⚠ This page contains old, outdated, obsolete, … historic or WIP content! No warranties e.g. for correctness!
Starting today, I am running continuous builders for Go on NetBSD/386 and NetBSD/amd64. Both are running fine, so Go is now (semi-officially) supported on NetBSD. You need at least version 5.99.51 or, even better, a NetBSD-6.0 release candidate. In addition, the latest Go release (1.0.3) does not have NetBSD support, so you must build from source on tip.
Go 1.1, which is expected for January 2013, will support NetBSD on x86 officially.
Source Code Pro
There are a lot of monospaced fonts or “programmer’s fonts” available these days. Personally, I like neither the default “sans” that is generally used in Gtk applications nor the default monospace font in Mac OS X, Menlo. Both fonts are very similar, as Menlo is based on Bitstream Vera Sans.
Now, Adobe has just released an excellent monospaced OpenType font, called Source Code Pro, as open source. The fonts can be directly downloaded from their SourceForge page.
(Of course, if you are into non-antialiased fonts, nothing beats the “fixed” font included with X.)
Packages for pkgsrc-2012Q2 are now available on ftp.NetBSD.org. They have been built for MirBSD-current on i386. This time, there is notably a much larger selection of software for X11, due to a successful build of gtk+2. All in all, there are about 6300 packages available.
There have been some interesting recent developments in MirBSD. As always, there has been development on mksh but tg@ is more qualified to write about this.
The kernel has also seen some improvements: bge(4) is now again included in the GENERIC kernel, and it supports some newer chips — for example the BCM5751 Gigabit Ethernet. This chip is the one in the machine graciously donated by Marc Balmer. The umsm(4) driver has been added, supporting certain 3G “surf sticks”.
There has been a new release of jupp, joe-3_1jupp21, containing several critical fixes regarding the use of uninitialized memory. It also contains a bugfix for syntax highlighting.
In pkgsrc, I have been attacking the list of broken packages breaking the highest number of others. The three versions of Ruby in the tree (1.8.x, 1.9.2 and 1.9.3) now build fine, as do ilmbase, blas and a few others. Fixing blas meant introducing a weird special case in libtool: Usually, MirBSD has no Fortran compiler; however, pkgsrc has f2c, which it uses as f77, confusing libtool. It actually needed a special-case entry to treat it like gcc (which it uses internally). There is also a weird failure in policykit, where an XSLT processor segfaults during the creation of one of the manpages. Maybe it hits an ulimit, I am not sure. Anyway, these fixes are now in pkgsrc-current.
I (bsiegert@) have been interviewed by OSWorld, a Polish news site about open source software. The interview took place at FOSDEM 2012. I talk about the project, about the community and about some of the great things when using open source. Check out the video.
Read the original article (in Polish) over at OSWorld. Thanks guys!
(Update: Corrected the HTML. Again.)
Apache 2, https clients linked against GnuTLS, connection errors
I’ve been debugging a weird problem at work — after upgrading a complex system from lenny to wheezy, some https clients failed to connect: GNU wget and Debian’s version of lynx(1) which is linked against libgnutls26 fail. NSS applications continue to work, as does cURL; wget and lynx on MirBSD (linked with OpenSSL of course) work. Even Debian’s gnutls-cli tools from both gnutls26 and gnutls28 work. Huh. The error_log shows renegotiation problems, yet setting the new Apache 2 configuration option to “use insecure renegotiation” doesn’t help either. (The option is a total #FAIL: its only other value is “use secure TLSv1.x renegotiation”, but I don’t want/need SSL renegotiation at all, anyway.) Natureshadow told me this was a hot issue on Debianforum at the moment, yet, nobody had a clue or enough information to file a formal bugreport against (initially) apache2, as that’s what changed. I tracked it down on a new VM with no configuration otherwise, and here are my findings so others don’t run into it.
Tracking down the problem, this can be reduced to the following configuration (minimised, to show the problem) in /etc/apache2/sites-enabled/1one:
<VirtualHost *:443>
    ServerName wiki-70.lan.tarent.de
    RedirectMatch permanent . https://evolvis-70.lan.tarent.de/
    SSLEngine on
    SSLCertificateFile /etc/ssl/W_lan_tarent_de.cer
    SSLCertificateKeyFile /etc/ssl/private/W_lan_tarent_de.key
    SSLCertificateChainFile /etc/ssl/godaddy.ca
</VirtualHost>
Do not mind the actual content, this is a very stripped-down demo on a not-actually-set-up-yet box.
Same is valid for the companion configuration file /etc/apache2/sites-enabled/2two:
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName evolvis-70.lan.tarent.de
    SSLEngine on
    # workaround for BEAST (CVE-2011-3389), short-term
    SSLCipherSuite RC4-SHA
    SSLCertificateFile /etc/ssl/W_lan_tarent_de.cer
    SSLCertificateKeyFile /etc/ssl/private/W_lan_tarent_de.key
    SSLCertificateChainFile /etc/ssl/godaddy.ca
    SSLProtocol TLSv1
</VirtualHost>
Turns out the BEAST workaround was at fault here: the differing SSLCipherSuites between the vhosts (on the same Legacy IP / TCP Port tuple, as we use Wildcard SSL Certificates) made Apache 2 want to renegotiate, so either commenting it out in 2two or, better, adding it to 1one helped. Interestingly enough, the SSLProtocol directive did not matter (in my tests).
So, keep SSL settings synchronised between vhosts. In fact, those were already from include files, but 2two was from the “Evolvis 5” generation, whereas we added to 1one an Include of the httpd.ssl1.inc file generated by the previous releases of EvolvisForge and had not switched those legacy vhosts to the new configuration, as everything worked on lenny.
This wlog entry brought to you by the system administrators of tarent solutions GmbH and the Evolvis Project, based on FusionForge.
Update 17.05.2013 — Absolutely do not use RC4-SHA for SSL/TLS (https)! It can leak over 200 initial plaintext bytes easily. (arc4random(3) is not affected by this, especially on MirBSD, nor arc4random(9).)
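As an added example (not part of the original post, nor code from Apache or EvolvisForge), this Python sketch flags the situation described above: vhosts sharing one address:port whose SSLCipherSuite or SSLProtocol values differ. The helper names parse_vhosts and find_mismatches are hypothetical, the sample input is a constructed abridgement of the post's two files, and the sketch assumes one address per <VirtualHost> tag and already-expanded Include files.

```python
import re
from collections import defaultdict

TRACKED = ("sslciphersuite", "sslprotocol")  # directives compared between vhosts

# Constructed sample: the post's two files, abridged to the relevant directives.
ONE = """<VirtualHost *:443>
ServerName wiki-70.lan.tarent.de
</VirtualHost>"""
TWO = """NameVirtualHost *:443
<VirtualHost *:443>
ServerName evolvis-70.lan.tarent.de
# workaround for BEAST (CVE-2011-3389), short-term
SSLCipherSuite RC4-SHA
SSLProtocol TLSv1
</VirtualHost>"""

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block: address, ServerName, tracked settings."""
    vhosts, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            cur = {"addr": opened.group(1).strip(), "name": None, "ssl": {}}
            vhosts.append(cur)
        elif line.lower().startswith("</virtualhost"):
            cur = None
        elif cur is not None:  # directives outside a vhost block are ignored
            key, value = re.match(r"(\S+)\s*(.*)", line).groups()
            if key.lower() == "servername":
                cur["name"] = value
            elif key.lower() in TRACKED:
                cur["ssl"][key.lower()] = value
    return vhosts

def find_mismatches(vhosts):
    """Report tracked directives whose value differs among vhosts on one address:port."""
    groups = defaultdict(list)
    for v in vhosts:
        groups[v["addr"]].append(v)
    findings = []
    for addr, members in groups.items():
        for directive in TRACKED:
            values = [(v["name"], v["ssl"].get(directive)) for v in members]
            if len({val for _, val in values}) > 1:  # unset (None) counts as a value
                findings.append((addr, directive, values))
    return findings
```

Calling find_mismatches(parse_vhosts(ONE + "\n" + TWO)) reports both directives for *:443, since 1one sets neither; the check also flags SSLProtocol even though it did not matter in the post's tests.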
Now available in the mksh FAQ: Display the current git branch in the prompt.
KiBi is my hero of the day. I’ve long wondered why I couldn’t select fixed-misc as font on my workstation at the dayjob, which is running K?buntu Hardon Heroin. (Luckily, I managed to avoid upgrading to Prolonged Pain.) Now I guess that’ll work again.
My work laptop (running testing) also has got this X.org thingy. My keyboard layout now has got a grml branch (named after the person who first cursed about the insane idea of those toy-breaking boys to rearrange the keycodes) that works with it. Since Debian is marginally more sane than K?buntu, in contrast to the gnu branch I use on my workstation, the grml branch still has Meta on the left Alt key, not Mode_switch, as it still works in uxterm, which reduces the diff between the MAIN branch (HEAD) on XFree86® and this beast.
And finally: X.org defaults to a black screen and disabled mouse pointer until an application first requests it. Totally unacceptable for evilwm(1) users, and letting people think it crashed, to boot. The Arch Linux guys found this, among others; the fix is: startx(1) users edit /etc/X11/xinit/xserverrc to add -retro behind the X, or copy the file to ~/.xserverrc and change it there:
#!/bin/sh
exec /usr/bin/X -retro -nolisten tcp "$@"
For display managers, similar files exist in /etc/kde4/kdm and related places.
Update: Also, newer xterm(1) justify an update to ~/.Xresources for we can finally get rid of cut buffers, and get a blinking underline cursor to boot!
On the other front, worked on Debian packaging, and upstream on pax(1) and jupp, with more things to follow (especially in mksh). Also fixed about ⅔ Linux klibc architectures and learned why I’m a BSD developer despite all the bad parts of it ☺ and fixed fakeroot with pax(1) on Hurd… incidentally in code originally designed to support the Linux pax. My dayjob’s keeping me busy, but I’ve got plans to run mksh(1) through Sonar, in addition to the static code analysēs done by (once again, thanks!) Coverity (commits to mksh pending) and Clang/LLVM scan-build. Uhm, what can I say more, grab me in IRC if you need it. Ah, and some other mksh things coming up that may be of interest to people needing to support legacy scripts.
While wtf(1) always has been a bit central to MirBSD, and the acronym database
has been accessible by CVSweb,
what we never had was a DAU compatible (and shellsnippets
compatible) lookup. This has now changed: the above link to
the acronyms file is a persistent link to its latest version
(well, latest when the website was last recompiled), tooltips
may very well follow soon, and we’ve got an online WTF lookup service.
Contributions to the acronym database are welcome, of course;
just eMail them to tg@mirbsd.org.
Not to stop there, our online
HTML manpage search is also new, shiny, and should replace
the “!mbsdman” DuckDuckGo hash-bang shortly. (Both of
these services offer a DDG search as fallback. Note that DDG is
an external service included herein by linking, under their
request to spread it, and not affiliated with The MirOS Project.
They do, however, donate some advertising money to Debian.)
For all those who didn’t know: only manpages for software in the
MirOS BSD base system and for the MirPorts Framework package tools
are listed, not for third-party applications installable using ports or, recently, pkgsrc®. Still, if you want to have
a peek at a modern classic BSD’s documentation, you’re welcome. (Not
to mention content like re_format(7) and style(9) and that some of
our documentation is much more legible than others.)
And because writing all that perl(1) made me ill, not to mention I don’t even know that language, I’ve hacked a bit more in the mirmake(1) and mksh(1) parts of the MirWebsite, finally implementing pointing out where in the navigation sidebar the visitor currently is.
We also have exciting mksh porting news involving RT trying a larger number of ancient platforms than I dare count, me fixing bugs in Linux klibc and diving into other things, learning more about why I consider me lucky for hacking a BSD operating system… sorry, I want to keep this short as it’s mostly an announcement.
The MirWebsite source code is, of course, also available. Improvements welcome. Except for these three CGIs, our website is fully statically precompiled, and that’s a good thing. Please help in making the CGIs secure.
blog @ TNF
So now I am even posting over at TNF on blog.NetBSD.org. Julian Fagir made new NetBSD flyers, and I committed them to the TNF website.
I know that I should write more here but there is not much new on the MirBSD front.
I updated the showcase to NetBSD-6_BETA on the Dom0, and now X refuses to start. Oh well. X does start when using a GENERIC kernel. This is very bad for showcase use, of course :(. pkgsrc is going into freeze very soon, and I did not do a whole lot of MirBSD fixes this time around. This is due to illness, searching for a new job, and working on the Go programming language, which is expected to hit version 1.0 Real Soon Now(TM).
I brushed up my Algorithms and Data Structures a bit by reading the third volume of TAOCP. Fantastic book.
This weekend, the FOSDEM 2012 took place in Brussels. We gave away DVDs with the latest MirOS BSD snapshot and about 3 GiB of binary packages for pkgsrc.
I gave a talk entitled “pkgsrc on MirBSD”. It gives a short introduction to both MirBSD and pkgsrc and details how we managed to get MirBSD supported as a platform, including some details on the new-developer process at the NetBSD foundation. The slides are now available on slideshare or as a PDF for download.
The showcase is doing strange things. The NetBSD-current kernel panics reproducibly when the network card, an alc, does not have a link. Thus, I put it on a switch with no other connection to “fix” the problem. Furthermore, I have a half-finished pkg_rolling-replace on the NetBSD side; various things now give Memory Errors, including running xfce4-session. Oh well. WindowMaker to the rescue … I am planning on redoing the setup on this machine anyway, once NetBSD-6-alpha will have been branched. I would also like to use LVM to set up the partitions for the Xen domains, to avoid going through a vnd(4) device.
Today's piece of Unix history
Courtesy of Rob Pike on Google+ and Richard Kettlewell in the comments:
In Plan 9 and Research Unix, rm(1) also removes empty directories. Why doesn't it in Unix? In V7 Unix, only privileged users could unlink() a directory. Thus, rmdir(1) was a setuid executable. rm(1) actually called rmdir(1) via fork()+exec() in its recursive mode. Of course, there were some bugs in rmdir ...