Category: FreeBSD

FreeBSD Weekly Roundup: May 11–17, 2026

Thorsten Geppert Leave a comment

This week saw the third beta of FreeBSD 15.1, a critical execve() privilege escalation vulnerability, the KDE desktop installer option being pushed to 15.2, and two libnv security advisories that remain highly relevant. Here’s your summary.

FreeBSD 15.1 Beta 3 Released

FreeBSD 15.1-BETA3 was released over the weekend as the latest weekly test candidate. The release is entering its final stretch — the Release Candidate (RC) is expected next week, and if all goes well, FreeBSD 15.1-RELEASE is targeted for June 2, 2026.

Key changes in Beta 3:

  • OpenZFS 2.4.2 has been integrated — the latest OpenZFS release with various fixes and minor enhancements.
  • Cloud images now automatically run pkg upgrade on first boot to apply security updates to the base system. A sensible improvement for cloud deployments that often start from stale images.
  • Kerberos has been updated.
  • bsdinstall scripted installations now use pkgbase.

The beta cycle has been relatively smooth so far. BETA1 and BETA2 in previous weeks brought Zstd 1.5.7, userland fixes for ifconfig, lockf, stat, tail, and certctl, plus kernel fixes for nullfs, so_splice, and VT.

BETA2 Recap (May 8)

  • Updated to Zstd 1.5.7
  • bsdinstall now consistently uses pkg.freebsd.org for package bootstrap
  • Various userland and kernel bug fixes

Critical execve() Privilege Escalation — CVE-2026-7270

A serious kernel vulnerability disclosed in late April continues to generate discussion. FreeBSD-SA-26:13.execdescribes an operator-precedence error in the execve(2) implementation that leads to a buffer overflow. Attacker-controlled data can spill into adjacent argument buffers, corrupt kernel state, and grant unprivileged users root access.

The flaw affects all supported FreeBSD releases (13.5 through the 15 branch). Patches were published within hours, adding explicit parentheses to enforce the intended evaluation order and tightening size checks.

Community Reaction

  • Positive: Rapid response — the advisory went live less than an hour after discovery, with patches available for every supported branch the same day.
  • Concerns: There is no workaround. Administrators who can’t immediately reboot (e.g., high-availability systems) remain exposed.
  • Source-based installations require kernel recompilation and reboot, which can take hours on older hardware.
  • Early adopters on the 15 branch reported a minor regression in custom execve wrapper scripts that relied on the previous (buggy) argument handling.

Two libnv Security Advisories (SA-26:16 and SA-26:17)

Also disclosed on April 29, two libnv vulnerabilities remain relevant for anyone who hasn’t patched yet:

  • SA-26:16 (CVE-2026-39457): Stack overflow via select() file descriptor set overflow — when a socket descriptor exceeds FD_SETSIZE (1024), select(2) overflows its file descriptor set. An attacker who can force a program to open many descriptors can trigger stack corruption and potentially escalate privileges via setuid-root programs. Discovered by Joshua Rogers (AISLE Research Team).
  • SA-26:17 (CVE-2026-35547): Heap overflow in libnv — message size is not properly validated when processing headers, enabling out-of-bounds writes on the heap. This can cause crashes, panics, or potential privilege escalation by unprivileged users. Discovered by Mariusz Zaborski.

Both affect all supported FreeBSD versions with no workaround. Upgrade and reboot are mandatory.

KDE Desktop Installer Option Delayed to FreeBSD 15.2

The long-awaited KDE desktop installation option in the FreeBSD installer has been delayed again — this time from 15.1 to FreeBSD 15.2 (expected December 2026). Originally planned for 15.0, then moved to 15.1, the installation script needs updates for new NVIDIA drivers and removal of obsolete components. After committing to CURRENT, a testing period in STABLE is required, which no longer fits the 15.1 timeline.

Until then, KDE Plasma can be set up manually via pkg after installation.

Mailing List Discussions

Update Strategy and Timing (freebsd-current)

Bob Prohaska kicked off a discussion about preferred update strategies for self-hosted FreeBSD systems. On stable branches, freebsd-update is straightforward. On current, things get more complex. Warner Losh, Rick Macklem, Mark Millard, and others weighed in on the trade-offs of different approaches — a worthwhile read for anyone running current in production.

PKGBASE: Upgrading 15.0 to 15.1-BETA2

Vermaden asked about the upgrade path from FreeBSD 15.0-RELEASE to 15.1-BETA2 using the PKGBASE model. Colin Percival confirmed this path isn’t fully documented yet. The PKGBASE system remains marked as experimental, and the minor-release upgrade workflow needs more work.

Beach Cleaning Project: Infrastructure Cleanup

The FreeBSD Foundation published a detailed report on the Beach Cleaning Project in late April that continues to draw attention:

  • Machine-readable inventory of over 1,000 components in the base system, including 73 third-party imports
  • OpenSSL 3.5 LTS was integrated in time for FreeBSD 15.0 (replacing OpenSSL 3.0, which reaches EOL September 2026)
  • SBOM generation in SPDX 2 and SPDX 3 formats
  • CODEOWNERS-style reports for better maintainability
  • Preparation for importing pkg into the base system as part of the pkgbase transition

The project was funded by Alpha-Omega and produced practical tooling, security assessments, and implementation plans that will serve FreeBSD development well beyond the project’s lifespan.

Blog Posts This Week

Vermaden: FreeBSD PKGBASE Minor Upgrades

Vermaden published a practical guide for upgrading FreeBSD 15.0 to 15.1-BETA2 using PKGBASE and ZFS Boot Environments. The walkthrough covers creating a new BE, configuring the pkg repository, upgrading the base system, and rolling back if needed — including an alternative approach using --chroot.

Going Back to BSD

Pete shared a personal blog post about returning to BSD after decades on Linux. He describes moving from Arch Linux to FreeBSD, setting up mail servers with Bastille jails, and appreciating the simplicity of the rc system compared to systemd. A nostalgic and practical read.

Looking Ahead

Next week will see the Release Candidate for FreeBSD 15.1. If no unexpected issues arise, the final release is expected on June 2, 2026. Administrators should patch the three security vulnerabilities (execve, libnv x2) immediately if they haven’t already.

Sources: PhoronixFreeBSD Mailing ListsFreeBSD Security AdvisoriesFreeBSD FoundationVermaden BlogLavX Newspeteftw.com

FreeBSD Weekly Roundup: May 4–11, 2026

admin Leave a comment

Published May 11, 2026

The past week has been one of the most eventful in the FreeBSD project in quite some time: two beta releases, a massive security advisory bundle, eye-catching AI-driven vulnerability discoveries, and a new blog post on the pkgbase upgrade path. Here’s the rundown.

FreeBSD 15.1: Beta 1 and Beta 2 Released

The release cycle for FreeBSD 15.1 is gaining momentum. After Colin Percival announced 15.1-BETA1 on May 2, 15.1-BETA2 followed on May 8 — the weekly cadence is holding.

Changes in Beta 2 (vs. Beta 1)

  • Zstd updated to 1.5.7 — latest upstream compression support
  • less updated to v692
  • bsdinstall now consistently uses pkg.FreeBSD.org for package bootstrap operations
  • nuageinit only parses user_data as YAML when necessary
  • rtadvd(8) now honors pltime and vltime in interface declarations
  • Various userland bug fixes: ifconfig(8), lockf(1), stat(1), tail(1), certctl(8)
  • Kernel bug fixes: nullfs, so_splice, vt(4)
  • Miscellaneous manual page and test fixes

Available Architectures

Images are available for amd64, powerpc64, powerpc64le, armv7, aarch64 (including RPI, PINE64, ROCK64 variants), and riscv64. Additionally, VM disk images (QCOW2, VHD, VMDK, Raw), OCI container images (static, dynamic, runtime, notoolchain, toolchain), and Amazon EC2 AMIs are provided.

Schedule

  • Beta 3 expected next week
  • Release Candidate the week after
  • 15.1-RELEASE on June 2, 2026 — if all goes according to plan

Critical Security Vulnerabilities — 8 Advisories on April 29

On April 29, FreeBSD published a large batch of security advisories that were widely discussed this week:

AdvisoryModuleDescriptionSeverity
SA-26:11amd64Missing large page handling in pmap_pkru_update_range()High
SA-26:12dhclientRemote code execution via malicious DHCP options (CVE-2026-42511)Critical
SA-26:13execveLocal privilege escalation via execve(2)High
SA-26:14pfStack overflow parsing crafted SCTP packetsHigh
SA-26:15dhclientRemotely triggerable out-of-bounds heap write in dhclientCritical
SA-26:16libnvStack overflow via select() file descriptor set overflowHigh
SA-26:17libnvHeap overflow in libnvHigh

Additionally, EN-26:11 was published on May 1: an errata notice correcting overly strict dhclient lease validation behavior — a side effect of the security fixes.

