Talks speakers

A Modern Replacement for BSD spell(1)
Abhinav Upadhyay

The spell(1) utility in NetBSD is quite ancient and primitive. It is several
decades old based on an implementation which came with AT&T Version 7 Unix 1975.
It falls short of expectations on multiple fronts. For instance, it is not
capable of suggesting corrections for the misspelled words, it merely checks a
dictionary to decide if a spelling is correct or not. Not only that, it does
spell checking based on a set of rules, which are pretty tightly
tied to the English language, making it unusable for text involving
other languages. Also, those rules are not very accurate and are prone
to failure in case of many common misspellings.

Because of so many glaring problems in the existing spell(1) and for the lack
of a reusable library interface for other applications to add spell checking
functionality, I started work on writing a new implementation of spell(1)
with the goal of overcoming these problems and also building a library
to add spell checking feature to apropos(1) in NetBSD.

In this presentation I will talk about:

  • current implementation of spell(1) and demonstrate its short comings
  • spell correction algorithms – Levenshtein distance, metaphone and n-grams
  • work done to implement these techniques resulting in a new spell(1) with a
    library interface
  • performance comparison of the new implementation against against one of the
    most popular open source spell checker – GNU Aspell
  • Demonstrate integration of the library interface with other applications such
    as apropos(1) and sh(1) to do spell correction and context sensitive text
Speaker biography:
Abhinav Upadhyay is a NetBSD developer and works for Reve Marketing,
a martech startup of Pramati Technologies, as a Senior Software Engineer.
Abhinav first worked for The NetBSD Foundation during Google Summer of Code 2011.
He is responsible for rewriting apropos(1) in NetBSD, implementing full text
search for man pages. He has also created – a web interface to
NetBSD’s apropos(1). His interests lie in the areas of systems software
and machine learning. He enjoys working in the cross section of the two domains
to build novel tools and interface.

Never Lose a Syslog Message
Alexander Bluhm

On security systems logging is crucial. You have to know what an
attacker was doing. Also the attacker could provoke that important
information is lost. To provide a reliable view of the system, I
have implemented a bunch of mechanisms in the OpenBSD kernel and

Unfortunately traditional BSD syslog protocol is based on datagram
sockets and UDP messages. Both may fail unnoticed. The new system
call sendmessage(2) makes local logging work in harsh conditions
and also provides a single point from where errors can be reported.
Overflow of dmesg(8) buffer is detected and reported. For remote
logging TCP and TLS transport have been implemented together with
counters of lost messages due to buffer exhaustion.

The talk will explain these mechanisms together with more new
features in OpenBSD syslogd(8).

Speaker biography:

  • developer since 2007
  • working for genua GmbH, a company which builds OpenBSD based firewalls

My BSD sucks less than yours (extended edition), Act I
Antoine Jacoutot

This talk will look at some of the differences between the FreeBSD and OpenBSD
operating systems. It is not intended to be solely technical but will also show
the different “visions” and design decisions that rule the way things are

We shall try and hit where it hurts when that makes sense. Obviously, both
speakers have their own personal and subjective preferences and will explain
why. Showing some of the weaknesses may encourage people to contribute in some

This is the Act I of a totally biased talk from two different perspectives.

Speaker biography::
Antoine Jacoutot has been an OpenBSD developer since 2006. He is currently
working as an open source consultant and evangelist at D2SI.

My BSD sucks less than yours (extended edition), Act II
Baptiste Daroussin

This talk will look at some of the differences between the FreeBSD and OpenBSD
operating systems. It is not intended to be solely technical but will also show
the different “visions” and design decisions that rule the way things are

We shall try and hit where it hurts when that makes sense. Obviously, both
speakers have their own personal and subjective preferences and will explain
why. Showing some of the weaknesses may encourage people to contribute in some

This is the Act II of a totally biased talk from two different perspectives.

Speaker biography:
Baptiste Daroussin has been a FreeBSD developer since 2010, member of the
FreeBSD core team since 2014, member of the portmgr team.
He is working at

Portable Hotplugging: NetBSD’s uvm_hotplug(9) API development
Cherry G. Mathew

This presentation is based upon the work of two authors: Cherry G. Mathew and
Santhosh Raju.

The current implementation of uvm(9) uses a static array to “manage”
memory segments. The uvm hotplug(9) API enables dynamically “managed”
memory segments allowing for the possibility of hot plugging and unplugging of
memory. During the process of implementing uvm hotplug(9) we used a Test
Driven Development methodology and Pair Programming to achieve our goal.

This talk focuses on how to re-organize the code for testing, test design
strategy for correctness and performance evaluation and the possibilities of
testing kernel code in userspace, specifically code pertaining to uvm(9). The
talk will also cover the methodology we used to achieve TDD on an existing
code base which lacked any prior formal written tests. In addition to the
above there will also be a small section on how tests(7) was used as a tool
to measure performance by load testing.

Speaker biography:
Cherry has been a NetBSD user since 2005 and a developer since 2006. His
first project was to import the ia64 FreeBSD sources to NetBSD.

Later he turned his attention to minor OF tweaks to the ibook G3 he

His serious contributions to NetBSD came after an internship with what
was then Xensource in the U.Cambridge startup scene. He committed SMP
support for NetBSD/Xen in 2011, the Xen memory ballooning driver for
NetBSD and the uvm hotplug interface.

Cherry also got FreeBSD to boot single user to Xen in its
Paravirtualised avatar – however this project was made redundant by the
excellent PVHVM support by royger@

Cherry likes to play with kernel code, electronics, walk up mountains,
travel footloose and hang out with the locals, pretend to cook, do a
bit of gardening / small scale farming, teach, take things apart, and
generally pretend that he is an intelligent sort.


Reproducible builds on NetBSD
Christos Zoulas

I will talk about my recent work getting reproducible
builds on NetBSD. The talk will be based on information that I
first posted at:

and it will have more detailed examples of the toolchain, build,
and application changes that every OS needs to make to achieve

I will also discuss the meaning of timestamps and other “build-specific”
information that needs to become predictable for fully reproducible
builds, and if it is worth faking in the first place to achieve
identical built artifacts at the media level.

Speaker biography:
I live in New York City and work in the Finance Sector. I spend most
of my free time with my kids. When they let me I try to write and
fix things for NetBSD/file/tcsh/libedit/… and other pieces of code
I’ve worked on over the years.

Bacula – nobody ever regretted making a backup
Dan Langille

In this talk, you will learn the basics of Bacula, a leading open source backup
solution. As a Bacula developer, Dan has some unique insights into the use and
deployment of Bacula. An avid user since 2004, he has used Bacula for his own
networks and in commercial settings.

Topic to cover will include:

  • overview of Bacula: client, storage, director
  • Jobs
  • Pools
  • FileSets
  • running a job
  • restoring a job
  • copy/migrate jobs from one media to another
Speaker biography:
Dan Langille has been using FreeBSD since 1998 and almost immediately he started
documenting his experiences. This online journal eventually became The FreeBSD
Diary. Along the way, he founded a couple of conferences and created a few other
websites. He is very good at describing the step-by-step procedures to perform a
wide variety of tasks, from changing your prompt to creating and maintaining

Running CloudABI applications on a FreeBSD-based Kubernetes cluster
Ed Schouten

Two years ago, I gave a talk at EuroBSDCon in Stockholm, where I
presented a project I started working on that same year, called
CloudABI. CloudABI is a framework that allows you to design POSIX-like
programs that are very strongly sandboxed. CloudABI is comparable to
FreeBSD’s sandboxing technique Capsicum, but differs in the sense that
sandboxing has to be turned on as soon as the first instruction of
your program starts. This has a couple of interesting implications:

  • You can safely run programs that you don’t trust at all, as long as
    you don’t provide it access to file descriptors of resources that
    should remain off-limits. This makes it a very useful building block
    for a multi-tenant cloud/cluster computing service.
  • By having Capsicum always enabled, we can remove all of the features
    that conflict with Capsicum. This allows you to modify applications to
    work well with sandboxing a lot more easily. It is easy to make an
    inventory of which modification need to be made, simply by looking at
    compiler errors generated by the absence of the incompatible features.
  • Software becomes easier to test and manage. This effectively brings
    the principle of Dependency Injection from object oriented programming
    to full-scale programs.

In this talk, I’m going to discuss how I’ve added support for running
CloudABI-based applications directly on top of Kubernetes, an Open
Source cluster management suite. An interesting aspect of this is that
it effectively removes the dependency on Docker and makes Kubernetes
work on FreeBSD. After giving a crash course on Kubernetes, I will
present the software that I have developed to make this work.

Speaker biography:
Ed Schouten has been a developer at the FreeBSD project since 2008.
Initially, he focussed on terminals, TTYs and console drivers. Later
on he maintained a branch of FreeBSD called ClangBSD, whose purpose it
was to replace FreeBSD’s system compiler, GCC, with Clang. Nowadays,
he spends most of his time working on CloudABI.

State of the DragonFly’s graphics stack in 2017
François Tigeot

Following my “Porting the drm/kms graphic drivers to DragonFly” talk at
EuroBSDCon 2014, and my “State of the graphics stack in DragonFly” talk
at EuroBSDCon 2015, I plan to give an updated version of the later talk
this year.

About DragonFly

  • Unix-like operating system, BSD descendant
  • Started from FreeBSD 4.x in 2003
  • High-performance, unique approach to MP operation
  • Unique features: HAMMER filesystem, swapcache

I have been trying to make DragonFly more useful by benchmarking its
performance, making it able to use some common technologies and porting
various pieces of software.

In particular, I have been working since 2012 on porting drm/kms graphic
drivers to DragonFly. I am also generally involved in various
discussions about graphics in the DragonFly community.

Speaker biography:

  • Independent consultant, sysadmin
  • X11 and BSD user since the 1990s
  • DragonFly developer since 2011
  • Has ported drm/i915 and drm/radeon kernel drivers to DragonFly

The Realities of DTrace on FreeBSD
George Neville-Neil

This presentation is based upon the work of five authors:
Jonathan Anderson, Brian Kidney, George Neville-Neil, Arun Thomas, and
Robert Watson.

For more than a year we have been using DTrace as one of the three core
components of a security research project, CADETS. Unlike earlier users
of DTrace, which were focused on occasional, deep debugging sessions,
the CADETS project uses DTrace to bring total system transparency to
both the operating system and the applications that are running on top
of it. The use of “always-on tracing” pushes the DTrace system up to,
and often, past its limits and shows how some of the original design
tradeoffs need to be revisited to address the needs of our project. Our
talk covers our current efforts to extend and improve the DTrace
framework in FreeBSD, including performance and programming improvements
to address the needs of always-on tracing as well as integration with
FreeBSD’s audit subsystem and the addition of machine-readable output
for use by creators of downstream security-analysis tools.

Speaker biography:
George Neville-Neil works on networking and operating system code for
fun and profit. He also teaches various courses on subjects related to
computer programming. His professional areas of interest include code
spelunking, operating systems, networking, time and security. He is the
co-author with Marshall Kirk McKusick and Robert Watson of The Design
and Implementation of the FreeBSD Operating System and is the columnist
behind ACM Queue’s “Kode Vicious.” Mr. Neville-Neil earned his
bachelor’s degree in computer science at Northeastern University in
Boston, Massachusetts, and is a member of the ACM, the Usenix
Association, the IEEE, and is one of the Directors of the FreeBSD
Foundation. He is an avid bicyclist and traveler who currently resides
in New York City.

A primer on synchronizing multiprocessor kernel resources
Gilles Chehade

Last talk about opensmtpd dates from 2013 when we first made it production ready.
This talk will go through the many features and security changes that happened in
the last few years and provide an overview of what to expect from the future in a
range of areas including configuration, scheduling, routing and filters.
Speaker biography:
2001-2006: Student at Epitech, Paris

2007-2009: R&D engineer at Exalead search engine

2009-2011: Deputy dean of studies at Epitech, Nantes

2011-2012: R&D software engineer at Scality

2012-2017: R&D software engineer at Dalenys (ex-Rentabiliweb)

2017-> : Lead developer at Vente-Privee

Started using Linux in 1996.

Started experimenting with BSD and fell in love with OpenBSD in 1999.

Joined the OpenBSD madhouse as a commiter sometime in 2007.

Imported the OpenSMTPD daemon late 2008.


OpenBSD Testing Infrastructure Behind
Jan Klemkow

I have built an infrastructure for semi-automatic testing of source code
changes. Clean systems can be automatically installed on real hardware
based on the latest published snapshot. The serial console and power
switch of each system can be accessed over the Internet.

My college and OpenBSD developer bluhm@ has used this infrastructure to
run the OpenBSD regression tests. Results for those tests have been
available at for over
a year now.

The test infrastructure is mostly made of old hardware that had
accumulated in our company for years. So it should be quite easy and
inexpensive to replicate a similar infrastructure for your testing

The talk will explain the infrastructure in detail, include live-demos
that show how easy it can be used and share some ideas on how the system
could be improved further.

Speaker biography:
Jan Klemkow has been an OpenBSD user since 3.9 and contributor since
5.0. He finished his master degree in technical computer science at the
university of applied science Wismar in 2013. Since 2011 he has been
working as a software developer at genua GmbH near Munich.

OpenBSD’s small steps towards DTrace (a tale about DDB and CTF)
Jasper Lievisse Adriaanse

This talk will be about the work that is going on in OpenBSD to develop a
dynamic tracing/profiling system, not unlike DTrace.

The road towards a fully working DTrace-like implementation is long and a lot
of that depends on having binaries annotated with CTF.

CTF is a converted subset of DWARF that can be embedded in all a wide range of
binaries, including the kernel.

Throughout this presentation I will discuss the dynamic profiling part that has
been developed by Martin Pieuchot and I will go into the work that went into
adding support for inspecting kernel CTF-data with DDB. Lastly the status quo
will be reviewed as well as what pieces are still missing from the puzzle.

Speaker biography:
Jasper Lievisse Adriaanse is an OpenBSD developer from the Netherlands. He
joined the project in 2006 and has since been involved in many areas of the
tree, ranging from Octeon and GNOME to CTF.

Running BSD on AWS
Julien Simon, Nicolas David

No, Amazon Web Services is not only Linux territory! It’s actually quite easy
to run your favorite BSD OS in the Cloud and we’ll show you how in this session.
First, we’ll start with a quick recap on the AWS infrastructure, before
explaining how you can build and launch BSD-based Amazon Machine Images.
We’ll then start a FreeBSD instance on a rather large server and we’ll build a
ZFS volume based on local disks. Finally, we’ll see how fast we can run a full
‘build world’: place your bets 😉
Speaker biography:
Julien Simon, Principal Technical Evangelist at Amazon Web Services.
Before joining AWS, Julien served for 10 years as CTO/VP Engineering in
top-tier web startups. Thus, he’s particularly interested in all things
architecture, deployment, performance, scalability and data. As a Principal
Technical Evangelist, Julien speaks very frequently at conferences and technical
workshops, where he meets developers and enterprises to help them bring their
ideas to life thanks to the Amazon Web Services infrastructure.

Nicolas David. Prior to joining AWS, Nicolas evolved for 15 years
in information technology industry at major French and European
actors of the Software Edition, Bank and Insurance businesses in a
variety of roles. Today, Nicolas uses his experience to support AWS
customers transforming their way to think IT using the cloud
computing. While delivering a broad range of sessions from introductory
level (AWSome Days, AWS Technical Essentials, AWS Business Essentials),
to advanced courses (Architecting/Advanced Architecting Concepts
on AWS, System Operations on AWS, Security Operations on AWS, DevOps
Engineering on AWS, Big Data on AWS); Nicolas contributes to
Presentations, Hands-on Labs and the material used in and around
AWS Training Sessions, like events, meetups and public talks.


The LLDB Debugger on NetBSD
Kamil Rytarowski

Goals and benefits of porting the LLDB Debugger to NetBSD.

What to expect when using the new debugger on NetBSD.

Impact of this port on the base distribution.

New kernel features to host the new debugger.

Regression tests for the ptrace(2) system call.

Tracking LLDB’s trunk.

Pending tasks, known bugs and missing features.
Speaker biography:
Kamil Rytarowski has been NetBSD users since 2013 and a NetBSD committer
since 2015. He is also a team member of the EdgeBSD project with
interest of NetBSD usability on desktop. Author of the .NET port to
NetBSD, LLVM committer. In previous life GNU/Linux desktop user,
enthusiast and since some point developer.

7 years of maintaining firefox
Landry Breuil

It’s 2017, and some (rare) people are still using OpenBSD as a main
laptop OS, and some of them are still using firefox (no, not everyone
moved to chromium) – let’s have a look at what happened since the
firefox 3.6 days, in terms of firefox features, toolchains struggle,
platform coverage, source patching, relationship with upstream, and what
challenges are ahead of us – spoiler alert: there will be rust. And
system limits. And multiprocess.
Speaker biography:
Landry Breuil has been an OpenBSD developer since 2007, mostly
hacking on ports, desktop environments and browsers – he works as a GIS
sysadmin in an small non-profit in France.

Discovering OpenBSD on AWS
Laurent Bernaille

I have been using AWS for several years and many projects require deploying core
infrastructure services such as administration hosts, DNS, VPN gateways and
Service Discovery tools. I used to achieve this using Linux distributions
(Debian or Ubuntu in most cases) but always found them complicated to automate
and not well adapted for these use cases. OpenBSD has been available on AWS for
about a year and I have started using it instead. I had no previous knowledge of
OpenBSD but found it a really great experience. In this talk I will present the
rational behind this shift and will demo how we can automatically build these
services with Terraform. I will show how we can build a dynamic DNS server
backed by Consul for its configuration with everything running on OpenBSD.
Speaker biography:
Laurent Bernaille is a solution architect specialized in cloud, containers, and
automation. He is an open source enthusiast and has lately been focusing on
helping organizations improve their deployment pipelines. He is really
interested in how these new technologies are transforming organizations and IT

What’s in store for NetBSD 8.0?
Alistair Crooks

Speaker biography:

“Is it done yet ?” The never ending story of pkg tools
Marc Espie

Some programs just keep evolving. Each time you think you’re finished
with them, some new ideas come around the corner.

And things keep accreting. The only reason such a program may stop
evolving is because it’s dead, drowned in its own misfeatures.

This talk will look at ways we managed complexity in the past, successes and
failures at keeping enough compatibility for migrations to be less painful.

And also, a roadmap to the future, how we set priorities for what we want
while still keeping the pkg tools in working condition, the current challenge
being to get things faster while still keeping them mostly bug-free.

Speaker biography:
Marc Espie has been an OpenBSD developer for about twenty years, in charge
of the ports and packages infrastructure for over ten years.

When he’s not coding, he’s also a teacher and researcher at Epita’s
Systems and security Lab, trying to teach young pups how to write code that
isn’t complete crap.


Case studies of sandboxing base system with Capsicum
Mariusz Zaborski


Capsicum is a sandbox framework in the FreeBSD operating systems
and it’s based on the capabilities concept. Programs running in a sandbox
don’t have access to any global namespaces (such as fillesytem or network
namespace). Last year was very productive for Capsicum. More people got
involved in the project and new interesting features were developed. However,
most importantly a lot of applications from base systems were sandboxed.


With a growing number of sandboxed applications we also recognized
new kinds of problems. Some of them we’ve already managed to solve. The
FreeBSD community was able to sandbox around 22 new applications re-
cently, but it’s still long way from sandboxing all of them.

One of the thing we noticed during that process is a large chunk of code
which we needed to rewrite multiple times in different programs. To simplify
the use of this framework we introduced Capsicum helpers, a small C header
of few inline functions which allows to reduce repeating parts of codes. One
of very common thing is to limit standard output and input descriptors,
this forces us to copy paste around 15 lines of code. Thanks to simple API
1we are able to limit it to 2 lines of code. The header
provides us also more grainy API for every descriptor:

  • caph_limit_stdio
  • caph_limit_stdout
  • caph_limit_stdin
  • caph_limit_stderr

As well as generic function caph_limit_stream which can limit any descriptor
provided. All those function are limiting descriptor to the most common ioctl
and capability rights.

Capsicum helpers also provides a few functions which allows to cache some
common used data. For example localtime need to read once /etc/localtime.
If localtime function is called after entering sandbox then function will get bad
time. The caph_cache_tzdata function was introduced to cache time zones
files. One of the reasons of collecting such functions is also documenting for
developers which things need to be cached before entering Capsicum.
A very common problem of Capsicum is silent failures. When sandbox
is added to an application, a developer cannot notice some conditions of
program. For example if an application is using a library and this library
is using random number generator by opening /dev/random if possible and
otherwise use some insecure random generator. If a developer will not no-
tice this behavior by analyzing the code this can lead to introducing new
bugs while snadboxing application. One way is to use ktrace infrastructure
but this also can be unnoticed by developer. Due to the new debugging
feature for Capsicum which was implemented by Konstantin Belousov un-
der FreeBSD foundation sponsorship. Enabling procctl(PROC_TRAPCAP)
(per-process) or sysctl kern.trap_enocap (globally in the system) kernel will
issue SIGTRAP to generate a core dump or enter the debugger incited of

Some sandboxed applications had very interesting stories, like dd. One
of the problem we encountered was that dd is a build tool. Another one was
the problem which overrating stderr descriptor. Case studies of sandboxing
applications like that can be very educational for future developers.


Last year was crucial for the Capsicum community. My presentation
will focus on the past year of development of Capsicum framework. We
introduced a few interesting features (like Capsicum helper or new debugging
infrastructure). FreeBSD got a few new sandboxed applications, some of
them, like dd, has a very interesting history that are worth presenting.

Speaker biography:
Mariusz Zaborski is a software developer at WHEEL Systems and student at
Warsaw University of Technology.

Mariusz’s main ares of interest are OS security and low-level
programming. At Wheel Systems, Mariusz is developing a solution to
monitor, record and control traffic in an IT infrastructure.

He has been involved in the development of Capsicum and Casper since
Google Summer of Code 2013, which he successfully passed under
the mentorship of Paweł Jakub Dawidek.

Mariusz has been a FreeBSD project commiter since 2015.


Your scheduler is not the problem
Martin Pieuchot

Analysing performance issues might be tricky. No matter how powerful
your tools are, you have to point them to the correct spot and be able
to interpret their output.

This talk presents the analysis and fixes for a performance regression
introduced in Firefox 40.0 on OpenBSD. A debug story from X to libpthread
with a detour in the scheduler all of that without DTrace.

Speaker biography:
Martin Pieuchot is an OpenBSD developer coordinating the ongoing effort
to make the network stack MP-safe. He works as a freelance developer and

The OpenBSD web stack
Michael W. Lucas

OpenBSD includes a variety of tools for building robust web server
solutions. The httpd web server is a lean, fast platform for serving
web pages. Relayd allows you to distribute a site’s load between
multiple servers for redundancy, extra capacity, or both. These two
servers, combined with CARP, PF, and other OpenBSD tools, let you
slice hundreds of thousands of dollars off the cost of deploying
your applications.

This talk will cover:

  • setting up web sites
  • administering chroots for web apps
  • Lua patterns
  • OpenBSD’s ACME client
  • OCSP stapling
  • multi-server clusters
  • load balancer clusters
Speaker biography:
Michael W Lucas is the author of many technical books, including
“Absolute FreeBSD,” “Absolute OpenBSD,” “PAM Mastery,” and the
brand-new “Relayd and Httpd Mastery.” He lives in Detroit, Michigan,
with his wife and an assortment of rats. Learn more at

Tuning FreeBSD for routing and firewalling
Olivier Cochard-Labbé

The talk will present some tuning tips for a router and firewall use cases.
Starting to define values to measure and how to how to correctly bench a router
and firewall. Continuing by showing the basic journey of a packet across FreeBSD
network stack, then the impact of multiple parameters related to the hardware,
kernel or the NIC drivers.
Speaker biography:
Network Engineer at Orange, founder of FreeNAS and BSD Router Project, FreeBSD
port committer and network performance grapher.

From NanoBSD to ZFS and Jails – FreeBSD as a Hosting Platform, Revisited
Patrick M. Hausen

At EuroBSDCon 2010 I presented how we used NanoBSD to facilitate the operation
and management of larger quantities of hosting servers.

Seven years later not only has hardware become incredibly more powerful. Customers
and software developing colleagues alike expect more agile management, provisioning
and deployment of resources to meet their applications’ demands.

I’d like to present how we employ jails and ZFS to manage a large number of “virtual”
environments while we kept some of the concepts learned from successful use of NanoBSD
as far as software provisioning, updates and general management of production environments
are concerned.

Speaker biography:
Patrick M. Hausen, born 1968, developed an interest in “all things Unix” and networking in
general in the late 80’s. Having worked on various commercial implementations and looking
for an operating system that would be more capable than Minix for actual daily use at home
he found out about FreeBSD in 1993. He’s been using, hacking, advocatiing and occasionally
cursing FreeBSD ever since.

Hardening pkgsrc
Pierre Pronchery

pkgsrc is a package management system, providing over 17.000 packages
today. Even though it originates from the NetBSD Project, it supports
many other platforms, even as the official source for packages for some
of them.

This talk will illustrate how pkgsrc can be used to attempt to enforce
hardening features on every package at once, and whenever possible also
to detect when these features are effectively enabled or failed to
function. The methodology, current status, and ideas for future work in
this direction will be gathered in the talk.

Speaker biography:
Pierre Pronchery (khorben@) joined the NetBSD Foundation in May 2012,
where he focuses on desktop and mobile integration. An IT-Security
consultant at Defora Networks GbR in Germany, he can also be found
promoting Open Source Hardware or researching on Clean-Slate Internet
and the Internet of Things. The outcome of this work is eventually
gathered within the DeforaOS project, an experimental Operating System
project. For about three years now, he has also been leading the EdgeBSD
Project, as an alternative way to work with and contribute to the NetBSD

A Tale of six motherboards, three BSDs and coreboot
Piotr Kubaj, Katarzyna Kubaj

Coreboot is mainly focused on Linux, but it’s an interesting option for those
who care about using open source software. This talk will focus on our
experiences with using coreboot and *BSD OS-es.
We have 6 motherboards that we’d like to talk about:

  • ASUS KGPE-D16,
  • ASUS F2A85-M,
  • ASRock E350M1,
  • Lenovo ThinkPad X200,
  • Lenovo ThinkPad X230,
  • PC-Engines APU2.

We did tests on FreeBSD, OpenBSD and NetBSD and it turns out that some have
great compatibility, while others not so much.

Speaker biography:
Piotr Kubaj is a System Administrator from Gdańsk. He manages GNU/Linux, FreeBSD
and OpenBSD systems. His interests include Linux compatibility layer on FreeBSD,
LibreSSL support in third-party software and low-level firmware used to
initialize computer components like BIOS, UEFI and coreboot. Piotr tries to use
open source software from the bottom – like replacing BIOS and UEFI with
coreboot. He manages several FreeBSD ports and occasionally sends patches to
other open source projects, mainly related to LibreSSL compatibility. He also
sent some new ports, e.g. ports for CentOS 7 compatibility layer.

Katarzyna Kubaj is a web developer, graphic designer, SEO specialist and
occassionally a book translator from Gdańsk, Poland. After hours spent with
websites, she turns into electronics enthusiast. She likes to open some hardware
and reassemble it completely. She made the Core/Libreboot flashing experiments
possible, soldering and pinning what’s neccessary, and keeping Piotr away from


Branch VPN solution based on OpenBSD, OSPF, RDomains and Ansible
Remi Locherer

I’d like to present the new setup for connecting
branch offices we rolled out at Netcetera in 2016/2017. Netcetera
( has its Headquarters in Zurich and several offices
ranging from 5 to 140 employees in Europe and in the UAE (today 6 branch
offices are connected with the new solution).

The new solution is based on OpenBSD, IPSEC, OSPF, RDomains and Ansible.
Our main focus was to reduce maintenance burden with automation.

    In the presentation I would discuss the following topics:

  • Choice of a routing protocol: we did PoCs with OSPF and BGP
  • Integration into the existing Network
  • Redundancy: connect each branch router to a VPN gateway cluster and
    possibly to a 2nd cluster in another data center.
  • Why we need routing domains for the branch router configuration.
  • Automated setup of vpn gateways with OpenBSD autoinstall and Ansible.
Speaker biography:
I started my IT career in 2000 working as a junior in the networking
team of a bank. After earning a degree from the “Zurich University of
Applied Sciences” in 2005 I worked more on the server side with Linux
and web applications (eg. web presence of a major Swiss newspaper).

Since 2009 I work for Netcetera as a System and Network Engineer. I
various things from Puppet for Linux servers to OpenBSD clusters for
firewalls. Currently I mostly work on networking topics.


The school of hard knocks – PT1
Sevan Janiyan

You’ve been asked to provide a workshop at local event, you agree and start to prepare. Very quickly you run into issues such as things being flat out broken & from there the yak shaving commences, you are immersed in a set of problems which you need to resolve otherwise the workshop will run into difficulties. This talk will cover how many different pot holes are discovered & filled in during the process to hopefully prevent future hazards (at least until the next conflicting change).
Speaker biography:
Sevan Janiyan is a sysadmin from South East England who has an interest
in different operating systems & computers. He is a member of the NetBSD
foundation and the FreeBSD project working primarily on the
cross-platform packaging system pkgsrc & the FreeBSD documentation team.

Getting started with OpenBSD device driver development
Stefan Sperling

This talk provides an introduction to device driver development for OpenBSD.
It targets developers who know the C language and have a high-level
understanding of a UNIX-like kernel. We will consider how hardware hacking
differs from a pure software development environment, the state of mind
required to avoid insanity while debugging, kernel APIs for drivers, how
to uncover information about software/hardware interfaces without NDAs,
figuring out a comfortable development process, and how to submit a driver
for inclusion into OpenBSD.
Speaker biography:
Freelance open source developer involved in OpenBSD and Apache Subversion.

Hoisting: lessons learned integrating pledge into 500 programs
Theo de Raadt

I would like to focus on lessons learned integrating pledge into 500 programs.
Probably emphasize how programs were subtly modified to fit the restrictive
model, with some examples. For instance, we further strengthened existing
privsep designs along the way because pledge showed the way. Another
conversation is about a dev process we call “hoisting”, invariant code found in
the main loop was pulled into pre-pledge initialization.
Speaker biography:
Theo is the founder and long time contributor to the OpenBSD project.