MidnightBSD Developer Journal

The MidnightBSD project does get some funding from Patreon users, and it's greatly appreciated.

Our current infra spending breaks down like this (monthly):

OVH: $180 (UK mirror)
AWS: $250
Business cable connection for hosting the project: $430

Additionally, we have hardware and electricity costs. Our rack idles around 300 watts these days.

We're currently running on:
ryzen 5700x 64GB (to be retired soon)
HPE DL360 gen 10 (2x20 core xeon) 256GB RAM
HPE DL360 gen9 (2x18 core xeon) 160GB RAM
HPE DL20 gen9 (quad core Xeon) 32GB RAM (firewall)
Aruba Instant on 1960xt (10G copper and fiber switch)
Engenius 2.5G 8-port switch
cable modem/router
HPE microserver Gen10 plus (xeon)
HPE microserver Gen8 (opteron)

An update on hardware upgrades:

I've migrated two of the three servers to the new HPE DL360 GEN10 server. This should result in a little less power consumption and a lot more compute power. We're still waiting on a drive that had to be RMA'd for the remaining server.

So far, we've migrated our database and one of our virtualization servers over to the new hardware. The virtualization server runs Jenkins, magus build nodes, logging infrastructure, and a few other things.

We've also taken the opportunity to migrate a number of services on the database server into their own jails using Bastille.

Packages

We've refreshed packages for i386 and amd64 3.2 systems. This included a number of security updates and a large jump in total packages available.

4.0 CURRENT progress

Current work has been progressing slowly, in part because I'm recovering from COVID. I also wanted to get the new hardware in place to help with builds.

The kernel is working, but there are a few things in userland broken at the moment. I'm working through those as I find them. The original plan was to release in May but that's obviously been delayed. I don't have an ETA on the release right now.

AWS & MidnightBSD

Amazon recently took down our AWS marketplace listing because the software was old and had a security issue. The last attempt we made to update it resulted in a rejection. They wouldn't test it manually and their automated tools can't handle the alternate partition and file system to scan it.

I've been working on a different approach to build images for AWS in hopes of refreshing them more often. The project does use them and the current approach was to install and then update manually. This is a big hassle. It would also be nice if we could support newer instance types as we are currently limited to old hardware (like t2 instances)

We do publish image ids for aws us-east-1 on the midnightbsd download page for folks who want to run them manually without marketplace.

Our hardware upgrade is still in progress. We've managed to migrate almost 2 physical servers infra to a new box.

There is one more server to migrate, but we're going to wait on that. One service is left from the second server and it's lower priority.

* Firefox 138.0.3
* Thunderbird 138.0.1
* LibreOffice 25.2.2
* TeXLive 20250308
* Darktable 5.0.1
* Okular 25.04.1
* VLC 3.0.21
* Mesa 25.05
* Qemu 10.0
* GCC 14.2.0
* LLVM 20.1.4
* Go 1.24.3
* Rust 1.86.0
* Rvn 1.0.2

added sensors script by Slawomir Wojciech Wojtczak & Trix Farrar

v3 from https://raw.githubusercontent.com/vermaden/scripts/master/sensors.sh

Similar to the sensors output on linux, but limited.

There is overlap with batt(1) but still useful.

MidnightBSD 3.2.3 ISOs are uploading to mirrors.

Changes in this version are mostly third-party dependencies:

OpenSSH 9.9p2

tcpdump 4.99.5

expat 2.7.1

fix for xz CVE-2025-31115

unbound 1.22.0

And the MidnightBSD package manager, mport, was updated to 2.6.8.

Important notes:

1. An issue with the firstboot script was fixed after this release. It won't hurt anything per se, but there was still code in there to start hald. It will be included in the next release. (thanks ykla)

2. mport 2.6.8 does have a few bugs, particularly with removing a lot of packages at once. This was fixed in later versions, but mport 2.7.x isn't ready for broad release yet. (3.2.0 shipped with mport 2.6.0 and 3.2.2 had mport 2.6.4)

3. There are a number of CVEs fixed in this release related to OpenSSH, unbound, expat, xz, and tcpdump.

A new mport-manager, graphical package manager release, 0.23 is now available in mports and on github.

There's a new mport package manager release. https://github.com/MidnightBSD/mport/tree/2.7.0

Due to its massive changes, we're not going to merge it yet into the os. (for one thing, the build will change a lot)

It does bump the master database version. There is a new table for storing conflicts. We don't make them visible in commands, but it will help with debugging the state when a package was added. Conflict detection is done at install time using the data in the package currently.

Heads up: the new AMD AI laptop CPUs have soldered RAM and Mediatek wifi. AMD has an exclusive partnership for this generation with them. That means all new AMD laptops will have broken WiFi on BSD systems.

Download at https://www.midnightbsd.org/download/

Release notes at https://www.midnightbsd.org/notes/ orhttps://github.com/MidnightBSD/src/releases/tag/3.2.0

Project update:

We've been working on restoring the UK mirror after a complete loss of the OS on the server after an update. (it was a freebsd box at ovh) It's been rsyncing for over a week now. We're only getting about 500kbps for some reason. Very slow. At this point, it should have everything but snapshots. 900 files to go.

We've updated amd64 and i386 3.1 packages recently with the latter being the first update since November. We're currently working on building packages for 3.2 amd64.

A 3.2 stable branch was created recently and we plan to fix a few bugs and get updated packages and then do a release off this branch. The original timeline was may but several issues have slowed us down.

One of our VM servers died suddenly in May. It was a consumer Ryzen 5700x box 64GB 3 SSDs. We've replaced it with an HPE dl360 gen9 with e5 xeon v3 24 cores / 48 threads 160GB RAM and 6 SAS SSDs.

We had to do a large refactor on how we handle perl for the new 3.2 version and this caused a lot of 3.1 ports to break. We've fixed these for folks on the latest 3.1.x release, but if you are on an early release, you may experience issues with man page paths for perl ports. We recommend updating to the latest 3.1.5 as of writing. (if you install via packages, it should work OK with other 3.1.x releases)

RavenPorts has done a big update with MidnightBSD packages. Highlights include: Xorg Server: 21.1.13 Mesa 24.0.6 Firefox 125.0.3 Thunderbird 115.9.0 LibreOffice 24.2.2.2 Gimp 28.10.38 LLVM 18.1.5 Rust 1.77.2 Go 1.22.2 There's also been a lot of progress on wayland support.

I just updated unbound to 1.19.3 in the stable/3.1 branch. This fixes a number of CVEs. Anyone using it on 3.1 should consider updating the base system or use the mports version.

MidnightBSD 3.1.4 release

Fixes issues with mport and updates timezone data.

https://github.com/MidnightBSD/src/releases/tag/3.1.4

I've updated the xz version in 3.2-current to 5.4.x and avoided the known vulnerable releases. This aligns with recommendations from several sources.

As far as the calls to switch off xz for everything, that's unlikely in the short term. A lot of software distributed in mports uses tar.xz files. Further, package files generated by mport use it. Early releases of mport used bzip2 but we migrated many years ago to tar.xz. We're investigating the possibility of migrating to zstd and are working on updating libarchive to a newer release in base for this purpose. It will likely not happen for the midnightbsd 3.2 release and will need to happen during a major release cycle. (4.x? 3.3?)

The long term risk is that xz isn't taken over or forked by a trustworthy source and CVEs start piling up. The actual linux specific issues with 5.6.x are not a concern for BSD platforms aside from the real risk of something like this happening again. (the supply chain attack piece is a danger)

The harsh reality of open source is that there is a lot of code and it's difficult to review it all. Companies have been bitten by issues like Amazon Music getting crypto mining node modules years ago or the recent attack on Notepad++ plugins. It happens. How we deal with it is what's important.

We've tagged 3.1.4 in git for the stable/3.1 branch and have an amd64 ISO on the FTP. Still need to build i386.

This includes updated timezone data and some major fixes to mport package manager. There were a lot of issues in the 3.1.3 release of MidnightBSD with installing and using packages.

I'm uploading a 3.2 amd64 snapshot to the primary FTP server for MidnightBSD

We just released mport 2.6.2; it fixes two bugs with mport list and mport list updates that would cause no output to display.

This has been imported into current and stable/3.1 branches

There is an xz vulnerability in 5.6.0 and 5.6.1 that was caused by a malicious payload added via a commit.https://boehs.org/node/everything-i-know-about-the-xz-backdoor

At this time, I am unaware of anything in libarchive that is considered dangerous as mentioned on that website. MidnightBSD does not use the affected versions of xz in base. We have 5.2.9 right now.

There's two security vulnerabilities in the base system unbound.

We've updated unbound to 1.19.1 in 3.2 CURRENT and 1.19.3 in mports.