First-time user: Expired mirror-master certificate - and other problems :(

Michael Neumann mneumann at ntecs.de
Sat Jun 1 23:19:20 PDT 2024


On Fri, May 31, 2024 at 02:30:14PM +0000, Marcin Cieslak wrote:
> Hello,

Welcome Marcin :)

> I just installed DragonFlyBSD for a first time
> yesterday and unfortunately:
> 
> 1) pkg bootstrap broke pkg (as described last month
> in https://lists.dragonflybsd.org/pipermail/users/2024-April/452255.html
> The "Avalon" repository (whatever it is) was
> unreachable.

Sorry that you got an initial "negative" impression about DragonFly. We
are a small community and especially things like installation are not
done frequently enough by ourselves to catch all possible bugs... Once
DragonFly is installed, you'd normally never re-install it via the
installer, just do an update from source.

> 2) I gave up troubleshooting pkg yesterday but today
> the cause is certain: the certificate of
> https://mirror-master.dragonflybsd.org/ expired.
> This also got reported to this list a month ago,
> so it must be a recurring event (Let's Encrypt?)

Yeah, we've seen this issue in the past, and it bit me as well during a
fresh installation :)

Luckily, tuxillo has fixed this once and for all (fingers crossed).

> 3) Out of panic I tried to reinstall pkg, ca_root_nss
> and other stuff out of dports only to find out that
> for example security/openssl cannot be installed due to
> security vulnerability.
> 
> Also many dports do not get installed because they are
> "unmaintained", but there does not seem to be a clear
> way to override that.

A list of ports that you'd want to be maintained would definitely help
here... in case you plan on giving DragonFly a second chance :).

I've seen this myself, e.g. the "h2o" webserver port seems to be
unmaintained in DragonFly but not in FreeBSD. As this is a project run
by volunteers, you can't expect that someone will fix this :). It's best
to learn how to fix a port and create a PR (pull request). Usually, the
FreeBSD port just builds fine without huge modifications.

> I was fighting some DNS issues (unrelated to DragonFly)
> and I was sadly surprised that there is no DNS server
> in the base anymore. (And I could not install bind9
> due to security issue in the port).

Personally, I am happy that we got this out of the base installation.
Have you tried unbound as an alternative? Can you elaborate or create a
bug report on the security issue of the bind9 port?

> Is there Kerberos in the base? I couldn't find
> kinit/klist but some ports give me "base Heimdal"
> as an option - is it just some leftover from FreeBSD
> ports?

We have the security/heimdal port:

    $ pkg search heimdal
    heimdal-7.8.0_6                Popular BSD-licensed implementation of Kerberos 5

If a port has a Kerberos option, I assume that it adds this as a
dependency. Dunno if FreeBSD has that still in their base.

> 
> Initial installation also didn't go smoothly:
> 
> I asked the installer to encrypt /boot and the root filesystem.
> It nicely refused to encrypt /boot but I could mark the root fs
> as encrypted.

Encrypting /boot doesn't work for DragonFly. FreeBSD has encryption
support in their bootloader (UEFI ...), we don't. Instead, we boot a
regular DragonFly kernel (from /boot) and mount a tiny DragonFly
"rescue" system from a MFS (memory file system). This will then setup
LUKS encryption and mount the encrypted device to start init(8) from
the encrypted device. The advantage here is, you can literally do
anything and customize it to your needs, whereas in FreeBSD, you'd need
to hack a boot loader etc. And it also doubles as a rescue system.

> During customization phase it asked me for the encryption password
> again asking for password confirmation, as if we were setting
> the password again (not just mounting). This was confusing.

Hm, interesting. I think we have to look into that. It always helps when
you open up a bug report, giving detailed information about the problem.

> In the end, it didn't work - mountroot bailed out trying
> to mount stuff from md0 partitions, which apparently didn't get
> set up during the booting process.

That's bad. We should track this down.

> So I had to go unencrypted.
> 
> I am sure for every problem I have mentioned there can
> be a fix or a workaround if we go patiently through
> the troubleshooting.  It was just very frustrating
> and I simply gave up, and I have to send this email
> from the FreeBSD system instead :(

Sorry for the bad experience and thanks for reporting.

Generally, FreeBSD has a much smoother experience and much better driver
support. If it works for you, perfect! If you want to run DragonFly, you
might have to fix things here and there yourself or ask for help on IRC.
In the end, it lives from people getting involved, which also can be a
lot of fun.

> There was one positive surprise though: ACPI event
> messages are set up properly out of the box
> (unlike FreeBSD -CURRENT I use as my daily driver).

Yes! :)

Regards,

  Michael
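Since the expired mirror-master certificate is described in the thread as a recurring event, a small offline check of a certificate's validity window is added here as an example; it is not code from the original post or from the DragonFly project. It reads notBefore/notAfter straight out of DER with a minimal ASN.1 TLV walker (standard library only), applies the RFC 5280 UTCTime two-digit-year rule and also accepts GeneralizedTime, and builds a constructed, unsigned stand-in certificate so it runs without network access. The stand-in builder, its empty names and key, and the sample dates are assumptions for illustration, not anything the thread shows.

```python
"""Offline check of an X.509 certificate's validity window, parsed from DER.

Example code added to this thread; not from the original post or from
DragonFly. Only the standard library is used.
"""
from datetime import datetime, timezone

UTCTIME, GENERALIZEDTIME = 0x17, 0x18


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """List the (tag, value) pairs inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        out.append((tag, inner))
    return out


def _parse_time(tag, value):
    """Decode a Time CHOICE; RFC 5280 maps UTCTime YY>=50 to 19YY, else 20YY."""
    text = value.decode("ascii")
    if tag == UTCTIME:
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != GENERALIZEDTIME:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (not_before, not_after) as aware UTC datetimes from a DER cert."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = _children(_children(cert)[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)


def days_until_expiry(der, now=None):
    """Days left on the certificate (negative once it has expired)."""
    now = now or datetime.now(timezone.utc)
    return (cert_validity(der)[1] - now).total_seconds() / 86400


# --- constructed stand-in certificate so the check runs offline (assumed shape) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_toy_cert_der(not_before, not_after):
    """Unsigned, structurally valid Certificate with empty names and key."""
    def time_tlv(dt):
        if 1950 <= dt.year < 2050:          # RFC 5280: UTCTime in this range
            return _tlv(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())
        return _tlv(GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ").encode())
    empty_name = _tlv(0x30, b"")
    ecdsa_sha256 = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d040302")))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + ecdsa_sha256 + empty_name
               + _tlv(0x30, time_tlv(not_before) + time_tlv(not_after))
               + empty_name + _tlv(0x30, b""))
    return _tlv(0x30, tbs + ecdsa_sha256 + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    # Constructed dates: a cert that expired the day before the report in the thread.
    der = build_toy_cert_der(datetime(2024, 3, 1, tzinfo=timezone.utc),
                             datetime(2024, 5, 30, tzinfo=timezone.utc))
    left = days_until_expiry(der, datetime(2024, 5, 31, 14, 30, tzinfo=timezone.utc))
    print("expired" if left < 0 else f"{left:.1f} days left")
```

To point this at the real mirror rather than the stand-in, save the served leaf certificate as DER (for example with `openssl s_client -connect mirror-master.dragonflybsd.org:443 -servername mirror-master.dragonflybsd.org </dev/null | openssl x509 -outform DER -out mirror.der`, which is the usual way and not something the thread shows) and pass the file's bytes to `days_until_expiry`; a cron job that alerts below a chosen threshold, say 14 days, would have caught both of the expiries mentioned in the thread before pkg broke.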