The 21-Year-Old dhclient RCE (CVE-2026-42511)

Particularly notable: the vulnerability in dhclient (SA-26:12) had existed in the code for over 20 years. The BOOTP file field was written to the lease file without escaping embedded double-quotes, enabling injection of arbitrary dhclient.conf directives — and thus remote code execution after a system restart.

AI-Driven Vulnerability Research: AISLE vs. Anthropic Mythos

On May 7, AISLE published a blog post that made waves: their multi-model system had discovered three critical vulnerabilities in FreeBSD — independently of and in parallel with the findings made by Anthropic’s “Claude Mythos.”

AISLE’s findings:

  1. The 21-year-old dhclient RCE (CVE-2026-42511)
  2. A remotely triggerable heap buffer overflow in dhclient
  3. A stack buffer overflow in ping6 (local privilege escalation)

All three were discovered on April 13, reported on April 14, and patched on April 29.

The debate AISLE’s findings sparked is noteworthy: AI-powered security systems can be very effective even with smaller, cheaper models — a well-designed system beats pure scaling through larger models. AISLE references their research showing that security capability is “jagged”: small models can outperform larger ones at many security-relevant tasks.

FreeBSD Foundation: “Cleaning Up Critical Infrastructure”

On April 20 (still widely discussed this week), the FreeBSD Foundation published a detailed blog post about the Alpha-Omega Beach Cleaning Project. Key points:

  • OpenSSL 3.5 LTS was integrated in time for FreeBSD 15.0 — avoiding an unsupported fork of OpenSSL 3.0 (EOL September 2026) for over four years
  • A machine-readable inventory of the base system was created: over 1,000 components in a YAML-based database, including 73 third-party imports
  • SBOM generation via SPDX 2 and SPDX 3 formats
  • CODEOWNERS-style reports for better maintainership tracking
  • Preparation for importing pkg into the base system as part of the pkgbase transition

Vermaden: PKGBASE Minor Upgrades with ZFS Boot Environments

On May 10, well-known FreeBSD blogger Vermaden published a practical guide for minor upgrades (e.g., 15.0 to 15.1) using PKGBASE and ZFS Boot Environments. Since PKGBASE is still marked as experimental and freebsd-update(8) is no longer available for minor releases, he demonstrates two methods:

  1. Classic method: Create a new ZFS BE, chroot, configure pkg.repo, run pkg upgrade -r FreeBSD-base
  2. Alternative method: Use pkg --chroot and ABI/OSVERSION overrides without manual devfs mounting

Both methods allow a safe rollback via ZFS Boot Environments if the upgrade causes issues.

Q1 2026 Status Report: 45 Entries

The FreeBSD Status Report for the first quarter of 2026 was published on April 23 — with a record 45 entries. Highlights:

  • Cyber Resilience Act (CRA) Readiness Project — preparing for EU regulation
  • amd64 FRED support — new CPU flexibility features
  • LinuxKPI 802.11 and Native Wireless Update — WiFi driver progress
  • Suspend/Resume and Hibernate improvements
  • Sylve — a unified system management platform for FreeBSD
  • daemonless — native FreeBSD OCI containers without a daemon
  • KDE on FreeBSD — Plasma 6 and Wayland progress
  • FreeBSD on EC2 and STACKIT Cloud Integration
  • bhyve: Full CPUID Control, Management GUI

Looking Ahead

With Beta 3 coming next week and the Release Candidate after that, FreeBSD 15.1-RELEASE on June 2 is fast approaching. Anyone running supported versions should urgently apply the April 29 security advisories — especially the critical dhclient RCE. And for those testing pkgbase, Vermaden’s guide provides a solid starting point.

Links:

FreeBSD Weekly Roundup: April 20–27, 2026

admin Leave a comment

This week brought two critical security advisories (both discovered with AI-assisted fuzzing), a bumper Q1 status report with 45 entries, and the official start of the 15.1 release cycle. If you’re still on FreeBSD 13.5, the clock is ticking.

Two Security Advisories, One Day

On April 21, the FreeBSD Security Team released two advisories — both credited to Nicholas Carlini using Claude (Anthropic). AI-assisted fuzzing finding two independent kernel bugs is noteworthy and signals a shift in how vulnerability research is done.

SA-26:10.tty — Use-After-Free in TIOCNOTTY Handler (CVE-2026-5398, CVSS 8.4 HIGH)

The TIOCNOTTY ioctl lets a process detach from its controlling terminal. The implementation failed to clear a back-pointer from the terminal structure to the calling process’s session. When the process subsequently exits, the terminal structure retains a dangling pointer to freed memory — which a malicious process can exploit to escalate to root.

All supported FreeBSD versions are affected (13.5, 14.3, 14.4, 15.0). No workaround exists. Patch and reboot.

SA-26:11.amd64 — Missing Large Page Handling in pmap_pkru_update_range() (CVE-2026-6386)

The pmap_pkru_update_range() function updates page table entries when applying Memory Protection Keys (PKRU) to an address range. It didn’t account for 1GB large page mappings created via shm_create_largepage(). Instead of recognizing a page directory entry as a large page, it treated it as a pointer to another page table page.

The result: an unprivileged user can trick the kernel into treating userspace memory as a page table, overwriting memory they shouldn’t have access to. Affects all supported versions on amd64. No workaround.

Takeaway: If you run amd64 systems, patch immediately. Both bugs are locally exploitable, and SA-26:10 leads directly to root. The AI-assisted discovery method is a clear signal: defenders need to adopt these tools as fast as attackers already have.

Q1 2026 Status Report: 45 Entries

The Q1 2026 Status Report landed on April 22 with 45 entries — the first under a newly enforced editorial schedule. Highlights:

Alpha-Omega Beach Cleaning

The FreeBSD Foundation continues its Beach Cleaning project, funded by the Linux Foundation’s Alpha-Omega initiative. The goal: proactively find and fix security vulnerabilities in third-party base system software. The repository includes build infrastructure and fuzzing setups for components like libxml2, SQLite, and other base system dependencies. The connection to this week’s two SAs is obvious — structured fuzzing pays off.

Cyber Resilience Act (CRA) Readiness

The EU’s Cyber Resilience Act is law, and FreeBSD must prepare. The Foundation launched a dedicated CRA Readiness project with monthly updates. Core questions: Which SBOM requirements apply? How is vulnerability management documented? Anyone deploying FreeBSD in EU-compliant products should follow this closely.

Laptop Testing & Integration

The Laptop Integration Testing Project introduced a Python application that automates FreeBSD compatibility testing on laptops. The Foundation is asking the community to submit hardware probes to build a public compatibility matrix. Other laptop progress:

  • S0ix (Modern Standby): Suspend/Resume support for modern laptops
  • Hibernate (Suspend-to-Disk): Under active development
  • CPPC: AMD CPPC support for Zen 2+ processors (out-of-tree module available)
  • Intel FRED: Konstantin Belousov (kib) submitted initial patches for Intel’s Flexible Return and Event Delivery — CPUID, MSR, and CR4 bits are in main, full FRED support is under review

Sylvea v0.2.3

The management tool Sylvea reached v0.2.3 with enhanced jail and VM support. A lightweight GUI for Bhyve, Jails, ZFS, and networking — an interesting alternative to web-based tools like TrueNAS.

HPC Initiative

FreeBSD is getting ports for Slurm, OpenMPI, and UCX — high-performance computing is landing on the platform. Niche, but strategically important.

Cloud

FreeBSD on EC2 with updated AMIs, plus a new STACKIT Cloud integration (a European cloud provider in the IAD group).

Ports Updates

  • KDE Plasma 6.6.3
  • OpenJDK 21/25
  • Wazuh 4.14.3 (Security Monitoring)

FreeBSD 15.1: Code Slush Reached

The 15.1 release cycle hit Code Slush on April 17 — commits to the stable/15 branch no longer require explicit approval, but new features should be avoided. The remaining schedule:

MilestoneDate
releng/15.1 branchMay 1, 2026
BETA1May 1, 2026
BETA2May 8, 2026
BETA3May 15, 2026
RC1May 22, 2026
RELEASEJune 2, 2026

FreeBSD 15.0 reaches end-of-life on September 30, 2026. Stable/15 will be supported through December 2029.

FreeBSD 13.5: EOL on April 30

Anyone still running FreeBSD 13.5 has less than a week to upgrade. Support ends April 30 — no more security patches after that. The Release Engineering Team has already stopped weekly snapshot builds for stable/13.

Migration to 14.4 or 15.0 is now urgent. Especially given SA-26:10 and SA-26:11, running an EOL version would be negligent.

ZFS: Snapshot Automount Deadlock Fixed

Hamza (ixhamza) contributed two significant ZFS fixes:

  1. Snapshot automount deadlock during concurrent zfs recv — When a snapshot is automounted while zfs recv is running, the system could deadlock. The fix reorganizes the locking order.
  2. AVL tree panic from snapshot automount race — A race condition during parallel snapshot mounts could trigger an AVL tree panic. Solved by switching to AVL lookup instead of linear scan.

Additionally, a memory leak in zfsctl_snapshot_mount was fixed — the options structure wasn’t being properly freed.

For anyone running zfs recv in production (and you should be if you do replication), these fixes matter. The deadlock was hitting real users, as open issue #18073 confirms.

BastilleBSD Hiring Plans

BastilleBSD announced plans to hire a part-time FreeBSD/Bastille sysadmin (~20 hrs/week), targeting EMEA/APAC time zones. The role involves working with Bastille’s creator on a cybersecurity startup, with an expected start in mid-to-late 2026. A sign that the FreeBSD jail management ecosystem is professionalizing.

TopBar: Wayland Desktop Environment

TopBar was featured on DiscoverBSD — a customizable desktop environment built with Quickshell and QML for Wayland compositors like MangoWM and Hyprland. It integrates a status bar, app launcher, lock screen, and wallpaper manager into a single cohesive system. For FreeBSD laptop users exploring Wayland, this is worth watching.

ZFS Performance Without New Hardware

A DiscoverBSD article rounded up ZFS performance tips that don’t require hardware investment:

  • Tune recordsize to workload (16K for databases, 1M–4M for storage)
  • Enable LZ4 compression — often reduces I/O overhead rather than increasing it
  • Pool topology: Replace wide RAIDz configs with mirrored VDEVs for more parallelism
  • Disable prefetch for random-access workloads (databases)

Nothing new for ZFS veterans, but a solid reference for newcomers.

What This Week Means

Two critical SAs in one week, both discovered via AI-assisted fuzzing — that’s a wake-up call. The tools are getting better, and attackers will use them too. The Q1 status report shows a healthy project: laptop support is growing, HPC is arriving, CRA preparation is professional. And with the code slush for 15.1, the next release is approaching.

If you’re on 13.5: upgrade now. If you’re on 15.0 or 14.4: patch now. Anything else is negligent.

FreeBSD Weekly Roundup: April 20–27, 2026

Thorsten Geppert Leave a comment

This week brought two critical security advisories (both discovered with AI-assisted fuzzing), a bumper Q1 status report with 45 entries, and the official start of the 15.1 release cycle. If you’re still on FreeBSD 13.5, the clock is ticking.

Two Security Advisories, One Day

On April 21, the FreeBSD Security Team released two advisories — both credited to Nicholas Carlini using Claude (Anthropic). AI-assisted fuzzing finding two independent kernel bugs is noteworthy and signals a shift in how vulnerability research is done.

SA-26:10.tty — Use-After-Free in TIOCNOTTY Handler (CVE-2026-5398, CVSS 8.4 HIGH)

The TIOCNOTTY ioctl lets a process detach from its controlling terminal. The implementation failed to clear a back-pointer from the terminal structure to the calling process’s session. When the process subsequently exits, the terminal structure retains a dangling pointer to freed memory — which a malicious process can exploit to escalate to root.

All supported FreeBSD versions are affected (13.5, 14.3, 14.4, 15.0). No workaround exists. Patch and reboot.

SA-26:11.amd64 — Missing Large Page Handling in pmap_pkru_update_range() (CVE-2026-6386)

The pmap_pkru_update_range() function updates page table entries when applying Memory Protection Keys (PKRU) to an address range. It didn’t account for 1GB large page mappings created via shm_create_largepage(). Instead of recognizing a page directory entry as a large page, it treated it as a pointer to another page table page.

The result: an unprivileged user can trick the kernel into treating userspace memory as a page table, overwriting memory they shouldn’t have access to. Affects all supported versions on amd64. No workaround.

Takeaway: If you run amd64 systems, patch immediately. Both bugs are locally exploitable, and SA-26:10 leads directly to root. The AI-assisted discovery method is a clear signal: defenders need to adopt these tools as fast as attackers already have.

Q1 2026 Status Report: 45 Entries

The Q1 2026 Status Report landed on April 22 with 45 entries — the first under a newly enforced editorial schedule. Highlights:

Alpha-Omega Beach Cleaning

The FreeBSD Foundation continues its Beach Cleaning project, funded by the Linux Foundation’s Alpha-Omega initiative. The goal: proactively find and fix security vulnerabilities in third-party base system software. The repository includes build infrastructure and fuzzing setups for components like libxml2, SQLite, and other base system dependencies. The connection to this week’s two SAs is obvious — structured fuzzing pays off.

Cyber Resilience Act (CRA) Readiness

The EU’s Cyber Resilience Act is law, and FreeBSD must prepare. The Foundation launched a dedicated CRA Readiness project with monthly updates. Core questions: Which SBOM requirements apply? How is vulnerability management documented? Anyone deploying FreeBSD in EU-compliant products should follow this closely.

Laptop Testing & Integration

The Laptop Integration Testing Project introduced a Python application that automates FreeBSD compatibility testing on laptops. The Foundation is asking the community to submit hardware probes to build a public compatibility matrix. Other laptop progress:

  • S0ix (Modern Standby): Suspend/Resume support for modern laptops
  • Hibernate (Suspend-to-Disk): Under active development
  • CPPC: AMD CPPC support for Zen 2+ processors (out-of-tree module available)
  • Intel FRED: Konstantin Belousov (kib) submitted initial patches for Intel’s Flexible Return and Event Delivery — CPUID, MSR, and CR4 bits are in main, full FRED support is under review

Sylvea v0.2.3

The management tool Sylvea reached v0.2.3 with enhanced jail and VM support. A lightweight GUI for Bhyve, Jails, ZFS, and networking — an interesting alternative to web-based tools like TrueNAS.

HPC Initiative

FreeBSD is getting ports for Slurm, OpenMPI, and UCX — high-performance computing is landing on the platform. Niche, but strategically important.

Cloud

FreeBSD on EC2 with updated AMIs, plus a new STACKIT Cloud integration (a European cloud provider in the IAD group).

Ports Updates

  • KDE Plasma 6.6.3
  • OpenJDK 21/25
  • Wazuh 4.14.3 (Security Monitoring)

FreeBSD 15.1: Code Slush Reached

The 15.1 release cycle hit Code Slush on April 17 — commits to the stable/15 branch no longer require explicit approval, but new features should be avoided. The remaining schedule:

MilestoneDate
releng/15.1 branchMay 1, 2026
BETA1May 1, 2026
BETA2May 8, 2026
BETA3May 15, 2026
RC1May 22, 2026
RELEASEJune 2, 2026

FreeBSD 15.0 reaches end-of-life on September 30, 2026. Stable/15 will be supported through December 2029.

FreeBSD 13.5: EOL on April 30

Anyone still running FreeBSD 13.5 has less than a week to upgrade. Support ends April 30 — no more security patches after that. The Release Engineering Team has already stopped weekly snapshot builds for stable/13.

Migration to 14.4 or 15.0 is now urgent. Especially given SA-26:10 and SA-26:11, running an EOL version would be negligent.

ZFS: Snapshot Automount Deadlock Fixed

Hamza (ixhamza) contributed two significant ZFS fixes:

  1. Snapshot automount deadlock during concurrent zfs recv — When a snapshot is automounted while zfs recv is running, the system could deadlock. The fix reorganizes the locking order.
  2. AVL tree panic from snapshot automount race — A race condition during parallel snapshot mounts could trigger an AVL tree panic. Solved by switching to AVL lookup instead of linear scan.

Additionally, a memory leak in zfsctl_snapshot_mount was fixed — the options structure wasn’t being properly freed.

For anyone running zfs recv in production (and you should be if you do replication), these fixes matter. The deadlock was hitting real users, as open issue #18073 confirms.

BastilleBSD Hiring Plans

BastilleBSD announced plans to hire a part-time FreeBSD/Bastille sysadmin (~20 hrs/week), targeting EMEA/APAC time zones. The role involves working with Bastille’s creator on a cybersecurity startup, with an expected start in mid-to-late 2026. A sign that the FreeBSD jail management ecosystem is professionalizing.

TopBar: Wayland Desktop Environment

TopBar was featured on DiscoverBSD — a customizable desktop environment built with Quickshell and QML for Wayland compositors like MangoWM and Hyprland. It integrates a status bar, app launcher, lock screen, and wallpaper manager into a single cohesive system. For FreeBSD laptop users exploring Wayland, this is worth watching.

ZFS Performance Without New Hardware

A DiscoverBSD article rounded up ZFS performance tips that don’t require hardware investment:

  • Tune recordsize to workload (16K for databases, 1M–4M for storage)
  • Enable LZ4 compression — often reduces I/O overhead rather than increasing it
  • Pool topology: Replace wide RAIDz configs with mirrored VDEVs for more parallelism
  • Disable prefetch for random-access workloads (databases)

Nothing new for ZFS veterans, but a solid reference for newcomers.

What This Week Means

Two critical SAs in one week, both discovered via AI-assisted fuzzing — that’s a wake-up call. The tools are getting better, and attackers will use them too. The Q1 status report shows a healthy project: laptop support is growing, HPC is arriving, CRA preparation is professional. And with the code slush for 15.1, the next release is approaching.

If you’re on 13.5: upgrade now. If you’re on 15.0 or 14.4: patch now. Anything else is negligent.

FreeBSD Weekly Review – April 14–20, 2026

admin Leave a comment

A summary of the most important developments, security advisories, and discussions in the FreeBSD ecosystem over the past week.

Release Engineering: 15.1 Approaches Code Slush

On April 17, the stable/15 code slush began in preparation for FreeBSD 15.1. The full schedule, published by Release Engineering Lead Colin Percival back in January, looks like this:

MilestoneDate
Ports Quarterly BranchApril 1, 2026
stable/15 SlushApril 17, 2026
doc/ Tree SlushApril 24, 2026
releng/15.1 BranchMay 1, 2026
BETA1May 1, 2026
BETA2May 8, 2026
BETA3May 15, 2026
RC1May 22, 2026
RELEASE BuildMay 29, 2026
RELEASE AnnouncementJune 2, 2026

Percival noted in January that 15.1 might be “a relatively bumpy minor release” given the experience with 15.0, particularly due to additional pkgbase changes. Meanwhile, stable/13 reaches its End-of-Life at the end of April — weekly snapshot builds for that branch will cease.

Security: SA-26:08 — Critical Stack Overflow in rpcsec_gss

Perhaps the most notable security development of recent weeks is FreeBSD Security Advisory SA-26:08, which describes a stack overflow in svc_rpc_gss_validate(). The vulnerability allows remote code execution and affects all supported FreeBSD versions. Patches are available for 15.0-RELEASE-p5 and the 14.x series.

What makes this advisory remarkable: the vulnerability was discovered and exploited by Nicholas Carlini using Claude AI (Anthropic) — an early example of AI-assisted security research uncovering real kernel vulnerabilities. The fix commit by Mark Johnston (143293c) addresses the buffer overflow in the GSS validation routine.

Q1 2026 Status Reports Published

The FreeBSD status reports for the first quarter of 2026 are now online. The Release Engineering Team update documents the successful 14.4-RELEASE publication in March and the ongoing planning for 15.1.

Laptop Project: Community Testing Call

The FreeBSD Foundation published a Call for Testing for the Laptop Integration Testing Project on April 6. Following the Year-One Update in February, the team has been building testing infrastructure since January. Community members can now test their laptops:

pkg install python hw-probe
git clone https://github.com/FreeBSDFoundation/freebsd-laptop-testing
cd freebsd-laptop-testing
make

The testing tool automatically probes laptop hardware and creates anonymized reports that can be submitted via Pull Request. Results feed into a public compatibility matrix at freebsdfoundation.github.io/freebsd-laptop-testing.

OpenZFS: Native relatime Property

On April 1, OpenZFS gained a native relatime property (commit 1685849 by @amotin). Relatime (relative atime) only updates a file’s access time when it is older than its modification or status change time, significantly reducing unnecessary write operations — especially beneficial for SSDs and caches. Previously only configurable via mount options, relatime can now be set natively per dataset.

Ports: GNU ld Checks Removed

Brooks Davis committed a tree-wide cleanup (d87609e) on April 13, removing all checks for whether the base linker is GNU ld. Since FreeBSD adopted lld (the LLVM linker) as default, these checks have been obsolete. The commit affects Makefiles across the entire ports tree.

Mailing Lists

IPv6-Only RA: Proposal to Adopt RFC 8925

Pouria Mousavizadeh Tehrani proposed on freebsd-current to remove the experimental implementation of the IETF draft DRAFT_IETF_6MAN_IPV6ONLY_FLAG and adopt RFC 8925 (IPv6-Only preference via DHCP option) instead. The backstory is interesting: Bjoern Zeeb originally proposed marking networks as IPv6-only via an RA flag. The draft was abandoned because RAs can be trivially forged — an attacker could maliciously disable IPv4 networks. Google later submitted the same idea as a DHCP option, which became RFC 8925. Pouria is seeking feedback on removing the draft-specific code paths from the kernel and userland.

Kqueue Panic: knlist Assertions Added

A kernel panic — “knote was already on knlist” — was reported on freebsd-current after build main-n284826. Kyle Evans (kevans91) responded by adding assertions in knlist_add() and knlist_remove_kq() (commit 306c904) to catch such error states earlier and more reliably. The related bug report (Bug 293382) describes deadlocks and crashes around closefp_impl, suggesting the issue involves file descriptor closure and kqueue registration interaction.

FreeBSD Weekly Roundup: April 6–13, 2026

admin Leave a comment

Week 15 brings movement across several fronts: the 15.1 schedule is official, the Laptop Project calls for community testing, OpenZFS finally gets a native relatime property, and freebsd-current debates IPv6-only RA flags and a knote panic.

FreeBSD 15.1: Schedule Published, Code Slush on April 17

On April 3, the Release Engineers sent out the official schedule reminder for FreeBSD 15.1. Key dates:

MilestonePlanned
Code slush beginsApril 17, 2026
releng/15.1 branchMay 1
BETA1May 1
RC1May 22
RELEASEJune 2

Code slush starts this week: from April 17 onward, no new features should be committed to the stable/15 branch. Commits are still permitted, but the focus shifts to stability and bug fixes.

The release notes page already exists and lists planned improvements: KDE Plasma 6 desktop installer option, improved Realtek WiFi support (RTW88/RTW89), updated graphics drivers from Linux, and expanded power management features.

What this means: If you have changes you want in 15.1, the window is closing fast. After Friday, it’s beta season.

Laptop Integration Testing Project: Community Call to Action

The FreeBSD Foundation has launched a new community testing program: the Laptop Integration Testing Project. LWN reported on it April 6.

The idea: the Foundation has limited access to test hardware and wants community involvement. Volunteers can test FreeBSD on their laptops and submit results via a GitHub repository — without worrying about environment setup, formatting, or repo-specific details.

Particularly valuable: not just automated hardware enumeration, but also manual commentary about personal experience running FreeBSD on a given device. Results will be displayed in a public compatibility matrix.

What this means: Finally, a structured way to document laptop compatibility. If you run FreeBSD on a laptop, visit the repository and submit your results — every entry counts.

Repository: github.com/FreeBSDFoundation/freebsd-laptop-testing

OpenZFS: Native relatime Property for FreeBSD

Alexander Motin (amotin) merged a long-awaited commit into OpenZFS on April 1: relatime as a native ZFS property on FreeBSD.

Previously, FreeBSD users who wanted relatime (relative access-time updates — atime is only written if it’s older than mtime/ctime or older than 24 hours) had to rely on mount-option workarounds. With this commit, relatime becomes a proper ZFS dataset property, settable via zfs set relatime=on pool/dataset.

The implementation follows the Linux kernel logic: atime is updated only if at least one condition is met:

  • atime < mtime
  • atime < ctime
  • atime older than 24 hours

What this means: Fewer unnecessary ZFS writes on read access, especially on SSDs and laptops. If you need atime=on (e.g., for Maildir or backup tools), you can now set relatime=on and get the best of both worlds.

Mailing Lists: IPv6-only RA Flag Should Go

Pouria Mousavizadeh Tehrani proposed on freebsd-current (April 2) the removal of the IPv6-only RA draft implementation in favor of RFC 8925 (DHCP-based approach).

Background: Bjoern Zeeb had submitted an IPv6-only flag implementation as an IETF draft, also present in the FreeBSD kernel and userland (not compiled by default, behind DRAFT_IETF_6MAN_IPV6ONLY_FLAG). The draft was abandoned by the IETF because RA flags are trivially forgeable and could be used to maliciously disable IPv4 networks. RFC 8925 uses a DHCP option instead, which is better protected by DHCP snooping in practice.

Pouria is asking for consensus to remove the draft-specific code paths and migrate to RFC 8925. Bjoern is cc’d, and the discussion is ongoing.

What this means: If you’re using the experimental IPv6-only RA flag, plan to migrate to RFC 8925. The code cleanup is a good step — fewer dead paths in the kernel.

Mailing Lists: knote Panic and etcupdate Slowdown

Two active issues on freebsd-current:

knote Panic: After commit d9d7b5948649 (main-n284826), some users experience a panic: "knote ... was already on knlist...". Konstantin Belousov and Kyle Evans are working on diagnosis. The bug (Bugzilla #293382) involves closefp_impl and can cause deadlocks and kernel crashes. Affected: -CURRENT users after April 2.

etcupdate twice as slow: Bob Prohaska reports that etcupdate on armv7 (Raspberry Pi 2) now takes twice as long as before. Discussion with Dimitry Andric and Mark Millard suggests the root cause lies in the pkgbase transition and changed file structure — etcupdate must process more files.

What this means: -CURRENT users should watch for the knote bug fix. On armv7 systems, consider evaluating mergemaster as an alternative until the issue is resolved.

Ports: Chromium 146 and Security Updates

The Ports Collection received several updates this week:

  • Chromium 146.0.7680.177 (April 1, René Nagy) — current major release
  • Previously: Chromium 146.0.7680.164 with VuXML entry for vulnerabilities in versions < 146.0.7680.164
  • March 30: Revert of an upstream commit that broke file dialog behavior on FreeBSD

The continuous Chromium updates show active port maintainership — but also that upstream commits regularly cause FreeBSD-specific regressions.

New Committer: Kenneth Raplee

On April 4, Kenneth Raplee (kenrap@FreeBSD.org) was announced as a new ports committer. Welcome to the project!

Looking Ahead

  • April 17: Code slush for 15.1 begins — last chance for feature commits
  • The knote panic in -CURRENT needs a fix
  • The IPv6-only RA discussion may lead to a commit
  • The Laptop Testing Project hopes for first community results

FreeBSD Changes and Updates – Week of April 4, 2026

admin Leave a comment

Executive Summary

FreeBSD 14.4-RELEASE, announced on March 10, 2026, represents a significant milestone in the stable/14 branch with substantial improvements in security, virtualization, and cloud integration. This comprehensive overview covers the latest developments, security advisories, and technical enhancements in the FreeBSD ecosystem.

FreeBSD 14.4-RELEASE: Major Features

OpenSSH 10.0p2 with Post-Quantum Cryptography

The most notable security enhancement in FreeBSD 14.4 is the upgrade to OpenSSH 10.0p2, which introduces:

Hybrid Post-Quantum Algorithm: Default use of mlkem768x25519-sha256, combining traditional elliptic curve cryptography with post-quantum Kyber-based algorithms
Enhanced Key Exchange: Protection against future quantum computing threats while maintaining compatibility with existing infrastructure
Improved Authentication: Stronger security posture for SSH connections in enterprise environments

OpenZFS 2.2.9 Storage Enhancements

The OpenZFS filesystem receives significant updates:

Performance Improvements: Optimized ARC implementation and reduced memory overhead
Metadata Handling: Faster directory operations and improved metadata caching
Compression Enhancements: Better zstd compression ratios and performance
Snapshot Management: More efficient incremental send/receive operations

bhyve Virtualization: p9fs Integration

A groundbreaking feature for virtualization environments:

9P Filesystem Support: Native implementation of the 9P2000 protocol (p9fs) enables direct filesystem sharing between bhyve hosts and guests
Usage Examples:

# Mount p9fs share in guest
mount -t virtfs sharename /mnt

# Use as root filesystem (advanced)
vfs.root.mountfrom="p9fs:sharename" in /boot/loader.conf

Benefits: Simplified file sharing, reduced overhead compared to NFS/SMB, and improved security through protocol isolation

Cloud Integration: nuageinit Improvements

Enhanced cloud-init compatibility addresses enterprise deployment needs:

Better Metadata Handling: Improved parsing of cloud provider metadata formats
Network Configuration: More reliable network interface configuration in cloud environments
User Data Processing: Enhanced support for cloud-init user-data scripts and configurations

Security Enhancements

Encrypted Swap Support: Native encryption of swap space using geli(8) encryption system
Jail Security: Improved isolation and resource controls for FreeBSD jails
MAC Framework: Enhanced Mandatory Access Control policies and utilities

Recent Security Advisories

FreeBSD-SA-26:09.pf (March 26, 2026)

Severity: High
Affected Versions: FreeBSD 14.x, 15.0
CVE: CVE-2026-4652

Issue: The pf firewall silently ignores certain rule configurations, potentially allowing unintended network access

Resolution:

  • Patches available for all supported branches
  • Immediate upgrade recommended via:
freebsd-update fetch
freebsd-update install
# Or using packages
pkg upgrade

Workaround: Temporarily rewrite affected rules using tables or labels instead of direct interface specifications

FreeBSD-SA-26:07.nvmf (March 25, 2026)

Severity: Medium
Affected Versions: FreeBSD 15.0

Issue: Security vulnerability in NVMe over Fabrics subsystem implementation

Patches Released:

  • stable/15 branch: March 25, 2026 01:29 UTC
  • releng/15.0 branch: March 26, 2026 01:11 UTC

Ports and Packages Updates

pkgsrc-2026Q1 Branch (March 27, 2026)

The new quarterly branch brings:

Software Updates: Latest versions of popular applications and libraries
Security Fixes: Patches for vulnerable packages in the ports collection
Dependency Resolution: Improved handling of complex dependency chains

Notable Package Upgrades

  • OpenSSL 3.5: Multiple security fixes and performance improvements
  • PostgreSQL 17: Enhanced query optimization and replication features
  • Python 3.12: New language features and runtime optimizations
  • pkg 2.6.2_1: Improved package management with better dependency resolution

Development and Community News

Google Summer of Code 2026

FreeBSD has been selected for Google Summer of Code 2026, with focus areas including:

Kernel Development: Performance optimization and new driver support
Tooling Improvements: Enhanced developer tools and debugging utilities
Documentation: Comprehensive documentation updates and translations

Release Engineering Changes

The FreeBSD project has adopted a new release strategy:

Quarterly Releases: Every 3 months for regular feature updates
Biennial Releases: Every 2 years for long-term support versions
Benefits: More predictable release cycles, better security maintenance, and improved stability

System Administration Guidance

Upgrade Recommendations

For systems running FreeBSD 14.x:

# Standard upgrade process
freebsd-update fetch
freebsd-update install

# Rebuild third-party packages if necessary
pkg upgrade

Security Best Practices

  1. Regular Updates: Schedule weekly security update checks
  2. Firewall Review: Audit pf rulesets for potential issues
  3. Monitoring: Implement comprehensive system monitoring
  4. Backup Strategy: Ensure regular ZFS snapshots and offsite backups

Performance Monitoring Commands

# ZFS performance
zpool iostat -v 1
zfs get all poolname

# Network monitoring  
pfctl -s info
pfctl -s rules

# System health
vmstat 1
iostat 1

Support Timeline

FreeBSD 14.4-RELEASE: Supported until December 31, 2026
FreeBSD 13.x: Entering end-of-life phase, migration to 14.x recommended
FreeBSD 15.0: Current development branch, production use with caution

International Security Notices

BSI (Germany): Multiple advisories regarding FreeBSD vulnerabilities
Canadian Centre for Cyber Security: AV26-179 advisory for critical fixes
DFN-CERT: DFN-CERT-2026-0689 covering local privilege escalation issues

Resources and References

  • Official Security Advisories: https://www.freebsd.org/security/advisories/
  • Release Notes: https://www.freebsd.org/releases/14.4R/relnotes/
  • Mailing Lists: https://lists.freebsd.org/
  • Community Support: https://forums.freebsd.org/
  • Documentation: https://docs.freebsd.org/en/books/handbook/

Upcoming Events

  • FreeBSD Developer Summit: April 15-16, 2026 (Virtual)
  • Google Summer of Code: Coding period begins May 1, 2026
  • Next Quarterly Release: FreeBSD 14.5 expected June 2026

In‑Depth Comparison of the BSD Family: FreeBSD, OpenBSD, NetBSD, and DragonFlyBSD

admin Leave a comment

Table of Contents

  1. Introduction and History
  2. Philosophy, Development Model and Licensing
  3. Typical Use Cases – Where Each BSD Excels
  4. Kernel Architecture in Detail
  1. Derivatives, Specialty Distributions and Ecosystem
  2. Pros and Cons Tables – Quick Comparison
  3. Decision Guide – Which BSD Fits Your Project?
  4. Future Roadmaps and Development Plans
  5. References, Further Reading and Community Links

Introduction and History

The BSD family originates from the Berkeley Software Distribution released by the University of California, Berkeley, in 1977. The early releases (1.0 – 4.3BSD) introduced the now‑ubiquitous TCP/IP stack, a pivotal innovation that turned BSD into the backbone of the modern Internet.

During the early 1990s the project split into several independent branches, each pursuing a distinct vision:

  • FreeBSD (founded 1993) focused on performance, stability and a massive Ports collection for third‑party software.
  • OpenBSD (branched off 1995) adopted a strict security‑first policy, aiming to be the most secure UNIX‑like OS.
  • NetBSD (1993) embraced portability, coining the slogan “runs on anything” – it now supports more than 50 CPU architectures.
  • DragonFlyBSD (2003) forked from FreeBSD 4.8 to address concerns about development speed and SMP scalability, culminating in a modern kernel and the HAMMER2 filesystem.

These divergent histories still shape the design decisions, community culture, and target workloads of each system today.

Philosophy, Development Model and Licensing

ProjectPrimary GoalDevelopment ModelLicense
FreeBSDHigh‑performance server & desktop platformCentral core team, Commit‑Access managed by a small Core Team; Ports tree maintained by a large pool of volunteers.BSD 2‑Clause + CDDL for ZFS (exception for the ZFS implementation)
OpenBSDMaximal security and code correctnessVery conservative, small team; each change undergoes extensive code audit before being committed.BSD 2‑Clause (pure, no additional encumbrances)
NetBSDPortability, clean code, support for exotic hardwareDecentralised, Git‑based repository; pkgsrc is a separate, cross‑platform package collection.BSD 2‑Clause
DragonFlyBSDScalable SMP performance, modern filesystemsSmall, focused core team; rapid six‑to‑eight‑week release cycles.BSD 2‑Clause

Licensing matters for enterprises. FreeBSD’s inclusion of the CDDL ZFS code can raise compliance questions, whereas OpenBSD, NetBSD and DragonFlyBSD remain under a single, permissive BSD licence.

Typical Use Cases – Where Each BSD Excels

Use caseFreeBSDOpenBSDNetBSDDragonFlyBSD
Web & DB servers★★★★★ – ZFS + Jails, highly tuned TCP stack (Fast Open, RACK) – used by Netflix, GitHub, Yahoo!★★★☆☆ – security‑first front‑ends, but fewer performance‑tuned features.★★☆☆☆ – rarely used as a primary web server; shines on embedded gateways.★★★★☆ – HAMMER2’s dedup & snapshots make it attractive for storage‑heavy workloads.
Firewalls / Routers★★★★☆ – pf (ported), ipfw, pfSense/OPNsense are FreeBSD‑based appliances.★★★★★ – pf originated here; excellent defaults, minimal footprint for pure firewall use.★★☆☆☆ – supports pf via ports, but lacks a native UI.★★☆☆☆ – no dedicated firewall framework.
Embedded / IoT★★☆☆☆ – ARM support exists, but larger footprint limits usage.★★★☆☆ – small, secure, but driver set lagging.★★★★★ – runs on ARM, MIPS, PowerPC, SPARC, RISC‑V; clean‑room builds ideal for deterministic firmware.★★☆☆☆ – focus remains server‑oriented.
Desktop / Workstation★★★★☆ – GhostBSD, MidnightBSD provide ready‑made GNOME/KDE environments.★★☆☆☆ – no official desktop flavour, though X11 is available.★★★☆☆ – NomadBSD (live USB) offers a minimal desktop.★★★★☆ – desktop installer exists but the project’s emphasis stays on server use.
NAS / Storage Appliances★★★★★ – ZFS native, TrueNAS CORE is built on FreeBSD.★★★☆☆ – ZFS ports exist but not a primary feature.★★★☆☆ – FFS with WAPBL, optional ZFS ports.★★★★★ – HAMMER2 provides copy‑on‑write, snapshots and dedup, suitable for backup servers.

Kernel Architecture in Detail

Filesystems and Storage

  1. FreeBSD – ZFS
  • Copy‑on‑Write, end‑to‑end checksumming, compression, deduplication, and native encryption. ZFS pools (zpool) allow mixing devices of different sizes and types. Integrated since FreeBSD 9.0, ZFS can be a root filesystem. The CDDL license of ZFS is the only non‑BSD component.
  1. OpenBSD – FFS + Soft‑crypto
  • Traditional Fast File System (UFS). No native ZFS; experimental ports exist. Encryption is handled via soft‑crypto (GELI) which provides block‑device level encryption.
  1. NetBSD – FFS + WAPBL
  • Uses WAPBL (Write‑Ahead Physical Logging) for low‑overhead journaling of metadata, striking a balance between performance and crash‑consistency.
  1. DragonFlyBSD – HAMMER2
  • Modern copy‑on‑write filesystem with snapshots, deduplication, and cluster‑level mirroring. Optimised for many‑core systems and large storage pools. Tooling is less mature than ZFS, but performance on multi‑core machines is excellent.

Network Stack and Security Features

  • FreeBSD: Highly tuned TCP stack (Fast Open, RACK, NewReno), ipfw as classic firewall, and pf (ported from OpenBSD) for modern packet filtering. BPF (Berkeley Packet Filter) provides fast packet capture for IDS/IPS.
  • OpenBSD: pf is the flagship firewall; the project emphasizes secure‑by‑default sysctl defaults, mandatory access controls, and frequent security audits. Integrated tools include OpenSSH, LibreSSL, OpenBGPD, and OpenNTPD.
  • NetBSD: Supports ipfilter, ipfw, and also pf via ports. The networking code is highly portable, making it ideal for edge routers on obscure architectures.
  • DragonFlyBSD: Includes pf and ipfw. The network stack is clean and well‑documented, though not as feature‑rich as FreeBSD’s implementation.

Virtualization, Containers and Isolation

SystemContainer TechnologyHypervisorNotable Features
FreeBSDJails – OS‑level containers with separate IP stacks, filesystem views, and resource limits (rctl).bhyve – modern hypervisor supporting virtio, UEFI, and KVM acceleration.runjail adds Docker‑compatible runtime, vmm module for hardware acceleration.
OpenBSDNone (no jail‑like facility).vmm – lightweight hypervisor with KVM compatibility.Security‑first design, minimal attack surface.
NetBSDNone (no built‑in container system).Xen, bhyve, hyper‑v support via kernel modules.Broad hardware support, but tooling is fragmented.
DragonFlyBSDVkernel – lightweight kernel instance for isolation, roughly comparable to a micro‑VM.Vkernel enables fast, low‑overhead sandboxing, ideal for micro‑services.

Combining FreeBSD Jails with OpenBSD pf yields a powerful model: Jails give process isolation, while pf provides fine‑grained packet filtering and NAT.

Derivatives, Specialty Distributions and Ecosystem

DerivativeBase BSDTarget AudienceKey Characteristics
GhostBSDFreeBSDDesktop users (GNOME/KDE)One‑click installer, optional ZFS root, encrypted home directories.
MidnightBSDFreeBSDDesktop & entry‑level servermidnightbsd-install, graphical installer, own pkgsrc‑based package manager.
TrueNAS COREFreeBSDNAS applianceFull ZFS management UI, VM support, replication, commercial support available.
pfSenseFreeBSDFirewall / RouterRich plugin ecosystem (OpenVPN, IPSec, Captive Portal), web UI, optional commercial support.
OPNsenseFreeBSDModern firewallAngular‑based UI, IDS/IPS via Suricata, Let’s Encrypt integration, frequent security releases.
NomadBSDNetBSDLive USB + persistenceMinimal live system, easy to write changes back to flash, small image size.
OpenBSD‑based toolsOpenBSDSecurity utilitiesOpenSSH, OpenBGPD, OpenNTPD, LibreSSL – widely embedded in other distributions.
DragonFlyBSD‑BobDragonFlyBSDServer scalingMinimalist image focused on HAMMER2 performance, low overhead.

These derivatives allow teams to pick a pre‑packaged solution that matches their use case without building the entire OS from scratch.

Pros and Cons Tables – Quick Comparison

FreeBSD

ProsCons
Massive Ports collection (≈30 k packages)Larger footprint – less suitable for very constrained embedded devices
Native ZFS support (snapshots, dedup, encryption)License complexity (BSD + CDDL) can raise compliance concerns
Jails – lightweight OS‑level containers with resource limitsJails lack some features of Docker (e.g., overlay filesystem)
High‑performance network stack, pf and ipfw availableSome newer networking features lag behind Linux implementations

OpenBSD

ProsCons
Highest security focus (code audits, securebydefault)Limited driver support, especially for newer hardware
pf firewall engine – reference implementationNo native ZFS (only experimental ports)
Small, coherent code base – easy to auditSmaller ports tree, fewer third‑party packages
Integrated security tools (OpenSSH, LibreSSL, OpenBGPD)Security‑first approach can limit raw performance optimisations

NetBSD

ProsCons
Runs on >50 architectures – perfect for embedded & researchSmaller community, fewer commercial services
WAPBL offers low‑overhead journaling
Clean, modular kernel – easy to patch and extend
No native ZFS (only ports)
Lack of built‑in server‑centric features (no Jails, pf not default)
Documentation sometimes sparse for newcomers

DragonFlyBSD

ProsCons
HAMMER2 – modern COW filesystem with dedup and snapshots
Vkernel – lightweight isolation ideal for micro‑VMs
Strong SMP scaling – excellent on many‑core servers
Rapid release cycle, active development
Smaller community, limited commercial backing
HAMMER2 tooling less mature than ZFS

Decision Guide – Which BSD Fits Your Project?

RequirementRecommended BSDRationale
Maximum security (firewall, crypto, audits)OpenBSDpf originated here, LibreSSL, OpenSSH hardening, securebydefault defaults.
Enterprise storage (ZFS, snapshots, replication)FreeBSD (or TrueNAS CORE)Native ZFS, mature management tools, large community.
Broad hardware support (IoT, ARM, MIPS, SPARC, RISC‑V)NetBSDSupports >50 architectures, clean‑room builds, deterministic firmware.
Scalable SMP servers (many cores, dedup)DragonFlyBSDHAMMER2 dedup, Vkernel, excellent multi‑core performance.
Desktop experience (GNOME/KDE, plug‑and‑play)GhostBSD (FreeBSD) or MidnightBSDReady‑made installers, pre‑configured desktop environments.
Firewall appliancepfSense / OPNsense (FreeBSD‑based)Web UI, extensive plugin ecosystem, commercial support available.
NAS / storage applianceTrueNAS CORE (FreeBSD)Full ZFS UI, VM support, replication, enterprise features.
Research / developmentNetBSDPortability, pkgsrc works across many platforms.

When making a decision, also weigh community activity, package availability (Ports vs. pkg vs. pkgsrc), licensing constraints, and support options (mailing lists, issue trackers, commercial vendors).

Future Roadmaps and Development Plans

  • FreeBSD 15.x – Continued ZFS evolution (ZFS 2.2 with improved scrubbing and compression), GPU pass‑through for bhyve, tighter Kubernetes integration via csi‑freebsd.
  • OpenBSD 7.9pf engine enhancements, introduction of Trusted Execution Environments (TEE), expanded hardware root‑of‑trust mechanisms.
  • NetBSD 10 – Strong focus on RISC‑V support (new toolchains, device‑tree), pkgsrc extensions for container orchestration, modernised network‑stack libraries.
  • DragonFlyBSD 6 – Final stabilisation of HAMMER2, new Vkernel features (namespace isolation, cgroup‑like limits), optional ZFS ports for hybrid setups.
  • Derivatives: TrueNAS SCALE (Debian‑based) challenges the FreeBSD‑based CORE, while pfSense 2.8 adds eBPF support for advanced packet processing pipelines.

References, Further Reading and Community Links

  • FreeBSD Project – Official Documentation: https://www.freebsd.org/docs/
  • OpenBSD Project – Goals & Security: https://www.openbsd.org/faq/faq4.html
  • NetBSD Project – Platform Overview: https://www.netbsd.org/ports/
  • DragonFlyBSD – HAMMER2 Documentation: https://www.dragonflybsd.org/docs/hammer2/
  • pfSense – Documentation & Release Notes: https://docs.pfsense.org/
  • OPNsense – Features & Roadmap: https://opnsense.org/
  • TrueNAS – ZFS Management: https://www.truenas.com/
  • GhostBSD – Desktop Project: https://ghostbsd.org/
  • MidnightBSD – Release Notes: https://midnightbsd.org/
  • NomadBSD – Live‑USB System: https://nomadbsd.org/
  • NetBSD – WAPBL & FFS: https://netbsd.org/docs/technical/
  • OpenBSD – pf Manual Page: https://man.openbsd.org/pf.conf
  • FreeBSD – Jails Handbook: https://docs.freebsd.org/en/books/handbook/jails/
  • DragonFlyBSD – Vkernel Overview: https://www.dragonflybsd.org/docs/vkernel/

FreeBSD in the Last Seven Days: Between 14.4 Reality, ZFS Concerns, and Small pkg Ideas

Thorsten Geppert Leave a comment

Those waiting for FreeBSD to make a big splash often wait a long time. That’s one of the things I both appreciate and occasionally find frustrating about the system. I appreciate it because you’re not bombarded with marketing hype every other day. But it’s frustrating because you often have to piece together the most interesting developments from mailing lists, release notes, and passing remarks.

Looking back at the past seven days, the core picture is quite typical for FreeBSD: outwardly, it’s relatively quiet, but beneath the surface, discussions are happening in precisely the areas that make operating systems either pleasant or frustrating in daily use—software build performance, ZFS stability and memory behavior, and how to make pkg more practical in a PKGBASE environment.

FreeBSD 14.4 Remains the Dominant Topic

The most important official news in the observed period is still the release of FreeBSD 14.4-RELEASE on March 10. While it falls just outside the seven-day window, it has clearly shaped discussions this week—and for good reason.

Key highlights of 14.4 include:

  • OpenSSH 10.0p2
  • Hybrid post-quantum algorithm mlkem768x25519-sha256 enabled by default
  • OpenZFS 2.2.9
  • Improved cloud-init/nuageinit compatibility
  • A new p9fs(4) for filesystem sharing between host and bhyve guests
  • Enhancements to manpages and their tools

Overall, this is a solid release. No revolution, but exactly the kind of version FreeBSD is known for: evolutionary, pragmatic, and focused on meaningful maintenance rather than spectacle.

Also worth mentioning is the dedication of this release to Ken Smith, who passed away late last year and played a key role in FreeBSD’s release engineering for many years. Such acknowledgments often get lost in technical announcements, but they matter—they remind us that behind all the code, there are people.

Early Feedback on 14.4: Build Times Cause Frustration

More interesting than the release announcement itself were this week’s real-world reports. On the mailing list, a case was described where, after upgrading from 14.3 to 14.4, build times with poudriere had increased—sometimes doubling in duration.

This isn’t a minor detail. For those who build ports, maintain packages, or compile locally, this isn’t just a cosmetic issue—it’s a daily pain. If a full build suddenly takes two days instead of one, that’s no longer a footnote.

The discussion pointed to a known performance issue and noted that a workaround exists to restore the previous behavior. That’s the good news. The less good news is that such problems only surface in practice, and users have to dig through threads and commit messages to find solutions.

This is, unfortunately, not uncommon with FreeBSD: the technology is often solid, but communication about it can be less user-friendly than it could be.

ZFS Remains Excellent—and Sometimes Frustrating

Things got really interesting in a discussion about ZFS deadlocks and memory accounting issues on NFS servers. A scenario was described where machines, despite having plenty of free RAM, came under memory pressure, started swapping, and in the worst cases, hit OOM (out-of-memory) conditions. This is particularly frustrating because large storage and file-serving systems running FreeBSD are often chosen precisely because ZFS is supposed to excel in such environments.

The reported case involved systems with very high RAM capacity, where ARC memory appeared evictable, yet the system still entered a problematic state. There were also reports of blocked processes and wait states around ARC and dbuf mechanisms. Of course, this is just one case from a mailing list—not a universal statement about all 14.x installations. But it’s exactly the kind of signal that should make administrators take notice.

Such issues aren’t problematic because they’re spectacular; they’re problematic because they often disguise themselves as “odd behavior” for a long time. A little swap here, some load there, a few hanging processes—and suddenly, a system that, by superficial metrics, shouldn’t be struggling at all, is in trouble.

FreeBSD still has strong arguments in the storage space. But when reports like this emerge, they should be taken seriously—not hysterically, but seriously.

A Small pkg Discussion, But with Practical Relevance

Less dramatic but still practically relevant was a discussion about pkg and its interaction with PKGBASE. Specifically, the desire to cleanly separate upgrades for third-party packages and the base system.

Proposed additions included aliases like:

  • pkg upgrade-packages
  • pkg upgrade-base

The idea is simple and reasonable: in daily use, users don’t always want to lump everything together. Instead, they want to consciously decide whether to update only ports packages or only the base system.

This isn’t the kind of news that inspires excitement, but it’s a good example of how FreeBSD evolves: often in small, unassuming, yet practical steps. In the end, such improvements often make more of a difference than some grand, heavily promoted project.

At the same time, the discussion highlights a typical problem: naming and clarity aren’t trivial. If you say “packages” when, technically, everything is a package, confusion is almost built in. It’s not a disaster, but it’s not a detail that should be ignored either.

What Stands Out from This Week?

Summing up the past seven days around FreeBSD, this is the picture that emerges:

FreeBSD often appears quiet—almost too quiet—on the surface. But beneath that calm, the discussions revolve around precisely the issues that matter most to users and administrators:

  • How well does a new release perform in real-world use?
  • Are there performance regressions?
  • Is ZFS as stable under real-world load as expected?
  • Are tools like pkg becoming more usable in daily operations?

That, in the end, might be what’s most likable about FreeBSD. The most interesting news is rarely just “New! Bigger! Faster!” Instead, it’s often about where practice clashes with theory—and that’s where a system earns long-term trust.

14.4-RELEASE is undoubtedly the most significant recent development. But the subsequent discussions about build performance and ZFS show that a release isn’t finished when it’s published. That’s when the phase begins where it becomes clear how well things actually work outside of release notes and announcements.

And that phase was the truly interesting part of the last seven days.

Sources

  • FreeBSD News Flash: https://www.freebsd.org/news/newsflash/
  • FreeBSD News RSS Feed: https://www.freebsd.org/news/feed.xml
  • FreeBSD 14.4-RELEASE Announcement: https://lists.freebsd.org/archives/freebsd-announce/2026-March/000228.html
  • FreeBSD-announce Archiv März 2026: https://lists.freebsd.org/archives/freebsd-announce/2026-March/date.html
  • Thread: „Huge build times increase after updating from 14.3 to 14.4“: https://lists.freebsd.org/archives/freebsd-stable/2026-March/003900.html
  • Antwort von Olivier Certner zum bekannten Performance-Problem: https://lists.freebsd.org/archives/freebsd-stable/2026-March/003901.html
  • Nachfrage von Philip Paeps zu den Package-Buildern: https://lists.freebsd.org/archives/freebsd-stable/2026-March/003907.html
  • Thread: „ZFS deadlocks/memory accounting issues“: https://lists.freebsd.org/archives/freebsd-stable/2026-March/003910.html
  • Antwort von Alan Somers im ZFS-Thread: https://lists.freebsd.org/archives/freebsd-stable/2026-March/003911.html
  • Thread/Proposal zu pkg-Aliases: https://lists.freebsd.org/archives/freebsd-stable/2026-March/003942.html
  • Rückfrage zur Benennung der pkg-Aliases: https://lists.freebsd.org/archives/freebsd-stable/2026-March/003944.html
  • FreeBSD-stable Archiv März 2026: https://lists.freebsd.org/archives/freebsd-stable/2026-March/date.html

Why I Use FreeBSD Instead of Linux on Servers

Thorsten Geppert Leave a comment

When it comes to server operating systems, most people immediately think of Linux. That makes sense: Linux is widely used, has a large ecosystem, and is the default choice in many companies.

Despite that, I have preferred working with FreeBSD for many years. I first started using it around the time of FreeBSD 4, and since then it has remained my first choice for many of the systems I run.

Why?

The short answer: FreeBSD feels like a coherent operating system, while many Linux installations feel more like a collection of separate components.

The longer answer is a bit more interesting.

A complete operating system

One of the main differences between Linux and FreeBSD lies in how the system is structured.

Most Linux distributions are built from components developed by many independent projects:

  • the Linux kernel
  • GNU userland tools
  • an init system
  • a package manager
  • additional utilities and frameworks

This works well, but it can sometimes lead to inconsistencies between distributions.

FreeBSD takes a different approach. The base system is developed and maintained as one integrated operating system.

The kernel, system utilities, and core components belong together and are released together. As a result, the system feels very consistent in configuration, behavior, and documentation.

This becomes especially valuable when you run servers for many years.

Predictable behavior

One of the most important qualities of a server operating system is predictability.

Servers should ideally be boring: they should run reliably, behave consistently, and not surprise you after updates. Like an aircraft.

In my experience, FreeBSD systems tend to do exactly that. Once properly configured, they usually run quietly in the background for long periods of time.

Updates are generally straightforward, and the system behaves in ways that are easy to understand and anticipate.

For infrastructure that is meant to run for years, this reliability matters a lot.

ZFS as a first-class citizen

Another major reason I appreciate FreeBSD is its excellent integration with ZFS.

ZFS offers features that are extremely useful in everyday server administration:

  • snapshots
  • simple backup strategies
  • data integrity
  • flexible storage layouts

For servers handling large amounts of data or running multiple services, ZFS can significantly simplify storage management.

Many of my systems rely on ZFS as the foundation for both storage and backup strategies.

Jails: lightweight service isolation

FreeBSD provides Jails, a very elegant mechanism for isolating services.

Compared to full virtual machines, Jails are extremely lightweight. They allow services to run in isolated environments without requiring a complete operating system for each instance.

This has several advantages:

  • lower resource usage
  • clear separation of services
  • simpler administration

For many server setups, this approach is both efficient and easy to maintain.

Clear structure and solid tooling

Another aspect I appreciate about FreeBSD is the clarity of its system design.

Examples include:

  • the traditional rc system for service management
  • a consistent configuration approach
  • the pkg package management system
  • excellent man pages and documentation

When you return to a system months or years later, this clarity makes it much easier to understand how everything fits together.

Practical experience

My preference for FreeBSD is not theoretical.

Over the years I have run many systems based on FreeBSD, including servers providing services such as:

  • web applications
  • databases
  • DNS, DHCP, and NTP
  • NFS and Samba
  • various applications running inside Jails
  • Bhyve as virtualization platform

Some of these systems also involve more complex storage setups using ZFS or virtualization with bhyve.

This long-term practical experience is the main reason why FreeBSD remains my preferred platform for many server workloads.

Conclusion

Linux is an excellent operating system and a great choice in many situations.

However, for many of my own server deployments I still prefer FreeBSD.

The main reasons are:

  • a coherent and well-integrated operating system
  • predictable and stable behavior
  • excellent ZFS integration
  • lightweight isolation with Jails
  • a clear and consistent system design

Especially for long-running infrastructure, FreeBSD has repeatedly proven itself to be a robust and dependable platform.