First-time user: Expired mirror-master certificate - and other problems :(

Marcin Cieslak saper at saper.info
Sun Jun 2 03:11:07 PDT 2024


On Sun, 2 Jun 2024, Michael Neumann wrote:

> Sorry that you got an initial "negative" impression about DragonFly. We
> are a small community and especially things like installation are not
> done frequently enough by ourselves to catch all possible bugs... Once
> DragonFly is installed, you'd normally never re-install it via the
> installer, just do an update from source.

Thank you Michael for a very nice reply.

Yes, I do the same, carrying over my home directory over
decades of different hardware. But in order to make
a community a bit larger it is important to get some
new users from time to time...

I know that DragonFly is less polished than FreeBSD but
frankly the installation experience (Erfahrung, not
Erlebnis!) was much worse than I anticipated.

I miss the old FreeBSD 4.x times where everything
was smooth, well documented and still small.

I considered a switch because I am getting annoyed
by a few things in FreeBSD:

1) on my low-end old hardware it takes 2 days to rebuild
the world.
2) ZFS always keeps my hard drives very busy no matter
what, up to the point where you need to wait for
terminal windows from urxvtd(!) to open.
3) I have a feeling people care less about the laptop user
anymore, most people seem to run BSD on their racks
in the data center and they have MacOS on their laptops.

> Luckily, tuxillo has fixed this once and for all (fingers crossed).

I hope the dehydrated hook is there. Apache really needs it.
Frankly, why not enable http port 80 on primary repo then?
It's better to have this work even if this means 
that HTTPS Everywhere purists scream at you.

(And pkg could sign the packages, how to contribute changes to
pkg building infra?)

> A list of ports that you'd want to be maintained would definitively help
> here... in case you plan on giving DragonFly a second chance :).

Before we get that far, I need to be able to run the damn thing.
After 4 days I am able to ssh to my mail server and write this
email from Xorg running on DragonFly. That's a bit too long.
And run really a minimal environment (Xorg+i915.ko+dwm+xterm/rxvt-unicode).

Speaking of which:

I read the documentation to contribute to DPorts and
the process seems to be extremely complicated.

I have copied and fixed security/openssh-portable from FreeBSD
(and updated it to make it work with Kerberos), but do I really
need to do the dance with buildworld, three git repos to
contribute a patch?

We need current security/openssh-portable (9.7p1 as of now)
plus the patch from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279437

> I've seen this myself, e.g. for the "h2o" webserver port seems to be
> unmaintained in DragonFly but not in FreeBSD. As this is a project run
> by volunteers, you can't expect that someone will fix this :). It's best
> to learn how to fix a port and create a PR (pull request). Usually, the
> FreeBSD port just builds fine without huge modifications.

My question was not about lack of maintainer. In FreeBSD,
I can install any port in the tree that is not BROKEN,
even if MAINTAINER is set to ports@ (unmaintained).

The IGNORE message currently says

"unmaintained, please request fixing to users mailing list"

do we really want to say this?

>> I was fighting some DNS issues (unrelated to DragonFly)
>> and I was sadly surprised that there is no DNS server
>> in the base anymore. (And I could not install bind9
>> due to security issue in the port).
>
> Personally, I am happy that we got this out of the base installation.
> Have you tried unbound as an alternative? Can you elaborate or create a
> bug report on the security issue of the bind9 port?

See above about contributing to the DPorts. The fix
for me was to build bind918 port from FreeBSD.
How to "contribute" something like this back quickly?

On a side note, I dislike unbound (it does eagerly cache negative
answers when the network is not working - for example
airport wifi with a captive portal), but anything would do
in that situation.
(I switched to bind for the resolver on my FreeBSD
laptop recently)

>> Is there Kerberos in the base? I couldn't find
>> kinit/klist but some ports give me "base Heimdal"
>> as an option - is it just some leftover from FreeBSD
>> ports?
>
> We have the security/heimdal port:
>
>    $ pkg search heimdal
>    heimdal-7.8.0_6                Popular BSD-licensed implementation of Kerberos 5
>
> If a port has a Kerberos option, I assume that it adds this as a
> dependency. Dunno if FreeBSD has that still in their base.

The problem is that we still seem to offer HEIMDAL_BASE option,
it should go away from all ports, unless we bring Heimdal back.

I've had this discussion in FreeBSD before, so I'll ask here as well:

Do we want to have NFSv4 support in the kernel? If yes, does this
mean we should bring Kerberos to base system again?

----

Thank you for responding to all those points in my email.
I really want to thank you for spending your time to
respond to my rant.

I must say, I find FreeBSD boot procedures with ZFS on root
beautiful - the loader knows encryption (GELI), ZFS and
everything runs smoothly. I tried to explain this once
to Linux people and they could not believe this. And there is
no initrd.

Marcin

