Do not go to this site with enabled javascript! They spam your uplink DNS provider with thousands of uniq, uncachable (fingerprinting?) 'test' dns keys without your
consent, to identify & track the DNS service you are using!
Projects
Console screen reader infrastructure
Vessel - Integrated Application Containers for FreeBSD
Enable the NFS server to run in a vnet prison
Pytest support for the FreeBSD testing framework
Userland
Base System OpenSSH Update
Kernel
Enabling Snapshots on Filesystems Using Journaled Soft Updates
Wireless updates
Netlink on FreeBSD
Adding basic CTF support to ddb
Architectures
CheriBSD 22.12 release
FreeBSD/riscv64 Improvements
go on FreeBSD riscv64
FreeBSD/ARM64 on Xen
Cloud
FreeBSD on Microsoft HyperV and Azure
FreeBSD as a Tier 1 cloud-init Platform
OpenStack on FreeBSD
Documentation
Documentation Engineering Team
FreeBSD Presentations and Papers
Ports
FreshPorts - help wanted
PortsDB: Program that imports the ports tree into an SQLite database
KDE on FreeBSD
Xfce on FreeBSD
Pantheon desktop on FreeBSD
Budgie desktop on FreeBSD
GCC on FreeBSD
Another milestone for biology ports
Third Party Projects
Containers and FreeBSD: Pot, Potluck and Potman
The compiler (go) is part of a static read-only (compressed/in-memory) RootFS. Build on a air-gap build server, touching only signed/verified/reviewed code from git-offline mirror snaps. Go has no libs, all static. The resulting runtime only binaries are totally uniq/randomized and dependency free, straight from (signed) source code.
Yes, the base idea is not that new. I store since years every GO based application I use as small (few kb) source code tree checkout only, no binary at all. At runtime the wrapper compiles a randomized individual one-time-temporary-uniq binary via garble [0].
Netflix contributes. Real Code. Rock stable. High quality. For so many years. So its not only the Free-Beer-License for them. I have never seen a single commit comming back from others, who build the most (financial) successfull trillion dollar bussines on top of FreeBSD, but comming back again and again, to (hard-)fork.
TLDR: gps tracker with backup battery and activated sim card found in sealed car ECU (BTO from china, to save some pennies, in a high-security-custom build car)
Beside of checks for the integrity of SelfSigned Certificates, I do not used this function directly.
My assumption about the TLS impact was based on the fact that [Certificate.Verify] uses internally [Certificate.buildChains] who calls [Certificate.CheckSignatureFrom], who has only the direct parents IsCA status, but not the full picture of the full path (and ignores it at the end, when missing on the root-Anchor)!?
And yes, in general, the max pathLen helps only to restict the impact of a specific (delegated) subCA compromise, not for a full root CA key leak. But I expect to see a well prepared narrative about a (revokeable) SubCA as most likely response, to protect the Root-Anchor itself. (What a happy co-incidence that the most Root-Anchors do not declare the planned SubCA strategy via maxPathlen upfront.)
One example, the started (and then stuck) net/ip to net/netip migration?
The tailscale netip package is great (as external pkg), but without commit to a full migration plan, just sprinkle here and there some (half/done/slow/wired/bridge) interfaces leads anyone, who tried to migrate, stuck as well. Some all ready started to migrate back ...
> TLS handshakes now return a CertificateVerificationError if they fail because of, well, certificate verification.
... as long the crypto/x509 CheckSignatureFrom ignores the pathlen contraint (the /ONLY/ way of an CA Owner pin down a delegated SubCA usage/raw-key-abuse!) im not sure that CertifictionVerification does what a high-level api user expects!?
Do not go to this site with enabled javascript! They spam your uplink DNS provider with thousands of uniq, uncachable (fingerprinting?) 'test' dns keys without your consent, to identify & track the DNS service you are using!
Take a look at your DNS outbound log yourself!