    I'm trying to make this plugin that can totally change the way the software works, but I get an error:

    main must return a value

    Can you help me fix?!!@?$!@?^#$^!@?!?

    What is the response I'm supposed to give to all those morons who are so ignorant of what they are doing that they don't have any idea how ignorant they are? That's not something I can fix, it's not my problem, it's theirs. It's one thing to not understand how something works, it's entirely different to not know anything about the subject matter at all, and then ask someone how to do something that's never been done before.

    Do you think race car drivers and mechanics should sit around and answer the 'I want fast car, how me go fast?!?!?!@?! What is drivers license?!?!@?@!?@$ What is engine?!?!?!?! tires?!?!?!?!' crap as well?

    When you so clearly don't know what you're doing, and you so clearly haven't tried to figure out anything at all, and then you go ask high-end devs how to do something that shows you know ABSOLUTELY NOTHING ABOUT THE OS OR DEVELOPMENT FOR IT ... you deserve to get a kick in the teeth.

    It's fucking rude to waste my time with your ignorance when your ignorance can be solved by spending the time you took to write to the kernel list on Google with far better results. Lazy fucks.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager