From nobody Mon Sep 22 21:36:04 2025 X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4cVxHr27xGz68TM9 for ; Mon, 22 Sep 2025 21:36:08 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4cVxHr09Gzz3PZR for ; Mon, 22 Sep 2025 21:36:08 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Authentication-Results: mx1.freebsd.org; none Received: by mail-il1-x12d.google.com with SMTP id e9e14a558f8ab-4257f2b59ffso4097115ab.1 for ; Mon, 22 Sep 2025 14:36:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd.org; s=google; t=1758576966; x=1759181766; darn=freebsd.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=C362194gGLkAeayed2Wsmq4SHYPTrjnIxQ4pRRxWQxA=; b=UqvtoOQgBqhCtMgIFipNI9vnHMaTYru+59efFPUg5VHiyiLGWi0Mnf+v7WhblLWj9a JWPeT3zYchykpk4WpFnrv6QR9GQIsjh4Utb4phB6fmINT3dFJrK0mw0jPAI1PwLD6aP6 pEiUI/7h4EIc4M5S9jxR08sGhw0BcpdWQ13TvLAaDjfPL5aByTTF/nu4TnkfuraGdMaX eVRu2UblynyUpYzYD+uFtgyuW7ZQ0x9E3k7pKPLT2XZox5+V5idQMsO3PeLc1Fv2C0wX jDk0Y3TdhF8MqKwbq4lcyXkNvw4hTFghKMA4sxFCmMNhd5hd3x/cy4j270GnNJPqBB/T /AEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758576966; x=1759181766; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=C362194gGLkAeayed2Wsmq4SHYPTrjnIxQ4pRRxWQxA=; b=K0KYEt9hJUiPKrIX0g7jnJnrfK7YRSMI8Sj35A5b+0IT5t+QQhp6j1rfazZmmtohgr pLEByLaP2IV8BsOQeDDIC4JW3DPM7o76RbUnsSDXkkkisQ4srP9UDX/RfCHjtF62+0bt YS9RlzHzS+CTyT7x7kb3bjxk/H4eNt7svC4IF3SQv4HRaHdLMBAMJDF3aUQNT0srygF1 pgUd8CiclwJyf3kNn+qEX0K1gdRNT5VBJfKaAl6/51NU2jbM4cYLG2VpWantBPHfXi+/ vs4S+RG9UxBjOAbeknO5thKHJZcxfVFX2abq5dUl6v1ZwnQw6qVw4nzI5DqOjXp7+5T3 42fg== X-Gm-Message-State: AOJu0YwrWaxIK+F+3lmHbL5CBB7VRqI3SymVnnx4U5MCy0y4rQ6XFCHI ff7060jTT0OaHo3Op3h+x+oF7toXBd2xnIPUchp1JwkEi0jTDjx1ETSN8fYMlbp9PQ4= X-Gm-Gg: ASbGncsb4Q50rAfVsEl1TmnEQW8iGCcRiU/hmN6/w7vzZtk8nC8674o4e6PvppXo7Tn A+LXlPbQv9vbrlZZqoTjed44/w0kd2ITmNi3BuGHwp4tvuAM8TsoQMdv+9ma9LsDS6Q61YcjCQO uxEA/yXNstITByzT4YQ4K4ceadQyRz7e9ZS4ihqqIcU7ffYTAq0CoIeFogG473pw6u3cxzZLDUy 4RaOCn9hqfj3Y5ySCo9YRvUuC5kKdjxvXvVtamHxnh8QlUHyFb6Q0+9jAf249lOLRX4KSlLSwHt I6EaQhhc3lg1DHcsWjITlVUZ0oMGsRcv3B2e+NJWOj4D0rAkka6eVSA3UUAJz9pzpcQ8dAij1f0 UJTFZmct7aecWjaU= X-Google-Smtp-Source: AGHT+IFmuIAc56yqyW2esfKW4Tq2PauqEe1NG5hePnKjlWVUvxLfzpgvAgbW3Tc5YqpRdWqgmuqljg== X-Received: by 2002:a05:6e02:218f:b0:423:2666:4687 with SMTP id e9e14a558f8ab-42582339e3fmr2940455ab.15.1758576965989; Mon, 22 Sep 2025 14:36:05 -0700 (PDT) Received: from mutt-hbsd ([2001:470:4001:1::95]) by smtp.gmail.com with ESMTPSA id 8926c6da1cb9f-5586a4393c5sm2620875173.10.2025.09.22.14.36.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Sep 2025 14:36:05 -0700 (PDT) Date: Mon, 22 Sep 2025 21:36:04 +0000 From: Shawn Webb To: Colin Percival Cc: "freebsd-current@freebsd.org" , FreeBSD Release Engineering Team Subject: Re: Plan for "distribution set" deprecation Message-ID: X-Operating-System: FreeBSD mutt-hbsd 14.3-STABLE-HBSD FreeBSD 14.3-STABLE-HBSD HARDENEDBSD-14-STABLE amd64 X-PGP-Key: https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/blob/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc References: List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@FreeBSD.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="vmex3apg44fsze6u" Content-Disposition: inline In-Reply-To: X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Rspamd-Queue-Id: 4cVxHr09Gzz3PZR --vmex3apg44fsze6u Content-Type: text/plain; protected-headers=v1; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Subject: Re: Plan for "distribution set" deprecation MIME-Version: 1.0 On Mon, Sep 22, 2025 at 11:54:30AM -0700, Colin Percival wrote: > Hi everyone, >=20 > With pkgbase landing in 15.0, I decided that it's time to announce the > timeline for deprecation of the legacy "distribution sets". Here's the > plan: >=20 > 15.0-RELEASE: > * PKGBASE becomes the default in release/Makefile and a new NOPKGBASE > option is added. > * The installer supports both install options, with dist sets marked > as "legacy" in the pick-how-to-install menu. > * The disc1 images only contain a pkgbase repo; people who want to install > from disc1 without pkgbase will need an internet connection. > * The dvd images contain both dist sets and a pkgbase repo suitable for > offline installation with either mechanism. > * Traditional FreeBSD Update will work for the entire 15.x branch, includ= ing > security updates, since this is relatively easy to do as long as we have = dist > sets. > * Work is underway to make freebsd-update behave as a wrapper around pkgb= ase > on pkgbase-enabled systems (right now it just refuses to do anything). >=20 > 16-CURRENT around 2026Q4: > * NODISTSETS becomes the default in release/Makefile and a new DISTSETS > option is added to enable them. > * support for dist sets in the installer is disabled by default (build > option to re-enable). >=20 > 16.0-RELEASE and later: > * Legacy distribution sets are not included on any release media. > * Install images only support pkgbase. > * Legacy FreeBSD Update does not exist on 16.x; users will need to > pkgbasify their 15.x systems before upgrading to 16.x. > * Code for distribution sets remains in the tree so that it can be used > by downstream projects which aren't on pkgbase yet. >=20 > 17-CURRENT around 2028Q4: > * All the dist set code gets removed from main. >=20 > Note that this is all about releases and binary updates; the traditional > process for updating from source (installworld and friends) is not expect= ed > to change in the near future. It's possible that *eventually* that will > move to a "stage the world, package it, and then install the packages" > approach (just like ports moved from installing directly to "staging" over > a decade ago) but if that change happens there will be ample notice. Hey Colin, Thank you for your (and others!) work on this. I'm hoping that this bug can be resolved before PKGBASE is enabled by default for release generation: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D287877 For the life of me, I can't figure out why I'm hitting that bug downstream. I've made the changes I need to make to match on HardenedBSD-related packages (and can provide the diff if needed.) But even with those changes (mainly just `sed s/FreeBSD/HardenedBSD/g`) I'm still hitting that lua assertion. I haven't tried on regular FreeBSD, only HardenedBSD. But I suspect that since another FreeBSD user is hitting that assertion, it's likely not related to HardenedBSD. I have confirmed that the pkgbase repo that gets built does indeed include the right kernel package. Hence why I'm puzzled why that lua assertion is being tripped. This is the one thing preventing HardenedBSD from being a guinea pig in this pkgbase effort. Update after writing the bulk of the email: I just retried making release media (previous attempt was just a day or two before that bug report having been submitted). I hit the same assertion, but the release/scripts/pkgbase-stage.lua script has changed. New line number: 38. Below is the HardenedBSD version of the script (again, mainly just a branding change). The line numbers are included at the very left. =3D=3D=3D=3D BEGIN lua script OUTPUT =3D=3D=3D=3D 22 local function select_packages(pkg, media, all_libcompats) 23 local components =3D {} 24 local rquery =3D capture(pkg .. "rquery -U -r HardenedBSD-base= %n") 25 for package in rquery:gmatch("[^\n]+") do 26 local set =3D package:match("^HardenedBSD%-set%-(.*)$") 27 if set then 28 components[set] =3D package 29 -- Kernels other than FreeBSD-kernel-generic are ignor= ed 30 -- Note that on powerpc64 and powerpc64le the names are 31 -- slightly different. 32 elseif package:match("^HardenedBSD%-kernel%-hardenedbs= d.*-dbg") then 33 components["kernel-dbg"] =3D package 34 elseif package:match("^HardenedBSD-kernel%-hardened.*"= ) then 35 components["kernel"] =3D package 36 end 37 end 38 assert(components["kernel"]) 39 assert(components["base"]) 40=20 41 local selected =3D {} 42 if media =3D=3D "disc" then =3D=3D=3D=3D END lua script OUTPUT =3D=3D=3D=3D That assertion, the assert(components["kernel"]) is what fails, even though the package is actually there. Thanks, --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD Signal Username: shawn_webb.74 Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50 https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A= 4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc --vmex3apg44fsze6u Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAmjRwTAACgkQ/y5nonf4 4fr45A//W08YHGBX2E9E3XKWVnOjB1CZ8sFF+OAZXFdw0kCNmVDvdiZawbhTDECx pnrzQDY8Ux1ev2bCVH7FaRIdcR00QfdN4OZrT9HYdVlqzhOxSmTOWaILDDkfCB3Q rSLI1d40TmNwD8Jk7WrHZ1KXxipNDZFRJsA8k3BIUo6op4mP9JEf2CN8kfk5SZdc NCeMBNwLHNM83UWcaA7ga2DDA3jLTnioZoljV4FzHHk4Fb5jKuf+htFiNbJL5Rbf c7Fo9U+Nn6zwU8yzeJkpSA/cRQbfXXfrnMi7uKJzQ4zP8XKG4vL94MS5xCx8W/HV yuxaTzI0seK9Y/PsaKRBPJSOoexwV5SdWMpfnggbLbhlFzHKtSKNgUUBPSNW0ENE ol+ng4cc/rSuyOXIODl8wXsqvw1rKrt228wiwLOrYSj9fQcXhR/lbnh22x5yMi1a gDXtKUNe8ckUNFwNGybRbsPDYPHxbb2B/k8lTTlSl00bnPI/QBo1upgI1CswY+39 bUgWtB8e/lyyPu8NGiEXx4a/tSsym7NjNn5awUS0iwYm76d59DRmiUNiIFM0SZ6I 30EwHrEpup7YQX/8JMSZp4IzGNF03VWqMq9w+pEH+1F3I9+MtkSkhAOxS+RP7bcM Khp1vBPYVwlLTNSeKCmuAjTehd5Jif61PDQt6BPZQrGXmu2qlAU= =7734 -----END PGP SIGNATURE----- --vmex3apg44fsze6u--