I am frequently asked what exactly it is that I do. The short answer: I develop software and administrate systems, mainly those under FreeBSD. The longer answer is this post.
My occupation moves in between software development, infrastructure and system architecture. I help with constructing systems or stabilizing them in order for them to work long-term – technically sound, comprehensible and maintainable.
Software Development: Quality instead of quantity
In my blog articles about software development I wrote a lot about what goes wrong in companies: Unreadable code, missing architecture, technical debts that no one touches anymore, and the focus on processes instead of the product itself. This is no abstract critique, but things that I, over the course of many years in different companies, experienced up close and personal.
The result is what I offer: Clean, comprehensible and maintainable software. Code that can still be understood by someone in five years. I have acquired a lot of experience in different programming languages – from system-oriented programming up to complex GUI-Applications with Qt and wxWidgets. Databases (especially PostgreSQL) as well as client-server architecture and network programming are also included.
If you manage a project that went off the rails, which was developed by one single person and that no one can make sense of now, or if you are in desperate need of a new architecture, then I am the right person to turn to.
FreeBSD has been with me since Version 4, which means for over two decades. My own servers run on it, and I have experience with ZFS with RAIDz, FreeBSD-Jails, Bhyve, pf, CARP, HAST and the common network services (DNS, DHCP, NTP, NFS, Samba, LDAP and others) because of daily practice – not only through documentation.
What I solve and what I offer: You need a stable, secure server or a scalable server infrastructure under FreeBSD? You want to isolate services in Jails? You manage a running system that is in need of care or extension, expansion or add-ons? Or you stand before a specific problem that seems without solution? I am fairly acquainted with such situations – and in finding pragmatic solutions.
For companies
If you are reading this in the interest of a company: I merge software development with system administration. I am no specialist who tweaks only one screw but someone who understands systems as a whole. I have worked in companies where both were of importance and I know of the relevance of development and infrastructure fitting together to paint the whole picture.
I appreciate a corporate culture in which mistakes are understood as a learning opportunity, skills are used sensibly and where the product is the main focus – not the management of tickets. If you share these views, we should talk: thorsten@tgeppert.de.
This past week was one of the most eventful for FreeBSD in recent memory: six security advisories dropped simultaneously, FreeBSD 15.1 hit release candidate status, and the FreeBSD Foundation’s executive director went public about daily-driving FreeBSD on a laptop.
FreeBSD 15.1-RC1 Released
On May 22, Colin Percival announced FreeBSD 15.1-RC1 — the first and likely only release candidate before the planned final release in early June. RC1 is available for amd64, powerpc64, powerpc64le, armv7, aarch64 (including RPI, PINE64, PINEBOOK, ROCK64, ROCKPRO64), and riscv64.
Changes since Beta 3 include:
The six new security advisories SA-26:18 through SA-26:24 (see below)
Improvements to fwget(8) for automatically identifying necessary firmware for more Wi-Fi cards
EC2 “small” instances no longer run firstboot_pkgs by default
freebsd-update no longer prompts to merge changes to /etc/ssl/cert.pem
Various kernel bug fixes and man page updates
The full set of installation images, VM images (QCOW2, VHD, VMDK, raw), OCI container images, and EC2 AMI images are available on the usual download mirrors.
Security Advisory Blitz: Six Advisories at Once
On May 20, the FreeBSD Security Team released six security advisories simultaneously — several of which were discovered through AI-driven vulnerability research.
The most severe vulnerability of the week. A sizeof type error in kern_setcred_copyin_supp_groups() (sys/kern/kern_prot.c) causes a kernel stack buffer overflow in the setcred(2) system call. The bug: sizeof(*groups) evaluates to 8 bytes (pointer size) instead of the intended 4 bytes (sizeof(gid_t)). An unprivileged local user can exploit this to escalate to root — even on systems with SMAP/SMEP enabled. The vulnerability was disclosed by Przemyslaw Frasunek under the name “FatGid” and affects FreeBSD 14.3, 14.4, and 15.0.
Fixed in: 14.3-RELEASE-p14, 14.4-RELEASE-p5, 15.0-RELEASE-p9. FreeBSD 13.x and earlier are unaffected (the setcred(2) syscall doesn’t exist there).
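The sizeof mismatch described above, reduced to a user-space model. This is an added example, not FreeBSD kernel code: ex_gid_t, EX_NGROUPS_SMALL and all function names are hypothetical, and the 16-entry array is a constructed stand-in for a fixed-size stack buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ex_gid_t;   /* stand-in for the 4-byte gid_t (assumption) */
#define EX_NGROUPS_SMALL 16  /* hypothetical capacity of the on-stack array */

/* Bug class: `groups` points at the array pointer, so sizeof(*groups) is the
 * size of a pointer (8 on amd64), not the size of one group ID (4). */
static size_t len_buggy(ex_gid_t **groups, size_t count)
{
    (void)groups;
    return count * sizeof(*groups);
}

/* Intended computation: one more dereference yields the element type. */
static size_t len_fixed(ex_gid_t **groups, size_t count)
{
    (void)groups;
    return count * sizeof(**groups);
}

/* Bytes by which a copy sized with the buggy formula would run past an
 * EX_NGROUPS_SMALL-entry array, even though `count` itself is in range. */
static size_t overrun_bytes(size_t count)
{
    size_t cap = EX_NGROUPS_SMALL * sizeof(ex_gid_t);
    size_t want = len_buggy(NULL, count);
    return want > cap ? want - cap : 0;
}

/* Hardened copy: bound the element count by the destination capacity and
 * derive the byte count from the destination's own element type. */
static int copy_groups_checked(ex_gid_t *dst, size_t dst_cap,
                               const ex_gid_t *src, size_t count)
{
    if (dst == NULL || src == NULL || count > dst_cap)
        return -1;
    if (count > SIZE_MAX / sizeof(*dst))
        return -1;
    memcpy(dst, src, count * sizeof(*dst));
    return 0;
}

/* Runs the hardened copy on constructed input; returns its result. */
static int checked_copy_demo(size_t count)
{
    ex_gid_t src[EX_NGROUPS_SMALL + 4] = {0};
    ex_gid_t dst[EX_NGROUPS_SMALL];

    if (count > sizeof(src) / sizeof(src[0]))
        return -1;
    return copy_groups_checked(dst, EX_NGROUPS_SMALL, src, count);
}

int main(void)
{
    size_t n = EX_NGROUPS_SMALL;

    printf("buffer bytes : %zu\n", n * sizeof(ex_gid_t));
    printf("fixed length : %zu\n", len_fixed(NULL, n));
    printf("buggy length : %zu\n", len_buggy(NULL, n));
    printf("overrun      : %zu\n", overrun_bytes(n));
    printf("checked copy of %zu ids: %d\n", n, checked_copy_demo(n));
    printf("checked copy of %zu ids: %d\n", n + 1, checked_copy_demo(n + 1));
    return 0;
}
```

The point for code review: a count check that passes does not help when the byte length is derived from the wrong type, so size expressions should name the destination element (sizeof(*dst)) rather than a nearby pointer.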
SA-26:19.file — Kernel Use-After-Free
A file descriptor system call flaw can lead to a kernel use-after-free condition. Discovered by Calif.io (AI-driven vulnerability discovery).
SA-26:20.fusefs — Heap Overflow in FUSE_LISTXATTR
The kernel processes extended attribute lists from userspace FUSE daemons without verifying proper NUL termination, potentially allowing a malicious FUSE daemon to trigger a heap overflow. Discovered by the AISLE Research Team (autonomous vulnerability discovery).
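A validation routine for the kind of buffer described above, as an added example that is not the FreeBSD fusefs code. It assumes a list of NUL-terminated names as input and converts it to the length-prefixed layout documented for extattr_list_file(2); the function names and sample buffers are constructed, and rejecting empty names is a policy choice of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: two names, and a list containing an empty name. */
static const char SAMPLE_OK[] = "user.a\0user.bc";
static const char SAMPLE_EMPTY_NAME[] = "a\0\0b";
static unsigned char demo_out[64];

/* Returns the number of names in buf[0..len), or -1 if the list is malformed.
 * Every name must be non-empty and NUL-terminated inside the buffer. */
static int xattr_list_count(const char *buf, size_t len)
{
    size_t off = 0;
    int names = 0;

    if (len == 0)
        return 0;                       /* an empty list is valid */
    if (buf == NULL || buf[len - 1] != '\0')
        return -1;                      /* last name is not terminated */
    while (off < len) {
        const char *end = memchr(buf + off, '\0', len - off);
        size_t n;

        if (end == NULL)
            return -1;                  /* defensive: no terminator left */
        n = (size_t)(end - (buf + off));
        if (n == 0)
            return -1;                  /* empty attribute name */
        off += n + 1;
        names++;
    }
    return names;
}

/* Converts a validated list to <1-byte length><name> entries.
 * Returns bytes written, or -1 on malformed input or insufficient space. */
static long xattr_list_to_lenprefixed(const char *src, size_t src_len,
                                      unsigned char *dst, size_t dst_cap)
{
    size_t off = 0, out = 0;

    if (xattr_list_count(src, src_len) < 0)
        return -1;
    while (off < src_len) {
        size_t n = strlen(src + off);   /* bounded: list was validated */

        if (n > 255 || out + 1 + n > dst_cap)
            return -1;
        dst[out++] = (unsigned char)n;
        memcpy(dst + out, src + off, n);
        out += n;
        off += n + 1;
    }
    return (long)out;
}

int main(void)
{
    printf("well-formed list: %d names\n",
           xattr_list_count(SAMPLE_OK, sizeof(SAMPLE_OK)));
    printf("unterminated list: %d\n",
           xattr_list_count(SAMPLE_OK, sizeof(SAMPLE_OK) - 1));
    printf("empty name: %d\n",
           xattr_list_count(SAMPLE_EMPTY_NAME, sizeof(SAMPLE_EMPTY_NAME)));
    printf("converted bytes: %ld\n",
           xattr_list_to_lenprefixed(SAMPLE_OK, sizeof(SAMPLE_OK),
                                     demo_out, sizeof(demo_out)));
    return 0;
}
```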
SA-26:21.ptrace — Missing Validation in ptrace(PTSCREMOTE)
Missing input validation allows unprivileged local users to escalate privileges to root. Discovered using GLM-5.1 by Z.ai.
SA-26:22.libcasper — select(2) File Descriptor Set Overflow Causes Stack Overflow
An overflow of the file descriptor set in select(2) within libcasper leads to a stack overflow. Discovered by the AISLE Research Team.
SA-26:23.bsdinstall — Remote Code Execution via Installer Wi-Fi Scans
A specially crafted network name (SSID) can trigger arbitrary command execution via sub-shell during Wi-Fi access point scanning in bsdinstall and bsdconfig. Practically relevant when installing in Wi-Fi environments.
SA-26:24.cap_net — Incorrect Permission List Manipulation
Faulty manipulation of limitation lists in libcap_net can extend a process’s permissions beyond what was intended. Discovered by the AISLE Research Team.
Takeaway: What’s notable is that several of these vulnerabilities were discovered through AI-based tools (Calif.io, GLM-5.1, AISLE Research Team). This marks a turning point in OS security auditing — AI-driven discovery is now producing real, exploitable findings.
FreeBSD 15.1 Beta 3 (May 17)
The third beta of FreeBSD 15.1, released the previous weekend, brought important updates:
OpenZFS 2.4.2 was integrated (bug fixes and improvements)
Cloud images now run pkg upgrade on first boot to apply security updates
Kerberos was updated
Scripted bsdinstall installations now use pkgbase
The planned KDE desktop installation option was deferred to FreeBSD 15.2, as the script still needs adaptation for new NVIDIA drivers and removal of obsolete components
FreeBSD Foundation ED Daily-Drives FreeBSD on Laptop
Deb Goodkin, Executive Director of the FreeBSD Foundation since 2005, presented at the Open Source Summit North America (OSS 2026) in Minneapolis about her experience daily-driving FreeBSD on a Framework Laptop. Previously, every attempt to run FreeBSD on laptops “felt like a mountain” — time-consuming and ultimately getting stuck. With the KDE desktop, the touchscreen “just worked,” as did peripherals like a wireless mouse. Challenges remained: Zoom required effort to get working, the webcam needed manual steps to enable, and Microsoft Teams only partially worked. An encouraging sign, but also an honest assessment of the remaining gaps in desktop support.
Ian Wagner published a helpful blog post on configuring different package repositories per jail under FreeBSD. Using AppJail for declarative jail management, the post demonstrates how to switch specific jails to the latest ports branch when newer packages are needed while others remain on quarterly.
FreeBSD Resource Monitoring, Accounting, and Troubleshooting (Larvitz Blog)
A thorough guide on resource monitoring and troubleshooting on FreeBSD systems — from “the server feels slow” to concrete diagnostic tools and techniques.
Ubuntu 16.04 to FreeBSD Migration
A blog that ran on Ubuntu 16.04 for 10 years reported on its migration to FreeBSD, motivated by Ubuntu 16.04’s end-of-life and the promise of long-term stability.
Valuable News — May 18 (vermaden)
The weekly link roundup from vermaden offers its usual comprehensive overview of BSD and UNIX-related articles.
Mailing List Discussions
pkgbase Upgrade from 15.0 to 15.1
Discussions around the pkgbase upgrade path from 15.0-RELEASE to 15.1-BETA2 reveal that the transition to the new default installation method isn’t entirely smooth yet. Issues with kernel modules (kmods) and the pkgbase-quarterly repos were extensively discussed.
Boot-Time Bugs on freebsd-stable
Garrett Wollman reported issues with booting his server fleet, sparking a discussion about boot-time behavior and error handling.
Diskless Systems on 15.1
Daniel Braniss and Bjoern Zeeb discussed problems with diskless setups under FreeBSD 15.1 that can cause hangs during boot.
Looking Ahead
If all goes according to plan, FreeBSD 15.1-RELEASE is expected around June 2, 2026. The KDE desktop installation option has been deferred to FreeBSD 15.2 (expected December 2026). Until then, manual installation via pkg remains the recommended approach for a KDE desktop on FreeBSD.
This week saw the third beta of FreeBSD 15.1, a critical execve() privilege escalation vulnerability, the KDE desktop installer option being pushed to 15.2, and two libnv security advisories that remain highly relevant. Here’s your summary.
FreeBSD 15.1 Beta 3 Released
FreeBSD 15.1-BETA3 was released over the weekend as the latest weekly test candidate. The release is entering its final stretch — the Release Candidate (RC) is expected next week, and if all goes well, FreeBSD 15.1-RELEASE is targeted for June 2, 2026.
Key changes in Beta 3:
OpenZFS 2.4.2 has been integrated — the latest OpenZFS release with various fixes and minor enhancements.
Cloud images now automatically run pkg upgrade on first boot to apply security updates to the base system. A sensible improvement for cloud deployments that often start from stale images.
Kerberos has been updated.
bsdinstall scripted installations now use pkgbase.
The beta cycle has been relatively smooth so far. BETA1 and BETA2 in previous weeks brought Zstd 1.5.7, userland fixes for ifconfig, lockf, stat, tail, and certctl, plus kernel fixes for nullfs, so_splice, and VT.
BETA2 Recap (May 8)
Updated to Zstd 1.5.7
bsdinstall now consistently uses pkg.freebsd.org for package bootstrap
A serious kernel vulnerability disclosed in late April continues to generate discussion. FreeBSD-SA-26:13.exec describes an operator-precedence error in the execve(2) implementation that leads to a buffer overflow. Attacker-controlled data can spill into adjacent argument buffers, corrupt kernel state, and grant unprivileged users root access.
The flaw affects all supported FreeBSD releases (13.5 through the 15 branch). Patches were published within hours, adding explicit parentheses to enforce the intended evaluation order and tightening size checks.
Community Reaction
Positive: Rapid response — the advisory went live less than an hour after discovery, with patches available for every supported branch the same day.
Concerns: There is no workaround. Administrators who can’t immediately reboot (e.g., high-availability systems) remain exposed.
Source-based installations require kernel recompilation and reboot, which can take hours on older hardware.
Early adopters on the 15 branch reported a minor regression in custom execve wrapper scripts that relied on the previous (buggy) argument handling.
Two libnv Security Advisories (SA-26:16 and SA-26:17)
Also disclosed on April 29, two libnv vulnerabilities remain relevant for anyone who hasn’t patched yet:
SA-26:16 (CVE-2026-39457): Stack overflow via select() file descriptor set overflow — when a socket descriptor exceeds FD_SETSIZE (1024), select(2) overflows its file descriptor set. An attacker who can force a program to open many descriptors can trigger stack corruption and potentially escalate privileges via setuid-root programs. Discovered by Joshua Rogers (AISLE Research Team).
SA-26:17 (CVE-2026-35547): Heap overflow in libnv — message size is not properly validated when processing headers, enabling out-of-bounds writes on the heap. This can cause crashes, panics, or potential privilege escalation by unprivileged users. Discovered by Mariusz Zaborski.
Both affect all supported FreeBSD versions with no workaround. Upgrade and reboot are mandatory.
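The select(2) descriptor-set overflow described for SA-26:16 (and for SA-26:22.libcasper in the later roundup) comes from calling FD_SET on a descriptor numbered FD_SETSIZE or higher. The following is an added example, not libnv or libcasper code, showing a select wrapper that refuses such descriptors next to a poll(2) variant that has no such limit; all function names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* An fd_set is a fixed bitmap: only descriptors 0..FD_SETSIZE-1 fit. */
static int fd_fits_fdset(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* select-based wait that rejects descriptors FD_SET cannot represent.
 * Returns 1 if readable, 0 on timeout, -1 on error (errno set). */
static int wait_readable_select(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;
    int r;

    if (!fd_fits_fdset(fd)) {
        errno = EINVAL;              /* FD_SET here would write out of bounds */
        return -1;
    }
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    r = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (r < 0)
        return -1;
    return r > 0 && FD_ISSET(fd, &rfds);
}

/* poll-based wait: takes the descriptor by value, so its number is unbounded. */
static int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int r;

    if (fd < 0) {
        errno = EINVAL;
        return -1;
    }
    r = poll(&p, 1, timeout_ms);
    if (r < 0)
        return -1;
    return r > 0 && (p.revents & (POLLIN | POLLHUP)) != 0;
}

/* Exercises both wrappers on a pipe. If the process limit allows it, also
 * duplicates the read end to a descriptor >= FD_SETSIZE. Returns 0 on success. */
static int demo(void)
{
    int p[2], high, ok = 1;

    if (pipe(p) != 0)
        return -1;
    ok &= wait_readable_poll(p[0], 0) == 0;       /* nothing written yet */
    if (write(p[1], "x", 1) != 1)
        ok = 0;
    ok &= wait_readable_select(p[0], 0) == 1;
    ok &= wait_readable_poll(p[0], 0) == 1;

    high = fcntl(p[0], F_DUPFD, FD_SETSIZE);      /* fails if RLIMIT_NOFILE is low */
    if (high >= 0) {
        ok &= wait_readable_select(high, 0) == -1; /* refused, no overflow */
        ok &= wait_readable_poll(high, 0) == 1;    /* still serviceable */
        close(high);
    }
    close(p[0]);
    close(p[1]);
    return ok ? 0 : -1;
}

int main(void)
{
    printf("FD_SETSIZE = %d\n", FD_SETSIZE);
    printf("demo result = %d\n", demo());
    return 0;
}
```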
KDE Desktop Installer Option Delayed to FreeBSD 15.2
The long-awaited KDE desktop installation option in the FreeBSD installer has been delayed again — this time from 15.1 to FreeBSD 15.2 (expected December 2026). Originally planned for 15.0, then moved to 15.1, the installation script needs updates for new NVIDIA drivers and removal of obsolete components. After committing to CURRENT, a testing period in STABLE is required, which no longer fits the 15.1 timeline.
Until then, KDE Plasma can be set up manually via pkg after installation.
Mailing List Discussions
Update Strategy and Timing (freebsd-current)
Bob Prohaska kicked off a discussion about preferred update strategies for self-hosted FreeBSD systems. On stable branches, freebsd-update is straightforward. On current, things get more complex. Warner Losh, Rick Macklem, Mark Millard, and others weighed in on the trade-offs of different approaches — a worthwhile read for anyone running current in production.
PKGBASE: Upgrading 15.0 to 15.1-BETA2
Vermaden asked about the upgrade path from FreeBSD 15.0-RELEASE to 15.1-BETA2 using the PKGBASE model. Colin Percival confirmed this path isn’t fully documented yet. The PKGBASE system remains marked as experimental, and the minor-release upgrade workflow needs more work.
Beach Cleaning Project: Infrastructure Cleanup
The FreeBSD Foundation published a detailed report on the Beach Cleaning Project in late April that continues to draw attention:
Machine-readable inventory of over 1,000 components in the base system, including 73 third-party imports
OpenSSL 3.5 LTS was integrated in time for FreeBSD 15.0 (replacing OpenSSL 3.0, which reaches EOL September 2026)
SBOM generation in SPDX 2 and SPDX 3 formats
CODEOWNERS-style reports for better maintainability
Preparation for importing pkg into the base system as part of the pkgbase transition
The project was funded by Alpha-Omega and produced practical tooling, security assessments, and implementation plans that will serve FreeBSD development well beyond the project’s lifespan.
Blog Posts This Week
Vermaden: FreeBSD PKGBASE Minor Upgrades
Vermaden published a practical guide for upgrading FreeBSD 15.0 to 15.1-BETA2 using PKGBASE and ZFS Boot Environments. The walkthrough covers creating a new BE, configuring the pkg repository, upgrading the base system, and rolling back if needed — including an alternative approach using --chroot.
Going Back to BSD
Pete shared a personal blog post about returning to BSD after decades on Linux. He describes moving from Arch Linux to FreeBSD, setting up mail servers with Bastille jails, and appreciating the simplicity of the rc system compared to systemd. A nostalgic and practical read.
Looking Ahead
Next week will see the Release Candidate for FreeBSD 15.1. If no unexpected issues arise, the final release is expected on June 2, 2026. Administrators should patch the three security vulnerabilities (execve, libnv x2) immediately if they haven’t already.
The past week has been one of the most eventful in the FreeBSD project in quite some time: two beta releases, a massive security advisory bundle, eye-catching AI-driven vulnerability discoveries, and a new blog post on the pkgbase upgrade path. Here’s the rundown.
FreeBSD 15.1: Beta 1 and Beta 2 Released
The release cycle for FreeBSD 15.1 is gaining momentum. After Colin Percival announced 15.1-BETA1 on May 2, 15.1-BETA2 followed on May 8 — the weekly cadence is holding.
Changes in Beta 2 (vs. Beta 1)
Zstd updated to 1.5.7 — latest upstream compression support
less updated to v692
bsdinstall now consistently uses pkg.FreeBSD.org for package bootstrap operations
nuageinit only parses user_data as YAML when necessary
rtadvd(8) now honors pltime and vltime in interface declarations
Various userland bug fixes: ifconfig(8), lockf(1), stat(1), tail(1), certctl(8)
Kernel bug fixes: nullfs, so_splice, vt(4)
Miscellaneous manual page and test fixes
Available Architectures
Images are available for amd64, powerpc64, powerpc64le, armv7, aarch64 (including RPI, PINE64, ROCK64 variants), and riscv64. Additionally, VM disk images (QCOW2, VHD, VMDK, Raw), OCI container images (static, dynamic, runtime, notoolchain, toolchain), and Amazon EC2 AMIs are provided.
Schedule
Beta 3 expected next week
Release Candidate the week after
15.1-RELEASE on June 2, 2026 — if all goes according to plan
Critical Security Vulnerabilities — 8 Advisories on April 29
On April 29, FreeBSD published a large batch of security advisories that were widely discussed this week:
Advisory | Module | Description | Severity
SA-26:11 | amd64 | Missing large page handling in pmap_pkru_update_range() | High
SA-26:12 | dhclient | Remote code execution via malicious DHCP options (CVE-2026-42511) | Critical
SA-26:13 | execve | Local privilege escalation via execve(2) | High
SA-26:14 | pf | Stack overflow parsing crafted SCTP packets | High
SA-26:15 | dhclient | Remotely triggerable out-of-bounds heap write in dhclient | Critical
SA-26:16 | libnv | Stack overflow via select() file descriptor set overflow | High
SA-26:17 | libnv | Heap overflow in libnv | High
Additionally, EN-26:11 was published on May 1: an errata notice correcting overly strict dhclient lease validation behavior — a side effect of the security fixes.
The 21-Year-Old dhclient RCE (CVE-2026-42511)
Particularly notable: the vulnerability in dhclient (SA-26:12) had existed in the code for over 20 years. The BOOTP file field was written to the lease file without escaping embedded double-quotes, enabling injection of arbitrary dhclient.conf directives — and thus remote code execution after a system restart.
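The quoting problem described above, as an added example that is not dhclient source. It contrasts a writer that wraps a value in double quotes unescaped with one that escapes it; the key name filename, the sample values and all function names are constructed, and the example assumes the reader of the file treats a backslash inside a quoted string as an escape.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 'Before' form: the value is placed between quotes exactly as received. */
static int emit_naive(char *out, size_t cap, const char *key, const char *val)
{
    int n = snprintf(out, cap, "  %s \"%s\";\n", key, val);

    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Hardened form: escape '"' and '\\', refuse control characters outright.
 * Returns the line length, or -1 if the value is rejected or does not fit. */
static int emit_escaped(char *out, size_t cap, const char *key, const char *val)
{
    const unsigned char *p;
    size_t o;
    int n = snprintf(out, cap, "  %s \"", key);

    if (n < 0 || (size_t)n >= cap)
        return -1;
    o = (size_t)n;
    for (p = (const unsigned char *)val; *p != '\0'; p++) {
        if (*p < 0x20 || *p == 0x7f)
            return -1;               /* no newlines or other control bytes */
        if (*p == '"' || *p == '\\') {
            if (o + 1 >= cap)
                return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= cap)
            return -1;
        out[o++] = (char)*p;
    }
    if (o + 4 > cap)                 /* closing quote, ';', '\n', NUL */
        return -1;
    memcpy(out + o, "\";\n", 4);
    return (int)(o + 3);
}

/* Counts quotes a tokenizer would see as string delimiters. A well-formed
 * single statement has exactly two. */
static int unescaped_quotes(const char *line)
{
    int count = 0, esc = 0;

    for (; *line != '\0'; line++) {
        if (esc)
            esc = 0;
        else if (*line == '\\')
            esc = 1;
        else if (*line == '"')
            count++;
    }
    return count;
}

static int naive_quote_count(const char *val)
{
    char line[256];

    if (emit_naive(line, sizeof(line), "filename", val) < 0)
        return -1;
    return unescaped_quotes(line);
}

static int escaped_quote_count(const char *val)
{
    char line[256];

    if (emit_escaped(line, sizeof(line), "filename", val) < 0)
        return -1;
    return unescaped_quotes(line);
}

int main(void)
{
    const char *val = "boot/pxe\"image";   /* constructed value with a quote */

    printf("naive   : %d string delimiters\n", naive_quote_count(val));
    printf("escaped : %d string delimiters\n", escaped_quote_count(val));
    printf("newline in value -> %d\n", escaped_quote_count("a\nb"));
    return 0;
}
```

A delimiter count other than two means the value has changed where the quoted string ends, which is the condition the advisory describes; the same count can be used as a sanity check over existing lease files.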
AI-Driven Vulnerability Research: AISLE vs. Anthropic Mythos
On May 7, AISLE published a blog post that made waves: their multi-model system had discovered three critical vulnerabilities in FreeBSD — independently of and in parallel with the findings made by Anthropic’s “Claude Mythos.”
AISLE’s findings:
The 21-year-old dhclient RCE (CVE-2026-42511)
A remotely triggerable heap buffer overflow in dhclient
A stack buffer overflow in ping6 (local privilege escalation)
All three were discovered on April 13, reported on April 14, and patched on April 29.
The debate AISLE’s findings sparked is noteworthy: AI-powered security systems can be very effective even with smaller, cheaper models — a well-designed system beats pure scaling through larger models. AISLE references their research showing that security capability is “jagged”: small models can outperform larger ones at many security-relevant tasks.
FreeBSD Foundation: “Cleaning Up Critical Infrastructure”
On April 20 (still widely discussed this week), the FreeBSD Foundation published a detailed blog post about the Alpha-Omega Beach Cleaning Project. Key points:
OpenSSL 3.5 LTS was integrated in time for FreeBSD 15.0 — avoiding an unsupported fork of OpenSSL 3.0 (EOL September 2026) for over four years
A machine-readable inventory of the base system was created: over 1,000 components in a YAML-based database, including 73 third-party imports
SBOM generation via SPDX 2 and SPDX 3 formats
CODEOWNERS-style reports for better maintainership tracking
Preparation for importing pkg into the base system as part of the pkgbase transition
Vermaden: PKGBASE Minor Upgrades with ZFS Boot Environments
On May 10, well-known FreeBSD blogger Vermaden published a practical guide for minor upgrades (e.g., 15.0 to 15.1) using PKGBASE and ZFS Boot Environments. Since PKGBASE is still marked as experimental and freebsd-update(8) is no longer available for minor releases, he demonstrates two methods:
Classic method: Create a new ZFS BE, chroot, configure pkg.repo, run pkg upgrade -r FreeBSD-base
Alternative method: Use pkg --chroot and ABI/OSVERSION overrides without manual devfs mounting
Both methods allow a safe rollback via ZFS Boot Environments if the upgrade causes issues.
Q1 2026 Status Report: 45 Entries
The FreeBSD Status Report for the first quarter of 2026 was published on April 23 — with a record 45 entries. Highlights:
Cyber Resilience Act (CRA) Readiness Project — preparing for EU regulation
amd64 FRED support — new CPU flexibility features
LinuxKPI 802.11 and Native Wireless Update — WiFi driver progress
Suspend/Resume and Hibernate improvements
Sylve — a unified system management platform for FreeBSD
daemonless — native FreeBSD OCI containers without a daemon
KDE on FreeBSD — Plasma 6 and Wayland progress
FreeBSD on EC2 and STACKIT Cloud Integration
bhyve: Full CPUID Control, Management GUI
Looking Ahead
With Beta 3 coming next week and the Release Candidate after that, FreeBSD 15.1-RELEASE on June 2 is fast approaching. Anyone running supported versions should urgently apply the April 29 security advisories — especially the critical dhclient RCE. And for those testing pkgbase, Vermaden’s guide provides a solid starting point.
This week brought two critical security advisories (both discovered with AI-assisted fuzzing), a bumper Q1 status report with 45 entries, and the official start of the 15.1 release cycle. If you’re still on FreeBSD 13.5, the clock is ticking.
Two Security Advisories, One Day
On April 21, the FreeBSD Security Team released two advisories — both credited to Nicholas Carlini using Claude (Anthropic). AI-assisted fuzzing finding two independent kernel bugs is noteworthy and signals a shift in how vulnerability research is done.
SA-26:10.tty — Use-After-Free in TIOCNOTTY Handler (CVE-2026-5398, CVSS 8.4 HIGH)
The TIOCNOTTY ioctl lets a process detach from its controlling terminal. The implementation failed to clear a back-pointer from the terminal structure to the calling process’s session. When the process subsequently exits, the terminal structure retains a dangling pointer to freed memory — which a malicious process can exploit to escalate to root.
All supported FreeBSD versions are affected (13.5, 14.3, 14.4, 15.0). No workaround exists. Patch and reboot.
SA-26:11.amd64 — Missing Large Page Handling in pmap_pkru_update_range() (CVE-2026-6386)
The pmap_pkru_update_range() function updates page table entries when applying Memory Protection Keys (PKRU) to an address range. It didn’t account for 1GB large page mappings created via shm_create_largepage(). Instead of recognizing a page directory entry as a large page, it treated it as a pointer to another page table page.
The result: an unprivileged user can trick the kernel into treating userspace memory as a page table, overwriting memory they shouldn’t have access to. Affects all supported versions on amd64. No workaround.
Takeaway: If you run amd64 systems, patch immediately. Both bugs are locally exploitable, and SA-26:10 leads directly to root. The AI-assisted discovery method is a clear signal: defenders need to adopt these tools as fast as attackers already have.
Q1 2026 Status Report: 45 Entries
The Q1 2026 Status Report landed on April 22 with 45 entries — the first under a newly enforced editorial schedule. Highlights:
Alpha-Omega Beach Cleaning
The FreeBSD Foundation continues its Beach Cleaning project, funded by the Linux Foundation’s Alpha-Omega initiative. The goal: proactively find and fix security vulnerabilities in third-party base system software. The repository includes build infrastructure and fuzzing setups for components like libxml2, SQLite, and other base system dependencies. The connection to this week’s two SAs is obvious — structured fuzzing pays off.
Cyber Resilience Act (CRA) Readiness
The EU’s Cyber Resilience Act is law, and FreeBSD must prepare. The Foundation launched a dedicated CRA Readiness project with monthly updates. Core questions: Which SBOM requirements apply? How is vulnerability management documented? Anyone deploying FreeBSD in EU-compliant products should follow this closely.
Laptop Testing & Integration
The Laptop Integration Testing Project introduced a Python application that automates FreeBSD compatibility testing on laptops. The Foundation is asking the community to submit hardware probes to build a public compatibility matrix. Other laptop progress:
S0ix (Modern Standby): Suspend/Resume support for modern laptops
Hibernate (Suspend-to-Disk): Under active development
CPPC: AMD CPPC support for Zen 2+ processors (out-of-tree module available)
Intel FRED: Konstantin Belousov (kib) submitted initial patches for Intel’s Flexible Return and Event Delivery — CPUID, MSR, and CR4 bits are in main, full FRED support is under review
Sylvea v0.2.3
The management tool Sylvea reached v0.2.3 with enhanced jail and VM support. A lightweight GUI for Bhyve, Jails, ZFS, and networking — an interesting alternative to web-based tools like TrueNAS.
HPC Initiative
FreeBSD is getting ports for Slurm, OpenMPI, and UCX — high-performance computing is landing on the platform. Niche, but strategically important.
Cloud
FreeBSD on EC2 with updated AMIs, plus a new STACKIT Cloud integration (a European cloud provider in the IAD group).
Ports Updates
KDE Plasma 6.6.3
OpenJDK 21/25
Wazuh 4.14.3 (Security Monitoring)
FreeBSD 15.1: Code Slush Reached
The 15.1 release cycle hit Code Slush on April 17 — commits to the stable/15 branch no longer require explicit approval, but new features should be avoided. The remaining schedule:
Milestone | Date
releng/15.1 branch | May 1, 2026
BETA1 | May 1, 2026
BETA2 | May 8, 2026
BETA3 | May 15, 2026
RC1 | May 22, 2026
RELEASE | June 2, 2026
FreeBSD 15.0 reaches end-of-life on September 30, 2026. Stable/15 will be supported through December 2029.
FreeBSD 13.5: EOL on April 30
Anyone still running FreeBSD 13.5 has less than a week to upgrade. Support ends April 30 — no more security patches after that. The Release Engineering Team has already stopped weekly snapshot builds for stable/13.
Migration to 14.4 or 15.0 is now urgent. Especially given SA-26:10 and SA-26:11, running an EOL version would be negligent.
ZFS: Snapshot Automount Deadlock Fixed
Hamza (ixhamza) contributed two significant ZFS fixes:
Snapshot automount deadlock during concurrent zfs recv — When a snapshot is automounted while zfs recv is running, the system could deadlock. The fix reorganizes the locking order.
AVL tree panic from snapshot automount race — A race condition during parallel snapshot mounts could trigger an AVL tree panic. Solved by switching to AVL lookup instead of linear scan.
Additionally, a memory leak in zfsctl_snapshot_mount was fixed — the options structure wasn’t being properly freed.
For anyone running zfs recv in production (and you should be if you do replication), these fixes matter. The deadlock was hitting real users, as open issue #18073 confirms.
BastilleBSD Hiring Plans
BastilleBSD announced plans to hire a part-time FreeBSD/Bastille sysadmin (~20 hrs/week), targeting EMEA/APAC time zones. The role involves working with Bastille’s creator on a cybersecurity startup, with an expected start in mid-to-late 2026. A sign that the FreeBSD jail management ecosystem is professionalizing.
TopBar: Wayland Desktop Environment
TopBar was featured on DiscoverBSD — a customizable desktop environment built with Quickshell and QML for Wayland compositors like MangoWM and Hyprland. It integrates a status bar, app launcher, lock screen, and wallpaper manager into a single cohesive system. For FreeBSD laptop users exploring Wayland, this is worth watching.
ZFS Performance Without New Hardware
A DiscoverBSD article rounded up ZFS performance tips that don’t require hardware investment:
Tune recordsize to workload (16K for databases, 1M–4M for storage)
Enable LZ4 compression — often reduces I/O overhead rather than increasing it
Pool topology: Replace wide RAIDz configs with mirrored VDEVs for more parallelism
Disable prefetch for random-access workloads (databases)
Nothing new for ZFS veterans, but a solid reference for newcomers.
What This Week Means
Two critical SAs in one week, both discovered via AI-assisted fuzzing — that’s a wake-up call. The tools are getting better, and attackers will use them too. The Q1 status report shows a healthy project: laptop support is growing, HPC is arriving, CRA preparation is professional. And with the code slush for 15.1, the next release is approaching.
If you’re on 13.5: upgrade now. If you’re on 15.0 or 14.4: patch now. Anything else is negligent.
This week brought two critical security advisories (both discovered with AI-assisted fuzzing), a bumper Q1 status report with 45 entries, and the official start of the 15.1 release cycle. If you’re still on FreeBSD 13.5, the clock is ticking.
Two Security Advisories, One Day
On April 21, the FreeBSD Security Team released two advisories — both credited to Nicholas Carlini using Claude (Anthropic). AI-assisted fuzzing finding two independent kernel bugs is noteworthy and signals a shift in how vulnerability research is done.
SA-26:10.tty — Use-After-Free in TIOCNOTTY Handler (CVE-2026-5398, CVSS 8.4 HIGH)
The TIOCNOTTY ioctl lets a process detach from its controlling terminal. The implementation failed to clear a back-pointer from the terminal structure to the calling process’s session. When the process subsequently exits, the terminal structure retains a dangling pointer to freed memory — which a malicious process can exploit to escalate to root.
All supported FreeBSD versions are affected (13.5, 14.3, 14.4, 15.0). No workaround exists. Patch and reboot.
SA-26:11.amd64 — Missing Large Page Handling in pmap_pkru_update_range() (CVE-2026-6386)
The pmap_pkru_update_range() function updates page table entries when applying Memory Protection Keys (PKRU) to an address range. It didn’t account for 1GB large page mappings created via shm_create_largepage(). Instead of recognizing a page directory entry as a large page, it treated it as a pointer to another page table page.
The result: an unprivileged user can trick the kernel into treating userspace memory as a page table, overwriting memory they shouldn’t have access to. Affects all supported versions on amd64. No workaround.
Takeaway: If you run amd64 systems, patch immediately. Both bugs are locally exploitable, and SA-26:10 leads directly to root. The AI-assisted discovery method is a clear signal: defenders need to adopt these tools as fast as attackers already have.
Q1 2026 Status Report: 45 Entries
The Q1 2026 Status Report landed on April 22 with 45 entries — the first under a newly enforced editorial schedule. Highlights:
Alpha-Omega Beach Cleaning
The FreeBSD Foundation continues its Beach Cleaning project, funded by the Linux Foundation’s Alpha-Omega initiative. The goal: proactively find and fix security vulnerabilities in third-party base system software. The repository includes build infrastructure and fuzzing setups for components like libxml2, SQLite, and other base system dependencies. The connection to this week’s two SAs is obvious — structured fuzzing pays off.
Cyber Resilience Act (CRA) Readiness
The EU’s Cyber Resilience Act is law, and FreeBSD must prepare. The Foundation launched a dedicated CRA Readiness project with monthly updates. Core questions: Which SBOM requirements apply? How is vulnerability management documented? Anyone deploying FreeBSD in EU-compliant products should follow this closely.
Laptop Testing & Integration
The Laptop Integration Testing Project introduced a Python application that automates FreeBSD compatibility testing on laptops. The Foundation is asking the community to submit hardware probes to build a public compatibility matrix. Other laptop progress:
S0ix (Modern Standby): Suspend/Resume support for modern laptops
Hibernate (Suspend-to-Disk): Under active development
CPPC: AMD CPPC support for Zen 2+ processors (out-of-tree module available)
Intel FRED: Konstantin Belousov (kib) submitted initial patches for Intel’s Flexible Return and Event Delivery — CPUID, MSR, and CR4 bits are in main, full FRED support is under review
Sylvea v0.2.3
The management tool Sylvea reached v0.2.3 with enhanced jail and VM support. A lightweight GUI for Bhyve, Jails, ZFS, and networking — an interesting alternative to web-based tools like TrueNAS.
HPC Initiative
FreeBSD is getting ports for Slurm, OpenMPI, and UCX — high-performance computing is landing on the platform. Niche, but strategically important.
Cloud
FreeBSD on EC2 with updated AMIs, plus a new STACKIT Cloud integration (a European cloud provider in the IAD group).
Ports Updates
KDE Plasma 6.6.3
OpenJDK 21/25
Wazuh 4.14.3 (Security Monitoring)
FreeBSD 15.1: Code Slush Reached
The 15.1 release cycle hit Code Slush on April 17 — commits to the stable/15 branch no longer require explicit approval, but new features should be avoided. The remaining schedule:
| Milestone | Date |
| --- | --- |
| releng/15.1 branch | May 1, 2026 |
| BETA1 | May 1, 2026 |
| BETA2 | May 8, 2026 |
| BETA3 | May 15, 2026 |
| RC1 | May 22, 2026 |
| RELEASE | June 2, 2026 |
FreeBSD 15.0 reaches end-of-life on September 30, 2026. Stable/15 will be supported through December 2029.
FreeBSD 13.5: EOL on April 30
Anyone still running FreeBSD 13.5 has less than a week to upgrade. Support ends April 30 — no more security patches after that. The Release Engineering Team has already stopped weekly snapshot builds for stable/13.
Migration to 14.4 or 15.0 is now urgent. Especially given SA-26:10 and SA-26:11, running an EOL version would be negligent.
ZFS: Snapshot Automount Deadlock Fixed
Hamza (ixhamza) contributed two significant ZFS fixes:
Snapshot automount deadlock during concurrent zfs recv — When a snapshot is automounted while zfs recv is running, the system could deadlock. The fix reorganizes the locking order.
AVL tree panic from snapshot automount race — A race condition during parallel snapshot mounts could trigger an AVL tree panic. Solved by switching to AVL lookup instead of linear scan.
Additionally, a memory leak in zfsctl_snapshot_mount was fixed — the options structure wasn’t being properly freed.
For anyone running zfs recv in production (and you should be if you do replication), these fixes matter. The deadlock was hitting real users, as open issue #18073 confirms.
BastilleBSD Hiring Plans
BastilleBSD announced plans to hire a part-time FreeBSD/Bastille sysadmin (~20 hrs/week), targeting EMEA/APAC time zones. The role involves working with Bastille’s creator on a cybersecurity startup, with an expected start in mid-to-late 2026. A sign that the FreeBSD jail management ecosystem is professionalizing.
TopBar: Wayland Desktop Environment
TopBar was featured on DiscoverBSD — a customizable desktop environment built with Quickshell and QML for Wayland compositors like MangoWM and Hyprland. It integrates a status bar, app launcher, lock screen, and wallpaper manager into a single cohesive system. For FreeBSD laptop users exploring Wayland, this is worth watching.
ZFS Performance Without New Hardware
A DiscoverBSD article rounded up ZFS performance tips that don’t require hardware investment:
Tune recordsize to workload (16K for databases, 1M–4M for storage)
Enable LZ4 compression — often reduces I/O overhead rather than increasing it
Pool topology: Replace wide RAIDz configs with mirrored VDEVs for more parallelism
Disable prefetch for random-access workloads (databases)
Nothing new for ZFS veterans, but a solid reference for newcomers.
What This Week Means
Two critical SAs in one week, both discovered via AI-assisted fuzzing — that’s a wake-up call. The tools are getting better, and attackers will use them too. The Q1 status report shows a healthy project: laptop support is growing, HPC is arriving, CRA preparation is professional. And with the code slush for 15.1, the next release is approaching.
If you’re on 13.5: upgrade now. If you’re on 15.0 or 14.4: patch now. Anything else is negligent.
A summary of the most important developments, security advisories, and discussions in the FreeBSD ecosystem over the past week.
Release Engineering: 15.1 Approaches Code Slush
On April 17, the stable/15 code slush began in preparation for FreeBSD 15.1. The full schedule, published by Release Engineering Lead Colin Percival back in January, looks like this:
| Milestone | Date |
| --- | --- |
| Ports Quarterly Branch | April 1, 2026 |
| stable/15 Slush | April 17, 2026 |
| doc/ Tree Slush | April 24, 2026 |
| releng/15.1 Branch | May 1, 2026 |
| BETA1 | May 1, 2026 |
| BETA2 | May 8, 2026 |
| BETA3 | May 15, 2026 |
| RC1 | May 22, 2026 |
| RELEASE Build | May 29, 2026 |
| RELEASE Announcement | June 2, 2026 |
Percival noted in January that 15.1 might be “a relatively bumpy minor release” given the experience with 15.0, particularly due to additional pkgbase changes. Meanwhile, stable/13 reaches its End-of-Life at the end of April — weekly snapshot builds for that branch will cease.
Security: SA-26:08 — Critical Stack Overflow in rpcsec_gss
Perhaps the most notable security development of recent weeks is FreeBSD Security Advisory SA-26:08, which describes a stack overflow in svc_rpc_gss_validate(). The vulnerability allows remote code execution and affects all supported FreeBSD versions. Patches are available for 15.0-RELEASE-p5 and the 14.x series.
What makes this advisory remarkable: the vulnerability was discovered and exploited by Nicholas Carlini using Claude AI (Anthropic) — an early example of AI-assisted security research uncovering real kernel vulnerabilities. The fix commit by Mark Johnston (143293c) addresses the buffer overflow in the GSS validation routine.
Q1 2026 Status Reports Published
The FreeBSD status reports for the first quarter of 2026 are now online. The Release Engineering Team update documents the successful 14.4-RELEASE publication in March and the ongoing planning for 15.1.
Laptop Project: Community Testing Call
The FreeBSD Foundation published a Call for Testing for the Laptop Integration Testing Project on April 6. Following the Year-One Update in February, the team has been building testing infrastructure since January. Community members can now test their laptops:
pkg install python hw-probe
git clone https://github.com/FreeBSDFoundation/freebsd-laptop-testing
cd freebsd-laptop-testing
make
The testing tool automatically probes laptop hardware and creates anonymized reports that can be submitted via Pull Request. Results feed into a public compatibility matrix at freebsdfoundation.github.io/freebsd-laptop-testing.
OpenZFS: Native relatime Property
On April 1, OpenZFS gained a native relatime property (commit 1685849 by @amotin). Relatime (relative atime) only updates a file’s access time when it is older than its modification or status change time, significantly reducing unnecessary write operations — especially beneficial for SSDs and caches. Previously only configurable via mount options, relatime can now be set natively per dataset.
Ports: GNU ld Checks Removed
Brooks Davis committed a tree-wide cleanup (d87609e) on April 13, removing all checks for whether the base linker is GNU ld. Since FreeBSD adopted lld (the LLVM linker) as default, these checks have been obsolete. The commit affects Makefiles across the entire ports tree.
Mailing Lists
IPv6-Only RA: Proposal to Adopt RFC 8925
Pouria Mousavizadeh Tehrani proposed on freebsd-current to remove the experimental implementation of the IETF draft DRAFT_IETF_6MAN_IPV6ONLY_FLAG and adopt RFC 8925 (IPv6-Only preference via DHCP option) instead. The backstory is interesting: Bjoern Zeeb originally proposed marking networks as IPv6-only via an RA flag. The draft was abandoned because RAs can be trivially forged — an attacker could maliciously disable IPv4 networks. Google later submitted the same idea as a DHCP option, which became RFC 8925. Pouria is seeking feedback on removing the draft-specific code paths from the kernel and userland.
Kqueue Panic: knlist Assertions Added
A kernel panic — “knote was already on knlist” — was reported on freebsd-current after build main-n284826. Kyle Evans (kevans91) responded by adding assertions in knlist_add() and knlist_remove_kq() (commit 306c904) to catch such error states earlier and more reliably. The related bug report (Bug 293382) describes deadlocks and crashes around closefp_impl, suggesting the issue involves file descriptor closure and kqueue registration interaction.
Week 15 brings movement across several fronts: the 15.1 schedule is official, the Laptop Project calls for community testing, OpenZFS finally gets a native relatime property, and freebsd-current debates IPv6-only RA flags and a knote panic.
FreeBSD 15.1: Schedule Published, Code Slush on April 17
On April 3, the Release Engineers sent out the official schedule reminder for FreeBSD 15.1. Key dates:
| Milestone | Planned |
| --- | --- |
| Code slush begins | April 17, 2026 |
| releng/15.1 branch | May 1 |
| BETA1 | May 1 |
| RC1 | May 22 |
| RELEASE | June 2 |
Code slush starts this week: from April 17 onward, no new features should be committed to the stable/15 branch. Commits are still permitted, but the focus shifts to stability and bug fixes.
The release notes page already exists and lists planned improvements: KDE Plasma 6 desktop installer option, improved Realtek WiFi support (RTW88/RTW89), updated graphics drivers from Linux, and expanded power management features.
What this means: If you have changes you want in 15.1, the window is closing fast. After Friday, it’s beta season.
Laptop Integration Testing Project: Community Call to Action
The FreeBSD Foundation has launched a new community testing program: the Laptop Integration Testing Project. LWN reported on it April 6.
The idea: the Foundation has limited access to test hardware and wants community involvement. Volunteers can test FreeBSD on their laptops and submit results via a GitHub repository — without worrying about environment setup, formatting, or repo-specific details.
Particularly valuable: not just automated hardware enumeration, but also manual commentary about personal experience running FreeBSD on a given device. Results will be displayed in a public compatibility matrix.
What this means: Finally, a structured way to document laptop compatibility. If you run FreeBSD on a laptop, visit the repository and submit your results — every entry counts.
Alexander Motin (amotin) merged a long-awaited commit into OpenZFS on April 1: relatime as a native ZFS property on FreeBSD.
Previously, FreeBSD users who wanted relatime (relative access-time updates — atime is only written if it’s older than mtime/ctime or older than 24 hours) had to rely on mount-option workarounds. With this commit, relatime becomes a proper ZFS dataset property, settable via zfs set relatime=on pool/dataset.
The implementation follows the Linux kernel logic: atime is updated only if at least one condition is met:
atime < mtime
atime < ctime
atime older than 24 hours
What this means: Fewer unnecessary ZFS writes on read access, especially on SSDs and laptops. If you need atime=on (e.g., for Maildir or backup tools), you can now set relatime=on and get the best of both worlds.
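The three conditions listed above, as an added C example (not OpenZFS or kernel code; the struct names and the access trace are constructed). It uses the strict comparisons as listed on this page, treats "older than 24 hours" as an age of at least 86400 seconds, and counts atime writes for 72 hourly reads with one file modification in between.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DAY 86400                      /* 24 hours in seconds */

struct ftimes { int64_t atime, mtime, ctime; };

enum ev_kind { EV_READ, EV_WRITE };
struct event { int64_t t; enum ev_kind kind; };

/* The relatime decision: update atime only if one condition holds. */
static int relatime_need_update(const struct ftimes *f, int64_t now)
{
    if (f->atime < f->mtime)
        return 1;                      /* file modified since last recorded access */
    if (f->atime < f->ctime)
        return 1;                      /* status changed since last recorded access */
    if (now - f->atime >= DAY)
        return 1;                      /* recorded atime is a day old or more */
    return 0;
}

/* Replay a trace and count how often atime would be written.
 * relatime == 0 models atime=on without relatime (every read writes). */
static int count_atime_updates(const struct event *ev, size_t n, int relatime)
{
    struct ftimes f = { 0, 0, 0 };     /* file created at t = 0 */
    int updates = 0;

    for (size_t i = 0; i < n; i++) {
        if (ev[i].kind == EV_WRITE) {
            f.mtime = f.ctime = ev[i].t;
            continue;
        }
        if (!relatime || relatime_need_update(&f, ev[i].t)) {
            f.atime = ev[i].t;
            updates++;
        }
    }
    return updates;
}

/* Constructed trace: one read per hour for 72 hours, one write at 30.5 h. */
static size_t build_trace(struct event *ev, size_t cap)
{
    size_t n = 0;

    for (int h = 1; h <= 72 && n + 2 <= cap; h++) {
        ev[n++] = (struct event){ (int64_t)h * 3600, EV_READ };
        if (h == 30)
            ev[n++] = (struct event){ 30 * 3600 + 1800, EV_WRITE };
    }
    return n;
}

static int demo_updates(int relatime)
{
    struct event ev[80];
    size_t n = build_trace(ev, 80);

    return count_atime_updates(ev, n, relatime);
}

int main(void)
{
    printf("atime writes without relatime: %d\n", demo_updates(0));
    printf("atime writes with relatime:    %d\n", demo_updates(1));
    return 0;
}
```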
Mailing Lists: IPv6-only RA Flag Should Go
Pouria Mousavizadeh Tehrani proposed on freebsd-current (April 2) the removal of the IPv6-only RA draft implementation in favor of RFC 8925 (DHCP-based approach).
Background: Bjoern Zeeb had submitted an IPv6-only flag implementation as an IETF draft, also present in the FreeBSD kernel and userland (not compiled by default, behind DRAFT_IETF_6MAN_IPV6ONLY_FLAG). The draft was abandoned by the IETF because RA flags are trivially forgeable and could be used to maliciously disable IPv4 networks. RFC 8925 uses a DHCP option instead, which is better protected by DHCP snooping in practice.
Pouria is asking for consensus to remove the draft-specific code paths and migrate to RFC 8925. Bjoern is cc’d, and the discussion is ongoing.
What this means: If you’re using the experimental IPv6-only RA flag, plan to migrate to RFC 8925. The code cleanup is a good step — fewer dead paths in the kernel.
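What the RFC 8925 signal looks like on the client side, as an added C example (not FreeBSD's DHCP client code; the function name and sample option buffers are constructed). RFC 8925 defines DHCPv4 option 108 with a 4-byte V6ONLY_WAIT value in seconds, ignored when the length is not 4 and raised to a 300-second minimum; the parser bounds-checks every TLV before reading it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DHO_PAD              0
#define DHO_END              255
#define DHO_V6ONLY_PREFERRED 108     /* RFC 8925 option code */
#define MIN_V6ONLY_WAIT      300u    /* RFC 8925 lower bound, seconds */

/*
 * Scan a DHCPv4 options field for option 108.
 * Returns  1 and stores V6ONLY_WAIT if a well-formed option is present,
 *          0 if the option is absent or its length is not 4 (ignored),
 *         -1 if the option stream is truncated.
 */
static int parse_v6only(const uint8_t *opt, size_t len, uint32_t *wait)
{
    size_t i = 0;
    int found = 0;

    while (i < len) {
        uint8_t code = opt[i++];

        if (code == DHO_PAD)
            continue;                /* single-byte padding, no length */
        if (code == DHO_END)
            break;
        if (i >= len)
            return -1;               /* length byte missing */

        uint8_t olen = opt[i++];
        if (olen > len - i)
            return -1;               /* value would run past the buffer */

        if (code == DHO_V6ONLY_PREFERRED && olen == 4) {
            uint32_t v = ((uint32_t)opt[i] << 24) |
                         ((uint32_t)opt[i + 1] << 16) |
                         ((uint32_t)opt[i + 2] << 8) |
                          (uint32_t)opt[i + 3];
            *wait = v < MIN_V6ONLY_WAIT ? MIN_V6ONLY_WAIT : v;
            found = 1;
        }
        i += olen;
    }
    return found;
}

/* Constructed option fields (53,1,2 = message type DHCPOFFER). */
static const uint8_t offer_ok[]     = { 53, 1, 2, 108, 4, 0, 0, 7, 8, 255 };
static const uint8_t offer_short[]  = { 108, 4, 0, 0, 0, 10, 255 };
static const uint8_t offer_badlen[] = { 108, 2, 0, 10, 255 };
static const uint8_t offer_trunc[]  = { 53, 1, 2, 108, 4, 0, 0 };

int main(void)
{
    uint32_t w = 0;
    int r;

    r = parse_v6only(offer_ok, sizeof(offer_ok), &w);
    printf("ok:      r=%d wait=%u\n", r, (unsigned)w);
    r = parse_v6only(offer_short, sizeof(offer_short), &w);
    printf("short:   r=%d wait=%u\n", r, (unsigned)w);
    r = parse_v6only(offer_badlen, sizeof(offer_badlen), &w);
    printf("bad len: r=%d\n", r);
    r = parse_v6only(offer_trunc, sizeof(offer_trunc), &w);
    printf("trunc:   r=%d\n", r);
    return 0;
}
```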
Mailing Lists: knote Panic and etcupdate Slowdown
Two active issues on freebsd-current:
knote Panic: After commit d9d7b5948649 (main-n284826), some users experience a panic: "knote ... was already on knlist...". Konstantin Belousov and Kyle Evans are working on diagnosis. The bug (Bugzilla #293382) involves closefp_impl and can cause deadlocks and kernel crashes. Affected: -CURRENT users after April 2.
etcupdate twice as slow: Bob Prohaska reports that etcupdate on armv7 (Raspberry Pi 2) now takes twice as long as before. Discussion with Dimitry Andric and Mark Millard suggests the root cause lies in the pkgbase transition and changed file structure — etcupdate must process more files.
What this means: -CURRENT users should watch for the knote bug fix. On armv7 systems, consider evaluating mergemaster as an alternative until the issue is resolved.
Ports: Chromium 146 and Security Updates
The Ports Collection received several updates this week:
Chromium 146.0.7680.177 (April 1, René Nagy) — current major release
Previously: Chromium 146.0.7680.164 with VuXML entry for vulnerabilities in versions < 146.0.7680.164
March 30: Revert of an upstream commit that broke file dialog behavior on FreeBSD
The continuous Chromium updates show active port maintainership — but also that upstream commits regularly cause FreeBSD-specific regressions.
New Committer: Kenneth Raplee
On April 4, Kenneth Raplee (kenrap@FreeBSD.org) was announced as a new ports committer. Welcome to the project!
Looking Ahead
April 17: Code slush for 15.1 begins — last chance for feature commits
The knote panic in -CURRENT needs a fix
The IPv6-only RA discussion may lead to a commit
The Laptop Testing Project hopes for first community results
FreeBSD 14.4-RELEASE, announced on March 10, 2026, represents a significant milestone in the stable/14 branch with substantial improvements in security, virtualization, and cloud integration. This comprehensive overview covers the latest developments, security advisories, and technical enhancements in the FreeBSD ecosystem.
FreeBSD 14.4-RELEASE: Major Features
OpenSSH 10.0p2 with Post-Quantum Cryptography
The most notable security enhancement in FreeBSD 14.4 is the upgrade to OpenSSH 10.0p2, which introduces:
Hybrid Post-Quantum Algorithm: Default use of mlkem768x25519-sha256, combining traditional elliptic curve cryptography with post-quantum Kyber-based algorithms
Enhanced Key Exchange: Protection against future quantum computing threats while maintaining compatibility with existing infrastructure
Improved Authentication: Stronger security posture for SSH connections in enterprise environments
OpenZFS 2.2.9 Storage Enhancements
The OpenZFS filesystem receives significant updates:
Performance Improvements: Optimized ARC implementation and reduced memory overhead
Metadata Handling: Faster directory operations and improved metadata caching
Compression Enhancements: Better zstd compression ratios and performance
Snapshot Management: More efficient incremental send/receive operations
bhyve Virtualization: p9fs Integration
A groundbreaking feature for virtualization environments:
9P Filesystem Support: Native implementation of the 9P2000 protocol (p9fs) enables direct filesystem sharing between bhyve hosts and guests
Usage Examples:
# Mount p9fs share in guest
mount -t p9fs sharename /mnt
# Use as root filesystem (advanced): set this in /boot/loader.conf
vfs.root.mountfrom="p9fs:sharename"
Benefits: Simplified file sharing, reduced overhead compared to NFS/SMB, and improved security through protocol isolation
Better Metadata Handling: Improved parsing of cloud provider metadata formats
Network Configuration: More reliable network interface configuration in cloud environments
User Data Processing: Enhanced support for cloud-init user-data scripts and configurations
Security Enhancements
Encrypted Swap Support: Native encryption of swap space using geli(8) encryption system
Jail Security: Improved isolation and resource controls for FreeBSD jails
MAC Framework: Enhanced Mandatory Access Control policies and utilities
Recent Security Advisories
FreeBSD-SA-26:09.pf (March 26, 2026)
Severity: High
Affected Versions: FreeBSD 14.x, 15.0
CVE: CVE-2026-4652
Issue: The pf firewall silently ignores certain rule configurations, potentially allowing unintended network access
Resolution:
Patches available for all supported branches
Immediate upgrade recommended via:
freebsd-update fetch
freebsd-update install
# Or using packages
pkg upgrade
Workaround: Temporarily rewrite affected rules using tables or labels instead of direct interface specifications
FreeBSD-SA-26:07.nvmf (March 25, 2026)
Severity: Medium
Affected Versions: FreeBSD 15.0
Issue: Security vulnerability in NVMe over Fabrics subsystem implementation
Patches Released:
stable/15 branch: March 25, 2026 01:29 UTC
releng/15.0 branch: March 26, 2026 01:11 UTC
Ports and Packages Updates
pkgsrc-2026Q1 Branch (March 27, 2026)
The new quarterly branch brings:
Software Updates: Latest versions of popular applications and libraries
Security Fixes: Patches for vulnerable packages in the ports collection
Dependency Resolution: Improved handling of complex dependency chains
Notable Package Upgrades
OpenSSL 3.5: Multiple security fixes and performance improvements
PostgreSQL 17: Enhanced query optimization and replication features
Python 3.12: New language features and runtime optimizations
pkg 2.6.2_1: Improved package management with better dependency resolution
Development and Community News
Google Summer of Code 2026
FreeBSD has been selected for Google Summer of Code 2026, with focus areas including:
Kernel Development: Performance optimization and new driver support
Tooling Improvements: Enhanced developer tools and debugging utilities
Documentation: Comprehensive documentation updates and translations
Release Engineering Changes
The FreeBSD project has adopted a new release strategy:
Quarterly Releases: Every 3 months for regular feature updates
Biennial Releases: Every 2 years for long-term support versions
Benefits: More predictable release cycles, better security maintenance, and improved stability
System Administration Guidance
Upgrade Recommendations
For systems running FreeBSD 14.x:
# Standard upgrade process
freebsd-update fetch
freebsd-update install
# Rebuild third-party packages if necessary
pkg upgrade
Firewall Review: Audit pf rulesets for potential issues
Monitoring: Implement comprehensive system monitoring
Backup Strategy: Ensure regular ZFS snapshots and offsite backups
Performance Monitoring Commands
# ZFS performance
zpool iostat -v 1
zfs get all poolname
# Network monitoring
pfctl -s info
pfctl -s rules
# System health
vmstat 1
iostat 1
Support Timeline
FreeBSD 14.4-RELEASE: Supported until December 31, 2026
FreeBSD 13.x: Entering end-of-life phase, migration to 14.x recommended
FreeBSD 15.0: Current development branch, production use with caution
International Security Notices
BSI (Germany): Multiple advisories regarding FreeBSD vulnerabilities
Canadian Centre for Cyber Security: AV26-179 advisory for critical fixes
DFN-CERT: DFN-CERT-2026-0689 covering local privilege escalation issues
Resources and References
Official Security Advisories: https://www.freebsd.org/security/advisories/
The BSD family originates from the Berkeley Software Distribution released by the University of California, Berkeley, in 1977. The early releases (1.0 – 4.3BSD) introduced the now‑ubiquitous TCP/IP stack, a pivotal innovation that turned BSD into the backbone of the modern Internet.
During the early 1990s the project split into several independent branches, each pursuing a distinct vision:
FreeBSD (founded 1993) focused on performance, stability and a massive Ports collection for third‑party software.
OpenBSD (branched off 1995) adopted a strict security‑first policy, aiming to be the most secure UNIX‑like OS.
NetBSD (1993) embraced portability, coining the slogan “runs on anything” – it now supports more than 50 CPU architectures.
DragonFlyBSD (2003) forked from FreeBSD 4.8 to address concerns about development speed and SMP scalability, culminating in a modern kernel and the HAMMER2 filesystem.
These divergent histories still shape the design decisions, community culture, and target workloads of each system today.
Philosophy, Development Model and Licensing
| Project | Primary Goal | Development Model | License |
| --- | --- | --- | --- |
| FreeBSD | High‑performance server & desktop platform | Central core team, Commit‑Access managed by a small Core Team; Ports tree maintained by a large pool of volunteers. | BSD 2‑Clause + CDDL for ZFS (exception for the ZFS implementation) |
| OpenBSD | Maximal security and code correctness | Very conservative, small team; each change undergoes extensive code audit before being committed. | BSD 2‑Clause (pure, no additional encumbrances) |
| NetBSD | Portability, clean code, support for exotic hardware | Decentralised, Git‑based repository; pkgsrc is a separate, cross‑platform package collection. | |
Licensing matters for enterprises. FreeBSD’s inclusion of the CDDL ZFS code can raise compliance questions, whereas OpenBSD, NetBSD and DragonFlyBSD remain under a single, permissive BSD licence.
Typical Use Cases – Where Each BSD Excels
| Use case | FreeBSD | OpenBSD | NetBSD | DragonFlyBSD |
| --- | --- | --- | --- | --- |
| Web & DB servers | ★★★★★ – ZFS + Jails, highly tuned TCP stack (Fast Open, RACK) – used by Netflix, GitHub, Yahoo! | ★★★☆☆ – security‑first front‑ends, but fewer performance‑tuned features. | ★★☆☆☆ – rarely used as a primary web server; shines on embedded gateways. | ★★★★☆ – HAMMER2’s dedup & snapshots make it attractive for storage‑heavy workloads. |
| Firewalls / Routers | ★★★★☆ – pf (ported), ipfw, pfSense/OPNsense are FreeBSD‑based appliances. | ★★★★★ – pf originated here; excellent defaults, minimal footprint for pure firewall use. | ★★☆☆☆ – supports pf via ports, but lacks a native UI. | ★★☆☆☆ – no dedicated firewall framework. |
| Embedded / IoT | ★★☆☆☆ – ARM support exists, but larger footprint limits usage. | ★★★☆☆ – small, secure, but driver set lagging. | ★★★★★ – runs on ARM, MIPS, PowerPC, SPARC, RISC‑V; clean‑room builds ideal for deterministic firmware. | ★★☆☆☆ – focus remains server‑oriented. |
| Desktop / Workstation | ★★★★☆ – GhostBSD, MidnightBSD provide ready‑made GNOME/KDE environments. | ★★☆☆☆ – no official desktop flavour, though X11 is available. | ★★★☆☆ – NomadBSD (live USB) offers a minimal desktop. | ★★★★☆ – desktop installer exists but the project’s emphasis stays on server use. |
| NAS / Storage Appliances | ★★★★★ – ZFS native, TrueNAS CORE is built on FreeBSD. | ★★★☆☆ – ZFS ports exist but not a primary feature. | ★★★☆☆ – FFS with WAPBL, optional ZFS ports. | ★★★★★ – HAMMER2 provides copy‑on‑write, snapshots and dedup, suitable for backup servers. |
Kernel Architecture in Detail
Filesystems and Storage
FreeBSD – ZFS
Copy‑on‑Write, end‑to‑end checksumming, compression, deduplication, and native encryption. ZFS pools (zpool) allow mixing devices of different sizes and types. Integrated since FreeBSD 9.0, ZFS can be a root filesystem. The CDDL license of ZFS is the only non‑BSD component.
OpenBSD – FFS + Soft‑crypto
Traditional Fast File System (UFS). No native ZFS; experimental ports exist. Encryption is handled via soft‑crypto (GELI) which provides block‑device level encryption.
NetBSD – FFS + WAPBL
Uses WAPBL (Write‑Ahead Physical Logging) for low‑overhead journaling of metadata, striking a balance between performance and crash‑consistency.
DragonFlyBSD – HAMMER2
Modern copy‑on‑write filesystem with snapshots, deduplication, and cluster‑level mirroring. Optimised for many‑core systems and large storage pools. Tooling is less mature than ZFS, but performance on multi‑core machines is excellent.
Network Stack and Security Features
FreeBSD: Highly tuned TCP stack (Fast Open, RACK, NewReno), ipfw as classic firewall, and pf (ported from OpenBSD) for modern packet filtering. BPF (Berkeley Packet Filter) provides fast packet capture for IDS/IPS.
OpenBSD: pf is the flagship firewall; the project emphasizes secure‑by‑default sysctl defaults, mandatory access controls, and frequent security audits. Integrated tools include OpenSSH, LibreSSL, OpenBGPD, and OpenNTPD.
NetBSD: Supports ipfilter, ipfw, and also pf via ports. The networking code is highly portable, making it ideal for edge routers on obscure architectures.
DragonFlyBSD: Includes pf and ipfw. The network stack is clean and well‑documented, though not as feature‑rich as FreeBSD’s implementation.
Virtualization, Containers and Isolation
| System | Container Technology | Hypervisor | Notable Features |
| --- | --- | --- | --- |
| FreeBSD | Jails – OS‑level containers with separate IP stacks, filesystem views, and resource limits (rctl). | bhyve – modern hypervisor supporting virtio, UEFI, and KVM acceleration. | runjail adds Docker‑compatible runtime, vmm module for hardware acceleration. |
| OpenBSD | None (no jail‑like facility). | vmm – lightweight hypervisor with KVM compatibility. | Security‑first design, minimal attack surface. |
| NetBSD | None (no built‑in container system). | Xen, bhyve, hyper‑v support via kernel modules. | Broad hardware support, but tooling is fragmented. |
| DragonFlyBSD | Vkernel – lightweight kernel instance for isolation, roughly comparable to a micro‑VM. | — | Vkernel enables fast, low‑overhead sandboxing, ideal for micro‑services. |
Combining FreeBSD Jails with OpenBSD pf yields a powerful model: Jails give process isolation, while pf provides fine‑grained packet filtering and NAT.
Derivatives, Specialty Distributions and Ecosystem
| Derivative | Base BSD | Target Audience | Key Characteristics |
| --- | --- | --- | --- |
| GhostBSD | FreeBSD | Desktop users (GNOME/KDE) | One‑click installer, optional ZFS root, encrypted home directories. |
| MidnightBSD | FreeBSD | Desktop & entry‑level server | midnightbsd-install, graphical installer, own pkgsrc‑based package manager. |
| TrueNAS CORE | FreeBSD | NAS appliance | Full ZFS management UI, VM support, replication, commercial support available. |
Web UI, extensive plugin ecosystem, commercial support available.
NAS / storage appliance: TrueNAS CORE (FreeBSD) – Full ZFS UI, VM support, replication, enterprise features.
Research / development: NetBSD – Portability, pkgsrc works across many platforms.
When making a decision, also weigh community activity, package availability (Ports vs. pkg vs. pkgsrc), licensing constraints, and support options (mailing lists, issue trackers, commercial vendors).
Future Roadmaps and Development Plans
FreeBSD 15.x – Continued ZFS evolution (ZFS 2.2 with improved scrubbing and compression), GPU pass‑through for bhyve, tighter Kubernetes integration via csi‑freebsd.
NetBSD 10 – Strong focus on RISC‑V support (new toolchains, device‑tree), pkgsrc extensions for container orchestration, modernised network‑stack libraries.
DragonFlyBSD 6 – Final stabilisation of HAMMER2, new Vkernel features (namespace isolation, cgroup‑like limits), optional ZFS ports for hybrid setups.
Derivatives: TrueNAS SCALE (Debian‑based) challenges the FreeBSD‑based CORE, while pfSense 2.8 adds eBPF support for advanced packet processing pipelines.
References, Further Reading and Community Links
FreeBSD Project – Official Documentation: https://www.freebsd.org/docs/
Qt 6.10 is one of those releases that doesn’t radically change how you build Qt applications, but smooths out many edges that mattered in day‑to‑day work: accessibility, layouting, vector animations, data integration between C++ and QML, and developer ergonomics around models and bindings.
Here is a structured overview of the key changes in Qt 6.10, based on the official release information.
Accessibility: High‑contrast and assistive tech
Qt 6.10 makes a noticeable push on accessibility:
High‑contrast mode across platforms:
Built‑in styles now better respect system‑level high‑contrast settings on major platforms.
The goal is for Qt applications to visually align with the rest of the OS environment while improving readability.
As an application developer, you get better contrast behavior essentially “for free” when users enable high‑contrast mode at the OS level.
Improved integration with assistive technologies:
Qt Widgets and Qt Quick Controls have been refined to present themselves more cleanly to assistive technology clients such as screen readers.
The WebAssembly platform in particular benefits from better accessibility integration.
Many of these changes are also being back‑ported to LTS branches via patch releases.
In short: Qt 6.10 helps you get closer to accessibility requirements without forcing you to add platform‑specific hacks everywhere.
Qt Quick: FlexboxLayout and modern UI building blocks
Qt Quick continues to evolve as the main UI technology. Qt 6.10 introduces several notable features.
FlexboxLayout (Tech Preview)
New FlexboxLayout type for Qt Quick, inspired by CSS Flexbox.
Benefits:
More natural behavior on screens with varying sizes and aspect ratios.
Less custom layout code for responsive UIs.
Familiar mental model for developers coming from web/CSS.
Integration:
Integrates with the existing Qt Quick layout system (attached properties etc.).
Currently a technology preview, so the API may still change before the next LTS release.
Animated vector graphics (SVG & Lottie)
Qt 6.10 builds on the vector/SVG improvements introduced in earlier 6.x releases:
VectorImage (introduced in 6.8) is extended:
Supports animated vector graphics in
SVG format, and
Lottie format.
Qt Lottie module:
Improved support for modern Lottie files.
Lottie assets can now be rendered as scalable, hardware‑accelerated vector graphics directly in the Qt Quick scene graph.
For designers and UI developers, this makes it much easier to bring rich motion design from tools like Figma/After Effects (via Lottie) into Qt applications.
New Quick Control: SearchField
Specialized control for search input.
Provides:
Native look and feel on all major platforms, like other Qt Quick Controls.
A built‑in suggestion popup driven by a model (e.g., QAbstractItemModel or QML models).
Works particularly well with the new data/model helpers described below.
Making C++ ↔ QML data integration easier
Bridging C++ backend logic and QML/Qt Quick UIs has always been powerful but sometimes verbose. Qt 6.10 adds several features to reduce boilerplate.
QRangeModel: use C++ ranges directly as models
QRangeModel is a lightweight QAbstractItemModel implementation designed to expose C++ ranges (e.g. std::vector, std::array, or other iterable containers) as models.
Capabilities:
Handles both simple values (ints, strings, …) and more complex types (GADGETs, std::tuple, etc.).
Automatically defines roles for the data it exposes.
Works with both Qt Widgets views and QML/Qt Quick views.
In many common cases, this removes the need to implement custom QAbstractItemModel subclasses just to show a C++ container in a view.
delegateModelAccess: writing back to the model is less awkward
Previously, writing from a delegate back into the model often required:
Directly accessing the model object in the delegate, or
Using context properties and custom signal/slot code.
In Qt 6.10, views can set delegateModelAccess: DelegateModel.ReadWrite, which allows required properties in delegates to write back into the model directly. This fits nicely with the recommended pattern of using required properties for model data and reduces glue code in larger QML UIs.
Synchronizer: two‑way and multi‑way bindings
New Synchronizer element (Tech Preview, in the Qt.labs.synchronizer module).
Purpose:
Keep multiple properties in sync as far as possible, without breaking their individual bindings.
Works with properties implemented in C++ or QML.
Practical impact:
Common patterns like “control ↔ model value” can be expressed declaratively without extra signal handlers.
QML TreeModel
New TreeModel QML type for declaring tree data structures directly in QML.
Targeted at:
Prototyping,
small datasets,
and situations where a full C++ tree model layer would be overkill.
Taken together, these features make the boundary between C++ backends and QML frontends more comfortable to work with.
Qt Graphs: new FilledSurface graph and more
Qt Graphs continues to evolve in Qt 6.10:
New graph types and refinements:
One notable addition is the “FilledSurface” graph type, useful for visualizing filled surfaces.
Better integration with Qt Quick and the new layout/vector features.
If you are already using Qt Graphs, it is worth checking the module‑specific release notes for details.
Other improvements and platform updates
As always, Qt 6.10 comes with a wider set of refinements:
Platform integration:
Official support aligns with current versions of major desktop, mobile, and embedded platforms (see the release note and wiki for specifics).
Bug fixes and polish:
Numerous bug fixes across modules (Widgets, Quick, Network, etc.).
The detailed release notes for 6.10.0–6.10.2 list the low‑level changes.
Conclusion
Qt 6.10 is not a disruptive release, but it addresses many things that matter in real projects: